Pass the Hash is a technique that enables an attacker (typically using Mimikatz) to leverage the LanMan or NTLM hashes of a user’s password – instead of the user’s plaintext password – to authenticate to a directory or resource.
DCShadow is a technique in which an attacker abuses compromised replication permissions to mimic a domain controller and make malicious changes to Active Directory. It is a particularly stealthy technique, as the methods it uses do not create logs that detail the changes made. Thus, it can be difficult to discover and remove the changes made by an adversary.

Threat Summary
Target: Active Directory
Tools: mimikatz
ATT&CK® Tactic: Defense Evasion
ATT&CK Technique: T1207
Difficulty
Detection: Medium
Mitigation: Medium
Response: Hard
Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker’s permission on a protected object the AdminSDHolder controls.
Pass-the-ticket is a credential theft technique that enables adversaries to use stolen Kerberos tickets to authenticate to resources (e.g. file shares and other computers) as a user without compromising that user’s password. This technique is often used by adversaries to move laterally through an organization’s network while hunting for opportunities to escalate privileges or fulfill their mission. Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGT) can be stolen and reused by adversaries. Without administrative privileges, an adversary can obtain the TGT (using “fake delegation”) and all