Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection.
By obtaining the password hash for the most powerful service account in Active Directory – the KRBTGT account – an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to AD.
DCShadow is a technique in which an attacker abuses compromised replication permissions to mimic a domain controller and make malicious changes to Active Directory. It is a particularly stealthy technique, as the methods it uses do not create logs that detail the changes made. Thus, it can be difficult to discover and remove the changes made by an adversary. Threat Summary Target: Active Directory Tools: mimikatz ATT&CK® Tactic: Defense Evasion ATT&CK Technique: T1207 Difficulty Detection: Medium Mitigation: Medium Response: Hard
DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of Domain Controller (DC). More simply, it allows the attacker to pretend to be a Domain Controller and ask other DC’s for user password data.
Pass-the-ticket is a credential theft technique that enables adversaries to use stolen Kerberos tickets to authenticate to resources (e.g. file shares and other computers) as a user without compromising that user’s password. This technique is often used by adversaries to move laterally through an organization’s network while hunting for opportunities to escalate privileges or fulfill their mission. Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGT) can be stolen and reused by adversaries. Without administrative privileges, an adversary can obtain the TGT (using “fake delegation”) and all
Similar in concept to a golden ticket, a silver ticket attack involves compromising credentials and abusing the design of the Kerberos protocol. However, unlike a golden ticket — which grants an adversary unfettered access to the domain — a silver ticket only allows an attacker for forge ticket-granting service (TGS) tickets for specific services. TGS tickets are encrypted with the password hash for the service – therefore, if an adversary steals the hash for a service account they can mint TGS tickets for that service.