Chaining together Active Directory attack techniques to give your organization the edge against attackers

Posted by: Michael Greenberg
May 30, 2022
Getting your Trinity Audio player ready...

Debuting at RSA 2022 we will show the industry how we can link the use of Active Directory (AD) into the entire attack path, bringing multiple attack techniques together, offering a complete and accurate view of an organization’s cybersecurity risk, across on-prem and cloud environments. 

So, what inspired us? Microsoft Active Directory is a platform that enables authentication,  authorization, and management for the entire organization. Since Active Directory is very widespread in both small and large organizations to manage permissions to resources and actions in the Windows operating system domain, it is imperative we pay closer attention to it. Approximately 90% of the Global Fortune 1000 companies use it as a primary method to provide seamless authentication and authorization.

Active Directory – how is it built and why does this make everything so complicated? 

In AD every object that can be authenticated gets a set of permissions. You can manage your users, computers and services in groups and your Organizational Units (OU). So every user, computer, or service can have multiple permission sets, sometimes contradicting and the hierarchy will determine who rules. Ultimately it is very  complicated to figure out what to do with it and see where certain configurations and policies may actually expose the organization to greater risk.

One of the most untamed threats to organizations

A real problem – XM Cyber Research team reported 73% of the top attack techniques used to compromise critical assets involve mismanaged or stolen credentials; and at least 50% of attacks in organizations are due to AD compromise. In many cases, abused domain credentials give the attacker the ability to work their way through your network, allowing them to do further reconnaissance, pick a target, and move laterally until they compromise the critical asset. 

The disconnect: you can see what permissions you’ve set for users to grant them access to do their jobs but you can’t see which expose your critical assets and can be used in attack paths to put your business at risk.

So how did it get this way? It is because Active Directory abuse goes unseen in organizations’ due to the inherent nature of dynamic configuration issues in addition to just trying to keep it updated – this blind spot – of what seemingly looks secure but poorly configured puts organizations at risk as traditional siloed security tools can not identify the risk and potential compromise of critical assets in the network.

What’s even more concerning is that exploiting AD has great potential to gain access to your Azure environments by abusing the inherent trust relationships between the two.

Active Directory – what kind of actions can the attacker perform?

An attacker that has compromised an AD user could use this to:

  • Elevate privileges
  • Conceal malicious activity in the network
  • Achieve persistency by using AD capabilities to execute malicious code
  • Make their way into the cloud environment to compromise assets, particularly Azure

Additional Active Directory privilege escalation techniques

  • Attacking Users
  • Attacking Groups
  • Attacking Contain Objects (Domains, OUs)
  • Attacking Group Policies and GPLinks

An example of this would be an attacker infiltrating an enterprise environment through sending a phishing mail that when opened, executes code using a vulnerability on an unpatched machine. The next step for the attacker would be to exploit the compromised AD user’s local and domain credentials through credential dumping techniques. This user has the permissions to add themself to an AD group so the attacker can now add the compromised AD user to an AD helpdesk group. The helpdesk group has the AD permissions to reset other users passwords and now the attacker can reset a password to another user, preferably an old, out of use admin. Now that they are an admin they can do many harmful activities in the network – for example, the attacker can run malicious code through adding a script logon to other users in AD. This way every time a user logs on the script will run and the attacker can gain access to other computers and conceal his lateral movement for a long and persistent presence in the network. With privileges of being a domain admin they can access your business critical assets such as the exchange server, financial data, production servers and so on. The quick progress towards being a domain admin can facilitate a quick takeover of your critical assets for ransomware. If this compromise wasn’t of concern enough, in addition the attacker has access to basically all the users in the domain and can locate users that have an Azure access token store on their machine. This way he can use it to connect to the Azure environment and continue compromising critical assets.

See how an attacker leverages a vulnerability to compromise an AD user and exploit a legitimate set of configurations to escalate privileges and compromise the enterprise domain.

What do we do for better Active Directory Security?

According to Gartner, “It is critical to make concentrated efforts to comprehensively secure and monitor AD, proactively look for threats and misconfigurations, and remediate to prevent dangerous actions from taking place.”

XM Cyber is the first in the industry to show how Active Directory abuse comes into play in the entire attack path, bringing multiple attack techniques together to pinpoint highest risks and offer step-by-step remediation guidance.

With XM Cyber you benefit from:

Continuously eradicating Active Directory risks across on-prem and cloud environments – discover how attackers can move laterally in the network through impersonating an AD user, escalating privileges allowing them to run malicious code in the network covertly, and even gain access to the cloud environment by moving from a compromised enterprise AD user to his joined Azure AD user. 

Extensive attack technique arsenal for Active Directory and Azure AD – including privilege escalation in Active Directory, credential grabbing/dumping, vulnerabilities and taking advantage of misconfigurations and legitimate structuring of your Active Directory users, services, computers, and even files. 

Prioritized remediation for all Active Directory changes and malicious threats – highlight the riskiest credentials and permissions across users, endpoints and services managed in your Active Directory, enabling you to direct resources to remediate the most impacting risks first with step-by-step guidance. Enrich your SOC, SIEM or SOAR with attack path insights to quickly prevent attacks.

Comprehensive security posture analysis reflecting Active Directory weaknesses in real time – continuous security score that directly correlates with the likelihood of an attack that can compromise your critical assets based on the entirety of your environment and what’s managed by Active Directory.

A big advantage of seeing all the possible attack techniques an attacker can use in a unified attack path is reflecting not just the risk, but also the focal points that might be easier to remediate and will help security teams break the chain of events in a way that otherwise wouldn’t be possible. 

For example, it’s almost impossible to remove permissions from built-in administrators because many times they need them for their daily tasks but creating visibility to all the full attack paths could reveal that most of the attack paths towards your admin groups or domain controllers utilize excessive permissions given to an HR group by mistake or a specific vulnerable machine that might have remained unpatched for a reason. Leveraging attack path management insights provides a new understanding of the risk this machine causes and the high value from remediating it, this would become the focus of remediation efforts. A unified attack path that includes all the tools that an attacker has in his arsenal can reveal not only the risk but also bring to light the solutions needed that otherwise wouldn’t be visible.

Don’t miss your opportunity to see our new Active Directory capabilities live at RSAC 2022. Join us for a demo and see how we reveal entire attack paths across AD and other vectors, aiding remediation and continuously protecting critical assets.

 Learn more about Active Directory Security from XM Cyber.

Michael Greenberg

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.