Skip to content

Active Directory Security Advisory: How to disrupt and prevent ransomware attacks

January 2021

Ransomware attacks are currently the fastest growing criminal activity on earth. While discussion of disaster recovery post-ransomware is important, it is equally if not more crucial to identify first point of compromise, including the delivery method and have an open conversation about how we can address weaknesses in a layered defense that leads to successful ransomware attacks. 

What do we know so far? 

The REvil ransomware has been around for a long time. It is preventable and its delivery and spread rate is entirely controllable through existing controls and practices that are already available within Active Directory. 

The ransomware relies on a separate malware for delivery (such as trickbot or emotet) that are able to identify complex nested open attack paths that currently exist due to misconfigurations in your Active Directory. These criminal groups are also known to use powerful open source offensive tools such as Bloodhound for attack pathways analysis

Once AD is compromised, attackers are known to maintain access through Active Directory and often will prove they have successfully compromised Active Directory though a series of screenshots. 

Figure 1: Sample ransomware extortion proof. 

What can you do? 

Alsid has been engaging customers suffering post-ransomware attacks, especially those compromised with post exploitation attacks including detection of backdoors and persistence attacks through Active Directory. Based on historical 2020/2019 attack patterns, our research on how to gain some quick wins on assessing your level of exposure and applying necessary remediations is as per the following table: 

Active Directory
weakness  

Powershell commands
to identify exposure. 

Reversible password in GPO 

MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014 (microsoft.com) 

Or use the following cmd 

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml 

 

Passwords kept in GPO 

findstr /S /I password \\<FQDN>\sysvol\<FQDN>\policies\ 

RBCD on sensitive objects or Unconstrained Delegation 

ADSecurityScripts/DiscoverDelegation.ps1 at master · knethteo/ADSecurityScripts (github.com) 
these script will give you a lot of unfiltered results, but will be helpful to look at 

Abusing S4U2Self: Another Sneaky Active Directory Persistence – Alsid 

AdminSDHolder 

Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights – Active Directory Security (adsecurity.org) 

Check the groups and users in the ACL entries of AdminSDHolder, remove all unknown, unverified groups and users. Be sure to check the user in these groups do not belong to unknown users. 

SIDHistoryA way to hide privileges 

Sneaky Active Directory Persistence #14: SID History – Active Directory Security (adsecurity.org) 

Retrieving and removing  

How To Remove SID History With PowerShell | Microsoft Docs 

Start collecting AD changes now and send them to SIEM for safe keeping 

 

Check for the trust relationship between group of companies 

Best to detach the trust, you can also consider to disable TGT delegation between trust, enable sid filtering 

Validate and check for highly privileged users (domain admins, etc) and the ACEs (suspicious users with control through ACEs of sensitive objects), including Domain Controllers and IDPs. 

 

Information for Alsid Customers 

Alsid customers benefit from automated and continuous monitoring with  remediation advice for the common vulnerabilities, misconfigurations and weaknesses that are being exploted by ransomware operators. 

Alsid Indicator of Exposure and 
sub-IoEs to monitor 

Indicator of Exposure 

Sub-IoEs 

Notes 

Reversible passwords in GPO 

 

GPOs must be audited to ensure that no passwords can be retrieved. 

Dangerous delegation 

RBCD Backdoor 

making sure that privileged resources (Active Directory administrative accounts for example) do not have the associated attribute set (msDS-AllowedToActOnBehalfOfOtherIdentity attribute) 

 

Unconstrained Delegation 

Unconstrained Delegation should only be used on Domain Controllers. 

Ensure SDProp consistency 

Unsafe permissions on AdminSDHolder 

Validate the deviant objects raised in Alsid. Follow Alsid’s good practices for whitelisting. 

Accounts having a dangerous SID History attribute 

Privileged SID History on a user 

SID History allows administrators to keep user privileges when migrating them to a new domain and could be misused. Validate the alerts in deviant objects and remove them if not needed. 

Domain controllers managed by illegitimate users 

Unsafe permissions on DC 

Check that ALL domain controllers’ ACE/ACL is secured and remove any suspicious users/groups. Alsid have them flagged out automatically. 

 

Unsafe permissions on DC container 

Check that ALL domain controllers’ OU ACE/ACL is secured and remove any suspicious users/groups. Alsid have them flagged out automatically. 

Verify sensitive GPO objects and files permissions 

Unsafe permissions set on the GPO object 

Check that ALL sensitive GPO objects and files’ ACE/ACL is secured and remove any suspicious users/groups. Alsid have them flagged out automatically. 

 

V Unsafe permissions set on the GPO file 

Check that ALL sensitive GPO objects and files’ ACE/ACL is secured and remove any suspicious users/groups. Alsid have them flagged out automatically. 

Topology 

 

Check for unknown trust with other domain/forest as well as follow Alsid’s guide on securing trusts. 

Trailflow 

 

Review the trail-flow since the suspected first point of entry for suspicious changes in AD. Check for and scurtinze before and after value. 

Comments are closed.

Download pdf

Need more information?

Have any questions? Get in touch with us.

Contact us