Three tools hackers use to attack your Active Directory
by Tina Siering
Why hackers don't need to hack, they just need to log in
While the stereotypical understanding is that a hacker sits in a dark room - wearing an obligatory hoodie, of course - and types line after line of malicious code into his computer, the reality is somewhat different. While modern hackers use a myriad of tools, some of which require programming, the attackers are not so much using algorithms as they are using human behavior for their own purposes. With knowledge of basic personality traits and accompanied by the play of emotions, the hackers manipulate at precisely the moment when the human mind is switched off and curiosity, the fulfillment of duty, greed - or simply the desire for recognition - takes over. As part of its preparatory information gathering, the hacker uses publicly available data sources to research the target company and its employees. The focus here is on identifying employees who will later become the target of the social engineering attack. The first contact is also sometimes made via social networks and is subsequently intensified in order to tempt the victims into rash actions.
However, social engineers are by no means only digitally active. In industrial espionage, tailgating is at the top of the hacker agenda. Tailgating involves an attacker gaining physical access to areas of a company that are actually strictly sealed off. Access to the company building is gained via previously spied-out access points. In order to gain the trust of the employees, the social engineers pretend to be a service provider of the company's own IT, for example, with the aim of gaining PC access for the target persons. To do this, the attacker can pose as a craftsman who needs to check the heating in the executive suite or as an IT specialist who has been notified of a defect in the server room.
The placement of prepared data carriers (so-called "candy drop" method) in highly frequented locations is also already a preparatory measure for the later fictitious cyber attack. But once a "real hacker" has reached his first target and gained access to a network, the criminal's "real work" begins. With captured access data, he creates an initial bridgehead in the system, from which he moves laterally through the network, expanding his authorizations further and further. In this "installation phase", a fixed communication path is established in the victim's network. If the hacker remains undetected, this ultimately leads to the takeover of the Active Directory. The hackers use various tools to prepare for this, three of which are described in more detail below.
Three tools hackers use to take over compromised systems
In a majority of organizations, the operating system used is Microsoft Windows, centrally managed and controlled by the Active Directory (AD) directory service. The directory service makes it possible to replicate the structure of an organization and centrally manage the use of network resources or objects. With the help of Active Directory, an administrator can organize, provide and monitor the information of the objects. Individual business units are separated from each other by domains. Target in the focus of cybercriminals: Attack Active Directory and take over. Once they have successfully penetrated the network, in many cases it is done via a simple logon.
In fact, most Active Directory takeovers succeed because stolen identities and associated credentials are used. Once attackers have positioned themselves unnoticed on the network, they go on a targeted search for higher privileges until they finally get to the credentials of administrators or equally privileged users, which are often frighteningly poorly secured.
These three open source tools are used by hackers when attacking networks and stealing credentials:
1. LaZagne: The open source tool for convenient password search
LaZagne is available as a free tool and is designed to search Active Directory for stored passwords to user accounts. LaZagne is aware of existing security vulnerabilities in applications and the operating system and exploits them. The tool identifies passwords in email clients as well as in web browsers, databases or admin tools. In the hacker scene, LaZagne is also and above all popular because of its user-friendliness and ease of use. Once a password has been successfully discovered, the attackers can conveniently log in to the local network via the compromised user account.
2. Bloodhound: The tool for hijacking domain admin accounts
Bloodhound is another open source tool, available for free, designed specifically for attacks against Active Directories and the Microsoft Azure cloud computing platform. Bloodhound specifically finds existing vulnerabilities in the account management of passwords and permissions.
3. Mimikatz: Uncover unsecured passwords in a snap
Another open source tool, but one of the particularly dangerous kind: Mimikatz is considered by security experts to be one of the most threatening hacking tools. This is because Mimikatz is optimized to attack accounts that are not under special surveillance. These are mainly service accounts with extended privileges. Mimikatz can quickly and reliably read Kerberos tickets (for secure authentication in TCP/IP networks), gets hold of decrypted passwords from memory or unencrypted password hashes.
How organizations can protect themselves
There are three main strategic approaches to countering sophisticated social engineers and their sophisticated cyberattacks: Awareness, incident response readiness, and targeted threat hunting for early attack detection. Our cyber security experts recommend the following three security measures:
1) Social Engineering Audits
The purpose of conducting a social engineering audit is to check the security awareness of your company's employees. In principle, the execution of the social engineering audit is bound to fixed and clearly defined rules that meet both applicable laws and ethical requirements. The top priority of our experts is to protect the personal rights of employees. We achieve this by evaluating audit results on a statistical basis - affected employees remain anonymous. Employees' names are not mentioned in the Social Engineering Audit Report. Negative consequences or consequences under labor law for affected employees can generally be ruled out.
Social engineering audits are thus used to specifically check the "human vulnerability". The audits put the rules of conduct of all a company's employees in dealing with IT systems to the test - and at the same time are used to uncover weaknesses and sensitize employees in awareness training courses. In the course of the audit, concepts are developed that increase the company's internal IT security beyond the technical level. For this reason, our IT security experts recommend having corresponding social engineering audits performed regularly, not just once, but as part of an overall IT security concept, and also regularly reviewing security awareness measures that have already been implemented - and adapting them to the existing security risks if necessary.
2) Managed Detection and Response (MDR) solutions
Once cyber criminals have successfully gained access to a network, it is essential to detect them in time! With our Active Cyber Defense (ACD) service, we enable you to protect yourself from the consequences of cybercrime by detecting or identifying attackers on your network as early as possible, before they do any kind of damage. ACD is a fully managed service that proactively and continuously analyzes networks for anomalies, preventing communication of attackers to their Command & Control Servers (C&Cs).
This means that you do not need your own personnel resources for permanent monitoring and incident detection. Instead, our security analysts monitor the IT infrastructure around the clock for conspicuous activity and provide immediate information when action is required. ACD is implemented entirely as an on-premise solution. If action is required, the company's internal IT is informed immediately with recommendations for action. As a managed service, ACD therefore acts as an efficient early warning system that can be used to secure networks actively, proactively and permanently. All systems within a network are always monitored - from desktop computers to cell phones and tablets to IoT devices.
3) Incident Response Readiness
To ensure a targeted response in the event of an acute cyber attack, optimal preparation for this emergency is required. The prerequisite for a company's permanent incident response readiness is therefore the development and implementation of a comprehensive cyber defense strategy. This enables companies to detect and defend against complex attacks and thus sustainably increase their security status. Companies are provided with detailed guidelines, tools and processes to respond appropriately and effectively to a security incident.
Conclusion
The threat of cyber attacks is omnipresent. Whether large corporations or SMEs, hackers effectively exploit existing security vulnerabilities to penetrate networks and systems, carry out blackmail attempts, derive data or spy on company secrets. The biggest gateway is still the "human vulnerability". With targeted manipulation, hackers can also get into complex structures with the aim of taking over the admin. Regular awareness training for all employees is recommended for reliable protection against cyber attacks. In addition to an effective incident response readiness strategy, it is essential to use tools for early attacker detection. With ACD, Allgeier secion offers such a "Managed Detection and Response" service.
Need help upgrading your IT security for 2022? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.