Navigating the Five Eyes Alliance’s Guide to Detecting and Mitigating Active Directory Compromises

The Five Eyes Alliance, led by the Australian Signals Directorate (ASD), recently released a key document titled Detecting and Mitigating Active Directory Compromises, highlighting the rise in ransomware attacks on Active Directory environments, especially in the APAC region. In this blog, we’ll examine some of the most common compromises described in the guidance, and highlight how Silverfort can help.

What is the Detecting and Mitigating Active Directory Compromises Guidance?

The guidance on Detecting and Mitigating Active Directory Compromises outlines common tactics, techniques, and procedures (TTPs) used by attackers to breach Active Directory infrastructure, and provides mitigation strategies. This guidance is a timely response to the growing reliance on identity threats in ransomware attacks in APAC, including some notable breaches: 

The MediSecure Ransomware Attack (November 2023, Revealed July 2024)

MediSecure, a digital prescription company based in Australia, experienced a ransomware attack last year that exposed health and personal information of nearly 13 million people. This also resulted in the company filing for insolvency. The breach appeared to originate from one of MediSecure’s third-party vendors, suggesting the attackers may have gained access to MediSecure’s data using compromised credentials.

Port of Nagoya Ransomware Attack (July 2023)

An attack attributed to the LockBit group disrupted trade and logistics in Port of Nagoya, the busiest shipping port in Japan – a major hub for car exports and an important engine for the Japanese economy. Two days were lost to the attack, which restricted the port’s ability to receive shipping containers. While it has not been publicly disclosed how LockBit gained initial access, their ransomware strategy is typically based on phishing emails and purchasing stolen credentials. As soon as they gain access to the network, they move laterally, extract additional credentials, escalate privileges, broaden their access, and encrypt critical data. In this case, the Nagoya United Terminal System (NUTS), which manages container operations, was compromised. The ransom note left by the attackers claimed that data from NUTS had been encrypted and a ransom was demanded.

The ICBC Attack (November 2023)

The Industrial and Commercial Bank of China (ICBC), the world’s largest lender by assets, was hit by a ransomware attack directed at the bank’s financial services division, U.S. ICBC Financial Services. It was reported that the attack had caused major disruptions to Treasury Trades. According to reports, the attackers gained unauthorized access to ICBC by exploiting a Citrix NetScaler ADC and NetScaler Gateway vulnerability named “Citrix Bleed”. Exploitation of this vulnerability, warns CISA (the US Cybersecurity and Infrastructure Security Agency), “could allow for the disclosure of sensitive information, including session authentication token information that may allow a threat actor to ‘hijack’ a user’s session”.

Common AD Compromises Outlined in the Guidance

While the guidance outlines over 15 AD-related compromises, we’ll focus on some of the more common ones, namely Kerberoasting, AS-REP Roasting, Password Spraying, Unconstrained Delegation, and AD CS Compromise.

Kerberoasting 

What is Kerberoasting?
Kerberoasting is an attack that abuses the Kerberos authentication protocol. Specifically, it targets service accounts, exploiting the fact that any authenticated user can request Ticket Granting Service (TGS) tickets for any service. Attackers request TGS tickets for accounts with Service Principal Names (SPNs), then crack the encrypted tickets offline to recover those accounts’ passwords. In this way, they can access restricted resources without being detected.

How Silverfort Helps Detect and Protect Against Kerberoasting in Real Time

Detection 

  • Track service ticket requests for user accounts with SPNs, and detect Kerberoasting attacks using anomaly detection.
  • Monitor suspicious MFA denials and virtual fencing violations to detect compromised credentials.

Real-Time Protection

  • Automatically deny service ticket requests identified as Kerberoasting.
  • Enforce MFA policies for human accounts and virtual fencing for service accounts to prevent identity compromise.

Overview of Kerberoasting (Source: Detecting and Mitigating Microsoft Active Directory Compromises)
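The detection bullets above, worked through as code: this is an added example (not Silverfort’s product logic) that runs over constructed 4769 service-ticket events, flags RC4 tickets issued for user-account SPNs, and raises the volume anomaly of one requester pulling tickets for many distinct SPNs in a short window. The event dicts, account names and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 ("A Kerberos service ticket was requested") events, modelled on the
# fields Windows logs; not from the original post. 0x17 = RC4-HMAC, 0x12 = AES256.
# Machine accounts end in "$" and krbtgt is the TGT itself, so both are excluded.
EVENTS = [
    {"time": "2024-10-01T09:00:05", "account": "jsmith", "service": "sqlsvc",    "enc": 0x17, "ip": "10.0.0.15"},
    {"time": "2024-10-01T09:00:06", "account": "jsmith", "service": "backupsvc", "enc": 0x17, "ip": "10.0.0.15"},
    {"time": "2024-10-01T09:00:07", "account": "jsmith", "service": "websvc",    "enc": 0x17, "ip": "10.0.0.15"},
    {"time": "2024-10-01T09:00:08", "account": "jsmith", "service": "krbtgt",    "enc": 0x12, "ip": "10.0.0.15"},
    {"time": "2024-10-01T09:00:09", "account": "jsmith", "service": "FS01$",     "enc": 0x12, "ip": "10.0.0.15"},
    {"time": "2024-10-01T10:30:00", "account": "mjones", "service": "sqlsvc",    "enc": 0x12, "ip": "10.0.0.22"},
    {"time": "2024-10-01T11:00:00", "account": "mjones", "service": "legacysvc", "enc": 0x17, "ip": "10.0.0.22"},
]
RC4_TYPES = {0x17, 0x18}

def roastable_target(service):
    """Ticket is for an SPN on a user account: not krbtgt and not a machine account."""
    return service.lower() != "krbtgt" and not service.endswith("$")

def rc4_requests(events):
    """Each RC4 ticket for a user-account SPN is worth a look on its own: an AES-capable
    client explicitly asking for RC4 is a well-known tooling fingerprint."""
    return [e for e in events if e["enc"] in RC4_TYPES and roastable_target(e["service"])]

def kerberoast_bursts(events, window_minutes=5, min_services=3):
    """Flag a requester that pulls tickets for many distinct user-account SPNs inside a
    short window: the volume pattern anomaly detection looks for."""
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if roastable_target(e["service"]):
            by_acct[e["account"]].append(e)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for acct, evs in by_acct.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["time"])
            services = {e["service"] for e in evs[i:]
                        if datetime.fromisoformat(e["time"]) - t0 <= window}
            if len(services) >= min_services:
                alerts.append({"account": acct, "ip": first["ip"], "services": sorted(services)})
                break  # one alert per requesting account is enough
    return alerts

if __name__ == "__main__":
    for a in kerberoast_bursts(EVENTS):
        print(f"possible Kerberoasting by {a['account']} from {a['ip']}: {a['services']}")
```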

AS-REP Roasting

What is AS-REP Roasting?

Authentication Server Response (AS-REP) Roasting is an attack that targets user objects configured not to require Kerberos pre-authentication. If an attacker manages to crack an AS-REP ticket encrypted with a user’s password hash, they can obtain the user’s cleartext password and authenticate as the user.

How Silverfort Helps Detect and Protect Against AS-REP Roasting in Real Time

Detection

  • Silverfort detects AS-REP requests without pre-authentication and flags suspicious authentication attempts.
  • Monitor suspicious patterns of MFA denials and virtual fencing violations to detect successful AS-REP Roasting attempts.

Real-Time Protection

  • Set MFA policies for human accounts and virtual fencing for service accounts to defend against AS-REP Roasting.
  • Automatically deny authentications without pre-authentication.

Overview of AS-REP Roasting (Source: Detecting and Mitigating Microsoft Active Directory Compromises) 

Password Spraying 

What is Password Spraying? 

In password spraying, attackers attempt to authenticate to multiple users using different combinations of passwords until they are successful. These passwords can come from public password lists, be passwords identified as reused in the target environment, or simply be a single password tried against many accounts. 

How Silverfort Helps Detect and Protect Against Password Spraying in Real Time 

Detection   

  • Detect brute-force attempts by tracking repeated authentication failures across multiple accounts.
  • Monitor unusual activity involving built-in admin accounts, which are common targets for password spraying attempts. 
  • Monitor enumeration of multiple SMB resources, a technique often used to discover credentials in unprotected file shares.

Real-Time Protection  

The guidance describes MFA as an effective way to mitigate password spraying when attackers try to gain initial access, but once they’ve already gained access, it isn’t as effective because they can then authenticate directly to the Domain Controller (DC) with the NTLM protocol, which does not support MFA. 

While it is true that NTLM does not support MFA, it doesn’t mean there is no way around it. Actually, there is, and it is part of our integration with Active Directory. Without requiring any changes, AD forwards every access request to us for a second opinion. This allows us to enforce MFA verification on any resource that uses AD, including legacy systems and on-prem infrastructure that use NTLM.

  • Secure human accounts by implementing MFA, and service accounts with virtual fencing.
  • Reduce the use of NTLM wherever possible, as well as NTLMv1, LDAP, and other weak protocols. 
  • Enforce MFA verification policies for legacy protocols such as NTLM.
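The first two detection bullets above, as an added example (not Silverfort’s detection engine): it groups constructed 4625/4771-style logon failures by source address and raises a spray alert when one source fails against many distinct accounts in a short window, noting whether the built-in administrator was among the targets. The events, thresholds and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon-failure events with 4625-style fields; not from the original post.
# sub_status 0xC000006A = wrong password, 0xC0000064 = user name does not exist.
FAILURES = [
    {"time": "2024-10-01T02:00:00", "account": "alice",         "ip": "203.0.113.9", "sub_status": 0xC000006A},
    {"time": "2024-10-01T02:00:02", "account": "bob",           "ip": "203.0.113.9", "sub_status": 0xC000006A},
    {"time": "2024-10-01T02:00:04", "account": "carol",         "ip": "203.0.113.9", "sub_status": 0xC000006A},
    {"time": "2024-10-01T02:00:06", "account": "Administrator", "ip": "203.0.113.9", "sub_status": 0xC000006A},
    {"time": "2024-10-01T02:00:08", "account": "dave",          "ip": "203.0.113.9", "sub_status": 0xC0000064},
    {"time": "2024-10-01T08:15:00", "account": "erin",          "ip": "10.0.0.31",   "sub_status": 0xC000006A},
    {"time": "2024-10-01T08:15:30", "account": "erin",          "ip": "10.0.0.31",   "sub_status": 0xC000006A},
    {"time": "2024-10-01T08:16:00", "account": "erin",          "ip": "10.0.0.31",   "sub_status": 0xC000006A},
]
BUILTIN_ADMINS = {"administrator"}

def spray_sources(events, window_minutes=10, min_accounts=4):
    """A source that fails against many *distinct* accounts in a short window, with few
    attempts per account, is spraying rather than brute-forcing one user. erin's three
    failures from one host look like a mistyped password and do not trip this rule."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["time"])
            in_window = [e for e in evs[i:] if datetime.fromisoformat(e["time"]) - t0 <= window]
            accounts = {e["account"] for e in in_window}
            if len(accounts) >= min_accounts:
                alerts.append({
                    "ip": ip,
                    "accounts": len(accounts),
                    "attempts": len(in_window),
                    "hit_builtin_admin": any(a.lower() in BUILTIN_ADMINS for a in accounts),
                    # unknown-user failures suggest the list came from outside the environment
                    "unknown_users": sum(e["sub_status"] == 0xC0000064 for e in in_window),
                })
                break  # one alert per source address
    return alerts

if __name__ == "__main__":
    for a in spray_sources(FAILURES):
        print(f"password spray from {a['ip']}: {a['accounts']} accounts, {a['attempts']} attempts, "
              f"built-in admin targeted={a['hit_builtin_admin']}, unknown users={a['unknown_users']}")
```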

Unconstrained Delegation 

What is Unconstrained Delegation? 

With unconstrained delegation, a computer object can impersonate any authenticated user and access any service. When a user object authenticates to a computer object with unconstrained delegation, a copy of the user’s TGT is stored locally. 

If an attacker gains local admin access to a computer configured for unconstrained delegation, they can extract the TGTs for any user object that has previously authenticated to the computer object. The attacker can then use these TGTs to impersonate other user objects in the domain, including domain admins. 

How Silverfort Helps Detect and Protect Against Unconstrained Delegation in Real Time 

Detection   

  • Users’ TGTs can be stolen if they authenticate to computers configured with unconstrained delegation.
  • Use Deny/Notify/MFA policies to monitor computers with unconstrained delegation for suspicious MFA denials and virtual fencing violations. 

Real-Time Protection  

  • Set up a Deny/MFA policy for authentications to computers with unconstrained delegation.
  • Enforce MFA policies for human accounts and fencing for service accounts to prevent identity compromise. 
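A posture check for the precondition this section describes, as an added example (not Silverfort’s code): it walks constructed directory records carrying the userAccountControl and servicePrincipalName attributes one would pull over LDAP and lists non-DC objects configured for unconstrained delegation. It goes slightly beyond this section by also listing the two preconditions from earlier sections, enabled users without Kerberos pre-authentication (AS-REP Roasting) and enabled user accounts with SPNs (Kerberoasting), since the same flag check serves all three. The object names and attribute values are constructed; the bit values are Microsoft’s documented userAccountControl flags.

```python
# Constructed directory objects with the attributes an auditor would pull over LDAP
# (sAMAccountName, objectClass, userAccountControl, servicePrincipalName); not from the post.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000   # member server or workstation
SERVER_TRUST_ACCOUNT = 0x2000        # domain controller
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000          # Kerberos pre-authentication not required

OBJECTS = [
    {"sam": "DC01$",     "cls": "computer", "uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,      "spn": ["HOST/DC01"]},
    {"sam": "APP01$",    "cls": "computer", "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "spn": ["HOST/APP01"]},
    {"sam": "WS07$",     "cls": "computer", "uac": WORKSTATION_TRUST_ACCOUNT,                          "spn": ["HOST/WS07"]},
    {"sam": "svc_sql",   "cls": "user",     "uac": NORMAL_ACCOUNT,                                     "spn": ["MSSQLSvc/sql01:1433"]},
    {"sam": "svc_old",   "cls": "user",     "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE,                    "spn": ["HTTP/old01"]},
    {"sam": "legacyapp", "cls": "user",     "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,                  "spn": []},
    {"sam": "jsmith",    "cls": "user",     "uac": NORMAL_ACCOUNT,                                     "spn": []},
]

def enabled(o):
    return not o["uac"] & ACCOUNTDISABLE

def unconstrained_delegation(objs):
    """Non-DC objects trusted for delegation: any TGT cached on them can be reused by a
    local admin. DCs carry this flag by design and are excluded so the list stays actionable."""
    return sorted(o["sam"] for o in objs
                  if o["uac"] & TRUSTED_FOR_DELEGATION and not o["uac"] & SERVER_TRUST_ACCOUNT)

def asrep_roastable(objs):
    """Enabled user objects that do not require Kerberos pre-authentication."""
    return sorted(o["sam"] for o in objs
                  if o["cls"] == "user" and enabled(o) and o["uac"] & DONT_REQ_PREAUTH)

def kerberoastable(objs):
    """Enabled user (not computer) objects carrying an SPN; krbtgt is always present and excluded."""
    return sorted(o["sam"] for o in objs
                  if o["cls"] == "user" and enabled(o) and o["spn"] and o["sam"].lower() != "krbtgt")

if __name__ == "__main__":
    print("unconstrained delegation (non-DC):", unconstrained_delegation(OBJECTS))
    print("AS-REP roastable users:           ", asrep_roastable(OBJECTS))
    print("Kerberoastable users:             ", kerberoastable(OBJECTS))
```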

AD CS Compromise 

What is an AD CS Compromise? 

AD CS (Active Directory Certificate Services) is used for the issuance and management of Public Key Infrastructure (PKI) certificates, which are commonly used for authentication (as well as for other purposes, such as encryption and digital signing of documents, which are outside the scope of this post). An AD CS Certificate Authority (CA) offers a variety of certificate templates to help users and computers obtain certificates for various uses. 

One of the most common AD CS compromises is exploiting misconfigured certificate templates, the best-known case being ESC1. An ESC1-vulnerable template allows any user to request a certificate on behalf of any other user. With that certificate, attackers are able to authenticate as that user and inherit their privileges. 

How Silverfort Helps Detect and Protect Against AD CS Compromises in Real Time 

Detection   

  • Silverfort monitors for suspicious authentications, specifically TGT requests in which a certificate was used.

Real-Time Protection  

  • If certificate-based authentication is not widely used in your organization, limit its usage with a deny policy.
  • Ensure MFA is enabled on human accounts and virtual fencing is enabled on service accounts.
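The detection bullet above, together with the AS-REP Roasting detection bullet from the earlier section, both come down to reading fields of the same 4768 TGT-request event, so this single added example (not Silverfort’s code) covers both: it lists TGT requests made with no pre-authentication, lists certificate-based (PKINIT) TGT requests, and raises the two certificate anomalies a defender would want after an ESC1-style abuse: accounts using a certificate for the first time and one client presenting certificates for several accounts. The events, the baseline set and all names are constructed.

```python
from collections import defaultdict

# Constructed 4768 ("A Kerberos authentication ticket (TGT) was requested") events,
# modelled on the Windows event fields; not taken from the original post.
# pre_auth: 0 = none, 2 = PA-ENC-TIMESTAMP (password), 16 = PA-PK-AS-REP (certificate / PKINIT).
# enc: 0x17 = RC4-HMAC, 0x12 = AES256. cert_serial is empty unless a certificate was presented.
TGT_REQUESTS = [
    {"account": "jsmith",        "ip": "10.0.0.15", "pre_auth": 2,  "enc": 0x12, "cert_serial": ""},
    {"account": "legacyapp",     "ip": "10.0.0.15", "pre_auth": 0,  "enc": 0x17, "cert_serial": ""},
    {"account": "svc_old",       "ip": "10.0.0.15", "pre_auth": 0,  "enc": 0x17, "cert_serial": ""},
    {"account": "mjones",        "ip": "10.0.0.15", "pre_auth": 16, "enc": 0x12, "cert_serial": "1f00aa"},
    {"account": "administrator", "ip": "10.0.0.15", "pre_auth": 16, "enc": 0x12, "cert_serial": "1f00ab"},
    {"account": "erin",          "ip": "10.0.0.31", "pre_auth": 16, "enc": 0x12, "cert_serial": "1f0010"},
]
# Constructed baseline: accounts known to log on with certificates (e.g. smart-card users).
KNOWN_PKINIT_USERS = {"erin"}

PA_NONE, PA_PKINIT = 0, 16

def asrep_roast_requests(events):
    """TGT requests made without pre-authentication: the AS-REP comes back encrypted with
    the user's key and can be cracked offline. RC4 (0x17) makes that cheap, so keep enc."""
    return [(e["account"], e["ip"], e["enc"]) for e in events if e["pre_auth"] == PA_NONE]

def certificate_logons(events):
    """Every certificate-based (PKINIT) TGT request: the event the AD CS section says to watch."""
    return [e for e in events if e["pre_auth"] == PA_PKINIT and e["cert_serial"]]

def cert_logon_anomalies(events, baseline=KNOWN_PKINIT_USERS):
    """Two ESC1-style signals: accounts using a certificate for the first time, and one
    client address presenting certificates for several different accounts."""
    pk = certificate_logons(events)
    new_users = sorted({e["account"] for e in pk} - set(baseline))
    by_ip = defaultdict(set)
    for e in pk:
        by_ip[e["ip"]].add(e["account"])
    multi = sorted(ip for ip, accts in by_ip.items() if len(accts) > 1)
    return {"new_pkinit_users": new_users, "multi_account_sources": multi}

if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_requests(TGT_REQUESTS))
    print("certificate logon anomalies:", cert_logon_anomalies(TGT_REQUESTS))
```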

What’s Next?

The good news is that despite all the darkness, there is light, and all these compromises (and more, which you will soon be able to read about in our full guide on aligning with Detecting and Mitigating Active Directory Compromises) are indeed detectable and mitigable. For each attack, there’s a detailed counter-strategy, including limiting privileged access, enforcing strong authentication practices, and minimizing the risks of legacy protocols. 

Bottom line, dealing with Active Directory threats requires direct and active measures. It’s all about identifying and preventing the mechanisms attackers use. Did anyone say “detecting and mitigating”?
