In the recent SolarWinds hack and the ransomware attack on Colonial Pipeline, Active Directory (AD) compromise was at the core of the attack playbook. In this 3-part blog series, we look at protecting Microsoft Active Directory, which is central to most enterprise architectures. We will cover aspects related to understanding the AD attack surface, look at attack paths, and finally, we will discuss how a unique fusion of Advanced Deception and Graph Theory can be used to protect AD. This first blog discusses the AD attack surface that attackers exploit to perform lateral movement, escalate privileges, and maintain persistence in the enterprise network.
When the first version of Active Directory was released two decades ago, it was built on the philosophy of inherent trust models within the boundaries of a network. Against the backdrop of these legacy architecture principles, securing this crown jewel is a challenge. As an enterprise grows, new users, computers, applications, and cloud services are added to the enterprise network. Each such addition is a new object that is managed in AD. Administrators must set up new accounts, grant the required permissions to these accounts, and manage configurations to enable these accounts to communicate with devices and applications within the enterprise network and beyond. These factors have led to an exponential increase in the complexity of securing AD.
The AD attack surface comprises all infrastructure elements, vulnerability vectors, and other factors in the AD ecosystem that attackers can use to enter, traverse through, or exit from the enterprise network.
Technological advances in workforce mobility, digital transformation, and cloud adoption have led to a rapid increase in attack surface area. In addition, everyday business events, such as new remote or branch office networks, onboarding of partners and contractors, and M&A integration activities, all contribute to a dynamically changing AD attack surface.

Understanding the AD Attack Surface

The overall Active Directory attack surface is broad and complex but can be summarized into the following categories:

Windows System and Active Directory Vulnerabilities

Over the lengthy lifespan of Windows Server and Active Directory, numerous vulnerabilities have been identified with low to critical scores on the CVSS scale. A recent AD vulnerability (CVE-2020-1472) scored a 10/10 on the CVSS scale. This vulnerability, called ZeroLogon, allows an attacker to compromise the entire domain without even requiring a valid domain credential.

Microsoft regularly releases security patches. Security analysts closely track these vulnerabilities for disclosures, testing, and fix validations. However, deploying a patch and ensuring that the AD infrastructure is always on the latest release is a non-trivial task for any enterprise, and the resulting patch lag leaves the AD infrastructure exposed to attacks.

AD Misconfigurations

One of the most powerful Active Directory capabilities is its flexible policy constructs. Unfortunately, this is also one of its biggest security drawbacks. User provisioning, computer/server management, group management, ACLs, ACEs, GPOs, and attribute population for multiple object types are all managed using various scripts. As a standard practice, IT teams rely heavily on native methods for administration, such as PowerShell.

Although administration scripts provide a lot of flexibility, they create a very high level of management complexity in the environment. As complexity grows, it causes numerous unknown dependencies and security misconfigurations. Such misconfigurations can create security holes, lead to undesired exposure, and widen the attack surface. The issue is compounded by the fact that these misconfigurations are hard to find and fix.

Availability of Advanced Tools

Over the last few years, the cybersecurity community has made many technological advances in developing and open-sourcing Red Team tools. This has delivered tremendous benefits for security teams, but attackers are also aggressive in adopting these tools. BloodHound, PowerSploit, Metasploit, Mimikatz, Hashcat, Rubeus, ADRecon, Kekeo, DeathStar, PowerView, and many others are relatively easy to obtain. A tool like BloodHound can be used to very quickly discover relationships between various entities in the domain and calculate the shortest path between entities.

In addition to these open-source tools, attackers often use Living-off-the-Land (LotL) techniques by employing tools like Windows PowerShell, which are already available on endpoints and servers in the enterprise network. This approach helps attackers evade detection and stay hidden in the network for a long time.
Figure 1 below illustrates a few example AD elements and their misconfigurations that could create a high-risk attack surface. For instance, Read-Only Domain Controllers (RODCs) can be used by adversaries as a pathway to execute credential access attacks on privileged hosts or members of protected groups. Similarly, misconfigured non-human or service accounts may expose accounts for which Kerberos service tickets can be requested; adversaries can then crack those tickets offline to recover the service passwords.

The following examples show how attackers can leverage specific elements and factors that make up the AD attack surface:

  • An enterprise often runs critical applications, non-Windows servers, and systems that have been configured via older versions of AD. Such a situation makes upgrading an existing AD deployment a non-trivial task. Administrators may choose to defer even a recommended AD upgrade. This gives attackers a chance to exploit known vulnerabilities in AD.
  • Users are given privileges by adding their accounts to groups such as the Domain Administrators and Enterprise Administrators groups. These privileges are based on users’ roles and responsibilities, which change over time. These changes result in new privileges being granted. But privileges granted earlier are not always withdrawn when they are no longer applicable. Group memberships are left as is without periodic review. Attackers look at such accounts as prime targets for compromise.
  • A Domain Controller (DC) sometimes runs additional applications and utilities unrelated to Active Directory. These applications and utilities significantly add to the AD attack surface by requiring configuration settings that open ports, grant access to users who should not be connecting to the DC, and create high-privileged service accounts. Users often use a high-privilege account to log in to a DC and then use the same account, for example, to access the Internet and download freeware utilities. If such an account is compromised, attackers gain direct access to the DC.
  • Constant changes in AD object configurations may also create a transient attack surface. A dormant but persistent threat can exploit such windows to progress its attack.
  • An enterprise may have gaps in its patch management systems and processes. Non-Windows operating systems, commercial applications, and networking devices may get patched sporadically. Patching that is incomplete or terminates with errors may not be reviewed and rectified. Because all assets are managed in AD, a compromise of any poorly patched asset gives the attackers a path to reach AD.
  • Antivirus and antimalware in server subnets may be misconfigured or outdated. Attackers can exploit these weaknesses to compromise a server, gain a foothold in the network, and reach AD.
  • An enterprise may configure AD to store LAN Manager hashes or reversibly encrypted passwords to support outdated applications that use legacy authentication protocols. This situation presents attackers with the opportunity to employ well-known methods to crack admin passwords.
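As an added example (not code from the original post or from the authors' product), here is a read-only PowerShell audit that surfaces three of the factors described above: stale privileged group membership, service accounts exposed to offline ticket cracking (the misconfigured service account case noted with Figure 1), and legacy password storage (the last bullet). It assumes the RSAT ActiveDirectory module, a domain-joined host, a 90-day staleness threshold, and WinRM access to the domain controllers.

```powershell
# Added example, not from the original post: a read-only PowerShell audit of
# three attack-surface factors described above. It assumes the RSAT
# ActiveDirectory module, a domain-joined host, and WinRM access to the DCs.
Import-Module ActiveDirectory
$staleCutoff = (Get-Date).AddDays(-90)    # 90-day "stale" threshold is an assumption

# 1. Privileged group hygiene: members of high-privilege groups that are disabled
#    or have not logged on since the cutoff are candidates for membership review.
function Get-StalePrivilegedMembers {
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
          Where-Object { $_.objectClass -eq 'user' } |
          Get-ADUser -Properties Enabled, LastLogonDate |
          Where-Object { -not $_.Enabled -or $null -eq $_.LastLogonDate -or
                         $_.LastLogonDate -lt $staleCutoff } |
          Select-Object @{n='Group'; e={ $g }}, SamAccountName, Enabled, LastLogonDate
    }
}

# 2. Service accounts whose tickets could be cracked offline: user objects with an
#    SPN, flagged when the password is over a year old or the account is privileged
#    (adminCount=1). krbtgt always carries an SPN and is excluded.
function Get-RiskyServiceAccounts {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet, AdminCount |
      Where-Object { $_.SamAccountName -ne 'krbtgt' } |
      Select-Object SamAccountName, PasswordLastSet,
        @{n='OldPassword'; e={ $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt (Get-Date).AddDays(-365) }},
        @{n='Privileged';  e={ $_.AdminCount -eq 1 }}
}

# 3. Legacy password storage: accounts allowed reversible encryption (userAccountControl
#    bit 0x80, ENCRYPTED_TEXT_PWD_ALLOWED) and the NoLMHash LSA setting on each DC,
#    which controls whether LAN Manager hashes are stored at the next password change.
function Get-LegacyPasswordStorage {
    Get-ADUser -Filter 'userAccountControl -band 128' |
      Select-Object SamAccountName, @{n='Finding'; e={ 'Reversible encryption enabled' }}
    foreach ($dc in Get-ADDomainController -Filter *) {
        $noLm = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
        }
        $finding = if ($noLm -eq 1) { 'OK' } else { 'Review: NoLMHash not set to 1' }
        [pscustomobject]@{ DC = $dc.HostName; NoLMHash = $noLm; Finding = $finding }
    }
}

Get-StalePrivilegedMembers | Format-Table -AutoSize
Get-RiskyServiceAccounts   | Format-Table -AutoSize
Get-LegacyPasswordStorage  | Format-Table -AutoSize
```

The script changes nothing in the directory; every row it prints is a review item for the AD and IT teams rather than a confirmed exposure.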

Identifying all elements and factors that make up the AD attack surface is the first step toward securing AD. But this is a challenging task for security teams because the attack surface is constantly changing and expanding. Given the central function of AD, managing and minimizing its attack surface is not just a security responsibility. It requires cross-functional collaboration and commitment to AD attack surface monitoring and minimization.

In the next blog, we will cover how attackers can use various attack paths within the AD attack surface to achieve their objectives.