What is a domain controller?

Attackers will still try to break into your domain controller (DC) to escalate privileges or to move laterally through your network. Before looking at how that plays out, it helps to have a solid foundation on what came before, so as to learn from past successes and failures and understand why things need to be done differently today.

The concept of the domain controller was introduced by Microsoft with the Windows NT networks of old, precisely to centralize authentication and authorization. In that environment every user request is sent to the domain controller, which authenticates the user identity, typically by validating a username and password, and then authorizes requests for access accordingly. In the days when everything was on-premises, it made sense to dedicate a physical computer to administering user identities and validating requests for access.

Fast forward a few years and domain controllers still play a critical role for many organizations. You will find them in the server room of most organizations that are still committed to Active Directory (AD); in fact, many IT organizations and admins would not build their infrastructure without one.

A domain controller hosts Active Directory, the directory service that stores information about objects on the network and makes that information available to administrators and users. These objects typically include shared resources such as servers, volumes and printers, as well as the network user and computer accounts (for more about the data store, see the Active Directory documentation on the directory data store). Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout the network, and authorized users can access resources anywhere on it. Policy-based administration eases the management of even the most complex network (for more on Active Directory security, see its security overview).

Active Directory also includes a set of rules, the schema, that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of those objects, and the format of their names; and a global catalog that contains information about every object in the directory, so that users and administrators can find directory information regardless of which domain actually holds it.

Once an attacker lands on a domain-joined client machine, reconnaissance starts with the built-in tools. Commands such as whoami (and whoami /groups for the token's group memberships) reveal which account the attacker is operating as and what that account is entitled to. This lets the attacker build a profile of the compromised account and see what it has access to.

A quick look at the Active Directory groups the account belongs to lets the attacker discern that the user is, for example, on the Finance team. Simple but effective commands such as net user /domain (which lists the user accounts defined in the domain) and net group "Domain Controllers" /domain or nltest /dclist:<domain> (which name the domain controllers), together with the LOGONSERVER environment variable (the DC that processed the current logon), tell the attacker which domain the compromised machine is joined to, which servers hold that domain and which accounts exist in it. From here there is a clear set of details that can aid the path to the domain controller.

The routing table (route print) shows what is reachable from the host. This gives the attacker enough information to build a basic map of network-level connectivity and to determine whether the compromised machine sits on the same subnet as the domain controller or the DNS server.

For this reason it is imperative to adopt a micro-segmentation approach in which security is bound to the workload rather than to the network, even in a flat architecture: policy that follows a workload such as a domain controller regardless of its subnet or location.
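One concrete form of workload-bound policy is a default-deny inbound firewall applied on the domain controller itself, so the restriction travels with the DC whatever subnet it lives on. The following is an added example, not code from the original article or from any vendor; the address ranges ($Clients, $OtherDcs, $Admins) are illustrative placeholders and the port list covers the common member-facing services, not every scenario, so check it against Microsoft's published AD port requirements before enforcing it.

```powershell
# Added example (not from the original article): workload-bound segmentation
# enforced on the domain controller with the Windows Defender Firewall, so the
# policy follows the DC regardless of subnet. Run on the DC as an administrator.
# The address ranges below are illustrative placeholders (assumptions); replace
# them with your own. Other DCs must stay reachable for replication.

$Clients  = @('10.10.0.0/16')                  # hosts that legitimately authenticate here
$OtherDcs = @('10.10.250.11', '10.10.250.12')  # replication partners
$Admins   = @('10.20.1.10', '10.20.1.11')      # hardened admin jump hosts only

# Services a domain member needs from a DC. RPC endpoint mapper (135) plus the
# dynamic RPC range carry Netlogon, SAM and replication traffic.
$MemberTcp = @('53','88','135','389','445','464','636','3268','3269','49152-65535')
$MemberUdp = @('53','88','123','389','464')

# Default-deny inbound on every profile: anything not listed below is dropped,
# including traffic from hosts that happen to share the DC's subnet.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

New-NetFirewallRule -Group 'AD micro-seg' -DisplayName 'AD: member services (TCP)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $MemberTcp `
    -RemoteAddress ($Clients + $OtherDcs)
New-NetFirewallRule -Group 'AD micro-seg' -DisplayName 'AD: member services (UDP)' `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort $MemberUdp `
    -RemoteAddress ($Clients + $OtherDcs)

# Management planes are reachable only from the admin hosts: a compromised
# Finance workstation can still authenticate, but cannot RDP or WinRM to the DC.
New-NetFirewallRule -Group 'AD micro-seg' -DisplayName 'AD: admin RDP/WinRM' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389,5985,5986 `
    -RemoteAddress $Admins

# Show what was written.
Get-NetFirewallRule -Group 'AD micro-seg' |
    Format-Table DisplayName, Enabled, Direction, Action
```

The point of the example is the last rule: a workstation on the DC's own subnet gets exactly the authentication ports and nothing else, because the decision is made on the workload, not on the network segment. Verify from a workstation with Test-NetConnection -ComputerName <dc> -Port 3389 (it should fail) and from an admin host (it should succeed), and stage the change by first creating the rules with -Enabled False and reviewing the firewall log before turning on the default block.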

They may also identify additional subnets and routes with their corresponding gateways, and corroborate that routing information with reverse DNS lookups of, for example, the names of network share servers. Most organizations use network shares for employees within the same team to share, and sometimes archive, information.

Threat actors can use Windows share details from built-in utilities such as net use (the host's existing mappings) and net view (hosts in the domain and the shares they expose) to locate file servers or even domain controllers, which always expose the SYSVOL and NETLOGON shares. Those shares can then be used to spread malware to other machines over the local SMB network, or through a valid remote-access VPN connection into an SMB network.

With this information the attacker can see which shares and servers the compromised account can reach. Once the attacker has a bit more information about the system under their control, they can formulate the next plan of action. Since a core aim is to get access to the domain controller, the attacker has a few options, such as escalating privileges locally and using the resulting credentials for lateral movement.
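The recon steps described above (identity, domain and DC discovery, routing, shares), chained into one script that runs as the unprivileged logged-on user on a domain-joined host. This is an added example, not code from the original article or from any tool it mentions; it assumes the host can resolve its domain in DNS and has one active IPv4 interface, and the helper names Test-SameSubnet and Get-HostShares are this example's own.

```powershell
# Added example (not from the original article): the recon a compromised,
# domain-joined Windows host yields, run as the current unprivileged user.
# Assumptions: the host can resolve its domain in DNS and has a single active
# IPv4 interface; Test-SameSubnet and Get-HostShares are helpers defined here.

# Is address $B in the same IPv4 subnet as $A/$PrefixLength? (route print logic)
function Test-SameSubnet([string]$A, [string]$B, [int]$PrefixLength) {
    $ab = [System.Net.IPAddress]::Parse($A).GetAddressBytes()
    $bb = [System.Net.IPAddress]::Parse($B).GetAddressBytes()
    [Array]::Reverse($ab); [Array]::Reverse($bb)          # network -> host byte order
    $ai = [BitConverter]::ToUInt32($ab, 0)
    $bi = [BitConverter]::ToUInt32($bb, 0)
    $mask = [uint32]((0xFFFFFFFF -shl (32 - $PrefixLength)) -band 0xFFFFFFFF)
    return (($ai -band $mask) -eq ($bi -band $mask))
}

# Parse the share table that `net view \\host` prints; emits share names only.
function Get-HostShares([string]$Computer) {
    $inTable = $false
    foreach ($line in (net view "\\$Computer" 2>$null)) {
        if ($line -match '^-{10,}') { $inTable = $true; continue }
        if ($inTable -and $line -match '^(\S+)\s+(Disk|Print|IPC)\b') { $matches[1] }
    }
}

# 1. Identity: which account, and which groups does the token carry?
$user   = whoami
$groups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
$interesting = $groups | Where-Object { $_ -match 'Admin|Finance|Server|Operators' }

# 2. Domain and the DC that processed this logon (what net user /domain and
#    echo %LOGONSERVER% show at a cmd.exe prompt).
$domainName = $env:USERDNSDOMAIN
$logonDc    = $env:LOGONSERVER.TrimStart('\')

# 3. Every DC in the domain via the DC locator any member can query
#    (same data as nltest /dclist:<domain>, without parsing its text).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$local  = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -First 1
$dcs = foreach ($dc in $domain.DomainControllers) {
    [pscustomobject]@{
        Name          = $dc.Name
        IP            = $dc.IPAddress
        Site          = $dc.SiteName
        # 4. Same-subnet check: is the DC directly reachable, or behind a gateway?
        OnLocalSubnet = Test-SameSubnet $local.IPAddress $dc.IPAddress $local.PrefixLength
    }
}

# 5. Shares: what is already mapped (net use) and what each DC exposes (net view);
#    SYSVOL and NETLOGON are expected on every DC.
$mapped = [regex]::Matches(((net use 2>$null) -join "`n"), '\\\\[\w.-]+\\[\w$.-]+') |
    ForEach-Object { $_.Value }
$dcShares = @{}
foreach ($dc in $dcs) { $dcShares[$dc.Name] = @(Get-HostShares $dc.Name) }

# The account profile the attacker works from next.
$recon = [pscustomobject]@{
    User              = $user
    InterestingGroups = $interesting
    Domain            = $domainName
    LogonDC           = $logonDc
    LocalAddress      = "$($local.IPAddress)/$($local.PrefixLength)"
    DomainControllers = $dcs
    MappedShares      = $mapped
    DCShares          = $dcShares
}
$recon | ConvertTo-Json -Depth 4
```

Every step here uses only what a domain member is entitled to ask, which is exactly why this phase is hard to block and why it is worth detecting instead: the whoami, net and nltest invocations are the classic discovery telemetry for endpoint rules, and the net view against each DC opens an SMB session that, with logon auditing enabled, appears on the DC as a network (type 3) logon from the workstation.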
