Active Directory Attacks Hit the Mainstream

Understanding the limitations of authentication protocols, especially as enterprises link authentication for cloud services to Active Directory, is essential for security teams in the modern federated enterprise.

Jason Crabtree, CEO & Co-Founder, QOMPLX

April 1, 2020


There was a time when attacks against identity and authentication infrastructure were the domain of well-financed and, likely, state-backed threat actors. These groups crave persistence on critical networks and would invest heavily in tactics that would allow them not only a foothold on vital systems but also stealthy lateral movement from resource to resource.

Access to Active Directory, domain controllers, and exploitation of known weaknesses in the Kerberos authentication protocol were often key in these efforts, and for a long time required significant dwell time in order to, for example, forge Kerberos tickets and move about a network making legitimate service requests.

However, the advent of open source pen-testing tools such as Mimikatz — a credential-dumping tool capable of recovering plaintext or hashed passwords from systems — narrowed the knowledge gap necessary to leverage these types of attacks. Dwell times went from days or weeks to minutes, and what was almost exclusively the domain of advanced persistent threat groups was now also within reach of script kiddies.

Mimikatz, in particular, has been integrated into the arsenals of close to 30 state-sponsored groups and has been used in devastating attacks, including 2017's NotPetya, which burrowed into the supply chain of governments and private sector organizations across Europe, and 2011's hack of Dutch certificate authority DigiNotar, which eventually bankrupted the company.

Since Active Directory is recognized as the de facto identity platform for businesses and governments running Windows, and it enables authentication for numerous enterprise services, it stands to reason that hackers would invest in attacks leveraging it as well. The stateless nature of the Kerberos protocol, which authenticates requests to enterprise services, is especially attractive.

Because Kerberos is a stateless protocol, transactions made during the authentication process are not retained throughout or after the session. This leaves it vulnerable to known attacks that allow bad actors to forge Kerberos tickets or reuse stolen credentials to move laterally through the network undetected, escalating privileges until they obtain full control over files, servers, and services.

Three Decades of Kerberos
Kerberos is no youngster. Its roots go back 30 years to MIT's Project Athena, and it was quickly adopted as a successor to NTLM (Windows NT LAN Manager), which was Microsoft's standard authentication protocol before Windows 2000. NTLM was also plagued by vulnerabilities that put the credentials it processed at risk of theft. Kerberos was superior to pre-existing authentication methods, including NTLM. But backward compatibility with these non-Kerberos methods created exposures, especially with legacy applications that could not be easily discarded.

It became quickly apparent that some Kerberos implementations were shaky, and tools such as Mimikatz, Metasploit, and others developed for legitimate security research have been co-opted many times by threat actors to target these implementations.

Benjamin Delpy, the French researcher who built Mimikatz, along with Alva Duckwall demonstrated at the 2014 Black Hat conference the next iteration of attacks against Kerberos. Delpy and Duckwall's Golden Ticket attack allows attackers to generate a Kerberos Ticket-Granting Ticket (TGT), effectively giving them domain administrator credentials to any computer on the network for the life of the ticket. Newer tools, including CrackMapExec, BloodHound, DeathStar, Angry Puppy, and Go Fetch, make it easier than ever for attackers to gain a foothold on a target environment in order to quickly forge tickets, replay credentials, or map out a plan to expand their control.

In a matter of a few years, dwell time dropped to minutes because of these tools, which can rapidly audit a network and provide a path that enables lateral movement and privileged access to the complete networking environment. Even the best-resourced defenders, meanwhile, continue to struggle.

UN Hack Demonstrates Defenders' Bind
Most recently, an espionage attack disclosed in January targeted three United Nations offices in Europe. Attackers exploited a vulnerability in Microsoft SharePoint to gain access to Active Directory at the three UN locations, and eventually moved laterally on those respective networks.

While attribution has not been made in the UN attack, there are signals of a long-term presence on the organization's network, and a targeting of Active Directory to steal information on hundreds of individuals, as well as human resources information, and other databases and network resources, according to reports. There are close to 4,000 staffers at the three compromised UN offices, and the attack was detected last August, close to a month after the initial intrusion, The New Humanitarian, formerly a UN publication, reported in January.

Dozens of servers hosted by the UN at its Vienna and Geneva offices, as well as at its Office of the High Commissioner for Human Rights (OHCHR) were compromised; some of those servers were used for user and password management, system controls, and network firewalls, The New Humanitarian reported. The attackers were able to view data stored on its servers in Vienna, and they were also able to extract Active Directory listings from the OHCHR, which handles reports of human rights violations.

The UN hack demonstrates that defenders are in a bind and need more visibility into authentication systems to ensure they have not been subverted, and that their other security controls, tools, and processes continue to operate as intended.
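One concrete form of the visibility the paragraph above calls for is correlating the domain controller's own Kerberos audit events. A forged TGT (Golden Ticket) never passes through the KDC's AS exchange, so the DC records the attacker's service-ticket requests (event 4769) without any preceding TGT issuance (event 4768) for that account within the TGT lifetime, and forging tools commonly default to RC4 tickets in domains that otherwise use AES. The detector below is an added example, not code from the article or from QOMPLX; it assumes centralized DC logs with the field names shown, a constructed sample of events, and an AES-by-default domain where an RC4 (0x17) service ticket is worth a look.

```python
"""Hunt for Kerberos service-ticket activity with no matching TGT issuance."""
from datetime import datetime, timedelta

# Constructed sample of Windows DC security events (not real telemetry).
# 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ).
SAMPLE_EVENTS = [
    {"time": "2020-03-30T08:02:11", "id": 4768, "account": "alice",
     "ip": "10.0.1.20", "etype": "0x12", "service": "krbtgt"},
    {"time": "2020-03-30T08:02:15", "id": 4769, "account": "alice",
     "ip": "10.0.1.20", "etype": "0x12", "service": "cifs/fs01"},
    {"time": "2020-03-30T09:40:03", "id": 4769, "account": "svc_backup",
     "ip": "10.0.7.9", "etype": "0x17", "service": "cifs/dc01"},
    {"time": "2020-03-30T09:41:22", "id": 4769, "account": "svc_backup",
     "ip": "10.0.7.9", "etype": "0x17", "service": "ldap/dc01"},
]

TGT_MAX_LIFETIME = timedelta(hours=10)  # AD default policy; assumption, set to yours
RC4_ETYPE = "0x17"                      # weak etype in an AES-by-default domain


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_orphan_service_tickets(events, max_lifetime=TGT_MAX_LIFETIME):
    """Return 4769 events whose (account, client IP) has no 4768 within
    max_lifetime, plus any 4769 issued with RC4. Assumes all DCs forward
    their logs to one place; otherwise a TGT issued by another DC looks
    orphaned and must be joined across sources first."""
    events = sorted(events, key=_ts)
    last_tgt = {}  # (account, ip) -> time of most recent TGT issuance
    findings = []
    for e in events:
        key = (e["account"].lower(), e["ip"])
        if e["id"] == 4768:
            last_tgt[key] = _ts(e)
        elif e["id"] == 4769:
            issued = last_tgt.get(key)
            reasons = []
            if issued is None or _ts(e) - issued > max_lifetime:
                reasons.append("no_tgt_in_window")
            if e["etype"] == RC4_ETYPE:
                reasons.append("rc4_ticket")
            if reasons:
                findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_orphan_service_tickets(SAMPLE_EVENTS):
        print(f["time"], f["account"], f["service"], f["reasons"])
```

Legitimate renewals and cross-DC ticket paths will produce false positives, so treat a hit as a lead to pivot on (source host, target service, account type) rather than as a verdict.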

Understanding the limitations of authentication protocols like NTLM, Kerberos, and SAML — especially as enterprises link authentication for cloud services to Active Directory — is essential for security teams in the modern federated enterprise.

The smartest organizations will find a way to leverage modern distributed systems and analytics platforms, enhanced by machine learning, to master the huge data sets that cloud deployments will engender, while integrating security operations more closely with development and IT management.


About the Author

Jason Crabtree

CEO & Co-Founder, QOMPLX

Jason Crabtree co-founded QOMPLX in 2014 with Andrew Sellers. As the CEO of QOMPLX, Mr. Crabtree is responsible for the overall vision and long-term direction of the company, in addition to overseeing all aspects of company operations. Prior to QOMPLX, Jason most recently served as a Special Advisor to the senior leaders in the Department of Defense cyber community, with responsibilities ranging from policy advice and operational support to research direction and technology transition. Mr. Crabtree is the co-author of Driven by Demand: How Energy Gets Its Power (Cambridge University Press, 2015). He received a B.S. in engineering from the United States Military Academy at West Point, where he was selected as the First Captain and Brigade Commander of the Corps of Cadets and elected as a Rhodes Scholar. He received an M.Sc.(R) in Engineering Science at the University of Oxford before leading infantry troops in Afghanistan in 2012.
