<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Active directory - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/tag/active-directory-en/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/tag/active-directory-en/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Tue, 31 Mar 2026 08:59:38 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>Active directory - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/tag/active-directory-en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Overview of Active Directory security tools – version 2026 </title>
		<link>https://www.riskinsight-wavestone.com/en/2026/03/overview-of-active-directory-security-tools-version-2026/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2026/03/overview-of-active-directory-security-tools-version-2026/#respond</comments>
		
		<dc:creator><![CDATA[Benoît Marion]]></dc:creator>
		<pubDate>Tue, 31 Mar 2026 08:59:36 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Active directory]]></category>
		<category><![CDATA[AD Backup & Recovery]]></category>
		<category><![CDATA[AD Discovery]]></category>
		<category><![CDATA[Entra ID]]></category>
		<category><![CDATA[IAM]]></category>
		<category><![CDATA[security tools]]></category>
		<category><![CDATA[Vulnerability Discovery]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=29578</guid>

					<description><![CDATA[<p>  In 2026, Active Directory remains at the heart of the now hybrid identity infrastructure of most large companies and is still widely used as an on-premises identity provider, even when organisations migrate to the cloud.  Wavestone incident response teams note that 38% of attacks begin with...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2026/03/overview-of-active-directory-security-tools-version-2026/">Overview of Active Directory security tools – version 2026 </a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;"><b><span data-contrast="auto">In 2026, Active Directory remains at the heart of the now hybrid identity infrastructure</span></b><span data-contrast="auto"> of most large companies and is still widely used as an on-premises identity provider, even when organisations migrate to the cloud.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Wavestone incident response teams note that</span><b><span data-contrast="auto"> 38% of attacks begin with identity compromise </span></b><span data-contrast="auto">(vs. 20% in 2024).</span><b><span data-contrast="auto"> </span></b><span data-contrast="auto">More broadly,</span><b><span data-contrast="auto"> attackers frequently exploit on-premises identities to move laterally into cloud environments </span></b><span data-contrast="auto">(Microsoft Digital Defence Report 2025 [1]).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">In a context where the </span><b><span data-contrast="auto">hybridisation of identities increases an already vast attack surface</span></b><span data-contrast="auto">, companies must be able to understand the challenges and equip themselves effectively.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Through this </span><b><span data-contrast="auto">new 2026 overview of Active Directory security tools</span></b><span data-contrast="auto">, we offer you:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<ol style="text-align: justify;">
<li><b><span data-contrast="auto">An updated map of Active Directory security tools</span></b><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">An overview of major market trends</span></b><span data-contrast="auto"> (consolidation, transition to platforms, cloud hybridisation)</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Feedback on operational implementation challenges</span></b><span data-contrast="auto"> and key success factors</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ol>
<h1 style="text-align: justify;"><span data-contrast="none">An enhanced overview of AD security tools for 2026</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:360}"> </span></h1>
<p style="text-align: justify;"><span data-contrast="auto">By analysing the market, we have identified four main use cases for these tools:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<ol style="text-align: justify;">
<li><b><span data-contrast="auto">Analysis and audit</span></b><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Hardening and maintaining security </span></b><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Detection</span></b><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Response and reconstruction</span></b><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ol>
<p style="text-align: justify;"><span data-contrast="auto">A listing of publishers and tools offering features that meet one or more of these four use cases was compiled. It was designed to be as comprehensive as possible, including tools from the best-known and most widely used players on the market as well as those from lesser-known players, proprietary and open-source tools, and tools with a wide range of features as well as those offering a more limited set. All relevant tools were thus included in a list, with information recorded for each one (reputation, description of the tool and use cases covered, hosting, etc.).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">The overview below selects a number of publishers from this list, based on the functional coverage they offer and their widespread use within organisations.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">The Microsoft Entra ID logo is added to tools that offer the possibility of integrating it into their operations in addition to on-premises AD coverage. This is a strong trend in the market.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<p style="text-align: justify;"><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> <img fetchpriority="high" decoding="async" class="aligncenter size-full wp-image-29566" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2026/03/Image2-1.png" alt="" width="1582" height="890" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2026/03/Image2-1.png 1582w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/03/Image2-1-340x191.png 340w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/03/Image2-1-69x39.png 69w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/03/Image2-1-768x432.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/03/Image2-1-1536x864.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2026/03/Image2-1-800x450.png 800w" sizes="(max-width: 1582px) 100vw, 1582px" /></span></p>
<h2 style="text-align: justify;"><span data-contrast="none">1. A dynamic market undergoing consolidation</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:120}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">The Active Directory market has undergone several changes since 2022, with several major transactions. The </span><b><span data-contrast="auto">aim is most often for publishers to complement their offering </span></b><span data-contrast="auto">or to cover a new need in Active Directory security.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:533,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Among other things, we can note:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:533,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><strong>Acquisition of PingCastle by Netwrix [2]:</strong><span data-contrast="auto"> PingCastle, renowned for its expertise in AD security auditing, strengthens Netwrix&#8217;s offering. This acquisition enables Netwrix to expand its portfolio with a lightweight, quick-to-deploy tool that is popular with technical teams, while reaffirming its commitment to providing a unified platform covering the entire AD security lifecycle.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><strong>Acquisition of Attivo by SentinelOne [3]:</strong><span data-contrast="auto"> Attivo, a specialist in identity security and lateral movement detection, strengthens SentinelOne&#8217;s offering by integrating advanced AD protection capabilities into a unified platform combining EDR, XDR and identity security.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><strong>Acquisition of BrainWave by Radiant Logic [4]:</strong><span data-contrast="auto"> Radiant Logic strengthens its identity and governance analysis capabilities. By combining BrainWave&#8217;s detailed rights mapping with Radiant Logic&#8217;s identity federation, the offering becomes more comprehensive in addressing AD challenges.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><strong>Integration of Stealthbits by Netwrix [5]:</strong><span data-contrast="auto"> By merging with Stealthbits, Netwrix has integrated historical Active Directory auditing and detection components (StealthAUDIT, StealthDEFEND, etc.), strengthening its offering in the protection of identities and sensitive data and moving towards a unified platform focused on AD security.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<h2 style="text-align: justify;"><span data-contrast="none">2. From specific tools to centralised platforms</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:120}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">In 2022, our overview of Active Directory security tools mentioned </span><i><span data-contrast="auto">“specialised tools, each addressing part of the equation.” </span></i><span data-contrast="auto">[6]. In 2026, we are seeing the emergence of </span><b><span data-contrast="auto">centralised platforms</span></b><span data-contrast="auto"> capable of covering several needs around Active Directory and, often, Entra ID. This dynamic is </span><b><span data-contrast="auto">primarily driven by publishers</span></b><span data-contrast="auto"> seeking to broaden their value proposition and differentiate themselves with comprehensive platforms rather than specialised tools offering specific features.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:533,&quot;469777462&quot;:[3684,6300],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[1,1]}"> </span></p>
<p style="text-align: justify;"><b><span data-contrast="auto">Some publishers build their platforms through successive acquisitions</span></b><span data-contrast="auto">, such as Netwrix (AD auditing, data protection, vulnerability discovery, PingCastle, etc.) or SentinelOne (EDR/XDR enhanced by Attivo on identity), while </span><b><span data-contrast="auto">others are gradually enhancing their existing offerings </span></b><span data-contrast="auto">to provide modular suites: administration/monitoring tools such as ManageEngine ADAudit Plus or Quest Change Auditor, for example, add AD auditing, hardening and detection components across the entire Active Directory ecosystem.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:533,&quot;469777462&quot;:[3684,6300],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[1,1]}"> </span></p>
<p style="text-align: justify;"><b><span data-contrast="auto">The promises made by publishers are clear:</span></b><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:533,&quot;335559738&quot;:0,&quot;335559739&quot;:60,&quot;469777462&quot;:[3684,6300],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[1,1]}"> </span></p>
<ul>
<li><b><span data-contrast="auto">Centralisation of data</span></b><span data-contrast="auto"> (accounts, groups, rights, security events)</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:1253,&quot;335559738&quot;:0,&quot;335559739&quot;:60,&quot;469777462&quot;:[720,1253,3684,6300],&quot;469777927&quot;:[0,0,0,0],&quot;469777928&quot;:[0,8,1,1]}"> </span></li>
<li><b><span data-contrast="auto">Unified view of attack paths</span></b><span data-contrast="auto"> between AD and Entra ID</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:1253,&quot;335559738&quot;:0,&quot;335559739&quot;:60,&quot;469777462&quot;:[720,1253,3684,6300],&quot;469777927&quot;:[0,0,0,0],&quot;469777928&quot;:[0,8,1,1]}"> </span></li>
<li><b><span data-contrast="auto">Simplified management</span></b><span data-contrast="auto"> for security, infrastructure and IAM teams via consolidated consoles and dashboards</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:1253,&quot;335559738&quot;:0,&quot;335559739&quot;:60,&quot;469777462&quot;:[720,1253,3684,6300],&quot;469777927&quot;:[0,0,0,0],&quot;469777928&quot;:[0,8,1,1]}"> </span></li>
</ul>
<p style="text-align: justify;"><b><span data-contrast="auto">From the customer&#8217;s point of view, the benefits are obvious, but the reality may be more nuanced:</span></b><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:533,&quot;469777462&quot;:[3684,6300],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[1,1]}"> </span></p>
<ul>
<li><span data-contrast="auto">Consolidation can reduce the number of tools and simplify integrations, but </span><b><span data-contrast="auto">it does not eliminate the need for AD expertise or specialised tools </span></b><span data-contrast="auto">(e.g. for post-incident reconstruction).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:1253,&quot;469777462&quot;:[720,1253,3684,6300],&quot;469777927&quot;:[0,0,0,0],&quot;469777928&quot;:[0,8,1,1]}"> </span></li>
<li><span data-contrast="auto">Environments often remain </span><b><span data-contrast="auto">multi-vendor</span></b><span data-contrast="auto">, with a mix of global platforms (XDR, CNAPP, Identity Security) and targeted AD tools, particularly in large groups or organisations that are already heavily equipped.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:1253,&quot;469777462&quot;:[720,1253,3684,6300],&quot;469777927&quot;:[0,0,0,0],&quot;469777928&quot;:[0,8,1,1]}"> </span></li>
</ul>
<p style="text-align: justify;"><span data-contrast="auto">In this context, the challenge is not simply to “choose a platform”, but rather to </span><b><span data-contrast="auto">put together a coherent whole</span></b><span data-contrast="auto">, ensuring that:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:708,&quot;335559738&quot;:0,&quot;335559739&quot;:60,&quot;469777462&quot;:[3684,6300],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[1,1]}"> </span></p>
<ul>
<li><span data-contrast="auto">The AD/Entra ID scope is well covered throughout the entire lifecycle (prevention, detection, response, reconstruction).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:0,&quot;335559739&quot;:60,&quot;469777462&quot;:[3684,6300],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[1,1]}"> </span></li>
<li><span data-contrast="auto">The tools can feed </span><b><span data-contrast="auto">existing processes</span></b><span data-contrast="auto"> (SOC, crisis management, PRA, IAM).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:0,&quot;335559739&quot;:60,&quot;469777462&quot;:[3684,6300],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[1,1]}"> </span></li>
<li><span data-contrast="auto">Dependence on a single publisher is assessed and controlled.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:0,&quot;335559739&quot;:60,&quot;469777462&quot;:[3684,6300],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[1,1]}"> </span></li>
</ul>
<h2 style="text-align: justify;"><span data-contrast="none">3. Cloud hybridisation</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:120}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">With the rise of Entra ID and SaaS applications, identity hybridisation has become the norm: AD accounts and groups are synchronised to the cloud, and the same credentials are used to access on-premises and cloud resources. Numerous recent incidents show that attackers are exploiting these hybrid architectures to pivot between AD and Entra ID, taking advantage of poor configurations or weak alignment between the two worlds. [7]</span><span data-ccp-props="{&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559685&quot;:533}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">This translates into several concrete needs:</span><span data-ccp-props="{&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559685&quot;:533}"> </span></p>
<ul>
<li><b><span data-contrast="auto">Joint supervision</span></b><span data-contrast="auto"> of AD and Entra ID: ability to correlate signals from the on-premises directory (changes, anomalies, lateral movement attempts) and the cloud (Entra ID Protection signals, connection anomalies, conditional access, etc.). </span><span data-ccp-props="{&quot;335551550&quot;:1,&quot;335551620&quot;:1}"> </span></li>
<li><b><span data-contrast="auto">Security policy alignment</span></b><span data-contrast="auto">: hardening of AD (configuration, delegation, privileged accounts) in line with conditional access policies, MFA and Zero Trust requirements. </span><span data-ccp-props="{&quot;335551550&quot;:1,&quot;335551620&quot;:1}"> </span></li>
<li><b><span data-contrast="auto">Hybrid reconstruction capabilities</span></b><span data-contrast="auto">: in the event of AD compromise, reconstruction and restoration must integrate Entra ID dependencies (synchronisation, service accounts, applications) to avoid side effects on the cloud, and vice versa.</span><span data-ccp-props="{&quot;335551550&quot;:1,&quot;335551620&quot;:1}"> </span></li>
</ul>
<p style="text-align: justify;"><b><span data-contrast="auto">Publishers are gradually positioning themselves on this hybridisation. </span></b><span data-contrast="auto">Some are expanding their AD audit engines to include Entra ID (on-premises to cloud) and offer a unified view of identity vulnerabilities: Netwrix Auditor now allows Entra ID to be monitored in parallel with Active Directory, with a single view of hybrid threats; Tenable Identity Exposure extends its exposure indicators to specific Entra ID risks; and Semperis Directory Services Protector correlates AD and Entra ID changes in a single console to reduce the hybrid attack surface.</span><span data-ccp-props="{&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559685&quot;:533}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Other tools start in the cloud (Entra ID, SaaS) and move down to on-premises AD (cloud to on-premises), using a hybrid identity threat detection and response approach: Microsoft Defender for Identity provides a consolidated inventory of AD and Entra ID identities and new detection capabilities on hybrid components (Entra Connect, AD FS, etc.), while CrowdStrike Falcon Identity Threat Protection analyses hybrid accounts present in both AD and Entra ID/Azure AD.</span><span data-ccp-props="{&quot;335551550&quot;:1,&quot;335551620&quot;:1}"> </span></p>
<h1 style="text-align: justify;"><span data-contrast="none">Operational implementation still has room for improvement</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:360}"> </span></h1>
<p style="text-align: justify;"><span data-contrast="auto">The Active Directory security market is seeing growing and structured adoption of sophisticated tools. In many organisations, functional coverage is now adequate, or even advanced, across the various aspects of AD security (auditing, hardening, detection, backup).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">However, technological maturity contrasts with operational implementation that is still incomplete. AD disaster recovery plans (DRPs) often remain theoretical, untested, or disconnected from the backup and reconstruction tools deployed. Regular reviews (of privileges, delegations, trust relationships) are still rarely industrialised: they often depend on a few experts, with a limited level of automation.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">The effectiveness of implementation is also impacted by the constant evolution of the ecosystem, between the platformisation of tools and the hybridisation of identities. The challenge for the coming years will therefore be to align tools (both existing and future) with robust, documented and tested processes:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<ol>
<li><b><span data-contrast="auto">Clarify responsibilities</span></b><span data-contrast="auto"> between infrastructure, IAM, security and SOC teams.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Formalise and automate recurring controls </span></b><span data-contrast="auto">(rights reviews, configuration validation, restoration tests).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ol>
<p style="text-align: justify;"><span data-contrast="auto">Only then will investments in Active Directory security tools, both on-premises and in the cloud, enable true resilience to be achieved.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<h1><span data-contrast="none">Methodology overview</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:360}"> </span></h1>
<p style="text-align: justify;"><span data-contrast="auto">We have identified four main categories for grouping tools:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<h3><span data-contrast="none">Analysis and audit:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h3>
<ul>
<li><b><span data-contrast="auto">Account and Privilege</span></b><span data-contrast="auto">: Inventory of accounts, groups and associated rights to detect excessive or non-compliant privileges.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">AD Discovery</span></b><span data-contrast="auto">: Exploration of the AD structure (OUs, GPOs, objects) to deduce the architecture, relationships and dependencies.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Vulnerability Discovery</span></b><span data-contrast="auto">: Identification of security vulnerabilities (configuration, obsolete accounts, weak passwords, etc.).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Attack Path Discovery</span></b><span data-contrast="auto">: Modelling potential attack paths to privileged accounts.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ul>
<h3><span data-contrast="none">Hardening and management:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h3>
<ul>
<li><b><span data-contrast="auto">Password Management</span></b><span data-contrast="auto">: Management of password policies, synchronisation, password auditing (strength, reuse, compromise, etc.).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Rights &amp; Privilege Management</span></b><span data-contrast="auto">: Delegation, access control, role and permission management.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">GPOs Management</span></b><span data-contrast="auto">: Creation, analysis, modification of group policy objects.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Change Management</span></b><span data-contrast="auto">: Change tracking, traceability, change management and migration tools.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ul>
<h3><span data-contrast="none">Monitoring:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h3>
<ul>
<li><b><span data-contrast="auto">Threat Detection</span></b><span data-contrast="auto">: Proactive detection of suspicious behaviour, privilege escalation, lateral movement.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Security Incident Detection: </span></b><span data-contrast="auto">Identification of security incidents, real-time alerts, event correlation.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ul>
<h3><span data-contrast="none">Backup and Recovery:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h3>
<ul>
<li><b><span data-contrast="auto">AD Backup &amp; Recovery</span></b><span data-contrast="auto">: Partial or complete backup of AD objects, rapid disaster recovery.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li><b><span data-contrast="auto">Investigation &amp; Forensics</span></b><span data-contrast="auto">: Post-incident analysis, traceability of malicious actions, evidence collection.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ul>
<p style="text-align: justify;"><span data-contrast="auto">For each of the tools classified, a badge (Microsoft Entra ID logo) is added when the tool offers the possibility of integrating Microsoft Entra ID into its operation.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<h1>Conclusion</h1>
<p style="text-align: justify;"><span data-contrast="auto">The 2026 overview is based on an analysis of 180 tools, compared to 150 in 2022. It was constructed using a similar approach to that of 2002. It is based on a listing of tools on the market. On this basis, and in line with recurring themes in Active Directory security, a categorisation has been established to facilitate reading.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">The list of tools mentioned is not intended to be exhaustive, as the list of tools that can contribute directly or indirectly to Active Directory security is vast. This overview is therefore a summary of the main existing tools, particularly those that Wavestone consultants encounter most often in large organisations (considered, studied, tested or deployed).</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p> </p>
<h1 style="text-align: justify;"><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}">References</span></h1>
<p style="text-align: justify;"><span data-contrast="none">[1] </span><a href="https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/"><span data-contrast="none">Microsoft Digital Defense Report 2025 | Microsoft</span></a><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><span data-contrast="none">[2] </span><a href="https://netwrix.com/en/resources/news/netwrix-acquires-pingcastle/"><span data-contrast="none">Netwrix Acquires PingCastle | Netwrix</span></a><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><span data-contrast="none">[3] </span><a href="https://investors.sentinelone.com/press-releases/news-details/2022/SentinelOne-Completes-Acquisition-of-Attivo-Networks/default.aspx"><span data-contrast="none">SentinelOne Completes Acquisition of Attivo Networks | SentinelOne, Inc.</span></a><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><span data-contrast="none">[4] </span><a href="https://www.radiantlogic.com/news/radiant-logic-signs-definitive-agreement-to-acquire-brainwave-grc/"><span data-contrast="none">Radiant Logic Signs Definitive Agreement to Acquire Brainwave GRC | Radiant Logic</span></a><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><span data-contrast="none">[5] </span><a href="https://netwrix.com/fr/resources/news/netwrix-stealthbits-merge-to-address-demand-for-data-protection/"><span data-contrast="none">Netwrix announces its merger with Stealthbits | Netwrix</span></a><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><span data-contrast="none">[6] </span><a href="https://www.riskinsight-wavestone.com/en/2022/05/active-directory-security-tools-radar/"><span data-contrast="none">Active Directory security tools radar | RiskInsight</span></a><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p style="text-align: justify;"><span data-contrast="none">[7] </span><span data-contrast="none">Microsoft Incident Response lessons on preventing cloud identity compromise | Microsoft Security Blog</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0,&quot;469777462&quot;:[3684],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}"> </span></p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2026/03/overview-of-active-directory-security-tools-version-2026/">Overview of Active Directory security tools – version 2026</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2026/03/overview-of-active-directory-security-tools-version-2026/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>LeHack 2025: What to Remember</title>
		<link>https://www.riskinsight-wavestone.com/en/2025/07/lehack-2025-what-to-remember/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2025/07/lehack-2025-what-to-remember/#respond</comments>
		
		<dc:creator><![CDATA[Benjamin Garo]]></dc:creator>
		<pubDate>Wed, 30 Jul 2025 05:55:51 +0000</pubDate>
				<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[Active directory]]></category>
		<category><![CDATA[AD]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Browser Cache Smuggling]]></category>
		<category><![CDATA[Climate change]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Conference France]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Cybersecurity conference]]></category>
		<category><![CDATA[Cybersecurity conference France]]></category>
		<category><![CDATA[DCOM turns 20]]></category>
		<category><![CDATA[environmental industrial infrastructures]]></category>
		<category><![CDATA[environmental warfare]]></category>
		<category><![CDATA[GPO parser]]></category>
		<category><![CDATA[Le Hack]]></category>
		<category><![CDATA[Le Hack 2025]]></category>
		<category><![CDATA[Le Hack France 2025]]></category>
		<category><![CDATA[LeHack]]></category>
		<category><![CDATA[LeHack 2025]]></category>
		<category><![CDATA[YoloSw4g]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=26829</guid>

					<description><![CDATA[<p>LeHack is one of the oldest and most well-known security conventions in France. It took place from June 26th to June 29th, 2025. The technical presentations held throughout the convention provided an opportunity to explore some of the current cybersecurity...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2025/07/lehack-2025-what-to-remember/">LeHack 2025: What to Remember</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;">LeHack is one of the oldest and best-known security conventions in France. It took place from June 26<sup>th</sup> to June 29<sup>th</sup>, 2025. The technical presentations held throughout the convention were an opportunity to explore some current cybersecurity challenges. This article reviews four notable talks that provided practical insights into contemporary attack vectors and defensive strategies: Synacktiv&#8217;s GPO parser research, the evolution of DCOM-based threats, emerging browser cache smuggling techniques, and the focus of APTs on vital environmental industrial infrastructures. </p>
<p style="text-align: justify;">The event also featured a CTF competition running from Saturday night to Sunday morning, where <strong>our team YoloSw4g secured 6th place among 120 participating teams</strong>.  </p>
<p style="text-align: justify;"> </p>
<figure id="attachment_26831" aria-describedby="caption-attachment-26831" style="width: 397px" class="wp-caption aligncenter"><img decoding="async" class=" wp-image-26831" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Scoreboard-1-345x191.png" alt="Scoreboard Le Hack 2025" width="397" height="220" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Scoreboard-1-345x191.png 345w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Scoreboard-1-71x39.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Scoreboard-1.png 414w" sizes="(max-width: 397px) 100vw, 397px" /><figcaption id="caption-attachment-26831" class="wp-caption-text"><em>Scoreboard Le Hack 2025</em></figcaption></figure>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">The following technical analyses focus on the key takeaways from each presentation, emphasizing practical implications for security professionals. </p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">GPO parser (Synacktiv) </h2>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><em>Speaker: Wilfried Bécard</em></p>
<p style="text-align: justify;">Synacktiv’s offensive security team introduced a new open-source tool designed to simplify a task that’s both important and often frustrating when dealing with Active Directory compromises: analyzing Group Policy Objects (GPOs). </p>
<p style="text-align: justify;">GPOs are a key mechanism used by organizations to manage configurations across their Windows environments. They can enforce security policies, run scripts, install software, and more, often without users even realizing it. From an attacker’s perspective, understanding how these policies are set up can provide valuable insight into where to escalate privileges or how to move laterally. But going through GPOs manually to spot those opportunities is time-consuming and not always straightforward. </p>
<p style="text-align: justify;">Synacktiv’s tool takes things a step further than what’s currently out there for parsing GPOs. While many tools focus on who can apply which policies (by looking at access control lists (ACLs) and linked objects) this one digs into what the policies actually <em>do</em>. It pulls out useful details like which users or groups are being added, what scripts are being run, or which software gets pushed to machines. That deeper look can uncover more complex paths an attacker might take to move through a network, especially ones that aren’t visible when you&#8217;re just looking at ACLs. </p>
<p style="text-align: justify;">The tool also integrates smoothly with BloodHound. By feeding it richer GPO data, BloodHound can show privilege escalation routes that might not show up with simpler analysis. That means defenders, red teamers, and anyone working in AD environments get a clearer picture of how an attacker might chain together GPO behavior to gain access or move around. </p>
<p style="text-align: justify;">Synacktiv plans to release the tool soon on <span style="color: #333399;"><a style="color: #333399;" href="https://github.com/synacktiv">their GitHub</a>.</span> Whether you’re securing a domain or testing one, it’s definitely worth keeping an eye on. </p>
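<p style="text-align: justify;">To make the “what the policy actually does” idea concrete, here is an added example (not Synacktiv’s tool and not code from the talk) that pulls the same kind of facts out of the three SYSVOL artefacts most often involved: the Group Policy Preferences Groups.xml, the Restricted Groups section of GptTmpl.inf and scripts.ini. The file layouts follow the documented SYSVOL formats; the sample files, domain, SIDs, GUIDs and paths are constructed for the demo. Real GptTmpl.inf files on SYSVOL are UTF-16, so read them with encoding="utf-16" before handing the text to the parser.</p>

```python
"""Added example (not Synacktiv's tool): extract what a GPO *does* from the
SYSVOL files that change local group membership or run scripts.
Layouts follow the documented SYSVOL formats; every domain, SID, GUID and
path below is constructed for the demo."""
import configparser
import xml.etree.ElementTree as ET

# Local groups worth a second look when a GPO touches them (well-known SIDs).
HIGH_VALUE_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-32-580": "Remote Management Users",
}

# Constructed: Machine\Preferences\Groups\Groups.xml (Group Policy Preferences)
GROUPS_XML = r"""<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CORP\Helpdesk" action="ADD" sid="S-1-5-21-1111-2222-3333-1105"/>
        <Member name="CORP\OldAdmins" action="REMOVE" sid="S-1-5-21-1111-2222-3333-1200"/>
      </Members>
    </Properties>
  </Group>
</Groups>"""

# Constructed: Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf (Restricted Groups).
GPTTMPL_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105,CORP\svc_backup
*S-1-5-32-555__Members = CORP\Domain Users
"""

# Constructed: Machine\Scripts\scripts.ini (psscripts.ini uses the same layout)
SCRIPTS_INI = r"""[Startup]
0CmdLine=\\corp.local\SysVol\corp.local\scripts\deploy.ps1
0Parameters=-ExecutionPolicy Bypass
1CmdLine=setup.bat
1Parameters=
"""


def _ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep case: '0CmdLine', '*S-1-5-32-544__Members'
    cp.read_string(text)
    return cp


def parse_gpp_groups(xml_text):
    """Group Policy Preferences: principals added to / removed from local groups."""
    findings = []
    for group in ET.fromstring(xml_text).iter("Group"):
        props = group.find("Properties")
        if props is None:
            continue
        target = props.get("groupSid") or props.get("groupName")
        for member in props.iter("Member"):
            findings.append({"source": "GPP Groups.xml",
                             "action": member.get("action", "ADD").upper(),
                             "principal": member.get("sid") or member.get("name"),
                             "local_group": target})
    return findings


def parse_restricted_groups(inf_text):
    """[Group Membership]: '<group>__Members' *replaces* the group's member list,
    '<group>__Memberof' nests the group into others. SIDs carry a '*' prefix."""
    cp = _ini(inf_text)
    findings = []
    if not cp.has_section("Group Membership"):
        return findings
    for key, value in cp.items("Group Membership"):
        group, _, relation = key.rpartition("__")
        group = group.lstrip("*")
        for raw in value.split(","):
            principal = raw.strip().lstrip("*")
            if not principal:
                continue
            if relation == "Members":      # principal becomes a member of group
                member, container = principal, group
            elif relation == "Memberof":   # group becomes a member of principal
                member, container = group, principal
            else:
                continue
            findings.append({"source": "Restricted Groups", "action": "SET_MEMBER",
                             "principal": member, "local_group": container})
    return findings


def parse_scripts(ini_text):
    """Startup/shutdown (or logon/logoff) scripts: 'NCmdLine' / 'NParameters' pairs."""
    cp = _ini(ini_text)
    findings = []
    for section in ("Startup", "Shutdown", "Logon", "Logoff"):
        if not cp.has_section(section):
            continue
        for key, cmd in cp.items(section):
            if key.endswith("CmdLine"):
                idx = key[: -len("CmdLine")]
                findings.append({"source": "scripts.ini", "action": "RUN_" + section.upper(),
                                 "command": cmd,
                                 "parameters": cp.get(section, idx + "Parameters", fallback="")})
    return findings


def analyse_gpo(groups_xml, gpttmpl_inf, scripts_ini):
    return parse_gpp_groups(groups_xml) + parse_restricted_groups(gpttmpl_inf) + parse_scripts(scripts_ini)


def privileged_changes(findings):
    """Membership changes to high-value local groups: each one is an edge
    'principal -> local group on every computer the GPO is linked to'."""
    return [f for f in findings if f.get("local_group") in HIGH_VALUE_GROUPS]


if __name__ == "__main__":
    for f in privileged_changes(analyse_gpo(GROUPS_XML, GPTTMPL_INF, SCRIPTS_INI)):
        print(f"{f['source']}: {f['action']} {f['principal']} -> {HIGH_VALUE_GROUPS[f['local_group']]}")
```

<p style="text-align: justify;">Each returned item is an effect rather than a permission: a principal that ends up in a local group on every computer the GPO is linked to, or a script that runs there at startup. Joining those effects with the GPO link and ACL data is what lets BloodHound-style tooling display the resulting path, which is exactly what an ACL-only view misses.</p>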
<p style="text-align: justify;">  </p>
<h2 style="text-align: justify;">DCOM Turns 20: Revisiting a Legacy Interface in the Modern Threatscape </h2>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><em>Speaker: Julien Bedel</em></p>
<h3 style="text-align: justify;">DCOM Architecture </h3>
<p style="text-align: justify;">The &#8220;DCOM Turns 20&#8221; conference presented a technical analysis of the <strong>evolving threats</strong> related to Component Object Model (COM) and its distributed version (DCOM). Throughout the years, COM has established itself as<strong> a central element </strong>of the Windows ecosystem by enabling <strong>interoperability </strong>between applications through <strong>unique identifiers</strong> (GUID and ProgID). This design facilitates interactions between programs of different languages (i.e. C++, VBS, PowerShell &#8230;) but now represents a considerable attack surface with<strong> over 30,000 interfaces </strong>available on a single Windows 11 workstation.  </p>
<p style="text-align: justify;">This functional richness offers attackers multiple initial access possibilities, ranging from command execution to file downloading, making restriction of access to COM classes technically impossible without compromising system stability. </p>
<p style="text-align: justify;">Organizations must therefore rely on compensating controls such as AppLocker policies to restrict executable paths and EDR solutions to detect suspicious COM-based activities. </p>
<p style="text-align: justify;"> </p>
<h3 style="text-align: justify;">Persistence Techniques and Lateral Movement </h3>
<p style="text-align: justify;">Attackers can add specific registry keys under HKCU (which, for non-elevated processes, takes priority over HKLM when a COM class is resolved) to <strong>redirect</strong> COM calls to malicious DLLs. This method requires a sophisticated approach: <strong>proxying the legitimate functions</strong> of the original DLL and targeting specific processes (Office applications, browsers, VPN clients, EDR agents) that remain active during the session and communicate regularly with external networks. For lateral movement, DCOM uses <strong>AppIDs</strong> to identify groups of COM classes that are accessible remotely. </p>
<p style="text-align: justify;">A reachable port 135 (the RPC endpoint mapper; the actual DCOM calls then use dynamically allocated high ports) signals DCOM availability, enabling tools such as <strong>DcomExec</strong> to execute commands remotely, in particular through Excel and other Office suite interfaces. </p>
<p style="text-align: justify;">Defense against these lateral movement techniques requires implementing network firewalls to restrict RPC traffic, deploying IDS/IPS solutions to monitor suspicious DCOM communications, and establishing proper network segmentation to limit attackers&#8217; ability to pivot across systems. </p>
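<p style="text-align: justify;">As an added example (not part of the talk), here is detection logic for the per-user COM hijack described above, run over constructed Sysmon Event ID 13 (registry value set) records: a write to HKU\&lt;user SID&gt;\Software\Classes\CLSID\{clsid}\InprocServer32 scores higher when the same CLSID is also registered machine-wide (the proxying pattern) and when the server binary sits in a user-writable folder. Field names follow Sysmon; the SIDs, CLSIDs, paths and the list of machine-wide CLSIDs are made up, and on a real host that list would be read from HKLM\SOFTWARE\Classes\CLSID.</p>

```python
"""Added example, not from the talk: detection logic for the HKCU COM hijack,
run over constructed Sysmon Event ID 13 (RegistryEvent, value set) records.
Field names follow Sysmon; SIDs, CLSIDs and paths are made up."""
import re

# A per-user COM server registration:
#   HKU\<sid>\Software\Classes\CLSID\{clsid}\InprocServer32\(Default)
COM_SERVER_RE = re.compile(
    r"^HKU\\(?P<user_sid>S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\"
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\\"
    r"(?P<server>InprocServer32|LocalServer32)\\\(Default\)$",
    re.IGNORECASE,
)
# Path fragments a standard user can write to (compared lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed: CLSIDs registered machine-wide under HKLM on the monitored host.
MACHINE_CLSIDS = {"AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"}

# Constructed 'key=value|key=value' rendering of four Sysmon records.
SAMPLE_EVENTS = [
    # reg.exe registers, per user, a CLSID that HKLM already owns, pointing at AppData: hijack
    r"EventID=13|Image=C:\Windows\System32\reg.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32\(Default)|Details=C:\Users\bob\AppData\Roaming\Update\shell32p.dll",
    # a per-user install registering its own, new CLSID under Program Files: benign
    r"EventID=13|Image=C:\Program Files\Vendor\setup.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}\InprocServer32\(Default)|Details=C:\Program Files\Vendor\vendor.dll",
    # Run-key persistence: a different technique, not matched here
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\bob\AppData\Local\upd.exe",
    # key creation (Event ID 12) carries no value: ignored
    r"EventID=12|Image=C:\Windows\System32\reg.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32",
]


def parse_event(line):
    """Constructed record format: fields separated by '|', each 'Name=Value'."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def analyse_registry_events(lines, machine_clsids):
    """Return one finding per per-user COM server registration, scored by the
    two indicators of the proxy-DLL hijack: shadowing an HKLM class and
    loading the server from a user-writable path."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue
        match = COM_SERVER_RE.match(event.get("TargetObject", ""))
        if not match:
            continue
        server = event.get("Details", "").strip('"')
        reasons = []
        if match["clsid"].upper() in machine_clsids:
            reasons.append("shadows a machine-wide HKLM registration (proxy/hijack pattern)")
        if any(marker in server.lower() for marker in USER_WRITABLE):
            reasons.append("COM server binary lives in a user-writable location")
        severity = {0: "info", 1: "medium", 2: "high"}[len(reasons)]
        findings.append({"severity": severity, "user_sid": match["user_sid"],
                         "clsid": match["clsid"].upper(), "server_type": match["server"],
                         "server": server, "image": event.get("Image"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_registry_events(SAMPLE_EVENTS, MACHINE_CLSIDS):
        print(f["severity"], f["clsid"], f["server"], f["reasons"])
```

<p style="text-align: justify;">The same pattern applies to the TreatAs subkey and to ProgID redirections; the two indicators are what separate the hijack from the many legitimate per-user registrations that installers write. Note that elevated (high-integrity) processes ignore per-user COM registrations, which is why the technique targets long-lived user-level processes such as those listed above.</p>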
<p style="text-align: justify;"> </p>
<h3 style="text-align: justify;">Privilege Escalation and Bypasses </h3>
<p style="text-align: justify;">The conference demonstrated how DCOM serves as the underlying foundation for many widely used privilege escalation techniques. A significant portion of these exploits are commonly known as &#8220;Potato&#8221; attacks. These techniques have proliferated because Microsoft does not consider them as constituting a breach of security boundaries, leading to the development of multiple variants over time, despite occasional patches being released to address specific implementations.  </p>
<p style="text-align: justify;">The presentation further illustrated how DCOM interfaces serve as a versatile exploitation platform, enabling attackers to achieve diverse objectives through various Windows-specific techniques, from NTLM relay attacks against RDP users to UAC bypass mechanisms, highlighting the breadth of attack vectors available within Microsoft&#8217;s DCOM architecture. </p>
<p style="text-align: justify;">To counter these threats, organizations must implement a defence-in-depth strategy: protocol signing, disabling NTLM wherever possible, and security solutions such as EDR, IDS or IPS. </p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">Browser Cache Smuggling: the return of the dropper </h2>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><em>Speaker : Aurélien Chalot</em></p>
<p style="text-align: justify;">The “Browser Cache Smuggling: the return of the dropper” talk presented a different approach to malware delivery and execution during a Red Team engagement. Since attachments in mailboxes are increasingly inspected by security tools, the speaker proposed an alternative way of delivering a payload to a victim&#8217;s machine. Two ideas were highlighted: </p>
<ul style="text-align: justify;">
<li>Browsers cache web resources to save bandwidth, which means those files are written to disk on the victim’s machine. </li>
<li>Well-known software such as Microsoft Teams can still be vulnerable to DLL search-order hijacking. </li>
</ul>
<p style="text-align: justify;">The attack path relies on the victim being lured to a website controlled by the attacker, where an object carrying the malicious payload is embedded in the HTML page. Since browsers only cache certain resources, selected by MIME type, the attacker must serve the file with a cacheable Content-Type such as image/jpeg. The payload is then silently written to the browser cache, a temporary folder on the victim’s machine that is readable and writable by the current user. </p>
<p style="text-align: justify;">Once the payload is delivered, the attacker needs a way to execute it. The second part of the talk explained how trusted software can be used to hide code and traffic. A specific version of Microsoft Teams was used to demonstrate how DLL proxying can achieve such execution discreetly. When Teams starts, it tries to load several DLLs following the Windows DLL search order. Because some of these DLLs are missing, the search eventually falls back to the folder where Teams is installed. As that folder is readable and writable by the current user, the attacker only has to convince the user to move the malicious payload (the malicious DLL) from the browser cache folder into the Teams folder. </p>
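<p style="text-align: justify;">As an added example (not from the talk or the linked articles), the following check catches the smuggled file on the wire or in a proxy capture: it parses an HTTP response, compares the declared Content-Type with the body’s magic bytes, and reports an “image” that is really a PE file together with whether the response is cacheable. The responses and the PE stub are constructed; the check only knows the handful of file signatures listed in it.</p>

```python
"""Added example, not from the talk: flag HTTP responses whose declared image
Content-Type does not match the body's file signature. Responses and the PE
stub below are constructed."""

# (magic bytes, MIME type) for the few formats this check understands.
MAGIC = [
    (b"MZ", "application/vnd.microsoft.portable-executable"),  # PE: .exe / .dll
    (b"\x7fELF", "application/x-elf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
EXECUTABLE_TYPES = {"application/vnd.microsoft.portable-executable", "application/x-elf", "application/zip"}


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sniff(body):
    """Return the MIME type implied by the body's leading bytes, or None."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def is_cacheable(headers):
    """A browser may keep the body on disk unless the server said no-store."""
    return "no-store" not in headers.get("cache-control", "").lower()


def inspect(url, raw):
    """Finding when the server claims an image but ships an executable/archive."""
    _, headers, body = parse_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    if declared.startswith("image/") and actual in EXECUTABLE_TYPES:
        return {"url": url, "declared": declared, "actual": actual,
                "cacheable": is_cacheable(headers), "size": len(body)}
    return None


def scan(responses):
    return [f for f in (inspect(url, raw) for url, raw in responses) if f]


# Constructed: a DOS header magic followed by padding, not a real binary.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60

SAMPLE_RESPONSES = [
    ("https://cdn.example.test/logo.jpg",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nCache-Control: max-age=86400\r\n\r\n"
     + b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("https://cdn.example.test/banner.jpg",  # the smuggled DLL: image type, PE body, long cache lifetime
     b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nCache-Control: max-age=31536000\r\n\r\n"
     + PE_STUB),
    ("https://files.example.test/tool.exe",  # an honest download: no mismatch, nothing cached
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nCache-Control: no-store\r\n\r\n"
     + PE_STUB),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding)
```

<p style="text-align: justify;">The mismatch is the signal, not the file type alone: executables are downloaded legitimately all day, but an image that starts with an MZ header has no honest explanation. The same comparison can run on the cache folder itself, where the cached body is the first thing in the entry for every browser that stores it unencrypted.</p>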
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><em><span style="text-decoration: underline;">Limits of this attack: </span></em></p>
<ul style="text-align: justify;">
<li>The cache folder is scanned by EDR products (not only Microsoft Defender, as tested in the original article), so the temporary file may be quarantined and alerts raised. </li>
<li>Moving the payload from the cache folder to the vulnerable software’s folder relies on social engineering; this is not a zero-click compromise path. </li>
<li>Firefox is rarely the default browser in companies nowadays, and Google Chrome and Microsoft Edge use more complex storage mechanisms for cached files. </li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><span style="text-decoration: underline;"><em>Countermeasures: </em></span></p>
<ul style="text-align: justify;">
<li>Configure a regular purge of cached files in the browser configuration. </li>
<li>Ensure that the EDR/AV scans temporary files. </li>
<li>Restrict modification of the browser’s temporary folder by standard users. </li>
</ul>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><em><span style="text-decoration: underline;">Links to the articles: </span></em></p>
<ul style="text-align: justify;">
<li><span style="color: #333399;"><a style="color: #333399;" href="https://blog.whiteflag.io/blog/browser-cache-smuggling/">https://blog.whiteflag.io/blog/browser-cache-smuggling/</a></span></li>
<li><span style="color: #333399;"><a style="color: #333399;" href="https://blog.whiteflag.io/blog/brower-cache-smuggling-the-return-of-the-dropper/">https://blog.whiteflag.io/blog/brower-cache-smuggling-the-return-of-the-dropper/</a></span></li>
</ul>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">When climate change benefits to APTs </h2>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;"><em>Speaker: Cybelle Oliveira</em></p>
<p style="text-align: justify;">Cybelle Oliveira presented a talk on the evolution of several APTs observed over the last few years: the specialisation of a dozen APT groups now engaged in an “environmental warfare”. These APTs now target vital environmental industrial infrastructures (water treatment, power grids, carbon capture labs, etc.), especially those protecting populations from the effects of climate change. To quote the figures given during the talk, a 340% rise in malicious activity targeting climate infrastructure was observed between 2022 and 2025, and in 89% of these attacks populations were physically impacted. </p>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">So why shift targets from private companies to climate infrastructures? One of the main answers is climate change itself. Attackers seem to have understood its challenges perfectly and turned them into opportunities: weaponising extreme temperatures and the availability of the infrastructures that help populations cope with a changing climate gives powerful extortion leverage, as the impact may affect the population of whole regions. How would a state react if hundreds of thousands of its citizens were deprived of heating during winter or of ventilation during ever hotter summers? </p>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">This growing trend is reinforced by the lack of preparation of these industries for advanced cyber threats. Industrial information systems are known not to share the lifecycle of classic IT: the need for availability delays updates heavily, and systems are often kept in service for more than a decade. Consequently, the obsolescence of the equipment and protocols used in OT environments makes them easy targets. In particular, Modbus, a historical OT communication protocol with no security features (no authentication, no integrity checks), is still widespread on networks even though secure protocols such as OPC UA have since emerged. Worse, thousands of Modbus ports can easily be found exposed on the Internet, creating entry points straight into industrial networks. This reflects the lack of inventory and mapping of vital climate infrastructures, which prevents Blue Teams from efficiently identifying and securing the attack surface. </p>
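<p style="text-align: justify;">The Modbus weakness mentioned above can be made tangible with an added example (not from the talk): a passive monitor that parses Modbus/TCP frames and alerts on write-class function codes coming from any host that is not an allow-listed engineering station. The frame layout follows the Modbus/TCP specification (MBAP header followed by the PDU); the IP addresses, allowlist and frames are constructed for the demo, and request direction is inferred from the destination port (502).</p>

```python
"""Added example, not from the talk: a passive monitor for Modbus/TCP write
requests. Frame layout follows the Modbus/TCP spec (MBAP header + PDU);
addresses, allowlist and frames are constructed."""
import struct

MODBUS_PORT = 502
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(frame):
    """Split a Modbus/TCP frame. MBAP = transaction id (2), protocol id (2, always 0),
    length (2, number of bytes that follow), unit id (1); then the PDU =
    function code (1) + data. Nothing in here identifies or authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function": frame[7], "data": frame[8:]}


def describe(function, data):
    """Human-readable summary of the write: which address, what value/count."""
    if function in (5, 6) and len(data) >= 4:
        address, value = struct.unpack("!HH", data[:4])
        return f"{WRITE_FUNCTIONS[function]} address={address} value=0x{value:04x}"
    if function in (15, 16) and len(data) >= 4:
        address, count = struct.unpack("!HH", data[:4])
        return f"{WRITE_FUNCTIONS[function]} address={address} count={count}"
    return WRITE_FUNCTIONS.get(function, f"function {function}")


def audit_writes(packets, allowed_writers):
    """packets: (src_ip, dst_ip, dst_port, payload). Alert on any write-class
    function code sent to TCP/502 by a host outside the allowlist: the protocol
    cannot refuse the write, so the network monitor has to notice it."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_PORT:
            continue
        try:
            msg = parse_modbus_tcp(payload)
        except ValueError:
            continue  # malformed or non-Modbus traffic on 502: out of scope here
        if msg["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "unit_id": msg["unit_id"],
                           "function": msg["function"],
                           "detail": describe(msg["function"], msg["data"])})
    return alerts


ALLOWED_WRITERS = {"10.0.1.5"}  # constructed: the site's HMI / engineering station
SAMPLE_PACKETS = [
    # HMI reads 10 holding registers from unit 1 (function 3): normal
    ("10.0.1.5", "10.0.1.20", 502, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # HMI writes a setpoint of 3000 to register 16 (function 6): allowed writer
    ("10.0.1.5", "10.0.1.20", 502, bytes.fromhex("0002 0000 0006 01 06 0010 0bb8")),
    # Internet host writes register 16 to 0 (function 6): no credential needed, alert
    ("203.0.113.7", "10.0.1.20", 502, bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
    # malformed frame (length field lies): skipped, not crashed on
    ("203.0.113.7", "10.0.1.20", 502, bytes.fromhex("0004 0000 0009 01 06 0010")),
]

if __name__ == "__main__":
    for alert in audit_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

<p style="text-align: justify;">The twelve bytes of the third frame are the whole story: anyone who can reach TCP/502 can set a register, and the PLC has no field in which a credential or signature could even be carried. An allowlist of writers at the network layer, and an alert when it is violated, is the compensating control until the device speaks an authenticated protocol.</p>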
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">In conclusion, climate change and its effects should now be factored into CTI to better anticipate risk periods and new threats, since attackers already plan their actions on these criteria. In addition, helping industry secure climate infrastructures becomes a priority, to protect populations as well as to secure climate action globally. </p>
<p style="text-align: justify;"> </p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2025/07/lehack-2025-what-to-remember/">LeHack 2025: What to Remember</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2025/07/lehack-2025-what-to-remember/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Resilience Entra ID</title>
		<link>https://www.riskinsight-wavestone.com/en/2025/07/resilience-entra-id/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2025/07/resilience-entra-id/#respond</comments>
		
		<dc:creator><![CDATA[Pierre LALIN]]></dc:creator>
		<pubDate>Thu, 03 Jul 2025 08:42:03 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[Active directory]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cyber resilience]]></category>
		<category><![CDATA[Entra ID]]></category>
		<category><![CDATA[risk management strategy & governance]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=26544</guid>

<description><![CDATA[<p>Entra ID (formerly known as Azure AD) is an Identity and Access Management solution. Through a Cloud-based directory, administrators provision and manage the lifecycle of various identities, from users and applications to devices. Unlike Microsoft Active Directory, Entra ID extends its...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2025/07/resilience-entra-id/">Resilience Entra ID</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;">Entra ID (formerly known as Azure AD) is an Identity and Access Management solution. Through a Cloud-based directory, administrators provision and manage the lifecycle of various identities, from users and applications to devices. Unlike Microsoft Active Directory, Entra ID extends its authentication and authorization capabilities beyond the company&#8217;s network to cover SaaS applications, on-premises and Cloud workloads, from either company-owned devices or BYOD. These new features and connections rely on web-based protocols such as SAML and on a simplified identity structure (an AD forest versus an Entra ID tenant).</p>
<p style="text-align: justify;">In this article, we present the cyber-resilience challenge of Entra ID, explain why the native features are incomplete, and share the results of a PoC conducted with an open-source tool, Microsoft 365 DSC, to back up and recover Entra ID data.</p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">The challenge of cyber-resilience in managed Cloud services</h2>
<p> </p>
<p style="text-align: justify;">With Entra ID, directory management follows the Cloud paradigm: the network, storage, compute, OS and application layers are handled by Microsoft, leaving the customer to focus solely on its identity data.</p>
<p><img decoding="async" class="aligncenter wp-image-26527 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Diapositive1.jpg" alt="" width="1280" height="720" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Diapositive1.jpg 1280w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Diapositive1-340x191.jpg 340w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Diapositive1-69x39.jpg 69w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Diapositive1-768x432.jpg 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/07/Diapositive1-800x450.jpg 800w" sizes="(max-width: 1280px) 100vw, 1280px" /></p>
<p style="text-align: justify;">This fundamental difference has an impact on the resiliency of the service. Full system backups (system state backups or snapshots of domain controllers), which are common practice on AD, have no native equivalent on a managed service such as Entra ID. Thus, to face a disaster recovery scenario caused by malicious activity, we can only rely on native Microsoft functionalities: the identity lifecycle model, the RBAC administration model and the import/export capabilities.</p>
<p> </p>
<h2 style="text-align: justify;">The incomplete soft delete model</h2>
<p> </p>
<p style="text-align: justify;">To ensure resilience, Cloud services widely use a soft delete mechanism, whose main purpose is to recover data after an accidental deletion. For example, in an Azure Recovery Services vault, soft delete is the last safeguard against the intentional or unintentional deletion of backups; combined with immutability settings, the vault cannot be erased regardless of admin permissions.</p>
<p style="text-align: justify;">In Entra ID, the concept of soft delete exists but is insufficient to ensure data resilience, for two reasons. On the one hand, there is no role distinction between soft delete and hard delete, and no dedicated recovery role: the permissions required to delete an object are sufficient to delete it permanently. On the other hand, the whole life cycle of an object in Entra ID (create, manage, delete) is governed by the same role:</p>
<ul>
<li>The role User Administrator can both create and hard-delete a user</li>
<li>The role Cloud Application Administrator can register an application, configure all aspects of the application and hard-delete the application</li>
<li>The role Cloud Device Administrator can add a device, configure all aspects of the device and unregister a device</li>
</ul>
<h2> </h2>
<h2 style="text-align: justify;">The impact of a deletion on Entra ID</h2>
<p> </p>
<p style="text-align: justify;">This design makes the User Administrator, Privileged Authentication Administrator, Cloud Application Administrator, Application Administrator, Cloud Device Administrator, Intune Administrator and Windows 365 Administrator roles all the more critical, as their compromise can lead to the permanent loss of identity data. The impact of such a deletion can be a loss of access to applications and data, a loss of permissions, and an inability to administer the tenant.</p>
<p style="text-align: justify;">Although the deletion of hybrid users synchronised from an on-premises AD is reversible, information such as role assignments is lost, threatening the rights and access model. This fallback does not exist for cloud-only identities, which generally belong to the Control Plane. In the Enterprise Access Model, the Control Plane holds the most sensitive access, so its loss can lead to a global compromise of the Information System.</p>
<p style="text-align: justify;">In a disaster recovery scenario, some assets are more critical than others and should be backed up as a priority. These include:</p>
<ul>
<li>Control Plane users, groups and roles assigned</li>
<li>Enterprise Applications (service principals) with critical permissions over Azure or Microsoft 365</li>
<li>Administrative workstations</li>
</ul>
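<p style="text-align: justify;">As an added example (not part of the article), the following planner turns that priority list into an ordered restore plan by comparing a backup export with the live tenant: Control Plane users come first, including those that still exist but have lost their role assignments, hybrid users are routed back through the sync engine with their roles queued for re-assignment, and any privileged object that appeared after the backup is queued for review rather than trusted. The snapshot layout mimics Microsoft Graph field names; every user, object id and role assignment is constructed.</p>

```python
"""Added example, not from the article: a restore planner that compares an
Entra ID backup export with the live tenant and orders the work Control Plane
first. Snapshot layout (users + role assignments) mimics Microsoft Graph
field names; all tenant data below is constructed."""

# Built-in roles whose holders make up the Control Plane (the ones the article lists,
# plus the two role-management roles).
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Privileged Authentication Administrator", "User Administrator",
    "Application Administrator", "Cloud Application Administrator",
    "Cloud Device Administrator", "Intune Administrator", "Windows 365 Administrator",
}


def _roles_by_upn(snapshot):
    """Map each user's UPN to the set of directory roles assigned to it."""
    upn_by_id = {u["id"]: u["userPrincipalName"].lower() for u in snapshot["users"]}
    roles = {}
    for assignment in snapshot["roleAssignments"]:
        upn = upn_by_id.get(assignment["principalId"])
        if upn:
            roles.setdefault(upn, set()).add(assignment["roleName"])
    return roles


def plan_restore(backup, live):
    """Return ordered restore steps. Users are matched by UPN because a recreated
    object gets a new object id. Hybrid users (onPremisesSyncEnabled) come back
    through the sync engine, but their role assignments still have to be re-applied."""
    backup_users = {u["userPrincipalName"].lower(): u for u in backup["users"]}
    live_users = {u["userPrincipalName"].lower(): u for u in live["users"]}
    backup_roles, live_roles = _roles_by_upn(backup), _roles_by_upn(live)
    steps = []
    for upn, user in backup_users.items():
        wanted = backup_roles.get(upn, set())
        control_plane = bool(wanted & PRIVILEGED_ROLES)
        if upn not in live_users:
            action = "resync_from_onprem" if user.get("onPremisesSyncEnabled") else "recreate_cloud_user"
            steps.append({"action": action, "upn": upn, "roles_to_assign": sorted(wanted),
                          "control_plane": control_plane})
            continue
        lost = wanted - live_roles.get(upn, set())
        if lost:
            steps.append({"action": "reassign_roles", "upn": upn, "roles_to_assign": sorted(lost),
                          "control_plane": control_plane})
    for upn in live_users:
        if upn not in backup_users:  # created since the backup: review, never delete blindly
            extra = live_roles.get(upn, set())
            steps.append({"action": "review_new_object", "upn": upn, "roles_to_assign": [],
                          "control_plane": bool(extra & PRIVILEGED_ROLES),
                          "current_roles": sorted(extra)})
    # Control Plane first; within a tier keep a deterministic order.
    steps.sort(key=lambda s: (not s["control_plane"], s["action"], s["upn"]))
    return steps


# Constructed backup export taken before the incident.
BACKUP = {
    "users": [
        {"id": "0001", "userPrincipalName": "alice@contoso.test", "onPremisesSyncEnabled": False},
        {"id": "0002", "userPrincipalName": "bob@contoso.test", "onPremisesSyncEnabled": True},
        {"id": "0003", "userPrincipalName": "carol@contoso.test", "onPremisesSyncEnabled": False},
        {"id": "0004", "userPrincipalName": "dave@contoso.test", "onPremisesSyncEnabled": False},
    ],
    "roleAssignments": [
        {"principalId": "0001", "roleName": "Global Administrator"},
        {"principalId": "0002", "roleName": "User Administrator"},
        {"principalId": "0004", "roleName": "Cloud Application Administrator"},
    ],
}
# Constructed live state after the incident: bob and dave hard-deleted,
# alice stripped of her role, a new Global Administrator "eve" appeared.
LIVE = {
    "users": [
        {"id": "0001", "userPrincipalName": "alice@contoso.test", "onPremisesSyncEnabled": False},
        {"id": "0003", "userPrincipalName": "carol@contoso.test", "onPremisesSyncEnabled": False},
        {"id": "0099", "userPrincipalName": "eve@contoso.test", "onPremisesSyncEnabled": False},
    ],
    "roleAssignments": [{"principalId": "0099", "roleName": "Global Administrator"}],
}

if __name__ == "__main__":
    for step in plan_restore(BACKUP, LIVE):
        print(step)
```

<p style="text-align: justify;">The plan is only as good as the export it reads: whichever of the three methods below is used, the backup must capture role assignments alongside the objects, otherwise the “reassign_roles” steps, which are the ones that give the Control Plane back, cannot be computed.</p>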
<h2> </h2>
<h2 style="text-align: justify;">Comparison of backup open-source methods</h2>
<p> </p>
<p style="text-align: justify;">To reduce the risk of malicious data loss in Entra ID, implementing a backup solution seems essential, at least for the Control Plane, in order to keep control of your Information System and be able to rebuild. We have therefore analysed three open-source methods for backing up the data:</p>
<ul style="text-align: justify;">
<li><strong>Microsoft Graph PowerShell</strong>: the PowerShell module for the Microsoft Graph APIs. You build your own script(s) to export and import the Entra ID object attributes that fit your organisation’s needs</li>
<li><strong>Microsoft Entra Exporter</strong>: a PowerShell module that exports a local copy of some Entra ID objects (users, applications, service principals, roles, etc.) into JSON files</li>
<li><strong>Microsoft 365 Desired State Configuration (DSC)</strong>: a PowerShell module for the declarative configuration, deployment and management of Microsoft 365 services</li>
</ul>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">Backing up Entra ID objects with Microsoft 365 DSC</h2>
<p> </p>
<p style="text-align: justify;">In this part, we will explain how we tested the open-source solution Microsoft 365 DSC and share the results and conclusions we got.</p>
<h3 style="text-align: justify;">Our PoC</h3>
<p style="text-align: justify;">Microsoft 365 DSC enables the management of the configuration and state of Microsoft 365 services following a declarative approach. By defining the desired state rather than specific steps, it simplifies the management of complex cloud configurations and ensures consistency across the environment.</p>
<p style="text-align: justify;">In the context of a PoC, the test population deployed in our test tenant is as follows:</p>
<ul style="text-align: justify;">
<li>30 Cloud Only Users (randomly generated by Microsoft as part of the test’s tenant creation process)</li>
<li>10 Security Groups (randomly assigned to Users)</li>
</ul>
<p style="text-align: justify;">The purpose of this PoC is to identify the benefits and limitations of the solution through a series of tested and documented use cases:</p>
<table>
<tbody>
<tr>
<td style="text-align: center;" colspan="3" width="623">
<p><strong>Users</strong></p>
</td>
</tr>
<tr>
<td style="text-align: center;" colspan="2" width="365">
<p><strong>Use cases</strong></p>
</td>
<td style="text-align: center;" width="257">
<p><strong>Findings</strong></p>
</td>
</tr>
<tr>
<td width="161">
<p><strong>What happens if we delete a user and then restore a backup?</strong></p>
</td>
<td width="204">
<p>Does the user return with all the data that was attached to them?</p>
<p>Does their password come back, or do they have a new password?</p>
<p>Do their information return or not?</p>
</td>
<td width="257">
<p>Not all attributes of the deleted users are recovered, and their password is replaced by a default password. Where an attribute points to an object that no longer exists, the script raises a non-blocking error and skips that attribute rather than assigning a dangling reference.</p>
<p>A user whose block has the “Ensure” property set to “Absent” is not recreated.</p>
</td>
</tr>
<tr>
<td width="161">
<p><strong>What happens if a user is deactivated but, in the backup, they are active?</strong></p>
</td>
<td width="204">
<p>Do they get reactivated?</p>
</td>
<td rowspan="2" width="257">
<p>The backup does not record whether a user is enabled or disabled.</p>
<p>Depending on the situation, the “Ensure” property of each user block can be set to “Absent” or “Present” so that the export matches the intended state of the tenant.</p>
<p>With “Present”, the user is treated as active and is (re)created during the restoration. With “Absent”, the user is not deployed; note that in DSC semantics “Absent” means the object must not exist, so it must not be used as a substitute for “disabled” on an account that is still present in the tenant.</p>
<p>If we attempt to restore a user marked as “Absent” who does not exist in Entra ID, we simply get a confirmation of their non-existence.</p>
</td>
</tr>
<tr>
<td width="161">
<p><strong>What happens if a user is active but, in the backup, they are deactivated?</strong></p>
</td>
<td width="204">
<p>Do they get deactivated?</p>
</td>
</tr>
<tr>
<td width="161">
<p><strong>What happens if we add a user, and the backup doesn&#8217;t contain this new user?</strong></p>
</td>
<td width="204">
<p>Does the user get deleted?</p>
<p>Do their data remain intact?</p>
</td>
<td width="257">
<p>There is no impact observed on the new user.</p>
</td>
</tr>
<tr>
<td width="161">
<p><strong>What happens if we make a backup without changing the user?</strong></p>
</td>
<td width="204">
<p>If nothing changed, what happens?</p>
<p>If only an attribute of the user (like a group) was deleted, what happens?</p>
<p>If an attribute of the user (like a group) was added, what happens?</p>
<p>If an attribute was modified (like a password), what happens?</p>
<p>If a group they belonged to was deleted, what happens?</p>
<p>What happens with the licenses assigned to a user if a backup is made before the modification?</p>
<p>What happens if we modify a user’s role before making the backup?</p>
</td>
<td width="257">
<p>Because the username (UserPrincipalName) is the key used to match a backed-up block to a user, if it has changed the user cannot be found from the backup (unless it is also changed there).</p>
<p>The attributes contained in the backup overwrite the existing ones; everything else remains untouched. Therefore, if an attribute is not included in the snapshot, it stays as it was.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify;"> </p>
<table>
<tbody>
<tr>
<td style="text-align: center;" colspan="3" width="623">
<p><strong>Groups</strong></p>
</td>
</tr>
<tr>
<td style="text-align: center;" colspan="2" width="365">
<p><strong>Use cases</strong></p>
</td>
<td style="text-align: center;" width="257">
<p><strong>Findings</strong></p>
</td>
</tr>
<tr>
<td width="161">
<p><strong>What happens if I delete a group and then restore a backup?</strong></p>
</td>
<td width="204">
<p>Does the group return with all the data that was attached to it?</p>
<p>Are the members of this group reintegrated?</p>
<p>Does the snapshot save who belongs to which group?</p>
<p>Are all groups saved in the snapshot?</p>
<p>Does the snapshot save the rights within the group?</p>
</td>
<td width="257">
<p>Only security groups and Microsoft 365 groups carrying the right sensitivity label are backed up.</p>
<p>The snapshot contains the group&#8217;s members and owners but does not save the rights granted within the group.</p>
<p>A recreated group gets a new object ID, so the snapshot must be taken again: the old snapshot does not recognize the new group and considers that it does not exist.</p>
</td>
</tr>
<tr>
<td width="161">
<p><strong>What happens if I back up a group that already exists but has modified attributes?</strong></p>
</td>
<td width="204">
<p>What happens if the name has changed?</p>
<p>What happens if a user has left the group after the snapshot?</p>
<p>What happens if there are new users after the snapshot?</p>
</td>
<td width="257">
<p>The backup overwrites the old attributes except for the name.</p>
</td>
</tr>
<tr>
<td width="161">
<p><strong>What happens if a group exists in the tenant but not in the backup?</strong></p>
</td>
<td width="204">
<p>Does it get deleted or impacted after restoration?</p>
</td>
<td width="257">
<p>There is no impact observed apart from the information defined in the configuration file.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">The process required a service account configured in Entra ID with the right Microsoft Graph permissions (<em>User.ReadWrite.All</em>, <em>Group.ReadWrite.All</em>) to export the data and later re-import it.</p>
<p style="text-align: justify;">Both are broad, tenant-wide application permissions: they grant write access to every user and group, so the identity carrying them must be protected like any other Control Plane asset (see the limitations below).</p>
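<p style="text-align: justify;">To make the PoC findings concrete, here is an added example (our own illustration, not code from the article nor from the Microsoft365DSC project) of a backup and restore round trip with M365DSC, extended with the one thing the tests showed the export cannot carry: the enabled/disabled state of accounts. Everything not named in the article is an assumption: the function names, the app registration and certificate used for authentication, the tenant and path values, and the sidecar file <em>disabled-users.json</em>.</p>

```powershell
# Added example: not code from the RiskInsight article nor from the Microsoft365DSC project.
# Wraps an M365DSC export of Entra ID users and groups with the one piece of state the PoC
# found missing (the enabled/disabled flag) and re-applies it after a restore.
# Assumptions (hypothetical values): an app registration $AppId authenticating with a
# certificate $Thumbprint from the local machine store, granted the Graph application
# permissions User.ReadWrite.All and Group.ReadWrite.All on tenant $TenantId; snapshots are
# written under $BackupRoot. Windows PowerShell 5.1, run as administrator, after:
#   Install-Module Microsoft365DSC; Update-M365DSCDependencies; Install-Module Microsoft.Graph.Users
Import-Module Microsoft365DSC
Import-Module Microsoft.Graph.Users

function Backup-EntraSnapshot {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$BackupRoot
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # 1. Declarative snapshot limited to the two components of the PoC. M365DSC writes the
    #    configuration script plus ConfigurationData.psd1 (tenant, app id, thumbprint) into $dir.
    Export-M365DSCConfiguration -Components @('AADUser', 'AADGroup') `
        -ApplicationId $AppId -TenantId $TenantId -CertificateThumbprint $Thumbprint `
        -Path $dir -FileName 'M365TenantConfig.ps1'

    # 2. Sidecar file: the AADUser resource carries no enabled/disabled flag, so record the
    #    disabled accounts ourselves, keyed by UPN because that is the key M365DSC matches on.
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $Thumbprint -NoWelcome
    $disabled = Get-MgUser -Filter 'accountEnabled eq false' -All -Property UserPrincipalName |
        Select-Object -ExpandProperty UserPrincipalName
    @{ TakenAt = $stamp; DisabledUsers = @($disabled) } | ConvertTo-Json |
        Set-Content -Path (Join-Path $dir 'disabled-users.json') -Encoding UTF8
    return $dir
}

function Restore-EntraSnapshot {
    param(
        [Parameter(Mandatory)][string]$SnapshotDir,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # 3. Compile the exported configuration to MOF and apply it. The generated script reads
    #    .\ConfigurationData.psd1 relative to the working directory, hence Push-Location; with
    #    certificate authentication there is no credential prompt. Only objects present in the
    #    snapshot are touched; objects created since are left alone (PoC finding).
    #    Caution: a block whose Ensure was edited to 'Absent' is deleted if it still exists.
    Push-Location $SnapshotDir
    try {
        & (Join-Path $SnapshotDir 'M365TenantConfig.ps1')      # produces .\M365TenantConfig\*.mof
        Start-DscConfiguration -Path (Join-Path $SnapshotDir 'M365TenantConfig') -Wait -Verbose -Force
    } finally { Pop-Location }

    # 4. Re-apply the disabled state DSC could not carry, only for accounts that now exist.
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $Thumbprint -NoWelcome
    $side = Get-Content -Path (Join-Path $SnapshotDir 'disabled-users.json') -Raw | ConvertFrom-Json
    foreach ($upn in @($side.DisabledUsers)) {
        $u = Get-MgUser -UserId $upn -Property Id, AccountEnabled -ErrorAction SilentlyContinue
        if ($u -and $u.AccountEnabled) {
            Update-MgUser -UserId $u.Id -AccountEnabled:$false
            Write-Verbose "Re-disabled $upn after restore"
        }
    }
}

function Compare-EntraSnapshots {
    # Drift detection between two snapshots (the monitoring use noted in the results below):
    # a non-empty result means users or groups changed between the two exports.
    param([Parameter(Mandatory)][string]$Previous, [Parameter(Mandatory)][string]$Current)
    Compare-M365DSCConfigurations -Source (Join-Path $Previous 'M365TenantConfig.ps1') `
        -Destination (Join-Path $Current 'M365TenantConfig.ps1')
}

# Usage (hypothetical values):
# $snap = Backup-EntraSnapshot -TenantId 'contoso.onmicrosoft.com' -AppId '<app-id>' -Thumbprint '<thumbprint>' -BackupRoot 'C:\EntraBackups'
# Restore-EntraSnapshot -SnapshotDir $snap -TenantId 'contoso.onmicrosoft.com' -AppId '<app-id>' -Thumbprint '<thumbprint>'
```

<p style="text-align: justify;">The sidecar keeps the snapshot honest on the point the table above flags (the enabled/disabled state is not exported) without touching the “Ensure” property, which in DSC means “must not exist” rather than “disabled”. The comparison function covers the monitoring use mentioned in the results.</p>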
<h3 style="text-align: justify;">Result of the PoC Microsoft 365 DSC</h3>
<p style="text-align: justify;">As a result of these tests, we were able to gather conclusive information on the solution’s benefits and limitations. On the positive side:</p>
<ul>
<li><strong>Granular Configuration Selection: </strong>The solution allows precise targeting of configurations for backup, enabling users to select specific settings.</li>
<li><strong>Recovery without deletion: </strong>During recovery, current users and groups are retained, preventing accidental deletion.</li>
<li><strong>Overwrite of Outdated Attributes: </strong>Backed-up attributes replace the old ones.</li>
<li><strong>Language of the Data Storage: </strong>Data is stored in JSON format, making it easy to manipulate and modify backup files.</li>
<li><strong>Automation Capabilities: </strong>Once the necessary tools are installed, the solution is easy to automate.</li>
<li><strong>Monitoring and Alerts: </strong>Microsoft 365 DSC can be used to monitor the consistency of the data and to raise alerts in the event of suspicious changes.</li>
<li><strong>Snapshot Versions management: </strong>It enables easy maintenance and administration of multiple snapshot versions.</li>
<li><strong>Detailed Logging Functionality: </strong>It offers the possibility to generate highly detailed logs, providing records of all operations for enhanced oversight.</li>
</ul>
<p style="text-align: justify;">Despite these advantages, the study revealed several limitations:</p>
<ul>
<li><strong>Incomplete Data in Backup: </strong>The backup process does not capture all attributes, leading to potential loss of important information.</li>
<li><strong>Backup Size Limit: </strong>The backup size is capped at 11MB, which may be insufficient for larger configurations or datasets.</li>
<li><strong>Deactivation Status Not Captured: </strong>Snapshots do not store deactivation statuses for users, potentially re-enabling disabled users during recovery.</li>
<li><strong>Unencrypted Data and Credentials: </strong>Security concerns arise from data and credentials being stored unencrypted, posing risks to sensitive information.</li>
<li><strong>Object IDs’ Loss: </strong>During imports, object IDs are lost, causing recreated objects to have new IDs, which can lead to duplicate entries in subsequent imports.</li>
<li><strong>Privileged Service Principal: </strong>The service principal involved holds elevated, tenant-wide privileges (write access to all users and groups), which makes it a prime target and a serious risk if it is not properly protected.</li>
</ul>
<p style="text-align: justify;">It is important to note that this tool does not really support “restoration”: it can re-create objects, but it does not ensure service restoration and continuity, because it cannot restore the links between the recreated objects and the applications that referenced them. This is inherent to Entra ID, which assigns object IDs at creation time and does not let an import set them. The only way to get an object back with its original ID is the Entra ID recycle bin, which covers deleted users and Microsoft 365 groups for 30 days but not security groups.</p>
<h3 style="text-align: justify;">Our opinion about Microsoft 365 DSC</h3>
<p style="text-align: justify;">Microsoft 365 DSC is a great tool when it comes to basic uses and documentation as it is simple to use and to deploy on test environments. It is also quite efficient as a monitoring tool thanks to its version control and detailed logs. However, it is not adapted to large environments because of the limited scalability, the poor user experience and security issues related to configurations and credentials. It can also lead to inconsistencies or duplication as object IDs that can be referenced elsewhere are unrecoverable.</p>
<p style="text-align: justify;">Additional solutions may be required such as scripting for handling configuration files and ensuring the consistency of the modifications, as well as well-defined encryption and backup processes. Therefore, we recommend always carefully evaluating the specific needs, planning additional developments and mainly using the solution for supervision and testing purposes.</p>
<p style="text-align: justify;">Given the limitations of Microsoft&#8217;s open-source tools, it could be worthwhile to explore what third-party vendors, such as Semperis or Quest who are pure players on the subject, have to offer. These alternatives might address some of the challenges related to scalability, reliability and security, providing options that better suit larger environments. It is important to remain open to these possibilities and evaluate them based on the specific requirements of your organization.</p>
<p style="text-align: justify;"> </p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2025/07/resilience-entra-id/">Resilience Entra ID</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2025/07/resilience-entra-id/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ACTIVE DIRECTORY RECOVERY: HOW TO BE READY ?</title>
		<link>https://www.riskinsight-wavestone.com/en/2023/02/approaches-to-quick-active-directory-recovery/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2023/02/approaches-to-quick-active-directory-recovery/#respond</comments>
		
		<dc:creator><![CDATA[Alexandre Lukat]]></dc:creator>
		<pubDate>Fri, 17 Feb 2023 09:00:00 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[Active directory]]></category>
		<category><![CDATA[Recovery]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=19676</guid>

					<description><![CDATA[<p>In nearly 90% of the incidents managed by Wavestone CERT [1], the Active Directory domain was compromised: rapid rebuilding capabilities are no longer an option. However, the backup and recovery of Active Directory environments is a subject that has long...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/02/approaches-to-quick-active-directory-recovery/">ACTIVE DIRECTORY RECOVERY: HOW TO BE READY ?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;">In nearly 90% of the incidents managed by Wavestone CERT <a href="#ref1" name="ref1-retour">[1]</a>, the Active Directory domain was compromised: rapid rebuilding capabilities are therefore no longer optional. However, the backup and recovery of Active Directory environments is a subject that has long been assumed to be under control: backups are made daily, recovery tests are performed regularly, BCP/DRP tests are conducted to ensure business continuity and recovery capabilities. But very often these processes have not evolved for several years and have not kept pace with the evolution of the cyber threat.</p>
<p style="text-align: justify;">Thinking about the right way to deal with this topic in organisations is at the crossroads of AD security enhancement and cyber resilience projects.</p>
<p>&nbsp;</p>
<h1 style="text-align: justify;">Infrastructure and backup agents: weak points</h1>
<p style="text-align: justify;">Our various assessments over the last few months have shown that backup strategies have not always evolved towards the state of the art.</p>
<p style="text-align: justify;">First problem: backup infrastructures are not resilient to cyber risk by default. For example, authentication to these backup infrastructures is very often tied to the Active Directory itself. As a result, once the attacker controls AD, the backup system can be compromised too, potentially leading to the destruction of the backups&#8230; including those of the Active Directory!</p>
<p style="text-align: justify;">And backups are a prime target for attackers. In more than 20% of the incidents managed by the Wavestone CERT in 2021, backups were impacted. It is therefore important to consider the cyber scenario &#8211; and especially the ransomware scenario &#8211; when thinking about the resilience of backups.</p>
<p style="text-align: justify;">The second problem is that Domain Controller (DC) backups are hosted in the backup tool, which often has a lower level of security than Active Directory itself. Indeed, an organisation that has already done some work to secure AD will potentially have greatly strengthened its tier 0 (always back to <a href="https://www.riskinsight-wavestone.com/en/2022/10/security-bastion-pam-and-active-directory-tiering-mode-how-to-reconcile-the-two-paradigms/">the tiering model</a>!): dedicated administration workstations, multi-factor authentication, network filtering, dedicated hardware, a limited number of privileged accounts, etc. Unfortunately, this will not necessarily be the case for the backup infrastructure. As these backups are not necessarily encrypted, an attacker could recover and exfiltrate a DC backup via the backup infrastructure, which is easier to compromise. Such a backup contains both the ntds.dit database and the SYSTEM registry hive holding the boot key that decrypts it, so nothing else is needed: once it is in hand, the attacker can extend the compromise with a &#8216;pass the hash&#8217; attack, after extracting the NT hashes, or with an offline brute-force attack on those hashes to recover clear-text passwords, to be replayed on services whose authentication is not based on Active Directory.</p>
<p style="text-align: justify;">Third problem: traditional backup methods rely on agents installed on the Domain Controllers, whose high privileges increase the risk of the systems being compromised. Backup agents almost always require administrative rights on the asset being backed up, which mechanically exposes the Domain Controllers and therefore the Active Directory domains. This leads to the paradoxical situation where the measure meant to reduce the risk of unavailability (installing a backup agent on a DC) becomes the very vulnerability that creates a potentially critical risk (unavailability of the entire information system).</p>
<p>&nbsp;</p>
<h1 style="text-align: justify;">Backup on disconnected media, on immutable infrastructure, or in the cloud: multiple strategies for multiple scenarios</h1>
<p style="text-align: justify;">To solve these problems, multiple solutions exist, and combining them makes it easier to build a robust strategy. This strategy must consider the context of the organisation as well as its cybersecurity maturity.</p>
<p style="text-align: justify;">To address the problem induced by the vulnerable agent, two approaches exist, both viable:</p>
<ol style="text-align: justify;">
<li>Reduce the probability of exploitation of the vulnerability induced by the backup agent. In addition to the classic security maintenance issues (regular updates, rapid correction of agent vulnerabilities, etc.), this involves integrating a dedicated backup tool into tier 0, whose security level will have been reinforced.</li>
<li>Get rid of the backup agent. How? By using the native Windows Server Backup feature (wbadmin), which produces a system state backup that can be exported, encrypted and moved off the tier 0 asset to a tier 1 asset, which is itself backed up by the company&#8217;s standard backup solution.</li>
</ol>
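<p style="text-align: justify;">As an added example (ours, not part of the original article), here is what approach 2 looks like when typed on a Domain Controller: a native Windows Server Backup system state backup, encrypted on the DC before anything leaves tier 0, so that the tier 1 asset and the standard backup solution only ever hold ciphertext. The function names, drive letters, share path and certificate path are assumptions; the design choice worth noting is that the per-run file keys are wrapped for a recovery certificate whose private key never leaves tier 0.</p>

```powershell
# Added example (ours, not from the RiskInsight article): the agentless route of approach 2.
# Windows Server Backup (wbadmin, built into the OS) writes the DC system state to a local
# volume; every file is then encrypted on the DC itself, and only the private key of a tier-0
# recovery certificate can unwrap the per-run keys, so the tier-1 drop point and the standard
# backup tool only ever hold ciphertext. Assumptions (hypothetical): E: is a backup volume on
# the DC (Install-WindowsFeature Windows-Server-Backup done), C:\tier0\recovery.cer is the
# public part of a Document Encryption certificate whose private key stays on a tier-0
# recovery host, \\bkp-t1\dc-drop is the tier-1 share. Windows PowerShell 5.1, as administrator.
#Requires -RunAsAdministrator

function Invoke-DcSystemStateBackup {
    param([Parameter(Mandatory)][string]$BackupVolume)    # e.g. 'E:'; must not be the system volume
    $log = & wbadmin.exe start systemstatebackup "-backupTarget:$BackupVolume" -quiet 2>&1
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed:`n$log" }
    # wbadmin stores the backup under <volume>\WindowsImageBackup\<hostname>\SystemStateBackup\...
    return Join-Path $BackupVolume "WindowsImageBackup\$env:COMPUTERNAME"
}

function Protect-BackupTree {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$DestinationDir,
        [Parameter(Mandatory)][string]$RecipientCertPath
    )
    # Fresh AES-256 and HMAC-SHA256 keys for this run, wrapped for the recovery certificate
    # with CMS (PKCS#7). The wrapped blob travels next to the ciphertext; only tier 0 can open it.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $aesKey = New-Object byte[] 32; $rng.GetBytes($aesKey)
    $macKey = New-Object byte[] 32; $rng.GetBytes($macKey)
    New-Item -ItemType Directory -Path $DestinationDir -Force | Out-Null
    Protect-CmsMessage -To $RecipientCertPath -OutFile (Join-Path $DestinationDir 'keys.cms') `
        -Content ([Convert]::ToBase64String($aesKey) + ':' + [Convert]::ToBase64String($macKey))
    $base = (Resolve-Path -Path $SourceDir).Path.TrimEnd('\')
    Get-ChildItem -Path $base -File -Recurse | ForEach-Object {
        $dst = Join-Path $DestinationDir ($_.FullName.Substring($base.Length + 1) + '.enc')
        New-Item -ItemType Directory -Path (Split-Path -Path $dst) -Force | Out-Null
        Protect-File -InPath $_.FullName -OutPath $dst -AesKey $aesKey -MacKey $macKey
    }
}

function Invoke-FileCipher {
    # Streaming loop shared by encrypt and decrypt: 1 MiB chunks, so multi-GB VHDX files are fine.
    # $MacInput = $true MACs the bytes read (ciphertext on decrypt); $false MACs the bytes produced.
    param($In, $Out, $Transform, $Hmac, [long]$Bytes, [bool]$MacInput)
    $buf = New-Object byte[] 1048576; $cbuf = New-Object byte[] 1048576; $left = $Bytes
    do {
        $n = if ($left -gt 0) { $In.Read($buf, 0, [int][Math]::Min([long]$buf.Length, $left)) } else { 0 }
        if ($n -eq 0 -and $left -gt 0) { throw 'unexpected end of file' }
        $left -= $n
        if ($MacInput) { $Hmac.TransformBlock($buf, 0, $n, $null, 0) | Out-Null }
        if ($left -gt 0) { $m = $Transform.TransformBlock($buf, 0, $n, $cbuf, 0); $ct = $cbuf }
        else { $ct = $Transform.TransformFinalBlock($buf, 0, $n); $m = $ct.Length }   # adds/strips PKCS7 padding
        if (-not $MacInput) { $Hmac.TransformBlock($ct, 0, $m, $null, 0) | Out-Null }
        $Out.Write($ct, 0, $m)
    } while ($left -gt 0)
    $Hmac.TransformFinalBlock($buf, 0, 0) | Out-Null
    return $Hmac.Hash
}

function Protect-File {
    param([string]$InPath, [string]$OutPath, [byte[]]$AesKey, [byte[]]$MacKey)
    # Layout: IV(16) || AES-256-CBC ciphertext || HMAC-SHA256(IV || ciphertext): encrypt-then-MAC
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $AesKey; $aes.GenerateIV()
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$MacKey)
    $in = [System.IO.File]::OpenRead($InPath); $out = [System.IO.File]::Create($OutPath)
    try {
        $out.Write($aes.IV, 0, 16); $hmac.TransformBlock($aes.IV, 0, 16, $null, 0) | Out-Null
        $tag = Invoke-FileCipher $in $out ($aes.CreateEncryptor()) $hmac $in.Length $false
        $out.Write($tag, 0, 32)
    } finally { $in.Dispose(); $out.Dispose(); $aes.Dispose() }
}

function Unprotect-File {
    # Tier-0 side, after: $k = (Unprotect-CmsMessage -Path keys.cms) -split ':'  (keys = FromBase64String of $k[0] / $k[1])
    param([string]$InPath, [string]$OutPath, [byte[]]$AesKey, [byte[]]$MacKey)
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $AesKey
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$MacKey)
    $in = [System.IO.File]::OpenRead($InPath); $out = [System.IO.File]::Create($OutPath)
    try {
        $iv = New-Object byte[] 16; [void]$in.Read($iv, 0, 16); $aes.IV = $iv
        $hmac.TransformBlock($iv, 0, 16, $null, 0) | Out-Null
        $tag = Invoke-FileCipher $in $out ($aes.CreateDecryptor()) $hmac ($in.Length - 48) $true
        $stored = New-Object byte[] 32; [void]$in.Read($stored, 0, 32)
        $diff = 0; for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($tag[$i] -bxor $stored[$i]) }
        # Wrong key or tampered file: the plaintext written so far is discarded, never used.
        if ($diff -ne 0) { $out.Dispose(); Remove-Item -Path $OutPath; throw "HMAC mismatch: $InPath" }
    } finally { $in.Dispose(); $out.Dispose(); $aes.Dispose() }
}

# Usage on the DC, then hand only ciphertext to the tier-1 share:
# $src = Invoke-DcSystemStateBackup -BackupVolume 'E:'
# Protect-BackupTree -SourceDir $src -DestinationDir 'E:\enc' -RecipientCertPath 'C:\tier0\recovery.cer'
# robocopy 'E:\enc' '\\bkp-t1\dc-drop' /E /Z /R:3
```

<p style="text-align: justify;">Files are encrypted one by one rather than zipped first, because a DC system state backup is routinely several gigabytes and the built-in archive cmdlet of Windows PowerShell 5.1 does not cope with files above 2 GB. The HMAC covers the IV and the ciphertext and is checked before any decrypted file is kept, so a backup altered on the tier 1 side is rejected rather than silently restored.</p>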
<p style="text-align: justify;">To increase the resilience of Active Directory backups, a combination of measures should be taken wherever possible:</p>
<ol style="text-align: justify;">
<li>Externalize the backup onto removable media (offline variant). The first option can be set up quickly and at low cost: an external hard disk that is disconnected once the backup has been made. It is then simply a matter of setting up the associated organisational processes so that the necessary actions are carried out without the staff responsible forgetting. The second option, for the rare organisations that still have them, is tape. This option also depends on a key process: regular backup and offsite storage of the backup catalogue, so as not to lose time during restoration should the catalogue itself disappear (a story inspired by real events encountered by our incident response teams). A word of caution: tape backups should be seen as a last resort that guarantees a copy of the data survives a disaster scenario. This format does not lend itself to rapid rebuilding, because of the considerable time needed before restoration to the production IS can begin: time to bring the tapes back and time to read their content.</li>
<li>Export the backup outside the information system (online variant). Whether with in-house scripts or market solutions (see our radar), a backup can be sent off-site after robust encryption. The advantage of market solutions is that they directly integrate the rapid rebuilding element (see next section) of a DC.</li>
<li>Rely on a complementary but independent backup. To increase the availability of backups, it is enough to ensure, redundantly, that the copies cannot all be compromised at the same time. To this end, taking advantage of their move to the cloud, many organisations have recently added a DC hosted in the cloud (the others traditionally remaining on-premises), which naturally benefits from the cloud platform&#8217;s own backup mechanisms. Because of AD&#8217;s internal replication, the cloud-hosted DC will be compromised (compromised accounts or AD configuration) on the same time scale as the on-premises ones; but because its backup runs on the cloud platform, independently of the on-premises backup infrastructure, there is a greater chance that a backup of at least one DC remains available.</li>
<li>Make your backup infrastructure immutable by relying as much as possible on the mechanisms offered by backup software vendors. Most vendors now offer immutability, sometimes without the purchase of additional storage arrays. By making backups immutable within their primary storage, you ensure an optimal rebuilding time, since it will not be necessary to bring backups back from offline storage (1.) or online storage (2.) before restoration can start. <span style="text-decoration: underline;">N.B.</span>: option 2. can and should benefit from the same concept (Amazon S3, Azure Blob, etc.).</li>
</ol>
<table style="border-collapse: collapse; width: 100%;">
<tbody>
<tr>
<td style="width: 100%; text-align: justify; border-style: solid; border-color: #503078; background-color: #dacdeb;"><span style="color: #503078;"><strong style="font-size: revert; font-family: inherit;">Immutable backup:</strong><span style="font-size: revert; font-family: inherit; font-weight: inherit;"> The adage often associated with this is &#8220;write once, read many&#8221;, which sums up the concept. This is a backup that relies on files whose state cannot be changed after they have been created, making them resistant to attackers trying to delete them. In practice, neither the administrator of the backup software nor the administrator of the storage arrays can delete or alter a backup identified as immutable.</span></span></td>
</tr>
</tbody>
</table>
<p style="text-align: justify;">&nbsp;</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-19649 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image1EN-1.png" alt="" width="4400" height="2475" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image1EN-1.png 4400w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image1EN-1-340x191.png 340w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image1EN-1-69x39.png 69w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image1EN-1-768x432.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image1EN-1-1536x864.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image1EN-1-2048x1152.png 2048w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image1EN-1-800x450.png 800w" sizes="auto, (max-width: 4400px) 100vw, 4400px" /></p>
<p>&nbsp;</p>
<p style="text-align: justify;">Finally, one last detail: knowing which DCs to back up, and which to use for restoration when the time comes, is essential (Global Catalog DCs, most recent OS version, etc.), as is knowing the backup frequency (ideally daily) and the retention period (a much more subjective subject).</p>
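<p style="text-align: justify;">An added example (ours, not from the article) that turns the “which DCs” question into a query: it lists the writable Domain Controllers of a domain and orders them by the criteria above, Global Catalog first, then the number of FSMO roles held, then the newest operating system. The function name is an assumption; it only needs the ActiveDirectory RSAT module in a domain-joined session.</p>

```powershell
# Added example (not from the article): ranks the writable DCs of a domain as backup/restore
# candidates on the criteria named above (Global Catalog, newest OS) plus FSMO ownership.
# Assumes the ActiveDirectory RSAT module in a domain-joined session; the domain name is
# read from the session by default. RODCs are excluded: they hold no writable copy.
Import-Module ActiveDirectory

function Get-DcBackupCandidates {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    $fsmo = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster, $f.SchemaMaster, $f.DomainNamingMaster)
    Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
        $dc = $_
        # "10.0 (20348)" becomes 10.0.20348 so that versions sort numerically
        $ver = if ($dc.OperatingSystemVersion) { [version]($dc.OperatingSystemVersion -replace '\s*\((\d+)\)', '.$1') } else { [version]'0.0' }
        [pscustomobject]@{
            HostName        = $dc.HostName
            Site            = $dc.Site
            IsGlobalCatalog = $dc.IsGlobalCatalog
            IsReadOnly      = $dc.IsReadOnly
            OperatingSystem = $dc.OperatingSystem
            OSVersion       = $ver
            FsmoRoles       = @($fsmo | Where-Object { $_ -ieq $dc.HostName }).Count
        }
    } | Where-Object { -not $_.IsReadOnly } |
        Sort-Object -Property @{Expression = 'IsGlobalCatalog'; Descending = $true},
                              @{Expression = 'FsmoRoles'; Descending = $true},
                              @{Expression = 'OSVersion'; Descending = $true}
}

# Usage: Get-DcBackupCandidates | Format-Table -AutoSize   (top rows = first DCs to back up and to restore from)
```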
<p>&nbsp;</p>
<h1 style="text-align: justify;">Fast rebuilding : often incompletely tested capabilities</h1>
<p style="text-align: justify;">Rebuilding tests are as old as the concept of DRP. But again, one can&#8217;t just rely on these annual tests to consider oneself prepared, given the state of the threat. Indeed, these tests are very often based on assumptions that will not be verified in the event of a major cyber-attack: available backups, confidence in the state of the information system, functional collaborative tools (workstations, messaging, ticketing tools, etc.), ready and available target hosting infrastructure, etc.</p>
<p style="text-align: justify;">From what we observe in organisations, the times displayed and communicated on the reconstruction times of an AD domain are often underestimated a priori. The start and stop times of the stopwatch are often questionable: it starts when the backup recovery start button is pressed and stops when a DC is restored and operational (AD forest recovery procedure executed <a href="#ref2" name="ref2-retour">[2]</a>). However, some points are often overlooked when comparing this time to the RTO time:</p>
<ul style="text-align: justify;">
<li>an unsatisfied dependency on another indispensable domain (a domain with one or more trust relationships with other domains),</li>
<li>ability to handle the authentication load that a service reopening will represent,</li>
<li>execution time for &#8220;grooming&#8221; operations (mass password change, deactivation of certain services or accounts, clean-up in objects and groups, etc.),</li>
<li>etc.</li>
</ul>
<p style="text-align: justify;">When the AD infrastructure is paralysed by a major cyber-attack, rebuilding it will quickly become the crisis unit&#8217;s priority, because of the dependence of applications and users on it. It is also the service with the lowest RTO. In the case where backups are available, certain questions quickly arise that must be addressed in the cyber defense strategy that is being defined (see our article on <a href="https://www.riskinsight-wavestone.com/en/2023/01/successful-ransomware-crisis-management-top-10-pitfalls-to-avoid/">Successful Ransomware Crisis Management: Top 10 pitfalls to avoid</a>):</p>
<ul style="text-align: justify;">
<li>Is there a need for a zone to host the future sensitive infrastructure?</li>
<li>Does creating users in Azure AD during the crisis allow the service to be reopened more quickly?</li>
<li>If there are many AD domains (as is the case in very large organisations), in what order should they be rebuilt?</li>
</ul>
<p style="text-align: justify;">On the infrastructure side, firstly, in most cases, having an isolated and secure rebuild area saves time. This must be available, ready to host the number of VMs required to achieve the level of service considered acceptable in such a situation and under the control (accounts with sufficient rights, accessibility, etc.) of the team responsible for the Active Directory service only. This is to reduce the risk of compromise but also to avoid creating obstacles (requests to be made to another team) the day the need arises.</p>
<p style="text-align: justify;">This zone can be on-premises or in a cloud service, depending on the costs and the organisation&#8217;s cybersecurity posture with regard to hosting DC on a cloud (if it is public). This dormant zone can also be used to host regular Active Directory recovery tests, to get as close as possible to a real situation. Finally, this infrastructure must obviously be in tier 0, if the organisation relies on this framework.</p>
<p style="text-align: justify;">Then, on the process side, it is advisable to prepare several pieces of information in advance that will be essential when the need to rebuild the service arises:</p>
<ul style="text-align: justify;">
<li>determine the minimum number of DCs and their location (rebuilding area in the cloud / on-premises, but also geographically in case of presence in multiple locations),</li>
<li>determine the replication method (standard replication or use of IFM <a href="#ref3" name="ref3-retour">[3]</a>) of the DCs to minimise the time between the availability of the first and last DC required to reopen the service,</li>
<li>determine ready and deactivated filtering rules, which only need to be activated before the service is opened,</li>
<li>establish the acceptable level of risk for the rebuild (simple rebuild and object grooming or pivot method),</li>
<li>(in organisations with multiple domains serving multiple businesses) establish a rebuild sequence, which should have been determined in advance with the business managers, to reopen the service with the right priorities.</li>
</ul>
<p style="text-align: justify;">Here again, specialised AD backup and recovery tools provide value: they allow the recovery process of an AD forest to be carried out in a few clicks and in an automated manner. Parallelization of these operations is also made possible, making these tools an undeniable accelerator to consider for organizations with many forests!</p>
<p style="text-align: justify;">Finally, on the resources side, it is important to have an organisation that can respond to this occasional but very important work overload. For this, the automation of reconstruction activities that can be automated, but also the existence of teams that have already practised the exercise many times, is often decisive.</p>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-19653 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image2EN.png" alt="" width="4400" height="2475" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image2EN.png 4400w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image2EN-340x191.png 340w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image2EN-69x39.png 69w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image2EN-768x432.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image2EN-1536x864.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image2EN-2048x1152.png 2048w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image2EN-800x450.png 800w" sizes="auto, (max-width: 4400px) 100vw, 4400px" /></p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-19657 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image3EN.png" alt="" width="4400" height="2475" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image3EN.png 4400w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image3EN-340x191.png 340w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image3EN-69x39.png 69w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image3EN-768x432.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image3EN-1536x864.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image3EN-2048x1152.png 2048w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/02/Image3EN-800x450.png 800w" sizes="auto, (max-width: 4400px) 100vw, 4400px" /></p>
<p>&nbsp;</p>
<p style="text-align: justify;">Some organisations take advantage of Disaster Recovery testing to simulate the worst possible situation for the Active Directory service, rather than just simulating a partial recovery. This is undoubtedly good practice.</p>
<p style="text-align: justify;">Ultimately, asking the question of the resilience of one&#8217;s Active Directory infrastructure draws on the more global subject of information system resilience, but also concepts around tiering, and considerations regarding regularly scheduled full-scale exercises. We could even make a bridge with DevOps: wouldn&#8217;t we dream of being able to redeploy an AD infrastructure almost automatically, in the image of what DevOps manages to do thanks to the ‘Infrastructure as Code’ concept? In the meantime, regular training remains the only way to develop confidence about one&#8217;s ability to quickly reopen a minimal AD service if it were to be completely destroyed.</p>
<p style="text-align: justify;">&nbsp;</p>
<p style="text-align: justify;"><a href="#ref1-retour">[1]</a> <a href="https://www.wavestone.com/en/insight/cert-w-2022-cybersecurite-trends-analysis/" name="ref1">https://www.wavestone.com/en/insight/cert-w-2022-cybersecurite-trends-analysis/</a></p>
<p style="text-align: justify;"><a href="#ref2-retour">[2]</a> <a href="https://learn.microsoft.com/fr-fr/windows-server/identity/ad-ds/manage/ad-forest-recovery-guide" name="ref2">https://learn.microsoft.com/fr-fr/windows-server/identity/ad-ds/manage/ad-forest-recovery-guide</a></p>
<p style="text-align: justify;"><a href="#ref3-retour">[3]</a> Install From Media&nbsp;: <a href="https://social.technet.microsoft.com/wiki/contents/articles/8630.active-directory-step-by-step-guide-to-install-an-additional-domain-controller-using-ifm.aspx" name="ref3">https://social.technet.microsoft.com/wiki/contents/articles/8630.active-directory-step-by-step-guide-to-install-an-additional-domain-controller-using-ifm.aspx</a></p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/02/approaches-to-quick-active-directory-recovery/">ACTIVE DIRECTORY RECOVERY: HOW TO BE READY ?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2023/02/approaches-to-quick-active-directory-recovery/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Active Directory security tools radar</title>
		<link>https://www.riskinsight-wavestone.com/en/2022/05/active-directory-security-tools-radar/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2022/05/active-directory-security-tools-radar/#respond</comments>
		
		<dc:creator><![CDATA[Alexandre Lukat]]></dc:creator>
		<pubDate>Wed, 25 May 2022 08:00:00 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[Active directory]]></category>
		<category><![CDATA[tools]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=17988</guid>

<description><![CDATA[<p>Active Directory (AD) is a directory provided by Microsoft since Windows 2000 Server, which centralises the mechanisms for identifying, authenticating, and managing access rights to the organisation&#8217;s resources. This component is adopted by a significant number of organisations (approximately 90 to...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2022/05/active-directory-security-tools-radar/">Active Directory security tools radar</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;">Active Directory (AD) is a directory provided by Microsoft since Windows 2000 Server, which centralises the mechanisms for identifying, authenticating, and managing access rights to the organisation&#8217;s resources. This component is adopted by a <strong>significant number of organisations</strong> (approximately 90 to 95 percent of companies with more than 1,000 employees use Active Directory [1] [2]), making it a real market standard.</p>
<p style="text-align: justify;">In recent years, <strong>AD has been frequently targeted by attackers</strong>, as it <strong>has been compromised in 100% of the cyber-attacks</strong> managed by CERT-Wavestone, with the intention of using the access gained to spread malware (e.g., ransomware) throughout the IS or to access and leak a large amount of sensitive information from an organisation.</p>
<p style="text-align: justify;">However, its degree of security remains highly inadequate: In 2018, 96% of <strong>penetration tests</strong> carried out by Wavestone on 25 information systems of prominent companies <strong>resulted in total compromise</strong>. Even though this value has been decreasing over the past two years, it is still close to 90%.</p>
<p style="text-align: justify;">As this has become an <strong>absolute priority</strong> for most organisations, corporate cybersecurity teams have launched major programmes to strengthen the AD’s security level. Organisations are searching for solutions to help them in addressing this complex, wide-ranging project, that includes top priority topics such as the implementation of <strong>tiering</strong>.</p>
<p style="text-align: justify;">By analysing the market, we have identified 4 use cases that these tools address:</p>
<ol style="text-align: justify;">
<li>Analysis and audit</li>
<li>Hardening and ongoing security maintenance</li>
<li>Detection</li>
<li>Response and Rebuild</li>
</ol>
<p style="text-align: justify;">The following radar shows a set of vendors providing solutions for these four use cases related to Active Directory security.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-20297 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23good.png" alt="" width="1496" height="1112" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23good.png 1496w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23good-257x191.png 257w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23good-52x39.png 52w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23good-768x571.png 768w" sizes="auto, (max-width: 1496px) 100vw, 1496px" /></p>
<p><em style="font-size: revert; color: initial;">Last update: April 2023</em></p>
<h1 style="text-align: justify;">SPECIALISED TOOLS, EACH ANSWERING A PART OF THE EQUATION</h1>
<h2 style="text-align: justify;">&#8220;AUDIT&#8221;: MAP THE AD AND IDENTIFY ITS VULNERABILITIES TO STRUCTURE AN ACTION PLAN</h2>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-20291 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23bis.png" alt="" width="2139" height="644" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23bis.png 2139w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23bis-437x132.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23bis-71x21.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23bis-768x231.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23bis-1536x462.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Avril23bis-2048x617.png 2048w" sizes="auto, (max-width: 2139px) 100vw, 2139px" /></p>
<p style="text-align: justify;">Before starting any action to improve security, it is necessary to identify the starting point by establishing an <strong>initial inventory</strong>. To do so, you can use an audit tool to examine various aspects of the AD configuration, such as obsolete protocols, obsolete OS versions, out-of-date functional levels, password policies, trust relationships with other AD forests, privileged accounts, and the granting of rights that could lead to compromise paths, among other things.</p>
<p style="text-align: justify;">These tools are <strong>traditionally used</strong> by offensive security teams (internal or external), but we are increasingly observing recurrent use of these tools by the teams in charge of Active Directory MCO (operational maintenance) and by security teams throughout the project, to track the remediation of identified vulnerabilities month after month.</p>
<p style="text-align: justify;">For the identification of AD vulnerabilities, tools such as PingCastle (<em>open source</em>), Purple Knight (Semperis), Group3r (<em>open source</em>), ADAnlyzer (Cogiceo) and OAADS (Microsoft) can be used. For compromise paths, BloodHound (<em>open source</em>) or AD Control Path (<em>open source</em>, ANSSI) can be used.</p>
<p style="text-align: justify;">Finally, for regulated and public-sector operators in France, ANSSI offers the Active Directory Security (ADS) service [3], which helps critical operators assess their security level.</p>
<p style="text-align: justify;">It should be noted that all audit solutions produce security reports on the various reviewed elements, sometimes with a maturity score (which may be based on the Active Directory checkpoints provided by the ANSSI [4]) and technical indications for the corrections to be made. <strong>The cybersecurity teams should then analyse the various vulnerabilities in light of the company&#8217;s context</strong> (e.g., priority areas, links with other ongoing projects, a more global security trajectory, etc.), create an action plan by first <strong>identifying the impacts</strong> associated with its implementation, prioritise the deployment of corrective actions, and <strong>ensure that they are effective</strong>.</p>
<h2 style="text-align: justify;">&#8220;HARDEN &amp; MANAGE&#8221;: STRENGTHENING THE SECURITY LEVEL OF THE AD BY APPLYING GOOD PRACTICES</h2>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-17962 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/3.png" alt="" width="874" height="67" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/3.png 874w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/3-437x34.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/3-71x5.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/3-768x59.png 768w" sizes="auto, (max-width: 874px) 100vw, 874px" /></p>
<p style="text-align: justify;">It is not easy to keep <strong>Active Directory secure on a daily basis</strong>. Every day, changes are made at various levels (e.g., creating accounts, adding accounts to groups, granting rights to accounts, modifying GPOs, changing security policies, etc.), which can, in some cases, expose the Active Directory more than one can imagine.</p>
<p style="text-align: justify;">Firstly, <strong>detecting vulnerabilities without delay and without taking manual actions</strong> might be an accelerator if adequate governance is in place to deal with the alarms raised. To this end, products such as Tenable.ad (Tenable), Directory Services Protector (Semperis), and Security Compliance Toolkit (Microsoft) can provide real-time visibility of vulnerabilities, allowing for increased reactivity in remediation. It should be noted that some organisations prefer to use auditing tools on a regular basis (i.e., many times a month) to identify and address the delta.</p>
<p style="text-align: justify;">In addition, a range of tools exist to <strong>improve overall visibility, simplify day-to-day management</strong>, and thus enhance security, or to <strong>identify configuration changes</strong> that have been made. For example, AD Audit Plus (ManageEngine) or DatAdvantage for Directory Services (Varonis) allow you to receive all the details concerning a change and be notified if necessary, while Booster for Active Directory (Brainwave) or Privilege Assurance (QOMPLEX) boost the overall visibility of the AD. Furthermore, Quest&#8217;s suite of tools, ActiveRoles For Server to complete delegation management, Change Auditor to identify configuration changes, and GPOAdmin to maintain control of GPOs, can complement the tools available to the AD MCO team.</p>
<p style="text-align: justify;">Finally, in terms of improving <strong>privileged account management</strong>, we can refer to Stealthbits Privileged Activity Manager (Netwrix), which incorporates a PAM solution that makes possible, for example, just-in-time administration (granting privileges to an account only for an operation to be carried out and not permanently).</p>
<h2 style="text-align: justify;">&#8220;MONITOR&#8221;: DETECT COMPROMISE ATTEMPTS BEFORE THEY SUCCEED</h2>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-20299 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Monitor.png" alt="" width="1783" height="686" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Monitor.png 1783w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Monitor-437x168.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Monitor-71x27.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Monitor-768x295.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/Monitor-1536x591.png 1536w" sizes="auto, (max-width: 1783px) 100vw, 1783px" /></p>
<p style="text-align: justify;">With the security configurations now enabled, Active Directory is more difficult to compromise, but it is not immune. It is therefore essential to <strong>continuously monitor it</strong>, in order to be able to detect the first signs of an attack.</p>
<p style="text-align: justify;">In addition to the detection scenarios implemented in the SIEM by the SOC teams, based on the correlation of previously collected logs, specialised tools can complement the system. The latter retrieve data directly from the Domain Controllers, either through an agent or an account, and then perform their own correlation and detection processes.</p>
<p style="text-align: justify;">In this category of tools, we can cite Tenable.ad (Tenable), Directory Services Protector (Semperis), Falcon Identity Threat Detection (CrowdStrike), Ranger AD &amp; Singularity Identity (SentinelOne) or DatAlert (Varonis).</p>
<h2 style="text-align: justify;">&#8220;RESPOND &amp; RECOVER&#8221;: INVESTIGATE COMPROMISES AND REBUILD THE ACTIVE DIRECTORY</h2>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-20301 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/RR.png" alt="" width="1333" height="421" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/RR.png 1333w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/RR-437x138.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/RR-71x22.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/RR-768x243.png 768w" sizes="auto, (max-width: 1333px) 100vw, 1333px" /></p>
<p style="text-align: justify;">In the event of a <strong>partial or total compromise of the AD</strong>, two actions should be carried out quickly and in parallel:</p>
<ul style="text-align: justify;">
<li>Forensics, to understand how the attacker proceeded and what level of confidence one can have in the AD in its current state.</li>
<li>Restoration / reconstruction of the AD, depending on the case.</li>
</ul>
<p style="text-align: justify;">To carry out the <strong>necessary investigations</strong> and attempt to trace the source of the initial compromise, we can suggest the ADTimeline tool (open source, ANSSI), which makes it possible to trace the modifications made to an AD via replication data.</p>
<p style="text-align: justify;">Completely rebuilding an AD environment can take several days or even weeks, which can have a major impact on the organisation. <strong>Minimising this time can be vital in some cases</strong>. Some tools that can help reduce this time include Active Directory Forest Recovery (Semperis), which automates the Microsoft Forest recovery process, and Recovery Manager for Active Directory (Veeam), which combines compromise-proof backup and recovery when needed.</p>
<p style="text-align: justify;">It should be noted that some organisations choose to outsource (after encryption) the backup as well as to automate and regularly practice the reconstruction, or even to host one of the forest&#8217;s Domain Controllers on a third-party platform to maximise the chances of successful restoration, by diversifying the means of backup.</p>
<h1 style="text-align: justify;">WHAT ABOUT AZURE AD?</h1>
<p style="text-align: justify;">Given that many companies are now in a hybrid mode, it is advisable to integrate Azure AD into the scope of the security project as soon as possible. Some tools that can be mentioned within this context are:</p>
<ul style="text-align: justify;">
<li>On the &#8220;<strong>Audit</strong>&#8221; section: Microsoft 365 DSC, BloodHound (now including an Azure AD part)</li>
<li>On the &#8220;<strong>Harden &amp; Manage</strong>&#8221; section: CoreView, Idecsi, Microsoft tools (Azure AD Access Reviews, Azure AD Entitlement Management, Azure AD Privileged Identity Management, etc.)</li>
<li>On the &#8220;<strong>Monitor</strong>&#8221; section: Azure AD Identity Protection, Microsoft 365 DSC</li>
<li>On the &#8220;<strong>Respond &amp; Recover</strong>&#8221; section: Azure AD Identity Protection, Quest On Demand Recovery</li>
</ul>
<h1 style="text-align: justify;">IMPORTANT POINTS ABOUT USING TOOLS</h1>
<p style="text-align: justify;">Deploying a tool alone does not increase the security level of AD environments. Once a tool has been acquired, <strong>it is important not to neglect the rest</strong>: defining and implementing <strong>governance</strong> (processes, organisational model, comitology, steering, reporting, control, continuous improvement, etc.) and the <strong>resources with the right expertise</strong> to make security improvements effective (dealing with alerts, correcting vulnerabilities, carrying out continuous improvement actions, etc.).</p>
<p style="text-align: justify;">Also, a series of <strong>related projects to be carried out and processes to be reviewed</strong> during AD security projects should <strong>not be underestimated</strong>: patch management, inventory, rationalisation (limiting the number of domains/forests in order to make it easier to maintain them in a secure condition), review of the backup strategy, reconstruction training, construction of restoration/clean-up infrastructure, etc.</p>
<p style="text-align: justify;">Finally, when deploying these tools, keep in mind not to further expose the Active Directory: installing agents on Domain Controllers, opening network flows, granting privileges to accounts or service accounts, etc.</p>
<h1 style="text-align: justify;">ABOUT OUR METHOD</h1>
<p style="text-align: justify;">The radar was built on the basis of a survey of tools on the market. On this basis and in relation to the recurring themes of Active Directory security, a categorisation has been established to facilitate reading.</p>
<p style="text-align: justify;">The tools presented do not claim to be exhaustive, as the number of tools that can contribute to Active Directory security in any way is extensive. This radar is thus a review of the prominent existing tools, notably those encountered frequently by Wavestone consultants in organisations (considered, studied, tested and even deployed).</p>
<p style="text-align: justify;">[1] <a href="https://docs.aws.amazon.com/whitepapers/latest/active-directory-domain-services/active-directory-domain-services.html">https://docs.aws.amazon.com/whitepapers/latest/active-directory-domain-services/active-directory-domain-services.html</a></p>
<p style="text-align: justify;">[2] <a href="https://www.silicon.fr/avis-expert/repenser-la-securite-dactive-directory-a-lere-du-cloud">https://www.silicon.fr/avis-expert/repenser-la-securite-dactive-directory-a-lere-du-cloud</a></p>
<p style="text-align: justify;">[3] <a href="https://www.ssi.gouv.fr/actualite/le-service-active-directory-security-ads-accompagner-la-securisation-des-annuaires-active-directory-des-acteurs-critiques/">https://www.ssi.gouv.fr/actualite/le-service-active-directory-security-ads-accompagner-la-securisation-des-annuaires-active-directory-des-acteurs-critiques/</a></p>
<p style="text-align: justify;">[4] <a href="https://www.cert.ssi.gouv.fr/uploads/guide-ad.html">https://www.cert.ssi.gouv.fr/uploads/guide-ad.html</a></p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2022/05/active-directory-security-tools-radar/">Active Directory security tools radar</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2022/05/active-directory-security-tools-radar/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
