Active Directory Research Articles

AI techniques applied to network intrusion detection system by using genetic approaches

The ability to identify and assess potential security risks to a communication network is a critical function of network intrusion detection systems. The data it provides regarding the frequency and type of assaults is a valuable addition to other network security measures, including firewalls. Typically, an NIDS will have a sensor that scans all incoming and outgoing packets on the monitored network, flags those that seem suspicious, and then sends the flagged packets and an alert message to a server system, which will then store them and analyse them in conjunction with other events. First, we standardised the protocol structure. Then, we used a genetic approach to generate mutation and cross-over values for device identification. Finally, we used a modified J48 decision tree algorithm to conduct our search. The developed algorithms/ones outperform the existing methods in terms of performance. As an initial step in detecting an intrusion, the 64-byte structured protocol standardisation technique is created. The wire shark tool is used to monitor the communication process network, taking into account all potential transactions. An array is created from the recorded packets. Included in the array are details about the frames, as well as the protocol type, hardware device type, source and destination IP addresses, MAC addresses, and data. This information is transformed by the 64-byte protocol structured standardisation. Because all of the necessary attributes are determined in the same place by this common protocol structure procedure, finding the MAC and IP addresses in packets should take as little time as possible. As a second step, the product and device details are supplied by the least and most important 16 bits of the MAC address. Using the cross-over and mutation functions, the genetic iv method compares the invader device to the Current Active Directory List (CADL).

Unsupervised Learning for Lateral-Movement-Based Threat Mitigation in Active Directory Attack Graphs

Cybersecurity threats, particularly those involving lateral movement within networks, pose significant risks to critical infrastructures such as Microsoft Active Directory. This study addresses the need for effective defense mechanisms that minimize network disruption while preventing attackers from reaching key assets. Modeling Active Directory networks as a graph in which the nodes represent the network components and the edges represent the logical interactions between them, we use centrality metrics to derive the impact of hardening nodes in terms of constraining the progression of attacks. We propose using Unsupervised Learning techniques, specifically density-based clustering algorithms, to identify those nodes given the information provided by their metrics. Our approach includes simulating attack paths using a snowball model, enabling us to analytically evaluate the impact of hardening on delaying Domain Administration compromise. We tested our methodology on both real and synthetic Active Directory graphs, demonstrating that it can significantly slow down the propagation of threats from reaching the Domain Administration across the studied scenarios. Additionally, we explore the potential of these techniques to enable flexible selection of the number of nodes to secure. Our findings suggest that the proposed methods significantly enhance the resilience of Active Directory environments against targeted cyber-attacks.

Clop Ransomware in Action: A Comprehensive Analysis of Its Multi-Stage Tactics

Recently, Clop ransomware attacks targeting non-IT fields such as distribution, logistics, and manufacturing have been rapidly increasing. These advanced attacks are particularly concentrated on Active Directory (AD) servers, causing significant operational and financial disruption to the affected organizations. In this study, the multi-step behavior of Clop ransomware was deeply investigated to decipher the sequential techniques and strategies of attackers. One of the key insights uncovered is the vulnerability in AD administrator accounts, which are often used as a primary point of exploitation. This study aims to provide a comprehensive analysis that enables organizations to develop a deeper understanding of the multifaceted threats posed by Clop ransomware and to build more strategic and robust defenses against them.

Hardening Active Directory Graphs via Evolutionary Diversity Optimization based Policies

Active Directory (AD) is the default security management system for Windows domain networks. An AD environment can be described as a cyber-attack graph, with nodes representing computers, accounts, etc., and edges indicating existing accesses or known exploits that enable attackers to move from one node to another. This paper explores a Stackelberg game model between one attacker and one defender on an AD attack graph. The attacker’s goal is to maximize their chances of successfully reaching the destination before getting detected. The defender’s aim is to block a constant number of edges to minimize the attacker’s chance of success. The paper shows that the problem is #P-hard and, therefore, intractable to solve exactly. To defend the AD graph from cyber attackers, this paper proposes two defensive approaches. In the first approach, we convert the attacker’s problem to an exponential sized Dynamic Program that is approximated by a Neural Network (NN). Once trained, the NN serves as an efficient fitness function for defender’s Evolutionary Diversity Optimization based defensive policy. The diversity emphasis on the defender’s solution provides a diverse set of training samples, improving the training accuracy of our NN for modeling the attacker. In the second approach, we propose a RL based policy to solve the attacker’s problem and Critic network assisted Evolutionary Diversity Optimization based defensive policy to solve defender’s problem. Experimental results on synthetic AD graphs show that the proposed defensive policies are scalable, highly effective, approximate attacker’s problem accurately, and generate good defensive plans.

A generic approach for network defense strategies generation based on evolutionary game theory

The generation of optimal defense strategies in dynamic adversarial environments is crucial for cybersecurity. Recently, defense approaches based on evolutionary game theory have gained significant achievements. However, they would fail when facing complex networks and sophisticated attack strategies, due to the fatal drawbacks of defense strategy generation considering atomic attacks only. To relieve this issue, a generic approach for generating defense strategies using evolutionary game theory is proposed in this paper. Initially, a novel payoff quantification method for network attack-defense games based on attack graphs is designed. Innovatively, two factors concerning the decision-maker's degree of irrationality (DI) and the level of environmental security (LES) are introduced into the replicator dynamics equation to model the impacts on equilibrium solutions. Noting that Active Directory (AD) domain service is one of the most used and representative information security management system in Windows domains, from which attack graphs and paths can be plainly extracted and analyzed. Therefore, it is necessary and imperative to anchor AD to unfold the theoretical analyses and experiments validation based on a real environment. Case studies on a real-world AD network demonstrate that the proposed approach is effective and can generate stable and efficient defense strategies.

Penetration Testing Platforms for Active Directory Network Environment

The security of Active Directory environments is a crucial aspect for organizations of all sizes. With the increasing number of cyber threats, it is important to understand the different penetration testing paradigms that can be used to attack these environments. This research focuses on a comparative analysis of four specific attacks: LLMNR poisoning, SMB relay, pass the hash, and token impersonation. The comparison is based on relevant criteria such as complexity, required tools, and susceptibility to defense mechanisms. The primary objective of this study was to build a virtual Active Directory network, which provides a controlled environment for testing the different attacks. This enabled us to evaluate the effectiveness of each attack and gather insights into the strengths and weaknesses of each paradigm. By conducting a comparative analysis using these criteria, we were able to determine the most effective methods for defending against these types of attacks and identify areas for improvement. The results of this study provide valuable insights into the security risks that organizations face when it comes to Active Directory environments. By understanding the different strengths and weaknesses of each attack, organizations can make informed decisions about which mitigation strategies to implement. This research also highlights the importance of continuous monitoring and testing to ensure the security of Active Directory environments. This comparative analysis provides a comprehensive overview of four key penetration testing paradigms for Active Directory environments. The results of this study can help organizations to better understand the security risks they face and implement effective mitigation strategies.

Penetration Testing Platforms for Active Directory Network Environment

The security of Active Directory environments is a crucial aspect for organizations of all sizes. With the increasing number of cyber threats, it is important to understand the different penetration testing paradigms that can be used to attack these environments. This research focuses on a comparative analysis of four specific attacks: LLMNR poisoning, SMB relay, pass the hash, and token impersonation. The comparison is based on relevant criteria such as complexity, required tools, and susceptibility to defense mechanisms. The primary objective of this study was to build a virtual Active Directory network, which provides a controlled environment for testing the different attacks. This enabled us to evaluate the effectiveness of each attack and gather insights into the strengths and weaknesses of each paradigm. By conducting a comparative analysis using these criteria, we were able to determine the most effective methods for defending against these types of attacks and identify areas for improvement. The results of this study provide valuable insights into the security risks that organizations face when it comes to Active Directory environments. By understanding the different strengths and weaknesses of each attack, organizations can make informed decisions about which mitigation strategies to implement. This research also highlights the importance of continuous monitoring and testing to ensure the security of Active Directory environments. This comparative analysis provides a comprehensive overview of four key penetration testing paradigms for Active Directory environments. The results of this study can help organizations to better understand the security risks they face and implement effective mitigation strategies.

Cyber Attack Against E-Albania and Its Social, Economic and Strategic Effects

Purpose: During last years, even because of pandemic situation caused by covid-19 virus, in Albania most of governmental public services for citizens, businesses and other customers were offered in an electronic way by creating a national database (e-Albania), offering more than 2200 services. As this electronic system was newly implemented, time after time it was attacked from hackers in different sectors of services, causing the interruption of service for hours, downloading all the confidential information and publishing them. After several partial attacks, in July 2022 came the general attack of the whole system, which black out the system and services for several days. Cyber actors - identifying as “HomeLand Justice” - launched a destructive cyber-attack against e-Albania which rendered websites and services unavailable. An investigation indicates cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber-attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content. From late July to mid-August 2022, social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release, posting a poll asking respondents to select the government information to be released by HomeLand Justice, and then releasing that information - either in a .zip file or a video of a screen recording with the documents shown. This cyber-attack creates social problems, economical loss and influenced negatively in the reputation of e-Albania and damage as well strategically the country and development of this sector in the future. Methodology: We have monitored the system and the attack, and we continue to do this. We analyze and synthesis the data collected, to come to conclusions and recommendations needed for the future. All the data which we have used are open for public, and mostly are primary data. The research method combines both quantitative and qualitative methods, but it is closer with qualitative method, as far as there in not enough data for using e pure quantitative analysis. We have used mostly the descriptive method. Results/Findings: Improving essentially the cyber infrastructure to avoid in the future such attacks with high social, economic and strategical cost. Conclusions: In the institution there was not a team for Cyber Security Monitoring the system, so called SOC (Security Operation Center), who controls in the real time all the logins. It was missing as well so called “Identifying Behavior”. There was not e separation of active directory, in physic machines and virtual machines, they were altogether. As the administrator had Full Right Privilege, the hacker doesn’t need to create a Privilege Escalation Vertical, so he easily took all the right of Admin. Originality and Practical Implications: The paper is original; it has not been previously published and it is not under consideration by any other publisher. The originality of the method stands in the fact that it is the first case in the world in information age, that a country (a whole electronic system, e-Albania), face a such complex, well organized and hard cyber-attack, which collapse the system for several days. All the data are authentic ones.

Surgical immunization strategies against lateral movement in Active Directory environments

Lateral movement, in which a cyber attacker progresses through an enterprise network in order to compromise its most valuable assets, is a key stage of any intrusion nowadays. Therefore, being able to mitigate lateral movement, be it by slowing down attacker progress or by limiting its reach, is a top priority for enterprise cyber-defence. Due to the inherent complexity of enterprise networks, it is also a paramount challenge. This challenge becomes even more prominent if we take into account the high impact of deploying security countermeasures on the performance or functionality of the network. In this paper we model lateral movement as an infection process and propose a methodology to prioritize which network elements to protect for a more effective and efficient mitigation. To do this we rely on a graph model and graph theoretic metrics taken from epidemiology research, and apply them to the trust relationships in Microsoft Active Directory infrastructures. We propose selective immunization techniques which act as “surgical” countermeasures, by impacting a very reduced ratio of the nodes in the network. Experiments show that the selective immunization strategies we propose effectively mitigate infection spread in these settings while keeping the amount of immunized nodes at a minimum.

Identification of Geothermal System in Cisolok, West Java based on the Correlation of Gravity Method, ADMT (Active Directory Magnetotelluric), and Drill Log Data

Indonesia has 40% geothermal potential of the world’s geothermal potential. One proof of its potential is in Cisolok, West Java. The method used in this study is the gravity method from 2013 GGMPlus satellite with First Horizontal Derivative (FHD) analysis which is correlated with ADMT and drill log data. Based on overlaid between Land Surface Temperature (LST) map and residual anomaly map, Cisolok has a temperature of around 23.8 – 26.5 °C. These correlations describe the normal fault structure in the south that controls the Cisolok geothermal system. The results of the 3D inversion modeling show alternating layers of tuff, tuff breccia and silt as a cap rock with a density contrast of 0 – 0.2 gr/cc at a depth of 0 – 325 m, thick limestone layers with a density contrast of -0.1 – (-0.05) gr/cc at a depth of 325 – 700 m, and a layer of granodiorite rock as an intrusion body with a density contrast of -0.2 – (-0.15) gr/cc at a depth of 700 – 900 m. Based on the results obtained, it can be proven that the gravity method and the ADMT method have a fairly good correlation in geothermal exploration activities.

Identification of Geothermal Potential in Block Ciasmara Sector II, Mount Salak Area, Based on the Correlation of the Active Directory Magnetotelluric (ADMT) and Self-Potential Methods

Indonesia possesses significant geothermal potential, with the largest share located in West Java, accounting for up to 21.7% distributed across 44 locations in 11 regencies. One such location with geothermal potential is in Block Ciasmara Sector II, the Mount Salak area, Bogor Regency, characterized by manifestations such as hot spring bathing pools. This research aims to understand the distribution of geothermal reservoirs in the study area, where these reservoirs contain hot fluids that can be harnessed for renewable energy generation. The methodology used in this research involves a correlation between the Active Directory Magnetotelluric (ADMT) and Self-Potential (SP) methods. A total of 3 ADMT measurements were conducted along tracks ranges from 5-8 meters, while the SP method involved 7 measurement points with coordinates distributed around the geothermal manifestations in the Mount Salak area. The data obtained were then visualized in 2D and 3D to gain insights into the distribution and orientation of the reservoir layers in the study area. The results indicate a correlation between the ADMT and Self-Potential methods. In Line 01 of the ADMT, located in the western part, there is a correlation with high potential difference values on the SP map ranges from 47.6-82.1 mV, suggesting the presence of tuff layers rich in alteration minerals. This is confirmed by the 2D ADMT modeling, which shows that the clay cap is thicker compared to Line 02 and Line 03, associated with the presence of alteration minerals in the clay cap. This correlation also applies to Line 03, which has low potential difference values ranges from 4.9-25.3 mV, indicating a response from lapilli rocks. This is corroborated by the 2D model, which reveals thickening of the lapilli rock layer on Line 03.Keywords: ADMT, Geothermal, Mount Salak, Reservoir, Self-Potential.

Exploring the Architecture, Deployment, and Security Aspects of Active Directory Federation Services ADFS: An In-Depth Analysis

Exploring the Architecture, Deployment, and Security Aspects of Active Directory Federation Services ADFS: An In-Depth Analysis

Scalable Edge Blocking Algorithms for Defending Active Directory Style Attack Graphs

Active Directory (AD) is the default security management system for Windows domain networks. An AD environment naturally describes an attack graph where nodes represent computers/accounts/security groups, and edges represent existing accesses/known exploits that allow the attacker to gain access from one node to another. Motivated by practical AD use cases, we study a Stackelberg game between one attacker and one defender. There are multiple entry nodes for the attacker to choose from and there is a single target (Domain Admin). Every edge has a failure rate. The attacker chooses the attack path with the maximum success rate. The defender can block a limited number of edges (i.e., revoke accesses) from a set of blockable edges, limited by budget. The defender's aim is to minimize the attacker's success rate. We exploit the tree-likeness of practical AD graphs to design scalable algorithms. We propose two novel methods that combine theoretical fixed parameter analysis and practical optimisation techniques. For graphs with small tree widths, we propose a tree decomposition based dynamic program. We then propose a general method for converting tree decomposition based dynamic programs to reinforcement learning environments, which leads to an anytime algorithm that scales better, but loses the optimality guarantee. For graphs with small numbers of non-splitting paths (a parameter we invent specifically for AD graphs), we propose a kernelization technique that significantly downsizes the model, which is then solved via mixed-integer programming. Experimentally, our algorithms scale to handle synthetic AD graphs with tens of thousands of nodes.

Exploiting Misconfiguration Vulnerabilities in Microsoft’s Azure Active Directory for Privilege Escalation Attacks

Cloud services provided by Microsoft are growing rapidly in number and importance. Azure Active Directory (AAD) is becoming more important due to its role in facilitating identity management for cloud-based services. However, several risks and security issues have been associated with cloud systems due to vulnerabilities associated with identity management systems. In particular, misconfigurations could severely impact the security of cloud-based systems. Accordingly, this study identifies and experimentally evaluates exploitable misconfiguration vulnerabilities in Azure AD which can eventually lead to the risk of privilege escalation attacks. The study focuses on two scenarios: dynamic group settings and the activation of the Managed Identity feature on virtual devices. Through experimental evaluation, the research demonstrates the successful execution of these attacks, resulting in unauthorized access to sensitive information. Finally, we suggest several approaches to prevent such attacks by isolating sensitive systems to minimize the possibility of damage resulting from a misconfiguration accident and highlight the need for further studies.

Multifractal analysis of temporal and spatial characteristics of earthquakes in Eurasian seismic belt

Abstract Seismic activity has complexity and randomness, and its temporal and spatial distribution has complexity, stage, level, and inheritance. The study of the temporal and spatial distribution characteristics of seismic activity is of great significance to the understanding of the law of seismic activity, such as the law that the time series of seismicity in the seismic belt is consistent with the complexity of geographical structure, the prediction of seismic risk, and other research related to earthquake. This article selects the seismic data catalog of the whole Eurasian seismic belt as the research object. Based on the characteristics of the seismic geological environment and tectonic environment characteristics, the multifractal analysis method is used for the seismic data of the seismic activity directory. The results show that the seismic activity of seismic zones has obvious multifractal structure of complex in time series and spatial scales, which can well reveal the seismic characteristics of seismic activity in time and space. In terms of time series, the study area D ∞ {D}_{{\rm{\infty }}} decreases significantly with time and energy before the occurrence of a large earthquake, and the time series of seismic activity in the study area is highly complex and highly correlated with the geological structure. Spatially, the spatial distribution of seismic intensity in the study area is infinite and sparse, showing the characteristics of infinite clustering. Therefore, it can reveal the basic rule of seismic activity effectively and lay a certain theoretical foundation for earthquake prevention and control in this seismic zone.

Security Test of Active Directory Domain Services

Security Test of Active Directory Domain Services

Improving your Active Directory security posture: AdminSDHolder to the rescue

This paper covers a key aspect of Active Directory (AD) security, which is often overlooked: the wealth of default read permissions that Microsoft has granted to any user and computer in the directory. The concept of an AD forest being a security boundary must now not only be understood as a protective feature; if you do not have an account in an AD forest, you cannot access any of its AD objects and connected resources. Instead, the security boundary must also be understood as the scope of reach for an intruder to access and assess the security of AD objects once they gain a foothold into an organisation’s network. Removing certain default read permissions in AD is a low-risk operation that pays off by making it much more difficult for intruders to perform reconnaissance that helps them in planning their next steps to domain dominance. Understanding the mechanism of the built-in logic that Microsoft has added to AD to protect the most privileged accounts in the directory (eg members of the domain admins group) is key to realising both the benefits and weaknesses of this mechanism. This paper discusses how this protection mechanism works behind the scenes and how it can be adjusted to remove risky default read permissions to make AD safer. Many AD infrastructures were implemented many years ago and operated by different teams of administrators over time, so most AD implementations today have incurred a solid ‘misconfiguration debt’. This paper covers one aspect of that debt: specifically, how to fix the permissions on objects that had once been added to a privileged group but are no longer a part of that group. Essentially, locking down the visibility of objects and general read permissions in AD is vital to reducing the AD attack surface and thus increasing its security posture.

Attacking Windows Hello for Business: Is It What We Were Promised?

Traditional password authentication methods have raised many issues in the past, including insecure practices, so it comes as no surprise that the evolution of authentication should arrive in the form of password-less solutions. This research aims to explore the problems that password authentication and password policies present and aims to deploy Windows Hello for Business (WHFB) on-premises. This includes creating three virtual machines (VMs) and evaluating WHFB as a password-less solution and showing how an attacker with privileged access may retrieve the end user’s domain password from the computer’s memory using Mimikatz and describing the possible results. The conducted research tests are in the form of two attack methods. This was feasible by the creation of three VMs operating in the following way. The first VM will act as a domain controller (DC) and certificate authority server (CA server). The second VM will act as an Active Directory Federation Service (ADFS). The third VM will act as the end-user device. The test findings research summarized that password-less authentication is far more secure than the traditional authentication method; this is evidenced throughout the author’s tests. Within the first test, it was possible to retrieve the password from an enrolled device for WHFB while it was still in the second phase of the deployment. The second test was a brute-force attack on the PIN of WHFB; since WHFB has measures to prevent such attacks, the attack was unsuccessful. However, even though the retrieval of the password was successful, there are several obstacles to achieving this outcome. It was concluded that many organizations still use password authentication as their primary authentication method for accessing devices and applications. Larger organizations such as Microsoft and Google support the adoption of password-less authentication for end-users, and the current usage of password-less authentication shared by both organizations is encouraged. This usually leads organizations to adopt this new solution for their IT infrastructure. This is because it has been used and tested by millions of people and has proven to be safe. This supports the findings of increased usage and the need for password-less authentication by today’s users.

Review Paper on the Light Weight Directory Access Protocol

External LDAP directories currently use directory servers such as MS Active Directory, OpenLDAP, OpenDJ, etc. to store user, group, and authorization information and then provide that information organization's enterprise applications. This is considered a standard technique. Most organizations prefer external LDAP because the authentication protocol is very simple. The proposed system uses an external Lightweight Directory Access Protocol (LDAP) to manage and authenticate user information inside and outside the organization. This external LDAP directory stores various user information. This information can be later retrieved by other users, depending on their access level. Various applications also use this technology to ensure that authenticated users provide correct authentication data. This data must match the information stored on your LDAP server.

ZERO TRUST CONCEPT FOR ACTIVE DIRECTORY PROTECTION TO DETECT RANSOMWARE

This scientific article explores the approach to protecting Active Directory from threats associated with ransomware, which are becoming increasingly perilous to corporate information systems. The concept of "zero trust" in the context of Active Directory is defined as an approach aimed at eliminating trust from the security framework and constantly verifying the compliance of users and their devices with configured security policies, context, and other parameters. The article delves into methods and tools that enable the implementation of the zero trust concept within the Active Directory environment, including behavior analysis, network traffic monitoring, and the utilization of advanced security rules. The importance of combining event processing technologies and artificial intelligence for automated detection and response to abnormal activity is also investigated. The research findings indicate the potential to enhance the effectiveness of protecting Active Directory from ransomware threats and ensuring the resilience of corporate networks against them. The adoption of the zero trust concept could be a significant step in ensuring cybersecurity and maintaining the reliability of information resources in modern enterprises