Understanding Active Directory attacks is vital for one simple reason: Active Directory provides the essential authentication and authorization services that keep your IT ecosystem running. Any adversary who gains control over your Active Directory can steal your sensitive data, launch ransomware or bring your business to a standstill.
But how exactly does an Active Directory attack unfold? What are the most common Active Directory attacks, and what steps can organizations take to mitigate their risk? Read on to find out.
The five stages of cyberattacks
Active Directory attacks follow the same five stages of any cyberattack: reconnaissance, planning, intrusion, lateral movement and privilege escalation, and exfiltration and cleanup.
Adversaries start by identifying target organizations and collecting information about them — what valuable data they might be able to steal, how big a payoff they could get from a ransomware attack, how strong the organization’s cybersecurity posture is, and so on. Reconnaissance can involve using public sources such as tax records, job postings and social media to discover what systems and applications the organization uses, the names of its employees, and so on. And it can also involve active techniques like network and port scanning to understand the target organization’s network architecture, firewalls, intrusion detection programs, operating systems, applications and services, as well as the access provided to third-party vendors, contractors and others.
Next, the adversary determines which attack vector to use for infiltration. Examples include exploiting a zero-day vulnerability, launching a phishing campaign such as a business email compromise (BEC) attack, or even bribing an employee to provide credentials or deploy malware.
The adversary then uses the chosen attack vector to attempt to breach the organization’s network perimeter. For instance, the adversary might succeed in guessing an employee’s credentials in a password spraying, credential stuffing or brute force attack; gain entry through an unpatched or misconfigured system; or trick an employee into launching malware hidden in a malicious attachment to a phishing email.
4. Lateral movement and privilege escalation
Once an adversary has gained an initial foothold in the network, they will seek to escalate their privileges and compromise additional systems to locate sensitive data and other critical resources.
They also want to maintain their access. That means evading detection using strategies like causing systems to falsely report that everything is working normally. It also often involves ensuring that they can get back in if they are spotted and booted out using persistence techniques such as creating new user accounts, modifying registry settings, setting up PowerShell scripts and installing backdoors.
5. Exfiltration and cleanup
Last, the adversary exfiltrates or encrypts the organization’s data, or perhaps corrupts systems to disrupt business operations. In addition, they often also use their privileged access to disable backups and cover their tracks in order to thwart investigations and keep the organization from enhancing their defenses against future attacks. Techniques include uninstalling programs or scripts used in the attack, deleting any folders or accounts that they created, and modifying, corrupting or deleting audit logs.
Common Active Directory attacks and defense strategies
Some of these phases are not system-specific. For example, hackers can use phishing attacks to gather credentials for any corporate network. But some of the phases, especially lateral movement and privilege escalation, exploit specific features of the IT ecosystem that has been penetrated. Here are some of the top techniques used specifically in Active Directory attacks.
Attack path mapping
A key goal for an adversary is to gain membership in a highly privileged Active Directory security group. In particular, an attacker who controls an account that is a member of the Domain Admins group has unlimited power in the domain.
Unfortunately, all too often, becoming a Domain Admin is far easier than it ought to be. Adversaries can use an open-source tool called BloodHound to identify Active Directory attack paths — chains of abusable privileges and actions that could enable an attacker who compromises a user account to gain administrative privileges. An attack path often involves a combination of concealed permissions, unconstrained delegation, nested group membership and inherent security gaps in AD architecture.
BloodHound provides hackers with a clear, graphical view of Active Directory attack paths and therefore a roadmap to control of the entire domain. In many organizations, a very high proportion of ordinary user accounts offer an attack path that leads to Domain Admin rights in just a handful of steps.
The strategy for defending against this type of Active Directory attack is two-fold:
- Proactively minimize the attack paths available for hackers to find and exploit by identifying and mitigating them through attack path management using Active Directory attack path management software
- Zealously monitor any Active Directory attack paths you’ve been unable to yet mitigate, as well as watch for other suspicious activity in your environment, using a real-time threat monitoring and change management solution.
Exploiting Group Policy
Group Policy is an extremely powerful feature of Active Directory. It enables centralized management of users and computers through groups of related settings called Group Policy objects (GPOs). Administrators can use GPOs to accomplish literally thousands of important goals: Lock out accounts after a certain number of incorrect passwords, block unidentified users on remote computers from connecting to a network share, disable the command prompt on users’ machines, and more.
But like most powerful tools, Microsoft Windows Group Policy is a two-edged sword — by creating or deleting GPOs or altering GPO settings, hackers can undermine a wide swath of your defenses against lateral movement, privilege escalation and data theft.
The process for abusing Group Policy is fairly straightforward. Once an attacker has compromised a user account in your IT environment, they can use an open-source tool like BloodHound, PowerSploit or Mimikatz to review your GPOs and figure out which user accounts will provide them with access to the ones they need to complete their Active Directory attack. (Indeed, delegated access to modify GPOs is a common element in attack paths.) The adversary can use any of the credential-harvesting attacks mentioned earlier to compromise the necessary account and then begin reshaping Group Policy to suit their malicious purposes.
To defend against this type of Active Directory attack, you need effective Group Policy management. Two strategies in particular are invaluable: Pare the number of accounts with GPO access rights down to a bare minimum, and block changes to your crucial GPO settings.
DCSync attacks abuse the Microsoft Directory Replication Service, a legitimate Active Directory service that cannot be disabled. An attacker who has compromised an account with domain replication privileges can use the open-source tool Mimikatz to run the DCSync command. This command enables them to impersonate an AD domain controller (DC) and make a replication request. In response, they receive password hashes from real DCs, which the hacker can then use in Active Directory attacks like Pass the Hash, Golden Ticket and Silver Ticket (described below).
DCShadow is another Mimikatz command that enables an attacker with privileged credentials to impersonate a domain controller. But instead of receiving information from a replication request like DCSync, DCShadow uses replication to push out changes to a domain. Since the changes are made through replication rather than direct user action, these Active Directory attacks are hard to detect.
For example, the adversary can make an account they have compromised a member of Domain Admins, and then replicate that change to other DCs, thereby gaining elevated rights across the domain. Moreover, they could then remove all the other users from Domain Admins group to gain exclusive control of the domain.
To reduce the risks from these Active Directory attacks, organizations should minimize the number of accounts that have domain replication permissions and audit activity across the AD environment.
Exploiting NTLM authentication
Pass the Hash attacks
Pass the Hash is an Active Directory attack that exploits the NTLM authentication protocol. In a nutshell, this Active Directory attack enables an adversary to compromise AD accounts without ever knowing their cleartext passwords (the actual string of characters that the individual types to log in). Instead, all the hacker needs is the hash of the password — an encrypted version of the password that NTLM uses to authenticate the user. Using a hacking tool like Mimikatz, they can use the password hash to send a logon request and respond properly to the domain controller’s logon challenge.
Pass the Hass is especially dangerous because attackers can easily harvest password hashes from the LSASS memory of a system they are logged into — which might well include the password hashes of privileged accounts left behind when an IT pro logs into a user’s machine locally or uses RDP to work remotely on an issue. Using those hashes, they can steal sensitive data, install remote access tools (RATs) and more.
The most obvious way to defend against Pass the Hash is to get rid of NTLM. After all, NTLM was replaced as the default authentication protocol by Kerberos way back in Windows 2000. However, many corporate applications still require NTLM, so organizations often cannot simply disable it altogether (though it’s wise to make every effort to disable at least the weaker NTLMv1).
Fortunately, there are multiple other strategies for defending against Pass the Hash attacks. They include auditing logon activity, limiting lateral movement with attack path management, using managed service accounts (MSAs), and not allowing domain administrators to use their privileged accounts to log into workstations (not even their personal machines!).
Exploiting Kerberos authentication
Kerberos is a much stronger authentication protocol than NTLM, but guess what — attackers have devised methods to abuse it, too. With Kerberos, users never directly authenticate themselves to the various services they need to use, such as file servers. Instead, the Kerberos Key Distribution Center (KDC), which runs on every DC, issues a ticket granting ticket (TGT), which includes a unique session key and a timestamp that specifies how long that session is valid (normally 8 or 10 hours). When the user needs access to resources, they don’t have to re-authenticate; their client machine simply sends the TGT along to prove that the user has already been recently authenticated.
Importantly, before sending a TGT, the KDC encrypts it using the password hash for a special account, the KRBTGT account. That password hash is shared among all the DCs in the Active Directory domain so that they can read the TGTs they receive when users request access to various resources.
In a Golden Ticket attack, the adversary steals the password hash of the KRBTGT account, which enables them to bypass the KDC and create TGTs (Golden Tickets) themselves. In other words, they can act as if they are the DC, which enables them to access to anything on the network.
Silver Tickets are more limited than Golden Tickets because they provide access to only a particular service account. Nevertheless, they can still be quite devastating and, moreover, they’re harder to detect. Here’s how a Silver Ticket attack works: An adversary who has compromised the credentials of a valid domain user can request a TGS for a service, such as SharePoint or SQL Server. They can then extract the hash of the service account’s password and use it to forge additional TGS tickets (Silver Tickets) for that service.
In a Kerberoasting attack, an adversary who has compromised the credentials of a valid domain user can request a TGS for a service (such as SharePoint) and then attempt to crack the service account’s password offline using a readily available password-cracking tool such as Hashcat or John the Ripper.
Strategies for defending against these attacks include the following:
- Change the KRBTGT password on a regular schedule and whenever a person who had the ability to create Golden Tickets leaves your organization.
- Minimize the number of accounts that can access the KRBTGT password hash.
- Don’t give end users admin authority on their workstations, and don’t let admins log on to end-user computers.
- Use MSAs to ensure that service account passwords are rotated on a regular basis.
- Invest in an Active Directory monitoring and protection solution that can spot activity indicative of these attacks and alert you immediately.
While this blog post details some of the top Active Directory attacks and offers strategies for defending against them, it’s best not to take a piecemeal approach to Active Directory security. With the threat landscape constantly evolving and IT ecosystems growing in complexity, it’s wiser than ever to implement a thoughtful defense-in-depth strategy. A great way to get started is with the core best practices laid out in the blog post “8 ways to secure your Active Directory environment.”
Active Directory security risk assessment
Active Directory is a favorite target for cyber attackers. Learn why current defenses aren’t enough, how risk assessments can go wrong and a better approach for security.Download e-Book