Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

5/3/2021
05:25 PM

Researchers Explore Active Directory Attack Vectors

Incident responders who investigate attacks targeting Active Directory discuss methods used to gain entry, elevate privileges, and control target systems.

Active Directory is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data. Incident responders find the service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.


Anurag Khanna and Thirumalai Natarajan Muthiah, both principal consultants with Mandiant Consulting, have been observing Active Directory as an attack vector for more than 10 years. Khanna estimates about 90% of attacks their team investigates involve Active Directory in some form, whether it was the initial attack vector or targeted to achieve persistence or privileges.

Active Directory has been around since Windows 2000 but has become a priority for both attackers and defenders in recent years, he says.

"There have been other technologies which have come out, but most of the organizations we work with still use Active Directory for their primary identity," Khanna explains. "And of late, identity has become more important as we go into the cloud, as we move into new services."

In their incident response investigations, Khanna and Muthiah see attackers conduct privilege escalation to move laterally, persist in target environments, and blend in. Backdoors and misconfigurations on Active Directory systems provide attackers with long-term privileges. Some use Active Directory to deploy ransomware across domainwide systems, Muthiah adds.

"So it's not just to reach the crown jewels to extract the data alone; the attackers are also using Active Directory as a living-off-the-land technique in order to push binaries across domainwide systems," he says.

When it comes to attack methods, intruders often have several options. Some gain access via social engineering or phishing; some exploit vulnerabilities or misconfigurations to access Active Directory. In one technique Khanna has observed, the attacker can adjust the registry configuration so the password for an Active Directory system account doesn't change every 30 days. If the password doesn't change, and the attacker has stolen the account's password hash, that person can access the machine with a tactic commonly known as a silver ticket attack, he says.

"That means for a period of a year, or two years, depending on how the attacker puts that backdoor in, they have access to that machine — and those can be critical," Khanna adds.
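The backdoor Khanna describes leaves a trail a defender can hunt for: the machine whose rotation was switched off carries the setting in its Netlogon registry parameters, and in the directory its computer object keeps the same password age long after the 30-day default. The PowerShell below is an added example, not code from the article or from Mandiant. It uses the standard Netlogon values DisablePasswordChange and MaximumPasswordAge, assumes the second part is run from a domain-joined host with the RSAT ActiveDirectory module, and the 45-day threshold is an assumption chosen to allow slack for machines that were offline.

```powershell
# Added example (not from the article): hunt for machine accounts whose
# password rotation has been disabled or has stalled.

# Part 1: local check of the Netlogon settings that govern machine account
# password rotation. Defaults are DisablePasswordChange = 0 and
# MaximumPasswordAge = 30 (days); either being changed is a finding.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon -ErrorAction Stop

if ($params.DisablePasswordChange -eq 1) {
    Write-Warning "$env:COMPUTERNAME: machine account password rotation is disabled (DisablePasswordChange=1)"
}
if ($null -ne $params.MaximumPasswordAge -and $params.MaximumPasswordAge -gt 30) {
    Write-Warning "$env:COMPUTERNAME: MaximumPasswordAge raised to $($params.MaximumPasswordAge) days"
}

# Part 2: directory-wide sweep. A computer account that has logged on recently
# but has not rotated its password inside the expected window is either a
# machine that was offline for a long stretch or one whose rotation was
# deliberately switched off; both deserve a look.
Import-Module ActiveDirectory
$thresholdDays = 45   # assumption: 30-day default plus slack for offline machines
$cutoff = (Get-Date).AddDays(-$thresholdDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates with a
# lag of up to 14 days, so treat it as a coarse "recently active" signal.
Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $cutoff -and $_.LastLogonDate -gt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

A host flagged by the first part should have the registry values restored to their defaults and its machine account password rotated (Reset-ComputerMachinePassword does this), and because a stolen hash remains valid until that rotation, the reset is what actually closes the door. The second part is best scheduled so that changes in the list, rather than its absolute size, are what get reviewed.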

[Khanna and Muthiah will discuss more about detecting threats in their upcoming Black Hat Asia briefing, "Threat Hunting in Active Directory Environment," on Thursday, May 6.]

Because Active Directory is a large attack surface with many moving parts, it's usually not difficult for an attacker to succeed, Khanna says. The researchers advise blue teams to not be reactive and wait for an incident to trigger an alert, and instead to conduct their own threat hunting and look for misconfigurations, backdoors, and signs an attacker has accessed their environment.

"Organizations are doing a better job in detecting things which are malicious, in terms of malware and what attackers are doing," he explains. "But configuration issues, living-off-the-land techniques — they are still really, really hard to detect."

Microsoft has baked in new Active Directory security features over time, they note, but it takes a while for many businesses to upgrade their systems and catch up. Some may not have dedicated security teams and lack the resources to strongly focus on Active Directory; others may still run legacy applications that prohibit them from upgrading to the new versions that come with added built-in security features.

"We see organizations where the blue teamers know they are missing security features just because of not migrating a legacy application due to various challenges," Muthiah says, noting it's a common problem. "A lot of customers are definitely still sticking to legacy applications and they couldn't enable a lot of auditing features in Active Directory because of that."

In addition to active threat hunting, Khanna urges organizations to adopt multifactor authentication ("we still work with organizations which do not have MFA enabled on external facing services, on their M365 email services," he says) and to use unique local admin passwords. Many organizations still use the same local admin account across a large fleet of systems; if that account is compromised, it lets attackers move laterally from one machine to another.

Implementing these steps, both widely known best practices, can "drastically" improve an organization's Active Directory security posture, Khanna says. While businesses are doing a better job at discussing and securing Active Directory compared to 10 years ago, there is still plenty more work that needs to be done.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...