How attackers exploit Windows Active Directory and Group Policy

Attackers have learned to use Active Directory and Group Policy to find weaknesses in Windows networks and identify targets. Here's what you can do to prevent that.


Active Directory, part of Windows Server since Windows 2000, is the identity foundation of most Windows-based businesses. It authenticates and authorizes every user and computer in a Windows domain. Group Policy provides centralized management and configuration of operating systems, applications and user settings in an Active Directory environment; it lets administrators set security policies and settings that enforce required behavior and preferences on every domain-joined machine.

In other words, it lets a firm set standards across the organization. It also lets an attacker read those standards, spot patterns in the network and use Group Policy itself to gain more rights. I often joke that attackers know how to manage and maintain our networks better than we do ourselves.

I recently interviewed Darren Mar-Elia, vice president at Semperis, whom I've known for many years as the guru of Group Policy. Initially, his focus was ensuring that IT professionals understood and used the power of Active Directory (AD) and Group Policy. Over time he has realized that attackers understand that power too, and use it to quietly gain more rights in the network.

We tend to assume that attackers launch a phishing attack and immediately take control of a network. More often they lie in wait and investigate the network, taking the time to understand the organizational structure and relationships before they strike. Attackers also target administrators and anyone with control over key assets. The widely reported 2020 attack on Twitter showed attackers targeting employees whose roles gave them control over certain internal tasks, then taking over those duties and functions themselves.

Know the tools attackers use

Mar-Elia described a number of enumeration tools that let attackers determine which policies are active in Active Directory and which are deployed to the network. PowerSploit (and its PowerView module) is well known in the attacker community, along with BloodHound and Mimikatz. These tools let attackers understand your network and map the relationships between users and assets to find where you are weak and who has control over key assets.

We often label organizational units and groups with descriptive names that identify what their members have rights to. That labeling hands the attacker key information they can use to better target and damage your firm.

Take the time to learn more about BloodHound and similar tools that use graph theory to identify relationships. With BloodHound, you can identify the shortest attack paths and the weak points in your environment that need extra attention. It also lets you quantitatively evaluate proposed mitigations or changes by comparing your security posture between two points in time.

A Microsoft Digital Defense Report released in September 2020 showed that attackers use exposed RDP, vulnerable systems and weak application settings to obtain initial access. Then they use tools and techniques such as Mimikatz, LSA secrets dumping and other credential theft to consolidate their foothold. Next, they use tools such as Cobalt Strike, WMI, management tools and PsExec for lateral movement. Several ransomware families have used Group Policy for persistence and deployment across the network. As noted in a Semperis post about Group Policy-based attacks, attackers used Group Policy objects and “inserted Ryuk into the AD logon script, infecting everyone who logged into that AD server.”

Mar-Elia also indicated that a recent strain of ransomware was “observed using the SYSVOL share on AD domain controllers to propagate throughout the environment. Accessing the SYSVOL share, which is used to deliver policy and logon scripts to domain members, typically requires elevated privileges and indicates a serious AD compromise.”
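The two incidents above share a mechanism: something executable landed in SYSVOL, which every domain controller replicates and every domain member reads. The following check is an added example, not code from the article or from Semperis. It lists files in SYSVOL that changed within a window (seven days is an assumption) and maps each back to the GPO whose folder it lives in, so a new logon script, a modified Group Policy Preferences XML or a dropped executable stands out. It assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to the SYSVOL share.

```powershell
# Added example (not from the article or Semperis): find recently changed files in SYSVOL.
# A new or modified logon script, scripts.ini, or Preferences XML (ScheduledTasks.xml,
# Files.xml, ...) is exactly the kind of change that turns a GPO into a distribution channel.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$sysvol = "\\$domain\SYSVOL\$domain"        # contains Policies\{GUID}\... and scripts\
$since  = (Get-Date).AddDays(-7)            # assumed review window

# Map GPO GUIDs to display names so Policies\{GUID}\... paths are readable.
$gpoNames = @{}
foreach ($g in Get-GPO -All) {
    $gpoNames["{$($g.Id.ToString().ToUpper())}"] = $g.DisplayName
}

# File types that clients execute or act on; assumed list, extend for your environment.
$interesting = '\.(bat|cmd|ps1|vbs|js|exe|dll|msi|xml|ini|pol)$'

Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -and $_.Name -match $interesting } |
    ForEach-Object {
        # -match is case-insensitive; pull the {GUID} segment of the path if there is one.
        $gpoGuid = if ($_.FullName -match '\{[0-9A-F\-]{36}\}') { $Matches[0] } else { $null }
        [pscustomobject]@{
            Modified = $_.LastWriteTime
            GPO      = if ($gpoGuid -and $gpoNames.ContainsKey($gpoGuid)) { $gpoNames[$gpoGuid] }
                       elseif ($gpoGuid) { "orphaned $gpoGuid" }     # folder with no GPO object
                       else { '(scripts share / not a GPO)' }
            Path     = $_.FullName.Substring($sysvol.Length)
            Size     = $_.Length
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Run it from an administrative workstation on a schedule and diff the output against the previous run; a Policies folder whose GUID no longer matches any GPO, or a script hash that changed without a ticket, is worth an immediate look.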

Audit Group Policy changes

A key way to better protect your network, Mar-Elia stated, is to audit and review who has the ability to edit Group Policy objects and who can link them to the domain or to organizational units. Too often organizations do not segregate and protect administrative assets. We do not flag and audit Group Policy changes. We have delegated too much control over Group Policies to roles and positions that attackers then find during their reconnaissance and use to disable firewalls, adjust user rights and build paths for movement through the organization. And we don't review and monitor for these changes.
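One way to do that review is an added example, not code from the article or from Semperis. It enumerates two separate rights: who can edit each GPO (the GpoEdit and GpoEditDeleteModifySecurity permissions), and who can write the gPLink or gPOptions attributes on the domain root or an OU, which is what it takes to link a GPO to every object beneath that container. The list of expected trustees is an assumption to reduce noise; everything else is printed. It assumes the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added example (not from the article or Semperis): who can edit GPOs, and who can link them.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Trustees expected to hold these rights (assumed); anything else gets reported.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
              'Group Policy Creator Owners', 'ENTERPRISE DOMAIN CONTROLLERS')

# 1. Edit rights on each GPO. GpoEdit / GpoEditDeleteModifySecurity let the trustee
#    change what the policy does to everyone it is linked to.
$editRights = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
}
"== Non-standard GPO editors =="
$editRights | Where-Object { $_.Trustee -notin $expected } | Sort-Object GPO | Format-Table -AutoSize

# 2. Link rights. Write access to gPLink / gPOptions on a container (or to all
#    properties, or GenericAll) lets the trustee attach any GPO to that container.
$gpLinkGuid    = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # schema GUID of gPLink
$gpOptionsGuid = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'   # schema GUID of gPOptions
$writeProp     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$domainDn   = (Get-ADDomain).DistinguishedName
$containers = @($domainDn) + (Get-ADOrganizationalUnit -Filter * |
                              Select-Object -ExpandProperty DistinguishedName)

$linkRights = foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"          # AD: drive comes from the ActiveDirectory module
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $writesLink = (($ace.ActiveDirectoryRights -band $writeProp) -ne 0) -and
                      ($ace.ObjectType -in $gpLinkGuid, $gpOptionsGuid, [guid]::Empty)
        $isFull     = (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        if ($writesLink -or $isFull) {
            [pscustomobject]@{
                Container = $dn
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
"== Non-standard GPO linkers =="
$linkRights | Where-Object { ($_.Trustee -split '\\')[-1] -notin $expected } |
    Sort-Object Container | Format-Table -AutoSize
```

An account that appears in both lists (can edit a GPO and can link it to an OU full of workstations or servers) is a one-hop path to code execution on everything in that OU, which is exactly the relationship BloodHound would draw for it.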

There are many ways to audit Group Policy changes. You can set up auditing manually with the built-in audit policy settings, or you can turn to third-party products that provide reports and alerts. The key is to be alerted when something happens in your environment. Actions such as a user being added to Domain Admins are not routine. Changes to AppLocker protection are not routine and should only happen through a proper change management process.
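The built-in route is to enable the relevant audit subcategories and then read the Security log on the domain controllers. The script below is an added example, not code from the article or from Semperis. It pulls Directory Service Changes events (5136 modified, 5137 created, 5141 deleted) for GPO containers and for gPLink/gPOptions edits on OUs, and Security Group Management events (4728 global, 4732 domain-local, 4756 universal) for additions to privileged groups. The domain controller, time window and list of watched groups are assumptions; the auditpol prerequisites and the SACL requirement are stated in the comments.

```powershell
# Added example (not from the article or Semperis): GPO changes and privileged-group additions
# from a DC's Security log. One-time prerequisites on each DC (assumed already done):
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
#   auditpol /set /subcategory:"Security Group Management" /success:enable
# Directory Service Changes events are only written for objects that carry a SACL, so
# CN=Policies,CN=System,<domain> and your OUs need an audit entry (e.g. Everyone, Write).
Import-Module ActiveDirectory

$dc    = (Get-ADDomainController -Discover).HostName    # assumed: any writable DC
$since = (Get-Date).AddHours(-24)                        # assumed review window
$watchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                 'Administrators', 'Group Policy Creator Owners'

# Turn the EventData of an event into a name -> value hashtable.
function ConvertTo-EventData($event) {
    $d = @{}
    foreach ($n in ([xml]$event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# Group Policy object changes, plus link changes on OUs and the domain root.
$gpoChanges = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $since } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        $isGpo  = $d['ObjectClass'] -eq 'groupPolicyContainer'
        $isLink = $d['AttributeLDAPDisplayName'] -in 'gPLink', 'gPOptions'
        if ($isGpo -or $isLink) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']   # absent on 5137/5141
                Value     = $d['AttributeValue']
            }
        }
    }

# Additions to privileged groups. TargetUserName is the group, MemberName the new member.
$groupAdds = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d['TargetUserName'] -in $watchedGroups) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Group   = $d['TargetUserName']
                Member  = $d['MemberName']
            }
        }
    }

"== Group Policy changes since $since =="
$gpoChanges | Sort-Object Time | Format-Table -AutoSize
"== Privileged group additions since $since =="
$groupAdds  | Sort-Object Time | Format-Table -AutoSize
```

Each DC logs only the changes it processed, so query every DC or forward these event IDs to a central collector; the goal is an alert tied to a change ticket, not a report read after the fact.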

Test domain controller recovery

Mar-Elia also discussed how ransomware has changed the way firms set up protection and backups for their network. The now infamous example is the shipping firm Maersk, hit by NotPetya in 2017. They considered domain controllers expendable, recoverable by simply standing up another domain controller when needed. Yet when the malware tore through the Maersk network, they had no viable recovery of their Active Directory other than a domain controller in a remote office that happened to be offline at the time. They had to physically bring that solitary clean domain controller back to the network to recover the domain.

Think of your own Active Directory infrastructure. If (or rather when) your network is hit with ransomware, do you have the tools and techniques to determine whether a domain controller can be recovered without reintroducing the infection, or restored to alternative infrastructure? A 2020 study revealed that although 97% of organizations surveyed said Active Directory is mission-critical, more than half had never actually tested their Active Directory cyber disaster recovery process or had no plan in place at all. That is alarming given the rise of fast-moving ransomware and the widespread impact of an Active Directory outage. Review your options and your ability to recover from an attack. It's a matter of when, not if.

Copyright © 2020 IDG Communications, Inc.
