
Ransomware gangs take less than a day to breach Microsoft Active Directory. Here’s what to do


In its recent research, Sophos X-Ops found it took less than a day — approximately 16 hours — for attackers to reach Active Directory, one of the most critical assets for a company. In this article, we look at the findings and provide guidance to help security teams harden their Active Directories.

Successfully penetrating Microsoft Active Directory is the equivalent of grabbing the brass ring for attackers. (The findings concern on-premises Active Directory Domain Services, not the cloud directory formerly called Azure Active Directory, which has been renamed Microsoft Entra ID.) Once they have a foothold in Active Directory, they can move laterally from system to system through the network, steal data, access applications and servers, plant backdoors and ransomware, and cause other types of disruption.

The attackers do not waste much time once they are there, either. While the median time to reach Active Directory was about 16 hours, Sophos found that, at least through June 2023, the median time from data exfiltration to ransomware deployment was about 21 hours. Posting the stolen data online took much longer, about 28.5 days.

There is another reason Active Directory servers make attractive targets. Sophos found that most of the AD servers it investigated were protected only by Microsoft Defender, and some had no protection at all. Where Defender was in place, attackers have effective ways of disabling it.

“In fact, we’ve seen a steady rise of this technique being used over the last three Active Adversary Reports. In 2021, this technique was observed in 24% of cases, rising to 36% in 2022 and continuing to rise to 43% in the first half of 2023,” Sophos said in its report.

Once the defenses on the AD server are disabled, attackers also gain a place to take cover while they move elsewhere in the compromised organization.

Fortunately, there are steps organizations can take to improve the security of their Active Directory deployments, especially if, as Sophos found, they aren’t doing anything or they’ve only deployed Microsoft Defender.

Here are some for consideration:

Inventory: Collect a comprehensive accounting of all Active Directories. Keep this list up to date.

Harden administrative hosts: Secure the hosts used to administer Active Directory by shutting down unused services, removing stale objects and accounts, limiting open ports, and doing everything else reasonably possible to reduce each host's attack surface. Deploy Microsoft's Local Administrator Password Solution (LAPS) so that every host has a unique, regularly rotated local administrator password and a stolen local admin credential cannot be reused across machines.

Embrace least privilege: Identify accounts and groups with high privilege levels and reduce their access to only what is necessary for their role.

Harden your domain controllers: Domain controllers provide the services and data enterprises rely on to manage their users, workstations, applications, and servers. An attacker who gains access to the Active Directory Domain Services database on a domain controller can modify or destroy it and take over every account it holds, so restrict who can log on to these systems, and from where, as tightly as possible.

Strong authentication: Require multifactor authentication (MFA) for administrative access to Active Directory. MFA is an additional layer of security that requires users to present two or more forms of authentication before accessing a system or application. Note that on-premises Active Directory does not enforce MFA on its own for ordinary domain logons; options include smart cards or Windows Hello for Business for privileged accounts, Microsoft's Entra ID MFA for connected services, or third-party MFA vendors. Also enforce strong passwords, for example through fine-grained password policies applied to privileged accounts.
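The hardening items above can be turned into a repeatable, read-only audit. The following PowerShell script is an added example written for this article; it is not code from the article or from Sophos. It assumes an administrative workstation with the RSAT ActiveDirectory module, a domain-joined session with read access, a 90-day threshold for "stale" (an arbitrary choice), and that Windows LAPS has been deployed and its schema extension applied, so that the msLAPS-PasswordExpirationTime attribute exists (legacy LAPS uses ms-Mcs-AdmPwdExpirationTime instead, and requesting an attribute the schema lacks makes Get-ADComputer fail).

```powershell
# Added example, not from the article or Sophos: read-only audit of privileged
# membership, stale privilege, inactive accounts and LAPS coverage.
# Assumptions: RSAT ActiveDirectory module, read access to the domain,
# Windows LAPS schema present (msLAPS-PasswordExpirationTime), 90-day staleness.
Import-Module ActiveDirectory

# Groups whose membership must be inventoried and kept minimal.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect paths to admin show up.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, ServicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Group                = $group
                Account              = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordAgeDays      = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }
                LastLogonDate        = $_.LastLogonDate
                # A privileged account with an SPN can be Kerberoasted offline: treat as high priority.
                HasSPN               = ($_.ServicePrincipalName.Count -gt 0)
            }
        }
}
"Privileged group membership:"
$findings | Sort-Object Group, Account | Format-Table -AutoSize

# Accounts that keep adminCount=1 after leaving a protected group retain the
# locked-down AdminSDHolder ACL and usually indicate stale privilege.
$stillFlagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -notin $findings.Account -and $_.SamAccountName -ne 'krbtgt' }
"Accounts with adminCount=1 but no current privileged membership: $(@($stillFlagged).Count)"
$stillFlagged | Select-Object SamAccountName, DistinguishedName

# Stale objects: enabled user accounts that have not authenticated in 90 days.
"Enabled accounts inactive for 90+ days:"
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# LAPS coverage: every enabled computer without a LAPS expiration timestamp
# is still running with an unmanaged local administrator password.
"Enabled computers with no Windows LAPS-managed local admin password:"
Get-ADComputer -Filter 'Enabled -eq $true' -Properties 'msLAPS-PasswordExpirationTime', OperatingSystem |
    Where-Object { -not $_.'msLAPS-PasswordExpirationTime' } |
    Select-Object Name, OperatingSystem
```

Run it from a hardened admin host, not from a domain controller, and diff the privileged-membership output against the previous run; new entries in Domain Admins or a privileged account that suddenly has an SPN are the changes worth a ticket.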

Of course, no matter how secure and careful an organization is in defending its Active Directories, attackers sometimes manage to get through, and organizations must implement capabilities to identify attackers when this happens.

By monitoring for signs of compromise, organizations can ensure their security operations teams can investigate the situation and, if necessary, dispatch their incident response teams. This should include general log management and monitoring tools, tools specialized in monitoring Active Directory installations, and security information and event management (SIEM) systems.

Simply enabling auditing and logging, in particular Windows advanced audit policies for account management, security group changes, and directory service changes, lets organizations identify and investigate suspicious activity far more quickly.
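To show what that auditing buys you in practice, here is an added example (not from the article or Sophos) of a triage query a SOC analyst might run on a domain controller: it pulls the last 24 hours of the Security-log events that correspond to privileged-group changes, new accounts, a DSRM password change and log clearing, plus the Microsoft Defender operational events that indicate real-time protection or scanning being switched off, which is exactly the Defender-disabling technique Sophos reports rising year over year. It assumes advanced audit policy is enabled for Account Management and Security Group Management, that the Defender operational log exists on the host, and that the 24-hour window and the event ID list are reasonable starting points for your environment.

```powershell
# Added example, not from the article or Sophos: triage query for AD compromise
# signals on a domain controller. Assumes advanced audit policy for account and
# group management is on and the Defender operational log exists locally.
$since = (Get-Date).AddHours(-24)

# Security-log events a SOC should alert on for a domain controller.
$securityIds = @{
    4720 = 'User account created'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4794 = 'Attempt to set Directory Services Restore Mode password'
    1102 = 'Audit log cleared'
}
# Defender operational events that indicate protection being turned off.
$defenderIds = @{
    5001 = 'Real-time protection disabled'
    5010 = 'Scanning for malware disabled'
    5012 = 'Scanning for viruses disabled'
}

function Get-SuspiciousEvents {
    param([string]$LogName, [hashtable]$Ids, [datetime]$StartTime)
    # FilterHashtable is evaluated by the event service, far cheaper than
    # piping the whole log through Where-Object.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = @($Ids.Keys); StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            # EventData is a list of named Data elements; collect them into a lookup.
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # 1102 uses a UserData payload instead of EventData.
            $actor = $data['SubjectUserName']
            if (-not $actor) { $actor = $x.Event.UserData.LogFileCleared.SubjectUserName }
            $isGroupChange = $_.Id -in 4728, 4732, 4756
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Description = $Ids[$_.Id]
                Actor       = $actor
                # For group events MemberName is the added principal and
                # TargetUserName is the group; for 4720/4794 TargetUserName is the account.
                Target      = if ($isGroupChange) { $data['MemberName'] } else { $data['TargetUserName'] }
                Group       = if ($isGroupChange) { $data['TargetUserName'] } else { $null }
            }
        }
}

$events = @(Get-SuspiciousEvents -LogName 'Security' -Ids $securityIds -StartTime $since) +
          @(Get-SuspiciousEvents -LogName 'Microsoft-Windows-Windows Defender/Operational' -Ids $defenderIds -StartTime $since)

# Defense evasion (log cleared, protection disabled) is escalated immediately;
# everything else is reported for review.
$critical = $events | Where-Object { $_.Id -in 1102, 5001, 5010, 5012 }
if ($critical) { Write-Warning "Defense evasion observed on $env:COMPUTERNAME in the last 24 hours" }
$events | Sort-Object Time | Format-Table Time, Id, Description, Actor, Target, Group -AutoSize
```

In production the same event IDs belong in the SIEM as correlation rules rather than in an ad hoc script, with the Defender 50xx events and Security 1102 weighted as high severity on any domain controller, since an attacker who has reached that point is, per the timelines above, typically hours away from deploying ransomware.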

Finally, regularly review and adjust the security policies that govern Active Directory deployments so that they stay current and effective.

George V. Hulme

An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com. From
