Hackers of India

Threat Hunting in Active Directory Environment

By Anurag Khanna and Thirumalai Natarajan Muthiah on 06 May 2021 @ Blackhat

Abstract

Mandiant conducted multiple investigations and observed the techniques attackers preferred as they escalated privileges, moved laterally, persisted in the environment, and blended in. Backdoors and misconfigurations on Active Directory systems provided attackers with long-term privileged access to the environment.

Based on what we learned handling remediation on the front lines, we observed closely the challenges customers faced in recognizing and remediating these attacker techniques. These challenges were further shaped by the adoption of controls and by attacker sophistication in APJ.

We will cover, in depth, different methods used by attackers to maintain persistence, covertly elevate privileges at will, and maintain and exert control over systems managed by Active Directory. We will talk about different methods of hunting for misconfigurations and backdoors to help find these faster and respond effectively.

Some of the hunt use cases that may be discussed include:

  1. DACL Based Backdoors
  2. Constrained, Unconstrained and RBCD Delegation Misuse
  3. Excessive Permissions on Active Directory Objects
  4. AdminSDHolder Based Persistence
  5. Cross Forest Trust Abuses
  6. Credential Stealing Techniques
  7. Misconfigurations of Authentication Methods
  8. GPO for Lateral Movement and Maintaining Access
  9. Domain Dominance Attacks: Skeleton Keys, DCShadow, DCSync
  10. Hybrid Active Directory Malicious Configurations