Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A lot of attention gets paid to preventing pass-the-hash and pass-the-ticket attacks, but these tactics limit adversaries to what they can perform from the command line. Compromising a plaintext password gives an attacker unlimited access to an account — which can include access to web applications, VPN, email and more. One way to extract plaintext passwords is through Kerberoasting, but this brute-force technique takes a lot of time and patience.

Active Directory accounts with elevated privileges pose a serious security risk: They are a top target for attackers because they provide administrative access to systems and data, and they can also be misused by their owners, either deliberately or accidentally. Therefore, it’s critical for IT teams to keep close track of accounts with elevated permissions.

Knowing the credentials for any user account in your network gives an adversary significant power. After logging on as a legitimate user, they can move laterally to other systems and escalate their privileges to deploy ransomware, steal critical data, disrupt vital operations and more. Most organizations know this, and take steps to protect user credentials.

In July 2022, Microsoft disclosed a vulnerability in the Windows Server Service that allows an authenticated user to remotely access a local API call on a domain controller, which triggers an NTLM request. This results in a leak of credentials that allows an attacker to authenticate to Active Directory Certification Services (ADCS) and to generate a client certificate that enables remote code execution on a domain controller.

Have you looked into some of the most well-known Active Directory (AD) attacks from around the world? Do you understand the nuances of these popular attacks and can you put the AD fundamentals you learned in the earlier parts of this blog series to good use?

How and why do attackers target an organization’s Active Directory (AD)? This blog, which is part 8 of the series A Practical approach to Active Directory Domain Services, will provide you with the answers. In this part, we will examine what attackers gain by compromising the AD setup. We will also look at some of the most noted means by which AD is compromised. There are two main sections to this blog.

If you have been researching Active Directory (AD), chances are that you will come across the concept of Kerberos for user authentication and other service request-related functionalities. It is worthwhile to examine the Kerberos protocol in depth and, in turn, appreciate the dependency of AD on Kerberos. Given that Kerberos is an industry standard, you will see that it has become the most widely used network authentication protocol for all Windows environments with operating systems 2000 and later.

On Wednesday, June 29, 2022, Horizon3.ai published a proof-of-concept (PoC) exploit that targets CVE-2022-28219, a critical attack chain that includes unauthenticated XML External Entities (XXE), Java deserialization, and path traversal vulnerabilities that could lead to remote code execution (RCE) if successfully chained together. CVE-2022-28219 impacts Zoho’s ManageEngine ADAudit Plus builds prior to 7060. ManageEngine patched CVE-2022-28219 on March 30, 2022.

In the first six parts of this blog series, we laid the foundation for beginning to work with and manage Active Directory (AD). With the groundwork out of the way, it is now time to explore the relationship between cybersecurity and AD. Taking this series one step further, this blog provides an overview of which design considerations are important in securing your AD infrastructure against potential security breaches.