To begin dissecting Active Directory (AD), it's important to grasp the concept that a domain essentially constitutes a sizable collection of "objects" that necessitate communication among themselves. These objects encompass various entities such as User objects, system objects (servers, workstations, laptops, etc.), and even software objects.
![](https://static.wixstatic.com/media/fb8bd9_201e608f435643149615459f0d93144f~mv2.jpg/v1/fill/w_931,h_472,al_c,q_85,enc_avif,quality_auto/fb8bd9_201e608f435643149615459f0d93144f~mv2.jpg)
In order to effectively manage these objects, it is necessary to organize them within a Directory Structure, which is why the term "Active Directory" is used.
![](https://static.wixstatic.com/media/fb8bd9_b116d0bf19074e94921782c53e4d811e~mv2.jpg/v1/fill/w_931,h_676,al_c,q_85,enc_avif,quality_auto/fb8bd9_b116d0bf19074e94921782c53e4d811e~mv2.jpg)
Objects possess attributes, and these attributes within the directory are subject to constant modification to align with the organization's requirements. In the diagram below, various user groups (Blue, Green, Red) could potentially possess distinct attributes and privileges. Furthermore, the provided example illustrates a scenario where a user departs from the organization while another user is introduced into the system.
![](https://static.wixstatic.com/media/fb8bd9_353e68465a70411da7405b4bab3577e2~mv2.jpg/v1/fill/w_931,h_697,al_c,q_85,enc_avif,quality_auto/fb8bd9_353e68465a70411da7405b4bab3577e2~mv2.jpg)
The organizational framework, known as the directory structure, is stored on a specialized server referred to as a Domain Controller (DC). Furthermore, the directory's information is housed within a distinctive file on this server, named ntds.dit, with DIT standing for "Directory Information Tree." For further insights on ntds.dit, you can refer to the following link: https://windowstechno.com/what-is-ntds-dit/
![](https://static.wixstatic.com/media/fb8bd9_5f20937abfd846988e47dbd8e4e98e6b~mv2.jpg/v1/fill/w_883,h_377,al_c,q_80,enc_avif,quality_auto/fb8bd9_5f20937abfd846988e47dbd8e4e98e6b~mv2.jpg)
AD is very complex and does a lot of things. See this article for 12 essential tasks of Active Directory https://fallbackstatus.com/the-12-essential-tasks-of-active-directory-domain-services/
Before delving further into AD, it's important to touch on a few additional key concepts: Replication, Schema, and Global Catalog. Replication serves as the mechanism through which Domain Controllers back up and synchronize the Active Directory across an organization. The absence of these backups could lead to a significant delay in rebuilding the Directory Structure, which might have taken years to establish. This, in turn, could translate to prolonged downtime for the essential business systems, potentially lasting weeks or even months.
![](https://static.wixstatic.com/media/fb8bd9_d502f4dc360a4d46a22ea5deeb0b0547~mv2.jpg/v1/fill/w_980,h_675,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_d502f4dc360a4d46a22ea5deeb0b0547~mv2.jpg)
A real-life scenario exemplifying the concept of Domain replication occurred in 2018 with the company Maersk. During this incident, all of Maersk's Domain Controllers were encrypted by ransomware, leading to a complete standstill in their operations. The attackers not only encrypted their domain controllers but also prevented them from restoring their servers. However, a unique situation emerged in Africa where a Domain Controller had previously undergone directory replication and remained uninfected due to telecommunication issues that hindered the ransomware's spread from its source in Europe. Recognizing the significance of this discovery, incident responders promptly directed the administrators at the African site to disconnect the unaffected Domain Controller from the network. Subsequently, the responders traveled to the African site to acquire a backup of Maersk's Directory. This backup was then transported to London, enabling the rebuilding of Maersk's Active Directory and the restoration of the company's functionality. For more details about the Maersk ransomware incident and their response, you can refer to this informative article by Wired magazine.
The AD Schema is the way the information is stored in AD, and Global Catalog is an efficient way for applications and users to pull AD attributes without pulling the entirety of AD information.
![](https://static.wixstatic.com/media/fb8bd9_89e58f77d153417eb61a0d01a40d1175~mv2.jpg/v1/fill/w_980,h_729,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_89e58f77d153417eb61a0d01a40d1175~mv2.jpg)
Active Directory & Authentication
A fundamental role of AD is authentication, which grants both users and systems network access while defining their permissible access points. In the realm of Windows, two primary authentication protocols come into play: NTLM and Kerberos. This discussion will delve into Kerberos authentication in greater detail due to its superior security compared to NTLM. Kerberos is progressively supplanting NTLM in Windows deployments.
Windows authentication relies on the Kerberos authentication protocol developed by MIT, comprising three central components:
Client
Server
Key Distribution Center (KDC)
![](https://static.wixstatic.com/media/fb8bd9_e3cc2f64352547c5aa420da266fe2382~mv2.jpg/v1/fill/w_980,h_614,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_e3cc2f64352547c5aa420da266fe2382~mv2.jpg)
Kerberos is guided by several overarching authentication objectives:
Facilitate mutual authentication among numerous interconnected systems.
Rely on a shared secret for authentication (known solely to the authorized user and the authenticating server).
Address the possibility of a hostile network that could eavesdrop on communication.
Avoid the direct use of passwords for security reasons.
Minimize key storage across systems.
Enable seamless logon without repeated password requests (single sign-on).
In the initial phase of authentication, the client establishes its identity, leading to the issuance of a session key and a Ticket Granting Ticket (TGT) by the authentication server. The TGT functions as a master ticket, permitting the client to request additional tickets. Notably, the default validity period for these TGTs is set at 10 hours.
![](https://static.wixstatic.com/media/fb8bd9_cf8161dd3b574e6ca7497a6d7b0da531~mv2.jpg/v1/fill/w_980,h_708,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_cf8161dd3b574e6ca7497a6d7b0da531~mv2.jpg)
Currently, the user/client hasn't gained access to the desired server/application. Subsequently, they initiate a request for access to the specific service. If the authorization is granted, they receive a Ticket for that particular service, valid for a predetermined period.
![](https://static.wixstatic.com/media/fb8bd9_419448e3cc934568be80a9e5ad3b1067~mv2.jpg/v1/fill/w_980,h_681,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_419448e3cc934568be80a9e5ad3b1067~mv2.jpg)
They then present that ticket to the server (server Z below) they are trying to access, and the server verifies the ticket.
![](https://static.wixstatic.com/media/fb8bd9_70c4ea552cb744cb8cd74bf1e6bc305d~mv2.jpg/v1/fill/w_980,h_681,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_70c4ea552cb744cb8cd74bf1e6bc305d~mv2.jpg)
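The three exchanges described above (client to Authentication Service, client to Ticket Granting Service, client to server Z) can be followed end to end in a small model. The block below is an added example, not code from the original post: the principals, passwords and the service name `MSSQLSvc/db.corp.example` are constructed, and the "encryption" is a stand-in built from SHA-256 and HMAC so that it runs on the Python standard library alone (real Kerberos uses AES or RC4 with keys derived from the password). What it shows is which key seals which ticket: the TGT is sealed with the `krbtgt` key, the service ticket with the service account's key, and the server verifies the ticket on its own without talking back to the KDC.

```python
"""Toy model of the Kerberos AS exchange, TGS exchange and service access.
Added example; the seal/unseal routine is a constructed stand-in for Kerberos
encryption, not the real cipher suite."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

TGT_LIFETIME = timedelta(hours=10)  # default TGT validity mentioned in the text


def now():
    return datetime.now(timezone.utc)


def derive_key(password, salt):
    # Stand-in for Kerberos string-to-key: the long-term key comes from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Constructed encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Authentication Service and Ticket Granting Service in one object."""

    def __init__(self, keys):
        self.keys = keys  # principal name -> long-term key; 'krbtgt' seals every TGT

    def as_exchange(self, user, preauth):
        # Pre-authentication: only a client that knows the password can seal this timestamp
        ts = datetime.fromisoformat(unseal(self.keys[user], preauth)["timestamp"])
        if abs(now() - ts) > timedelta(minutes=5):
            raise ValueError("pre-auth timestamp outside allowed clock skew")
        session_key = os.urandom(32).hex()
        expires = (now() + TGT_LIFETIME).isoformat()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session_key, "expires": expires})
        enc_part = seal(self.keys[user], {"key": session_key, "expires": expires})
        return tgt, enc_part  # the client carries the TGT but cannot read inside it

    def tgs_exchange(self, tgt, authenticator, service):
        t = unseal(self.keys["krbtgt"], tgt)  # anyone holding the krbtgt key could mint TGTs
        if datetime.fromisoformat(t["expires"]) < now():
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        expires = (now() + timedelta(hours=10)).isoformat()
        # The service ticket is sealed with the service account's key: an offline
        # password guess (Kerberoasting) is tested against exactly this blob
        ticket = seal(self.keys[service], {"user": t["user"], "key": svc_session, "expires": expires})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session})


def client_login(kdc, user, password):
    key = derive_key(password, user)
    tgt, enc = kdc.as_exchange(user, seal(key, {"timestamp": now().isoformat()}))
    part = unseal(key, enc)  # only the real user can recover the session key
    return tgt, bytes.fromhex(part["key"]), part["expires"]


def client_service_ticket(kdc, user, tgt, session_key, service):
    ticket, enc = kdc.tgs_exchange(tgt, seal(session_key, {"user": user}), service)
    return ticket, bytes.fromhex(unseal(session_key, enc)["key"])


def service_accept(service_key, ticket, authenticator):
    """Server Z verifies the ticket with its own key; it never contacts the KDC."""
    t = unseal(service_key, ticket)
    if datetime.fromisoformat(t["expires"]) < now():
        raise ValueError("service ticket expired")
    if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]


def demo():
    # Constructed principals and passwords; every name here is a placeholder
    service = "MSSQLSvc/db.corp.example"
    keys = {"alice": derive_key("correct horse battery", "alice"),
            service: derive_key("Svc-Sql-2023!", service),
            "krbtgt": derive_key("krbtgt-long-random-secret", "krbtgt")}
    kdc = KDC(keys)
    tgt, session_key, tgt_expires = client_login(kdc, "alice", "correct horse battery")
    ticket, svc_session = client_service_ticket(kdc, "alice", tgt, session_key, service)
    who = service_accept(keys[service], ticket, seal(svc_session, {"user": "alice"}))
    try:
        client_login(kdc, "alice", "wrong password")
        rejected = False
    except ValueError:
        rejected = True
    hours = (datetime.fromisoformat(tgt_expires) - now()).total_seconds() / 3600
    return {"user": who, "tgt_hours": round(hours), "wrong_password_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Two things to notice when reading the model: the only secrets that let a party mint tickets are the `krbtgt` key (the TGT) and the service account key (the service ticket), which is why protecting those two kinds of credentials matters more than anything else in the flow, and the server's check depends only on its own key and the ticket's expiry, so a stolen but unexpired ticket is accepted for the rest of its lifetime.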
Active Directory & Federations
Active Directory Federation Services (AD FS) is a technology introduced by Microsoft that facilitates single sign-on (SSO) capabilities and identity federation across different systems, applications, and organizations. AD FS serves as a bridge between an organization's Active Directory and other trusted systems or services, enabling seamless access to resources without the need for multiple logins.
![](https://static.wixstatic.com/media/fb8bd9_58101e43c5db4cf19767bd88960068d1~mv2.jpg/v1/fill/w_980,h_741,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_58101e43c5db4cf19767bd88960068d1~mv2.jpg)
Key functions of Active Directory Federation Services (AD FS) include:
Single Sign-On (SSO): AD FS enables users to authenticate once and gain access to multiple applications or services without needing to provide credentials again. This streamlines the user experience and reduces the need to remember numerous login details.
Identity Federation: AD FS allows organizations to establish trust relationships with external entities, such as partner organizations or cloud services. This enables users from different domains or organizations to access resources using their own credentials while maintaining security and control.
Security Assertion Markup Language (SAML) Support: AD FS employs SAML, an industry-standard protocol, to facilitate secure authentication and authorization between different systems. SAML tokens are used to convey identity and authorization information.
Web-Based SSO: AD FS enables web-based SSO for applications and services that support SAML or WS-Federation protocols. Users can log in to a central identity provider (IDP), and the IDP authenticates them to access various applications.
Multi-Factor Authentication (MFA): AD FS can be configured to support multi-factor authentication, adding an extra layer of security by requiring users to provide additional verification beyond just a password.
Security and Compliance: By centralizing authentication and authorization through AD FS, organizations can enforce security policies, audit access to resources, and maintain compliance with industry regulations.
Hybrid Environments: AD FS is often used in hybrid environments where organizations have a mix of on-premises and cloud-based resources. It facilitates secure access to cloud services without exposing internal credentials.
In essence, Active Directory Federation Services enables organizations to extend the benefits of their on-premises Active Directory to external systems, services, and partner organizations while maintaining a secure and streamlined user experience.
The diagram below from Microsoft shows federation where an on-premises domain controller is syncing to a cloud Azure Active Directory through an Azure AD Connect sync.
![](https://static.wixstatic.com/media/fb8bd9_18536aac383347deaa3fc57a79788a2b~mv2.jpg/v1/fill/w_980,h_374,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_18536aac383347deaa3fc57a79788a2b~mv2.jpg)
Anatomy of Attacks on Active Directory and Windows Authentication Processes
The Kill Chain concept holds significance in the realm of cyberattacks. It delineates the sequential steps that attackers follow to achieve their hacking goals. Within Windows environments, a primary objective for hackers is gaining domain admin privileges on the domain controller, granting them unrestricted control within the system. The following image illustrates the Active Directory Kill Chain.
![](https://static.wixstatic.com/media/fb8bd9_a43b9af682144465a26600d7e518009d~mv2.jpg/v1/fill/w_980,h_403,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_a43b9af682144465a26600d7e518009d~mv2.jpg)
Various techniques and tools are available for targeting Windows systems, and within these, several widely recognized methods possess distinct labels:
Internal Reconnaissance: Involves server reconnaissance to identify Service Principal Names (SPNs).
Local Privilege Escalation/Credential Compromise:
OS credential dumping LSASS memory
Golden Ticket, Silver Ticket
Explores SPNs to escalate privileges using techniques like Kerberoasting
DCSync.
Remote Code Execution (Lateral Movement): Enables lateral movement between servers using Domain Admin credentials. Methods include Pass-the-Ticket (PtT) and Pass-the-Hash (PtH), DNSAdmins exploitation, PetitPotam, Password spraying
Domain Domination - DC Admin: Gaining administrator privileges on the domain controller:
Zerologon exploitation
DCShadow.
Domain Domination - persistence:
NTDS Extraction. Downloading and cracking the ntds.dit file on the domain controller.
LSASS Memory dumping, Pass-the-Hash (PtH), and Pass-the-Ticket (PtT)
In our previous conversation about Windows authentication, we covered the concept of granting a ticket to the requesting system, which is valid for 10 hours by default. This means that attackers could potentially pilfer the Hash or acquire the ticket and subsequently exploit it for unauthorized access.
There are two specific techniques employed:
Pass-The-Hash: Pertaining to Windows NTLM authentication.
Pass-The-Ticket: Associated with Windows Kerberos authentication.
In these scenarios, attackers seize the active Ticket Granting Ticket (TGT) or password hash from a compromised system's memory. They then inject this information into a user session, enabling them to impersonate the rightful owner of the stolen ticket or hash.
![](https://static.wixstatic.com/media/fb8bd9_32e6fd023a3d4ad082d0b9ce795b0e55~mv2.jpg/v1/fill/w_980,h_525,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_32e6fd023a3d4ad082d0b9ce795b0e55~mv2.jpg)
There is a very popular hacking tool called Mimikatz that facilitates obtaining this TGT or hash from the system's memory.
Dumping the hash not only exposes it but also makes it susceptible to cracking. In previous Windows versions, the hash was even stored in memory in plain text, allowing direct extraction of user passwords from memory. While Windows has addressed this issue, there are still registry settings that can be manipulated to store the hash in plain text. Illustrative instances of this manipulation are provided below.
Even if the hash cannot be directly acquired in plain text, it remains susceptible to cracking if a weak password was used. The diagram below illustrates a dictionary or dictionary variation attack, wherein hashes for common passwords and their variations are pre-computed. The stolen hash is subsequently compared against this pre-computed hash list in an attempt to identify a matching password.
![](https://static.wixstatic.com/media/fb8bd9_ebd61d9ed81f45ec9b214dba0df1947d~mv2.jpg/v1/fill/w_980,h_748,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_ebd61d9ed81f45ec9b214dba0df1947d~mv2.jpg)
Kerberoasting
Kerberoasting capitalizes on a Windows concept known as "Service Principal Names" (SPNs). An SPN functions as a distinctive identifier for services running on hosts, and is primarily linked to Windows application service accounts. This technique is commonly employed when an attacker possesses the credentials of a domain user without administrative privileges. The attacker's objective is to locate accounts with associated SPNs. In this context, the attacker uses the domain user context to request a Kerberos service ticket from the Ticket Granting Service. This yields a ticket from the Kerberos Key Distribution Center (KDC) encrypted with a hashed variant of the service account's password. Subsequently, the attacker captures the TGS ticket (hash) and takes it offline for cracking.
The process unfolds as follows:
Scan the Active Directory (AD) for user accounts with SPN designations. An SPN represents a distinct marker for a service operational on a particular host. An attacker with access to the domain can identify service accounts with weak encryption and known SPNs. These accounts are often associated with services such as email, databases, and web applications.
Solicit service tickets from AD employing the SPN designation. These tickets are encrypted using a hashed rendition of the password linked to the SPN account.
Once the attacker obtains the encrypted service tickets (TGS tickets), they can extract these tickets and take them offline. Since the tickets are encrypted with the service account's password hash, the attacker can use offline tools to attempt to crack the hash and recover the plaintext password.
The hash value within the service ticket undergoes a brute force attack in the pursuit of decryption.
DCSync
In a DCSync attack, the attacker pretends to be another domain controller and requests replication of Active Directory data from legitimate domain controllers; this replication request is what is called DCSync. The DC responds to the DCSync request by providing the attacker with Active Directory data, including sensitive information such as the password hashes of user accounts, without requiring high-level privileges. This data is often encrypted using the attacker's credentials. The stolen hashes are then taken offline for password cracking.
![](https://static.wixstatic.com/media/fb8bd9_eab929aba10f4d14a53c77afdde35f60~mv2.jpg/v1/fill/w_980,h_675,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_eab929aba10f4d14a53c77afdde35f60~mv2.jpg)
Golden Ticket & Silver Ticket
Golden and Silver ticket attacks are types of ticket forgery attacks against the implementation of the Kerberos protocol. A Golden Ticket attack is a type of cyberattack where an attacker forges a highly privileged Kerberos ticket, granting them unrestricted access and control within a Windows domain. This attack takes advantage of the Kerberos authentication protocol's design and its use of long-lived tickets. Once a Golden Ticket is created, the attacker can impersonate any user or service, granting them virtually unlimited authority within the compromised environment. A Silver Ticket attack is a cyberattack method that involves forging a valid Kerberos service ticket for a specific service using compromised credentials. Unlike a Golden Ticket attack, which targets the Ticket Granting Ticket (TGT), a Silver Ticket attack targets a specific service's ticket. Attackers can use Silver Tickets to access services and resources associated with the compromised service account, potentially escalating privileges within a Windows domain.
![](https://static.wixstatic.com/media/fb8bd9_3c8facc1e2ff4978b13ca5eb7cec1960~mv2.jpg/v1/fill/w_980,h_681,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_3c8facc1e2ff4978b13ca5eb7cec1960~mv2.jpg)
Attacking ntds.dit
The "ntds.dit" file, also known as the Active Directory database file, is a critical component of the Windows Active Directory infrastructure. It plays a central role in storing and managing directory data for a Windows domain. In this attack, the perpetrator gains access to the "ntds.dit" file located at "C:\Windows\NTDS," which contains the hashed representations of all user passwords. The attacker proceeds to extract the user hashes from this file and then endeavors to crack these hashes by employing both a hash dictionary and dictionary variation attack methods.
Ways attackers can copy ntds.dit from the server:
Copy Volume Shadow Copy (vssadmin tool)
Raw access to file from disk (ninjacopy from powersploit)
![](https://static.wixstatic.com/media/fb8bd9_cd6a9cfcef124f498a46586e231be01f~mv2.jpg/v1/fill/w_980,h_544,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_cd6a9cfcef124f498a46586e231be01f~mv2.jpg)
For attackers there are some complexities in hacking the ntds.dit file.
First, the DC operating system has this file opened exclusively for its own use, so you can't just copy it off the C: drive.
Second, the file is encrypted with a syskey, which is in the registry system hive HKLM\SYSTEM.
Within this attack scenario, certain valid inquiries emerge:
Why engage in hash cracking when the hashes themselves can be stolen?
Why dedicate effort to hash cracking if the attacker is already positioned on the Domain Controller with sufficient privileges to extract the ntds.dit file?
The explanation lies in the attacker's desire to establish a stronger foothold within the environment, operating stealthily. By successfully cracking other user passwords, the attacker can advance their goals. Moreover, there might exist web-based non-Windows applications where the use of a hash for logging in is unfeasible for the attacker.
Common Active Directory Attack Tools
Some of the most common active directory attack tools are:
Mimikatz - Mimikatz is a tool that can retrieve sensitive data like passwords and authentication tokens from Windows memory.
Impacket - Impacket is a collection of Python scripts and tools designed to facilitate network protocol analysis, penetration testing, and exploitation of various network services and protocols. Impacket includes tools for extracting password hashes from various protocols and services, which can be used for offline cracking and analysis. Impacket also offers tools for manipulating and interacting with Kerberos authentication, including Kerberos ticket extraction and manipulation.
Rubeus - Rubeus is designed to exploit and manipulate Kerberos tickets and perform various Kerberos-related attacks in Windows environments. It primarily focuses on Kerberos authentication and ticket manipulation. Key features and capabilities of Rubeus include:
Ticket Extraction: Rubeus can extract Kerberos tickets from memory, allowing an attacker to obtain credentials of logged-in users without needing administrative privileges.
Ticket Renewal and Renewal Check: Rubeus can renew Kerberos tickets without needing the original password. It can also check if tickets can be renewed and their validity period.
Ticket Request and TGT Renewal: Rubeus allows attackers to request TGTs (Ticket Granting Tickets) for specified users using harvested credentials, enabling attackers to impersonate users.
Kerberoasting and AS-REP Roasting: Rubeus can launch Kerberoasting attacks to request encrypted service tickets, which can then be cracked offline. It can also perform AS-REP Roasting to request AS-REP (Authentication Service Response) responses, which contain encrypted data that can be targeted for password cracking.
Silver Ticket and Golden Ticket Attacks: Rubeus can forge both Silver Tickets and Golden Tickets, allowing attackers to impersonate users or services and gain unauthorized access to systems.
Overpass-the-Hash Attack: Rubeus can manipulate Kerberos keys and tickets to achieve "Overpass-the-Hash" attacks, bypassing certain authentication security measures.
Kerberos Ticket Renewal and Validation: Rubeus provides options to renew and validate Kerberos tickets, allowing attackers to prolong their access without the need for credentials.
BloodHound - BloodHound is a powerful open-source hacking tool designed to assist security professionals and penetration testers in identifying and visualizing attack paths within Windows Active Directory environments. It focuses on analyzing the complex relationships and permissions within Active Directory to uncover potential attack vectors and privilege escalation opportunities. The tool identifies potential attack paths an attacker could exploit to escalate privileges or move laterally within the network. It pinpoints paths that lead to high-privileged accounts, helping organizations proactively address vulnerabilities. BloodHound can determine the shortest path an attacker would need to take to achieve Domain Admin privileges, offering insights into potential security risks.
Baltimore City Ransomware Case
Attackers were able to determine that the servers used a Veeam data backup solution. The attackers were able to pull a base64-encoded password from the SQL database backing Veeam. With this service account they were able to gain access to the domain controller, dump the ntds.dit file, and crack several domain account passwords. With administrator accounts on all the servers, they were able to steal all the data and encrypt everything.
Active Directory Log Sources
Active Directory has tons of logs.
AD Server object modification
AD Server Logon
Log activity Related to Kerberos
AD Server object modification
This event shows up as Event ID 5136 from the Domain Controller.
![](https://static.wixstatic.com/media/fb8bd9_c9253249badd4a8fa88bff39ec3365c0~mv2.jpg/v1/fill/w_883,h_616,al_c,q_85,enc_avif,quality_auto/fb8bd9_c9253249badd4a8fa88bff39ec3365c0~mv2.jpg)
What's the significance of this log? Well, it varies. If an unauthorized user is being added or user privileges are being elevated without permission, it becomes crucial. The challenge in analyzing this log lies in the multitude of legitimate object modifications. Distinguishing between beneficial and malicious changes becomes difficult due to the volume of legitimate modifications.
AD Server Logon
Domain Admins have the Windows IT power of Kings/Queens. They may have to logon to DCs to do work, but no one else should be logging onto the domain controller servers.
![](https://static.wixstatic.com/media/fb8bd9_ef12a659db204a238c4b1396509c78b6~mv2.jpg/v1/fill/w_980,h_506,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/fb8bd9_ef12a659db204a238c4b1396509c78b6~mv2.jpg)
Log activity Related to Kerberos
KDC logs relate to activity on the DC, and there is a lot of it.
![](https://static.wixstatic.com/media/fb8bd9_1f7f38844e7c466a856b788acd0750b3~mv2.jpg/v1/fill/w_769,h_825,al_c,q_85,enc_avif,quality_auto/fb8bd9_1f7f38844e7c466a856b788acd0750b3~mv2.jpg)
4768 - Kerberos Auth TGT requested
Account Name = user requested ticket
Computer accounts are distinguished by $ at the end of the account name
Service Name = krbtgt "Kerberos Ticket Granting Ticket"
Result Code = 0x0 (0=success, else failure code)
Sometimes failures show 4771 - Kerberos Pre-Authentication Failed
4769 - Kerberos service ticket was requested
4770 - Kerberos service ticket was renewed
Service Name = Service name (optional field)
Service ID = Lists the account or computer object that the ticket was requested for. Pivoting to this system, you should see logon activity from the client. Logon event 4624 will show 'Kerberos' in the event fields Logon Process and Authentication Package. If Kerberos is not used, these fields will show NTLM.
Client Address = Client requesting ticket
Ways to Detect and Prevent Windows AD and Authentication Attacks
Detecting DCSync
Detect regular users (not other DCs) replicating from domain controllers: Event ID 4662 with the replication keyword. The problem is that this event does not tie back to the source server name, so you need to connect it back to the logon event, which is hard.
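The detection and the correlation problem just described, worked through over constructed log records, as an added example that is not part of the original post. The two GUIDs are the real schema GUIDs of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights that appear in the Properties field of a 4662 event; the account names, Logon IDs, IP addresses and the allow-list of domain controller computer accounts are constructed. Because 4662 carries no source address, the code joins the event to the 4624 logon event that shares its Logon ID to recover where the request came from.

```python
"""DCSync indicator: Event ID 4662 on a DC whose Properties include a
replication control-access right, requested by something other than a DC.
Added example; events and names are constructed."""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Constructed allow-list: computer accounts of the real domain controllers
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events (a subset of the fields a DC writes to the Security log)
REPL_PROPS = ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
EVENTS = [
    {"EventID": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x3e4",
     "IpAddress": "10.0.0.12", "LogonType": "3"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e4",
     "ObjectType": "domainDNS", "ObjectName": "DC=corp,DC=example",
     "Properties": REPL_PROPS},                       # DC-to-DC replication: expected
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x5a3f21",
     "IpAddress": "10.0.5.23", "LogonType": "3"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x5a3f21",
     "ObjectType": "domainDNS", "ObjectName": "DC=corp,DC=example",
     "Properties": REPL_PROPS},                       # a user account replicating: alert
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x5a3f21",
     "ObjectType": "user", "ObjectName": "CN=Jane Smith,OU=Staff,DC=corp,DC=example",
     "Properties": "Read Property\n\t{deadbeef-0000-4000-8000-000000000001}"},  # constructed, not a replication right
]


def replication_rights(properties):
    """Return the replication rights named in a 4662 Properties field, if any."""
    guids = re.findall(r"\{([0-9a-fA-F-]{36})\}", properties)
    return sorted({REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS})


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    # 4662 carries no source address, so join to the 4624 logon with the same Logon ID
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights(e["Properties"])
        if not rights or e["SubjectUserName"] in dc_accounts:
            continue
        logon = logons.get(e["SubjectLogonId"], {})
        alerts.append({"subject": e["SubjectUserName"], "rights": rights,
                       "object": e["ObjectName"],
                       "source_ip": logon.get("IpAddress", "unknown"),
                       "logon_type": logon.get("LogonType", "unknown")})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(EVENTS):
        print(alert)
```

In a real environment the allow-list needs more than the DC computer accounts: a directory synchronization account such as the one Azure AD Connect uses also holds replication rights and will show up in 4662 legitimately, so tune the list to the accounts that are expected to replicate and alert on everything else. The join on Logon ID only works when 4624 auditing is enabled on the DC and the two events are collected together, which is the "hard" part the text refers to.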
Detecting Pass-The-Ticket attacks
Securing ntds.dit
Limit users who can logon to DCs
Protect backups including VM files
Don't logon into lower systems with AD privilege accounts
Configure Sysmon to alert on raw access reads.
Monitor Volume Shadow Copy Service (VSS) copies
Securing against Kerberoasting
Use password vaulting for service accounts
Honey accounts
Adding SPNs
Does event 4769 make sense for servers like SQL servers?
Unusual logon events 4624 logon events using the Kerberoasted service accounts
Other Detection Techniques
Group and stack logs by account name, domain, and result codes. This can reveal malicious patterns.
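The Kerberoasting indicators listed above (honey accounts with SPNs, unusual ticket requests for service accounts) and the group-and-stack technique, applied to constructed 4769 and 4771 records, as an added example that is not part of the original post. The field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status) are the ones those events carry; the accounts, addresses, times, the honey account `svc_backup_legacy` and the threshold of three distinct service accounts within five minutes are constructed. The example goes slightly beyond the text by also flagging RC4 (encryption type 0x17) service tickets, which is the ticket type an offline cracker targets.

```python
"""Kerberoasting detection over 4769 records and group-and-stack over 4771 records.
Added example; all records, names and thresholds are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HONEY_ACCOUNTS = {"svc_backup_legacy"}   # constructed: has an SPN, is never used for anything
SPN_ROAST_THRESHOLD = 3                  # distinct service accounts per requester per window
WINDOW = timedelta(minutes=5)


def ev(event_id, t, **fields):
    return {"EventID": event_id, "TimeCreated": t, **fields}


# Constructed sample events
EVENTS = [
    # A file server computer account requesting its own tickets with AES: normal noise
    ev(4769, "2024-03-01T09:00:01", TargetUserName="bob@CORP.EXAMPLE", ServiceName="FS01$",
       TicketEncryptionType="0x12", IpAddress="::ffff:10.0.7.40", Status="0x0"),
    # alice uses the SQL service normally, with an AES ticket
    ev(4769, "2024-03-01T09:00:30", TargetUserName="alice@CORP.EXAMPLE", ServiceName="svc_sql",
       TicketEncryptionType="0x12", IpAddress="::ffff:10.0.7.41", Status="0x0"),
    # jsmith asks for RC4 tickets to four service accounts in under two minutes
    ev(4769, "2024-03-01T09:01:00", TargetUserName="jsmith@CORP.EXAMPLE", ServiceName="svc_sql",
       TicketEncryptionType="0x17", IpAddress="::ffff:10.0.5.23", Status="0x0"),
    ev(4769, "2024-03-01T09:01:05", TargetUserName="jsmith@CORP.EXAMPLE", ServiceName="svc_web",
       TicketEncryptionType="0x17", IpAddress="::ffff:10.0.5.23", Status="0x0"),
    ev(4769, "2024-03-01T09:01:09", TargetUserName="jsmith@CORP.EXAMPLE", ServiceName="svc_backup_legacy",
       TicketEncryptionType="0x17", IpAddress="::ffff:10.0.5.23", Status="0x0"),
    ev(4769, "2024-03-01T09:02:40", TargetUserName="jsmith@CORP.EXAMPLE", ServiceName="svc_sccm",
       TicketEncryptionType="0x17", IpAddress="::ffff:10.0.5.23", Status="0x0"),
    # Pre-authentication failures (bad password, 0x18) for several accounts from one host
    ev(4771, "2024-03-01T09:05:00", TargetUserName="carol", IpAddress="::ffff:10.0.5.23", Status="0x18"),
    ev(4771, "2024-03-01T09:05:01", TargetUserName="dave", IpAddress="::ffff:10.0.5.23", Status="0x18"),
    ev(4771, "2024-03-01T09:05:02", TargetUserName="erin", IpAddress="::ffff:10.0.5.23", Status="0x18"),
    ev(4771, "2024-03-01T09:20:00", TargetUserName="bob", IpAddress="::ffff:10.0.7.40", Status="0x18"),
]


def parse_time(e):
    return datetime.fromisoformat(e["TimeCreated"])


def is_user_service(name):
    # Computer accounts end in '$'; krbtgt tickets are TGTs, not service tickets
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events):
    alerts = []
    by_requester = defaultdict(list)
    tickets = [e for e in events if e["EventID"] == 4769 and e["Status"] == "0x0"]
    for e in sorted(tickets, key=parse_time):
        if not is_user_service(e["ServiceName"]):
            continue
        who = {"requester": e["TargetUserName"], "ip": e["IpAddress"]}
        if e["ServiceName"] in HONEY_ACCOUNTS:
            alerts.append({"rule": "honey-spn", "service": e["ServiceName"], **who})
        if e["TicketEncryptionType"] == "0x17":
            alerts.append({"rule": "rc4-service-ticket", "service": e["ServiceName"], **who})
        by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)
    for (user, ip), reqs in by_requester.items():
        # Sliding window: many distinct service accounts from one requester in WINDOW
        for i, first in enumerate(reqs):
            window = [r for r in reqs[i:] if parse_time(r) - parse_time(first) <= WINDOW]
            services = {r["ServiceName"] for r in window}
            if len(services) >= SPN_ROAST_THRESHOLD:
                alerts.append({"rule": "many-spns", "requester": user, "ip": ip,
                               "services": sorted(services)})
                break
    return alerts


def stack(events, *fields):
    """Group-and-stack: count events by the values of the given fields."""
    return Counter(tuple(e.get(f, "-") for f in fields) for e in events)


if __name__ == "__main__":
    for a in detect_kerberoasting(EVENTS):
        print(a)
    failures = [e for e in EVENTS if e["EventID"] == 4771]
    for key, n in stack(failures, "IpAddress", "Status").most_common():
        print(key, n)
```

The honey-account rule is the cheapest and most precise of the three: nothing legitimate ever requests a ticket for an account that exists only to be found, so a single 4769 for it is worth an alert. The stacked 4771 failures from one address across different account names are the pattern behind password spraying, which the text lists among the lateral movement methods.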
A More Precise Way to Detect Windows AD and Authentication Attacks
The Active Directory settings and logs can be complex. A category of security tools has been developed to help cyber security teams perform the complex analysis of Active Directory configurations and logs that this requires. One of the most popular of these tools on the market is Tenable Active Directory (AD), since renamed Tenable Identity Exposure.
Two things Tenable Identity Exposure does are:
Auditing settings for insecure configurations. These are referred to as Indicators of Exposure (IoEs).
Alerting on suspicious activity (e.g., Kerberoasting, DCSync). These are referred to as Indicators of Attack (IoAs).
Secure AD settings
Account tiering (Red Forest architecture)