Active Directory (AD) is a crucial component in many corporate environments, and its security is paramount. However, attackers often target AD with various exploits to gain unauthorised access, escalate privileges, or maintain persistence in a compromised network. In this blog post, we will explore three common AD exploits: Kerberoasting, Unconstrained Delegation, and Active Directory Certificate Services (AD CS) compromise. We’ll discuss their mechanics, how attackers leverage them, and strategies for defending against these threats.
🛈 Active Directory is a directory service that manages user accounts, computers, and other network resources in a Windows domain environment
Kerberoasting
Kerberoasting is an attack that targets Service Principal Names (SPNs) associated with user accounts. Attackers first identify user accounts with SPNs and request a Ticket Granting Service (TGS) ticket for these accounts. The TGS ticket is encrypted using the password hash of the target account, which can be cracked offline using tools like Hashcat or John the Ripper. Once the password is obtained, the attacker can authenticate as that user, gaining unauthorised access.
🛈 A Service Principal Name (SPN) is a unique identifier for a service instance within an Active Directory domain
Attacker’s Perspective
Kerberoasting is a relatively straightforward but highly effective attack. Since the TGS ticket is encrypted with the user’s password hash, attackers with access to a network can request tickets for SPNs and attempt to crack them offline. This method is especially effective if the targeted user accounts have weak or reused passwords, enabling attackers to escalate privileges quickly. With powerful password-cracking tools available, attackers can exploit weak AD configurations, making this a go-to method for lateral movement within compromised networks.
Defender’s Perspective
Organizations can mitigate Kerberoasting risks by implementing the following defences:
Minimise the number of SPNs: Reducing the number of accounts with SPNs minimizes the attack surface.
Use Group Managed Service Accounts (gMSAs): gMSAs automatically rotate long, complex passwords, reducing the likelihood of successful password cracking.
Enforce the principle of least privilege: Restricting permissions for accounts with SPNs ensures that they have only the minimum required access, limiting the damage if compromised.
Conclusion
Kerberoasting remains a prominent attack vector in AD environments, especially in organisations with weak password policies and poor SPN management. Strengthening password hygiene, reducing SPNs, and leveraging gMSAs can significantly reduce the risk of Kerberoasting attacks.
Unconstrained delegation allows certain computer objects to impersonate any user that authenticates to them. When a user logs into a system configured for unconstrained delegation, their Ticket Granting Ticket (TGT) is stored in the system’s Local Security Authority Subsystem Service (LSASS). If an attacker compromises the system and gains administrative access, they can extract the TGT from LSASS using tools like Mimikatz, enabling them to impersonate the user and potentially escalate their privileges across the network.
🛈 A TGT is a ticket-granting ticket, a security token issued by a Kerberos KDC to authenticate a user to other services within a domain.
Attacker’s Perspective
Unconstrained delegation offers attackers a powerful avenue for privilege escalation and lateral movement. Once a computer with unconstrained delegation is compromised, attackers can extract cached TGTs, impersonate high-privilege accounts, and gain access to sensitive resources. Tools like Mimikatz make this attack accessible, allowing attackers to harvest credentials quickly.
Defender’s Perspective
Key defence strategies to mitigate unconstrained delegation include:
Prevent unconstrained delegation: Regularly audit AD environments to identify computer objects configured for unconstrained delegation and change their settings to constrained delegation or disable delegation entirely.
Mark privileged accounts as non-delegable: Configuring privileged accounts as “sensitive and cannot be delegated” prevents their TGTs from being stored in systems that support delegation.
Disable unnecessary services: Disabling non-essential services like the Print Spooler, particularly on Domain Controllers, reduces potential attack surfaces for delegation abuse.
Conclusion
Unconstrained delegation is a serious risk in AD environments, but organizations can defend against it by regularly auditing delegation settings, securing privileged accounts, and disabling unnecessary services. Proper configurations and regular monitoring are essential to mitigating this attack.
Active Directory Certificate Services (AD CS) Compromise
Active Directory Certificate Services (AD CS) provides PKI (Public Key Infrastructure) services, enabling encryption, code signing, and user authentication. A specific vulnerability in AD CS, known as ESC1, allows any user to request a certificate on behalf of another account, even privileged ones, using misconfigured certificate templates. Once issued, these certificates remain valid even if the account’s password is changed, providing attackers with persistent access to sensitive systems.
🛈 Certificates are digital credentials issued by a trusted authority to verify the identity of a user, device, or service.
Attacker’s Perspective
AD CS misconfigurations provide attackers with a means of creating persistence within a network. By requesting certificates using the built-in tools available in Windows, attackers can perform lateral movement without raising red flags. A certificate issued via a vulnerable template (ESC1) allows attackers to authenticate as any user indefinitely, bypassing password changes or multi-factor authentication (MFA) requirements.
Defender’s Perspective
To mitigate AD CS compromises, organizations should adopt the following defences:
Restrict certificate template permissions: Limit which users can request or modify certificates by tightening access controls on certificate templates.
Enforce certificate manager approval: For sensitive certificate templates, require manual approval by a certificate manager to ensure each request is properly vetted.
Restrict access to AD CS servers: Limit access to the AD CS servers to only a small group of privileged administrators and apply network segmentation to prevent unauthorized users from accessing the systems.
Conclusion
Misconfigured AD CS environments can open doors for attackers to gain persistent access, even after remediation efforts like password changes. By auditing and securing certificate templates, enforcing manual approval for sensitive requests, and restricting access to AD CS systems, organisations can better protect themselves from this exploit.
Active Directory remains a prime target for attackers due to its central role in managing network access and resources. Exploits like Kerberoasting, Unconstrained Delegation, and AD CS compromise highlight the importance of strong security practices in AD environments. By adopting a layered defence strategy, regularly auditing configurations, and implementing key security measures, organizations can significantly reduce their attack surface and protect against these common AD-based threats.
Written by: Ben Jones
Ben Jones serves as an L2 Threat Detection & Response Analyst at NormCyber, where his expertise in security analysis, plays a pivotal role in assisting our clients. With a keen eye for detail and a proactive approach, Ben is well-equipped to confront threats head-on, ensuring our clients’ continued safety
Get in touch to take a different approach to cyber security.