Active Directory is a massive and complex attack surface that has long been a prime target for criminals looking for valuable privileges and data. Responders find that the service is involved in most of the attacks they investigate, highlighting key security challenges for defenders.
Anurag Khanna and Thirumalai Natarajan Muthiah, both senior consultants at Mandiant Consulting, have observed Active Directory being used as an attack vector for over 10 years. Khanna estimates that around 90% of the attacks his team investigates involve Active Directory in some form, whether as the initial attack vector or as a target for persistence or privilege.
Active Directory has been around since Windows 2000, but has become a priority for attackers and defenders in recent years, he says.
“Other technologies have emerged, but most of the organizations we work with still use Active Directory as their primary identity,” Khanna explains. “And lately identity has become more important as we move to the cloud, as we move into new services.”
In their incident response investigations, Khanna and Muthiah see attackers escalating privileges to move laterally, persist in target environments, and blend in. Backdoors and misconfigurations on Active Directory systems provide attackers with long-term privileges. Some are using Active Directory to deploy ransomware to systems across the domain, adds Muthiah.
“So it’s not just about reaching for the crown jewels to extract data alone; attackers are also using Active Directory as a lifecycle technique to push binaries through domain-wide systems,” he said.
When it comes to attack methods, intruders often have several options. Some gain access through social engineering or phishing; others exploit vulnerabilities or configuration errors to reach Active Directory. In one technique that Khanna observed, the attacker adjusts the registry configuration so that the password for an Active Directory system account no longer changes every 30 days. If the password never changes and the attacker has stolen the account’s password hash, that person can keep gaining access to the machine with a tactic commonly known as a silver ticket attack, he says.
“This means that for a period of a year or two, depending on how the attacker places that backdoor, he has access to this machine – and these can be critical,” Khanna adds.
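One way a blue team can hunt for the backdoor described above, as an added example that is not from the article or from Mandiant: the script flags computer accounts that are still active yet have not rotated their password past the 30-day default, then reads the Netlogon rotation settings on those hosts. It assumes the RSAT ActiveDirectory module, rights to read computer objects, PowerShell Remoting to the flagged hosts, and a 15-day grace period (an assumption) on top of the default; the registry value names are Microsoft's documented Netlogon settings.

```powershell
# Hunt for machine accounts whose password rotation has stopped (editor's example, not the article's).
# Assumptions: RSAT ActiveDirectory module present, read access to computer objects,
# PowerShell Remoting to the hosts, and a 15-day grace period on top of the 30-day default.
Import-Module ActiveDirectory

$MaxAgeDays = 30   # default rotation interval for machine-account passwords
$GraceDays  = 15   # assumption: tolerates hosts that were offline around their rotation point
$Cutoff     = (Get-Date).AddDays(-($MaxAgeDays + $GraceDays))

# Step 1 (authoritative, from the directory): enabled computer accounts that logged on after the
# cutoff but whose password has not changed since then. A live host that never rotates its
# password is exactly the condition a silver-ticket backdoor relies on.
$Stale = Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $Cutoff } `
                        -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
         Where-Object { $_.LastLogonDate -gt $Cutoff }

# Step 2 (host side): read the Netlogon values that control rotation on each flagged host.
# DisablePasswordChange = 1 turns rotation off; MaximumPasswordAge overrides the 30-day default.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Findings = foreach ($c in $Stale) {
    $reg = $null
    try {
        $reg = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty -Path $using:NetlogonKey |
                Select-Object DisablePasswordChange, MaximumPasswordAge
        }
    } catch { }   # unreachable host: reported below so it still gets a manual check

    $disable = if ($reg) { $reg.DisablePasswordChange } else { 'unreachable' }   # $null = not set
    $maxAge  = if ($reg) { $reg.MaximumPasswordAge }    else { 'unreachable' }   # $null = default 30
    [pscustomobject]@{
        Computer              = $c.Name
        OperatingSystem       = $c.OperatingSystem
        PasswordLastSet       = $c.PasswordLastSet
        LastLogonDate         = $c.LastLogonDate
        DisablePasswordChange = $disable
        MaximumPasswordAge    = $maxAge
    }
}

# Rotation disabled or stretched on a host that no policy is supposed to configure that way is the
# finding to triage; compare it with the "Domain member: Disable machine account password changes"
# GPO setting before treating it as malicious.
$Findings | Sort-Object PasswordLastSet | Format-Table -AutoSize
```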
[Khanna and Muthiah will discuss more about detecting threats in their upcoming Black Hat Asia briefing, “Threat Hunting in Active Directory Environment,” on Thursday, May 6.]
Because Active Directory is a large attack surface with many moving parts, it’s usually not difficult for an attacker to be successful, says Khanna. The researchers advise Blue Teams not to sit back and wait for an incident to trigger an alert, but instead to conduct their own threat hunts, looking for misconfigurations, backdoors, and signs that an attacker has accessed their environment.
“Organizations are better at detecting malware, in terms of malware and what attackers do,” he explains. “But the setup issues, the living-off-the-land techniques – they’re still really, really hard to spot.”
Microsoft has incorporated new Active Directory security features over time, they note, but it takes time for many companies to upgrade their systems and catch up. Some may not have dedicated security teams and may not have the resources to focus heavily on Active Directory; still others may be running legacy applications that prevent them from upgrading to newer versions with additional built-in security features.
“We are seeing organizations where blue teams know they are missing security features just because they are not migrating a legacy application due to various challenges,” says Muthiah, noting that this is a common problem. “A lot of customers are definitely sticking with legacy applications and they couldn’t enable a lot of auditing features in Active Directory because of it.”
In addition to actively hunting down threats, Khanna urges organizations to embrace multi-factor authentication (“we are still working with organizations that have not enabled MFA on external services, on their M365 email services,” he says) and to use unique local administrator passwords. Many organizations still use the same local administrator account across a large fleet of their systems; if it is compromised, it could allow attackers to move laterally from machine to machine.
Implementing these steps, both of which are widely known best practices, can “dramatically” improve an organization’s Active Directory security posture, Khanna explains. While businesses do a better job of discussing and securing Active Directory compared to 10 years ago, there is still a lot of work to be done.
Kelly Sheridan is Editor-in-Chief at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered finance …