Common Active Directory attacks

How do you protect your organization from Active Directory attacks?

With over 95 percent of the Fortune 1000 companies relying on Microsoft Active Directory (AD) and Azure AD for authentication and single-sign-on support for their user populations, it’s the primary target of threat actors attempting to breach your security and access your intellectual property.  Originally developed to support functionality across a network, its intention was to connect users with resources within a closed infrastructure. The world has changed. A lot. So has Active Directory and its internet-borne cloud baby, Azure Active Directory. AD and AAD now are critical components of cybersecurity with its ability to control access to resources from on-premises to the cloud and back again. Identity is the new cybersecurity perimeter and the data stored in AD/AAD can be the keys to the kingdom for a successful hacker.

How safe is Active Directory?

What are common attack methods? And what can be done to around AD/AAD-controlled provisioning tasks? In this blog, we’ll share a few of the common Active Directory attacks that hackers use to get into your infrastructure, how you can protect it and what impact it can have on the reputation and productivity of your organization.

First, let’s share some of the most common techniques that threat actors use to break into your network.

  1. Password Spraying

With password spraying (this might be more accurately called username spraying), an attacker will use lists of previously compromised passwords and cracked hashes to methodically inject these to an authentication web page or other system until they find a credential that has access. Since most systems will lock a user account after a pre-set number of failed attempts, often attackers will switch usernames until it matches with a target password.

Remediation: Multi-factor authentication, good password hygiene, complex passwords and enforcement of password policies help to slow down this attack method. Also, from an administrative side, using a password solution that prevents users from using known compromised passwords, is effective.

  1. Local Loop Multicast Name Resolution (LLMNR)

A traditional function from days of yore that was safe on closed network but is still run across by SIs and others who work with end-user clients. This name and acronym of this Windows networking function is a mouthful, but LLMNR is akin to taking grammar school attendance on the network. “User X?!” “Here!” This attack exploit leverages Windows systems with certain browser settings (in IE), such as ‘Automatic Proxy’. IE will look for a host with the name WDAP. Attackers set up a web server by that name and listen for the beck and call of LLMNR. The user system will call out for WDAP server, and the interloper server will answer and ask for the user credentials. Now the attacker has a valid user’s info – also called the hash. Often, the attacker will take the compromised hash and given enough time can discover the valid password. Then, they are on the network. And if the user has elevated privileges, the attacker has access to critical systems and can steal or copy valuable data or do extensive damage to the network functionality.

Remediation: You can simply disable the multicast name resolution on your domain. This will prevent the systems from asking for resources without resolving names through DNS. Complex passwords can also slow down attackers, but the most effective way to protect your infrastructure – and a proven game-stopper for many threat types – is to implement multifactor authentication (MFA) with your user population.

  1. Default Credentials

Update the default passwords that are preloaded on devices/systems. When not changed, this makes it easy for threat actors to access the device and subsequently, the rest of your network. Even something as simple as a fish tank temperature monitor that is connected to a home or office network can be an entry point for bad guys.

Remediation: Immediately update passwords on new systems and devices to eliminate this fish-in-a-barrel opportunity for threat actors. You can also use a password manager solution that can randomize passwords for line-of-business users and devices. Additionally, solutions that specialize in privileged passwords can protect admin access by randomizing passwords, require users to check out passwords for a particular session and have them checked back in and changed. This will also strengthen your compliance performance as well.

  1. Hardcoded credentials

Like default credentials, hardcoded credentials are a feast for threat actors. They will review scripts and scheduled tasks to discover username/password in the script. Then they are off to the races plundering data and damaging systems, especially if the script or task may have privileged permissions.

Remediation: The simple solution is to NOT use hardcoded credentials, especially if the script or task has privileged access to critical resources. You can also use a solution that requires credentials to be checked out to use.

  1. Kerberoasting

Kerberoasting is an attack against service accounts in Active Directory that use the ‘ServicePrincipalName’ or SPN attribute on a user object. Services that are set to authenticate against AD, such as Microsoft SQL, ‘publish’ their SPNs to their AD object. These service accounts are usually members of some privileged groups as well, making them more likely to be targeted.

Remediation: Assess your service accounts to identify those that are vulnerable to Kerberoasting. You can also use solutions that alert when a SPN attribute is populated and prevent unauthorized attribute changes. As service accounts cannot use MFA, password complexity – 25 characters or more - is critical. Vulnerable objects and service accounts can be organized into an AD-controlled group with the proper solution; and finally using a privileged password manager can vault complex password for optimal cybersecurity.

  1. Privilege elevation in Active Directory

The first step of threat actors is to get in. Often this is done through a standard account with weak cybersecurity practices – such as the use of non-complex or common passwords. Unless the hacker gets in with elevated credentials, the next step is to parlay their standard access into privileged access. There are several ways they attempt to do this, but once they can compromise an admin account, they can steal, damage, or hold systems and data for ransom.

Remediation: Assess who has access to which resources, especially admin accounts with privileged access. Once you know your privileged user population, you can create a plan to monitor and secure them. Closely monitor this group for aberrant behaviors using historic data or user actions for baseline comparison. A change auditor solution can send alerts when attributes of privileged resources are modified.

  1. Social Engineering

The crossroads of technology and human psychology, social engineering is sleight of hand by threat actors to trick people to give up information that enables hackers to gain access to systems. Once in, they can do all sorts of damage. Social engineering is not limited to but includes email phishing, vishing and whaling exploits.

Remediation: User training and awareness. If users can identify potential social engineering attacks and are given knowledge on how to handle them, they can strengthen the weakest part of any cybersecurity plan, human gullibility. Access control, putting limits on what types of resources can be accessed or downloaded to your infrastructure. As with many other exploits discussed here, MFA can stop many attack methods before the threat actors can get in.

Active Directory is often a critical part of organizational infrastructure. By taking steps to safeguard against the most common active directory attacks, you can strengthen your overall security posture.

Blog Post CTA Image

Related Content