Cybersecurity services provider Mandiant has released its M-Trends 2022 report, based on data from the company’s investigations between October 2020 and the end of 2021, and it shows that while cyber defenses and techniques are improving, attackers are also continuing to adapt to new trends. Based on the company’s investigations, the report also outlines some common Active Directory misconfigurations for both on-premises and cloud-based systems.
Mandiant says about 90% of the Global Fortune 1000 uses Active Directory, the most commonly used on-premises identity provider. The tool is now commonly used in hybrid models to manage and sync user identities across on-premises and cloud environments, with many organizations using it to achieve a single integrated identity solution for accessing applications and services, Mandiant says.
However, that kind of robust usage expands the attack surface and presents the possibility of a misconfiguration. According to Mandiant, here are the 12 most common misconfigurations the company has seen during its investigations.
On-prem misconfigurations
Kerberoasting highly privileged user account-based Service Principal Names
According to Mandiant, threat actors commonly target Service Principal Names (SPNs) registered to highly privileged user accounts to extract the password hash and escalate privileges within Active Directory (AD), a technique known as Kerberoasting. A service principal name (SPN) within AD is a representation of a service instance, and an SPN can be registered for a computer or user account to associate it with a service instance. Any authenticated account within AD can request and receive a Ticket Granting Service ticket for the associated SPN account; that ticket is encrypted with the SPN account's password hash, so when the account is highly privileged, cracking the ticket offline yields privileged credentials.
Mandiant recommends:
- Generating strong unique passwords and changing passwords regularly for user accounts configured with SPNs
- Following the concept of least privilege
- Automating those processes via Managed Service Accounts
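One way to act on the three recommendations above is to audit which SPN-bearing user accounts are privileged, how old their passwords are, and whether they can only be issued RC4 tickets (the cheapest to crack). The following PowerShell is an added example written for this page, not Mandiant's code; it assumes the RSAT ActiveDirectory module and uses a 365-day password-age threshold that you should replace with your own rotation policy.

```powershell
# Added example (not from the M-Trends report): audit user accounts with SPNs
# for Kerberoasting exposure. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bits: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
# A null value means the domain default applies, which for user accounts is RC4
# unless you have changed it. No AES bit set => only RC4 tickets can be issued.
$AesBits = 0x18

$Findings = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet, adminCount, 'msDS-SupportedEncryptionTypes' |
  Where-Object { $_.Enabled -and $_.SamAccountName -ne 'krbtgt' } |
  ForEach-Object {
    $encTypes = $_.'msDS-SupportedEncryptionTypes'
    $pwdAgeDays = if ($_.PasswordLastSet) {
        [int](New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).TotalDays
    } else { $null }

    [pscustomobject]@{
        Account         = $_.SamAccountName
        # adminCount=1 is stamped by AdminSDHolder on members of protected groups
        # (Domain Admins, Enterprise Admins, ...): a cheap "is this privileged" signal.
        Privileged      = ($_.adminCount -eq 1)
        PasswordAgeDays = $pwdAgeDays
        # 365 days is an assumption; use your own rotation policy.
        StalePassword   = ($null -eq $pwdAgeDays -or $pwdAgeDays -gt 365)
        RC4Only         = ($null -eq $encTypes -or ($encTypes -band $AesBits) -eq 0)
        SPNs            = ($_.ServicePrincipalName -join '; ')
    }
  }

# Worst first: privileged accounts whose service tickets are cheapest to crack.
$Findings |
  Sort-Object @{Expression='Privileged';Descending=$true},
              @{Expression='RC4Only';Descending=$true},
              @{Expression='PasswordAgeDays';Descending=$true} |
  Format-Table -AutoSize
```

Accounts that come out as Privileged and RC4Only are the first candidates for migration to a Group Managed Service Account, which rotates the password automatically and supports AES; where that is not possible, set a long random password and enable AES on the account.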
GPO edit permissions for non-privileged users
Another common Active Directory misconfiguration is when accounts in specific groups can edit Group Policy Objects (GPOs) to modify domain-based security settings, according to Mandiant. Ransomware actors often target those accounts to push malicious binaries (encryptors) to many systems in a short timeframe, and attackers can also abuse GPOs to gain privileged access on endpoints.
GPOs are used to centrally configure and manage user and computer security settings within AD. Privileged users with delegated rights can modify GPO settings, which can impact the security state for objects within AD, according to Mandiant.
Mandiant recommends reviewing GPO settings to identify groups and accounts that have GPO edit permissions.
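The review Mandiant recommends can be scripted: walk every GPO, list the trustees holding edit-level permissions, and flag any that are not in the set of groups you expect to manage Group Policy. This PowerShell is an added example for this page, not the report's code; it assumes the RSAT GroupPolicy module, and the $ExpectedEditors list is an assumption to adjust to your own delegation model.

```powershell
# Added example (not from the report): list every GPO that a trustee outside the
# expected administrative set can edit. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

# Trustees expected to hold edit rights. This list is an assumption for your
# environment, not a Microsoft default.
$ExpectedEditors = @(
    'Domain Admins', 'Enterprise Admins', 'SYSTEM',
    'Group Policy Creator Owners', 'ENTERPRISE DOMAIN CONTROLLERS'
)

# GpoCustom means a non-standard ACL; it may or may not include edit rights,
# so it is reported for manual review.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

Get-GPO -All | ForEach-Object {
    $gpo = $_
    # Where the GPO is linked decides the blast radius: the domain root or the
    # Domain Controllers OU is far worse than a test OU.
    $links = ([xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)).GPO.LinksTo.SOMPath -join '; '

    Get-GPPermission -Guid $gpo.Id -All | Where-Object {
        $_.Permission -in $EditLevels -and
        $_.Trustee.Name -notin $ExpectedEditors
    } | ForEach-Object {
        [pscustomobject]@{
            GPO         = $gpo.DisplayName
            Trustee     = $_.Trustee.Name
            TrusteeType = $_.Trustee.SidType
            Permission  = $_.Permission
            LinkedTo    = $links
        }
    }
} | Format-Table -AutoSize
```

An empty result means only the expected groups can change policy; anything else is a delegation to justify or remove with Set-GPPermission. Re-run the check after every delegation change, since a single Edit grant on a domain-linked GPO is equivalent to code execution on every machine the policy applies to.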
Privileged user account usage over non-tier 0 asset
According to Mandiant, a commonly seen Active Directory misconfiguration occurs when the architecture allows highly privileged accounts to be used for access across all endpoints. This can result in privileged account credentials being exposed in memory on endpoints and then accessed and used by attackers using various credential dumping tools, including Mimikatz. Authentication methods that expose credentials in memory on endpoints include interactive logons, logons using RDP, RunAs, PowerShell WinRM with CredSSP and PsExec with explicit credentials.
Mandiant recommends admins implement explicit restrictions that only allow privileged accounts to be used from specific privileged access workstations to Tier 0 assets that reside in restricted and protected VLANs and segments.
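Whether privileged accounts are in fact staying on Tier 0 can be checked from the Security log of any workstation or member server: a 4624 event for a protected-group account with a logon type that caches credentials on the host is exactly the exposure described above. This PowerShell is an added example for this page, not Mandiant's code; it assumes the ActiveDirectory module for the privileged-account list and local administrator rights to read the Security log.

```powershell
# Added example (not from the report): find Security log 4624 events on this host
# where a privileged account authenticated with a logon type that leaves reusable
# credentials in LSASS memory. Run on non-Tier-0 hosts (workstations, member
# servers); needs local admin to read the Security log.
Import-Module ActiveDirectory

# Logon types that cache credentials on the target:
#   2  = Interactive (console, RunAs, PsExec with explicit credentials)
#   10 = RemoteInteractive (RDP without Restricted Admin / Remote Credential Guard)
#   11 = CachedInteractive
# Type 3 (Network) does not leave reusable credentials on the target.
$ExposingLogonTypes = 2, 10, 11

# Privileged accounts = members of protected groups; adminCount is stamped by
# AdminSDHolder. Compared by sAMAccountName.
$Privileged = Get-ADUser -Filter 'adminCount -eq 1' |
    Select-Object -ExpandProperty SamAccountName

# Build an XPath filter so the event log does the coarse filtering for us.
$typeClauses = ($ExposingLogonTypes | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
$xpath = "*[System[EventID=4624] and EventData[$typeClauses]]"

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        LogonType = $d['LogonType']
        Source    = $d['IpAddress']
        Process   = $d['ProcessName']
    }
  } |
  Where-Object { $_.Account -in $Privileged } |
  Format-Table -AutoSize
```

Every row is a Tier 0 credential that was, at that moment, recoverable from the host's memory by anyone with local administrator rights. The same logic, fed from centrally collected 4624 events, makes a useful standing detection once the "Deny log on locally / through Remote Desktop Services" user rights for privileged groups have been pushed to non-Tier-0 hosts, because any hit after that point is a policy gap or an attacker.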
Use of unconstrained delegation
According to Mandiant, attackers often target systems with unconstrained delegation to extract Kerberos tickets from memory and impersonate accounts within an environment, taking advantage of delegation within AD that impersonates the client for a single sign-on experience. When unconstrained delegation is enabled on a front-end service, the service receives the Kerberos ticket of the user who requests access to the destination service. Attackers can escalate privileges if they access privileged accounts that are accessing endpoints configured with unconstrained delegation.
Mandiant recommends organizations identify endpoints configured with unconstrained delegation and migrate them to use constrained delegation for specific services only. The firm explains that Microsoft introduced the “Protected Users” security group starting with Windows Server 2012 R2 and Windows 8.1 to manage credential exposure for privileged accounts and provide non-configurable protections.
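Both halves of that recommendation are a directory query: accounts with the TRUSTED_FOR_DELEGATION flag set (excluding domain controllers, which have it by design), and privileged accounts that are not yet in Protected Users. The PowerShell below is an added example for this page, not Mandiant's code; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the report): enumerate accounts trusted for
# unconstrained delegation and report privileged users missing from
# Protected Users. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# TrustedForDelegation maps to userAccountControl bit 0x80000
# (TRUSTED_FOR_DELEGATION). Domain controllers (primaryGroupID 516) have it by
# design, so exclude them; any other computer is a finding.
$Computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' `
    -Properties OperatingSystem, LastLogonDate, ServicePrincipalName

# Services running under a domain user can be trusted for delegation too.
$Users = Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties ServicePrincipalName

'--- Computers with unconstrained delegation (excluding DCs) ---'
$Computers | Select-Object Name, OperatingSystem, LastLogonDate,
    @{n='SPNs'; e={ $_.ServicePrincipalName -join '; ' }} | Format-Table -AutoSize

'--- User accounts with unconstrained delegation ---'
$Users | Select-Object SamAccountName, Enabled,
    @{n='SPNs'; e={ $_.ServicePrincipalName -join '; ' }} | Format-Table -AutoSize

# Members of Protected Users cannot be delegated at all and receive no NTLM,
# RC4 or cached credentials, which blunts ticket theft from a compromised
# front end. List enabled privileged accounts that are not in the group.
# (Protected Users applies to user accounts only, never to service accounts
# that must be delegated, so review each candidate before adding it.)
$protected = Get-ADGroupMember 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName

'--- Privileged accounts NOT in Protected Users ---'
Get-ADUser -Filter 'adminCount -eq 1 -and Enabled -eq $true' |
    Where-Object { $_.SamAccountName -notin $protected -and $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

For each computer in the first table, the fix is to clear the flag and, where delegation is really needed, configure constrained delegation to the specific back-end SPNs (Set-ADComputer with -PrincipalsAllowedToDelegateToAccount on the back end, or the msDS-AllowedToDelegateTo list on the front end). Until that is done, treat every host in the list as holding the tickets of whoever authenticates to it.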
Certificate template permits Domain Admin escalation
Mandiant says another common misconfiguration observed was certificate templates that permit the requester to specify a subject alternative name (SAN) in AD Certificate Services, a Microsoft platform that offers public key infrastructure functionality to support features such as Encrypting File System (EFS), domain authentication, digital signatures and email security. The platform issues certificates based on the Certificate Signing Request (CSR) from the user or machine according to published templates.
If a template enables certificate requests that combine domain authentication with a requester-supplied SAN, an authenticated domain user could feasibly request and receive a certificate with a privileged account included as the SAN, and then access domain-based resources within the context of that privileged user.
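The dangerous combination is visible in the template objects themselves: the "enrollee supplies subject" bit in msPKI-Certificate-Name-Flag, an EKU usable for logon (or no EKU at all), no manager approval, and an Enroll right granted to a broad group. The PowerShell below is an added example for this page, not Mandiant's code; it assumes the RSAT ActiveDirectory module and read access to the Configuration partition. The flag values and OIDs are the ones documented in MS-CRTD.

```powershell
# Added example (not from the report): flag published AD CS templates that let
# an enrollee supply their own subject (and therefore a SAN) while issuing a
# certificate usable for domain authentication, without manager approval.
Import-Module ActiveDirectory

$config  = (Get-ADRootDSE).ConfigurationNamingContext
$pkiBase = "CN=Public Key Services,CN=Services,$config"

# Flag bits (MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # in msPKI-Enrollment-Flag (manager approval)

# EKUs that allow the certificate to be used to log on to the domain.
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)
$EnrollRightGuid = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

# Only templates published on an enterprise CA can actually be enrolled.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', pKIExtendedKeyUsage, nTSecurityDescriptor |
  Where-Object { $_.Name -in $published } |
  ForEach-Object {
    $eku = @($_.pKIExtendedKeyUsage)
    [pscustomobject]@{
        Template                = $_.Name
        EnrolleeSuppliesSubject = ($_.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        # An empty EKU list means "all purposes", which includes authentication.
        AuthCapable             = ($eku.Count -eq 0) -or (@($eku | Where-Object { $_ -in $AuthEkus }).Count -gt 0)
        ManagerApproval         = ($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        # Principals with the Enroll extended right. Full-control ACEs also imply
        # Enroll and are not matched here; review them separately.
        Enrollers               = (@($_.nTSecurityDescriptor.Access |
            Where-Object { $_.ObjectType -eq $EnrollRightGuid -and $_.AccessControlType -eq 'Allow' } |
            Select-Object -ExpandProperty IdentityReference)) -join '; '
    }
  } |
  Where-Object { $_.EnrolleeSuppliesSubject -and $_.AuthCapable -and -not $_.ManagerApproval } |
  Format-Table -AutoSize
```

A template in the output whose Enrollers column includes Domain Users, Authenticated Users or a similarly broad group is the scenario the paragraph describes. The remediation is any one of: clear the "supply in the request" option, remove the authentication EKU, require CA certificate manager approval, or restrict Enroll to the specific accounts that need it; in addition, make sure the CA itself does not have the EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag set, which allows a SAN on any template regardless of its settings.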
Configuration Risks in Azure and Microsoft 365
Identities without multi-factor authentication (MFA) enforcement resulted in unauthorized access
According to Mandiant, organizations that didn’t enforce MFA for identities accessing cloud-based services were easy prey for attackers using stolen credentials or conducting password spraying attacks. In addition to cloud-based resources, on-premises applications were also vulnerable, including VPN gateways, remote access services, virtual desktop infrastructure, and email and messaging services.
To prevent this common Active Directory misconfiguration, Mandiant recommends enforcing the use of MFA authentication to access external-facing resources from remote or untrusted locations via Azure Active Directory features, including Conditional Access Policies.
Legacy authentication to bypass MFA in Azure AD
One of the most common methods used to gain access to Azure tenants observed by Mandiant is credential theft or password spraying against legacy authentication protocols that don’t support MFA. Mandiant identifies commonly known legacy authentication protocols often used to gain access to Microsoft 365, including:
- Exchange Active Sync (EAS)
- Autodiscover
- IMAP4
- MAPI over HTTP (MAPI/HTTP)
- Offline Address Book (OAB)
- Outlook Service
- POP3
- Reporting Web Services
- Exchange Representational State Transfer (REST)
- Outlook Anywhere (RPC over HTTP)
- Authenticated SMTP
- ActiveSync
Mandiant recommends organizations:
- Determine if legacy authentication protocols are enabled for Microsoft 365 access
- Implement the security defaults or Conditional Access policies to disable legacy authentication protocols
- Enforce modern authentication, including MFA using smart cards, certificate-based authentication and third-party SAML identity providers
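The first two recommendations (for both the MFA section and the legacy-authentication section above) can be checked from the tenant's own sign-in logs and Conditional Access configuration: a successful sign-in whose client is neither "Browser" nor "Mobile Apps and Desktop clients" used a legacy protocol and therefore never went through MFA, and a blocking policy exists only if an enabled policy targets the exchangeActiveSync and other client-app types with the block control. The PowerShell below is an added example for this page, not Mandiant's code; it assumes the Microsoft Graph PowerShell SDK and the AuditLog.Read.All and Policy.Read.All scopes.

```powershell
# Added example (not from the report): using the Microsoft Graph PowerShell SDK,
# (1) summarise recent successful sign-ins that used legacy (non-modern) auth and
# (2) check whether an enabled Conditional Access policy blocks legacy clients.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All'

# Microsoft's legacy-authentication workbook treats every client app other than
# these two as legacy; the same rule is applied here.
$ModernClients = @('Browser', 'Mobile Apps and Desktop clients')

# Last 7 days is an assumption; widen it if your tenant has low sign-in volume.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $ModernClients -and $_.Status.ErrorCode -eq 0 }

# Successful legacy sign-ins bypassed any MFA requirement. Grouping by protocol
# and account shows both the exposure and what will break when legacy auth is
# switched off.
'--- Successful legacy-auth sign-ins (protocol, account) ---'
$legacy | Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# A policy blocks legacy auth when it is enabled, targets the 'exchangeActiveSync'
# and 'other' client app types, and grants 'block'. (User/app scoping of the
# policy is not evaluated here; confirm it applies to all users.)
$blocking = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}
if ($blocking) {
    "Legacy authentication is blocked by: $($blocking.DisplayName -join ', ')"
} else {
    'No enabled Conditional Access policy blocks legacy authentication.'
}
```

Run the first half before and after creating the block policy (in report-only mode first): the grouped list tells you which mailboxes, scanners or scripts still depend on IMAP, POP or SMTP AUTH and need to move to modern authentication, and an empty list afterwards confirms the policy is doing its job.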
Privileged Identities Synced from On-Premises Infrastructure
According to Mandiant, attackers often exploit another common Active Directory misconfiguration where on-premises accounts are configured with global admin permissions within Azure AD, allowing for vertical movement from on-premises to the cloud. In many cases the company observed, organizations had conditional access policies configured to not require MFA when accessing Azure from trusted IP ranges that correlated to IP ranges used for on-premises configurations. Once attackers had access to on-premises infrastructure, they moved vertically to the cloud and created new accounts to expand their access.
Mandiant recommends organizations:
- Review the scope of on-premises accounts synced to Azure AD that have the Global Administrator or other elevated roles assigned
- Configure assigned elevated roles as dedicated cloud-only accounts that require MFA regardless of location
- Use Microsoft Privileged Identity Management to enforce time- and approval-based role assignments
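The review of synced accounts holding elevated roles is a short Graph query: enumerate every activated directory role, resolve its user members, and report those whose onPremisesSyncEnabled flag is set. The PowerShell below is an added example for this page, not Mandiant's code; it assumes the Microsoft Graph PowerShell SDK with the Directory.Read.All scope.

```powershell
# Added example (not from the report): list members of every activated Azure AD
# directory role (Global Administrator included) whose account is synchronised
# from on-premises AD. Microsoft Graph PowerShell SDK; needs Directory.Read.All.
Connect-MgGraph -Scopes 'Directory.Read.All'

# Get-MgDirectoryRole returns only roles activated in the tenant, i.e. exactly
# the set that can have members. Only *active* assignments are visible here;
# PIM-eligible assignments that have not been activated do not appear, which is
# the desired state for privileged roles.
Get-MgDirectoryRole -All | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        # Members can be users, groups or service principals; only users can be synced.
        if ($_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            $u = Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesSamAccountName
            [pscustomobject]@{
                Role         = $role.DisplayName
                User         = $u.UserPrincipalName
                OnPremSynced = [bool]$u.OnPremisesSyncEnabled
                OnPremSam    = $u.OnPremisesSamAccountName
            }
        }
    }
} | Where-Object { $_.OnPremSynced } |
  Sort-Object Role, User |
  Format-Table -AutoSize
```

Each row is an account whose on-premises password (and any on-premises compromise) directly controls a cloud administrative role. The fix matches the recommendation above: replace it with a cloud-only account that requires MFA from every location, make the role assignment PIM-eligible rather than permanent, and exclude cloud-only administrators from any "trusted IP ranges" MFA exemption.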
Relaxed firewall rules on cloud-hosted virtual machines
Another common trend observed in 2021 was relaxed firewall rules on cloud-hosted virtual machines. This allowed attackers to remotely access external-facing virtual machines hosted in cloud tenants. Attackers that remotely accessed virtual machines could extract data, deploy ransomware binaries or backdoors, and move laterally or vertically.
Mandiant recommends organizations:
- Filter the scope of the network traffic that can flow in and out of virtual subnets and network interfaces using a stringent Azure network security group.
- Remove unused ports and protocols
- Block ports and protocols used for remote management from external networks
- Use bastion hosts to govern connectivity if remote access to virtual machines in cloud tenants is required
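The first three recommendations reduce to a question you can ask every network security group in a subscription: is there an inbound Allow rule, not overridden by a lower-priority Deny, that lets any Internet source reach a management port? The PowerShell below is an added example for this page, not Mandiant's code; it assumes the Az.Network module with an existing Connect-AzAccount session, and the port list (RDP, SSH, WinRM) is an assumption to extend for your environment.

```powershell
# Added example (not from the report): scan every network security group in the
# current Az context for inbound Allow rules that expose management ports to the
# Internet. Requires Az.Network and a Connect-AzAccount session.
$ManagementPorts = @(22, 3389, 5985, 5986)          # SSH, RDP, WinRM HTTP/HTTPS (assumption)
$AnySource       = @('*', 'Internet', '0.0.0.0/0', '::/0')

function Test-PortInRange {
    # Does one DestinationPortRange entry ('*', '3389' or '3000-4000') include $Port?
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

Get-AzNetworkSecurityGroup | ForEach-Object {
    $nsg = $_
    # NSG rules are evaluated lowest priority number first and the first match
    # wins, so walk them in that order and stop at the first rule that matches
    # "Internet source + this port". Default rules (DenyAllInbound) live in
    # DefaultSecurityRules and never match, so no custom rule => no finding.
    $rules = $nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' } | Sort-Object Priority
    foreach ($port in $ManagementPorts) {
        foreach ($rule in $rules) {
            $hitsPort = @($rule.DestinationPortRange | Where-Object { Test-PortInRange $_ $port }).Count -gt 0
            $fromAny  = @($rule.SourceAddressPrefix  | Where-Object { $_ -in $AnySource }).Count -gt 0
            if ($hitsPort -and $fromAny) {
                if ($rule.Access -eq 'Allow') {
                    [pscustomobject]@{
                        NSG           = $nsg.Name
                        ResourceGroup = $nsg.ResourceGroupName
                        Rule          = $rule.Name
                        Priority      = $rule.Priority
                        Port          = $port
                        Protocol      = $rule.Protocol
                        # Subnets / NICs that actually use this NSG (empty = unattached).
                        AttachedTo    = (@($nsg.Subnets.Id) + @($nsg.NetworkInterfaces.Id) |
                                          ForEach-Object { ($_ -split '/')[-1] }) -join '; '
                    }
                }
                break   # first matching rule, Allow or Deny, decides for this port
            }
        }
    }
} | Format-Table -AutoSize
```

Rows with a non-empty AttachedTo column are live exposures; the remediation that matches the fourth recommendation is to delete the rule and reach the VM through Azure Bastion or a jump host on a private subnet, and then to add a lower-priority Deny rule for the management ports so a later permissive rule cannot silently reopen them.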
Overly-permissive roles assigned to non-privileged users
According to Mandiant, the company observed overly permissive roles being assigned to non-privileged accounts using Azure role-based access control (RBAC). If compromised, non-privileged accounts can be used to elevate privileges to move laterally, compromise other accounts and resources and access data in either Azure or on-premises infrastructure.
The most exploited Azure subscription roles were:
- The Contributor role
- The Virtual Machine Contributor role
- The Application Administrator role
- The Application Impersonation role
Mandiant recommends organizations:
- Move away from assigning permanent privileged roles to designated accounts
- Focus on integrating a just-in-time method for approving and assigning elevated roles
- Use Microsoft PIM to provide both time and approval-based role assignments
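Finding the permanent, broadly scoped assignments the first recommendation targets is a filter over the subscription's role assignments. The PowerShell below is an added example for this page, not Mandiant's code; it assumes the Az.Resources module with a Connect-AzAccount session. Of the roles named above, Contributor and Virtual Machine Contributor are Azure RBAC roles and are covered here; Application Administrator is an Azure AD directory role, so it shows up in a directory-role review rather than in Azure RBAC.

```powershell
# Added example (not from the report): list active Azure RBAC assignments of broad
# roles held by individual user accounts at subscription or management-group
# scope. Requires Az.Resources and a Connect-AzAccount session.
$BroadRoles = @('Owner', 'Contributor', 'Virtual Machine Contributor', 'User Access Administrator')

function Test-BroadScope {
    # True for a whole subscription or a management group; false for a resource
    # group or an individual resource.
    param([string]$Scope)
    return ($Scope -match '^/subscriptions/[^/]+$' -or
            $Scope -like '/providers/Microsoft.Management/managementGroups/*')
}

# Get-AzRoleAssignment shows only active assignments (permanent, or PIM-activated
# right now). Anything listed here for a user is a standing privilege that a
# single compromised credential converts into control of the subscription.
Get-AzRoleAssignment |
  Where-Object {
      $_.RoleDefinitionName -in $BroadRoles -and
      $_.ObjectType -eq 'User' -and
      (Test-BroadScope $_.Scope)
  } |
  Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
  Sort-Object RoleDefinitionName, DisplayName |
  Format-Table -AutoSize
```

Each row is a candidate for conversion into a PIM-eligible assignment (time-bound, approval-gated activation) or, where the user only manages a few resources, for a narrower assignment at resource-group scope.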
Illicit consent grants attacks
According to Mandiant, another common attack technique against an Active Directory misconfiguration was to create and register malicious apps with Azure to attempt to gain persistent access to data and applications, including Exchange Online. Attackers used this method when organizations had allowed non-privileged users to approve consents for external applications to access data housed in Azure or Microsoft 365. Phishing attacks trick users into providing the consent required for this level of access, and the application can then collect the access token and access account-level data without needing user credentials.
Mandiant recommends organizations:
- Enforce user-consent settings so users cannot consent to third-party application access, or only allow consent for verified publishers or specific low-risk permissions
- Regularly review consented permissions for external apps
- Implement an application governance policy to monitor third-party app behavior, such as Microsoft Cloud App Security
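The first two recommendations can be verified directly: the tenant's authorization policy says whether users may still consent to any app, and the OAuth2 permission grants show which externally registered applications already hold mailbox or file scopes and who consented to them. The PowerShell below is an added example for this page, not Mandiant's code; it assumes the Microsoft Graph PowerShell SDK with the Policy.Read.All and Directory.Read.All scopes, and the $RiskyScopes list is an assumption.

```powershell
# Added example (not from the report): (1) report the tenant's user-consent setting
# and (2) list delegated permission grants to apps registered in another tenant
# that carry mailbox/file scopes. Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All'

$tenantId = (Get-MgContext).TenantId

# 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy' = users may consent
# to any app for any permission (the weak setting). 'microsoft-user-default-low'
# limits self-consent to verified publishers and low-risk permissions; no policy at
# all means every consent goes to an admin.
$authz = Get-MgPolicyAuthorizationPolicy
"User consent policies assigned: $($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"

# Delegated scopes worth scrutinising on third-party apps (assumption; extend it).
$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                 'Files.Read.All', 'Files.ReadWrite.All', 'Contacts.Read', 'offline_access')

$spCache = @{}
Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $grant = $_
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId `
            -Property DisplayName, AppId, AppOwnerOrganizationId, VerifiedPublisher
    }
    $sp     = $spCache[$grant.ClientId]
    $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
    $risky  = @($scopes | Where-Object { $_ -in $RiskyScopes })

    # External = registered in another tenant. Microsoft first-party apps are
    # external by this test too, so check VerifiedPublisher before raising an alarm.
    if ($sp.AppOwnerOrganizationId -ne $tenantId -and $risky.Count -gt 0) {
        [pscustomobject]@{
            App               = $sp.DisplayName
            AppId             = $sp.AppId
            VerifiedPublisher = $sp.VerifiedPublisher.DisplayName
            # 'AllPrincipals' = an admin consented for everyone; 'Principal' = one user consented.
            ConsentType       = $grant.ConsentType
            PrincipalId       = $grant.PrincipalId
            RiskyScopes       = $risky -join ' '
        }
    }
} | Format-Table -AutoSize
```

An unverified publisher holding Mail.ReadWrite plus offline_access with ConsentType Principal is the footprint of the consent-phishing technique described above: one user clicked Accept and the app now holds a refresh token that keeps working after the user changes their password. Revoking the grant (Remove-MgOauth2PermissionGrant) and disabling the service principal ends that access; the consent-policy change stops the next one.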
Risky Azure API permissions delegated to single or multi-tenant applications
Mandiant says it identified instances over the course of 2021 where an attacker compromised an account assigned the Application Administrator role in Azure, giving them a way to gain persistent access. This is possible because an Azure registered app can use application or delegated permissions without an interactive user signed into the application. These kinds of permissions require administrator consent, and once given, the permissions are assigned to the service principal associated with the app.
According to Mandiant, attackers could add an application or service principal credential to use the legitimate permissions assigned to the app. In some cases, the apps were assigned permissions within multiple Azure tenants, thus opening the pathway for a supply chain attack and allowing the attacker to pose as an authorized app and move laterally.
Mandiant recommends organizations:
- Review the API permissions assigned to apps and understand the scope of permissions assigned to registered apps in Azure.
- Monitor app behavior using playbooks, including Azure Monitor Workbooks.
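Reviewing the scope of permissions assigned to registered apps, as the first recommendation asks, means resolving each service principal's app-role assignments on Microsoft Graph back to permission names and pairing them with the app's credentials, since a credential freshly added to a long-standing, highly permissioned app is the persistence pattern described above. The PowerShell below is an added example for this page, not Mandiant's code; it assumes the Microsoft Graph PowerShell SDK with the Application.Read.All and Directory.Read.All scopes, and the $HighImpact list is an assumption.

```powershell
# Added example (not from the report): for every application service principal,
# list high-impact app-only (application) permissions on Microsoft Graph together
# with the app's credential count and the newest credential's start date.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Microsoft Graph's well-known application ID. Its appRoles map role GUIDs to
# permission names such as Mail.ReadWrite.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[[string]$r.Id] = $r.Value }

# App-only permissions that let an app read all mail, change directory state or
# grant itself more permissions (assumption; extend for your tenant).
$HighImpact = @('Mail.Read', 'Mail.ReadWrite', 'Directory.ReadWrite.All',
                'RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All',
                'Application.ReadWrite.All', 'User.ReadWrite.All', 'Files.ReadWrite.All')

Get-MgServicePrincipal -All -Property Id, DisplayName, AppId, AppOwnerOrganizationId, ServicePrincipalType, PasswordCredentials, KeyCredentials |
  Where-Object { $_.ServicePrincipalType -eq 'Application' } |
  ForEach-Object {
    $sp = $_
    # appRoleAssignments where the resource is Microsoft Graph = application permissions.
    $assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleName[[string]$_.AppRoleId] }
    $hits = @($assigned | Where-Object { $_ -in $HighImpact })
    if ($hits.Count -gt 0) {
        $creds = @($sp.PasswordCredentials) + @($sp.KeyCredentials)
        [pscustomobject]@{
            App              = $sp.DisplayName
            AppId            = $sp.AppId
            # Multi-tenant apps registered elsewhere show a foreign owner tenant.
            OwnerTenant      = $sp.AppOwnerOrganizationId
            HighImpactPerms  = $hits -join ' '
            CredentialCount  = $creds.Count
            # Correlate a recent StartDateTime with the audit log entry that added
            # the credential and with who performed it before acting.
            NewestCredential = ($creds | Sort-Object StartDateTime -Descending | Select-Object -First 1).StartDateTime
        }
    }
  } | Sort-Object NewestCredential -Descending | Format-Table -AutoSize
```

The output is the "scope of permissions" inventory the recommendation calls for, ordered so that the apps most recently given a new secret or certificate come first. For apps owned by another tenant (OwnerTenant differs from yours), the credentials live in the publisher's tenant and are outside your control, which is why a supply-chain compromise of such an app carries over to every tenant that consented to it; the defensive lever there is to grant the narrowest application permissions the integration actually needs.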
Read Mandiant’s M-Trends 2022 Report for more information.