Active Directory Privilege Escalation

Active Directory Attacks

Active Directory is the primary identity management service in Windows environments. Proper enumeration and a clear understanding of Active Directory components are crucial for finding attack vectors.

Initial Enumeration

Initial enumeration involves identifying domain controllers, exploring network resources, and discovering basic domain information.

Discovering Domain Controllers

  • Network scanning for standard DC ports (53, 88, 389, 445)

  • DNS queries for SRV records

  • LDAP queries

Basic Domain Information

  • Domain name and NetBIOS name

  • Domain functional level

  • Trust relationships

NBT-NS Poisoning

NBT-NS Poisoning from Linux

NetBIOS Name Service poisoning involves responding to NetBIOS name resolution requests to capture credentials or redirect users.

Tools:

  • Responder

  • ntlmrelayx

  • Impacket suite

NBT-NS Poisoning from Windows

Similar to Linux-based poisoning but using Windows-native tools or specialized utilities:

  • Inveigh

  • PowerShell scripts for LLMNR/NBT-NS poisoning
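The Linux and Windows sections above both describe the same mechanism: a host on the segment answers NBT-NS name queries it has no right to answer. The following is an added example, not code from the original page or from any of the tools it names. It parses NBT-NS name query and positive name query response packets in the RFC 1002 layout (12-byte header, first-level encoded name, NB answer record) and flags any response for a "canary" name that is known not to exist on the network, which is one way a defender can spot a poisoner from a packet capture. The capture, the canary name `CANARY-FS01` and the addresses are constructed for the example.

```python
import struct

# Added example (not from the original page): decode NBT-NS name query and
# response packets (RFC 1002 layout) and flag responses that answer for a
# canary name that does not exist on the network.

NB_TYPE = 0x0020   # NB resource record type
IN_CLASS = 0x0001

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad to 15 chars, append the 1-byte suffix,
    then emit each nibble as a letter 'A'..'P' (so 'A' becomes 'EB')."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append((b >> 4) + 0x41)
        enc.append((b & 0x0F) + 0x41)
    return bytes([32]) + bytes(enc) + b"\x00"  # label length, 32 chars, root label

def decode_netbios_name(buf: bytes, offset: int):
    """Inverse of encode_netbios_name; returns (name, suffix, next_offset)."""
    if buf[offset] != 32 or buf[offset + 33] != 0:
        raise ValueError("malformed NetBIOS name label")
    enc = buf[offset + 1:offset + 33]
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = enc[i] - 0x41, enc[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid nibble character in NetBIOS name")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34

def parse_nbns(packet: bytes) -> dict:
    """Parse the 12-byte header and the first name; for responses also pull
    NB_ADDRESS out of the answer RDATA (2 bytes NB_FLAGS, then the IPv4)."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    is_response = bool(flags & 0x8000)
    name, suffix, off = decode_netbios_name(packet, 12)
    rec = {"tid": tid, "is_response": is_response, "name": name, "suffix": suffix}
    if is_response and an >= 1:
        rr_type, rr_class, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rr_type != NB_TYPE or rr_class != IN_CLASS or rdlen < 6:
            raise ValueError("unexpected answer record")
        rdata = packet[off + 10:off + 10 + rdlen]
        rec["answer_ip"] = ".".join(str(b) for b in rdata[2:6])
    return rec

def build_query(tid: int, name: str) -> bytes:
    """Name query request: QDCOUNT=1, flags 0x0110 (recursion desired + broadcast)."""
    return (struct.pack("!HHHHHH", tid, 0x0110, 1, 0, 0, 0)
            + encode_netbios_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS))

def build_response(tid: int, name: str, ip: str) -> bytes:
    """Positive name query response: ANCOUNT=1, flags 0x8500 (response, AA, RD)."""
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    return (struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0)
            + encode_netbios_name(name)
            + struct.pack("!HHIH", NB_TYPE, IN_CLASS, 300000, len(rdata)) + rdata)

# Constructed capture as (source IP, raw packet). DC01 is a real host answering
# for itself; CANARY-FS01 does not exist, so any answer for it is a poisoner.
CANARY_NAMES = {"CANARY-FS01"}
SAMPLE_PACKETS = [
    ("10.0.0.5",  build_query(0x1001, "DC01")),
    ("10.0.0.10", build_response(0x1001, "DC01", "10.0.0.10")),
    ("10.0.0.5",  build_query(0x1002, "CANARY-FS01")),
    ("10.0.0.99", build_response(0x1002, "CANARY-FS01", "10.0.0.99")),
]

def find_poisoning_responses(packets, canary_names=CANARY_NAMES):
    """Return one alert per response that answers for a canary name."""
    alerts = []
    for src, pkt in packets:
        rec = parse_nbns(pkt)
        if rec["is_response"] and rec["name"] in canary_names:
            alerts.append({"responder": src, "name": rec["name"],
                           "claimed_ip": rec.get("answer_ip")})
    return alerts

if __name__ == "__main__":
    for a in find_poisoning_responses(SAMPLE_PACKETS):
        print(f"possible NBT-NS poisoner {a['responder']} answered for "
              f"{a['name']} -> {a['claimed_ip']}")
```

The canary check works because a legitimate NBT-NS responder only answers for names it owns; a host that answers for a name nobody registered is, by definition, injecting itself into name resolution. Disabling NetBIOS over TCP/IP and LLMNR on clients removes the attack surface entirely, which is the usual mitigation.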

User Enumeration & Password Policies

Understanding user accounts and password policies is critical for planning authentication attacks.

Retrieving Password Policies

Enumerating Users

Password Spraying Attacks

Password spraying involves trying a small set of common passwords against many user accounts, keeping the attempts per account below the lockout threshold so that no account is locked out.

Windows Password Spraying

Post-Compromise Enumeration

After gaining initial access, deeper enumeration helps identify privilege escalation paths.

Domain Information

  • Group Policy Objects

  • Domain trusts

  • Sites and services

User and Group Details

  • Group memberships

  • Account privileges

  • Service accounts

Computer Objects

  • Operating systems

  • Installed software

  • Security configurations

Active Directory Privilege Escalation

Common privilege escalation paths in Active Directory:

  1. Kerberoasting

  2. AS-REP Roasting

  3. DCSync attacks

  4. Abuse of Group Policy

  5. ACL/DACL misconfigurations

  6. Resource-based constrained delegation

Persistence Mechanisms

Ways to maintain access in Active Directory environments:

  1. Golden/Silver tickets

  2. Domain Controller synchronization rights

  3. DSRM password modification

  4. Skeleton key malware

  5. Custom SSP

  6. ACL modifications

Detection Evasion

Techniques to avoid detection during Active Directory attacks:

  1. Operational security practices

  2. Avoiding noisy tools and commands

  3. Living off the land techniques

  4. Limiting lateral movement

  5. Alternative authentication methods
