Government agencies from the Five Eyes countries have published guidance on techniques that threat actors use to target Active Directory, while also providing recommendations on how to mitigate them.
A widely used authentication and authorization solution for enterprises, Microsoft Active Directory provides multiple services and authentication options for on-premises and cloud-based assets, and represents a valuable target for bad actors, the agencies say.
“Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory,” the guidance (PDF) reads.
AD’s attack surface is exceptionally large, mainly because every authenticated user has enough permissions to enumerate the directory and identify exploitable weaknesses, and because the relationships between users and systems are complex and opaque. Threat actors routinely exploit it to take control of enterprise networks and persist within the environment for long periods, forcing drastic and costly recovery and remediation.
“Gaining control of Active Directory gives malicious actors privileged access to all systems and users that Active Directory manages. With this privileged access, malicious actors can bypass other controls and access systems, including email and file servers, and critical business applications at will,” the guidance points out.
The top priority for organizations in mitigating the harm of AD compromise, the authoring agencies note, is securing privileged access, which can be achieved by using a tiered model, such as Microsoft’s Enterprise Access Model.
A tiered model ensures that higher-tier users never expose their credentials to lower-tier systems, that lower-tier users can still consume services provided by higher tiers, that the hierarchy is enforced for proper control, and that privileged access pathways are secured by minimizing their number and implementing protections and monitoring.
“Implementing Microsoft’s Enterprise Access Model makes many techniques utilized against Active Directory significantly more difficult to execute and renders some of them impossible. Malicious actors will need to resort to more complex and riskier techniques, thereby increasing the likelihood their activities will be detected,” the guidance reads.
The most common AD compromise techniques, the document shows, include Kerberoasting, AS-REP roasting, password spraying, MachineAccountQuota compromise, unconstrained delegation exploitation, GPP passwords compromise, certificate services compromise, Golden Certificate, DCSync, dumping ntds.dit, Golden Ticket, Silver Ticket, Golden SAML, Microsoft Entra Connect compromise, one-way domain trust bypass, SID history compromise, and Skeleton Key.
“Detecting Active Directory compromises can be difficult, time consuming and resource intensive, even for organizations with mature security information and event management (SIEM) and security operations center (SOC) capabilities. This is because many Active Directory compromises exploit legitimate functionality and generate the same events that are generated by normal activity,” the guidance reads.
One effective method to detect compromises is the use of canary objects in AD. Canary detection does not rely on correlating event logs or on recognizing the tooling used during an intrusion; because a canary object serves no legitimate purpose, any interaction with it identifies the compromise itself. Canary objects can help detect Kerberoasting, AS-REP roasting, and DCSync compromises, the authoring agencies say.
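The following script is an added example, not code from the guidance or from any of the authoring agencies. It shows the canary idea as detection logic: two constructed canary accounts (one with an SPN, for Kerberoasting; one with Kerberos pre-authentication disabled, for AS-REP roasting) are checked against a handful of constructed Windows Security event records (IDs 4769 and 4768, flattened into a `key=value` format assumed here for readability). Because neither account is used by any real service, a single matching event is an alert with no correlation needed; the DCSync canary is not covered here.

```python
"""Canary-object detection over Windows Security Kerberos events.

Added example; account names, IP addresses, the key=value line format and
the sample log are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed canary accounts. Each exists only to be requested, never used.
CANARY_SPN_ACCOUNTS = {"svc-canary-sql"}       # has an SPN set -> Kerberoasting canary
CANARY_NOPREAUTH_ACCOUNTS = {"canary-legacy"}  # pre-auth not required -> AS-REP roasting canary


@dataclass
class Alert:
    technique: str
    canary: str
    source_ip: str
    event_id: int
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened 'key=value key=value' event line (constructed format)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def check_event(ev: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event touches a canary object, else None."""
    event_id = int(ev.get("EventID", "0"))
    ip = ev.get("IpAddress", "?")

    # 4769: a Kerberos service ticket was requested. ServiceName is the account
    # that owns the SPN; a request for the canary's SPN means someone is
    # harvesting service tickets (the RC4 type 0x17 is typical but not required).
    if event_id == 4769:
        name = ev.get("ServiceName", "").rstrip("$").lower()
        if name in CANARY_SPN_ACCOUNTS:
            return Alert("Kerberoasting", name, ip, event_id,
                         f"TicketEncryptionType={ev.get('TicketEncryptionType', '?')}")

    # 4768: a TGT was requested. The canary has pre-authentication disabled, so
    # the KDC hands out an AS-REP that can be cracked offline; nobody legitimately
    # logs on as this account, so any request is an alert (PreAuthType 0 = none).
    if event_id == 4768:
        name = ev.get("TargetUserName", "").lower()
        if name in CANARY_NOPREAUTH_ACCOUNTS:
            return Alert("AS-REP roasting", name, ip, event_id,
                         f"PreAuthType={ev.get('PreAuthType', '?')}")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the canary checks over every non-empty event line."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = check_event(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: ordinary activity plus two canary touches.
SAMPLE_LOG = """\
EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=web01$ TicketEncryptionType=0x12 IpAddress=10.0.1.20
EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=svc-canary-sql TicketEncryptionType=0x17 IpAddress=10.0.1.20
EventID=4768 TargetUserName=bob PreAuthType=2 IpAddress=10.0.1.21
EventID=4768 TargetUserName=canary-legacy PreAuthType=0 IpAddress=10.0.1.99
EventID=4768 TargetUserName=bob PreAuthType=2 IpAddress=10.0.1.21
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[{a.technique}] canary={a.canary} from={a.source_ip} event={a.event_id} {a.detail}")
```

In a real deployment the canary accounts would carry long random passwords and no group memberships, and the event feed would come from the domain controllers' Security logs via the SIEM; the rule itself stays this simple, which is exactly the point the guidance makes about canaries.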