Microsoft Active Directory is used by tens of thousands of organizations across the globe, including about 90% of Fortune 1000 companies, as a way to manage access to resources on their networks. Companies are also taking advantage of Microsoft’s cloud-based equivalent, Azure AD. As you would expect, both Active Directory and Azure AD are prime targets for cybercriminals looking to steal sensitive data and engage in other types of malicious activity.
Most Common Active Directory Attack Methods
It is imperative that organizations are aware of the most common ways that attackers can compromise Active Directory, which is explained below.
Kerberoasting attacks target service accounts in Active Directory by exploiting the SPN (ServicePrincipalName) attribute on user objects. Services publish their SPNs to AD objects when they authenticate themselves, and adversaries will try to target these service accounts and change the SPN values to suit their needs, especially if the account belongs to privileged groups. Organizations must continuously monitor user objects for anomalous changes made to SPN values and service accounts must be protected with strong passwords.
2. Password Spraying
This is where the attacker uses a list of previously compromised passwords and hashes to brute-force their way into an account. Since most authentication systems will lock out users after multiple failed logon attempts, the attacker will try different combinations of usernames until they find a match. Naturally, it is a good idea to ensure that employees are using complex passwords, and where possible, use multi-factor authentication to prevent password spraying attacks. A solution that also maintains a list of previously compromised passwords and hashes can also be effective in detecting anomalous logon attempts.
3. Local Loop Multicast Name Resolution (LLMNR)
Local Loop Multicast Name Resolution (LLMNR) is a Windows networking function that puts Active Directory at risk. LLMNR allows for name resolution without the requirement of a DNS server. Multicast packets are broadcast to the network, asking for the IP address of a given hostname. Attackers can intercept these packets, and claim that the IP address is linked to their hostname. This feature isn’t necessary if the Domain Name System (DNS) is properly configured. As such, the best way to mitigate this threat would be to simply disable LLMNR altogether.
4. Pass-the-hash with Mimikatz
Pass-the-hash is a technique used to steal credentials from Active Directory and also facilitates lateral movement throughout the environment. Attackers use a tool called Mimikatz, which exploits the NTLM authentication protocol to impersonate a user and dump credential hashes from memory. Organizations must ensure that privileged account hashes are not stored in a place where they can be easily extracted. They should also consider enabling LSA Protection and using Restricted Admin mode for Remote Desktops.
5. Default Credentials
Companies often forget to change the default passwords on devices/systems, and attackers will look for these devices/systems in order to break into your network. Organizations must ensure that they change the default passwords and keep an up-to-date inventory of all network hardware. It might also be worth adopting a solution that creates random passwords for line-of-business users and devices.
6. Hard-coded Credentials
In some cases, software developers will hard-code credentials into scripts, which is obviously a security risk, especially if the credentials provide privileged access. The developers may have hard-coded the credentials in order to test the functionality of the script and then forgot to remove them. Regardless of the reason, attackers will try to find scripts that contain hard-coded credentials, which they can exploit. Administrators must keep a close eye on all user accounts to ensure that they are being used for their intended purposes.
7. Privilege Escalation
Cybercriminals will typically try to gain access to a standard user account by exploiting poor password practices. Once they have gained access, they will try to elevate their privileges through social engineering, exploiting software/hardware vulnerabilities, misconfigurations, installing malware, and so on. Organizations must maintain an up-to-date inventory of which accounts have access to which resources, especially critical resources. Accounts must have the least privileges they need to perform their role, and all privileged account activity must be continuously monitored, with real-time alerts being sent to the administrator.
8. LDAP Reconnaissance
Adversaries who have already gained access to your Active Directory environment can use LDAP queries to gather further information about the environment. Using this method, they can discover users, groups, and computers, which will help them plan their next move. Preventing LDAP reconnaissance is tricky because most information in Active Directory is available to all users by default. As such, you will need to closely monitor LDAP traffic for anomalies, and ensure that all accounts are given the least access they need to perform their roles.
9. BloodHound Reconnaissance
BloodHound is a tool that helps adversaries identify and visualize attack paths in Active Directory environments. The tool works by creating a map of which computers are accessible to which users, and what user credentials can be stolen from memory. Organizations can also use BloodHound to help them identify and fix vulnerabilities in their environment, as well as provide meaningful insights about how to assign the appropriate level of access to users.
10. NTDS.dit Extraction
Domain controllers store all Active Directory data in a file called ntds.dit, or “the dit”, as some call it. By default, this file is located at the following path: C:\Windows\NTDS\. If an adversary gains access to Active Directory, they can access the ntds.dit file, or compromise the organization’s backup solution and extract the ntds.dit file from the backup. To prevent adversaries from extracting the ntds.dit file, you should minimize the number of accounts that can log on to domain controllers, control access to the physical domain controller machines, and take all of the steps necessary to harden your Active Directory environment.
Using Lepide to Prevent Active Directory Attacks
When protecting accounts and data, it is important to remember that visibility is key! You will need a solution that closely monitors your Active Directory environment for anomalies.
Lepide’s Active Directory Security solution uses machine learning techniques to detect and respond to atypical usage patterns, such as anomalous failed logon attempts, irregular access to sensitive data, and any changes to users, groups, computers, objects, and more.