
Yanluowang Ransomware – Protecting Against Active Directory


Authored by: Venu Vissamsetty, VP of Security Research – Yanluowang is the latest targeted ransomware attack that enumerates Active Directory. It uses tools like AdFind to perform domain reconnaissance, escalate domain privileges, and deploy ransomware across the organization.

Active Directory provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication for domain-joined systems. Attackers know that Active Directory holds all privileges and credentials, making it a high-value target for their attacks.

MITRE ATT&CK also categorizes “Permission Groups Discovery” (T1069) as one of the discovery methods commonly used by attackers; it contains sub-techniques for

  • Local Groups Discovery (T1069.001)
  • Domain Groups Discovery (T1069.002)
  • Cloud Groups Discovery (T1069.003)

Attackers can discover Active Directory groups, group members, and related objects from any domain-joined system using the AdFind tool, and use that information to plan privilege escalation. The following commands show the queries involved.

Finding Active Directory group membership:

AdFind -f "objectcategory=group" will list all groups in Active Directory along with their members.

Finding all groups and users that have adminCount = 1 (AdminSDHolder-protected objects):

AdFind -default -f "(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))" -dn

The AdminSDHolder mechanism marks privileged accounts and groups with adminCount = 1, so this query gives attackers a ready list of the user accounts and groups they can target to take control of the Active Directory environment.

Finding domain administrators:

AdFind -f "&(objectcategory=group)(cn=Domain Admins)" member

The Attivo Networks ThreatDefend® platform provides real-time visibility into attacker attempts to discover permissions while restricting Active Directory enumeration to users who need it, preventing others from discovering privileged Active Directory users or group permissions. The image below shows details of an AdFind reconnaissance attempt.
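As an added illustration of the kind of detection described here (example code, not part of this post or of the ThreatDefend product), the following Python matches the three AdFind filters shown above against collected LDAP query records and raises an alert when one client/user pair trips more than one signature. The record format (client, user, filter) and the sample records are constructed for the example; how filters are collected (DC diagnostic logging, an LDAP proxy) is assumed and not shown.

```python
import re
from collections import defaultdict

# Recon signatures derived from the AdFind queries discussed on this page,
# mapped to the MITRE sub-technique they correspond to (T1069.002).
# Filters are normalized (lowercased, whitespace removed) before matching.
RECON_RULES = [
    ("T1069.002", "enumerate all domain groups", re.compile(r"^\(objectcategory=group\)$")),
    ("T1069.002", "enumerate AdminSDHolder-protected objects", re.compile(r"\(admincount=1\)")),
    ("T1069.002", "resolve privileged group membership",
     re.compile(r"\(cn=(domain|enterprise|schema)admins\)")),
]

# Constructed sample records in a hypothetical simplified shape.
SAMPLE_QUERIES = [
    {"client": "10.0.5.23", "user": "CORP\\jsmith", "filter": "(objectcategory=group)"},
    {"client": "10.0.5.23", "user": "CORP\\jsmith",
     "filter": "(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))"},
    {"client": "10.0.5.23", "user": "CORP\\jsmith", "filter": "(&(objectcategory=group)(cn=Domain Admins))"},
    {"client": "10.0.7.9", "user": "CORP\\svc-backup", "filter": "(&(objectClass=user)(sAMAccountName=svc-backup))"},
]

def normalize(ldap_filter: str) -> str:
    """Canonicalize a filter so attribute/value casing and spacing do not evade matching."""
    return re.sub(r"\s+", "", ldap_filter).lower()

def classify(ldap_filter: str) -> list:
    """Return the (technique, description) pairs whose signature the filter matches."""
    f = normalize(ldap_filter)
    return [(tech, desc) for tech, desc, pat in RECON_RULES if pat.search(f)]

def scan(records: list, threshold: int = 2) -> dict:
    """Group signature hits per (client, user); alert on sources with >= threshold distinct hits."""
    hits = defaultdict(set)
    for rec in records:
        for _tech, desc in classify(rec["filter"]):
            hits[(rec["client"], rec["user"])].add(desc)
    return {src: sorted(descs) for src, descs in hits.items() if len(descs) >= threshold}

if __name__ == "__main__":
    for (client, user), descs in scan(SAMPLE_QUERIES).items():
        print(f"ALERT {client} {user}: {', '.join(descs)}")
```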

Attivo Networks offers a series of identity detection and response (IDR) solutions to protect against identity-based attacks such as the Yanluowang ransomware, one of which is the ADSecure solution. As AD is central to enterprise identities, the ADSecure solution is ideal for protecting against tools like AdFind, BloodHound, and others that target AD data. The solution detects unauthorized attempts to mine AD for data and to extract sensitive or privileged credentials and objects for use in attacks. Furthermore, the ADSecure solution responds with misinformation to misdirect attackers away from production assets by presenting them with fake results that lead to a decoy environment. This tactic derails the attack and provides an early warning of the activity, so the organization can respond quickly to the ransomware before it can spread and cause excessive damage.

As more ransomware attackers leverage AD for discovery, target acquisition, credential theft, privilege escalation, and lateral movement, organizations should consider adopting IDR solutions that protect against identity-based attacks.
