Ghost in the shell: Preventing Active Directory Lateral Movement

Venu Vissamsetty (AttivoTechBlogs), published Feb 11, 2020

Microsoft’s Detection and Response Team (DART) recently published an article about an internet-facing web server getting infected and an attacker uploading a web shell to perform Active Directory reconnaissance.

https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/

Once uploaded to the web server, web shells allow attackers to remotely perform various tasks on the compromised system and move laterally in the network.

When an intruder manages to get a foothold on a domain-joined system, Active Directory by default allows any authenticated user to execute LDAP queries and perform domain reconnaissance. Domain reconnaissance involves gathering information about users, the locations of critical servers (e.g., Exchange servers, IIS web servers, MSSQL servers), identifying groups such as domain admins, users with directory replication permissions and service accounts, and mapping the privileges assigned to them.

BloodHound is a tool that can identify attack paths that a non-privileged domain user can use to escalate their privileges. In the figure below, BloodHound finds the shortest attack path from the user on the left to the Domain Admins group on the right.

https://wald0.com/?p=68

Attackers can use the relationships identified by BloodHound to navigate inside the enterprise, escalate privileges and move laterally inside the network.

Compromise of service accounts and domain accounts

According to the Microsoft blog “DART’s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and eventually move laterally using PsExec.”

Once attackers have access to a landing machine, they try to find interesting credentials and use them to move around and identify higher-value targets.

T1087 | Account Discovery

Attackers attempt to gather information about local or domain accounts that they can compromise.

In the example below, net user /domain lists all users in the Contoso.Azure domain.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance

Attackers can also use PowerShell scripts to discover all domain users.

# Enumerate every user object through LDAP and print its name, CN and distinguished name
([adsisearcher]"(&(objectClass=user)(objectCategory=person))").FindAll() | ForEach-Object {
    "Name: $($_.properties.name)"
    "CN: $($_.properties.cn)"
    "distinguishedname: $($_.properties.distinguishedname)"
}

T1069 | Permission Groups Discovery

Attackers will attempt to find local or domain-level groups, the members belonging to each group, and the trust relationships between the groups.

net group /domain will return all group accounts in the domain.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance

Attackers can query the members of various groups using 'net' commands. They can also find members of custom groups such as "Helpdesk", which is not a default group.

net group "domain admins" /domain finds all domain administrators.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance

Recon using net.exe and nbtstat.exe

Attackers can use net.exe commands to perform reconnaissance and discover various systems in the network.

net group "domain computers" /domain finds all computers in the domain.

Attackers can also use PowerShell queries to discover operating systems, server types, etc. from Active Directory.

# Enumerate every computer object and print its operating system attribute
([adsisearcher]"objectcategory=computer").FindAll() | ForEach-Object { ([adsi]$_.Path).operatingsystem }

Lateral movement using PsExec

Once attackers obtain "domain admin" credentials and have identified critical servers through domain reconnaissance, they can use tools like PsExec to drop scripts or payloads onto target machines and launch them.

The blog mentions that “attackers installed additional web shells on other systems, as well as a DLL backdoor on an Outlook Web Access (OWA) server. To persist on the server, the backdoor implant registered itself as a service or as an Exchange transport agent, which allowed it to access and intercept all incoming and outgoing emails, exposing sensitive information”.
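As an added example (not part of the original post and not code from Attivo or Microsoft), the following Python script shows how a detection team could flag the reconnaissance and lateral-movement steps described in the sections above in exported Windows event data: net.exe account and group enumeration (T1087, T1069), nbtstat.exe name-table lookups, [adsisearcher] LDAP queries captured by PowerShell script block logging, and the PSEXESVC service that PsExec installs on a target. The event records and their field names are constructed for this example as a simplification of Security 4688 (process creation, with command-line auditing enabled), PowerShell 4104 (script block) and System 7045 (service installed) events; the rule that treats w3wp.exe as a web-shell parent is an assumption that only applies to IIS hosts.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real captures). Field names are this
# example's own simplification of the Windows event schema:
#   4688 = process creation (Security log), 4104 = PowerShell script block,
#   7045 = service installed (System log).
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe", "image": "net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"id": 4688, "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe", "image": "nbtstat.exe",
     "cmdline": "nbtstat -A 10.0.0.25"},
    {"id": 4104, "host": "WEB01", "user": "CONTOSO\\svc-web",
     "script": '([adsisearcher]"objectcategory=computer").FindAll()'},
    {"id": 7045, "host": "MAIL01", "service": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign baseline: a helpdesk user mapping a share from explorer.exe
    {"id": 4688, "host": "ADMIN01", "user": "CONTOSO\\helpdesk1",
     "parent": "explorer.exe", "image": "net.exe",
     "cmdline": "net use Z: \\\\fs01\\share"},
]


@dataclass
class Finding:
    host: str
    technique: str   # label for the behaviour that matched
    severity: str    # "medium" or "high"
    detail: str      # the command line, script fragment or service path


# net.exe sub-commands that enumerate the domain: "net user ... /domain" and
# "net group ... /domain". Everything else (net use, net start, ...) is ignored.
NET_DOMAIN_RE = re.compile(r"\b(user|group)\b(?P<args>.*?)/domain\b", re.IGNORECASE)

# PowerShell LDAP enumeration primitives, including the [adsisearcher]
# one-liners quoted in the post.
LDAP_RE = re.compile(
    r"\[adsisearcher\]|DirectorySearcher|objectcategory=computer|objectClass=user",
    re.IGNORECASE,
)

# A console tool started by the IIS worker process points at a web shell
# rather than an administrator (assumption for this example: IIS only).
WEB_WORKERS = {"w3wp.exe"}


def classify_net(cmdline: str):
    """Map a net.exe command line to the discovery behaviour it performs, or None."""
    m = NET_DOMAIN_RE.search(cmdline)
    if not m:
        return None
    sub, args = m.group(1).lower(), m.group("args").lower()
    if "domain computers" in args:
        return 'Computer discovery (net group "domain computers" /domain)'
    if sub == "group":
        return "T1069 Permission Groups Discovery (net group /domain)"
    return "T1087 Account Discovery (net user /domain)"


def analyze(events):
    """Return one Finding per event that matches a reconnaissance or lateral-movement rule."""
    findings = []
    for ev in events:
        if ev["id"] == 4688:
            image, cmd = ev["image"].lower(), ev.get("cmdline", "")
            technique = None
            if image in ("net.exe", "net1.exe"):
                technique = classify_net(cmd)
            elif image == "nbtstat.exe" and re.search(r"\s-a\s", cmd, re.IGNORECASE):
                technique = "Remote system discovery (nbtstat name-table lookup)"
            if technique is None:
                continue
            severity = "medium"
            if ev.get("parent", "").lower() in WEB_WORKERS:
                severity = "high"
                technique += "; spawned by IIS worker process (web shell indicator)"
            findings.append(Finding(ev["host"], technique, severity, cmd))
        elif ev["id"] == 4104 and LDAP_RE.search(ev.get("script", "")):
            findings.append(Finding(ev["host"], "LDAP enumeration via PowerShell ADSI searcher",
                                    "medium", ev["script"][:120]))
        elif ev["id"] == 7045 and ev.get("service", "").upper() == "PSEXESVC":
            findings.append(Finding(ev["host"], "Lateral movement: PsExec service (PSEXESVC) installed",
                                    "high", ev.get("image_path", "")))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.host}: {f.technique} -- {f.detail}")
```

Run against the constructed events, the script raises four findings and stays silent on the benign net use command; the parent-process check is what separates the IIS web-shell case from an administrator running the same command from a console. Renamed copies of PsExec and LDAP queries issued from compiled tools rather than PowerShell would evade these string rules, which is why the post pairs host detection with deception in the directory itself.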

Protecting Active Directory with Deception

Enterprises can also deploy deception to protect against Active Directory domain reconnaissance. Active Directory deception prevents attackers from enumerating critical assets in Active Directory, finding domain administrators, etc., and prevents attackers from escalating their privileges using "net" commands, PowerShell LDAP queries or other mechanisms.

Attivo Networks' ADSecure module can hide critical assets such as the "domain admins" group and critical systems such as Exchange servers and IIS web servers, and thereby prevent domain reconnaissance. The deception platform also leads attackers to decoy systems when they engage.

The ADSecure module provides detailed information on the LDAP queries performed by attackers so that threat hunting teams can investigate and take action.

Figure: Detecting domain reconnaissance
Figure: Detecting domain enumeration by PowerShell
Figure: Detecting domain enumeration of users and admins

Conclusion

Organizations should take steps to prevent attackers from landing inside the network. They should also adopt a multi-layered security approach that detects attackers who bypass perimeter security. Preventing domain reconnaissance with deception helps detect attackers earlier in the attack cycle and prevents lateral movement.
