Cybersecurity agencies in the United States and other countries are urging organizations to harden the security around Microsoft’s Active Directory (AD) solution, which has become a prime target of hackers looking to compromise enterprise networks.
CISA and the FBI joined with counterparts from Canada, the UK, Australia, and New Zealand in issuing a recent report that detailed more than a dozen techniques that threat actors use when targeting Active Directory and steps organizations can take to protect against them.
The agencies – which make up the Five Eyes intelligence alliance – noted that Active Directory is the most widely used authentication and authorization tool in enterprise networks. Its ubiquity in IT environments, combined with its complex nature, makes it an attractive target for cybercriminal organizations.
“It is routinely targeted as part of malicious activity on enterprise IT networks,” they wrote in the report. “Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory.”
Every AD user has enough permission within Active Directory to enable them to both identify and exploit its weaknesses, creating an attack surface that is both large and difficult to defend, according to the report. The agencies also described the “complexity and opaqueness” of relationships within AD between users and systems.
“It is often these hidden relationships, which are overlooked by organisations, that malicious actors exploit, sometimes in trivial ways, to gain complete control over an organisation’s enterprise IT network,” they wrote.
Bad actors that get control of an enterprise’s AD can gain privileged access to all systems and users that the tool manages, giving them multiple avenues for running their attacks. With this access, they can bypass controls and access systems like email, file servers, and key business applications. They also can reach cloud environments and services through Active Directory’s integration with Microsoft’s cloud-based identity service, Entra ID.
“This allows users to access cloud-based systems and services,” the agencies wrote. “However, it can also be exploited by malicious actors to maintain and expand their access. Gaining control of Active Directory can enable malicious actors with a range of intentions, whether they be cyber criminals seeking financial gain or nation states conducting cyber espionage, to obtain the access they need to achieve their malicious objectives in the victim’s network.”
There are other ways hackers can leverage AD to compromise organizations, including establishing persistence in their IT systems. Through this persistence, they can remotely log into organizations, bypass multi-factor authentication (MFA) controls, and remain undetected in Active Directory for months or years. Getting them out of it can be costly and time-consuming, possibly requiring such actions as resetting all users’ passwords or rebuilding Active Directory.
They also noted that there are multiple services within AD, including Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), and Active Directory Certificate Services (AD CS).
“These services provide multiple authentication options, including smart card logon, as well as single sign-on with on-premises and cloud-based services,” the agencies wrote.
Active Directory has long been known as a popular target of threat groups. SentinelOne two years ago wrote that the AD infrastructure “continues to be a key element in ransomware campaigns and post-compromise extortion, representing a significant threat to businesses. With the time between initial breach and impact being so short in a ransomware attack, the main area of concern for businesses is the challenge of quick detection.”
Ransomware and other groups see AD “as a neat gateway into the entirety of a network,” the cybersecurity firm wrote. “Compromising AD allows adversaries to move laterally through the rest of the network, escalate privileges, obtain administrative access rights, and ultimately, encrypt and exfiltrate sensitive data.”
Semperis last year wrote about protecting Active Directory from Kerberoasting, a technique used by threat groups to exploit the Kerberos authentication protocol to extract service account credentials. It’s a common attack vector because it’s difficult to detect and protect against, according to the company.
“Kerberos is engineered for both security and efficiency,” Semperis wrote. “However, its strength hinges on the confidentiality of the encryption keys that secure tickets during the authentication phase. If attackers manage to acquire these encryption keys (passwords), they can craft their own tickets, giving them a gateway to privileged information and network assets.”
The Five Eyes agencies noted a range of compromise techniques hackers use, from password spraying (a brute-force attack using a list of common passwords) to compromising Group Policy Preferences passwords or AD Certificate Servers and creating golden certificates, a persistence tactic.
They also outlined how to detect and mitigate the attacks. This includes using canary objects – fake files or folders used to detect unauthorized access, copying, or data modifications – in AD.
“The benefit of this technique is that it does not rely on correlating event logs, providing a strong indication a compromise has happened,” the agencies wrote. “Notably, this technique does not rely on detecting the tooling used by malicious actors (like some other detection techniques do), but instead detects the compromise itself. As such, it is more likely to accurately detect compromises against Active Directory.”
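As an added illustration of the canary-object approach (this is example code, not from the report or the article), the check below runs simplified, constructed Windows Security event lines (4662 object access and 4769 Kerberos service-ticket requests) against a list of decoy AD objects; the object DNs, account names and one-line log format are assumptions.

```python
import re

# Constructed canary set: decoy AD objects that no legitimate workflow should ever touch.
# A decoy account with an SPN also catches Kerberoasting, since requesting its service
# ticket (event 4769) is itself the signal; no log correlation is needed.
CANARY_OBJECTS = {
    "CN=svc-backup-legacy,OU=Service Accounts,DC=corp,DC=example": "decoy SPN account",
    "CN=Finance-Admins-Old,OU=Groups,DC=corp,DC=example": "decoy privileged group",
}

# Constructed, simplified one-line renderings of Security events (field=value pairs).
SAMPLE_EVENTS = [
    'EventID=4662 SubjectUserName=jsmith ObjectName="CN=Printers,OU=Resources,DC=corp,DC=example" AccessMask=0x100',
    'EventID=4662 SubjectUserName=jsmith ObjectName="CN=Finance-Admins-Old,OU=Groups,DC=corp,DC=example" AccessMask=0x100',
    'EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc-backup-legacy TicketEncryptionType=0x17 IpAddress=10.0.0.45',
    'EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=fileserver01$ TicketEncryptionType=0x12 IpAddress=10.0.0.45',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Parse key=value pairs; quoted values (such as DNs with spaces and commas) stay whole."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def canary_cn_map():
    """Map the leaf CN of each canary DN (lower-cased) to its DN for matching Kerberos service names."""
    return {dn.split(",")[0].split("=", 1)[1].lower(): dn for dn in CANARY_OBJECTS}

def canary_alerts(lines):
    """Return one alert per event that touches a canary object; each single event is sufficient."""
    cn_map = canary_cn_map()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "4662" and ev.get("ObjectName") in CANARY_OBJECTS:
            alerts.append({"event": eid, "actor": ev.get("SubjectUserName"),
                           "object": ev["ObjectName"], "why": CANARY_OBJECTS[ev["ObjectName"]]})
        elif eid == "4769":
            svc = ev.get("ServiceName", "").rstrip("$").lower()
            if svc in cn_map:
                alerts.append({"event": eid, "actor": ev.get("TargetUserName"),
                               "object": cn_map[svc], "why": CANARY_OBJECTS[cn_map[svc]],
                               # 0x17 is RC4, the ticket type Kerberoasting typically requests
                               "weak_crypto": ev.get("TicketEncryptionType") == "0x17"})
    return alerts

if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_EVENTS):
        print(alert)
```

A real deployment needs a SACL on each decoy object so that 4662 is actually generated, and the decoy DNs should be kept out of any documentation an intruder could read.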
They pointed to commercial and open source tools enterprises can use to protect AD, including BloodHound for identifying misconfigurations and other weaknesses that can be exploited, Netwrix PingCastle, which creates an AD security report, and Purple Knight, which similarly provides security information about an AD environment.