An attack path refers to the route attackers take to gain full control of an IT environment. Attack paths are particularly relevant to Active Directory as it is the most popular directory service on the market.
This gives adversaries more targets to choose from, and more tools to exploit vulnerabilities. Secondly, and perhaps more importantly, it is because a typical Active Directory environment consists of very complex hierarchies of groups and objects, and there isn’t an easy way to manually map out such hierarchies so that the attack paths are visible.
For example, you will need visibility into the permissions setup for Group Policy Objects (GPOs), the Group Policy Creator Owners group, the System/Policies and sysvol folders on domain controllers (DCs), and the gpLink and gpOptions attributes on the domain root and organizational units (OUs).
You must also have visibility into computers placed in the wrong OUs, inheritance blocking, and link priorities.
A company that has been using Active Directory for many years will probably have lots of blind spots caused by deeply nested privileges, neglected policies, inactive user accounts, and a lot more.
The Anatomy of a Cyberattack
When talking about Active Directory attack paths and how to identify and remove them, it helps to first reflect on the five stages of a cyberattack, which are:
Reconnaissance: Identifying targets, collecting information, and assessing the plausibility of a given attack path.
Planning: Identifying which attack vectors to use, which might include exploiting a zero-day vulnerability, obtaining credentials via social engineering or tricking a user into downloading malware.
Intrusion: Carrying out the attack according to your chosen method.
Lateral movement: Escalating privileges, compromising additional systems, creating new accounts, changing security settings, installing backdoors, etc.
Exfiltration and clean-up: Stealing or encrypting the victim’s data, tampering with audit logs, removing malware, and other signs of compromise.
It is at the fourth stage where the attacker will try to move laterally throughout the network in an attempt to obtain the ‘keys to the kingdom’, thus allowing them to take control over the entire Active Directory environment. As such, traditional perimeter security techniques and technologies will not suffice in identifying and blocking attack paths, as the adversary will already have access to your network.
Common Active Directory Attack Paths
Given that there are potentially thousands of attack paths that adversaries can exploit, a full list of these paths is clearly beyond the scope of this article. Instead, below are two common examples of the types of attack paths we might see in a typical Active Directory environment.
Example 1: An attacker compromises a user account that is a member of the HelpDesk group, which in turn is a member of the Workstation Admins group. The Workstation Admins group has local Administrator permissions for a server that has access to session credentials from a service account that recently logged in. Using various tools, such as Mimikatz, the attacker can harvest these credentials, which in turn will give them Add Member permissions for the Domain Admins group. The attacker now has full control over the Active Directory environment.
Example 2: A user account that was granted permission to edit a GPO was compromised by an adversary, thus giving them control over an AD domain. Using a PowerShell script, the attacker can harvest the credentials of another user when they log in. If the user has rights to the Domain Admins group, they can add accounts to this group, thus giving them complete control over the AD environment.
How to Identify and Remove Active Directory Attack Paths
As mentioned previously, there are far more attack paths than what we could possibly count, let alone block. Instead, we must focus on the “choke points”, which are the last segments in the attack path chain.
However, in a complex Active Directory environment, identifying choke points manually will be a daunting and time-consuming process, as it will require scrutinizing all of the possible connections between all objects in Active Directory.
A better approach would be to adopt an attack path management tool that will help you map out and visualize all relationships and connections in Active Directory. Likewise, you will need to use a real-time Active Directory Auditing solution to give you visibility into how users interact with your Active Directory environment – identifying atypical usage patterns, which administrators can investigate to help them identify potential choke points.
If you’d like to see how the Lepide Auditor for Active Directory can help to identify and remove attack paths in Active Directory, schedule a demo with one of our engineers or start your free trial today.