Learn more about Active Directory security, AD modernization, identity threat detection and response (ITDR), and more.
Part of an access control list (ACL), an access control entry (ACE) defines who has access to a resource and what operations they can perform. Inappropriately configured ACEs can lead to unauthorized access to resources or privilege escalation.
See also: access control list (ACL)
An access control list (ACL) is a list of access control entries (ACEs) that apply to an AD object (i.e., a user, group, or computer object). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. Incorrectly configured ACLs can lead to unauthorized access or data exposure.
See also: access control entry (ACE)
An access token is a security token that contains user and group security identifiers (SIDs). User rights and some group SIDs from the token can be used for authorization. If access tokens are hijacked or manipulated, an attacker can impersonate a user or escalate privileges.
In an ACL persistence attack, an adversary manipulates the discretionary access control list (DACL) of an Active Directory object to maintain certain privileges or permissions. This attack enables the attacker to persist on the network even after the initial intrusion vector is remediated.
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. AD uses hierarchical, structured data storage for services and components. AD is primarily used for storing objects like users, groups, and computers, enabling management of these resources, including their permissions. AD performs user authentication and controls access to an organization’s resources and data. More than 90 percent of organizations use AD, Azure AD, or a combination of the two (hybrid AD) as their core identity solution. AD is often a target for cyberattackers due to its central role in network management. Misconfigured AD settings have been exploited in multiple high-profile attacks.
Active Directory Administrative Center (ADAC) is a management console in Windows Server that uses a task-based administration model for managing users, groups, computers, and other objects in a domain.
Attacks on AD environments typically follow a certain path: lateral movement between systems, privilege escalation, malware or ransomware insertion on domain controllers, establishing persistence, data exfiltration, and (in the case of ransomware) detonation/encryption. Therefore, AD security depends on defense at every stage of this lifecycle: before, during, and after an attempted cyberattack.
See also: cyber kill chain, domain dominance
An Active Directory-specific backup separates AD components (e.g., database, logs, registry hives) from backups of the system drives of a physical or a virtual machine, including applications, operating systems, and so on. AD-specific backups enable your organization to quickly recover AD safely and free of pervasive malware or ransomware. In contrast, system state or bare metal recovery can re-introduce malware hidden in the backups.
See also: system-state restore
Active Directory Certificate Services (AD CS) provides identity and access control solutions for an organization. If an attacker compromises AD CS, they can issue fraudulent certificates, leading to man-in-the-middle attacks or other unauthorized activities.
For 90% of enterprise organizations, Active Directory controls access to all users, systems, and resources. If AD isn’t working, nothing is. Recovering AD after a cyberattack or other disaster is the most important step in restoring operations and proving cyber resilience.
Active Directory Domain Services (AD DS) is the core function of AD. AD DS provides the methods for storing directory data and making this data available to network users and administrators. A compromise of AD DS can lead to unauthorized access to network resources.
The Active Directory Domain Services (AD DS) PowerShell module provides a collection of cmdlets that enable you to use PowerShell to manage and administer various aspects of AD, such as users, groups, computers, and organizational units.
Active Directory Federation Services (ADFS) is a software component developed by Microsoft. ADFS can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. If not properly secured, ADFS can be a target for attacks aiming to gain unauthorized access.
Semperis ADFR is a backup and recovery solution purpose-built for recovering Active Directory from cyber disasters. Semperis ADFR fully automates the AD forest recovery process, reduces downtime, eliminates risk of malware reinfection, and enables post-breach forensics.
Active Directory hardening involves practical techniques to protect your AD environment. AD plays a critical role in the IT infrastructure, governing authentication and access across the many network resources of a global, interconnected environment.
No organization with an IT infrastructure is immune from attack, but appropriate policies, processes, and controls can help to protect key segments of your organization’s computing infrastructure, including AD. Hardening AD can help to prevent a breach or other threat from growing to a wholesale compromise of the computing environment.
Regularly assessing the risk and health of your organization’s Active Directory is an important step in reducing the AD attack surface. A robust AD security assessment solution like Purple Knight can provide a prioritized list of recommendations, specific to your deployed infrastructure, to improve your AD health.
Active Directory Lightweight Directory Services (AD LDS), previously known as Active Directory Application Mode (ADAM), is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications. AD LDS can be used to create a separate directory for applications that require authentication and user information without having to create additional user accounts in the primary AD DS. For instance, a web application can use AD LDS to store user profiles and access control information separately from the main Active Directory, reducing the attack surface and minimizing potential security risks. However, AD LDS instances running on a server introduce additional risk of their own, as an unsecured instance could be exploited to gain unauthorized access to the information it holds.
Active Directory Migration Tool (ADMT) is a Microsoft utility that enables administrators to migrate objects (i.e., user accounts, security groups, and computers) from one Active Directory Domain Services (AD DS) domain to another, often during a restructure or consolidation project.
See also: Active Directory Domain Services (AD DS)
Cyberattackers who manage to breach an organization’s environment typically seek to gain privileges in Active Directory in an attempt to access data and resources. Once threat actors gain a toehold, they use it to increase their reach, ideally until they compromise an administrative account. This increase in access is known as privilege escalation.
AD recovery restores each domain in the forest to its state at the time of the last trusted backup. Restoring Active Directory from backup or reinstalling AD Domain Services on every domain controller in a forest can be a time-consuming and complicated task. However, ransomware that locks down or corrupts AD makes this step necessary.
When coupled with an AD-specific backup, an AD recovery solution that automates steps in the restoration process can significantly reduce AD downtime. For example, Semperis Active Directory Forest Recovery speeds AD forest recovery by as much as 90%.
Active Directory Recycle Bin (AD Recycle Bin) is an AD feature that enables deleted objects to be restored without a reboot, service interruption, or restore from backup. If not properly secured, the AD Recycle Bin can be exploited to restore deleted malicious accounts or groups.
Active Directory Replication Status Tool (ADREPLSTATUS) is a diagnostic tool that provides detailed replication status information for domain controllers within an AD forest. ADREPLSTATUS helps identify replication issues and troubleshoot replication-related problems.
Active Directory Rights Management Services (AD RMS) is a Microsoft technology that uses encryption and a form of selective functionality denial for limiting access to documents such as corporate emails, Word documents, and web pages.
An Active Directory risk assessment looks for indicators of exposure (IOEs) or indicators of compromise (IOCs) to determine your organization’s risk during a cyberattack or other catastrophic event. A robust risk assessment provides specific actionable guidance to help you mitigate security risks to the AD and to your organization.
See also: Active Directory health check, indicators of compromise, indicators of exposure
Because Active Directory is used to configure permissions and network access, it is a prime target for cyberattackers. Years of growth, mergers, and so on often result in sprawling “configuration creep” and misconfigurations that leave AD open to attack. Closing security gaps in AD is therefore an important part of an organization’s overall cybersecurity strategy.
An evaluation of your organization’s AD environment that helps you identify, quantify, and reduce the risks affecting your AD. This analysis generates a list of issues to address and might also offer remediation guidance and best practices to improve the performance or security of the AD infrastructure.
See also: Active Directory security auditing
The process of collecting data about AD objects and attributes and analyzing and reporting on that data to determine the overall health of the directory, the adequacy of system controls, compliance with established security policy and procedures, any breaches in security services, and any changes that are indicated for countermeasures.
AD security auditing helps you detect and respond to insider threats, privilege misuse, and other indicators of exposure (IOEs) or indicators of compromise (IOCs), thereby strengthening your security posture.
See also: Active Directory security assessment
AD security indicators fall into several categories:
Solutions such as Semperis Purple Knight and Directory Services Protector (DSP) use these indicators to help organizations identify attack vectors that threat actors can use to gain access to the AD environment. These vulnerabilities can lead to an escalation of privileges and eventually to deployment of malware.
Active Directory Service Interfaces (ADSI) is a set of COM interfaces that is used to access the features of directory services from different network providers. ADSI is a programmatic interface to AD that enables developers to perform common tasks such as adding new users. Cyberattackers can use ADSI to manipulate directory entries.
The Active Directory Service Interfaces Editor (ADSIEdit) Microsoft Management Console (MMC) snap-in acts as a low-level editor for Active Directory. ADSIEdit provides access to objects’ properties that aren’t exposed in other AD interfaces, offering a detailed view of every object and attribute in an AD forest.
Active Directory Sites and Services (ADSS) is a Microsoft Management Console (MMC) snap-in used to administer the replication of directory data among all sites in an AD forest. Misconfigurations can affect AD performance and also cause replication of faulty security data.
Active Directory trusts (AD trusts) enable users in one AD domain to access resources in another AD domain. Carefully manage trust relationships to prevent unintended escalation of privileges or exposure of resources.
Active Directory Users and Computers (ADUC) is a Microsoft Management Console (MMC) snap-in that enables administrators to manage user accounts and various other objects in AD. Incorrect usage can lead to unintentional privilege assignments or data exposure.
An evaluation of the vulnerabilities in your organization’s Active Directory environment can help to identify, quantify, and reduce security and configuration risks to AD. Such analyses generate a list of issues to address and might also offer remediation guidance and best practices to improve the performance or security of the AD infrastructure.
See also: Active Directory security assessment
Active Directory Web Services (ADWS) is a web service hosted on domain controllers running Windows Server 2008 R2 and later. ADWS provides a protocol to access and manage directory services over the standard HTTP and HTTPS web protocols.
Add-ADComputer is a PowerShell cmdlet that can be used to create a new computer object in Active Directory. If misused, this cmdlet can lead to the creation of unauthorized computer accounts, potentially used for persistence or lateral movement.
Add-ADComputerServiceAccount is a PowerShell cmdlet that can be used to add a service account to a computer object in AD. An attacker with the rights to run this cmdlet can associate service accounts with unintended systems, potentially gaining unauthorized privileges.
Add-ADGroupMember is a PowerShell cmdlet that can be used to add one or more users, groups, service accounts, or computers to an AD group. Misuse of this cmdlet can lead to unauthorized privilege escalation.
Add-ADPrincipalGroupMembership is a PowerShell cmdlet that can be used to add a user, group, service account, or computer to one or more AD groups. If used maliciously, this cmdlet can grant an attacker access to resources.
Add-ADUser is a PowerShell cmdlet that can be used to create a new user object in Active Directory.
Address Resolution Protocol (ARP) is used to map an IP address to a physical (MAC) address on a local network. Although not specific to AD, spoofing ARP responses is a common attack vector in LAN environments.
Part of the Sysinternals Suite from Microsoft, ADExplorer is a legitimate tool that is used to view and edit the Active Directory structure and its objects. Attackers can use this tool to explore AD structures and analyze objects, permissions, and more.
AdFind is a command-line tool developed by Joe Richards (DS-MVP) to query Active Directory.
Administrative tiering helps an organization better secure its digital environment by defining three or more layers of access to resources and systems. This layering creates buffer zones that separate administration of high-risk or valuable assets such as Active Directory domain controllers.
AdminSDHolder is an Active Directory object that holds the security descriptor for objects that are members of privileged groups. The SDProp process ensures that protected objects’ access control lists (ACLs) are always consistent with the AdminSDHolder object. A compromised AdminSDHolder object can lead to an SDProp attack.
Adprep is a command-line tool that is used to prepare a forest or domain for a Windows Server upgrade. Adprep performs necessary schema and infrastructure updates to support the newer version of Windows Server.
ADRecon is a tool that gathers information about AD and generates a report that can provide a holistic picture of the current state of the target AD environment. Cyberattackers can use ADRecon for reconnaissance to identify potential vulnerabilities.
Advanced Group Policy Management (AGPM), a feature of Microsoft Desktop Optimization Pack (MDOP), enables enhanced control and management over Group Policy Objects (GPOs). AGPM includes capabilities for version tracking, role-based delegation, and change approval.
The Anonymous Logon security principal allows anonymous access to certain services on a machine. In the context of AD, Anonymous Logon represents connections from users that don’t present a valid set of credentials. This can pose a security risk and is often limited or disabled.
Active Directory uses an application directory partition to hold data specific to a certain application or service, such as DNS. If not properly secured, this partition can be exploited by malicious entities for persistence or data extraction.
Active Directory objects have attributes, which define the object’s characteristics (e.g., user phone number, group name). Manipulating attributes can sometimes lead to unauthorized activities or information disclosure.
Audit policies define the types of security events to be recorded in the Security log on domain controllers and computers. A poor audit policy might fail to detect intrusion attempts or other malicious activities.
The authentication process validates the credentials of a person, computer process, or device. Active Directory authentication involves proving the identity of a user logging in to an AD environment, and if compromised, can lead to unauthorized access.
An authoritative restore updates existing domain controllers with restored data, which then replicates to all other DCs in a multi-DC environment.
See also: non-authoritative restore
The authorization process, which determines which permissions and rights an authenticated user has, follows the authentication process. In AD, authorization is often managed through group memberships. Improper authorization configurations can lead to unauthorized access or privilege escalation.
See also: authentication
The auxiliary class is an optional class in AD schema that can be used to extend the attributes of other classes. Misconfiguration of auxiliary classes can lead to security vulnerabilities.
Availability is one of the three pillars of information security (along with confidentiality and integrity). Availability refers to the ability to access resources as expected. In the context of Active Directory, availability might relate to the resiliency of domain controllers and the network infrastructure supporting AD.
Microsoft Azure Active Directory (Azure AD or AAD, now renamed Entra ID) is the Microsoft cloud-based identity and access management (IAM) service. Azure AD helps organizations manage and secure access to applications, data, and networks both in the cloud and on-premises. In the context of cybersecurity, cyberattackers often target Azure AD to gain unauthorized access or escalate privileges, using tactics such as password spray attacks, consent phishing, or exploiting misconfigurations in security policies and access controls. Therefore, securing Azure AD is critical.
Although Azure AD shares part of its name with the on-premises AD, it has a completely different security model. If your organization uses Microsoft 365, it also uses Azure AD.
Azure Active Directory join (Azure AD join) is a process that registers a device to a specific Azure AD tenant, enabling the device to be managed and secured through cloud-based policies and services.
A back link attribute is a type of attribute in the schema of an Active Directory forest. This attribute is linked to a forward link attribute. Together, these are used to create and manage linked attributes.
The BackSync process replicates objects and properties back to a global catalog server from a domain controller within the same domain.
The BadPasswordTime attribute of an AD user object records the time of the last bad logon attempt.
The BadPwdCount attribute of an AD user object tracks incorrect password attempts. This attribute can be monitored to detect potential brute force attacks.
A bare metal recovery (BMR) restores a system state backup plus all non-user data on critical volumes on the server. Because it is an expanded version of a system state backup, a BMR is subject to the same restrictions (same hardware requirements, risk of residual malware) as a system state backup.
See Active Directory backup (AD backup)
An LDAP search begins with the base DN. For an attacker with unauthorized access, this DN is a natural starting point for exploring the Active Directory structure.
Base64 is a binary-to-text encoding scheme. In the context of Active Directory, certain attributes, like userPhoto, are Base64-encoded.
Best Practice Analyzer (BPA) is a server management tool that is available in Windows Server. BPA can help an administrator reduce best practice violations by scanning an AD DS role and reporting when a role is not in compliance with best practices.
A BLOB is a collection of binary data stored as a single entity in a database, including Active Directory. BLOBs are typically images, audio, or other multimedia objects, though sometimes binary executable code may also be stored as a BLOB.
In the context of Active Directory, binding is the process of setting up a connection to the directory service, which can then be used to carry out operations. If attackers can bind to your Active Directory, they can begin to execute queries and potentially make changes if permissions allow.
BitLocker is a full volume encryption feature included with Microsoft Windows versions from Windows Vista onward. BitLocker is designed to protect data by providing encryption for entire volumes. If an attacker gains physical access to a server, BitLocker can prevent unauthorized access to the data stored within.
If the recovery key for BitLocker drive encryption is compromised, an attacker could decrypt a BitLocker-encrypted drive.
BitLocker To Go extends BitLocker data protection to removable drives, such as external hard drives and USB flash drives. These drives can be locked and unlocked only by a password, smart card, or a recovery key.
BlackCat/ALPHV is the first high-profile malware written in Rust, a modern, cross-platform programming language. Able to compromise Windows- and Linux-based operating systems, BlackCat operates as ransomware as a service (RaaS) by ALPHV, a Russian-speaking group of cyberattackers. It uses compromised user credentials to gain initial access to targeted systems and then leverages that access to further compromise user and administrator accounts in Active Directory (AD). BlackCat attacks often employ a triple-extortion tactic, whereby they make individual ransom demands for decrypting infected files, not publishing stolen data, and not launching denial-of-service (DoS) attacks.
A blacklist is a basic security control in which a list of IP addresses, users, computers, and so on are blocked or denied access. In the context of Active Directory, a blacklist can help to protect the directory from known malicious entities.
BloodHound is an AD reconnaissance tool. BloodHound visualizes AD environments, highlighting relationships that can be exploited for privilege escalation. It is often used in advanced persistent threat (APT) attacks.
See also: BloodHound attacks
An attacker can use BloodHound, a tool that can map AD relationships, to understand the structure of an organization’s AD environment and plan attacks based on the information.
See also: BloodHound
In cybersecurity testing, a blue team is the group of individuals responsible for analyzing and securing an information system, identifying its security vulnerabilities and flaws, and defending the environment against potential attackers (i.e., the red team).
See also: red team
BlueKeep is a remote code execution (RCE) vulnerability that spreads through computer networks as a worm. BlueKeep emerged in 2019 as a threat to older versions of the Microsoft Windows operating system. Microsoft responded by releasing patches for its unsupported operating systems at risk of exploitation by BlueKeep. However, this type of threat highlights the importance of having a hardened recovery process established to respond quickly, should Active Directory and other crucial network services become compromised.
Bootstrap replication is the initial replication of data when a new domain controller is added into a domain.
A bridgehead server is the contact point for replication between sites in an Active Directory forest. If an attacker compromises a bridgehead server, they can potentially manipulate replication data.
Bring your own device (BYOD) refers to employees bringing their own computing devices — such as smartphones, laptops, and PDAs — to the workplace for use and connectivity. BYOD can pose security challenges for Active Directory if not properly managed and controlled.
The process of viewing objects within Active Directory. An attacker who can browse your directory can start to map out the structure and details of your AD environment.
The term built-in refers to default groups and user accounts that are automatically created when you install Active Directory Domain Services (AD DS). These groups and accounts have default permissions and rights that are assigned, so it is important to review these defaults to ensure they align with your organization’s security policies.
A built-in container is a special Active Directory container that exists in the security context of the local domain controller. This container holds groups that are local to the domain controller and is created by default when AD is installed.
A process by which large amounts of data can be imported into the Active Directory, often using tools like CSVDE. If an attacker can manipulate this process, they can potentially create numerous malicious entries in AD.
A Business Continuity Plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. In the context of Active Directory, a BCP can include plans for how to restore service after a major outage or attack.
Cain & Abel is a password recovery tool for Microsoft operating systems. This tool enables easy recovery of various kinds of passwords by sniffing the network and by cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks.
A canonical name is the DNS name for an object in Active Directory and is used to reference objects in scripts or other programmatic administration tasks.
In Active Directory, a central access policy (CAP) is a set of rules that you can apply to multiple servers in a domain to control access to files. These rules are part of Dynamic Access Control (DAC) in Windows Server.
A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. It’s crucial to keep this list updated in an AD environment to maintain the integrity of secure communications.
Certificate Services is a server role that enables your organization to issue and manage digital certificates that can be used for secure communications and other security-related functions within Active Directory.
A child domain in a multi-domain Active Directory structure falls under a parent domain. The child domain shares the namespace of the parent, and trust relationships are automatically established between them.
A claim type represents an aspect of a user’s identity, such as group membership, and is used in Dynamic Access Control (DAC) for authorization decisions. Misconfigured claim types can lead to privilege escalation or unauthorized access.
Claims-based authentication is a process in which a user obtains a digitally signed token from a trusted source and presents that to a system. The system can then validate the token and use the claims inside it (e.g., username, role) to identify the user.
Users run applications on computer workstations also known as client machines. If a workstation is connected to a network, then users can take advantage of services provided by servers. Client machines typically do not store data locally but rather receive the requested data from servers by running client-server applications.
Cloud services are available over the internet from a cloud computing provider. Although not specific to Active Directory, many organizations use cloud services like Azure Active Directory in conjunction with or as an alternative to their on-premises AD.
The 2021 Colonial Pipeline ransomware attack is one of the most well-known critical infrastructure attacks in recent history. The Colonial Pipeline attack demonstrated the importance of maintaining a robust Active Directory security posture.
A comma separated value (CSV) file stores tabular data. Improperly secured CSV files can lead to data leakage, especially when used for importing or exporting bulk data from Active Directory.
CSVDE is a tool for importing and exporting Active Directory data. If comma separated value (CSV) files are not validated properly, they can be manipulated to cause incorrect data to be imported or exported, which can pose security threats.
A common name (CN) is the name of an object in Active Directory and must be unique within its container. The CN is part of the object’s distinguished name (DN), which uniquely identifies an object in the LDAP directory. For example, “cn=Daniel Petri,ou=Engineering,dc=semperis,dc=com”.
This maintenance operation reduces the size of the database file (NTDS.DIT). The operation requires highly privileged access and, if misused, can lead to denial of service (DoS).
In Active Directory, a computer object is a representation of a computer that’s part of the domain. It holds various attributes about the computer, such as its name, security settings, and association with user accounts or groups.
In the context of Active Directory, a conditional expression can refer to conditional statements in a Group Policy Object (GPO) or within a script or tool used for AD management.
The Configuration container in Active Directory holds information about the logical structure of the forest, including details about sites, services, and directory partitions. This data is replicated to all domain controllers in a forest. From a cybersecurity perspective, unauthorized changes to the Configuration container could lead to replication issues, impact network performance, or alter the behavior of services relying on this information. Therefore, access to modify the Configuration container should be strictly controlled and monitored.
In Active Directory, a container is an object that can store other AD objects such as user accounts, groups, and even other organizational units (OUs). Containers cannot have group policies applied to them. OUs are also containers and can contain the same objects, plus other OUs, and can have group policies applied.
A context menu in a graphical user interface (GUI) appears on user interaction, such as a right-click mouse operation. In Active Directory Users and Computers (ADUC), context menus offer various options like resetting passwords, moving objects, or initiating replication.
Create, Read, Update, Delete (CRUD) operations are the fundamental functions performed in any database system, including Active Directory.
Credential roaming is a feature of Active Directory that enables users’ credentials and certificates to be copied and transferred securely across multiple devices. Credential roaming helps in managing digital identities across different systems.
Credentials are the user name and password that a user provides to authenticate. If credentials are not properly secured, they can be targeted in credential stuffing or brute-force attacks.
A cross-forest trust relationship can be created between two Active Directory forests. This relationship enables users in one forest to access resources in the other forest, expanding collaboration while maintaining security boundaries.
A cross-reference object is an object in the configuration partition that associates a naming context with a directory server. An attacker compromising this can cause replication issues and lead to outdated security data.
Cross-site scripting is a type of security vulnerability that is not specific to Active Directory but can potentially affect any web-based interface used for AD administration if the interface doesn’t properly validate input.
Cryptography is the practice and study of techniques for secure communication. In Active Directory, cryptography is used in multiple places including secure LDAP, Kerberos authentication, and Encrypting File System (EFS).
The cyber kill chain is a framework that outlines the steps of a cyberattack. It is generally considered to have seven steps:
Within hybrid and multi-cloud environments, Semperis supports integrity and availability of critical enterprise directory services at every step in the cyber kill chain.
Cyber warfare is a series of cyberattacks on the critical computer systems of a country, state, or organization. One of the most infamous examples is NotPetya, malware that originated in Russia in 2017, targeted Ukraine, and quickly spread worldwide with devastating effects.
“NotPetya ushered in an entirely new era of cyber warfare, and AD is in its crosshairs,” said Semperis CEO Mickey Bresman. “Cybersecurity programs, big and small, are on the front lines of a new war that has virtually no boundaries and no rules of engagement. If you think about hospitals that can’t access their systems to save a life, or cities that get held hostage, we have a responsibility to help organizations take back control.”
A cyberattack is a malicious attempt to gain unauthorized access to computer information system resources for the purpose of stealing, altering, exposing, and destroying data or disrupting operations. Identity systems such as Active Directory are prime targets for cyberattackers. As such, Gartner and other analyst firms have pointed out that organizations need AD-specific security and recovery solutions to adequately protect their hybrid AD environments.
The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security that is responsible for strengthening cybersecurity and infrastructure against threats.
A discretionary access control list (DACL) backdoor attack involves an attacker adding an entry to an object’s DACL. This grants the attacker certain permissions or rights to that object without requiring them to compromise an account with those rights.
A cyberattack that occurs with the purpose of stealing or exposing confidential, sensitive, or protected information to an unauthorized person.
In a DCShadow attack, an adversary modifies the Active Directory schema by registering a rogue domain controller. The attacker can then propagate malicious replication changes to the actual domain controllers.
DCSync attacks leverage the Active Directory replication feature, using Directory Replication Services (DRS) to impersonate and request password data from a domain controller (DC). The attack can be used to effectively “pull” password hashes from a DC, without needing to run code on the DC itself. This type of attack is adept at bypassing traditional auditing and detection methods.
Defense in depth uses multiple security measures in a layered approach to protect an organization from cyberattacks.
See also: layered defense.
Kerberos delegation is a feature that allows a service to impersonate a user to other services. If improperly configured, it can be exploited by an attacker to escalate privileges or move laterally through the network.
See also: Kerberos
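As an added example (not part of the glossary, and not Semperis code), the following read-only audit lists the delegation configurations an AD defender reviews: unconstrained delegation, constrained delegation (with and without protocol transition), resource-based constrained delegation, and privileged users that are still delegatable. It goes a little beyond the entry by covering all three delegation variants. It assumes the RSAT ActiveDirectory module and a domain-joined host; the `Domain Controllers` OU name is the default one.

```powershell
# Added example (not part of the glossary): a read-only audit of Kerberos delegation
# settings using the ActiveDirectory module (RSAT). Run as an ordinary domain user.
Import-Module ActiveDirectory

# userAccountControl flag bits, matched with the LDAP bitwise-AND matching rule.
$bitAnd                 = '1.2.840.113556.1.4.803'
$TRUSTED_FOR_DELEGATION = 524288     # 0x80000   unconstrained delegation
$TRUSTED_TO_AUTH        = 16777216   # 0x1000000 constrained delegation with protocol transition

# 1. Unconstrained delegation: a service on such a host can reuse the TGT of any
#    user that connects to it. Domain controllers are expected; anything else is a finding.
$unconstrained = Get-ADObject -LDAPFilter "(userAccountControl:$bitAnd:=$TRUSTED_FOR_DELEGATION)" |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' }

# 2. Constrained delegation: msDS-AllowedToDelegateTo lists the SPNs the account may
#    impersonate users to. Protocol transition ("use any authentication protocol")
#    is the riskier variant, because no ticket from the user is needed first.
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl |
    Select-Object Name,
        @{n='Targets';  e={ $_.'msDS-AllowedToDelegateTo' -join ' ' }},
        @{n='AnyProto'; e={ [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH) }}

# 3. Resource-based constrained delegation is configured on the target object itself.
$rbcd = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'

# 4. Privileged users should be marked "sensitive and cannot be delegated".
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
$delegatable = foreach ($a in $admins) {
    $u = Get-ADUser -Identity $a.distinguishedName -Properties AccountNotDelegated
    if (-not $u.AccountNotDelegated) { $u.SamAccountName }
}

[pscustomobject]@{
    UnconstrainedNonDC        = @($unconstrained).Name -join ', '
    ConstrainedDelegation     = @($constrained | ForEach-Object { "$($_.Name)->$($_.Targets)" }) -join '; '
    ResourceBasedDelegation   = @($rbcd).Name -join ', '
    AdminsWithoutNotDelegated = @($delegatable) -join ', '
} | Format-List
```

Every non-empty field in the output is something to justify or fix: remove unconstrained delegation from member servers, review each constrained target list, and set the "sensitive" flag (or Protected Users membership) on administrative accounts.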
Semperis Directory Services Protector (DSP) is the only identity threat detection and response (ITDR) solution that provides a single view of security vulnerabilities across hybrid Active Directory/Azure AD environments. With DSP, you can correlate changes across on-prem AD and Azure AD, detect advanced attacks, automate remediation of suspicious changes, and minimize the AD attack surface.
Active Directory forests often contain multiple security risks, ranging from management mistakes to unpatched vulnerabilities. With access to AD or Azure AD, threat actors can gain dominance over your entire infrastructure. Cyberattackers target AD to elevate privileges and gain persistence in the organization. To defend AD, administrators need to know how attackers are targeting the environment and which vulnerabilities they might exploit.
See also: Active Directory privilege escalation, indicators of compromise, indicators of exposure
Active Directory heavily relies on DNS for name resolution and service location. DNS attacks, such as DNS spoofing or DNS poisoning, can redirect or manipulate DNS requests, leading to unauthorized access or disruption of AD services.
Members of the DnsAdmins group have access to network DNS information. This group exists only if the DNS server role is or was installed on a domain controller in the domain. Attackers who gain access to this group can use that access to compromise Active Directory.
An attacker with membership in the DnsAdmins group can load an arbitrary DLL into the DNS service, which runs with system-level privileges, thus achieving privilege escalation.
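As an added example (not part of the glossary, and not Semperis code), this read-only check covers the two things a defender wants to know about the preceding two entries: who is effectively in DnsAdmins, and whether any DNS server has a server-level plugin DLL configured at all. It assumes the ActiveDirectory module, that AD-integrated DNS runs on the domain controllers, and PowerShell remoting to those servers.

```powershell
# Added example (not part of the glossary): a read-only check of who is in DnsAdmins
# and whether any DNS server has a server-level plugin DLL configured.
Import-Module ActiveDirectory

# Membership should be minimal and every entry justified; nested groups count too.
$members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName

# AD-integrated DNS usually runs on the domain controllers; add standalone DNS
# servers to this list if your environment has them (assumption: DCs only).
$dnsServers = (Get-ADDomainController -Filter *).HostName

# The DNS service loads the library named by ServerLevelPluginDll when it starts.
# In a healthy deployment the value does not exist; any value is an alert condition
# and the named file should be examined before the service is next restarted.
$pluginKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$plugins = Invoke-Command -ComputerName $dnsServers -ArgumentList $pluginKey -ScriptBlock {
    param($key)
    $v = Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    [pscustomobject]@{ Server = $env:COMPUTERNAME; PluginDll = $v.ServerLevelPluginDll }
} -ErrorAction SilentlyContinue

'DnsAdmins members (recursive):'
$members | Format-Table -AutoSize
'DNS servers with ServerLevelPluginDll set:'
$plugins | Where-Object { $_.PluginDll } | Format-Table -AutoSize
```

Treat the group like a Tier 0 group: monitor its membership changes (event ID 4728/4732 on the DCs) and keep the plugin check in a scheduled baseline job.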
If an attacker gains unauthorized control over a domain controller (DC), they can manipulate Active Directory objects, modify permissions, create backdoors, or perform other malicious actions that compromise the entire AD infrastructure.
During a cyberattack, threat actors often seek access to Active Directory. Such access can enable attackers to eventually gain administrative privileges and ultimate power over Active Directory domains, and thus all application and data that rely on Active Directory.
See also: Active Directory attack lifecycle, cyber kill chain
In an environment with multiple trusted domains, an attacker with admin access to a lower trust level domain can leverage the trust relationship to gain access to a higher trust level domain.
Local Security Authority Subsystem Service (LSASS) stores credentials in memory that can be dumped and extracted by an attacker. Tools like Mimikatz are often used for this purpose.
Effective permissions are a set of permissions granted to a user or group based on a combination of explicit and inherited permissions. Understanding effective permissions is critical for security auditing and risk assessments.
Elevated privileges are higher-level permissions, typically administrative privileges, that are granted to a user account. An attacker who gains elevated privileges can cause significant damage or data breaches.
A PowerShell and Python post-exploitation framework, Empire offers a range of tools for exploiting Windows systems. Among its capabilities are features for harvesting credentials, creating backdoors, and establishing persistence in an AD environment.
This PowerShell cmdlet is used to enable a disabled user account in Active Directory. Misuse can reactivate previously disabled malicious accounts.
This Windows feature enables the transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Although EFS can enhance data security, it should be properly managed to avoid unauthorized access or data loss.
Encryption is the process of converting data into a coded form to prevent unauthorized access. AD uses encryption in various forms for secure communication, like Kerberos tickets or LDAPS connections.
Endpoint protection is the practice of securing endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices from being exploited by malicious actors and campaigns. If improperly managed, infected endpoints can compromise AD security.
This high-level group in AD has full control over all assets within the entire forest. The Enterprise Admins group is a high-value target for attackers, as the compromise of an Enterprise Admins account can lead to complete domain takeover.
A common enterprise directory, such as Microsoft Active Directory, gives directory users a more secure environment and gives both users and applications a consistent expectation of the role the directory provides. A common enterprise directory resource facilitates role-based access to computing resources.
EMM is a set of services and technologies designed to secure corporate data on employees’ mobile devices. EMM is used in conjunction with AD for identity and access management.
Enumeration is the process of extracting detailed information about objects within AD. Uncontrolled enumeration can lead to information disclosure that could aid an attacker.
Escalation of privilege (or privilege escalation) is a type of network intrusion that takes advantage of programming errors or design flaws to grant the intruder elevated access to the network and its associated data and applications. In an AD context, an attacker who can leverage misconfigurations or vulnerabilities to escalate their privileges can potentially gain full control over the domain.
Ethernet is a family of computer networking technologies commonly used in local area networks (LAN), metropolitan area networks (MAN), and wide area networks (WAN). Ethernet was commercially introduced in 1980 and has since been refined to support higher bit rates and longer link distances. Today, Ethernet is the most widely installed local area network technology. Ethernet cables, such as Cat 5e and Cat 6, are commonly used in wired networks. The latest versions of Ethernet can support data transfer rates up to 400 gigabits per second.
Event logs are records of significant incidents in an operating system or other software. In the context of AD, monitoring event logs can help detect security incidents or problematic configurations. However, some attacks are designed to evade event logging.
This Microsoft Management Console (MMC) snap-in provides a view of the event logs in Windows. Administrators use Event Viewer to monitor, manage, and troubleshoot issues within AD, and the tool is crucial in identifying signs of potential cyberattacks.
Exchange Server is the Microsoft email, calendaring, contact, scheduling, and collaboration platform deployed on the Windows Server operating system for use within a business or larger enterprise environment. Exchange Server interacts with AD for user information and authentication.
Explicit group membership occurs when a user or group is directly added to an AD group rather than gaining membership through nested groups. Understanding explicit and implicit (nested) group memberships is important for managing permissions and access controls.
This Group Policy setting enables the export of user and computer settings. Enabling this capability can be a security concern if not properly controlled, as it can lead to the exposure of sensitive configuration information.
EPA is a security feature that enhances the protection and handling of authentication credentials when they are transmitted over the network. This technology is designed to counter man-in-the-middle (MitM) attacks, which steal or manipulate credentials during transmission. Enabling EPA can enhance the security of protocols used for communication and data exchange. For instance, when used with LDAP, EPA can prevent attacks such as NTLM relaying.
Extended rights are a set of non-standard permissions that can be granted to a security principal. Extended rights provide specific control access rights to the object to which they are applied. Misconfiguring extended rights can lead to security vulnerabilities.
An extended schema is an AD schema that is modified or extended with additional attributes or classes, typically to support third-party applications. However, improper modifications can lead to functionality issues or security vulnerabilities.
XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. In the context of Active Directory, XML can be used in many ways, such as creating custom scripts for specific operations, defining Group Policy settings, or formatting data reports.
This Jet-based ISAM data storage technology (previously known as Jet Blue) is used in Active Directory and Exchange Server. The ESE database engine enables fast and efficient data storage and retrieval using indexed and sequential access.
An external trust is a type of trust in Active Directory that is manually defined and does not extend beyond two domains. Security risks can arise from improperly configured trusts, as they can enable unauthorized access across domains.
An extranet is a controlled private network that enables access for partners, vendors and suppliers, or an authorized set of customers, typically to a subset of information accessible from an organization’s intranet. In relation to AD, proper authentication and authorization are essential to secure extranet resources.
Failback is the process of restoring a system or another component of a system to its original state after a failover.
In Active Directory, failover refers to the process by which network services are moved to a standby server in case of a primary server failure. It’s a crucial part of ensuring high availability.
Failover clustering is a technology in Windows Server that enables you to create and manage failover clusters, which provide high availability for network services and applications.
This network feature allows a computer to share data files and connected printers with other computers and devices on the network.
FRS is a Microsoft Windows Server service for distributing shared files and Group Policy Objects (GPOs). FRS has been replaced by Distributed File System Replication (DFSR) in newer versions of Windows Server.
File system security pertains to the access controls and permissions assigned to files and directories. In an Active Directory context, file system security often refers to permissions set via Group Policy Objects.
Attributes in the filtered attribute set (FAS) are not replicated to read-only domain controllers (RODCs).
In the context of Active Directory, filtering is used to limit the objects or attributes that a replication or query operation acts on. Improper filtering can lead to inefficient replication or inaccurate query results, affecting performance and possibly leading to incorrect data.
In Windows Server 2008 and later, these policies enable you to specify multiple password policies within a single domain. In this way, you can apply different restrictions for password and account lockout policies to different sets of users in your domain.
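The following is an added example (not part of the glossary, and not Semperis code) of what this entry describes: creating a fine-grained password policy (a password settings object, PSO) that is stricter than the domain default and applying it to privileged groups. The policy name, the `Tier0-Admins` group, and the `admin.alice` account are assumptions; `Domain Admins` is the built-in group.

```powershell
# Added example (not part of the glossary): create a stricter fine-grained password
# policy for privileged accounts and apply it to groups. Names are assumptions.
Import-Module ActiveDirectory

# When several PSOs apply to one user, the lowest Precedence wins; the domain's
# default policy is used only for users that no PSO applies to.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# PSOs are applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Domain Admins', 'Tier0-Admins'

# Verify the policy a specific user actually ends up with. No output means the
# user falls back to the domain default policy.
Get-ADUserResultantPasswordPolicy -Identity 'admin.alice'
```

Because PSOs apply only to direct and nested members of global groups, keep the subject groups small and audited; a user moved out of `Tier0-Admins` silently drops back to the weaker domain policy.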
FOCA is a tool that is used to find metadata and hidden information in documents. FOCA can be used to extract information from public files hosted on a company’s website, providing attackers with insights into the internal structure of an AD environment.
This network security device monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
The settings and rules that determine how your firewall will manage inbound and outbound traffic. Misconfigurations can leave ports open for attackers to exploit, making the firewall a critical aspect of network security.
Firewall exceptions are configurations that allow specific network traffic to bypass security controls, often necessary for certain applications or services to function properly across a network.
The policies that govern how a firewall operates. These rules can define the types of traffic allowed or blocked by the firewall, and where that traffic is allowed to go. Proper configuration and management of firewall rules are crucial to maintaining network security.
A flat name is the NetBIOS name of the domain and can differ from the domain’s DNS name.
The process of forcibly transferring FSMO roles from a non-operational domain controller to a functioning domain controller within an Active Directory domain. FSMO seizure is an emergency recovery process where an Active Directory domain controller forcefully takes over an FSMO role from another domain controller that is malfunctioning or permanently offline. This is typically a last-resort measure, as seizing an FSMO role can lead to data inconsistencies in the directory service if the original role holder becomes available again.
The process of transferring FSMO roles from one domain controller to another. FSMO role transfer is usually a planned process, as opposed to FSMO role seizure, which is typically an emergency process. FSMO transfer needs to be securely managed to prevent an attacker from taking control of these crucial roles.
See also: Flexible Single Master Operations (FSMO) role seizure
FSMO roles are special roles assigned to one or more domain controllers in an Active Directory environment. These roles manage operations that can be performed by only one DC at a time. The roles help to ensure consistency and to eliminate the potential for conflicting updates in an Active Directory environment. However, improper management or a failure of a server with one of these roles can lead to disruptions in the AD environment.
There are five FSMO roles:
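As an added example (not part of the glossary, and not Semperis code) covering this entry and the two FSMO transfer and seizure entries above it, the script below reports the holder of each of the five roles (Schema Master, Domain Naming Master, PDC Emulator, RID Master, Infrastructure Master) and wraps the move cmdlet so that a seizure is an explicit, deliberate choice. `DC02` is an assumed domain controller name.

```powershell
# Added example (not part of the glossary): report FSMO role holders and move roles,
# distinguishing a planned transfer from an emergency seizure. Requires the
# ActiveDirectory module; moving roles needs Domain/Enterprise/Schema Admin rights.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles are attributes of the forest object, domain-wide roles of
    # the domain object, so two cmdlets are needed to see all five.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster    # one per forest
        PDCEmulator          = $domain.PDCEmulator           # one per domain
        RIDMaster            = $domain.RIDMaster             # one per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # one per domain
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)] [string]   $Target,  # DC that should hold the roles
        [Parameter(Mandatory)] [string[]] $Roles,   # e.g. 'PDCEmulator', 'RIDMaster'
        [switch] $Seize                             # only when the holder is gone for good
    )
    # Transfer: the current holder is contacted and hands the role over cleanly.
    # Seize (-Force): the role is taken without the holder's cooperation. A seized
    # holder that later comes back online must be demoted, never reconnected as-is,
    # or the directory ends up with two servers claiming the same role.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole $Roles -Force:$Seize -Confirm:$false
}

Get-FsmoRoleHolders | Format-List

# Planned transfer of the domain-wide roles to DC02 (assumed name):
Move-FsmoRoles -Target 'DC02' -Roles PDCEmulator, RIDMaster, InfrastructureMaster

# Emergency seizure of the forest-wide roles, only if the old holder is permanently offline:
# Move-FsmoRoles -Target 'DC02' -Roles SchemaMaster, DomainNamingMaster -Seize

Get-FsmoRoleHolders | Format-List
```

From a security standpoint, an unexpected change in any of the five holders is worth an alert: role moves are rare, planned events, and the Schema Master and Domain Naming Master in particular should only ever move by a documented change.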
Folder Redirection is a Group Policy feature that changes the location of certain folders like Desktop, Documents, and Pictures to a new location on the network.
In this type of attack, an attacker forces a user or service account to change its password. The attacker captures the new password hash as it is transmitted to the domain controller, then uses it to authenticate as the user or service account.
An object that represents a security principal (such as a user or security group) located in a trusted domain external to the forest. These objects enable external security principals to become members of security groups within the domain.
In Active Directory, a forest is a collection of one or more domain trees, each with a different DNS namespace. All domain trees in a forest share a common schema and configuration container. When you first install Active Directory, the act of creating the first domain also creates a forest. Forests serve as the topmost logical container in an Active Directory configuration, encapsulating domains.
Forest Druid is a free Semperis community security tool that identifies and prioritizes attack paths that lead to Tier 0 assets. The tool helps cybersecurity defensive teams quickly prioritize high-risk misconfigurations that could represent opportunities for attackers to gain privileged domain access. Rather than chasing down every avenue, defenders can use Forest Druid to quickly identify undesired or unexpected attack paths for remediation, accelerating the process of closing backdoors into Active Directory.
Forest Druid helps you:
The FFL setting determines the available Active Directory Domain Services (AD DS) capabilities that can be used in a forest.
See also: Active Directory Domain Services (AD DS)
The forest root domain is the first domain created in the forest. This domain contains some special features and is crucial for the functioning of the entire AD forest. The forest root domain cannot be removed.
A forest trust relationship is established between two Active Directory forests. A forest trust allows users in different forests to access resources in a reciprocal manner, subject to the permissions configured. Misconfiguring these trusts can expose resources to unauthorized users, potentially leading to data breaches.
A forward link in Active Directory is a type of link attribute that points from one object to another. When the forward link is modified, the system automatically updates the link table for the back link attribute. For example, the member attribute of a group object is a forward link, pointing to the users that are members of the group, whereas the memberOf attribute is the related back link.
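To make the forward/back link relationship concrete, here is an added example (not part of the glossary, and not Semperis code) that writes the forward link and then reads the back link, plus the audit caveat that the primary group is tracked outside both links. `Finance-Readers` and `bob` are assumed names in a lab domain.

```powershell
# Added example (not part of the glossary): observe the member / memberOf link pair.
# 'Finance-Readers' and 'bob' are assumed names; this writes to the group.
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity 'Finance-Readers'
$user  = Get-ADUser  -Identity 'bob'

# The forward link (member on the group) is the attribute that is actually written.
Add-ADGroupMember -Identity $group -Members $user

# The back link (memberOf on the user) is maintained by the DC from the link table.
# It cannot be set directly; it simply reflects the forward links that point here.
$user = Get-ADUser -Identity 'bob' -Properties memberOf, primaryGroupID

# Audit caveat: the primary group is recorded in primaryGroupID (an integer RID,
# 513 for Domain Users), not in member/memberOf, so it appears in neither link.
$domainSid    = (Get-ADDomain).DomainSID.Value
$primaryGroup = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

[pscustomobject]@{
    GroupListsUser    = (Get-ADGroup $group -Properties member).member -contains $user.DistinguishedName
    UserListsGroup    = $user.memberOf -contains $group.DistinguishedName
    PrimaryGroup      = $primaryGroup.Name
    PrimaryInMemberOf = $user.memberOf -contains $primaryGroup.DistinguishedName
}
```

Tooling that enumerates group membership from `memberOf` alone misses the primary group, which is why a membership audit should query the group side (`Get-ADGroupMember -Recursive`) or account for `primaryGroupID` explicitly.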
A forward lookup zone is a part of DNS server in Active Directory that is used to translate domain names into IP addresses. If not properly secured, this could potentially be exploited by attackers to gain unauthorized access or to launch a DNS poisoning attack.
The act of forcibly transferring FSMO (Flexible Single Master Operations) roles from one domain controller to another. This is typically done when the original domain controller is no longer available, and it should be used as a last resort because it can lead to issues within the domain. Improper seizure can disrupt AD functionality and introduce security issues.
The process of returning a computer system to its original state, usually using a full system backup in case of a critical system failure or corruption.
The FQDN is the complete domain name for a specific computer, or host, on the internet. The FQDN consists of two parts: the hostname and the domain name. In the case of Active Directory, the FQDN is used to precisely identify the location of an object within the directory.
In Active Directory, the functional level determines the available AD DS domain or forest capabilities. It also determines which Windows Server operating systems you can run on domain controllers in the domain or forest. However, once the functional level is raised, domain controllers running earlier versions of Windows Server cannot be introduced into the domain or forest.
This PowerShell command retrieves the resultant password replication policy for an AD account. An attacker can potentially use this information to understand which passwords are being replicated and where, aiding in attack planning.
This PowerShell cmdlet retrieves a domain controller object or performs a search to retrieve multiple domain controller objects from AD. Inappropriately used, it can provide an attacker with valuable information about the domain controller in an AD environment.
This PowerShell cmdlet retrieves fine-grained password policies from the AD. If these policies are incorrectly configured or leaked, it could aid an attacker in planning a password cracking attack.
This PowerShell cmdlet retrieves a group object or performs a search to retrieve multiple group objects from AD. Misuse or inappropriate exposure can provide an attacker with valuable information about group structure and membership in an AD environment.
This PowerShell command retrieves the members of an AD group. An attacker could use this to identify high-privilege accounts to target.
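The entry on explicit group membership above and this one both come down to the same cmdlet used with and without `-Recursive`. As an added example (not part of the glossary, and not Semperis code), the read-only report below lists, for each built-in privileged group, who is a direct member, which groups are nested, and which users hold admin rights only through nesting.

```powershell
# Added example (not part of the glossary): compare explicit membership with effective
# (nested) membership of the built-in privileged groups. Read-only.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins'

foreach ($g in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    try { $direct = @(Get-ADGroupMember -Identity $g -ErrorAction Stop) } catch { continue }

    # Explicit: what the group's member attribute lists (users, computers, groups).
    $directUsers  = @($direct | Where-Object { $_.objectClass -eq 'user' })
    $nestedGroups = @($direct | Where-Object { $_.objectClass -eq 'group' })

    # Effective: every user reachable through any depth of nesting.
    $effective = @(Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' })

    # Users who are privileged only because some nested group contains them.
    $viaNesting = @($effective |
        Where-Object { $directUsers.distinguishedName -notcontains $_.distinguishedName })

    [pscustomobject]@{
        Group          = $g
        DirectUsers    = $directUsers.Count
        NestedGroups   = $nestedGroups.Name -join ', '
        EffectiveUsers = $effective.Count
        ViaNestingOnly = $viaNesting.SamAccountName -join ', '
    }
}
```

The `ViaNestingOnly` column is the one to act on: each account there has full privileges without appearing in the group anyone looks at first, which is exactly the situation an attacker also looks for.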
This PowerShell command retrieves an AD object or performs a search to retrieve multiple objects. It is commonly used in reconnaissance by an attacker to understand the objects within AD.
This PowerShell cmdlet retrieves the attribute replication metadata for AD objects, which can be used for troubleshooting replication issues. However, in the hands of an attacker, it could potentially reveal sensitive information.
This PowerShell command retrieves the root of the directory information tree (DIT) of an AD domain. This can be used by attackers to gather information about the domain’s structure.
This PowerShell cmdlet retrieves a trust object or performs a search to retrieve multiple trust objects from AD. Inappropriately used, it can provide an attacker with valuable information about trust relationships in an AD environment.
This PowerShell cmdlet retrieves a user object or performs a search to retrieve multiple user objects from AD. Inappropriately used or exposed, it can provide an attacker with valuable information about user accounts in an AD environment and identify potential targets for attacks within the AD.
The GAL is an accessible directory of all the users, groups, shared contacts, and resources recorded in an organization’s Active Directory Domain Services (AD DS). Inappropriate access or manipulation of the GAL can lead to unauthorized information access or phishing attacks.
The Global Catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multi-domain Active Directory Domain Services (AD DS) forest. The GC is used to speed up searches and logins, especially in large environments. If a GC server becomes unavailable or compromised, it can lead to issues with logins and searches.
Global groups can have members from their own domain but can be granted permissions in any domain in the forest. If used incorrectly, these groups can lead to unwanted privilege escalation.
A GUID is a 128-bit number, generated by the system, that uniquely identifies an AD object. Every object created in Active Directory gets a GUID, which remains the same for the life of the object even if the object is moved or renamed. Manipulation of GUIDs can potentially lead to attacks like object impersonation.
A Golden gMSA attack is a cyberattack in which attackers dump Key Distribution Service (KDS) root key attributes and generate the passwords for all of the associated gMSAs offline. This two-step process begins with the attacker retrieving several attributes from the KDS root key in the domain. Then, using the Golden gMSA tool, the attacker generates the password of any gMSA that is associated with the key (without having a privileged account).
A Golden Ticket attack enables an attacker to forge a Kerberos ticket, giving them unauthorized access to any system in the domain as a highly privileged user, such as a domain administrator. Such elevated privileges can give the attacker almost unlimited access to Active Directory and the resources that depend on it.
This command-line tool in Windows operating systems forces an immediate refresh of Group Policy on the local machine. This tool can be useful for applying policy changes immediately, rather than waiting for the automatic refresh cycle.
Granular audit policies can be configured in AD for more detailed information gathering. Misconfigurations can lead to gaps in monitoring and logging, potentially enabling attackers to avoid detection.
This unique value identifies a specific group in an AD environment. In a UNIX context, the GID is often used to map UNIX groups to their Windows counterparts. This capability can be manipulated for access control bypass attacks in mixed OS environments.
A group Managed Service Account (gMSA) is a managed domain account that helps to secure services on multiple servers. Introduced in Windows Server 2012, gMSA is a special type of service account in Active Directory and features automatic password rotation every 30 days. It also provides simplified service principal name (SPN) management and the ability to delegate the management to other administrators. If compromised, gMSAs can be used to escalate privileges or move laterally across a network.
See also: Golden gMSA attack
Passwords for Group Managed Service Accounts (gMSAs) are managed by AD. These accounts, if compromised, can allow an attacker to move laterally across a network or escalate privileges.
See also: Group Managed Service Account (gMSA)
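The following added example (not part of the glossary, and not Semperis code) provisions a gMSA the way the two gMSA entries above and the Golden gMSA entry suggest it should be done: the KDS root key is created once and treated as a Tier 0 secret, and the only principals allowed to retrieve the managed password are the servers that run the service. `svc-web`, `svc-web-hosts`, `WEB01`, `WEB02`, and `corp.example` are assumed names.

```powershell
# Added example (not part of the glossary): provision a gMSA whose password can be
# retrieved only by the hosts that run the service. Names are assumptions.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which every gMSA password is derived.
# Its attributes are what a Golden gMSA attack reads, so only DC-level privileged
# accounts should be able to read it; never copy it into scripts or backups elsewhere.
if (-not (Get-KdsRootKey)) {
    # The key becomes usable about 10 hours after creation so that it replicates to
    # all DCs first. (A backdated -EffectiveTime is a lab-only shortcut.)
    Add-KdsRootKey -EffectiveImmediately
}

# The retrieval control: a group of the servers that legitimately run the service.
$hosts = New-ADGroup -Name 'svc-web-hosts' -GroupScope Global -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $hosts -Members (Get-ADComputer -Identity 'WEB01'), (Get-ADComputer -Identity 'WEB02')

New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/web.corp.example' `
    -KerberosEncryptionType AES128, AES256

# Review who may read the password later (the list should only ever contain host groups):
(Get-ADServiceAccount -Identity 'svc-web' -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# On WEB01/WEB02, after a reboot so the new group membership is in the host's token:
#   Install-ADServiceAccount -Identity 'svc-web'
#   Test-ADServiceAccount -Identity 'svc-web'    # True when the host can retrieve the password
```

Two points matter for defenders: the retrieval list, not the gMSA itself, is the access control, so it belongs in change monitoring; and because all gMSA passwords derive from the KDS root key, protecting and auditing reads of that key is what actually limits the Golden gMSA technique.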
In Active Directory, users are grouped together to simplify the process of granting permissions or delegating control. Incorrect group memberships can give a user more access rights than necessary; following the principle of least privilege reduces this risk.
Group nesting refers to the practice of adding groups as members of other groups. Although nesting can simplify permissions management, it can also create complex and hard-to-track permissions structures, potentially leading to excessive permissions and security issues.
This Microsoft Management Console (MMC) snap-in provides a single administrative interface for managing Group Policy across the enterprise in an Active Directory environment. GPMC simplifies the management of Group Policy by making it easier to understand, deploy, and manage policy implementations.
This planning and troubleshooting tool for group policies can simulate the potential impact of GPOs, but misuse or misunderstanding of its results can lead to misconfigurations.
Group policies enable IT administrators to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy Objects (GPOs), which are linked to Active Directory Domain Services (AD DS) containers. A GPO is a component of Group Policy, used to represent policy settings applied to users or computers. GPOs can become a target for attackers who want to alter security settings on a system-wide level.
See also: Group Policy Object (GPO) abuse
Attackers with permissions to modify GPOs can leverage this ability to execute malicious code, modify system settings, or disrupt system operations on systems where the GPO applies.
Part of Group Policy, GPP enables more advanced configuration of systems. GPP is notable for a security issue: It used to store passwords in a reversible encrypted format, a vulnerability that has been exploited in the past.
See also: Group Policy Preferences (GPP) password attack
Before a Microsoft update removed the Group Policy Preferences (GPP) feature, GPP allowed administrators to store passwords in Group Policy Objects (GPOs). The encrypted passwords could easily be decrypted, and older GPOs might still contain these deprecated password entries, making them a target for attackers.
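As an added example (not part of the glossary, and not Semperis code) for the two GPP entries above, the read-only scan below walks the domain's SYSVOL share and reports every GPO preference file that still carries a `cpassword` attribute, which is the leftover entry these passages warn about. It assumes the ActiveDirectory and GroupPolicy modules and read access to SYSVOL, which every domain user has.

```powershell
# Added example (not part of the glossary): scan SYSVOL for leftover GPP password
# entries. Read-only; it reports which GPO and file still carry a cpassword value.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = (Get-ADDomain).DNSRoot
$policies = "\\$domain\SYSVOL\$domain\Policies"

# GPP stored credentials in these preference files; the cpassword attribute is the tell.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = foreach ($file in Get-ChildItem -Path $policies -Recurse -Include $gppFiles -ErrorAction SilentlyContinue) {
    try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop } catch { continue }

    # Resolve the {GUID} folder name to the GPO display name where possible.
    $guid = ($file.FullName -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' })[0]
    $gpoName = $guid
    try { $gpoName = (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch { }

    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        # The attribute naming the account differs per preference type.
        $account = ''
        foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
            if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
        }
        [pscustomobject]@{
            GPO       = $gpoName
            File      = $file.FullName
            Element   = $node.LocalName
            Account   = $account
            HasSecret = $node.GetAttribute('cpassword') -ne ''
        }
    }
}

$findings | Format-Table -AutoSize
```

Each finding should be removed from the GPO and the affected account's password changed, since the value has been readable by every domain user for as long as the file has existed.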
A report of Group Policy settings within the scope of an object (user or computer). This report can be valuable for troubleshooting but can also expose potential weaknesses or misconfigurations in GPOs to attackers.
Group Policy is an integral feature built into Microsoft Active Directory. Its core purpose is to enable IT administrators to centrally manage users and computers across an AD domain: business users and privileged users such as IT admins, and workstations, servers, domain controllers (DCs), and other machines. Group Policy security is an important part of AD security.
Group scopes define the reach of the AD groups in terms of their ability to include other groups or users as their members, and the extent to which these groups can be granted permissions. Misconfiguration of group scopes can lead to unauthorized access to resources.
Active Directory defines two types of groups: Security and Distribution. Security groups are used for permissions, whereas Distribution groups are used for email distribution lists.
Hardening an AD environment involves securing the environment against attacks by reducing the surface of vulnerability. This might include measures like implementing least privilege access, monitoring for suspicious activity, regularly updating and patching systems, and so on.
In the context of Active Directory, hashing relates to how passwords are stored. AD uses a hashing algorithm to store passwords in a non-reversible hashed format, enhancing security. However, attackers can still use techniques like pass-the-hash attacks to exploit these hashed credentials.
Active Directory health checks are important for ensuring the correct operation and performance of an AD environment. Regular health checks can identify issues before they become major problems. Security-wise, they can also identify unusual activity that may indicate a breach or attempted attack.
A hidden recipient in Active Directory is a user that does not show up in the address lists. If hidden recipients are not properly managed, an attacker could use them to exfiltrate data without raising alarms.
AD structure is built as a hierarchy, starting from forests down to domains, organizational units, and individual objects. An understanding of this hierarchy is crucial for both managing AD and for securing it against potential attacks.
In AD, the home directory is a specific network location that is automatically connected each time a user logs on. If not properly secured, these directories can be exploited by attackers to gain unauthorized access to sensitive data.
In cybersecurity, a honeypot account is a decoy AD account used to attract and detect malicious activities. If the honeypot account is accessed or altered, it could be an indication of a security breach.
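The detection side of this entry, as an added example (not part of the glossary, and not Semperis code): a decoy account should never authenticate, so any Kerberos ticket request, pre-authentication failure, or logon naming it is a signal. The script queries the domain controllers' Security logs for those events and reports the source. `honey.svc` is an assumed honeypot account name; it assumes the ActiveDirectory module and remote event log access to the DCs.

```powershell
# Added example (not part of the glossary): surface any authentication activity that
# names a decoy account. 'honey.svc' is an assumed honeypot account nobody should use.
Import-Module ActiveDirectory

$honeypot = 'honey.svc'
$lookback = (Get-Date).AddDays(-1)

# 4768 = TGT requested, 4771 = pre-authentication failed (wrong password),
# 4769 = service ticket requested, 4624 = successful logon. These are logged on the
# DC that handled the request, so every DC has to be queried.
$dcs = (Get-ADDomainController -Filter *).HostName
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4769, 4771, 4624; StartTime = $lookback
    } -ErrorAction SilentlyContinue
}

$hits = foreach ($e in $events) {
    # Field positions differ per event ID, so read the named EventData fields from XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $account = $data['TargetUserName']
    if (-not $account) { continue }
    # 4769 records the name as user@REALM; strip the realm before comparing.
    if ($account.Split('@')[0] -ine $honeypot) { continue }

    $source = $data['IpAddress']
    if (-not $source) { $source = $data['WorkstationName'] }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        DC      = $e.MachineName
        EventId = $e.Id
        Source  = $source
        Service = $data['ServiceName']
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

Because the account has no legitimate use, the alert threshold is one event; the `Source` address is the host to start the investigation from, and a 4769 for the decoy's SPN is usually the earliest sign that someone is enumerating service accounts.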
A host is a computer that is connected to a network.
In Active Directory, a host (A) record maps a domain name to an IP address in DNS. If these records are not properly secured, attackers could manipulate them, causing traffic to be redirected to malicious sites.
In the context of Active Directory Federation Services (AD FS), a host header is used to route incoming HTTP/HTTPS requests that are sent to a specific AD FS federation server in a farm.
A HIDS is a system that monitors a computer system, rather than a network, for malicious activities or policy violations. Implementing a HIDS on critical AD servers can help to detect and prevent potential attacks.
A hotfix is a single, cumulative package that includes information (often in the form of files) that is used to address a problem in a software product like Active Directory. From a cybersecurity perspective, regular application of hotfixes is essential to protect from known vulnerabilities.
A Hybrid Active Directory environment integrates on-premises AD with cloud-based solutions like Azure AD (now Entra ID). This setup enables users to have a single identity for both systems. From a cybersecurity perspective, managing access and identities across on-premises and cloud environments can be complex and requires a comprehensive security approach.
In a hybrid cloud deployment, Active Directory might serve to authenticate and authorize users and computers in a network that combines on-premises infrastructure and cloud services. Security measures need to be taken into account across both environments.
Many organizations today use both on-premises Active Directory and in-the-cloud Azure AD. This hybrid identity environment enables a common user and system identity for authentication and authorization of resources regardless of location. However, it also presents unique cybersecurity challenges.
In response, Semperis delivers identity threat detection and response (ITDR) solutions designed for hybrid identity protection. We also sponsor the Hybrid Identity Protection (HIP) Podcast and Hybrid Identity Protection Conference (hipconf.com) series.
A popular brute-force tool, Hydra supports numerous protocols, including SMB and HTTP, which are often used in AD environments. Hydra can be used to guess or crack passwords, allowing unauthorized access to user accounts.
HTTPS is often used in AD Federation Services (ADFS) to secure communications. It’s important to keep certificates up to date and use strong encryption protocols to maintain security.
IAM is a framework of policies and technologies for ensuring that the right people in an enterprise have the appropriate access to technology resources. IAM systems can be used to initiate, capture, record, and manage user identities and their related access permissions.
From phishing emails to cyberattacks targeting Active Directory, threat actors love to target identity resources. If a cyberattacker can gain a user’s identity credentials (for example, via a phishing email), they don’t need to break into your environment; they can simply log in. Once inside your environment, the attacker can attempt to take over additional identities, working their way up (through privilege escalation) to admin-level access. At that point, the attacker can make changes to Active Directory to take over, lock down, or shut down user and system accounts, resources, and data.
IdM is a broad administrative area that involves identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity.
IdP is a system that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with AD Federation Services (ADFS).
Identity systems are coming under sustained attack. Misuse of credentials is now a primary method that cyberattackers use to access systems and achieve their goals.
Gartner defined the identity threat detection and response (ITDR) category to evaluate solutions that detect and derail identity-based attacks. ITDR refers to the set of practices, strategies, and technologies used to detect and respond to potential threats and attacks targeting user identities and credentials. In an Active Directory context, this often includes monitoring for suspicious activity such as abnormal login patterns, excessive failed login attempts, or unexpected privilege escalation.
ITDR is a crucial component of cybersecurity as compromised user credentials are often a stepping stone for attackers to gain access to sensitive resources, perform lateral movement, or carry out privilege escalation within the network. Therefore, organizations need a collection of tools and processes to defend identity systems.
This attribute in AD links an on-premises user to an Office 365 user. ImmutableID is often used during AD migrations or consolidations.
Impacket is a collection of Python classes developed for working with network protocols, often used for creating network tools. It provides a robust and comprehensive framework for crafting and decoding network packets, enabling developers to construct and analyze network traffic. Although Impacket is an important tool for legitimate network administrators and cybersecurity professionals, it can also be exploited by malicious actors for network attacks, such as NTLM relay attacks on Active Directory.
See also: NTLM relay attack
Impersonation refers to the ability of a thread to execute in a security context that is different from the context of the process that owns the thread. In a cybersecurity context, impersonation is a common attack method that could lead to unauthorized access or privilege escalation.
Special identities that represent different users at different times, depending on the circumstances. Examples include Anonymous Logon, Batch, and Authenticated Users.
A method of indexing data for fast retrieval, employed by the Extensible Storage Engine (ESE) that underlies Active Directory.
Indicators of attack (IOAs) in cybersecurity are security indicators that demonstrate the intent of a cyberattack. Detecting IOAs early in an attack can help defenders prevent further damage.
See also: security indicators, indicators of compromise, indicators of exposure
Indicators of compromise (IOCs) in cybersecurity are security indicators that demonstrate that the security of the network has been breached. Investigators typically spot IOCs after being informed of a suspicious incident, discovering unusual callouts from the network, or during a security assessment. Semperis Purple Knight and Directory Services Protector (DSP) scan for IOCs.
See also: security indicators, indicators of attack, indicators of exposure
Indicators of exposure (IOEs) are security indicators that provide insight into potential exploitable vulnerabilities before a cybersecurity incident occurs. By understanding such risks, security teams can better prioritize security management efforts and be prepared to contain attacks quickly. Semperis Purple Knight and Directory Services Protector (DSP) scan for IOEs.
See also: security indicators, indicators of attack, indicators of compromise
IRM is a form of IT security technology used to protect information from unauthorized access. In the context of Active Directory, IRM can help protect sensitive data by controlling who has access to it and what they can do with it, such as preventing data from being printed or forwarded.
A set of policies issued by an organization to ensure that all IT users within the organization’s domain abide by its rules and guidelines related to information security. The policies are designed to protect organizational data and manage risk to the confidentiality, integrity, and availability of information.
One of five FSMO roles in AD, the Infrastructure Master is responsible for updating references from objects in its domain to objects in other domains. If all domain controllers are also Global Catalog servers, the Infrastructure Master role does not perform any tasks.
See also: Flexible Single Master Operations (FSMO) roles
Inheritance refers to the cascading of permissions from parent objects to child objects within the Active Directory tree. In AD, permissions granted at a higher level in the hierarchy can be inherited by lower-level objects, unless inheritance is explicitly blocked. Inheritance simplifies permission management, but incorrect configurations could expose resources to unauthorized users.
Unauthorized domain controllers or domain controller compromise can lead to the replication of directory services data to a malicious actor, enabling them to gather sensitive information and credentials.
This feature enables administrators to install a domain controller by using restored backup files. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently, especially when the WAN links to these sites are relatively slow and/or the existing AD database size is considerably large.
This PowerShell command installs a new domain controller in AD.
This PowerShell command installs a new AD DS forest. This is a highly privileged command that, if misused, can lead to the creation of a malicious forest, potentially compromising the entire AD environment.
Refers to a DNS server that is integrated with an Active Directory domain. An AD-integrated DNS server stores its data in Active Directory, which allows the DNS information to be replicated to all other domain controllers in the domain, improving the fault tolerance of your DNS.
A trust established between two Active Directory forests. An inter-forest trust can be a one-way or two-way trust that provides for controlled access to resources in each forest. Managing and monitoring inter-forest trusts to mitigate the risk of unauthorized access is crucial.
In Active Directory, the ISTG role is held by one domain controller in each site and is responsible for creating a spanning tree of all site links in the site, and constructing a least-cost routing topology for replication between domain controllers within the site.
This type of logon occurs when a user enters their credentials directly to the system, typically through the system’s console. In Active Directory, interactive logons are logged as a specific event (Event ID 528 on Windows Server 2003 and older, and Event ID 4624 on Windows Server 2008 and newer).
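The detection the honeypot account and interactive logon entries above describe, as an added example that is not part of the original glossary: it scans exported logon events for the decoy account names and reports whether each logon was interactive. The decoy names, the field names, and the sample records are this example's own assumptions.

```python
"""Flag successful logons to honeypot (decoy) accounts in exported Security log events.

Added example, not code from the original glossary. Assumes logon events were
exported as one JSON object per line (as a SIEM or script might produce), using
field names from the Windows Security event XML: EventID, TargetUserName,
LogonType, IpAddress, TimeCreated. All records below are constructed.
"""
import json
from collections import Counter

# Successful logon event IDs: 4624 on Windows Server 2008 and later,
# 528 on Windows Server 2003 and earlier (as the glossary entry notes).
LOGON_EVENT_IDS = {4624, 528}

# Logon type 2 is an interactive (console) logon; 10 is RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {2, 10}

# Constructed decoy account names: no legitimate user should ever log on with these.
HONEYPOT_ACCOUNTS = {"svc-backup-legacy", "adm-finance-old"}

# Constructed sample export: one honest logon, three decoy-account logons, one logoff.
SAMPLE_EVENTS = "\n".join([
    '{"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2, '
    '"IpAddress": "10.0.0.15", "TimeCreated": "2024-01-05T08:02:11Z"}',
    '{"EventID": 4624, "TargetUserName": "svc-backup-legacy", "LogonType": 3, '
    '"IpAddress": "10.0.0.99", "TimeCreated": "2024-01-05T08:05:40Z"}',
    '{"EventID": 4624, "TargetUserName": "svc-backup-legacy", "LogonType": 10, '
    '"IpAddress": "10.0.0.99", "TimeCreated": "2024-01-05T08:06:02Z"}',
    '{"EventID": 528, "TargetUserName": "adm-finance-old", "LogonType": 2, '
    '"IpAddress": "10.0.0.42", "TimeCreated": "2024-01-05T08:10:00Z"}',
    '{"EventID": 4634, "TargetUserName": "jsmith", "LogonType": 2, '
    '"IpAddress": "-", "TimeCreated": "2024-01-05T17:30:00Z"}',
])


def parse_events(text):
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def honeypot_logons(events, honeypots=HONEYPOT_ACCOUNTS):
    """Return one alert per successful logon whose target is a decoy account.

    Account names are compared case-insensitively because sAMAccountName
    matching in AD is case-insensitive.
    """
    decoys = {name.lower() for name in honeypots}
    alerts = []
    for event in events:
        if event.get("EventID") not in LOGON_EVENT_IDS:
            continue  # logoff, privilege assignment, etc. are not logons
        user = (event.get("TargetUserName") or "").lower()
        if user not in decoys:
            continue
        alerts.append({
            "account": user,
            "event_id": event["EventID"],
            "source_ip": event.get("IpAddress"),
            "time": event.get("TimeCreated"),
            "interactive": event.get("LogonType") in INTERACTIVE_LOGON_TYPES,
        })
    return alerts


def summarize(alerts):
    """Count alerts per decoy account, for a quick triage view."""
    return Counter(alert["account"] for alert in alerts)


if __name__ == "__main__":
    found = honeypot_logons(parse_events(SAMPLE_EVENTS))
    for alert in found:
        kind = "interactive" if alert["interactive"] else "network"
        print(f"{alert['time']} {kind} logon to decoy {alert['account']} "
              f"from {alert['source_ip']} (event {alert['event_id']})")
    print(dict(summarize(found)))
```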
The internet is a global network of computers and servers that communicate with one another using standardized protocols, primarily TCP/IP (Transmission Control Protocol/Internet Protocol). The internet provides various services including the World Wide Web, email, file transfer, and cloud services. In terms of cybersecurity, the internet is often the main vector for a wide range of threats targeting Active Directory environments, including phishing attacks, malware distribution, and remote exploitation of vulnerabilities. Thus, securing internet connections and monitoring internet-facing services are crucial tasks in network security.
IAS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2000 and 2003. IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and VPN connections. From a cybersecurity perspective, securing the IAS is crucial, as attackers compromising it could manipulate authentication processes, gain unauthorized network access, or snoop on network traffic. Since Windows Server 2008, IAS has been replaced by Network Policy Server (NPS).
IIS is web server software created by Microsoft for the Windows NT family of operating systems. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. In the context of AD, IIS is often used for hosting necessary web-based services like ADFS.
IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet in a data stream. In terms of Active Directory, IPsec policies can be used to provide security for traffic between AD domain controllers and member servers or clients, thereby adding an extra layer of security.
An intranet is a private network within an organization. Intranets are often used to share company information and computing resources among employees. Security-wise, uncontrolled or unauthorized access to the intranet can lead to information leakage or other forms of internal attacks.
A device or software application that monitors a network or systems for malicious activity or policy violations. An IDS plays a crucial role in a robust security architecture.
A hardware or software inventory typically refers to the process of collecting detailed information about all the hardware or software used across an organization. An accurate inventory is essential for managing resources, planning for future needs, and maintaining security.
An IP address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. In an Active Directory environment, proper IP addressing is crucial for network communication and resource access.
This series of rules dictates which form of IPsec should be used in a transaction between the server and the client. Misconfiguration of the rules could leave security vulnerabilities in your AD environment.
A section of a network isolated from the rest of the network. Using isolated network segments can limit the potential damage if a security incident occurs in a different segment.
This set of detailed practices for IT service management (ITSM) focuses on aligning IT services with the needs of business.
The Active Directory database is based on the Microsoft Jet Blue engine and uses the Extensible Storage Engine (ESE) to store, edit, delete, and read data. The Active Directory database is a single file named ntds.dit. By default, this database is stored in the %SYSTEMROOT%\NTDS folder on each domain controller and is replicated between them.
A fast password cracker, used to detect weak passwords. Attackers use John the Ripper to crack hashed passwords, enabling unauthorized access.
An operation where a computer becomes part of an Active Directory domain. Joining a domain allows the system to use the central authentication provided by AD, access resources, and adhere to policies set by the domain. Mistakes in this process can cause vulnerabilities and improper access controls.
This security technology enables delegated administration for anything managed by PowerShell. In an AD context, JEA can help to limit privilege escalation attacks by reducing the number of people who have full administrative rights.
See also: Just-in-Time (JIT) administration
This method of assigning privileges to users is similar to Just Enough Administration (JEA). JIT gives users the privilege they need to perform a task but only for a certain period of time. This can minimize the risk of privilege escalation or credential theft.
See also: Just Enough Administration (JEA)
Kerberoasting targets a weakness in the Kerberos authentication protocol used by Active Directory. Attackers request a service ticket for a targeted service account and then crack the encrypted service ticket offline to obtain the account’s password.
See also: Kerberos, Kerberos delegation abuse, Kerberos password guessing
Rubeus is a powerful tool for interacting with the Microsoft Kerberos protocol. In Kerberoasting attacks, attackers use Rubeus to request service tickets and crack the tickets offline to gain service account credentials.
Kerberos is the primary authentication method used in Active Directory domains to authenticate users and computers. Older operating systems support DES encryption, while Windows Server 2008 and later support AES encryption. Kerberos is prone to several types of attacks, such as Golden Ticket and Silver Ticket attacks, that exploit the way Kerberos tickets are created and used within an AD environment.
The Kerberos computer network security protocol manages authentication and authorization in Active Directory. Massachusetts Institute of Technology (MIT), which created Kerberos, describes it as using strong cryptography to enable a client to prove its identity to a server on an unsecured network connection. After client and server use Kerberos to prove their identities, they can also encrypt their communications to ensure privacy and data integrity. Two decades ago, the Kerberos protocol was a game-changer in regard to security, unification, and moving AD toward identity management. But the evolution of attack methods and cloud migration have made Kerberos increasingly vulnerable to cyber threats.
See also: Kerberos delegation abuse, Kerberos password guessing, Kerberoasting
This security feature in Active Directory allows a service to impersonate a user to access a different service. The feature is designed to reduce the number of users with excessive privileges. However, misconfigurations can lead to the ability for attackers to elevate privileges or bypass authentication systems.
See also: Kerberos delegation abuse
Attackers can manipulate unconstrained, constrained, and resource-based constrained delegation to impersonate other users or elevate privileges within the domain. This abuse takes advantage of the complexities and implicit trust of the Kerberos protocol.
See also: Kerberoasting, Kerberos, Kerberos Constrained Delegation (KCD), Kerberos password guessing
In this attack, an adversary targets user accounts that do not require Kerberos pre-authentication. The attacker attempts to authenticate to the Key Distribution Center (KDC) and is returned an encrypted ticket-granting ticket (TGT) that contains the user’s hashed password, which can then be cracked offline.
See also: Kerberos, Kerberos delegation abuse, Kerberoasting
Kerberos policy defines ticket properties for all domain users, such as ticket lifetime and renewal. This policy is part of Group Policy and, if not properly configured, can allow threat actors to replay old Kerberos tickets to gain unauthorized access.
A service principal name (SPN) is used in Active Directory to associate a service instance with a service logon account. SPNs can be a target for certain types of attacks, like Kerberoasting, where an attacker uses a valid Kerberos ticket to request service ticket data, which can then be brute-forced offline to reveal the service account’s plaintext password.
Kerbrute is a tool designed to perform Kerberos pre-auth brute-forcing. It can be used to validate whether usernames exist within an Active Directory environment without the risk of account lockouts.
In the Kerberos protocol, the KDC is responsible for authenticating users and providing ticket-granting tickets (TGTs), which are then used to obtain service tickets for various resources in the network. A compromised KDC could have severe implications, as it can lead to the compromise of any user or service in the domain.
This command-line utility lists Kerberos tickets of the user who runs the command. The tool is useful for troubleshooting Kerberos authentication issues.
This Active Directory service generates replication topology for the Active Directory replication system. If KCC fails or is compromised, it can lead to inconsistencies in the directory data.
A known secure state represents the state of an environment that is confirmed not to contain any malware or ransomware. Returning to a known secure state after a cyberattack helps to prevent the loss of confidentiality, integrity, or availability of information.
This command-line utility is used to configure a computer that is not joined to a domain to use domain resources. The tool is often used to configure a machine to use Kerberos for authentication in non-traditional scenarios.
L0phtCrack is a password auditor that helps to automate the recovery of passwords from hashes, helping attackers break into systems by cracking the user’s password.
This attribute identifies the last known location of a moved or deleted AD object. Although it aids object lifecycle tracking and potentially object restoration, it can pose a security risk if not properly monitored.
This attribute specifies the last time the user logged on. Irregularities in this attribute might indicate potential unauthorized access or a pass-the-hash attack.
Lateral movement occurs when a cyberattacker uses compromised accounts to gain access to additional clients and accounts throughout an organization’s network. Cyberattackers use lateral movement in combination with privilege escalation to identify and gain access to sensitive accounts and resources that share stored sign-in credentials in accounts, groups, and machines. A typical goal of successful lateral movement is eventual administrative access to Active Directory domain controllers.
See also: domain dominance, least privilege, privileged access, privilege escalation
A layered defense is one that applies multiple layers of protection (e.g., endpoint security, SIEM, and Active Directory security) to help ensure that a cyberattacker who penetrates one layer of defense will be stopped by a subsequent layer.
See also: defense in depth
The process of linking the transport layer and application layer, creating a cohesive unit. With LDAP channel binding, the LDAP application layer is essentially intertwined with the TLS tunnel. This tight interconnection creates a distinct and unique identifier, or fingerprint, for the LDAP communication, so any intercepted LDAP communications cannot be reused by attackers.
Logical, one-way connections from one domain controller to another for the purpose of replication. If compromised, LDAP connection objects can be exploited to gain unauthorized control over replication.
A standard plain text data interchange format. Represents directory content as records for update requests in Active Directory. Used by the LDIFDE command-line utility.
See also: LDAP Data Interchange Format Directory Exchange (LDIFDE)
A Microsoft utility that can be used to import/export AD objects to/from LDIF files. Misuse can lead to unauthorized data export/import.
See also: LDAP Data Interchange Format (LDIF)
LDAP Directory Probe is a Windows Support Tool graphical utility that admins use to run LDAP operations against AD. Misuse of this tool can expose sensitive information or alter AD objects.
In this type of attack, an attacker manipulates input fields to insert and execute Lightweight Directory Access Protocol (LDAP) commands. The attacker uses these commands to query and manipulate data stored in an LDAP server, often used in conjunction with Active Directory.
An extension of LDAP that encrypts LDAP traffic. If not properly configured, LDAPS can leave traffic susceptible to interception.
Policies that define the behavior of an LDAP server. Misconfiguration of these policies can lead to performance issues and potential security risks.
When an LDAP server can’t answer a query, the server refers the client to another server. In a referral attack, a client can be referred to a malicious server.
LDAP search filters are used to find and manipulate AD objects. Improper use can lead to unauthorized access or alteration of directory objects.
LDAP signing refers to the process where LDAP traffic is digitally signed at its source. The digital signature ensures that the content of the LDAP traffic remains unchanged in transit, preserving its authenticity and integrity, and lets the receiver confirm the original source of the traffic. LDAP signing can be configured either through Group Policy or through registry keys. Turning off LDAP signing may make the network susceptible to man-in-the-middle attacks.
This tool is used to dump domains using LDAP. The tool provides an attacker with easy access to all sorts of useful information about the domain.
LDAPMiner is a tool used for LDAP data extraction, primarily intended for penetration testing and other security audits. Attackers can use this tool to query and gather data from the AD environment, assisting in reconnaissance.
Sometimes called minimum privilege, the information security principle of least privilege emphasizes that users and applications should be granted privileged access only to the data and operations they require to perform their jobs. By taking this approach, IT and security teams can help to prevent potential lateral movement in their organization’s networks.
See also: domain dominance, lateral movement, privileged access, privilege escalation
A principle of limiting user rights to the bare minimum permissions they need to perform their work. Not following LUA can open avenues for privilege escalation attacks.
A unique identifier for each object within Active Directory (AD). Manipulation of this identifier could lead to unauthorized access, which is a major cybersecurity concern.
LDAP is an open and cross-platform protocol based on the X.500 directory standard used for directory services authentication. The LDAP provider allows access to the hierarchical structure of Active Directory, or any LDAP-compliant database. LDAP injection can pose a cybersecurity threat if input data is not properly sanitized, allowing attackers to execute arbitrary commands in the directory server.
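The input sanitization that the LDAP injection and LDAP entries above call for, as an added example that is not part of the original glossary: a naive filter builder beside one that hex-escapes filter metacharacters per RFC 4515, plus a small checker that shows how unescaped input changes the filter's structure. The function names and sample inputs are this example's own; no directory server is contacted.

```python
"""Escaping user input in LDAP search filters (RFC 4515).

Added example, not code from the original glossary. Contrasts string
concatenation of user input into a filter with proper escaping, and uses a
small structural checker to show the difference. All inputs are constructed.
"""

# RFC 4515 section 3: these characters must be written as \XX (hex) inside an
# assertion value. NUL is included because many client libraries treat it as
# a string terminator.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value):
    """Return value with RFC 4515 filter metacharacters hex-escaped."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username):
    """Naive concatenation: metacharacters in username rewrite the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_filter_safe(username):
    """Escaped value: the username can only ever be matched literally."""
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


def count_assertions(ldap_filter):
    """Count simple assertions '(attr=value)' in a filter, honouring \\XX escapes.

    Raises ValueError on unbalanced parentheses. Used here only to make the
    structural effect of unescaped input visible; it is not a full parser.
    """
    count = 0
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip an escape of the form \XX
            continue
        if ch == "(":
            depth += 1
            nxt = ldap_filter[i + 1] if i + 1 < len(ldap_filter) else ""
            if nxt not in "&|!":  # not a compound operator, so an assertion
                count += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return count


def is_well_formed(ldap_filter):
    """True when parentheses balance after honouring escapes."""
    try:
        count_assertions(ldap_filter)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed hostile input: closes the username assertion and adds a wildcard.
    hostile = "*)(objectClass=*"
    for name, build in (("vulnerable", build_filter_vulnerable), ("safe", build_filter_safe)):
        f = build(hostile)
        print(f"{name:10s} {f}  assertions={count_assertions(f)}")
```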
Lingering objects can occur if a domain controller does not replicate for an interval of time longer than the tombstone lifetime (TSL), and then reconnects to the replication topology. These are objects that remain in the directory database after they were deleted on other domain controllers and cause inconsistencies and potential security issues if not handled properly.
In Active Directory, a link table is a database table that keeps track of linked multi-valued attributes. These include attributes that create a relationship between two AD objects, like member and memberOf attributes that link users to groups.
An attribute in the AD schema that uniquely identifies an object attribute. If compromised, this attribute can lead to data inconsistencies and potential privilege escalation.
An Active Directory mechanism that allows incremental updates to multi-valued attributes. If compromised, this replication can lead to data inconsistency and potentially propagate false information within the directory.
Attributes in AD that have a corresponding attribute in another object, such as member and memberOf. Improper configuration can create orphaned links which might confuse the replication process, affecting the consistency of AD data.
A feature in Active Directory, introduced with Windows Server 2003, that enables individual updates to multi-valued attributes instead of replicating the entire set of values. For example, adding a new member to a large group only replicates the addition of the new user, not the entire group membership list. When a non-linked multi-valued attribute is updated, the entire attribute must be replicated. Requires Windows Server 2003 Interim mode or Windows Server 2003 Forest Functional Level or higher. If manipulated, it can lead to replication errors or unauthorized changes.
A Microsoft tool that helps organizations manage local administrator passwords for domain-joined computers. It helps mitigate the risk of a pass-the-hash attack by randomly generating and storing a different password for each machine’s local administrator account in Active Directory. In terms of cybersecurity, the implementation of LAPS can significantly improve an organization’s security posture by limiting lateral movement possibilities for attackers who have gained access to local administrator credentials on one machine.
Groups that exist on a local machine. If an attacker gains control of a local group, they can change permissions and gain additional privileges.
Sets of rules defined on a local machine that dictate how that specific system behaves. If not configured properly, these can provide a loophole for security breaches.
The LSA is responsible for local security policy and user authentication. Cyberattacks often target LSA secrets as they contain sensitive security data and credentials.
This process in Microsoft Windows operating systems is responsible for enforcing the security policy on the system. LSASS is often targeted by the infamous Mimikatz tool to extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory.
User accounts that exist specifically on a local machine and are not domain-based. If not secured properly, they can be used by attackers to gain a foothold in a network.
User accounts that have been locked due to numerous incorrect login attempts. An attacker might deliberately lock accounts to cause a denial of service or to disguise their activities.
The LockerGoga ransomware attack leverages “the organization’s own infrastructure, in this case Active Directory and Group Policy, to help itself spread” (Darren Mar-Elia, VP of Products at Semperis). Ransomware doesn’t usually spread that way, so this method is harder to detect. But organizations can still minimize risk from such threats. “We know that the attackers gained Domain Admins access on Active Directory in order to use that infrastructure to spread,” says Mar-Elia. “Hardening your infrastructure using a least privilege approach can help tremendously.”
The LockoutThreshold parameter defines the number of invalid login attempts allowed before the account is locked. This parameter is crucial to thwarting brute-force attacks.
Active Directory stores a cache of users’ logon information locally on the system. If this cache is not secured properly, it can be exploited to gain unauthorized access to user accounts.
Defines the hours during which a user is allowed to log on to the domain. If not properly managed, it could provide a window of opportunity for attackers during off-hours.
A file that is assigned to a user account and that runs automatically when the user logs on. A logon script can adjust settings in the operating system, map network drives for different groups of users, or even display a welcome message that is specific to each user. These scripts reside in a folder in the SYSVOL network share of a domain controller and thus are available throughout the domain. If malicious content is inserted into these scripts, it can result in widespread compromise of systems.
This parameter specifies the machines from which a user can log on. If not appropriately restricted, it can lead to lateral movement attacks.
This Group Policy setting allows the same user to have different policies when logging onto different machines. Misconfiguration of this setting can lead to privilege escalation attacks.
A security feature in Windows that prevents the LSASS process from being accessed. It mitigates the risk of attacks aimed at extracting sensitive information from the LSASS process, such as those carried out using the Mimikatz tool.
Data objects that are stored by LSA to hold sensitive data like credentials. Extraction of these secrets is a common tactic in credential theft attacks.
Used in the compression of AD database (NTDS.DIT) data. Exploitation of this mechanism can lead to data corruption or theft.
Every computer on a network has a machine account, which provides a means for authentication and auditing. An attacker with control over a machine account can carry out various attacks like pass-the-ticket or pass-the-hash.
A unique identifier that Windows assigns to each machine’s security accounts manager (SAM) database. If an attacker obtains a machine SID, they might impersonate the machine and gain unauthorized access to network resources.
A state you can place a server into when applying updates or performing some other maintenance task. Failing to properly secure a server during maintenance can expose the system to potential attacks.
Malware is malicious software or code intended to damage or destroy computer systems and other personal devices by various means, including stealing data, gaining unauthorized access, sharing private information, etc. Cyberattackers can use malware to weaponize Active Directory and map possible attack paths, making it crucial for organizations to elevate their focus on AD security and recovery. At Semperis, our solutions provide continuous monitoring and vulnerability assessment for AD, as well as the ability to reverse unauthorized changes without administrator involvement.
A man-in-the-middle (MitM) attack is a cyberattack in which the attacker positions themselves between two parties (e.g., two users, a user and an application, a workstation and a server computer) in an attempt to intercept, inspect, and even modify data exchanged between the parties. This attack can lead to data breaches, exposing sensitive information and providing unauthorized access to network resources.
A type of domain account whose password management is handled automatically, eliminating the password expiration that could otherwise cause service disruptions. These accounts can be targeted for privilege escalation attacks.
An attribute in AD that specifies the user or group that manages an object. Misuse can lead to unauthorized access to resources.
An attribute defined in the Active Directory Schema as mandatory for a class of objects. For example, for a User object, ‘sAMAccountName’ is a mandatory attribute.
Network drives mapped onto an individual system. If an attacker gains access to a system with mapped drives, they could potentially access sensitive data or spread ransomware across the network.
The Maze ransomware variant, discovered in 2019, is considered the first in which cyberattackers not only encrypted data but also threatened to leak victims’ confidential data if their demands were not met. Maze usually gains access via phishing emails, then uses various techniques to move laterally through the network. It compromises and leverages Active Directory (AD) to propagate the ransomware payload to as many systems as possible.
A computer running a Windows Server operating system that is a member of an Active Directory domain but is not a domain controller.
This attribute contains the Distinguished Names of groups to which an object (user or group) belongs. Misconfiguration can lead to unauthorized access to resources.
A feature in AD that allows caching of universal group membership for a user at a site to enhance logon performance. If cache data is not secured properly, it can be exploited to gain unauthorized access.
MSMQ is a messaging protocol that allows applications running on separate servers or processes to communicate. If not properly secured, it can be a potential point of exploitation, allowing unauthorized messages or commands.
An AD database that stores the metadata for objects in Active Directory. If this database is compromised, an attacker can change the metadata associated with the AD objects.
In the context of Active Directory, metadata refers to the data about the data in the directory. This includes information about when and how data objects were created, modified, accessed, or deleted, including by whom. From a cybersecurity perspective, metadata can provide crucial insights during a security investigation or auditing, as it can reveal unauthorized changes, access patterns, or indicators of compromise.
Metasploit is a penetration testing framework that makes hacking simple. It’s an essential tool in an attacker’s arsenal, with numerous exploits, including those targeting AD environments.
A Microsoft-created authentication protocol, MS-CHAP has been found to have vulnerabilities and can be exploited if used for network authentication.
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is a cloud-based solution that uses on-premises Active Directory signals to detect and respond to cybersecurity threats and compromised identities. Defender for Identity monitors and analyzes user and client activities and information across the network, creating a behavioral baseline for each user. MDI then alerts on unusual client or user activity as established by this baseline.
A centralized service for managing identities across multiple directories. If MIIS is breached, an attacker could manipulate identity data across systems.
MIM is a service that provides tools and technologies for managing identities, credentials, and identity-based access policies across heterogeneous environments. MIM includes features for identity synchronization, certificate and password management, and user provisioning.
MMC hosts administrative tools called snap-ins, including many for AD, such as the Active Directory Users and Computers snap-in. Inappropriate access to MMC can lead to unauthorized changes in AD.
Mimikatz is a leading tool for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. In particular, it can be used to mount Golden Ticket attacks, which exploit Kerberos vulnerabilities to let attackers generate a ticket-granting ticket (TGT) and gain domain-level privileges. It is also used to perform pass-the-hash attacks, which enable an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password. Additionally, the tool can be used to launch Silver Ticket attacks, which involve creating fraudulent service tickets that allow access to a specific service on a specific machine and can go undetected by the domain controller.
The MITRE ATT&CK Framework is a commonly used tool for understanding current security coverage and determining how to improve it. This knowledge base provides foundational information that can be used to develop threat models and is a popular tool for building comprehensive security plans.
This term refers to the domain functional level of Active Directory when there are Windows NT 4.0 domain controllers present. In mixed mode, certain advanced features are disabled, making AD more susceptible to security risks.
See also: Native mode
A location in a directory hierarchy where a volume is attached, providing additional file system locations. If a mount point is not secured properly, an attacker could gain unauthorized access to sensitive data.
This PowerShell cmdlet is used to move a directory server to a new site. It’s useful in larger organizations for managing the topology of Active Directory.
This PowerShell command transfers one or more operations master (FSMO) roles to a specified domain controller.
See also: Flexible Single Master Operations (FSMO) roles
This PowerShell cmdlet is used to move an object or a container of objects to a different container or domain.
This command-line tool is used to move AD objects between domains. Misuse can lead to accidental or malicious relocation of objects, leading to inconsistencies and potential breaches.
This attribute defines which services an account can represent in a Kerberos delegation. A misconfiguration can lead to privilege escalation and Kerberos delegation attacks.
This attribute dictates the Domain and Forest functional level of the AD. A lower functional level may expose the AD to vulnerabilities, since some security improvements are only available at higher levels.
This attribute is used as the source anchor attribute in Azure AD Connect. Misconfiguration can lead to sync issues between on-premises AD and Azure AD, potentially causing authentication issues.
This attribute stores the timestamp of the last successful interactive logon for the user. Unusual logon times can indicate a potential security breach.
This attribute determines the length of time an account remains locked after exceeding the account lockout threshold. If too short, it may not prevent brute-force attacks effectively.
Optional features that have been enabled or disabled in an Active Directory forest. Misconfiguring these features could expose the forest to security risks.
This attribute contains the Fine-Grained Password Policies that are applied to user or group objects. If these settings are lax or misconfigured, it can leave user accounts vulnerable to brute-force or password-spray attacks.
This attribute stores the timestamp of the second most recent successful user logon. Anomalous logon times can indicate a potential security breach.
This attribute represents a user’s primary computer. If manipulated, the attribute can enable an attacker to impersonate a user’s machine, potentially leading to unauthorized access.
This attribute contains replication metadata for linked attributes, such as group memberships. A threat actor with access to this attribute can potentially alter group memberships, leading to privilege escalation.
This attribute indicates the encryption types that the user account supports for Kerberos pre-authentication. Weak encryption types can make the account vulnerable to Kerberos-based attacks.
This attribute stores flags that dictate the status of the user account, like if it’s disabled, locked out, or has an expired password. Unauthorized manipulation of these flags can lead to privilege escalation or unauthorized access.
This attribute provides the precise time when a user’s password will expire. If not properly managed, it can give a window of opportunity to attackers to attempt credential-based attacks.
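As an added example that is not part of the original glossary, the following Python decodes the three attributes defined above (msDS-SupportedEncryptionTypes, userAccountControl, and msDS-UserPasswordExpiryTimeComputed) from constructed sample records and flags the settings a defender would review; the account names and values are invented, and the finding codes are this example's own.

```python
# Added example (not from the original glossary): decode three AD attributes
# from constructed sample records and flag weak settings for review.
from datetime import datetime, timedelta, timezone
from typing import Optional

# msDS-SupportedEncryptionTypes bit flags (Kerberos encryption types).
ETYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_ETYPES = 0x01 | 0x02 | 0x04   # DES and RC4
STRONG_ETYPES = 0x08 | 0x10        # AES

# userAccountControl bits relevant to this review.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# msDS-UserPasswordExpiryTimeComputed is a FILETIME: 100-ns ticks since
# 1601-01-01 UTC. This sentinel value means the password never expires.
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXPIRY_WARNING = timedelta(days=7)


def decode_etypes(value: int) -> list:
    return [name for bit, name in ETYPE_FLAGS.items() if value & bit]


def decode_uac(value: int) -> list:
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def filetime_to_datetime(value: int) -> Optional[datetime]:
    if value in (0, NEVER_EXPIRES):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def filetime_to_iso(value: int) -> Optional[str]:
    dt = filetime_to_datetime(value)
    return dt.isoformat() if dt else None


def to_filetime(dt: datetime) -> int:
    # Integer arithmetic only: float division loses precision at this magnitude.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def review_account(record: dict, now: datetime) -> list:
    """Return short finding codes (this example's own vocabulary) for one record."""
    findings = []
    etypes = record.get("msDS-SupportedEncryptionTypes", 0)
    if etypes == 0:
        findings.append("etypes-unset")          # domain controller default applies
    elif not etypes & STRONG_ETYPES:
        findings.append("weak-etypes-only")      # DES/RC4 with no AES at all
    elif etypes & WEAK_ETYPES:
        findings.append("weak-etypes-enabled")   # AES present, RC4/DES still allowed
    uac = record.get("userAccountControl", 0)
    for bit, code in ((0x400000, "no-preauth"), (0x20, "password-not-required"),
                      (0x10000, "password-never-expires"),
                      (0x80000, "unconstrained-delegation")):
        if uac & bit:
            findings.append(code)
    expiry = filetime_to_datetime(
        record.get("msDS-UserPasswordExpiryTimeComputed", NEVER_EXPIRES))
    if expiry is not None:
        if expiry <= now:
            findings.append("password-expired")
        elif expiry - now <= EXPIRY_WARNING:
            findings.append("password-expires-soon")
    return findings


REVIEW_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample records; not taken from any real directory.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-legacy", "msDS-SupportedEncryptionTypes": 0x04,
     "userAccountControl": 0x410000,
     "msDS-UserPasswordExpiryTimeComputed": NEVER_EXPIRES},
    {"sAMAccountName": "jdoe", "msDS-SupportedEncryptionTypes": 0x18,
     "userAccountControl": 0x200,
     "msDS-UserPasswordExpiryTimeComputed":
         to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "admin-t0", "msDS-SupportedEncryptionTypes": 0x1C,
     "userAccountControl": 0x80200,
     "msDS-UserPasswordExpiryTimeComputed":
         to_filetime(datetime(2024, 6, 5, tzinfo=timezone.utc))},
]


def review_accounts(records, now=REVIEW_NOW) -> dict:
    return {r["sAMAccountName"]: review_account(r, now) for r in records}


if __name__ == "__main__":
    for name, findings in review_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```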
A command-line interface utility for the Microsoft Windows Installer, which is used for installing, maintaining, and removing software.
This authentication package in Windows deals with NTLM hashes. The famous pass-the-hash attack often targets this package, as NTLM hashes can be reused for authentication without cracking.
A feature that allows clusters to span multiple Active Directory sites to improve availability. If not properly configured and secured, this type of clustering can become a potential attack vector.
An attribute of an object that can contain more than one value. Multi-valued attributes can have no value, one value, or more than one. For example, the memberOf attribute for a user object, which contains a list of all groups the user belongs to.
Multicloud security solutions help to protect your infrastructure, application, and data across multiple cloud providers’ cloud systems.
MFA is a security mechanism that requires users to prove their identity using two or more independent methods, or factors, before they are granted access. These factors can include something you know (like a password), something you have (like a hardware token or a mobile phone), and something you are (like a fingerprint or other biometric factor). In the context of Active Directory, implementing MFA can greatly increase security by making it harder for attackers to gain access even if they have compromised a user’s password, reducing the risk of a successful phishing, password-spray, or brute-force attack.
Active Directory’s ability to allow changes to occur at any DC, which then replicates the changes to other DCs. If an attacker compromises a single DC, they could propagate malicious changes to others.
A unique identifier used by Microsoft for an object in a directory. Unauthorized changes could lead to loss of access or inconsistencies in the directory.
A security feature wherein both client and server validate each other’s identity before establishing a connection. Without this, it’s easier for an attacker to conduct man-in-the-middle (MitM) attacks.
The process of resolving a hostname into an IP address within a network. Attacks such as DNS spoofing can manipulate this process to redirect network traffic.
In the context of AD, Named Pipes are a method of Inter-Process Communication (IPC). They are subject to IPC-related vulnerabilities such as DLL Hijacking or Named Pipe Impersonation.
In Active Directory, a namespace is a container that holds objects such as users, computers, and other organizational units. A well-designed namespace can help prevent many security issues such as name clashes and replication errors.
Also known as a Directory Partition in Active Directory, an NC is a portion of the directory that can be replicated to domain controllers. There are three types of NCs:
A Domain Functional Level (DFL) that only applies to Windows 2000 Server, and that does not support Windows NT domain controllers. Once in Native mode, the domain will support nested groups. The alternative is Mixed mode.
See also: Mixed mode
A command-line utility to report NetBIOS over TCP/IP statistics.
In Active Directory, groups can contain other groups, allowing for hierarchical organization. However, nesting can lead to unintentional permission escalation and access to resources if not managed carefully.
A command-line tool used to connect, disconnect, and configure connections to shared resources, like network drives and printers. If misused, this tool could lead to unauthorized access to resources.
NetBIOS, an acronym for Network Basic Input/Output System, is a networking protocol used by Windows systems for communication on a local network. The NetBIOS name of a computer is generally the first 15 characters of the host name, followed by the “$” character. NetBIOS name resolution to IP addresses is provided by local broadcasts and the WINS service.
Known as the “Swiss Army knife” for TCP/IP, Netcat can read and write data across network connections. Attackers can use Netcat to create backdoors, transfer files, or carry out network exploration.
A Windows service used for user and computer authentication in older operating systems. A share called Netlogon is automatically created on all domain controllers for backward compatibility and can hold logon scripts. The recent ZeroLogon exploit allowed attackers to gain control over the domain controller using this service.
A command-line scripting utility that, among other things, enables the modification of network configurations. Attackers could misuse this tool to manipulate network traffic or exfiltrate data.
This command-line tool is used to display active network connections and listening ports. Attackers might use it for internal reconnaissance after gaining initial access.
NAP is a Microsoft technology for controlling network access of a computer based on its health. If compromised, NAP can allow unauthorized systems access to the network.
NAT is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit. In the context of Active Directory, misconfigured NAT rules could potentially expose internal services to the outside, posing a security risk.
This refers to the process of identifying all devices on a network. In the context of Active Directory, ensure that only authorized individuals can perform network discovery to prevent unwanted reconnaissance.
NFS is a distributed file system protocol allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed. Improperly configured NFS shares can allow unauthorized access to sensitive files.
The point of interconnection between a computer and a private or public network. A compromised network interface on a domain controller could allow an attacker to intercept or manipulate traffic.
NLA is a security feature for RDP connections that requires the connecting user to authenticate before a session is established with the server. Disabling NLA can leave the server vulnerable to RDP-based attacks.
A Network Listener is a network service or component that listens for incoming network connections or packets on a specific port or protocol. It waits for incoming communication requests and responds appropriately based on the predefined rules or configurations.
NPS is the Microsoft implementation of a RADIUS server and proxy. As with any authentication system, it is a critical security component, and any compromise can lead to unauthorized network access.
A security practice where different portions of a network are separated from each other. This can limit the spread of lateral movement in an Active Directory compromise.
The services (e.g., DNS, DHCP) that are made available from a server to a private or public network. If these services are compromised, it can have a direct impact on the security of the Active Directory environment.
Network sniffing refers to using network protocol analyzers or similar tools to capture and analyze network traffic. In the context of AD, this could potentially expose unencrypted sensitive data.
A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In Active Directory, accurate timekeeping is essential for Kerberos authentication, as there’s a maximum time difference (5 minutes by default) allowed between the time on the client and the time on the server. If an attacker can manipulate the NTP responses on a network, they could potentially exploit this for replay attacks or even to cause authentication failures across the network. Therefore, it is crucial to secure NTP communications.
The New Technology File System (NTFS) is the file system that the Windows NT operating system uses for storing and retrieving files on a hard disk. NTFS is the primary file system for recent versions of Windows and Windows Server.
This PowerShell cmdlet is used to create a new AD Organizational Unit (OU). If misused, it can lead to the creation of unnecessary OUs, disrupting the structure of AD and potentially masking unauthorized changes.
A PowerShell cmdlet used to create a new user object in Active Directory. Use by an attacker could lead to the creation of backdoor accounts for persistent access.
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. One example of how NIST executes its mission, “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life,” is the development of the NIST Cybersecurity Framework. This popular approach to identifying and resolving high-priority risks to Active Directory (AD) and other crucial systems comprises five phases:
Nmap is a security scanner used to discover hosts and services on a computer network, thus creating a “map” of the network. Attackers can use this scanner for network discovery and security auditing.
A non-authoritative restore restores an AD domain controller to a point in time. However, because this type of restore is not marked as authoritative, if another domain controller has updated objects or attributes since the target domain controller’s restored date and time, those updates replicate into the restored domain controller, making its data current.
See also: authoritative restore
An NDR indicates that a particular piece of communication (such as an email or a packet) has not been delivered. Cyberattackers can use NDRs to gain information about the internal structure of an organization’s email system to perform a targeted attack.
In the context of Active Directory, non-repudiation refers to the capability to ensure a party in a dispute cannot deny the validity of the evidence (like a user denying his activities). A weak audit policy can lead to poor non-repudiation.
The process of modifying data to fit a desired format. Attackers can bypass input validation checks through normalization inconsistencies.
The NotPetya “wiper” malware acts like ransomware but does not have a way to reverse its encryption. NotPetya particularly affects Active Directory (AD), bringing operations to a halt. NotPetya is infamous for its devastating attacks in 2017, which began in Ukraine and went on to cause an estimated—and unprecedented—$10 billion in damages worldwide.
A command-line utility to diagnose Domain Name Service (DNS) infrastructure problems.
Built-in service accounts on Windows systems. If these accounts are compromised, they can often provide high levels of system access.
NT Service Hardening restricts Windows services from performing abnormal activities in the file system, registry, network, or other resources that could be used to allow malware to persist or spread.
A built-in Windows backup utility. If an attacker can manipulate or access these backups, they may gain access to sensitive data.
This is a Windows system file used in the boot process. Tampering with or compromising this file can lead to persistent system-level access for an attacker.
NTDS quotas limit the number of objects that a security principal can own in the directory. If not properly set, this could be leveraged for a Denial of Service (DoS) attack.
The AD database stored on domain controllers, containing all information about user objects, including hashed passwords. Attackers often target this file to extract sensitive data.
A command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). If used maliciously, it can cause significant damage to AD services.
See also: Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS)
A tool for extracting AD data from ntds.dit files (the AD database). NTDSXtract can be used to uncover usernames, group memberships, password policies, and more. This data can aid an attacker in planning and conducting attacks.
Permissions on file system objects on NTFS volumes, managed through Active Directory. Misconfigurations can lead to unauthorized data access or denial of service.
NTLM is a collection of security protocols used to authenticate users and to provide integrity and confidentiality. While Kerberos is the preferred authentication protocol and is used in modern Windows versions, NTLM is still available for older clients and for systems in a workgroup. NTLM has several security flaws and is prone to various attacks, such as pass-the-hash and pass-the-ticket, that allow attackers to gain access to users’ passwords; it should therefore be avoided.
In an NTLM relay attack, an attacker intercepts NT LAN Manager (NTLM) authentication sessions between computers on a network and then forwards (relays) the credentials to another host on the network. This enables the attacker to execute commands or access resources on the second host using the intercepted credentials.
A tool built to make NTLM-protocol-based reconnaissance fast and easy. It can be used to identify domains and services that support null sessions.
A type of anonymous bind in LDAP. When null bind is enabled, it can allow an anonymous user to connect to the directory and potentially access sensitive information.
Null sessions in Windows are unauthenticated NetBIOS sessions, which can enable an attacker to gather a wealth of information about the system.
OAuth is an open standard for access delegation, commonly used for token-based authentication and authorization. Protecting OAuth tokens is critical; attackers can use stolen tokens to impersonate legitimate users.
In Active Directory, an object is a distinct, named set of attributes representing something in the network, such as a user, a computer, or a group. Securing these objects is vital, as their compromise can enable attackers to gain unauthorized access or elevate their privileges.
This feature enables you to collect information whenever a specified type of object is accessed. A lack of appropriate auditing could allow malicious activity to go unnoticed.
This Active Directory event occurs when an object, such as a user or a group, is removed. Monitoring for unexpected object deletions is important for catching potential malicious activity.
This globally unique value is used to identify a variety of things, including schema attributes and classes, security mechanisms, and name forms. OIDs are crucial for the interoperability and extensibility of the directory service. In many LDAP directory implementations, an OID is the standard internal representation of an attribute. Each attribute in the Active Directory schema has a unique X.500 OID. All OID values that are created by Microsoft begin with 1.2.840.113556.
Object inheritance is a property of Active Directory objects in which child objects inherit the permissions of their parent objects. Incorrect settings can lead to excessive permissions being accidentally granted.
This attribute is used to group similar classes together. Incorrect configuration can lead to misclassifications and potential security vulnerabilities.
This attribute determines the kind of objects (e.g., user, computer, group) that are stored within Active Directory. It also specifies the set of must-have attributes (i.e., every object of the class must have at least one value of each) and may-have attributes (i.e., every object of the class may have a value of each). ObjectClass is defined in a classSchema object. Manipulating this attribute can enable an attacker to mask malicious activity.
A unique identifier for an object in Active Directory, which remains constant. Attackers could use ObjectGUIDs to maintain persistence in the environment.
This unique identifier is assigned to each object in an Active Directory domain. If an attacker can manipulate these identifiers, they could gain unauthorized access.
This process enables a computer to join a domain without needing network connectivity. A potential attack vector could force a device to join a domain controlled by an attacker.
This tool can be used to change the password of any user that has a valid local account on a Windows system. If an attacker gains physical access to a system, they can use such tools to gain access to a local account and potentially escalate their privileges.
This popular identity and access management (IAM) platform provides cloud software that helps companies manage and secure user authentication into modern applications and lets developers build identity controls into applications, websites, web services, and devices. It can be integrated with Active Directory to manage user access across on-premises and cloud environments. If compromised, it can lead to widespread unauthorized access.
This command-line tool, developed by Joe Richard (DS-MVP) to query Active Directory for unused computer or user accounts, can also clean up accounts.
This tool is used to replicate on-premises Active Directory information to Microsoft cloud services. A compromise of DirSync could expose sensitive on-premises Active Directory data to an attacker.
A password that is valid for only one login session or transaction. It is commonly used in two-factor authentication systems to provide an additional layer of security beyond just a username and password.
In Active Directory, a one-way trust is a unidirectional authentication path created between two domains. If an attacker compromises this, they could gain unauthorized access to resources in one domain while originating from the other.
It’s an internet protocol used for obtaining the revocation status of an X.509 digital certificate. An attacker could perform an OCSP spoofing attack to imitate a certificate authority and issue fraudulent certificates.
The underlying software that controls a computer or server. Hardening the OS of domain controllers is critical for Active Directory security.
Attributes that the directory automatically provides, such as creationTimeStamp. These attributes are calculated by a domain controller on request. They can be used to track actions and changes on objects. An LDAP search request requesting “all attributes” does not return operational attributes and their values. Attackers might attempt to manipulate or clear these to hide their activities.
An attribute defined in the schema as optional for a class of objects. Unlike mandatory attributes, optional attributes are not required to have a value.
In terms of Active Directory, organizational identity refers to the credentials and identifiers that belong to a company or organization. Protecting these identifiers is crucial to prevent attackers from masquerading as a legitimate entity within the organization.
An OU is a type of container within Active Directory into which you can place users, groups, computers, and other organizational units. OUs can be used to assign group policies and manage resources, and misconfiguration can lead to inappropriate access.
An orphaned object remains in the directory database but has been deleted in every practical sense because its parent object was deleted. These objects can be exploited by an attacker to hide their activities or maintain persistence in an environment.
Operating system (OS) provisioning is the act of installing a given operating system across several hosts.
This type of patch is released at an unscheduled time, typically to address a specific vulnerability. Apply these patches quickly to avoid exploitation.
The default settings and configuration that come with a system or software when it’s first installed. These configurations can sometimes be insecure, so it’s important to harden them based on best practices to avoid easy exploitation.
Outbound replication is the process of a domain controller replicating changes to other domain controllers. If an attacker can manipulate this process, they can propagate malicious changes across the domain.
A trust relationship between two domains for the purpose of authentication. The outbound trust is from the perspective of the domain that trusts another domain.
Outlook Anywhere allows access to your Exchange Server from your Outlook client without using VPN. This can provide a potential entry point for attackers if not properly secured.
OWA provides the ability to access email via a Web browser. If not secured properly, this can provide an entry point for attackers.
In this configuration, two site links have sites in common. This configuration can lead to inefficient replication traffic if not managed correctly, providing potential opportunities for an attacker to intercept sensitive data.
An overpass-the-hash attack is similar to a pass-the-hash attack but involves Kerberos rather than NTLM. The attacker uses a user’s password hash to generate a Kerberos pre-authentication hash, which is then used to request a ticket-granting ticket (TGT) from the domain controller.
See also: Kerberos, Pass-the-hash attack
In Active Directory, every object has an owner, which has certain rights over the object. An attacker taking ownership of an object could potentially misuse those rights.
This security principal represents the current owner of an object. An attacker gaining owner rights can modify important attributes of the object, leading to security breaches.
In Active Directory, the parent container refers to the higher-level container object that holds other objects within.
An object is either the root of a tree of objects or has a parent object above it in the tree hierarchy. If two objects have the same parent, they must have different relative distinguished names (RDNs).
A hierarchical relationship between two domains in Active Directory, where one domain is the parent and the other is the child. Child domains inherit policies from their parent domain.
The subset of attributes that replicate to partial naming context (NC) replicas. Specifies which attributes should be replicated to Global Catalog servers.
A logical division of the Active Directory database that stores objects and attributes. Partitions include the schema partition, configuration partition, and domain partitions. Proper partition management is essential for maintaining the integrity and scalability of the directory.
In a pass-the-hash attack, an attacker gains access to the password hash of a user’s account in Active Directory and uses it to authenticate and impersonate the user without knowing the actual password. This attack takes advantage of weak hashing algorithms or stolen password hashes.
In a pass-the-ticket attack, an attacker steals a Kerberos ticket-granting ticket (TGT) from a user’s machine and uses that TGT to gain unauthorized access to resources, without needing to authenticate.
This type of authentication enables users to use the same username and password on-premises and in the cloud, without the need for a third-party federation system.
This feature enables synchronization of password changes in Active Directory to other systems. For instance, when a user changes their password in Active Directory, the PCNS ensures that this change is reflected in other systems that the user has access to.
A requirement in the password policy that mandates the use of strong passwords containing a combination of uppercase and lowercase letters, numbers, and special characters. Enforcing password complexity makes it harder for attackers to guess or crack passwords. While strong password complexity requirements are important, it’s equally crucial to educate users about the importance of password hygiene, avoiding password reuse across multiple accounts, and adopting additional security measures like multi-factor authentication for enhanced protection.
A policy that requires users to change their passwords after a specified time interval. Password expiration helps enforce regular password updates and reduces the risk of compromised credentials being used for an extended period.
A component in Active Directory that intercepts and validates password changes to enforce custom password policies or perform additional checks. Password filters are used to enhance password security and prevent weak or easily guessed passwords from being set.
A mathematical representation of a user’s password stored in Active Directory. Attackers target password hashes as they can be cracked offline, allowing unauthorized access to user accounts. Techniques like Pass-the-Hash attacks exploit password hashes.
A feature in Azure AD Connect that synchronizes the password hashes of on-premises Active Directory user accounts to Azure AD (Entra ID), enabling users to use their on-premises passwords to sign in to cloud services. Protecting password hash synchronization is crucial to prevent the compromise of user credentials.
This mechanism in Active Directory prevents users from reusing previously used passwords by maintaining a history of their password changes. Password history policies enhance security by discouraging the reuse of old passwords.
This security feature in Active Directory temporarily locks a user account after a specified number of failed login attempts. Password lockout policies help prevent brute-force attacks and unauthorized access attempts.
A set of rules and requirements that dictate the complexity, length, expiration, and other characteristics of user passwords in Active Directory. Weak password policies can make user accounts susceptible to brute-force attacks and credential guessing.
The process of ensuring that the defined password policies are enforced and adhered to by all users within Active Directory. Proper password policy enforcement helps mitigate the risk of weak passwords and improves overall security.
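As an added example (not code from the original glossary), the checks that the complexity, expiration, history and policy entries above describe, combined into one evaluator. The thresholds (12 characters, 3 of 4 character categories, 24 remembered passwords, 90-day maximum age) and the sample history are constructed values for illustration, not a real domain's policy; the account-name rule mirrors the part of Windows' built-in complexity requirement that rejects passwords containing the account name.

```python
"""Evaluate a candidate password against a password policy (added example).

Models the checks a password policy combines: minimum length, complexity
(at least N of the four character categories), an account-name check,
history (reject any of the last N passwords, compared via salted hashes so
the old passwords themselves are never stored), and maximum age.
Thresholds and the sample history are constructed values, not a real policy.
"""
import hashlib
import os
from datetime import date, timedelta


def _hash(password, salt):
    # Salted hash used only for the history comparison in this example.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


class PasswordPolicy:
    def __init__(self, min_length=12, min_categories=3, history_size=24, max_age_days=90):
        self.min_length = min_length
        self.min_categories = min_categories
        self.history_size = history_size
        self.max_age_days = max_age_days

    @staticmethod
    def categories(password):
        """Number of character categories present: upper, lower, digit, special."""
        checks = [
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ]
        return sum(checks)

    def check_new_password(self, account_name, password, history):
        """history: list of (salt, digest) for previous passwords, newest first.
        Returns the list of violated rules; an empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append("too-short")
        if self.categories(password) < self.min_categories:
            problems.append("insufficient-complexity")
        if account_name.lower() in password.lower():
            problems.append("contains-account-name")
        for salt, digest in history[: self.history_size]:
            if _hash(password, salt) == digest:
                problems.append("reused")
                break
        return problems

    def is_expired(self, last_set, today=None):
        """True when the password is older than the policy's maximum age."""
        today = today or date.today()
        return (today - last_set) > timedelta(days=self.max_age_days)


def record_password(password):
    """Produce the (salt, digest) pair a history entry stores for a password."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [record_password("OldPassw0rd!xyz")]
    print(policy.check_new_password("jsmith", "OldPassw0rd!xyz", history))
    print(policy.check_new_password("jsmith", "Correct-Horse-Battery-Staple9", history))
```

The history check hashes the candidate with each stored salt rather than storing old passwords, which is the same reason the glossary's password hash entries stress protecting the hash store: the history is only as safe as the hashes it keeps.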
The process of changing a user’s forgotten or expired password in Active Directory. Proper implementation of password reset procedures ensures secure and authorized access restoration while minimizing the risk of social engineering or unauthorized password changes.
Objects in the System container of Active Directory that implement Fine-Grained Password Policies (FGPP).
A technique used by attackers to guess common or weak passwords against a large number of user accounts in Active Directory, aiming to avoid account lockouts and raise the chances of successful authentication. Rather than trying multiple passwords against one user, which can trigger account lockouts, an attacker tries one commonly used password against multiple accounts, reducing the risk of detection and increasing the chance of successful authentication.
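The detection side of the pattern just described, as an added example that is not part of the original glossary: a spray shows up in the logon-failure audit trail as one source failing against many distinct accounts while staying under the lockout threshold per account, the opposite shape of a brute force against a single account. The log lines, the ten-minute window and the thresholds are constructed for illustration; the line format is a simplified stand-in for Windows Security event 4625 (logon failure), not the event's real field layout.

```python
"""Detect password-spray patterns in failed-logon events (added example).

Constructed sample events model Windows Security event 4625 (logon failure)
in a simplified "<ISO timestamp> 4625 <account> <source_ip>" form.
The detection flags a source that fails against many distinct accounts
within a window while staying under the lockout threshold per account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spraying source, one single-account brute force,
# and one ordinary typo.
SAMPLE_LOG = """\
2024-03-01T08:00:01 4625 alice 10.0.0.7
2024-03-01T08:00:03 4625 bob 10.0.0.7
2024-03-01T08:00:05 4625 carol 10.0.0.7
2024-03-01T08:00:07 4625 dave 10.0.0.7
2024-03-01T08:00:09 4625 erin 10.0.0.7
2024-03-01T08:00:11 4625 frank 10.0.0.7
2024-03-01T08:00:13 4625 grace 10.0.0.7
2024-03-01T08:00:15 4625 heidi 10.0.0.7
2024-03-01T08:05:00 4625 alice 10.0.0.9
2024-03-01T08:05:02 4625 alice 10.0.0.9
2024-03-01T08:05:04 4625 alice 10.0.0.9
2024-03-01T08:05:06 4625 alice 10.0.0.9
2024-03-01T08:05:08 4625 alice 10.0.0.9
2024-03-01T09:30:00 4625 bob 10.0.0.12
"""


def parse_events(text):
    """Return (timestamp, account, source_ip) tuples for every 4625 line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        if event_id != "4625":
            continue
        events.append((datetime.fromisoformat(ts), account.lower(), src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, lockout_threshold=5):
    """Return {source_ip: sorted accounts} for sources whose failures reach
    min_accounts distinct accounts inside one window, with every account
    tried fewer than lockout_threshold times (the lockout-avoiding shape)."""
    by_src = defaultdict(list)
    for ts, account, src in events:
        by_src[src].append((ts, account))
    findings = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = [a for t, a in items[i:] if t - start <= window]
            per_account = defaultdict(int)
            for a in in_window:
                per_account[a] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) < lockout_threshold:
                findings[src] = sorted(per_account)
                break
    return findings


if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_LOG)))
```

The source at 10.0.0.9 hammers one account and is not a spray by this rule (it is what the lockout policy in the next entries is designed to stop); the source at 10.0.0.7 touches eight accounts once each and is flagged. In a real environment the window, account count and lockout threshold should be taken from the domain's own policy.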
An authentication method that eliminates the need for traditional passwords, often replaced by biometric factors (e.g., fingerprint or facial recognition), hardware tokens, or other secure authentication methods. Passwordless authentication reduces the risk of password-related attacks and can enhance user convenience.
The process of regularly applying software updates (patches) to fix vulnerabilities and bugs in Active Directory components and associated systems. Failing to patch systems can leave them exposed to known exploits and attacks.
One of the five Flexible Single Master Operations (FSMO) roles in AD, a PDC Emulator acts as the Windows NT Primary Domain Controller (PDC) for backward compatibility. The PDC Emulator is responsible for handling password changes, user lockouts, and Group Policy. It also serves as the primary time source for the domain. The PDC Emulator is targeted by most Group Policy tools. One domain controller in each domain must hold this role.
See also: Flexible Single Master Operations (FSMO) roles
The process by which objects in Active Directory inherit permissions from their parent containers or organizational units (OUs). Understanding and properly managing permission inheritance is important to ensure consistent access control and prevent unintended access to sensitive resources.
See also: Inheritance
Access rights granted to users, groups, or computer accounts that determine what actions they can perform on Active Directory objects. Misconfigured permissions can lead to unauthorized access, privilege escalation, or exposure of sensitive information.
An attacker uses a valid account to generate an access token and modifies the token to elevate privileges, enabling the attacker to execute commands or access resources that would normally be beyond their permissions.
PetitPotam is an attack method in which cyberattackers force a victim client to authenticate to an arbitrary machine without any user interaction. When PetitPotam is exploited and Windows NT LAN Manager (NTLM) credentials are sent to Active Directory Certificate Services, a cyberattacker can get Domain Administrator privileges without prior authentication to the domain.
A deceptive technique used by attackers to trick users into revealing their credentials or sensitive information through fraudulent emails, websites, or other communication channels. Phishing attacks often target Active Directory users to gain unauthorized access to the network. Once they get the users’ credentials, they will begin to gather information on the system resources and attempt to move laterally through the network. Additionally, these credentials can be used to create more precise, personalized and dedicated attacks on specific high-value company users.
PingCastle is an Active Directory assessment tool written in C#. Based on built-in models and rules, this tool evaluates AD subprocesses and generates a risk report that includes a score for privileged accounts, trust relationships between AD domains, insights on stale objects, and security anomalies. For hybrid environments, it can also provide insights into whether the trust relationship with Azure AD is secure. Attackers can use this tool to analyze the state of the AD environment and identify potential vulnerabilities.
See also: Purple Knight
A PowerShell Post-Exploitation Framework, PowerSploit is widely used by attackers for various tasks such as executing payloads, exfiltration, privilege escalation, and more in an AD environment.
This built-in group in Active Directory includes all user and computer accounts that need compatibility with older Windows NT 4.0–based systems.
Used for compatibility purposes with older operating systems. For user and group objects, this name is the value of the sAMAccountName attribute. For computer objects, it is the NetBIOS name of the machine with the “$” character appended to the end.
In Windows NT-based domains, the primary domain controller (PDC) was the first domain controller in the domain, and it had zero or more backup domain controllers (BDCs). The PDC was the domain controller (DC) designated to track changes made to the accounts of all computers in the domain. Although the term is still widely used, the PDC concept no longer applies to Active Directory on Windows 2000 and later, where all domain controllers are essentially equal from a replication perspective because AD uses a multi-master replication model. Not to be confused with the PDC Emulator.
A group assigned to each user in Active Directory, representing their primary affiliation within the domain. Used mostly for POSIX compliance. Primary groups are used for access control and are associated with permissions on resources.
The email address associated with a user or mailbox that is considered the primary address for communication. Active Directory uses the primary SMTP address as the unique identifier for email-related operations.
The right of a user to perform system-related operations, such as debugging the system. Rights and privileges are effectively the same and are granted to security principals such as users, services, computers or groups. Some (such as Enable computer and user accounts to be trusted for delegation) apply to Active Directory, whereas others (such as Change the system time) apply to the Windows operating system. The user is considered a member of its primary group. A user’s authorization context specifies what privileges are held by that user.
The process of assigning specific administrative privileges or rights to non-administrator users or groups within Active Directory. Privilege delegation allows users to perform specific tasks without granting them full administrative access, minimizing the risk of privilege abuse or unauthorized changes.
The process of gaining higher levels of access and permissions than originally assigned. Privilege escalation attacks within Active Directory can enable attackers to bypass security controls and gain administrative privileges. Once inside your environment, cyberattackers typically seek privilege escalation, from lower- to higher-privileged accounts in an effort to gain administrative privilege and access to Active Directory.
See also: Domain dominance, Lateral movement, Privileged access
The practice of dividing administrative privileges across multiple user accounts in Active Directory, ensuring that no single account has excessive or unrestricted access. Privilege separation helps minimize the impact of compromised accounts and reduces the risk of unauthorized actions.
Privileged access grants higher than standard rights and control over resources in an environment. This type of access should be granted sparingly, as gaining control of a privileged access account can enable cyberattackers to shut down or disable Active Directory and gain control of your network.
See also: Domain dominance, Lateral movement, Privilege escalation
A solution in Microsoft Identity Manager (MIM) that helps mitigate security concerns associated with administrative privilege escalation or misuse.
An account with elevated permissions and access rights that can perform administrative tasks within Active Directory. Compromised privileged accounts are a prime target for attackers as they can grant extensive control over the domain.
PsExec is a lightweight telnet replacement that lets you execute processes on other systems. Attackers use it as a tool for lateral movement in an AD environment.
PsTools is a set of widely used command-line tools that allow you to manage local and remote systems. These tools can be utilized by attackers for various tasks such as executing processes remotely, shutting down systems, or viewing system information.
Part of the pass-the-hash toolkit, PTH-Winexe allows execution of commands on Windows systems by passing NTLM hashes instead of plaintext credentials, enabling lateral movement and remote command execution.
A cryptographic key used in asymmetric encryption algorithms, consisting of a public and private key pair. Public keys are widely distributed and used to encrypt data or verify digital signatures in Active Directory communications.
A digitally signed document that binds a public key to an entity’s identity, validating the authenticity and integrity of the public key. Public key certificates are used in Active Directory for secure communication, authentication, and encryption.
A framework of cryptographic services, technologies, and protocols used to establish and manage digital certificates, public-private key pairs, and secure communication in Active Directory. PKI is crucial for ensuring secure authentication, data integrity, and confidentiality.
When it comes to protecting your enterprise from cyberattacks, protecting your identity infrastructure is key. Infiltrations of identity systems not only expose your most important assets and business operations to attack but can go undetected for long periods, causing significant damage. So, strengthening your identity security stance is an important step. For at least 90 percent of enterprises, that means prioritizing Active Directory and Azure AD security.
Active Directory and Azure AD vulnerabilities can give attackers virtually unrestricted access to your organization’s network and resources. Semperis built Purple Knight—a free community AD and Azure AD security assessment tool—to help you discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in your hybrid AD environment.
Purple Knight helps identify security gaps in your AD environment that can leave the door open for cyberattackers. The tool also provides assessment reports with grading based on the following categories: AD delegation, AD infrastructure security, account security, Kerberos, and Group Policy security.
Pwdump is a tool that extracts NTLM and LanMan password hashes from the Windows Security Account Manager (SAM), which can then be cracked offline. This can lead to unauthorized access if strong password policies are not in place.
A query in Active Directory refers to a request made to the directory service to retrieve specific information, such as the details of a user or a computer. AD queries are essential for managing and controlling access to resources. Lightweight Directory Access Protocol (LDAP) is commonly used to perform queries against the AD database. For example, an administrator might run a query to find all users in a specific department.
Quotas in Active Directory refer to the limits placed on the number of objects that a security principal (such as a user or a group) can own in a directory partition. This is particularly important in a large, distributed environment to prevent any one user or group from creating so many objects that it impacts the AD’s performance or storage.
A precomputed textual table used to reverse cryptographic hash functions, primarily for cracking password hashes. Each rainbow table is specific to a certain hash function, character set, and password length. Rainbow tables contain millions or even billions of precomputed hashes for potential passwords. An attacker who obtains the hashed version of a password (perhaps through a data breach or by penetrating an inadequately secured Active Directory system) can use a rainbow table to look up that hash and potentially find the original password.
A tool that attempts to crack password hashes with rainbow tables.
A type of malware that encrypts a victim’s data until a payment is made to the cyberattacker. Victims are told that if payment is made, they will receive a decryption key to restore access to their files, although this is often a ruse. In a double extortion attack, not only is the decryption key withheld, but the malicious actor also threatens to publish the data on data leak sites (DLSs).
Ransomware groups are often connected to criminal or terrorist organizations or to hostile nation states. Payment of ransom typically funds further criminal activities.
See also: malware, ransomware as a service
A business model in which threat actors lease or purchase ransomware variants from ransomware developers in the same way that organizations lease SaaS products from legitimate software developers. RaaS has grown in popularity in recent years.
See also: malware, ransomware
RODC servers are Domain Controllers that hold a read-only copy of the Active Directory database and do not allow changes to AD. An RODC is typically deployed in locations that require quick access to AD services but are not physically secure enough to host a writable domain controller. While an RODC can authenticate user logins, changes are not written directly to it, but rather to a writable domain controller, then replicated back to the RODC.
Writeable domain controllers can be used to update objects in Active Directory. In Active Directory, all domain controllers are writeable unless they are Read-Only Domain Controllers (RODCs).
A recovery point objective (RPO) sets a limit on how old data can be before it is backed up (e.g., 24 hours old).
See also: recovery time objective
A recovery time objective (RTO) sets a limit on the amount of time that an application, system or process, can be unavailable (e.g., no more than 2 hours).
See also: recovery point objective
A recursive DNS query is a type of DNS query in which the DNS resolver or server attempts to resolve the query by iteratively querying other DNS servers until it obtains the final answer. Clients commonly use this type of query to resolve hostnames to IP addresses.
First introduced as an optional feature in Windows Server 2008 R2, this feature creates a new hidden container in the domain tree and stores deleted objects for a specified number of days before permanently removing them, allowing the option to restore them without loss of the object’s attribute values. This feature can be enabled and accessed through the Active Directory Administrative Center (ADAC) console.
When an object has been deleted, it remains in a hidden container in the domain tree until a configured length of time (i.e., the tombstone lifetime) has passed, after which the object is permanently removed from storage. These objects exist only when the Recycle Bin optional feature is enabled.
Red Forest, also known as Enhanced Security Admin Environment (ESAE), was a Microsoft security concept in which all your administrative credentials resided in a separate AD forest, trusted by your production AD forests. The approach aimed to remove admin credentials from AD forests and thus improve security. The concept has been retired.
In cybersecurity testing, the red team is the group of individuals responsible for attacking an organization’s cybersecurity defenses, exploiting system vulnerabilities, and helping identify methods of counterattack for defenders (i.e., the blue team).
See also: blue team
The Windows Registry stores configuration settings and options on Microsoft Windows operating systems, including those related to AD. An attacker gaining access to the Registry could change these settings to disrupt AD functionality or increase their privileges.
The name of an object relative to its parent. This is the leftmost attribute-value pair in the distinguished name (DN) of an object. For example, in the DN “cn=Daniel Petri, ou=Company Users, dc=semperis, dc=com”, the RDN is “cn=Daniel Petri”.
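A small parser for the structure this entry and the parent-container entries describe, as an added example that is not part of the original glossary: it splits a DN into its RDNs, returns the leftmost one as the object's own name, and returns the remainder as the parent's DN. The glossary's sample DN is reused; the second sample DN, with a backslash-escaped comma inside a value, is constructed to show why splitting on every comma is wrong.

```python
"""Split an LDAP distinguished name into its RDNs (added example).

Handles the backslash escaping LDAP uses (e.g. "cn=Petri\\, Daniel") so a
comma inside a value is not mistaken for an RDN separator.
"""


def split_dn(dn):
    """Return the list of RDN strings in dn, leftmost (the object itself) first."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)  # keep the escape character in the RDN text
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def rdn(dn):
    """The object's own name: the leftmost attribute=value pair."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The DN of the parent container: everything to the right of the first RDN."""
    return ", ".join(split_dn(dn)[1:])


def rdn_attribute_and_value(rdn_text):
    """Split one RDN into its (lowercased) attribute type and its value."""
    attr, _, value = rdn_text.partition("=")
    return attr.strip().lower(), value.strip()


def are_siblings(dn_a, dn_b):
    """Two objects with the same parent must differ in their RDN (case-insensitively)."""
    return parent_dn(dn_a).lower() == parent_dn(dn_b).lower()


if __name__ == "__main__":
    sample = "cn=Daniel Petri, ou=Company Users, dc=semperis, dc=com"
    print(rdn(sample))        # cn=Daniel Petri
    print(parent_dn(sample))  # ou=Company Users, dc=semperis, dc=com
```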
A RID is a unique identifier assigned to each object in an AD domain. It’s combined with a domain identifier to form a security identifier (SID) for the object. The RID master, one of the FSMO roles, is responsible for processing RID pool requests from all domain controllers in a particular domain.
Remote access refers to methods that allow users to access an AD network from a remote location. Insecure remote access points can be exploited by attackers for unauthorized access to the network.
RDS, formerly known as Terminal Services, allows a user to take control of a remote computer or virtual machine over a network connection.
See also: Terminal Services
Remote management refers to managing computer systems from a remote location. This is especially relevant for administering Domain Controllers spread across various geographical locations. In the context of Active Directory, tools like Remote Server Administration Tools (RSAT) allow administrators to manage roles and features remotely.
This is a communication protocol used by client programs to request a service from a program on another computer on the network. It is used extensively for AD replication and administration. However, it can be exploited for lateral movement if not properly secured.
A collection of tools and applications that enables IT administrators to remotely manage roles and features in Windows Server 2008 onwards from a workstation computer running Windows 7 and onwards. Similar to installing the adminpak.msi on Windows 2000 or Windows XP client computers.
A PowerShell command that removes an AD Organizational Unit (OU). If used maliciously, it could lead to disruption of the AD structure and potential loss of objects within the OU.
A PowerShell command that removes an AD user. If used maliciously, it can lead to the deletion of legitimate user accounts, potentially causing operational disruptions or data loss.
A command line utility to diagnose Active Directory replication between domain controllers.
A copy of an Active Directory namespace (NC or naming context) on a domain controller that replicates with other domain controllers within the AD forest.
Replication in Active Directory refers to the process of copying data from one domain controller to another. This process ensures that each domain controller has the same information as other domain controllers and enables the distribution of the AD database across multiple servers. If replication fails or is delayed, it can lead to inconsistencies, known as replication errors.
A Replication Bridgehead Server is a domain controller designated to manage the replication traffic within a site in Active Directory. It acts as a central point for receiving and sending replication data between sites, reducing replication traffic over wide-area networks (WANs).
The replication interval in Active Directory defines the time duration between two consecutive replication cycles between domain controllers. It ensures that changes are propagated efficiently across the network without causing excessive replication traffic.
Replication latency is the time lag between the final originating update to an AD object and the application of that update on all replicas.
Replication metadata in AD is used to resolve conflicts that may occur during replication. Metadata keeps track of which changes have already been applied to prevent old changes from overwriting more recent ones.
Replication topology refers to the structure of connections between domain controllers for replicating data in Active Directory. It defines how changes are propagated across the network to ensure data consistency.
A PowerShell command that resets the machine account password for the computer. If misused, it can disrupt the secure channel between the computer and its domain, leading to potential denial of service or unauthorized access.
ReFS is a file system developed by Microsoft for use on Windows operating systems and is designed to overcome some of the limitations of NTFS.
A network tool that can manipulate network communications and respond to network broadcast requests, Responder is often used in man-in-the-middle attacks, helping attackers intercept and manipulate traffic.
A tool in Windows that administrators use to determine the combined effect of Group Policies applied to a system and/or user. Essentially, it provides a cumulative view of all the policies from various sources that apply to a specific user or system. This tool can be particularly useful in troubleshooting scenarios, when an administrator needs to understand why a certain policy is or isn’t taking effect.
A Russia-based or Russian-speaking private ransomware as a service (RaaS) operation. REvil (also known as Sodinokibi) ransomware often spreads via brute-force attacks and server exploits, but it can also spread via malicious links and phishing. Cyberattackers can use REvil to exploit Active Directory (AD) misconfigurations or weak passwords to spread across the network.
This is the process of invalidating a certificate, a process that can be managed through AD’s Certificate Services. Proper certificate revocation is important to prevent unauthorized use of a certificate in a Man-in-the-Middle attack or other types of cyberattacks.
In this type of attack, the relative identifier (RID) of a standard domain account is modified to match the RID of a domain admin account, effectively promoting the standard account to domain admin status.
One of the five FSMO (Flexible Single Master Operations) roles in AD, the RID Master is responsible for processing RID pool requests from all DCs within the domain. When objects such as users and computers are created in Active Directory, they are assigned a unique security ID (SID) and a relative ID (RID). The RID master role ensures that no objects in AD get assigned the same SID and RIDs. Any failure of the RID Master role could impact the creation of new objects within the domain. One domain controller in each domain must hold this role.
See also: Flexible Single Master Operations (FSMO) roles
A system for public key cryptography.
RBAC is a key principle used in managing access control. It assigns permissions based on the role of a user within the organization rather than to the individual user. This approach simplifies managing permissions and can reduce the risk of privilege escalation attacks.
An object that exposes a set of properties that are characteristic of the directory.
The root domain is the top-most domain in an Active Directory forest. The root domain is the first domain created in a new AD forest and becomes the parent of any subsequent child domains. The security and stability of the root domain are crucial to the overall AD structure as the compromise of the root domain could lead to a complete forest breach.
RRAS is a Microsoft API and server software that makes it possible to create applications to administer the routing and remote access service capabilities of the operating system, to function as a network router. However, RRAS servers, if part of the domain and not properly secured, can become an entry point for attackers.
A type of ransomware that is known to target large, public-entity Windows systems. Ryuk encrypts a computer’s files, system access, and data, making it impossible for users to retrieve information or access programs. This attack has an unusual aspect for Active Directory (AD): the ransomware is pushed to unsuspecting users via AD Group Policy Objects (GPO).
To defend against rainbow table attacks, it’s common to use a method called salting the hashes, where a random value is added to the password before it’s hashed. This makes rainbow tables far less effective because even a small change in the input (like adding a “salt”) results in a drastically different hash. It’s worth noting that protecting your password hashes is a crucial aspect of securing an Active Directory environment.
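The effect this entry describes, shown concretely as an added example that is not part of the original glossary. It builds a precomputed lookup table (the simplest form of what a rainbow table achieves with far less storage) over a constructed five-word candidate list, then shows that the table reverses an unsalted hash of one of those words but not the salted hash of the same word, while the legitimate verifier, which knows the salt, still checks it. SHA-256 and the wordlist are illustrative choices, not the hash algorithm AD uses.

```python
"""Why salting defeats precomputed hash tables (added example).

Builds a small precomputed lookup table for a constructed wordlist, then
shows that it reverses an unsalted hash but not a salted one.
"""
import hashlib
import os

WORDLIST = ["password", "Welcome1", "Summer2024", "letmein", "qwerty"]  # constructed


def unsalted_hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt):
    # The salt is prepended to the password; a real store records the salt
    # next to the digest so the verifier can recompute it.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password once for every candidate; reuse forever."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Reverse a digest if it was precomputed; None otherwise."""
    return table.get(digest)


def verify_salted(password, salt, stored_digest):
    """What the legitimate verifier does: it knows the salt, so it can recompute."""
    return salted_hash(password, salt) == stored_digest


def demo():
    table = build_lookup_table(WORDLIST)
    leaked_unsalted = unsalted_hash("Welcome1")
    salt = os.urandom(16)                      # a fresh random salt per password
    leaked_salted = salted_hash("Welcome1", salt)
    return {
        "unsalted_recovered": lookup(table, leaked_unsalted),  # "Welcome1"
        "salted_recovered": lookup(table, leaked_salted),      # None
        "salted_verifies": verify_salted("Welcome1", salt, leaked_salted),
    }


if __name__ == "__main__":
    print(demo())
```

With a per-password salt the attacker would have to rebuild the table for every salt value, which removes the one-time-precomputation advantage. This is also why the glossary stresses protecting the hash store itself: AD's own NT hashes are computed without a salt, so for them the table-reuse defence does not apply and keeping the hashes out of an attacker's hands is the control that matters.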
The users’ logon name that is used to support clients and servers running earlier versions of Windows. Also called the “Pre-Windows 2000 logon name”.
In a SaveTheQueen attack, cyberattackers target AD through a strain of ransomware using the SYSVOL share on AD domain controllers to propagate throughout the environment. Accessing the SYSVOL share—which is used to deliver policy and logon scripts to domain members—typically requires elevated privileges and indicates a serious AD compromise.
The Active Directory schema defines every object class that can be created and used in the Active Directory forest. By default and out of the box, the schema defines every attribute that can exist in an object, the relationships between the various attributes, which one is mandatory, what permissions each one has and many other parameters. The schema is basically a blueprint or template of how data and what type of data can be stored in Active Directory. From a cyber security perspective, unauthorized changes to the schema can be dangerous because they cannot be undone and may have a destructive effect on the Active Directory data.
The Schema Admins group in Active Directory is a highly privileged group that has full control over the Active Directory schema. Members of this group can modify the schema, including adding or deleting attribute and object class definitions. For example: The Schema Admins group would typically include IT administrators responsible for managing the Active Directory schema, such as implementing schema extensions or performing schema updates.
From a cybersecurity perspective, compromising the Schema Admins group can have severe consequences, as it allows attackers to make unauthorized changes to the Active Directory schema. This could lead to data corruption, denial of service, or unauthorized access to critical systems and sensitive information.
Schema extensions in Active Directory refer to the process of modifying or adding new attribute and object class definitions to the existing Active Directory schema. This enables organizations to customize the schema to accommodate specific application requirements or store additional attributes for objects. For example: An organization may extend the Active Directory schema to include custom attributes for user objects to store additional information such as employee ID numbers or department names.
This is one of the five FSMO (Flexible Single Master Operations) roles in AD, responsible for handling all the changes to the Active Directory schema. Unauthorized access to the Schema Master can lead to critical changes in the AD structure, enabling severe attacks. One domain controller in the entire forest must hold this role.
See also: Flexible Single Master Operations (FSMO) roles
An object that defines an attribute or an object class.
A version of the LDAP protocol that establishes a secure connection to the LDAP server by applying SSL/TLS. It’s crucial to protect the exchange of information between clients and domain controllers from eavesdropping or manipulation.
A standard protocol used in various protocols such as HTTPS, LDAPS and others, that supports confidentiality and integrity of messages in client and server applications that communicate over open networks. SSL supports server and, optionally, client authentication using X.509 certificates. SSL is superseded by Transport Layer Security (TLS). TLS version 1.0 is based on SSL version 3.0.
The SAM is a database that stores user and group objects and is used by client Windows operating systems to authenticate local users. Users’ passwords are stored in hashed form. SAM uses cryptographic measures to prevent unauthenticated users from accessing the system. If an attacker gains access to this database, they can attempt to extract details about the user accounts and their passwords.
An XML-based open standard for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider. SAML is critical in scenarios where secure and seamless Single Sign-On (SSO) is needed across different domains. It helps organizations provide a smooth user experience, reducing the need for multiple passwords and logins, while maintaining high levels of security and control over user access.
In Active Directory, a security descriptor is a data structure that contains the security information associated with a securable object like users, groups, or computers. It includes the owner SID, primary group SID, DACL, and SACL. A security descriptor defines who has what type of access to the object. Misconfiguration in a security descriptor may lead to unauthorized access or privilege escalation.
A process within Active Directory that maintains the consistency of Access Control Lists (ACLs) across the directory. It operates at the domain level and ensures that permissions changes made to a parent object are properly propagated to all child objects within the hierarchy. Thus, it plays a vital role in enforcing security and access control policies across the AD infrastructure.
A collection of Windows logs that capture a range of security-related information, including logon attempts and resource access, which can be invaluable in detecting suspicious activity. If not monitored regularly, malicious activities can go unnoticed, leading to breaches.
Security groups can contain multiple accounts (user objects, computer objects, or even other group objects) and are used to assign permissions to a resource to all of those accounts at once. Security groups play a crucial role in securing resources and managing access rights within an Active Directory environment: permissions on a folder or object are applied to the group instead of to every individual account.
A SID is a unique value used to identify user, group, and computer accounts in Windows. SIDs play an essential role in managing permissions and controlling access to resources in an Active Directory environment. If an attacker is able to forge a SID, they might impersonate another user or gain unauthorized privileges. The domain portion of the SID is identical for all objects in a domain. To create a unique value for each security principal, the domain SID is combined with a unique RID value, which is drawn from the RID pool assigned to DCs by the RID Master FSMO role holder in the domain.
Security indicators are values based on metrics obtained by comparing logically related attributes about the behavior of an activity, process, or control within a specified time. These critical indicators are derived from predefined criteria, and they may be predictive of the overall security posture of an organization. Security indicators include indicators of attack (IOAs), indicators of compromise (IOCs), and indicators of exposure (IOEs).
See also: Indicators of attack, Indicators of compromise, Indicators of exposure
A technology that aggregates and analyzes log and event data generated by various sources in an organization’s IT infrastructure. Organizations use SIEM to gather, centralize, and store logs from various sources, in real time.
You can use SIEM to monitor for suspicious activity and analyze past events by collecting logs from networks, systems, infrastructures, applications, or specific assets. SIEM can also obtain external threat feeds and use advanced analytics to notify you of malicious events in your Active Directory environment. However, some attacks are designed to elude SIEM detection.
A SOC is a unit that operates as an organization’s cybersecurity hub, tasked with strengthening security measures and dealing with threats in real-time. It monitors various systems including identities, endpoints, servers, and databases, while also leveraging up-to-date threat intelligence to identify and rectify vulnerabilities before they can be exploited by cyber attackers.
A suite of solutions designed to streamline security operations by automating threat detection and response. SOAR integrates various security tools and systems, providing a unified platform to collect data and execute appropriate responses to threats. This allows security teams to manage and respond to a higher volume of threats more efficiently, enhancing an organization’s overall security posture.
You can use this security technology to help reduce incident response time—which directly affects productivity and efficiency—and access past alerts for research purposes. However, some attacks are designed to elude SOAR detection.
With the advent of cloud services, mobile devices, and remote work, organizations’ security perimeters have changed from the on-premises servers that comprise a network to a new frontier: identity.
A unique entity, also referred to as a principal, that can be authenticated by Active Directory. Typically a user object, a security group object, or a computer object. All security principals in Active Directory have a Security ID (SID).
SSPI allows applications to use various security models available on a computer or network without changing the interface to the security system. Its misuse can lead to token manipulation attacks.
STS is a software-based identity provider, issuing security tokens as part of a claims-based identity system. It’s commonly used in federation scenarios, playing a critical role in ensuring security. If compromised, it can lead to unauthorized access to multiple services.
Server Core is a minimal server installation option for Windows Server that provides a low-maintenance server environment with limited functionality. It’s mainly used for infrastructure roles, including an Active Directory Domain Services role. From a cybersecurity perspective, the smaller attack surface of Server Core can reduce the potential risk of security vulnerabilities.
SMB is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers. An example of a cybersecurity issue is the SMB Relay attack where an attacker sets up an SMB server and gets the target machine to authenticate to it, allowing for credential theft or execution of arbitrary code.
A user account that is created explicitly to provide a security context for services running on Windows Servers. Mismanagement of service accounts can expose them to attackers, allowing lateral movement or escalation of privileges.
The Service Connection Point (SCP) object in Active Directory is used to define the configuration information that clients or services need to find and connect to specific services or resources within the organization’s infrastructure. For example, Microsoft Exchange creates SCP objects to specify the Autodiscover service’s endpoint in Active Directory. This allows Outlook clients to automatically discover Exchange settings and connect to the appropriate Exchange server.
An SPN is a unique identifier tied to each instance of a Windows service. SPNs are used in conjunction with the Kerberos authentication protocol to associate a service instance with a service logon account. In a cyberattack known as Kerberoasting, an attacker may request Kerberos tickets for SPNs to crack their passwords offline.
See also: Kerberoasting, Service Principal Name (SPN) scanning
A method often used in attacks to discover service accounts in an Active Directory environment. Attackers enumerate services running under domain accounts via exposed Service Principal Names (SPNs). These accounts often have elevated privileges and weaker passwords, making them prime targets for compromise.
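The Python script below is an added example, not from this glossary, of one defensive use of the security event log for the pattern the SPN, Kerberoasting and SPN scanning entries describe: an account requesting service tickets for many distinct SPNs in a short time shows up in event ID 4769, typically with the RC4-HMAC encryption type (0x17), since RC4 tickets are the ones worth cracking offline. The key=value log format, the account and service names and the thresholds are constructed; the field names follow the Windows 4769 event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # Ticket Encryption Type value for RC4-HMAC in event 4769
WINDOW = timedelta(minutes=5)  # how close together the requests must be
THRESHOLD = 5                  # distinct SPNs within the window that trigger an alert

# Constructed security-log extract in a flat key=value form (one event per line).
# Field names follow the Windows 4769 event; the log format itself is made up.
SAMPLE_LOG = """\
TimeCreated=2024-05-01T10:00:01 EventID=4769 TargetUserName=jdoe ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.1.1.50
TimeCreated=2024-05-01T10:00:02 EventID=4769 TargetUserName=jdoe ServiceName=svc-web TicketEncryptionType=0x17 IpAddress=10.1.1.50
TimeCreated=2024-05-01T10:00:02 EventID=4769 TargetUserName=jdoe ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=10.1.1.50
TimeCreated=2024-05-01T10:00:03 EventID=4769 TargetUserName=jdoe ServiceName=svc-sccm TicketEncryptionType=0x17 IpAddress=10.1.1.50
TimeCreated=2024-05-01T10:00:03 EventID=4769 TargetUserName=jdoe ServiceName=svc-exchange TicketEncryptionType=0x17 IpAddress=10.1.1.50
TimeCreated=2024-05-01T10:00:04 EventID=4769 TargetUserName=jdoe ServiceName=svc-sharepoint TicketEncryptionType=0x17 IpAddress=10.1.1.50
TimeCreated=2024-05-01T10:00:05 EventID=4769 TargetUserName=jdoe ServiceName=FS01$ TicketEncryptionType=0x17 IpAddress=10.1.1.50
TimeCreated=2024-05-01T10:00:10 EventID=4769 TargetUserName=alice ServiceName=svc-sql TicketEncryptionType=0x12 IpAddress=10.1.2.20
TimeCreated=2024-05-01T10:00:20 EventID=4768 TargetUserName=bob ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.1.2.21
TimeCreated=2024-05-01T10:02:00 EventID=4769 TargetUserName=alice ServiceName=svc-web TicketEncryptionType=0x12 IpAddress=10.1.2.20
TimeCreated=2024-05-01T11:00:00 EventID=4769 TargetUserName=alice ServiceName=svc-legacy TicketEncryptionType=0x17 IpAddress=10.1.2.20
"""


def parse_events(text):
    """Turn each non-empty key=value line into a dict."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def detect_spn_scanning(events, window=WINDOW, threshold=THRESHOLD):
    """Alert when one account obtains RC4 service tickets for `threshold` or more
    distinct user-account SPNs inside `window`. Computer accounts (names ending in $)
    and the krbtgt service are ignored: they are not what Kerberoasting targets."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("EventID") != "4769" or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), svc))
    alerts = []
    for user, requests in per_user.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            distinct = {svc for t, svc in requests[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append({"user": user, "distinct_spns": len(distinct),
                               "window_start": start.isoformat(), "spns": sorted(distinct)})
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for a in detect_spn_scanning(parse_events(SAMPLE_LOG)):
        print(f"{a['user']} requested {a['distinct_spns']} RC4 service tickets "
              f"from {a['window_start']}: {a['spns']}")
```

The threshold and window are tuning knobs: a monitoring or backup account that legitimately touches many services will need an allow-list, and environments that still issue RC4 tickets broadly will want to pair this with an inventory of which service accounts lack AES keys.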
An attack where a user session is taken over by an attacker. In the context of Active Directory, this could include taking over a Kerberos ticket granting ticket session, for instance.
This PowerShell cmdlet sets the expiration date for an AD account. If improperly used, it could lead to denial of service by setting an immediate expiration on valid user accounts.
This PowerShell command sets the account lockout protection for an AD user.
This PowerShell command restricts logon to specific workstations for a user. If used maliciously, it can lead to unauthorized access or a potential denial of service.
This PowerShell cmdlet is used to modify the properties of a computer object. If used maliciously, it can lead to unauthorized changes to computer properties, potentially leading to operational disruptions or breaches.
This PowerShell cmdlet is used to modify the default password policy for an AD domain. If misused, it can weaken the organization’s password policy, making it easier for an attacker to guess or crack passwords.
This PowerShell cmdlet is used to modify the attributes of a user object in Active Directory. In the wrong hands, this command could be used maliciously to alter user account properties, such as the description field, for stealthy persistence or privilege escalation.
Shadow Copy is a technology in Windows systems that allows taking manual or automatic backup copies or snapshots of data, even if it is in use. It can be used to restore previous versions of files and directories.
When users share a username and password across multiple systems (including non-AD systems), an attacker can leverage breached or weak credentials from one system to gain unauthorized access to another.
Shadow groups in Active Directory are used to mirror the membership of a given dynamic distribution group. This can be especially useful when permissions need to be assigned to a dynamic distribution group. However, if not properly managed, shadow groups can pose a security risk through inadvertent granting of permissions.
A security mechanism in Active Directory that removes foreign SIDs from a user’s access token when resources are accessed across a forest trust. This feature, which is enabled by default between forests, helps prevent malicious users with administrative privileges in a trusted forest from gaining control over a trusting forest. When SID filtering is active, only SIDs from the trusted domain are used in a user’s token; SIDs that belong to other domains are excluded.
SID History is an attribute of a user object, which assists in the migration of resources from one domain to another. It stores former SIDs of a user account, allowing for access to resources that recognize the old SID. This can be abused by attackers in a method called SID History Injection to escalate privileges.
The Security Identifier (SID) history attribute can be manipulated to elevate a user’s privileges. An attacker can add the SID of a privileged group to the SID history attribute of their account, granting them the corresponding privileges.
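The Python script below is an added example (not from this glossary) that ties together the SID, SID filtering and SID History entries above: it splits a SID into its domain identifier and RID, applies a simplified form of SID filtering to a token arriving across a forest trust, and audits sIDHistory values for the pattern that SID History Injection leaves behind. The domain SIDs, the token contents and the account list are constructed for the example; the privileged RID table lists well-known RIDs that exist in every domain.

```python
import re
from dataclasses import dataclass

# RIDs of well-known privileged principals that exist in every AD domain
PRIVILEGED_RIDS = {
    500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Constructed domain SIDs: CORP is the trusting (local) domain, PARTNER is a domain
# in a trusted forest, LEGACY is the old domain users were migrated from.
CORP_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
PARTNER_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
LEGACY_DOMAIN = "S-1-5-21-7777777777-8888888888-9999999999"


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        m = SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID: {text!r}")
        return cls(int(m.group(1)), tuple(int(v) for v in m.group(2).split("-")[1:]))

    def __str__(self):
        return "S-1-" + "-".join(str(v) for v in (self.authority, *self.subauthorities))

    @property
    def rid(self):
        """Relative identifier: the final sub-authority."""
        return self.subauthorities[-1]

    @property
    def domain(self):
        """The domain identifier, i.e. the SID minus its RID."""
        return Sid(self.authority, self.subauthorities[:-1])

    def in_domain(self, domain):
        """True when this SID is <domain SID>-<RID> for the given domain."""
        return (self.authority == domain.authority
                and len(self.subauthorities) == len(domain.subauthorities) + 1
                and self.subauthorities[:-1] == domain.subauthorities)


def sid_filter(token_sids, trusted_domain_sids):
    """Simplified SID filtering on a forest trust: keep only SIDs that belong to a
    domain of the trusted forest and drop every other SID, including any that claim
    membership in the trusting domain. (Real filtering has extra rules for
    well-known SIDs; this simplified version drops those too.)"""
    trusted = [Sid.parse(d) for d in trusted_domain_sids]
    kept, dropped = [], []
    for text in token_sids:
        sid = Sid.parse(text)
        (kept if any(sid.in_domain(d) for d in trusted) else dropped).append(text)
    return kept, dropped


def audit_sid_history(accounts, own_domain_sid):
    """Flag sIDHistory values that carry a privileged RID or that belong to the
    current domain: legitimate migration history points at the *old* domain."""
    own = Sid.parse(own_domain_sid)
    findings = []
    for acct in accounts:
        for text in acct.get("sIDHistory", []):
            sid = Sid.parse(text)
            if sid.rid in PRIVILEGED_RIDS:
                findings.append((acct["sam"], text,
                                 f"privileged RID {sid.rid} ({PRIVILEGED_RIDS[sid.rid]})"))
            elif sid.in_domain(own):
                findings.append((acct["sam"], text, "SID from the current domain"))
    return findings


# Constructed token presented by a PARTNER forest user: two genuine PARTNER SIDs, an
# injected CORP Domain Admins SID and the well-known Authenticated Users SID.
TOKEN_FROM_PARTNER = [PARTNER_DOMAIN + "-1105", PARTNER_DOMAIN + "-513",
                      CORP_DOMAIN + "-512", "S-1-5-11"]

# Constructed accounts: one with legitimate migration history, two suspicious.
ACCOUNTS = [
    {"sam": "jsmith", "sIDHistory": [LEGACY_DOMAIN + "-1104"]},
    {"sam": "svc-backup", "sIDHistory": [CORP_DOMAIN + "-512"]},
    {"sam": "tjones", "sIDHistory": [CORP_DOMAIN + "-1201"]},
]

if __name__ == "__main__":
    kept, dropped = sid_filter(TOKEN_FROM_PARTNER, [PARTNER_DOMAIN])
    print("kept:", kept, "\ndropped:", dropped)
    for sam, sid, why in audit_sid_history(ACCOUNTS, CORP_DOMAIN):
        print(f"{sam}: {sid} -> {why}")
```

The audit function is the part worth running periodically: in a domain that never went through a migration, any populated sIDHistory is suspicious, and a value whose RID is 512 or 519 deserves immediate attention regardless of which domain it names.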
A Silver Ticket attack focuses on forging a service ticket (ST). In this type of attack, an attacker gains unauthorized access to a service by forging a Kerberos ticket for that service, enabling them to impersonate a legitimate user and access resources within the domain. By obtaining the service account’s NTLM hash and other required information, the attacker can create a malicious ticket that grants access to the service without authenticating or knowing the actual user’s password.
A framework that provides a mechanism for authentication and optional security services in internet protocols. In the context of Active Directory (AD), SASL is used to ensure the integrity and security of data during transmission. When an AD client wants to authenticate with a server, it can use SASL to specify the method of authentication it prefers. SASL supports several authentication methods, such as Kerberos, NTLM, and Digest-MD5, and it’s often used in protocols like LDAP. Some SASL mechanisms also provide security services beyond authentication, such as data integrity checks and encryption, to protect data during transmission.
SSO is an authentication process that allows a user to access multiple resources with one set of login credentials. SSO provides users with seamless access to network resources, improving the user experience by reducing the number of passwords they need to remember. SSO can increase business efficiency, but it also presents a potential security issue if the single authentication point is compromised.
A collection of one or more well-connected (reliable and fast) TCP/IP subnets represented as objects in the AD database. Sites help administrators optimize both Active Directory logon traffic and Active Directory replication with respect to the physical network and WAN connection speeds. When users log in, domain member machines find domain controllers (DCs) that are in the same site as the user, or near the same site if there is no DC in the site. When DCs replicate, they will perform an almost immediate replication between all DCs in a site and postpone the replication traffic to other sites based on the replication window and interval. Misconfiguring sites and services may lead to inefficiencies in replication and can impact the availability of AD services.
Site links in Active Directory represent reliable IP paths between sites. They are used by the Knowledge Consistency Checker (KCC) to build the replication topology.
An object of class site, representing a site.
In a skeleton key attack, an adversary deploys a malicious piece of software onto a domain controller. This malware enables the attacker to log into any account within the domain using a password known only to the attacker, without disrupting normal operations or changing actual passwords.
This is a strong form of two-factor authentication used to log on to an AD domain. A smart card contains a certificate, associated with a user account, providing a robust defense against credential theft.
A rapid PsExec-style attack with the added benefit of pass-the-hash capability. It runs commands on remote computers over the SMB protocol.
A tool that allows users to enumerate samba share drives across an entire domain. Attackers can use it to find out about file, directory, and share-level permissions.
This refers to a “photo” or stored state of the Active Directory database at a given point in time, which can be used for backup purposes. Unauthorized access to snapshots can reveal sensitive data, and outdated snapshots may contain vulnerabilities that have been patched in the live environment.
SRPs identify software programs running on computers in a domain, and control the ability of those programs to run. This is an effective method to prevent execution of malware or untrusted software. SRP can be employed to establish a highly secure configuration for systems by permitting the execution of only pre-approved applications. Being integrated with Microsoft Active Directory and Group Policy, SRPs can be created both in network environments and on independent computers.
In early 2020, cyberattackers secretly broke into Texas-based SolarWinds’ systems and added malicious code to the company’s software system. The system, called “Orion,” is widely used by companies to manage IT resources. SolarWinds had 33,000 customers using Orion, according to SEC documents. Around March 2020, up to 18,000 SolarWinds customers installed updates that left them vulnerable to cyberattackers. These included several high-profile SolarWinds clients, including Fortune 500 companies and multiple agencies in the US government, such as parts of the Pentagon, the Department of Homeland Security, and the Treasury.
Special identities (also called implicit identities) are predefined groups that serve unique, often dynamic roles within the infrastructure. Unlike typical groups, these identities don’t have a static list of members. Instead, they represent different users under different circumstances. Examples of special identities include Anonymous Logon, Batch, and Authenticated Users.
In an SPN-jacking attack, cyberattackers manipulate the SPN of computer/service accounts to redirect preconfigured Constrained Delegation to unintended targets, even without obtaining SeEnableDelegation privileges.
In the context of Active Directory, spoofing generally refers to a situation where a malicious entity impersonates another device or user on the network. For instance, DNS spoofing might be used to divert traffic to a malicious server.
In DNS, a type of resource record, stored in the zone database, that maps the name of a particular service to the DNS name of a server that offers that service. Active Directory uses SRV records heavily to allow clients and other DCs to locate services such as the Global Catalog, LDAP, and Kerberos; DCs automatically advertise their capabilities by publishing SRV records in DNS.
The process of negotiating and establishing a connection protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
Supply chain attacks, also known as third-party attacks or value-chain attacks, occur when an attacker infiltrates your system through an outside partner or provider with access to your systems and data. Essentially, instead of attacking the primary target directly, the threat actor targets less secure elements in the network’s supply chain. Notorious examples include the SolarWinds attack, where malicious code was inserted into software updates, affecting thousands of customers globally.
In the context of Active Directory, synchronization is the process of ensuring that multiple copies of a data object, such as a user account or group, are the same across all domain controllers. If synchronization fails, it can lead to inconsistencies that might be exploited by an attacker.
An access control list (ACL) that controls the generation of audit messages for attempts to access a securable object in AD. Resulting audit messages can be seen in the security log in the Windows Event Viewer. Ignoring SACLs can leave a system vulnerable by failing to record and alert on suspicious activities.
The SYSVOL share is a very important folder that is shared on each domain controller in the AD domain. The default location is %SYSTEMROOT%\SYSVOL\sysvol, and it typically contains Group Policy Objects, folders, scripts, junction points, and more. Each domain controller holds a replica of the SYSVOL share. If it is not properly secured, attackers may gain access to this share, and whatever is placed there is replicated by default throughout the AD forest. Unauthorized modifications in SYSVOL can also lead to GPO-related security issues.
A Sysinternals graphic network monitoring utility that shows a representation of all currently active TCP and UDP endpoints on a system.
TACACS is a remote authentication protocol commonly used in UNIX networks. TACACS allows a remote access server to forward a user’s logon password to an authentication server to determine whether access can be allowed to a given system. While not directly part of Active Directory, it’s often used in conjunction with AD in mixed environments.
Terminal Services, now known as Remote Desktop Services, allows users to access Windows-based programs or the full Windows desktop remotely. Though it provides convenience and flexibility, it can also pose a security risk if not properly secured, as it could be exploited by attackers for unauthorized remote access.
See also: Remote Desktop Services (RDS)
This PowerShell command checks the secure channel between the local computer and its domain. If it reports a broken or insecure channel, this could indicate a man-in-the-middle (MITM) attack or another network compromise.
Threat hunting is a proactive cybersecurity process of searching through networks to detect and isolate advanced threats that evade existing security solutions. It’s crucial in Active Directory environments to identify potential intrusions or malicious activities that have bypassed traditional security measures. A well-known example of a threat hunting case in AD would be looking for signs of “Golden Ticket” attacks, where attackers forge a TGT.
An umbrella term to describe the types of vulnerabilities, attacks, and threat actors that exist at any given time, within a certain context. Computer and information technologies are advancing at lightning speed. However, cyberattackers are keeping pace by constantly evolving their methods of exploiting system vulnerabilities. The volatility in today’s cyber threat landscape makes it critical to use a layered security approach and solutions built specifically to protect and quickly recover Active Directory.
TGS is a critical component of the Kerberos authentication protocol used in Active Directory. After the initial authentication, a Ticket Granting Ticket (TGT) is issued by the Key Distribution Center (KDC). The TGS uses this TGT to issue service tickets for access to other resources within the domain. If an attacker gains access to a valid TGT, they can request tickets to any network service, leading to potential unauthorized access.
See also: Ticket-Granting Ticket (TGT)
In the Kerberos authentication protocol, Ticket Options is a field in the ticket that specifies flags such as whether the ticket is renewable, or if it’s valid for proxy use. Misconfiguration of these options, or exploitation by an attacker, can lead to security issues, such as unauthorized ticket renewal.
As part of the Kerberos authentication protocol, a TGT is issued by the Key Distribution Center (KDC) upon initial user authentication. This ticket is then used to request service tickets from the Ticket Granting Service (TGS) for specific network resources. The TGT contains the session key, expiration date, and user IP Address. The TGT is a high-value target for attackers, as possession of a valid TGT allows them to impersonate users and gain unauthorized access to resources.
See also: Ticket Granting Service (TGS)
Tier 0 assets are those that are critical to the operation of your IT environment. Such assets include Active Directory and AD domain controllers, which in turn control access and privileges to every user, system, and resource in the organization.
This security model for administrative access segregates privileges into separate tiers to prevent credential theft and unauthorized access. For instance, admins with access to the domain controller (Tier 0) should not use the same accounts or machines to manage less trusted assets like user workstations (Tier 2). This model is essential in minimizing the risk of privilege escalation or lateral movement attacks.
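The following Python script is an added example, not from this glossary, of how the tier model can be checked against logon events: it assigns tiers to accounts and hosts and flags credential-exposing logons (interactive, RDP, service and the like, as recorded in event ID 4624) where the account tier and the host tier differ. The tier tables, host names and events are constructed; in practice the tier of an account or host would come from the OU, group or naming convention used for tiering.

```python
# Tier assignments are constructed for this example; in practice they come from
# the OU, group or naming convention the organisation uses for its tiering.
TIER_OF_HOST = {"DC01": 0, "DC02": 0, "PKI01": 0, "APP01": 1, "SQL01": 1,
                "WS-ALICE": 2, "WS-BOB": 2}
TIER_OF_ACCOUNT = {"da-carol": 0, "srv-admin-dave": 1, "alice": 2, "bob": 2}

# 4624 logon types that leave reusable credentials on the host: interactive (2),
# batch (4), service (5), unlock (7), RemoteInteractive/RDP (10), cached (11).
# Network logons (3) do not, so they are not checked here.
CREDENTIAL_EXPOSING_LOGON_TYPES = {"2", "4", "5", "7", "10", "11"}

# Constructed 4624 events; `Computer` is the host that recorded the logon.
SAMPLE_4624 = [
    {"TargetUserName": "da-carol", "LogonType": "10", "Computer": "DC01"},
    {"TargetUserName": "da-carol", "LogonType": "10", "Computer": "WS-BOB"},
    {"TargetUserName": "srv-admin-dave", "LogonType": "2", "Computer": "SQL01"},
    {"TargetUserName": "bob", "LogonType": "3", "Computer": "APP01"},
    {"TargetUserName": "bob", "LogonType": "10", "Computer": "APP01"},
    {"TargetUserName": "alice", "LogonType": "2", "Computer": "WS-ALICE"},
    {"TargetUserName": "da-carol", "LogonType": "3", "Computer": "APP01"},
]


def account_tier(name):
    """Unknown accounts are treated as tier 2 (least trusted)."""
    return TIER_OF_ACCOUNT.get(name, 2)


def host_tier(name):
    """Unknown hosts are treated as tier 2 (least trusted)."""
    return TIER_OF_HOST.get(name, 2)


def check_tier_violations(events):
    """Report credential-exposing logons where the account's tier and the host's
    tier differ. A privileged (lower-numbered) account on a less trusted host is
    'high': its credentials are now exposed on a machine outside its tier. A less
    privileged account on a more sensitive host is 'medium': not a credential
    exposure, but nobody outside that tier should be logging on interactively."""
    findings = []
    for e in events:
        if e["LogonType"] not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        a_tier, h_tier = account_tier(e["TargetUserName"]), host_tier(e["Computer"])
        if a_tier == h_tier:
            continue
        findings.append({
            "user": e["TargetUserName"], "host": e["Computer"],
            "logon_type": e["LogonType"], "account_tier": a_tier, "host_tier": h_tier,
            "severity": "high" if a_tier < h_tier else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in check_tier_violations(SAMPLE_4624):
        print(f"[{f['severity']}] tier-{f['account_tier']} account {f['user']} logged on "
              f"(type {f['logon_type']}) to tier-{f['host_tier']} host {f['host']}")
```

On the sample data the Tier 0 administrator opening an RDP session to a user workstation is reported as high severity, while the same account reaching an application server over a network logon is not reported at all, because a type 3 logon leaves no reusable credential behind.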
Active Directory uses the Kerberos protocol for authentication, which relies on time-sensitive tickets. It is crucial to maintain accurate and synchronized time across all systems in an AD environment to prevent authentication issues. Incorrect time settings can even enable Kerberos-based attacks, such as replay attacks.
TTL is not unique to Active Directory, but it plays a critical role in DNS which is a significant component of AD. In the context of AD integrated DNS, TTL is a value in a DNS record that signifies the duration that the record is valid for before it needs to be refreshed. An excessively long TTL might lead to outdated DNS information being used, which could disrupt AD services.
A token in Active Directory is a representation of a user’s rights and permissions. Every time a user logs in, a token is generated that identifies the user and the groups to which the user belongs. Tokens can be targeted by cybercriminals in token impersonation attacks, in which the token is stolen to gain unauthorized access.
Token bloat is a condition where a user accumulates so many security identifiers (SIDs) in their access token due to membership in many groups that they experience logon or resource access issues. From a cybersecurity standpoint, token bloat can both impact user productivity and serve as a sign of excessive permissions that might be exploited by an attacker if the user’s account were to be compromised.
When an object is deleted from Active Directory, it is moved to the Deleted Objects container. The object retains most of its attributes. Objects remain in this container for the tombstone period (by default 180 days), after which they are permanently deleted. If the tombstone period has not yet passed, deleted objects can be reanimated. Restoring incorrectly tombstoned objects might lead to inconsistencies and possibly orphaned objects.
The number of days before a deleted object is removed from the directory services. The default used to be 60 days when no value is entered. In modern operating systems the value is 180 days.
A two-way trust relationship that is automatically created between parent and child domains in a Microsoft Active Directory forest, and which allows users from one domain in the forest to log in to resources in any other domain in that forest. Transitivity means that if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A automatically trusts Domain C. Attackers can exploit this transitivity to gain unauthorized access to resources.
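An added example, not part of this glossary, that works through the transitivity rule above in Python: given a list of trusts with their direction and transitivity, it computes every domain a given domain ends up trusting and the path through which it does so. The example generalizes slightly beyond the entry by modelling a one-way, non-transitive external trust as well, to show why such a trust does not extend to whatever the partner domain trusts in turn. The domain names and trust layout are constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain that accepts the other's users ("A trusts B": A)
    trusted: str      # domain whose users are accepted ("A trusts B": B)
    transitive: bool  # forest-internal trusts are transitive; external trusts are not


def two_way(a, b, transitive=True):
    """Parent/child and tree-root trusts are created two-way, so model both directions."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def domains_trusted_by(trusts, origin):
    """Return {domain: path} for every domain `origin` trusts, directly or by transitivity.
    A direct trust always counts; a longer chain counts only while every hop is
    transitive, which is why an external (non-transitive) trust does not extend to
    whatever the partner domain trusts in turn."""
    outgoing = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    result, queue, expandable = {}, deque(), set()
    for t in outgoing.get(origin, []):
        result.setdefault(t.trusted, [origin, t.trusted])
        if t.transitive and t.trusted not in expandable:
            expandable.add(t.trusted)
            queue.append(t.trusted)
    while queue:
        current = queue.popleft()
        for t in outgoing.get(current, []):
            if not t.transitive or t.trusted == origin:
                continue
            result.setdefault(t.trusted, result[current] + [t.trusted])
            if t.trusted not in expandable:
                expandable.add(t.trusted)
                queue.append(t.trusted)
    return result


# Constructed forest: corp.example is the forest root with two child domains,
# research.example is a second tree joined by a tree-root trust, and corp.example
# has a one-way, non-transitive external trust to partner.local.
FOREST_TRUSTS = (
    two_way("corp.example", "emea.corp.example")
    + two_way("corp.example", "apac.corp.example")
    + two_way("corp.example", "research.example")
    + [Trust("corp.example", "partner.local", transitive=False)]
)

if __name__ == "__main__":
    for origin in ("emea.corp.example", "corp.example", "partner.local"):
        reach = domains_trusted_by(FOREST_TRUSTS, origin)
        print(origin, "trusts:")
        for domain, path in reach.items():
            print("   ", domain, "via", " -> ".join(path))
```

The output for emea.corp.example shows the practical consequence of transitivity: a child domain that only has a trust with its parent nonetheless trusts its sibling and the second tree, so a compromise of any of them is a path into emea, while partner.local stays out of reach because the external trust is non-transitive and one-way.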
TCP/IP is the suite of communication protocols used to interconnect network devices on the internet or in a private network. In the context of Active Directory, it is critical as it forms the backbone of network communications. Ensuring proper security measures such as IPsec are implemented is important to protect the network traffic against sniffing or spoofing attacks.
TLS is a protocol that ensures privacy between communicating applications and users on the internet. When a server and client communicate, TLS ensures that no third party can eavesdrop on or tamper with any message. If TLS is not correctly implemented, attackers might exploit vulnerabilities in the protocol or use downgrade attacks to weaken the connection’s security.
A tree is a collection of Active Directory domains in a hierarchical order and with a contiguous namespace.
A tree root trust is an automatic transitive trust relationship that is established between the root domains of two trees in the same Active Directory forest. This trust allows all domains in one tree to trust all domains in the other tree. However, similar to transitive trusts, tree root trusts could be potentially exploited by attackers for lateral movement within the forest.
TrickBot is a Trojan-type malware that was first identified in 2016. Its original purpose was to target banks and steal financial data, but TrickBot has evolved into modular, multistage malware. The most common initial infection vector is malspam containing malicious, macro-laden Office documents disguised as invoices, holiday greeting cards, traffic violations, and so on.
A trust is a relationship between domains that allows objects in one domain to access resources in another. It’s established between two domain trees or forests to enable users in one domain to access resources in the other. For instance, a user from one domain can log in and access resources in another domain.
These define the type of access that is given to a trusted domain. Trust attributes include settings such as selective authentication, which restricts access to only certain resources in a domain. Misconfigurations in trust attributes can lead to unauthorized resource access.
In Active Directory, a trust boundary is a logical boundary that separates different security domains or realms. It represents the extent to which trust relationships can be established between entities within and outside the boundary. Establishing a trust relationship across this boundary allows security principals (such as users or computers) from one domain to access resources in another domain.
2FA adds an extra layer of security to the authentication process by requiring users to verify their identity using two different factors: something they know (like a password), and something they possess (like a token or mobile device). It makes it harder for attackers to gain access even if they manage to compromise one factor.
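As an added example, not from this glossary, the Python below implements the possession factor most commonly used for 2FA: a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226), including the server-side check with clock-drift tolerance and a constant-time comparison. The secret is the RFC test vector, used here so the codes can be checked against the published values; a real deployment generates a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret (ASCII "12345678901234567890"); a real deployment
# generates a random secret per user and stores it only on the server and device.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, skew=1):
    """Server-side check: accept the current step and `skew` steps either side to
    tolerate clock drift, comparing in constant time to avoid a timing oracle."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-skew, skew + 1))


def provisioning_secret(secret):
    """Base32 form of the secret, which is what authenticator apps are enrolled with."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    print("enrol with:", provisioning_secret(RFC_TEST_SECRET))
    print("code at t=59:", totp(RFC_TEST_SECRET, 59))   # RFC 6238 vector: 287082
    print("current code:", totp(RFC_TEST_SECRET))
```

Two details matter for the security of the scheme: the server should additionally refuse to accept the same code twice within its validity window (replay), and the skew should stay small, since every extra step accepted widens the guessing window for an attacker who has the password but not the device.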
Universal groups in Active Directory are groups that can include users, groups, and computers from any domain within the AD forest. This makes them ideal for large-scale access management across multiple domains, but misconfiguration or excessive use can increase replication traffic within the forest, potentially affecting performance.
This PowerShell command unlocks an AD account that has been locked out. Misuse could lead to an attacker unlocking accounts that were locked due to suspicious activities.
A USN is a 64-bit number in Active Directory that increments as changes occur to objects or attributes. It is used to control the replication of these changes throughout the entire AD forest.
While not strictly an AD term, UAC is a Windows security feature that can interact with AD. It controls the privileges of a user account, requesting confirmation whenever a change requires administrative rights. If UAC settings are not appropriately configured, it may allow unauthorized changes or malware propagation.
In Active Directory Service Interfaces (ADSI), each object has a unique identifier known as a UID. It’s often used when interacting with AD via scripts or programming languages, serving as a distinct pointer to an object in the directory.
In Active Directory, a user object is a distinct set of attributes representing a network user. It includes information like username, password, and various other details about the user. The security of user objects is paramount to ensure data privacy and prevent unauthorized access.
An Internet-style login name for a user object, based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember, and simplifies the login process, especially in environments with trust relationships. By convention, this should map to the user email address which makes it easier to remember.
A virtual directory is a directory name, also known as a path, which is used to reference the physical directory (or directories) where files are actually stored. This concept is important in AD because it allows resources to be located and managed effectively without directly handling the underlying complexities of their physical locations.
A VLAN is a logical division on a network, grouping together a set of devices that can communicate as if they were on the same physical network, even if they are not. From an AD perspective, VLANs can influence the design and performance of AD replication, as well as the application of policies.
A VPN is a secure network connection that uses encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. This has implications for Active Directory because it allows remote and secure access to an organization’s network where AD resources reside.
The process of creating a virtual version of something, including but not limited to a hardware platform, operating system, a storage device or network resources. In AD contexts, domain controllers might be virtualized to save on hardware costs or for disaster recovery purposes. However, virtualization of AD components needs to be managed carefully, as incorrect configurations (like having a virtual domain controller keep its own time) can lead to significant issues.
A virus is a malicious program that replicates itself to spread to other computers. It can potentially impact Active Directory if it infects systems that interact with AD, or if it specifically targets AD components. Virus protection and timely intervention are crucial for maintaining the integrity and availability of the AD environment.
VBScript is a lightweight scripting language, developed by Microsoft, that is often used for server-side scripting in Active Directory environments. Despite its age, many AD admins have legacy VBScripts in their environment, or may use VBScript for quick, simple tasks.
This is a Windows service that enables manual or automatic backup of computer files and volumes. It’s essentially Windows’ native backup tool, capable of creating “shadow” copies at specified intervals, or when triggered by a system event. VSS can be used to back up an Active Directory database while it is still running and plays an essential role in system restore and data recovery operations.
This security technique is used to identify security weaknesses in a computer system. In the context of Active Directory, vulnerability scanning can uncover issues such as unpatched software, security misconfigurations, or the use of weak passwords. Regular vulnerability scanning is a critical part of maintaining the security of an Active Directory environment.
The WannaCry ransomware worm exploited the EternalBlue vulnerability and targeted Windows-based computers in 2017. Microsoft released a security patch for EternalBlue shortly before the attacks began, but many Windows users did not immediately update their systems or were using out-of-date versions of Windows. As a result, WannaCry infected more than 200,000 computers across 150 countries and caused $8 billion in damages.
A command-line utility that allows administrators or backup operators to back up and restore an operating system (OS), volume, file, folder, or application. Wbadmin replaced NTBackup, the tool used to create backups in systems before Windows Server 2008.
In the realm of SSL/TLS, a wildcard certificate is a certificate that can secure any subdomain of a domain. For example, a single wildcard certificate for *.semperis.com can secure www.semperis.com, mail.semperis.com, etc. In AD, a wildcard certificate can be used to secure multiple services without the need for multiple certificates.
Also known as Azure Active Directory (AAD). This is Active Directory Domain Services hosted in the Windows Azure cloud.
Windows Defender is the built-in, real-time security system on Windows that offers protection against a wide range of threats such as malware, spyware, and viruses. It plays a critical role in securing the devices that are part of the Active Directory domain.
A Windows application that allows administrators to see detailed records of operating system, security, and application notifications. Administrators use it to diagnose system problems and predict future issues.
A Windows-based service that resolves computer NetBIOS names into IP addresses. WINS was designed to solve the problems arising from NetBIOS name resolution in routed environments.
Windows Management Instrumentation (WMI) is an infrastructure built into Microsoft Windows operating systems that enables management data and operational parameters to be retrieved from, and configured on, any device that “plugs in” to the system. It provides a unified way for software to request system information and manage system components locally or remotely. WMI can be used for tasks such as querying system settings, setting system properties, or triggering specific actions on systems.
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, PowerShell helps IT professionals control and automate the administration of the Windows operating system and applications that run on Windows. For example, administrators can use PowerShell to automate the process of creating users in Active Directory.
Windows Script Host (WSH) is a language-independent scripting host for Windows Script-compatible scripting engines. It provides a set of objects and services that enable system-level scripting, allowing scripts written in JScript or VBScript, for instance, to automate administrative tasks or interact with the Windows operating system directly. WSH scripts can be executed directly from the desktop or command prompt, or they can be embedded into a webpage, providing a versatile platform for automating routine tasks.
Windows Server is a group of operating systems designed by Microsoft that supports enterprise-level management, data storage, applications, and communications. Active Directory is one of the critical services running on Windows Server, providing a variety of directory services.
Windows Server Update Services (WSUS) is a Windows Server role that can plan, manage, and deploy updates, patches, and hotfixes for Windows operating systems and other Microsoft software.
The Windows Time service ensures that all computers in an Active Directory domain share a common time. This is critical, because a time difference beyond the allowed threshold (5 minutes by default) can lead to authentication failures due to the Kerberos protocol’s time sensitivity.
The Windows NT namespace provider, which supports the Windows NT SAM account database.
Widely used in network troubleshooting and protocol analysis, Wireshark is a legitimate network capture tool that can be used by attackers to capture and analyze network traffic, potentially uncovering sensitive data transmitted in plaintext.
WMI Query Language (WQL) is a SQL-like language used to filter and query information from the Windows Management Instrumentation (WMI) framework. It is used to write queries that return specific information from the vast amount of data that WMI can deliver, such as querying for events or data objects, calling methods, or accessing or modifying system properties. WQL offers a robust toolset for administrators to automate tasks, troubleshoot, or gather system information in a Windows environment.
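As an added example (not part of the glossary), the following PowerShell issues two WQL queries through the CIM cmdlets: a data query against Win32_Service and an event query that subscribes to process creation. Both run locally and require no parameters beyond what is shown.

```powershell
# Added example, not part of the glossary: two WQL queries issued through PowerShell's CIM cmdlets.

# 1) A data query. Lists services configured to start automatically together with the account
#    they run as, a routine check when reviewing which services hold privileged credentials.
#    The WHERE clause is evaluated by the WMI provider, so only matching instances are returned.
$serviceQuery = "SELECT Name, StartName, State, PathName FROM Win32_Service WHERE StartMode = 'Auto'"
Get-CimInstance -Query $serviceQuery |
    Where-Object { $_.StartName -ne 'LocalSystem' -and $_.StartName -notlike 'NT AUTHORITY\*' } |
    Select-Object Name, StartName, State, PathName

# 2) An event query. WQL can also subscribe to events: WITHIN 5 sets the polling interval in seconds,
#    and ISA restricts the intrinsic creation event to new Win32_Process instances. The action block
#    runs for each new process, which is a simple way to watch process starts on a host.
$eventQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"
Register-CimIndicationEvent -Query $eventQuery -SourceIdentifier 'NewProcess' -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("{0:u} PID {1} started: {2}" -f (Get-Date), $p.ProcessId, $p.CommandLine)
}

# Unregister-Event -SourceIdentifier 'NewProcess'   # remove the subscription when finished
```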
In the context of Active Directory, a workstation typically refers to a computer that is connected to the network and under the control of AD. Policies can be applied to workstations, users can log into them using their AD credentials, and they can access resources based on their AD user rights and permissions.
A writable domain controller is a server that hosts a writable copy of the AD database. This is in contrast to a read-only domain controller (RODC). WDCs allow changes to the database, which are then replicated to other DCs. Any compromise of a WDC can have a significant impact because of its ability to alter directory data.
X.500 is a series of computer networking standards that define a directory service for distributed computing systems. It serves as a global address book, facilitating the sharing of information about users, systems, networks, services, and applications throughout the network. The LDAP protocol is based on a subset of these standards, making X.500 an important part of the foundation for modern directory services like Microsoft’s Active Directory.
Zero Trust is a security concept that assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. Zero Trust requires all users to be authenticated and authorized before being granted access to applications and data. Identity security is at the heart of successful Zero Trust initiatives.
A vulnerability in the cryptography of the Microsoft Netlogon process can enable an attack against Active Directory (AD). Zerologon enables cyberattackers to impersonate any computer and take control of a domain controller, including the root domain controller. To accomplish this, cyberattackers change or remove the password for a service account on the controller, then cause a denial of service (DoS) or take over and own the entire network.
Zone transfers occur in the Domain Name System (DNS) protocol when a DNS server passes a copy of part of its database (a zone) to another DNS server. In an Active Directory context, it is an essential component of the AD-integrated DNS zone replication process. Security-wise, unsecured zone transfers can expose sensitive information about network resources, so it is important to ensure they are configured to allow transfers only to authorized servers.
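As an added example (not part of the glossary), the following PowerShell uses the DnsServer module on a Windows DNS server to find primary zones that allow transfers to any host and to restrict one of them to named secondaries. The zone name and server addresses are constructed placeholders.

```powershell
# Added example, not part of the glossary: review and tighten zone transfer settings with the
# DnsServer module. Assumes it runs on (or remotes to) a Windows DNS server with that module.
$zone               = 'corp.example'                 # constructed placeholder zone name
$allowedSecondaries = @('10.0.0.53', '10.0.1.53')    # constructed placeholder secondary servers

# Weak setting: TransferAnyServer answers a full zone transfer (AXFR) for any host that asks,
# handing out every record in the zone. List the primary zones still configured that way.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Select-Object ZoneName, IsDsIntegrated, SecureSecondaries

# Corrected setting: transfer only to the listed servers, and send change notifications to
# those same servers so they refresh promptly. (TransferToZoneNameServer, which limits
# transfers to the zone's NS records, is the other common choice; NoTransfer disables it.)
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $allowedSecondaries `
    -Notify NotifyServers -NotifyServers $allowedSecondaries

# Verify the result for the zone just changed.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers
```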