
A Deep Dive on Active Directory Attacks

Hwei Oh
09/03/2025

Identity-based attacks are rapidly becoming more important in the threat landscape. One study found that ID-based attacks are involved in three out of every four cyberattacks, making them the dominant attack vector in cybercrime.

The nature of ID-based attacks varies widely. A run-of-the-mill ID-based attack might target an employee with a phishing email linked to a fraudulent website that captures the employee’s work login credentials.

However, identity-based attacks can also be more sophisticated, attacking deep into an organization by exploiting weaknesses in Microsoft Active Directory (AD).

AD attacks are sophisticated attacks that can give hackers deep access into your network, opening the door to an advanced persistent threat (APT). Security leaders and organizations playing defense don’t usually have these attacks on their radar, making them especially risky. As a result, many organizations might not know how to defend themselves.

Here’s our deep dive into AD attacks and how to protect your organization from them.

What is Active Directory?

Active Directory is Microsoft’s Directory Service, which is a central database that stores and maintains information about a network’s users and resources. It’s an on-prem solution, although Microsoft now also offers Microsoft Entra ID to manage access to cloud resources such as Office 365.

AD provides centralized control and access to an organization’s resources on a Windows network. It runs from a central Windows Server called the Domain Controller, which handles all authentication and authorization requests for domain resources.

A “domain” is a logical group of objects that share a common database and security policies. IT admins use AD to connect services, software, and resources to users and roles. It’s a central location to easily set permissions and manage access. IT admins can also set group policies.

AD is typically used alongside legacy infrastructure because of its on-prem nature. It’s also widely used in regulated industries where cloud access is limited due to regulations. Cloud-first organizations would use Entra ID, which is significantly more secure than AD. Over 90% of all Fortune 1000 companies use Active Directory, making it a prime target for hackers.

Why Active Directory attacks are dangerous

An Active Directory compromise typically gives hackers the keys to the kingdom. By gaining access to the service that authenticates users, they can sometimes pose as any user with the highest privileges.

Once an Active Directory is compromised, it typically leads to one or more of the following:

  • Data exfiltration
  • Account compromise and control en masse, such as changing user passwords or creating new accounts
  • Data breaches
  • Installing malware or ransomware
  • Severe impact on backend operations to the point that it disrupts an organization’s ability to function and generate revenue

Identity-based Active Directory Attacks

Here are the four most common Active Directory exploits facing organizations today:

1. Credential abuse, credential stuffing, and account compromise

Credential abuse is the most common Active Directory attack vector, and it opens the door to the other, more sophisticated attacks on this list.

Hackers will attempt to gain user credentials through tried and tested methods such as social engineering or phishing emails.

Verizon’s latest Data Breach Investigations Report (DBIR) says that social engineering is involved in 23% of all data breaches.

If the hacker obtains the credentials for a user with elevated privileges, they have all they need to carry out a devastating attack. However, even with credentials for users with more restrictive roles, the hacker can start carrying out the attacks below because of weaknesses in how AD handles authentication.

2. Kerberoasting

Kerberos is the primary authentication protocol used in Active Directory, named after the Greek mythological creature that stood sentry outside the gates of the Underworld. The Kerberos protocol works as a gatekeeper to provide access to services. At the heart of this is something called the key distribution center (KDC), which handles the authentication.

When a user authenticates, the KDC issues the user a master ticket, known as a Ticket Granting Ticket (TGT). The TGT, in itself, doesn’t provide access to any services. You need a service ticket for that. To access a service, the user sends a request to the Ticket Granting Service (TGS), which is also handled by the KDC. The request includes the TGT, which lets the KDC know this user is already authenticated.

The KDC responds to the request with a “TGS ticket,” which is encrypted with a key derived from the service account’s password. The system was designed this way to ensure that only the target service, and not the KDC, can grant the user access. Unfortunately, this is also Kerberos’s greatest flaw.

The KDC doesn’t limit who can request TGS tickets. Any authenticated user can show up, present a TGT, and obtain the encrypted TGS ticket for a service. Hackers take this TGS ticket offline, brute-force it to recover the service account’s plaintext password, then log in directly with the service account.

Kerberoasting is a privilege-escalation technique: it requires an authenticated user, but even a minor stolen account can turn into full access. These attacks are especially hard to detect because the brute-force work is carried out offline, away from the domain’s logs.
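The one trace Kerberoasting does leave is the service-ticket request itself, logged on the domain controller as Security event 4769. The following detection, added here as an example and not part of the original article, runs over a handful of constructed 4769 records and flags a user who requests RC4-encrypted tickets (type 0x17) for several different service accounts in a short window; the field names follow the event’s XML data, while the usernames, services and threshold are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, user, svc, etype, status="0x0"):
    """Build a minimal record modelled on Security event 4769 (service ticket requested)."""
    return {"time": time, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": status}

# Constructed sample events: one user sweeps three service accounts with RC4 tickets.
EVENTS = [
    ev("2025-03-09T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    ev("2025-03-09T09:00:03", "jdoe@CORP.LOCAL", "svc_http", "0x17"),
    ev("2025-03-09T09:00:04", "jdoe@CORP.LOCAL", "WS01$", "0x17"),     # machine account: ignored
    ev("2025-03-09T09:01:30", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    ev("2025-03-09T09:02:00", "asmith@CORP.LOCAL", "svc_sql", "0x12"),  # AES256 ticket: normal use
    ev("2025-03-09T09:05:00", "bgrey@CORP.LOCAL", "svc_http", "0x17"),  # single RC4 request
]

RC4_TYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP, the cheapest tickets to crack offline

def is_roastable_request(event):
    """True for a successful RC4 ticket request to a user-style (SPN-bearing) service account.
    Machine accounts ($) and krbtgt are excluded: their keys are long and random, not passwords."""
    svc = event["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return event["Status"] == "0x0" and event["TicketEncryptionType"] in RC4_TYPES

def find_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Alert on any requester who obtains RC4 tickets for >= threshold distinct
    service accounts within `window`. Returns {user: sorted service names}."""
    per_user = defaultdict(list)
    for event in events:
        if is_roastable_request(event):
            per_user[event["TargetUserName"]].append(
                (datetime.fromisoformat(event["time"]), event["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[user] = sorted(in_window)
                break
    return alerts

if __name__ == "__main__":
    print(find_kerberoasting(EVENTS))
```

AES-only service accounts still produce 4769 events, only with type 0x11/0x12, so the same grouping logic can be kept with a higher threshold once RC4 has been retired.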

3. Golden Ticket Attacks

The Golden Ticket attack gives threat actors nearly unrestricted access to an organization’s AD domain. The attack works by allowing intruders to forge authentication tickets, giving them the ability to move laterally inside the network while bypassing authentication checks.

The attack is only possible when the hacker already has admin privileges for the domain, so it depends on a prior successful intrusion to obtain these, such as a phishing or social engineering campaign.

The admin privileges allow the attacker to gain access to the Kerberos Ticket-Granting Ticket (KRBTGT) service account. The KRBTGT account’s key is what the KDC uses to encrypt and sign every TGT issued in the domain, which in turn are used to obtain access to services within the system.

To execute the attack, the hacker must extract the KRBTGT hash using a tool such as Mimikatz. They then use this hash to sign their own TGT with arbitrary permissions, effectively giving them access to any service.

The attacker can even set the ticket’s expiration to many years later, thus securing deep, persistent access. However, doing that is a bit risky because issuing a ticket with an anomalous expiry might trigger a security alert.

4. Silver Ticket Attacks

Unlike the Golden Ticket, a Silver Ticket attack is targeted at a specific service. In a Golden Ticket attack, the hacker forges a TGT, whereas the Silver Ticket forges a TGS ticket for a specific service.

The attackers obtain the credentials of a local administrator. They then use those to obtain the password hash of the account that runs a specific service. After that, they forge a service ticket that gives them access to that service.

Although Silver Ticket attacks provide fewer privileges, they’re stealthier because they don’t require interaction with the KDC for ticket issuance. The attack can remain undetected unless someone specifically looks for it or implements measures to detect it.
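Because a forged Silver Ticket never touches the KDC, one measure that specifically looks for it is to correlate service-host logons against ticket issuance. The example below is added here and is not from the original article: it merges constructed records modelled on event 4769 (ticket issued, from the domain controller) and event 4624 (network logon, from the member server) and reports Kerberos logons that no ticket issuance can account for; the usernames, hosts and the `SERVICE_HOSTS` mapping are made up.

```python
from datetime import datetime, timedelta

def dc_event(time, user, svc):
    # Modelled on Security event 4769 on the domain controller (service ticket issued).
    return {"id": 4769, "time": datetime.fromisoformat(time), "user": user, "service": svc}

def host_event(time, user, host, pkg="Kerberos"):
    # Modelled on Security event 4624 (network logon) on the member server.
    return {"id": 4624, "time": datetime.fromisoformat(time), "user": user, "host": host,
            "AuthenticationPackageName": pkg}

# Constructed sample events from both logs, merged. Usernames are already normalized;
# real 4769 records carry user@REALM and must be normalized the same way first.
EVENTS = [
    dc_event("2025-03-09T08:00:00", "jdoe", "svc_sql"),           # ticket issued by the KDC
    host_event("2025-03-09T08:05:00", "jdoe", "SQL01"),           # matching logon to SQL01
    host_event("2025-03-09T09:00:00", "mallory", "SQL01"),        # Kerberos logon, no ticket issued
    host_event("2025-03-09T09:10:00", "asmith", "FS01", "NTLM"),  # not Kerberos: out of scope
]
SERVICE_HOSTS = {"svc_sql": "SQL01"}   # host on which each service account's SPN runs (constructed)
TICKET_LIFETIME = timedelta(hours=10)  # AD's default maximum service-ticket lifetime

def find_unissued_logons(events, service_hosts, lifetime=TICKET_LIFETIME):
    """Return Kerberos logons on service hosts that no 4769 for the same user and host
    within the preceding ticket lifetime can explain. Logs from every DC in the domain
    must be merged first, or logons whose ticket came from another DC will be reported."""
    issued = [(e["time"], e["user"], service_hosts.get(e["service"]))
              for e in events if e["id"] == 4769]
    suspects = []
    for e in events:
        if e["id"] != 4624 or e["AuthenticationPackageName"] != "Kerberos":
            continue
        covered = any(u == e["user"] and h == e["host"]
                      and timedelta(0) <= e["time"] - t <= lifetime
                      for t, u, h in issued)
        if not covered:
            suspects.append((e["time"].isoformat(), e["user"], e["host"]))
    return suspects

if __name__ == "__main__":
    print(find_unissued_logons(EVENTS, SERVICE_HOSTS))
```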

How organizations can protect themselves

Each of the above attacks is a post-exploitation attack, meaning it’s only possible to carry out if the attacker already has access to someone’s account. These attacks begin the same way as many others: through social engineering, phishing, spearphishing, keyloggers, or other methods that obtain a user’s credentials.

Free and open-source tools to extract hashes also make it a trivial task to obtain ticket hashes so hackers can gain deeper access to corporate networks. Once the hacker gains access, Kerberos-based attacks become extremely difficult to detect unless your organization has robust systems in place.

To protect yourself from these attacks, follow Microsoft’s guidance to mitigate the chances of becoming a victim. Some of the key takeaways from the guidelines are:

  • Update all Kerberos service accounts to use the Advanced Encryption Standard (AES), which is the encryption standard recommended by the NSA.
  • After updating the encryption standard, reset the passwords of those accounts so that their Kerberos keys are derived using the new standard rather than the old one.
  • Ensure all passwords are strong enough to resist offline brute-force attacks.
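The first two steps can be audited from each service account’s `msDS-SupportedEncryptionTypes` attribute together with its `pwdLastSet` date. The script below is an added example, not from the article or from Microsoft: it decodes the attribute’s documented bit values and, over a constructed set of directory records (in practice they would be pulled via LDAP or the ActiveDirectory PowerShell module), reports accounts that still allow weak ciphers, have no AES at all, or whose password predates the assumed AES cut-over date.

```python
from datetime import datetime

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
NAMES = ((DES_CBC_CRC, "DES-CBC-CRC"), (DES_CBC_MD5, "DES-CBC-MD5"),
         (RC4_HMAC, "RC4-HMAC"), (AES128, "AES128"), (AES256, "AES256"))
AES_ANY = AES128 | AES256
WEAK = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC

def decode_enc_types(value):
    """Turn the bitmask into the list of cipher names it enables, lowest bit first."""
    return [name for bit, name in NAMES if value & bit]

def audit_account(acct, aes_cutover):
    """Findings for one SPN-bearing account: 'no-aes' if AES is not enabled (an unset
    attribute falls back to the domain default, which historically meant RC4),
    'weak-allowed' if DES or RC4 is still permitted, and 'stale-password' if the
    password, and therefore the derived keys, predate the AES cut-over."""
    findings = []
    enc = acct.get("msDS-SupportedEncryptionTypes")
    if enc is None or not enc & AES_ANY:
        findings.append("no-aes")
    if enc is not None and enc & WEAK:
        findings.append("weak-allowed")
    if acct["pwdLastSet"] < aes_cutover:
        findings.append("stale-password")
    return findings

def audit_all(accounts, aes_cutover):
    """Map account name -> findings, keeping only accounts with at least one finding."""
    results = {a["sAMAccountName"]: audit_account(a, aes_cutover) for a in accounts}
    return {name: f for name, f in results.items() if f}

# Constructed sample records; the cut-over date is an assumption for this example.
AES_CUTOVER = datetime(2025, 1, 1)
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "msDS-SupportedEncryptionTypes": 0x1C, "pwdLastSet": datetime(2025, 2, 1)},
    {"sAMAccountName": "svc_http", "msDS-SupportedEncryptionTypes": None, "pwdLastSet": datetime(2024, 6, 1)},
    {"sAMAccountName": "svc_backup", "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": datetime(2024, 12, 15)},
    {"sAMAccountName": "svc_web", "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": datetime(2025, 2, 10)},
]

if __name__ == "__main__":
    for name, findings in audit_all(ACCOUNTS, AES_CUTOVER).items():
        print(name, findings)
```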

Other recommendations are more advanced, and we recommend checking them out if you’re using AD in your business. Alternatively, you could sign up for one of SolCyber’s comprehensive security packages that include AD assessments and hardening.

If you have any questions about the packages, feel free to reach out to us for more info.

Photo by Tianyi Ma on Unsplash
