Active Directory Attack & Defense

The “Active Directory Kill Chain Attack & Defense” concept is a structured approach to understanding the sequence of events or stages involved in an Active Directory (AD) attack and the corresponding defensive measures to counteract or prevent such attacks. Microsoft developed the service Active Directory for Windows domain networks for user and resource management in corporate settings.

You can also download the Incident Response Plan Template to prevent active directory-based attacks.

Here’s a breakdown of a typical Active Directory kill chain attack and its defense:

Reconnaissance:

Attack: An attacker gathers information about the target network, structure, domain names, machine names, and user accounts.

Defense: Limit information exposure. Use network segmentation and monitor directory visibility.

Initial Compromise:

Attack: The attacker exploits vulnerabilities to gain initial access. This could be through phishing, exploiting weak passwords, or unpatched vulnerabilities.

Defense: Implement strong password policies, regular patching, employee awareness training, and use of multi-factor authentication.

Establish Foothold:

Attack: Once access is gained, the attacker establishes a foothold by creating backdoors, creating new accounts, or installing malware.

Defense: Use endpoint detection and response tools, regularly audit accounts and permissions, and monitor for unusual activities.

Escalation of Privilege:

Attack: The attacker attempts to gain higher-level privileges, often targeting administrator accounts or exploiting system vulnerabilities.

Defense: Apply the principle of least privilege, conduct regular privilege audits, and use privileged access management solutions.

Internal Reconnaissance:

Attack: With higher privileges, the attacker explores the network more deeply to identify high-value targets (like domain controllers).

Defense: Network segmentation, monitor network traffic, and use intrusion detection systems.

Move Laterally:

Attack: The attacker moves through the network, accessing other systems and potentially spreading malware.

Defense: Implement strict access controls, monitor lateral movements, and employ network security tools.
Maintain Presence:

Attack: Attackers establish methods to maintain their presence within the network, even if some of their access points are discovered and closed.

Defense: Continuous monitoring, regular network scans, and incident response plans.

Complete Mission:

Attack: The attacker achieves their goal, which could be data exfiltration, data encryption for ransom, or causing operational disruption.

Defense: Data loss prevention tools, regular backups, and a comprehensive incident response strategy.

Understanding and defending against each stage of the Active Directory kill chain requires a combination of technical controls, security policies, and ongoing user education. Continuous monitoring, rapid incident response, and regular reviews of security practices are essential in mitigating the risks of such attacks.

Here, we are elaborating on the tactics, techniques, and procedures (TTPs) attackers leverage to compromise active directory and guidance to mitigation, detection, and prevention. And understand Active Directory Kill Chain Attack and Modern Post Exploitation Adversary Tradecraft Activity.

How to Secure Active Directory Attacks

A thorough checklist is vital for securing Active Directory (AD) from threats. This is a methodical approach:

Update and Patch Regularly: Make that all systems, particularly those using Active Directory, are patched and up-to-date with the most recent security updates on a regular basis.

Domain Controllers (DCs) that are physically secure and whose responsibilities are restricted to AD services are known as secure domain controllers. Stay away from alternative uses for DCs.

Establish Robust Policies Regarding Passwords: Passwords should be complicated and changed frequently. To enhance security, you might consider using passphrases and multi-factor authentication (MFA).

Keep an eye on user accounts: If you see any that aren’t being utilized, or have excessive rights, deactivate them.

Limit Privileged Accounts: Reducing the number of users with administrative access is an important security measure. Limit user access to just what their job description requires by the concept of least privilege.

Monitor and Audit Logins and Activities: Implement measures to monitor and audit all logins and activities, notably those using privileged accounts. Keep an eye out for anything out of the ordinary that could suggest an assault is underway.

Secure Network Access to AD: Safeguard Active Directory by Restricting Access to Servers on the Network. Block all but necessary users from accessing the network by using firewalls and segmenting the network.

Use Organizational Units and Group Policies: Apply Group Policies for security settings and organize resources in Organizational Units (OUs) to ensure that the network’s security configurations are consistent.

Data backup and disaster recovery: Back up Active Directory regularly and prepare for the worst. Regularly evaluate your backup and recovery processes.

User Education: Educate employees on how to spot and avoid phishing and other social engineering threats. Raising awareness can greatly lessen the likelihood of successful assaults.

Perform security audits of your Active Directory environment regularly and check for compliance with applicable security standards and best practices.

Think About Deploying Cutting-Edge Security Solutions: Think About Deploying Cutting-Edge Security Solutions Like SIEM, IDS/IPS, and Endpoint Protection Platforms.

Strengthen Active Directory configuration: Implement recommended security measures for Active Directory setup, such as protecting the Lightweight Directory Access Protocol (LDAP) and mandating Server Message Block (SMB) signature wherever feasible.

Physical Access Control: Limit physical access to servers and other network equipment to authorized persons only.

Keep Up-to-Date on Emerging Threats: Keep yourself apprised of emerging threats by reading up on new attack vectors and vulnerabilities that might impact AD. Then, modify your security procedures appropriately.

If you want to keep your Active Directory system secure, you need to review and update this checklist often to account for new threats and organizational changes.

Discovery

SPN Scanning

Data Mining

User Hunting

LAPS

AppLocker

Active Directory Federation Services

Privilege Escalation

Abusing Active Directory Certificate Services

PetitPotam

Zerologon

Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability

DNSAdmins

Kerberos Delegation

Unconstrained Delegation

Constrained Delegation

Resource-Based Constrained Delegation

Insecure Group Policy Object Permission Rights

Insecure ACLs Permission Rights

Domain Trusts

DCShadow

RID

Microsoft SQL Server

Red Forest

Exchange

NTLM Relay & LLMNR/NBNS

Lateral Movement

Pass The Hash

System Center Configuration Manager (SCCM)

WSUS

Password Spraying

Automated Lateral Movement

Defense Evasion

In-Memory Evasion

Endpoint Detection and Response (EDR) Evasion

OPSEC

Microsoft ATA & ATP Evasion

PowerShell ScriptBlock Logging Bypass

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion

Disabling Security Tools

Credential Dumping

NTDS.DIT Password Extraction

SAM (Security Accounts Manager)

Kerberoasting

Kerberos AP-REP Roasting

Windows Credential Manager/Vault

DCSync

LLMNR/NBT-NS Poisoning

Others


Persistence

Golden Ticket

SID History

Silver Ticket

DCShadow

AdminSDHolder

Group Policy Object

Skeleton Keys

SeEnableDelegationPrivilege

Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

  • Certify – Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
  • PSPKIAudit – PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
  • PowerView – Situational Awareness PowerShell framework
  • BloodHound – Six Degrees of Domain Admin
  • Impacket – Impacket is a collection of Python classes for working with network protocols
  • aclpwn.py – Active Directory ACL exploitation with BloodHound
  • CrackMapExec – A swiss army knife for pentesting networks
  • ADACLScanner – A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
  • zBang – zBang is a risk assessment tool that detects potential privileged account threats
  • SafetyKatz – SafetyKatz is a combination of slightly modified version of @gentilkiwi’s Mimikatz project and @subTee’s .NET PE Loader.
  • SharpDump – SharpDump is a C# port of PowerSploit’s Out-Minidump.ps1 functionality.
  • PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
  • Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • Mimikatz – Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
  • Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
  • Powermad – PowerShell MachineAccountQuota and DNS exploit tools
  • RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
  • DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
  • MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
  • LAPSToolkit – Tool to audit and attack LAPS environments.
  • CredDefense – Credential and Red Teaming Defense for Windows Environments
  • ldapdomaindump – Active Directory information dumper via LDAP
  • SpoolSample – PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface
  • adconnectdump – Azure AD Connect password extraction
  • o365recon – Script to retrieve information via O365 with a valid cred
  • ROADtools – ROADtools is a framework to interact with Azure AD. I
  • Stormspotter – Stormspotter creates an “attack graph” of the resources in an Azure subscription.
  • AADInternals – AADInternals is PowerShell module for administering Azure AD and Office 365
  • MicroBurst: A PowerShell Toolkit for Attacking Azure – MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.

Ebooks

Cheat Sheets

Other Resources

Azure Active Directory

Defense & Detection

Tools & Scripts

  • Invoke-TrimarcADChecks – The Invoke-TrimarcADChecks.ps1 PowerShell script is designed to gather data from a single domain AD forest to performed Active Directory Security Assessment (ADSA).
  • Create-Tiers in AD – Project Title Active Directory Auto Deployment of Tiers in any environment
  • SAMRi10 – Hardening SAM Remote Access in Windows 10/Server 2016
  • Net Cease – Hardening Net Session Enumeration
  • PingCastle – A tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework
  • Aorato Skeleton Key Malware Remote DC Scanner – Remotely scans for the existence of the Skeleton Key Malware
  • Reset the krbtgt account password/keys – This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation
  • Reset The KrbTgt Account Password/Keys For RWDCs/RODCs
  • RiskySPN – RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name).
  • Deploy-Deception – A PowerShell module to deploy active directory decoy objects
  • SpoolerScanner – Check if MS-RPRN is remotely available with powershell/c#
  • dcept – A tool for deploying and detecting use of Active Directory honeytokens
  • LogonTracer – Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • DCSYNCMonitor – Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events
  • Sigma – Generic Signature Format for SIEM Systems
  • Sysmon – System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
  • SysmonSearch – Investigate suspicious activity by visualizing Sysmon’s event log
  • ClrGuard – ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes.
  • Get-ClrReflection – Detects memory-only CLR (.NET) modules.
  • Get-InjectedThread – Get-InjectedThread looks at each running thread to determine if it is the result of memory injection.
  • SilkETW – SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection.
  • WatchAD – AD Security Intrusion Detection System
  • Sparrow – CISA’s Cloud Forensics team created Sparrow.ps1 to help detect possible compromised accounts and applications in the Azure/m365 environment.
  • DFIR-O365RC – The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations.
  • AzureADIncidentResponse – Tooling to assist in Azure AD incident response
  • ADTimeline – The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.

Sysmon Configuration

  • sysmon-modular – A Sysmon configuration repository for everybody to customise
  • sysmon-dfir – Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
  • sysmon-config – Sysmon configuration file template with default high-quality event tracing

Active Directory Security Checks (by Sean Metcalf – @Pyrotek3)

General Recommendations

  • Manage local Administrator passwords (LAPS).
  • Implement RDP Restricted Admin mode (as needed).
  • Remove unsupported OSs from the network.
  • Monitor scheduled tasks on sensitive systems (DCs, etc.).
  • Ensure that OOB management passwords (DSRM) are changed regularly & securely stored.
  • Use SMB v2/v3+
  • Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
  • Remove trusts that are no longer necessary & enable SID filtering as appropriate.
  • All domain authentications should be set (when possible) to: “Send NTLMv2 response onlyrefuse LM & NTLM.”
  • Block internet access for DCs, servers, & all administration systems.

Protect Admin Credentials

  • No “user” or computer accounts in admin groups.
  • Ensure all admin accounts are “sensitive & cannot be delegated”.
  • Add admin accounts to “Protected Users” group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection).
  • Disable all inactive admin accounts and remove from privileged groups.

Protect AD Admin Credentials

  • Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
  • ‘Tiered’ Administration mitigating credential theft impact.
  • Ensure admins only logon to approved admin workstations & servers.
  • Leverage time-based, temporary group membership for all admin accounts

Protect Service Account Credentials

  • Limit to systems of the same security level.
  • Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast).
  • Implement FGPP (DFL =>2008) to increase PW requirements for SAs and administrators.
  • Logon restrictions – prevent interactive logon & limit logon capability to specific computers.
  • Disable inactive SAs & remove from privileged groups.

Protect Resources

  • Segment network to protect admin & critical systems.
  • Deploy IDS to monitor the internal corporate network.
  • Network device & OOB management on separate network.

Protect Domain Controller

  • Only run software & services to support AD.
  • Minimal groups (& users) with DC admin/logon rights.
  • Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
  • Validate scheduled tasks & scripts.

Protect Workstations (& Servers)

  • Patch quickly, especially privilege escalation vulnerabilities.
  • Deploy security back-port patch (KB2871997).
  • Set Wdigest reg key to 0 (KB2871997/Windows 8.1/2012R2+): HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersWdigest
  • Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders – home dir & profile path.
  • Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).

Logging

  • Enable enhanced auditing
  • “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
  • Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method).
  • Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server.
  • SIEM or equivalent to centralize as much log data as possible.
  • User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).

Security Pro’s Checks

  • Identify who has AD admin rights (domain/forest).
  • Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs).
  • Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
  • Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
  • Limit service account rights that are currently DA (or equivalent).

Important Security Updates

CVETitleDescriptionLink
CVE-2020-1472Netlogon Elevation of Privilege VulnerabilityAn elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
CVE-2019-1040Windows NTLM Tampering VulnerabilityA tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka ‘Windows NTLM Tampering Vulnerability’.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040
CVE-2019-0683Active Directory Elevation of Privilege VulnerabilityAn elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka ‘Active Directory Elevation of Privilege Vulnerability’.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683
CVE-2019-0708Remote Desktop Services Remote Code Execution VulnerabilityA remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
CVE-2018-8581Microsoft Exchange Server Elevation of Privilege VulnerabilityAn elevation of privilege vulnerability exists in Microsoft Exchange Server, aka “Microsoft Exchange Server Elevation of Privilege Vulnerability.” This affects Microsoft Exchange Server.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8518
CVE-2017-0143Windows SMB Remote Code Execution VulnerabilityThe SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability.” This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143
CVE-2016-0128Windows SAM and LSAD Downgrade VulnerabilityThe SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka “Windows SAM and LSAD Downgrade Vulnerability” or “BADLOCK.”https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0128
CVE-2014-6324Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka “Kerberos Checksum Vulnerability.”https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068
CVE-2014-1812Vulnerability in Group Policy Preferences could allow elevation of privilegeThe Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle the distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka “Group Policy Preferences Password Elevation of Privilege Vulnerability.”https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

Detection

AttackEvent ID
Account and Group Enumeration4798: A user’s local group membership was enumerated
4799: A security-enabled local group membership was enumerated
AdminSDHolder4780: The ACL was set on accounts which are members of administrators groups
Kekeo4624: Account Logon
4672: Admin Logon
4768: Kerberos TGS Request
Silver Ticket4624: Account Logon
4634: Account Logoff
4672: Admin Logon
Golden Ticket4624: Account Logon
4672: Admin Logon
PowerShell4103: Script Block Logging
400: Engine Lifecycle
403: Engine Lifecycle
4103: Module Logging
600: Provider Lifecycle
DCShadow4742: A computer account was changed
5137: A directory service object was created
5141: A directory service object was deleted
4929: An Active Directory replica source naming context was removed
Skeleton Keys4673: A privileged service was called
4611: A trusted logon process has been registered with the Local Security Authority
4688: A new process has been created
4689: A new process has exited
PYKEK MS14-0684672: Admin Logon
4624: Account Logon
4768: Kerberos TGS Request
Kerberoasting4769: A Kerberos ticket was requested
S4U2Proxy4769: A Kerberos ticket was requested
Lateral Movement4688: A new process has been created
4689: A process has exited
4624: An account was successfully logged on
4625: An account failed to log on
DNSAdmin770: DNS Server plugin DLL has been loaded
541: The setting serverlevelplugindll on scope . has been set to <dll path>
150: DNS Server could not load or initialize the plug-in DLL
DCSync4662: An operation was performed on an object
Password Spraying4625: An account failed to log on
4771: Kerberos pre-authentication failed
4648: A logon was attempted using explicit credentials

Resources

Source & Credits: @infosecn1nja

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]