Configuration Naming Context Replication

The Configuration Naming Context (NC) serves as the repository for forest-wide configuration data in Active Directory, necessitating its replication across the entire AD forest. The Distinguished Name (DN) for this context is CN=Configuration,DC=domain,DC=com, wherein DC=domain,DC=com denotes the DN of the forest root domain.

The Configuration NC is the primary repository for configuration information for a forest and is replicated to every domain controller in the forest. Additionally, every writable domain controller in the forest holds a writable copy of the Configuration NC.

To access the NC, follow these steps:

1. Open the Active Directory Services Interfaces (ADSI) Edit tool adsiedit.msc

2. Click on Action in the menu bar

3. Select Connect to... from the dropdown menu

4. In the Connection Settings window, under Select a well-known Naming Context, choose Configuration

5. Click OK to connect

6. Once connected, you will have access to the Configuration Naming Context, where you can view and manage configuration settings for Active Directory

Any modifications made to an object within Configuration at the forest root level will be replicated downwards to all domains within the forest and vice-versa: if an object within Configuration undergoes a change in a child domain, that alteration will propagate upwards to the forest root.

NC Replication Abuse

Configuration Naming Context (NC) replication abuse refers to a offensive tactic wherein attackers exploit the replication mechanism of the Configuration Naming Context in Active Directory to propagate unauthorized changes or configurations across the domain infrastructure.

To retrieve the Access Control List (ACL) rights associated with the DN for the NC we can use the Get-Acl cmdlet from a high-integrity shell.

$dn = "CN=Configuration,DC=DOMAIN,DC=COM"
$acl = Get-Acl -Path "AD:\$dn"
$acl.Access | Where-Object {$_.ActiveDirectoryRights -match "GenericAll|Write" }

Let's take a look at some dummy output

ActiveDirectoryRights : GenericAll
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SYSTEM
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAIN\Domain Admins
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : GenericAll
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAIN\Enterprise Admins
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None  

User	Rights on Configuration Naming Context (NC)
NT AUTHORITY\SYSTEM	Full Control
INLANEFREIGHT\Domain Admins	Read all, List all, Write all, All Extended rights
INLANEFREIGHT\Enterprise Admins	Full Control

We can see that NT AUTHORITY\SYSTEM has GenericAll over the NC.

On a child domain's DC, a SYSTEM account has the authority to make modifications to the Configuration Naming Context within the forest by querying its local replica; any alterations initiated in this context will propagate back to the parent domain.

To abuse these privileges we can:

• carry out ADCS attacks
• manipulate GPOs
• change DNS entries
• execute GoldenGMSA attacks