Active Directory audits
Microsoft Active Directory is a central building block of the information system of most companies. An Active Directory domain controller is a prime target for an attacker since, once it is compromised, the attacker has access to corporate resources. Whether as part of a routine audit or following a known compromise, it is essential that Active Directory security be analyzed, and this analysis must be repeated on a recurring basis.
Such an analysis reduces the attack surface and lowers the risk of abuse, including privilege escalation and the persistence of an attacker within the information system.
This specific audit combines a configuration audit with an offensive Active Directory audit.
The security audit of the Active Directory environment is carried out using the “configuration audit” approach, i.e. the auditor is in possession of a privileged domain access account with the aim of checking the configuration and determining whether the technical implementation of the target environment complies with good security practices and does not present a risk to the information system.
In parallel with the configuration audit, the offensive approach comprises a Black Box phase (without a user account) followed by a Gray Box phase (with a user account). During this work, Synetis will seek, by way of illustration, to carry out MitM attacks through LLMNR/NBNS or DHCPv6 poisoning, to perform lateral movement, to escalate privileges, etc.
The approach proposed by Synetis (configuration audit work in parallel with offensive AD tests) allows a detailed analysis of the configuration of the Active Directory: Domain Controllers, GPOs, services, AD structure, permissions, privileged accounts, etc. From this analysis, a precise roadmap can be drawn up to significantly increase the overall security of the audited Active Directory domain.