In our previous blog, we delved into Active Directory, its functionality, and significance. Now, let's explore the Top 10 Active Directory Attacks and their methodologies.
1. Password Spraying
Attackers try a small set of commonly used passwords against many user accounts, rather than many passwords against one account, to evade detection.
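As an added example (not from the original post), the following Python check runs over constructed Windows Security event ID 4625 (failed logon) records and separates the spraying pattern, one source failing against many accounts, from the ordinary one, a single account failing repeatedly. The record field names are reduced from the event's XML, and the sample records, thresholds and window length are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event ID 4625 (failed logon) records, reduced to the
# fields this check needs. Account names, addresses and times are invented for the example.
SAMPLE_4625 = [
    # One source tries a password against six different accounts inside two minutes.
    {"time": "2024-05-01T09:00:01", "TargetUserName": "alice", "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"},
    {"time": "2024-05-01T09:00:04", "TargetUserName": "bob",   "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"},
    {"time": "2024-05-01T09:00:07", "TargetUserName": "carol", "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"},
    {"time": "2024-05-01T09:00:11", "TargetUserName": "dave",  "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"},
    {"time": "2024-05-01T09:00:15", "TargetUserName": "erin",  "IpAddress": "10.0.0.50", "SubStatus": "0xC0000064"},
    {"time": "2024-05-01T09:01:02", "TargetUserName": "frank", "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"},
    # A user who mistypes their own password a few times: one account, one source.
    {"time": "2024-05-01T09:05:00", "TargetUserName": "grace", "IpAddress": "10.0.0.77", "SubStatus": "0xC000006A"},
    {"time": "2024-05-01T09:05:20", "TargetUserName": "grace", "IpAddress": "10.0.0.77", "SubStatus": "0xC000006A"},
    {"time": "2024-05-01T09:05:45", "TargetUserName": "grace", "IpAddress": "10.0.0.77", "SubStatus": "0xC000006A"},
    # A failure from the spraying source hours later: outside the window, must not be counted.
    {"time": "2024-05-01T11:30:00", "TargetUserName": "heidi", "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"},
]

# SubStatus codes that mean a credential guess (bad password, unknown user) rather than a
# policy failure such as a locked, expired or disabled account.
GUESS_SUBSTATUS = {"0xC000006A", "0xC0000064"}


def _guess_attempts(events):
    """Yield (source ip, account, timestamp) for every failure that looks like a guess."""
    for e in events:
        if e["SubStatus"] in GUESS_SUBSTATUS:
            yield e["IpAddress"], e["TargetUserName"], datetime.fromisoformat(e["time"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source ip: sorted accounts} for each source whose failures touch at least
    `min_accounts` distinct accounts inside some interval of length `window`."""
    by_source = defaultdict(list)
    for src, user, t in _guess_attempts(events):
        by_source[src].append((t, user))

    findings = {}
    for src, attempts in by_source.items():
        attempts.sort()
        # Slide a window forward from every attempt and count the distinct accounts inside it.
        for start in range(len(attempts)):
            t0 = attempts[start][0]
            accounts = set()
            for t, user in attempts[start:]:
                if t - t0 > window:
                    break
                accounts.add(user)
            if len(accounts) >= min_accounts:
                findings[src] = sorted(accounts)
                break
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=3):
    """The complementary pattern: repeated failures against one account from one source."""
    times = defaultdict(list)
    for src, user, t in _guess_attempts(events):
        times[(src, user)].append(t)
    hits = []
    for (src, user), ts in times.items():
        ts.sort()
        for i, t0 in enumerate(ts):
            if sum(1 for t in ts[i:] if t - t0 <= window) >= min_attempts:
                hits.append((src, user))
                break
    return hits


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_4625))
    print(detect_brute_force(SAMPLE_4625))
```

The point of keeping both checks is that spraying is designed to stay under the per-account threshold that the second check (and an account lockout policy) enforces; only a per-source view across accounts exposes it. In a real deployment the window and account count need tuning against the environment's baseline, and the same logic applies to event 4771 (Kerberos pre-authentication failed) on domain controllers.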
2. Pass-the-Hash
Attackers authenticate to systems and services with stolen password hashes, bypassing the need for the plaintext passwords.
3. Kerberoasting
Attackers target Kerberos ticket-granting tickets to extract password hashes of domain user accounts, which can then be cracked offline.
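As an added example (not from the original post), here is a Python detection over constructed event ID 4769 (Kerberos service ticket requested) records from a domain controller. It flags an account that requests tickets for many distinct SPN-bearing user accounts in a short window, counts how many of those tickets used RC4 (the encryption type an offline cracker prefers), and separately checks for requests against a decoy service account. The field names are reduced from the event's XML; the records, the decoy name and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Value of the TicketEncryptionType field for RC4-HMAC tickets; 0x12 is AES256.
RC4_HMAC = "0x17"

# Constructed sample of event ID 4769 records, reduced to the fields this check needs;
# account names, addresses and times are invented for the example.
SAMPLE_4769 = [
    # Ordinary activity: a user reaching a file server and one SQL service with AES tickets.
    {"time": "2024-05-01T08:00:00", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",   "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    {"time": "2024-05-01T08:00:05", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    # Suspicious: one account requests RC4 tickets for many SPN-bearing user accounts in seconds.
    {"time": "2024-05-01T08:10:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.33"},
    {"time": "2024-05-01T08:10:01", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",    "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.33"},
    {"time": "2024-05-01T08:10:01", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.33"},
    {"time": "2024-05-01T08:10:02", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sccm",   "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.33"},
    {"time": "2024-05-01T08:10:02", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FS01$",      "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.33"},
]

# Constructed decoy: an SPN-bearing account that exists only to be requested. Nothing legitimate
# should ever ask for a ticket to it, so a single 4769 naming it is a high-confidence alert.
DECOY_SERVICES = {"svc_backup"}


def crackable_service(name):
    """Only tickets for user accounts are worth cracking: computer accounts (trailing '$') have
    long random passwords, and krbtgt is the TGT service rather than a target."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {requesting account: {'services': [...], 'rc4_tickets': n}} for accounts that
    requested tickets for at least `min_services` distinct crackable services within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if crackable_service(e["ServiceName"]):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["ServiceName"], e["TicketEncryptionType"]))

    findings = {}
    for user, requests in by_user.items():
        requests.sort()
        for start in range(len(requests)):
            t0 = requests[start][0]
            services, rc4 = set(), 0
            for t, service, etype in requests[start:]:
                if t - t0 > window:
                    break
                services.add(service)
                rc4 += etype == RC4_HMAC
            if len(services) >= min_services:
                findings[user] = {"services": sorted(services), "rc4_tickets": rc4}
                break
    return findings


def decoy_requests(events, decoys=DECOY_SERVICES):
    """Return (requesting account, decoy service) pairs; any hit is worth an alert on its own."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events if e["ServiceName"] in decoys]


if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_4769))
    print(decoy_requests(SAMPLE_4769))
```

Because event 4769 is one of the noisiest events a domain controller produces, the volume-based check works best when an environment has already moved its service accounts to AES, so that an RC4 request for a user-account SPN stands out on its own. The lasting mitigation is to give SPN-bearing accounts long random passwords (group managed service accounts do this automatically), which makes a captured ticket uncrackable regardless of how it was requested.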
4. Golden Ticket
Attackers forge Kerberos tickets with unlimited access privileges, gaining persistent access to domain resources.
Methodology:
Attackers first gain access to a domain controller and extract the NTLM hash of the KRBTGT account, which lets them mint valid Kerberos tickets with arbitrary group memberships and privileges.
5. Silver Ticket
Similar to golden ticket attacks, attackers forge Kerberos service tickets for specific services to access targeted resources without ever authenticating to a domain controller.
Methodology:
Attackers obtain a service account's NTLM hash and use it to forge Kerberos service tickets, granting access to that service without authenticating to the domain controller.
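As an added example covering both the golden and the silver ticket sections above (not from the original post), the Python below correlates constructed domain controller events 4768 (TGT issued) and 4769 (service ticket requested) with constructed 4624 (logon) events from a member server. A forged TGT is never issued by a DC, so a service ticket request backed by it has no matching 4768; a forged service ticket never touches a DC at all, so the Kerberos logon it produces on the service host has no matching 4769. The account inventory, the records and the ten-hour lifetime (the default domain Kerberos policy) are assumptions for the example.

```python
from datetime import datetime, timedelta

# Default domain Kerberos policy: tickets are valid for 10 hours. Used as the longest gap accepted
# between a ticket being issued by a DC and being used.
MAX_TICKET_LIFETIME = timedelta(hours=10)

# Constructed inventory of accounts that exist in the directory. A forged ticket can carry any name.
KNOWN_ACCOUNTS = {"alice", "bob", "administrator", "WEB01$", "DC01$"}

# Constructed event ID 4768 (TGT issued) records, gathered from every domain controller.
SAMPLE_4768 = [
    {"time": "2024-05-01T07:55:00", "TargetUserName": "alice", "Status": "0x0"},
    {"time": "2024-04-30T10:00:00", "TargetUserName": "bob",   "Status": "0x0"},  # 22 h before bob's next 4769
]

# Constructed event ID 4769 (service ticket requested) records from the same domain controllers.
SAMPLE_4769 = [
    {"time": "2024-05-01T08:00:00", "TargetUserName": "alice",   "ServiceName": "WEB01$"},
    {"time": "2024-05-01T08:30:00", "TargetUserName": "mallory", "ServiceName": "DC01$"},   # no TGT ever issued; name not in AD
    {"time": "2024-05-01T08:45:00", "TargetUserName": "bob",     "ServiceName": "WEB01$"},  # TGT far older than policy allows
]

# Constructed event ID 4624 (logon) records from member server WEB01, Kerberos logons only.
SAMPLE_4624_WEB01 = [
    {"time": "2024-05-01T08:00:02", "TargetUserName": "alice",         "AuthenticationPackageName": "Kerberos"},
    {"time": "2024-05-01T09:10:00", "TargetUserName": "administrator", "AuthenticationPackageName": "Kerberos"},  # no DC issued this ticket
]


def _issued_before(issue_events, user, when, max_age=MAX_TICKET_LIFETIME, **match):
    """True if an issuance record for `user`, whose fields equal every `match` item, exists at most
    `max_age` before `when`."""
    for e in issue_events:
        if e["TargetUserName"] != user or any(e.get(k) != v for k, v in match.items()):
            continue
        age = when - datetime.fromisoformat(e["time"])
        if timedelta(0) <= age <= max_age:
            return True
    return False


def tgs_without_tgt(tgs_events, tgt_events, known_accounts=KNOWN_ACCOUNTS):
    """Golden ticket hallmark: a service ticket requested with a TGT no DC issued, or for a name
    that does not exist. Returns (user, time, reasons) for each suspicious 4769."""
    findings = []
    for e in tgs_events:
        when = datetime.fromisoformat(e["time"])
        reasons = []
        if e["TargetUserName"] not in known_accounts:
            reasons.append("account does not exist in AD")
        if not _issued_before(tgt_events, e["TargetUserName"], when, Status="0x0"):
            reasons.append("no TGT issued within ticket lifetime")
        if reasons:
            findings.append((e["TargetUserName"], e["time"], reasons))
    return findings


def logons_without_tgs(logon_events, tgs_events, service_account):
    """Silver ticket hallmark: a Kerberos logon on the service host for which no DC logged a 4769
    naming that host's account. Returns (user, time) for each such 4624."""
    return [
        (e["TargetUserName"], e["time"])
        for e in logon_events
        if e["AuthenticationPackageName"] == "Kerberos"
        and not _issued_before(tgs_events, e["TargetUserName"], datetime.fromisoformat(e["time"]),
                               ServiceName=service_account)
    ]


if __name__ == "__main__":
    print(tgs_without_tgt(SAMPLE_4769, SAMPLE_4768))
    print(logons_without_tgs(SAMPLE_4624_WEB01, SAMPLE_4769, "WEB01$"))
```

Two caveats for real use: the 4768 and 4769 streams must be collected from every domain controller, or legitimate tickets issued elsewhere will be flagged, and TGT renewals (event 4770) extend a ticket's usable life beyond the policy window, which this example ignores. The mitigation the methodology implies is rotating the KRBTGT password twice, since any golden ticket minted from the old hash stops validating once both the current and the previous key have changed.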
6. DCShadow
Attackers modify Active Directory objects, injecting changes that replicate to other domain controllers and compromise the integrity of the directory service.
Methodology:
Attackers use Mimikatz or similar tools to inject malicious changes into the Active Directory database, which are then replicated to the other domain controllers.
7. DCSync
Attackers impersonate domain controller replication requests to retrieve password data from Active Directory objects, extracting sensitive information such as password hashes.
Methodology:
Attackers use Mimikatz or similar tools to simulate domain controller replication requests, retrieving password data without alerting security mechanisms.
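As an added example covering both the DCShadow and the DCSync sections above (not from the original post), the Python below runs two checks over constructed domain controller events. For DCSync it looks at event 4662 for a principal exercising the directory replication extended rights that is neither a domain controller nor a known synchronisation account; for DCShadow it looks at event 4742 for a non-DC computer account that registers the service principal names a rogue replica needs (the Global Catalog SPN and the Directory Replication Service interface GUID). The replication right GUIDs and SPN prefixes are the real published values; the allow-lists, record layouts and sample records are assumptions for the example.

```python
import re

# Extended rights that authorise directory replication. Exercising them against the domain
# object returns password data, which is what a DCSync request does.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # AccessMask value in event 4662 for an extended (control access) right

# SPN prefixes a host registers to pose as a domain controller: the Global Catalog SPN and the
# Directory Replication Service RPC interface GUID.
DC_SPN_PREFIXES = ("GC/", "E3514235-4B06-11D1-AB04-00C04FC2DCD2/")

# Constructed allow-list for the example: the real domain controllers and the one service account
# that legitimately replicates (a directory synchronisation connector). Fill from your inventory.
KNOWN_DCS = {"DC01$", "DC02$"}
REPLICATION_SERVICE_ACCOUNTS = {"svc_adsync"}

REPL_PROPS = "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed event ID 4662 (operation performed on an object) records. `Properties` keeps the
# logged shape of a property-set token followed by GUIDs in braces; values are invented.
SAMPLE_4662 = [
    {"time": "2024-05-01T10:00:00", "SubjectUserName": "DC02$",      "AccessMask": CONTROL_ACCESS, "Properties": REPL_PROPS},
    {"time": "2024-05-01T10:05:00", "SubjectUserName": "svc_adsync", "AccessMask": CONTROL_ACCESS, "Properties": REPL_PROPS},
    {"time": "2024-05-01T10:15:00", "SubjectUserName": "jdoe",       "AccessMask": CONTROL_ACCESS, "Properties": REPL_PROPS},
    # An ordinary attribute read by the same user; the GUID is a constructed placeholder.
    {"time": "2024-05-01T10:20:00", "SubjectUserName": "jdoe",       "AccessMask": "0x10",
     "Properties": "%%7688 {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
]

# Constructed event ID 4742 (computer account changed) records; ServicePrincipalNames holds the
# attribute's new value as logged, one SPN per line. The second SPN's instance GUID is a placeholder.
SAMPLE_4742 = [
    {"time": "2024-05-01T11:00:00", "SubjectUserName": "jdoe", "TargetUserName": "WS42$",
     "ServicePrincipalNames": "GC/WS42.corp.local/corp.local\n"
                              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/00000000-constructed/corp.local\n"
                              "HOST/WS42"},
    {"time": "2024-05-01T11:30:00", "SubjectUserName": "DC01$", "TargetUserName": "DC01$",
     "ServicePrincipalNames": "GC/DC01.corp.local/corp.local\nHOST/DC01"},
    {"time": "2024-05-01T11:45:00", "SubjectUserName": "admin", "TargetUserName": "WS43$",
     "ServicePrincipalNames": "HOST/WS43\nHOST/WS43.corp.local"},  # a normal join or rename
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


def detect_dcsync(events, known_dcs=KNOWN_DCS, allowed=REPLICATION_SERVICE_ACCOUNTS):
    """Return (subject, time, rights) for every 4662 where a principal outside the allow-lists
    exercised a replication right."""
    findings = []
    for e in events:
        if e["AccessMask"] != CONTROL_ACCESS:
            continue
        rights = sorted(REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(e["Properties"])
                        if g.lower() in REPLICATION_RIGHTS)
        subject = e["SubjectUserName"]
        if rights and subject not in known_dcs and subject not in allowed:
            findings.append((subject, e["time"], rights))
    return findings


def detect_dcshadow(events, known_dcs=KNOWN_DCS):
    """Return (computer, changed by, SPNs) for every 4742 where a non-DC computer account gained
    a domain controller SPN."""
    findings = []
    for e in events:
        if e["TargetUserName"] in known_dcs:
            continue
        spns = [s for s in e["ServicePrincipalNames"].splitlines() if s.upper().startswith(DC_SPN_PREFIXES)]
        if spns:
            findings.append((e["TargetUserName"], e["SubjectUserName"], spns))
    return findings


if __name__ == "__main__":
    print(detect_dcsync(SAMPLE_4662))
    print(detect_dcshadow(SAMPLE_4742))
```

Event 4662 only records replication-right use when the domain object's SACL audits it, so the DCSync check depends on that auditing being configured first. The DCShadow check catches the registration step; a rogue replica also shows up as an nTDSDSA object appearing under a non-DC server in the Configuration partition, which is a second place to watch.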
8. BloodHound
Attackers use BloodHound, an Active Directory reconnaissance tool, to identify and exploit security weaknesses within Active Directory environments.
Methodology:
Attackers perform reconnaissance to identify vulnerable user accounts, group memberships, and trust relationships, then leverage this information to escalate privileges and move laterally within the network.
9. Pass-the-Ticket
Attackers use stolen Kerberos tickets to access network resources without needing the user's password. The attack abuses the Kerberos authentication system to impersonate legitimate users and gain unauthorized access to systems.
Methodology:
Attackers first obtain a valid Kerberos Ticket Granting Ticket (TGT) or service ticket from a compromised system. They then inject the stolen ticket into a different system or session, enabling them to impersonate the legitimate user and access resources with that user's privileges.
10. Trust Relationship Abuse
Attackers exploit insecure trust relationships between domains to gain unauthorized access across domain boundaries, facilitating lateral movement and privilege escalation.
Methodology:
Attackers exploit weak or misconfigured trust relationships between domains to gain unauthorized access to resources in trusted domains, allowing them to move laterally and escalate privileges within the network.
Happy Learning!!