Active Directory (AD) is the backbone of identity and access management for most enterprises, making it a prime target for cyberattacks. As a crucial part of managing permissions, users, and systems within a network, securing Active Directory is essential for cybersecurity. When compromised, AD can give attackers control over the entire network, leading to data theft, espionage, or ransomware attacks.
In a previous blog post, I discussed the deprecation of NTLM by Microsoft. However, NTLM is not the only aspect of Active Directory that can be exploited. There are several other vulnerabilities within Active Directory that require attention.
In this guide, we’ll explore common Active Directory attack techniques, outline mitigations that significantly reduce risk, and provide detection mechanisms (including Event IDs) for early threat identification. Additionally, we’ll discuss some popular tools that can help you monitor and protect your AD environment effectively.
Why Active Directory is a key target for cyberattacks
Active Directory handles centralized authentication and authorization services, controlling access to both on-premises and cloud-based resources like Microsoft Azure. Compromising AD allows attackers to:
- Escalate privileges and impersonate high-privilege accounts.
- Move laterally across systems, gaining access to sensitive data.
- Maintain persistence in the network, bypassing multi-factor authentication (MFA).
- Compromise cloud environments through connected services.
Without proper security measures, an AD compromise can result in serious consequences, including ransomware attacks, data breaches, and long-term espionage.
Common Active Directory attack techniques, mitigations, and detection
Securing Active Directory involves implementing strong defenses against attack techniques used by malicious actors. Below, we describe these techniques, provide detailed mitigations, and outline the tools you can use to bolster AD security.
1. Kerberoasting: exploiting service accounts
Attack Overview:
Kerberoasting exploits service principal names (SPNs) tied to service accounts. Attackers request a Kerberos service ticket and attempt to crack it offline to obtain the service account’s password, often giving them high-level privileges.
Mitigations:
- Minimize the use of SPNs: Only use SPNs for services where absolutely necessary. Reducing the number of service accounts with SPNs will limit the attack surface for Kerberoasting.
- Use gMSAs (Group Managed Service Accounts): These accounts provide long, complex passwords that rotate automatically. Tools like Microsoft LAPS (Local Administrator Password Solution) can help manage this process.
- Enforce strong password policies: Service accounts should have at least 30-character passwords, with a mix of random letters, numbers, and symbols.
- Restrict service account privileges: Ensure service accounts are not members of highly privileged groups like Domain Admins unless absolutely necessary.
Tools for Mitigation:
- BloodHound: Helps identify and analyze AD relationships, including SPNs and potentially vulnerable service accounts.
- Microsoft LAPS: Manages password complexity and rotation for local admin accounts and gMSAs.
Detection Mechanisms:
Event ID | Description |
---|---|
4769 | TGS ticket requests; look for numerous requests in a short timeframe, especially with RC4 encryption. |
4738 / 5136 | Detects modifications to user accounts, particularly changes to SPNs. |
2. AS-REP Roasting: targeting accounts without pre-authentication
Attack Overview:
AS-REP Roasting targets accounts that do not require Kerberos pre-authentication, allowing attackers to obtain an encrypted ticket that can be cracked offline to reveal the account’s password.
Mitigations:
- Enforce Kerberos pre-authentication: Ensure all accounts require pre-authentication, which prevents attackers from requesting an encrypted ticket.
- Use strong passwords: Accounts that need to bypass pre-authentication should still have strong, randomly generated passwords (15+ characters).
Tools for Mitigation:
- PingCastle: Provides a security report for AD environments, including checks for weak configurations such as accounts without pre-authentication.
Detection Mechanisms:
Event ID | Description |
---|---|
4768 | Detects TGT requests; monitor accounts that bypass pre-authentication. |
4625 | Monitors failed logons targeting pre-authentication-disabled accounts. |
3. Password Spraying: exploiting weak password policies
Attack Overview:
Password spraying involves trying commonly used passwords (e.g., “Password123”) across many accounts, attempting to gain access without triggering account lockouts.
Mitigations:
- Implement strong password policies: Passwords should be long (15+ characters) and unpredictable, such as passphrases consisting of random words.
- Use Multi-Factor Authentication (MFA): Implement MFA for all accounts, especially privileged ones. This adds an extra layer of security that password spraying alone cannot bypass.
- Set account lockout thresholds: Configure lockouts after a certain number of failed logon attempts (e.g., five). Ensure that administrators are alerted when an account is locked.
- Disable NTLM: Since NTLM (an older protocol) doesn’t support MFA, it should be disabled in favor of Kerberos.
Tools for Mitigation:
- Microsoft Defender for Identity: Detects and investigates attacks targeting AD, including password spraying.
- DomainPasswordSpray: A testing tool to simulate password spraying attacks and test your AD’s defenses.
Detection Mechanisms:
Event ID | Description |
---|---|
4625 | Failed logons; a high volume of failed attempts over a short period could indicate password spraying. |
4740 | Detects account lockouts; sudden spikes may suggest a password spraying attack. |
2889 | Tracks unsigned LDAP binds, which attackers might use for password spraying. |
4. MachineAccountQuota exploitation: abuse of default settings
Attack Overview:
By default, AD allows users to create up to 10 machine accounts. Attackers can exploit this to escalate privileges or move laterally within the network.
Mitigations:
- Set MachineAccountQuota to zero: Prevent non-administrators from creating machine accounts by configuring the MachineAccountQuota setting to zero.
- Audit permissions regularly: Regularly review permissions for the Domain Computers group and ensure no excessive privileges are granted.
- Enable LDAP signing: LDAP signing ensures secure communication between AD and LDAP clients, reducing the risk of attacks that abuse this default setting.
Tools for Mitigation:
- PingCastle: Detects misconfigurations like MachineAccountQuota abuse.
- Purple Knight: An AD security tool that identifies weaknesses in your AD configuration.
Detection Mechanisms:
Event ID | Description |
---|---|
4741 | Tracks the creation of new computer objects. Non-administrative user activity creating accounts may indicate abuse. |
5. Unconstrained Delegation: exploiting privileged accounts
Attack Overview:
Attackers exploit unconstrained delegation to impersonate user accounts, particularly privileged users, by extracting their Kerberos tickets from memory. This often gives them Domain Admin-level access.
Mitigations:
- Disable unconstrained delegation: Replace it with resource-based constrained delegation, which limits impersonation rights.
- Mark privileged accounts as non-delegatable: Ensure accounts like Domain Admins and sensitive user accounts cannot be delegated by setting them as “sensitive.”
- Disable the Print Spooler service on Domain Controllers: This prevents attackers from using PrintNightmare-type vulnerabilities to exploit unconstrained delegation.
Tools for Mitigation:
- BloodHound: Detects systems configured for unconstrained delegation and helps analyze attack paths involving Kerberos tickets.
- Microsoft Defender for Identity: Identifies suspicious activity involving delegation and privilege escalation.
Detection Mechanisms:
Event ID | Description |
---|---|
4624 | Successful logons; unusual logons to systems with unconstrained delegation may indicate abuse. |
4104 | PowerShell execution; monitor for scripts related to unconstrained delegation exploitation. |
6. Active Directory Certificate Services (AD CS) compromise: exploiting misconfigured certificates
Attack Overview:
Misconfigured Active Directory Certificate Services (AD CS) allow attackers to issue certificates that can impersonate any user, including privileged ones.
Mitigations:
- Harden AD CS configurations: Remove vulnerable certificate templates, especially those that allow user-supplied subject alternative names (SANs).
- Restrict who can modify templates: Limit certificate template modifications to only authorized personnel to prevent exploitation.
- Use Hardware Security Modules (HSMs): HSMs protect the private keys of the CA, preventing attackers from extracting sensitive information.
Tools for Mitigation:
- Certify: A tool that helps security teams identify misconfigured AD CS templates.
- PSPKIAudit: An open-source tool to audit your AD Certificate Services for vulnerabilities.
Detection Mechanisms:
Event ID | Description |
---|---|
4887 | Tracks the issuance of certificates; suspicious certificates or SAN requests should be investigated. |
4876 | Backup of CA databases; unauthorized backups may indicate an attempt to exfiltrate sensitive certificate data. |
The importance of proactive monitoring and early detection
Mitigating Active Directory attacks is crucial, but early detection can significantly reduce the damage caused by a compromise. Implementing robust monitoring tools and setting up alerts for unusual behavior ensures that potential breaches are caught quickly.
- Track security events: Regularly review event logs for password changes, Kerberos ticket requests, and privilege escalations.
- Monitor Kerberos tickets: Identify any unusual patterns in service ticket requests, especially those targeting high-privilege accounts.
- Log PowerShell activity: Many attackers use PowerShell for post-exploitation activities, making it essential to monitor scripts for suspicious behavior.
Final thoughts on Active Directory security
Securing Active Directory is essential for maintaining the overall security posture of your enterprise. By understanding common attack techniques, implementing mitigations, using the right tools, and employing effective detection mechanisms, organizations can significantly reduce their attack surface and improve cyber resilience. Stay proactive in monitoring your AD environment and regularly audit its security configurations to maintain control and prevent potential compromises.