Browsed by
Tag: Active Directory Attacks

What is a Silver Ticket Attack?

Silver Ticket Attack Threat Overview: Forged Service Tickets

Silver Tickets enable an attacker to create forged service tickets (TGS tickets) that are used to access compromised service accounts. The Kerberos Silver Ticket is a valid Ticket Granting Service (TGS) Kerberos ticket that has been encrypted/signed by the service account configured with a Service Principal Name (SPN).

How a Silver Ticket Attack Works

The following is a summary of how the attack works: Extract NTLM password hash for either a service account


What is LDAP Reconnaissance?

When an attacker initially compromises a system on a network, they will have little to no privileges within the domain. However, due to the architecture of Active Directory, once an attacker has infiltrated any domain-joined computer, they are able to query the directory and its objects using LDAP, allowing them to locate sensitive accounts and assets to target in their attack.


What is Plaintext Password Extraction?

Group Policy Preferences allow administrators to create and manage local accounts on servers and workstations in an Active Directory domain. Attackers can easily find and obtain the encrypted passwords of administrative account credentials managed by Group Policy Preferences and decrypt them using the Microsoft-published AES key.


What is DCSync?

DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of a Domain Controller (DC). More simply, it allows the attacker to pretend to be a Domain Controller and ask other DCs for user password data.


What is Ntds.dit Password Extraction?

By stealing the Ntds.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.


What is AdminSDHolder Modification?

Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker’s permission on a protected object the AdminSDHolder controls.


What is DCShadow?

DCShadow enables an attacker (using Mimikatz) to create a fake Active Directory Domain Controller (DC) that can replicate malicious changes to legitimate DCs.


What is the Golden Ticket Attack?

By obtaining the password hash for the most powerful service account in Active Directory – the KRBTGT account – an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to AD.


What is Pass the Hash?

Pass the Hash is a technique that enables an attacker (typically using Mimikatz) to leverage the LanMan or NTLM hashes of a user’s password – instead of the user’s plaintext password – to authenticate to a directory or resource.