How and why do attackers target an organization’s Active Directory (AD)?

This blog, which is part 8 of the series A Practical approach to Active Directory Domain Services, will provide you with the answers. In this part, we will examine what attackers gain by compromising the AD setup. We will also look at some of the most noted means by which AD is compromised. 

There are two main sections to this blog:

  • Section 1: A macroscopic view of the AD attack methodology

  • Section 2: Three examples of noted AD attacks:

    • DCSync and DCShadow attacks

    • Kerberoasting

    • Ntds.dit password extraction attacks

Understanding the AD attack methodology 

If you want to understand AD and its associated security concepts, you first have to know the anatomy of an AD breach in detail. But before getting into the anatomy of AD attacks, would you like to brush up on the basics of AD security? Go ahead and read part 7 of this blog series.

Now, let us take a look at the AD attack methodology from an attacker’s perspective: 

  • Their ultimate strategy: The final goal of AD attackers is to gain control of the victim’s AD environment.

  • The lucrative gain: The AD attack surface, once exposed, provides attackers with access to the most critical AD accounts and services. With such privileged access, attackers gain unregulated passage to sensitive identities and their associated data for further compromise and exploitation.

  • The chosen approach: Attackers seek access either to highly sensitive data or to highly privileged user accounts and groups. Having taken control of the AD infrastructure through the tactics covered below, they make demands, monetary and otherwise, that ultimately cripple the victim.

  • The tactics employed: Attackers aim to create, modify, and manage AD objects as if they were domain administrators, operating within the compromised network with the highest access privileges. Initial entry is typically gained through phishing emails, open-source tools such as Mimikatz, or exposed services on open ports, as in the case of RDP attacks.

  • The next steps: Once attackers gain access to the AD environment, they move laterally and work on strengthening their hold on resources and data that are not meant for them. This is how their exploitation begins.

At this stage, attackers can do almost anything from within the AD infrastructure.

They can:

➤ Stay undetected to monitor and exploit any misconfigurations in the AD design.

➤ Change the membership of domain administrator groups to wrest control of AD from its rightful administrators. For example, after initial entry, attackers can watch the domain administrator group for weaknesses such as over-privileged users or unmanaged, unmonitored membership settings. Through credential-theft attacks or malware deployment, they can then change permissions, security settings, and membership configurations.

➤ Change passwords, attribute values, and modify Group Policy management settings and AD group memberships, thereby meddling with access rights, permissions, and privileges available to AD users and groups.

➤ Deploy ransomware through the circulation of phishing emails, the delivery of drive-by downloads through a compromised web infrastructure, or through the installation of downloadable malware on compromised AD workstations.

Some notable AD attack examples 

  • DCSync and DCShadow attacks:

➤ Both of these AD attacks abuse the AD replication model.

  • Similarity: Both attacks are characterized by attackers gaining illicit control of one domain controller (DC), subsequently extending their control over all other DCs in the domain.

  • Key difference: DCSync attackers rely solely on replication requests to obtain the authentication credentials needed to impersonate domain administrators, whereas DCShadow attackers go a step further and register a fake DC, then unregister it after the attack. This makes a DCShadow attack quicker and more discreet.

➤ DCSync attacks:

  • During a DCSync attack, attackers obtain the authentication credentials of each of the other DCs in the AD forest. They accomplish this using the DCSync command of the open-source tool Mimikatz.

  • Alternatively, the Directory Replication Service (DRS) Remote Protocol can be the first touchpoint for exploitation. The DRS protocol is a communication protocol that is used to manage replication of data in AD.

  • With access to all DCs in each domain, attackers compromise the replication topology.

  • Attackers then elevate their access privileges and permissions to gain control of and manage all AD users, groups, and computer accounts; configurations; and Group Policy settings. The AD service is now at the mercy of their unlawful control.

➤ DCShadow attacks:

  • During a DCShadow attack, attackers stealthily gain control of a DC, a replication partner, or a low-privileged user or their workstation, and use the DCShadow command to register a “rogue” DC with replication rights. They do this using tools like Mimikatz or Remote Server Administration Tools.

  • Attackers then launch malicious changes that will be replicated across the domain. They may also add backdoors in the AD schema.

  • Attackers can immediately cover their traces by unregistering the rogue DCs, making these attacks harder to track and monitor.

  • To learn about DCShadow attacks in detail, read more here.
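Both attacks leave a trace on the DCs that serve the replication requests or receive the rogue registration. The following script is an added example for this post (it is not code from the original article) that runs two detections over Security event records: event 4662 entries in which a principal other than a known DC exercised a directory replication control-access right (the DCSync pattern), and event 4742 entries in which a computer account acquired the SPNs a DC must advertise (the DCShadow pattern). The replication-right GUIDs and the DC SPN prefixes are well-known AD values; the event records, host names, and the DSA GUID in SAMPLE_EVENTS are constructed.

```python
"""Detections for replication abuse: a non-DC principal using replication rights
(DCSync) and a computer account suddenly carrying DC-style SPNs (DCShadow).

Added example for this post, not code from the original article. Events are dicts in
the shape a SIEM produces after parsing Security.evtx; SAMPLE_EVENTS is constructed."""

# Control-access-right GUIDs that grant directory replication (well-known AD values)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# SPN prefixes a rogue DC registers: the global catalog SPN and the DRS interface class
DC_SPN_PREFIXES = ("GC/", "E3514235-4B06-11D1-AB04-00C04FC2DCD2/")


def detect_dcsync(events, known_dcs):
    """Return [(account, [rights used])] for event 4662 records in which a principal
    other than a known DC exercised a replication control-access right.
    4662 is only logged when the 'Audit Directory Service Access' subcategory is on."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        used = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not used:
            continue
        account = e["SubjectUserName"]
        # DCs replicate from each other by design; their machine accounts end in '$'
        if account.rstrip("$").upper() in known_dcs:
            continue
        hits.append((account, sorted(used)))
    return hits


def detect_dcshadow(events, known_dcs):
    """Return computer accounts (event 4742, 'A computer account was changed') whose
    SPN list now contains DC-style SPNs although the host is not a known DC.
    A genuine DC promotion sets the same SPNs, so correlate hits with change records."""
    hits = []
    for e in events:
        if e.get("EventID") != 4742:
            continue
        spns = [s.strip().upper() for s in e.get("ServicePrincipalNames", "").split(",")]
        if not any(s.startswith(p) for s in spns for p in DC_SPN_PREFIXES):
            continue
        target = e["TargetUserName"].rstrip("$").upper()
        if target not in known_dcs:
            hits.append(target)
    return hits


KNOWN_DCS = {"DC01", "DC02"}  # constructed inventory of legitimate DCs

SAMPLE_EVENTS = [  # constructed records
    # DC02 pulling changes from DC01: normal replication, must not alert
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an ordinary user account exercising Get-Changes-All: DCSync indicator
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a workstation account given GC/ and DRS SPNs: DCShadow indicator (DSA GUID constructed)
    {"EventID": 4742, "TargetUserName": "WS-FIN-07$",
     "ServicePrincipalNames": "GC/ws-fin-07.corp.example/corp.example, "
                              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/3b2b5e3c-0f6d-4a10-9a6c-6f1f0e2d4a11/corp.example, "
                              "HOST/ws-fin-07"},
    # routine SPN change on a member server, must not alert
    {"EventID": 4742, "TargetUserName": "SRV-WEB-01$",
     "ServicePrincipalNames": "HOST/srv-web-01, HTTP/srv-web-01.corp.example"},
]

if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCSync indicator: {account} used {', '.join(rights)}")
    for host in detect_dcshadow(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCShadow indicator: {host} registered DC service principal names")
```

The known-DC inventory is the part that needs maintaining: a stale list either hides a rogue host or floods the queue with legitimate replication, so generate it from the Domain Controllers OU rather than hand-editing it.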

  • Kerberoasting: 

➤ Every stage of the Kerberos protocol flow can be exploited by attackers to compromise the AD setup.

➤ Kerberoasting is one of the many well-documented AD exploit methods.

➤ In this technique, attackers first gain a foothold and authenticate to the enterprise network with a compromised account.

➤ They acquire a valid ticket granting ticket (TGT) by impersonating any client who is authenticating into the AD environment during the primary Kerberos authentication procedure.

➤ The compromised user here can be any valid domain user. There is no requirement for this user to be a privileged user such as a domain administrator.

➤ The attacker subsequently requests service tickets from the key distribution centre (KDC) for a specific service associated with the necessary service principal name (SPN). This service ticket is encrypted with a server secret key or the password of the service account associated with the SPN.

➤ This key is accessed from the database of the KDC.

➤ Only the KDC (which is essentially the DC authenticating the client) and the target server providing the required service know this secret key.

➤ The attacker, mimicking the client or user, sends this service ticket to the target server. At this point, the server will cross-check credentials and establish a unique session for service delivery.

➤ The attacker, however, may exploit this situation further and use various means to crack open the credentials of the service account. They can do this with offline password cracking tools. They could also sniff network traffic for other Kerberos tickets or recover password hashes from memory on the user’s machine for this purpose.

➤ As a result, they can then gain access to service accounts and their associated services without needing to contact the target server for the service.

➤ More often than not, service accounts are granted permissions that go beyond what is intended, and are often infrequently monitored.

➤ The compromised user account here might not actually be authorized to access the service. Yet the Kerberos protocol flow has no mechanism that confirms whether a client is entitled to the service it requests a ticket for, and attackers routinely exploit this gap.

➤ Service account passwords are vulnerable to compromise because the passwords of user accounts with SPNs are often set manually as simple, short passwords (usually less than 25 characters) that are changed infrequently and are therefore easier to crack.

➤ Once attackers gain access to service accounts, they can also gain unwarranted administrative access. They go from being a low-privileged domain user to a high-privileged domain administrator who can then move laterally through the AD domains to penetrate further.

➤ To learn more about Kerberoasting attacks, refer here.

➤ To learn more about how Kerberos authentication works, which is an interesting and extensive topic in itself, you can refer to a stand-alone blog on this topic. 
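The two weaknesses the Kerberoasting flow depends on, a requester that can ask the KDC for tickets to any SPN and service accounts with stale passwords and excessive privileges, can each be checked for. The script below is an added example for this post, not code from the original article: the first function flags a requester that obtained RC4-encrypted service tickets (event 4769, encryption type 0x17) for several distinct user-account SPNs inside a short window, and the second audits SPN-bearing accounts for the password age and privileged-group problems described above. The event and account records are dicts in the shape a SIEM or an LDAP export would produce; all sample data, names and thresholds are constructed.

```python
"""Defender-side checks for Kerberoasting: (1) bursts of RC4 service-ticket requests
for user-account SPNs in Security event 4769, and (2) hygiene of accounts holding SPNs.

Added example for this post, not code from the original article. All sample records,
account names and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES tickets log 0x11 or 0x12
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Administrators"})


def kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Return {requester: sorted service names} for requesters that obtained RC4
    service tickets for at least `threshold` distinct non-machine SPNs within `window`."""
    by_requester = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # machine accounts (name$) and krbtgt are normal targets; user SPNs get roasted
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_requester[e["TargetUserName"]].append((e["TimeCreated"], svc))
    flagged = {}
    for user, reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[user] = sorted(in_window)
                break
    return flagged


def service_account_findings(accounts, now, max_pw_age_days=90):
    """Return [(account, finding)] for SPN-bearing accounts whose password is older
    than `max_pw_age_days` or that sit in a privileged group."""
    findings = []
    for a in accounts:
        if not a.get("servicePrincipalName"):
            continue
        age = (now - a["pwdLastSet"]).days
        if age > max_pw_age_days:
            findings.append((a["sAMAccountName"], f"password last set {age} days ago"))
        groups = PRIVILEGED_GROUPS & set(a.get("memberOf", []))
        if groups:
            findings.append((a["sAMAccountName"], "member of " + ", ".join(sorted(groups))))
    return findings


BASE = datetime(2024, 3, 1, 9, 0, 0)  # constructed reference time

SAMPLE_EVENTS = [  # constructed 4769/4768 records
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "TimeCreated": BASE},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "TimeCreated": BASE + timedelta(seconds=12)},
    # ticket for a file server's machine account: normal, ignored
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x17", "TimeCreated": BASE + timedelta(seconds=20)},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "TimeCreated": BASE + timedelta(seconds=40)},
    # AES ticket for one service: ordinary use, ignored
    {"EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "TimeCreated": BASE + timedelta(minutes=3)},
    {"EventID": 4768, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "TimeCreated": BASE},
]

ACCOUNTS = [  # constructed directory export
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "pwdLastSet": BASE - timedelta(days=700), "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.example"],
     "pwdLastSet": BASE - timedelta(days=30), "memberOf": []},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [],
     "pwdLastSet": BASE - timedelta(days=400), "memberOf": ["Domain Users"]},
]

if __name__ == "__main__":
    for user, services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{user} requested RC4 tickets for {len(services)} user SPNs: {services}")
    for account, finding in service_account_findings(ACCOUNTS, BASE):
        print(f"{account}: {finding}")
```

Filtering on RC4 is deliberate: a Kerberoasting tool asks for RC4 tickets because they are cheaper to crack, so an account that has no business with the legacy cipher requesting several of them is a strong signal. The audit half is what removes the payoff: long, rotated passwords (the 25-character floor mentioned above, or a group Managed Service Account) and no privileged group membership for SPN-bearing accounts.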

  • Ntds.dit password extraction attacks:

➤ The core of an AD service is the data stored in the database file, ntds.dit, in the file path C:\Windows\NTDS\. This database stores all types of AD objects, including AD users, computers, groups, OUs, and Group Policy settings.

➤ Password hashes for each of the user accounts in AD are also stored here on every DC of the AD domains.

➤ Gaining unauthorized access to this database file opens up a host of opportunities for AD adversaries. Attackers usually plan future attacks like pass-the-hash attacks from within the compromised AD network with the help of these password hashes.

➤ In this technique, which is a type of credential dumping, attackers first make a copy of the ntds.dit file using one of several methods, for example AD’s own ntdsutil commands or penetration testing PowerShell modules such as Invoke-NinjaCopy from the PowerSploit scripts.

➤ Attackers then extract the password hashes and cover their tracks.

➤ The password hashes can be fed to tools like Mimikatz to carry out further attacks, or cracked to their clear-text form with tools such as Hashcat or John the Ripper.

➤ The knowledge of either the password hashes or their clear text versions is valuable for attackers to compromise domain users, gain privileged access, and ultimately gain domain administrator access to control the AD environment.
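Because the database can only be copied from a DC while it is locked by the directory service, every copying method has to go through a snapshot or a raw-volume read, which leaves a recognisable command line in process-creation auditing. The script below is an added example for this post, not code from the original article: it scans Security event 4688 (or Sysmon event 1) records from DCs for the usual copying methods, including the ntdsutil and Invoke-NinjaCopy routes named above, and skips the accounts that run sanctioned backups so scheduled IFM or VSS jobs do not alert. The rule patterns are well-known detection indicators; the events, account names and paths in SAMPLE_EVENTS are constructed.

```python
"""Process-creation detection for the ntds.dit copying step: match command lines
against the usual ways the database is copied off a DC.

Added example for this post, not code from the original article. SAMPLE_EVENTS and
the backup account name are constructed."""
import re

# (rule name, pattern over the full command line); the first matching rule wins
RULES = [
    ("ntdsutil IFM media creation", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("volume shadow copy created", re.compile(r"vssadmin.*create\s+shadow|diskshadow", re.I)),
    ("esentutl copy of ntds.dit", re.compile(r"esentutl.*ntds\.dit", re.I)),
    ("ntds.dit read from shadow copy", re.compile(r"HarddiskVolumeShadowCopy.*ntds\.dit", re.I)),
    ("Invoke-NinjaCopy against ntds.dit", re.compile(r"Invoke-NinjaCopy.*ntds\.dit", re.I)),
]


def ntds_extraction_hits(events, backup_accounts=frozenset()):
    """Return [(rule, user, command line)] for process-creation events that match a
    rule and were not started by a sanctioned backup account (names lower-cased)."""
    hits = []
    for e in events:
        if e.get("EventID") not in (4688, 1):
            continue
        cmd = e.get("CommandLine", "")
        user = e.get("SubjectUserName", "")
        if user.lower() in backup_accounts:
            continue
        for rule, pattern in RULES:
            if pattern.search(cmd):
                hits.append((rule, user, cmd))
                break
    return hits


SAMPLE_EVENTS = [  # constructed 4688 records collected from a DC
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jdoe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q'},
    # nightly backup job under its service account: must not alert
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "CommandLine": r"vssadmin.exe create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jdoe",
     "CommandLine": r"powershell.exe -c Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit -LocalDestination C:\temp\ntds.dit"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jdoe",
     "CommandLine": r"notepad.exe C:\temp\notes.txt"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jdoe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
]

if __name__ == "__main__":
    for rule, user, cmd in ntds_extraction_hits(SAMPLE_EVENTS, {"svc_backup"}):
        print(f"[{rule}] {user}: {cmd}")
```

Command-line auditing has to be switched on for this to work (the "Include command line in process creation events" policy, or Sysmon), and the allowlist should be a named account that does nothing but backups; an interactive user running these commands on a DC is worth a ticket even when the copy turns out to be benign.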

There are many more AD attack methodologies out there. However, it is important to understand the general attack mechanism through a few well-documented attacks such as those listed above and then build on this knowledge to dig deeper into other exploit methods used by AD attackers. Stay tuned for more on this topic.