When an attacker initially compromises a system on a network, they will have little to no privileges within the domain. However, due to the architecture of Active Directory, once an attacker has infiltrated any domain-joined computer, they are able to query the directory and its objects using LDAP, allowing them to locate sensitive accounts and assets to target in their attack.
Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker’s permission on a protected object the AdminSDHolder controls.
By stealing the Ntds.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.
Threat (Privilege Escalation) Password Spraying is a technique attackers leverage to guess the password of an account. By trying a small number of highly common passwords against large numbers of accounts while also staying below an organization’s defined lockout threshold, the attacker can compromise accounts without any elevated privileges and likely without detection. How Password Spraying Works The following is a summarization of how the attack works: An attacker compromises a standard domain user (e.g. phishing, social engineering, etc.) Using
Threat (Privilege Escalation) Group Policy Preferences allow administrators to create and manage local accounts on servers and workstations in an Active Directory domain. Attackers can easily find and obtain the encrypted passwords of administrative account credentials managed by Group Policy Preferences and decrypt them using the Microsoft-published AES key. How Plaintext Password Extraction through Group Policy Preferences Works The following is a summarization of how the attack works: An attacker locates group policy XML files containing AES encrypted local account