Active Directory Replication¶
Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.
Active Directory data takes the form of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. The values of the attributes define the object, and a change to a value of an attribute must be transferred from the domain controller on which it occurs to every other domain controller that stores a replica of that object.
An adversary can abuse this model and request information about a specific account via the replication request. This is done from an account with sufficient permissions (usually domain admin level) to perform that request. Usually the accounts performing replication operations in a domain are computer accounts (i.e dcaccount$). Therefore, it might be abnormal to see other non-dc-accounts doing it.
The following access rights / permissions are needed for the replication request according to the domain functional level:
Control access right symbol
Identifying GUID used in ACE
More information about the control access rights can be found here
DC-to-DC AD Replication via Directory Replication Service (DRS) Remote Protocol¶
The DC-to-DC interaction for replication and management of data in Active Directory is performed via the Directory Replication Service (DRS) Remote Protocol. If A DC wants to connect to a DC in a particular domain, the DC constructs a service principal name (SPN) specifying the fixed DRS RPC interface GUID “E3514235-4B06-11D1-AB04-00C04FC2DCD2”. The format of the SPN constructed by the DC is the following:
Directory Replication Services Auditing¶
Events generated by the replication activity on the targeted DC are available and easy to collect at scale. These events are related to the replication access control performed by the targeted DC and provided via event id 4662 from the security log channel.
The main operation performed for AD replication purposes is categorized as
Object Access. When an adversary performs a replication operation against a DC, the type of active directory object being accessed is of class Domain-DNS and points to the root domain distinguished name (i.e DC=shire,DC=com) or GUID.
Event 4662 displays the AD object class with its
The type of access in event 4662 is provided by the
access maskfield and it is of value
0x100which translates to access type
The access type
Control Accessallows adversary to have access to the AD object only after extended rights checks supported by the object are performed. Here is where the replication extended rights from the table above are checked and captured by event 4662. Those extended rights are captured in the
Propertiesfield in 4662 provides two things, the first part is the type of access that was used. Typically, it has the same value as
Accesses fieldwhich in this case is simply
The second part is a tree of GUID values of Active Directory classes or property sets, for which operation was performed. In our case we see the extended rights guid first and then the GUID of the class
Domain-DNS. Therefore, when looking for this type of activity in event logs produced by the targeted DC, it is easy to find replication extended rights in event 4662.
Remember that adversaries willing to perform a DCSync or activer directory replication attack, could also use any domain account to perform the task, despite being in no privileged groups, having no malicious sidHistory, and not having local admin rights on the domain controller itself.
An adversary will just need to add the three ad replication access rights shown in the table above to the unprivileged account to create a DCSync user backdoor.