Top 8 Ways Attackers Can Own Active Directory

Active Directory (AD) is one of the most valuable targets for cyberattackers because it handles authentication and authorization across all enterprise resources and touches virtually everything on the network. AD is complicated to secure, and today, red teams estimate that they can compromise it 100% of the time. Once attackers compromise AD, they can use it to escalate their privileges at will, significantly increasing the scope and damage of the attack. There are many ways that cybercriminals can attack AD, and enterprises should be aware of these tactics. Below is a primer of the most common tactics attackers use to help organizations understand their attackers and better prepare their defenses.

ADRecon

Many IT pros don’t consider this a type of “attack,” but they should—it is often the first step an attacker takes. AD reconnaissance is relatively easy for attackers to carry out and hard to detect, because the queries involved look like normal operations within AD, making it difficult to tell legitimate from anomalous activity. Attackers often use tools like BloodHound to query AD and build a map of the entire directory, identifying overlapping permissions and paths to domain admin rights.

DCSync

In a DCSync attack, attackers impersonate an AD domain controller (DC) to obtain authentication credentials from other domain controllers. An attacker with privileged access to a DC has complete control over the other AD user accounts and services on the domain. The attack works by discovering DCs and submitting a replication request. This prompts the primary DC to replicate credential data back to the compromised domain administrator account over the Directory Replication Service (DRS) remote protocol. Attackers can then use offline tools to run attacks or pull data from the DC without actively accessing the primary DC, allowing them to operate without detection.
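Because DCSync is a replication request, the DC can record it: with auditing enabled, Event ID 4662 logs which account exercised the replication control-access rights. The detection below is an added example (not code from the original article) that flags replication rights exercised by anything other than a known DC computer account; the `key=value` line format and the sample events are constructed for the example.

```python
# Control-access-right GUIDs recorded in the Properties field of Event ID 4662 when
# an account exercises directory replication rights (the operation DCSync relies on).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def parse_event(line):
    """Parse a flattened 'key=value|key=value' event line (constructed format, not EVTX)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def find_dcsync(lines, domain_controllers):
    """Return (account, domain, rights) for every 4662 event in which a replication right
    was exercised by something other than a known DC computer account. Real replication
    is done by DC machine accounts, so any other principal pulling changes is a DCSync
    indicator worth triage (it may still be a legitimate but over-privileged admin)."""
    known_dcs = {dc.upper().rstrip("$") for dc in domain_controllers}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        # Properties holds access-mask tokens (%%7688) and one GUID per right, in braces.
        rights = {tok.strip("{}").lower() for tok in ev.get("Properties", "").split()}
        hit = rights & set(REPLICATION_RIGHTS)
        if not hit:
            continue
        actor = ev.get("SubjectUserName", "")
        if actor.upper().rstrip("$") in known_dcs:
            continue
        alerts.append((actor, ev.get("SubjectDomainName", ""),
                       sorted(REPLICATION_RIGHTS[g] for g in hit)))
    return alerts

# Constructed sample events: a DC replicating normally, a user account exercising the same
# replication rights (the DCSync pattern), and two unrelated events that must not fire.
SAMPLE_EVENTS = [
    "EventID=4662|SubjectUserName=DC01$|SubjectDomainName=CORP|ObjectType=domainDNS"
    "|Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jsmith|SubjectDomainName=CORP|ObjectType=domainDNS"
    "|Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jsmith|SubjectDomainName=CORP|ObjectType=user"
    "|Properties=%%7688 {aaaaaaaa-0000-0000-0000-000000000000}",
    "EventID=4624|SubjectUserName=jsmith|SubjectDomainName=CORP|LogonType=3",
]

if __name__ == "__main__":
    for actor, domain, rights in find_dcsync(SAMPLE_EVENTS, ["DC01"]):
        print(f"possible DCSync: {domain}\\{actor} used {', '.join(rights)}")
```

The allow-list of DC names must be maintained from the directory itself; an attacker who has registered a rogue DC (see DCShadow below) would otherwise pass this check.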

DCShadow

This attack is essentially the mirror image of a DCSync attack. A DCShadow attack leverages Mimikatz to register “rogue” DCs to replicate changes to other DCs without detection. This also allows the attacker to unregister the rogue DC to cover their tracks. The attacker can create accounts, objects, or security groups that give them elevated privileges on the rogue DC, then replicate those changes to the primary DC, giving them those same rights on the entire domain. They can then remove other users from the domain administrator group, leaving only themselves, or assign domain administrator privileges to multiple users they have already compromised. For an attacker, this is essentially the Holy Grail—if they can successfully pull it off, there is little defenders can do.

DPAPI

Data Protection Application Programming Interface (DPAPI) protects user secrets like saved browser passwords, email account credentials, FTP passwords, certificates and other assets that Windows stores locally. Each user on the system has a master key that DPAPI protects, stored in that user’s local profile. If the attacker knows the password of the user the master key belongs to and can access that master key file, they can recover the master key using Mimikatz. This attack essentially takes advantage of a data protection API to steal data, turning its intended purpose on its head. With the master key, the attacker can execute code in that user’s context and elevate their privileges to local or domain administrator. This type of attack is hard to detect or prevent, since everything happens locally.

Domain Trust Exploitation

When an environment has multiple domains, trust relationships can be established between them. Domain trust essentially means that a user in one domain may act as a security principal in another domain. This trust relationship establishes a link between the two different domains, which might go one way or both ways (or reflect a parent/child relationship). Attackers look for overlapping security principals, mapping how they relate to one another so they can exploit them. Suppose an attacker has compromised an account that is a regular user in one domain but, through a trust, has privileges over a service account in another domain. In that case, the attacker knows they can compromise that service account by abusing the trust relationship.

AD Privilege Escalation

Many different techniques fall under this umbrella, but they all amount to giving a regular user elevated privileges. Attackers might force-add the user to the domain administrator group and grant them permission to modify the administrator groups of AD objects. They might also assign the user a hidden security identifier (SID) with administrator privileges, so the user can perform administrator actions without being a member of the domain admins group. Granting privileged access to a non-privileged user in this way is difficult to detect and helps intruders escalate their attacks.

Kerberos Attacks

These attacks, commonly referred to as “Kerberoasting,” are generally carried out using Mimikatz. The idea behind Kerberoasting is to extract service account credentials without ever interacting with the target system. When the malicious user authenticates to the domain, they receive a ticket-granting ticket (TGT) from the Kerberos key distribution center (KDC), encrypted with the key of the KDC’s own service account in AD. The attacker can then request a service ticket for the service they wish to compromise. The DC retrieves the service’s permissions from the AD database and issues a service ticket encrypted with a key derived from the service account’s password.

The DC provides the user with the service ticket, which they then present to the service. The service decrypts the ticket and determines whether the user has permission to access it. At this point, the attacker can extract the ticket from system memory and crack it offline, recovering the service account that the database server runs under and its password, which lets them log in as that account. Because the attacker does not interact directly with the database server, the login looks valid. Unfortunately, DCs do not track whether the user actually connects to the service after requesting a ticket, so attackers can request hundreds of tickets and brute-force them offline.
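The DC does log every service-ticket request as Event ID 4769, including the encryption type, so the burst of requests described above is visible even though the DC never correlates them. The detector below is an added example (not code from the original article): it groups 4769 events per requesting account and alerts when one account asks for RC4 tickets for several distinct non-machine service accounts inside a short window. The `key=value` line format and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 0x17 is RC4-HMAC in the 4769 TicketEncryptionType field. Kerberoasting tools ask for it
# because the RC4 key is derived directly from the NT hash, so such tickets crack fastest.
RC4_HMAC = "0x17"

def parse_event(line):
    """Parse a flattened 'key=value|key=value' event line (constructed format, not EVTX)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def find_kerberoasting(lines, window=timedelta(minutes=5), threshold=3):
    """Alert when one account requests RC4 service tickets for `threshold` or more distinct
    non-machine service accounts within `window`. Returns [(account, [services])]."""
    requests = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        service = ev.get("ServiceName", "")
        # Machine accounts ($) and krbtgt have long random keys and are not crackable targets.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        requests[ev["TargetUserName"]].append((ts, service))
    alerts = []
    for user, items in sorted(requests.items()):
        items.sort()
        for i, (start, _) in enumerate(items):
            # Sliding window anchored at each request; distinct services seen within it.
            in_window = {svc for ts, svc in items[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts.append((user, sorted(in_window)))
                break
    return alerts

# Constructed sample 4769 events: one user bursts three RC4 requests in about 70 seconds
# (plus a machine-account ticket), another makes one AES (0x12) and one lone RC4 request.
SAMPLE_EVENTS = [
    "TimeCreated=2024-03-01T09:00:00|EventID=4769|TargetUserName=jsmith@CORP.LOCAL|ServiceName=svc_sql|TicketEncryptionType=0x17|IpAddress=10.0.0.25",
    "TimeCreated=2024-03-01T09:00:30|EventID=4769|TargetUserName=jsmith@CORP.LOCAL|ServiceName=svc_web|TicketEncryptionType=0x17|IpAddress=10.0.0.25",
    "TimeCreated=2024-03-01T09:01:10|EventID=4769|TargetUserName=jsmith@CORP.LOCAL|ServiceName=svc_backup|TicketEncryptionType=0x17|IpAddress=10.0.0.25",
    "TimeCreated=2024-03-01T09:02:00|EventID=4769|TargetUserName=jsmith@CORP.LOCAL|ServiceName=WS01$|TicketEncryptionType=0x17|IpAddress=10.0.0.25",
    "TimeCreated=2024-03-01T09:05:00|EventID=4769|TargetUserName=adupont@CORP.LOCAL|ServiceName=svc_sql|TicketEncryptionType=0x12|IpAddress=10.0.0.40",
    "TimeCreated=2024-03-01T08:00:00|EventID=4769|TargetUserName=adupont@CORP.LOCAL|ServiceName=svc_web|TicketEncryptionType=0x17|IpAddress=10.0.0.40",
]

if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_EVENTS):
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

Tune `threshold` and `window` against a baseline of normal ticket volume; monitoring or scanning accounts that legitimately touch many services will need an allow-list.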

Forged Kerberos Tickets

When users first log onto a domain, they request a TGT from the KDC, which sends them a session key. The key is stored locally and is valid only for that session and only for a limited time, expiring when it times out or when the user requests another TGT. When the user wants to log on to a service that the domain controls, they send the TGT back to the DC and request a service ticket to present to the server.

What is known as a “Golden Ticket” attack occurs when an attacker steals the authentication hash of the Kerberos account used to issue TGTs. With that hash, they can act as if they were the DC, granting them access to anything on the network. There are also “Silver Ticket” attacks, which don’t necessarily give attackers direct access to the DC, but instead compromise service accounts so the attacker can gain access. The attacker steals the service ticket, extracts the hash and uses it to access the service without going through the DC, so the DC is never touched. Silver Ticket attacks can escalate to Golden Ticket attacks, depending on the attacker’s ultimate goals.

Protecting AD Is Essential

Despite Active Directory’s vulnerability and high value to attackers, today’s enterprises are not investing enough resources in its security. Organizations tend to think of AD as “part of the plumbing,” expecting it to work without much outside interference. But modern attack tools have come a long way and are giving threat actors undetected access to Active Directory. Defenders need to fight back with new innovations designed to expose vulnerabilities and to detect and derail attack activity. These in-network defenses are critical and can range from continuous visibility into exposures and attack paths to real-time attack detection, concealment capabilities that hide AD objects, and misdirection that steers unwitting attackers away from their targets.

With so many ways for attackers to target AD, it is more important than ever for enterprises to focus their attention on its protection. Compromising AD remains one of the most effective ways for attackers to elevate their permissions and escalate their attacks. It is clearly time to give it the attention that it so desperately needs.

Carolyn Crandall

Carolyn Crandall is the Chief Deception Officer and CMO at Attivo Networks, the leader in deception for cybersecurity threat detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of taking companies from pre-IPO through to multi-billion-dollar sales and held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Carolyn is recognized as a global thought leader in technology trends and for building strategies that connect technology with customers to solve difficult operational, digitalization, and security challenges. Her current focus is on breach risk mitigation by teaching organizations how to shift from a prevention-based cybersecurity infrastructure to one of an active security defense based on the adoption of deception technology.