Unveiling Active Directory Security Risks: A Comprehensive Analysis of Management Issues and Vulnerabilities

By FIRSTCON24 Diamond Sponsor: CyCraft
Friday, June 21st, 2024

In this report, the CyCraft research team analyzes 27 organizations in Taiwan (listed companies, Level-A government agencies and healthcare institutions), covering 46 AD domains and 1,057,000 objects. These statistics from real-world environments give readers solid evidence of the general management issues and security weaknesses of Active Directory (AD). The report covers a range of AD security issues commonly observed in enterprises, such as plaintext passwords, password cracking, misconfiguration and misuse.

By reviewing the issues raised in this report, readers are encouraged to check whether similar security problems exist in their own environments and whether their enterprise's remediation plans or management policies actually solve them.

Figure 1

100% of the Reported Environments Contain Risks of Password Cracking on User Accounts

Kerberoasting, first described in 2014, is a technique frequently used in the post-exploitation phase. According to our statistics, every environment has on average 6 accounts vulnerable to Kerberoasting. This attack appears in most red-team engagements, serving as the best route to gain initial access to the targeted domain. Most environments are vulnerable because passwords are not changed regularly or because of obsolete service accounts whose purpose nobody remembers. By cracking these passwords, attackers can also infer the password patterns used by the target.

The most common scenario is an MSSQL installation, which automatically registers an SPN on the AD account the service runs as, rendering that account vulnerable to Kerberoasting. This automatic registration triggers no notification, so in most cases users put their accounts at risk without knowing it. Since MSSQL is usually installed by IT administrators or developers, the value of cracking such an account is extremely high: it guarantees access to other computers, and attackers may even directly crack the passwords of Domain Admins members.
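The following audit is an added example, not code from the CyCraft report. It lists the Kerberoastable user accounts of a domain (those carrying an SPN), flags the MSSQL case described above, and ranks them by password age and privilege. It assumes the RSAT ActiveDirectory module and read access to the domain; `$MaxAgeDays` is an assumed threshold.

```powershell
# Added audit example (not part of the CyCraft report). Assumes the RSAT ActiveDirectory
# module and read access to the domain; $MaxAgeDays is an assumed threshold.
Import-Module ActiveDirectory
$MaxAgeDays = 365

# User objects carrying an SPN are the Kerberoastable ones; krbtgt is excluded because
# its SPN is intrinsic to the KDC and its key is rotated by a separate procedure.
$filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
$props  = 'servicePrincipalName','PasswordLastSet','Enabled','AdminCount','msDS-SupportedEncryptionTypes'

$report = Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
    $spns    = @($_.servicePrincipalName)
    $ageDays = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
    $enc     = [int]$_.'msDS-SupportedEncryptionTypes'   # $null -> 0, i.e. attribute not set
    [PSCustomObject]@{
        Account         = $_.SamAccountName
        Enabled         = $_.Enabled
        # MSSQL setup registers MSSQLSvc/<host>:<port|instance> on its service account
        MssqlSpn        = [bool]($spns -match '^MSSQLSvc/')
        SpnCount        = $spns.Count
        PasswordAgeDays = $ageDays
        StalePassword   = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
        # adminCount=1 marks current or former members of protected groups such as Domain Admins
        Privileged      = ($_.AdminCount -eq 1)
        # bit 0x4 = RC4, 0x8 = AES128, 0x10 = AES256; unset is treated as RC4-capable (conservative)
        Rc4Capable      = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
    }
}

# Highest-risk first: privileged, stale password, then oldest password
$report | Sort-Object -Property @{Expression='Privileged';Descending=$true},
                                @{Expression='StalePassword';Descending=$true},
                                @{Expression='PasswordAgeDays';Descending=$true} | Format-Table -AutoSize
```

Accounts that come out on top should get a long random password, be moved to a group managed service account (gMSA) where the software supports it, and have RC4 removed from msDS-SupportedEncryptionTypes.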

Management Passwords are Plaintext Passwords

Even though it is already 2024, according to our statistics 18.52% of the observed enterprises still contain plaintext passwords in their AD attributes or descriptions. These are often generic passwords used throughout the enterprise, and their patterns can easily be discerned from these attributes. The reasons these environments contain plaintext passwords include old Linux/Unix systems that formerly relied on designated fields to store passwords and needed to remain compatible with AD, and IT management software that extends the schema with specific fields for password storage but fails to implement proper access controls.

In our experience, these passwords often reveal the enterprise's password management policies, commonly used password patterns, or project names. Even if these passwords are old or no longer in use, they may still be reused in other systems, with slight variations or without modification. According to our experience in red and blue teaming, these plaintext passwords help attackers crack passwords accurately, especially since most of them were previously used by IT administrators.
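As an added example (not code from the CyCraft report), the scan below looks for the two sources described above: password-like text in the free-text attributes that every authenticated user can read, and any value at all in the legacy Unix-compatibility password fields. It assumes the RSAT ActiveDirectory module; `$Pattern` is an assumed keyword list, and `$TextAttrs`/`$LegacyAttrs` should be extended with any custom schema fields your management software added.

```powershell
# Added example (not part of the CyCraft report). Assumes the RSAT ActiveDirectory module.
# $TextAttrs / $LegacyAttrs are standard AD attribute names; extend them with any custom
# schema fields your management software added. $Pattern is an assumed keyword list.
Import-Module ActiveDirectory

$TextAttrs   = 'description','info','comment'      # free text, readable by every authenticated user by default
$LegacyAttrs = 'userPassword','unixUserPassword'    # Unix/LDAP compatibility fields; any value here is a finding
$Pattern     = '(?i)\b(pass(?:word|wd)?|pwd|secret|credential)s?\b\s*[:=]?\s*(\S+)'

$scope = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties ($TextAttrs + $LegacyAttrs)
$findings = foreach ($obj in $scope) {
    foreach ($a in $TextAttrs) {
        $text = @($obj.$a) -join ' '
        if ($text -and $text -match $Pattern) {
            # Report the keyword and the length of the value, never the value itself
            [PSCustomObject]@{ Object=$obj.Name; Attribute=$a; Evidence="$($Matches[1]) ... ($($Matches[2].Length) chars, masked)" }
        }
    }
    foreach ($a in $LegacyAttrs) {
        if ($obj.$a) {
            [PSCustomObject]@{ Object=$obj.Name; Attribute=$a; Evidence="value present ($(@($obj.$a).Count) entries)" }
        }
    }
}
"{0} objects scanned, {1} findings" -f @($scope).Count, @($findings).Count
$findings | Sort-Object Attribute, Object | Format-Table -AutoSize
```

Each finding needs two actions: clear the attribute, and rotate the password it exposed everywhere it may have been reused, since the text above notes that old values tend to live on in other systems.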

Is the Password Management Policy Really Being Implemented?

Password management policies, such as those outlined in ISO 27001, provide comprehensive guidance on various aspects of passwords, including complexity requirements and periodic password changes. It is common for environments to require a password change every 90 to 365 days. However, we find that 95.65% of the reported environments do not fully implement their own password-change policies. In one of the largest environments, approximately 40% of accounts do not update their passwords regularly.

Why is there a discrepancy between the policy and its actual implementation? The CyCraft research team finds that the financial industry strictly adheres to such rules, while other industries, although they have similar policies, tend to have longer password-change cycles. Besides regular user accounts, the accounts least likely to adhere to the password management policy are automated service accounts. These accounts are often exempted from password management policies to keep services running, or because the software itself does not support automatic password changes. Even when the entire AD is compromised, these service accounts are often left out of the password-change list during incident response. The service owners are often unsure where the new password needs to be updated after the service account's password is changed.
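To measure the gap between policy and practice described above, the added example below (not code from the CyCraft report) compares each enabled account's real password age with the policy that applies to it and separates out the accounts exempted through PasswordNeverExpires, which is where the service accounts usually hide. It assumes the RSAT ActiveDirectory module; the SPN-based service-account heuristic is an assumption.

```powershell
# Added example (not part of the CyCraft report). Assumes the RSAT ActiveDirectory module.
# Compares each enabled account's actual password age with the policy that applies to it
# (domain default or a fine-grained policy) and separates out PasswordNeverExpires exemptions.
Import-Module ActiveDirectory

$domainMax = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$now   = Get-Date
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet,PasswordNeverExpires,servicePrincipalName

$rows = @(foreach ($u in $users) {
    # A fine-grained password policy (PSO) overrides the domain default; this call is per user, so it is slow on large domains
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    $max = if ($pso) { $pso.MaxPasswordAge } else { $domainMax }
    $age = if ($u.PasswordLastSet) { $now - $u.PasswordLastSet } else { $null }
    [PSCustomObject]@{
        Account      = $u.SamAccountName
        HasSpn       = (@($u.servicePrincipalName).Count -gt 0)   # crude service-account heuristic (assumed)
        NeverExpires = $u.PasswordNeverExpires
        MaxAgeDays   = if ($max.TotalDays -gt 0) { [int]$max.TotalDays } else { $null }   # 0 = no expiry at policy level
        AgeDays      = if ($null -ne $age) { [int]$age.TotalDays } else { $null }
        Compliant    = ($max.TotalDays -gt 0) -and ($null -ne $age) -and ($age -le $max) -and (-not $u.PasswordNeverExpires)
    }
})

$total = $rows.Count
$stale = @($rows | Where-Object { -not $_.Compliant }).Count
"{0} of {1} enabled accounts ({2:P2}) are outside their password-age policy or exempt from it" -f $stale, $total, ($stale / $total)
"PasswordNeverExpires set on {0} accounts, {1} of them carrying an SPN" -f @($rows | Where-Object NeverExpires).Count, @($rows | Where-Object { $_.NeverExpires -and $_.HasSpn }).Count
$rows | Where-Object { -not $_.Compliant } | Sort-Object AgeDays -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

The exempt list doubles as the inventory that is missing during incident response: for each such account, record which service consumes the password so that it can be rotated together with everything else.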

Permissions Have Not Been Revoked during Maintenance

It is common for IT administrators to create the account first when helping a new employee get set up, or when a new server is added to the domain. In this process, the creator becomes the Owner of the user/computer object in AD, but these users/computers may ultimately turn out to be Tier 0 accounts or core system assets. In the organizational structure of most large enterprises, the personnel handling this process are typically not the actual administrators of those computers, resulting in unexpected control relationships.

Up to 84.78% of the observed environments add users/computers to the domain in this way. This creates extra privilege-escalation paths, where the helpdesk administrators responsible for adding users/computers to the domain can actually control more assets than originally intended. The correct practice is to revoke these Owner permissions regularly. Because of their potentially large number, enterprises tend to choose a more convenient but not entirely secure approach and revoke permissions only on important assets such as domain controllers and Tier 0 computers. In our observation, approximately 69.57% of all computers are configured this way, with the Owner permission never revoked.

The distribution of this issue among different enterprises is as follows: 15.22% in large enterprises (over 10,000 users), 41.30% in medium-sized enterprises (1,000 to 10,000 users), and 28.26% in small enterprises (1 to 1,000 users).
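The added example below (not code from the CyCraft report) finds the leftover ownership described in this section: it reads the security descriptor of every user and computer object through the AD: drive, reports objects whose owner is not an administrative principal, grouped by who still owns them, and can reset the owner to Domain Admins. It assumes the RSAT ActiveDirectory module and write access for the fix step; `$GoodOwners` is an assumed list to adjust to your tiering model.

```powershell
# Added example (not part of the CyCraft report). Assumes the RSAT ActiveDirectory module.
# Lists user and computer objects still owned by whoever created them and, when $Fix is
# $true, resets the owner to Domain Admins. Review the report first with $Fix = $false.
Import-Module ActiveDirectory
$Fix = $false

$nb = (Get-ADDomain).NetBIOSName
# Owners considered acceptable (assumed list; adjust to your tiering model)
$GoodOwners   = @("$nb\Domain Admins", "$nb\Enterprise Admins", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$DomainAdmins = [System.Security.Principal.NTAccount]"$nb\Domain Admins"

$objects  = Get-ADObject -LDAPFilter '(|(objectClass=computer)(&(objectClass=user)(objectCategory=person)))' -Properties whenCreated
$findings = @(foreach ($o in $objects) {
    # The ActiveDirectory module exposes the directory as the AD: drive, so Get-Acl works on a DN
    $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
    if ($GoodOwners -notcontains $acl.Owner) {
        [PSCustomObject]@{ Object=$o.Name; Class=$o.ObjectClass; Owner=$acl.Owner; Created=$o.whenCreated; DN=$o.DistinguishedName }
    }
})

"{0} of {1} objects are owned by a non-administrative principal" -f $findings.Count, @($objects).Count
# Who holds the most unintended control: typically the helpdesk accounts that join machines
$findings | Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name -First 10 | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        $acl = Get-Acl -Path "AD:\$($f.DN)"
        $acl.SetOwner($DomainAdmins)          # ownership implies the right to rewrite the DACL, so it must sit with Tier 0
        Set-Acl -Path "AD:\$($f.DN)" -AclObject $acl
    }
}
```

Changing the owner does not remove explicit ACEs the creator may also hold on the object, so pair this with a review of the DACL for the same principals.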

For the full report, please visit https://go.cycraft.ai/identity-en or scan the QR code below.

Figure 2

About CyCraft

CyCraft Technology stands as a pioneering force in AI-driven cybersecurity, bolstered by the support of leading venture capitalists. CyCraft has developed the world's first Autonomous Threat Exposure Management Platform, XCockpit, which focuses on managing enterprise attack paths to anticipate potential threats and exposures before a breach occurs. This innovative platform is specifically designed for organizations that prioritize security investments based on threat exposure management.

Founded in 2017 and headquartered in Taiwan, CyCraft has overseas offices in Japan and Singapore, serving government agencies, major banks, the defense industry, leading semiconductor foundries, and IC design houses. The company has garnered multiple recognitions from top international research institutions such as Gartner, IDC, and Frost & Sullivan.

www.cycraft.com
contact-sea@cycraft.com