Yanluowang Ransomware: Protecting Active Directory
Authored by: Venu Vissamsetty, VP of Security Research – Yanluowang is the latest targeted ransomware attack that enumerates Active Directory. It uses tools such as AdFind for domain reconnaissance, and the results of that reconnaissance are used to escalate domain privileges and deploy ransomware across the organization.
Active Directory provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication for domain-joined systems. Attackers know that Active Directory holds the domain's privilege assignments and credential material, making it a high-value target for their attacks.
MITRE ATT&CK categorizes "Permission Groups Discovery" (T1069) as one of the discovery techniques attackers commonly use, with three sub-techniques:
- Local Groups Discovery (T1069.001)
- Domain Groups Discovery (T1069.002)
- Cloud Groups Discovery (T1069.003)
From any domain-joined system, an attacker can enumerate Active Directory groups and their members with the AdFind tool using commands such as the following. No special privileges are required: by default, any authenticated domain user can read group membership over LDAP, which is what makes this a reliable first step toward privilege escalation.
Finding Active Directory group membership:
AdFind -f "objectcategory=group" returns every group in Active Directory together with its attributes, including the member attribute that lists the group's members.
Find all Groups and Users that have adminCount = 1 (adminSDholder)
AdFind -default -f "(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))" -dn
The adminCount attribute is set to 1 on accounts and groups whose security descriptor is managed by the AdminSDHolder object (the SDProp process periodically copies the ACL of AdminSDHolder onto them). This query therefore gives an attacker a ready-made list of the domain's privileged principals, and an attacker who gains write access to AdminSDHolder's ACL can use it to maintain persistent control over those accounts and groups.
Finding domain administrators:
AdFind -f "(&(objectcategory=group)(cn=Domain Admins))" member
Note that the LDAP filter must be enclosed in parentheses: "(&(objectcategory=group)(cn=Domain Admins))" returns the member attribute of the Domain Admins group, i.e. the list of domain administrator accounts.
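The three commands above differ only in their LDAP filters, so a defender can reason about them the same way the directory does: parse the filter and look at which attributes it selects. The following example (added here; it is not Attivo's code and not part of AdFind) pulls the -f argument out of adfind.exe command lines as they appear in process-creation telemetry, parses it as an RFC 4515 filter tree, and flags queries that enumerate privileged groups or AdminSDHolder-protected accounts (ATT&CK T1069.002). The hostnames, user names and command lines in SAMPLE_EVENTS are constructed for this example, and the list of PRIVILEGED_GROUPS is an assumption you would tune for your own domain.

```python
"""Spot AdFind-style Active Directory reconnaissance in process-creation logs.

Added example (not Attivo's code and not part of AdFind). Sample events are
constructed; PRIVILEGED_GROUPS is an assumed starting list.
"""
import re

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators", "backup operators"}

ADFIND_BIN = re.compile(r"(?i)(?:^|[\\/\s])adfind(?:\.exe)?(?=\s|$)")
FILTER_ARG = re.compile(r'(?i)\s-f\s+(?:"([^"]*)"|(\S+))')

# Constructed sample in the shape of Sysmon Event ID 1 / Security 4688 fields.
SAMPLE_EVENTS = [
    {"host": "WKS-114", "user": "CORP\\jdoe",
     "cmd": 'adfind.exe -f "objectcategory=group"'},
    {"host": "WKS-114", "user": "CORP\\jdoe",
     "cmd": 'AdFind.exe -default -f "(&(|(&(objectCategory=person)(objectClass=user))'
            '(objectCategory=group))(adminCount=1))" -dn'},
    {"host": "WKS-114", "user": "CORP\\jdoe",
     "cmd": 'adfind.exe -f "(&(objectcategory=group)(cn=Domain Admins))" member'},
    {"host": "WKS-207", "user": "CORP\\asmith",
     "cmd": 'adfind.exe -f "(&(objectcategory=person)(samaccountname=asmith))" mail'},
    {"host": "SRV-DC01", "user": "CORP\\svc-backup",
     "cmd": "C:\\Windows\\System32\\ntdsutil.exe"},
]


def parse_filter(text):
    """Parse an LDAP filter into ('&'|'|', [kids]), ('!', kid) or ('=', attr, value)."""
    text = text.strip()
    if not text.startswith("("):       # AdFind also accepts a bare "attr=value" filter
        text = f"({text})"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data in filter at offset {pos}")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":                     # AND / OR: one or more nested filters
        kids, i = [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if op == "!":                      # NOT: exactly one nested filter
        kid, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", kid), i + 1
    end = s.index(")", i)              # RFC 4515 escapes a literal ')' as \29, so this ends the leaf
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.rstrip("<>~").strip().lower(), value.strip()), end + 1


def leaves(node):
    """Yield every (attr, value) comparison leaf in a parsed filter."""
    if node[0] == "=":
        yield node[1], node[2]
    elif node[0] == "!":
        yield from leaves(node[1])
    else:
        for kid in node[1]:
            yield from leaves(kid)


def classify_filter(filter_text):
    """Return (severity, reasons) describing how sensitive an LDAP filter is."""
    try:
        pairs = list(leaves(parse_filter(filter_text)))
    except (ValueError, IndexError):
        return "medium", ["unparseable LDAP filter, inspect manually"]
    narrowing = {a for a, _ in pairs} - {"objectcategory", "objectclass"}
    reasons = []
    for attr, value in pairs:
        v = value.lower()
        if attr == "admincount" and v == "1":
            reasons.append("T1069.002: adminCount=1 selects AdminSDHolder-protected accounts and groups")
        elif attr == "cn" and v in PRIVILEGED_GROUPS:
            reasons.append(f"T1069.002: reads membership of privileged group '{value}'")
        elif attr == "objectcategory" and v == "group" and not narrowing:
            reasons.append("T1069.002: bulk enumeration of every domain group")
    if reasons:
        return "high", reasons
    return "low", ["targeted query, no privileged groups or adminCount"]


def extract_filter(cmd):
    """Return the argument passed to -f (quoted or bare), or None if absent."""
    m = FILTER_ARG.search(cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(events):
    """Return one alert per AdFind execution found in the events."""
    alerts = []
    for ev in events:
        if not ADFIND_BIN.search(ev["cmd"]):
            continue
        flt = extract_filter(ev["cmd"])
        if flt is None:
            severity, reasons = "medium", ["adfind run without -f, default object dump"]
        else:
            severity, reasons = classify_filter(flt)
        alerts.append({"host": ev["host"], "user": ev["user"], "severity": severity,
                       "filter": flt, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']:<6}] {alert['host']} {alert['user']}: {alert['reasons']}")
```

Matching on the process name is the weak half of this check: attackers routinely rename adfind.exe. The filter classification does not depend on the binary name, so the same classify_filter logic can be applied to LDAP query telemetry collected on the domain controllers themselves (for example NTDS Event ID 1644 search logging, which records the filter), which is the vantage point from which AdFind, BloodHound and a hand-written LDAP client all look the same.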
The Attivo Networks ThreatDefend® platform provides real-time visibility into attacker attempts to discover permissions, and can restrict Active Directory enumeration so that users who have no need to query privileged users or group permissions cannot discover them. The image below shows details of an AdFind reconnaissance attempt.
Attivo Networks offers a series of identity detection and response (IDR) solutions to protect against identity-based attacks such as the Yanluowang ransomware, one of which is the ADSecure solution. As AD is central to enterprise identities, ADSecure is designed to protect against tools such as AdFind, BloodHound, and others that target AD data. It detects unauthorized attempts to mine AD for data and to extract sensitive or privileged credentials and objects for use in an attack. Furthermore, ADSecure responds with misinformation to misdirect attackers away from production assets, presenting them with fake results that lead to a decoy environment. This tactic derails the attack and provides an early warning of the activity, so the organization can respond to the ransomware before it spreads and causes excessive damage.
As more ransomware attackers leverage AD for discovery, target acquisition, credential theft, privilege escalation, and lateral movement, organizations should consider adopting IDR solutions that protect against identity-based attacks.