The complete guide to protecting Active Directory against Brute-force Attacks
Thank you for downloading this e-book. Please check your Inbox (or spam) to access this e-book.
Active Directory (AD), the technology that lets IT administrators manage permissions and access to network resources is a couple of decades old now. Yet, organizations continue to build their IT infrastructure around it. Because AD facilitates central management by tying together servers, workstations, applications, and other network components in an IT network, it's a key target for attackers. The volume of information stored in AD attracts the attention of attackers, and its weak passwords make them easy pickings.
This guide explores the various ways in which threat actors exploit poor password security, and how you can thwart their plans. We will walk you through how ManageEngine's solutions help you strengthen your password management.
What is AD? Imagine a box filled with every computer, user, application and service that runs in an organization's network. That box is AD, a critical application because it stores large amounts of data, and controls and organizes everything residing in it. AD is of high value to attackers because within it they can find identity-related information, including user permissions, passwords, and devices in the network.
To gain a foothold into your network, all the attacker needs to do is to compromise the domain user credentials of one of the thousands of accounts that might reside in your AD.
This explains why the bulk of cyberattacks today involve targeting the employee credentials of the increasing number of remote workers. 61% of all the attacks in 2021 involved credential data1. With remote work, Active Directory platform has become more vulnerable to attacks as it tries to serve the authentication request from users who use their unsecured personal devices to connect to corporate network and or use their home or other public wifi-networks to establish a connection. Also, the number of cloud applications and services organizations use are only growing and enabling authentication for these services through AD is a priority for many organizations. If the AD passwords in use are weak or are compromised passwords, then they put AD under great risk. These challenges have made AD more vulnerable than ever before.
In the next chapter, we will see, when the security defenses are not configured properly, how easy it is for attackers to compromise accounts using just one technique and the various tools that they use.
Attackers usually take down domain user accounts with basic privileges. However after intrusion, attackers have plenty of tricks up their sleeves to raise the compromised account's privileges or move laterally in the network to discover vulnerable high privileged accounts.
For instance, dumping the passwords of domain admins stored in SYSVOL is one of the common methods attackers use to compromise local administrator accounts. SYSVOL is a folder that exists in every domain controller. It's a shared folder and every authenticated user of the domain has read access to it.
The passwords present in SYSVOL XML files are usually the local admin passwords and are also often encrypted using the AES-256 encryption standard. Yet, attackers have access to PowerShell functions like the Get-GPPPassword, using which they can decrypt passwords. As you can see, within a few steps, the adversaries can get hold of a local admin account.
Once attackers have access to a domain admin account the possibilities are endless— they can either create backdoor accounts, in the local or systems within the domain to lurk in the network or install a malware on the compromised system for extorting sensitive data.
The consequences of an AD breach are dire. If you are looking to improve your AD security, the best place to start is by understanding attack techniques that are being used to compromise networks and take measures that can prevent them . Brute force attacks are the most common technique attackers are leveraging to infiltrate into corporate networks. They were used in over 80% of the data breaches in 20202. The low barrier to entry for carrying out brute force attacks is why it's such a widely used technique. Skilled adversaries usually build their own versions of the available tools. However script kiddies too can do more damage than what organizations would want.
In a brute force attack, attackers persistently pound an account with multiple combinations of credentials until they can unlock it.
Understanding brute-force attacks, the most common hacking technique in an attacker's arsenal, will enable you to understand the risks they pose and the ways you can safeguard your organization against them.
In a simple brute-force attack a large combination of random values are input as passwords and they are iterated one after the other until the target cracks. The iteration is accomplished with the help of automated scripts. Attackers don't use this method while targeting resources that might be covered by an account lockout policy. Instead it's used to crack local files in systems that are protected by passwords.
Here, common words or phrases are input as passwords. Today's attackers also use tools that can make minor substitutions to the password list available, say replacing "w" with "W" or "a" with "@" to improve their chances of cracking an account.
This is a combination of a dictionary attack and a simple brute-force attack. Often the phrases that would be used in a dictionary attack are appended with a pattern of numbers, usually a birth year. This technique is particularly effective when the attacker has performed social profiling on the target.
In contrast to the multiple password bombardment style of other brute-force attacks, a password spray attack tries only one password but against multiple accounts. Since the attack resembles a normal login pattern, often times it goes undetected and won't disturb any account lockout policy in place.
Here are basic details, provided for educational purposes, about five popular open source tools used in brute-force attacks.
A tool that's used in almost all Remote Desktop Protocol (RDP) attacks. In particular, it's used to crack local accounts in the system after the initial compromise.
A password cracking software that can be used for over 15 different operating systems including Unix, Windows and DOS. It's an attacker's favorite as it can easily identify hashes of encrypted passwords.
A tool used to take down network authentication protocols including RADIUS and Lightweight Directory Access Protocol (LDAP). It can also perform dictionary attacks on over 30 protocols, including HTTP, HTTPS, and the Server Message Block (SMB) protocol that's used to communicate with remote computers and servers.
A tool tailor-made for cracking Windows passwords. It can not only perform various types of brute-force attacks such as dictionary and hybrid attacks, but can also extract hashes of 64-bit Windows operating systems and decode them.
A CPU-based password cracking tool. It's used to carry out various types of brute-force attacks, including dictionary and hybrid attacks.
Besides manual operation, adversaries also use botnets to automate brute force attacks. Botnets are a group of computers that are infected by malware and are centrally controlled by a hacker. Attackers might choose to brute-force target several websites. Say attackers choose to hack into some websites of an organization using a brute force attack technique.
Because, in all the brute force attack techniques, the attacker is only going to try out various combinations of credentials mostly from the same IP address. However, if security systems website are configured to limit the login attempts after a specific number of failed logins from an IP address, the attack will fail or take too long to succeed.
In a botnet brute force attack, each bot receives a list of target IP addresses or websites and two or three credential pairs from botnet master or command and control (C2C) server. The botnets try out these credential pairs on a target IP address. If they are unable to crack the password, the target IP address is passed on to another bot having a different IP address tries to break in. With bots, not only the number of attempts is kept below the account lockout threshold, but the attacks also don't originate from the same IP address, making them harder to detect.
The IT security community generally agrees that there's nothing you can't do with PowerShell. Here, we are going to show you how simple it is for an attacker to carry out a password spray attack on your AD users using PowerShell. Watch the demo to see how an attacker uses publicly available scripts to compromise accounts, discover account lockout restrictions in place, and determine the users to target.
The Dharma ransomware, a variant of the CrySIS malware, was first discovered in 2016. It continues to be active even today due to its ability to intrude into victim's systems through multiple vectors. Though it spread using phishing campaigns and malware vulnerabilities in the beginning, RDP became it's most favored delivery vehicle.
Over 85% of all Dharma attacks3 conducted so far have exploited open RDP connections. In most cases, attackers used brute-force techniques to barge in, while in others they made use of leaked RDP credentials available from the dark web.
Dharma has been thriving for so long due to the unique Ransomware-as-a-Service (RaaS) model it's part of. Experienced malware developers create new variants of Dharma just by making minimal changes to the source code such as changes to the encryption key used in the attack or the message the ransomware note displays.
Security researchers say this strategy of not chopping and changing few things in the source code is what makes it difficult to identity which threat group carried out a particular Dharma attack, since there is no unique signature.
Dharma malware developers add a package of tools and best practices that affiliates can follow and execute attacks without much hassle. Affiliates are mostly entry-level cyberattackers. The package consists of prebuilt scripts and tools that leverage built-in Windows tools, publicly available exploits, and third-party freeware tools all tied together with PowerShell, batch, and AutoIT scripts.
Access to the target's device, and eventually the network, is mostly through exploitation of the open RDP ports- 3389. Simple brute-forcing or password spraying is the usual tactic deployed. Attackers either take over a user workstation or, in some cases, the domain controller if they can break into a domain admin's account. With the latter, they can affect multiple systems at once.
Once the initial infection is complete, in most dharma attacks, attackers proceed to make entries in the Windows registry to enable persistence. The Windows registry is a database that stores information used by the operating system and the programs in it. Details of the software programs, hardware devices present, operating system configurations, everything can be found in the Windows registry.
After establishing persistence, PCHunter and ProcessHacker, two freely available utilities that help detect, monitor and remove malware, are run to disable all security software that are installed in the system. From endpoint security systems, to SIEM alerting software, they can disable them all. In addition, PowerShell programs like Disable-WinDefend.ps1 are also executed to disable Windows Defender functions.
It doesn't stop there. To ensure maximum impact, attackers use more tools from their toolkit to brute-force into any local user accounts, get access to passwords stored in encrypted files—NirSoft CredentialsFileView tool does the job for them—and attempt to compromise more systems in the network.
Before executing the ransomware payload, any host backups and system logs present are erased, and existing services are halted, to ensure the data parts of those services can also be encrypted. For instance, dharma ransomware attacks are known to terminate database services such as sqlwriter, mssqlserver, sqlserveradhelper, to ensure data files that are in process by these services are also encrypted.
The payload that encrypts data is often an executable file (.exe). In the case of the domain controller being compromised, attackers always create a script to alter the Default Domain Policy so this file is run during startup in each machine connected to the domain.
All files in the host infected with the ransomware are encrypted using AES-256 combined with a RSA-1024 asymetric encryption. Only the malware files and the system files are spared. Once the encryption is complete, a ransom note is left with two email addresses that the victim can contact.
It isn't always easy to get users to follow password best practices, like setting long and complex passwords, skipping passwords that are common dictionary words, and avoiding already compromised passwords.
With ManageEngine ADSelfService Plus' password policy enforcer, IT admins can ensure users follow one or all of these rules when the password is set:
54% of all employees reuse passwords for many of their work accounts, a recent survey4 by hardware authentication device manufacturer Yubico revealed. Thanks to password reuse, attackers need to compromise only one pair of corporate credentials to sneak into your network.
With ADSelfService Plus' password history check feature, IT admins can ensure that users can't reuse any of their past 24 AD passwords.
In addition to internal applications, today's organizations use multiple cloud applications and services. SSO is crucial if you are looking to improve user experience and identity security. With SSO, since employees need to remember only one pair of credentials, which in most cases is their AD credentials, the danger of password reuse is averted. However, an SSO implementation without MFA does more harm than good from a security standpoint as it only makes the job for attackers easier. All they have to do is compromise one account to gain access to all your applications.
With ADSelfService Plus, you can enable SSO for over 100 pre-integrated applications and for any custom application that supports Security Assertion Markup Language (SAML)-based authentication. It also shows the user all the applications they have access to in a single dashboard. Access to applications can be secured using MFA. Additionally, IT admins can decide who has access to which applications by creating policies based on AD organizational units and groups.
Passwords, the most common authentication factor used to verify identity, is the most vulnerable one too, because users tend to set easy-to-remember passwords, and are likely to use the same weak password for other devices and services. MFA provides an extra layer of security, as it involves verification of an additional factor that the user owns, like a smartphone, or the user is, like a fingerprint or any other biometric attribute. With MFA, even if the password is compromised, the attacker can't complete the heist, as they don't have access to the additional factor.
One the best ways to protect your RDP connections from attacks like the Dharma ransomware we saw earlier, is to grant RDP access only through a VPN and further strengthen security by securing the VPN access with MFA. Other steps to take are ensuring unnecessary open RDP ports are locked down, periodically reevaluating users who can RDP into the network, and keeping the Network Level Authentication of your RDP server always ON.
ADSelfService Plus supports over 15 authentication techniques, including YubiKey authentication, biometrics, and RSA SecurID. With ADSelfService Plus' MFA options, IT admins can secure VPN connections, Windows, Mac, and Linux endpoints, safeguard access to SSO-enabled applications, and ensure users can use the self-service password reset or account unlock features only after their identity is verified.
In today's remote-first organizational setup, the likelihood of a cyberattack is enormous. The context behind any login attempt, especially ones after failed attempts or from an unknown location or device, should be examined and access should be provided only for those who don't pose any security threat to the organization.
For example, in many RDP attacks, threat researchers found the RDP server under attack received a barrage of authentication requests either from IP addresses that never connected to the network before, or from locations that the company didn't have employees in. Had there been a mechanism to block such authentication requests, the attacks wouldn't have made it even to the second stage.
Organizations can analyze various risk factors such as IP address, time of access, device and user's geolocation, and configure conditional access policies based on them. IT admins can also create policies that check either one or all of the factors. Based on the risk, a user can be asked to prove their identity by submitting an additional authentication factor, granted full or partial access, or be denied access.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.