Active Directory Infiltration Methods Employed by Cybercriminals


Active Directory infiltration methods exploit vulnerabilities or weaknesses in Microsoft’s Active Directory to gain unauthorized access.

Active Directory is a central component in many organizations, making it a valuable target for attackers seeking access to:-

  • Sensitive information
  • User accounts
  • Network resources

While successful infiltration allows threat actors to:-

  • Establish persistence
  • Exfiltrate data
  • Disrupt operations

Cybersecurity researchers at ASEC recently discovered that threat actors are actively exploiting Microsoft’s Active Directory infiltration methods.

Document

Free Webinar

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Active Directory Infiltration Methods

Active Directory (AD) in Windows manages user and resource data in a network. Domain Controllers control domains in AD, and compromising one means the entire domain is at risk. 

In short, the domain Admins have ultimate control, and this ability makes them prime targets for threat actors aiming to exploit the entire domain. 

To achieve this, threat actors seeking vulnerabilities first analyze the domain structure using tools like:-

Port scanning extracts network info, including running services and port numbers from a target domain. Threat actors use it to uncover network structure, subnet, and host details. 

Cobalt Strike’s default port scanning aids reconnaissance. The tool checks security vulnerabilities in company networks. It encompasses features like:-

  • Internal reconnaissance
  • Privilege escalation
  • Lateral movement
  • Command and control
Log detecting a port scanning tool (Source – ASEC)

Default in Windows the net commands manage network resources that is useful for user and network data lookup, especially in Active Directory.

Threat actors seize control and then deploy net commands for basic network info collection. While the main net commands were used in attacks on Active Directory environments.

Here below, we have mentioned all the commands:-

  • net time
  • net user
  • net group /domain
  • net group /domain “Domain Admins”
  • net group /domain “Enterprise Admins”
  • net group /domain “Domain Computers”
  • net group /domain “Domain Controllers”
  • net localgroup Administrators

PowerView in PowerSploit gathers and displays Windows domain info that helps threat actors in:-

  • Understanding the network structure 
  • Targeting for privilege escalation 

AdFind is also similar to PowerView, which is a command line tool for Active Directory info that offers a stealthier approach. 

Ryuk ransomware employed AdFind to covertly collect domain data, surpassing typical anti-malware detection.

Besides this, the BloodHound maps attack paths for privilege escalation in Active Directory, utilizing SharpHound for info collection through executable or PowerShell script formats. 

Result of parsing the collected information through BloodHound
Result of parsing the collected information through BloodHound (Source – ASEC)

Infiltrators in Active Directory environments deploy tools like PowerView and AdFind for:-

  • Reconnaissance
  • Targeting domain admin privileges

While the BloodHound optimizes lateral movement paths, traditional security software may miss these threats.



Source link