What are the main threats against Active Directory in 2023?
Active Directory can be susceptible to a number of different attacks, with varying levels of reach and impact. Some are easier to effect than others, but the result of an attack could be credential compromise, data loss, denial of service, and reputational damage, all of which are clearly undesirable. These threats include:
- Pass-the-Ticket (PTT) / Pass-the-Hash (PTH) Attacks
Attackers can steal Kerberos tickets or NTLM hashes and use them to impersonate legitimate users within the network.
- Golden Ticket Attacks
Attackers with access to the Key Distribution Center (KDC) can forge a “Golden Ticket” that allows them to access any resource within the domain.
- NTLM Relay Attacks
Attackers can intercept NTLM authentication sessions and relay them to another host, gaining unauthorised access.
- LDAP Injection
Attackers can manipulate LDAP queries to gain unauthorised access to directory objects.
- ACL Abuse
By manipulating Access Control Lists (ACLs), attackers can escalate privileges or gain unauthorised access to resources.
- SID Injection
Attackers can inject additional SIDs into their token, allowing them to assume the rights associated with those SIDs.
- DNS Reconnaissance and Poisoning
Attackers can gather information about the AD infrastructure or poison DNS records to redirect traffic.
- Group Policy Object (GPO) Abuse
Attackers with lower-level privileges can create or modify GPOs to execute malicious code or change security settings, elevating their permissions and enabling lateral movement.
- Kerberoasting
Attackers can request service tickets and attempt to crack them offline to obtain service account credentials.
- DCShadow (Rogue Domain Controller)
Attackers can mimic a Domain Controller (DC) and push malicious changes to other DCs within the network.
- Cloud Integration Attacks
With the integration of AD with cloud services, attackers may attempt to exploit misconfigurations or vulnerabilities in these connections.
- Zero-Day Vulnerabilities
New or previously undiscovered vulnerabilities in AD or related components could be exploited by attackers.
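As an added example (not part of the original article), the following detection check targets the service-ticket cracking threat listed above: it parses constructed Windows Security event 4769 records (field names simplified from the real event, sample values assumed) and flags accounts that request RC4-encrypted tickets for several distinct service accounts within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows Security event 4769 records (Kerberos service
# ticket requested), reduced to the fields this check needs. Sample data only.
SAMPLE_4769 = [
    "2023-05-01T09:00:01 AccountName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 Status=0x0",
    "2023-05-01T09:00:02 AccountName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0",
    "2023-05-01T09:00:03 AccountName=mallory@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0",
    "2023-05-01T09:00:04 AccountName=mallory@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0",
    "2023-05-01T09:00:05 AccountName=mallory@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0",
    "2023-05-01T09:00:06 AccountName=carol@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0",
    "2023-05-01T09:30:00 AccountName=dave@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    # Split one record into its timestamp and key=value fields.
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def is_user_spn_rc4(ev):
    # A successful RC4 (0x17) request for a non-machine, non-krbtgt service
    # account is the classic signature of a ticket fetched for offline cracking.
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt"
            and ev["Status"] == "0x0")

def find_kerberoast_candidates(lines, window_seconds=300, min_spns=3):
    # Flag accounts that request RC4 tickets for several distinct service
    # accounts inside one window: one request is noise, a burst is not.
    by_account = defaultdict(list)
    for ev in map(parse_event, lines):
        if is_user_spn_rc4(ev):
            by_account[ev["AccountName"]].append(ev)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            spns = {e["ServiceName"] for e in evs[i:]
                    if (e["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(spns) >= min_spns:
                flagged[account] = sorted(spns)
                break
    return flagged
```

In production the same logic runs over the real 4769 stream; accounts that legitimately touch many RC4-only services should be allow-listed, and the long-term fix is to move service accounts to AES keys and long random passwords so RC4 requests become rare enough to alert on individually.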