SentinelOne has recently announced the acquisition of Attivo Networks to bring new capabilities to its customers. Among these new features is Ranger AD Assessor. In this blog post, we give you the rundown on the state of AD security and how Singularity Ranger AD Assessor can provide you with visibility into your security gaps.
Why do threat actors target AD?
Microsoft estimates that 95 million AD accounts come under attack each day, with 94% of organisations having experienced an identity-related breach. AD is a key target for attackers as compromising AD can give them access to all network resources and the necessary rights and privileges to make changes. These changes could make it harder to detect any malicious activity.
Almost every major ransomware attack includes a step in which the attacker leverages AD for information, privileges, or both.
How are attackers targeting AD?
Misconfigurations and vulnerabilities - Attackers can quickly exploit unpatched applications, operating systems, and firmware on AD servers, giving them a critical first foothold within your environment.
Admin users and privileged access - AD allows administrators to grant access to specific applications and data based on employee roles. Roles are assigned to groups that determine access levels. It's important to grant individuals and roles only the level of access they need to perform their job functions.
Passwords - Brute-force attacks on AD services often target passwords. Simple and easily guessable passwords put your AD at risk.
Default settings - AD has a set of predetermined, default security settings created by Microsoft. These security settings may not be ideal for your organisation’s needs. Additionally, these default security settings are well-understood by threat actors, who will attempt to exploit gaps and vulnerabilities.
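As an added example (not SentinelOne's code or part of Ranger AD), the following read-only PowerShell audit checks a domain for the four exposure categories listed above. It assumes the RSAT ActiveDirectory module on a domain-joined host and an account permitted to read the directory; the 90-day inactivity window and the group list are assumptions you can adjust.

```powershell
# Added example, not SentinelOne's code. Assumes the RSAT ActiveDirectory module
# on a domain-joined host and an account that can read the directory.
Import-Module ActiveDirectory

$report = [ordered]@{}

# 1. Admin users and privileged access: direct and nested members of the
#    built-in high-privilege groups (group list is an assumption; extend as needed).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$report['PrivilegedMembers'] = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName
}

# 2. Passwords: the default domain policy, plus accounts exempt from it.
$report['PasswordPolicy'] = Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
$report['PasswordNotRequired'] = Get-ADUser -Filter 'PasswordNotRequired -eq $true' `
    -Properties PasswordNotRequired | Select-Object SamAccountName
$report['PasswordNeverExpires'] = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires | Select-Object SamAccountName

# 3. Stale accounts: enabled users with no logon in the last 90 days (window is an assumption).
$report['StaleEnabledUsers'] = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object Enabled | Select-Object SamAccountName, LastLogonDate

# 4. Misconfigurations: member servers trusted for unconstrained delegation
#    (domain controllers excluded), a well-known credential-harvesting exposure.
$report['UnconstrainedDelegation'] = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    Select-Object Name

# Print each finding set as its own table.
$report.GetEnumerator() | ForEach-Object {
    "`n=== $($_.Key) ==="
    $_.Value | Format-Table -AutoSize | Out-String
}
```

Every section is read-only, so the script can be scheduled and diffed over time to catch new privileged members, policy exemptions or delegation settings as they appear.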
Many open-source and freely available tools, including Bloodhound and Mimikatz, make attacking and compromising AD dangerously simple. Attackers use these tools to identify accounts capable of granting them administrative rights and conduct their attacks in a way that allows them to elevate their privileges.
Some of the key threat groups and malware that leverage AD as part of their tactics and techniques include:
PYSA - PYSA ransomware has at least three known infection vectors: Brute-force attacks against management consoles and Active Directory (AD) accounts, phishing emails, and unauthorised Remote Desktop Protocol (RDP) connections to domain controllers. In March 2021, an FBI FLASH alert was issued concerning the noticeable increase in PYSA campaigns, particularly those against healthcare and educational targets.
TrickBot - TrickBot is typically downloaded and installed on a computer by other malware; the most common loader for TrickBot is Emotet. As part of the malware's evolution, a new TrickBot module was found in 2020 that executes a variety of Windows commands that allow the trojan to steal a Windows Active Directory database.
LAPSUS$ - LAPSUS$ is a financially motivated threat group that first appeared in December 2021. The group used AD Explorer, a publicly available tool, to enumerate all domain users and groups and discover further high-privilege account credentials that gave access to other sensitive information. The group used DCSync attacks and Mimikatz to perform privilege escalation routines. Once it had obtained domain administrator access, the group used the built-in Ntdsutil utility to extract the AD database.
What can you do?
There are certain best practices that enterprises should adhere to, including hardening AD, keeping privileged accounts to a minimum, using jump boxes, and following secure technical implementation guides. However, these alone will not keep your AD safe, as threat actors will continue to develop new methods of attack.
Responsible organisations should implement identity security solutions that provide visibility into exposed credentials that create potential attack paths and allow access to AD. Visibility into AD exposures and vulnerabilities is essential.
What is SentinelOne Ranger AD?
SentinelOne Singularity Ranger AD is a continuous identity assessment solution designed to uncover vulnerabilities in Active Directory and Azure AD. It provides you with actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.
With Ranger AD you can:
See clearly into the state of your AD and Azure AD with hundreds of real-time vulnerability checks
Uncover domain-level exposures such as weak policies, credential harvesting, and Kerberos vulnerabilities
Reveal user-level exposures through AD object analysis, privileged account evaluation, stale account identification, and identifying shared credential use
Understand device-level AD attack paths, including rogue domain controllers, OS issues, and vulnerabilities
Ensure continuous visibility to AD attack indicators without impacting business operations
Detect identity and service account misuse
Reduce mean time to respond to unauthorized mass account changes and suspicious password changes
Receive proactive notifications related to AD attacks
SentinelOne is offering a free AD Assessment to provide you with actionable insight into your identity security, including misconfigurations, excessive privileges, or data exposures.