Gaining Visibility Into Active Directory Enumeration

Background

Adversary use of legitimate system functionality for malicious purposes remains a vexing problem in information security. Frequently viewed through legitimate system tools as “living off the land” binaries (LOLBins), adversaries can also leverage techniques for system survey, reconnaissance, and other actions that mimic legitimate system administrator behaviors for malicious purposes. As with LOLBins, formulating binary, absolute security detections or controls around these items is difficult, as monitoring for adversarial use will almost certainly capture legitimate activity in addition to malicious implementation.

Gigamon Applied Threat Research (ATR) recently concluded an in-depth research and analysis project focused on one specific type of adversary survey activity mimicking legitimate behaviors: Active Directory (AD) enumeration. For enterprise Windows environments, AD serves as a focal point for account and authentication management across a given domain. Additional extensions to non-Windows assets, federated services, and other items expand the scope of AD functionality even further. AD services are therefore critical for the functioning of enterprise environments — and a target of primary interest during network intrusions.

An organization’s AD instance contains a wealth of information on user accounts, user permissions, and related items. From an attacker’s perspective, gathering this information facilitates follow-on lateral movement within a victim environment and can be leveraged to enable activities such as credential capture. For example, once an adversary gains an initial foothold in a victim environment, they may proceed to map connected hosts and dump local credentials from that initial access point. But to accurately leverage the access and information gained, the adversary will need to determine the scope and nature of the accounts and credentials and where they might be applicable within the victim network.

Enumerating the AD environment for the victim network — through built-in system commands or a wealth of publicly available tools — provides intruders this context and enables subsequent activity. Played out to completion, AD enumeration represents a fundamental, often necessary, step for adversaries to gain domain administrator privileges — essentially, complete network compromise. These actions may be accomplished through malicious use of system administrator tools such as AdFind and abuse of domain controller synchronization (such as DCSync attacks), or with dual-use frameworks for enumeration such as BloodHound. In all cases, legitimate AD functionality is abused to map out the network, accounts, and dependencies to facilitate follow-on adversary actions.

Adversary Dependencies

AD enumeration forms a critical step for many adversaries in breaching enterprise networks. Following initial access into a victim environment, adversaries must develop some degree of situational awareness and mechanisms for moving laterally to achieve objectives. Given the overwhelming use of credential capture and reuse for lateral movement post-intrusion by adversaries, from ransomware affiliates to advanced persistent threats (APTs), surveying the local domain to enumerate users and accounts becomes a common and critical step in the cyber kill chain.

Defenders can take advantage of this adversary dependency by viewing AD enumeration as an important signifier of possible intrusion activity. Understanding how adversaries may leverage enumeration of the AD environment for information gathering and post-intrusion lateral movement, defenders can build security and monitoring around such behaviors to enable robust defense in depth.

While not preventing an initial intrusion, identifying critical adversary prerequisites for further exploitation enables defenders to identify and potentially disrupt follow-on exploitation activity before adversaries can attain intended goals. With appropriate detections in place to identify adversary AD enumeration activity, defenders can reduce time to detection for adversary activity and potentially thwart adversaries before they can achieve their actions on objectives.

Detection Opportunities

Most organizations focus on endpoint-related observations to detect AD enumeration and abuse. While effective, such techniques face the risk that successful adversaries may disable defensive tools, block logging frameworks, or even delete or modify potential artifacts to evade discovery. By layering internal network visibility and monitoring onto existing host-focused analysis, organizations and defenders can close potential gaps while achieving a level of certainty with respect to behavioral visibility in the monitored environment.

In the case of AD enumeration, this technique will require significant internal network communication to poll and retrieve information from AD systems and other network devices. Although such activity will mirror legitimate AD operations, identifying especially widespread, promiscuous, or unusual spikes can be a warning of abuse. Especially when pairing those patterns with other observations, either tied to endpoint notifications or additional network observations, defenders will have opportunities to observe such activity for further investigation.

A good starting point for detection methodology is identifying artifacts such as querying for sensitive or privileged users and groups, or extensive communication resulting from mapping domain environments. By understanding how AD communication operates, defenders can begin building models or recognition of normal environment operations to identify anomalous spikes in activity or unusual sources of high-volume query sets.

Of note, AD services will utilize the Lightweight Directory Access Protocol (LDAP) for communication and coordination. Therefore, network defenders will need to capture and monitor LDAP traffic for the most desired level of enriched visibility. Although NetFlow traffic may enable identification of certain egregious or noisy LDAP query sources, content analysis allows for higher-fidelity observations and detections. Unfortunately, network visibility tools such as Zeek currently do not possess a native LDAP parsing functionality. However, possibilities for content analysis exist through packet analysis as well as alternative, nonstandard frameworks.

To close gaps identified above, Gigamon ATR developed a variety of content analysis items and models to achieve greater visibility into AD-related LDAP traffic and AD enumeration activity more broadly. Through these items, we are able to present high-fidelity detections and alerts around post-access network reconnaissance activity to assist defenders. Provided sufficient network visibility and traffic analysis capabilities, defenders can implement similar techniques to identify traffic patterns of interest that align with adversary domain enumeration behaviors.

Situational Awareness

In addition to alerting on potentially malicious behaviors, network defenders and operators must establish and maintain persistent visibility and monitoring of “dual-use” activities for situational awareness. Toward this end, defenders need to move beyond atomic (single-observation), binary (“benign” or “malicious”) security alerting to persistent monitoring and analysis of network activity. Identification of trends, baselines, and tendencies is key to understanding how anomalies or deviations reflect on the organization’s security posture. This awareness, combined with an understanding of threat activity, enables robust response and monitoring of the network environment.

Defenders must therefore pursue not only explicit security alerts but also environmental awareness when analyzing and dispositioning security events. For activities that overlap with legitimate operations, such as AD enumeration, such preparatory work becomes even more critical as a mechanism to differentiate “known good, expected” from “anomalous, potentially malicious.” Absent such understanding and awareness, security practitioners are left in a position of recreating legitimate relationships and activity every time a given alert fires, wasting time and resources while contributing to burnout and frustration.

Persistent visibility, through dashboards or other mechanisms to facilitate analysis, allows network operators and defenders to gain the insights necessary to disposition potentially anomalous events as items of security interest. Through constant analysis and awareness, personnel will build the background necessary to investigate alerts surrounding abuse of legitimate functionality and the context required to resolve alarms when they emerge.

Conclusion

Identifying intrusion lifecycle dependencies for adversaries represents a viable strategy for defenders to spot and counter threats before they can achieve their objectives. Ideally, organizations seek to prevent intrusions from happening in the first place. However, once an adversary gains access, defenders must know what behaviors to look for to establish a viable defensive posture.

In examining AD enumeration, Gigamon ATR identified a critical step in most adversary operations that represents an ideal detection point for intrusion activity. When applied in isolation, this approach is potentially rife with false positives due to overlap with legitimate activity, but further refinement and increased visibility across protocols and actions allow defenders to more accurately triage events and locate threats. Through this nuanced and measured approach, defenders can gain valuable insight into a key aspect of adversary operations to improve security outcomes and enhance an organization’s defensive posture.