In a move to enhance cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with several international cybersecurity agencies, has released a comprehensive guide on detecting and mitigating Active Directory compromises.
This guidance, co-authored by the Australian Signals Directorate (ASD), the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK), aims to inform organizations about the common techniques used by malicious actors to target Microsoft Active Directory.
Active Directory is the cornerstone of authentication and authorization in enterprise IT networks globally, providing services such as Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), and Active Directory Certificate Services (AD CS).
However, its pivotal role makes it a prime target for cyber attackers. The guide highlights that Active Directory’s susceptibility to compromise stems from its permissive default settings, complex relationships, and support for legacy protocols, as well as a lack of adequate tooling for diagnosing security issues.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration
Common Techniques Exploited by Malicious Actors
The guide details 17 common techniques used by malicious actors to compromise Active Directory.
Key Techniques Include:
Kerberoasting: This involves exploiting user objects configured with a service principal name (SPN) to obtain their ticket-granting service (TGS) tickets, which can be cracked to reveal the cleartext password.
Authentication Server Response (AS-REP) Roasting: This technique targets user objects that do not require Kerberos pre-authentication, allowing attackers to crack the Authentication Server Response (AS-REP) ticket to obtain the password.
Password Spraying: A brute-force attack method where attackers attempt to log in with common passwords across multiple accounts.
MachineAccountQuota Compromise: Exploiting the default quota of machine accounts that can be created by a user to gain unauthorized access.
Unconstrained Delegation: Allowing attackers to impersonate any user in the domain.
Mitigation Strategies
The guide provides robust mitigation strategies to protect against these threats:
Implementing Microsoft’s Enterprise Access Model: This tiered model ensures that Tier 0 user objects (those with significant access) do not expose their credentials to lower-tier systems and that Tier 0 computer objects are only managed by Tier 0 user objects.
Minimizing SPNs: Reducing the number of user objects configured with SPNs to limit the attack surface for Kerberoasting.
Ensuring Kerberos Pre-authentication: Configuring all user objects to require Kerberos pre-authentication to mitigate AS-REP Roasting.
Using Group Managed Service Accounts (gMSAs): Automatically rotating passwords and using complex, unpredictable passwords to protect service accounts.
Monitoring and Logging: Centrally log and analyze events such as TGS ticket requests to detect suspicious activity.
Detecting Active Directory compromises can be challenging due to the similarity between legitimate and malicious activities.
The guide suggests using tools like BloodHound, PingCastle, and Purple Knight to understand and identify misconfigurations and weaknesses.
It also recommends analyzing specific event IDs, such as 4769 for TGS ticket requests, to identify potential Kerberoasting activity.
The release of this guide underscores the critical need for organizations to prioritize the security of their Active Directory environments.
By understanding the common techniques used by malicious actors and implementing the recommended mitigation strategies, organizations can significantly enhance their cybersecurity posture and protect against potentially devastating compromises.
As cyber threats continue to evolve, staying informed and proactive is essential for maintaining the integrity of enterprise IT networks.
Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free