Active Directory (AD) is the backbone of many corporate networks, providing centralized management of users, devices, and permissions. With its central role, AD has become a prime target for ransomware operators and threat actors seeking higher levels of access and persistence within networks.
Why Active Directory?
Active Directory is critical for managing network resources, authentication, and security policies. Attackers target AD because compromising it can lead to widespread access, allowing them to move laterally, escalate privileges, and gain control over entire environments.
This post will not go into AD in depth, but a few basics first:
Microsoft’s Active Directory (AD) provides a centralized database and services that allow users to connect to networking resources
Domains use a Domain Name System (DNS) structure to organize namespaces into logical units. For example, a domain of victimnetwork.local might be set up to contain resources specific to a logical grouping of users, computers, and other objects within the AD database.
Domain controllers (DCs) are servers that respond to authentication requests and determine whether the requesting users should be granted access to the domain. The DCs in an AD environment may also provide services and protocols such as DNS, Dynamic Host Configuration Protocol (DHCP), and other services that allow hosts to access the network or the resources provided within it.
Authentication within AD is often carried out via the Kerberos authentication protocol.
If you are using a Windows computer on a corporate network, you most likely are connected to AD. The overall AD system provides the domain to which you are connected. In order to be connected to said domain, you must authenticate to the domain. You typically carry out these activities by logging in to your machine using the provided username and password for your domain account.
Popular Tools Used in Active Directory Attacks
Nltest
What It Does: A built-in Windows command-line tool, nltest helps attackers pull domain-related information, such as domain lists and trust relationships.
Why It’s Used: It provides attackers with a quick and easy way to perform reconnaissance on the AD environment.
AdFind
What It Does: Originally developed as an LDAP query tool for IT admins, AdFind has been repurposed by attackers to extract data from AD environments.
Why It’s Used: It is valued by attackers for its ability to pull detailed AD information, including user accounts, group memberships, and more.
BloodHound
What It Does: BloodHound is a reconnaissance tool that maps relationships between AD objects, helping attackers identify vulnerable attack paths.
Why It’s Used: It provides a graphical interface that makes it easier for attackers to understand the AD environment and find weaknesses to exploit.
Mimikatz
What It Does: A well-known credential harvesting tool, Mimikatz can extract credentials directly from memory, including passwords, hashes, and Kerberos tickets.
Why It’s Used: Mimikatz is a go-to tool for attackers looking to escalate privileges and gain deeper access to the network.
Rubeus
What It Does: Rubeus is a C# tool focused on Kerberos attacks, such as Kerberoasting and AS-REP Roasting.
Why It’s Used: It allows attackers to steal encrypted credentials and crack them offline, often leading to compromised accounts.
CrackMapExec
What It Does: This versatile post-exploitation tool helps attackers assess and exploit security weaknesses in AD environments.
Why It’s Used: CrackMapExec is a powerful tool that simplifies the process of exploiting AD vulnerabilities, making it a favorite among threat actors.
Common Active Directory Attack Techniques
Now, let's delve into some of the most common AD attacks used by ransomware operators and threat actors.
1. BloodHound and AD Reconnaissance
BloodHound is often used after initial access to map out the AD environment. Attackers use a collector called SharpHound to gather information on AD objects, such as users, computers, and groups. Once this data is collected, it is passed to BloodHound, which generates a graphical representation of attack paths using the Neo4j graph database.
Detection:
Monitor for SharpHound (or any renamed executables) being written to disk (Sysmon Event ID 11 FileCreate, via EDR, or manual MFT analysis).
Pay attention to the file's original name to spot potential renaming attempts.
Look for signs of reconnaissance activity, such as unusual LDAP queries.
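As an added illustration of the two disk-based checks above (not code from the original post), the following Python snippet runs over Sysmon records that have already been flattened into their EventData fields: Event ID 11 (FileCreate) catches a collector binary landing on disk, and Event ID 1 (ProcessCreate) compares the PE's OriginalFileName with the name the file actually has on disk, which is how a renamed SharpHound.exe gives itself away. The sample events and the watchlist of collector names are constructed for the example; whether a given build of SharpHound carries "SharpHound.exe" as its OriginalFileName is an assumption you should confirm against your own copy.

```python
from __future__ import annotations
from typing import Iterable, Optional

# Constructed watchlist of BloodHound-family collector binaries (assumption:
# the PE version resource of these tools names them like this; verify locally).
COLLECTOR_NAMES = {"sharphound.exe", "sharphound.ps1", "bloodhound.exe", "azurehound.exe"}


def _basename(path: str) -> str:
    # Sysmon reports Windows paths; normalise separators and case.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_file_create(event: dict) -> Optional[str]:
    """Sysmon Event ID 11 (FileCreate): a collector binary written to disk."""
    if event.get("EventID") != 11:
        return None
    if _basename(event.get("TargetFilename", "")) in COLLECTOR_NAMES:
        return f"collector written to disk: {event['TargetFilename']} by {event.get('Image')}"
    return None


def check_process_create(event: dict) -> Optional[str]:
    """Sysmon Event ID 1 (ProcessCreate): OriginalFileName comes from the PE
    version resource, so it survives a rename of the file on disk."""
    if event.get("EventID") != 1:
        return None
    original = event.get("OriginalFileName", "").lower()
    on_disk = _basename(event.get("Image", ""))
    if original not in COLLECTOR_NAMES:
        return None
    if original != on_disk:
        return f"renamed collector: {event['Image']} (OriginalFileName={event['OriginalFileName']})"
    return f"collector executed: {event['Image']}"


def scan(events: Iterable[dict]) -> list[str]:
    """Apply both checks to every record and return the alert strings in order."""
    hits = []
    for ev in events:
        for check in (check_file_create, check_process_create):
            msg = check(ev)
            if msg:
                hits.append(msg)
    return hits


# Constructed sample records: one drop to disk, one renamed execution, one benign process.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\SharpHound.exe"},
    {"EventID": 1, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc_update.exe",
     "OriginalFileName": "SharpHound.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The LDAP-query side of reconnaissance is not covered here because it needs directory-service diagnostic logging on the DC rather than endpoint telemetry; the two checks above are the ones an EDR or Sysmon pipeline can run on every host.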
2. Kerberoasting
Kerberoasting targets service accounts within AD that have a Service Principal Name (SPN) assigned. Attackers request a Kerberos ticket for these accounts, which contains an encrypted version of the account's password. Once the ticket is obtained, attackers attempt to crack the password offline.
Detection:
Enable "Audit Kerberos Service Ticket Operations" in AD.
Monitor for Event ID 4769, focusing on Ticket Options (0x40810000) and Ticket Encryption (0x17 for RC4).
Alert on .kirbi file creation (Mimikatz saves tickets with a .kirbi extension).
Watch for known Kerberoasting tools like Mimikatz and Rubeus in your environment.
Mitigation:
Remove SPNs from accounts where possible.
Use strong, non-crackable passwords for service accounts (long and high-entropy).
Consider using Managed Service Accounts (MSAs) to mitigate the risk.
3. AS-REP Roasting
AS-REP Roasting exploits accounts with Kerberos pre-authentication disabled. In a typical Kerberos authentication process, pre-authentication ensures that the user's password is verified by the Key Distribution Center (KDC) before issuing a ticket. However, if pre-authentication is disabled, attackers can request an AS-REP message without needing to supply a valid password.
Detection:
Monitor for Event ID 4768, focusing on accounts where the Pre-Authentication Type is 0.
Investigate why pre-authentication is disabled for any accounts in your environment.
Mitigation:
Review accounts with pre-authentication disabled and re-enable it where possible.
Ensure that accounts with pre-authentication disabled have strong, non-crackable passwords.
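The two Kerberos detections above (Event ID 4769 with Ticket Options 0x40810000 and RC4 encryption 0x17 for Kerberoasting, Event ID 4768 with Pre-Authentication Type 0 for AS-REP Roasting) are implemented below as an added example; this is not code from the original post. It assumes the Security events have been exported with their EventData field names (TargetUserName, ServiceName, TicketOptions, TicketEncryptionType, PreAuthType, Status) and a parsed TimeCreated timestamp, which is what a SIEM or Winlogbeat-style forwarder provides. The Kerberoasting check goes one step beyond the single-event filter: it excludes machine accounts and krbtgt, then alerts only when one user requests tickets for several distinct SPNs inside a short window, because a single RC4 service ticket can be legitimate while a burst across SPNs is the roasting pattern. All events are constructed for the example.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Values cited in the post for a typical Kerberoasting request.
KERBEROAST_OPTIONS = "0x40810000"
RC4_HMAC = "0x17"


def is_roastable_tgs_request(ev: dict) -> bool:
    """Event 4769: successful RC4 service-ticket request for a user-account SPN.
    Machine accounts ($) and krbtgt are excluded; their tickets are routine."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    service = ev.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return (ev.get("TicketEncryptionType") == RC4_HMAC
            and ev.get("TicketOptions") == KERBEROAST_OPTIONS)


def kerberoast_alerts(events, window=timedelta(minutes=5), min_spns=3) -> dict[str, set[str]]:
    """Return {requesting user: distinct SPNs} for users that requested roastable
    tickets to at least min_spns different SPNs within one sliding window."""
    per_user = defaultdict(list)  # user -> [(TimeCreated, ServiceName)]
    for ev in events:
        if is_roastable_tgs_request(ev):
            per_user[ev["TargetUserName"]].append((ev["TimeCreated"], ev["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                alerts[user] = spns
                break
    return alerts


def asrep_roast_alerts(events) -> list[str]:
    """Event 4768 with PreAuthType 0: a TGT was issued without pre-authentication,
    so the AS-REP is crackable offline. Returns the affected account names."""
    return sorted({ev["TargetUserName"] for ev in events
                   if ev.get("EventID") == 4768
                   and ev.get("PreAuthType") == "0"
                   and ev.get("Status") == "0x0"})


# Constructed sample events.
T0 = datetime(2024, 1, 15, 9, 0, 0)


def tgs(user, spn, seconds, enc=RC4_HMAC, opts=KERBEROAST_OPTIONS, status="0x0"):
    return {"EventID": 4769, "TimeCreated": T0 + timedelta(seconds=seconds),
            "TargetUserName": user, "ServiceName": spn, "TicketOptions": opts,
            "TicketEncryptionType": enc, "Status": status, "IpAddress": "10.0.0.25"}


SAMPLE_EVENTS = [
    tgs("jdoe@CORP.LOCAL", "svc_sql", 0),
    tgs("jdoe@CORP.LOCAL", "svc_backup", 2),
    tgs("jdoe@CORP.LOCAL", "svc_web", 4),
    tgs("jdoe@CORP.LOCAL", "FILESRV01$", 5),               # machine SPN, ignored
    tgs("asmith@CORP.LOCAL", "svc_sql", 10, enc="0x12"),   # AES256 ticket, ignored
    tgs("asmith@CORP.LOCAL", "svc_web", 3600),             # single RC4 request, below threshold
    {"EventID": 4768, "TimeCreated": T0, "TargetUserName": "legacy_app",
     "PreAuthType": "0", "Status": "0x0", "IpAddress": "10.0.0.25"},
    {"EventID": 4768, "TimeCreated": T0, "TargetUserName": "jdoe",
     "PreAuthType": "2", "Status": "0x0", "IpAddress": "10.0.0.25"},  # PA-ENC-TIMESTAMP, normal
]

if __name__ == "__main__":
    print("Kerberoasting:", kerberoast_alerts(SAMPLE_EVENTS))
    print("AS-REP roastable:", asrep_roast_alerts(SAMPLE_EVENTS))
```

Tune the window and threshold to your environment; a service that legitimately holds RC4-only SPNs will show up repeatedly, which is itself a finding for the mitigation list above (move it to AES and a long password, or to an MSA).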
4. DCSync Attack
DCSync is a powerful attack that allows an attacker to simulate the behavior of a domain controller (DC) and request replication of AD data. By gaining replication permissions, the attacker can pull password hashes for all users in the domain, including highly privileged accounts like Domain Admins.
Detection:
Monitor for Event ID 4662, which indicates that an operation was performed on an AD object. Pay attention to properties associated with Control Access, particularly the following:
DS-Replication-Get-Changes
DS-Replication-Get-Changes-All
DS-Replication-Get-Changes-In-Filtered-Set
The following are the Control Access GUIDs relevant to DCSync attacks:
• {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes
• {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes-All
• {89e95b76-444d-4c62-991a-0facbeda640c} – DS-Replication-Get-Changes-In-Filtered-Set
Watch for accounts being granted replication permissions, as this is a key indicator of a potential DCSync attack.
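As an added example (not the post's own code), here is the Event ID 4662 check described above in Python, again over records flattened to their EventData fields (SubjectUserName, SubjectDomainName, AccessMask, Properties). A 4662 for replication is normal when the subject is a domain controller's machine account (name ending in $) or an explicitly allowlisted synchronisation account, so the logic alerts on everyone else who presents a control-access request carrying one of the three replication GUIDs, and rates Get-Changes-All highest because that right is the one that returns secret attributes. The Properties field layout (the "%%7688" token for Control Access followed by the GUIDs) and all sample events, including the MSOL_ style sync account name, are constructed for the example.

```python
from __future__ import annotations

# Control Access GUIDs from the post.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS_MASK = 0x100  # AccessMask bit for control-access rights in 4662


def replication_rights_in(properties: str) -> list[str]:
    """Names of the replication rights whose GUIDs appear in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync_candidate(ev: dict, allowlist: frozenset[str] = frozenset()) -> bool:
    """True for a 4662 control-access request for replication rights that comes
    from something other than a machine account or an allowlisted sync account."""
    if ev.get("EventID") != 4662:
        return False
    if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS_MASK == 0:
        return False
    if not replication_rights_in(ev.get("Properties", "")):
        return False
    subject = ev.get("SubjectUserName", "")
    return not (subject.endswith("$") or subject in allowlist)


def dcsync_alerts(events, allowlist: frozenset[str] = frozenset()) -> list[dict]:
    """Summarise every DCSync candidate with the rights it requested and a severity."""
    alerts = []
    for ev in events:
        if is_dcsync_candidate(ev, allowlist):
            rights = replication_rights_in(ev["Properties"])
            alerts.append({
                "subject": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
                "rights": rights,
                "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
            })
    return alerts


# Constructed Properties strings in the shape 4662 uses: "%%7688" (Control Access)
# followed by the GUIDs requested; the trailing GUID is the domainDNS object type.
FULL_REPLICATION = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                    "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                    "\n\t{89e95b76-444d-4c62-991a-0facbeda640c}"
                    "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
WRITE_ONLY = "%%7685\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"  # unrelated write access


def event(subject, domain, mask, props):
    return {"EventID": 4662, "SubjectUserName": subject, "SubjectDomainName": domain,
            "AccessMask": mask, "Properties": props, "OperationType": "Object Access"}


SAMPLE_EVENTS = [
    event("DC01$", "CORP", "0x100", FULL_REPLICATION),          # real DC replicating: expected
    event("jdoe", "CORP", "0x100", FULL_REPLICATION),           # user account pulling secrets
    event("MSOL_4f2a9c1e", "CORP", "0x100", FULL_REPLICATION),  # constructed sync account
    event("jdoe", "CORP", "0x10", WRITE_ONLY),                  # no replication right involved
]

if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_EVENTS, allowlist=frozenset({"MSOL_4f2a9c1e"})):
        print(a)
```

Keep the allowlist short and review it on the same schedule as the replication-permission audit in the mitigation list: an attacker who obtains a sync account's credentials inherits its exemption, so the account itself needs the same password and monitoring controls as a Domain Admin.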
Mitigation:
Lock down replication permissions and ensure that only necessary accounts have this level of access.
Use strong, non-crackable passwords for accounts with replication permissions.
Regularly audit accounts with high-level privileges, especially those with replication permissions.
Conclusion: Protecting Active Directory
Active Directory attacks are a significant threat to organizations, particularly when leveraged by ransomware operators. These attacks can provide attackers with deep access to your network and the ability to spread ransomware across the entire environment.
For more in-depth details on some of these attacks, check out this insightful post on DCSync attacks by Jaye, which explores AD replication in detail.
Akash Patel
Bonus:
As you may know, the Conti ransomware group had a documentation leak in 2021; the leaked document was essentially training for affiliates on how to conduct attacks (the manual was named "CobaltStrike MANUALS v2 Active Directory").
Attaching it for you: