Active Directory (AD) is a critical asset in the digital world, underpinning the operations of around 90% of Fortune 1000 companies. Its central role in governing user identity and authentication makes it a primary target for threat actors. Compromising AD can grant an attacker access to the most critical systems and assets on the network, or even administrator privileges with which to take over the entire domain.

Why is AD Often Exposed?

AD is so intrinsic to a functional business that many organisations treat it as operational plumbing: something to be installed and then left alone as much as possible, in case tinkering with it accidentally breaks something. The size and intricacy of AD mean that effective management demands significant expertise and resources, and its complexity makes it easy to miss vulnerabilities and security gaps.

How Do Threat Actors Attack and Exploit AD?

As with most other forms of cyberattack, strikes targeting AD usually begin with an initial endpoint compromise, typically carried out via phishing. Once the adversary has gained access, they can abuse the AdminSDHolder Access Control List (ACL) by adding an entry for an account they control; the Security Descriptor Propagator then copies that ACL onto every protected account and group, granting the attacker the same privileged access as the other protected accounts and enabling lateral movement into restricted systems.

Attackers can also abuse AD's Group Policy capabilities, which exist to manage operational configuration across the domain. An adversary with sufficient access to AD can change policies to achieve domain persistence, setting the stage for several further attack types.
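The AdminSDHolder abuse described above is easiest to catch before the Security Descriptor Propagator (SDProp, which runs every 60 minutes by default) pushes a rogue entry onto every protected object. The following PowerShell is an added example, not code from the original article: it lists write-capable ACEs on AdminSDHolder whose trustee is outside a baseline of expected principals, then lists everything currently stamped with adminCount=1 for review. It assumes the RSAT ActiveDirectory module is installed and that the baseline list is tuned to your environment (an Exchange-enabled domain, for instance, adds its own groups).

```powershell
# Added example (not from the original article): audit the AdminSDHolder ACL
# for unexpected write-capable trustees and list adminCount=1 principals.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Trustees that normally hold write-type rights on AdminSDHolder in a stock
# domain. Assumption: tune this baseline to your own environment.
$baseline = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\SELF',                         # validated writes / change password only
    'Everyone',                                  # User-Change-Password extended right only
    'BUILTIN\Administrators',
    'BUILTIN\Terminal Server License Servers',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    "$($domain.NetBIOSName)\Cert Publishers"
)

# Rights that let a trustee alter the object, its attributes or its security descriptor.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

$acl = Get-Acl -Path "AD:\$holderDN"
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.ActiveDirectoryRights.ToString() -notmatch $writeRights) { continue }
    if ($baseline -contains $ace.IdentityReference.Value) { continue }
    [pscustomobject]@{
        Trustee    = $ace.IdentityReference.Value
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType   # GUID of the attribute/extended right; all zeros means "whole object"
        Inherited  = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Unexpected write-capable ACEs on AdminSDHolder:"
    $findings | Format-Table -AutoSize
} else {
    'No unexpected write-capable ACEs on AdminSDHolder.'
}

# Everything SDProp has stamped. Accounts that left a protected group keep
# adminCount=1 and the restrictive ACL until cleaned up, so review the list.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object Name, ObjectClass, DistinguishedName |
    Sort-Object ObjectClass, Name
```

Run it from a workstation or jump host with the RSAT tools, not on the domain controller itself, and schedule it more often than the SDProp interval so a rogue ACE is seen before it propagates. Any trustee that appears in the first table and is not a known administrative group should be treated as a persistence attempt until proven otherwise.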

Taking a Proactive Approach to Keep AD Safe from Attack

Keeping AD secure is a serious challenge, but not an insurmountable one. Organisations should first prioritise getting the basics right and identifying and resolving commonly overlooked vulnerabilities such as privileged account exposure.

From here, organisations can move on to Identity Detection and Response (IDR) solutions, which focus on detecting live attacks targeting AD objects and preventing attackers from making the AD changes that would grant them control. Newer technology also strengthens zero trust controls by proactively hiding and denying access to AD objects and redirecting attackers away from their targets.

Deeper Technical Insights

SID Injection Attacks

Security Identifier (SID) injection attacks involve the adversary inserting SID values into an account's SID history to gain elevated access, such as impersonating a member of the Domain Admins group. To mitigate this technique, organisations should use PowerShell to proactively identify any accounts whose SID history contains well-known privileged SIDs. After completing an account migration, they should also clean up SID history attributes to reduce their exposure to threat actors.
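The PowerShell check the paragraph recommends, written out as an added example (it is not code from the original article). It goes slightly beyond the text: rather than matching one domain's SIDs, it flags a privileged RID (500, 512, 518, 519) from any domain SID, plus the BUILTIN operator groups, since a history entry pointing at a trusted domain's Domain Admins group is just as dangerous. The clean-up step at the end runs with -WhatIf so nothing is removed until the list has been reviewed. It assumes the RSAT ActiveDirectory module; the list of RIDs is constructed here and can be extended.

```powershell
# Added example (not from the original article): find objects whose sIDHistory
# carries a well-known privileged SID, then show the post-migration clean-up.
Import-Module ActiveDirectory

# Privileged RIDs inside any domain SID: 500 Administrator, 512 Domain Admins,
# 518 Schema Admins, 519 Enterprise Admins. BUILTIN SIDs: Administrators,
# Account Operators, Server Operators, Backup Operators. Constructed list.
$privilegedRid     = '^S-1-5-21-\d+-\d+-\d+-(500|512|518|519)$'
$privilegedBuiltin = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-551')

function Test-PrivilegedSid {
    param([string]$Sid)
    ($Sid -match $privilegedRid) -or ($privilegedBuiltin -contains $Sid)
}

# Normalise a sIDHistory element to a SecurityIdentifier whether the
# provider hands back a SecurityIdentifier or the raw byte form.
function ConvertTo-Sid {
    param($Value)
    if ($Value -is [byte[]]) {
        return New-Object System.Security.Principal.SecurityIdentifier($Value, 0)
    }
    return [System.Security.Principal.SecurityIdentifier]$Value.ToString()
}

$hits = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object {
        $obj = $_
        foreach ($raw in $obj.sIDHistory) {
            $sid = ConvertTo-Sid $raw
            if (Test-PrivilegedSid $sid.Value) {
                [pscustomobject]@{
                    Name        = $obj.Name
                    ObjectClass = $obj.ObjectClass
                    HistorySid  = $sid            # SecurityIdentifier; prints as S-1-5-...
                    DN          = $obj.DistinguishedName
                }
            }
        }
    }

if ($hits) {
    Write-Warning "Objects with a privileged SID in sIDHistory:"
    $hits | Format-Table Name, ObjectClass, HistorySid -AutoSize
} else {
    'No privileged SIDs found in any sIDHistory attribute.'
}

# Post-migration clean-up: remove the stale or injected value. -WhatIf only
# reports the change; drop it once each entry has been confirmed unneeded.
foreach ($h in $hits) {
    Set-ADObject -Identity $h.DN -Remove @{ sIDHistory = $h.HistorySid } -WhatIf
}
```

A legitimate migration leaves the old domain's ordinary user SID in the history, not an administrative one, so every hit from this script deserves an explanation. Removing sIDHistory with Set-ADObject requires rights to write the attribute, which by default only Domain Admins hold; keep that in mind when delegating the clean-up.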

Ticket Attacks

Pass-the-ticket (PTT) attacks are among the most effective and dangerous techniques threat actors use to move laterally and escalate privileges. The attack involves the adversary extracting a Kerberos Ticket Granting Ticket (TGT) from the Local Security Authority Subsystem Service (LSASS). They then present the TGT from another system to request Kerberos Ticket Granting Service (TGS) tickets, gaining network access to services as the ticket's owner.

Kerberoasting, DCSync and DCShadow

Adversaries will also seek to exploit Kerberos in an attack type known as Kerberoasting. Here, the attacker obtains service account credential hashes from AD and cracks them offline to gain privileged access. Once the attacker has obtained domain controller-level credentials, they can also execute other attacks such as DCSync, in which the attacker impersonates an AD domain controller to pull credentials from other domain controllers. Similarly, DCShadow sees the attacker use privileged credentials to register a rogue domain controller and push changes into the domain.
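Both techniques in this section have a cheap, defender-side exposure check. The PowerShell below is an added example, not code from the original article. Part one lists user accounts that carry a Service Principal Name (the Kerberoasting population), showing whether RC4 service tickets can still be issued for them, how old their password is, and whether they are a protected (adminCount=1) account. Part two reads the ACL on the domain naming context and reports every trustee holding the directory replication rights that DCSync depends on, outside a baseline of principals expected to have them. It assumes the RSAT ActiveDirectory module; the baseline list and the treatment of an unset msDS-SupportedEncryptionTypes value as "RC4 allowed" are assumptions to tune for your domain.

```powershell
# Added example (not from the original article). Two checks:
# (1) Kerberoasting exposure of SPN-bearing user accounts,
# (2) trustees holding the replication rights that DCSync relies on.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# --- (1) Kerberoasting exposure ------------------------------------------
# msDS-SupportedEncryptionTypes bits: DES 1|2, RC4 4, AES128 8, AES256 16.
$RC4 = 0x4; $AES = 0x18
# Assumption: an unset/zero value is treated as allowing RC4, because the DC
# then falls back to the domain default, which includes RC4 unless hardened.
$roastable = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', adminCount |
    ForEach-Object {
        $enc = [int]($_.'msDS-SupportedEncryptionTypes')
        [pscustomobject]@{
            Account     = $_.SamAccountName
            Privileged  = ($_.adminCount -eq 1)
            RC4Allowed  = ($enc -eq 0) -or (($enc -band $RC4) -ne 0)
            AESOnly     = ($enc -ne 0) -and (($enc -band $RC4) -eq 0) -and (($enc -band $AES) -ne 0)
            PasswordAge = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }
            SPNs        = ($_.servicePrincipalName -join '; ')
        }
    }
'--- Accounts with an SPN (privileged + RC4-capable first) ---'
$roastable | Sort-Object Privileged, RC4Allowed, PasswordAge -Descending | Format-Table -AutoSize

# --- (2) DCSync: who may replicate changes from the domain NC -------------
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Assumption: trustees expected to hold these rights; extend with legitimate
# sync accounts (for example an Azure AD Connect service account).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$dcsync = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($replRights.ContainsKey($_.ObjectType.ToString()) -or $_.ActiveDirectoryRights -match 'GenericAll') -and
        $expected -notcontains $_.IdentityReference.Value
    } | ForEach-Object {
        $key = $_.ObjectType.ToString()
        [pscustomobject]@{
            Trustee = $_.IdentityReference.Value
            Right   = if ($replRights.ContainsKey($key)) { $replRights[$key] } else { 'GenericAll (implies all replication rights)' }
        }
    }
'--- Unexpected replication rights on the domain naming context ---'
if ($dcsync) { $dcsync | Format-Table -AutoSize } else { 'None found.' }
```

Service accounts that appear as privileged, RC4-capable and with a password older than a year are the ones worth moving to a group Managed Service Account or, failing that, a long random password and an AES-only encryption setting. Any trustee in the second table that is not a known directory-synchronisation account is a DCSync capability an attacker could use without ever touching a domain controller, and should be removed or explained.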

By protecting their AD environments in this way, organisations can effectively detect lateral movement and the exploitation of AD, so that they can shut the attacker down before they can truly strike.

How to Restrict Access to Ntdsutil to Authorized Users Only

Here are some ways to restrict access to Ntdsutil to authorized users only:

  • Grant permissions to use Ntdsutil only to authorized users.
  • Use Group Policy to restrict access to Ntdsutil.
  • Use the principle of least privilege to ensure that only users who need to use Ntdsutil have access to it.
  • Use role-based access control (RBAC) to restrict access to Ntdsutil.
  • Use a privileged access management (PAM) solution to manage access to Ntdsutil.

It is important to restrict access to Ntdsutil to authorized users only, because the tool can export the entire Active Directory database and so expose every credential in the domain.
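The controls listed above are preventive; the complementary detective control is to confirm that Ntdsutil is only ever run by the people those controls were meant to allow. The PowerShell below is an added example, not code from the original article. It reads the last seven days of process creation events (Security log, event ID 4688) on a domain controller, keeps the ones that launched ntdsutil.exe, and flags any run whose account is not a member of an authorised group. It assumes the RSAT ActiveDirectory module, that the "Audit Process Creation" subcategory and the "Include command line in process creation events" policy are enabled on the DC, and that the authorised group is called AD-Maintenance (a hypothetical name; substitute your own).

```powershell
# Added example (not from the original article): review 4688 process-creation
# events for ntdsutil.exe and flag runs by accounts outside an authorised group.
# Run on (or against event logs collected from) a domain controller.
Import-Module ActiveDirectory

$authorisedGroup = 'AD-Maintenance'   # hypothetical group name; change to yours
$authorised = Get-ADGroupMember -Identity $authorisedGroup -Recursive |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue     # no matching events is not an error here

$runs = foreach ($e in $events) {
    # Parse the event XML rather than relying on positional Properties[] indexes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['NewProcessName'] -notmatch '\\ntdsutil\.exe$') { continue }

    $user = ([string]$data['SubjectUserName']).ToLowerInvariant()
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Computer    = $e.MachineName
        CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
        Authorised  = ($authorised -contains $user)
    }
}

if (-not $runs) {
    'No ntdsutil.exe executions found in the last 7 days.'
} else {
    $runs | Sort-Object Time | Format-Table -AutoSize
    $unauthorised = @($runs | Where-Object { -not $_.Authorised })
    if ($unauthorised.Count -gt 0) {
        Write-Warning "$($unauthorised.Count) ntdsutil run(s) by accounts outside $authorisedGroup"
    }
}
```

Because 4688 is raised for every process, keep the time window short or feed the query from a central log collector rather than each DC's local log. The command line is the most useful field, since it distinguishes a routine "ntdsutil snapshot" from an IFM export, so enable command-line auditing before relying on this check.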
