Protecting Microsoft Active Directory Part 2: Attack Paths


In a previous blog, we provided an overview of the (unfortunately quite complex) Active Directory attack surface. In Part 2 of this series, we'll explore how attackers plan their movement and traverse attack paths once they have discovered AD vulnerabilities and misconfigurations that they can exploit.

The Microsoft Active Directory (AD) ecosystem consists of all accounts, devices, groups, applications, and other objects that AD manages. In their quest to compromise the Domain Controllers (DCs), attackers can follow a route that spans any combination of these objects.

Adversaries look at AD as a graph, not as a relational database of users, computers, and groups. Figure 1 illustrates this point by viewing an AD ecosystem as a graph. The nodes are AD objects, e.g., users, computers, groups, ACEs, and GPOs; the edges are the relationships between them, such as group membership, logon sessions, local admin rights, and the permissions that ACEs grant. Users such as John, Frank, and Joe are members of various groups, e.g., Domain Users, Everyone, Helpdesk, IT Admins, and Domain Admins.

Figure 1: View of Active Directory as a Graph (image: https://acalvio.p2staging.us/wp-content/uploads/2021/08/ActiveDirectoryGraph-5.png)

In this example, user John has admin access to the HR-Win10-AR-1 computer. He also has sessions on the HR-Win10-AD-1 and HR-Win10-AR-1 computers. Typically, attackers first aim to take over the account of an ordinary domain user (like John or Frank), for example via a phishing campaign. Next, they use PowerShell tooling such as PowerSploit (its PowerView module), PowerShell Empire, or native PowerShell and net commands to enumerate the users and admins of that computer, and then list the local admins and the higher-privileged admins that are reachable from the compromised computer. For security teams, detecting this reconnaissance is difficult because it generates only common Windows events, the same ones that legitimate administration produces, and investigating each such event is a demanding and time-consuming exercise.

Using various techniques, the attackers then move laterally from one computer to the next, or from one compromised user account to the next, and escalate privileges along the way. In the example shown in Figure 1, the attackers are likely to target Frank's account, a member of the Helpdesk group, because Frank's account can be used to gain membership in the IT Admins group. The IT Admins group is in turn a member of the Domain Admins group, and group membership in AD is transitive, so every member of IT Admins effectively holds Domain Admin privileges. Frank's account therefore gives the attackers the privileges they need to advance their attack.

A path that attackers can take on their way to a "crown jewel" asset, such as a Domain Admin account or a Domain Controller, is called an AD attack path. As the example above shows, such a path can consist of nearly any combination of user and administrator accounts, computers, groups, and other AD objects.

Figure 2: AD Attack Path Via Kerberoastable User (image: https://acalvio.p2staging.us/wp-content/uploads/2021/08/Figure2KerberoastableUser6.png)

Figure 2 shows an example of an AD attack path that starts from a Kerberoastable account, i.e., a user account that has a Service Principal Name (SPN) registered on it. Any authenticated domain user can request a Kerberos service ticket for that SPN, and the ticket is encrypted with a key derived from the service account's password, so the attackers take the ticket offline and crack it with tools such as PowerSploit (Invoke-Kerberoast), John the Ripper, or hashcat. Because only domain-user privileges are needed to request the ticket and the cracking happens off the network, the attack is a convenient way to gain higher privileges and maintain persistence in the enterprise. It is also hard to detect, because detection relies mainly on spotting abnormal service ticket requests in the event logs (Windows event 4769), and such requests are extremely common in normal operation; alerting on them naively yields many false positives. The signals worth correlating are one account requesting tickets for many distinct SPNs in a short window, and tickets requested with RC4 encryption (ticket encryption type 0x17) in a domain that otherwise issues AES tickets. In the example shown in Figure 2, the attackers take over Ashley's account via a Kerberoasting attack and then move laterally to take over the Domain Controller. So, the attack path is

Ashley > Everyone > DNS Server > DC.

Alternatively, the attack path can be Ashley > Nt-Authenticate > DNS Server > DC.

A typical enterprise may have hundreds or even thousands of attack paths that could lead attackers to the Domain Controllers. Attackers assess and choose among them based on factors such as the fewest hops to the DC or the most vulnerable set of objects along the path, and they need only one of the many possible paths to succeed. A wide attack surface therefore means more potential attack paths, and consequently a bigger challenge for the security teams trying to protect and secure Active Directory.

In the next blog, we'll see how an enterprise can use Acalvio ShadowPlex to effectively detect, respond to, and foil attacks against Active Directory.

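The Kerberoasting paragraph above notes that detection rests on event 4769 and that naive alerting drowns in false positives. The added Python example below (not code from the post) shows the correlation a practitioner would actually run over 4769 records: one requester asking for tickets to several distinct user-account SPNs inside a short window, with RC4 (0x17) requests surfaced as supporting context. The event lines are constructed to mimic 4769 fields (TargetUserName is the requesting account, ServiceName the account the SPN is registered on); they are not real log data, and the window and threshold are assumptions to tune per domain.

```python
"""Kerberoasting detection over Windows event 4769 (added example; sample
events are constructed, not real log data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records. 0x12 = AES256, 0x17 = RC4-HMAC. "john" is the phished
# foothold from Figure 1 requesting a ticket for Ashley's SPN among others.
SAMPLE_EVENTS = """\
2021-08-12T09:00:01Z 4769 TargetUserName=john@CORP.LOCAL ServiceName=HR-WIN10-AR-1$ TicketEncryptionType=0x12 IpAddress=10.1.4.21
2021-08-12T09:00:05Z 4769 TargetUserName=frank@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.1.4.30
2021-08-12T09:12:40Z 4769 TargetUserName=john@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.1.4.21
2021-08-12T09:12:40Z 4769 TargetUserName=john@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 IpAddress=10.1.4.21
2021-08-12T09:12:41Z 4769 TargetUserName=john@CORP.LOCAL ServiceName=ashley TicketEncryptionType=0x17 IpAddress=10.1.4.21
2021-08-12T09:12:41Z 4769 TargetUserName=john@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.1.4.21
2021-08-12T09:12:41Z 4769 TargetUserName=john@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.1.4.21
2021-08-12T09:12:42Z 4769 TargetUserName=john@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.1.4.21
2021-08-12T10:30:00Z 4769 TargetUserName=joe@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.1.4.44
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) 4769 TargetUserName=(?P<user>\S+) ServiceName=(?P<service>\S+) "
    r"TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+) IpAddress=(?P<ip>\S+)$"
)
RC4_HMAC = 0x17


def parse_events(text):
    """Parse the constructed 4769 lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["etype"] = int(e["etype"], 16)
        events.append(e)
    return events


def is_roastable_target(service):
    """Only tickets for user accounts with an SPN matter: computer accounts ($) have
    long random passwords, and krbtgt tickets are ordinary TGT traffic."""
    s = service.lower()
    return not s.endswith("$") and s != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Flag a requester that asks for tickets to >= min_services distinct
    user-account SPNs inside one sliding window. One alert per requester,
    describing the widest set of services seen in any window."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable_target(e["service"]):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            services = sorted({e["service"] for e in span})
            if len(services) >= min_services and (best is None or len(services) > len(best["services"])):
                best = {
                    "user": user,
                    "services": services,
                    "rc4_requests": sum(1 for e in span if e["etype"] == RC4_HMAC),
                    "source_ips": sorted({e["ip"] for e in span}),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


def rc4_requests(events):
    """Weaker signal: RC4 tickets for user-account SPNs. Roasting tools prefer RC4
    because it cracks faster, but a legacy service still on RC4 produces the same
    record, so use this as context for the volume rule, not as an alert by itself."""
    return [(e["user"], e["service"]) for e in events
            if e["etype"] == RC4_HMAC and is_roastable_target(e["service"])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in detect_kerberoasting(evs):
        print(f"ALERT {a['user']} requested {len(a['services'])} user-SPN tickets "
              f"({a['rc4_requests']} RC4) from {a['source_ips']} between {a['first']} "
              f"and {a['last']}: {', '.join(a['services'])}")
    print("RC4 requests:", rc4_requests(evs))
```

On the sample, only john trips the volume rule (four distinct user-account SPNs, Ashley's among them, in two seconds); joe's single RC4 request for a legacy service is listed as context but not alerted on, which is the false-positive trade-off the post describes. Lowering the window or threshold catches slower, spread-out roasting at the cost of more noise.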
