Active Directory (AD) is a standard tool used by most organizations to regulate users and machines accessing the company’s resources. However, it can be both a blessing and a curse: as the central repository for all the information relating to the network – credentials, users, computers, applications, and so on – AD is essential to the day-to-day running of the business.
Every computer on the company’s network must, therefore, have some level of access to AD for the network environment to function correctly.
Having all this information in one place, however, means it is also a highly prized target for threat actors, as any compromised endpoint gives an attacker access to this central repository. Once attackers compromise AD, they can gain insight and access to the network, providing them with critical information on which accounts to target so that they can advance their attack. Defenders know this and have tried to craft secure practices to protect AD.
These best practices include having separate administrator accounts per person and tiers of access to limit the ability of a single compromised account to create havoc. In addition to these best practices, they also run Red Team exercises, and other forms of monitoring to look for anomalous behaviours. It is inherently tricky balancing this need for with preventing unauthorized access. As such, it is hard to lock down an AD server from an attacker using automated tools that can quickly enumerate it and find the information they are seeking.