3 telltale signs the Active Directory has been compromised

The transition to remote and hybrid working models has led to an attack surface that is more dynamic than ever. Between the public cloud adoption trends, remote working and corporate data dissemination, the need to focus on user identities is essential. Organisations should be asking who these users are, what their access is and whether they should have access at all. This makes Active Directory (AD) security front and centre for any organisation.

AD has been used by organisations for identity and access management for over 20 years. Before the shift to remote work, managing AD on-premises was easier as IT administrators had visibility and could control the number of users on a network and the resources they could access. The new working model complicates things because AD environments are constantly changing. That means if AD security hygiene isn’t managed or secured properly, cybercriminals can find attack pathways through weak passwords or phishing links. Attackers go after the low-hanging fruit like weak passwords and encryption and through phishing attacks.

It’s worth noting that most organisations in India conduct AD scans only once, sometimes twice a year, leaving the AD unattended and room for attackers to stay hidden within the network. Securing the AD requires a deeper understanding of the methods cybercriminals deploy to stay hidden and telltale signs that AD has been compromised:

DCSync: Get access to Privileged Accounts. Using this attack model, the attacker takes advantage of the Directory Replication Service Remote (DRSR) protocol to locally replicate the AD database and get offline access to the information stored in the database. In such an attack, adversaries masquerade as a DC to use replication and will be able to access all sensitive data, including password hashes. The attacker uses this method to gain access to Domain Admin accounts, to then be able to execute the second step: Golden Ticket.

For instance, once a DCSync attack is perpetrated, attackers can become privy to calendars that may have links to virtual meetings where confidential business matters are discussed. Would you notice an extra participant in a large meeting? Proper AD delegation management, limiting DRSR protocol activity to DC VLAN and detecting attempts to replicate the DC database are important to securing the AD from such an attack. At the same time, continuous monitoring of the AD can stop attackers from moving laterally before the IT infrastructure is completely compromised.

Golden Ticket: Do whatever you want. A Golden Ticket attack is generally the second step after a DCSync attack. A Golden Ticket is when attackers are able to manipulate the Kerberos Ticket Generating Ticket, which can only be accessed by DCs. As a Golden Ticket expires quickly, attackers use it to gain unrestricted access to all computers, files, data and, more importantly, the control system itself.

Enforcing the least privilege model, where the number of users with privileges is limited, helps admins determine the exact number of privileged accounts at any given time. Installing endpoint protection to block attackers from loading modules like Mimikatz creates a choke point for access to DCs, which is another layer of protection. Finally, it is necessary to reset the password of the KRBTGT account regularly.

DCShadow: Mask your actions and create backdoors. In DCShadow, attackers create a rogue Domain Controller/Admin (DC) to alter permissions to the Active Directory and to create backdoors using the PrimaryGroupID or SIDHistory attributes. Via DCShadow, the attacker will be able to modify attributes that are not accessible via traditional management tools because DCShadow uses the replication flow and not the Active Directory management API. They are then able to act as a “real” DC and even cover their trail by deleting activity logs. The rogue DC will have the ability to communicate with the real DCs and create backdoors in AD without being detected.

For instance, once attackers create a rogue DC and gain access to authentication keys, they can deploy ransomware on systems across the network. Using automated tools to continuously monitor the AD enables security teams to lock down an attacker’s capability to create new objects. Full visibility into the attack surface can stop attackers from modifying the service principal names (SPNs) of users and report all AD permissions that exist within the network that may be used to escalate privileges.

Given the fluid nature of AD, organisations need full and continuous visibility to discover underlying issues affecting the AD, identify dangerous relationships, catch every single change to the AD, find and fix weaknesses, uncover new attack pathways and detect and stop ongoing attacks before attackers escalate privileges.

With a fragmented workforce, the attack surface is also wider, making AD security mission-critical. Full visibility into the AD infrastructure will help security teams identify abnormal user behaviours and detect a breach before attackers can move laterally. Securing the AD is now a fundamental step in reducing your organisation’s cyber risk.

The author is Kartik Shahani, Country Manager, Tenable India.