Joint guidance on detecting and mitigating Active Directory compromises

The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) and the following international partners in releasing cyber security guidance on mitigating Microsoft Active Directory compromises:

  • Cybersecurity and Infrastructure Security Agency (CISA)
  • National Security Agency (NSA)
  • New Zealand’s National Cyber Security Centre (NCSC-NZ)
  • United Kingdom Government Communications Headquarters (GCHQ)

Microsoft’s Active Directory is an authentication and authorization solution widely used in enterprise information technology networks globally. It’s a valuable target for threat actors, and if compromised, threat actors can gain privileged access to all of the systems and users that Active Directory manages. Responding to Active Directory attacks can be time consuming, costly and disruptive.

This guidance aims to provide prevention, detection and mitigation strategies for prevalent Active Directory compromises including:

  • Kerberoasting
  • AS-REP roasting
  • Password spray
  • MachineAccountQuota
  • Unconstrained delegation
  • Password in group policy reference
  • Active Directory certificate services
  • Golden certificate
  • DCSync
  • Dumping ntds.dit
  • Golden ticket
  • Silver ticket
  • Golden SAML
  • Microsoft Entra Connect
  • One-way domain trust bypass
  • SID history
  • Skeleton key
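As an added illustration of the first technique in the list (this is example code written for this page, not part of the joint guidance), the PowerShell below does a basic Kerberoasting exposure and detection check. The first function lists user accounts that carry a service principal name (the accounts whose service tickets can be requested and cracked offline) and flags those that still permit RC4, since RC4 ticket hashes crack far faster than AES ones. The second function reads Security event 4769 (Kerberos service ticket requested) and reports requesters that obtained RC4 (encryption type 0x17) tickets for many distinct non-computer service accounts in a short window, the classic roasting pattern. It assumes the RSAT ActiveDirectory module, read access to a domain controller’s Security log, and that the “Audit Kerberos Service Ticket Operations” subcategory is enabled; the function names and the threshold of five distinct SPNs are choices made for this example.

```powershell
# Added example, not from the joint guidance.
# Assumes: RSAT ActiveDirectory module; Security log read access on a DC;
# "Audit Kerberos Service Ticket Operations" enabled so 4769 events exist.

Import-Module ActiveDirectory

# 1. Exposure: any user account with an SPN is Kerberoastable. Flag those that
#    still allow RC4 (msDS-SupportedEncryptionTypes unset, or bit 0x4 set),
#    have old passwords, or are privileged (adminCount = 1).
function Get-KerberoastableAccounts {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, AdminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        # Unset (or 0) means the KDC typically falls back to RC4; 0x4 is RC4_HMAC.
        $allowsRc4 = (-not $enc) -or (($enc -band 0x4) -ne 0)
        $ageDays = if ($_.PasswordLastSet) {
            [int](New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).TotalDays
        } else { $null }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            SPNs            = ($_.ServicePrincipalName -join ';')
            AllowsRC4       = $allowsRc4
            PasswordAgeDays = $ageDays
            Privileged      = ($_.AdminCount -eq 1)
        }
    }
}

# 2. Activity: 4769 events where a single requester pulled RC4 (0x17) service
#    tickets for many distinct user (non-"$") service accounts.
function Find-KerberoastEvents {
    param([int]$Hours = 24, [int]$Threshold = 5)   # threshold chosen for this example
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } |
    ForEach-Object {
        # Pull the EventData fields out of the event XML by name.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requester = $d['TargetUserName']
            Service   = $d['ServiceName']
            EncType   = $d['TicketEncryptionType']
            Status    = $d['Status']
            Client    = $d['IpAddress']
        }
    } |
    Where-Object {
        $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
        $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt'
    } |
    Group-Object Requester |
    Where-Object { @($_.Group.Service | Sort-Object -Unique).Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Requester   = $_.Name
            DistinctSPN = @($_.Group.Service | Sort-Object -Unique).Count
            Clients     = (@($_.Group.Client | Sort-Object -Unique) -join ',')
            FirstSeen   = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

Get-KerberoastableAccounts | Sort-Object AllowsRC4, Privileged -Descending | Format-Table -AutoSize
Find-KerberoastEvents -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

The exposure list is the mitigation input: accounts it returns should move to group managed service accounts or long random passwords, and RC4 should be removed from msDS-SupportedEncryptionTypes once all clients of that service support AES, after which the detection rule on 0x17 tickets becomes high fidelity because legitimate RC4 requests no longer occur.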

By implementing this guidance, organizations can take the steps necessary to secure their enterprise directory services.

Read the joint guidance on mitigating Active Directory attacks.
