Cover
Horizon Security
PostPost

Active Directory Cyber Security

Horizon Security offers tailored technical Active Directory security assessments, organizations can have a comprehensive analysis of their Active Directory ecosystem, understand all the possible attack paths and the countermeasures to adopt to run their business in a security fashion.

Active Directory (AD) is the Microsoft enterprise product adopted by the majority of the companies to manage their internal directory-based and identity-related services.

In a Windows-based environment, almost every application is integrated with Active Directory for authentication, resource access, and single sign-on. It is one of the most critical components of an enterprise IT infrastructure.

It is not surprising that AD is a prime target in cyberattacks.


Installing the latest security patch does not mean having a secure system. More and more adversaries' strategies are leveraging misconfigurations to compromise internal networks and perform malicious activities.

The Active Directory deployments of most organizations are insecure and vulnerable to known exploits, but even if a company has a fully patched environment, administrators have to deal with complex sets of different configurations. Due to lack of time and misleading tools, even seasoned IT administrators deploy insecure configurations that could lead to potential breaches.

Active Directory Resilience

Microsoft tools do not help system administrators to have a clear view of their entire infrastructure, security configurations, users, groups, joined servers, GPOs, ACLs and trusts between domains or forests. All these components may carry security misconfigurations introduced in the past and dragged unconsciously until nowadays.

Horizon Security Active Directory Resilience service builds a map of your Active Directory ecosystem. It will identify critical assets, trusts, security misconfigurations and build potential breach paths.
With a clear view of the Active Directory infrastructure it will be possible to quantify the security risk and select the countermeasures to adopt to harden your environment and improve your cyber resilience.

AUDIT AREAS

LOCAL ADMINISTRATORS PASSWORD
Local administrators' password of workstations and servers are not managed so well. Operating Systems are often installed with the same administrative password. If a workstation is compromised, then all workstations are compromised as well.

DOMAIN PASSWORD POLICY
Default domain password policy are not compliant with strong passwords policies. This permits users to set insecure credentials, which could be vulnerable to password spray attacks and facilitate cracking attempts.

SECURITY FEATURES NOT ENFORCED
Sometimes, security features like anti-tampering and encryption are not enforced because the consequences are not well understood. These misconfigurations may allow attackers to gain a foothold on the domain.

OVERPRIVILEGED ACCOUNTS
Sometimes, the service accounts used by know applications (e.g. Sharepoint, MSSQL, etc.) are configured with high privileges and weak passwords.

EXCESSIVE SHARING
Too often, file shares with sensitive data are overshared. Any user could access those data facilitating attackers' job.

NESTED GROUPS
Multi-level nested groups often give high privileges over a critical set of hosts to users who should not be granted to such privileges.

KERBEROS DELEGATION
Delegation allows a service to impersonate a domain user. These services are valuable targets from an attacker perspective because they can be leveraged to escalate privileges.

SECURITY BOUNDARY MISCONCEPTION
A common misconception is that a Domain is a security boundary, which is not true. Active Directory domains architecture are often built with a false sense of security which can lead to unexpected accesses to critical resources by unprivileged users.

MISCONFIGURED GPO AND ACLs
Group Policy Objects and Access Control Lists are used to manage domain assets. Sometimes specific privileges are granted to users and/or computers, which are not required by them to perform their intended functions.







Active Directory Adversary Simulation

As new countermeasures have been put in place against software exploits, adversaries are becoming more and more sophisticated. Horizon Security Adversary Simulation services mimics adversary's technology and techniques to evaluate your company's security capabilities against modern adversary tactics.

Specifically focused on Active Directory, Horizon Security AD Adversary Simulation service mimics the actions that a sophisticated adversary would take while attacking your infrastructure, from the discovery of potential paths, which lead to compromising your system via licit operations, to the exploitation of common weaknesses of the AD ecosystems.

You will understand how an attacker may break in your organization, compromise sensitive assets and establish persistence or exfiltrate large amounts of data.

CORE ATTACKS

ENUMERATION
Due to its design, attackers can leverage several techniques, such as querying licit Windows API, integrated DNS service and directory service database, to enumerate Active Directory environments. These techniques facilitate the attacker's job of gaining initial knowledge about the internal infrastructure.

PRIVILEGE ESCALATION
Privilege escalation attacks, targeting a system or a domain, are used by attackers to increase their user's privileges within the environment. Even well-hardened infrastructure may have an attack surface; process privileges, named pipes, ACLs, windows services, history and logs files if not properly configured might be leveraged by seasoned attackers to perform the aforementioned attacks.

PERSISTENCE
Persistence techniques ensure that attackers get continuous access to a previously compromised environment. One of the main techniques is Golden Ticket, where if the Kerberos service account (krbtgt) is compromised, it is possible to access all the resources protected by Kerberos authentication. An attacker can gain full control of the domain, its resources, and its users. This ''privilege'' results in a backdoor within the domain.


LATERAL MOVEMENT
The ability of gaining access to multiple machines is the key for attackers to increase their privileges inside a domain. Due to legacy protocols, such as NTLM, weak credentials, insecure configurations or disabled security features, it is possible to move laterally within the domain by bypassing security defenses.

NTLM still one of the main weaknesses for host compromise. Man-in-the-Middle (MitM) attacks allow intercepting NTLM hashes and relay them to targeted hosts (with anti-tampering features disabled).
Insecure configurations allow pass-the-hash attacks where shared credentials (usually local Administrator) can be used to get access to other hosts where remote authentication is enabled. Moreover, disabled security features let to perform pass-the-ticket attacks to extract Kerberos tickets from an operating system process memory and being able to impersonate the user for a limited amount of time.

FOREST EVASION
Security boundary misconception in multi-forest environments, if not properly configured, may expose critical assets to known attacks. Companies' acquisitions are a common scenarios where a new trust relationship between two forests is set up without considering its related security implications.