Intranet penetration (72): domain privilege persistence with a fake domain controller

Fake domain controller

On January 10, 2022, Kaido, a foreign security researcher, published a document describing a new method of forging a domain controller. An attacker only needs to create a new machine account and set its UserAccountControl attribute to 8192; Active Directory then treats that machine account as a domain controller, and the account can be used to perform DCSync. Because modifying the UserAccountControl attribute of a machine account requires high privileges in the domain, this method is a domain privilege persistence technique rather than a way to gain those privileges.

This persistence method resembles DCShadow in that both forge a domain controller inside the domain. The difference is that DCShadow pushes malicious objects into the domain, whereas this method uses the DCSync function to dump the hash of any user in the domain.

Vulnerability principle

Why does setting the UserAccountControl attribute of a machine account to 8192 make Active Directory treat that account as a domain controller? First, look at the UserAccountControl attribute itself. Microsoft's official documentation lists the values this attribute can take, as shown in the figure:

[Figure: table of UserAccountControl attribute flag values from Microsoft's documentation]

The value 8192 corresponds to the SERVER_TRUST_ACCOUNT flag. As the figure shows, Microsoft describes this flag as "a computer account for a domain controller that is a member of this domain".

Therefore, once the UserAccountControl attribute of a machine account is set to 8192, Active Directory treats that machine account as a domain controller.
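The following is an added defensive example, not code from the original post or from the referenced research: it decodes the UserAccountControl bitmask and audits computer objects for the SERVER_TRUST_ACCOUNT flag, treating as suspicious any account that carries the flag but lacks the other traits of a genuine domain controller (residence in the Domain Controllers OU and primaryGroupID 516, the RID of the Domain Controllers group). The objects below are constructed sample data shaped like LDAP search results, not a real directory.

```python
# Added example: audit computer objects for a rogue SERVER_TRUST_ACCOUNT flag.
# Bit values are the documented userAccountControl flags; sample objects are constructed.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",  # 4096: an ordinary member computer
    0x2000: "SERVER_TRUST_ACCOUNT",       # 8192: AD treats the account as a DC
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
SERVER_TRUST_ACCOUNT = 0x2000
DOMAIN_CONTROLLERS_RID = 516  # primaryGroupID every genuine DC carries


def decode_uac(value):
    """Return the names of the userAccountControl flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_suspicious_dc(obj):
    """True if obj claims DC status via UAC but is not in the DC OU with the DC primary group."""
    if not obj["userAccountControl"] & SERVER_TRUST_ACCOUNT:
        return False
    in_dc_ou = "ou=domain controllers," in obj["distinguishedName"].lower()
    return not (in_dc_ou and obj["primaryGroupID"] == DOMAIN_CONTROLLERS_RID)


def find_rogue_dcs(objects):
    """Return sAMAccountNames of objects that look like forged domain controllers."""
    return [o["sAMAccountName"] for o in objects if is_suspicious_dc(o)]


# Constructed sample: a real DC (8192 | 524288 = 532480), a workstation, and an
# ordinary computer object whose UAC was changed to 8192 (the pattern described above).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480, "primaryGroupID": 516,
     "distinguishedName": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example"},
    {"sAMAccountName": "WS01$", "userAccountControl": 4096, "primaryGroupID": 515,
     "distinguishedName": "CN=WS01,CN=Computers,DC=corp,DC=example"},
    {"sAMAccountName": "SRV07$", "userAccountControl": 8192, "primaryGroupID": 515,
     "distinguishedName": "CN=SRV07,CN=Computers,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for o in SAMPLE_OBJECTS:
        print(o["sAMAccountName"], decode_uac(o["userAccountControl"]))
    print("suspicious:", find_rogue_dcs(SAMPLE_OBJECTS))
```

In a live environment the same check can be fed from an LDAP query for computer objects with the 8192 bit set, and a change to that bit also surfaces as a computer-account-changed audit event on the domain controller where the modification was written.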

[Figure: Microsoft's description of the SERVER_TRUST_ACCOUNT (8192) flag]

Forged domain controller attack


Source: blog.csdn.net/qq_64973687/article/details/130673254