Six attack paths in Active Directory and how to remediate them 

One of the crown jewels for an attacker who infiltrates an enterprise environment is Active Directory Domain Services (AD DS). There are several attack paths the “blue team” needs to remediate to bolster the security of Active Directory. Remediating and protecting against these attacks can require days or weeks of work, but the effort is well worth the security benefits.  

We’ll look at six of the most important attack paths to remediate when aiming to improve your organization’s Active Directory security: 

  • Weak passwords 
  • Pass-the-hash attacks 
  • Kerberoasting 
  • Golden ticket attacks 
  • DCSync attacks 
  • Targeting weak AD-integrated applications 

1. Weak and compromised passwords 

Why waste time attempting to hack into an environment when you can simply walk in the front door with stolen credentials? Weak passwords lead to all kinds of security issues in an Active Directory environment. When passwords in the environment are weak, attackers can easily guess or “crack” them using common attacks like brute force or password spraying attacks. 

Organizations can quickly implement new password rules to increase security, for example blocking commonly used terms, keyboard walks, and custom dictionaries of words relevant to the specific organization. Users are then prompted to change their password at their next login to meet the new requirements.

However, compromised passwords need to be considered too. Even strong passwords can become breached through password reuse. There’s huge value in choosing a solution that can continuously scan your Active Directory for known compromised passwords and prompt end users to change them.  

2. Pass-the-hash attacks 

Unlike brute force password attacks, the pass-the-hash attack goes after the “hashed” or cryptographic form of the password. Client operating systems often store this value inside memory. Attackers can use malware to extract a hashed password from memory and gain access to Active Directory resources without having to guess the password. 

Admins can help by requiring end users to create longer passwords (over 15 characters), which are stored only in the stronger Windows NT hash format. For passwords shorter than 15 characters, Windows can also create a LAN Manager (LM) hash, which uses much weaker encryption. New installs of Active Directory don’t have LM hash storage enabled, but older Active Directory installations have it switched on by default and require a manual change to switch it off. It’s worth bearing in mind that even if LM hash storage is switched off in Active Directory, other systems might still cache an LM hash, so setting a minimum password length of 15 is the only surefire way of making sure LM hashes don’t exist anywhere.
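The two settings this section recommends, the domain minimum password length and LM hash storage on the domain controllers, can both be checked from a script. The following PowerShell is an added example, not code from the original article or from Specops; it assumes the RSAT ActiveDirectory module, rights to query every domain controller remotely, and that `Test-LmHashExposure` is a name chosen here for illustration.

```powershell
# Added example (not from the original article): audit the two settings the
# section above recommends for keeping LM hashes out of the environment.
# Assumes the RSAT ActiveDirectory module and PowerShell remoting to each DC.
Import-Module ActiveDirectory

function Test-LmHashExposure {
    [CmdletBinding()]
    param(
        # Windows never generates an LM hash for passwords of 15+ characters.
        [int]$RequiredMinLength = 15
    )

    $findings = @()

    # 1. Domain-wide minimum password length (Default Domain Policy).
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($policy.MinPasswordLength -lt $RequiredMinLength) {
        $findings += [pscustomobject]@{
            Check   = 'MinPasswordLength'
            Target  = (Get-ADDomain).DNSRoot
            Value   = $policy.MinPasswordLength
            Finding = "Below $RequiredMinLength; LM hashes can still be created for short passwords"
        }
    }

    # 2. NoLMHash on every domain controller. 1 = LM hash is not stored,
    #    0 = it is stored; a missing value means it was never set explicitly.
    $dcs = (Get-ADDomainController -Filter *).HostName
    $results = Invoke-Command -ComputerName $dcs -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $val = (Get-ItemProperty -Path $key -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; NoLMHash = $val }
    }
    foreach ($r in $results) {
        if ($r.NoLMHash -eq 0) {
            $findings += [pscustomobject]@{
                Check   = 'NoLMHash'
                Target  = $r.Computer
                Value   = $r.NoLMHash
                Finding = 'LM hash storage is enabled on this domain controller'
            }
        }
        elseif ($null -eq $r.NoLMHash) {
            $findings += [pscustomobject]@{
                Check   = 'NoLMHash'
                Target  = $r.Computer
                Value   = '(not set)'
                Finding = 'Not set explicitly; confirm the Group Policy setting applies'
            }
        }
    }
    return $findings
}

# Report findings. NoLMHash is normally enforced through the Group Policy setting
# "Network security: Do not store LAN Manager hash value on next password change".
$findings = Test-LmHashExposure
if ($findings) { $findings | Format-Table -AutoSize } else { 'No LM hash exposure found.' }

# Remediation for finding 1 (uncomment to apply): raise the domain minimum length.
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 15
```

Note that raising the minimum length only removes LM hashes as users change their passwords, which is why the section pairs it with forcing a password change at next logon.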

There are additional layers of security against this type of attack, which may take longer to implement. Bolstering endpoint security helps secure clients and protect against the malware used to extract hashes from memory. Adding MFA offers additional protection if a password does become compromised, although it’s worth bearing in mind that MFA is far from bulletproof. Admins can also roll out newer OS features like virtualization-based security (VBS) in modern Windows versions; with VBS, Windows holds secrets in a protected, isolated space.

3. Kerberoasting 

Kerberoasting is an attack targeting service accounts in Active Directory Domain Services. An attacker carries out a Kerberoasting attack by first gaining initial access to the network, which could be through a low-privileged or standard user account. They then request a service ticket for high-level service accounts from the Key Distribution Center (KDC) in Active Directory.

The KDC replies with a ticket for the service account, encrypted with a key derived from the service account’s password. The attacker can then extract that service ticket from the memory of the local machine they have compromised. After extracting the encrypted ticket, they take it offline and attempt to crack the password using password-cracking software. The attack is highly effective because service accounts often have high privileges and permissions, and attacking the password offline carries less risk of detection.

Tactics to help defend against kerberoasting: 

  • Implement strong password policies – use complex and strong passwords for service accounts, and continuously scan for compromised passwords 
  • Regularly change service account passwords. By stopping accounts and passwords from becoming stale, it’s less likely that an attacker will be able to use an old ticket. However, this is only really practical when you have an effective third-party solution to manage the process 
  • Monitor the network for service account ticket requests – look for abnormal patterns in service ticket requests 
  • Make sure password policies are applied to stale and inactive accounts, as well as active and privileged accounts 
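The first, second and third tactics in the list above can be turned into two checks: an inventory of the accounts that carry service principal names (the accounts a service ticket can be requested for), and a scan of the security log for the ticket requests such an attack produces. The PowerShell below is an added example, not code from the original article or from Specops. It assumes the RSAT ActiveDirectory module, that the event query runs on a domain controller with "Audit Kerberos Service Ticket Operations" enabled, and that `Get-KerberoastableAccounts` and `Find-Rc4ServiceTicketRequests` are names chosen here for illustration. The encryption-type bit values and event ID 4769 are documented Windows values; the alert threshold is an assumed starting point.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module; the event-log part assumes it runs on a DC with 4769 auditing enabled.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (documented by Microsoft).
$AES128 = 0x8; $AES256 = 0x10; $RC4 = 0x4

function Get-KerberoastableAccounts {
    param([int]$MaxPasswordAgeDays = 90)   # assumed rotation interval for service accounts
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        # A null attribute casts to 0: no AES preference set, so the KDC may
        # still issue an RC4-encrypted service ticket for this account.
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
            StalePassword   = ($_.PasswordLastSet -lt $cutoff)
            AesOnly         = ((($enc -band ($AES128 -bor $AES256)) -ne 0) -and (($enc -band $RC4) -eq 0))
            # Direct membership only; nested membership needs a recursive lookup.
            PrivilegedGroup = [bool]($_.MemberOf -match 'CN=(Domain|Enterprise|Schema) Admins,|CN=Administrators,')
            SPNCount        = @($_.ServicePrincipalName).Count
        }
    }
}

function Find-Rc4ServiceTicketRequests {
    param([int]$MaxEvents = 5000, [int]$Threshold = 10)
    # 4769 = "A Kerberos service ticket was requested". TicketEncryptionType
    # 0x17 is RC4-HMAC, the weakest type a modern KDC still issues and the one
    # most worth alerting on when a single client asks for it repeatedly.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requester = $d['TargetUserName']
            ClientIP  = $d['IpAddress']
            Service   = $d['ServiceName']
            EncType   = $d['TicketEncryptionType']
        }
    } |
    # Computer accounts (names ending in $) use AES by default; krbtgt is the TGT itself.
    Where-Object { $_.EncType -eq '0x17' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
    Group-Object Requester, ClientIP |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Requester        = $_.Group[0].Requester
            ClientIP         = $_.Group[0].ClientIP
            Rc4Requests      = $_.Count
            DistinctServices = ($_.Group.Service | Sort-Object -Unique).Count
        }
    }
}

# Inventory first: stale passwords, RC4-capable accounts and privileged service
# accounts are the ones to fix. Then look for clients bulk-requesting RC4 tickets.
Get-KerberoastableAccounts | Sort-Object PrivilegedGroup, StalePassword -Descending | Format-Table -AutoSize
Find-Rc4ServiceTicketRequests | Format-Table -AutoSize
```

A high `DistinctServices` count from one requester in a short window is the pattern the third bullet refers to; a single RC4 request is normal for legacy applications, so tune the threshold to your environment before alerting.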

4. DCSync attacks 

Domain controllers that host Active Directory Domain Services synchronize changes through replication. An attacker can imitate the replication process of a domain controller by sending a GetNCChanges request to capture credential hashes from the primary domain controller. Tools such as Mimikatz, which are freely available and open-source, make this attack easy to carry out.

Defensive measures against DCSync attacks: 

  • Make sure to have strong security rules for domain controllers. Keep important accounts safe by using strong passwords 
  • Purge your Active Directory of stale and inactive accounts, including those used for services 
  • Vigilantly track modifications to domain groups and other related activities 
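Because a DCSync request succeeds only for a principal that holds the directory replication rights on the domain, the first and third bullets above reduce to two concrete checks: who currently holds those rights, and whether anyone other than a domain controller has exercised them. The PowerShell below is an added example, not code from the original article or from Specops. It assumes the RSAT ActiveDirectory module, that the event query runs on a domain controller with "Audit Directory Service Access" enabled, and that `Get-ReplicationRightHolders` and `Find-DcSyncEvents` are names chosen here for illustration; the three extended-right GUIDs and event ID 4662 are documented Windows values, and the list of expected holders is an assumption to adjust for your environment.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module; the event query assumes 4662 auditing is enabled on the DC it runs on.
Import-Module ActiveDirectory

# Extended rights that together allow a principal to replicate secrets (DCSync).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals that legitimately hold replication rights (assumed baseline; add
# e.g. an Azure AD Connect service account if your environment uses one).
$Expected = @('Domain Controllers', 'Enterprise Domain Controllers', 'Administrators',
              'Read-only Domain Controllers', 'Enterprise Read-only Domain Controllers')

function Get-ReplicationRightHolders {
    # Read the ACL of the domain naming context through the AD: drive.
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and $ReplicationRights.ContainsKey($guid)) {
            $name = $ace.IdentityReference.Value.Split('\')[-1]
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
                Expected  = ($Expected -contains $name)   # case-insensitive
            }
        }
    }
}

function Find-DcSyncEvents {
    param([int]$MaxEvents = 5000)
    # 4662 = "An operation was performed on an object". Its Properties field lists
    # the control-access GUIDs exercised; replication by a non-DC is the signal.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $used = @($ReplicationRights.Keys | Where-Object { $d['Properties'] -match $_ })
        # Domain controllers replicate with their computer account (name ends in $).
        if ($used.Count -gt 0 -and $d['SubjectUserName'] -notlike '*$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Rights  = (($used | ForEach-Object { $ReplicationRights[$_] }) -join ', ')
            }
        }
    }
}

# Unexpected right holders are the remediation list; non-DC replication events are the alert.
Get-ReplicationRightHolders | Where-Object { -not $_.Expected } | Format-Table -AutoSize
Find-DcSyncEvents | Format-Table -AutoSize
```

Run the ACL check on a schedule and diff the output: a new holder of DS-Replication-Get-Changes-All is exactly the kind of modification the third bullet asks you to track.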

Similar to Kerberoasting, safeguarding against DCSync attacks will take a layered approach over time. You’ll need to implement security protocols for your domain controller and audit Active Directory to identify essential and removable accounts. Interested in auditing? Download our free tool to run a read-only scan of your Active Directory and get an exportable, interactive report.  

5. Golden ticket attacks 

A golden ticket attack involves an intruder obtaining the NTLM hash of the Active Directory Key Distribution Service Account (KRBTGT). With the KRBTGT hash, the attacker can forge Kerberos tickets for themselves and for any other account. This attack is challenging to detect and can result in prolonged network compromise. 

Strategies to protect against Golden Ticket Attacks: 

  1. Regularly update the KRBTGT account password, ideally rotating it at least every 180 days 
  2. Implement and maintain a policy of least privilege across your Active Directory setup; doing this correctly may require several phases 
  3. Ensure the use of robust, strong passwords via your password policy, so attackers don’t get an easy initial foothold in your environment 
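Strategies 1 and 2 above are both things you can measure: how old the KRBTGT password is against the 180-day target, and which accounts sit in the highest-privilege groups with the signals a least-privilege review starts from. The PowerShell below is an added example, not code from the original article or from Specops; it assumes the RSAT ActiveDirectory module and that `Get-KrbtgtPasswordAge` and `Get-PrivilegedAccountReport` are names chosen here for illustration.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param([int]$MaxAgeDays = 180)   # the rotation interval the section above recommends
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    [pscustomobject]@{
        Account         = $krbtgt.SamAccountName
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = $age
        Overdue         = ($age -gt $MaxAgeDays)
    }
}

function Get-PrivilegedAccountReport {
    # Flattened (nested) membership of the groups a least-privilege review covers.
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so lookups that fail in a child domain are skipped.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Group                = $g
                Account              = $_.SamAccountName
                Enabled              = $_.Enabled
                LastLogonDate        = $_.LastLogonDate
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                # A privileged account with an SPN is also a Kerberoasting target.
                HasSPN               = (@($_.ServicePrincipalName).Count -gt 0)
            }
        }
    }
}

Get-KrbtgtPasswordAge | Format-List
Get-PrivilegedAccountReport | Sort-Object Group, Account | Format-Table -AutoSize
```

Accounts that are disabled, have not logged on for months, or have passwords set to never expire are the usual first removals in a least-privilege pass; treat an `Overdue` KRBTGT result as a scheduled task, not an emergency, since a rotation done twice in quick succession will invalidate tickets that are still legitimately in use.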

6. Targeting weak AD-integrated applications 

Organizations may have weak AD-integrated legacy applications that use hard-coded credentials, weak encryption, weak network security protocols, or other risky software architecture. These could all provide an opening for hackers to breach your Active Directory. However, bear in mind that remediating legacy business-critical applications can be a significant undertaking that may require months or longer.

Software applications may need to be refactored or replaced altogether, which can be difficult. Correctly understanding the software landscape with a proper audit is essential. Afterward, businesses must decide if the risks from a security front justify refactoring or rewriting applications. If this isn’t possible, implementing other security safeguards to help mitigate the risk may be an option. 

The common theme? Password security.  

Understanding attack paths to protect Active Directory is essential for businesses using Active Directory Domain Services. Some attack paths can be remediated more quickly than others, but one of the most critical steps to help protect against most attack paths is bolstering user credential security.  

You’ll have noticed that from a hacker’s perspective, the key to many of these attack paths is gaining an initial foothold via an account within your organization. The easiest way for them to do this is by exploiting a weak or compromised password.  

Specops Password Policy can help you quickly get strong password policies in place that go beyond the default settings in Active Directory. Your Active Directory will also be continuously scanned for over 4 billion unique known compromised passwords. Speak to an expert to learn how Specops Password Policy could fit in with your organization.  


Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.
