When the first version of Active Directory was released two decades ago, it was built on the philosophy of inherent trust
models within the boundaries of a network. Fast forward 20 years – the ever-expanding enterprise boundaries, the need to
support a mobile workforce, rapid digital transformation, fast-paced cloud adoption, and the IoT and connected Industrial
Control Systems infrastructures have all led to unprecedented complexity for security management. The result is an
explosion of attack surfaces that adversaries exploit with sophisticated and advanced attack methods.
Security practices and maturity vary significantly, from small and medium businesses to large enterprises, and the
differences in network complexity and enterprise boundary definition pose a unique challenge for every organization.
However, what leading industry threat analysts consistently report is that the central identity directory service, the
Active Directory deployment, is perhaps the most vulnerable aspect of the entire infrastructure. Active Directory has over
95% of the market share among the Fortune 500 organizations. Attacks against AD can have far-reaching consequences for
every organization across multiple industries.
Copyright © 2021 Acalvio Technologies. All Rights Reserved. This document may have been furnished under license for use only within the terms of that license or
NDA. Written and designed at Acalvio Technologies, 2520 Mission College Boulevard, Suite 110, Santa Clara, CA 95054, USA.
2 Active Directory Threat Landscape and ShadowPlex AD Protection
For many enterprises, the current solutions for AD Protection in the market are only as strong as the solution that protects
the endpoints in the enterprise. Unfortunately, of late, it has become rather trivial to target and compromise an enterprise
endpoint using various attack methods such as phishing, spear-phishing, malware, or ransomware infection. When an
endpoint in the enterprise is compromised, attackers perform a local privilege escalation and run a complete reconnaissance
against the enterprise AD to assess the lay of the land. With powerful tools such as Mimikatz, Metasploit, BloodHound,
DeathStar, and Rubeus, among many others, readily available to attackers, the time needed to compromise the domain
controller shrinks significantly. In multiple instances, attackers have carried out attacks such as Kerberoasting and
AS-REP Roasting without any special permissions on the domain, escalating privileges all the way to the domain
controller. Even measures such as hardening endpoints and disabling AD reconnaissance can do very little to stop the attack
progression. In certain APT techniques (APT15, also known as K3chang), attackers have been able to run patched copies of
CLI or PowerShell to bypass policies to progress the attack.
As an example, a classic attack path can run as follows: compromise an endpoint; use its domain credentials to enumerate
SPNs; Kerberoast, AS-REP roast or Pass-the-Hash to obtain service account access; exploit unconstrained delegation to
obtain an account for lateral movement; use stealthy techniques to coerce the Domain Controller into authenticating to
the compromised service account; extract the Domain Controller’s TGT from memory; impersonate the Domain Controller
account; and finally achieve complete DC compromise. In most cases, such a compromise comes to light only after the
damage has been done, mainly because the monitoring and defense systems rely largely on authentication and activity log
monitoring.
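The Kerberoast and AS-REP roast stages of this path do leave a signature in Domain Controller Security logs: event 4769 with an RC4 ticket encryption type requested in bursts for user SPNs, and event 4768 issued with pre-authentication type 0. The detector below is an added example, not part of this paper or of ShadowPlex; its event field names are simplified stand-ins for the 4768/4769 fields and its sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values as they appear in 4768/4769 events; the field names used here are simplified stand-ins.
RC4_HMAC = "0x17"   # TicketEncryptionType RC4: key derived from the password, so it cracks offline
NO_PREAUTH = "0"    # PreAuthType 0 on a 4768: the TGT was issued without pre-authentication
SPN_BURST = 5       # distinct RC4 service tickets one principal requests inside WINDOW
WINDOW = timedelta(minutes=2)

def detect(events):
    """Return findings as (rule, account, detail) tuples."""
    findings = []
    tgs_by_user = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if e["id"] == 4768 and e.get("pre_auth") == NO_PREAUTH and e["etype"] == RC4_HMAC:
            # AS-REP roast: an RC4 TGT for an account that does not require pre-authentication
            findings.append(("asrep-roast", e["account"], e["service"]))
        elif e["id"] == 4769 and e["etype"] == RC4_HMAC and not e["service"].endswith("$"):
            # Kerberoast candidates: RC4 service tickets for user (non-machine) SPN accounts
            tgs_by_user[e["account"]].append((ts, e["service"]))
    for user, reqs in tgs_by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            burst = {svc for t, svc in reqs[i:] if t - start <= WINDOW}
            if len(burst) >= SPN_BURST:
                findings.append(("kerberoast", user, sorted(burst)))
                break
    return findings

# Constructed sample events, not captured from a real domain.
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2021-03-01T09:00:01", "account": "jdoe", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "time": "2021-03-01T09:00:02", "account": "jdoe", "service": "svc_http", "etype": "0x17"},
    {"id": 4769, "time": "2021-03-01T09:00:03", "account": "jdoe", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "time": "2021-03-01T09:00:04", "account": "jdoe", "service": "svc_iis", "etype": "0x17"},
    {"id": 4769, "time": "2021-03-01T09:00:05", "account": "jdoe", "service": "svc_ftp", "etype": "0x17"},
    {"id": 4769, "time": "2021-03-01T09:05:00", "account": "asmith", "service": "FS01$", "etype": "0x12"},
    {"id": 4768, "time": "2021-03-01T09:06:00", "account": "svc_legacy", "service": "krbtgt", "etype": "0x17", "pre_auth": "0"},
    {"id": 4768, "time": "2021-03-01T09:06:30", "account": "asmith", "service": "krbtgt", "etype": "0x12", "pre_auth": "2"},
]
```

Tune SPN_BURST and WINDOW to the environment: legitimate middleware can request several tickets at once, but rarely RC4 tickets for many distinct user SPNs within seconds.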
The attacks in the news that weaponize Active Directory to compromise, propagate, or bring down an organization’s entire
operational ability illustrate the reach of the damage an AD compromise can cause. Some of the key attack types that exploit
or use AD as a conduit include:
➢ Advanced Persistent Threats (APTs): It is well established that APTs target Active Directory for the benefits they
can reap from one core compromise. As an example, APT15, a cyber-espionage group also known as K3chang or
Playful Dragon, employs a custom tool called Comma Separated Value Data Exchange (CSVDE) that can export the
entire Active Directory dataset. Once the AD is compromised, they can also reach high-value assets such as MS
SQL databases and export the entire database using another tool called Bulk Copy Program (BCP), resulting in a total
compromise of the enterprise data. In 2018 this attack was carried out against a global company that provides services
to the UK Government, leading to a widespread leak of military information.
➢ Ransomware Propagation through Active Directory: Modern ransomware campaigns utilize tools like
Mimikatz, BloodHound, and PowerSploit to recon the AD environment, steal credentials, move deeper
into the network, and establish persistence. A rather infamous ransomware strain called LockerGoga routinely taps
into Active Directory, using the AD management service to distribute the ransomware payloads to the thousands of
endpoints managed by the AD. Another strain of ransomware called SaveTheQueen propagates its
payload by modifying the GPO on the SYSVOL share on the Domain Controller. Similarly, Ryuk and Maze
have compromised Active Directory to propagate the infection across the network.
➢ Attacks on Industrial Control Systems: With the increased digitization of Industrial Control Systems, attacks
against these critical infrastructure systems have also exploded. These enterprises use Active Directory for their IT
segment, and even though best practices recommend physical isolation and hard firewall-based segmentation
between the IT and OT networks, there are often instances where these recommendations are violated and Active
Directory is installed on the OT network segment. This can happen for any number of reasons, from the ease of user
management to ensuring common credentials across IT and production floor systems. Examples suggest that the
AD DCs spanning the IT and OT network segments are configured for automatic synchronization, creating a massive
attack and penetration surface. The breach at Norsk Hydro, the world’s largest aluminum producer, is a clear example of
how Active Directory was compromised by the APT-style ransomware LockerGoga to distribute the malware
payload across their IT and OT segments. In a similar style, attacks against crucial oil and gas infrastructures
indicate that the Active Directory compromise was carried out using insecure RDP access and planting TrickBot
in the Windows logon script.
While many may consider complete AD protection somewhat of a moving target, it is clear that traditional
audit-logging and monitoring solutions alone are insufficient. In addition to solutions that protect the endpoints such as EDR or
EPP, SIEM/SOAR alerting systems, adherence to hardening and least-privilege practices, and restoration and
resiliency plans for the AD infrastructure, a good protection solution for AD in any enterprise would be to adopt an Active
Defense strategy. The best AD protection strategy is one that prevents an attack on the enterprise’s core infrastructure
as far as possible by providing continuous visibility into possible attack surfaces, predicting the attacker’s path, slowing
down, confusing or diverting the attacker, predicting and detecting the TTPs at every stage, and ultimately even changing
the attacker’s perception of the network.
This paper covers some of the most prevalent attack vectors on AD, some of the stealthy attack paths and exploits that most
often evade existing detection systems, and how Acalvio ShadowPlex, an Advanced Deception Platform, can provide a
comprehensive and compelling solution for AD Protection for any enterprise.
Attack surfaces that may open up exploit paths to compromise the Active Directory can stem from multiple vectors,
but can be broadly grouped into the categories discussed in the following sections.
Unfortunately, what’s worse is that these misconfigurations are hard to find and fix. Each of them can lead to an
undesired exposure and, in most cases, they come to light only after a malicious event has occurred because of the
misconfiguration. When it comes to securing the enterprise and a proactive security posture, “learning the hard way”
is too expensive an approach to adopt. The accompanying infographic depicts a few misconfigurations that not only
punch holes in the wall, but leave the door wide open for attackers to simply walk in.
Protecting a hybrid AD environment faces the same AD security challenges, but on a different landscape with blurring
lines of control. Deployment choices such as Azure AD Connect, optional password hash synchronization, Azure AD
Pass-through Authentication, and Azure AD Domain Services all need heightened vigilance and extremely close
monitoring to keep attack surfaces and unforeseen attack paths in check. In deployments that use Azure AD Connect,
sophisticated attackers may gain access to the AD Connect server that synchronizes on-prem AD with Azure AD and
obtain access to user accounts. Pass-through Authentication can even be exploited with a so-called Skeleton Key to
escalate privileges to Global Admin for the Azure tenant. This can lead to a land-and-expand attack that starts
on-premises and reaches Azure, spelling a devastating breach.
Contrasting this with attackers’ fast-paced adoption of these powerful tools, they always seem to be ahead in the game. In
addition to these open source tools, attackers often use Living-off-the-Land (LotL) techniques to fully utilize powerful tools
such as Windows PowerShell that are already available in the environment. This helps them evade detection easily, even in
environments that have alerting mechanisms set up against the use of such tools on endpoints. Simply renaming
a PowerShell script or modifying the offensive code to a certain degree can throw the detection system off balance. Also,
in the absence of automated responses for such events, the manual investigation, triage and response lifecycle simply loses
the time-criticality battle.
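A detection that keys on the executable’s PE OriginalFileName and decodes the -EncodedCommand argument is not thrown off by renaming the binary or the script that launches it. The following is an added example, not code from this paper or from ShadowPlex; it assumes Sysmon Event ID 1 style records (Image, OriginalFileName, CommandLine) and uses constructed sample values.

```python
import base64
import os
import re

# The PE version resource's OriginalFileName survives renaming the file on disk,
# so match on it rather than on the image name the attacker controls.
POWERSHELL_ORIGINALS = {"powershell.exe", "pwsh.dll"}
EXPECTED_IMAGES = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Flag PowerShell launched under another name and surface encoded command content."""
    findings = []
    for e in events:
        if e["OriginalFileName"].lower() not in POWERSHELL_ORIGINALS:
            continue
        image = os.path.basename(e["Image"].replace("\\", "/")).lower()
        if image not in EXPECTED_IMAGES:
            findings.append(("renamed-powershell", e["Image"]))
        decoded = decode_encoded_command(e["CommandLine"])
        if decoded is not None:
            findings.append(("encoded-command", decoded))
    return findings

# Constructed Sysmon Event ID 1 style records; all values are made up.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"Image": "C:\\Users\\Public\\updater.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "updater.exe -nop -enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=="},
    {"Image": "C:\\Windows\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]
```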
The illustration below shows a sample attack path concept using open source and in-built tools that can lead to a complete
domain compromise.
In general, ICS architectures are based on the 5-level Purdue Model, which separates the enterprise IT layers from the
production or manufacturing zone and the security zones. However, ICS enterprises have recently seen attackers pivot from
the IT to the OT segments by compromising IT endpoints, using the same attack paths as in any IT network, escalating
privileges and moving laterally until they find vulnerable ICS interfaces such as remote terminals and HMI systems. Along
the way, multiple documented attacks have compromised the Active Directory to enumerate the control systems of the OT
devices. Some prominent examples are Black Energy (attacking HMIs), Shamoon (attack against Saudi Arabia’s civil
aviation sector), APT33 (cyber espionage targeting aviation), NotPetya (Ukraine Power Grid), and Dragonfly (attacking the
energy sector), among many others. In summary, digitization of the ICS sector has created a wider attack surface for these
enterprises, and their cybersecurity posture must include detection, monitoring, and proactive protection of the ICS segment.
Certain deception solutions in the market offer AD protection using non-scalable approaches such as creating complete fake
AD forests, hiding real production assets and domain controllers on parts of the network segment, intercepting DNS lookups,
or deploying a large number of deceptions in enterprise endpoints’ memory. Such solutions cannot offer holistic AD
protection covering multiple bases; they are largely static and cannot cover a complex and diverse enterprise network that
comprises a variety of OSes, Azure, or hybrid AD models.
Contact Acalvio
Get in touch with Acalvio to schedule a demo of ShadowPlex, or to Try-and-Buy the Deception-based Active Directory
Protection.
About Acalvio:
Acalvio is an inventor of industry-leading advancements in Deception Technology for Advanced Threat Protection. With over 25 issued patents, Acalvio has integrated
Deception technology with advanced AI to provide an autonomous deception solution that is effective, easy to use and can be deployed at enterprise-scale with minimal
overhead. Acalvio ShadowPlex reduces attacker dwell time by early detection of advanced threats and increases SOC efficiency through sophisticated investigation and active
threat-hunting capabilities. Extensive partner integrations allow ShadowPlex to leverage the customer’s ecosystem for rapid and comprehensive threat containment.
Acalvio Technologies| 2520 Mission College Boulevard, Suite 110, Santa Clara, CA 95054, USA | www.acalvio.com