Vulnerabilities / Threats

5/3/2021
05:25 PM
Researchers Explore Active Directory Attack Vectors

Incident responders who investigate attacks targeting Active Directory discuss methods used to gain entry, elevate privileges, and control target systems.

Active Directory is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data. Incident responders find the service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.

Anurag Khanna and Thirumalai Natarajan Muthiah, both principal consultants with Mandiant Consulting, have been observing Active Directory as an attack vector for more than 10 years. Khanna estimates about 90% of attacks their team investigates involve Active Directory in some form, whether it was the initial attack vector or targeted to achieve persistence or privileges.

Active Directory has been around since Windows 2000 but has become a priority for both attackers and defenders in recent years, he says.

"There have been other technologies which have come out, but most of the organizations we work with still use Active Directory for their primary identity," Khanna explains. "And of late, identity has become more important as we go into the cloud, as we move into new services."

In their incident response investigations, Khanna and Muthiah see attackers conduct privilege escalation to move laterally, persist in target environments, and blend in. Backdoors and misconfigurations on Active Directory systems provide attackers with long-term privileges. Some use Active Directory to deploy ransomware across domainwide systems, Muthiah adds.

"So it's not just to reach the crown jewels to extract the data alone; the attackers are also using Active Directory as a living-off-the-land technique in order to push binaries across domainwide systems," he says.

When it comes to attack methods, intruders often have several options. Some gain access via social engineering or phishing; some exploit vulnerabilities or misconfigurations to access Active Directory. In one technique Khanna has observed, the attacker can adjust the registry configuration so the password for an Active Directory system account doesn't change every 30 days. If the password doesn't change, and the attacker has stolen the account's password hash, that person can access the machine with a tactic commonly known as a silver ticket attack, he says.

"That means for a period of a year, or two years, depending on how the attacker puts that backdoor in, they have access to that machine — and those can be critical," Khanna adds.
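The persistence trick described above leaves two footprints a defender can hunt for: the host-side Netlogon setting that stops the machine account password from rotating, and a computer object in the directory whose password has not changed for far longer than the 30-day default even though the machine is still logging on. The following PowerShell script is an added example written for this article; it is not code from Dark Reading or Mandiant. It relies on the documented Netlogon registry values `DisablePasswordChange` and `MaximumPasswordAge` under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`, and assumes the RSAT ActiveDirectory module is installed, that the caller can read computer objects in the domain, and that remote hosts in `$ComputerName` accept PowerShell remoting. The `$StaleDays` threshold is an assumed tuning value.

```powershell
# Added hunting example (not from the article or from Mandiant).
# Assumptions: RSAT ActiveDirectory module present; read access to AD computer
# objects; PowerShell remoting allowed to any host named in $ComputerName.
# Registry values are the documented Netlogon parameters:
#   DisablePasswordChange (REG_DWORD, 1 = machine account password rotation off)
#   MaximumPasswordAge    (REG_DWORD, days between rotations; default 30)
param(
    [int]$StaleDays = 45,                       # assumed threshold: 30-day cycle plus slack
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

Import-Module ActiveDirectory -ErrorAction Stop

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Read the two rotation-related values from a host, locally or over remoting.
function Get-NetlogonRotationSetting {
    param([string]$Computer)
    $reader = {
        param($key)
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DisablePasswordChange = $p.DisablePasswordChange
            MaximumPasswordAge    = $p.MaximumPasswordAge
        }
    }
    if ($Computer -ieq $env:COMPUTERNAME) {
        & $reader $netlogonKey
    } else {
        Invoke-Command -ComputerName $Computer -ScriptBlock $reader -ArgumentList $netlogonKey
    }
}

# 1. Host-side check: flag any machine where rotation is disabled or stretched
#    beyond the default 30 days. Absent values mean the defaults are in effect.
Write-Host "== Netlogon password-rotation settings =="
foreach ($c in $ComputerName) {
    $s = Get-NetlogonRotationSetting -Computer $c
    $suspicious = ($s.DisablePasswordChange -eq 1) -or
                  ($null -ne $s.MaximumPasswordAge -and $s.MaximumPasswordAge -gt 30)
    [pscustomobject]@{
        Computer              = $c
        DisablePasswordChange = $s.DisablePasswordChange
        MaximumPasswordAge    = $s.MaximumPasswordAge
        Suspicious            = $suspicious
    }
}

# 2. Directory-side check: enabled computer accounts whose password has not
#    rotated within $StaleDays but which have logged on within that window.
#    An active machine with a stale password is the pattern to triage; a
#    machine that is simply offline will fail the LastLogonDate test.
Write-Host "== Active computer accounts with stale machine passwords =="
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -lt $cutoff -and $_.LastLogonDate -gt $cutoff } |
    Select-Object Name, PasswordLastSet, LastLogonDate, DistinguishedName |
    Sort-Object PasswordLastSet
```

Run it from a management host with `.\Find-StaleMachinePasswords.ps1 -ComputerName srv01,srv02` (the file name is arbitrary). The directory-side query is the cheap, fleet-wide sweep; the registry check is what confirms whether a stale password is a backdoor or just a machine that has been off the network, so it is worth running against every host the first pass flags.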

[Khanna and Muthiah will discuss more about detecting threats in their upcoming Black Hat Asia briefing, "Threat Hunting in Active Directory Environment," on Thursday, May 6.]

Because Active Directory is a large attack surface with many moving parts, it's usually not difficult for an attacker to succeed, Khanna says. The researchers advise blue teams to not be reactive and wait for an incident to trigger an alert, and instead to conduct their own threat hunting and look for misconfigurations, backdoors, and signs an attacker has accessed their environment.

"Organizations are doing a better job in detecting things which are malicious, in terms of malware and what attackers are doing," he explains. "But configuration issues, living-off-the-land techniques — they are still really, really hard to detect."

Microsoft has baked in new Active Directory security features over time, they note, but it takes a while for many businesses to upgrade their systems and catch up. Some may not have dedicated security teams and lack the resources to strongly focus on Active Directory; others may still run legacy applications that prohibit them from upgrading to the new versions that come with added built-in security features.

"We see organizations where the blue teamers know they are missing security features just because of not migrating a legacy application due to various challenges," Muthiah says, noting it's a common problem. "A lot of customers are definitely still sticking to legacy applications and they couldn't enable a lot of auditing features in Active Directory because of that."

In addition to active threat hunting, Khanna urges organizations to adopt multifactor authentication and to use unique local admin passwords. "We still work with organizations which do not have MFA enabled on external facing services, on their M365 email services," he says. Many organizations still use the same local admin credentials across a large fleet of their systems; if those credentials are compromised, an attacker can move laterally from one machine to another.

Implementing these steps, both widely known best practices, can "drastically" improve an organization's Active Directory security posture, Khanna says. While businesses are doing a better job at discussing and securing Active Directory compared to 10 years ago, there is still plenty more work that needs to be done.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...