If we’ve learned nothing else about cybercriminal organizations over the last few years, we know for certain these folks are experts on Microsoft security. They’re no longer simply opportunistically gaining access to your network; instead, they’re leveraging known vulnerabilities in operating systems and applications and using the very network they’ve compromised to assist them in finding their intended target (be it data to be exfiltrated, multiple systems to hold for ransom, applications to use to commit fraud, and so on).
Along the way from initial compromise in your network to achieving their intended malicious actions, there’s a need for attackers to achieve a number of interim goals following the MITRE ATT&CK Framework: establish persistence, privilege escalation, credential access, discovery, and lateral movement. And, as it turns out, the primary means of doing most of this is through the compromise and misuse of valid accounts [CrowdStrike, Global Threat Report (2019)]. These accounts are used to move around your network, access Active Directory (AD), and gain additional control over the environment.
IT organizations not continually reviewing their state of security are allowing it to evolve uncontrolled. Often ignored aspects of your security include permission assignments providing access to data, applications, systems, and services, as well as the groups and group memberships used to provide access.
Accounts with too much access in AD, to systems, or to your virtual environment all exist today, giving attackers more access than you’re aware of.
So, after years of disregarding the need to manage the very foundation of your security, cyberattackers take advantage of your mismanagement. Below are a few examples of ways the bad guys leverage your environment.
- Modifying Group Memberships – Once an attacker has gained some level of administrative access within Active Directory—Domain Admin, an “OU admin,” or even just someone with the ability to manage AD group members—adding accounts to groups is the single easiest way to elevate privileges, gain access to valuable resources, or enable lateral movement to specific systems.
- Creating Lots of Users – Attackers can achieve a degree of persistence in your network by creating many user accounts with which to log on should the initial set of compromised accounts be discovered and disabled. If discovered, they can simply use another user account to get back in and continue their activities.
- Using Nested Groups – The bad guys need ways to make sure you don’t notice them granting themselves access to parts of your environment. Creating groups and nesting them inside other AD groups beneath a target group that grants access to a critical resource hides a set of compromised accounts that effectively hold the desired access, while the target group’s direct membership looks unchanged.
- Access to Resources and Data – Permission assignments to data and applications tend to be broad; granting access to an entire directory of files is the age-old standard, with no regard for the specific content within or the possible need to restrict access further. Attackers leverage accounts to perform discovery in file systems, databases, applications, on servers, and within AD.
These are just a sample of the kinds of actions taken by cyberattackers. IT needs to minimize the risk of these kinds of actions taking place by proactively taking steps to audit the current permissions in Active Directory, make changes in process and policy to reestablish a known state of security, and continually monitor this new state to ensure the years of mismanagement don’t come back, enabling the cyberattacker to more easily achieve their goals.
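One concrete form of the audit described above is resolving the effective membership of a privileged group through every layer of nesting, so that accounts hidden several groups deep (the nested-group technique from the list) become visible. The script below is an added example, not code from the whitepaper or its vendor; it runs on a constructed group graph in which the “grp-” prefix marks groups (a convention of the sample only, not of Active Directory), and in a real environment the graph would be populated from a directory export.

```python
from collections import deque

# Constructed sample group graph (not real directory data): each key is a
# group, each value lists its direct members. Names prefixed "grp-" are
# groups; anything else is a user account.
SAMPLE_GROUPS = {
    "grp-domain-admins": ["alice", "grp-tier0-ops"],
    "grp-tier0-ops": ["bob", "grp-backup-ops"],
    "grp-backup-ops": ["grp-night-shift", "grp-tier0-ops"],  # cycle back to tier0
    "grp-night-shift": ["mallory"],
    "grp-helpdesk": ["carol"],
}


def is_group(name):
    return name.startswith("grp-")


def effective_members(graph, target):
    """Return {user: path} for every user who ends up in `target` through
    any chain of nested groups. Breadth-first search keeps the shortest
    chain, and the `seen` set stops group cycles from looping forever."""
    paths = {}
    seen = {target}
    queue = deque([(target, [target])])
    while queue:
        group, path = queue.popleft()
        for member in graph.get(group, []):
            if is_group(member):
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:
                paths[member] = path + [member]
    return paths


def deeply_nested(graph, target, max_depth=1):
    """Users whose access to `target` arrives through more than `max_depth`
    group hops: the memberships an audit should review first."""
    return {user: path for user, path in effective_members(graph, target).items()
            if len(path) - 2 > max_depth}


if __name__ == "__main__":
    for user, path in effective_members(SAMPLE_GROUPS, "grp-domain-admins").items():
        print(f"{user}: {' -> '.join(path)}")
    print("review:", sorted(deeply_nested(SAMPLE_GROUPS, "grp-domain-admins")))
```

Running the same resolution against a baseline export on a schedule turns the one-off audit into the continual monitoring the text calls for: any new user or new path appearing in the privileged group’s effective membership is the change to investigate.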
For more detail on the specific steps you can take to eliminate your mismanaged state of permissions, read the whitepaper Mismanaged Rights: A Cyberattacker’s Greatest Ally.