Last Update: May 10, 2024 | Published: Sep 16, 2020
This post is sponsored by Semperis
For twenty years, Active Directory (AD) has been the cornerstone of identity management. Despite the popularity of cloud computing, AD remains a key part of the infrastructure that almost every IT service relies on for its security.
Active Directory was designed for a world without cloud computing, and before attacks by nation-states and organized criminal groups were a routine concern. Despite that new reality, the fundamental design of AD has not changed since its release: the hardening features Microsoft has added since (such as the Protected Users group, authentication policies and Credential Guard) are opt-in rather than the default. And with more people working from home during the COVID-19 pandemic, AD is more exposed than ever.
AD can be extended to support single sign-on to cloud services such as Microsoft 365 and other line-of-business apps. AD user accounts and password hashes are synchronized to Azure AD (now Microsoft Entra ID), Microsoft's cloud-based identity platform, using a tool called Azure AD Connect. Devices can also be joined to an AD domain and registered with Azure AD at the same time (hybrid join). Because AD plays a critical security role in authenticating users to both on-premises and cloud resources, it must be properly managed and secured.
Active Directory is hard to secure because it has hundreds of settings that are complex to manage, and management best practices are rarely implemented, leaving it exposed. Every resource that depends on AD inherits its trust, so if AD is compromised, organizations must assume that all of those resources are compromised too.
Freely available tools such as BloodHound, PowerSploit and Mimikatz make it simple, even for attackers with little experience, to find and exploit these weaknesses and take over a domain.
BloodHound is a free tool that collects AD relationships (group memberships, logon sessions, ACLs and local admin rights) and uses graph theory to expose the shortest path from a foothold to a target such as membership of the Domain Admins group. Each edge in the graph carries help text explaining how that relationship can be abused, so an attacker can follow the path step by step.
PowerView's Invoke-ACLScanner function, part of PowerSploit, enumerates the access control lists (ACLs) of AD objects and reports the access control entries whose trustee has a relative identifier (RID) above 1000, that is, users and groups created after the domain was built rather than the default principals, and whose rights allow modifying the object (for example GenericAll, WriteDacl, WriteOwner or WriteProperty). Its output makes it easy to spot delegated permissions that could be abused for privilege escalation.
Another well-known tool, Mimikatz, extracts credentials from the memory of the LSASS process, including plaintext passwords (where legacy providers such as WDigest still cache them), NTLM hashes, PINs and Kerberos tickets. Once an attacker has local administrative privileges on a device, Mimikatz gives them the credentials of everyone who has recently logged on to it, which is what they need to move laterally around the network.
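The ACL scan described above, written as an added example against the RSAT ActiveDirectory module rather than taken from PowerSploit. It assumes the module is installed and the AD: drive it creates is available, and it walks the domain head, OUs, groups, users, computers and GPOs, reporting allow entries with modify-level rights whose trustee has a RID above 1000.

```powershell
# Added example, not PowerSploit code: the idea behind Invoke-ACLScanner written
# against the RSAT ActiveDirectory module. Assumes the module is installed and
# the AD: drive it creates is available.
Import-Module ActiveDirectory

# Rights that let the trustee change the object itself, its attributes or its
# security descriptor. ExtendedRight is included because it covers rights such
# as "Replicating Directory Changes" (DCSync) on the domain head and password resets.
$modifyRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|Self|ExtendedRight'

function Get-RiskyAce {
    param(
        # Subtree to scan; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Trustees with a RID at or below this value are default principals and are skipped.
        [uint32]$MaxDefaultRid = 1000
    )
    $classes = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=group)(objectClass=user)(objectClass=computer)(objectClass=groupPolicyContainer))'
    foreach ($obj in Get-ADObject -SearchBase $SearchBase -LDAPFilter $classes) {
        # Get-Acl on the AD: drive returns the object's DACL as ActiveDirectoryAccessRule entries.
        $acl = Get-Acl -LiteralPath ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ActiveDirectoryRights -notmatch $modifyRights) { continue }
            # Resolve the trustee to a SID; trustees that cannot be resolved are skipped.
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }
            # The RID is the last sub-authority of the SID. Default principals
            # (Domain Admins 512, Administrators 544, SYSTEM S-1-5-18, ...) sit at
            # or below 1000 and are expected to hold these rights.
            $rid = [uint32]($sid.Value.Split('-')[-1])
            if ($rid -le $MaxDefaultRid) { continue }
            [pscustomobject]@{
                ObjectDN   = $obj.DistinguishedName
                Trustee    = $ace.IdentityReference.Value
                SID        = $sid.Value
                Rights     = $ace.ActiveDirectoryRights.ToString()
                # All-zero GUID means the whole object; otherwise the attribute,
                # property set or extended right the ACE is scoped to.
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage: list the findings grouped by trustee, or pipe to Export-Csv for review.
Get-RiskyAce | Sort-Object Trustee, ObjectDN | Format-Table -AutoSize
```

Expect noise from legitimately delegated groups (Exchange's management groups are a common example, since they are created after the domain and hold broad rights); the useful findings are the non-inherited entries on the domain head, on the Domain Admins and Domain Controllers groups, and on admin accounts, where a helpdesk or service group has write access it does not need.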
This post is sponsored by Semperis. You can learn more about their Active Directory solutions, including Directory Services Protector, an Active Directory threat detection and response platform.
In a few steps, an attacker can modify AD while avoiding detection. First they use Mimikatz to steal the credentials of a helpdesk user who has write permission on a privileged AD group, then add an account they control to that group, for example Domain Admins, which gives them access to domain controllers (DCs) and other servers.
Next, the attacker uses DCShadow to push changes without the usual audit trail. With the privileges just gained, they register a rogue DC: they create the server and nTDSDSA objects that represent it in the directory's Configuration partition (under the site's Servers container) and add DC-style service principal names to a computer account they control. They then use the Directory Replication Service (DRS) protocol to replicate changes that maintain persistence, such as a modified primaryGroupID or sIDHistory on their account, to the genuine DCs, and finally remove the rogue DC objects, which exist for only a few seconds.
Many of the techniques used to take over AD are hard to spot. DCShadow is a good example: because the malicious changes arrive at the genuine DCs through replication rather than through LDAP writes, they are not recorded as directory modifications in the Windows security event log of the DCs that apply them, which is where most monitoring looks. What can be observed is the registration of the rogue DC itself (the short-lived server and nTDSDSA objects in the Configuration partition, and DC-only SPNs appearing on a computer account that is not a DC) and DRS replication traffic coming from a host that is not a domain controller.
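A detection for the observable part of DCShadow, added here as an example and not part of the original post or of any vendor product. It hunts a DC's Security log for event 4742 (computer account changed) where a non-DC account gains the global catalog SPN or the DRS interface SPN, and for events 5137/5141 (directory object created/deleted) touching server or nTDSDSA objects under the Configuration partition. The latter two require "Audit Directory Service Changes" to be enabled and a SACL on the Configuration naming context. The sample events, the domain corp.example and the host names are constructed for the example.

```powershell
# Added example, not from the original post: look for the side effects of a
# DCShadow registration in a DC's Security log. The replicated changes are not
# audited as modifications, but registering the rogue DC is: the attacker's
# computer account gains DC-only SPNs (event 4742) and server/nTDSDSA objects
# appear briefly under the Configuration partition (5137 created, 5141 deleted).

# SPNs only genuine DCs carry: the global catalog SPN and the SPN of the
# Directory Replication Service RPC interface (named after its interface UUID).
$dcOnlySpnRegex = '^(GC/|E3514235-4B06-11D1-AB04-00C04FC2DCD2/)'

function ConvertTo-EventRecord {
    # Flattens a live EventLogRecord from Get-WinEvent into the simple shape the
    # detector uses, so constructed and real events look the same.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $Event.Id; Time = $Event.TimeCreated; Data = $data }
    }
}

function Find-DCShadowIndicator {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # sAMAccountNames (with trailing $) of the legitimate domain controllers.
        [Parameter(Mandatory)][string[]]$KnownDcAccounts
    )
    foreach ($e in $Events) {
        if ($e.Id -eq 4742) {
            $acct = $e.Data['TargetUserName']
            if ($KnownDcAccounts -contains $acct) { continue }
            # The SPN field is a whitespace-separated list, or "-" when unchanged.
            $spns = $e.Data['ServicePrincipalNames'] -split '\s+' | Where-Object { $_ }
            $hits = @($spns | Where-Object { $_ -match $dcOnlySpnRegex })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ Time = $e.Time; Id = 4742; Principal = $acct
                                   Reason = "DC-only SPN on a non-DC account: $($hits -join ', ')" }
            }
        }
        elseif ($e.Id -in (5137, 5141)) {
            $dn = $e.Data['ObjectDN']; $class = $e.Data['ObjectClass']
            # A DC is represented by a server object and its child nTDSDSA object
            # under CN=Servers,CN=<site>,CN=Sites,CN=Configuration.
            if (($class -in ('server', 'nTDSDSA')) -and ($dn -match 'CN=Sites,CN=Configuration,')) {
                $verb = if ($e.Id -eq 5137) { 'created' } else { 'deleted' }
                [pscustomobject]@{ Time = $e.Time; Id = $e.Id; Principal = $e.Data['SubjectUserName']
                                   Reason = "$class object $verb in the replication topology: $dn" }
            }
        }
    }
}

# Constructed sample events (not real log data): a helpdesk workstation gaining
# DC-only SPNs, the matching nTDSDSA creation, and a benign 4742 for a real DC
# that must not be flagged.
$sample = @(
    [pscustomobject]@{ Id = 4742; Time = [datetime]'2020-09-16T10:00:01'; Data = @{
        TargetUserName        = 'WS-HELPDESK01$'
        ServicePrincipalNames = "`n`t`tHOST/ws-helpdesk01`n`t`tGC/ws-helpdesk01.corp.example/corp.example`n`t`tE3514235-4B06-11D1-AB04-00C04FC2DCD2/0f2c9b41-8f4e-4c7a-9b3d-1c2e3f4a5b6c/corp.example" } }
    [pscustomobject]@{ Id = 5137; Time = [datetime]'2020-09-16T10:00:01'; Data = @{
        SubjectUserName = 'helpdesk.svc'
        ObjectClass     = 'nTDSDSA'
        ObjectDN        = 'CN=NTDS Settings,CN=WS-HELPDESK01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example' } }
    [pscustomobject]@{ Id = 4742; Time = [datetime]'2020-09-16T10:00:05'; Data = @{
        TargetUserName = 'DC01$'; ServicePrincipalNames = '-' } }
)
Find-DCShadowIndicator -Events $sample -KnownDcAccounts 'DC01$', 'DC02$' | Format-Table -AutoSize
```

Against a live DC, build the allow-list from `(Get-ADDomainController -Filter *).Name` with a trailing `$` appended to each name, pull the events with `Get-WinEvent -ComputerName <dc> -FilterHashtable @{ LogName = 'Security'; Id = 4742, 5137, 5141 }`, pipe them through `ConvertTo-EventRecord` and pass the result to `Find-DCShadowIndicator`. Legitimate DC promotions produce the same events, so correlate hits with change records; a server object that is created and deleted within seconds, or DRS replication traffic from an IP address that is not a DC, is the strong signal.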
Microsoft provides Group Policy security baselines for domain controllers as part of its free Security Compliance Toolkit. Another free tool, the Local Administrator Password Solution (LAPS), now built into Windows as Windows LAPS, gives every domain-joined device a unique, regularly rotated local administrator password that is stored in AD, where read access to it can be delegated. Unique local passwords stop an attacker who captures one machine's local administrator hash from reusing it on every other machine.
Minimizing the use of privileged credentials to manage AD is important because of the level of access they provide. Windows 10 Credential Guard uses virtualization-based security (VBS) to isolate domain credentials from the rest of the operating system, so they cannot be read from memory even if the kernel is compromised. Privileged access workstations (PAWs) are hardened, dedicated devices on which privileged credentials are used and nowhere else. Day-to-day operational tasks, such as managing users and resetting passwords, should be delegated to less privileged accounts rather than done with Domain Admin rights.
A tiered administration model further reduces the risk posed by privileged accounts. Microsoft's model defines three tiers: Tier 0 for identity systems such as domain controllers and the accounts that administer them, Tier 1 for servers and applications, and Tier 2 for workstations and standard users. Credentials from a higher tier are never used on a lower-tier device, which creates buffer zones between high-risk devices like PCs and high-value assets like domain controllers.
Tiered administration makes lateral movement around the network harder. Attackers commonly use Pass-the-Hash, replaying a stolen NTLM hash without having to crack it, to move from PCs to more sensitive systems like domain controllers; tiering defeats this because no credential that works on a DC is ever exposed on a PC. Microsoft's documentation on mitigating Pass-the-Hash and other credential theft covers these controls in detail.
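Three posture checks for the controls covered in the last four paragraphs (LAPS coverage, Tier 0 accounts outside Protected Users, and whether Credential Guard is actually running), added as an example that is not part of the original post. It assumes the RSAT ActiveDirectory module; the Credential Guard check reads the local machine's Device Guard WMI class, so run it on the workstation or PAW you want to verify. The function names are my own.

```powershell
# Added example, not from the original post: three posture checks for the
# controls discussed above. Assumes the RSAT ActiveDirectory module; the
# Credential Guard check runs on the local machine only.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    # Computers whose local administrator password is (or is not) managed by
    # LAPS. Legacy LAPS writes ms-Mcs-AdmPwdExpirationTime, Windows LAPS writes
    # msLAPS-PasswordExpirationTime; either being set means the password is
    # managed. Only attributes present in the schema are requested, because
    # asking for an unknown attribute makes Get-ADComputer fail.
    $schemaNc   = (Get-ADRootDSE).schemaNamingContext
    $candidates = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
    $present = @(foreach ($a in $candidates) {
        if (Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$a)") { $a }
    })
    if ($present.Count -eq 0) { Write-Warning 'No LAPS schema extension found: no computer is LAPS-managed.' }
    # Skip domain controllers (userAccountControl bit 8192) and disabled
    # accounts (bit 2); LAPS does not manage DCs.
    $filter = '(&(!(userAccountControl:1.2.840.113556.1.4.803:=8192))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADComputer -LDAPFilter $filter -Properties (@('operatingSystem') + $present) | ForEach-Object {
        $expiry = $null
        foreach ($a in $present) {
            # Expiration is stored as a FILETIME large integer.
            if ($_.$a) { $expiry = [datetime]::FromFileTimeUtc([int64]$_.$a) }
        }
        [pscustomobject]@{ Name = $_.Name; OS = $_.operatingSystem
                           LapsManaged = [bool]$expiry; PasswordExpires = $expiry }
    }
}

function Get-Tier0AccountNotProtected {
    # Members of the Tier 0 groups who are not in Protected Users. Membership of
    # Protected Users disables NTLM, RC4/DES Kerberos keys and credential
    # delegation for the account, which blunts Pass-the-Hash and ticket theft.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty distinguishedName)
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' -and $_.distinguishedName -notin $protected } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName; DN = $_.distinguishedName } }
    }
}

function Test-CredentialGuard {
    # Local check via the Device Guard WMI class: VirtualizationBasedSecurityStatus
    # 2 means VBS is running, and a 1 in SecurityServicesRunning means
    # Credential Guard is active (2 in that list would be HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

# Usage: unmanaged computers, unprotected Tier 0 accounts, local Credential Guard state.
Get-LapsCoverage | Where-Object { -not $_.LapsManaged } | Format-Table -AutoSize
Get-Tier0AccountNotProtected | Format-Table -AutoSize
Test-CredentialGuard
```

Treat the Protected Users finding as a to-do list rather than a bulk change: adding an account to the group breaks anything that still needs NTLM or constrained delegation for it, so move admin accounts in one at a time after confirming their logon paths are Kerberos only. Service accounts and computer accounts do not belong in the group at all.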
AD is a prime target for attackers, so even if you are not responsible for its operation, it is worth considering how a weakness in AD exposes your entire infrastructure and what you can do to protect it. Organizations should identify who is responsible for securing AD and implement security and management best practices.
Using third-party tools to detect weak configurations, and staying one step ahead of attackers, reduces the likelihood that a compromised AD will lead to your organization making headlines.