Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection.
By obtaining the password hash for the most powerful service account in Active Directory – the KRBTGT account – an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to AD.
By stealing the Ntds.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.
DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of a Domain Controller (DC). More simply, it allows the attacker to pretend to be a Domain Controller and ask other DCs for user password data.
Password spraying is an attack technique in which an adversary attempts to compromise user accounts by authenticating with a curated list of passwords that are either frequently used or likely to be used by their target. Password spraying can be conducted by an external adversary against any internet-facing system or SaaS application, or by an adversary that has gained a foothold within the network and is seeking to widen their access. Frequent targets for password spraying include VPN
Within Active Directory, Group Policies (or Group Policy Objects) permit administrators to centrally manage configurations applied to domain-joined servers and workstations. Group Policies define policies (enforced settings) and preferences, which propagate default configurations that a user can modify. While Group Policies are an essential part of managing a healthy Active Directory-managed environment, administrators can occasionally run afoul of security best practices. One such example was the ability to embed passwords in Group Policy Preferences that created local users or mapped network drives. While this
Similar in concept to a golden ticket, a silver ticket attack involves compromising credentials and abusing the design of the Kerberos protocol. However, unlike a golden ticket — which grants an adversary unfettered access to the domain — a silver ticket only allows an attacker to forge ticket-granting service (TGS) tickets for specific services. TGS tickets are encrypted with the password hash for the service – therefore, if an adversary steals the hash for a service account, they can mint TGS tickets for that service.