Active Directory is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data. Incident responders find the service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.

Anurag Khanna and Thirumalai Natarajan Muthiah, both principal consultants with Mandiant Consulting, have been observing Active Directory as an attack vector for more than 10 years. Khanna estimates about 90% of attacks their team investigates involve Active Directory in some form, whether it was the initial attack vector or targeted to achieve persistence or privileges.

Active Directory has been around since Windows 2000 but has become a priority for both attackers and defenders in recent years, he says.

"There have been other technologies which have come out, but most of the organizations we work with still use Active Directory for their primary identity," Khanna explains. "And of late, identity has become more important as we go into the cloud, as we move into new services."

In their incident response investigations, Khanna and Muthiah see attackers conduct privilege escalation to move laterally, persist in target environments, and blend in. Backdoors and misconfigurations on Active Directory systems provide attackers with long-term privileges. Some use Active Directory to deploy ransomware across domainwide systems, Muthiah adds.

"So it's not just to reach the crown jewels to extract the data alone; the attackers are also using Active Directory as a living-off-the-land technique in order to push binaries across domainwide systems," he says.

When it comes to attack methods, intruders often have several options. Some gain access via social engineering or phishing; some exploit vulnerabilities or misconfigurations to access Active Directory. In one technique Khanna has observed, the attacker can adjust the registry configuration so the password for an Active Directory system account doesn't change every 30 days. If the password doesn't change, and the attacker has stolen the account's password hash, that person can access the machine with a tactic commonly known as a silver ticket attack, he says.

"That means for a period of a year, or two years, depending on how the attacker puts that backdoor in, they have access to that machine — and those can be critical," Khanna adds.

[Khanna and Muthiah will discuss more about detecting threats in their upcoming Black Hat Asia briefing, "Threat Hunting in Active Directory Environment," on Thursday, May 6.]

Because Active Directory is a large attack surface with many moving parts, it's usually not difficult for an attacker to succeed, Khanna says. The researchers advise blue teams to not be reactive and wait for an incident to trigger an alert, and instead to conduct their own threat hunting and look for misconfigurations, backdoors, and signs an attacker has accessed their environment.

"Organizations are doing a better job in detecting things which are malicious, in terms of malware and what attackers are doing," he explains. "But configuration issues, living-off-the-land techniques — they are still really, really hard to detect."

Microsoft has baked in new Active Directory security features over time, they note, but it takes a while for many businesses to upgrade their systems and catch up. Some may not have dedicated security teams and lack the resources to strongly focus on Active Directory; others may still run legacy applications that prohibit them from upgrading to the new versions that come with added built-in security features.

"We see organizations where the blue teamers know they are missing security features just because of not migrating a legacy application due to various challenges," Muthiah says, noting it's a common problem. "A lot of customers are definitely still sticking to legacy applications and they couldn't enable a lot of auditing features in Active Directory because of that."

In addition to active threat hunting, Khanna urges organizations to adopt multifactor authentication — "we still work with organizations which do not have MFA enabled on external facing services, on their M365 email services," he says, and use unique local admin passwords. Many organizations still use the same local admin account in a large fleet of their systems; if compromised, this could enable attackers to move laterally from one machine to another.

Implementing these steps, both widely known best practices, can "drastically" improve an organization's Active Directory security posture, Khanna says. While businesses are doing a better job at discussing and securing Active Directory compared to 10 years ago, there is still plenty more work that needs to be done.