Report: How Active Directory Attacks Went Mainstream

Not too long ago, sophisticated attacks on Active Directory and other identity infrastructure were considered 'artisan' level hacks. These days, threats like "Golden Ticket" and "Silver Ticket" attacks are business as usual. What happened? Our new report: ManyKatz:How Active Directory Hacks Went Mainstream tells a story 30 years in the making.

One thing is clear: in 2020, technical debt is weighing heavily on enterprises. And nowhere is that more evident than in the area of identity infrastructure, where attackers are taking full advantage of vulnerabilities created by years of security compromises.

Take the Kerberos authentication protocol. A pillar of modern network security, Kerberos was a byproduct of Project Athena, a 1980s-era experiment to design a campus-wide distributed computing infrastructure at The Massachusetts Institute of Technology (MIT). Athena’s purpose was to extend computing access to the broad student population, not to build a next-generation file security architecture. But project leaders soon realized that building the former required them to create the latter. Kerberos - named after the mythic three headed dog that guards the gates to Hades - was the result.

Technical Debt takes hold

State of the art in the 1980s and available at no cost from MIT, Kerberos quickly became the most popular authentication system embraced by Wall Street firms and by firms including Microsoft, which was searching for a successor to NT LAN Manager (NTLM), a Microsoft protocol that was standard on Windows systems prior to Windows 2000.

In the nearly 30 years since Kerberos launch, however, the whole world has changed. Attackers have perfected ways to exploit organizations’ ubiquitous Internet access, while circumventing monitoring and security tools. Today, spear phishing attacks on employees via email or web based attacks give malicious actors a foothold on networks.

In the last ten years, the emergence of tool kits like Metasploit, Impacket and Rubeus have empowered sophisticated and unsophisticated attackers alike, while growing their ranks. Mimikatz, created by Benjamin Delpy (@gentilkiwi), made it easy to conduct “Pass the Hash” and “Pass the Ticket” attacks, retrieving specific “hashes” (or strings used to authenticate with NTLM Kerberos) from the memory or file system on a compromised computer, then re-using those values to access other computers in a network.

More, better Tools fuel Identity Attacks

The widespread availability of such tool kits has made the path from “proof of concept” to “push-button” access ever shorter. “Golden Ticket” attacks on Kerberos authentication systems were first demonstrated by Mimikatz creator Delpy and Alva (“Skip”) Duckwall in 2014 and immediately made available via Mimikatz.

They allow attackers to generate a Kerberos Ticket Generating Ticket (TGT), effectively giving them domain administrator credentials to any computer on the network for the life of the Ticket.

Newer tools with names like CrackMapExec, Bloodhound and GoFetch, DeathStar and Angry Puppy make it easier than ever for attackers who can gain just a foothold on a target environment to quickly forge tickets, replay credentials, or map the plan to expand their control..

Attackers have also found ways to couple techniques like Kerberoasting with ticket forgeries, creating a powerful means of lateral movement and privilege escalation within organizations, says Jason Crabtree, the CEO of QOMPLX. These days, that list includes  actors seeking to support mass ransomware deployments across enterprises.

Growing Challenges for Defenders

The growing accessibility of such attacks greatly complicates the work of de- fenders. “It is extremely challenging to spot these attacks,” said Sean Metcalf, the founder and principal consultant at Trimarc, a security consulting firm. “Detecting forged Kerberos tickets is not trivial.”

One problem is that security tools that organizations rely on are ill-suited to modern attacks against platforms like Kerberos. “We have a security ecosystem in which nothing is designed to work together,” said Crabtree of QOMPLX.

“It’s a hodge-podge, and that’s true at every big (security operations center) I’ve walked in to.”

And those security tools often have big blind spots. For example: “It’s pretty easy to get past endpoint detection tools “by just renaming and/or recompiling Mimikatz.exe,” Crabtree points out.

In fact, both black- and white hats have adapted Mimikatz to do just that: creating variants of it for specific use cases or deployment scenarios. Security tools that use heuristics to detect anomalies in Kerberos ticket information are also limited. Over time, attackers have developed ways of evading detection based tell-tale heuristics like ticket expiry times, encryption type downgrades and other metadata.

What's the fix? Our new report discusses ways that organizations can get in front of these attacks and establish "ground truth" within their sensitive IT environments. Download the report to see for yourself.