Active Directory (AD), Microsoft’s on-premises directory service for Windows domain networks, is so widely used for enterprise identity and access management that compromising AD has become a near-standard step in a cyber intrusion.
“Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships and permissions, support for legacy protocols, and a lack of tooling to diagnose Active Directory security issues,” the Five Eyes cyber security agencies note in their recently released guide to detecting and mitigating AD compromises.
“By gaining control of Active Directory, malicious actors with a variety of intentions, whether cybercriminals seeking financial gain or nation-states conducting cyberespionage, can conduct malicious operations within a victim’s network and gain the access they need to achieve their goals.”
Microsoft AD attacks, mitigation, and detection
Active Directory provides several services.
Domain Services (AD DS) – Authentication and authorization, security policy enforcement
Federation Services (AD FS) – Federated identity and access management
Certificate Services (AD CS) – Public key infrastructure, including certificate issuance and management for secure communications
Lightweight Directory Services (AD LDS) – Application directory service
Rights Management Services (AD RMS) – Information rights management
“For many organizations, Active Directory consists of thousands of objects that interact with each other through complex permissions, configurations, and relationships. Understanding object permissions and the relationships between those objects is critical to securing your Active Directory environment,” the agencies noted, listing several tools that can be used to do so.
Attackers use Active Directory for privilege escalation, reconnaissance, lateral movement, and persistence using a variety of techniques, including Kerberoasting, password spraying, MachineAccountQuota compromise, golden certificates, and Microsoft Entra Connect compromise.
Each of these is explained in the guide, with a list of security controls that can mitigate them, and a list of logged events that may indicate a compromise.
However, the agency also recommends the use of canary objects because “many Active Directory compromises exploit legitimate functionality and generate the same events that are generated by normal activity.”
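The canary approach in practice, as an added example that is not part of the guide or this article: a Python triage script over exported Security-log records (constructed sample events), treating any Kerberos TGS request for a hypothetical canary service account as an alert, and one requester pulling RC4 tickets for many services as a weaker indicator. The JSON field names, canary account names and the threshold are assumptions.

```python
"""Canary-aware triage of exported Event ID 4769 (Kerberos TGS request) records.
Assumed input: JSON lines with event_id, ServiceName, TicketEncryptionType,
TargetUserName and IpAddress fields. Canary names and sample events are constructed.
"""
import json

# Hypothetical canary service accounts that no legitimate service ever uses.
CANARY_ACCOUNTS = {"svc-canary-sql", "svc-canary-web"}
RC4_HMAC = "0x17"  # ticket cipher an attacker typically requests when roasting

def triage_4769(lines, canaries=CANARY_ACCOUNTS, rc4_threshold=5):
    """Return alerts for a sequence of JSON event lines.

    - Any TGS request for a canary account: high severity (no benign reason).
    - One requester pulling RC4 tickets for >= rc4_threshold distinct services:
      medium severity, a bulk-roasting pattern that normal logons rarely show.
    """
    alerts = []
    rc4_by_requester = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_id") != 4769:
            continue
        svc = ev["ServiceName"].rstrip("$").lower()
        who = (ev["TargetUserName"], ev["IpAddress"])
        if svc in canaries:
            alerts.append({"severity": "high", "rule": "canary-spn-request",
                           "requester": who, "service": svc})
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            rc4_by_requester.setdefault(who, set()).add(svc)
    for who, services in rc4_by_requester.items():
        if len(services) >= rc4_threshold:
            alerts.append({"severity": "medium", "rule": "bulk-rc4-tgs",
                           "requester": who, "count": len(services)})
    return alerts

# Constructed sample: one ordinary AES (0x12) request, then a single user
# requesting RC4 tickets for five services, one of which is a canary.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    [{"event_id": 4769, "ServiceName": "svc-backup", "TicketEncryptionType": "0x12",
      "TargetUserName": "alice@CORP", "IpAddress": "10.0.0.5"}]
    + [{"event_id": 4769, "ServiceName": s, "TicketEncryptionType": "0x17",
        "TargetUserName": "bob@CORP", "IpAddress": "10.0.0.77"}
       for s in ("svc-sql", "svc-web", "svc-canary-sql", "svc-app", "svc-print")]
)]

if __name__ == "__main__":
    for alert in triage_4769(SAMPLE_EVENTS):
        print(alert)
```

The canary rule needs no baseline because the account has no legitimate consumers; the RC4 rule is a heuristic and should be tuned against the environment's own service inventory.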
“Eliminating the most determined malicious actors may require drastic action, from resetting passwords for all users to rebuilding Active Directory itself. Responding to and recovering from malicious activity is often time-consuming, costly, and disruptive, so we recommend that organizations implement the recommendations in this guidance to better protect their Active Directory from malicious actors and breaches.”
Check out these open source tools.
SOAPHound: A tool to collect Active Directory data via ADWS
Adalanche: Active Directory Visualizer and Explorer Tool
GOAD: Penetration testing lab for practicing common AD attack techniques
BloodHound: A penetration testing solution that maps attack paths in AD and Azure environments