Active Directory compromise: Cybersecurity agencies provde guidance
Active Directory (AD), Microsoft’s on-premises directory service for Windows domain networks, is so widely used for enterprise identity and access management that compromising it has become almost a standard step in cyber intrusions.
“Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues,” Five Eyes cybersecurity agencies have clarified in a recently released guide for detecting and mitigating AD compromises.
“Gaining control of Active Directory can enable malicious actors with a range of intentions, whether they be cyber criminals seeking financial gain or nation states conducting cyber espionage, to obtain the access they need to achieve their malicious objectives in the victim’s network.”
Microsoft AD attacks, mitigations, and detection
Active Directory provides several services:
- Domain Services (AD DS) – authentication and authorization, enforcing security policies
- Federation Services (AD FS) – federated identity and access management
- Certificate Services (AD CS) – issuing/managing public key infrastructure certificates (e.g., for secure communication)
- Lightweight Directory Services (AD LDS) – directory services for applications
- Rights Management Services (AD RMS) – information rights management
“For many organisations, Active Directory consists of thousands of objects interacting with each other via a complex set of permissions, configurations and relationships. Understanding object permissions and the relationships between those objects is critical to securing an Active Directory environment,” the agencies noted, and enumerated some tools that can be used to that end.
Attackers use Active Directory for privilege escalation, reconnaissance, lateral movement and persistence, by leveraging a wide variety of techniques such as kerberoasting, password spraying, MachineAccountQuota compromise, golden certificate, Microsoft Entra Connect compromise, and many others.
Each of these is explained in the guide, accompanied with a list of security controls that can mitigate them and a list of logged events that could point to compromise.
But “because many Active Directory compromises exploit legitimate functionality and generate the same events that are generated by normal activity,” the agencies also recommend using canary objects.
“Evicting the most determined malicious actors can require drastic action, ranging from resetting all users’ passwords to rebuilding Active Directory itself. Responding to and recovering from malicious activity involving Active Directory compromise is often time consuming, costly, and disruptive. Therefore, organisations are encouraged to implement the recommendations within this guidance to better protect Active Directory from malicious actors and prevent them from compromising it,” they concluded.
Check out these open-source tools:
SOAPHound: A tool for collecting Active Directory data via ADWS
Adalanche: An Active Directory visualizer and explorer tool
GOAD: A pentesting lab for practicing common AD attack techniques
BloodHound: Pentesting solution that maps attack paths in AD and Azure environments