
Microsoft Active Directory

Product
Developers: Microsoft
Last Release Date: 2022/08/25
Technology: Server platforms

Active Directory is an LDAP-compatible implementation of Microsoft's directory service for the Windows NT family of operating systems.

Anatomy of an Active Directory attack

2022

MagicWeb malware used for post-compromise access to Active Directory

The attackers behind the SolarWinds supply-chain attack have begun using the MagicWeb malware post-compromise to maintain persistent access to compromised environments and to perform lateral movement. This became known on August 25, 2022.

Microsoft researchers discovered how the Nobelium APT group deploys the backdoor after gaining administrator rights on an Active Directory Federation Services (AD FS) server. With that privileged access, the attackers replace a legitimate DLL with a malicious MagicWeb DLL, so the malware is loaded on the AD FS server as if it were legitimate software.

Illustration: securitylab.ru

Like domain controllers, AD FS servers can authenticate users. MagicWeb facilitates authorization for the attackers by allowing the claims in AD FS authentication tokens to be manipulated; in this way the hackers can authenticate on the network.

MagicWeb is an improved iteration of FoggyWeb, a specialized tool used earlier that also provided a strong foothold inside victims' networks, Microsoft said.

MagicWeb goes beyond FoggyWeb's data-collection capabilities by providing direct covert access. It manipulates the user authentication certificates used for authorization rather than the signing certificates used in Golden SAML-type attacks.

According to Microsoft's bulletin, as of August 2022 the use of MagicWeb is highly targeted, and no victims of this software have been reported[1].
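A defender-side check for the mechanism described above (a legitimate DLL on the AD FS server replaced by a malicious one). This PowerShell script is an added example, not code from the original article or from Microsoft; it assumes the default AD FS and .NET assembly directories under %SystemRoot% and treats only validly Microsoft-signed DLLs as expected.

```powershell
# Added example (not from the original article): inventory DLLs in the AD FS
# install directory and the .NET Global Assembly Cache on an AD FS server and
# flag any that are unsigned, have a broken signature, or are signed by
# someone other than Microsoft. The paths are assumed Windows Server defaults.
$paths = @(
    "$env:SystemRoot\ADFS",
    "$env:SystemRoot\Microsoft.NET\assembly",
    "$env:SystemRoot\assembly"
)

$findings = foreach ($p in $paths) {
    if (-not (Test-Path -Path $p)) { continue }
    Get-ChildItem -Path $p -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # A valid Microsoft signature is the expected state: nothing to report.
            if ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*') { return }
            [pscustomobject]@{
                Path          = $_.FullName
                SigStatus     = $sig.Status
                Signer        = $signer
                LastWriteTime = $_.LastWriteTime
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest modifications first: a recently written, unsigned or third-party-signed
# DLL in these locations warrants comparison against a known-good AD FS server.
$findings | Sort-Object -Property LastWriteTime -Descending | Format-Table -AutoSize
```

Legitimate third-party components (for example MFA adapters) can also appear in the output, so treat the list as a starting point for comparison with a trusted baseline rather than as a verdict.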

Emergency fix for an authorization problem

On May 20, 2022, it became known that Microsoft had released out-of-band (OOB) fixes for a Windows authorization problem with Active Directory (AD) that it had been working on since May 12, 2022. The problem appeared after the Windows updates released on the May 2022 Patch Tuesday were installed on domain controllers. Servers running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP) experienced authorization failures on the server or client side. The problem was related to how the domain controller handled certificate-to-device mapping data.

As reported, the Windows OOB updates are available only through the Microsoft Update Catalog and will not be distributed through Windows Update.

The company has released the following cumulative updates for installation on domain controllers:

Updates have also been released that have nothing to do with the problem:

All updates in the list can be imported manually into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. Instructions for WSUS can be found on the WSUS page, and for Configuration Manager on the page about importing updates from the Microsoft Update Catalog[2].

2019: Expertise package loaded into MaxPatrol SIEM to detect anomalies in user activity in Active Directory

On April 10, 2019, Positive Technologies announced that an expertise package had been loaded into MaxPatrol SIEM that allows anomalies in user activity in Microsoft Active Directory to be detected. Read more here.

2011

Active Directory lets administrators use Group Policy Objects (GPOs) to keep the configuration of users' working environments uniform, to deploy software to many computers (through group policies or through Microsoft Systems Management Server 2003, later System Center Configuration Manager), and to install OS, application and server software updates on all computers on the network (using Windows Server Update Services (WSUS), previously Software Update Services (SUS)).

Active Directory stores environment data and settings in a centralized database.

Information systems consist of a variety of different hardware and software. Managing such disparate information is becoming increasingly difficult without specialized tools. Active Directory Domain Services is a centralized repository of configuration information, authentication requests, and all objects stored in the enterprise forest.

With Active Directory, you can effectively manage users, computers, groups, printers, applications, and other directory-service objects from a single, secure, centralized location. Gennady Efimov, a specialist at Krechet, described the migration procedure using the specific example of an implemented project, gave the necessary recommendations, shared his advice and experience, and helped the attendees identify the reasons for migrating to Active Directory 2008 R2 and justify the need for it to management.

Notes

  1. [https://www.securitylab.ru/news/533551.php The APT group behind the attack on SolarWinds uses the MagicWeb malware to post-compromise Active Directory]
  2. Microsoft urgently fixes the authorization problem in Windows AD