Attivo Networks Blogs

CERT Alert AA20-302A: Who is Pinging Your Domain Controllers?

Reading Time: 2 minutes  |  Published: October 29, 2020 in Active Directory, Blogs

Author: Venu Vissamsetty, Founding Engineer at Attivo Networks – Organizations are facing ransomware threats daily. The older ransomware strains only encrypted the local infected system, which limited the damage caused to an organization. The newer ransomware variants use self-propagating techniques to move laterally and spread across the network, crippling the entire organization.

 

CERT has released an alert (AA20-302A) on “Ransomware Activity Targeting the Healthcare and Public Health Sector.” This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain.

 

According to the CERT alert, Ryuk actors will quickly map the network to enumerate the environment to understand the infection’s scope. To limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory. The group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) to move laterally throughout the network. The group also uses third-party tools, such as Bloodhound.

 

Additional research published by DFIR and Sophos on Ryuk indicates that they perform discovery activities after establishing an initial foothold.  As part of the discovery process, attackers ping and locate domain controllers using living off the land tools.

Active Directory Protection with ADSecure:

ADSecure prevents and conceals the discovery of sensitive information from Active Directory, provides real-time insights into attackers Active Directory discovery methods, and prevents attacks from moving laterally inside the network.

ADSecure Protection Best Practices:

  • Deploy ADSecure on all windows endpoints which can access domain controllers from inside the network or across VPN segments.
  • Deploy ADSecure on Citrix VDI infrastructure managed by domain controllers on-premise, in Citrix cloud, or public cloud providers like Azure, AWS, GCP, and others.
  • Configure ADSecure to conceal production domain controllers from attackers, provide deceptive controllers domain names, IP addresses and get real-time visibility into who is targeting your organization domain controllers.
  • Configure ADSecure to conceal and prevent attackers from discovering members of the “domain admins” and “enterprise admins” groups. Get real-time visibility into who is discovering privilege group members from Active Directory.
  • Configure ADSecure to conceal “local administrators” on endpoints. Get real-time visibility into who is discovering local administrators on compromised endpoints.
  • Configure ADSecure to conceal critical software distribution and management systems, CI/CD systems, and others in Active Directory. Attackers can target systems like Microsoft SCCM, Jenkins, and more and deploy ransomware across the organization.

Additional Resources:

No Comments

Post A Comment

2 + 3 =