Open in app

Sign in

Write

Sign in

Detecting and Mitigating Active Directory Compromises — Part I, Prevention

SOCFortress
7 min readSep 28, 2024

--

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

The Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises.
This guide informs organisations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
Active Directory is the most widely used authentication and authorisation solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.
Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.
Reference: https://www.cyber.gov.au/sites/default/files/2024-09/PROTECT-Detecting-and-Mitigating-Active-Directory-Compromises.pdf

What’s Microsoft AD

Microsoft Active Directory (AD) is a directory service primarily used for authentication and authorisation, allowing administrators to manage permissions and access to network resources.

Active Directory is essentially a centralised database that stores information about users, computers, and other resources on a network. AD authenticates users when they log in and ensures they are granted the right access levels based on group memberships, policies, and roles. Administrators can manage network resources, user accounts, and security settings centrally through AD.

Using Group Policies administrators can define a set of rules that control the working environment of user accounts and computers.

Active Directory Components

  • Domain: The basic unit in an Active Directory setup. It is essentially a logical group of objects (like users, computers, and devices) that share the same AD database.
  • Domain Controllers (DC): Servers that run AD and store the database. They authenticate users and enforce security policies.
  • Forest: A collection of one or more domains that share a common schema and configuration, forming a security boundary.
  • Organizational Units (OUs): Containers that allow administrators to organize users, computers, and other resources within a domain, making it easier to apply policies and manage them.
  • Global Catalog (GC): A distributed data repository that contains information about every object in the AD forest, allowing faster searches across domains.
  • Schema: The definition of objects and their attributes in AD, defining the classes of objects that can exist in the directory.

Key Functions of Active Directory

  • User and Group Management: Admins can create user accounts, assign users to groups, and control access based on group membership.
  • Resource Management: Resources like file shares, printers, and network access are centrally controlled.
  • Security Management: Policies can be enforced at different levels, such as password policies, software restrictions, and access control lists (ACLs).
  • Replication: AD data is replicated across multiple domain controllers to ensure high availability and fault tolerance.

Microsoft AD and Cybersecurity

Active Directory’s pivotal role in authentication and authorisation makes it a valuable target for malicious actors. It is routinely targeted as part of malicious activity on enterprise IT networks.

Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy
protocols and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory.
Specifically, Active Directory’s susceptibility to compromise is, in part, because every user in Active Directory has sufficient permission to enable them to both identify and exploit weaknesses. These permissions make Active Directory’s attack surface exceptionally large and difficult to defend against. Also contributing to its vulnerability is the complexity and opaqueness of relationships that exist within Active Directory between different users and systems. It is often these hidden relationships, which are overlooked by organisations, that malicious actors exploit, sometimes in trivial ways, to gain complete control over an organisation’s enterprise IT network.

Gaining control of Active Directory gives malicious actors privileged access to all systems and users that Active Directory manages. With this privileged access, malicious actors can bypass other controls and access systems,
including email and file servers, and critical business applications at will. This privileged access can often be extended to cloud-based systems and services via Microsoft’s cloud-based identity and access solution, Microsoft Entra ID (note: Microsoft Entra ID is a paid feature). This allows users to access cloud-based systems and services, however, it can also be exploited by malicious actors to maintain and expand their access.

Active Directory can also be misused by malicious actors to establish persistence in organisations. Some persistence techniques allow malicious actors to log in to organisations remotely, even bypassing multi-factor authentication (MFA) controls. Many of these persistence techniques are resistant to cyber security incident response remediation activities intended to evict malicious actors. Additionally, sophisticated malicious actors may persist for months or even years inside Active Directory.

Prevention: Hardening Microsoft AD

The joint guide “Detecting and Mitigating Active Directory Compromises” focuses on mitigation and detection. SOCFortress recommends the use of the CIS benchmarks as baseline for systems hardening.

Here are the most relevant CIS Benchmarks applicable to Microsoft Active Directory hardening:

CIS Microsoft Windows Server Benchmarks

  • Version: Various versions depending on the Windows Server version (2012, 2016, 2019, 2022). Active Directory typically runs on Windows Server operating systems. These benchmarks outline security configurations for the server operating system that directly affect AD’s security.
  • Key Areas:
    — Hardening of Local Security Policies
    — Audit Policies and Logging
    — Securing Authentication Methods (e.g., NTLM, Kerberos)
    — Configuring User Rights Assignment
    — Limiting Access to AD Tools (like Active Directory Users and Computers)
  • — Securing domain controllers by limiting physical and network access.
    — Best practices for configuring Group Policy Objects (GPOs), including password policies, Kerberos, and auditing.
    — Minimizing and controlling permissions within AD, reducing exposure to privilege escalation.
    — Ensuring adequate logging and monitoring of AD events, such as user logins, changes to AD objects, and administrative actions.
    —Secure management of service accounts, including the use of managed service accounts (MSAs).

Password Policy Recommendations

  • Minimum password length (recommendation: at least 14 characters).
  • Password complexity requirements (using uppercase, lowercase, numbers, and symbols).
  • Password expiration policies (regularly rotating passwords).
  • Implementing password history to prevent reuse of previous passwords.

Auditing and Monitoring Recommendations

  • Ensuring that all login attempts (successful and failed) are logged.
  • Tracking changes to AD objects (especially privileged accounts).
  • Monitoring and auditing administrative actions and changes to Group Policies.
  • Implementing Security Information and Event Management (SIEM) systems to consolidate AD logs and perform real-time analysis.

DNS and DHCP Benchmarks

  • Securing DNS zones used by Active Directory.
  • Preventing DNS cache poisoning and securing DNS server configurations.
  • Hardening DHCP configurations to prevent unauthorised devices from joining the network.

Privileged Access Management (PAM) Benchmarks

  • Enforcing least-privilege policies for AD administrators.
  • Using Just-In-Time (JIT) access for admin roles.
  • Rotating and controlling administrative passwords.

Security Controls for LAPS (Local Administrator Password Solution)

  • Implementing LAPS to enforce unique, random local administrator passwords.
  • Ensuring only authorised personnel can retrieve passwords from AD.

Securing Group Memberships

  • Auditing membership of sensitive groups (e.g., Domain Admins, Enterprise Admins, and Schema Admins).
  • Limiting membership to essential personnel only.
  • Implementing alerts for changes to membership in these groups.

Patch Management and System Updates

  • Ensuring all domain controllers and AD-related services are kept up to date with security patches.
  • Applying security patches to AD-related software such as DNS and DHCP servers.

CIS Benchmarks — Recommended actions

Collect and maintain a good inventory of all assets registered in Active Directory and classify these assets by criticality:

Use KPIs to track down your progress in applying hardening policies

Pay special attention to CIS benchmarks policies for Windows Servers, all releases.

For MS-AD hardening, prioritise controls applicable to the categories listed above

What’s next

There are many known and observed techniques used to compromise AD DS, AD CS and AD FS. Malicious actors target these services to escalate their privileges and move laterally across enterprise IT networks.

In the next article we’ll addresses the most common AD DS, AD CS and AD FS techniques, providing an overview of each technique, as well as how to
detect it. We’ll organise the outlined compromises in the sequence they are typically executed against Active Directory, beginning with those used to escalate privileges and move laterally, and concluding with compromises aimed at establishing persistence.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Active Directory
Microsoft
Cybersecurity
Azure
Threat Intelligence

--

--

SOCFortress
SOCFortress

Written by SOCFortress

3.7K Followers
2 Following

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams