Chapter 45: Active Directory Red Teaming¶

Overview¶

Active Directory (AD) remains the backbone of identity and access management in over 90% of Fortune 1000 enterprises. Its deeply interconnected trust model — spanning forests, domains, organizational units, and Group Policy — creates an attack surface of extraordinary complexity. A single misconfigured ACL, an overlooked delegation setting, or a vulnerable certificate template can provide an attacker a path from an unprivileged domain user to Enterprise Admin. This chapter examines the full AD red teaming lifecycle: enumeration, privilege escalation, lateral movement, domain dominance, forest trust abuse, and persistence. Every offensive technique is paired with its corresponding defensive control and detection query, ensuring that red team knowledge directly strengthens blue team capabilities.

Learning Objectives¶

By the end of this chapter, students SHALL be able to:

1. Enumerate Active Directory environments using graph-based analysis concepts
2. Identify and explain common privilege escalation paths in AD environments
3. Describe ACL abuse techniques including WriteDACL, GenericAll, and ForceChangePassword
4. Explain delegation attacks: constrained, unconstrained, and resource-based constrained delegation
5. Analyze Active Directory Certificate Services (ADCS) misconfigurations (ESC1–ESC8)
6. Map each offensive technique to its corresponding MITRE ATT&CK technique and defensive control
7. Design detection strategies for AD attack paths using event log correlation

Prerequisites¶

• Completion of Chapter 17 (Red Team Operations)
• Solid understanding of Active Directory architecture (forests, domains, trusts, OUs, GPOs)
• Familiarity with Kerberos authentication protocol
• Working knowledge of PowerShell and Windows event logging

MITRE ATT&CK Technique Mapping¶

45.1 Active Directory Enumeration Methodology¶

45.1.1 Graph-Based AD Analysis¶

Traditional enumeration lists users, groups, and computers. Graph-based analysis reveals relationships — the transitive paths that connect a low-privilege user to a high-value target. This is the conceptual foundation of tools like BloodHound.

graph TD
    A[Domain User:\nsvc_backup] -->|MemberOf| B[Group:\nIT-Support]
    B -->|GenericAll| C[User:\nadmin_jones]
    C -->|MemberOf| D[Group:\nServer-Admins]
    D -->|AdminTo| E[Server:\nDC01.corp.local]
    E -->|Contains| F[Domain Admin\nCredentials]

    style A fill:#1d3557,color:#fff
    style B fill:#457b9d,color:#fff
    style C fill:#e9c46a,color:#000
    style D fill:#f4a261,color:#000
    style E fill:#e76f51,color:#fff
    style F fill:#e63946,color:#fff

Key Concept: The attack path above shows three "hops" — each hop represents a distinct privilege escalation step. The defender's goal is to break every path by removing unnecessary permissions.

45.1.2 LDAP Enumeration Concepts¶

LDAP queries form the backbone of AD enumeration. Understanding what data is accessible to any authenticated domain user is critical for defenders.

# CONCEPTUAL — Understanding what data LDAP exposes
# Any authenticated domain user can query:
# - All user objects and their attributes
# - Group memberships (including nested)
# - Computer objects and OS versions
# - Trust relationships
# - GPO objects and links
# - Certificate templates (if ADCS is deployed)

# Example LDAP filter concept for finding accounts
# with Service Principal Names (Kerberoastable):
# (&(objectClass=user)(servicePrincipalName=*))

# CONCEPTUAL — ACL data that reveals attack paths
# PowerView concept: Get-DomainObjectAcl
# Returns Access Control Entries (ACEs) for AD objects
#
# Dangerous permissions to look for:
# - GenericAll: Full control over the object
# - GenericWrite: Modify most attributes
# - WriteDACL: Modify the object's ACL itself
# - WriteOwner: Take ownership of the object
# - ForceChangePassword: Reset password without knowing current
# - AddMember: Add members to a group

45.1.3 SharpHound Collection Concepts¶

SharpHound is the data collector for BloodHound. Understanding its collection methods helps defenders identify enumeration activity.

45.2 Privilege Escalation Paths¶

45.2.1 ACL Abuse Techniques¶

ACL misconfigurations are the most common source of AD privilege escalation paths. Each represents a defensive gap that can be identified and remediated proactively.

WriteDACL Abuse¶

Concept: If a principal has WriteDACL permission on an object, they can modify the object's Discretionary Access Control List — effectively granting themselves any permission they want on that object.

SYNTHETIC SCENARIO — WriteDACL Abuse Path
══════════════════════════════════════════════════════
Domain: SYNTHETICCORP.LOCAL (192.168.10.0/24)

1. User "svc_monitor" has WriteDACL on OU "Privileged-Users"
2. Attacker (as svc_monitor) adds GenericAll ACE for themselves
3. Attacker now has full control over all users in that OU
4. High-value target "admin_martinez" is in that OU
5. Attacker resets admin_martinez's password
6. admin_martinez is member of Domain Admins

RESULT: Domain user → Domain Admin in 3 steps

# CONCEPTUAL FLOW — NOT executable commands
# Step 1: Identify WriteDACL permission
#   → PowerView: Get-DomainObjectAcl -Identity "Privileged-Users"
#   → Look for: ActiveDirectoryRights = WriteDacl

# Step 2: Add GenericAll ACE (concept)
#   → Add-DomainObjectAcl -TargetIdentity "admin_martinez"
#     -PrincipalIdentity "svc_monitor" -Rights All

# Step 3: Abuse GenericAll (concept)
#   → Set-DomainUserPassword -Identity "admin_martinez"

# DETECTION — Windows Security Event Log
# Event ID 5136: Directory Service Object Modified
# Look for: nTSecurityDescriptor attribute changes
# Alert when: Any modification to DACL of privileged objects

# PREVENTION CHECKLIST:
# □ Audit all WriteDACL permissions with BloodHound
# □ Remove unnecessary WriteDACL grants
# □ Enable Advanced Auditing: DS Object Changes
# □ Protected Users group for high-value accounts
# □ AdminSDHolder enforcement review

GenericAll Abuse¶

Concept: GenericAll grants complete control over an AD object. The abuse depends on the object type:

ForceChangePassword¶

Concept: This permission allows resetting a user's password without knowing the current password. It is commonly granted to helpdesk groups but often over-scoped to include privileged accounts.

45.2.2 Delegation Attacks¶

Kerberos delegation allows services to impersonate users when accessing other services. Three types exist, each with distinct security implications.

graph LR
    subgraph Unconstrained
        A1[User] -->|TGT forwarded| B1[Server with\nUnconstrained\nDelegation]
        B1 -->|User's TGT| C1[Any Service]
    end

    subgraph Constrained
        A2[User] -->|TGS| B2[Server with\nConstrained\nDelegation]
        B2 -->|S4U2Proxy| C2[Allowed\nServices Only]
    end

    subgraph RBCD
        A3[User] -->|TGS| B3[Target Server]
        B3 -->|Configured to trust| C3[Requesting\nServer]
    end

    style B1 fill:#e63946,color:#fff
    style B2 fill:#e9c46a,color:#000
    style B3 fill:#2d6a4f,color:#fff

Unconstrained Delegation¶

When a server is configured for unconstrained delegation, any user's TGT (Ticket Granting Ticket) is cached on that server when they authenticate. An attacker who compromises such a server can harvest all cached TGTs.

Printer Bug / SpoolService Concept: An attacker can coerce a Domain Controller to authenticate to an attacker-controlled host with unconstrained delegation. The DC's machine account TGT is then captured, enabling DCSync.

-- Detect unconstrained delegation configurations
-- Query: Find all accounts with unconstrained delegation
-- LDAP filter concept: (userAccountControl:1.2.840.113556.1.4.803:=524288)

SecurityEvent
| where EventID == 4624
| where LogonType == 3
| where TargetServerName in (UDServers)  // Known UD servers
| where SubjectUserName endswith "$"      // Machine accounts
| where SubjectUserName startswith "DC"   // Domain controller coercion
| summarize count() by TargetServerName, SubjectUserName, bin(TimeGenerated, 1h)

Resource-Based Constrained Delegation (RBCD)¶

Concept: RBCD flips the delegation model — the target server specifies which services can delegate to it, via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. An attacker who can write to this attribute on a computer object can configure delegation from an account they control.

Prerequisites for RBCD attack (conceptual):

1. Write permission on a computer's msDS-AllowedToActOnBehalfOfOtherIdentity
2. A computer account the attacker controls (any domain user can create up to 10 by default via ms-DS-MachineAccountQuota)
3. The target computer must not have delegation protections

45.3 Domain Dominance Techniques¶

45.3.1 DCSync Concept¶

DCSync simulates the behavior of a domain controller requesting replication data. It requires the Replicating Directory Changes and Replicating Directory Changes All privileges — normally held only by Domain Admins and Domain Controllers.

CONCEPTUAL FLOW — DCSync
═══════════════════════════════════════
Attacker (with replication rights)
    │
    ▼
Domain Controller (DC01 — 192.168.10.10)
    │ DRS_REPLICATION_GET_CHANGES_ALL
    ▼
Returns: NTLM hashes for all domain accounts
    │
    ▼
Including: krbtgt hash → Golden Ticket capability

# Monitor for replication requests from non-DC sources
# Event ID: 4662 (An operation was performed on an object)
# Properties:
#   {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}  ← DS-Replication-Get-Changes
#   {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}  ← DS-Replication-Get-Changes-All
#
# ALERT: When SubjectUserName is NOT a domain controller machine account
# PRIORITY: CRITICAL

# PREVENTION CHECKLIST — DCSync
# □ Audit who holds replication rights (should be DCs only)
# □ Remove replication rights from all non-DC accounts
# □ Enable Advanced Audit Policy: DS Access
# □ Monitor Event ID 4662 with specific GUIDs above
# □ Implement tiered administration (Tier 0 isolation)
# □ Deploy Microsoft ATA/Defender for Identity

45.3.2 Golden Ticket Concept¶

A Golden Ticket is a forged TGT created using the krbtgt account's NTLM hash. It grants unrestricted access to any resource in the domain for the ticket's lifetime (default: 10 years in forged tickets).

45.3.3 Silver Ticket Concept¶

A Silver Ticket is a forged TGS (Ticket Granting Service) ticket for a specific service, created using that service account's NTLM hash. Unlike Golden Tickets, Silver Tickets never touch the domain controller, making them harder to detect.

45.4 Active Directory Certificate Services (ADCS) Attacks¶

ADCS provides PKI services within AD environments. Misconfigurations in certificate templates create some of the most impactful escalation paths in modern AD environments.

45.4.1 ADCS Escalation Taxonomy (ESC1–ESC8)¶

graph TD
    A[ADCS Misconfigurations] --> B[ESC1: Template allows\nSAN specification]
    A --> C[ESC2: Template allows\nany purpose EKU]
    A --> D[ESC3: Enrollment agent\ntemplate abuse]
    A --> E[ESC4: Template ACL\nmisconfiguration]
    A --> F[ESC5: CA server\nobject ACL abuse]
    A --> G[ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2\nflag on CA]
    A --> H[ESC7: CA manager\napproval bypass]
    A --> I[ESC8: NTLM relay\nto HTTP enrollment]

    style A fill:#1d3557,color:#fff
    style B fill:#e63946,color:#fff
    style F fill:#e63946,color:#fff
    style G fill:#e63946,color:#fff
    style I fill:#e63946,color:#fff

ESC1 — Subject Alternative Name (SAN) Abuse¶

Concept: If a certificate template allows the enrollee to specify a Subject Alternative Name (SAN), any user who can enroll can request a certificate with the SAN set to a Domain Admin's UPN, then authenticate as that admin.

Vulnerable template conditions (ALL must be true):

1. Template allows enrollment by low-privilege users
2. Manager approval is NOT required
3. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set
4. Template has an EKU that enables authentication (Client Authentication, Smart Card Logon, PKINIT, or Any Purpose)

# CONCEPTUAL — Identifying ESC1 vulnerable templates
# Tool concept: Certify.exe find /vulnerable
# Or: certipy find -vulnerable
#
# Look for templates where:
#   Enrollment Rights: Domain Users (or similar broad group)
#   Requires Manager Approval: False
#   Enrollee Supplies Subject: True
#   Extended Key Usage: Client Authentication
#
# SYNTHETIC EXAMPLE OUTPUT:
# Template: UserAuthentication-Legacy
# Enrollment: SYNTHETICCORP\Domain Users
# Supply Subject: True
# Manager Approval: False
# EKU: Client Authentication
# STATUS: VULNERABLE TO ESC1

# REMEDIATION — ESC1
# □ Remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT from all templates
#   that grant Client Authentication EKU
# □ If SAN is required, enable Manager Approval
# □ Restrict enrollment to specific security groups
# □ Audit all certificate templates quarterly
# □ Monitor Event ID 4887 (certificate request with SAN)
# □ Deploy Certify/Certipy in audit mode as part of AD health checks

ESC8 — NTLM Relay to ADCS HTTP Enrollment¶

Concept: If the ADCS web enrollment interface accepts NTLM authentication without EPA (Extended Protection for Authentication), an attacker can relay NTLM authentication from a coerced machine account to the CA and request a certificate as that machine.

45.5 Persistence Mechanisms¶

45.5.1 SID History Injection¶

Concept: The sIDHistory attribute allows a migrated user to retain access to resources in their previous domain. An attacker with Domain Admin privileges can inject the SID of a privileged group (e.g., Enterprise Admins, S-1-5-21-...-519) into a regular user's SID history, granting persistent elevated access.

Detection:

• Monitor Event ID 4765 (SID History added to an account)
• Monitor Event ID 4766 (SID History addition attempt failed)
• Alert on any non-migration SID history modifications

45.5.2 GPO Abuse for Persistence¶

Concept: An attacker with write access to a Group Policy Object linked to critical OUs can deploy persistent access mechanisms — scheduled tasks, startup scripts, or registry modifications — that execute every time Group Policy refreshes.

SYNTHETIC SCENARIO — GPO Persistence
══════════════════════════════════════════════════════
Domain: SYNTHETICCORP.LOCAL

1. Attacker compromises account with GPO edit rights
2. Creates Immediate Scheduled Task in Default Domain Policy
3. Task runs a PowerShell reverse shell concept every 90 minutes
4. Applies to ALL domain-joined computers
5. Survives system rebuild (GPO reapplied on domain join)

DETECTION:
- Event ID 5136: GPO object modification in AD
- Event ID 4698: Scheduled task created (on endpoints)
- Monitor: \\SYNTHETICCORP.LOCAL\SYSVOL changes
- Tool: Group Policy change auditing solutions

45.5.3 Shadow Credentials¶

Concept: The msDS-KeyCredentialLink attribute allows certificate-based authentication via Windows Hello for Business (WHfB). An attacker with write permissions to this attribute on a user or computer can add their own key credential, enabling authentication as that principal without modifying the password.

# CONCEPTUAL — Shadow Credentials Attack Flow
# 1. Attacker has GenericWrite on target computer SQLSRV01$
# 2. Generate key pair (concept: Whisker tool)
# 3. Write attacker's public key to msDS-KeyCredentialLink
# 4. Request TGT using PKINIT with the corresponding private key
# 5. Authenticate as SQLSRV01$ machine account
# 6. Perform S4U2Self to obtain TGS as any user to SQLSRV01

# DETECTION — Shadow Credentials
# Event ID 5136: DS Object Modified
# Attribute: msDS-KeyCredentialLink
# Alert: ANY modification to this attribute outside of
#        legitimate WHfB enrollment workflows
#
# PREVENTION:
# □ Audit write permissions on msDS-KeyCredentialLink
# □ Remove unnecessary GenericWrite/GenericAll permissions
# □ Monitor attribute changes via Directory Service auditing
# □ Consider clearing msDS-KeyCredentialLink where WHfB
#   is not deployed

45.6 Forest Trust Attacks¶

45.6.1 Trust Relationship Concepts¶

graph TD
    subgraph Forest A
        A1[corp.syntheticcorp.local] -->|Parent-Child\nBidirectional| A2[us.corp.syntheticcorp.local]
        A1 -->|Parent-Child\nBidirectional| A3[eu.corp.syntheticcorp.local]
    end

    subgraph Forest B
        B1[partner.synthetictrust.local]
    end

    A1 ---|External Trust\nBidirectional| B1

    style A1 fill:#1d3557,color:#fff
    style A2 fill:#457b9d,color:#fff
    style A3 fill:#457b9d,color:#fff
    style B1 fill:#2d6a4f,color:#fff

Key concept: Intra-forest trusts are inherently transitive — compromise of any domain in a forest leads to compromise of the entire forest (via the krbtgt trust key or Enterprise Admins SID injection). Cross-forest trusts can be abused through SID filtering bypass or unconstrained delegation.

45.6.2 SID Filtering and Its Limitations¶

SID filtering is the primary defense against cross-trust SID history injection. When enabled, the trusting domain strips foreign SIDs from authentication tokens. However:

• SID filtering is not enabled by default on intra-forest trusts
• Even with SID filtering, SIDs from the trusted domain's own forest are allowed
• Some organizations disable SID filtering for "migration convenience" and forget to re-enable it

45.7 Lab Concept: Domain User to Domain Admin in Three Hops¶

LAB ENVIRONMENT (SYNTHETIC — NOT a real network)
════════════════════════════════════════════════════════════
Domain: LAB.SYNTHETICCORP.LOCAL
DC: DC01 (192.168.10.10)
Workstation: WS01 (192.168.10.50)
SQL Server: SQL01 (192.168.10.30)

Starting point: Domain user "jsmith" (standard user)

HOP 1: ACL Abuse
─────────────────
BloodHound reveals: jsmith → MemberOf → IT-Support
IT-Support → ForceChangePassword → svc_sql

Action concept: Reset svc_sql password
Result: Control of svc_sql account

HOP 2: Constrained Delegation
──────────────────────────────
svc_sql is configured for constrained delegation to SQL01
msDS-AllowedToDelegateTo: MSSQLSvc/SQL01.LAB.SYNTHETICCORP.LOCAL

Action concept: S4U2Self + S4U2Proxy to impersonate admin to SQL01
Result: Admin access on SQL01

HOP 3: Credential Harvesting
─────────────────────────────
SQL01 has a cached session from admin_garcia (Domain Admin)
Concept: Extract credentials from LSASS memory

Action concept: Use admin_garcia credentials
Result: Domain Admin access

TOTAL HOPS: 3
DEFENSIVE BREAKS NEEDED:
  □ Remove ForceChangePassword from IT-Support on svc_sql
  □ Move to constrained delegation with protocol transition disabled
  □ Enable Credential Guard on SQL01
  □ Place admin_garcia in Protected Users group
  □ Implement tiered administration (Tier 0/1/2)

45.8 Blue Team Detection Correlation¶

45.8.1 Detection Matrix¶

45.8.2 Tiered Administration Model¶

The single most effective defense against AD attack paths is the tiered administration model:

TIER 0 — Domain Controllers, ADCS, AD Admin accounts
  → Dedicated PAWs, no internet access, separate credentials
  → Monitored with highest fidelity

TIER 1 — Member Servers (SQL, Exchange, File, App servers)
  → Server admins cannot log into Tier 0 or Tier 2
  → Separate admin accounts from daily-use accounts

TIER 2 — Workstations and End-User Devices
  → Help desk accounts scoped to Tier 2 only
  → Local admin password solution (LAPS) deployed

Exam Prep & Certifications¶

Review Questions¶

Key Takeaways¶