Detecting & Mitigating

The US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) and other US and international partners have co-sealed Detecting and Mitigating Active Directory Compromises. The guide describes 17 common techniques malicious actors use to compromise Active Directory and recommends strategies for detecting and mitigating each of them.

The objective of malicious activity involving Active Directory is typically to escalate privileges and gain control of the domain by targeting its most privileged objects, such as members of the Domain Admins and Enterprise Admins security groups. Active Directory can also be misused to establish persistence, and some persistence techniques allow actors to log in to an organization remotely, even bypassing multi-factor authentication (MFA) controls.

Evicting the most determined malicious actors can require drastic action, ranging from resetting all users’ passwords to rebuilding Active Directory itself.  Responding to and recovering from malicious activity involving Active Directory is often time consuming, costly, and disruptive. 

Organizations are encouraged to implement the recommended mitigations to better protect Active Directory from malicious actors and to prevent them from compromising it. The guide also provides a security controls checklist and an overview of using canary objects (decoy Active Directory objects that no legitimate process should ever touch, so that any access to them is a high-signal alert) to detect some of the techniques it covers.
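The canary-object idea in the guide translates directly into detection logic. The Python script below is an added example, not code from the guide, from CISA/ASD, or from Red Sky Alliance. It assumes one common way to build a canary: a decoy service account (so any Kerberos service-ticket request for it, Windows Security Event ID 4769, is suspicious) that also carries a SACL so reads of the object are audited as Event ID 4662. The account name, distinguished name, and the exported log lines are all constructed for the example; the field names (ServiceName, TargetUserName, IpAddress, SubjectUserName, ObjectName) are the standard ones those two events carry.

```python
"""Added example: flag any access to Active Directory canary objects.

Scans a 'Key: Value' export of Windows Security events for
  * Event ID 4769 (Kerberos service ticket requested) whose ServiceName
    is a canary service account, and
  * Event ID 4662 (operation performed on an AD object) whose ObjectName
    is a canary object (needs a SACL on that object to be logged).
All names and log lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Hypothetical canary identifiers; replace with your own decoy objects.
CANARY_SERVICE_ACCOUNTS = {"svc-canary"}                            # 4769 ServiceName
CANARY_OBJECTS = {"CN=svc-canary,OU=Canaries,DC=corp,DC=example"}   # 4662 ObjectName


@dataclass(frozen=True)
class Alert:
    event_id: int
    actor: str        # requesting principal (TargetUserName / SubjectUserName)
    source: str       # client address for 4769, '-' where the event has none
    canary: str       # which canary object was touched


def parse_event(text):
    """Turn one 'Key: Value' event dump into a dict; EventID becomes an int."""
    fields = dict(re.findall(r"^\s*(\w+):\s*(.*?)\s*$", text, re.MULTILINE))
    fields["EventID"] = int(fields["EventID"])
    return fields


def check_event(ev):
    """Return an Alert if this event touches a canary, otherwise None."""
    eid = ev["EventID"]
    if eid == 4769 and ev.get("ServiceName") in CANARY_SERVICE_ACCOUNTS:
        return Alert(4769, ev.get("TargetUserName", "?"),
                     ev.get("IpAddress", "-"), ev["ServiceName"])
    if eid == 4662 and ev.get("ObjectName") in CANARY_OBJECTS:
        return Alert(4662, ev.get("SubjectUserName", "?"), "-", ev["ObjectName"])
    return None


def scan(events_text):
    """Split a blank-line separated export into events and collect alerts."""
    alerts = []
    for chunk in re.split(r"\n\s*\n", events_text.strip()):
        alert = check_event(parse_event(chunk))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample export: a benign ticket request for a DC, a ticket
# request for the canary account, and a read of the canary object.
SAMPLE_EVENTS = """\
EventID: 4769
TargetUserName: alice@CORP.EXAMPLE
ServiceName: DC01$
IpAddress: ::ffff:10.0.0.25
TicketEncryptionType: 0x12

EventID: 4769
TargetUserName: bob@CORP.EXAMPLE
ServiceName: svc-canary
IpAddress: ::ffff:10.0.0.77
TicketEncryptionType: 0x17

EventID: 4662
SubjectUserName: bob
ObjectName: CN=svc-canary,OU=Canaries,DC=corp,DC=example
Properties: Read Property
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT event {a.event_id}: {a.actor} from {a.source} touched {a.canary}")
```

Because a canary is never used legitimately, the rule needs no baselining or thresholds: a single hit is enough to open an incident, which is what makes canary objects cheap to run alongside noisier Active Directory detections.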

Link to full Guide: PROTECT-Detecting-and-Mitigating-Active-Directory-Compromises.pdf

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424
