Researchers have discovered a way for attackers to access and change the password of a user's Active Directory account without being detected by log-based security tools such as SIEMs.
The researchers, from AD security firm Aorato, say this is a severe flaw partly because of the ubiquity of Active Directory and partly because it allows attackers to do something that they may not be able to do even with physical access to a user's machine.
As lead researcher Tal Be'ery explains, if someone goes to get coffee, walks away from his or her desk, and forgets to lock his or her screen, a ne'er-do-well can sneak by, get physical access to the machine, and do basically anything that the logged-in user can do ... except change the password, if that person doesn't know the current one. That's why this new attack Aorato describes is significant, according to Be'ery.
Obviously, if the compromised account is one that's used often, someone will notice the password has been changed as soon as the individual tries and fails to log in. However, Be'ery points out that if this is done on a weekend, an attacker may evade notice for 48 hours. Plus, attackers could go after a dormant account to stay under the radar longer.
As Aorato explains in its report, the attacker first uses a publicly available free penetration testing tool (such as WCE or Mimikatz) to steal the user's NTLM hash -- a hash of the user's password that Windows keeps by default on devices that connect to enterprise resources.
NTLM is known to be a bit of a security hazard in its own right, and therefore lots of organizations log NTLM activity. The attack's next two steps, as Aorato describes them in the report:
2. The attacker forces the client to authenticate to Active Directory using a weaker encryption protocol. At this stage, the attacker uses the Active Directory flaw where the encryption protocol relies on the NTLM hash.
This activity is not logged in system and third-party logs -- even those that specifically log NTLM activity. As a result, no alerts or forensic data ever indicate that an attack takes place.
3. The attacker proves its so-called legitimate identity to Active Directory using the weaker authentication protocol.
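The "weaker encryption protocol" in step 2 is the Kerberos RC4-HMAC encryption type, whose key is defined (RFC 4757) as MD4 over the UTF-16LE password, which is exactly the NTLM hash stolen in step 1; the AES encryption types instead derive their key from the password with a per-account salt and 4096 PBKDF2 iterations (RFC 3962), so the hash alone does not yield them. The Python below is an added example, not code from Aorato's report, that makes this concrete: it computes the NT hash, shows it is byte-for-byte the RC4-HMAC Kerberos key, and shows the AES derivation diverges. It assumes a user account's AES salt is the upper-case realm followed by the account name (Active Directory's default for user principals), uses constructed sample values (password "password", realm CORP.EXAMPLE, users alice and bob), and carries a compact pure-Python MD4 so it runs where OpenSSL no longer exposes MD4. The AES string-to-key's final DK step is omitted because it needs an AES implementation; the PBKDF2 stage is enough to show the contrast.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Compact MD4 (RFC 1320); included only so the example runs without OpenSSL's legacy provider."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:            # round 1: F = (b & c) | (~b & d), no additive constant
                f, k, s, add = (bb & cc) | (~bb & dd), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:          # round 2: G = majority(b, c, d), word order 0,4,8,12,1,5,...
                j = i - 16
                f, k, s, add = (bb & cc) | (bb & dd) | (cc & dd), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:                 # round 3: H = b ^ c ^ d, word order 0,8,4,12,2,10,...
                j = i - 32
                f, k, s, add = bb ^ cc ^ dd, r3_order[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            # Each step updates one register; the others rotate into place for the next step.
            aa, bb, cc, dd = dd, _rotl((aa + f + x[k] + add) & MASK, s), bb, cc
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NTLM (NT) hash as stored by Active Directory and dumped by pass-the-hash tools."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_kerberos_key(password: str) -> bytes:
    """RFC 4757 string-to-key for Kerberos etype 23 (RC4-HMAC): K = MD4(UNICODE(P)).
    No salt and no iteration count, so the key is the NT hash itself."""
    return md4(password.encode("utf-16-le"))


def aes_pbkdf2_stage(password: str, realm: str, sam_account_name: str, key_len: int = 16) -> bytes:
    """First stage of the RFC 3962 string-to-key used by the AES etypes (17 and 18):
    PBKDF2-HMAC-SHA1 over the password with the principal's salt and 4096 iterations.
    Assumption: AD's default user salt, upper-case realm + case-sensitive account name.
    The real key applies one more DK step with AES on top of this; omitted here."""
    salt = (realm.upper() + sam_account_name).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, key_len)


def keys_for(password: str, realm: str, sam_account_name: str) -> dict:
    """Side-by-side view of what each etype's key is derived from for one account."""
    return {
        "nt_hash": nt_hash(password),
        "rc4_hmac": rc4_hmac_kerberos_key(password),
        "aes128_pbkdf2": aes_pbkdf2_stage(password, realm, sam_account_name, 16),
        "aes256_pbkdf2": aes_pbkdf2_stage(password, realm, sam_account_name, 32),
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    k = keys_for("password", "CORP.EXAMPLE", "alice")
    print("NT hash          :", k["nt_hash"].hex())
    print("RC4-HMAC Kerberos:", k["rc4_hmac"].hex(), "(identical: stolen hash == Kerberos key)")
    print("AES128 stage     :", k["aes128_pbkdf2"].hex(), "(salted, iterated; not derivable from the hash)")
    print("bob's AES128     :", aes_pbkdf2_stage("password", "CORP.EXAMPLE", "bob").hex(), "(same password, different salt)")
```

Running it shows the point of step 2: an attacker who holds the NT hash already holds the RC4-HMAC Kerberos key and can obtain tickets as the user, while the AES keys for the same password differ per account and cannot be produced from the hash, which is why the attack needs the client to fall back to RC4.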
According to Be'ery, when Aorato responsibly disclosed this, Microsoft said it does not consider this a vulnerability but rather part of Active Directory's design. Be'ery says, "We argue that it doesn't matter. A flaw is a flaw is a flaw."