Active Directory in the crosshairs

Microsoft Active Directory (not to be confused with Azure Active Directory!) is perhaps the most ubiquitous piece of infrastructure software worldwide. It is the directory service included in Windows Server operating systems and used for centralized domain management and other identity services. Many other technologies and products are dependent or integrated with it: from Group Policy and printing services, over DNS to Exchange and Sharepoint servers. Protocols such as SMB (or CIFS) used for communicating with domain member clients (such as Windows laptops) are all enabled by Active Directory.

Precisely because of its popularity but also ageing technology, Active Directory (AD) opens up a huge opportunity for threat actors to move laterally, by exploiting various Active Directory related vulnerabilities and misconfigurations. Successful attacks such as the one against Maersk have in large part been enabled and enhanced by global AD deployments. In fact, AD imposes a very costly and heavy burden on administrators as it must be scanned, secured and maintained 24/7. Once an attacker gains a foothold via phishing and logs into a domain member computer, it is often very hard to prevent lateral movement, elevation of privileges or vulnerability exploitation.

Tenable, a security company, is doing a good job at highlighting the AD weaknesses used by attackers and ransomware operators in particular. In its Ransomware Ecosystem whitepaper, Tenable identifies that Active directory plays a pivotal role in ransomware attacks. Once inside, the attackers often set their sights on Active Directory, as gaining domain privileges provides attackers the necessary capabilities to distribute their ransomware payloads across the entire network.

As documented by the DFIR Report, AD is a huge enabler: the attackers are nowadays able to own and ransom an entire organizational AD domain within 2 hours since the initial phishing email, leveraging vulnerabilities and popular tools along the way.