Understanding the AD Attack Surface
The overall Active Directory attack surface is broad and complex but can be summarized into the following categories:
Windows System and Active Directory Vulnerabilities
Over the lengthy lifespan of Windows Server and Active Directory, numerous vulnerabilities have been identified with low to critical scores on the CVSS scale. A recent AD vulnerability (CVE-2020-1472) scored a 10/10 on the CVSS scale. This vulnerability, called ZeroLogon, allows an attacker to compromise the entire domain without even requiring a valid domain credential.
One of the most powerful Active Directory capabilities is its flexible policy constructs. Unfortunately, this also is one of its biggest security drawbacks. User provisioning, computer/server management, groups management, ACLs, ACEs, GPOs, attribute populating for multiple object types are managed using various scripts. As a standard practice, IT teams rely heavily on native methods for administration, such as PowerShell.
Availability of Advanced Tools
Over the last few years, the cybersecurity community has made many technological advances in developing and open-sourcing Red Team tools. This has delivered tremendous benefits for security teams, but attackers are also aggressive in adopting these tools. BloodHound, PowerSploit, MetaSploit, Mimikatz, Hashcat, Rubeus, ADRecon, Kekeo, DeathStar, PowerView, and many others are relatively easy to obtain. A tool like BloodHound can be used to very quickly discover relationships between various entities in the domain and calculate the shortest path between entities.
The following examples show how attackers can leverage specific elements and factors that make up the AD attack surface:
- An enterprise often runs critical applications, non-Windows servers, and systems that have been configured via older versions of AD. Such a situation makes upgrading an existing AD deployment a non-trivial task. Administrators may choose to defer even a recommended AD upgrade. This gives attackers a chance to exploit known vulnerabilities in AD.
- Users are given privileges by adding their accounts to groups such as the Domain Administrators and Enterprise Administrators groups. These privileges are based on users’ roles and responsibilities, which change over time. These changes result in new privileges being granted. But privileges granted earlier are not always withdrawn when they are no longer applicable. Group memberships are left as is without periodic review. Attackers look at such accounts as prime targets for compromise.
- A Domain Controller (DC) sometimes runs additional applications and utilities unrelated to Active Directory. These applications and utilities significantly add to the AD attack surface by requiring configuration settings that open ports, access users who should not be connected to the DC, and create high-privileged service accounts. Users often use a high-privilege account to log in to a DC and then use the same account, for example, to access the Internet and download freeware utilities. If such an account is compromised, attackers gain direct access to the DC.
- Constant changes in AD object configurations may also lead to a transient attack surface. In such situations, a dormant, persistent threat can exploit these for attack progression.
- An enterprise may have gaps in its patch management systems and processes. Non-Windows operating systems, commercial applications, networking devices may get patched sporadically. Patching that is incomplete or terminates with errors may not be reviewed and rectified. Because all assets are managed in AD, a compromise of any poorly patched asset gives the attackers a path to reach AD.
- Antivirus and antimalware in server subnets may be misconfigured or outdated. Attackers can exploit these weaknesses to compromise a server, gain a foothold in the network, and reach AD.
- An enterprise may configure AD to store LAN Manager hashes or reversibly encrypted passwords to support outdated applications that use legacy authentication protocols. This situation presents attackers with the opportunity to employ well-known methods to crack admin passwords.
Identifying all elements and factors that make up the AD attack surface is the first step toward securing AD. But this is a challenging task for security teams because the attack surface is constantly changing and expanding. Given the central function of AD, managing and minimizing its attack surface is not just a security responsibility. It requires cross-functional collaboration and commitment to AD attack surface monitoring and minimization.
In the next blog, we will cover how attackers can use various attack paths within the AD attack surface to achieve their objectives.