Date: 2021-10-12

Defending any piece of territory requires knowing where it is vulnerable and how adversaries are likely to attack it. In the case of Microsoft’s Active Directory (AD), the territory that needs to be defended actually controls access to critical data and resources. Blocking the paths that threat actors use is a pivotal part of protecting AD. So is knowing where the vulnerabilities are.

This is where the free tools BloodHound and Purple Knight (built by Semperis identity experts) can help each other. Attackers frequently install applications such as BloodHound in the organizations they compromise so they can map the AD environment and determine the best way to strengthen their hold on the victim. Red and blue teams can leverage that same capability to make the attackers’ mission more difficult.

Finding Attack Paths and Uncovering Exposures

Using graph theory, BloodHound identifies the attack paths adversaries are likely to use to elevate privileges and move laterally inside your organization. But while BloodHound focuses on attack paths, Purple Knight is focused on finding exposures. Purple Knight works by querying your organization’s AD environment and performing tests against common attack vectors. By scanning for Indicators of Exposure (IoEs) and Indicators of Compromise (IoCs), Purple Knight can find risky misconfigurations and suspicious changes that suggest the AD environment has been breached.

Purple Knight has 70-plus security indicators split into five categories: account security, AD infrastructure security, group policy, Kerberos security and AD delegation. When we first released Purple Knight, we discovered that Kerberos security was the most at-risk area among the tool’s users. Group policy and account security issues rounded out the top three. According to the data collected from Purple Knight users, the largest organizations – which often have the most resources – have some of the most significant AD security gaps because of the complexity of their environments, the prevalence of legacy applications and the constant flux of IT personnel. The vulnerabilities reported frequently took the form of poor password policies, accounts with elevated privileges that had not been adequately reviewed and weak group policy configurations that created security holes attackers could exploit.
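To make the exposure scanning described above concrete, here is an added example (not Purple Knight's own checks and not Semperis code) that queries AD for two of the Indicator-of-Exposure classes the article names, a weak domain password policy and elevated-privilege accounts that have not been reviewed, using the RSAT ActiveDirectory module. The list of privileged groups and the 12-character and 90-day thresholds are assumed baselines, not values from the article.

```powershell
# Added example: small IoE scan for weak password policy and stale privileged accounts.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    # IoE: poor password policy. Baselines (12 chars, lockout on) are assumed values.
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt 12)     { $findings += "MinPasswordLength is $($p.MinPasswordLength) (baseline 12)" }
    if (-not $p.ComplexityEnabled)       { $findings += 'Password complexity is disabled' }
    if ($p.LockoutThreshold -eq 0)       { $findings += 'Account lockout is disabled' }
    if ($p.ReversibleEncryptionEnabled)  { $findings += 'Reversible encryption is enabled' }
    return $findings
}

function Get-PrivilegedAccountExposure {
    param([int]$MaxPasswordAgeDays = 90)   # assumed review threshold
    # IoE: elevated-privilege accounts that have not been reviewed. Walks the
    # built-in high-privilege groups recursively (nested membership counts) and
    # flags non-expiring or stale passwords and enabled accounts that never logged on.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    foreach ($g in $groups) {
        # Enterprise/Schema Admins exist only in the forest root; skip silently elsewhere.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                $u = Get-ADUser $_.DistinguishedName -Properties PasswordNeverExpires, PasswordLastSet, Enabled, LastLogonDate
                $reasons = @()
                if ($u.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }
                if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $cutoff) {
                    $reasons += "PasswordLastSet $($u.PasswordLastSet.ToShortDateString())"
                }
                if ($u.Enabled -and -not $u.LastLogonDate) { $reasons += 'Enabled but never logged on' }
                if ($reasons) {
                    [pscustomobject]@{ Group = $g; Account = $u.SamAccountName; Reasons = ($reasons -join '; ') }
                }
            }
    }
}

# Run both checks and print a short report for the blue team.
Test-DomainPasswordPolicy | ForEach-Object { "Password policy: $_" }
Get-PrivilegedAccountExposure | Sort-Object Group, Account | Format-Table -AutoSize
```

Each flagged account is a review item, not proof of compromise; the value of running this periodically is catching drift in the privileged set between formal access reviews.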