
Active Directory Attack Techniques I Use Most Often

July 21, 2024 (2 min read)

When clients ask what attacks I'll use against their Active Directory, they often expect some complex zero-day exploitation. The reality is much simpler - and that's what makes it scary.

Kerberoasting

This is my bread and butter. Any authenticated domain user can request a service ticket for any account that has an SPN set. The encrypted part of that ticket is protected with a key derived from the service account's password (with RC4, that key is the account's NT hash itself), so I save the tickets, take them offline, and run a wordlist against them. The service is never contacted, and a wrong guess never touches the domain controller.

Why it works so well:

  • No special privileges required: any domain user, or a machine account, will do
  • Rarely alerted on: every request does land in the Security log as event 4769, but few environments look at it, and a burst of RC4 (type 0x17) tickets for user accounts is the tell
  • Service accounts often have weak passwords, set by a human years ago and never changed
  • Service accounts often have excessive privileges (local admin on many hosts, sometimes Domain Admin)

The fix: Use group managed service accounts (gMSAs). Their passwords are long, random, machine-generated values that rotate automatically (every 30 days by default); a ticket for a gMSA can still be requested, but it won't crack. Where a gMSA isn't possible, give the account a long random password and restrict it to AES via msDS-SupportedEncryptionTypes so RC4 tickets are never issued, and treat any RC4 service ticket for a user account as an alert.
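As an added illustration of the 4769 point (example code, not from the original post or the author's toolkit), here is a minimal detector over Security event 4769 records. It flags two things: RC4 service tickets issued for user accounts, and any requester that pulls tickets for many different services inside a short window, which catches AES roasting too. The events, account names and the five-SPN threshold are constructed for the example.

```python
# Added example (not from the original post): a minimal Kerberoasting detector over
# Windows Security event 4769 records. The events, account names and the
# MANY_SPNS threshold are constructed assumptions for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # TicketEncryptionType for RC4-HMAC (AES128 = 0x11, AES256 = 0x12)
MANY_SPNS = 5                    # assumed threshold: distinct services per requester within WINDOW
WINDOW = timedelta(minutes=5)


def ev(time, user, service, etype, status=0):
    """Build a 4769 record with the fields a SIEM normally extracts."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample events: normal AES traffic, one lone RC4 request, and one
# account pulling RC4 tickets for five different service accounts in two seconds.
EVENTS = [
    ev("2024-07-21T09:00:01", "bob@CORP.LOCAL", "svc_sql", 0x12),
    ev("2024-07-21T09:00:02", "WS01$@CORP.LOCAL", "DC01$", 0x12),
    ev("2024-07-21T09:00:03", "bob@CORP.LOCAL", "krbtgt", 0x12),
    ev("2024-07-21T09:00:30", "bob@CORP.LOCAL", "svc_legacy", 0x17),
    ev("2024-07-21T09:01:00", "alice@CORP.LOCAL", "svc_sql", 0x17),
    ev("2024-07-21T09:01:01", "alice@CORP.LOCAL", "svc_http", 0x17),
    ev("2024-07-21T09:01:01", "alice@CORP.LOCAL", "svc_backup", 0x17),
    ev("2024-07-21T09:01:02", "alice@CORP.LOCAL", "svc_sharepoint", 0x17),
    ev("2024-07-21T09:01:02", "alice@CORP.LOCAL", "svc_print", 0x17),
    ev("2024-07-21T09:05:00", "carol@CORP.LOCAL", "svc_sql", 0x17, status=0x12),  # failed request, no ticket issued
]


def is_roastable(service):
    """Only human-set passwords crack: skip computer accounts ($) and krbtgt referrals."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoasting(events, many=MANY_SPNS, window=WINDOW):
    """Return RC4 tickets issued for user service accounts, and requesters that
    fetched tickets for `many` distinct services (any etype) inside `window`."""
    rc4_user_tickets = []
    by_requester = defaultdict(list)
    for e in events:
        if e["Status"] != 0 or not is_roastable(e["ServiceName"]):
            continue
        requester = e["TargetUserName"].split("@")[0]
        when = datetime.fromisoformat(e["time"])
        by_requester[requester].append((when, e["ServiceName"]))
        if e["TicketEncryptionType"] == RC4_HMAC:
            rc4_user_tickets.append((requester, e["ServiceName"]))

    bulk = []
    for requester, reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            distinct = {svc for when, svc in reqs[i:] if when - start <= window}
            if len(distinct) >= many:
                bulk.append(requester)
                break
    return {"rc4_user_tickets": rc4_user_tickets, "bulk_requesters": sorted(bulk)}


if __name__ == "__main__":
    for key, hits in find_kerberoasting(EVENTS).items():
        print(key, hits)
```

The threshold is the knob to tune: a monitoring server that legitimately talks to many SPNs will trip the bulk rule, so allowlist it explicitly rather than raising the number for everyone.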

NTLM Relay

Windows loves NTLM. When the target doesn't require SMB signing (or LDAP signing, or channel binding), I can intercept an NTLM authentication and relay it to another service as that user. I don't need to crack anything; I just forward the challenge and response between the victim and the target, and the target treats my session as the victim's.

With coercion tools like PetitPotam (which abuses MS-EFSRPC), I can make machines authenticate to me on demand, so I don't even have to wait for a user. I then relay that machine account to a service that doesn't enforce signing or channel binding, LDAP being the classic target, and use the machine's own rights over its computer object (for example, configuring resource-based constrained delegation on it) to take that machine over.

The fix: Require SMB signing on every host, not just on domain controllers, where it is already required by default. Require LDAP signing and LDAPS channel binding on the DCs. Enable Extended Protection for Authentication (EPA) on the HTTPS services that accept NTLM. These should be defaults, but on member servers and workstations they're not.
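The first thing I check before setting up a relay is whether a target merely supports signing or actually requires it, and the answer is in the SecurityMode field of the SMB2 NEGOTIATE response. The following is an added example (not code from the original post) that builds a NEGOTIATE request, parses the response, and includes a constructed response for offline testing; packet layouts follow MS-SMB2, and the probe() function is the only part that talks to a live host.

```python
# Added example (not from the original post): read the SecurityMode field of an
# SMB2 NEGOTIATE response to learn whether a server merely supports signing or
# requires it. Packet layouts follow MS-SMB2 2.2.1.2, 2.2.3 and 2.2.4; the
# sample response built by negotiate_response() is constructed for offline testing.
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001     # server can sign
SIGNING_REQUIRED = 0x0002    # server refuses unsigned sessions, which is what stops relay


def smb2_header(command):
    """64-byte synchronous SMB2 header with zeroed ids and signature."""
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command, 1,
                       0, 0, 0, 0, 0, 0, b"\x00" * 16)


def negotiate_request(dialects=(0x0202, 0x0210)):
    """SMB2 NEGOTIATE request offering SMB 2.0.2 and 2.1 (StructureSize is fixed at 36)."""
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return smb2_header(SMB2_NEGOTIATE) + body


def negotiate_response(security_mode, dialect=0x0210):
    """Constructed NEGOTIATE response: the fixed 64-byte part and an empty
    security buffer (StructureSize 65 counts one byte of the variable buffer)."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return smb2_header(SMB2_NEGOTIATE) + body


def parse_security_mode(packet):
    """Return (signing_enabled, signing_required) from a raw SMB2 NEGOTIATE response."""
    if packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet (SMB1-only server, or a non-SMB service)")
    structure_size, security_mode = struct.unpack_from("<HH", packet, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % structure_size)
    return bool(security_mode & SIGNING_ENABLED), bool(security_mode & SIGNING_REQUIRED)


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        data += chunk
    return data


def probe(host, port=445, timeout=5):
    """Negotiate with a live server over a NetBIOS session and report its signing mode."""
    request = negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"\x00" + len(request).to_bytes(3, "big") + request)   # NetBIOS session header
        length = int.from_bytes(_recv_exact(sock, 4)[1:], "big")
        return parse_security_mode(_recv_exact(sock, length))


if __name__ == "__main__":
    import sys
    enabled, required = probe(sys.argv[1])
    print("signing enabled=%s required=%s -> %s" % (
        enabled, required, "relay blocked" if required else "NTLM relay target"))
```

On a default Windows member server you will see (True, False): signing is supported but not required, and that is the host a relay lands on. The hardened answer is (True, True).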

Pass-the-Hash

When I compromise a machine, I dump the local SAM database (the hashes of local accounts, which often share one local admin password across the whole fleet) and the memory of LSASS. If a domain admin has logged in recently and the session is still around, their NT hash is sitting in LSASS, and I use that hash directly to authenticate elsewhere over NTLM. No cracking is needed, because NTLM proves knowledge of the hash, not of the password. (Cached domain logons, the DCC2 hashes Windows keeps for offline sign-in, don't work this way; those I have to crack.)

The fix: Credential Guard (keeps the hashes out of reach of LSASS dumpers), LAPS (a unique local admin password per machine, so one SAM dump doesn't open the fleet), the Protected Users group for privileged accounts (no NTLM, no cached credentials), and stop logging into workstations with Domain Admin accounts.
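Why the hash alone is enough is easiest to see in the NTLMv2 computation itself. This is an added example (not code from the original post) that writes out NTOWFv2 and NTProofStr from MS-NLMP on both the client and the verifier side: neither side ever needs the password, only the NT hash. The hash, server challenge and blob below are constructed values, not material from a real host.

```python
# Added example (not from the original post): the NTLMv2 computation from
# MS-NLMP 3.3.2, written out to show that both the client and the verifier work
# from the NT hash alone. The hash, challenge and blob below are constructed
# values, not material from a real host.
import hashlib
import hmac


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(key=NT hash, UTF-16LE(UPPERCASE(user) || domain)).
    The NT hash itself is MD4(UTF-16LE(password)); that is the only place the
    password ever appears, and the hash is what LSASS keeps in memory."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof_str(nt_hash: bytes, user: str, domain: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp blob).
    The wire response is NTProofStr || blob; the blob carries the response type,
    timestamp, client nonce and target info."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


def verifier_accepts(stored_nt_hash: bytes, user: str, domain: str,
                     server_challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """DC side: recompute from the stored NT hash and compare in constant time.
    Nothing here needs, or could recover, the plaintext password."""
    expected = nt_proof_str(stored_nt_hash, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)


def pass_the_hash_demo() -> bool:
    """Attacker answers a fresh challenge with a dumped hash and is accepted."""
    dumped_nt_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # constructed stand-in for a hash dumped from LSASS
    challenge = bytes.fromhex("0123456789abcdef")                        # constructed server challenge
    blob = (bytes.fromhex("0101000000000000")                            # constructed temp blob:
            + bytes(8)                                                   #   timestamp
            + bytes.fromhex("deadbeefdeadbeef")                          #   client nonce
            + bytes(4))                                                  #   reserved, empty AV pairs
    proof = nt_proof_str(dumped_nt_hash, "admin", "CORP", challenge, blob)
    return verifier_accepts(dumped_nt_hash, "admin", "CORP", challenge, blob, proof)


if __name__ == "__main__":
    print("accepted with the hash alone:", pass_the_hash_demo())
```

Note what the challenge does and doesn't buy you: a captured NTProofStr is useless against a new challenge, which is why plain replay fails, but anyone holding the hash can answer every new challenge, which is why pass-the-hash works.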

DCSync

Once I have the right privileges, I can ask a domain controller to replicate password data to me, exactly as another DC would. The privilege in question is a pair of extended rights on the domain object, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Domain Admins, Enterprise Admins and the DCs themselves hold them by default, but so do service accounts nobody remembers (directory sync accounts, backup products), and anyone who can edit the domain's ACL can grant them. One request later I have every password hash in the domain, krbtgt included.

This uses the normal AD replication protocol (MS-DRSR over RPC), so on the wire it's hard to distinguish from legitimate traffic unless you're specifically looking for replication requests that don't come from a domain controller.

The fix: Audit who holds the replication rights on the domain object and remove everything that isn't a DC or a known sync account. Monitor Event 4662 (this needs Directory Service Access auditing and a SACL on the domain object that covers those control-access rights) and alert whenever DS-Replication-Get-Changes or DS-Replication-Get-Changes-All is exercised by anything other than a domain controller's computer account.
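The 4662 rule is short enough to show in full. This is an added example (not code from the original post) that runs it over constructed 4662 records: the extended-right and schema-class GUIDs are the real Active Directory values, while the events, account names and the list of DC computer accounts are assumptions for the illustration.

```python
# Added example (not from the original post): flag DCSync in Windows Security
# event 4662 records. The extended-right and domainDNS GUIDs are the real AD
# values; the events, account names and DC list are constructed assumptions.
import re

REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # schema GUID of the domainDNS class
CONTROL_ACCESS = 0x100                                       # AccessMask bit for extended rights
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}                      # assumed: this domain's DC computer accounts
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
FILTERED_SET = "{89e95b76-444d-4c62-991a-0facbeda640c}"


def ev(subject, properties, object_type=DOMAIN_DNS_CLASS, mask=CONTROL_ACCESS):
    """A 4662 record as a SIEM flattens it; Properties lists the rights exercised."""
    return {"SubjectUserName": subject, "ObjectType": "%%{" + object_type + "}",
            "AccessMask": "0x%x" % mask, "Properties": properties}


# Constructed sample: a DC replicating (normal), a service account and a directory
# sync account pulling secrets, and an unrelated control-access right on a user object.
SAMPLE_4662 = [
    ev("DC02$", "%%7688\n\t" + GET_CHANGES + "\n\t" + GET_CHANGES_ALL),
    ev("svc_backup", "%%7688\n\t" + GET_CHANGES + "\n\t" + GET_CHANGES_ALL),
    ev("MSOL_a1b2c3", "%%7688\n\t" + GET_CHANGES + "\n\t" + GET_CHANGES_ALL + "\n\t" + FILTERED_SET),
    ev("alice", "%%7688\n\t{00299570-246d-11d0-a768-00aa006e0529}",    # User-Force-Change-Password
       object_type="bf967aba-0de6-11d0-a285-00aa003049e2"),          # user class, not the domain
]


def replication_rights(properties):
    """Names of the replication extended rights listed in a Properties field."""
    return [REPL_RIGHTS[g.lower()] for g in GUID_RE.findall(properties) if g.lower() in REPL_RIGHTS]


def find_dcsync(events, dcs=DOMAIN_CONTROLLERS, allowlist=frozenset()):
    """Return (subject, rights) for replication-right use on the domain object by
    anything that is not a DC or an explicitly allowlisted sync account."""
    hits = []
    for e in events:
        if not int(e["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        if DOMAIN_DNS_CLASS not in e["ObjectType"].lower():
            continue
        rights = replication_rights(e["Properties"])
        if not rights:
            continue
        who = e["SubjectUserName"]
        if who in dcs or who in allowlist:
            continue
        hits.append((who, rights))
    return hits


if __name__ == "__main__":
    for who, rights in find_dcsync(SAMPLE_4662):
        print("possible DCSync by %s: %s" % (who, ", ".join(rights)))
```

The allowlist is deliberately explicit: a directory sync account that legitimately replicates should be named, not hidden behind a broad exclusion, so that a new account appearing with these rights is always a finding.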

ACL Abuse

Active Directory permissions are complex, and BloodHound finds paths through them that I'd never discover by hand. Common ones:

  • GenericAll on a user = I can reset their password (or set an SPN on them and Kerberoast them without touching the password)
  • GenericWrite on a computer = I can write msDS-AllowedToActOnBehalfOfOtherIdentity and configure resource-based constrained delegation, then impersonate an admin to that machine
  • WriteDacl on a group = I can grant myself the right to add members, then add myself

These permissions often exist because someone needed temporary access years ago.

The fix: Regular ACL audits with BloodHound, re-run after every change window, starting from its shortest-paths-to-Domain-Admins queries. Clean up unnecessary permissions, and put an expiry on any access that is granted as "temporary".
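What BloodHound does with those ACEs is a graph search, and it is worth seeing how little is needed to reproduce it. The following is an added example (not code from the original post or from BloodHound itself): principals, ACEs and group memberships become directed edges, and a breadth-first search finds the shortest chain of abusable rights from a starting user to Domain Admins. The graph below is constructed; the right names match what BloodHound reports.

```python
# Added example (not from the original post): a BloodHound-style search for an
# escalation path through ACLs. Principals, ACEs and the abuse descriptions are
# constructed for this illustration; the right names match what BloodHound reports.
from collections import defaultdict, deque

# Rights an attacker can convert into control of the target object.
ABUSABLE = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "AddMember",
            "ForceChangePassword", "AllowedToAct"}

NODES = {"alice": "user", "bob": "user", "carol": "user", "HELPDESK": "group",
         "IT ADMINS": "group", "DOMAIN ADMINS": "group", "SRV01$": "computer"}

# (source, right, target). MemberOf is the group-membership edge; everything
# else is an ACE on the target's object. Constructed sample graph.
EDGES = [
    ("alice", "MemberOf", "HELPDESK"),
    ("HELPDESK", "GenericAll", "bob"),          # helpdesk can reset any user, including bob
    ("bob", "WriteDacl", "IT ADMINS"),          # leftover from a migration project years ago
    ("IT ADMINS", "MemberOf", "DOMAIN ADMINS"),
    ("bob", "GenericWrite", "SRV01$"),
    ("carol", "ReadProperty", "bob"),           # read-only, not abusable
]


def shortest_path(edges, start, goal):
    """BFS over MemberOf and abusable ACE edges; returns the hop list or None."""
    adj = defaultdict(list)
    for src, right, dst in edges:
        if right == "MemberOf" or right in ABUSABLE:
            adj[src].append((right, dst))
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for right, nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = (node, right)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops, node = [], goal
    while prev[node] is not None:
        parent, right = prev[node]
        hops.append((parent, right, node))
        node = parent
    return hops[::-1]


def describe(src, right, dst):
    """What the attacker actually does with each hop."""
    kind = NODES.get(dst, "object")
    if right == "MemberOf":
        return "%s is a member of %s" % (src, dst)
    if kind == "user" and right in {"GenericAll", "ForceChangePassword"}:
        return "%s can reset the password of %s" % (src, dst)
    if kind == "computer" and right in {"GenericAll", "GenericWrite"}:
        return "%s can configure resource-based constrained delegation on %s" % (src, dst)
    if kind == "group" and right in {"GenericAll", "WriteDacl", "WriteOwner", "AddMember"}:
        return "%s can add members to %s" % (src, dst)
    return "%s has %s over %s" % (src, right, dst)


if __name__ == "__main__":
    for hop in shortest_path(EDGES, "alice", "DOMAIN ADMINS") or []:
        print(describe(*hop))
```

Run it and alice, a plain helpdesk member, reaches Domain Admins in four hops without a single exploit. The fix on this graph is one ACE: remove bob's WriteDacl on IT ADMINS and the path disappears, which is exactly the kind of cleanup the audit is for.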

The Pattern

Notice that none of these attacks require exploiting a software vulnerability. They all abuse legitimate features that are misconfigured or left at weak defaults. That's why EDR on its own rarely catches them: I'm not running malware, I'm using protocols and administrative tools the way they're supposed to work, and the evidence is in the Kerberos, NTLM and directory-access logs that most shops never look at.

Security isn't about buying more products. It's about configuring what you have correctly. Start with the basics, and most of my job becomes much harder.

Vid Grosek

Ethical Hacker & Penetration Tester

I help Slovenian companies discover security vulnerabilities before attackers do. Over 5 years of penetration testing experience.
