When an attacker initially compromises a system on a network, they will have little to no privileges within the domain. However, due to the architecture of Active Directory, once an attacker has infiltrated any domain-joined computer, they are able to query the directory and its objects using LDAP, allowing them to locate sensitive accounts and assets to target in their attack.
Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection.
Pass the Hash is a technique that enables an attacker (typically using Mimikatz) to leverage the LanMan or NTLM hashes of a user’s password – instead of the user’s plaintext password – to authenticate to a directory or resource.
By obtaining the password hash for the most powerful service account in Active Directory – the KRBTGT account – an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to AD.
DCShadow is a technique in which an attacker abuses compromised replication permissions to mimic a domain controller and make malicious changes to Active Directory. It is a particularly stealthy technique, as the methods it uses do not create logs that detail the changes made. Thus, it can be difficult to discover and remove the changes made by an adversary. Threat Summary Target: Active Directory Tools: mimikatz ATT&CK® Tactic: Defense Evasion ATT&CK Technique: T1207 Difficulty Detection: Medium Mitigation: Medium Response: Hard
Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker’s permission on a protected object the AdminSDHolder controls.
By stealing the Ntds.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.
DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of Domain Controller (DC). More simply, it allows the attacker to pretend to be a Domain Controller and ask other DC’s for user password data.
Password spraying is an attack technique in which an adversary attempts to compromise user accounts by attempting to authenticate with a curated list of passwords that are either frequently used or likely to be used by their target. Password spraying can be conducted by an external adversary against any internet-facing system or SaaS application, or by an adversary that has gained a foothold within the network and is seeking to widen their access. Frequent targets for password spraying include VPN
Within Active Directory, Group Policies (or Group Policy Objects) permit administrators to centrally manage configurations applied to domain-joined servers and workstations. Group Policies define policies (enforced settings) and preferences, which propagate default configurations that a user can modify. While Group Policies are an essential part of managing a healthy Active Directory-managed environment, administrators can occasionally run afoul of security best-practices. One such example was the ability to embed passwords in Group Policy Preferences that created local users or mapped network drives. While this