The Australian Signals Directorate (ASD), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released a comprehensive joint advisory detailing the tactics threat actors use to target Microsoft Active Directory (AD) environments. The guidance highlights the techniques used to compromise the widely deployed directory service that most enterprises rely on for authentication and authorization.
“Active Directory’s pivotal role in authentication and authorisation makes it a valuable target for malicious actors. It is routinely targeted as part of malicious activity on enterprise IT networks,” the authoring agencies said. “Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory.”
The advisory identifies several techniques used by attackers to exploit Active Directory, including:
Kerberoasting: Requesting Kerberos service tickets for accounts that have a service principal name (SPN), then cracking the ticket's encrypted portion offline to recover the service account's password.
AS-REP Roasting: Requesting authentication responses for accounts configured not to require Kerberos pre-authentication, then cracking the returned material offline to recover the password.
Password Spraying: Testing a few common passwords against many accounts to find weak credentials without triggering per-account lockouts.
MachineAccountQuota Exploits: Abusing the default setting that lets any authenticated user join up to 10 computer accounts to the domain, giving attackers machine accounts they control.
Unconstrained Delegation Attacks: Abusing hosts configured for unconstrained delegation, which cache the ticket-granting tickets of users who authenticate to them, to impersonate those users (including privileged ones) elsewhere in the domain.
Group Policy Preferences (GPP) Password Compromise: Retrieving credentials stored in GPP files on SYSVOL, which are encrypted with a key Microsoft has published and so are effectively plaintext.
Certificate Services Compromise: Abusing misconfigured Active Directory Certificate Services templates or certificate authorities to obtain or forge certificates that authenticate as other principals.
Golden Ticket/Silver Ticket Attacks: Forging Kerberos ticket-granting tickets with the krbtgt account's secret (Golden Ticket), or forging service tickets with a service account's secret (Silver Ticket), to obtain unauthorized access that does not depend on the compromised credential being valid.
Golden SAML Attacks: Stealing the token-signing key of a federation server such as AD FS and forging SAML tokens to access cloud services as any user, bypassing the identity provider's authentication.
DCSync Attacks: Using directory replication privileges to request password hashes for any account from a domain controller, as a replica domain controller would.
Skeleton Key: Implanting malware in a domain controller's authentication process so that a master password is accepted for any account alongside its real password.
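The list above names the conditions these techniques depend on, and most of them can be enumerated directly from a domain-joined workstation. The following PowerShell audit is an added example, not code from the advisory or the article: it uses the RSAT ActiveDirectory module (and the AD: drive that module creates) to pull out Kerberoastable and AS-REP-roastable accounts, the MachineAccountQuota value, unconstrained-delegation hosts, GPP cpassword entries on SYSVOL, principals holding replication rights on the domain head (the DCSync prerequisite), and the age of the krbtgt password. The `$findings` layout and the output names are my own; the LDAP userAccountControl bits and the replication-right GUIDs are the standard Microsoft values.

```powershell
# Added example (not the advisory's code): read-only audit of the AD conditions
# behind several of the listed techniques. Assumes the RSAT ActiveDirectory
# module and a domain account with read access to the directory and SYSVOL.
Import-Module ActiveDirectory -ErrorAction Stop

$domain   = Get-ADDomain
$findings = [ordered]@{}

# Kerberoasting: any domain user can request a service ticket for an account
# with an SPN and crack it offline; old passwords on these accounts fall first.
# krbtgt always carries an SPN and is excluded here.
$findings.Kerberoastable = Get-ADUser `
    -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet, AdminCount |
    Select-Object SamAccountName, PasswordLastSet, AdminCount,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ';' } }

# AS-REP Roasting: UF_DONT_REQUIRE_PREAUTH (0x400000 = 4194304) lets anyone
# obtain an AS-REP encrypted with the account's key and crack it offline.
$findings.AsRepRoastable = Get-ADUser `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
    Select-Object SamAccountName, Enabled

# MachineAccountQuota: the default of 10 lets any authenticated user create
# computer accounts it controls; 0 removes that capability.
$domainHead = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$findings.MachineAccountQuota = $domainHead.'ms-DS-MachineAccountQuota'

# Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000 = 524288) on a
# non-DC computer or a user account means TGTs of everyone who authenticates
# to it are cached there. Domain controllers (primary group RID 516) are
# expected to have it and are skipped.
$uac = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
$findings.UnconstrainedDelegation = @(
    Get-ADComputer -LDAPFilter $uac -Properties PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -ne 516 } |
        Select-Object @{ n = 'Name'; e = { $_.SamAccountName } }, @{ n = 'Type'; e = { 'computer' } }
    Get-ADUser -LDAPFilter $uac |
        Select-Object @{ n = 'Name'; e = { $_.SamAccountName } }, @{ n = 'Type'; e = { 'user' } }
)

# GPP passwords: any non-empty cpassword attribute in a Policies XML file is a
# recoverable credential, because the AES key used to protect it is public.
$sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$findings.GppPasswords = Get-ChildItem -Path $sysvol -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' |
    Select-Object Path, LineNumber

# DCSync: a principal allowed DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All on the domain head can pull every secret.
# GenericAll or an unscoped ExtendedRight on the domain head grants the same.
# Compare the result against the expected set (DCs, Enterprise DCs, admins).
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$findings.ReplicationRights = (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $replGuids -contains $_.ObjectType.ToString() -or
            ($_.ObjectType -eq [guid]::Empty -and
             ($_.ActiveDirectoryRights.HasFlag($genericAll) -or
              $_.ActiveDirectoryRights.HasFlag($extendedRight)))
        )
    } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                  ActiveDirectoryRights, ObjectType |
    Sort-Object Principal -Unique

# Golden Ticket: every TGT is protected with the krbtgt key, so a forged ticket
# keeps working until that password has been rotated twice. Flag a stale key.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
$findings.KrbtgtPasswordAgeDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days

foreach ($name in $findings.Keys) {
    Write-Host "== $name =="
    $findings[$name] | Format-Table -AutoSize | Out-String | Write-Host
}
```

Run it as an ordinary domain user first: everything it reports is what an attacker with a single foothold account can also see, which is the point. The SYSVOL scan is the slow part on large domains; the rest is a handful of LDAP queries and one ACL read. Password spraying, Golden SAML, Skeleton Key and certificate-template abuse are not covered here because they are not visible as static directory attributes in the same way: they need authentication logs, the federation server, domain-controller memory, and the AD CS template ACLs respectively.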
The advisory also offers recommendations on how organizations can mitigate these risks.