4 AD Attacks and How to Protect Against Them

4 AD Attacks and How to Protect Against Them

I was speaking with an Active Directory Security Engineer from a large, global pharmaceutical company recently and asked him the most classic question in the Product Management handbook: “What keeps you up at night?” So cliché (I know), but sometimes instead of an eye roll, you get a real gem, which is exactly what happened.

He said, “We’ve got a lot of good protections in place and run a pretty tight ship, but the worst thing that I think could happen is someone stealing our ‘dit’ file.” I’d heard about this before. If an attacker can get a copy of the Domain Controller’s NTDS.dit file (essentially the Active Directory database), they could take it offline, crack every user’s password, and log in using valid user credentials without anyone being the wiser. But how could an attacker actually steal this file? It’s locked because it’s always in use! You’d have to take the Domain Controller down, which someone would obviously notice. The questions started to pile up…

Long story short, the conversation got me going down a very interesting path. The more I learned about and researched the .dit mystery, the more I came across other clever and crafty ways attackers are cracking and compromising AD. It makes sense too. Active Directory is a prime target in virtually any attack, and attackers know just how crucial it is in their quest to find and steal what they’re looking for.

Over the next four weeks, I’m not only going to detail four (4) Active Directory attacks you need to know about, but I’m going to explain how they work, the techniques and tools real attackers use to perpetrate these attacks, and what you can do about them. Here’s the lineup:

  • AD Attack #1 – LDAP Reconnaissance (PowerSploit and PowerShell) Read Now
  • AD Attack #2 – Local Admin Mapping (Bloodhound) Read Now
  • AD Attack #3 – NTDS.dit Extraction (VSSAdmin, PowerSploit, and Hashcat) Read Now
  • AD Attack #4 – Stealing Passwords from Memory (Mimikatz) Read Now

To watch the AD Attacks webinar, please click here.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free StealthAUDIT® Trial!

No risk. No obligation.

Privacy Preference Center

      Necessary

      Advertising

      Analytics

      Other