Skip to main content

Back to Blog

From Stolen Credentials to Full Network Compromise

How Hackers Are Actually Using Exposed Passwords to Infiltrate Active Directory

Recent reports like the Verizon DBIR have noted that stolen credentials are often the foothold that attackers use to compromise networks and systems. A simple phishing or credential stuffing attack becomes the entry point for a much larger enterprise, like data theft, ransomware, or system hijacking.

This is rather vague, however: without knowing the full process, it is difficult for a system or network administrator to develop a strong security posture. Luckily, Microsoft’s threat intelligence team has provided us with essential insight in how these attacks occur, and thus how we can better defend against them, especially with regard to Active Directory systems.

So what does it mean, in practical terms, for a stolen credential to be used as an ‘entry point’?

Generally, it is easier for an attacker to leverage vulnerabilities in a system from inside the system itself. Even initial limited access provides a platform to collect further information and use reconnaissance tools to identify vulnerabilities. Then, one can leverage known exploits (such as unconstrained delegation) to escalate privileges, install malware, or increase the apparent legitimacy of targeted phishing attacks. Working as an authenticated user can also provide cover- security systems are less prone to flag suspicious activity when the actor is known to the system.

Microsoft’s Threat Protection Intelligence Team released an excellent article this past June tracing an attack chain from a cloud-based initial vector to full Active Directory system compromise. They describe how attackers “typically started with intensive password spray” to gain an initial foothold, then used a tool called Ruler to exploit the Exchange server and progress to remote code execution, lateral network movement, and data exfiltration.
Crucially, the success of attackers’ password spraying is dependent on users’ password re-use. Not just the re-use of their own passwords across services (which may make them personally vulnerable), but the more systemic issue of re-using passwords known to be compromised.

Take, for instance, the breach of mobile gaming company Zynga that occurred this past year. About 76 million hashed passwords were leaked, of which over 50% have been cracked to date. Of those dehashed passwords, analysis by Enzoic showed over 99% had appeared in past breaches before. And not only had they been seen before, but some of these passwords have been used hundreds of thousands of times. Even passwords that we have been conditioned to think look “strong” have appeared easily hundreds of times. For instance, the password “uaBuu623qN” is found over 200 times. For passwords based on dictionary words or names, it is often orders of magnitude more. This means a threat actor’s chances of finding just one person who has used a previously compromised password are pretty good- and all they need is a single one in order to gain that initial foothold. Additionally, if someone in the organization has their credentials compromised, either through phishing or a third-party attack on another website, it is likely that their password will be added to the huge aggregate lists of exposed passwords that threat actors use to perform password spraying- and thus anyone in the organization who may have chosen the same password is compromised as well.

This is why it is extremely important to comply with the NIST guidelines and check passwords against a constantly updated list of compromised credentials. Even if users are changing their passwords frequently, they are probably picking passwords that not only have been used before, but used thousands of times before, and consequently confer only limited security. Enzoic for Active Directory is a current and powerful tool to screen out these exposed passwords while minimizing user friction. Instead of counting on outdated, frustrating routine password changes and inconsequential “strength” requirements, let Enzoic’s vigilant threat intelligence work to protect your organization.



Dylan Hudson

Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.