Blocking malicious DC replication

Ravi.Sabharanjak posted this 16 August 2019

Mimikatz et al. use the same calls that DCs make to each other to replicate DS changes.
See: https://adsecurity.org/?p=1729
Has anyone been able to do "Step 2: Configure IDS to trigger if DsGetNCChange request originates an IP not on the “Replication Allow List” (list of DC IPs)." using a Palo Alto firewall?
(I don't think this can be done using the Windows firewall - not granular enough.)
Any other ideas?
thanks, -Ravi

kurtbuff posted this 16 August 2019

Hmmmm....

Restricting logons to known computers for privileged accounts?

Kurt


aaugagneur posted this 16 August 2019

I tried with another IPS and it is not applicable because of the high numbers of false positives in my environment.

PhilipElder posted this 16 August 2019

Off the top, if DC to DC replication uses a unique protocol structure not found in DC to Client then yes, Windows Firewall can be used to define a protocol filter based on an incoming/outgoing IP, range, or subnet.

Philip Elder MCTS
Microsoft High Availability MVP
E-mail: PhilipElder@xxxxxxxxxxxxxxxx
Phone: (780) 458-2028
www.CommodityClusters.Com
Blog Site
Twitter: MPECSInc
Skype: MPECS Inc.
Cloud: Canadian Cloud Worx

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

darren posted this 16 August 2019

In a past life, I experienced the pain of properly firewalling DC to DC communication. It’s not terribly easy. This article does a good job of articulating the challenges:

https://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx

Just to be clear, you have to worry about both modes of mimikatz (i.e. DCSync for pulling from a DC and DCShadow for pushing changes to a DC), but as was pointed out, if you can get the firewalling right (and keep it right over time as the environment changes) you should have a whitelist of valid DCs that you should be able to rely on, and anything outside of those are obviously not valid targets/recipients of replication.

Darren

kurtbuff posted this 16 August 2019

Your suggested article closely (perfectly?) aligns with this article:
https://medium.com/@cryps1s/endpoint-isolation-with-the-windows-firewall-462a795f4cfb

He suggests using IPSec pretty much everywhere.

Kurt


PhilipElder posted this 16 August 2019

Awesome article thanks for that!

Ravi.Sabharanjak posted this 16 August 2019

Thanks Darren. The article is pretty good. I guess this section is what I need (RPC UUID filtering):
https://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx#RPCUUIDFiltering
I am going to check if our Palo Alto firewalls support RPC UUID filtering. I am thinking the best way would be at the host level though; does the Windows firewall support filtering on the RPC UUID?
-Ravi

Ravi.Sabharanjak posted this 16 August 2019

Found this: 

chriss3 posted this 19 August 2019

Don’t forget that all clients aka ntdsapi.dll are using the same RPC interface, it’s not just DC to DC :P

darren posted this 5 weeks ago

Hey Christoffer-

Can you say more about this? Assuming you can filter on the specific RPC endpoint, in what context does a client need to call the replication endpoint as a normal course of business?

Darren

Darren Mar-Elia
GPOGuy Blog: https://gpoguy.com
Semperis Blog: https://semperis.com/blog

chriss3 posted this 5 weeks ago

Sure.

List of operations over the same RPC interface:
https://docs.microsoft.com/en-us/openspecs/windowsprotocols/ms-drsr/58f33216-d9f1-43bf-a183-87e3c899c410
Ntdsapi.dll?DsCrackNames calls into IDL_DRSCrackNames over RPC targeting a DC, for example. The RPC handle will be a little bit different (having a static GUID for ntdsapi callers; maybe you can filter on that somehow).

You can PM/e-mail me for more info; I guess this is something most AD admins don't dig into 😊
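Added example, not from the thread, Microsoft, or any IDS vendor: a small Python decoder and monitor that shows why the interface UUID on its own cannot separate replication from the client calls chriss3 describes. Replication (IDL_DRSGetNCChanges, opnum 3) and a workstation's DsCrackNames (IDL_DRSCrackNames, opnum 12) both bind to the same MS-DRSR interface, e3514235-4b06-11d1-ab04-00c04fc2dcd2 v4.0; what tells them apart is the opnum in the request PDU header, which is outside the stub and therefore still readable when the stub is sealed. The "Step 2" allow-list check from the opening post is applied per opnum and in both directions, so it also covers Darren's DCShadow case (a real DC pulling from a host that is not on the DC list). The PDUs, IP addresses and DC list are constructed with struct for the demo; the DrsReplicationMonitor class and its (src, dst) context table are this example's own design, and it handles only bind and request PDUs (no bind_ack, alter_context or fragmentation).

```python
"""Constructed example: decode DCE/RPC bind and request PDUs, map each bound
context to its interface UUID, and apply a DC allow list to MS-DRSR opnums.
Packets, addresses and the monitor class are illustrative, not a product API."""
import struct
import uuid

# MS-DRSR (drsuapi) interface, version 4.0, shared by replication and client calls
DRSUAPI_IF = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")
# NDR 32-bit transfer syntax, version 2.0
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

# Opnums from the MS-DRSR IDL; only the ones the policy looks at are named
OPNUMS = {0: "IDL_DRSBind", 3: "IDL_DRSGetNCChanges",
          5: "IDL_DRSReplicaAdd", 12: "IDL_DRSCrackNames"}
OP_GETNCCHANGES, OP_REPLICAADD = 3, 5

PTYPE_REQUEST, PTYPE_BIND = 0, 11
DREP_LE = b"\x10\x00\x00\x00"          # little-endian integers, ASCII chars


def _header(ptype, body_len, call_id):
    # rpc_vers, rpc_vers_minor, ptype, pfc_flags (first+last frag), drep,
    # frag_length, auth_length, call_id -> the 16-byte common header
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, DREP_LE,
                       16 + body_len, 0, call_id)


def build_bind(ctx_id, if_uuid, if_version=4, call_id=1):
    """Bind PDU with one presentation context (constructed sample input)."""
    ctx = (struct.pack("<HBx", ctx_id, 1)                 # ctx id, one transfer syntax
           + if_uuid.bytes_le + struct.pack("<I", if_version)
           + NDR32.bytes_le + struct.pack("<I", 2))
    # max xmit frag, max recv frag, assoc group, n_context_elem (+3 pad)
    body = struct.pack("<HHIBxxx", 0x16D0, 0x16D0, 0, 1) + ctx
    return _header(PTYPE_BIND, len(body), call_id) + body


def build_request(ctx_id, opnum, call_id=2, stub=b""):
    """Request PDU; the stub would carry the (possibly sealed) NDR arguments."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub   # alloc hint, ctx id, opnum
    return _header(PTYPE_REQUEST, len(body), call_id) + body


def parse_pdu(data):
    """Return ('bind', {ctx_id: interface uuid}) or ('request', (ctx_id, opnum)).
    The opnum sits in the request header, not in the stub, so it is visible
    even when the stub is encrypted at RPC_C_AUTHN_LEVEL_PKT_PRIVACY."""
    if len(data) < 16 or data[0] != 5 or not data[4] & 0x10:
        raise ValueError("not a little-endian DCE/RPC v5 PDU")
    ptype = data[2]
    if ptype == PTYPE_BIND:
        n_ctx = data[24]
        off, contexts = 28, {}
        for _ in range(n_ctx):
            ctx_id, n_transfer = struct.unpack_from("<HB", data, off)
            off += 4
            contexts[ctx_id] = uuid.UUID(bytes_le=data[off:off + 16])
            off += 20 + 20 * n_transfer        # abstract syntax + transfer syntaxes
        return "bind", contexts
    if ptype == PTYPE_REQUEST:
        _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", data, 16)
        return "request", (ctx_id, opnum)
    raise ValueError(f"unhandled ptype {ptype}")


class DrsReplicationMonitor:
    """Allow-list check from the thread's 'Step 2', applied per opnum so that
    client calls over the same interface (DsCrackNames) do not fire."""

    def __init__(self, dc_ips):
        self.dc_ips = set(dc_ips)
        self.contexts = {}        # (src, dst) -> {ctx_id: interface uuid}

    def feed(self, src, dst, pdu):
        """Return an alert string for a suspicious drsuapi call, else None."""
        kind, payload = parse_pdu(pdu)
        if kind == "bind":
            self.contexts.setdefault((src, dst), {}).update(payload)
            return None
        ctx_id, opnum = payload
        if self.contexts.get((src, dst), {}).get(ctx_id) != DRSUAPI_IF:
            return None                                   # some other interface
        name = OPNUMS.get(opnum, f"opnum {opnum}")
        if opnum == OP_GETNCCHANGES and src not in self.dc_ips:
            return f"DCSync-style pull: {name} from non-DC {src} to {dst}"
        if opnum == OP_GETNCCHANGES and dst not in self.dc_ips:
            return f"DCShadow-style pull: DC {src} fetching {name} from non-DC {dst}"
        if opnum == OP_REPLICAADD and src not in self.dc_ips:
            return f"DCShadow-style trigger: {name} from non-DC {src} to {dst}"
        return None             # e.g. IDL_DRSCrackNames from a workstation


def demo():
    """Constructed traffic: a legitimate DC-to-DC pull, a workstation name
    lookup, a DCSync pull, and a DC pulling from a rogue host (DCShadow)."""
    mon = DrsReplicationMonitor(dc_ips={"10.0.0.10", "10.0.0.11"})
    events = [
        ("10.0.0.11", "10.0.0.10", build_bind(0, DRSUAPI_IF)),
        ("10.0.0.11", "10.0.0.10", build_request(0, OP_GETNCCHANGES)),
        ("10.0.5.23", "10.0.0.10", build_bind(0, DRSUAPI_IF)),
        ("10.0.5.23", "10.0.0.10", build_request(0, 12)),     # DsCrackNames
        ("10.0.5.23", "10.0.0.10", build_request(0, OP_GETNCCHANGES)),
        ("10.0.0.10", "10.0.5.23", build_bind(0, DRSUAPI_IF)),
        ("10.0.0.10", "10.0.5.23", build_request(0, OP_GETNCCHANGES)),
    ]
    return [alert for alert in (mon.feed(*e) for e in events) if alert]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running demo() yields exactly two alerts, the DCSync pull from 10.0.5.23 and the DC fetching from 10.0.5.23, while the workstation's DsCrackNames over the same interface and the DC-to-DC pull stay silent. A deployable version still has to follow the endpoint mapper to the dynamic port, track contexts per TCP connection rather than per address pair, and keep the DC list current as DCs are promoted and demoted, which is the maintenance burden Darren describes.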

DonH posted this 5 weeks ago

Doing client calls over the same interface as replication was a crappy design decision that I didn't discover had been made that way until it was too late to change. We should have put those calls on a separate interface, and I should have been more watchful in the late 90s. My apologies.

Don Hacherl
Previous Millennium AD Guy

P.S. I think I've already apologized for also screwing up auxiliary classes, but in case I haven't done so on this forum: sorry.

Ravi.Sabharanjak posted this 5 weeks ago

No worries Don. The product is solid and you should take pride in that :)

chriss3 posted this 5 weeks ago

Product is still Awesome+1

darren posted this 5 weeks ago

Ok, yeah, makes sense. So I think in this case, if you can filter on endpoint UUID then you should be able to avoid breaking these calls 😊

Darren