Thursday, June 13, 2024

Active Directory Infiltration Methods Employed by Cybercriminals – ASEC Report

Active Directory infiltration methods exploit vulnerabilities or weaknesses in Microsoft’s Active Directory to gain unauthorized access.

Active Directory is a central component in many organizations, making it a valuable target for attackers seeking access to:-

  • Sensitive information
  • User accounts
  • Network resources

While successful infiltration allows threat actors to:-

  • Establish persistence
  • Exfiltrate data
  • Disrupt operations

Cybersecurity researchers at ASEC recently discovered that threat actors are actively exploiting Microsoft’s Active Directory infiltration methods.

Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Active Directory Infiltration Methods

Active Directory (AD) in Windows manages user and resource data in a network. Domain Controllers control domains in AD, and compromising one means the entire domain is at risk. 

In short, the domain Admins have ultimate control, and this ability makes them prime targets for threat actors aiming to exploit the entire domain. 

To achieve this, threat actors seeking vulnerabilities first analyze the domain structure using tools like:-

  • AdFind 
  • PowerView

Port scanning extracts network info, including running services and port numbers from a target domain. Threat actors use it to uncover network structure, subnet, and host details. 

Cobalt Strike’s default port scanning aids reconnaissance. The tool checks security vulnerabilities in company networks. It encompasses features like:-

  • Internal reconnaissance
  • Privilege escalation
  • Lateral movement
  • Command and control
Log detecting a port scanning tool (Source - ASEC)
Log detecting a port scanning tool (Source – ASEC)

Default in Windows the net commands manage network resources that is useful for user and network data lookup, especially in Active Directory.

Threat actors seize control and then deploy net commands for basic network info collection. While the main net commands were used in attacks on Active Directory environments.

Here below, we have mentioned all the commands:-

  • net time
  • net user
  • net group /domain
  • net group /domain “Domain Admins”
  • net group /domain “Enterprise Admins”
  • net group /domain “Domain Computers”
  • net group /domain “Domain Controllers”
  • net localgroup Administrators

PowerView in PowerSploit gathers and displays Windows domain info that helps threat actors in:-

  • Understanding the network structure 
  • Targeting for privilege escalation 

AdFind is also similar to PowerView, which is a command line tool for Active Directory info that offers a stealthier approach. 

Ryuk ransomware employed AdFind to covertly collect domain data, surpassing typical anti-malware detection.

Besides this, the BloodHound maps attack paths for privilege escalation in Active Directory, utilizing SharpHound for info collection through executable or PowerShell script formats. 

Result of parsing the collected information through BloodHound
Result of parsing the collected information through BloodHound (Source – ASEC)

Infiltrators in Active Directory environments deploy tools like PowerView and AdFind for:-

  • Reconnaissance
  • Targeting domain admin privileges

While the BloodHound optimizes lateral movement paths, traditional security software may miss these threats.


Latest articles

Ivanti EPM SQL Injection Flaw Let Attackers Execute Remote Code

In May 24, 2024, Zero-Day Initiative released a security advisory for Ivanti EPM which...

CISA Warns of Scammers Impersonating as CISA Employees

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a surge...

Microsoft Windows Ntqueryinformationtoken Flaw Let Attackers Escalate Privileges

Microsoft has disclosed a critical vulnerability identified as CVE-2024-30088.With a CVSS score of 8.8, this flaw affects Microsoft...

256,000+ Publicly Exposed Windows Servers Vulnerable to MSMQ RCE Flaw

Cybersecurity watchdog Shadowserver has identified 256,000+ publicly exposed servers vulnerable to a critical Remote...

Indian National Jailed For Hacked Servers Of Company That Fired Him

An Indian national was sentenced to two years and eight months in jail for...

JetBrains Warns of GitHub Plugin that Exposes Access Tokens

A critical vulnerability (CVE-2024-37051) in the JetBrains GitHub plugin for IntelliJ-based IDEs (2023.1 and...

Critical Flaw In Apple Ecosystems Let Attackers Gain Unauthorized Access

Hackers go for Apple due to its massive user base along with rich customers,...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles