Active Directory Attack Techniques: From BloodHound to Domain Admin, a Modern Red Team Roadmap
BloodHound, Kerberoasting, Shadow Credentials, ADCS ESC1, DCSync and Golden Ticket. We walk the chain from a low-privilege domain account to Domain Admin in a modern enterprise network, with the defense for each technique.
Quick Answer
Active Directory attacks are techniques that let an attacker start from a single low-privilege domain account and escalate, step by step, to Domain Admin or Enterprise Admin. The most common chain in a modern enterprise network is: map the attack path with BloodHound, crack weak passwords offline with Kerberoasting and AS-REP Roasting, take over accounts via ACL abuse and Shadow Credentials, request a certificate for a privileged account through the ADCS ESC1 misconfiguration, and finally pull the krbtgt hash with DCSync and forge a Golden Ticket for persistent control of the whole domain. This article explains each technique together with its defenses, for authorized security testing and education.
Why is Active Directory the prime target?
The vast majority of enterprise networks run identity and access management on Active Directory (AD). A single Domain Controller (DC) authenticates hundreds of users, computers and service accounts. That centralization is a gift to an attacker: once they gain the smallest foothold, the target is no longer individual machines but the identity infrastructure itself. Domain Admin, in practice, means access to every machine, file and account on the network.
In penetration tests and Red Team operations, taking over AD is an almost standard objective, because AD's flexibility, years of accumulated misconfigurations and legacy settings leave at least one usable weak link in most environments. The techniques below are documented in MITRE ATT&CK, validated in the real world, and essential knowledge for defenders.
Note: This content is only for authorized security testing, CTF competitions and defensive education. Unauthorized access is a crime under Turkish Penal Code articles 243 to 245.
1. Recon and BloodHound: seeing the attack path
When an attacker enters an AD forest they first perform enumeration. Which users, groups and computers exist? Who has rights over whom? These answers can be pulled over LDAP with even a low-privilege domain account. Modern tools (such as NetExec / nxc) sweep a network range over SMB and LDAP and reveal the domain controllers, operating systems and SMB signing state.
The real power comes from BloodHound. It dumps AD relationships (group memberships, ACLs, sessions, delegations) into a graph database and visualizes the question "what is the shortest path from this account to Domain Admin?". Developed by SpecterOps, it lets the attacker focus on relationships rather than individual accounts, because in AD the real power lies in the trust and privilege edges between objects.
A typical BloodHound finding looks like this: a low-privilege user can Kerberoast a service account; that service account has GenericWrite over an admin account; that admin account can enroll for certificates on the ADCS server. This chain, which would take hours to find manually, surfaces in seconds with graph analysis.
Defense: Run BloodHound against your own environment regularly (a purple-team approach). Clean dangerous ACLs (GenericAll, GenericWrite, WriteDacl, WriteOwner, ForceChangePassword), isolate Tier 0 assets and remove unnecessary admin group memberships.
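The "shortest path to Domain Admin" question is ordinary graph search. The following is an added example, not BloodHound code and not from the original article: it runs a breadth-first search over a constructed, fictional edge list that mirrors the chain described above (BloodHound itself models "Kerberoastable" as a node property, hasspn; here it is written as an edge from Domain Users so the search can treat it as one hop). In a real engagement the edges would come from the collector's JSON or a Cypher query against BloodHound's Neo4j database; everything else (object names, edge kinds, the `allowed` filter) is an assumption for illustration.

```python
"""Shortest attack path over a BloodHound-style graph (added example, not BloodHound code).

EDGES is a constructed, fictional edge list. Real data would come from the
collector's JSON or a Cypher query; the search itself is the same idea.
"""
from collections import deque

# (source, edge type, target). All names are fictional and assumed.
EDGES = [
    ("alice@ACME.LOCAL", "MemberOf", "DOMAIN USERS@ACME.LOCAL"),
    ("alice@ACME.LOCAL", "MemberOf", "HELPDESK@ACME.LOCAL"),
    ("HELPDESK@ACME.LOCAL", "AdminTo", "WS01.ACME.LOCAL"),  # dead end: no sessions on WS01
    ("DOMAIN USERS@ACME.LOCAL", "Kerberoastable", "SVC_SQL@ACME.LOCAL"),  # hasspn, written as an edge
    ("SVC_SQL@ACME.LOCAL", "GenericWrite", "HELPDESK_ADMIN@ACME.LOCAL"),
    ("HELPDESK_ADMIN@ACME.LOCAL", "Enroll", "ESC1-TEMPLATE@ACME.LOCAL"),
    ("ESC1-TEMPLATE@ACME.LOCAL", "ADCSESC1", "DOMAIN ADMINS@ACME.LOCAL"),
    ("bob@ACME.LOCAL", "MemberOf", "DOMAIN ADMINS@ACME.LOCAL"),  # nothing in the graph leads to bob
]


def build_graph(edges):
    """Adjacency list: node -> [(edge type, neighbour), ...]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph


def shortest_path(edges, start, target, allowed=None):
    """Breadth-first search from start to target.

    Returns the hops as [(node, edge type, next node), ...], or None when no
    path exists. `allowed` restricts the search to the given edge types, which
    is how a defender asks "does the path survive if I remove this edge kind?".
    """
    graph = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, nxt in graph.get(node, []):
            if allowed is not None and kind not in allowed:
                continue
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def principals_reaching(edges, target, allowed=None):
    """Every object in the graph with some path to target: the defender's view."""
    starts = {src for src, _, _ in edges}
    return sorted(s for s in starts if s != target and shortest_path(edges, s, target, allowed))


if __name__ == "__main__":
    for hop in shortest_path(EDGES, "alice@ACME.LOCAL", "DOMAIN ADMINS@ACME.LOCAL"):
        print("%s -[%s]-> %s" % hop)
    print("reach DA:", principals_reaching(EDGES, "DOMAIN ADMINS@ACME.LOCAL"))
```

Running it prints the five-hop path from alice to Domain Admins; passing `allowed` without "Kerberoastable" returns None, which is the purple-team use: it shows that fixing one edge kind (here, the weak service-account password) cuts the path.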
2. Kerberoasting and AS-REP Roasting: crackable tickets
Kerberos is AD's authentication protocol, and it has two famous weaknesses.
Kerberoasting (T1558.003): Any authenticated domain user can request a service ticket (TGS) for any account that has a Service Principal Name (SPN). The ticket is encrypted with a key derived from the service account's password; with the RC4 encryption type (etype 23) that key is simply the account's NT hash, which makes the ticket fast to crack. The attacker takes the ticket offline and runs a wordlist (such as rockyou.txt) against it. The KDC and the service never see the cracking attempt, and the request itself looks like normal Kerberos traffic. Service accounts with weak passwords fall in minutes. Impacket's GetUserSPNs.py requests and extracts the tickets in one command; hashcat cracks them with -m 13100 (RC4) or -m 19600 / -m 19700 (AES128 / AES256, far slower to crack).
AS-REP Roasting (T1558.004): If an account has "Do not require Kerberos preauthentication" (DONT_REQ_PREAUTH) set, anyone who knows the username can request an AS-REP for it without a password and crack its encrypted part offline. GetNPUsers.py finds such accounts automatically, and with only a username list it needs no domain credentials at all; the hashcat mode is -m 18200 (RC4).
Neither technique touches the target's password online, so there is no lockout and no failed logon. AS-REP Roasting needs no credentials at all; Kerberoasting needs nothing more than a valid domain user. What a defender does get is a 4769 (service ticket) or 4768 (TGT) event with RC4 as the ticket encryption type, and that is the main thing to hunt for.
Defense: Use Group Managed Service Accounts (gMSA) for service accounts; their 240-byte random password rotates automatically (every 30 days by default) and is uncrackable in practice. Where a gMSA is not possible, use long random passwords (25+ characters). Reduce the number of accounts with SPNs, set msDS-SupportedEncryptionTypes on service accounts to AES only so that RC4 tickets are never issued, alert on 4769/4768 events with encryption type 0x17, and never disable preauthentication unless a legacy application truly requires it.
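The detection side of the two roasting attacks comes down to two patterns in the Security log: one account pulling RC4 service tickets for many SPNs in a short window (4769), and a TGT issued to an account with no pre-authentication (4768). The following is an added example, not from the article and not a vendor rule: it runs both checks over a constructed, fictional sample of events reduced to the fields that matter (the real events are XML with more fields). The thresholds, the field names and the account names are assumptions to adapt per site.

```python
"""Hunting Kerberoasting and AS-REP Roasting in Security events (added example).

EVENTS is a constructed sample shaped like the relevant fields of Event ID 4769
(service ticket requested) and 4768 (TGT requested). Field names are simplified
from the real event XML; thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17      # Ticket Encryption Type 23; AES128 = 0x11, AES256 = 0x12
PREAUTH_NONE = 0     # Pre-Authentication Type 0 = no pre-auth, i.e. DONT_REQ_PREAUTH

# Constructed, fictional sample: alice pulls three RC4 service tickets in 40 s
# (roasting pattern), bob requests one AES ticket (normal), and someone fetched
# an AS-REP for svc_backup, which has pre-authentication disabled.
EVENTS = [
    {"id": 4769, "time": "2024-01-10T09:00:01", "account": "alice@ACME.LOCAL",
     "service": "MSSQLSvc/sql01.acme.local:1433", "etype": 0x17, "ip": "10.0.0.50"},
    {"id": 4769, "time": "2024-01-10T09:00:12", "account": "alice@ACME.LOCAL",
     "service": "HTTP/intranet.acme.local", "etype": 0x17, "ip": "10.0.0.50"},
    {"id": 4769, "time": "2024-01-10T09:00:40", "account": "alice@ACME.LOCAL",
     "service": "MSSQLSvc/sql02.acme.local:1433", "etype": 0x17, "ip": "10.0.0.50"},
    {"id": 4769, "time": "2024-01-10T09:00:41", "account": "alice@ACME.LOCAL",
     "service": "krbtgt/ACME.LOCAL", "etype": 0x17, "ip": "10.0.0.50"},  # TGT renewal, not a roast
    {"id": 4769, "time": "2024-01-10T09:05:00", "account": "bob@ACME.LOCAL",
     "service": "cifs/fs01.acme.local", "etype": 0x12, "ip": "10.0.0.51"},
    {"id": 4768, "time": "2024-01-10T09:07:00", "account": "svc_backup@ACME.LOCAL",
     "preauth_type": 0, "etype": 0x17, "ip": "10.0.0.50"},
    {"id": 4768, "time": "2024-01-10T09:07:05", "account": "bob@ACME.LOCAL",
     "preauth_type": 2, "etype": 0x12, "ip": "10.0.0.51"},
]


def kerberoast_bursts(events, min_spns=3, window=timedelta(minutes=5)):
    """Accounts that requested RC4 service tickets for >= min_spns distinct SPNs inside `window`.

    RC4 is the tell: roasting tools typically request etype 23 because it cracks
    orders of magnitude faster than AES. Tickets for krbtgt/ are TGT renewals,
    not service tickets, and are skipped.
    """
    per_account = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        if e["service"].lower().startswith("krbtgt/"):
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    hits = {}
    for account, requests in per_account.items():
        requests.sort()
        for i, (t0, _) in enumerate(requests):
            spns = {spn for t, spn in requests[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits


def asrep_roast_candidates(events):
    """4768 events issued without pre-authentication: each is an offline-crackable AS-REP.

    Returns {account: encryption type}. RC4 (0x17) is the high-confidence case;
    an AES AS-REP is still crackable, just much slower.
    """
    return {e["account"]: e["etype"] for e in events
            if e["id"] == 4768 and e.get("preauth_type") == PREAUTH_NONE}


if __name__ == "__main__":
    print("Kerberoasting bursts:", kerberoast_bursts(EVENTS))
    print("AS-REP roastable:", asrep_roast_candidates(EVENTS))
```

On the sample, alice is reported with three SPNs and svc_backup is reported as AS-REP roastable. The same logic ports directly to a SIEM query; the one prerequisite is that "Audit Kerberos Service Ticket Operations" and "Audit Kerberos Authentication Service" are enabled on the domain controllers.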
3. Shadow Credentials: account takeover without resetting passwords
In classic ACL abuse, if you hold GenericAll or the ForceChangePassword extended right over an account, you reset its password and log in. But that is noisy and locks the real user out. Shadow Credentials (mapped to T1098, Account Manipulation) is far more elegant and needs only write access to a single attribute, which GenericWrite already gives.
For certificate-based Kerberos authentication (PKINIT), Windows stores each account's public keys in the msDS-KeyCredentialLink attribute, introduced with the Windows Server 2016 schema for Windows Hello for Business Key Trust. If you can write to the target account, you add your own key to this attribute, authenticate as that account via PKINIT with the matching private key, and recover its NT hash (UnPAC-the-hash, via a user-to-user TGS request). The password never changes, the user notices nothing, and the attribute can be restored afterward. The prerequisite is a DC that supports PKINIT, i.e. a DC certificate, which is normally present wherever ADCS is deployed. Certipy's shadow auto command automates the whole chain; Whisker and pyWhisker do the same.
This is a technique that even experienced testers often discover late, because it is both quiet and powerful: it turns a single ACL edge directly into full account takeover.
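The point of the last three sections, and of the "dangerous ACLs" advice in the BloodHound section, is that specific ACEs translate into specific takeover techniques, and the mapping is worth being precise about: GenericWrite gives Shadow Credentials but not a password reset, ForceChangePassword gives the reset but not Shadow Credentials, and WriteDacl or WriteOwner give everything because you can grant yourself the rest. The example below is added here and is not the article's code nor a BloodHound or Impacket routine. It evaluates a constructed, simplified DACL (Allow ACEs only, no inheritance, no group expansion, one right per ACE). The attribute and control-access GUIDs are the real ones from the AD schema; the principal names and ACEs are fictional. It also covers the domain object, where the same style of ACE grants the replication rights that DCSync (section 5) depends on.

```python
"""Which ACEs on an object turn into which takeover technique (added example).

Not BloodHound or Impacket code. Evaluates a constructed, simplified DACL:
Allow ACEs only, no inheritance, no group expansion, one right per ACE.
"""
# Schema / control-access GUIDs (stable across AD versions)
KEYCREDLINK_GUID = "5b47d60f-6090-40b2-9f37-2a4de88f3063"             # msDS-KeyCredentialLink attribute
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"          # DS-Replication-Get-Changes
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes-All


def takeover_paths(dacl, trustee, object_class="user"):
    """Techniques `trustee` can use against the object, derived from its ACEs.

    object_class "user":   shadow-credentials needs write on msDS-KeyCredentialLink
                           (GenericWrite, or WriteProperty on that attribute or on all);
                           password-reset needs the User-Force-Change-Password right.
    object_class "domain": dcsync needs both replication extended rights.
    GenericAll, WriteDacl and WriteOwner imply everything on the object.
    """
    paths = set()
    get_changes = get_changes_all = False
    for ace in dacl:
        if ace["trustee"] != trustee or ace.get("type", "Allow") != "Allow":
            continue
        right, guid = ace["right"], ace.get("object_guid")  # None = all properties / all extended rights
        if right in ("GenericAll", "WriteDacl", "WriteOwner"):
            paths.update({"shadow-credentials", "password-reset"} if object_class == "user" else {"dcsync"})
        elif right == "GenericWrite" or (right == "WriteProperty" and guid in (None, KEYCREDLINK_GUID)):
            if object_class == "user":
                paths.add("shadow-credentials")
        elif right == "ExtendedRight":
            if object_class == "user" and guid in (None, FORCE_CHANGE_PASSWORD_GUID):
                paths.add("password-reset")
            get_changes |= guid in (None, DS_REPL_GET_CHANGES)
            get_changes_all |= guid in (None, DS_REPL_GET_CHANGES_ALL)
    if object_class == "domain" and get_changes and get_changes_all:
        paths.add("dcsync")
    return paths


def audit(dacl, object_class, expected=()):
    """{trustee: [techniques]} for every trustee outside `expected` that has at least one path."""
    findings = {}
    for trustee in sorted({ace["trustee"] for ace in dacl}):
        if trustee in expected:
            continue
        paths = takeover_paths(dacl, trustee, object_class)
        if paths:
            findings[trustee] = sorted(paths)
    return findings


# Constructed DACL of the fictional user object HELPDESK_ADMIN
ACCOUNT_DACL = [
    {"trustee": "Domain Admins", "right": "GenericAll"},
    {"trustee": "svc_sql", "right": "GenericWrite"},                                                 # shadow credentials only
    {"trustee": "Helpdesk", "right": "ExtendedRight", "object_guid": FORCE_CHANGE_PASSWORD_GUID},    # password reset only
    {"trustee": "backup_op", "right": "WriteDacl"},                                                  # both, via DACL rewrite
    {"trustee": "Auditors", "right": "WriteProperty", "object_guid": "11111111-1111-1111-1111-111111111111"},  # some other attribute (placeholder GUID)
]

# Constructed DACL of the fictional domain object
DOMAIN_DACL = [
    {"trustee": "Domain Controllers", "right": "ExtendedRight", "object_guid": DS_REPL_GET_CHANGES},
    {"trustee": "Domain Controllers", "right": "ExtendedRight", "object_guid": DS_REPL_GET_CHANGES_ALL},
    {"trustee": "svc_backup", "right": "ExtendedRight", "object_guid": DS_REPL_GET_CHANGES},
    {"trustee": "svc_backup", "right": "ExtendedRight", "object_guid": DS_REPL_GET_CHANGES_ALL},   # together: DCSync
    {"trustee": "svc_monitor", "right": "ExtendedRight", "object_guid": DS_REPL_GET_CHANGES},      # alone: not enough
]

if __name__ == "__main__":
    print(audit(ACCOUNT_DACL, "user", expected={"Domain Admins"}))
    print(audit(DOMAIN_DACL, "domain", expected={"Domain Controllers"}))
```

On the sample DACLs the audit reports svc_sql (shadow-credentials), Helpdesk (password-reset), backup_op (both) and, on the domain object, svc_backup (dcsync). A real audit would have to expand group membership and walk inherited ACEs, which is exactly the work BloodHound does for you.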
Defense: Audit writes to msDS-KeyCredentialLink: enable Directory Service Changes auditing with a SACL on the attribute so that Event ID 5136 fires, and alert when the writer is not the account itself, a DC or your Windows Hello for Business provisioning path. If you do not use Key Trust at all, periodically list accounts whose msDS-KeyCredentialLink is populated and treat unexpected entries as incidents. Above all, minimize write rights over accounts: a GenericWrite edge is a takeover edge.
4. ADCS ESC1: becoming Domain Admin via a certificate
Active Directory Certificate Services (ADCS) is Microsoft's PKI component, the place where organizations issue and manage their own certificates, and it is the most powerful front in modern AD attacks. SpecterOps' "Certified Pre-Owned" research documented a series of misconfigurations numbered ESC1 to ESC8, and later research by others has extended the list. The best known is ESC1.
ESC1 arises when a published certificate template meets all of these conditions: (1) low-privilege users (e.g. Domain Users) have enrollment rights on it, (2) its EKUs allow authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all), (3) it needs no manager approval and no authorized signatures, and (4) most critically, the enrollee may supply the subject, i.e. the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set. With all of them together, an ordinary user can put administrator's UPN into the Subject Alternative Name of a certificate request, and the CA issues a valid certificate in administrator's name. The attacker authenticates with that certificate via PKINIT, gets a TGT as administrator, and recovers administrator's NT hash via UnPAC-the-hash. Certipy does this end to end with its find, req and auth commands.
ESC1 also provides persistence, because a certificate, unlike a password, is long-lived (a year or more under typical template settings), survives password changes, and keeps working until it is revoked or the account is disabled or deleted. That is why even experts say "I didn't know this" the first time they see it.
Defense: Disable "Supply in the request" (enrollee supplies subject) on vulnerable templates, require manager approval, restrict enrollment rights, and remove authentication EKUs from templates that do not need them. Enable auditing on the CA and centrally collect its events (4886 certificate requested, 4887 certificate issued) so that a request carrying a privileged UPN in the SAN from an ordinary user stands out. Keep DCs and CAs patched for the certificate-mapping hardening of KB5014754 (strong SID-based mapping); it raises the bar for certificates whose subject does not match the requester, though whether a given ESC1 certificate still authenticates in Full Enforcement mode depends on the patch level and the SAN contents, so verify in your own environment. Run Certipy against your own environment and close ESC1-ESC8.
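ESC1 is a conjunction of template attributes, so a check is simply "are all of these true at once on a published template". The example below is added here and is not Certipy's code: it evaluates constructed, fictional template objects using the real attribute semantics (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, enrollment ACL) and then applies the minimal hardening from the Defense paragraph. It assumes the CA publishes the templates and grants the same principals request rights; the template names and principal names are made up.

```python
"""ESC1 check on certificate-template attributes, plus the hardened template (added example).

Not Certipy's code. TEMPLATES is a constructed set of template objects using
the real attribute semantics; names, EKU lists and enrollment ACLs are fictional.
"""
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

# EKUs that let a certificate authenticate a principal (PKINIT / Schannel)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2":      "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4":        "PKINIT Client Authentication",
    "2.5.29.37.0":            "Any Purpose",
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def esc1_findings(template):
    """Reasons the template is ESC1-abusable; an empty list means not ESC1.

    All conditions must hold together: published, enrollee supplies the
    subject/SAN, usable for authentication, no manager approval, no authorized
    signature, and a low-privilege principal may enroll.
    """
    ekus = set(template["ekus"])
    auth_ekus = sorted(AUTH_EKUS[o] for o in ekus & AUTH_EKUS.keys())
    low_priv = sorted(LOW_PRIV & set(template["enroll"]))
    checks = [
        (template["published"], "published on the CA"),
        (bool(template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), "enrollee supplies subject"),
        (not ekus or bool(auth_ekus),
         "usable for authentication: " + (", ".join(auth_ekus) or "no EKU restriction")),
        (not (template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS), "no manager approval"),
        (template["ra_signatures"] == 0, "no authorized signature required"),
        (bool(low_priv), "low-privilege enrollment: " + ", ".join(low_priv)),
    ]
    return [reason for ok, reason in checks] if all(ok for ok, _ in checks) else []


def harden(template):
    """Minimal fix: stop accepting a caller-chosen subject, require approval, restrict enrollment."""
    fixed = dict(template)
    fixed["name_flag"] = template["name_flag"] & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["enrollment_flag"] = template["enrollment_flag"] | CT_FLAG_PEND_ALL_REQUESTS
    fixed["enroll"] = [p for p in template["enroll"] if p not in LOW_PRIV]
    return fixed


# Constructed, fictional templates
TEMPLATES = {
    "WebServer-Legacy": {"published": True, "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
                         "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],   # Server + Client Authentication
                         "enroll": ["Domain Users", "Web Admins"]},
    # Built-in User template values: subject is built from AD (flag 0x1 clear), enrollment flag 41
    "User":             {"published": True, "name_flag": 0xA6000000, "enrollment_flag": 0x29, "ra_signatures": 0,
                         "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
                         "enroll": ["Domain Users"]},
    "Admin-Approved":   {"published": True, "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
                         "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
}


def scan(templates):
    """{template name: reasons} for every template that is ESC1."""
    return {name: esc1_findings(t) for name, t in templates.items() if esc1_findings(t)}


if __name__ == "__main__":
    for name, reasons in scan(TEMPLATES).items():
        print(name, "-> ESC1:", "; ".join(reasons))
    print("after harden:", esc1_findings(harden(TEMPLATES["WebServer-Legacy"])))
```

Only WebServer-Legacy is reported; the built-in User template is safe because the CA builds its subject from AD, and Admin-Approved is safe because a request waits for a certificate manager. After `harden()` the legacy template no longer qualifies. Note that the check mirrors the template side only; Certipy's find additionally reads the CA's own security descriptor, which can grant or deny enrollment independently of the template.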
5. DCSync and Golden Ticket: persistent control of the whole domain
After reaching Domain Admin, the goal is persistence. DCSync (T1003.006) lets the attacker mimic a domain controller's replication behavior (the MS-DRSR / DRSUAPI RPC interface, specifically the GetNCChanges call) to pull any account's password hash without ever logging on to the DC. It needs the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, which Domain Admins hold by default but which are sometimes also granted to service accounts; BloodHound flags such principals, and each of them can DCSync without being an admin. The most valuable target is the krbtgt account's hash.
With the krbtgt hash in hand, you can forge a Golden Ticket (T1558.001): a TGT signed with the domain's own key, for any user (including Enterprise Admin), with any group memberships and any lifetime you choose. It is a near-indelible backdoor into the domain, because it stays valid until the krbtgt password is changed, and that password is rarely changed. Impacket's secretsdump.py performs DCSync (secretsdump.py -just-dc dumps the entire NTDS credential set, every hash in the domain, without copying the NTDS.dit file itself), and ticketer.py forges the Golden Ticket; since the November 2021 PAC hardening the forged ticket must carry the real domain SID and the RID of an existing account, and forging with the krbtgt AES key rather than the RC4 hash keeps it from standing out as an RC4 ticket in an AES domain.
Defense: Rotate the krbtgt password regularly, and twice (with a pause of at least the maximum TGT lifetime between the two resets, so the old key is no longer accepted) when compromise is suspected. To detect DCSync, enable Directory Service Access auditing on DCs and alert on Event ID 4662 whose Properties contain the replication control-access GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 for Get-Changes, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 for Get-Changes-All) from any account that is not a domain controller or a known directory-sync account; on the network, DRSUAPI traffic from a non-DC address is the same signal. Tier 0 isolation, LAPS and Privileged Access Workstations (PAW) limit the impact of these attacks.
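The DCSync detection above reduces to one rule over Event ID 4662: a control-access operation on the domain object whose Properties carry the replication GUIDs, performed by a principal that is not a domain controller. The example below is added here and is not the article's code nor a vendor rule: it applies that rule to a constructed, fictional sample of 4662 records reduced to the relevant fields (the real events are XML, with the Properties field listing GUIDs in braces exactly as written here). The allow-list of legitimate replicators is an assumption to adapt per domain (your DC machine accounts, plus a directory-sync account if you run one).

```python
"""Spotting DCSync in Event ID 4662 on a domain controller (added example).

EVENTS is a constructed sample of 4662 records reduced to SubjectUserName,
AccessMask and Properties. The GUIDs are the real replication rights; every
account and host name is fictional.
"""
import re

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}
CONTROL_ACCESS = 0x100   # AccessMask bit for control-access (extended right) operations
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed sample. DC02$ replicating is normal; svc_backup doing it is DCSync;
# alice's event is an ordinary attribute write on a user object, not replication.
EVENTS = [
    {"id": 4662, "time": "2024-01-10T10:00:00", "subject": "DC02$", "object_type": "domainDNS",
     "access_mask": 0x100,
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "time": "2024-01-10T10:01:30", "subject": "svc_backup", "object_type": "domainDNS",
     "access_mask": 0x100,
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "time": "2024-01-10T10:02:00", "subject": "alice", "object_type": "user",
     "access_mask": 0x20,
     "properties": "{bf967a68-0de6-11d0-a285-00aa003049e2}"},
]


def replication_guids(event):
    """Replication control-access GUIDs present in the event's Properties field."""
    return {g.lower() for g in GUID_RE.findall(event["properties"])} & REPLICATION_GUIDS


def dcsync_alerts(events, allowed_replicators):
    """4662 control-access operations that request replication rights from a non-allow-listed principal.

    `allowed_replicators` should hold the DC machine accounts (NAME$) and any
    legitimate directory-sync account. A machine account that is not a DC still
    alerts: a workstation has no business replicating the directory.
    """
    alerts = []
    for e in events:
        if e["id"] != 4662 or not (e["access_mask"] & CONTROL_ACCESS):
            continue
        guids = replication_guids(e)
        if not guids or e["subject"] in allowed_replicators:
            continue
        alerts.append({"time": e["time"], "subject": e["subject"], "rights": sorted(guids)})
    return alerts


if __name__ == "__main__":
    for alert in dcsync_alerts(EVENTS, {"DC01$", "DC02$"}):
        print("possible DCSync:", alert)
```

On the sample only svc_backup is reported. One practical note: 4662 is only written when the "Audit Directory Service Access" subcategory is enabled on the DCs, and the event is generated on the DC that served the replication request, so every DC's log has to be collected, not just the PDC's.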
Experience this chain in a safe environment
You can experience all of the above techniques in Part II of the DSET Academy Red Team Lab, in your browser, with real commands against a fully simulated fictional domain (acme.local). Each stage maps to a MITRE ATT&CK technique, graduated hints teach the method without giving away the answer, and at the end you earn a verifiable certificate of completion. The training is 100% simulated; no real system is ever touched.
Go to DSET Red Team Lab · Part II
For more about DSET's AI-powered security platform KAOS and our other services, see our KAOS page and our services. For your penetration testing needs, contact us.
Frequently Asked Questions
Are Active Directory attacks legal? You may only use these techniques on systems you are explicitly authorized to test (your own lab, an authorized pentest engagement, a CTF). Unauthorized use is a crime.
Do you need to be an admin to Kerberoast? No. Any valid domain user can request tickets for service accounts that have an SPN. That is exactly why it is so dangerous.
How do I close ADCS ESC1? Disable "enrollee supplies subject" on the vulnerable certificate template, enable manager approval, and restrict enrollment rights. Scan your own environment with Certipy.
Can I detect a Golden Ticket? Directly it is hard, because the ticket is cryptographically valid. But anomalous ticket lifetimes, service tickets obtained from a TGT that no DC ever issued (a 4769 with no matching 4768), RC4-encrypted tickets in an AES-only domain and unusual krbtgt usage patterns can be hunted in a SIEM; tickets for non-existent accounts, once a classic indicator, are now rejected outright by DCs patched for the November 2021 PAC hardening. The most effective control is rotating the krbtgt password regularly.
Is BloodHound used for defense? Absolutely. Defenders run BloodHound against their own environment to discover and close attack paths before attackers do. It is one of the core tools of purple-team work.
External Sources
- MITRE ATT&CK: technique pages for Kerberoasting (T1558.003), AS-REP Roasting (T1558.004), DCSync (T1003.006), Golden Ticket (T1558.001)
- SpecterOps, "Certified Pre-Owned: Abusing Active Directory Certificate Services" (ADCS ESC1-ESC8 research)
- BloodHound official documentation (SpecterOps)
- Microsoft, Kerberos authentication and Active Directory security references
- Impacket and Certipy project documentation