CISA Releases Guidance on Detecting and Mitigating AD Compromises

Active Directory is the core authentication and authorization service of most enterprise networks. It comprises Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS) and Active Directory Certificate Services (AD CS).

CISA, in collaboration with several cybersecurity agencies, has released a comprehensive guide on detecting and mitigating Active Directory compromises. Co-authored by the Australian Signals Directorate (ASD), the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and the United Kingdom’s National Cyber Security Centre (NCSC-UK), the guide aims to inform organizations about the common techniques malicious actors use to target Microsoft Active Directory.

The guide highlights that Active Directory’s susceptibility to compromise stems from its permissive default settings, complex relationships, and support for legacy protocols, as well as a lack of adequate tooling for diagnosing security issues.

Common Techniques Exploited by Malicious Actors

The guide details 17 common techniques used by malicious actors to compromise Active Directory.

Key Techniques Include:

Kerberoasting: This targets user objects configured with a service principal name (SPN). Any authenticated domain user can request a ticket-granting service (TGS) ticket for such an SPN; the ticket is encrypted with a key derived from the service account’s password, so it can be cracked offline to recover the cleartext password. Accounts that still accept RC4-encrypted tickets are cracked far faster than AES-only ones.

Authentication Server Response (AS-REP) Roasting: This targets user objects that do not require Kerberos pre-authentication. Without pre-authentication, an attacker can request an AS-REP for the account without knowing its password; part of that response is encrypted with the account’s password-derived key and can be cracked offline to recover the password.

Password Spraying: A brute-force variant in which a small number of common passwords is tried against many accounts. Because each account sees only a few attempts, the attack stays below the lockout thresholds that per-account guessing would trigger.

MachineAccountQuota Compromise: By default, the domain’s ms-DS-MachineAccountQuota attribute lets any authenticated user create up to 10 computer objects. Malicious actors use this to add computer objects they control, which then serve as a foothold for other techniques; the guide recommends setting the quota to 0.

Unconstrained Delegation: A computer or user object configured with unconstrained delegation stores the ticket-granting tickets (TGTs) of the users who authenticate to it. An attacker who compromises such a host can extract those TGTs and impersonate their owners, and can coerce privileged accounts, including domain controllers, into authenticating to the host in order to capture their TGTs.

Password in Group Policy Preferences (GPP) compromise: GPP XML files stored in SYSVOL can carry a cpassword attribute. Its value is encrypted with a static AES key that Microsoft has published, so any domain user who can read SYSVOL can recover the cleartext. Microsoft has deprecated cpasswords and provides more secure ways to manage passwords, for instance Microsoft’s LAPS. As other methods exist for configuring passwords via Group Policy, cpasswords should no longer be used and any existing ones should be removed from the SYSVOL directory.
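The misconfigurations behind the five techniques above are all readable by an ordinary domain user, which is what makes them attractive to an attacker and easy for a defender to audit. The following PowerShell is an added example written for this page, not code from the guide or from CISA; it assumes the RSAT ActiveDirectory module on a domain-joined host and reads the domain through that module only.

```powershell
# Added example (not from the guide): enumerate the AD DS settings behind Kerberoasting,
# AS-REP Roasting, MachineAccountQuota abuse, unconstrained delegation and GPP cpasswords.
# Assumes the RSAT ActiveDirectory module on a domain-joined host; a plain domain user can
# read everything queried here.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# userAccountControl bits, matched with the LDAP bitwise-AND rule 1.2.840.113556.1.4.803
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$DONT_REQ_PREAUTH       = 0x400000   # Kerberos pre-authentication not required

# 1. Kerberoasting: user objects carrying an SPN (krbtgt always has one and is excluded).
#    These should be gMSAs; an empty msDS-SupportedEncryptionTypes, or one including
#    RC4 (0x4), means the TGS can be cracked much faster than an AES-only one.
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    Select-Object SamAccountName, PasswordLastSet, AdminCount,
        @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'SPNs';     e = { $_.servicePrincipalName -join ';' } }

# 2. AS-REP Roasting: accounts with DONT_REQ_PREAUTH set.
$noPreauth = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=${DONT_REQ_PREAUTH})" `
    -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet

# 3. MachineAccountQuota: the default of 10 lets any user add computer objects; the guide
#    recommends 0 so that only delegated accounts can join computers.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# 4. Unconstrained delegation: DCs legitimately carry TRUSTED_FOR_DELEGATION (primaryGroupID
#    516 for writable DCs, 521 for RODCs); any other computer, and any user object, is a finding.
$udFilter = "(userAccountControl:1.2.840.113556.1.4.803:=${TRUSTED_FOR_DELEGATION})"
$unconstrainedComputers = Get-ADComputer -LDAPFilter "(&${udFilter}(!(primaryGroupID=516))(!(primaryGroupID=521)))" |
    Select-Object -ExpandProperty Name
$unconstrainedUsers = Get-ADUser -LDAPFilter $udFilter | Select-Object -ExpandProperty SamAccountName

# 5. GPP cpassword: preference XML files under SYSVOL that still carry the attribute.
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$cpasswordFiles = Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword="[^"]+"' -Quiet } |
    Select-Object -ExpandProperty FullName

"Domain: $($domain.DNSRoot)"
"ms-DS-MachineAccountQuota: $quota (recommended: 0)"
"User objects with an SPN: $(@($spnUsers).Count)"
$spnUsers | Format-Table -AutoSize | Out-String
"User objects without pre-authentication: $(@($noPreauth).Count)"
$noPreauth | Format-Table -AutoSize | Out-String
"Non-DC computers with unconstrained delegation: $(@($unconstrainedComputers).Count)"
$unconstrainedComputers
"User objects with unconstrained delegation: $(@($unconstrainedUsers).Count)"
$unconstrainedUsers
"GPP files with cpassword: $(@($cpasswordFiles).Count)"
$cpasswordFiles
```

Run it as a low-privileged user from a management workstation: if it returns findings, so would an attacker with a single phished account. Every non-empty list maps to one of the mitigations later in this article (gMSAs, pre-authentication, a zero quota, constrained or resource-based delegation, and removing cpasswords from SYSVOL).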

Active Directory Certificate Services (AD CS) compromise: AD CS implements Microsoft’s public key infrastructure (PKI), providing various services including encryption, code signing and authentication. The AD CS Certificate Authority (CA) manages and issues public key certificates. The AD CS CA can be configured with multiple certificate templates, allowing user and computer objects to request certificates for various purposes. Depending on the configuration of the AD CS CA, a range of vulnerabilities can exist which can be exploited by malicious actors to escalate their privileges and move laterally.

Golden Certificate: A Golden Certificate is a persistence technique that expands upon an AD CS compromise. If malicious actors obtain administrative access to a CA, they can extract a CA certificate and private key. Once obtained, these can be used to forge valid certificates for client authentication to impersonate any other user object in the domain.

DCSync: DCSync replicates information from Active Directory, including password hashes. This requires ‘Replicating Directory Changes’, ‘Replicating Directory Changes All’ or ‘Replicating Directory Changes in Filtered Set’ privileges – or either ‘GenericAll’ or ‘AllExtendedRights’ permissions – on the domain root object in Active Directory.

Dumping ntds.dit: The ntds.dit file is the directory database and contains every account’s password hashes, but it is locked while AD DS is running. Malicious actors therefore commonly use Volume Shadow Copy Service tooling (such as vssadmin) or ntdsutil on a domain controller to take a copy of it together with the SYSTEM registry hive, which holds the key needed to decrypt the hashes. These tools can be executed using PowerShell. If PowerShell logging is enabled, the tool names and their parameters are recorded, which can help identify an attempt to compromise the ntds.dit file. Additionally, analysing events for unusual authentication, such as objects that do not normally authenticate or that authenticate at unusual times of day, can assist in identifying malicious activity.
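As an added example (not from the guide), the following PowerShell first lists which principals hold DCSync-capable rights on the domain root, then looks for 4662 replication requests made by anything other than a domain controller. It assumes the RSAT ActiveDirectory module, that Audit Directory Service Access is enabled on the DC (event 4662 is not written otherwise) and read access to that DC’s Security log; the list of expected right holders is an assumption to adjust per environment.

```powershell
# Added example (not from the guide): who can DCSync, and who tried.
# Assumes RSAT ActiveDirectory, Audit Directory Service Access enabled on the DC, and read
# access to its Security log. $expected is an assumption about a default-ish domain.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Control-access right GUIDs of the three replication rights (from the AD schema). An
# ExtendedRight ACE whose ObjectType is all zeros grants every extended right, these included.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$nb = $domain.NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
              "$nb\Domain Controllers", "$nb\Domain Admins", "$nb\Enterprise Admins",
              "$nb\Enterprise Read-only Domain Controllers")

# Part 1: ACEs on the domain root that allow DCSync (GenericAll, AllExtendedRights, or a
# replication right by GUID).
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$holders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $guid = $ace.ObjectType.ToString()
    $right = if ($ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)) { 'GenericAll' }
             elseif ($ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight)) {
                 if ($ace.ObjectType -eq [guid]::Empty) { 'AllExtendedRights' }
                 elseif ($replicationRights.ContainsKey($guid)) { $replicationRights[$guid] }
             }
    if ($right) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Expected  = $expected -contains $ace.IdentityReference.Value
        }
    }
}
"DCSync-capable ACEs on $($domain.DistinguishedName):"
$holders | Sort-Object Expected, Principal | Format-Table -AutoSize | Out-String

# Part 2: 4662 records the requested control-access right GUID in its Properties field.
# Keep only replication GUIDs requested by something other than a DC computer account.
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -ComputerName $domain.PDCEmulator -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since }

$suspect = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $asked = foreach ($g in $replicationRights.Keys) { if ($d['Properties'] -match $g) { $replicationRights[$g] } }
    if ($asked -and $dcAccounts -notcontains $d['SubjectUserName']) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Rights  = ($asked -join ',')
        }
    }
}
"Replication requests by non-DC principals in the last 7 days: $(@($suspect).Count)"
$suspect | Format-Table -AutoSize | Out-String
```

Part 1 answers the question the DCSync paragraph raises (who holds the rights); Part 2 is the detection the ntds.dit paragraph calls for, with the advantage that a DCSync never touches disk on the DC, so the audit log is the only place it shows up. Legitimate exceptions (an Entra Connect service account with password hash synchronisation enabled, some backup products) should be added to $expected rather than ignored in the output.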

Golden Ticket: A Golden Ticket misuses the KRBTGT user object’s password hash to forge TGTs. With the KRBTGT user object’s password hash, malicious actors can forge their own TGTs to impersonate any user object and subsequently request a TGS ticket from a domain controller.

Silver Ticket: A Silver Ticket exploits specific services running on computers by compromising the password hash of the user object running a service or a computer object’s password hash. Just like user objects, computer objects are also configured with passwords and are how they authenticate to a domain. If a computer object’s password hash is compromised, malicious actors can authenticate to the computer or authenticate as the computer object itself, gaining access to its domain privileges.

Golden Security Assertion Markup Language (SAML): AD FS enables the secure sharing of verified identity information across security and enterprise boundaries. It is commonly used to extend authentication from an AD DS domain to cloud-based resources and services. AD FS supports SAML, an authentication standard that enables single sign-on. AD FS can be configured as an identity provider for different services that it can securely share identity information with, acting as an authentication broker. AD FS uses a private key to sign SAML responses, and these tokens are used to identify and authenticate users to the services for which AD FS acts as an identity provider. If malicious actors obtain that token-signing private key, typically by compromising the AD FS server or its configuration database, they can forge SAML tokens for any user with any claims, including a claim that multi-factor authentication has already occurred, and authenticate to every service that trusts AD FS. This is the Golden SAML technique.

Microsoft Entra Connect Compromise: Microsoft Entra Connect is an on-premises application that enables hybrid identity management by synchronising Active Directory with its cloud-based counterpart, Microsoft Entra ID. This allows Active Directory objects, such as user objects, to seamlessly access cloud-based resources and services, such as Microsoft 365 and Azure, using their Active Directory credentials and single sign-on. To do this, the Entra Connect server stores credentials for highly privileged service accounts in both directories; malicious actors who compromise the server can extract them and pivot from on-premises AD DS into Entra ID, or the reverse. The server must therefore be protected as a Tier 0 asset.

One-way domain trust bypass: Active Directory supports trusts between domains to allow users from one domain to be authenticated in another domain and access its resources. Trust relationships are either one-way or two-way, and transitive or non-transitive. In a one-way trust, users in Domain B (trusted) can access resources in Domain A (trusting), but users in Domain A cannot access resources in Domain B. If a trust is transitive, it extends to other domains beyond the two that established it, while a non-transitive trust cannot be extended further. The trust itself is secured by a shared trust key that the trusting domain stores in its directory. Malicious actors with administrative access to the trusting domain (Domain A) can extract that key and use it to authenticate to the trusted domain (Domain B) as the trust account, gaining the access of an ordinary user in Domain B even though the trust only points the other way.

Security Identifier (SID) History compromise: Every object in AD DS has a unique and immutable SID that is used by AD DS to identify the object and determine the privileges it has when accessing systems, services and resources. As usernames can be changed, AD DS relies on the SID to distinguish between objects to ensure that the correct access is provided to an object. In addition to the ‘SID’ attribute, there is the ‘sIDHistory’ attribute that stores previous SIDs. If a SID is changed, i.e., when an object is migrated from one domain to another, the object will be given a new SID, and its previous SID will be stored in the ‘sIDHistory’ attribute. Because access checks honour every SID in sIDHistory, malicious actors with the privileges to edit the attribute (in practice, Domain Admin or equivalent) can add the SID of a privileged principal such as Enterprise Admins to an account they control. The account then gains that principal’s access without appearing in any group membership, which makes the technique attractive for persistence.
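Both of the techniques above can be reviewed from the directory itself. The following PowerShell is an added example for this page, not code from the guide; it assumes the RSAT ActiveDirectory module. It lists each trust’s direction and filtering settings and flags sIDHistory entries that either reference the current domain (a migration never produces those, because it imports SIDs from another domain) or carry a well-known privileged RID.

```powershell
# Added example (not from the guide): review trusts and sIDHistory values for the
# one-way trust bypass and SID History persistence described above.
# Assumes the RSAT ActiveDirectory module; read access to the directory suffices.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Trusts: direction and transitivity decide how far a compromise can travel; SID filtering
# (quarantine) is what stops sIDHistory from being honoured across the trust.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize | Out-String

# Well-known RIDs whose presence in sIDHistory grants high privilege.
$privilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 516 = 'Domain Controllers'
                     518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

$findings = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName | ForEach-Object {
    $obj = $_
    foreach ($entry in $obj.sIDHistory) {
        # The AD module normally returns SecurityIdentifier objects; a raw byte[] is handled too.
        $sid = if ($entry -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($entry, 0) }
               else { [System.Security.Principal.SecurityIdentifier]$entry }
        $s         = $sid.Value
        $rid       = [int]$s.Substring($s.LastIndexOf('-') + 1)
        $sidDomain = $s.Substring(0, $s.LastIndexOf('-'))
        [pscustomobject]@{
            Object     = $obj.sAMAccountName
            HistorySid = $s
            SameDomain = ($sidDomain -eq $domainSid)   # a migration imports foreign SIDs, never our own
            Privileged = if ($privilegedRids.ContainsKey($rid)) { $privilegedRids[$rid] } else { '' }
        }
    }
}
"Objects with sIDHistory: $(@($findings | Select-Object -ExpandProperty Object -Unique).Count)"
"Suspicious entries (same-domain SID or privileged RID):"
$findings | Where-Object { $_.SameDomain -or $_.Privileged } | Format-Table -AutoSize | Out-String
```

A trust showing Direction of Inbound or Outbound with SIDFilteringQuarantined set to False is the configuration that lets an injected sIDHistory from the other domain be honoured here, so the two halves of the output should be read together. sIDHistory entries left over from a completed migration should be cleared once the old domain is gone; there is then nothing legitimate for the attribute to carry.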

Skeleton Key : Skeleton Key is malware that overrides the NTLM and Kerberos authentication process and sets a password – called the Skeleton Key – to authenticate as any user object in a domain. This compromises the LSASS process on a domain controller and requires administrative privileges to execute. This malware is used by malicious actors to establish persistence and evade detection. After overriding the authentication process and injecting the Skeleton Key, malicious authentications are virtually indistinguishable from legitimate authentications, making it difficult to identify malicious activity.

Mitigation Strategies

The guide provides robust mitigation strategies to protect against these threats:

Implementing Microsoft’s Enterprise Access Model: This tiered model ensures that Tier 0 user objects (those with significant access) do not expose their credentials to lower-tier systems and that Tier 0 computer objects are only managed by Tier 0 user objects.

Minimizing SPNs: Reducing the number of user objects configured with SPNs to limit the attack surface for Kerberoasting.

Ensuring Kerberos Pre-authentication: Configuring all user objects to require Kerberos pre-authentication to mitigate AS-REP Roasting.

Using Group Managed Service Accounts (gMSAs): gMSAs have long, random passwords that Windows rotates automatically, so tickets issued for their SPNs cannot realistically be cracked.

Monitoring and Logging: Centrally log and analyze events such as TGS ticket requests to detect suspicious activity.

Detecting Active Directory compromises can be challenging due to the similarity between legitimate and malicious activities. The release of this guide underscores the critical need for organizations to prioritize the security of their Active Directory environments.

The guide suggests using tools like BloodHound, PingCastle, and Purple Knight to understand and identify misconfigurations and weaknesses. It also recommends analyzing specific event IDs, such as 4769 for TGS ticket requests, to identify potential Kerberoasting activity.
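The following PowerShell is an added example (not from the guide) of the 4769 analysis suggested above: it pulls a day of TGS requests from the PDC emulator, keeps successful requests for services run by user objects, and reports requesters that obtained RC4 (0x17) tickets for many distinct services. It assumes the RSAT ActiveDirectory module and read access to the DC’s Security log; the 24-hour window and the threshold of five distinct SPNs are assumptions.

```powershell
# Added example (not from the guide): Kerberoasting triage from Security event 4769.
# Assumes RSAT ActiveDirectory and read access to the DC's Security log; the 24-hour
# window and the threshold of 5 distinct SPNs per requester are assumptions.
Import-Module ActiveDirectory
$dc    = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-24)
$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since }

$requests = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Keep successful requests (Status 0x0) for services run by user objects:
    # computer accounts end in '$' and krbtgt is the TGT service itself.
    if ($d['Status'] -ne '0x0') { continue }
    if ($d['ServiceName'] -match '\$$' -or $d['ServiceName'] -eq 'krbtgt') { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $d['TargetUserName']        # account that asked for the ticket, as user@REALM
        Source    = $d['IpAddress']
        Service   = $d['ServiceName']
        EncType   = $d['TicketEncryptionType']  # 0x17 = RC4-HMAC, 0x12 = AES256
    }
}

# One requester, many RC4 service tickets in a short window is the Kerberoasting pattern.
$report = $requests | Where-Object { $_.EncType -eq '0x17' } | Group-Object Requester | ForEach-Object {
    $services = @($_.Group.Service | Sort-Object -Unique)
    [pscustomobject]@{
        Requester    = $_.Name
        RC4Tickets   = $_.Count
        DistinctSPNs = $services.Count
        Sources      = (@($_.Group.Source | Sort-Object -Unique) -join ',')
        Suspicious   = $services.Count -ge 5
    }
}
$report | Sort-Object DistinctSPNs -Descending | Format-Table -AutoSize
```

The RC4 filter is the useful discriminator only while legitimate clients negotiate AES; once every service account has msDS-SupportedEncryptionTypes set to AES-only, any 0x17 ticket is itself the alert, and the distinct-SPN count becomes a secondary signal for AES-based roasting.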

By understanding the TTPs used by malicious actors and implementing the recommended mitigation strategies, organizations can significantly enhance their cybersecurity posture and protect against potentially devastating compromises.

As the cyber threat landscape continues to evolve, staying informed and proactive is essential for maintaining the integrity of enterprise IT networks.
