Find at-risk internal user accounts with myNetWatchman’s Active Directory Audit tool

    05 Apr 2024

    I’m always on the lookout for new tools that can do new and interesting things for those of us working in information security. They are few and far between, it seems, at least in the context of vulnerability and penetration testing. However, I’ve found one that can pay huge dividends. It’s called Active Directory Audit, by the threat intelligence company myNetWatchman.

    You know how threat intelligence vendors can find compromised login credentials (usually for external web accounts) on the deep and dark webs? Active Directory Audit lets you put that data to work internally: it checks your Active Directory accounts against myNetWatchman’s breach data for either known compromised passwords or – even better – compromised credential pairs, i.e. a username and password that leaked together. That lets anyone from a consultant like myself to an enterprise network admin uncover Active Directory accounts that are exposed right now to external attack paths such as email, Remote Desktop and VPN logins, where a valid username/password pair is all an attacker needs unless MFA stands in the way. Active Directory Audit is the only tool that I know of that brings these capabilities to internal domain accounts, where it arguably counts the most.

    Active Directory Audit, a PowerShell script, is very easy to use. You obtain an API key from myNetWatchman and run the script from a domain-joined computer as a user that holds the Replicating Directory Changes and Replicating Directory Changes All rights on the domain. A domain admin account is the simplest way to get rolling, but keep in mind what those two rights are: they are the same rights a DCSync attack uses to replicate every password hash out of the domain. A dedicated account delegated only those rights, run from a hardened workstation, is the safer route, and your security operations team should know the run is coming, because on the domain controllers it is logged (event ID 4662, with directory service access auditing enabled) exactly the way a DCSync attack is. The script does its thing and writes its results to a spreadsheet with the following columns:
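    The delegation and check described above, as an added example that is not part of myNetWatchman’s script. It assumes the RSAT ActiveDirectory module is installed; the account name svc-adaudit is hypothetical, and the event query is pointed at the PDC emulator for illustration (the 4662 events land on whichever domain controller actually served the replication request).

```powershell
# Added example, not part of myNetWatchman's script. Delegates the two
# replication rights the audit needs to a dedicated account instead of running
# it as a Domain Admin, verifies who holds those rights, and checks the DC
# security log for the resulting replication events. Assumes the RSAT
# ActiveDirectory module; 'svc-adaudit' is a hypothetical account name.
Import-Module ActiveDirectory

$AuditAccount = 'svc-adaudit'   # hypothetical dedicated audit account
$Domain       = Get-ADDomain
$DomainDN     = $Domain.DistinguishedName

# Extended-right GUIDs behind "Replicating Directory Changes" and
# "Replicating Directory Changes All" (the same pair DCSync relies on).
$ReplRights = [ordered]@{
    'DS-Replication-Get-Changes'     = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All' = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

# 1. Delegate: add an Allow ACE for each right on the domain head object.
$Sid = (Get-ADUser -Identity $AuditAccount).SID
$Acl = Get-Acl -Path "AD:\$DomainDN"
foreach ($Guid in $ReplRights.Values) {
    $Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $Guid)
    $Acl.AddAccessRule($Ace)
}
Set-Acl -Path "AD:\$DomainDN" -AclObject $Acl

# 2. Verify: every principal that can replicate password data out of the domain.
#    Expect Domain Controllers, Enterprise Domain Controllers, Administrators and
#    the audit account; anything else deserves an explanation.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -in $ReplRights.Values
    } |
    Select-Object IdentityReference, ObjectType, IsInherited |
    Sort-Object IdentityReference

# 3. After the run: the replication is logged on the DC as event 4662 (needs
#    "Audit Directory Service Access" enabled). Confirm only the audit account
#    triggered it in the last hour; anything else is a DCSync to investigate.
Get-WinEvent -ComputerName $Domain.PDCEmulator -FilterHashtable @{
        LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' } |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object Name -eq 'SubjectUserName' |
                Select-Object -ExpandProperty '#text' } },
        @{ n = 'IsAuditAccount'; e = {
            (([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object Name -eq 'SubjectUserName').'#text' -eq $AuditAccount } } |
    Sort-Object TimeCreated
```

    Run steps 1 and 2 once as a domain admin, then run the audit script as the delegated account. Step 3 is the check your SOC should be doing anyway: the two GUIDs in the 4662 event are what DCSync detections key on, so the audit run should show up there and nothing else should.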

    • SamAccountName (username)
    • PasswordHashPrefix (a portion of the Active Directory password hash)
    • CurrentOrHistory (whether the current password or a historical one is affected)
    • Elevated Access (whether the user has elevated privileges, i.e. domain admin)

    The following is sample output I obtained running the script on a fairly large network. It’s de-identified but the numbers are close!

    User Count: 1503 (total number of Active Directory users)
    Elevated User Count: 8 (number of domain admins)
    Distinct User Count with Match: 704 (total number of impacted users within the environment)
    Password Match Count: 704 (total number of passwords found within the myNetWatchman data, both current and historical)
    Current Password Count: 704 (total number of current passwords that were found within the myNetWatchman data)
    Elevated Privilege Count: 5 (total number of elevated users that had a password match within the myNetWatchman data)
    Elevated Exact Match Count: 1 (total number of users with elevated permissions that have a username/password combination match within the myNetWatchman data) <=the most critical finding to resolve!
    Exact Match Count: 7 (total number of users in the domain with a username and password combination match within the myNetWatchman data) <=second most critical finding to resolve!
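    Triage of the output described above, as an added example that is not part of the Active Directory Audit script. It assumes the spreadsheet is exported as CSV with the four columns listed earlier, that CurrentOrHistory holds Current or History, and that Elevated Access holds True or False; the rows in the here-string are constructed sample data. The post does not show how exact username/password matches are flagged in the per-row output, so the example ranks accounts on elevated access and current-password matches only.

```powershell
# Added example, not part of the Active Directory Audit script: triage its
# output. Assumes the spreadsheet is exported as CSV with the four columns the
# post lists, that CurrentOrHistory holds 'Current' or 'History', and that
# 'Elevated Access' holds True/False. The rows below are constructed sample data;
# in production replace the here-string with: Import-Csv -Path .\ad-audit.csv
Import-Module ActiveDirectory

$SampleCsv = @'
SamAccountName,PasswordHashPrefix,CurrentOrHistory,Elevated Access
jsmith,8846f7,Current,False
jsmith,31d6cf,History,False
adm-rlee,e19ccf,Current,True
adm-tnguyen,9d1f3a,History,True
mjones,5835b6,History,False
svc-backup,7a21bc,Current,False
'@
$Rows = $SampleCsv | ConvertFrom-Csv

# Roll the rows up to one record per account; a current-password match outranks
# any number of historical ones.
$ByUser = $Rows | Group-Object SamAccountName | ForEach-Object {
    $current = @($_.Group | Where-Object CurrentOrHistory -eq 'Current').Count -gt 0
    [pscustomobject]@{
        SamAccountName = $_.Name
        CurrentMatch   = $current
        HistoryOnly    = -not $current
        Elevated       = [bool]::Parse($_.Group[0].'Elevated Access')
        MatchCount     = $_.Count
    }
}

# The same roll-up numbers the script reports, recomputed from the rows.
$Summary = [ordered]@{
    'Distinct users with match'   = @($ByUser).Count
    'Current password matches'    = @($ByUser | Where-Object CurrentMatch).Count
    'Elevated users with match'   = @($ByUser | Where-Object Elevated).Count
    'Elevated with current match' = @($ByUser | Where-Object { $_.Elevated -and $_.CurrentMatch }).Count
}
[pscustomobject]$Summary | Format-List
# With the constructed rows above: 5, 3, 2, 1.

# Priority 1: elevated accounts whose *current* password is in breach data.
#   Reset now, then work out where it was reused (VPN, webmail, third-party sites).
# Priority 2: every other current match; force a change at next logon.
# History-only rows are not an emergency, but they show the user recycles leaked
#   passwords and are worth a targeted reminder.
$Priority1 = @($ByUser | Where-Object { $_.Elevated -and $_.CurrentMatch })
$Priority2 = @($ByUser | Where-Object { $_.CurrentMatch -and -not $_.Elevated })

foreach ($u in $Priority1 + $Priority2) {
    $acct = Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'"
    if (-not $acct) { Write-Warning "$($u.SamAccountName): not in AD (sample data?)"; continue }
    # -WhatIf previews the change; remove it to enforce. For Priority 1 accounts
    # reset the password itself: ChangePasswordAtLogon leaves the leaked password
    # valid for VPN/webmail until the user next logs on interactively.
    Set-ADUser -Identity $acct -ChangePasswordAtLogon $true -WhatIf
}
```

    The ordering matters more than the counts: one elevated account with a current, leaked password is a domain compromise waiting to happen, and the bulk of history-only hits are a user-education problem rather than an incident.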

    The above results come from comparing the domain’s password data against myNetWatchman’s 31+ billion credential pairs (for the exact-match check) and 10+ billion passwords (for the password-only check). For the accounts that hit, there’s no need to do password cracking or other audits: the passwords are literally handed to you, which in this context is exactly what an attacker holding the same breach data has. Bear in mind that the check only sees passwords that are in the vendor’s data; a weak or reused password that hasn’t leaked yet won’t show up, so this complements a password policy and cracking audit rather than replacing it.

    Active Directory Audit is both revealing and enlightening. It shows you which user accounts on your network need immediate attention. It also underscores the risks associated with compromised passwords, especially when they’re weak and not adequately changed/rotated. Just as importantly, Active Directory Audit can provide tangible evidence to help with information security buy-in, especially when you’re getting pushback on initiatives such as user education and complex password/passphrase policies.

    For more insight into password security, check out these articles and these blog posts I’ve written on the subject.