This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.
Attacks against identity infrastructure such as Active Directory are the harbinger of many catastrophic data breaches. Once threat actors establish a network foothold in an environment, Active Directory accounts and, eventually, domain controllers are among their first targets. From there, privilege escalation and lateral network movement as a credentialed user can allow attackers to dwell on a network for months posing as legitimate, credentialed user or administrator.
What attackers do with that access - their "end game" - varies. Some may choose to drop ransomware on servers, locking down sensitive data and critical services in exchange for a large ransom. Others may decide to exfiltrate source code, legal documents, customer data, or intellectual property they can re-sell, or use to extort the victim. Regardless, organizations that suspect an intrusion or merely intent on minimizing their exposure to one should take steps to shore up the security of Active Directory. But how?
Active Directory Health Checks to Consider
When screening your Active Directory environment for security holes and other exposures, start with the architectural elements of Active Directory, including proper configurations, segmentation of users and groups, and management of trust relationships across domains. Health checks on these areas are crucial to routine oversight of identities and privileges, and important clues to identify when out-of-policy changes have been made—including those by a malicious actor.
Within that broad outline, here are 10 effective health checks for your Active Directory environment to consider:
- Users: Defined privileges and configuration parameters are crucial policy decisions that must be enforced. Managing users means having insight into account activity, password changes, delegation of permissions, group privilege allocations, and more. Any changes that undercut your overall security model, such as forwarding of sensitive domain admin credentials to less privileged groups, applications or users, for example, should be flagged.
- Domains: Healthy domain configurations should start with reducing Active Directory’s Machine Account Quote to fewer than the default 10 machines. Doing so reduces the AD attack surface. The domain functional level must also be monitored; functional levels determine which servers are supported in a domain and which AD features are available to users.
- Sessions: Given that Active Directory credentials—including administrator credentials—may be stored in memory, administrators should take measures, such as Logon Type 3 Network Logon, to ensure that sensitive account credentials are not stored on LSASS or disk when sessions are established.
- Groups: Admins should have the ability to audit groups for potentially malicious changes as they’re added or removed from domains. Nested groups, where child groups inherit permissions from parent groups, should be avoided to reduce security risks. Group Policy Objects (GPOs) are policy settings that must be monitored to observe, for example, changes in password requirements or installation restrictions. Admins should protect access to Group Policy Containers, settings that would be of value to an attacker.
- Trusts: Unnecessary domain and/or forest trusts should be addressed in order to reduce the likelihood of needlessly exposing information. For example, two-way trust between AD forests, where permissions extend from both objects in a relationship, should be limited.
- Access Control Entries: These define permissions on objects for users or groups, e.g., read or write. Access Control Entries are powerful and should be limited, given that they enable a number of potentially risky behaviors including: password changes; the addition of users or groups; updating of object parameters; updating object ownership; writing new Access Control Entries to an object’s discretionary access control list, or granting extended AD rights against objects—all of which a threat actor would exploit to elevate privileges and move laterally.
- Forgotten Accounts, Old Passwords: Inactive accounts should be disabled, whether they belonged to former employees or are stale accounts that haven’t been used for months.. These forgotten accounts are common in large and complex AD environments and increase the attack surface available to a threat actor already on the network. Old passwords that haven’t been changed should be investigated and, if appropriate, changed. They may indicate a forgotten account.
- Administrator Passwords: The necessity of password resets at regular intervals may be up for debate, but there isn’t any debate about the need to frequently update administrator account credentials. Since these passwords are the ultimate target for many nation-state actors and cybercriminals, policies should be stricter around these accounts. Multifactor authentication and passphrases should be required for admin accounts, and delegation should be limited as well.
- Limit Non-Admin User Accounts: Only administrators should be able to add computers to the Active Directory forest. By default, the number of computers any user may add to a domain is 10. This should be sharply reduced, or eliminated altogether for users and offered only to administrators.
- KRBTGT Account: This type of AD account encrypts and signs Kerberos tickets. Should they be compromised, KRBTGT accounts give attackers the ability to forge Ticket Granting Tickets and carry out dangerous Golden Ticket Kerberos forgery attacks, affording them access to any service in the domain. As a result these privileged account credentials should be changed regularly. Account activity should be closely monitored for anomalous behavior, as well.
Active Directory deployments are complex, sprawling environments that are regularly targeted by advanced attackers and lower-level script-kiddie types of threat actors. A host of freely available software tools designed to test the resilience of AD can be abused by attackers, and can significantly lower the barrier to entry to Active Directory attacks. These 10 health checks are by no means comprehensive, but they’re a solid foundation for defenders who need guidance on potential weak spots inside their AD environments.
Here are the previous entries in our QOMPLX Knowledge series; look for more in our QOMPLX Knowledge series in the days and weeks ahead:
QOMPLX Knowledge: Golden Ticket Attacks Explained
QOMPLX Knowledge: Silver Ticket Attacks Explained
QOMPLX Knowledge: Responding to Golden Ticket Attacks
QOMPLX Knowledge: DCSync Attacks Explained
QOMPLX Knowledge: DCShadow Attacks Explained
QOMPLX Knowledge: Pass-the-Ticket Attacks Explained
QOMPLX Knowledge: Kerberoasting Attacks Explained
QOMPLX Knowledge: Kerberos Delegation Attacks Explained