So why would we (and why you should) give Active Directory (AD) all this attention and importance?
Active Directory makes life easier for system administrators by providing many core features, such as centralizing resources and security administration, single sign-on for access to global resources, simplified resource location, and more.
All these pros look excellent and useful.
As a result, nine out of ten companies around the world use AD to control and maintain internal resources.
But the thing is most of these companies only invest money and effort into defending endpoints, applications, servers, mobile devices, and networks, which leaves AD dangerously unguarded.
And this makes life easier for adversaries, too.
Cybercriminals today are targeting Active Directory (AD), performing reconnaissance to discover users, servers, and computers in an enterprise network and then move laterally to carry out multi-stage attacks to gain access and abuse the target organization’s resources and data.
Let’s get to the first one.
1 Group Policy Preferences Visible Passwords
Quick and easy to understand.
Administrators use Group Policy Preferences (GPPs) to configure local administrator accounts, schedule tasks, and mount network drives with specified credentials when a user logs on.
They write GPPs to the SYSVOL share of domain controllers.
Once on an endpoint, attackers can access the GPP XML files inside the SYSVOL share and extract credentials stored in the GPP. See the picture below.
The picture above was taken from an Active directory misconfiguration lab and it demonstrates how an adversary can get a username (SVG_TGS) and password from the GPO file which can be found with a few reconnaissance tries. And while it is encrypted it will only take a few minutes to crack the password.
2 Golden Ticket
The most famous one, yet forgotten by administrators.
Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets.
It’s the golden ticket to Willy Wonka Chocolate factory (Domain controller in this case). It is so called because attackers gain privileges for any service or endpoint on the network and use it everywhere. Plus, it’s not so hard to find.
Here’s how it works:
The intruder gains a foothold in the network via an individual endpoint.
The intruder performs reconnaissance to gather more information about the domain, such as the domain name and domain security identifier (SID). Note that there are various tools to perform such tasks. Fast and easy.
The emergence of Golden Ticket Attacks is tied closely to the development of one tool: Mimikatz.
3 Power User Enumeration
It’s all about reconnaissance.
An adversary with control over an endpoint is considered as an authenticated user. This authenticated intruder has the power to enumerate objects in the domain, thus, he or she can enumerate users whose passwords never expire, revealing high-privileged users in the domain.
With these credentials, attackers gain access to higher sets of privilege in the network that last indefinitely.
4 Domain Replication Backdoor
This is a critical one.
If a low-privileged user was added to the domain replication object, an attacker accesses all the domain sensitive data (for example, user hashes in the domain) without being a high-privileged user. Because some domain services require domain replication capabilities, replication permissions must be assigned to AD objects.
Consequences? Attackers gain full access to the entire company domain database
5 Local Admin Traversal
Administrators are the number one target, protect them.
Attackers steal local administrator credentials from a local computer in the network - many companies use imaging software, so the local administrator password is frequently the same across the entire enterprise - and pass the local admin long-term key to a remote endpoint to authenticate itself.
Attackers obtain local admin credentials on one machine, then move laterally and obtain access to every endpoint in the network.
These were some of the top Active Directory misconfigurations.
In the next piece of content, we will discuss some more and how to avoid being breached through any of these misconfigurations so stay tuned.
You can also follow our Linkedin account where we publish tips about how to stop intruders to move laterally in your network.