[This is part one of a two-part series to describe how CounterCraft deception technology can be used to protect Microsoft Active Directory]

Microsoft Active directory is really the default enterprise network operating system. It’s everywhere. It is where we store all our network, user and infrastructure data. To quote the O’Reilly big book of “Active Directory”¹:

“Active Directory enables administrators to manage enterprise-wide information efficiently from a central repository that can be globally distributed. Once information about users and groups, computers and printers, applications and services has been added to Active Directory, it can be made available for use throughout the entire enterprise…”

Being a single, global repository for so much network information makes Active Directory (AD) a very obvious target. The purpose of this blog post is to describe an example of how deception technology can be used to detect (and therefore control) an attacker as they attempt to breach your AD installation.

To begin with, let’s set out the stall. Throughout this post we will talk about Production and Deception Environments. To be clear, the Production environment is your standard IT infrastructure. It is all the endpoints, servers and services that run in your organisation. The Deception Environment is a fake environment built by you with the sole purpose of enticing would-be attackers, not a realistic and credible simulation of your production systems. It includes all the deception hosts and services created to spoof the attacker. In this example, we will make a basic assumption that an endpoint has been already compromised. This means functional domain credentials – a username and password – have been obtained by the attacker.

This second assumption is that the attacker will follow the commonest attack-tree, or adversary activity map, for this scenario, which is as follows:

  1. Compromise of a production endpoint – e.g. a user workstation.
  2. The attacker then tries to identify users and credentials for the domain (this is also known as Local Domain Mapping).
  3. The next step is to attempt to enumerate users, domains and policies from the domain controller (also known as LDAP reconnaissance).
  4. Obtain credentials located in the local machine, also known as Credential Theft.

These are common steps taken by any attacker trying to compromise an AD installation. We are talking about the attack stages defined by the Mitre ATT&CK Matrix from “Execution” to “Collection”.

Deception technology can be deployed to detect this activity in three areas:

  1. Detect Enumeration of AD Credentials on Endpoints
  2. Detect Enumeration of AD Credentials on the Production AD Domain Controller
  3. Detecting Enumeration of AD Credentials in Shared Resources

Every area is crafted as part of a carefully structured Deception Campaign. This is deployed and managed from the CounterCraft Deception Director.

The different areas are explained in greater detail below:

Detecting Enumeration of Active Directory Credentials on Production Endpoints

To detect the enumeration of users and credentials, Endpoints are seeded with specific Breadcrumbs pointing to a fully instrumented deception AD Domain Controller (AD DC). Any attempt to interact with the deception AD DC will instantly be detected, and notifications sent by the CounterCraft Deception Director, to alert on the malicious activity.

Additionally, deception user credentials linked to the production AD DC are also placed on local machines. When they are used, the false credentials create an alert from the AD. Assuming that the production AD DC logs are collected by a SIEM, the CounterCraft Deception Director will take a log feed from the SIEM to enable generation of CounterCraft notifications. Alternatively, the AD DC can feed logs directly to the Deception Director.

The next part is to seed the Endpoints with deception credentials to deception services hosted on additional deception servers, located in a deception environment. Any lateral movement to these resources will be instantly detected and alerts sent by the Deception Director.

Detecting Enumeration of Active Directory Credentials on a Production Active Directory Domain Controller

The production AD DC is seeded with fake users, credentials and resources. If the attacker decides to ignore, or has not found, the Breadcrumbs that lead to the deception AD Domain Controller, and performs an enumeration of users, domains or policies of the production AD Domain Controller, these false credentials will be presented.

When the fake credentials are presented, an alert is raised from the AD DC. As before, this is typically reported via a log feed from the SIEM to the CounterCraft Deception Director. This also generates a CounterCraft notification.

Detecting Enumeration of AD Credentials in Shared Resources

A series of shared resources are presented that are seeded with additional Breadcrumbs. The Breadcrumbs lead the attacker to CounterCraft Deception Hosts within the deception environment. The shared resources will point away from the Production Environment entirely with the aim of increasing the dwell time of the attacker in the deception environment, all the while gathering more detailed data on their tools, techniques, procedures and more importantly, their motivation.

This concludes the first post. The next post will address the infrastructure required to achieve the steps we have spelled out here.

Reference: ¹ DESMOND, Brian; RICHARDS, Joe; ALLEN, Robbie & LOWE-NORRIS, Alaistair G. “ACTIVE DIRECTORY” – 5th Ed. O’Reilly, 2013

Read “Using Deception to Protect Active Directory Pt. 2” here

Author: Richard Barrell, Product Manager at CounterCraft.