Illusive Blog March 21, 2019

Attackers Use Privileged Credentials in Domain Persistence

By Beth Ruck

The top risk a cyberattacker faces is getting caught. But executing an attack is typically labor-intensive, and attackers also worry that the access they have worked so hard to establish might suddenly be cut off when a password is changed or an account they are using is retired or removed from the domain.

So as they progress through a network, advanced attackers also try to establish domain persistence—the ability to maintain their foothold over time—with minimal risk of detection.

Guard your Azure AD Connect sync credentials

One way of doing this is to obtain an account with DCSync rights. DCSync is not a Microsoft feature; it is the name (taken from the Mimikatz module that popularized the technique) for abusing two replication permissions on an on-premises Active Directory domain, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Those permissions exist so that domain controllers can replicate and synchronize the directory with one another. By default they are held by the domain controllers and a few built-in administrative groups, and the account that Azure AD Connect creates for password hash synchronization also receives them, because synchronizing hashes to Azure AD requires reading them from the on-premises directory.

A domain controller is the central trust authority of the domain: it authenticates users and computers over Kerberos and NTLM and issues the tickets and tokens that resources later rely on for their authorization decisions. To do this it must hold the password-derived secrets (NT hashes and Kerberos keys) of every account in the domain, including the krbtgt account whose key is used to sign every Kerberos ticket.

An account with DCSync rights can therefore ask a domain controller to replicate any object to it, exactly as a peer domain controller would, and pull the password hashes and keys of every account in the domain. With the krbtgt key the attacker can forge Kerberos tickets for any identity; with the hashes of privileged accounts they can pass-the-hash onto any system those accounts reach, and from there create or modify accounts, group memberships and other attributes at will.
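The first thing a defender wants to know is which principals actually hold those replication rights on the domain. The PowerShell below is an example added here, not code from Illusive or Microsoft: it reads the ACL of the domain naming context, keeps only the ACEs that grant replication extended rights (or something broader that implies them, such as GenericAll), groups them by principal, and flags every principal that could run DCSync. It assumes the RSAT ActiveDirectory module on a domain-joined host; the $Expected allowlist of principals that hold these rights by design is an assumption to adjust for your domain.

```powershell
# Added example (not code from the original post): list every principal granted
# the replication extended rights on the domain naming context, i.e. every
# account that could perform DCSync. Assumes the RSAT ActiveDirectory module on a
# domain-joined host. $Expected is an assumed allowlist; adjust it to your domain.
Import-Module ActiveDirectory

# Extended-right GUIDs checked for a replication request (DCSync needs the first two).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals that hold these rights by design (assumption: trim to your environment).
$Expected = @('Domain Controllers', 'Enterprise Domain Controllers',
              'Enterprise Read-only Domain Controllers', 'Administrators')

$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$domain  = Get-ADDomain
$acl     = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$holders = @{}

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights  = $ace.ActiveDirectoryRights
    $guid    = $ace.ObjectType.ToString()
    $granted = @()

    if (($rights -band $GenericAll) -eq $GenericAll) {
        # Full control includes every extended right, replication among them.
        $granted += 'GenericAll (implies all replication rights)'
    }
    elseif ($rights -band $ExtendedRight) {
        if ($guid -eq [guid]::Empty.ToString()) {
            # ExtendedRight with an empty ObjectType means *all* extended rights.
            $granted += 'All extended rights (implies all replication rights)'
        }
        elseif ($ReplRights.ContainsKey($guid)) {
            $granted += $ReplRights[$guid]
        }
    }
    if ($granted.Count -eq 0) { continue }

    $who = $ace.IdentityReference.Value
    if (-not $holders.ContainsKey($who)) { $holders[$who] = @() }
    $holders[$who] += $granted
}

foreach ($who in ($holders.Keys | Sort-Object)) {
    $held      = @($holders[$who] | Sort-Object -Unique)
    $hasGet    = $held -contains 'DS-Replication-Get-Changes'
    $hasGetAll = $held -contains 'DS-Replication-Get-Changes-All'
    $hasAll    = [bool]($held | Where-Object { $_ -like '*implies*' })
    $expected  = [bool]($Expected | Where-Object { $who -like "*\$_" })

    [pscustomobject]@{
        Principal = $who
        Rights    = ($held -join ', ')
        CanDCSync = $hasAll -or ($hasGet -and $hasGetAll)
        Expected  = $expected
    }
}
```

Every row with CanDCSync set and Expected clear deserves a ticket. In an environment with Azure AD Connect and password hash sync, the synchronization account will appear here legitimately, which is precisely why that account needs to be tracked and protected like a domain controller's own credentials.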

In a recent tweet, security researcher Dirk-jan Mollema shows how little effort this takes. He has built a tool that performs a remote credential dump and, as he notes, does so without executing any code on the domain controller itself. That is the defining property of DCSync: the attacker's machine simply speaks the directory replication protocol (MS-DRSR) to the DC, which answers as it would for a peer DC, so replicating an entire domain leaves no process, file or implant behind on the DC. It is not traceless, however. With Directory Service Access auditing enabled, each replication request is recorded as Security event 4662 carrying the GUID of the replication right in its Properties field, and on the wire it appears as a DRSUAPI DsGetNCChanges call from a host that is not a domain controller. Both are worth alerting on.
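The following script, added here as an example rather than taken from the original post or from the tool mentioned above, shows the host-side detection: it pulls recent 4662 events from a domain controller's Security log, keeps those whose Properties field names a replication right, and marks whether the requesting account is one of the domain's own DC machine accounts. It assumes Audit Directory Service Access is enabled and the domain object's SACL audits the replication rights (verify both before trusting an empty result), and that the RSAT ActiveDirectory module is available; the -ComputerName and -Hours parameters are conveniences of this example.

```powershell
# Added example (not code from the original post): surface likely DCSync activity
# from Security event 4662 on a domain controller. Assumes 'Audit Directory
# Service Access' is enabled, the domain object's SACL audits replication rights,
# and the RSAT ActiveDirectory module is present. Run on the DC, or pass
# -ComputerName (hypothetical convenience parameters of this example).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)
Import-Module ActiveDirectory

# GUIDs that appear in the Properties field of 4662 for replication requests.
$ReplGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

# Domain controllers replicate legitimately; their machine accounts end in '$'.
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # 4662 carries its details as named EventData fields; read them from the XML.
    [xml]$xml = $ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only events that reference a replication right are of interest.
    $hit = @($ReplGuids | Where-Object { $data['Properties'] -match $_ })
    if ($hit.Count -eq 0) { continue }

    $user = $data['SubjectUserName']
    [pscustomobject]@{
        Time    = $ev.TimeCreated
        Subject = "$($data['SubjectDomainName'])\$user"
        Object  = $data['ObjectName']
        Right   = ($hit -join ', ')
        IsDC    = [bool]($dcAccounts -contains $user)
    }
}
```

Rows with IsDC set to False are the ones to investigate: a user account, a workstation, or the Azure AD Connect sync account used from anywhere other than the Azure AD Connect server. The same logic transfers directly to a SIEM rule keyed on event 4662 and these GUIDs, and a network sensor can corroborate it by flagging DsGetNCChanges requests whose source is not a domain controller.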

A Wake-up Call for Privileged Access Management

We have seen for ourselves how broad this risk is. During a recent customer tour across the US, in every environment where Azure AD Connect was deployed, the synchronization account it sets up automatically held the replication rights described above, making it a DCSync-capable "shadow admin": an account with administrator-equivalent power that belongs to no administrative group. Password hash synchronization requires those rights, so they may well need to exist, but then that account and the server it runs on warrant the same care as a domain controller: treat them as Tier 0, restrict where the account may log on, and alert on any use of it from anywhere but the Azure AD Connect server.

This is emblematic of the much larger and very serious problem of hidden credentials and privileges, a condition we have found in every environment we have seen, and in greater numbers than most security leaders would imagine.

Is your network susceptible to Living-off-the-Land attacks?

The inability to automatically discover and properly manage domain admins, shadow admins and other high-privilege credentials is probably the single greatest factor that makes networks vulnerable to living-off-the-land attacks, a bigger risk than software vulnerabilities or the likelihood of a user clicking a phishing link. Through routine daily activity (delegated permissions, service accounts, cached logons) privileged access becomes more widely available than anyone intends, and most organizations lack the ability to continuously discover, monitor and remediate these conditions.

We do not believe in exploiting fear, but this is a critical situation, and with Illusive's Attack Surface Manager it is, ironically, one of the easiest problems to solve.

Request a complimentary Attack Risk Assessment today to see:

  • What your vulnerability management and privileged access management efforts are missing
  • The power of lateral movement visibility in reducing risk to your critical business assets.

Learn more: read our whitepaper, Use Cases for Attack Surface Manager, which looks at how security teams can implement a cyber hygiene program that hardens their networks against malicious lateral movement by cyberattackers.