Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
05:25 PM
Connect Directly

Researchers Explore Active Directory Attack Vectors

Incident responders who investigate attacks targeting Active Directory discuss methods used to gain entry, elevate privileges, and control target systems.

Active Directory is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data. Incident responders find the service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.

Related Content:

11 Tips for Protecting Active Directory While Working from Home

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Name That Edge Toon: Magical May

Anurag Khanna and Thirumalai Natarajan Muthiah, both principal consultants with Mandiant Consulting, have been observing Active Directory as an attack vector for more than 10 years. Khanna estimates about 90% of attacks their team investigates involve Active Directory in some form, whether it was the initial attack vector or targeted to achieve persistence or privileges.

Active Directory has been around since Windows 2000 but has become a priority for both attackers and defenders in recent years, he says.

"There have been other technologies which have come out, but most of the organizations we work with still use Active Directory for their primary identity," Khanna explains. "And of late, identity has become more important as we go into the cloud, as we move into new services."

In their incident response investigations, Khanna and Muthiah see attackers conduct privilege escalation to move laterally, persist in target environments, and blend in. Backdoors and misconfigurations on Active Directory systems provide attackers with long-term privileges. Some use Active Directory to deploy ransomware across domainwide systems, Muthiah adds.

"So it's not just to reach the crown jewels to extract the data alone; the attackers are also using Active Directory as a living-off-the-land technique in order to push binaries across domainwide systems," he says.

When it comes to attack methods, intruders often have several options. Some gain access via social engineering or phishing; some exploit vulnerabilities or misconfigurations to access Active Directory. In one technique Khanna has observed, the attacker can adjust the registry configuration so the password for an Active Directory system account doesn't change every 30 days. If the password doesn't change, and the attacker has stolen the account's password hash, that person can access the machine with a tactic commonly known as a silver ticket attack, he says.

"That means for a period of a year, or two years, depending on how the attacker puts that backdoor in, they have access to that machine — and those can be critical," Khanna adds.

[Khanna and Muthiah will discuss more about detecting threats in their upcoming Black Hat Asia briefing, "Threat Hunting in Active Directory Environment," on Thursday, May 6.]

Because Active Directory is a large attack surface with many moving parts, it's usually not difficult for an attacker to succeed, Khanna says. The researchers advise blue teams to not be reactive and wait for an incident to trigger an alert, and instead to conduct their own threat hunting and look for misconfigurations, backdoors, and signs an attacker has accessed their environment.

"Organizations are doing a better job in detecting things which are malicious, in terms of malware and what attackers are doing," he explains. "But configuration issues, living-off-the-land techniques — they are still really, really hard to detect."

Microsoft has baked in new Active Directory security features over time, they note, but it takes a while for many businesses to upgrade their systems and catch up. Some may not have dedicated security teams and lack the resources to strongly focus on Active Directory; others may still run legacy applications that prohibit them from upgrading to the new versions that come with added built-in security features.

"We see organizations where the blue teamers know they are missing security features just because of not migrating a legacy application due to various challenges," Muthiah says, noting it's a common problem. "A lot of customers are definitely still sticking to legacy applications and they couldn't enable a lot of auditing features in Active Directory because of that."

In addition to active threat hunting, Khanna urges organizations to adopt multifactor authentication — "we still work with organizations which do not have MFA enabled on external facing services, on their M365 email services," he says, and use unique local admin passwords. Many organizations still use the same local admin account in a large fleet of their systems; if compromised, this could enable attackers to move laterally from one machine to another.

Implementing these steps, both widely known best practices, can "drastically" improve an organization's Active Directory security posture, Khanna says. While businesses are doing a better job at discussing and securing Active Directory compared to 10 years ago, there is still plenty more work that needs to be done.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.