Protecting Microsoft Active Directory Part 2: Attack Paths

The Microsoft Active Directory (AD) ecosystem consists of all accounts, devices, groups, applications, and other objects that are managed by AD. In their quest to compromise the Domain Controllers (DC), attackers can follow a route that spans any combination of these objects.

The adversaries look at the AD as a graph, not as a relational database of users, computers, and groups. Figure 1 below shows an example to illustrate this point when the AD ecosystem is viewed as a graph. The AD has several objects, e.g., users, computers, groups, ACEs, and GPOs. Users such as John, Frank, Joe are members of various groups, e.g., Domain Users, Everyone, Helpdesk, IT Admin, and Domain Admin.

In this example, user John has admin access to the HR-Win10-AR-1 computer. He also has sessions on the HR-Win10-AD-1 and HR-Win10-AR-1 computers. Typically, attackers would aim to first take over the account of a domain user (like John or Frank) via a phishing campaign. Next, they would use PowerShell scripts, such as PowerSploit, PowerShell Empire, or native PowerShell commands to enumerate users and admins on that computer. They could then list the local admins and admins with higher privileges, accessible from the compromised computer. For security teams, detecting such a recon attack is a difficult task because common Windows events are being triggered, and investigating each such event is a demanding and time-consuming exercise.

Using various techniques, the attackers would then laterally move from one computer to the next or one compromised user account to the next and escalate privileges along the way. In the example shown in Figure 1, the attackers are likely to exploit Frank’s account, a member of the Helpdesk group, because they can gain membership to the IT Admins group via Frank’s account. Also, the IT Admin group is a member of the Domain Admin group. So, Frank’s account would give the attackers more privileges to advance their attack.

A path that attackers can take on their way to reach a “crown jewel asset”, such as the Domain Admin account or Domain Controller, is called an AD Attack Path. As described in the example above, this path can consist of nearly any combination of user and administrator accounts, computers, groups, and other AD objects.

Figure 2 shows an example of an AD attack path. The attackers use a Kerberoastable account in this example. A Kerberoasting attack involves employing tools, (e.g. PowerSploit, JohnTheRipper, or hashcat) to crack the password of a service account offline. This attack provides a way for the attackers to get higher privileges and maintain persistence in the enterprise. This attack is difficult to detect because detection primarily relies on monitoring abnormal service ticket requests in the event logs. Typically, such abnormal tickets are extremely common, and basing alerts on them will result in many false positives. In the example shown in Figure 2, the attackers take over Ashley’s account via a Kerberoasting attack and then laterally move to take over the Domain Controller. So, the attack path is

Ashley > Everyone > DNS Server > DC.
Alternatively, the attack path can be Ashley > Nt-Authenticate > DNS Server > DC.

A typical enterprise may have hundreds or even thousands of attack paths that could potentially lead attackers to the Domain Controllers. Attackers assess and use attack paths based on various factors, such as the shortest number of hops to the DC, the most vulnerable set of objects along the path, and so on. An attacker can use one of many possible AD attack paths to reach the DC. A wide attack surface therefore leads to more potential attack paths and consequently creates a bigger challenge for the security teams trying to protect and secure Active Directory.

In the next blog, we’ll see how an enterprise can use Acalvio ShadowPlex to effectively detect, respond to, and foil attacks against Active Directory.