
Why Active Directory Attack Paths are the Secret to Many Successful Ransomware Attacks

By gaining control of an organization’s AD, the adversary seizes the power to deploy ransomware to all systems through several mechanisms.

January 19, 2022 Andy Robbins Leave a Comment


It’s no secret that most major enterprises across the globe use Microsoft Active Directory (AD) for identity and access management. This ubiquity is also one of the predominant reasons AD is such a popular and attractive target for adversaries. What remains a mystery to many enterprises, however, is how adversaries, including the malicious actors behind the Conti, REvil, and DarkSide attacks, use Attack Paths in AD to deploy ransomware. In fact, AD Attack Paths are the secret to many successful ransomware attacks. To demystify this regularly used, and often extremely lucrative, tactic, let’s take a closer look at how and, more importantly, why these attacks work in the wild.

At its core, AD’s primary function is to enable administrators to manage permissions and control access to network resources. Therefore, control of an organization’s AD means control of all the users, processes, and systems within that organization. By gaining control of an organization’s AD, the adversary seizes the power to deploy ransomware to all systems through several mechanisms, including (but not limited to) Group Policy, System Center Configuration Manager (SCCM), and third-party software deployment products that typically run on domain-joined Windows systems. For adversaries, the common denominator in these scenarios, and the secret to their success, is the abuse of Attack Paths.


Attack Paths allow adversaries to reliably take control of almost any enterprise’s AD environment because every AD environment in the world is vulnerable to identity Attack Paths, a type of attack also commonly known as an identity snowball attack. To execute such an attack, the adversary first compromises a user with access to a machine on the network, perhaps through a phishing attack, and then works to escalate privilege while avoiding detection.

Once the adversary has their malicious code up and running on a computer in the target network, they can use the privileges of the users logged into that host (as well as tools like Mimikatz and Responder) to compromise other systems and machines. These steps chart a “path” from the adversary’s initial point of access to their final objective. Attack Paths allow adversaries to deploy ransomware without abusing vulnerabilities or software exploits that could be noticed by defenders. Since AD Attack Paths largely use legitimate user credentials, they’re more difficult to prevent and more likely to slip past security controls.

Ransomware is only getting more dangerous over time, and ransomware operators continue to abuse the highly complex nature of AD to find and execute attack paths. Unsurprisingly, this past year several ransomware operators concentrated their focus on AD in order to take full control of their targets’ enterprises before deploying ransomware to most or all domain-joined systems. Take the Conti ransomware for example, which recently focused more on unpatched vulnerabilities to gain privileges in AD. As detailed in a joint alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) in September:

According to a recently leaked threat actor “playbook,” Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges and move laterally across a victim’s network:

  • 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities;
  • “PrintNightmare” vulnerability (CVE-2021-34527) in Windows Print spooler service;
  • and “Zerologon” vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems.

Attack Paths can enable much more than ransomware. In AD, Attack Paths are the mechanism attackers use to gain privileged access to a network. Once they have that access, they can do more than deploy ransomware; they could steal sensitive data, launch other types of malware attacks, achieve persistence in the network or add backdoors that will allow them to instantly re-gain privileged access in the future, and more.

An adversary that is well versed in the dark art of attacking AD can gain privileges and move freely across Attack Paths with minimal risk of discovery by defenders, achieving persistence and gaining the keys to the kingdom. To reduce their vulnerability to all these attacks and stop problems like ransomware at their source, organizations should work on eliminating the Attack Paths in their AD environment.

To combat such threats, it’s becoming more and more common for AD administrators to use the free and open-source software (FOSS) BloodHound to proactively remove or mitigate the most critical, high-risk Attack Paths before adversaries like ransomware groups can find them and use them to take full control of the target’s AD. Using tools like BloodHound FOSS (as well as resources like ADSecurity.org), defenders can better understand their exposure to Attack Paths, audit the most sensitive objects in AD, and execute targeted remediation to eliminate the most dangerous Attack Paths before an attacker can find and exploit those same paths.
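To make the "path" idea from the earlier paragraphs concrete, here is an added example (not code from the article or from the BloodHound project): a small breadth-first path finder over a constructed AD-style graph that uses BloodHound's relationship names (MemberOf, AdminTo, HasSession). It finds the shortest path from a low-privileged user to Domain Admins and, going one step beyond the text, flags the hops whose removal alone would sever that path, which is where a defender would start remediating. Every object and edge in the graph is made up.

```python
from collections import deque

# Constructed sample graph of (source, relationship, target) triples using
# BloodHound's edge names. Every object here is made up for the example.
EDGES = [
    ("bob@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("bob@corp.local", "MemberOf", "WS-ADMINS@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS-ADMINS@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "alice@corp.local"),
    ("alice@corp.local", "MemberOf", "SERVER-OPS@corp.local"),
    ("SERVER-OPS@corp.local", "AdminTo", "FS01.corp.local"),
    ("FS01.corp.local", "HasSession", "da-admin@corp.local"),
    ("da-admin@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_attack_path(edges, start, target):
    """BFS from start; returns the hops [(src, rel, dst), ...] of one
    shortest path to target, or None if target is unreachable."""
    graph = build_graph(edges)
    parents = {start: None}
    queue = deque([start])
    while queue and target not in parents:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parents:
        return None
    hops, node = [], target
    while parents[node] is not None:          # walk back to start
        prev, rel = parents[node]
        hops.append((prev, rel, node))
        node = prev
    return hops[::-1]


def choke_points(edges, start, target):
    """Hops on the shortest path whose removal alone severs every path
    from start to target: the cheapest single remediation candidates."""
    path = shortest_attack_path(edges, start, target) or []
    return [hop for hop in path
            if shortest_attack_path([e for e in edges if e != hop],
                                    start, target) is None]
```

In the sample graph the two group memberships that both reach WS01 are redundant, so the first real choke point is the logged-on session on WS01; cutting that one edge breaks the whole path.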

Fortunately, this particular secret is out and gaining traction with both the United States Department of Homeland Security and professional services network PricewaterhouseCoopers recently recommending organizations do the very same in order to protect their enterprises.

Andy Robbins, technical architect at SpecterOps, is a co-creator of BloodHound, the free and open source Active Directory attack path mapping and analysis tool. Andy has spoken at several conferences including Black Hat USA, Black Hat Europe, and DEF CON, and has a background in professional red teaming and penetration testing.
