Mar 6

Active Directory Attack Techniques for Red Teams

Mindli Team

AI-Generated Content


Active Directory (AD) is the central nervous system of most enterprise networks, managing users, computers, and permissions. For red teams, compromising AD is often synonymous with compromising the entire organization, as it provides a roadmap to critical data and systems. Offensive techniques are used to enumerate, exploit, and dominate AD environments, translating each attack into a clear demonstration of enterprise risk that defenders must mitigate.

Foundational Enumeration: Mapping the Attack Surface

Before launching attacks, you must understand the terrain. AD enumeration is the process of gathering information about domain users, groups, computers, trusts, and policies to identify potential attack paths. The goal is to answer key questions: Who are the high-value targets (e.g., Domain Admins)? How are systems connected? What legacy configurations exist?

Two primary approaches exist. The first uses native Windows commands and PowerShell modules like PowerView. These tools query AD via the Lightweight Directory Access Protocol (LDAP) to extract lists of users, sensitive groups, and computer accounts. The second, and far more powerful, approach leverages BloodHound. BloodHound ingests data collected by tools like SharpHound to build a graphical map of AD relationships, revealing complex attack paths that are otherwise invisible. It highlights how regular user permissions can be chained to gain Domain Admin privileges through misconfigured group memberships, delegation, or inherited permissions on computers. This graph-based view is indispensable for efficient targeting.

Credential-Based Attack Techniques

With a map in hand, the next objective is obtaining elevated credentials. Several classic AD attacks target the underlying authentication protocols.

Kerberoasting is an attack that targets service accounts. In AD, many services (like SQL servers) run under dedicated user accounts. When a user requests access to such a service, the Domain Controller provides a service ticket encrypted with that service account's password hash. If the service account uses a weak password, an attacker can request a ticket, extract the encrypted hash, and attempt to crack it offline to obtain the plaintext password. This is particularly dangerous because any authenticated user can request these tickets.

AS-REP Roasting is a similar attack targeting user accounts that have the "Do not require Kerberos pre-authentication" setting enabled. This misconfiguration allows an attacker to request a user's Authentication Service Response (AS-REP) message, which contains data encrypted with the user's password hash. This hash can also be taken offline for cracking, providing another credential theft vector without requiring any prior special permissions.

Once hashes or tickets are acquired, you can use them directly. Pass-the-Hash (PtH) is a technique where an attacker uses a captured password hash (often an NTLM hash) to authenticate to a remote system without needing the plaintext password. Similarly, Pass-the-Ticket (PtT) involves stealing a Kerberos Ticket-Granting Ticket (TGT) or service ticket and using it to impersonate that user on other systems. Tools like Mimikatz are essential for extracting these credentials from memory and facilitating their use.

Leveraging Delegation and Group Policy

Beyond password attacks, AD's functional mechanisms offer potent abuse vectors.

Delegation allows a service to impersonate a user to access other resources. Unconstrained delegation is a legacy setting where a service can impersonate any user to any other service in the domain. If an attacker compromises a computer with unconstrained delegation, they can capture the TGTs of any users who authenticate to it (including Domain Admins) and reuse them for full domain access. Constrained delegation is more limited but can still be abused if you compromise the account that holds delegation permissions.
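The misconfigurations behind Kerberoasting, AS-REP Roasting and unconstrained delegation all surface in a handful of LDAP attributes, chiefly the userAccountControl bit flags. The audit below is an added example rather than code from the original post; the account records are constructed to mirror what an LDAP query would return, and the remediation strings are this example's suggestions.

```python
# userAccountControl bit flags (values as defined in the AD schema)
ACCOUNTDISABLE = 0x2
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000            # domain controllers
TRUSTED_FOR_DELEGATION = 0x80000         # unconstrained delegation
NOT_DELEGATED = 0x100000                 # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000              # AS-REP roastable

# Constructed records mirroring the LDAP attributes a real query would return
# (sAMAccountName, userAccountControl, servicePrincipalName, adminCount).
SAMPLE_ACCOUNTS = [
    {"sam": "svc-sql", "uac": 0x10200, "spn": ["MSSQLSvc/db01.corp.example:1433"], "admincount": 0},
    {"sam": "jdoe", "uac": 0x410200, "spn": [], "admincount": 0},
    {"sam": "da-admin", "uac": 0x10200, "spn": [], "admincount": 1},
    {"sam": "WEB01$", "uac": 0x81000, "spn": ["HOST/web01.corp.example"], "admincount": 0},
    {"sam": "DC01$", "uac": 0x82000, "spn": ["HOST/dc01.corp.example"], "admincount": 0},
    {"sam": "old-svc", "uac": 0x10202, "spn": ["http/legacy.corp.example"], "admincount": 0},
]

def audit(accounts):
    """Return (sAMAccountName, finding, remediation) tuples for enabled accounts."""
    findings = []
    for a in accounts:
        uac, sam = a["uac"], a["sam"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot be roasted or used for delegation
        is_computer = bool(uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        if not is_computer and a["spn"]:
            findings.append((sam, "kerberoastable",
                             "user account owns an SPN; move to a gMSA or a long random password, AES only"))
        if uac & DONT_REQ_PREAUTH:
            findings.append((sam, "asrep-roastable", "re-enable Kerberos pre-authentication"))
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:  # DCs carry this flag by design
            findings.append((sam, "unconstrained-delegation",
                             "replace with resource-based constrained delegation"))
        if a["admincount"] and not (uac & NOT_DELEGATED):
            findings.append((sam, "privileged-delegatable",
                             "mark 'account is sensitive' and add to Protected Users"))
    return findings

if __name__ == "__main__":
    for sam, finding, fix in audit(SAMPLE_ACCOUNTS):
        print(f"{sam:10} {finding:25} {fix}")
```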

Group Policy Objects (GPOs) are used to push settings to domain computers. An attacker with the ability to modify a GPO (e.g., by compromising an account in the Group Policy Creator Owners group) can create a malicious policy. This policy could deploy a scheduled task or startup script to all targeted computers, effectively granting the attacker code execution on a massive scale for lateral movement or persistent access.

Persistence, Lateral Movement, and Domain Dominance

Gaining a foothold is only the beginning. Maintaining access and expanding control is critical.

Persistence mechanisms ensure you retain access even if credentials change. Common techniques include creating hidden backdoor domain user accounts, adding your access to high-privilege groups like Domain Admins, or deploying Golden Tickets and Silver Tickets. A Golden Ticket is a forged Kerberos TGT created using the stolen krbtgt account's password hash, granting persistent domain admin access for as long as that hash is valid. A Silver Ticket is a forged service ticket for a specific service, allowing persistent access to that single resource.

Lateral movement strategies involve pivoting from one compromised host to another. Techniques include using stolen credentials via PtH or PtT, exploiting vulnerabilities like EternalBlue, or abusing remote administration tools like WMI or PowerShell Remoting. The goal is to "island hop" until you reach a system holding credentials or access that leads to a domain controller.

The final stage, domain dominance, involves actions that solidify full control. This includes extracting and cracking the krbtgt hash for Golden Ticket creation, performing a Domain Controller synchronization (DCSync) attack to replicate all user password hashes from the domain controller, or disabling security controls like antivirus software across the domain via GPOs.
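A DCSync request is an ordinary directory replication call, so on the domain controller it is logged as Event ID 4662 with the replication control-access rights listed under Properties; the detection is simply "replication rights exercised by an account that is not a DC". The logic below is an added example, not the post's own code; the events are constructed, and the allowlist (two DCs plus an assumed directory-sync service account) is a placeholder for the real environment's inventory.

```python
# Control-access-right GUIDs that appear in the Properties field of Event ID 4662
# ("An operation was performed on an object") when replication rights are exercised.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: the domain controllers plus, as an assumption
# for this example, one directory-sync service account. Maintain this from the
# real environment; anything else exercising these rights is DCSync-like.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$", "svc-dirsync"}

# Constructed 4662 events reduced to the relevant fields: the subject account,
# the object acted on and the GUIDs listed under Properties.
SAMPLE_4662 = [
    {"time": "2024-03-06T02:00:00", "account": "DC02$", "object": "DC=corp,DC=example",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcf2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"]},
    {"time": "2024-03-06T02:05:00", "account": "svc-dirsync", "object": "DC=corp,DC=example",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"]},
    {"time": "2024-03-06T11:42:13", "account": "jdoe", "object": "DC=corp,DC=example",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcf2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"]},
    {"time": "2024-03-06T11:43:00", "account": "jdoe", "object": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "properties": ["placeholder-guid-for-an-unrelated-attribute"]},  # constructed, not a real GUID
]

def detect_dcsync(events, allowlist=REPLICATION_ALLOWLIST):
    """Return one alert per event in which a non-allowlisted account exercised a
    replication control-access right. Get-Changes-All is the right that returns
    secret attributes (password hashes), so the alert flags it explicitly."""
    alerts = []
    for ev in events:
        rights = [REPLICATION_RIGHTS[g] for g in ev["properties"] if g in REPLICATION_RIGHTS]
        if not rights or ev["account"] in allowlist:
            continue
        alerts.append({
            "time": ev["time"],
            "account": ev["account"],
            "object": ev["object"],
            "rights": rights,
            "secrets_exposed": "DS-Replication-Get-Changes-All" in rights,
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662):
        print("DCSync-like replication request:", alert)
```

This only works if the SACL on the domain object audits control access for Everyone; without that audit entry the 4662 events are never written.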

Common Pitfalls

  1. Lack of Operational Security (OPSEC): Running loud, automated tools from a single compromised workstation without consideration for logging (e.g., Windows Event ID 4624, 4688, 4662) will quickly alert defenders. Successful red teams move slowly, blend in with normal traffic, and clean up their tools.
  2. Over-Reliance on Automation: While BloodHound is powerful, blindly following its "shortest path to Domain Admin" can lead to illogical jumps that defy normal user behavior and trigger alerts. You must interpret the graph and choose paths a real attacker might take.
  3. Ignoring the "Why" for the "How": Executing an attack like Kerberoasting without understanding the underlying Kerberos protocol means you won't recognize when it fails or how to adapt. Knowing the theory behind each technique is crucial for problem-solving during an engagement.
  4. Failing to Plan for Persistence: Gaining Domain Admin privileges but not establishing a backdoor means your access can be wiped out by a single password reset. Always implement multiple, layered persistence mechanisms appropriate to the assessment's goals.

Summary

  • Enumeration is critical: Tools like BloodHound transform raw AD data into a visual map of exploitable relationships, revealing the most efficient paths to privilege escalation.
  • Credentials are king: Attacks like Kerberoasting and AS-REP Roasting target weak passwords and misconfigurations in authentication protocols, while PtH and PtT allow stolen credentials to be reused directly.
  • AD features can be weaponized: Misconfigured delegation permissions and excessive GPO edit rights provide powerful vectors for privilege escalation and mass lateral movement.
  • Dominance requires persistence: Techniques like Golden Ticket creation and GPO backdoors ensure continued access, while DCSync allows for the total compromise of all domain credentials.
  • Every offensive technique informs defense: Understanding these attacks allows blue teams to hunt for specific indicators, harden configurations, and implement robust monitoring to detect and respond to AD-focused intrusions.
