Active directory domain services definition11/14/2022 ![]() ![]() This is where the ATT&CK Discovery Phase is important to an attacker. They are also going to be mainly oblivious of the full details of the compromised system such as user accounts, privileges and network resource access. The attack up to this stage will be mostly automated so the attacker will likely get a C&C notification about a new shell and therefore a new compromised machine. This is the starting point for this article’s ‘assume breach’ premise. This then leads to a reverse shell command and control (C&C) backdoor from the compromised user’s Windows laptop back to the attacker. In conjunction with javascript execution and in some cases vulnerability, such a link automatically runs a memory-only malware leveraging Windows Powershell. This phishing attack contains a link to a fake Office 365 OneDrive login which the employee falls for. The initial attack involves a phishing email to an employee. Let’s look at a hypothetical attack flow following this pattern: This will also imply that the threat actor is more than likely trying to work their way to a higher privileged account and subsequently crown jewel system such as the domain controller. ![]() For example, this could be the compromise of a user account via phishing that may, in turn, lead to business email compromise (BEC). The premise here is aligned with the assume breach philosophy which implies that a threat actor may already have unauthorized access to your systems or network, albeit possibly with lower-level privileges. Source: (v=ws.10) Path to the Domain Controller The challenge is that if we decided to close ports, to reduce attack surfaces, Active Directory ceases to function properly. This amounts to an expansive attack surface that bad actors can make use of. The table below shows the ports and protocols likely to be used by a typical domain controller that must be left open. All these services come with associated ports and protocols. Most of these attacks are heavily facilitated by network traversal. This broadens the attack surface and indeed there are many attacks against components such as: Roles such as DNS for name internal resolution, Kerberos ticketing for authentication, Server Message Block, Certificate services and a whole lot more. Windows Server 2012 – Server Manager Dashboard showing three roles: AD directory server, DNS and file services.Īs a result of the heavily intertwined roles on a Windows domain, the domain controller hosts many different services depending on the number of roles it is provisioned to perform. Although quite heavily GUI driven, a domain controller and active directory server are very complex, especially in a typical corporate network where there is likely to be several for replication and fault tolerance. It is also installed with a DNS server to manage name resolution and other internal network services. A server provisioned with the Active Directory Domain Services roles becomes a domain controller. It holds a directory of users, groups and computers and is a repository of network services such as file shares, network shares and printers. You likely know this already, but a Microsoft Domain Controller server, Active Directory, is responsible for authenticating access (verifying users logging on) to a Windows domain and associated network resources. Let’s examine an attack, assuming breach-that an attacker will eventually find a way in.īut first, let’s look at domain controllers. Once an attacker has access to it, they are effectively an IT admin, so “living off the land” could not be easier. Once they do get in, it is a matter of moving laterally, often to reach the domain controller in order to orchestrate an attack. Our next post will examine some ways attackers move laterally, and lastly, we’ll explore mitigations for preventing lateral movement. Many of the techniques effectively “live off the land” of an endpoint or server to eventually get to domain controllers and launch an attack. ![]() This blog looks at the approach attackers use, after gaining an initial foothold on a domain controller, to discover and understand an environment prior to moving laterally. It also enforces security policies, stores a user’s account information, and authenticates users for a domain. The controller is a gatekeeper for allowing host access to domain resources. A domain controller is a type of computer server that responds to security authentication requests and verifies users on the domain of a computer network. ![]()
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |