Active Directory (AD) is an essential component for managing the network resources of Windows-based organizations. This hierarchical system provides centralized authentication and authorization, which is exactly what makes it a prime target for attackers. Using tools such as BloodHound and SharpHound, you can audit your AD environment, find the misconfigurations and privilege relationships that form attack paths, and reduce your organization's exposure. This article describes the structure of AD and its main components, the ways in which attackers try to gain control of it, including the use of vulnerabilities such as PrintNightmare and Zerologon, and how to map the environment with BloodHound.
Active Directory (AD) is a directory system used to manage Windows-based networks. It plays a key role in the centralized administration of organizational resources, including users, computers, groups, network devices, file shares, group policies, and cross-domain trusts. AD’s hierarchical and distributed architecture allows it to scale to large organizations, supporting millions of objects in one domain with the ability to create new domains as the company grows.
However, it is this centralization that makes Active Directory an attractive target: attackers frequently make control of AD the central objective of an intrusion. Approximately 95% of Fortune 500 companies rely on AD, so it is a critical target for anyone looking to gain access to corporate networks. One common entry point is phishing, which can give an attacker a regular domain user account; that alone is enough to enumerate the internal structure of the directory and look for misconfigurations that lead to higher privileges.
One of the reasons AD is such a frequent target is that it provides both authentication and authorization for the whole Windows network, so whoever controls it controls every resource joined to it. Many AD features are, for backward-compatibility reasons, not secure by default, which leaves room for misconfigurations and exploits. What’s more, by default any authenticated domain user can read most attributes of most objects in the directory, so even a low-privileged account can map the environment in detail. Securing this environment properly is therefore critical.
Recently, more and more attacks are aimed directly at AD. In particular, ransomware groups actively attack this service, as it is a critical part of organizations’ IT infrastructure. For example, the Conti ransomware group has been involved in more than 400 attacks worldwide and used vulnerabilities such as PrintNightmare (CVE-2021-34527, in the Windows Print Spooler service) and Zerologon (CVE-2020-1472, in the Netlogon protocol used by domain controllers) to escalate privileges and move further into the network.
The domain controller (DC) is the server that holds a writable copy of the directory and runs the services that make it work. Its main task is to provide access to network resources and user accounts by performing authentication (Kerberos and NTLM) and authorization for every user and service in the domain, and by answering LDAP queries against the directory. Because every DC holds the complete directory for its domain, including the credential material of every account, it has the highest level of authority in the environment: whoever gains administrative control of a domain controller effectively controls the whole domain, which is why DCs are the ultimate goal of most attacks on AD.
The Active Directory data store is the set of database files and processes responsible for storing and processing information about users, services, and applications on the network. Its main element is the NTDS.DIT file, which by default is stored in the %SystemRoot%\NTDS directory on every domain controller. This file is critical because it contains the entire directory for the domain, including the password hashes of every domain account; while the DC is running it is held open by the directory service and is reachable only through the domain controller’s own processes and protocols. NTDS.DIT is the single most important component of the AD architecture, both because the system cannot operate without it and because an attacker who manages to copy it (for example through a Volume Shadow Copy, or from a backup) can extract every account hash offline. Access to this file, and to any backup that contains it, should be tightly controlled and monitored.
A domain is an administrative unit that groups objects and provides a boundary for managing them. A domain creates a boundary for authentication and authorization, allowing you to control access to resources within that particular domain. For example, abc.com could be a domain (an AD domain is identified by a DNS name, not a URL). Note that a domain is an administrative boundary rather than a security boundary: domains in the same forest trust each other, so the forest is the real security boundary in Active Directory.
Trees in Active Directory are groups of domains that share a contiguous namespace, starting at the root domain of the tree. This structure includes the root domain and all child domains associated with it. Domains within a tree are linked by two-way transitive trust relationships, meaning that a trust established between two domains within the same tree automatically extends to all other domains in that tree. This allows domains within the tree to interact with each other, providing unified access to resources and simplifying management.
In the context of Active Directory, a tree can be visualized as a hierarchy of domains with a parent domain at the top and child domains extending from it. An example of a tree structure would be a parent domain such as “abc.com” with geographic regions represented as child domains, such as “ca.abc.com” for Canada, “na.abc.com” for North America, and “au.abc.com” for Australia.
Organizational units (OUs) are containers in Active Directory used to structure and manage objects such as users, groups, computers, and other OUs. OUs create a hierarchical structure that facilitates administration. They also allow you to delegate administrative rights over a subtree to specific administrators and to link Group Policy Objects to specific units, making the management of large organizations more efficient. From an attacker’s point of view, delegated rights over an OU (for example the ability to link a GPO to it or to modify the accounts it contains) are themselves a privilege worth looking for, which is why BloodHound collects them.
In simple terms, Active Directory trusts are a means of allowing principals from one domain to be granted access to resources in another domain. Every trust has two independent properties: a direction and a transitivity.
Direction: a trust is established in one direction when a trusting domain grants access to accounts from a trusted domain; the trusting domain is the one whose resources become accessible, and the trusted domain is the one whose users can be granted that access. A two-way trust is simply a pair of one-way trusts. A visual representation of this concept is shown in the diagram.
Transitivity: a transitive trust extends the relationship beyond the two domains that established it, so that domains trusted by the trusted domain are trusted as well; a non-transitive trust stops at the two domains involved. A diagram is provided to better understand this concept.
It is important to note that trust relationships are created to provide secure access to resources across multiple domains, making them a key component of Active Directory security. They are also a path for lateral movement: a compromised domain can reach every domain that trusts it, so trusts should be reviewed for direction, transitivity, and SID filtering, and BloodHound maps them as edges for exactly this reason.
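The direction and transitivity described above are stored on each trustedDomain object as two numeric attributes, trustDirection and trustAttributes. The following Python example, added here and not part of the original article, decodes those values into the properties an auditor cares about and flags the trusts that let principals from outside the forest reach local resources. The flag values follow their definitions in MS-ADTS; the sample trusts, the domain names and the helper names (describe_trust, review_trusts) are constructed for illustration and do not describe a real environment.

```python
# Added example (not from the article): decode the trustDirection and
# trustAttributes values that Active Directory stores on every trustedDomain
# object into direction / transitivity / SID-filtering properties.
# Numeric values follow MS-ADTS; the sample data at the bottom is constructed.

# trustDirection: bit 1 = inbound, bit 2 = outbound, both bits = bidirectional.
TRUST_DIRECTION_INBOUND = 0x1
TRUST_DIRECTION_OUTBOUND = 0x2

# trustAttributes bit flags (the subset relevant here).
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004  # the bit "netdom trust /quarantine" toggles
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020


def describe_trust(partner, trust_direction, trust_attributes, local="abc.com"):
    """Describe one trust as seen from the local domain, i.e. the domain whose
    trustedDomain object the two attribute values were read from."""
    within_forest = bool(trust_attributes & TRUST_ATTRIBUTE_WITHIN_FOREST)
    forest_trust = bool(trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
    if within_forest:
        kind = "intra-forest"   # parent-child or tree-root trust, always transitive
    elif forest_trust:
        kind = "forest"         # forest trust between two forest root domains
    else:
        kind = "external"       # external or realm trust, non-transitive by design
    transitive = (within_forest or forest_trust) and not (
        trust_attributes & TRUST_ATTRIBUTE_NON_TRANSITIVE)

    inbound = bool(trust_direction & TRUST_DIRECTION_INBOUND)
    outbound = bool(trust_direction & TRUST_DIRECTION_OUTBOUND)
    if inbound and outbound:
        direction = "bidirectional"
    elif outbound:
        direction = "outbound"
    elif inbound:
        direction = "inbound"
    else:
        direction = "disabled"

    # Direction is the part that is easy to get backwards: OUTBOUND means the
    # local domain trusts the partner, so the partner's principals can be
    # granted access to local resources. INBOUND is the reverse.
    access = []
    if outbound:
        access.append(f"principals from {partner} can be granted access in {local}")
    if inbound:
        access.append(f"principals from {local} can be granted access in {partner}")

    # Caveat: forest trusts apply SID filtering by default even when this bit
    # is clear, so an unset bit means "check further", not "unfiltered".
    quarantined = bool(trust_attributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)

    return {
        "partner": partner,
        "kind": kind,
        "direction": direction,
        "transitive": bool(transitive),
        "sid_filtering_quarantined": quarantined,
        "access": access,
    }


def review_trusts(trusts, local="abc.com"):
    """Describe every trust and list the cross-forest ones through which
    outside principals can be granted access to local resources."""
    described = [describe_trust(p, d, a, local) for p, d, a in trusts]
    flagged = [t["partner"] for t in described
               if t["kind"] != "intra-forest"
               and t["direction"] in ("outbound", "bidirectional")]
    return described, flagged


# Constructed sample: (partner, trustDirection, trustAttributes) as they might
# be read from the trustedDomain objects of abc.com. Not real data.
SAMPLE_TRUSTS = [
    ("ca.abc.com", 0x3, 0x20),       # child domain: bidirectional, within forest
    ("partner.example", 0x3, 0x08),  # forest trust with another forest
    ("legacy.local", 0x2, 0x04),     # one-way external trust, quarantined
]

if __name__ == "__main__":
    described, flagged = review_trusts(SAMPLE_TRUSTS)
    for t in described:
        print(f"{t['partner']:16} {t['kind']:12} {t['direction']:14} "
              f"transitive={t['transitive']} quarantined={t['sid_filtering_quarantined']}")
    print("cross-forest trusts admitting outside principals:", flagged)
```

On a real domain the two attribute values come from an LDAP query for objectClass=trustedDomain under CN=System, or from the TrustAttributes and Direction properties that Get-ADTrust returns; the decoding is the same.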
Download the latest version of BloodHound from the GitHub repository: https://github.com/BloodHoundAD/BloodHound/releases
Extract the downloaded ZIP file to a folder on your system.
Install Neo4j Community Edition (required for BloodHound) from: https://neo4j.com/download-center/#community
After installing Neo4j, run it and create a new graph database. Remember the database password.
Go to the folder where you extracted BloodHound and run the “BloodHound.exe” file.
Connect to the Neo4j database by entering the default username “neo4j” and the password you set for the graph database.
Once connected, BloodHound will display its main interface.
Download the latest version of SharpHound from the GitHub repository: https://github.com/BloodHoundAD/SharpHound3/releases
Extract the downloaded ZIP file to a folder on your system.
Run SharpHound against the target domain from a domain-joined host, in the security context of a domain user. Administrative privileges are not required for the directory (LDAP) part of the collection, although local administrator rights on the member computers improve session and local-group collection. Navigate to the folder containing the “SharpHound.exe” file and run the following command:
SharpHound.exe --CollectionMethod All
Once the data collection is complete, SharpHound writes a ZIP file containing one JSON file per object type (users, groups, computers, domains, and so on); the file name contains the timestamp of the collection. Note that the All collection method contacts every computer in the domain over SMB, which can take a long time in a large environment and is noisy in a monitored one.
In BloodHound, click the “Upload Data” button (the cloud icon with an up arrow) in the upper right corner.
Navigate to the location where the ZIP file created by SharpHound is stored and select it.
BloodHound will begin importing the data, which may take several minutes depending on the size of the data.
After importing the data, you can use BloodHound to analyze the results and identify potential vulnerabilities and attack paths.
Use the search bar in the upper left corner to find specific users, computers, or groups.
Click a node to view its properties and its inbound and outbound edges, which show which principals control it and what it in turn controls.
Use the pre-built queries in BloodHound to identify potential attack paths, such as “Find Shortest Paths to Domain Admins” or “Find all Domain Admins” (the latter unrolls nested group membership, which is why it finds administrators that a plain look at the group’s member list would miss).
By following these steps and using BloodHound, you can effectively analyze your Active Directory environment and identify potential vulnerabilities that attackers can exploit.
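The two pre-built queries named above are graph searches over the edges SharpHound collects. The following Python example, added here and not part of the original article or of the BloodHound project, re-implements both on a small constructed graph: a breadth-first search for the shortest path from a user to the Domain Admins group, and an unrolling of nested group membership to list every principal that is effectively a domain admin. The node names and relationships are invented for illustration; the edge types borrow BloodHound’s names (MemberOf, AdminTo, HasSession, GenericAll, CanRDP) so that the output reads like a BloodHound path.

```python
# Added example (not from the article or the BloodHound project): the logic
# behind "Find Shortest Paths to Domain Admins" and "Find all Domain Admins",
# run over a constructed graph instead of the Neo4j database.
from collections import deque

# Constructed sample data: node name -> BloodHound node kind, and directed
# edges (source, edge type, target). None of this describes a real domain.
NODES = {
    "alice@abc.com": "User", "bob@abc.com": "User",
    "carol@abc.com": "User", "svc_backup@abc.com": "User",
    "helpdesk@abc.com": "Group", "domain users@abc.com": "Group",
    "tier0 admins@abc.com": "Group", "domain admins@abc.com": "Group",
    "ws01.abc.com": "Computer", "ws02.abc.com": "Computer",
}
EDGES = [
    ("alice@abc.com", "MemberOf", "domain users@abc.com"),
    ("alice@abc.com", "MemberOf", "helpdesk@abc.com"),
    ("domain users@abc.com", "CanRDP", "ws02.abc.com"),   # dead end for this search
    ("helpdesk@abc.com", "AdminTo", "ws01.abc.com"),      # helpdesk is local admin on ws01
    ("ws01.abc.com", "HasSession", "bob@abc.com"),        # bob is logged on to ws01
    ("bob@abc.com", "GenericAll", "svc_backup@abc.com"),  # bob fully controls svc_backup
    ("svc_backup@abc.com", "MemberOf", "domain admins@abc.com"),
    ("carol@abc.com", "MemberOf", "tier0 admins@abc.com"),
    ("tier0 admins@abc.com", "MemberOf", "domain admins@abc.com"),
]


def build_graph(edges):
    """Forward adjacency list: node -> [(edge type, target), ...]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search over directed edges. Returns the path as an
    alternating list [node, edge, node, ..., node], or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    if target not in prev:
        return None
    path, node = [target], target
    while prev[node] is not None:
        parent, kind = prev[node]
        path.extend([kind, parent])
        node = parent
    path.reverse()
    return path


def hops(path):
    """Number of edges in a path returned by shortest_path."""
    return (len(path) - 1) // 2


def effective_members(edges, group, node_kinds):
    """Unroll nested MemberOf edges and return every non-group principal that
    is, directly or through nesting, a member of `group`."""
    members_of = {}
    for src, kind, dst in edges:
        if kind == "MemberOf":
            members_of.setdefault(dst, []).append(src)
    found, seen, stack = set(), {group}, [group]
    while stack:
        current = stack.pop()
        for member in members_of.get(current, []):
            if member in seen:
                continue
            seen.add(member)
            if node_kinds.get(member) == "Group":
                stack.append(member)   # keep unrolling nested groups
            else:
                found.add(member)
    return sorted(found)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    path = shortest_path(graph, "alice@abc.com", "domain admins@abc.com")
    print(f"{hops(path)} hops:", " -> ".join(path))
    print("effective Domain Admins:",
          effective_members(EDGES, "domain admins@abc.com", NODES))
```

The five-hop path this finds (group membership, local admin rights, a logged-on session, an ACL right, and a nested membership) is the kind of chain BloodHound draws: no single step is a vulnerability, but together they take a helpdesk user to Domain Admins. The membership unrolling is why “Find all Domain Admins” lists carol, who never appears in the Domain Admins group’s own member attribute.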