From Misconfigurations to Major Breaches: What Penetration Testing Taught Us About Active Directory Security  

In the course of conducting penetration tests for various organisations, we’ve observed significant shifts in how environments are compromised. Traditional methods are no longer as effective as they once were, and attackers have adjusted their tactics accordingly. The lessons learned from these penetration tests offer valuable insights into the evolving landscape of cybersecurity, particularly regarding the vulnerabilities in Active Directory (AD). By understanding how testers are successfully breaching environments, organisations can better prepare and defend against real-world attacks. 

Lesson 1: Traditional Attack Methods Are Losing Their Edge

One of the first things we’ve noticed in recent penetration tests is that older techniques such as LLMNR/NBT-NS poisoning with Responder and Pass-the-Hash (PtH) are becoming less effective in well-secured environments. 

  • Responder 
    This tool, once a staple for capturing credentials through protocols like LLMNR and NBT-NS, is now frequently thwarted. Many clients have disabled these vulnerable protocols and improved their network segmentation, making it harder for us to capture useful credentials during tests. The takeaway here is that organisations that have implemented these basic security measures are far less susceptible to this type of attack. 
  • Pass-the-Hash (PtH) 
    While PtH can still be used in modern environments, the way it’s employed has changed dramatically. In the past, we might have spammed hundreds or even thousands of servers with a harvested hash to see which ones would grant us local admin access. However, this approach now triggers multiple alerts and is quickly detected by security teams. Today, PtH is used much more cautiously. For instance, when we obtain a hash, we carefully identify which specific server or domain administrator account it is most likely to authenticate with before attempting the attack. This selective use of PtH helps avoid detection and increases the chances of success. 

What You Can Learn

Organisations that stay ahead by disabling legacy protocols and adopting modern security features significantly reduce the risk of these traditional attacks. Regularly reviewing and updating your security posture to reflect the latest threats can prevent attackers from exploiting these once-common weaknesses. Additionally, monitoring for unusual network activity, such as a single account authenticating to many servers in a short period, can help detect and thwart PtH attacks. 

Lesson 2: Active Directory is the New Battleground

As traditional methods have become less reliable, Active Directory has emerged as the primary target for attackers. In nearly every recent penetration test where we’ve successfully gained domain admin access, Active Directory has been the focal point. 

  • Kerberoasting 
    During tests, we’ve often targeted service accounts within AD using Kerberoasting. By requesting service tickets for accounts that have a Service Principal Name and cracking them offline, we’ve gained access to accounts that sometimes have extensive privileges. The lesson here is that service accounts, often overlooked in security audits, can be a significant weak point. 
  • DCSync and DCShadow 
    These advanced techniques abuse AD replication: DCSync uses replication rights to pull credential data the way a domain controller would, and DCShadow registers a rogue domain controller to push malicious changes into the directory. What we’ve found is that environments lacking rigorous monitoring and logging of AD activities are particularly vulnerable to these attacks. 

What You Can Learn

Protecting Active Directory should be a top priority. Regularly review service accounts for unnecessary privileges, enforce strong password policies, and ensure that all AD activities are thoroughly monitored. Understanding and addressing AD-specific vulnerabilities can make the difference between a minor incident and a full-blown domain compromise. 
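The monitoring that the two takeaways above call for (one account authenticating across many servers from Lesson 1, and Kerberoasting and DCSync activity here) can be written down as detection logic over Windows Security events. The following Python is an added example, not code from MTI's post: it runs three simple rules over a constructed batch of event records (Event IDs 4624, 4769 and 4662, reduced to the fields the rules need) and returns what each would flag. The replication-right GUIDs and the 0x17 RC4 ticket encryption type are the real values those events carry; the host names, accounts, IP addresses and thresholds are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that appear in the Properties field of Event ID
# 4662 when directory replication is requested: DS-Replication-Get-Changes,
# -Get-Changes-All and -Get-Changes-In-Filtered-Set.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event ID 4769


def detect_pth_spray(events, window=timedelta(minutes=5), min_hosts=5):
    """Flag one account/source IP producing NTLM network logons (Event 4624,
    LogonType 3) on many distinct hosts inside a short window."""
    seen = defaultdict(list)  # (user, ip) -> [(time, host)]
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"] == "NTLM"):
            seen[(e["TargetUserName"], e["IpAddress"])].append((e["Time"], e["Computer"]))
    alerts = []
    for (user, ip), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "pth_spray", "user": user, "ip": ip, "hosts": len(hosts)})
                break
    return alerts


def detect_kerberoasting(events, min_services=3):
    """Flag one principal requesting RC4 service tickets (Event 4769, 0x17)
    for several distinct user-backed SPNs; computer accounts end in '$'."""
    per_user = defaultdict(set)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            svc = e["ServiceName"]
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                per_user[e["TargetUserName"]].add(svc)
    return [{"rule": "kerberoast", "user": u, "services": sorted(s)}
            for u, s in per_user.items() if len(s) >= min_services]


def detect_dcsync(events, dc_accounts):
    """Flag replication rights exercised (Event 4662) by any principal that is
    not a known domain-controller machine account."""
    return [{"rule": "dcsync", "user": e["SubjectUserName"]}
            for e in events
            if e["EventID"] == 4662
            and REPLICATION_RIGHTS & set(e["Properties"])
            and e["SubjectUserName"] not in dc_accounts]


def _t(minute, second=0):
    return datetime(2024, 1, 1, 9, minute, second)


# Constructed sample events (not real telemetry), reduced to the fields used.
SAMPLE_EVENTS = [
    # one account, one source IP, NTLM network logons on six hosts within a minute
    *[{"EventID": 4624, "Time": _t(0, 10 * i), "Computer": f"SRV{i:02d}",
       "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23",
       "LogonType": 3, "AuthenticationPackageName": "NTLM"} for i in range(6)],
    # ordinary interactive Kerberos logon, ignored
    {"EventID": 4624, "Time": _t(1), "Computer": "WS01", "TargetUserName": "alice",
     "IpAddress": "10.0.5.40", "LogonType": 2, "AuthenticationPackageName": "Kerberos"},
    # RC4 service tickets for three user SPNs requested by one principal
    *[{"EventID": 4769, "Time": _t(3), "TargetUserName": "bob@CORP.LOCAL",
       "ServiceName": s, "TicketEncryptionType": RC4_HMAC}
      for s in ("svc_sql", "svc_web", "svc_backup")],
    # AES ticket for a computer account, ignored
    {"EventID": 4769, "Time": _t(3), "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
    # replication by a DC (expected) and by a user account (DCSync-like)
    {"EventID": 4662, "Time": _t(4), "SubjectUserName": "DC02$",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "Time": _t(5), "SubjectUserName": "bob",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]


def run_all(events=SAMPLE_EVENTS, dc_accounts=frozenset({"DC01$", "DC02$"})):
    return (detect_pth_spray(events) + detect_kerberoasting(events)
            + detect_dcsync(events, dc_accounts))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Run as-is it returns one alert per rule. The thresholds (five hosts in five minutes, three SPNs) are starting points to tune against your own baseline, and the DCSync rule needs the list of real DC machine accounts fed in from the directory. DCShadow, which the text also mentions, leaves different traces (a rogue domain-controller object created in the Configuration partition) and needs its own rule rather than this replication-request check.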

Lesson 3: Misconfigurations in Active Directory Certificate Services (AD CS) Are a Growing Risk

Another significant lesson from recent penetration tests is the growing threat posed by misconfigurations in Active Directory Certificate Services (AD CS). AD CS is used to issue digital certificates that can authenticate users, devices, and services within an organisation. However, when misconfigured, AD CS can become a gateway for attackers to elevate privileges and gain unauthorised access. 

  • Vulnerable Certificate Templates 
    During penetration tests, we’ve found that many organisations have certificate templates that are improperly configured, allowing low-privilege users to request certificates that grant higher-level access. For instance, a low-privilege user might be able to request a certificate that authenticates as a domain administrator if the template is not properly secured. 
  • Misconfigured Enrolment Permissions 
    In some cases, we’ve encountered AD CS environments where the permissions to enrol for certain certificate templates are too broad. This allows attackers to obtain certificates that can be used for authentication and privilege escalation, even if they start with low-level access. 

What You Can Learn

Regularly audit your AD CS environment to ensure that certificate templates are correctly configured and that enrolment permissions are tightly controlled. Restrict certificate issuance to only those accounts that absolutely require it and enforce stringent access controls to prevent unauthorised certificate requests. 
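An audit of the kind this takeaway describes can be automated against the template attributes stored in AD. The Python below is an added example, not MTI's tooling: it checks each template for the two conditions described above (an authentication-capable template that broad groups can enrol for, and one where the requester additionally supplies the subject name with no approval step) and shows the corrected configuration beside the weak one. The attribute names, flag bits and EKU OIDs are the real ones from the pKICertificateTemplate schema; the template records, the "enroll" list (which stands in for the Enroll right in the template's security descriptor) and the group name PKI-VPN-Users are constructed for the example, and a real audit would first read the template objects from the Configuration partition.

```python
from copy import deepcopy

# Bit flags and OIDs from the pKICertificateTemplate schema. A real audit reads
# these attributes from CN=Certificate Templates in the Configuration
# partition; here the templates are constructed in-line.
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}


def allows_authentication(template):
    """A template with no EKU at all is unrestricted, so it counts as usable
    for authentication as well."""
    eku = template["pKIExtendedKeyUsage"]
    return not eku or bool(AUTH_EKUS & set(eku))


def audit_template(template):
    """Return the findings a defender would raise for one template."""
    findings = []
    name = template["cn"]
    if not allows_authentication(template):
        return findings  # cannot be used to log on, so broad enrolment is low risk
    broad = sorted(BROAD_PRINCIPALS & set(template["enroll"]))
    if broad:
        findings.append(f"{name}: authentication-capable template enrollable by {broad}")
    # manager approval or a required authorised signature puts a human in the loop
    needs_approval = (bool(template["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS)
                      or template["msPKI-RA-Signature"] > 0)
    supplies_subject = bool(template["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT)
    if broad and supplies_subject and not needs_approval:
        findings.append(f"{name}: requester chooses the subject name and no approval is required, "
                        "so a low-privilege account can obtain a certificate naming a privileged one")
    return findings


def harden_template(template, enroll_group):
    """Corrected configuration: subject built from AD, manager approval on,
    enrolment limited to one named group (enroll_group is the caller's choice)."""
    fixed = deepcopy(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~ENROLLEE_SUPPLIES_SUBJECT
    fixed["msPKI-Enrollment-Flag"] |= PEND_ALL_REQUESTS
    fixed["enroll"] = [enroll_group]
    return fixed


# Constructed templates (not exported from a real CA).
WEAK_USER_TEMPLATE = {
    "cn": "CorpUserLogon",
    "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll": ["Domain Users"],
}
WEB_SERVER_TEMPLATE = {
    "cn": "CorpWebServer",
    "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication only
    "enroll": ["Domain Computers"],
}


if __name__ == "__main__":
    for t in (WEAK_USER_TEMPLATE, WEB_SERVER_TEMPLATE,
              harden_template(WEAK_USER_TEMPLATE, "PKI-VPN-Users")):
        print(t["cn"], audit_template(t) or "OK")
```

The web-server template is deliberately left with the subject-supplied flag set: because its only EKU is Server Authentication it cannot be used to log on, so the audit stays quiet. The fix applied by harden_template is the one the takeaway describes: take the subject from AD rather than the request, put an approver in the loop, and cut the Enroll right down to the one group that needs it.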

Lesson 4: Misconfigurations Are Often the Gateway

In many penetration tests, the initial entry point or the key to escalation has been misconfigurations within the client’s environment. These misconfigurations, especially within Active Directory, often go unnoticed but can be easily exploited. 

  • Over-permissive Privileges 
    One common issue we encounter is users or service accounts with more privileges than they need. Attackers, once inside the network, can exploit these permissions to escalate their access. This is especially true in environments where permissions have been granted loosely over time without regular audits. 
  • Weak or Outdated Passwords 
    Despite widespread awareness, weak passwords—especially for service accounts—remain a significant issue. During tests, we’ve successfully cracked passwords that allowed us to escalate privileges quickly. 

What You Can Learn

Regular audits of account permissions and password policies are essential. Ensuring that privileges are assigned based on the principle of least privilege and that service accounts are properly secured can close off many common attack paths. 

Lesson 5: The Importance of Continuous Monitoring and Testing

One of the most critical lessons from our penetration tests is the importance of continuous monitoring and regular testing. In environments where robust monitoring is in place, our activities are often detected and stopped before we can achieve significant objectives. 

  • Anomaly Detection 
    Environments that use advanced monitoring tools capable of detecting unusual patterns in AD activities or network traffic are much harder to compromise. In tests, we’ve seen our activities flagged almost immediately in well-monitored environments, forcing us to change tactics or abandon the attempt. 
  • Regular Penetration Testing 
    Clients who regularly conduct penetration tests and follow through with remediation efforts present a much tougher challenge. These organisations are proactive in identifying and fixing vulnerabilities before attackers can exploit them.

What You Can Learn

Investing in continuous monitoring and regularly testing your defences through penetration tests is crucial. Not only does this help in detecting and stopping attacks in real time, but it also ensures that your security measures evolve with the threat landscape. 

Conclusion

The evolving tactics seen in penetration tests highlight the shift towards targeting Active Directory and the increasing complexity of modern attacks. Traditional methods are becoming less effective, but attackers are adapting by focusing on the core of your IT infrastructure—Active Directory and related services like AD CS. By learning from these penetration tests, organisations can better prepare for the threats they face. Strengthening AD security, addressing misconfigurations, and investing in continuous monitoring and testing are key steps in building a resilient defence against modern cyber threats.

Take the Next Step to Secure Your Environment

Ready to strengthen your defences against modern cyber threats? Our team at MTI specialises in penetration testing that uncovers the vulnerabilities others might miss. Don’t wait for an attack to expose your weaknesses—be proactive.

Contact us today to schedule a comprehensive penetration test and take control of your cyber security posture. Let’s secure your Active Directory and ensure your organisation is prepared for whatever comes next.