30 September 2024

Five Eyes partners provide tips on how to detect and mitigate Active Directory attacks

The Australian Signals Directorate (ASD), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released a comprehensive joint advisory detailing the tactics threat actors use to target Microsoft Active Directory (AD) environments. The guidance describes the techniques used to compromise the widely deployed authentication and authorization service and how to detect and mitigate them.

“Active Directory’s pivotal role in authentication and authorisation makes it a valuable target for malicious actors. It is routinely targeted as part of malicious activity on enterprise IT networks,” the authoring agencies said. “Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory.”

The advisory identifies several techniques used by attackers to exploit Active Directory, including:

  • Kerberoasting: Requesting Kerberos service tickets for service accounts and cracking them offline to recover the account passwords.

  • AS-REP Roasting: Extracting password hashes for offline cracking by targeting accounts not requiring pre-authentication.

  • Password Spraying: Testing common passwords against many accounts to identify weak credentials.

  • MachineAccountQuota Exploits: Abusing default AD settings to create machine accounts without oversight.

  • Unconstrained Delegation Attacks: Exploiting delegation settings to impersonate other users.

  • Group Policy Preferences (GPP) Password Compromise: Retrieving stored plaintext credentials from GPP.

  • Certificate Services Compromise: Gaining unauthorized access to certificate authorities to forge certificates.

  • Golden Ticket/Silver Ticket Attacks: Forging Kerberos tickets to grant unauthorized domain access.

  • Golden SAML Attacks: Exploiting SAML tokens to bypass identity providers for cloud services.

  • DCSync Attacks: Using directory replication privileges to extract password hashes from domain controllers.

  • Skeleton Key: Implanting malware on a domain controller so that a master password is accepted for any account.

The advisory also offers recommendations on how organizations can mitigate these risks.
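As an added illustration of the detection side of three of the techniques listed above (Kerberoasting, AS-REP Roasting and Password Spraying), and not code from the advisory or the authoring agencies: the script below applies simple threshold heuristics to Windows Security log records. The event IDs and field names are Windows' own (4769 for service-ticket requests, 4768 for TGT requests, 4625 for logon failures, encryption type 0x17 for RC4-HMAC); the sample records are constructed and the thresholds are assumptions to tune per environment.

```python
"""Threshold heuristics over Windows Security events for three Active Directory
attack techniques named in the Five Eyes advisory.  Added illustration only;
the records below are constructed, not captured logs."""
from collections import defaultdict

RC4_HMAC = "0x17"  # Kerberos etype RC4-HMAC; modern clients negotiate AES (0x11/0x12)
AES256 = "0x12"
BAD_PASSWORD = "0xC000006A"  # NTSTATUS sub-status for a wrong password

# Constructed sample records mirroring Security log event properties.
EVENTS = [
    # Kerberoasting pattern: one user pulls RC4 service tickets for many SPNs.
    *[{"EventID": 4769, "TargetUserName": "alice", "ServiceName": svc,
       "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.5"}
      for svc in ("MSSQLSvc/db01", "http/web01", "cifs/fs01",
                  "exchange/mx01", "sap/erp01", "ldap/dc01")],
    # Benign: an AES ticket for a single file server.
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": AES256, "IpAddress": "10.0.0.6"},
    # AS-REP Roasting pattern: TGT issued with pre-auth type 0 (none) and RC4.
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.7"},
    # Normal TGT request: pre-auth type 2 (encrypted timestamp) with AES.
    {"EventID": 4768, "TargetUserName": "carol", "PreAuthType": "2",
     "TicketEncryptionType": AES256, "IpAddress": "10.0.0.8"},
    # Password Spraying pattern: one source, many distinct accounts, bad password.
    *[{"EventID": 4625, "TargetUserName": f"user{i}", "SubStatus": BAD_PASSWORD,
       "IpAddress": "203.0.113.9"} for i in range(12)],
    # One user mistyping their own password several times is not spraying.
    *[{"EventID": 4625, "TargetUserName": "dave", "SubStatus": BAD_PASSWORD,
       "IpAddress": "10.0.0.9"} for _ in range(4)],
]


def detect_kerberoasting(events, min_services=5):
    """Accounts that requested RC4 service tickets for many distinct SPNs.
    min_services is an assumed threshold; returns {user: [spn, ...]}."""
    spns = defaultdict(set)
    for e in events:
        if e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            spns[e["TargetUserName"]].add(e["ServiceName"])
    return {user: sorted(s) for user, s in spns.items() if len(s) >= min_services}


def detect_asrep_roasting(events):
    """Accounts issued a TGT without pre-authentication using RC4, the
    combination that yields an offline-crackable AS-REP."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"
                   and e.get("TicketEncryptionType") == RC4_HMAC})


def detect_password_spraying(events, min_accounts=10):
    """Source addresses with bad-password failures spread across many
    distinct accounts.  min_accounts is an assumed threshold; returns
    {ip: distinct_account_count}."""
    targets = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625 and e.get("SubStatus") == BAD_PASSWORD:
            targets[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(a) for ip, a in targets.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    print("Kerberoasting candidates:", detect_kerberoasting(EVENTS))
    print("AS-REP roastable accounts:", detect_asrep_roasting(EVENTS))
    print("Spraying sources:", detect_password_spraying(EVENTS))
```

The three checks deliberately key on the RC4 encryption type and on pre-authentication being disabled, because those are the conditions that make the captured Kerberos material crackable offline; the same fields are what an administrator would review to confirm that service accounts are restricted to AES and that no account has pre-authentication switched off.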
