Introduction
Active Directory remains the backbone of enterprise identity management, and it continues to be one of the most fertile attack surfaces in internal engagements. This post covers the techniques I use most frequently in real red team operations.
Phase 1: Initial Enumeration
Once you have initial access to a domain-joined machine, the first step is enumeration that generates as little noise as possible. Tools like BloodHound, PowerView, and ADRecon help map the entire AD environment without triggering excessive alerts. Focus on identifying high-value targets, privileged groups, and trust relationships.
Phase 2: Credential Harvesting
Kerberoasting and AS-REP roasting are my go-to techniques for harvesting crackable credentials. Service accounts often have weak passwords and elevated privileges. I've cracked Kerberos TGS tickets to domain admin service accounts in under 30 minutes.
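From the defender's side, both techniques leave a distinctive trail in the domain controller's Security log: Kerberoasting shows up as a burst of 4769 service-ticket requests with RC4 (0x17) encryption for user-backed SPNs, and AS-REP roasting as a 4768 TGT request with Pre-Authentication Type 0. The following detection logic is an added example, not code from the original post; the event records are constructed for illustration, with field names mirroring the XML fields of the real events, and the burst window and threshold are assumptions to tune per environment.

```python
"""Detection of Kerberoasting and AS-REP roasting over Windows Security
events 4769 (TGS request) and 4768 (AS request).

Added example, not code from the original post. SAMPLE_EVENTS is a
constructed set of records already parsed from EVTX/XML into dicts;
the field names follow the real event schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Normal service ticket for a machine account, AES256 (0x12).
    {"EventID": 4769, "Time": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15", "Status": "0x0"},
    # Burst of RC4 (0x17) tickets for user-backed SPNs from one host within seconds.
    {"EventID": 4769, "Time": "2024-05-01T09:05:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T09:05:01", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T09:05:02", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99", "Status": "0x0"},
    # Successful AS-REQ with no pre-authentication (PreAuthType 0): AS-REP roasting candidate.
    {"EventID": 4768, "Time": "2024-05-01T09:06:00", "TargetUserName": "legacy_app",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99", "Status": "0x0"},
    # Normal AS-REQ with encrypted-timestamp pre-auth (type 2).
    {"EventID": 4768, "Time": "2024-05-01T09:06:30", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15", "Status": "0x0"},
]

RC4_HMAC = "0x17"
BURST_WINDOW = timedelta(minutes=5)   # assumption: tune per environment
BURST_THRESHOLD = 3                   # distinct user-backed SPNs per requester in the window


def is_user_backed_service(service_name: str) -> bool:
    """Machine accounts end in '$' and krbtgt is the KDC itself; neither has a crackable
    user password, so only the remaining SPNs are Kerberoast targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events):
    """Return one alert per (requester, ip) that obtained >= BURST_THRESHOLD distinct RC4
    service tickets for user-backed SPNs within BURST_WINDOW."""
    by_requester = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e["Status"] == "0x0"
                and e["TicketEncryptionType"] == RC4_HMAC
                and is_user_backed_service(e["ServiceName"])):
            by_requester[(e["TargetUserName"], e["IpAddress"])].append(
                (datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    alerts = []
    for (requester, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # Sliding window starting at each request; first hit is enough for an alert.
            spns = {spn for t, spn in reqs[i:] if t - t0 <= BURST_WINDOW}
            if len(spns) >= BURST_THRESHOLD:
                alerts.append({"requester": requester, "ip": ip, "spns": sorted(spns)})
                break
    return alerts


def detect_asrep_roasting(events):
    """Return accounts that were issued a TGT without pre-authentication (PreAuthType 0).
    Only successful requests count: a failed 4768 is the KDC demanding pre-auth, not a roast."""
    return [{"account": e["TargetUserName"], "ip": e["IpAddress"]}
            for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0" and e.get("PreAuthType") == "0"]


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print("Kerberoast burst:", a)
    for a in detect_asrep_roasting(SAMPLE_EVENTS):
        print("AS-REP roast candidate:", a)
```

The AS-REP rule doubles as an inventory: every account it flags has the "Do not require Kerberos preauthentication" flag set and should either lose that flag or be moved to a long random password. Filtering RC4 tickets becomes far cheaper once service accounts are migrated to AES-only keys, at which point any remaining 0x17 ticket is itself the anomaly.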
Phase 3: Lateral Movement
With valid credentials, lateral movement through the network becomes straightforward. Techniques like Pass-the-Hash, Pass-the-Ticket, and overpass-the-hash allow moving between systems without knowing plaintext passwords. WinRM and PsExec remain reliable execution methods.
Phase 4: Privilege Escalation
ACL abuse paths identified by BloodHound often provide the most reliable privilege escalation. GenericAll, WriteDACL, and AddMember permissions on privileged groups are commonly misconfigured and allow direct escalation to Domain Admin.
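The same ACL data BloodHound collects can be audited before an attacker gets to it. The script below is an added example, not code from the post or from BloodHound: it takes a constructed export of access-allowed ACEs on Tier-0 groups plus a constructed group-membership map, classifies each ACE into the abusable rights the post names (GenericAll, WriteDacl, WriteOwner, and WriteProperty on the `member` attribute, which is what the AddMember edge means), expands nested groups, and reports every ordinary user who ends up with an escalation path. The trusted-principal and privileged-group sets are assumptions to adapt per domain; the `member` attribute GUID is the real schemaIDGUID.

```python
"""Audit of dangerous ACEs on privileged AD groups.

Added example, not code from the original post. ACES and GROUP_MEMBERS
are constructed; in practice they would come from an export of each
group's nTSecurityDescriptor and of group membership.
"""
MEMBER_ATTRIBUTE_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of 'member'
OTHER_ATTRIBUTE_GUID = "<some-other-attribute-guid>"              # placeholder, not a real GUID

# Assumptions: principals expected to control Tier-0 groups, and the groups being audited.
TRUSTED_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed ACL export: one dict per access-allowed ACE on a group object.
# 'guid' is the object type of an object-specific ACE (None = applies to all properties).
ACES = [
    {"object": "Domain Admins", "principal": "Domain Admins", "rights": {"GenericAll"}, "guid": None},
    {"object": "Domain Admins", "principal": "Helpdesk", "rights": {"WriteProperty"}, "guid": MEMBER_ATTRIBUTE_GUID},
    {"object": "Schema Admins", "principal": "svc_deploy", "rights": {"WriteDacl"}, "guid": None},
    {"object": "Domain Admins", "principal": "Authenticated Users", "rights": {"ReadProperty"}, "guid": None},
    {"object": "Enterprise Admins", "principal": "Helpdesk", "rights": {"WriteProperty"}, "guid": OTHER_ATTRIBUTE_GUID},
]

# Constructed group membership: group -> direct members (users or nested groups).
GROUP_MEMBERS = {
    "Helpdesk": {"jdoe", "Tier2-Support"},
    "Tier2-Support": {"msmith"},
}


def classify(ace):
    """Map an ACE to the abuse primitive it grants, or None if it is harmless."""
    rights = ace["rights"]
    if "GenericAll" in rights:
        return "GenericAll"
    if "WriteDacl" in rights:
        return "WriteDacl"
    if "WriteOwner" in rights:
        return "WriteOwner"
    # WriteProperty is only dangerous on 'member' (or on all properties, guid None).
    if "WriteProperty" in rights and ace["guid"] in (None, MEMBER_ATTRIBUTE_GUID):
        return "AddMember"
    return None


def expand_members(principal, seen=None):
    """Transitively expand a group to its user members; a non-group principal is itself."""
    if seen is None:
        seen = set()
    if principal not in GROUP_MEMBERS:
        return {principal}
    users = set()
    for member in GROUP_MEMBERS[principal]:
        if member not in seen:          # guards against membership cycles
            seen.add(member)
            users |= expand_members(member, seen)
    return users


def find_escalation_paths(aces):
    """Return one finding per (user, right, target group) for untrusted principals
    holding an abusable right on a privileged group, nested groups expanded."""
    findings = []
    for ace in aces:
        if ace["object"] not in PRIVILEGED_GROUPS or ace["principal"] in TRUSTED_PRINCIPALS:
            continue
        kind = classify(ace)
        if kind is None:
            continue
        for user in sorted(expand_members(ace["principal"])):
            findings.append({"user": user, "via": ace["principal"],
                             "right": kind, "target": ace["object"]})
    return findings


if __name__ == "__main__":
    for f in find_escalation_paths(ACES):
        print(f"{f['user']} -> {f['target']} via {f['via']} ({f['right']})")
```

Run against a real export, every line of output is an ACE to remove or a group membership to prune; the Helpdesk case is the classic one, where a delegation intended for password resets was granted as WriteProperty on all attributes, or on `member`, of a Tier-0 group.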
Phase 5: Persistence & Domain Dominance
Golden Ticket and Silver Ticket attacks provide long-term persistence. DCSync allows extracting all domain credentials without touching the domain controller's disk. These techniques demonstrate the true impact of an AD compromise.
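DCSync is one of the more detectable steps in this chain, because a domain controller audits the replication request itself as event 4662 on the domain object, with the replication control-access rights listed in the Properties field. The detection below is an added example, not code from the post: it parses constructed 4662 records, looks for the real DS-Replication-Get-Changes GUIDs, and alerts when the requesting principal is neither a domain controller nor an account on an explicit replication allowlist. The DC and allowlist sets are assumptions for the sample domain.

```python
"""DCSync detection over Windows Security event 4662.

Added example, not code from the original post. SAMPLE_EVENTS is
constructed; the three replication-right GUIDs are the real
controlAccessRight GUIDs from the AD schema.
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # the right that returns secrets

# Assumptions for the sample domain: DC computer accounts and sanctioned replicators.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
REPLICATION_ALLOWLIST = {"MSOL_sync_example"}  # constructed name for a directory-sync account

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # DC-to-DC replication: expected.
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Sanctioned sync account: allowlisted.
    {"EventID": 4662, "SubjectUserName": "MSOL_sync_example", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary user account requesting Get-Changes-All: DCSync.
    {"EventID": 4662, "SubjectUserName": "bob", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated 4662 on some other property: noise.
    {"EventID": 4662, "SubjectUserName": "bob", "SubjectDomainName": "CORP",
     "AccessMask": "0x10", "Properties": "{<unrelated-guid-placeholder>}"},
]


def replication_rights_in(properties: str):
    """Return the human-readable replication rights named in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events):
    """Alert on 4662 events where a principal outside the DC set and the allowlist
    exercised DS-Replication-Get-Changes-All, i.e. pulled credential material."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(e["Properties"])}
        if GET_CHANGES_ALL not in guids:
            continue
        subject = e["SubjectUserName"]
        if subject in DOMAIN_CONTROLLERS or subject in REPLICATION_ALLOWLIST:
            continue
        alerts.append({"subject": f"{e['SubjectDomainName']}\\{subject}",
                       "rights": replication_rights_in(e["Properties"])})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print("DCSync:", a)
```

For this to fire at all, the "Directory Service Access" audit subcategory must be enabled on domain controllers and a SACL for the replication rights must exist on the domain object; without those, 4662 is never written. The same GUIDs also mark the preventive control: any principal holding these rights on the domain head that is not a DC or a sanctioned sync account is a standing DCSync capability and should be removed.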
Key Takeaways
AD security requires a defense-in-depth approach: a tiered administration model, privileged access workstations, Credential Guard, and continuous monitoring with tools like Microsoft Defender for Identity.