Active Directory Attack Techniques
Comprehensive guide to Active Directory attack vectors, exploitation techniques, and offensive security methodologies
Practice These Techniques in GOAD
Use the GOAD (Game of Active Directory) lab to safely replicate and study the AD attack paths below against a domain you own.
Credential Access Attacks
Pass-the-Hash (PtH)
Description: Authenticating to NTLM-accepting services with an account's NT hash instead of its password; the hash itself is the credential, so nothing has to be cracked. Local administrator hashes reused across many hosts are the classic target.
Tools: Mimikatz (sekurlsa::pth), Impacket (psexec.py, wmiexec.py, smbclient.py with -hashes), CrackMapExec
MITRE ATT&CK: T1550.002
Detection: On the target, 4624 with LogonType 3 and AuthenticationPackageName NTLM for accounts or hosts that normally authenticate with Kerberos; on the source, Mimikatz pass-the-hash shows as 4624 LogonType 9 (NewCredentials) with LogonProcessName seclogo. Deny network logon to local accounts and enable LSA protection or Credential Guard to limit hash theft in the first place.
Pass-the-Ticket (PtT)
Description: Importing a Kerberos ticket stolen from another session (a TGT or service ticket exported as .kirbi or .ccache) into the attacker's logon session, so every request is made as the ticket's owner; no password or hash is needed.
Tools: Mimikatz (kerberos::ptt), Rubeus (dump, ptt), Impacket (KRB5CCNAME with ticketConverter.py)
MITRE ATT&CK: T1550.003
Detection: 4624 Kerberos logons where TargetUserName differs from the user interactively logged on to the source host; 4769 TGS requests for a user from a host on which that user never obtained a TGT (no matching 4768); on the endpoint, LSASS access by the ticket-import tooling (Sysmon 10).
Over-Pass-the-Hash
Description: Using an account's NT hash (or AES key) as its Kerberos long-term key to obtain a legitimate TGT, turning an NTLM credential into a full Kerberos session. Unlike plain pass-the-hash it also works against services that only accept Kerberos.
Tools: Mimikatz (sekurlsa::pth, which starts a process whose Kerberos key is the hash), Rubeus (asktgt /rc4: or /aes256:)
MITRE ATT&CK: T1550.002
Detection: 4768 with TicketEncryptionType 0x17 (RC4-HMAC) for an account that has AES keys, since a hash-based request forces RC4. An attacker who supplies the AES256 key instead produces a normal-looking 0x12 request, so also correlate 4768 with hosts the user does not normally use.
DCSync Attack
Description: Asking a domain controller to replicate account secrets through the Directory Replication Service (MS-DRSR, GetNCChanges), exactly as a peer DC would. Requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, held by default by Domain Admins, Enterprise Admins and Domain Controllers (and often by Azure AD Connect service accounts).
Tools: Mimikatz (lsadump::dcsync), Impacket secretsdump.py
MITRE ATT&CK: T1003.006
Detection: 4662 on the domain object whose Properties contain the control-access GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (Get-Changes) and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (Get-Changes-All) from a SubjectUserName that is not a DC computer account or a known replication service account; on the network, DRSUAPI RPC (DsGetNCChanges) from an IP that is not a domain controller.
Kerberoasting
Description: Any domain user can request a service ticket for any SPN. Tickets for services running as user accounts are encrypted with that account's password-derived key, so they can be taken offline and cracked; computer accounts are not practical targets because of their long random passwords.
Tools: Rubeus (kerberoast), Impacket GetUserSPNs.py, PowerView (Invoke-Kerberoast)
MITRE ATT&CK: T1558.003
Detection: 4769 with TicketEncryptionType 0x17 where ServiceName is a user account, especially many distinct services requested by one user or source IP in a short window; alert on 0x17 requests for accounts that support AES, because the attacker can ask for RC4 to keep cracking cheap; plant honeypot SPN accounts that no real client ever requests.
ASREPRoasting
Description: Accounts with DONT_REQ_PREAUTH (userAccountControl 0x400000) return an AS-REP whose encrypted part is derived from the user's password, and anyone can request it without supplying credentials; the blob is then cracked offline like a Kerberoast hash.
Tools: Rubeus (asreproast), Impacket GetNPUsers.py, ASREPRoast (PowerShell)
MITRE ATT&CK: T1558.004
Detection: 4768 with PreAuthType 0 (logon without pre-authentication) and TicketEncryptionType 0x17; periodically query for userAccountControl bit 0x400000 and alert on 4738 account changes that set it.
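The four detections above (DCSync, Kerberoasting, ASREPRoasting and the RC4 indicator for over-pass-the-hash) all read the same three domain-controller events, so here is one detector run over sample records. This is an added example, not code from the original page or from any of the tools it names; the events are constructed, and the list of accounts allowed to replicate is an assumption that would come from your own inventory.

```python
# Added example (not from the original page): score domain-controller Security
# events for the credential-access patterns above. The events below are
# constructed samples shaped like the named 4768 / 4769 / 4662 fields.
import re
from collections import defaultdict

RC4_HMAC = "0x17"            # TicketEncryptionType value for RC4-HMAC
PREAUTH_NONE = "0"           # 4768 PreAuthType 0: logon without pre-authentication
REPLICATION_GUIDS = {        # control-access rights used by DCSync (4662 Properties)
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumption: accounts that legitimately replicate (DC computer accounts, sync services).
KNOWN_REPLICATORS = {"dc01$", "dc02$", "svc-aadconnect"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def normalize_user(name):
    """'alice@CORP.LOCAL', 'CORP\\alice' and 'alice' all become 'alice'."""
    return name.split("@")[0].split("\\")[-1].lower()


def detect(events, rc4_tgs_threshold=3):
    """Return (technique, account, detail) tuples for the indicators found."""
    findings = []
    rc4_services = defaultdict(set)          # (requester, source IP) -> service accounts
    for e in events:
        eid = e["EventID"]
        if eid == 4769:
            svc = normalize_user(e["ServiceName"])
            # Computer accounts and krbtgt are not practical roasting targets.
            if svc.endswith("$") or svc == "krbtgt":
                continue
            if e["TicketEncryptionType"] == RC4_HMAC:
                rc4_services[(normalize_user(e["TargetUserName"]), e["IpAddress"])].add(svc)
        elif eid == 4768:
            user = normalize_user(e["TargetUserName"])
            if e["PreAuthType"] == PREAUTH_NONE:
                findings.append(("ASREPRoasting", user, f"AS-REP without pre-auth from {e['IpAddress']}"))
            elif e["TicketEncryptionType"] == RC4_HMAC:
                # Only meaningful for accounts that have AES keys: an RC4 TGT then means
                # the NT hash was used as the Kerberos key (over-pass-the-hash).
                findings.append(("Over-Pass-the-Hash", user, f"RC4 TGT from {e['IpAddress']}"))
        elif eid == 4662:
            rights = sorted(REPLICATION_GUIDS[g] for g in GUID_RE.findall(e["Properties"].lower())
                            if g in REPLICATION_GUIDS)
            subject = normalize_user(e["SubjectUserName"])
            if rights and subject not in KNOWN_REPLICATORS:
                findings.append(("DCSync", subject, "used " + ", ".join(rights)))
    for (user, ip), services in rc4_services.items():
        if len(services) >= rc4_tgs_threshold:
            findings.append(("Kerberoasting", user,
                             f"{len(services)} RC4 service tickets from {ip}: {sorted(services)}"))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
    {"EventID": 4768, "TargetUserName": "svc-legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
    {"EventID": 4662, "SubjectUserName": "bob",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for technique, account, detail in detect(SAMPLE_EVENTS):
        print(f"{technique:20} {account:12} {detail}")
```

The RC4 checks only carry signal in a domain where the accounts concerned have AES keys; in an RC4-only domain every ticket is 0x17 and the threshold on distinct services per requester is the remaining Kerberoast signal.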
Lateral Movement Techniques
NTLM Relay
Description: Poisoning name resolution (LLMNR/NBT-NS, or IPv6 DNS with mitm6) or coercing authentication (PetitPotam, printerbug) so that a victim authenticates to the attacker, then forwarding the NTLM exchange to another service (SMB, LDAP, HTTP, AD CS) that does not require signing or channel binding. The attacker never learns the password; they act as the victim for one session.
Tools: Responder, ntlmrelayx (Impacket), MultiRelay, mitm6
MITRE ATT&CK: T1557.001
Mitigation: require SMB signing, LDAP signing and LDAP channel binding, enable Extended Protection for Authentication on HTTP endpoints, disable LLMNR and NBT-NS, and block outbound SMB from workstations.
Detection: 4624 LogonType 3 NTLM logons where WorkstationName does not belong to the host that owns the source IP (the relayed NEGOTIATE carries the victim's name, the TCP connection comes from the relay); LLMNR/NBT-NS answers from anything other than a DNS server; bursts of 4776 for one account from a new source.
Remote Service Execution
Description: Executing commands on remote hosts with valid administrator credentials over SMB (service creation through the ADMIN$ share), WMI (Win32_Process.Create) or WinRM/PowerShell remoting.
Tools: PsExec, Impacket wmiexec.py and smbexec.py, Enter-PSSession / Invoke-Command
MITRE ATT&CK: T1021 (T1021.002 SMB admin shares, T1021.006 WinRM; WMI is T1047)
Detection: 7045 service installations with random names or binaries written to ADMIN$; 4688 processes whose parent is WmiPrvSE.exe; 4624 LogonType 3 followed by wsmprovhost.exe (WinRM) together with PowerShell 4103/4104 script block logs; 5140/5145 access to the ADMIN$ share from workstations.
Silver Ticket
Description: Forging a service ticket with the key of a service account (usually a computer account's NT hash or AES key) for a chosen user and group membership, giving access to that host's services (CIFS, HOST, HTTP, or LDAP on a DC) without ever contacting a domain controller.
Tools: Mimikatz (kerberos::golden with /service), Rubeus (silver), Impacket ticketer.py
MITRE ATT&CK: T1558.002
Detection: 4624 Kerberos logons on the target with no corresponding 4769 on any DC; PAC validation failures when the service is configured to validate PACs with the DC; 4627 logons whose group membership does not match the directory. Rotating computer account passwords (30 days by default) limits how long a stolen key stays usable.
DCOM Lateral Movement
Description: Instantiating DCOM objects that expose command execution (MMC20.Application ExecuteShellCommand, ShellWindows, ShellBrowserWindow) on a remote host over RPC with local administrator rights, giving execution without creating a service or touching WinRM.
Tools: Impacket dcomexec.py, SharpCOM
MITRE ATT&CK: T1021.003
Detection: 4688 for mmc.exe or explorer.exe spawning cmd.exe or powershell.exe on hosts with no interactive user; children of the DcomLaunch service host tied to a remote LogonType 3 session; inbound RPC (TCP 135 plus the dynamic port range) from workstations to other workstations.
Privilege Escalation
Delegation Abuse
Description: Turning Kerberos delegation into impersonation. Unconstrained delegation caches the TGT of every user who authenticates to the host in its LSASS (coercing a DC to connect yields a DC TGT); constrained delegation with protocol transition lets a service use S4U2Self and S4U2Proxy to obtain tickets to its allowed targets as any non-protected user; resource-based constrained delegation lets anyone who can write msDS-AllowedToActOnBehalfOfOtherIdentity on a computer object (its owner, or the account that joined it) impersonate users to that computer.
Tools: Rubeus (s4u, monitor, tgtdeleg), PowerView (Get-DomainComputer -Unconstrained / -TrustedToAuth), Impacket getST.py and rbcd.py
MITRE ATT&CK: no dedicated technique; T1558 (Steal or Forge Kerberos Tickets) for S4U ticket abuse and T1098 (Account Manipulation) for writing delegation attributes
Detection: Audit userAccountControl for TRUSTED_FOR_DELEGATION (0x80000) and TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000), and the msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity attributes (5136 on the latter); 4769 with TransitedServices populated, or S4U2Self requests where the requesting service and target user make no sense together. Put administrators in Protected Users or set "Account is sensitive and cannot be delegated" so their tickets cannot be delegated at all.
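The "audit delegation settings" advice comes down to reading a handful of attributes on each account. The following is an added example, not code from the page or from any tool it names, that classifies constructed LDAP-style objects; it assumes msDS-AllowedToActOnBehalfOfOtherIdentity has already been parsed from its security descriptor into a list of principal names, and uses a hypothetical "protectedUser" key for Protected Users membership.

```python
# Added example (not from the page): classify Kerberos delegation exposure from
# userAccountControl bits and the two delegation attributes. Inputs are constructed
# to look like LDAP search results; see the lead-in for the assumptions made.
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def audit_delegation(objects):
    """Return (sAMAccountName, severity, explanation) tuples."""
    findings = []
    for o in objects:
        name = o["sAMAccountName"]
        uac = o.get("userAccountControl", 0)
        targets = o.get("msDS-AllowedToDelegateTo", [])
        rbcd = o.get("msDS-AllowedToActOnBehalfOfOtherIdentity", [])  # assumed pre-parsed (see lead-in)

        # Unconstrained delegation on anything but a DC: every TGT that touches the host is cached.
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            findings.append((name, "HIGH",
                             "unconstrained delegation: TGTs of every user authenticating here are cached in LSASS"))
        if targets:
            if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
                # S4U2Self gives a ticket for any non-protected user without that user's involvement.
                findings.append((name, "HIGH",
                                 f"constrained delegation with protocol transition: can impersonate any "
                                 f"non-protected user to {targets}"))
            else:
                findings.append((name, "MEDIUM",
                                 f"constrained delegation (Kerberos only) to {targets}"))
        if rbcd:
            findings.append((name, "MEDIUM",
                             f"resource-based constrained delegation: {rbcd} may impersonate users to this host"))
        # Privileged accounts are only safe from delegation if NOT_DELEGATED is set or they are in Protected Users.
        if o.get("adminCount") == 1 and not uac & UF_NOT_DELEGATED and not o.get("protectedUser", False):
            findings.append((name, "LOW",
                             "privileged account is delegatable (not NOT_DELEGATED, not in Protected Users)"))
    return findings


# Constructed sample objects (not real directory data).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},                       # DC: expected
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},                      # member server, unconstrained
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"]},                          # protocol transition
    {"sAMAccountName": "APP02$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["http/web01.corp.local"]},                         # Kerberos-only constrained
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WS07$"]},                         # RBCD
    {"sAMAccountName": "da-admin", "userAccountControl": 0x200, "adminCount": 1},     # delegatable admin
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x100200, "adminCount": 1},  # NOT_DELEGATED set
]

if __name__ == "__main__":
    for name, severity, why in audit_delegation(SAMPLE_OBJECTS):
        print(f"{severity:6} {name:12} {why}")
```

In a real run the objects would come from an LDAP query for (userAccountControl:1.2.840.113556.1.4.803:=524288), (msDS-AllowedToDelegateTo=*) and (msDS-AllowedToActOnBehalfOfOtherIdentity=*); the bit arithmetic above is the part people get wrong, which is why it is spelled out.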
Group Policy Abuse
Description: Editing a Group Policy Object that applies to the targets (immediate scheduled task, startup script, local group membership, registry) or abusing write rights on a GPO or on an OU's gPLink to apply an attacker-controlled GPO; the client applies the change as SYSTEM on its next refresh (90 minutes by default).
Tools: PowerView (Get-DomainGPO, Get-DomainObjectAcl), SharpGPOAbuse, PowerGPOAbuse, pyGPOAbuse
MITRE ATT&CK: T1484.001
Detection: 5136/5137 on groupPolicyContainer objects and on the gPLink attribute of OUs; versionNumber changes not tied to a change record; file writes under SYSVOL in Machine\Preferences\ScheduledTasks and Machine\Scripts; 4688 for processes spawned by gpscript.exe or the Task Scheduler shortly after a refresh.
Token Impersonation
Description: Duplicating or impersonating the access token of another logged-on user or service. A low-privileged account that holds SeImpersonatePrivilege (IIS application pools, SQL Server, many service accounts) can coerce a SYSTEM authentication to a named pipe it controls and impersonate that token (the Potato family), which is the usual local step after an initial web or service compromise.
Tools: Mimikatz (token::elevate), Incognito, Token Kidnapping (Churrasco), JuicyPotato, PrintSpoofer
MITRE ATT&CK: T1134.001
Detection: 4688 where the new process's TargetUserName differs from the SubjectUserName that created it; SYSTEM processes whose parent runs as a service account; 4672 special privileges for accounts that should not hold SeImpersonatePrivilege or SeDebugPrivilege; named pipes created by non-SYSTEM processes (Sysmon 17).
PrintNightmare
Description: Remote code execution as SYSTEM on any host running the Print Spooler: RpcAddPrinterDriverEx lets an authenticated domain user install a printer driver DLL fetched from an attacker-controlled share (CVE-2021-1675, CVE-2021-34527); the same call works locally for privilege escalation.
Tools: SharpPrintNightmare, Impacket-based PoCs (CVE-2021-1675.py), Mimikatz (misc::printnightmare)
MITRE ATT&CK: T1068 (T1210 when used against a remote host)
Mitigation: patch; stop and disable the Spooler on domain controllers and on servers that do not print; set RestrictDriverInstallationToAdministrators=1 under HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.
Detection: Microsoft-Windows-PrintService/Operational events 316 (driver added) and 808 (spooler failed to load a plug-in module) for drivers nobody deployed; spoolsv.exe loading unsigned DLLs from C:\Windows\System32\spool\drivers\x64\3\ or from a UNC path (Sysmon 7); spoolsv.exe spawning child processes.
Persistence Mechanisms
Golden Ticket
Description: Forging a TGT with the krbtgt account's key (NT hash or AES key) for any user name and with arbitrary group SIDs in the PAC. Domain controllers accept it until krbtgt's password has been changed twice, because both the current and the previous key remain valid.
Tools: Mimikatz (kerberos::golden), Rubeus (golden), Impacket ticketer.py
MITRE ATT&CK: T1558.001
Detection: 4769 or 4624 for an account with no preceding 4768 on any DC within the TGT lifetime; TGTs using encryption type 0x17 in a domain whose krbtgt has AES keys; 4769 for user names that do not exist in the directory; tickets inspected on a host (klist) with lifetimes beyond the domain policy (10 hours by default). After a compromise reset krbtgt twice, waiting for replication in between.
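The NTLM Relay, Silver Ticket and Golden Ticket entries each describe a logon that cannot be explained by what the domain controllers logged: a workstation name that does not own the source IP, a service ticket no DC issued, a service-ticket request for a user who never got a TGT. One correlation covers all three, so here is one added example (not from the page, not from any tool it names) that runs it over constructed host and DC events; the hostname-to-IP inventory is an assumption standing in for your asset database.

```python
# Added example (not from the page): correlate host logon events (4624) with the
# domain controllers' ticket events (4768/4769) to surface the indicators named in
# the NTLM Relay, Silver Ticket and Golden Ticket entries. All events and the
# hostname-to-IP inventory are constructed for the example.
from datetime import datetime, timedelta

INVENTORY = {"ws05": "10.0.0.31", "ws07": "10.0.0.30"}   # assumption: authoritative asset inventory
TGT_MAX_LIFETIME = timedelta(hours=10)   # domain default; renewed TGTs (4770) need a longer lookback
TGS_WINDOW = timedelta(minutes=5)        # a service ticket is normally used right after it is issued


def _t(s):
    return datetime.fromisoformat(s)


def _user(name):
    return name.split("@")[0].split("\\")[-1].lower()


def _seen(events, user, start, end, service=None):
    """True if some event names this user (and optionally this service) inside [start, end]."""
    for e in events:
        if _user(e["TargetUserName"]) != user:
            continue
        if service and _user(e["ServiceName"]) != service:
            continue
        if start <= _t(e["TimeCreated"]) <= end:
            return True
    return False


def analyse(host_logons, dc_events):
    """Return (indicator, account, detail) tuples."""
    findings = []
    tgts = [e for e in dc_events if e["EventID"] == 4768]
    tgss = [e for e in dc_events if e["EventID"] == 4769]
    # Golden ticket: the KDC issued a service ticket on a TGT it never issued itself.
    for s in tgss:
        user, ts = _user(s["TargetUserName"]), _t(s["TimeCreated"])
        if not _seen(tgts, user, ts - TGT_MAX_LIFETIME, ts):
            findings.append(("Golden ticket indicator", user,
                             f"4769 for {s['ServiceName']} from {s['IpAddress']} with no 4768 in {TGT_MAX_LIFETIME}"))
    for l in host_logons:
        if l["LogonType"] != "3":                       # network logons only
            continue
        user, ts = _user(l["TargetUserName"]), _t(l["TimeCreated"])
        host = l["Computer"].split(".")[0].lower()
        if l["AuthenticationPackageName"] == "NTLM":
            # Relay: the NEGOTIATE carries the victim's workstation name, but the
            # TCP connection comes from the relay host.
            ws = l["WorkstationName"].lower()
            expected = INVENTORY.get(ws)
            if expected and expected != l["IpAddress"]:
                findings.append(("NTLM relay indicator", user,
                                 f"{ws} is {expected} but the logon to {host} came from {l['IpAddress']}"))
        elif l["AuthenticationPackageName"] == "Kerberos":
            # Silver ticket: the host accepted a service ticket that no DC issued.
            if not _seen(tgss, user, ts - TGS_WINDOW, ts, service=host + "$"):
                findings.append(("Silver ticket indicator", user,
                                 f"Kerberos logon to {host} with no 4769 for {host}$"))
    return findings


# Constructed sample events (not real log data).
DC_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "IpAddress": "10.0.0.20", "TimeCreated": "2024-03-01T08:00:00"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "10.0.0.20", "TimeCreated": "2024-03-01T08:01:00"},
    {"EventID": 4769, "TargetUserName": "admin@CORP.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "10.0.0.50", "TimeCreated": "2024-03-01T09:00:00"},   # no 4768 for admin
]
HOST_LOGONS = [   # 4624 events collected from FS01
    {"EventID": 4624, "Computer": "fs01.corp.local", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "WorkstationName": "-", "IpAddress": "10.0.0.20", "TimeCreated": "2024-03-01T08:01:10"},
    {"EventID": 4624, "Computer": "fs01.corp.local", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "admin", "WorkstationName": "-", "IpAddress": "10.0.0.50", "TimeCreated": "2024-03-01T09:00:30"},
    {"EventID": 4624, "Computer": "fs01.corp.local", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "bob", "WorkstationName": "-", "IpAddress": "10.0.0.77", "TimeCreated": "2024-03-01T10:00:00"},
    {"EventID": 4624, "Computer": "fs01.corp.local", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "carol", "WorkstationName": "WS07", "IpAddress": "10.0.0.99", "TimeCreated": "2024-03-01T11:00:00"},
    {"EventID": 4624, "Computer": "fs01.corp.local", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dave", "WorkstationName": "WS05", "IpAddress": "10.0.0.31", "TimeCreated": "2024-03-01T11:05:00"},
]

if __name__ == "__main__":
    for kind, account, detail in analyse(HOST_LOGONS, DC_EVENTS):
        print(f"{kind:24} {account:8} {detail}")
```

Note how the sample separates the two ticket forgeries: admin's logon to FS01 has a matching 4769, so it is not a silver ticket, but that 4769 has no 4768 behind it, which is the golden-ticket signature. In production the DC events must be merged from every DC in the domain and the TGT lookback extended to cover renewals, otherwise a user whose TGT was issued by another DC, or hours earlier, looks forged.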
DCShadow
Description: Registering an attacker-controlled computer as a domain controller (an nTDSDSA object under a server object in the Configuration partition plus the replication SPNs on its computer account) and pushing attribute changes through replication. The changes arrive at the real DCs as replicated data, so they bypass the object-level 5136 auditing that direct LDAP writes would produce. Requires Domain Admin or equivalent rights and is a stealth and persistence technique (SID history, primaryGroupID, ACLs), not an escalation.
Tools: Mimikatz (lsadump::dcshadow)
MITRE ATT&CK: T1207
Detection: 5137 creation of nTDSDSA or server objects under CN=Sites,CN=Configuration; 4742 computer account changes that add SPNs beginning with GC/ or E3514235-4B06-11D1-AB04-00C04FC2DCD2/ to a machine that is not a DC; 4662 replication rights exercised by a non-DC account; DrsReplicaAdd and DsGetNCChanges RPC from an IP that is not a DC. Periodically diff the DC list in the Configuration partition against the known inventory.
AdminSDHolder Abuse
Description: Adding a permissive ACE (GenericAll, WriteDacl, reset password) to CN=AdminSDHolder,CN=System. The SDProp process copies this ACL every 60 minutes to every protected object (adminCount=1: Domain Admins, Enterprise Admins, the other protected groups and their members), so the backdoor is re-applied even after an administrator removes it from an individual group or account.
Tools: PowerView (Add-DomainObjectAcl -TargetIdentity AdminSDHolder), ADSI Edit
MITRE ATT&CK: T1098
Detection: 5136 on CN=AdminSDHolder,CN=System with AttributeLDAPDisplayName nTSecurityDescriptor; diff the AdminSDHolder ACL against a baseline; a rise in 4780 (ACL set on a member of an administrators group), which SDProp emits when it has something new to push.
DSRM Abuse
Description: The DSRM administrator is a local account held in the domain controller's own SAM, outside domain password policy and most monitoring. After dumping its hash from the DC (or overwriting it from a domain account with ntdsutil "set dsrm password"), an attacker sets DsrmAdminLogonBehavior=2 under HKLM\System\CurrentControlSet\Control\Lsa so the account may log on over the network while the DC runs normally, then passes the hash to the DC as its local Administrator.
Tools: Mimikatz (token::elevate and lsadump::sam on the DC to read the hash; sekurlsa::pth to use it), ntdsutil
MITRE ATT&CK: T1003.002 (dumping the DSRM hash from the SAM), T1112 (Modify Registry)
Detection: 4657 on DsrmAdminLogonBehavior (requires a SACL on the Lsa key; Sysmon 13 otherwise); 4624 on a DC where TargetDomainName is the DC's own hostname rather than the domain; 4794 (an attempt was made to set the DSRM administrator password).
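DCShadow, AdminSDHolder and DSRM persistence all leave a specific directory or registry change behind (a new server object, a rewritten ACL, a changed Lsa value), and each maps to one Security event. The detector below is an added example, not code from the page or from Mimikatz; the events are constructed, and the list of real domain controllers is an assumption standing in for your inventory.

```python
# Added example (not from the page): flag the directory and registry changes the
# DCShadow, AdminSDHolder and DSRM entries describe, from Security events 4742,
# 5137, 5136 and 4657. Events and the DC inventory are constructed for the example.
import re

DRS_SPN_CLASS = "e3514235-4b06-11d1-ab04-00c04fc2dcd2/"   # Directory Replication Service SPN prefix
KNOWN_DCS = {"dc01$", "dc02$"}                             # assumption: inventory of real DCs
ADMINSDHOLDER_DN = re.compile(r"^CN=AdminSDHolder,CN=System,", re.IGNORECASE)
LSA_KEY = re.compile(r"\\Control\\Lsa$", re.IGNORECASE)


def detect_persistence(events):
    """Return (technique, actor, detail) tuples."""
    findings = []
    for e in events:
        eid, actor = e["EventID"], e.get("SubjectUserName", "?")
        if eid == 4742:   # computer account changed; SPN list is newline separated in the event
            acct = e["TargetUserName"].lower()
            spns = e.get("ServicePrincipalNames", "").lower().split()
            if acct not in KNOWN_DCS and any(s.startswith(("gc/", DRS_SPN_CLASS)) for s in spns):
                findings.append(("DCShadow", actor, f"{acct} gained DC replication SPNs"))
        elif eid == 5137:  # directory object created
            cls, dn = e.get("ObjectClass", "").lower(), e["ObjectDN"]
            if cls in {"ntdsdsa", "server"} and "cn=sites,cn=configuration" in dn.lower():
                findings.append(("DCShadow", actor, f"new {cls} object {dn}"))
        elif eid == 5136:  # directory object modified
            if ADMINSDHOLDER_DN.match(e["ObjectDN"]) and e["AttributeLDAPDisplayName"].lower() == "ntsecuritydescriptor":
                findings.append(("AdminSDHolder", actor,
                                 "ACL of AdminSDHolder changed; SDProp will copy it to every protected object"))
        elif eid == 4657:  # registry value modified (only logged when the key carries a SACL)
            if (e["ObjectValueName"].lower() == "dsrmadminlogonbehavior"
                    and LSA_KEY.search(e["ObjectName"]) and e["NewValue"] != "0"):
                findings.append(("DSRM", actor,
                                 f"DsrmAdminLogonBehavior set to {e['NewValue']} (2 = DSRM admin may log on while AD is running)"))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "DC02$", "TargetUserName": "DC02$",
     "ServicePrincipalNames": "GC/dc02.corp.local/corp.local\nldap/dc02.corp.local"},          # a real DC
    {"EventID": 4742, "SubjectUserName": "jdoe", "TargetUserName": "WS09$",
     "ServicePrincipalNames": "GC/ws09.corp.local/corp.local\n"
                              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/8a1b2c3d-0000-1111-2222-333344445555/corp.local"},
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS09,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectDN": "CN=alice,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},                                                # benign
    {"EventID": 4657, "SubjectUserName": "jdoe", "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa",
     "ObjectValueName": "DsrmAdminLogonBehavior", "NewValue": "2"},
    {"EventID": 4657, "SubjectUserName": "SYSTEM", "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa",
     "ObjectValueName": "LmCompatibilityLevel", "NewValue": "5"},                               # benign
]

if __name__ == "__main__":
    for technique, actor, detail in detect_persistence(SAMPLE_EVENTS):
        print(f"{technique:14} {actor:10} {detail}")
```

The 5136 and 5137 events only exist if the Directory Service Changes audit subcategory is enabled and the objects carry a SACL; the 4657 rule likewise needs "Audit Registry" plus a SACL on the Lsa key, which is why the DSRM entry above also lists the logon-side indicator.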
Skeleton Key
Description: Patching LSASS on a domain controller (Mimikatz misc::skeleton, which needs Domain Admin rights and the ability to open LSASS) so that, alongside its real password, every account also accepts a master password. It only works with RC4 (it downgrades Kerberos to get there) and does not survive a reboot, so attackers re-apply it or pair it with another persistence method.
Tools: Mimikatz (misc::skeleton)
MITRE ATT&CK: T1556.001
Detection: Sysmon 10 process access to lsass.exe on DCs by anything other than known tooling; 4697/7045 installation of the mimidrv driver service and Sysmon 6 driver loads when LSA protection has to be bypassed; 4768/4769 with encryption type 0x17 for accounts and hosts that normally negotiate AES; logons for many different accounts from a single source host. Running LSASS as a protected process (RunAsPPL) raises the bar for the patch.
Certificate Services Attacks (ADCS)
ESC1 - Misconfigured Certificate Templates
Description: A published template that grants Enroll to low-privileged principals, carries an EKU usable for client authentication (Client Authentication, PKINIT, Smart Card Logon, Any Purpose, or no EKU), requires no manager approval or authorized signatures, and has CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set. The requester can then put a Domain Admin's UPN in the SAN and authenticate as that account with PKINIT (or Schannel against LDAPS).
Tools: Certify (find /vulnerable, request /altname:), Certipy (find -vulnerable, req -upn, auth)
MITRE ATT&CK: T1649
Detection: Audit templates for that combination of flags; 4886 (request received) and 4887 (request approved) on the CA where the SAN in the request does not match the requester; 4768 with certificate pre-authentication for a privileged account from a host it never uses; review the CA's issued-certificate database for SANs naming privileged users.
ESC2 - Subordinate CA Certificate
Description: Same enrollment conditions as ESC1, but the template's pKIExtendedKeyUsage is the Any Purpose EKU (2.5.29.37.0) or empty. An Any Purpose certificate is valid for client authentication directly; a no-EKU certificate is a subordinate CA style certificate that can be used like an enrollment agent to co-sign requests on behalf of other users, so ESC2 is usually chained with ESC3 rather than used for logon on its own.
Tools: Certify, Certipy
MITRE ATT&CK: T1649
Detection: Inventory templates whose pKIExtendedKeyUsage is empty or contains 2.5.29.37.0 and who can enroll in them; 4886/4887 for those templates from principals outside the intended group; remove or restrict Any Purpose templates.
ESC3 - Enrollment Agent Abuse
Description: A template with the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1) that low-privileged users can enroll in, combined with a second template that accepts one authorized signature from such an agent (msPKI-RA-Signature 1 with the Certificate Request Agent application policy) and no enrollment agent restrictions on the CA, lets the attacker request a client-authentication certificate on behalf of any user, including Domain Admins.
Tools: Certify (request for the agent template, then request /onbehalfof: with /enrollcert:), Certipy (req -on-behalf-of with -pfx agent.pfx)
MITRE ATT&CK: T1649
Detection: 4887 where the request attributes name an on-behalf-of user different from the requester; inventory of templates carrying the Request Agent EKU and of who holds Enroll on them; configure enrollment agent restrictions on the CA (which agents may request which templates for which users) so an agent certificate alone is not enough.
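The ESC1, ESC2 and ESC3 conditions above are all checks on template attributes plus the template ACL, which is what Certify and Certipy do with their "find" commands. The following added example (not code from the page, from Certify or from Certipy) spells that classification out over constructed templates; it assumes the set of SIDs holding Enroll or AutoEnroll has already been extracted from each template's nTSecurityDescriptor into an "enroll_sids" list, and uses a "published" key for whether a CA offers the template.

```python
# Added example (not from the page): classify certificate templates for ESC1, ESC2 and
# ESC3 from the attributes the entries above describe. Templates are constructed; the
# "enroll_sids" and "published" keys are assumptions (see lead-in).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1     # msPKI-Certificate-Name-Flag: requester sets the subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2             # msPKI-Enrollment-Flag: CA certificate manager approval required
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
CLIENT_AUTH_OIDS = {
    "1.3.6.1.5.5.7.3.2",          # Client Authentication
    "1.3.6.1.5.2.3.4",            # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",     # Smart Card Logon
    OID_ANY_PURPOSE,
}
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}   # Everyone, Authenticated Users, Users
LOW_PRIV_RIDS = {"513", "515"}                              # Domain Users, Domain Computers


def low_priv_can_enroll(sids):
    return any(s in LOW_PRIV_SIDS or s.rsplit("-", 1)[-1] in LOW_PRIV_RIDS for s in sids)


def classify(t):
    """Return the ESC labels that apply to one template dict."""
    if not t.get("published", True) or not low_priv_can_enroll(t["enroll_sids"]):
        return []
    # Manager approval or a required co-signature blocks the direct ESC1/2/3 paths
    # (an attacker with ESC7 rights can lift them, but that is a separate finding).
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS or t["msPKI-RA-Signature"] > 0:
        return []
    eku = set(t["pKIExtendedKeyUsage"])
    auth_capable = not eku or bool(eku & CLIENT_AUTH_OIDS)   # no EKU counts as any purpose
    issues = []
    if auth_capable and t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        issues.append("ESC1")
    if not eku or OID_ANY_PURPOSE in eku:
        issues.append("ESC2")
    if OID_CERT_REQUEST_AGENT in eku:
        issues.append("ESC3")
    return issues


def audit_templates(templates):
    return {t["name"]: classify(t) for t in templates}


DOMAIN_USERS = "S-1-5-21-1004336348-1177238915-682003330-513"   # constructed domain SID
DOMAIN_ADMINS = "S-1-5-21-1004336348-1177238915-682003330-512"

# Constructed sample templates (not real directory data).
SAMPLE_TEMPLATES = [
    {"name": "User", "msPKI-Certificate-Name-Flag": 0, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
     "enroll_sids": [DOMAIN_USERS]},
    {"name": "WebServerCustom", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOMAIN_USERS]},
    {"name": "LegacySubCA", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [], "enroll_sids": ["S-1-5-11"]},
    {"name": "AnyPurposeTmpl", "msPKI-Certificate-Name-Flag": 0, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [OID_ANY_PURPOSE], "enroll_sids": [DOMAIN_USERS]},
    {"name": "AgentTmpl", "msPKI-Certificate-Name-Flag": 0, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [OID_CERT_REQUEST_AGENT], "enroll_sids": [DOMAIN_USERS]},
    {"name": "ApprovedSAN", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOMAIN_USERS]},
    {"name": "AdminOnlySAN", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOMAIN_ADMINS]},
]

if __name__ == "__main__":
    for name, issues in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{name:16} {', '.join(issues) or 'ok'}")
```

ESC3 is only half-checked here on purpose: the agent template is flagged, but whether a second template accepts that agent's signature, and whether the CA restricts enrollment agents, has to be checked on the CA, not on the template object.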
ESC4 - Vulnerable Template ACLs
Description: Low-privileged principals hold write rights (Owner, WriteDacl, WriteOwner, WriteProperty or GenericWrite) on a template object under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration. They can rewrite it into an ESC1 template (set ENROLLEE_SUPPLIES_SUBJECT, add Client Authentication, remove manager approval, grant themselves Enroll), request a certificate, then restore the original.
Tools: Certify (find /vulnerable reports template ACLs), Certipy (template with -save-old to modify and later restore), PowerView (Get-DomainObjectAcl on the templates container)
MITRE ATT&CK: T1649
Detection: 5136 on pKICertificateTemplate objects, in particular changes to msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage and nTSecurityDescriptor; ACL baselines for the Certificate Templates container; a template that changes and changes back within minutes.
ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
Description: The CA-level flag EDITF_ATTRIBUTESUBJECTALTNAME2 (in policy\EditFlags of the CA registry) makes the CA honor a SAN supplied in the request attributes for every template, so any template with a client-authentication EKU that low-privileged users can enroll in (the default User template) becomes ESC1-equivalent. The May 2022 updates (KB5014754) add a SID security extension to issued certificates, which defeats this path on patched CAs and DCs because the supplied SAN no longer overrides the requester's own identity.
Tools: Certify (cas shows the flag, request /altname:), Certipy (find, req -upn)
MITRE ATT&CK: T1649
Detection: certutil -config "CA\Name" -getreg policy\EditFlags, alerting when the value contains EDITF_ATTRIBUTESUBJECTALTNAME2 (4892, a Certificate Services property changed, when it is set); 4887 requests whose attributes contain SAN:upn= for a template that does not allow a supplied subject.
ESC7 - Vulnerable CA Permissions
Description: ManageCA (CA administrator) lets a principal change CA configuration, including setting EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6), enabling templates, and granting themselves ManageCertificates. ManageCertificates (certificate manager or officer) lets them approve pending requests, so a template that is protected only by manager approval, typically the built-in SubCA template with an attacker-supplied SAN, can be issued to them.
Tools: Certify (cas /ca:), Certipy (ca with -add-officer, -enable-template and -issue-request, then req -retrieve)
MITRE ATT&CK: T1649
Detection: 4882 (security permissions for Certificate Services changed) and 4890 (certificate manager settings changed) on the CA; 4887 issued for a request that was pending manager approval, especially for the SubCA template; audit the CA's Security tab for ManageCA and ManageCertificates held by anyone outside the PKI team.
ESC8 - NTLM Relay to AD CS HTTP
Description: The CA's web enrollment (/certsrv) and certificate enrollment web service endpoints accept NTLM over HTTP. The attacker coerces a high-value machine (PetitPotam over EfsRpc, printerbug) into authenticating to them, relays that NTLM exchange to the enrollment endpoint, and requests a certificate from the Machine or DomainController template as the coerced computer; a DC certificate then yields a TGT through PKINIT and from there DCSync.
Tools: ntlmrelayx (--adcs --template), Certipy (relay -ca ... -template), PetitPotam, printerbug
MITRE ATT&CK: T1557.001 (with T1649 for the certificate obtained)
Mitigation: enable Extended Protection for Authentication and require TLS on the enrollment sites, disable NTLM on the CA's IIS, remove web enrollment where it is unused, and close the coercion vectors (EFS RPC filter, Spooler off on DCs).
Detection: 4887 issuing a DomainController or Machine certificate to a DC account when the request arrived through the web enrollment endpoint rather than from the DC's own enrollment client; IIS logs showing POSTs to /certsrv/certfnsh.asp authenticated as a machine account from a workstation IP; 4624 NTLM LogonType 3 for a DC computer account on the CA server from an IP that is not the DC; on the coerced DC, 5145 access to the efsrpc or lsarpc named pipes from unexpected clients.