Active Directory Attack Kill Chain Checklist for 2024

The "Active Directory Kill Chain Attack & Defense" concept is an organized way of understanding the sequence of phases in an Active Directory (AD) attack and the defenses that thwart or prevent each of them. Active Directory is the directory service Microsoft created for Windows domain networks; it provides user and resource management in enterprise environments.

To defend against Active Directory-based attacks, you can also download the Incident Response Plan Template. An example of an Active Directory kill chain attack, and how to defend against each phase, follows:

Reconnaissance:

  1. Attack: An attacker collects information about the target network's configuration, machine names, domain names, and user accounts.
  2. Defense: Limit the information you expose. Segment your network and monitor directory visibility.

Initial Compromise:

  1. Attack: The attacker exploits weaknesses to obtain initial access, for example through unpatched vulnerabilities, phishing, or weak passwords.
  2. Defense: Enforce multi-factor authentication, frequent patching, employee awareness training, and strong password policies.

Establish Foothold:

  1. Attack: After gaining access, the attacker installs malware, creates new accounts, or builds backdoors to establish a foothold.
  2. Defense: Use endpoint detection and response (EDR) tooling, routinely audit accounts and permissions, and watch for unusual activity.

Escalation of Privilege:

  1. Attack: The attacker attempts to obtain higher-level privileges by exploiting system vulnerabilities or abusing administrator accounts.
  2. Defense: Use privileged access management (PAM) tools, perform frequent privilege audits, and apply the principle of least privilege.

Internal Reconnaissance:

  1. Attack: Using elevated privileges, the attacker explores the network in search of high-value targets such as domain controllers.
  2. Defense: Use intrusion detection systems, segment your network, and monitor network traffic.

Move Laterally:

  1. Attack: The attacker moves through the network to gain access to other computers and possibly spread malicious software.
  2. Defense: Use network security tooling, monitor for lateral movement, and enforce strict access controls.
  3. Attack: The attacker sets up ways to persist in the network even if some of their access points are discovered and shut down.
  4. Defense: Incident response plans, frequent network scans, and continuous monitoring.

Complete Mission:

  1. Attack: The attacker succeeds in achieving their objective, which may include causing operational disruption, data exfiltration, or data encryption for ransom.
  2. Defense: Comprehensive incident response plans, frequent backups, and data loss prevention controls.

Understanding and countering each step of the Active Directory kill chain takes a mix of technical controls, security policies, and continual user education. Reducing the likelihood of such attacks requires regular review of security procedures, fast incident response, and ongoing monitoring.

In this article, we go into more detail on the Tactics, Techniques, and Procedures (TTPs) that attackers use to compromise Active Directory accounts, and provide advice on how to mitigate, detect, and prevent these attacks. It also covers modern post-exploitation adversary tradecraft and the Active Directory kill chain attack.

How Can Active Directory Be Secured Against Attacks?

A comprehensive checklist is essential for protecting Active Directory (AD) against intrusions. Here is a systematic approach:

  1. Patch and Update Frequently: Ensure that all systems, especially those that run Active Directory, are regularly patched and up to date with the latest security updates.
  2. Secure Domain Controllers (DCs): Keep domain controllers physically secure and run only AD services on them. Do not use DCs for other purposes.
  3. Create Strong Password Policies: Passwords should be complex and changed regularly. Use multi-factor authentication (MFA) and passphrases to improve security.
  4. Review User Accounts: Monitor user accounts and deactivate any that are unused or have excessive privileges.
  5. Limit Privileged Accounts: Reducing the number of users with administrative access is a crucial security precaution. Following the principle of least privilege, restrict each user's access to only what is necessary to perform their job.
  6. Monitor & Audit Actions & Logins: Put procedures in place to monitor and audit all actions and logins, especially those involving privileged accounts. Watch for anything unusual that might indicate an attack in progress.
  7. Protect Network Access to AD: Limit network access to AD servers. Firewalls and network segmentation keep unauthorized users from reaching them.
  8. Use Organizational Units & Group Policies: Apply Group Policies for security settings and arrange resources in Organizational Units (OUs) so that security configuration is consistent across the network.
  9. Disaster Recovery & Data Backup: Back up Active Directory frequently and be prepared for the worst. Test your backup and recovery procedures regularly.
  10. User Education: Train staff to recognize and avoid phishing and social engineering. Raising awareness significantly reduces the chance that an attack succeeds.
  11. Conduct Frequent Security Audits of Your Active Directory Environment: Audits confirm that it complies with best practices and applicable security standards.
  12. Implement Modern Security Solutions: Consider products such as endpoint protection platforms, SIEM, and IDS/IPS.
  13. Harden the Active Directory Configuration: Apply the recommended security settings for Active Directory, such as requiring Server Message Block (SMB) signing wherever possible and securing the Lightweight Directory Access Protocol (LDAP).
  14. Physical Access Control: Give only authorized individuals physical access to servers and other network devices.
  15. Stay Up to Date on Emerging Threats: Read up on new attack vectors and vulnerabilities that could affect AD, then adjust your security controls accordingly.

To keep your Active Directory environment secure, review and update this checklist regularly to account for new threats and organizational changes.

Security Checks for Active Directory (By Sean Metcalf – @Pyrotek3)

Here are some security checks you should consider for your Active Directory:

General Recommendations

  1. Manage local administrator passwords (LAPS).
  2. Enable RDP Restricted Admin mode where necessary.
  3. Remove unsupported operating systems from the network.
  4. Monitor scheduled tasks on sensitive systems (DCs, etc.).
  5. Ensure that out-of-band (OOB) management passwords (DSRM) are stored securely and changed regularly.
  6. Use SMB v2/v3+.
  7. Change the default domain administrator and KRBTGT passwords annually and whenever an AD administrator leaves.
  8. Remove trusts that are no longer required and enable SID filtering where appropriate.
  9. All domain authentication should be set, where possible, to "Send NTLMv2 response only. Refuse LM & NTLM".
  10. Block internet access for DCs, servers, and all administration systems.

Secure Admin Details

  1. Ensure admin groups contain only admin accounts, with no regular "user" or computer accounts.
  2. Ensure every admin account is marked "Account is sensitive and cannot be delegated".
  3. Add admin accounts to the "Protected Users" group to protect them across the domain.
  4. Remove all inactive admin accounts from privileged groups and disable them.

Protect AD Admin Credentials

  1. Limit AD admin membership and use custom delegation groups only.
  2. "Tiered" administration reduces the impact of credential theft.
  3. Ensure administrators only log on to approved workstations and servers.
  4. Use temporary, time-limited group membership for all admin accounts.

Protect Service Account Credentials

  1. Limit service accounts to systems of the same security level.
  2. Use "Managed Service Accounts" to reduce the risk of credential theft.
  3. Raise password requirements for administrators and service accounts (SAs) with Fine-Grained Password Policies (FGPP).
  4. Logon restrictions: limit the computers each service account can log on to and prevent interactive logon.
  5. Remove inactive service accounts from privileged groups and disable them.

Protect Resources

  1. Segment the network to protect administrative and critical systems.
  2. Use IDS to monitor the internal corporate network.
  3. Keep OOB management and network devices on separate networks.

Protect Domain Controller

  1. Run only software and services that support AD.
  2. Keep DC admin/logon rights to very few people and groups.
  3. Verify that patches are installed before running DCPromo.
  4. Validate scripts and scheduled tasks.

Protect Workstations (& Servers)

  1. Patch quickly, especially privilege escalation vulnerabilities.
  2. Apply the KB2871997 security back-port patch.
  3. Set the WDigest registry value (KB2871997/Windows 8.1/2012R2+) to 0: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, value UseLogonCredential (REG_DWORD) = 0.
  4. Deploy Microsoft AppLocker workstation whitelisting to block code execution in user folders such as the home directory and profile path.
  5. Deploy workstation application exploit-mitigation technology (EMET) to reduce the impact of zero-day application memory attacks.

Logging

  1. Enable enhanced auditing.
  2. Enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".
  3. Enable PowerShell module logging and forward the logs to a central log server.
  4. Enable CMD process auditing with command-line logging and forward the logs to the central log server.
  5. Use a SIEM or equivalent to consolidate as much log data as possible.
  6. Deploy user behavior analytics to gain a better understanding of user activity.
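Several items in the General Recommendations, Protect Workstations and Logging lists above map to specific registry values (WDigest caching, the NTLM response level, SMB signing and SMBv1, PowerShell script block and module logging, command-line process auditing). The following checker, written here as an added example and not taken from the checklist's author, parses a `reg export` style text file for a host and reports each item as pass, fail or missing. The registry paths and expected values are the documented Windows settings; the sample .reg text is constructed to exercise the checker offline.

```python
"""Evaluate an exported registry file against hardening checklist items.

Added example, not part of the original checklist. The key paths and
expected values are documented Windows settings; SAMPLE_REG is constructed.
"""
import re

# (registry key, value name, expected DWORD, checklist label)
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "UseLogonCredential", 0, "WDigest cleartext credential caching disabled"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "LmCompatibilityLevel", 5, "Send NTLMv2 response only. Refuse LM & NTLM"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "RequireSecuritySignature", 1, "SMB server signing required"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "SMB1", 0, "SMBv1 server disabled"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging",
     "EnableScriptBlockLogging", 1, "PowerShell script block logging on"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging",
     "EnableModuleLogging", 1, "PowerShell module logging on"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit",
     "ProcessCreationIncludeCmdLine_Enabled", 1, "Command line recorded in process creation events"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Collect the DWORD values of a .reg file as {key_path_lower: {name: int}}.
    Only DWORDs are needed for these checks; other value types are ignored."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry key names are case-insensitive
            values.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            values[current][m.group(1)] = int(m.group(2), 16)
    return values


def evaluate(values):
    """Return [(label, status, observed)] for every checklist item.
    An absent key or value is reported as 'missing', not as a pass: the
    effective default then depends on the OS version and must be verified."""
    results = []
    for key, name, expected, label in CHECKS:
        observed = values.get(key.lower(), {}).get(name)
        if observed is None:
            status = "missing"
        elif observed == expected:
            status = "pass"
        else:
            status = "fail"
        results.append((label, status, observed))
    return results


def failing(values):
    """Labels of every item that is not a confirmed pass."""
    return [label for label, status, _ in evaluate(values) if status != "pass"]


# Constructed sample export for one workstation (not from a real host).
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"LmCompatibilityLevel"=dword:00000003

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging]
"EnableScriptBlockLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit]
"ProcessCreationIncludeCmdLine_Enabled"=dword:00000001
"""

if __name__ == "__main__":
    for label, status, observed in evaluate(parse_reg(SAMPLE_REG)):
        print(f"{status:7} {label} (observed={observed})")
```

A real `reg export` writes UTF-16 text, so read the file with that encoding before passing it to `parse_reg`. The sample host fails the WDigest and NTLM items, has no `SMB1` or module logging value at all, and passes the remaining three, which is the kind of mixed result a checklist review usually turns up.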

Security Pro’s Checks

  1. Identify who has AD admin rights (domain/forest).
  2. Identify who can log on to Domain Controllers, and who has admin rights to the virtual environment hosting virtual DCs.
  3. Check Active Directory domains, OUs, AdminSDHolder, and GPOs for inappropriate custom permissions.
  4. Ensure AD admins (Domain Admins) protect their credentials by not logging on to untrusted systems (workstations).
  5. Limit the rights of service accounts that are currently DA (or equivalent).

These security checks will help you protect your Active Directory effectively.

Important Security Updates

Each entry gives the CVE, its title, a short description, and the advisory link.

CVE-2020-1472: Netlogon Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

CVE-2019-1040: Windows NTLM Tampering Vulnerability
A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, also known as the "Windows NTLM Tampering Vulnerability".
Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040

CVE-2019-0683: Active Directory Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, also known as the "Active Directory Elevation of Privilege Vulnerability".
Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683

CVE-2019-0708: Remote Desktop Services Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, also known as the "Remote Desktop Services Remote Code Execution Vulnerability".
Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

CVE-2018-8581: Microsoft Exchange Server Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Microsoft Exchange Server, also known as the "Microsoft Exchange Server Elevation of Privilege Vulnerability".
Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

CVE-2017-0143: Windows SMB Remote Code Execution Vulnerability
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, also known as the "Windows SMB Remote Code Execution Vulnerability". This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143

CVE-2016-0128: Windows SAM and LSAD Downgrade Vulnerability
The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, also known as the "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK".
Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0128

CVE-2014-6324: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, also known as the "Kerberos Checksum Vulnerability".
Link: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068

CVE-2014-1812: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle the distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, also known as the "Group Policy Preferences Password Elevation of Privilege Vulnerability".
Link: https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

Detection

Each attack is listed with the Windows event IDs that help detect it.

Account & Group Enumeration
  4798: A user's local group membership was enumerated.
  4799: A security-enabled local group membership was enumerated.

AdminSDHolder
  4780: The ACL was set on accounts which are members of administrators groups.

Kekeo
  4624: Account Logon
  4672: Admin Logon
  4768: Kerberos Authentication Ticket (TGT) Request

Silver Ticket
  4624: Account Logon
  4634: Account Logoff
  4672: Admin Logon

Golden Ticket
  4624: Account Logon
  4672: Admin Logon

PowerShell
  4104: Script Block Logging
  400: Engine Lifecycle
  403: Engine Lifecycle
  4103: Module Logging
  600: Provider Lifecycle

DCShadow
  4742: A computer account was changed.
  5137: A directory service object was created.
  5141: A directory service object was deleted.
  4929: An Active Directory replica source naming context was removed.

Skeleton Key
  4673: A privileged service was called.
  4611: A trusted logon process has been registered with the Local Security Authority.
  4688: A new process has been created.
  4689: A process has exited.

PYKEK MS14-068
  4672: Admin Logon
  4624: Account Logon
  4768: Kerberos Authentication Ticket (TGT) Request

Kerberoasting
  4769: A Kerberos service ticket was requested.

S4U2Proxy
  4769: A Kerberos service ticket was requested.

Lateral Movement
  4688: A new process has been created.
  4689: A process has exited.
  4624: An account was successfully logged on.
  4625: An account failed to log on.

DNSAdmin
  770: The DNS server has loaded the plug-in DLL.
  541: The setting serverlevelplugindll on scope . has been set.
  150: The DNS server could not load or initialize the plug-in DLL.

DCSync
  4662: An operation was performed on an object.

Password Spraying
  4625: An account failed to log on.
  4771: Kerberos pre-authentication failed.
  4648: A logon was attempted using explicit credentials.
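The event IDs above only become detections once a rule correlates them. As an added example (not part of the original article), the following Python implements three rules from the table, for Password Spraying (4625/4771), Kerberoasting (4769) and DCSync (4662), and runs them over constructed Security log records. Each record is a dict carrying the fields of the corresponding Windows event; the sample values, host names and IP addresses are constructed, not captured from a real domain. The replication extended-right GUIDs and the RC4 encryption type value are the documented Windows constants.

```python
"""Detection rules for Password Spraying, Kerberoasting and DCSync over
constructed Windows Security event records. Added example, not part of
the original article."""
from collections import defaultdict

# Extended rights that appear in 4662 Properties during directory replication.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC in event 4769


def detect_password_spray(events, threshold=5):
    """One source address failing logons (4625) or Kerberos pre-auth (4771)
    against many distinct accounts. Returns {source_ip: [accounts]}."""
    accounts_by_source = defaultdict(set)
    for e in events:
        if e["EventID"] in (4625, 4771):
            accounts_by_source[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: sorted(a) for ip, a in accounts_by_source.items() if len(a) >= threshold}


def detect_kerberoasting(events):
    """4769 service-ticket requests using RC4 for a service account that is
    neither krbtgt nor a machine account ($). Returns [(requester, service)]."""
    hits = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        svc = e["ServiceName"]
        weak_etype = e["TicketEncryptionType"].lower() == RC4_HMAC
        if weak_etype and not svc.endswith("$") and svc.lower() != "krbtgt":
            hits.append((e["TargetUserName"], svc))
    return hits


def detect_dcsync(events, dc_accounts):
    """4662 carrying a replication extended right, issued by a principal that
    is not a domain controller computer account. Returns [subject]."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = {p.strip("{}").lower() for p in e["Properties"]}
        if props & DS_REPLICATION_GUIDS and e["SubjectUserName"] not in dc_accounts:
            hits.append(e["SubjectUserName"])
    return hits


# Constructed sample log (not captured from a real domain).
SAMPLE_EVENTS = [
    {"EventID": 4625, "IpAddress": "10.0.0.5", "TargetUserName": "alice"},
    {"EventID": 4625, "IpAddress": "10.0.0.5", "TargetUserName": "bob"},
    {"EventID": 4625, "IpAddress": "10.0.0.5", "TargetUserName": "carol"},
    {"EventID": 4771, "IpAddress": "10.0.0.5", "TargetUserName": "dave"},
    {"EventID": 4771, "IpAddress": "10.0.0.5", "TargetUserName": "erin"},
    {"EventID": 4625, "IpAddress": "10.0.0.9", "TargetUserName": "alice"},  # a single typo, not a spray
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "WS01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": ["{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"]},
    {"EventID": 4662, "SubjectUserName": "eve", "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "eve", "Properties": ["{00000000-0000-0000-0000-000000000000}"]},  # unrelated right, placeholder GUID
]
DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed list of the domain's DC computer accounts


def run_all(events=SAMPLE_EVENTS, dc_accounts=DC_ACCOUNTS):
    """Run every rule and return its hits keyed by rule name."""
    return {
        "password_spray": detect_password_spray(events),
        "kerberoasting": detect_kerberoasting(events),
        "dcsync": detect_dcsync(events, dc_accounts),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Two design points matter in practice: the spray rule counts distinct accounts per source rather than raw failures, so a single user mistyping a password repeatedly does not trigger it, and the DCSync rule needs the list of legitimate DC accounts (and any Azure AD Connect or backup service accounts that replicate by design) as an allow-list, otherwise normal replication traffic produces constant alerts.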

Wrapping It Up

This post explored the idea of the Active Directory Kill Chain Attack & Defense to give a thorough understanding of attacks on Active Directory (AD). It covered tools, techniques, and preventive measures, and laid out a methodical approach to identifying and countering AD attacks at each phase, from reconnaissance to mission completion. For effective protection, the article stresses ongoing assessment of security controls, incident response, and user education.