# Configuration Naming Context Replication

The Configuration Naming Context (NC) serves as the repository for forest-wide configuration data in Active Directory, necessitating its replication across the entire AD forest. The Distinguished Name (DN) for this context is `CN=Configuration,DC=domain,DC=com`, wherein `DC=domain,DC=com` denotes the DN of the forest root domain.

> The Configuration NC is the primary repository for configuration information for a forest and is replicated to every domain controller in the forest. Additionally, every writable domain controller in the forest holds a writable copy of the Configuration NC.

To access the NC, follow these steps:

1. Open the Active Directory Services Interfaces (ADSI) Edit tool `adsiedit.msc`
2. Click on `Action` in the menu bar
3. Select `Connect to...` from the dropdown menu
4. In the `Connection Settings` window, under `Select a well-known Naming Context`, choose `Configuration`
5. Click `OK` to connect
6. Once connected, you will have access to the `Configuration Naming Context`, where you can view and manage forest-wide configuration settings for Active Directory.


Any modification made to an object within the Configuration NC at the forest root level is `replicated downwards` to every domain in the forest, and vice versa: if an object within the Configuration NC is changed in a child domain, that change propagates `upwards` to the forest root.

#### NC Replication Abuse

Configuration Naming Context (NC) replication abuse refers to an offensive tactic wherein attackers exploit the `replication` mechanism of the `Configuration Naming Context` in Active Directory to propagate unauthorized changes or configurations to every domain in the forest.

To retrieve the `Access Control List (ACL)` rights associated with the DN of the NC, we can use the `Get-Acl` cmdlet from a high-integrity shell.

```powershell
# Requires the ActiveDirectory module, which also provides the AD: PSDrive that Get-Acl uses
Import-Module ActiveDirectory
$dn = "CN=Configuration,DC=DOMAIN,DC=COM"
$acl = Get-Acl -Path "AD:\$dn"
# Keep only ACEs that grant full control or some form of write access
$acl.Access | Where-Object { $_.ActiveDirectoryRights -match "GenericAll|Write" }
```

Let's take a look at some dummy output:

```
ActiveDirectoryRights : GenericAll
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SYSTEM
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAIN\Domain Admins
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : GenericAll
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAIN\Enterprise Admins
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None
```

| **User**                          | **Rights on Configuration Naming Context (NC)**    |
| --------------------------------- | -------------------------------------------------- |
| `NT AUTHORITY\SYSTEM`             | Full Control                                       |
| `INLANEFREIGHT\Domain Admins`     | Read all, List all, Write all, All Extended rights |
| `INLANEFREIGHT\Enterprise Admins` | Full Control                                       |

We can see that `NT AUTHORITY\SYSTEM` has `GenericAll` over the NC.

{% hint style="info" %}
On a child domain's DC, the `SYSTEM` account has the authority to modify the Configuration Naming Context of the forest by writing to its local replica; any alteration made there replicates back to the parent domain and to every other domain controller in the forest.
{% endhint %}
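Because any writable DC can introduce changes into the Configuration NC, a defender's check is to audit which principals hold write-capable rights on it. The following script is an added example (not part of the original page) that resolves the NC from the RootDSE, walks the NC root and its top-level containers, and reports write-capable ACEs granted to anyone outside an expected-principal list; that list is an assumption and should be adjusted per forest.

```powershell
# Added audit example: report unexpected write-capable ACEs on the Configuration NC.
Import-Module ActiveDirectory

# Resolve the Configuration NC DN from the RootDSE instead of hard-coding it
$cfgNC = (Get-ADRootDSE).configurationNamingContext

# Principals expected to hold write rights on the NC (assumption: tune for your forest)
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    '*\Enterprise Admins',
    '*\Domain Admins'
)

# Rights that let a principal change objects, DACLs or owners inside the NC
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|CreateChild|Delete'

# Audit the NC root plus its top-level containers (Sites, Services, Partitions, ...)
$targets = @($cfgNC) + (Get-ADObject -SearchBase $cfgNC -SearchScope OneLevel -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs that carry a write-capable right are interesting here
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $writeRights) { continue }

        $id = $ace.IdentityReference.Value
        $isExpected = $false
        foreach ($pattern in $expected) {
            if ($id -like $pattern) { $isExpected = $true; break }
        }

        if (-not $isExpected) {
            [pscustomobject]@{
                Object    = $dn
                Identity  = $id
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Any row returned is a principal that can push changes into the forest-wide Configuration NC and deserves review; pipe the output to `Export-Csv` to baseline it and diff future runs.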

To abuse these privileges we can:

* [carry out ADCS attacks](/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/adcs-nc-replication-attack.md)
* [manipulate GPOs](/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/gpo-on-site-attack.md)
* [change DNS entries](/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/dns-trust-attack.md)
* [execute GoldenGMSA attacks](/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/goldengmsa-attack.md)
