HackCert
Advanced 10 min read May 25, 2026

AD Exploitation: Advanced Tactics Hackers Use to Conquer Active Directory

An in-depth technical analysis of the exact methodologies, tools, and attack paths utilized by adversaries to achieve complete domination of Active Directory environments.

Rokibul Islam
Red Team Operator
Overview

The cybersecurity landscape is dominated by a chilling reality: when sophisticated threat actors—whether they be state-sponsored advanced persistent threats (APTs) or highly organized ransomware cartels—breach a corporate perimeter, their immediate and primary objective is the subjugation of Microsoft Active Directory (AD). Active Directory is the central nervous system of the enterprise, governing authentication, authorization, and security policies across the entire network. To compromise AD is to hold the keys to the entire corporate kingdom.

AD Exploitation is not a single vulnerability or a simple software bug; it is an intricate, highly structured methodology. Attackers leverage the network’s own intended administrative functions, deep-seated architectural misconfigurations, and complex trust relationships against the organization. They navigate the environment like ghosts, escalating privileges and moving laterally until they reach the ultimate prize: Domain Administrator. This advanced technical article provides a deep dive into the specific tactics, techniques, and procedures (TTPs) utilized in modern AD Exploitation, revealing exactly how hackers systematically dismantle enterprise security from the inside out.

The Exploitation Lifecycle: Reconnaissance and Mapping

The journey to Domain Admin rarely begins with a direct attack on a Domain Controller. It almost universally starts with the compromise of a single, low-privileged foothold: an employee who clicked a phishing email, a vulnerable web server, or an unsecured remote access gateway. Once this initial beachhead is established, the exploitation lifecycle begins with aggressive internal reconnaissance.

BloodHound and Graph Theory

Active Directory was designed to be easily readable to facilitate seamless network operations. By default, any authenticated user in the domain can query the LDAP (Lightweight Directory Access Protocol) directory to retrieve massive amounts of information. Attackers weaponize this feature using advanced mapping tools, the most infamous being BloodHound.

BloodHound applies graph theory to the relationships inside Active Directory. An attacker runs a data ingestor (SharpHound) on the compromised low-privileged machine. The ingestor queries a Domain Controller over LDAP for users, groups, computers, Access Control Lists (ACLs) and Kerberos delegation settings, and then contacts individual computers over SMB and RPC to collect logged-on sessions and local group membership. The LDAP collection looks like ordinary directory traffic; the session and local-admin collection touches every reachable host and is far noisier, which makes it a common detection opportunity. BloodHound imports the data as nodes and edges (MemberOf, AdminTo, HasSession, GenericAll, and so on) and computes the shortest path from the attacker's current position to the Domain Admins group. It exposes relationships that administrators cannot see in the native tooling, transforming a sprawling network into a turn-by-turn roadmap for exploitation.
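
As an added illustration (not BloodHound's code, and not part of the original article), the following Python computes the same kind of shortest attack path over a small, constructed graph of hypothetical principals, using BloodHound's edge vocabulary. Every account, group and host name in it is invented; the reverse search at the end is the defender's view of the same data: everything that can reach Domain Admins.

```python
# Added example: BloodHound-style attack-path search over a constructed,
# hypothetical Active Directory graph. Not BloodHound's own code; the node
# names are made up, the edge kinds mirror BloodHound's vocabulary.
from collections import deque

# Constructed edge list: (source, edge_kind, target). Each edge is a
# "can reach or control" relationship an attacker can traverse.
EDGES = [
    ("alice@corp.local",         "MemberOf",   "HELPDESK@corp.local"),
    ("alice@corp.local",         "MemberOf",   "DOMAIN USERS@corp.local"),
    ("HELPDESK@corp.local",      "AdminTo",    "WS01.corp.local"),
    ("WS01.corp.local",          "HasSession", "bob@corp.local"),
    ("bob@corp.local",           "MemberOf",   "DOMAIN ADMINS@corp.local"),
    # A second, longer route through a dangerous ACL chain.
    ("HELPDESK@corp.local",      "GenericAll", "svc_sql@corp.local"),
    ("svc_sql@corp.local",       "MemberOf",   "SQL ADMINS@corp.local"),
    ("SQL ADMINS@corp.local",    "AdminTo",    "SQL01.corp.local"),
    ("SQL01.corp.local",         "HasSession", "dave@corp.local"),
    ("dave@corp.local",          "MemberOf",   "DOMAIN ADMINS@corp.local"),
    # Dead end: ordinary users can RDP to a workstation with no privileged session.
    ("DOMAIN USERS@corp.local",  "CanRDP",     "WS02.corp.local"),
    ("WS02.corp.local",          "HasSession", "carol@corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge_kind, neighbour), ...]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_attack_path(graph, start, target):
    """Breadth-first search; returns [(src, edge_kind, dst), ...] or None.

    BFS on an unweighted graph yields the path with the fewest hops, which
    is what BloodHound's default shortest-path query reports.
    """
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, kind = parent[node]
        path.append((prev, kind, node))
        node = prev
    return list(reversed(path))


def nodes_with_path_to(graph, target):
    """Every principal that can reach target (reverse BFS): the defender's blast radius."""
    reverse = {}
    for src, outs in graph.items():
        for _, dst in outs:
            reverse.setdefault(dst, []).append(src)
    seen, queue = {target}, deque([target])
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, []):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    seen.discard(target)
    return seen


def edge_kinds_on_path(path):
    """The misconfiguration classes a defender must fix to break this path."""
    return sorted({kind for _, kind, _ in path})


if __name__ == "__main__":
    g = build_graph(EDGES)
    for src, kind, dst in shortest_attack_path(g, "alice@corp.local", "DOMAIN ADMINS@corp.local"):
        print(f"{src} -[{kind}]-> {dst}")
```

Breaking the four-hop path needs only one of its edges removed: take HELPDESK out of the local Administrators group on WS01, or stop bob logging on to workstations. The reverse search shows the longer ACL route would still exist, which is why attack-path remediation is iterative.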

Enumerating Local Administrators and Sessions

Before moving, the attacker must know where to go. They enumerate which users and groups hold Local Administrator rights on which computers, and, more importantly, they hunt for active sessions. Tools like PowerView (Find-DomainUserLocation, formerly Invoke-UserHunter) query the domain and then the hosts themselves to discover where highly privileged users (IT administrators or helpdesk personnel) are currently logged in. A disconnected RDP session is still a logged-on session: its credentials stay in LSASS until the user logs off. If an attacker identifies a standard workstation where a Domain Admin left such a session, that workstation immediately becomes the primary target for lateral movement.

Lateral Movement and Credential Theft

With the attack path mapped, the adversary must acquire the necessary credentials to traverse the network. This phase involves sophisticated techniques to extract authentication material directly from the memory of compromised machines.

The Pass-the-Hash (PtH) Attack

When a user logs into a Windows machine, the Local Security Authority Subsystem Service (LSASS) keeps the material needed for single sign-on in memory: the NTLM (NT) hash of the password, the Kerberos keys derived from it, and the user's Kerberos tickets. A plaintext password is only present when the legacy WDigest provider is allowed to cache it (the default on Windows 7 and Server 2008 R2 before KB2871997, and a registry setting attackers sometimes re-enable on purpose).

If an attacker gains Local Administrator rights on a machine (and Credential Guard is not isolating LSASS), they can use Mimikatz (sekurlsa::logonpasswords), a minidump of lsass.exe parsed offline, or similar utilities to extract these hashes. In a Pass-the-Hash (PtH) attack the adversary does not crack the hash at all. NTLM authentication proves possession of the NT hash, not of the password, so the stolen hash is injected into a fresh logon session (sekurlsa::pth) and every NTLM authentication from that session succeeds as the victim. In the Kerberos variant, Overpass-the-Hash, the NT hash or AES key is used to request a perfectly legitimate TGT from the KDC. Either way the attacker gains access to any remote system where that user holds privileges.

Kerberoasting and AS-REP Roasting

Attackers also target the Kerberos protocol itself. Active Directory uses Service Principal Names (SPNs) to associate a service (for example MSSQLSvc/sql01.corp.local) with the account that runs it. In a Kerberoasting attack, any authenticated user can request a service ticket (a TGS-REP) for any SPN in the domain; no access to the service is needed and the request is indistinguishable from normal use. Part of that ticket is encrypted with a key derived from the service account's password, so the attacker extracts the encrypted portion and cracks it offline against password candidates on their own hardware (hashcat mode 13100 for the RC4 variant). Attackers deliberately request RC4-HMAC (etype 23) tickets wherever the account still allows them, because the RC4 key is simply the NT hash and cracks far faster than AES. Because service accounts often hold elevated privileges but are configured with weak, non-expiring passwords, a successful crack yields that account's privileges, which frequently include local admin on servers and, in badly run domains, Domain Admin. Computer accounts have SPNs too, but their machine-generated passwords make them impractical to crack, which is why the attack targets user accounts with SPNs.

A similar attack is AS-REP Roasting. If a user account has "Do not require Kerberos preauthentication" set (a severe misconfiguration, usually left over for a legacy application), anyone can send an AS-REQ for that user without proving knowledge of the password, and the Domain Controller returns an AS-REP whose encrypted part is protected by the user's key. The attacker extracts that blob and cracks it offline (hashcat mode 18200). Unlike Kerberoasting, this does not even require a domain account: only a username and network access to a DC.

Domain Escalation: Achieving Total Control

Once the attacker has successfully moved laterally and harvested sufficient credentials, they execute the final maneuvers to achieve total domain dominance.

Exploiting Dangerous ACLs and Delegation

Often the path to Domain Admin does not require a software exploit, but the abuse of misconfigured Access Control Lists (ACLs) within the directory itself. For example, a helpdesk group might have been granted GenericAll or the User-Force-Change-Password extended right over a high-level administrative account. If the attacker compromises a helpdesk user, they can reset the admin's password and take the account over, at the cost of alerting the admin; attackers holding GenericAll therefore often prefer quieter options such as adding an SPN to the account and Kerberoasting it, or writing a shadow credential (msDS-KeyCredentialLink). Equivalent rights on a group (WriteDacl, WriteOwner, or AddMember on Domain Admins) or on the domain object itself are just as dangerous.

Furthermore, misconfigured Kerberos delegation is a prime target. If a server is configured with Unconstrained Delegation, every user who authenticates to it with Kerberos sends along a forwardable TGT that is cached in the server's LSASS. If an attacker compromises that server and waits for a Domain Admin to connect (perhaps by tricking them into investigating a fake alert), or simply coerces a Domain Controller's computer account into authenticating to it (the PrinterBug/SpoolSample and PetitPotam family of coercion techniques), the attacker extracts the TGT from memory and uses it to act as that principal anywhere in the domain. A DC machine-account TGT is enough to DCSync, so a single unconstrained-delegation server is effectively a domain compromise; it escalates to the forest when the captured principal holds forest-wide rights such as Enterprise Admins.

DCSync: Replicating the Keys to the Kingdom

The ultimate technique for domain compromise is the DCSync attack. Domain Controllers continuously communicate with one another to synchronize directory changes, utilizing the Directory Replication Service (DRS) Remote Protocol.

If an attacker has acquired sufficient rights on the domain object, specifically the Replicating Directory Changes and Replicating Directory Changes All control-access rights, they can execute a DCSync attack. By default those rights belong to the Domain Controllers, Administrators, Domain Admins and Enterprise Admins groups, and in hybrid environments also to the Azure AD Connect synchronization account (MSOL_*), which makes that account a frequent target. Using Mimikatz (lsadump::dcsync) or Impacket's secretsdump.py, the attacker's machine pretends to be a Domain Controller and sends a replication request (IDL_DRSGetNCChanges) to a real DC. The DC complies and returns the secrets of the requested accounts, including the krbtgt account's keys, or the entire directory if asked, without a single line of malicious code executing on the DC itself. The only trace on the DC is a Directory Service Access event (4662) showing a replication right exercised by a principal that is not a Domain Controller.
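
The ACL checks behind this section and the previous one, written as an added example rather than any tool from the article: given a flattened, constructed ACL export, the code lists who can DCSync (both replication rights, or full control, on the domain object) and who holds takeover rights over Tier 0 accounts. The control-access GUIDs and access-mask bits are the real Active Directory values; the trustee and object names (including the MSOL_ account) are hypothetical.

```python
# Added example (not from the article): audit a constructed ACL export for
# DCSync-capable trustees and for takeover rights over Tier 0 accounts.
# GUIDs and access-mask bits are real AD values; all names are hypothetical.

DS_REPLICATION_GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
USER_FORCE_CHANGE_PASSWORD     = "00299570-246d-11d0-a768-00aa006e0529"
REPLICATION_PAIR = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# ADS_RIGHTS_ENUM bits that matter for object takeover.
RIGHT_DS_CONTROL_ACCESS = 0x00000100   # extended right, identified by the object-type GUID
RIGHT_WRITE_DAC         = 0x00040000   # WriteDacl: grant yourself anything
RIGHT_WRITE_OWNER       = 0x00080000   # WriteOwner: take ownership, then WriteDacl
GENERIC_ALL             = 0x000F01FF   # full control as AD stores it

DOMAIN_DN = "DC=corp,DC=local"
DA_BOB    = "CN=da_bob,CN=Users,DC=corp,DC=local"
SVC_SQL   = "CN=svc_sql,CN=Users,DC=corp,DC=local"   # a service account that sits in Domain Admins

# Constructed, flattened ACL export:
# (object DN, trustee, ACE type, access mask, object-type GUID or None).
# Only Allow ACEs are evaluated; a real audit must also apply Deny ACEs and inheritance.
ACES = [
    (DOMAIN_DN, "CORP\\Domain Controllers", "Allow", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    (DOMAIN_DN, "CORP\\Domain Controllers", "Allow", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    (DOMAIN_DN, "CORP\\Domain Admins",      "Allow", GENERIC_ALL,             None),
    (DOMAIN_DN, "CORP\\MSOL_3f2a91c0",      "Allow", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),      # hypothetical Azure AD Connect account
    (DOMAIN_DN, "CORP\\MSOL_3f2a91c0",      "Allow", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    (DOMAIN_DN, "CORP\\backup_svc",         "Allow", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),      # only half the pair: cannot pull secrets
    (DA_BOB,    "CORP\\HELPDESK",           "Allow", RIGHT_DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD),
    (DA_BOB,    "CORP\\Domain Admins",      "Allow", GENERIC_ALL,             None),
    (SVC_SQL,   "CORP\\HELPDESK",           "Allow", GENERIC_ALL,             None),
]


def dcsync_capable(aces, domain_dn):
    """Trustees holding both replication rights (or full control) on the domain object."""
    rights = {}
    for obj, trustee, ace_type, mask, guid in aces:
        if obj != domain_dn or ace_type != "Allow":
            continue
        held = rights.setdefault(trustee, set())
        if mask & GENERIC_ALL == GENERIC_ALL:
            held.update(REPLICATION_PAIR)           # GenericAll implies every extended right
        elif mask & RIGHT_DS_CONTROL_ACCESS and guid in REPLICATION_PAIR:
            held.add(guid)
    return sorted(t for t, held in rights.items() if REPLICATION_PAIR <= held)


def takeover_right(mask, guid):
    """Name the abusable right an ACE grants, or None if it is benign for takeover."""
    if mask & GENERIC_ALL == GENERIC_ALL:
        return "GenericAll"
    if mask & RIGHT_WRITE_DAC:
        return "WriteDacl"
    if mask & RIGHT_WRITE_OWNER:
        return "WriteOwner"
    if mask & RIGHT_DS_CONTROL_ACCESS and guid == USER_FORCE_CHANGE_PASSWORD:
        return "ForceChangePassword"
    return None


def tier0_takeover_findings(aces, tier0_dns, expected_trustees):
    """(trustee, object, right) for every unexpected principal that can take over a Tier 0 account."""
    findings = []
    for obj, trustee, ace_type, mask, guid in aces:
        if obj not in tier0_dns or ace_type != "Allow" or trustee in expected_trustees:
            continue
        right = takeover_right(mask, guid)
        if right:
            findings.append((trustee, obj, right))
    return findings


if __name__ == "__main__":
    print("DCSync-capable:", dcsync_capable(ACES, DOMAIN_DN))
    for f in tier0_takeover_findings(ACES, {DA_BOB, SVC_SQL}, {"CORP\\Domain Admins"}):
        print("Tier 0 takeover:", f)
```

The MSOL_ account appears in the DCSync list by design: Azure AD Connect needs those rights, so the fix is to treat that account as Tier 0 (isolate the server it runs on, alert on any logon elsewhere) rather than to remove the rights. backup_svc is not listed because a single replication right cannot return password hashes, but it is still worth removing.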

Persistence: The Golden and Silver Tickets

Once Domain Admin is achieved, the attacker’s final goal is absolute, stealthy persistence. They must ensure that even if the security team discovers the breach, changes all administrator passwords, and rebuilds the compromised servers, the attacker retains total access.

Forging the Golden Ticket

The ultimate persistence mechanism is the Golden Ticket. With the krbtgt account's key extracted during a DCSync attack (its NT hash, or preferably its AES256 key, because an RC4-encrypted TGT in an AES domain is itself an anomaly), the adversary gains the ability to cryptographically forge their own Kerberos Ticket Granting Tickets (TGTs).

The attacker can create a Golden Ticket for any username, stamp its PAC with membership of Domain Admins, Enterprise Admins and other privileged groups, and set it to be valid for 10 years (the Mimikatz default; the domain's 10-hour ticket policy is never consulted because the KDC never issued the ticket). Because the ticket is encrypted and signed with the krbtgt key, the Domain Controller accepts it as valid and issues service tickets against it, so the forged TGT grants access to any resource in the domain for as long as that key remains. Two caveats matter in practice. First, Domain Controllers that enforce the November 2021 PAC changes (CVE-2021-42287, KB5008380) check that the user in the ticket maps to a real account SID, so the "completely fictitious user" variant fails there and attackers forge tickets for existing accounts instead. Second, the only remedy is to reset the krbtgt password twice, allowing replication between the resets because the KDC still honours the previous key, which invalidates every ticket forged with the old one.

The DCShadow Attack

For even deeper persistence, attackers who already hold Domain Admin rights use DCShadow. Instead of pulling data like DCSync, DCShadow pushes changes into the directory by temporarily registering the attacker's workstation as a rogue Domain Controller (an nTDSDSA object in the Configuration partition plus the matching SPNs on the machine's computer account) and then triggering replication of attacker-chosen attribute values to a real DC. The attacker can silently inject backdoors, modify ACLs (for example grant themselves DCSync rights), or add accounts to administrative groups. Because the changes arrive through the legitimate replication protocol, the real DC records them as replicated data rather than as directory modifications made by a user, so the usual object-change events (4662, 5136) are not generated and most monitoring that relies on them is blind. DCShadow is a stealth and persistence technique, not an escalation one: it needs Domain Admin-equivalent rights to begin with. Its footprint is the rogue DC's short-lived registration itself, visible as SPN changes on a computer account (4742) and replication traffic from a host that is not a Domain Controller.

Best Practices & Mitigation

Defending against advanced AD Exploitation requires a massive paradigm shift from traditional network security to rigorous, identity-centric architecture hardening.

Enforce Strict Credential Tiering

The most critical defense against lateral movement and credential theft (like Pass-the-Hash) is implementing the Microsoft Tiered Administration Model (now called the Enterprise Access Model). High-privilege Tier 0 administrators (Domain Admins and every account that can reach them) must be technically prevented from ever logging into lower-tier systems (Tier 1 servers or Tier 2 workstations) and must administer only from dedicated Privileged Access Workstations. If an admin's credentials are never left in the memory of an exposed workstation, the attacker cannot steal them there. This must be enforced rather than merely documented: Authentication Policies and Silos restrict where Tier 0 accounts can obtain tickets, membership in the Protected Users group disables NTLM, RC4 and credential caching for those accounts, and Credential Guard on the endpoints keeps LSASS secrets out of reach of a local administrator.

Eradicate Misconfigurations and Attack Paths

Organizations must actively identify and eliminate the systemic misconfigurations that attackers rely upon.

  • Neutralize Kerberoasting: Migrate service accounts to Group Managed Service Accounts (gMSAs), whose long random passwords are generated by AD and rotated automatically (every 30 days by default), which makes the offline crack infeasible. The service ticket can still be requested; it simply cannot be cracked. Where a human-managed service account must remain, give it a long random password, restrict it to AES (msDS-SupportedEncryptionTypes) so RC4 tickets are never issued for it, and never place it in Domain Admins.
  • Audit Delegation: Strictly audit and remove Unconstrained Delegation, replacing it with Resource-Based Constrained Delegation only where genuinely required, and mark Tier 0 accounts as "Account is sensitive and cannot be delegated" (or place them in Protected Users) so their TGTs are never forwarded to any server.
  • Map Attack Paths: Defenders must continuously use tools like BloodHound themselves (the open-source Community Edition, or the commercial BloodHound Enterprise from SpecterOps) to map and remediate dangerous ACLs, nested group structures and privileged sessions before attackers exploit them. The list of principals holding replication (DCSync) rights on the domain object deserves the same treatment: it should be short, known, and reviewed regularly.

Continuous Threat Detection

Because AD attacks often use legitimate administrative protocols (replication for DCSync, LDAP for enumeration, Kerberos itself for Kerberoasting), traditional antivirus is largely blind to them. Organizations must deploy Identity Threat Detection and Response (ITDR) capabilities that monitor the directory in near real time for behavioral anomalies, suspicious LDAP queries, Kerberos ticket anomalies (bursts of RC4 service-ticket requests, TGT requests without pre-authentication, tickets whose lifetime contradicts domain policy) and replication requests from principals that are not Domain Controllers. Much of this depends on telemetry that is not collected by default: enable the Directory Service Access audit subcategory together with a SACL on the domain object so that event 4662 records replication rights being exercised, Kerberos Service Ticket Operations for 4769, and Kerberos Authentication Service for 4768. With that in place, defenders can intercept the exploitation lifecycle before total domain compromise is achieved.
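
Three of those detections, written out as an added example (not any product's logic, and not code from the article) and run over constructed, already-parsed Security events: a Kerberoasting burst in 4769, an AS-REP-roastable account in 4768, and a DCSync attempt in 4662. The event IDs, field semantics and replication GUIDs are the real ones; the hosts, accounts and timestamps are invented.

```python
# Added example: ITDR-style detections over constructed Windows Security events.
# Event IDs, fields and GUIDs are real; all names and times are made up.
from collections import defaultdict
from datetime import datetime, timedelta

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DC_ACCOUNTS = {"DC01$", "DC02$"}             # constructed: the domain's DC machine accounts
T0 = datetime(2026, 5, 25, 9, 0, 0)          # constructed base time


def ev(eid, secs, **fields):
    """Build one constructed, already-parsed event record."""
    return {"id": eid, "time": T0 + timedelta(seconds=secs), **fields}


EVENTS = [
    # 4769 service-ticket requests. alice pulls RC4 (0x17) tickets for five SPNs in four seconds.
    ev(4769, 1, user="alice", service="MSSQLSvc/sql01.corp.local", etype="0x17"),
    ev(4769, 2, user="alice", service="MSSQLSvc/sql02.corp.local", etype="0x17"),
    ev(4769, 2, user="alice", service="HTTP/intranet.corp.local", etype="0x17"),
    ev(4769, 3, user="alice", service="http/reports.corp.local", etype="0x17"),
    ev(4769, 4, user="alice", service="CIFS/backup01.corp.local", etype="0x17"),
    ev(4769, 5, user="alice", service="krbtgt", etype="0x12"),                      # AES: ignored
    ev(4769, 30, user="carol", service="MSSQLSvc/sql01.corp.local", etype="0x17"),  # normal legacy use
    ev(4769, 31, user="carol", service="MSSQLSvc/sql02.corp.local", etype="0x17"),
    ev(4769, 40, user="bob", service="cifs/fs01.corp.local", etype="0x12"),
    # 4768 TGT requests. Pre-Authentication Type 0 means no pre-auth was performed.
    ev(4768, 50, user="svc_legacy", preauth_type=0, client="10.0.5.23"),
    ev(4768, 51, user="bob", preauth_type=2, client="10.0.5.23"),
    # 4662 directory access. The Properties field lists the control-access GUIDs exercised.
    ev(4662, 60, user="alice",
       properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ev(4662, 61, user="DC02$", properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),  # inter-DC replication
    ev(4662, 62, user="bob", properties="{11111111-2222-3333-4444-555555555555}"),    # constructed, unrelated GUID
]


def detect_kerberoasting(events, min_spns=5, window=timedelta(minutes=5)):
    """One account requesting RC4 service tickets for many distinct SPNs inside a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"].lower() == "0x17":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):                       # sliding window anchored on each request
            spns = {e["service"].lower() for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(spns) >= min_spns:
                alerts.append((user, len(spns)))
                break
    return alerts


def detect_asrep_roastable(events):
    """4768 with Pre-Authentication Type 0: the KDC handed out an AS-REP without pre-auth."""
    return sorted({e["user"] for e in events if e["id"] == 4768 and e.get("preauth_type") == 0})


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """4662 where a replication control-access right was exercised by a non-DC principal."""
    alerts = []
    for e in events:
        if e["id"] != 4662 or e["user"] in dc_accounts:
            continue
        used = {g.strip("{}").lower() for g in e["properties"].split()} & REPLICATION_GUIDS
        if used:
            alerts.append((e["user"], sorted(used)))
    return alerts


if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(EVENTS))
    print("AS-REP roastable:", detect_asrep_roastable(EVENTS))
    print("DCSync:", detect_dcsync(EVENTS))
```

Tuning notes: the RC4 burst rule needs an allow-list for hosts that legitimately talk to many legacy SPNs (and the threshold shown is arbitrary); the 4768 rule is really a configuration finding and should feed a remediation ticket as well as an alert; the 4662 rule must allow-list the Azure AD Connect account and any backup product that genuinely replicates, because each of those will otherwise fire on every sync cycle.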

Key Takeaways

Active Directory Exploitation is an intricate art form utilized by the world's most dangerous cyber adversaries. It is not characterized by smashing through firewalls, but by silently and methodically weaponizing the network’s own complex trust structures, legacy protocols, and deeply buried misconfigurations against it. From the initial BloodHound mapping to the devastating execution of DCSync and Golden Tickets, attackers operate with terrifying efficiency to seize the ultimate keys to the corporate kingdom.

Protecting Active Directory demands far more than basic patching. It requires an aggressive, proactive commitment to architectural redesign, rigorous credential isolation, and the continuous hunting of hidden attack paths. By understanding the precise methodologies and tools employed in AD Exploitation, security teams can transition from playing reactive defense to actively dismantling the adversary's roadmap, securing the very foundation of the enterprise network.

Ready to test your knowledge? Take the AD Exploitation MCQ Quiz on HackCert today!
