Microsoft Active Directory and Azure Active Directory are directory services products used for identity and access management at most major enterprises all over the world. All Active Directory (AD) environments are vulnerable to a type of attack called identity attack paths.
In these attacks (also called identity snowball attacks), the adversary first compromises a host using a phishing email or some other method. Once they have their code running on a computer in the target network, they use the privileges of the users logged into that host (as well as tools like Responder and Mimikatz) to compromise other machines and systems.
There are many techniques for doing this, including searching for passwords in SYSVOL in Active Directory, cracking service account passwords with the “Kerberoast” attack, or repeatedly moving laterally and dumping credentials until getting Domain Admin credentials (more details on all of these methods are available in this post). These steps form a “path” from the adversary’s initial access point to their final objective.
In most cases, getting credentials for a domain administrator and taking control of Active Directory is the penultimate step before reaching that final objective. In this powerful position, the adversary can take control of endpoints remotely and give themselves whatever access they need – in practice, giving them control over any system, user, or business process. This control almost always allows them to accomplish their goal, whether that is deploying malware, accessing valuable data, or something else entirely.
Unfortunately, attack paths are inevitable in Active Directory thanks to several factors. One is the size of an enterprise AD environment, with hundreds or thousands of users and systems. Given the opaque nature of how privileges are granted in AD, AD and system administrators can easily make mistakes or misconfigurations like giving all-inclusive security principals any kind of special privilege (for example, it’s common to see the “Domain Users” group granted local admin rights on one or more systems). AD itself gives admins very little visibility into user permissions, so it’s nearly impossible to audit user privileges and spot these misconfigurations once they’ve been created. The misconfiguration debt builds up over time. Security teams need capabilities to map and prioritize the resulting attack paths to even attempt to take corrective action.
Who uses attack paths anyway?
This isn’t just a theoretical question – attack paths are widely used by adversaries today for all types of attacks. Here are several examples:
- Microsoft recently published an analysis of malware, dubbed FoggyWeb, that steals credentials in order to get admin-level access to Active Directory Federation Services. The malware is from NOBELIUM, the actor behind the SolarWinds attack, and was observed in the wild as early as April 2021.
- Active Directory Certificate Services has several vulnerabilities, including one quite serious one, that allow adversaries to achieve domain persistence by stealing the private key for the certificate authority and forging “golden” certificates that cannot be revoked!
- These vulnerabilities can be used in combination with the “PetitPotam” attack, published in July 2021 by security researcher Gilles Lionel, to gain full Domain Admin permissions starting from just network access. This is only one of many ways that Active Directory can be compromised.
Attack paths: A means to an end
The scary part about an attacker gaining control of Active Directory is the power that gives them – and there are many ways they can use that power. Defenders should pay attention to the security of AD because attack paths can be used to launch significant attacks. Here are some example scenarios of how an attacker might abuse attack paths to deploy ransomware, steal sensitive data, or achieve persistence.
Control of Active Directory means control of all systems, users, and processes in the enterprise. With control of all systems, the adversary can deploy ransomware to all systems through several mechanisms, such as Group Policy, SCCM, and third-party software deployment products that – you guessed it – usually run on domain-joined Windows systems.
With Domain Admin rights, there’s no data in the enterprise the adversary can’t get access to – if anyone can access it, so can a Domain Admin. Even if data is protected by encryption or out-of-band multi-factor authentication (MFA), an adversary need only ride the legitimate access users use to access protected data.
Achieving Domain Admin level access affords the adversary nearly limitless options for maintaining persistence in the network or adding backdoors to immediately re-gain high privileges in the future. From kernel-level rootkits to deploying agents on network infrastructure, the levels of sophistication range and can be incredibly difficult for even the most skilled incident response professionals to identify and eliminate.
Attack paths are attractive to attackers because they’re harder to detect and quantify than a software vulnerability, they exist in every organization thanks to the scope and complexity of Active Directory, and there’s virtually no way to stop an adversary from trying again if they are caught and kicked off the network. Attack paths can be closed by hardening AD, reducing, or fixing misconfigurations, and assessing over-privileged users. But the first step is for defenders to understand their current attack path risk.