Deep Dive into Active Directory Exploitation
Master advanced AD attack chains including Kerberoasting, DCSync, and ACL abuse used by red teams to dominate enterprise domains.
Active Directory remains the beating heart of nearly 95% of Fortune 1000 enterprises, which also makes it the single most lucrative target on a red team engagement. A misconfigured Group Policy Object or a forgotten service account with a weak password is rarely just a finding on a report — it is a direct path from a low-privileged user to Enterprise Admin in hours. This deep dive walks through the modern AD exploitation playbook that operators use to compromise forests end-to-end.
Core Concepts
Active Directory (AD) is a hierarchical directory service built on LDAP, Kerberos, DNS, and SMB. Understanding it as an attacker means thinking in three layers: the logical structure (forests, domains, OUs, trusts), the authentication layer (NTLM, Kerberos, LSASS, SAM), and the authorization layer (ACLs, SIDs, group memberships, GPOs).
Three primitives matter most:
- Tickets — Kerberos issues TGTs (Ticket Granting Tickets) and TGS (service tickets). Possession of a TGT for a user equals impersonation of that user across the domain.
- Hashes — NTLM hashes never expire on their own and can be replayed via Pass-the-Hash. SAM, NTDS.dit, and LSASS all leak them.
- ACLs — Every AD object has a security descriptor. WriteDACL, GenericAll, or WriteOwner on the wrong object lets you rewrite the trust graph.
BloodHound, with its Neo4j-backed graph engine, turned AD exploitation from a craft into an engineering discipline by computing the shortest path from any user to Domain Admin using these primitives.
Reconnaissance and Enumeration
Before exploitation comes mapping. Any authenticated user can query AD via LDAP, which is why "low-priv domain user" is the default starting point for red teams.
# PowerView enumeration
Get-DomainUser -SPN | select samaccountname, serviceprincipalname
Get-DomainComputer -Unconstrained
Get-DomainGPO | select displayname, gpcfilesyspath
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs
For OPSEC-aware engagements, operators prefer LDAP queries through tools like ldapsearch, windapsearch, or the BloodHound SharpHound collector with stealth options (--CollectionMethods DCOnly). Each query reveals service principal names, delegation flags, password-last-set timestamps, and ACL edges that feed the attack graph.
The output is then ingested into BloodHound, where Cypher queries like MATCH p=shortestPath((u:User {name:"USER@DOMAIN"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"})) RETURN p reveal the path.
Kerberos Attacks
Kerberos is the primary authentication protocol in modern AD, and its design quirks create the most powerful exploitation primitives in the offensive arsenal.
Kerberoasting
Any domain user can request a TGS for any account with a Service Principal Name (SPN). The returned ticket is encrypted with the service account's NTLM hash, allowing offline cracking with Hashcat mode 13100. Service accounts often have weak, non-rotating passwords set by administrators years ago.
# Rubeus
Rubeus.exe kerberoast /outfile:hashes.txt
# Hashcat
hashcat -m 13100 hashes.txt rockyou.txt
AS-REP Roasting
For accounts with the DONT_REQ_PREAUTH flag set, the KDC returns an AS-REP message encrypted with the user's password hash without requiring any pre-authentication. A single LDAP query identifies them; a single GetNPUsers.py call extracts the hash. Crack offline with Hashcat mode 18200.
Unconstrained Delegation
Machines configured with unconstrained delegation receive a forwardable copy of any user's TGT when that user authenticates to them. Compromise such a host, force a Domain Controller to authenticate (via PrinterBug / SpoolSample / PetitPotam), and extract the DC's TGT from LSASS to perform DCSync.
Constrained and Resource-Based Constrained Delegation (RBCD)
If you control an account that can write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a target, you can configure RBCD and use S4U2self + S4U2proxy to impersonate any user — including Domain Admins — to that target.
Golden and Silver Tickets
Once you extract the krbtgt account hash (via DCSync or NTDS.dit dump), you can forge Golden Tickets — arbitrary TGTs for any user, valid for up to 10 years by default. Silver Tickets forge TGS for a single service using its account hash, bypassing the KDC entirely and producing almost no Domain Controller logs.
Credential Theft and Lateral Movement
The Windows authentication subsystem caches credentials aggressively. LSASS, registry hives, DPAPI vaults, and credential manager all leak material to a SYSTEM-level operator.
- Mimikatz
  - sekurlsa::logonpasswords — dumps cleartext, NTLM, and Kerberos tickets from LSASS.
  - lsadump::dcsync /user:krbtgt — uses the Directory Replication Service Remote Protocol (DRSUAPI) to pull any account's hash from a DC remotely, requiring only Replicating Directory Changes rights.
  - lsadump::sam — extracts local account hashes.
Lateral movement chains these into action: Pass-the-Hash via SMB (impacket-psexec, wmiexec, smbexec), Pass-the-Ticket via Rubeus's ptt, or Overpass-the-Hash to convert an NTLM hash into a TGT. WinRM (evil-winrm), DCOM (Invoke-DCOM), and SCM remote service creation each offer detection-evasion tradeoffs.
ACL and Trust Abuse
When credentials run out, abuse the directory's own access control. Common edges in BloodHound:
- GenericAll / GenericWrite on a user → set an SPN to enable Kerberoasting, or reset the password.
- WriteDACL on a group → add yourself, then re-elevate.
- ForceChangePassword → reset a user's password without knowing the old one.
- AddMember on Domain Admins → game over.
- WriteOwner → take ownership, grant yourself rights, escalate.
Cross-forest trusts add another dimension. SID History injection, trust ticket forging via the inter-realm trust key, and the printer bug across one-way trusts have all produced full forest compromises in real engagements.
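As an added, defender-side example that is not from the original article: a small SDDL auditor that finds the edges listed above (GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, AddMember, plus the DS-Replication-Get-Changes rights behind DCSync) held by principals outside an assumed Tier 0 allowlist. The DACL string, domain SID and RIDs are constructed; the two-letter right codes and the GUIDs are the standard Windows ones.

```python
import re

RISKY_GUIDS = {  # extended-right / attribute GUIDs that BloodHound renders as abusable edges
    "00299570-246d-11d0-a768-00aa006e0529": "ForceChangePassword",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "AddMember",  # WriteProperty on 'member'
}
# Two-letter SDDL right codes that hand over control of the whole object
RISKY_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDACL", "WO": "WriteOwner"}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")  # DACL flags, then the run of ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_aces(sddl):
    """Yield (ace_type, [right codes], object_guid, trustee) for each ACE in the DACL."""
    m = DACL_RE.search(sddl)
    for ace in ACE_RE.findall(m.group(1) if m else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        # Rights arrive as concatenated two-letter codes ("WDWO"); a raw hex mask is left opaque
        codes = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
        yield ace_type, codes, obj_guid.lower(), trustee

def dangerous_edges(sddl, tier0):
    """Return [(trustee, edge)] for allow ACEs granting abusable rights to non-Tier-0 principals."""
    edges = []
    for ace_type, codes, obj_guid, trustee in parse_aces(sddl):
        if ace_type not in ("A", "OA") or trustee in tier0:
            continue  # deny ACEs and Tier 0 holders are expected, not findings
        for code in codes:
            if code in RISKY_RIGHTS:
                edges.append((trustee, RISKY_RIGHTS[code]))
            elif code in ("CR", "WP") and obj_guid in RISKY_GUIDS:
                edges.append((trustee, RISKY_GUIDS[obj_guid]))
    return edges

# Constructed sample: a domain SID and the Tier 0 principals allowed to hold control rights
DOMAIN = "S-1-5-21-1111-2222-3333"
TIER0 = {"SY", "BA", "DA", "EA", "S-1-5-18", "S-1-5-32-544",
         DOMAIN + "-512", DOMAIN + "-519", DOMAIN + "-516"}
# Constructed DACL: SYSTEM and Domain Admins hold full control legitimately; RID 1105 holds
# WriteDACL, RID 1106 holds DS-Replication-Get-Changes, RID 1107 can write 'member'
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;GA;;;SY)(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)"
    "(A;;WD;;;" + DOMAIN + "-1105)" + "(D;;GA;;;" + DOMAIN + "-1108)"  # deny ACE: not an edge
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;" + DOMAIN + "-1106)"
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;" + DOMAIN + "-1107)"
)
```

Feeding `dangerous_edges` the SDDL of Domain Admins, the domain root and AdminSDHolder (for example from `Get-Acl` or ldapsearch output) gives the short list of ACEs to remove first.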
Real-world Examples
NotPetya (2017) abused Mimikatz-style credential dumping plus PsExec lateral movement to ravage Maersk's 49,000-machine estate, propagating across the entire Active Directory forest in under two hours.
SolarWinds / Golden SAML (2020) demonstrated how attackers, after compromising AD FS token-signing certificates, forged SAML tokens to authenticate to cloud services as any user — a federated cousin of the Golden Ticket attack.
Hafnium / ProxyLogon (2021) chained Exchange vulnerabilities with AD privilege escalation; once SYSTEM on Exchange (a high-privilege object in AD), operators frequently abused Exchange's WriteDACL on the domain root to grant themselves DCSync rights and dump every credential.
Conti and LockBit ransomware affiliates routinely use Kerberoasting + BloodHound paths to reach Domain Admin within 24 hours of initial access, then deploy ransomware via Group Policy or PsExec to every domain-joined host simultaneously.
Best Practices & Mitigation
Defending AD is fundamentally about reducing the attack graph and increasing the cost of each edge:
- Tier 0 isolation — Domain Controllers, ADCS servers, AAD Connect, and PAM hosts must never share credentials with Tier 1 (servers) or Tier 2 (workstations). Use the Microsoft Tier Model rigorously.
- Disable NTLM where possible and enforce SMB signing, LDAP signing, and Extended Protection for Authentication to defeat relay attacks (PetitPotam, ntlmrelayx).
- Service account hygiene — use Group Managed Service Accounts (gMSAs) with 30-character auto-rotated passwords. Remove legacy SPNs from privileged users.
- Patch and configure AD CS — ESC1–ESC15 (Certify / Certipy) attacks have made AD CS the new krbtgt. Audit certificate templates for ENROLLEE_SUPPLIES_SUBJECT and dangerous EKUs.
- Rotate the krbtgt password twice, at least annually, and immediately after any suspected DC compromise, to invalidate Golden Tickets.
- Monitor for the canary events: 4769 (TGS requests with RC4 encryption type 0x17), 4662 (DS-Replication-Get-Changes), 4624 logon type 9 (NewCredentials — used by overpass-the-hash), and unexpected LDAP queries from non-admin accounts.
- Deploy Microsoft LAPS to randomize local administrator passwords and break the lateral-movement chain.
- Run BloodHound defensively — the same graph that helps attackers helps you find and remove the worst edges first.
Detective controls like Microsoft Defender for Identity (formerly Azure ATP), Splunk's UEBA, and custom Sigma rules for Kerberoast TGS requests catch the noisy attacks. The quiet ones — Silver Tickets, DCSync from a compromised service account — require deeper telemetry and a mature SOC.
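To make the canary events above concrete, here is an added example (not from the original article) that runs two of those detections over constructed, simplified event records: a Kerberoast burst rule on 4769 (RC4 type 0x17 tickets for several distinct user SPNs from one requester, the pattern the Kerberoasting section describes) and a DCSync rule on 4662 (replication extended rights used by a non-DC account). The field names, the five-SPN/60-second threshold and the DC allowlist are assumptions to tune against real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extended-right GUIDs logged in 4662 'Properties' when an account replicates directory changes
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
RC4_HMAC = "0x17"  # TicketEncryptionType requested by classic Kerberoasting tooling

def kerberoast_alerts(events, max_spns=5, window=timedelta(seconds=60)):
    """Flag 4769 bursts: one account pulling RC4 service tickets for many distinct user SPNs."""
    history = defaultdict(list)  # requester -> [(time, service account)]
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] != 4769 or e["enc"] != RC4_HMAC:
            continue
        if e["service"].endswith("$") or e["service"].lower() == "krbtgt":
            continue  # machine accounts and the TGS itself are not user-SPN roasting targets
        history[e["user"]].append((e["time"], e["service"]))
        recent = {svc for t, svc in history[e["user"]] if e["time"] - t <= window}
        if len(recent) >= max_spns and all(a[0] != e["user"] for a in alerts):
            alerts.append((e["user"], sorted(recent)))
    return alerts

def dcsync_alerts(events, dc_accounts):
    """Flag 4662 replication-right use by any principal that is not a Domain Controller account."""
    return [(e["user"], e["time"]) for e in events
            if e["id"] == 4662 and e["user"] not in dc_accounts
            and REPL_GUIDS & set(e.get("properties", []))]

# Constructed sample log, simplified: 'user' stands for TargetUserName (4769) / SubjectUserName (4662)
T0 = datetime(2024, 1, 15, 9, 0, 0)
def ev(sec, **fields):
    return {"time": T0 + timedelta(seconds=sec), **fields}

SAMPLE_EVENTS = [
    ev(0, id=4769, user="jdoe", service="WS01$", enc="0x12"),     # AES ticket to a host: normal
    ev(1, id=4769, user="jdoe", service="svc_sql", enc="0x17"),
    ev(2, id=4769, user="jdoe", service="svc_web", enc="0x17"),
    ev(3, id=4769, user="jdoe", service="svc_bak", enc="0x17"),
    ev(4, id=4769, user="jdoe", service="svc_sccm", enc="0x17"),
    ev(5, id=4769, user="jdoe", service="svc_ora", enc="0x17"),   # fifth distinct SPN: burst
    ev(6, id=4769, user="bob", service="svc_sql", enc="0x17"),    # single legacy RC4 ticket
    ev(7, id=4662, user="DC01$", properties=["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]),
    ev(8, id=4662, user="svc_backup", properties=["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                                                  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
]

if __name__ == "__main__":
    print(kerberoast_alerts(SAMPLE_EVENTS), dcsync_alerts(SAMPLE_EVENTS, {"DC01$"}))
```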
Active Directory exploitation is a discipline that rewards both deep protocol knowledge and graph-thinking creativity. Every Kerberos quirk, every cached credential, every ACL edge is a potential vector — and the same is true for defenders. Mastering AD attack and defense means continuously mapping your own forest the way an adversary would, rotating the keys that matter, collapsing the trust graph, and shipping high-fidelity detections for the techniques that no amount of patching can eliminate.