A plan for recovering Active Directory (AD) should be a priority for your identity threat detection and response (ITDR) plan. After all, we live in a federated world of hybrid identities, zero-touch login, and distributed work. In this digital landscape, everything is connected. For most organizations, AD is at the heart of authenticating workers so that they can use globally connected apps and services. If AD isn’t secure, nothing is.
Every organization would rather prevent an AD attack than recover from one. Yet many attempted AD attacks succeed. According to a report from Enterprise Management Associates, 50% of organizations experienced an attack on AD in the last one to two years, and more than 40% indicate that the AD attack was successful. Another sobering stat from the report: Penetration testers reported that they successfully exploited AD exposures 82% of the time.
Why you need a plan for recovering Active Directory
Unfortunately, Active Directory is often the weak link in the identity security chain. The problem isn’t AD itself. When properly configured and deployed, AD can be incredibly versatile. Unfortunately, AD can be misconfigured in as many ways as it’s deployed.
And threat actors know this. It’s why 90% of the attacks investigated by cybersecurity consultancy Mandiant involved AD in some form. In those cases, AD was the initial attack vector, it was targeted to achieve persistence, or it was used to gain privileges and allow lateral movement through the network.
The problem is twofold:
- First, systemic weaknesses in AD make it a soft target. Because cloud identity extends from AD, it’s a prime target for credential abuse, a tactic involved in 80% of all data breaches.
- Second, the zero-trust model for network access has an oversight: It implicitly assumes that the systems on which it’s applied, including AD, maintain their integrity.
For these reasons, AD is frequently a primary part of the cyberattack kill chain. Threat actors use AD to facilitate everything from persistence techniques to privilege escalation to defense evasion.
A real-world worst-case scenario
We recently witnessed firsthand just how much damage threat actors can cause through a compromised instance of Active Directory.
One of our partners in EMEA contacted us in early January. A critical infrastructure client in the Middle East had been compromised. Our partner was in the middle of an endpoint detection and response (EDR) deployment when it discovered malware on the client’s domain controllers. Not only were various clients and servers already under the intruders’ control, but the AD forest was completely compromised and controlled by the bad guys.
So, they called us in.
Helping the victim survive required a coordinated and well-orchestrated lockdown and recovery operation between the client and Semperis. The first thing we did was create a safety net via our Active Directory Forest Recovery (ADFR) tool. We began by creating a backup of the customer’s AD, decoupled from its operating system. This enabled us to avoid nasty surprises such as rootkits and backdoors embedded in the client’s OS.
To that end, we also quarantined everything sitting in Group Policy — shutting down malicious tactics that leverage script injection like the Ryuk ransomware. We also made sure to adhere to Microsoft Forest Recovery Guidance. We rotated the Kerberos ticket twice to prevent Golden Ticket attacks.
Our safety net established, we moved to the analysis stage, where we sought answers to several core questions:
- How did threat actors get in?
- How did they compromise AD?
- How did they acquire domain credentials?
- Could they use additional exposures to regain access?
- Were there any backdoors that needed to be closed?
- What was the client’s baseline security posture?
- What best practices did the client have in place?
While this all took place, the client — a critical infrastructure operator — continued with business as usual. Extended downtime simply wasn’t an option. The organization needed to keep providing service to its own customers, even as we probed its systems for signs of threat actors.
Evaluating the root cause
What we soon discovered was that the client was being attacked from multiple directions and by multiple attackers, each independent of the others. There were at least four attackers, each at a different stage in the kill chain. Some already had domain accounts, and some were attempting password spraying.
We had a cybersecurity nightmare on our hands.
To check for system exposures such as Group Policy Object (GPO) linking and reversible passwords, we leveraged Purple Knight. We also applied additional scripts, manual checks, and solutions as the situation demanded.
We found multiple user accounts, including administrator accounts, with defined SPNs: prime targets for Kerberoasting. We also found that the domain computers lacked the capacity to define any certificate in the system. And we found a helpdesk account that could reset any and all passwords on the system, including those of system administrators.
Recovering Active Directory
We’d never faced a scenario quite like this one. Fixing the problem seemed akin to being shot at from multiple directions while we tried to change the tires on a car that was speeding down the highway at 100 miles per hour.
Ultimately, we decided that our best bet was to divide and conquer. The EDR team continued to deploy their EDRs on the servers, while seeking out and neutralizing the command-and-control centers. We spent a full day and a half hardening Active Directory. Our actions included:
- Introducing a tiering model (administrators had been logging into their email on ordinary workstations)
- Creating completely new accounts leveraging the MS Protected user group
- Identifying and removing potential Kerberoasting targets
- Configuring organizational unit (OU) permissions and GPO adaptations
Our last step was the most challenging. We needed to preserve the core of this critical infrastructure organization’s deployment — something akin to a digital heart transplant.
We waited for the weekend, when traffic would be at a minimum, and then set to work taking everything offline.
Just 30 minutes later, we’d transplanted a clean, hardened AD back into the system. ADFR took care of details, such as RID pools and Kerberos tickets, while the EDR team dealt with 20 command-and-control systems and blocked hundreds of IP addresses. A quick restart later, and all that remained was a fully functional, secure AD deployment — one enabled with Azure AD Passthrough for Office 365.
Pulled out of the fire
Active Directory is incredibly versatile, but it can also be a huge security threat if improperly configured. Our client learned that the hard way. Thankfully, they had solutions in place that enabled it to course-correct — without significant service interruptions.
Although recovering Active Directory in this situation put a lot of strain on everyone involved, the reward of fending off the attackers was priceless. As Semperis CEO Mickey Bresman often says, our mission is to be a Force for Good. Our Breach Preparedness & Incident Response (BP&IR) team takes this responsibility seriously — as do all of us at Semperis. As we head into the new year, our resolution is to continue to help organizations around the globe fend off cyberattacks by strengthening their ITDR stance and to use every resource available to help you recover Active Directory should the worst happen.