Tuesday, October 15, 2024
HomeCyber CrimeActive Directory Infiltration Methods Employed by Cybercriminals - ASEC Report

Active Directory Infiltration Methods Employed by Cybercriminals – ASEC Report

Published on

Malware protection

Active Directory infiltration methods exploit vulnerabilities or weaknesses in Microsoft’s Active Directory to gain unauthorized access.

Active Directory is a central component in many organizations, making it a valuable target for attackers seeking access to:-

  • Sensitive information
  • User accounts
  • Network resources

While successful infiltration allows threat actors to:-

- Advertisement - SIEM as a Service
  • Establish persistence
  • Exfiltrate data
  • Disrupt operations

Cybersecurity researchers at ASEC recently discovered that threat actors are actively exploiting Microsoft’s Active Directory infiltration methods.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Active Directory Infiltration Methods

Active Directory (AD) in Windows manages user and resource data in a network. Domain Controllers control domains in AD, and compromising one means the entire domain is at risk. 

In short, the domain Admins have ultimate control, and this ability makes them prime targets for threat actors aiming to exploit the entire domain. 

To achieve this, threat actors seeking vulnerabilities first analyze the domain structure using tools like:-

  • AdFind 
  • PowerView

Port scanning extracts network info, including running services and port numbers from a target domain. Threat actors use it to uncover network structure, subnet, and host details. 

Cobalt Strike’s default port scanning aids reconnaissance. The tool checks security vulnerabilities in company networks. It encompasses features like:-

  • Internal reconnaissance
  • Privilege escalation
  • Lateral movement
  • Command and control
Log detecting a port scanning tool (Source - ASEC)
Log detecting a port scanning tool (Source – ASEC)

Default in Windows the net commands manage network resources that is useful for user and network data lookup, especially in Active Directory.

Threat actors seize control and then deploy net commands for basic network info collection. While the main net commands were used in attacks on Active Directory environments.

Here below, we have mentioned all the commands:-

  • net time
  • net user
  • net group /domain
  • net group /domain “Domain Admins”
  • net group /domain “Enterprise Admins”
  • net group /domain “Domain Computers”
  • net group /domain “Domain Controllers”
  • net localgroup Administrators

PowerView in PowerSploit gathers and displays Windows domain info that helps threat actors in:-

  • Understanding the network structure 
  • Targeting for privilege escalation 

AdFind is also similar to PowerView, which is a command line tool for Active Directory info that offers a stealthier approach. 

Ryuk ransomware employed AdFind to covertly collect domain data, surpassing typical anti-malware detection.

Besides this, the BloodHound maps attack paths for privilege escalation in Active Directory, utilizing SharpHound for info collection through executable or PowerShell script formats. 

Result of parsing the collected information through BloodHound
Result of parsing the collected information through BloodHound (Source – ASEC)

Infiltrators in Active Directory environments deploy tools like PowerView and AdFind for:-

  • Reconnaissance
  • Targeting domain admin privileges

While the BloodHound optimizes lateral movement paths, traditional security software may miss these threats.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...