Most Common AD Misconfigurations Leading to Cyberattacks
Active Directory (AD) is one of the most commonly used services that allow organizations to manage users, computers, and other resources within their internal network, as it provides centralized authentication and authorization mechanisms for Windows and applications.
Furthermore, administrators can easily manage and control access to network resources, enforce security policies, manage device configuration, and much more. Setting up Active Directory is also relatively straightforward for organizations, which is why it is widely adopted worldwide.
Although several security mechanisms are in place within Active Directory, administrators should be aware of some default configurations and take the necessary actions to secure the environment with best practices and security measures.
Common Active Directory Misconfigurations
According to the NVISO Labs report, organizations implementing Active Directory are exposed to several possible misconfigurations that could allow threat actors to infiltrate the organization. Some of the common misconfigurations are:
- Administrator accounts are allowed for delegation
- AES encryption is not enforced on service accounts
- Print Spooler is enabled on Domain Controllers
- Users can create machine accounts
- Unchanged GPOs are not reprocessed on Domain Controllers
- Password policy and least privilege
- Service accounts
- KRBTGT account
Administrator accounts are allowed for delegation
By default, Active Directory allows account delegation, in which an application can act on behalf of a user (Kerberos delegation), impersonate a user anywhere in the network (unconstrained delegation), or impersonate the user only to a specific service on a specific computer (constrained delegation).
If an attacker gains access to an administrator account that is allowed for delegation, they could attempt to impersonate that administrator account and move laterally or compromise the domain.
AES encryption is not enforced on service accounts
A Kerberoasting attack is possible if AES encryption is not enabled on service accounts and RC4 is not specifically disabled, which allows a threat actor to request a Kerberos ticket for a specific SPN and brute-force its password offline.
Print Spooler is enabled on Domain Controllers
The Print Spooler service, an executable that manages the printing process, can be abused by a threat actor to gain access to the hash of the KRBTGT account. This could end up granting almost unlimited access to the Active Directory domain.
Users can create machine accounts
A machine account is an Active Directory object that represents a computer or a device joined to the domain. It can have various attributes that store information about the device, can be a member of security groups, can have Group Policies applied, and so on.
Suppose a Public Key Infrastructure (PKI) is present in the domain. In that case, an attacker can use a machine account to take advantage of the default Machine certificate template in order to perform a DCSync attack and dump the hashes of all users and computers.
Unchanged GPOs are not reprocessed on Domain Controllers
Most GPO settings are only applied when they are new or when they have been changed since the last time the client requested them, which could allow a threat actor to modify a registry key that is normally managed through a GPO in order to disable specific security measures.
Password policy and least privilege
Service accounts
More often than not, there are no password policies for service accounts. Furthermore, administrators are allowed to set weak passwords that can easily be brute-forced. In other cases, the passwords for the service accounts were included in their description.
KRBTGT account
The KRBTGT account is a default account that exists in all Active Directory domains and handles all Kerberos requests in the domain. A compromise of this account would allow threat actors to gain access to domain resources.
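The following audit script is an added example, not code from the NVISO report or from this article. It checks a domain for the delegation, AES, Print Spooler, machine-account-quota, service-account and KRBTGT issues described above; it assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module on a domain-joined host with read access to AD and to the service list on the domain controllers, and the 180-day KRBTGT threshold is a chosen value, not one from the report.

```powershell
# Added audit example (not from the NVISO report or this article).
# Assumes: Windows PowerShell 5.1, RSAT ActiveDirectory module, domain-joined host.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = @()

# 1. Privileged accounts that may still be delegated
#    (AccountNotDelegated = "Account is sensitive and cannot be delegated").
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated } |
        ForEach-Object { $findings += "Delegation allowed for privileged account: $($_.SamAccountName) ($group)" }
}

# 2. Service accounts (users with an SPN) without AES, and passwords in descriptions.
#    msDS-SupportedEncryptionTypes: 0x8 = AES128, 0x10 = AES256; unset/0 = RC4 still accepted.
Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
           -Properties msDS-SupportedEncryptionTypes, Description |
    ForEach-Object {
        $enc = [int]($_.'msDS-SupportedEncryptionTypes')
        if (($enc -band 0x18) -eq 0)        { $findings += "No AES (RC4 allowed) on service account: $($_.SamAccountName)" }
        if ($_.Description -match 'pass|pwd') { $findings += "Description may contain a password: $($_.SamAccountName)" }
    }

# 3. Print Spooler running on any domain controller.
foreach ($dc in Get-ADDomainController -Filter *) {
    $svc = Get-Service -Name Spooler -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $findings += "Print Spooler running on DC: $($dc.HostName)" }
}

# 4. Ordinary users allowed to create machine accounts (the default quota is 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -gt 0) { $findings += "ms-DS-MachineAccountQuota is $quota (0 prevents users from creating machine accounts)" }

# 5. KRBTGT password age (threshold of 180 days is an assumed policy value).
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = ((Get-Date) - $krbtgt.PasswordLastSet).Days
if ($ageDays -gt 180) { $findings += "KRBTGT password last set $ageDays days ago" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Each finding maps to one of the sections above, so the output can be used as a checklist against the NVISO mitigations.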
A complete report on the common misconfigurations in Active Directory has been published by NVISO Labs, which provides detailed information on the attacks, their exploitation, and mitigations.
Source credit: cybersecuritynews.com