Active Directory Malware Defense

  • I came across a virus the other day, and I am just brainstorming how it could have been prevented or mitigated. The virus infected a computer, and started looking for AD user names by looking at folder names in C:\Users. It would then attempt to spread to other local computers and repeat. It kept spreading and brute forcing login attempts with these user names and slowly locking out all user accounts. Critical systems were not affected, and this variation was not caught by anti-virus software when it first hit. The question becomes, what if critical systems were hit? What can you change from a design standpoint that would help prevent this kind of attack? My first thought is maybe having a separate domain for critical systems that has a one-way trust to the primary domain. My other thought is critical systems shouldn't rely on active directory, but that seems counter intuitive. I just wanted to open up a chat about what best practices exist for mitigating internal brute force attacks.

  • My guess would be process monitoring and killing of said processes.

    I've read about a few different services that search for this kind of behavior and will kill off processes that attempt this, but can't recall their names off hand.

  • Off the top of my head, the following are the first things that come to mind:

    • User Education

    • App white listing

    • central syslog and/or intrusion detection (OSSIM)

    That's the short list. Antivirus just can't keep up today. Also, app white listing sounds more of a pain than it really is. Just about every web browser that would automatically run something is going to drop the nasty in a very limited number of locations. I just disabled programs from running in those directories... now granted, I'm only dealing with 3 Windows workstations anymore, but no trouble yet, knocks on wood.
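    The "central syslog and/or intrusion detection" item above is where the worm described in the opening post is easiest to catch: one infected workstation produces failed logons (Windows event 4625) against many different accounts in a short window, which a human mistyping one password never does. The following is an added example, not code from this thread or any product mentioned in it; the log format and sample lines are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows security events (4625 = failed logon,
# 4740 = account locked out). These lines are made up for this example.
SAMPLE_LOGS = """\
2024-01-10T09:00:01 EventID=4625 Workstation=WS-FIN-07 TargetUserName=alice
2024-01-10T09:00:02 EventID=4625 Workstation=WS-FIN-07 TargetUserName=bob
2024-01-10T09:00:02 EventID=4625 Workstation=WS-FIN-07 TargetUserName=carol
2024-01-10T09:00:03 EventID=4625 Workstation=WS-FIN-07 TargetUserName=dave
2024-01-10T09:00:04 EventID=4625 Workstation=WS-FIN-07 TargetUserName=erin
2024-01-10T09:00:05 EventID=4740 Workstation=WS-FIN-07 TargetUserName=alice
2024-01-10T09:00:09 EventID=4625 Workstation=WS-HR-02 TargetUserName=frank
2024-01-10T09:15:00 EventID=4625 Workstation=WS-HR-02 TargetUserName=frank
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Workstation=(?P<host>\S+) TargetUserName=(?P<user>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, event_id, host, user) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]), m["host"], m["user"])


def spraying_hosts(text, window=timedelta(minutes=5), min_users=4):
    """Return {host: sorted distinct users} for every source host whose failed logons
    hit at least `min_users` different accounts inside any `window`.
    A single user fat-fingering a password touches one account; the worm touches many."""
    failures = defaultdict(list)  # host -> [(timestamp, user), ...]
    for ts, eid, host, user in parse_events(text):
        if eid == 4625:
            failures[host].append((ts, user))
    flagged = {}
    for host, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[host] = sorted(users)
                break
    return flagged
```

Once a host is flagged, the natural response is to isolate that workstation at the switch or firewall rather than wait for the lockouts to pile up; the 4740 lockout events are the lagging signal, the burst of 4625s from one host is the leading one.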

  • I feel like I just posted this, oh wait, I did. LAN-based security and Active Directory are points of vulnerability here. Not that other things don't carry their own risks. But AD is an old technology and isn't well prepared for this type of security problem.

    Youtube Video

  • @s.hackleman said in Active Directory Malware Defense:

    My other thought is critical systems shouldn't rely on active directory, but that seems counter intuitive.

    Or it seems totally obvious. Depends on your perspective. Doesn't seem counter-intuitive to me whatsoever.

  • @scottalanmiller I sat down when this was first posted and watched the whole thing. I know the future is heading in this direction, I guess it didn't sink in until witnessing it first hand and seeing how real a threat like this can be.