Active Directory Attacks Hit the Mainstream

Understanding the limitations of authentication protocols, especially as enterprises link cloud-service authentication to Active Directory, is essential for security teams in the modern federated enterprise.

There was a time when attacks against identity and authentication infrastructure were the domain of well-financed and, likely, state-backed threat actors. These groups crave persistence on critical networks and would invest heavily in tactics that would allow them not only a foothold on vital systems but also stealthy lateral movement from resource to resource.


Access to Active Directory and domain controllers, along with exploitation of known weaknesses in the Kerberos authentication protocol, was often key in these efforts, and for a long time required significant dwell time in order to, for example, forge Kerberos tickets and move about a network making seemingly legitimate service requests.


However, the advent of open source pen-testing tools such as Mimikatz — a credential-dumping tool capable of recovering plaintext or hashed passwords from systems — narrowed the knowledge gap needed to carry out these types of attacks. Dwell times went from days or weeks to minutes, and what had been almost exclusively the domain of advanced persistent threat groups was now also within reach of script kiddies.


Mimikatz, in particular, has been integrated into the arsenals of close to 30 state-sponsored groups and has been used in devastating attacks, including 2017's NotPetya, which burrowed into the supply chain of governments and private sector organizations across Europe, and 2011's hack of Dutch certificate authority DigiNotar, which eventually bankrupted the company.


Since Active Directory is recognized as the de facto identity platform for businesses and governments running Windows, and it enables authentication for numerous enterprise services, it stands to reason that hackers would invest in atta ..
