Securing Active Directory for the Five Eyes

New Zealand’s National Cyber Security Centre (NCSC) has joined the Australian Signals Directorate and the US, UK and Canada to release joint guidance that aims to inform organisations about 17 common techniques used to target Active Directory, as observed by the authoring agencies.

The paper provides an overview of each technique and how it can be leveraged by malicious actors, as well as recommended strategies to mitigate these techniques.

Microsoft’s Active Directory is the most widely used authentication and authorisation solution in enterprise information technology (IT) networks globally. Active Directory's pivotal role in authentication and authorisation makes it a valuable target for malicious actors. It is routinely targeted as part of malicious activity on enterprise IT networks. 

Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships and permissions, support for legacy protocols, and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory.

Responding to and recovering from malicious activity involving Active Directory compromise is often time-consuming, costly, and disruptive. Therefore, organisations are encouraged to implement the recommendations within this guidance to better protect Active Directory from malicious actors and prevent them from compromising it.

“For many organisations, Active Directory consists of thousands of objects interacting with each other via a complex set of permissions, configurations and relationships. Understanding object permissions and the relationships between those objects is critical to securing an Active Directory environment,” the agencies note, and the paper lists some tools that can be used to that end.

The full guide is available HERE