The “Active Directory Kill Chain Attack & Defense” concept is a structured approach to understanding the sequence of events or stages involved in an Active Directory (AD) attack and the corresponding defensive measures to counteract or prevent such attacks. Microsoft developed the service Active Directory for Windows domain networks for user and resource management in corporate settings.
Here’s a breakdown of a typical Active Directory kill chain attack and its defense:
Attack: An attacker gathers information about the target network, structure, domain names, machine names, and user accounts.
Defense: Limit information exposure. Use network segmentation and monitor directory visibility.
Attack: The attacker exploits vulnerabilities to gain initial access. This could be through phishing, exploiting weak passwords, or unpatched vulnerabilities.
Defense: Implement strong password policies, regular patching, employee awareness training, and use of multi-factor authentication.
Attack: Once access is gained, the attacker establishes a foothold by creating backdoors, creating new accounts, or installing malware.
Defense: Use endpoint detection and response tools, regularly audit accounts and permissions, and monitor for unusual activities.
Attack: The attacker attempts to gain higher-level privileges, often targeting administrator accounts or exploiting system vulnerabilities.
Defense: Apply the principle of least privilege, conduct regular privilege audits, and use privileged access management solutions.
Attack: With higher privileges, the attacker explores the network more deeply to identify high-value targets (like domain controllers).
Defense: Network segmentation, monitor network traffic, and use intrusion detection systems.
Attack: The attacker moves through the network, accessing other systems and potentially spreading malware.
Defense: Implement strict access controls, monitor lateral movements, and employ network security tools.
Maintain Presence:
Attack: Attackers establish methods to maintain their presence within the network, even if some of their access points are discovered and closed.
Defense: Continuous monitoring, regular network scans, and incident response plans.
Attack: The attacker achieves their goal, which could be data exfiltration, data encryption for ransom, or causing operational disruption.
Defense: Data loss prevention tools, regular backups, and a comprehensive incident response strategy.
Understanding and defending against each stage of the Active Directory kill chain requires a combination of technical controls, security policies, and ongoing user education. Continuous monitoring, rapid incident response, and regular reviews of security practices are essential in mitigating the risks of such attacks.
Here, we are elaborating on the tactics, techniques, and procedures (TTPs) attackers leverage to compromise active directory and guidance to mitigation, detection, and prevention. And understand Active Directory Kill Chain Attack and Modern Post Exploitation Adversary Tradecraft Activity.
A thorough checklist is vital for securing Active Directory (AD) from threats. This is a methodical approach:
Update and Patch Regularly: Make that all systems, particularly those using Active Directory, are patched and up-to-date with the most recent security updates on a regular basis.
Domain Controllers (DCs) that are physically secure and whose responsibilities are restricted to AD services are known as secure domain controllers. Stay away from alternative uses for DCs.
Establish Robust Policies Regarding Passwords: Passwords should be complicated and changed frequently. To enhance security, you might consider using passphrases and multi-factor authentication (MFA).
Keep an eye on user accounts: If you see any that aren’t being utilized, or have excessive rights, deactivate them.
Limit Privileged Accounts: Reducing the number of users with administrative access is an important security measure. Limit user access to just what their job description requires by the concept of least privilege.
Monitor and Audit Logins and Activities: Implement measures to monitor and audit all logins and activities, notably those using privileged accounts. Keep an eye out for anything out of the ordinary that could suggest an assault is underway.
Secure Network Access to AD: Safeguard Active Directory by Restricting Access to Servers on the Network. Block all but necessary users from accessing the network by using firewalls and segmenting the network.
Use Organizational Units and Group Policies: Apply Group Policies for security settings and organize resources in Organizational Units (OUs) to ensure that the network’s security configurations are consistent.
Data backup and disaster recovery: Back up Active Directory regularly and prepare for the worst. Regularly evaluate your backup and recovery processes.
User Education: Educate employees on how to spot and avoid phishing and other social engineering threats. Raising awareness can greatly lessen the likelihood of successful assaults.
Perform security audits of your Active Directory environment regularly and check for compliance with applicable security standards and best practices.
Think About Deploying Cutting-Edge Security Solutions: Think About Deploying Cutting-Edge Security Solutions Like SIEM, IDS/IPS, and Endpoint Protection Platforms.
Strengthen Active Directory configuration: Implement recommended security measures for Active Directory setup, such as protecting the Lightweight Directory Access Protocol (LDAP) and mandating Server Message Block (SMB) signature wherever feasible.
Physical Access Control: Limit physical access to servers and other network equipment to authorized persons only.
Keep Up-to-Date on Emerging Threats: Keep yourself apprised of emerging threats by reading up on new attack vectors and vulnerabilities that might impact AD. Then, modify your security procedures appropriately.
If you want to keep your Active Directory system secure, you need to review and update this checklist often to account for new threats and organizational changes.
| CVE | Title | Description | Link |
|---|---|---|---|
| CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability | An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 |
| CVE-2019-1040 | Windows NTLM Tampering Vulnerability | A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka ‘Windows NTLM Tampering Vulnerability’. | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040 |
| CVE-2019-0683 | Active Directory Elevation of Privilege Vulnerability | An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka ‘Active Directory Elevation of Privilege Vulnerability’. | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683 |
| CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability | A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’. | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 |
| CVE-2018-8581 | Microsoft Exchange Server Elevation of Privilege Vulnerability | An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka “Microsoft Exchange Server Elevation of Privilege Vulnerability.” This affects Microsoft Exchange Server. | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8518 |
| CVE-2017-0143 | Windows SMB Remote Code Execution Vulnerability | The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability.” This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148. | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143 |
| CVE-2016-0128 | Windows SAM and LSAD Downgrade Vulnerability | The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka “Windows SAM and LSAD Downgrade Vulnerability” or “BADLOCK.” | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0128 |
| CVE-2014-6324 | Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) | The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka “Kerberos Checksum Vulnerability.” | https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068 |
| CVE-2014-1812 | Vulnerability in Group Policy Preferences could allow elevation of privilege | The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle the distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka “Group Policy Preferences Password Elevation of Privilege Vulnerability.” | https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati |
| Attack | Event ID |
|---|---|
| Account and Group Enumeration | 4798: A user’s local group membership was enumerated 4799: A security-enabled local group membership was enumerated |
| AdminSDHolder | 4780: The ACL was set on accounts which are members of administrators groups |
| Kekeo | 4624: Account Logon 4672: Admin Logon 4768: Kerberos TGS Request |
| Silver Ticket | 4624: Account Logon 4634: Account Logoff 4672: Admin Logon |
| Golden Ticket | 4624: Account Logon 4672: Admin Logon |
| PowerShell | 4103: Script Block Logging 400: Engine Lifecycle 403: Engine Lifecycle 4103: Module Logging 600: Provider Lifecycle |
| DCShadow | 4742: A computer account was changed 5137: A directory service object was created 5141: A directory service object was deleted 4929: An Active Directory replica source naming context was removed |
| Skeleton Keys | 4673: A privileged service was called 4611: A trusted logon process has been registered with the Local Security Authority 4688: A new process has been created 4689: A new process has exited |
| PYKEK MS14-068 | 4672: Admin Logon 4624: Account Logon 4768: Kerberos TGS Request |
| Kerberoasting | 4769: A Kerberos ticket was requested |
| S4U2Proxy | 4769: A Kerberos ticket was requested |
| Lateral Movement | 4688: A new process has been created 4689: A process has exited 4624: An account was successfully logged on 4625: An account failed to log on |
| DNSAdmin | 770: DNS Server plugin DLL has been loaded 541: The setting serverlevelplugindll on scope . has been set to <dll path>150: DNS Server could not load or initialize the plug-in DLL |
| DCSync | 4662: An operation was performed on an object |
| Password Spraying | 4625: An account failed to log on 4771: Kerberos pre-authentication failed 4648: A logon was attempted using explicit credentials |
Source & Credits: @infosecn1nja