
Vulnerabilities / Threats

5/3/2021
05:25 PM

Researchers Explore Active Directory Attack Vectors

Incident responders who investigate attacks targeting Active Directory discuss methods used to gain entry, elevate privileges, and control target systems.

Active Directory is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data. Incident responders find the service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.


Anurag Khanna and Thirumalai Natarajan Muthiah, both principal consultants with Mandiant Consulting, have been observing Active Directory as an attack vector for more than 10 years. Khanna estimates about 90% of attacks their team investigates involve Active Directory in some form, whether it was the initial attack vector or targeted to achieve persistence or privileges.

Active Directory has been around since Windows 2000 but has become a priority for both attackers and defenders in recent years, he says.

"There have been other technologies which have come out, but most of the organizations we work with still use Active Directory for their primary identity," Khanna explains. "And of late, identity has become more important as we go into the cloud, as we move into new services."

In their incident response investigations, Khanna and Muthiah see attackers conduct privilege escalation to move laterally, persist in target environments, and blend in. Backdoors and misconfigurations on Active Directory systems provide attackers with long-term privileges. Some use Active Directory to deploy ransomware across domainwide systems, Muthiah adds.

"So it's not just to reach the crown jewels to extract the data alone; the attackers are also using Active Directory as a living-off-the-land technique in order to push binaries across domainwide systems," he says.

When it comes to attack methods, intruders often have several options. Some gain access via social engineering or phishing; some exploit vulnerabilities or misconfigurations to reach Active Directory. In one technique Khanna has observed, the attacker adjusts the registry configuration so the password for an Active Directory system account no longer changes every 30 days. If the password never rotates and the attacker has already stolen the account's password hash, the attacker can keep accessing the machine with a tactic commonly known as a silver ticket attack, he says.

"That means for a period of a year, or two years, depending on how the attacker puts that backdoor in, they have access to that machine — and those can be critical," Khanna adds.

[Khanna and Muthiah will discuss more about detecting threats in their upcoming Black Hat Asia briefing, "Threat Hunting in Active Directory Environment," on Thursday, May 6.]

Because Active Directory is a large attack surface with many moving parts, it's usually not difficult for an attacker to succeed, Khanna says. The researchers advise blue teams to not be reactive and wait for an incident to trigger an alert, and instead to conduct their own threat hunting and look for misconfigurations, backdoors, and signs an attacker has accessed their environment.
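The registry backdoor described above leaves two auditable traces: the Netlogon setting on the host and a machine-account password in AD that stops rotating. The following PowerShell audit is an added example, not code from the article or from Mandiant; it assumes a domain-joined host with the RSAT ActiveDirectory module, and the 60-day threshold is an illustrative choice.

```powershell
# Added example (not from the article): hunt for the machine-account password
# backdoor described above. Assumes a domain-joined host and the RSAT
# ActiveDirectory module; the 60-day threshold is illustrative.

# 1. Local host: Netlogon values that govern machine-account password rotation.
#    DisablePasswordChange = 1 turns rotation off; MaximumPasswordAge is in days
#    and defaults to 30 when the value is absent.
$nlPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$nl     = Get-ItemProperty -Path $nlPath -ErrorAction SilentlyContinue
$rotationDisabled = ([int]$nl.DisablePasswordChange) -eq 1
$maxAgeDays       = if ($null -ne $nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }

if ($rotationDisabled -or $maxAgeDays -gt 30) {
    Write-Warning ("Machine-account password rotation weakened on {0}: " +
                   "DisablePasswordChange={1}, MaximumPasswordAge={2}" -f
                   $env:COMPUTERNAME, $rotationDisabled, $maxAgeDays)
} else {
    Write-Output "Netlogon rotation settings on $env:COMPUTERNAME are at defaults."
}

# 2. Domain-wide: enabled computer accounts that have logged on recently but whose
#    password has not rotated in over 60 days. Rotation stopping on an otherwise
#    active host is the AD-side signal of the backdoor (or of a broken host).
Import-Module ActiveDirectory
$threshold = (Get-Date).AddDays(-60)

Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -lt $threshold -and $_.LastLogonDate -gt $threshold } |
    Select-Object Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet
```

Hosts flagged by the second query should have their local Netlogon settings checked with the first block, and the account's password reset if the setting was changed without an approved reason.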

"Organizations are doing a better job in detecting things which are malicious, in terms of malware and what attackers are doing," he explains. "But configuration issues, living-off-the-land techniques — they are still really, really hard to detect."

Microsoft has baked in new Active Directory security features over time, they note, but it takes a while for many businesses to upgrade their systems and catch up. Some may not have dedicated security teams and lack the resources to strongly focus on Active Directory; others may still run legacy applications that prohibit them from upgrading to the new versions that come with added built-in security features.

"We see organizations where the blue teamers know they are missing security features just because of not migrating a legacy application due to various challenges," Muthiah says, noting it's a common problem. "A lot of customers are definitely still sticking to legacy applications and they couldn't enable a lot of auditing features in Active Directory because of that."

In addition to active threat hunting, Khanna urges organizations to adopt multifactor authentication and to use unique local admin passwords. "We still work with organizations which do not have MFA enabled on external facing services, on their M365 email services," he says. Many organizations still use the same local admin account across a large fleet of their systems; if that account is compromised, attackers can use it to move laterally from one machine to another.

Implementing these steps, both widely known best practices, can "drastically" improve an organization's Active Directory security posture, Khanna says. While businesses are doing a better job at discussing and securing Active Directory compared to 10 years ago, there is still plenty more work that needs to be done.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...