Securing Active Directory: Thinking Like an Attacker, Securing Like an Admin
    Derek Melber, Chief Technology & Security Strategist
    Tenable
    dmelber@tenable.com
    CPE CREDIT PROCESS
    LIVE EVENT & ON DEMAND RECORDING
    • You must view the live or recorded webinar for the required amount of time
      (50-minutes). Check the CPE Credit window to view the timer.
    • Your CPE Certificate will automatically appear in the ISACA CPE RECORDS
      tab on the MyISACA page after completing the required viewing time.
    • Please be patient. This process could take up to 48 hours for your CPE Certificate
      and the CPE credit to be applied to your account.
    • As a reminder, ALL ISACA webinars, the CPE credits and CPE certificates expire
      365 DAYS POST LIVE EVENT. Please make sure you save the appropriate
      documents to your personal records.
    TODAY’S SPEAKER
                      Derek Melber
                      Chief Technology & Security Strategist
                      Tenable
                      dmelber@tenable.com
Scary Active Directory Security
(Chart: 18%)
           Attackers Know AD is not Secure
     FireEye Analysis of SolarWinds Attack Code
      “The backdoor also determines if the system is
      joined to an Active Directory (AD) domain and, if
      so, retrieves the domain name. Execution ceases
      if the system is not joined to an AD domain.”
Attackers Know AD is not Secure
MountLocker new variant: XingLocker
"In essence, the new ransomware will query the compromised computer to see if it is joined to an Active Directory domain. If the computer is not joined to AD, the ransomware will fail and move to another device to perform the same query."
Active Directory Proven to be Target of Attacks

Lapsus$
On March 22, 2022, Microsoft stated:
"DEV-537 (LAPSUS$) used DCSync attacks and Mimikatz to perform privilege escalation routines. Once Domain Admin access had been obtained,.."

THE defining step in LAPSUS$'s methodology is "Active Directory Privilege Escalation"

MSFT also said:
"They (LAPSUS$) have been CONSISTENTLY observed to use AD Explorer, to enumerate all users and groups in the said network... this allows them to understand which accounts might have higher privileges" <to escalate privilege to in AD.>

*Source: lnkd.in/guca2AAp
Typical Attack Tactics
- Vulnerabilities
- Misconfigurations
- Privileged accounts
- Password attacks
- Advanced attacks
- Persistence
- Backdoors
Attacks and Defenses

Attack phases 0-8, with the attacker tactics and the defensive actions that apply to each group of phases:

Phase 0 - Target recognition
Phase 1 - Phishing and exploits on selected targets
  Attacker Tactics:   Phish users; Exploit Vulnerabilities; Exploit Misconfigurations
  Defensive Actions:  Educate users; Email security

Phase 2 - Initial Entry Point compromise
Phase 3 - Local privilege escalation
  Attacker Tactics:   Mine credentials; Install enumeration tool; Enumerate AD; Exploit Vulnerabilities
  Defensive Actions:  Vulnerability Management; AV; EDR; Least privilege; User is not local Administrator; Application Restriction; UEBA

Phase 4 - Company's infrastructure cartography
Phase 5 - Lateral movement
  Attacker Tactics:   Mine credentials; Password spray; Brute force; Cleartext password; No password required; Exploit Vulnerabilities
  Defensive Actions:  Vulnerability Management; LAPS; Unique passwords; Common passwords; Change PW often; Strong Password Policy; Password spray detect; Brute force detect; MFA; PAM

Phase 6 - Credentials replay on privileged accounts
Phase 7 - Privilege escalation on AD
  Attacker Tactics:   SPN/Kerberoasting; Kerberos delegation; Password spray; Brute force; Cleartext password; LSASS credential dump; Exploit Vulnerabilities
  Defensive Actions:  Vulnerability Management; Secure privileged users; Secure service accts; Secure computer accts; Clean up old security; Password spray detect; Brute force detect; LSASS detect; DCSync detect; DCShadow detect; SPN modification; Kerberos delegation mod

Phase 8 - Post exploitation (persistence, backdooring)
  Attacker Tactics:   Set user attributes; Modify group members; Set user rights; Modify group policy; Create Golden Ticket; adminSDHolder; Exploit Vulnerabilities
  Defensive Actions:  Vulnerability Management; DCSync detect; DCShadow detect; Golden Ticket detect; LSASS detect; SIDHistory modification; Primary Group ID modification
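"DCSync detect" appears in the defensive actions for phases 6 through 8. As an added example (not code from the deck or from Tenable), this script pulls the DCSync signature out of a domain controller's Security log: event 4662 where a non-DC account requests the directory replication control-access rights. It assumes "Audit Directory Service Access" is enabled on the DCs and that any known non-DC replication account (a placeholder name is used) is allow-listed.

```powershell
# Added example, not from the deck: pick out DCSync-style requests from a
# domain controller's Security log. Assumes "Audit Directory Service Access"
# is enabled so event 4662 is written, and the script runs on or against a DC.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Accounts that replicate legitimately without being a DC (placeholder name,
# e.g. a directory sync service account). Anything else asking for these rights is suspect.
$KnownSyncAccounts = @('SYNC_ACCOUNT_PLACEHOLDER')

function Get-DcSyncCandidates {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # The Properties field lists the control-access-right GUIDs that were requested
        $hits = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ })
        if (-not $hits) { continue }
        $user = $data['SubjectUserName']
        # DC computer accounts (name ends in '$') replicate constantly; a user
        # account requesting replication rights is the DCSync signature.
        if ($user -like '*$' -or $user -in $KnownSyncAccounts) { continue }
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Account = "$($data['SubjectDomainName'])\$user"
            Rights  = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            Object  = $data['ObjectName']
        }
    }
}

Get-DcSyncCandidates -Hours 24 | Format-Table -AutoSize
```

The same filter (event 4662, replication GUIDs in Properties, subject not a computer account) is what a SIEM rule for the "DCSync detect" row would implement.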
     Attacker Attack Path Tools
PowerShell for AD Enumeration
The following are a few examples of PowerShell cmdlets that an authenticated,
non-privileged user can easily run and that attackers leverage:

Get-ADUser -Filter {Name -like "*admin*"}
    Retrieves all users with "admin" in the name.
Get-ADUser -Filter {servicePrincipalName -ne "$null"}
    Retrieves all users that have an SPN.
Get-ADDefaultDomainPasswordPolicy
    Retrieves the domain password policy located in the Default Domain Policy.
Get-ADGroup -Filter * | Select-Object Name
    Retrieves all AD group names.
Get-ADDomain
    Gets domain info including DC info.
Get-ADReplicationConnection -Filter *
    Retrieves DC replication connection info.
Get-GPO -All (or even better Get-GPOReport -All)
    Retrieves all GPOs. Get-GPOReport will even export them as XML or HTML
    (-ReportType Xml or Html).
Attack Path Visualization
A need for graph visualization

2014: Emmanuel Gras and Lucas Bouillot presented their work titled "Chemins de contrôle en environnement Active Directory" ("Active Directory Control Paths")

2017: Open source version of BloodHound v1.3 is provided to the community
     Attacker Requirements
Attacker Process – Entering the Enterprise

Phishing
Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure.

Vulnerability
A security vulnerability is a weakness or hole in hardware or software – a bug or programming mistake – that can be exploited to compromise systems and give attackers access to data and information.

Misconfiguration
A configuration for hardware, software, application, operating system, object, etc. that is not set at the most secure level, which can be exploited to compromise systems and give attackers access to data and information.
Attacker Process – Enumerating AD

Obtain Local Privileges
Attackers want local privileges so they can gather locally cached credentials, install software, disable security software, etc. in order to scan the network to obtain additional information, as well as move to other systems.

Enumeration of AD and all settings
Every AD user can read Active Directory and run commands to report on existing configurations and objects; this includes attackers that have compromised devices that are connected to AD.
Enumeration – Determine Privileged Accounts

What Attackers Have:
  ● Mined credentials from local cache(s)

Steps:
  1. Run installed tools
  2. Query AD privileges
  3. Get users with privileges
  4. Compare mined credentials against AD privileged accounts

What Attackers Obtain:
  ● List of users that have privileges in AD
Enumeration – Attack Accounts

What Attackers Have:
  ● Ability to Enumerate AD

Steps:
  1. Run installed tools
  2. Query AD accounts
  3. Get users with exploitable attributes
  4. Attack users/computers to gain privileges

What Attackers Obtain:
  ● List of users/computers that have exploitable attributes
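The read-only enumeration from the PowerShell slide and the "users with exploitable attributes" step above, run from the defender's side as an audit. This is an added example, not code from the deck or from Tenable; it assumes the RSAT ActiveDirectory module, an ordinary authenticated domain account, and a one-year password-age threshold chosen here for illustration.

```powershell
# Added example, not from the deck: list the accounts whose attributes the
# enumeration slides say attackers look for. Read-only; needs the RSAT
# ActiveDirectory module and an ordinary authenticated domain account.
Import-Module ActiveDirectory

# userAccountControl bit flags (documented values; names as shown in ADUC)
$UacFlags = @{
    PASSWD_NOTREQD         = 0x0020    # "No password required"
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
    DONT_REQ_PREAUTH       = 0x400000  # AS-REP roastable
}
$PasswordAgeLimit = (Get-Date).AddYears(-1)   # assumed threshold for this example

function Get-ExposedAdAccounts {
    $props = 'userAccountControl', 'servicePrincipalName', 'adminCount',
             'PasswordLastSet', 'Enabled'
    foreach ($u in (Get-ADUser -Filter * -Properties $props)) {
        $uac    = [int]$u.userAccountControl
        $issues = @(foreach ($name in $UacFlags.Keys) {
            if ($uac -band $UacFlags[$name]) { $name }
        })
        if ($u.servicePrincipalName) {
            # Kerberoastable; far worse when the account is also protected (adminCount=1)
            $tag = if ($u.adminCount -eq 1) { 'PRIVILEGED_WITH_SPN' } else { 'HAS_SPN' }
            $issues += $tag
        }
        if ($u.Enabled -and $u.PasswordLastSet -and $u.PasswordLastSet -lt $PasswordAgeLimit) {
            $issues += 'PASSWORD_OLDER_THAN_1Y'
        }
        if ($issues) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                AdminCount     = [int]$u.adminCount
                Issues         = ($issues -join ',')
            }
        }
    }
}

# Privileged accounts first, then export for the remediation queue
$findings = Get-ExposedAdAccounts | Sort-Object AdminCount -Descending
$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\ad-account-exposure.csv
```

Every query here runs with the same rights an attacker's compromised user has, which is the point of the slide: whatever this report shows, an attacker can already see.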
SECURE YOUR ACTIVE DIRECTORY AND DISRUPT ATTACK PATHS

MITIGATE EXISTING THREATS
  ● Immediately discover, map, and score existing weaknesses
  ● Follow step-by-step remediation tactics and prevent attacks

MAINTAIN HARDENED SECURITY
  ● Continuously identify new vulnerabilities and misconfigurations
  ● Break attack pathways and keep your threat exposure in check

DETECT ADVANCED ATTACKS IN REAL TIME
  ● Get alerts and actionable remediation plans on AD attacks
  ● Help your SOC team visualize notifications & alerts in your SIEM
      Privileged Groups
      -   Availability : In every AD domain
      -   Level of Threat : Critical
      -   Attack Method : Privilege escalation
      -   Commonality of being misconfigured : Near 100%
      -   Ability to secure : Yes
      -   How to secure: Ensure group members are correct
      Primary Group ID
      -   Availability : In every AD domain
      -   Level of Threat : Critical
      -   Attack Method : Privilege Escalation
      -   Commonality of being misconfigured : Near 100%
      -   Ability to secure : Yes
      -   How to secure: Set primaryGroupID to 513
      GPO Permissions
      -   Availability : In every AD domain
      -   Level of Threat : Critical
      -   Attack Method : Privilege Escalation, Ransomware deployment
      -   Commonality of being misconfigured : Near 100%
      -   Ability to secure : Yes
      -   How to secure: Ensure GPO permissions are correct
      adminSDHolder
      -   Availability : In every AD domain
      -   Level of Threat : Critical
      -   Attack Method : Privilege Escalation
      -   Commonality of being misconfigured : Near 100%
      -   Ability to secure : Yes
      -   How to secure: Remove users from AdminSDHolder ACL (via groups too)
      Kerberos Delegation
      -   Availability : In every AD domain
      -   Level of Threat : Critical
      -   Attack Method : Impersonation
      -   Commonality of being misconfigured : Near 100%
      -   Ability to secure : Yes
      -   How to secure: Configure constrained delegation
      Service Principal Name
      -   Availability : In every AD domain
      -   Level of Threat : Critical
      -   Attack Method : Kerberoasting
      -   Commonality of being misconfigured : Near 100%
      -   Ability to secure : Yes
      -   How to secure: Remove SPN users from privileged groups
      KRBTGT User Password
      -   Availability : In every AD domain
      -   Level of Threat : Critical
      -   Attack Method : Kerberoasting, Golden Ticket
      -   Commonality of being misconfigured : Near 100%
      -   Ability to secure : Yes
      -   How to secure: Reset KRBTGT password 2X/year
      AD Root Permissions
      -   Availability : In every AD domain
      -   Level of Threat : Critical
      -   Attack Method : DCSync
      -   Commonality of being misconfigured : Near 100%
      -   Ability to secure : Yes
      -   How to secure: Ensure AD root permissions are correct
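The "How to secure" lines above each reduce to a check an admin can run. As an added example (not code from the deck or from Tenable), this script covers privileged group membership, primaryGroupID, the AdminSDHolder ACL, SPNs on protected accounts, KRBTGT password age and replication rights on the domain root. It assumes the RSAT ActiveDirectory module (for the AD: drive) and read access; the approved-member lists and the ACL baselines are placeholders to replace with the organisation's own.

```powershell
# Added example, not from the deck: read-only checks for the hardening
# items above. Needs the RSAT ActiveDirectory module (the AD: drive) and
# read access; the approved-member lists and ACL baselines are placeholders.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$nb     = $domain.NetBIOSName

# 1. Privileged groups: recursive membership vs. an approved list (placeholder)
$approved = @{
    'Domain Admins'     = @('Administrator')
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @()
}
foreach ($g in $approved.Keys) {
    $members = Get-ADGroupMember -Identity $g -Recursive | ForEach-Object SamAccountName
    $extra   = $members | Where-Object { $_ -notin $approved[$g] }
    if ($extra) { "[$g] unexpected members: $($extra -join ', ')" }
}

# 2. primaryGroupID: every user should point at Domain Users (513)
Get-ADUser -Filter 'primaryGroupID -ne 513' -Properties primaryGroupID |
    ForEach-Object { "[primaryGroupID] $($_.SamAccountName) = $($_.primaryGroupID)" }

# 3. AdminSDHolder: write-capable ACEs for trustees outside an assumed baseline
$baseline = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            "$nb\Domain Admins", "$nb\Enterprise Admins"
$sdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
(Get-Acl "AD:\$sdHolder").Access |
    Where-Object { $_.IdentityReference.Value -notin $baseline -and
                   $_.ActiveDirectoryRights -match 'Write|GenericAll' } |
    ForEach-Object { "[AdminSDHolder] $($_.IdentityReference): $($_.ActiveDirectoryRights)" }

# 4. Kerberoastable privileged users: protected accounts (adminCount=1) with an SPN
Get-ADUser -Filter 'adminCount -eq 1 -and servicePrincipalName -like "*"' |
    ForEach-Object { "[SPN on privileged user] $($_.SamAccountName)" }

# 5. KRBTGT password age (the deck recommends a reset twice a year)
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = ((Get-Date) - $krbtgt.PasswordLastSet).Days
if ($ageDays -gt 180) { "[krbtgt] password last set $ageDays days ago" }

# 6. Domain root: replication extended rights (what DCSync needs) held by
#    principals other than the domain controllers and built-in admins.
#    GUIDs: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
$replRights = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
              [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
$expected = "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers",
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins"
(Get-Acl "AD:\$($domain.DistinguishedName)").Access |
    Where-Object { $_.ObjectType -in $replRights -and $_.IdentityReference.Value -notin $expected } |
    ForEach-Object { "[DCSync right] $($_.IdentityReference) holds $($_.ObjectType)" }
```

Each line of output maps to one slide above; an empty run means the six settings match the "How to secure" guidance for the baselines you supplied.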
     QUESTIONS?
       Derek Melber, MVP
      dmelber@tenable.com

THANK YOU FOR ATTENDING THIS ISACA WEBINAR