CISA and its partner security agencies in the Five Eyes nations have published an alert and extensive security guidance outlining the techniques threat actors use to target Microsoft Active Directory (AD), along with recommendations on how to mitigate these attacks. Microsoft Active Directory (AD) is the most commonly used authentication and authorization solution for managing enterprise identity and access, and it is a valuable target for attackers in cyber intrusions. AD is susceptible to compromise due to its permissive default settings and its complex web of relationships and permissions. Support for insecure legacy protocols such as NTLMv1, LDAP without TLS, SMBv1, Kerberos with RC4-HMAC, and MS-RPC further increases AD's vulnerability.
Detection can be challenging because many AD compromises leverage Living Off The Land (LOTL) techniques, which exploit legitimate built-in functions and generate events that look like normal activity, meaning these attacks can escape behavioral analysis. Detecting AD compromises is resource-intensive and time-consuming, even for organizations with mature SIEM and SOC capabilities.
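To illustrate why the fan-out across otherwise ordinary events, rather than any single event, is the usable signal, the following Python script is an added example (not code from the Five Eyes guidance or from Packetlabs). It runs two heuristics over a constructed batch of Windows Security events: a Kerberoasting check on event 4769 (one requester pulling RC4-encrypted service tickets for many distinct user-owned SPNs in a short window) and a password-spraying check on events 4771 and 4625 (one source IP failing against many distinct accounts). The field names mirror the event data fields of those event IDs; the thresholds, the window length and the sample events are assumptions chosen for the demonstration.

```python
"""Fan-out heuristics for Kerberoasting and password spraying over exported Security events.

Constructed sample data: each record mimics a Windows Security event as a SIEM
would export it (EventID, TimeCreated as epoch seconds, and the relevant event
data fields). Nothing here is real telemetry.
"""
from collections import defaultdict

# Ticket encryption type codes carried in event 4769's TicketEncryptionType field
RC4_HMAC = 0x17
AES128 = 0x11
AES256 = 0x12

KERBEROAST_MIN_SPNS = 5     # distinct service accounts per requester in one window (assumed threshold)
SPRAY_MIN_ACCOUNTS = 10     # distinct target accounts per source IP in one window (assumed threshold)
WINDOW_SECONDS = 600        # assumed sliding-window length


def max_distinct_in_window(recs, field, window=WINDOW_SECONDS):
    """Largest number of distinct `field` values seen within any `window`-second span."""
    recs = sorted(recs, key=lambda r: r["TimeCreated"])
    counts = defaultdict(int)
    best, start = 0, 0
    for r in recs:
        counts[r[field]] += 1
        # slide the left edge forward until the window fits
        while r["TimeCreated"] - recs[start]["TimeCreated"] > window:
            old = recs[start][field]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_kerberoasting(events, min_spns=KERBEROAST_MIN_SPNS):
    """Requesters that obtained RC4 service tickets for many distinct service accounts.

    Computer accounts (trailing '$') and krbtgt are skipped: RC4 tickets for those
    are routine noise, while RC4 tickets for user-owned SPNs are the ones that can
    be cracked offline. Returns {requester: distinct SPN count}."""
    by_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_requester[e["TargetUserName"]].append(e)
    return {
        user: n
        for user, recs in by_requester.items()
        if (n := max_distinct_in_window(recs, "ServiceName")) >= min_spns
    }


def detect_password_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Source IPs with failed logons across many distinct accounts in one window.

    4771 with Status 0x18 (Kerberos pre-auth failed, wrong password) and 4625
    (failed logon) are both counted. A spray touches many accounts once each, so
    the distinct-account fan-out is the signal, not the per-account attempt count.
    Returns {source IP: distinct account count}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] not in (4771, 4625):
            continue
        if e["EventID"] == 4771 and e.get("Status") != "0x18":
            continue
        by_ip[e["IpAddress"]].append(e)
    return {
        ip: n
        for ip, recs in by_ip.items()
        if (n := max_distinct_in_window(recs, "TargetUserName")) >= min_accounts
    }


def sample_events():
    """Constructed events: one Kerberoasting burst, one spray, and benign background noise."""
    t0 = 1_700_000_000
    ev = [
        # benign: a workstation user fetching an AES ticket for a file server
        {"EventID": 4769, "TimeCreated": t0, "TargetUserName": "alice@CORP.LOCAL",
         "ServiceName": "FS01$", "TicketEncryptionType": AES256, "IpAddress": "10.0.1.20"},
        # benign: bob pulled an RC4 ticket for krbtgt (excluded from the count)
        {"EventID": 4769, "TimeCreated": t0 + 5, "TargetUserName": "bob@CORP.LOCAL",
         "ServiceName": "krbtgt", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.33"},
    ]
    # Kerberoasting: bob requests RC4 tickets for six user-owned SPNs within two minutes
    for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_ci", "svc_mon", "svc_erp"]):
        ev.append({"EventID": 4769, "TimeCreated": t0 + 20 * i, "TargetUserName": "bob@CORP.LOCAL",
                   "ServiceName": svc, "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.33"})
    # spray: one IP, twelve accounts, one wrong password each, over four minutes
    for i in range(12):
        ev.append({"EventID": 4771, "TimeCreated": t0 + 20 * i, "TargetUserName": f"user{i:02d}",
                   "Status": "0x18", "IpAddress": "10.0.9.9"})
    # benign: one user mistyping their own password three times
    for i in range(3):
        ev.append({"EventID": 4625, "TimeCreated": t0 + 60 * i, "TargetUserName": "carol",
                   "IpAddress": "10.0.1.40"})
    return ev


if __name__ == "__main__":
    events = sample_events()
    print("kerberoasting:", detect_kerberoasting(events))   # {'bob@CORP.LOCAL': 6}
    print("password spray:", detect_password_spray(events))  # {'10.0.9.9': 12}
```

The thresholds are deliberately a starting point: in a real environment they need tuning against the baseline of legitimate RC4 ticket requests and help-desk failure rates, and the per-account exclusion list should be extended with any service accounts that still require RC4.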
The Five Eyes is an intelligence alliance of five nations: the United States, the United Kingdom, Canada, Australia, and New Zealand. Formed during World War II and formalized through the UKUSA Agreement in 1946, the alliance is centered around sharing signals intelligence (SIGINT) and other classified information among its members. The cooperation focuses on defense and security matters, counter-terrorism, cyber threats, and broader international intelligence activities.
The Five Eyes alliance has faced scrutiny and criticism for its expansive surveillance activities, particularly after whistleblower Edward Snowden revealed its extensive electronic spying programs in 2013. Snowden revealed classified documents such as the PRISM, XKeyscore, Tempora, MUSCULAR, and Upstream programs, proving that the Five Eyes were engaged in large-scale data collection and monitoring—often targeting individuals and organizations not directly related to national security threats.
A full list of attacks referenced in the Five Eyes' report can be found online in HTML and PDF formats and each attack type includes a list of mitigation strategies.
Here are some of the referenced attacks against Microsoft Active Directory (AD):
Kerberoasting: Attackers request service tickets for SPNs (Service Principal Names) from AD, which are then brute-forced offline to crack service account passwords.
Golden Ticket and Silver Ticket attacks: In a Golden Ticket attack, attackers forge a Kerberos ticket using the KRBTGT account, granting them domain admin privileges. In a Silver Ticket attack, attackers forge a service ticket using a compromised service account hash, allowing them access to specific services.
AS-REP Roasting: Similar to Kerberoasting, AS-REP Roasting targets accounts that do not require pre-authentication. Attackers obtain encrypted AS-REP messages, which can be cracked offline to retrieve the account password.
Password spraying: Attackers attempt to log in using a common password against multiple user accounts, rather than brute-forcing a single account.
MachineAccountQuota (MAQ) compromise: Attackers leverage AD’s default setting that allows any user to create up to 10 new computer accounts in the domain, which they then use to perform further attacks.
DCSync and dumping ntds.dit: Attackers extract the ntds.dit database file from a domain controller, which contains password hashes for all users in the domain.
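As an added example (not from the Five Eyes guidance or from Packetlabs), the following Python audit checks an exported set of AD account and domain attributes for the preconditions of the attacks listed above: the DONT_REQ_PREAUTH flag behind AS-REP Roasting, user accounts carrying an SPN that can still be issued RC4 tickets (Kerberoasting), and a non-zero ms-DS-MachineAccountQuota. The attribute names and bit values are the documented AD ones; the finding codes, the treatment of an unset msDS-SupportedEncryptionTypes as RC4-capable, and the sample export are assumptions of this example.

```python
"""Audit of AD account and domain attributes for the preconditions of common AD attacks.

Input is a constructed, LDAP-export-shaped list of dicts (attribute names spelled as
AD does); no live directory is queried. The bit values are the documented
userAccountControl and msDS-SupportedEncryptionTypes flags.
"""

# userAccountControl bits
UF_PASSWD_NOTREQD = 0x0020
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ETYPE_DES_CRC = 0x1
ETYPE_DES_MD5 = 0x2
ETYPE_RC4_HMAC = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10
WEAK_ETYPES = ETYPE_DES_CRC | ETYPE_DES_MD5 | ETYPE_RC4_HMAC


def allows_weak_etype(account):
    """True when the account can be issued a DES or RC4 ticket.

    Assumption of this audit: an unset attribute is treated as RC4-capable, so that
    accounts nobody has explicitly hardened are reviewed rather than silently passed."""
    etypes = account.get("msDS-SupportedEncryptionTypes")
    if etypes is None:
        return True
    return bool(etypes & WEAK_ETYPES)


def audit_account(account):
    """Return the finding codes for one account (empty list means nothing to report)."""
    uac = account.get("userAccountControl", 0)
    name = account["sAMAccountName"]
    is_computer = name.endswith("$")
    findings = []
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("ASREP_ROASTABLE")          # AS-REP can be requested and cracked offline
    if not is_computer and name.lower() != "krbtgt" and account.get("servicePrincipalName"):
        findings.append("KERBEROASTABLE")           # any domain user can request its service ticket
        if allows_weak_etype(account):
            findings.append("KERBEROAST_RC4_ALLOWED")  # that ticket can be issued under RC4-HMAC
        if uac & UF_DONT_EXPIRE_PASSWD:
            findings.append("SPN_PASSWORD_NEVER_EXPIRES")  # a cracked password stays valid indefinitely
    if uac & UF_PASSWD_NOTREQD:
        findings.append("PASSWORD_NOT_REQUIRED")
    return findings


def audit_domain(domain):
    """Domain-level findings: the MachineAccountQuota default of 10 lets any user add computers."""
    findings = []
    if domain.get("ms-DS-MachineAccountQuota", 10) > 0:
        findings.append("MACHINE_ACCOUNT_QUOTA_NONZERO")
    return findings


def run_audit(domain, accounts):
    """Collect findings keyed by 'domain' and by sAMAccountName; clean accounts are omitted."""
    report = {"domain": audit_domain(domain)}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


def sample_directory():
    """Constructed export: the default quota plus a mix of hardened and unhardened accounts."""
    domain = {"dc": "corp", "ms-DS-MachineAccountQuota": 10}
    accounts = [
        # service account with an SPN, password never expires, encryption types never set
        {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
         "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"]},
        # service account with an SPN but restricted to AES
        {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
         "servicePrincipalName": ["HTTP/web01.corp.local"],
         "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256},
        # legacy application account with pre-authentication disabled
        {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH},
        # ordinary user, nothing to report
        {"sAMAccountName": "alice", "userAccountControl": 0x200},
        # computer account: SPNs are normal here and are not counted
        {"sAMAccountName": "WS01$", "userAccountControl": 0x1000,
         "servicePrincipalName": ["HOST/ws01.corp.local"]},
        # krbtgt is disabled by design and excluded from the SPN check
        {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
         "servicePrincipalName": ["kadmin/changepw"]},
    ]
    return domain, accounts


if __name__ == "__main__":
    dom, accts = sample_directory()
    for subject, codes in run_audit(dom, accts).items():
        print(f"{subject}: {', '.join(codes)}")
```

A real export for this audit can be produced with Get-ADUser and Get-ADComputer using -Properties userAccountControl, servicePrincipalName and msDS-SupportedEncryptionTypes, plus Get-ADObject on the domain head for ms-DS-MachineAccountQuota; each finding code maps to a mitigation the guidance already names (enable pre-authentication, move SPN accounts to AES-only with long rotated passwords or group managed service accounts, and set the quota to 0).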
Several open-source tools are widely used for pentesting Active Directory (AD) environments. These tools help security professionals and malicious actors alike enumerate AD, identify vulnerabilities, and perform privilege escalation, lateral movement, and persistence. Below is a list of the most commonly used open-source tools for AD hacking and their purposes:
BloodHound is a single-page JavaScript-based tool designed for AD enumeration and attack path analysis. It leverages graph theory to uncover hidden relationships within an AD environment, allowing users to identify potential attack paths for privilege escalation. BloodHound maps AD objects and their permissions, providing a visual representation of potential attack vectors. It is commonly used to enumerate AD relationships, identify paths for lateral movement, and detect privilege escalation opportunities.
Impacket is a collection of Python classes used for network protocol exploitation and lateral movement. It provides low-level access to various network protocols, enabling attackers to carry out attacks such as Pass-the-Hash, Pass-the-Ticket, DCSync, SMB relay, and Kerberos ticket impersonation, making it a versatile tool for network-based exploitation.
Mimikatz is widely known for its credential dumping and manipulation capabilities. It extracts plaintext passwords, hashes, PINs, and Kerberos tickets from memory, typically by dumping credentials from LSASS, making it a go-to tool for credential theft. Mimikatz also enables credential-based attacks such as Golden Ticket, Silver Ticket, Pass-the-Hash, and Skeleton Key.
PowerView is a PowerShell-based AD enumeration tool that is part of the PowerShell Empire framework. It offers numerous functions to gather information about users, computers, trusts, and other AD objects. PowerView is often used to enumerate AD objects, find logged-on users, identify group memberships, and understand domain trust relationships, providing detailed insight into the AD environment for further exploitation.
Responder specializes in LLMNR/NBT-NS poisoning and credential capture. It works by poisoning Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) requests, allowing it to capture NTLM hashes from network devices. These captured hashes can then be used for relay attacks or cracked offline. Common usage includes poisoning LLMNR/NBT-NS requests, capturing NTLMv2 hashes, and executing relay attacks.
Rubeus is a C# tool focused on Kerberos ticket manipulation and exploitation. It provides functionality to request TGTs and service tickets, perform ticket renewals, extract tickets from memory, and execute Pass-the-Ticket and Overpass-the-Hash attacks. Rubeus is used for a variety of Kerberos-related attacks, including Kerberoasting, Pass-the-Ticket, ticket extraction, and ticket injection, making it a powerful tool for Kerberos abuse.
Certify / certipy-ad automate attacks against Microsoft's Active Directory Certificate Services (AD CS), enabling certificate service exploitation. These tools first help identify vulnerable certificate templates and then perform Enterprise Admin to Domain Admin (ESC) escalation by abusing those templates. Certify is commonly used to identify vulnerable certificate templates, abuse AD CS, and escalate privileges within an AD environment.
The Five Eyes alliance has released detailed guidance on detecting and mitigating Microsoft Active Directory (AD) intrusions. The guidance outlines the common tactics, techniques, and procedures (TTPs) attackers use to compromise AD, including Kerberoasting, AS-REP Roasting, and Golden Ticket attacks.
Detection is challenging due to the frequent use of Living Off The Land (LOTL) techniques, making it crucial for organizations to follow the provided recommendations and implement strong AD security practices.
© 2024 Packetlabs. All rights reserved.