Multi-tier active directory

Management summary

Securing Active Directory (AD) is not a simple task, but it is one that every organization should focus on if it wants to increase its defensive capabilities against lateral movement and exploitation in its network/AD.

Typical attack chain

When we look at a typical cyber-attack we can identify 7 different phases.

  1. In the Reconnaissance phase, hackers will scan the environment remotely for weaknesses. Some of the most commonly used techniques are phishing, social engineering and port scans.
  2. Once information is gathered, hackers will build a deliverable payload (for example a PDF file) that will be used to install exploits on the end user’s computer. This phase is called the Weaponization phase.
  3. Once the payload is created, it is delivered to the end user identified in the reconnaissance phase through, for example, an email that looks completely legitimate.
  4. When the user clicks the attachment in the email, code starts running in the background, exploiting existing bugs in either the operating system or applications installed on the end user’s device.
  5. Once the bug has been exploited, a backdoor is created through which malicious software is downloaded and installed on the end user’s device without the user noticing it.
  6. The software creates a channel through which the malicious user gains control of the environment.
  7. Once the malicious user gains control of the infected system, the attacker carries out the intended actions. During the actions phase, a hacker typically makes use of lateral movement to hunt for more and more privileges until he controls the entire Active Directory domain. This behavior can go undiscovered for months, causing a lot of damage.

Why is AD security so important

As seen in the cyber-attack kill chain, hackers target Active Directory (AD): they perform reconnaissance to discover users, servers and computers in an enterprise network, and then move laterally to carry out multi-stage attacks that gain access to and abuse the organization's resources and data.

In most organizations, the network and physical infrastructure layers have received all the security attention, while AD security has lagged. The permissions granted to end users to access valuable assets (data, servers, devices, ...) are exactly what is being abused, stolen and exploited.

Active Directory vulnerabilities

One of the key technologies used within Active Directory is Kerberos. Kerberos is an authentication protocol that has numerous vulnerabilities, such as:

• Pass the Hash
• Pass the Ticket
• Golden Ticket
• Silver Ticket

Another very common attack is brute forcing, where attackers “force” their way in by attacking the NTLM encryption.

User threats in active directory

The most common way to enter a house is to use the key.
To obtain the key of your Active Directory environment, hackers