Chapter 45 Quiz: Active Directory Red Teaming
Test your knowledge of BloodHound analysis, ACL abuse, Kerberoasting, delegation attacks, Active Directory Certificate Services (ADCS) exploitation, and golden/silver ticket attacks.
Questions
1. A red team operator runs BloodHound and identifies a path from a compromised standard user to Domain Admin through three intermediate group memberships and one ACL edge. What does this attack path represent?
- A) A vulnerability in BloodHound's graphing algorithm
- B) A chained privilege escalation path where each hop grants incrementally higher permissions, ultimately reaching Domain Admin through transitive relationships
- C) A misconfiguration in DNS that allows lateral movement
- D) A false positive caused by stale Active Directory objects
Answer
B — A chained privilege escalation path where each hop grants incrementally higher permissions, ultimately reaching Domain Admin through transitive relationships
BloodHound maps Active Directory relationships (group memberships, ACLs, sessions, GPO links) and identifies attack paths through graph theory. Multi-hop paths reveal how seemingly low-risk permissions chain together to create critical escalation routes. A path from a standard user to Domain Admin through transitive group memberships and ACL edges represents a real, exploitable privilege escalation chain.
2. An attacker discovers that their compromised user account has GenericAll permissions on another user object in Active Directory. What attack can the attacker perform?
- A) Only read the target user's attributes
- B) Perform any operation on the target object including password reset, SPN modification (for targeted Kerberoasting), or adding the account to privileged groups
- C) Only modify the target user's group memberships
- D) Only view the target user's Kerberos tickets
Answer
B — Perform any operation on the target object including password reset, SPN modification (for targeted Kerberoasting), or adding the account to privileged groups
GenericAll grants full control over the target object, equivalent to object ownership. On a user object, this enables: resetting the password without knowing the current one, modifying the servicePrincipalName attribute to enable targeted Kerberoasting, adding the user to groups, modifying logon scripts, and writing to any attribute. This is one of the most powerful ACL edges in BloodHound attack paths.
3. What is the fundamental difference between Kerberoasting and AS-REP Roasting in terms of prerequisites and target accounts?
- A) Kerberoasting targets machine accounts; AS-REP Roasting targets user accounts
- B) Kerberoasting requires any authenticated domain account and targets accounts with SPNs; AS-REP Roasting targets accounts with Kerberos pre-authentication disabled and can be performed without domain credentials
- C) Kerberoasting requires domain admin; AS-REP Roasting requires only standard user access
- D) Kerberoasting works against Linux systems; AS-REP Roasting works against Windows systems
Answer
B — Kerberoasting requires any authenticated domain account and targets accounts with SPNs; AS-REP Roasting targets accounts with Kerberos pre-authentication disabled and can be performed without domain credentials
Kerberoasting requests TGS tickets for service accounts with registered SPNs — the returned ticket is encrypted with the service account's hash and can be cracked offline. AS-REP Roasting targets accounts where the DONT_REQUIRE_PREAUTH flag is set, requesting an AS-REP that contains encrypted material crackable offline. AS-REP Roasting can be performed with just a list of usernames and no domain credentials.
4. A red team operator performs a DCSync attack using Mimikatz (lsadump::dcsync /domain:corp.local /user:krbtgt). What Active Directory permission is required for this attack, and what does it retrieve?
- A) Local administrator on the domain controller; retrieves the SAM database
- B) Replicating Directory Changes and Replicating Directory Changes All rights; retrieves the krbtgt account's NTLM hash by simulating domain controller replication
- C) Schema Admin privileges; retrieves the Active Directory schema
- D) DNS Admin privileges; retrieves DNS zone transfer data
Answer
B — Replicating Directory Changes and Replicating Directory Changes All rights; retrieves the krbtgt account's NTLM hash by simulating domain controller replication
DCSync abuses the Directory Replication Service (DRS) protocol to request password data as if the attacker were a domain controller performing replication. It requires Replicating Directory Changes and Replicating Directory Changes All permissions, which Domain Admins and domain controllers possess by default. Retrieving the krbtgt hash enables Golden Ticket creation for unlimited domain persistence.
5. What is the difference between a Golden Ticket and a Silver Ticket in terms of scope, creation requirements, and detection difficulty?
- A) Golden Tickets are created with the domain admin hash; Silver Tickets with any user hash
- B) Golden Tickets are forged TGTs created with the krbtgt hash, granting access to any service in the domain; Silver Tickets are forged TGS tickets created with a specific service account hash, granting access only to that service but without contacting the KDC
- C) Golden Tickets work across forests; Silver Tickets work within a single OU
- D) Golden Tickets expire after 10 hours; Silver Tickets never expire
Answer
B — Golden Tickets are forged TGTs created with the krbtgt hash, granting access to any service in the domain; Silver Tickets are forged TGS tickets created with a specific service account hash, granting access only to that service but without contacting the KDC
Golden Tickets forge TGTs signed with the krbtgt hash, allowing the attacker to request TGS tickets for any service as any user (including non-existent ones). Silver Tickets forge TGS tickets for a specific service using that service's NTLM hash. Silver Tickets are harder to detect because they never touch the KDC — the forged TGS is presented directly to the target service.
6. An attacker discovers that a compromised account has WriteDacl permissions on the domain object. How can this be abused for privilege escalation?
- A) The attacker can read all domain objects but cannot modify them
- B) The attacker can modify the domain object's DACL to grant themselves DCSync rights (Replicating Directory Changes), then extract all domain credentials
- C) The attacker can only modify password policies
- D) The attacker can delete the domain object
Answer
B — The attacker can modify the domain object's DACL to grant themselves DCSync rights (Replicating Directory Changes), then extract all domain credentials
WriteDacl allows modification of the object's Discretionary Access Control List. On the domain object, this means the attacker can add an ACE granting their compromised account the Replicating Directory Changes and Replicating Directory Changes All extended rights, enabling a DCSync attack. This is a critical ACL abuse path that BloodHound specifically identifies and highlights.
7. What is Constrained Delegation, and how can it be abused by an attacker who compromises an account configured with this setting?
- A) Constrained Delegation limits which users can log on to a server
- B) Constrained Delegation allows a service to impersonate users to specific backend services; an attacker can abuse it using S4U2Self and S4U2Proxy to obtain service tickets for the allowed services as any domain user
- C) Constrained Delegation restricts which GPOs apply to a computer
- D) Constrained Delegation limits Kerberos ticket lifetime
Answer
B — Constrained Delegation allows a service to impersonate users to specific backend services; an attacker can abuse it using S4U2Self and S4U2Proxy to obtain service tickets for the allowed services as any domain user
Constrained Delegation (configured via msDS-AllowedToDelegateTo) permits a service to request tickets on behalf of users for specific SPNs. An attacker with the service's credentials can use S4U2Self to obtain a forwardable ticket for any user, then S4U2Proxy to present that ticket to the allowed backend services. If the allowed SPN includes CIFS or HTTP on a domain controller, this can escalate to domain compromise.
8. A red team operator discovers an Active Directory Certificate Services (ADCS) server with a certificate template that allows low-privileged users to enroll and specify a Subject Alternative Name (SAN). Why is this a critical vulnerability?
- A) It allows denial of service against the CA
- B) The attacker can request a certificate with an arbitrary SAN (e.g., the Domain Admin UPN), then use that certificate for Kerberos authentication as the privileged user (ESC1)
- C) It exposes the CA's private key
- D) It allows the attacker to revoke all issued certificates
Answer
B — The attacker can request a certificate with an arbitrary SAN (e.g., the Domain Admin UPN), then use that certificate for Kerberos authentication as the privileged user (ESC1)
ESC1 (Escalation Scenario 1) in ADCS exploitation occurs when a certificate template allows enrollees to specify the Subject Alternative Name (SAN) and has enrollment rights for low-privileged users. The attacker enrolls with a SAN containing a Domain Admin's UPN, receives a valid certificate, and uses it for PKINIT Kerberos authentication. This effectively impersonates the Domain Admin with a CA-signed certificate.
9. What is Resource-Based Constrained Delegation (RBCD), and how does it differ from traditional Constrained Delegation in terms of configuration and attack prerequisites?
- A) RBCD requires Schema Admin to configure; traditional delegation requires Domain Admin
- B) RBCD is configured on the target (backend) service via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, and can be abused by anyone with write access to that attribute — unlike traditional delegation, which requires Domain Admin to configure
- C) RBCD only works in Azure AD; traditional delegation only works on-premises
- D) RBCD uses NTLM; traditional delegation uses Kerberos
Answer
B — RBCD is configured on the target (backend) service via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, and can be abused by anyone with write access to that attribute — unlike traditional delegation, which requires Domain Admin to configure
RBCD shifts delegation configuration from the front-end service (requiring SeEnableDelegationPrivilege, typically Domain Admin) to the back-end resource. An attacker with write access to a computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute can configure a controlled account to delegate to that computer, then use S4U2Self and S4U2Proxy to access the target as any user.
10. A red team operator discovers that Group Policy Preferences (GPP) files in SYSVOL contain encrypted passwords. Why are these passwords a security risk despite being encrypted?
- A) GPP uses strong encryption that requires quantum computing to break
- B) Microsoft published the AES-256 decryption key in MSDN documentation, making all GPP-encrypted passwords trivially decryptable using tools like gpp-decrypt
- C) GPP passwords are encrypted with the domain controller's machine account hash
- D) GPP passwords are only accessible to Domain Admins
Answer
B — Microsoft published the AES-256 decryption key in MSDN documentation, making all GPP-encrypted passwords trivially decryptable using tools like gpp-decrypt
Group Policy Preferences allowed administrators to push local admin passwords, drive mappings, and scheduled tasks via SYSVOL. The passwords were encrypted with a static AES-256 key that Microsoft published in MSDN documentation (MS14-025). Any authenticated domain user can read SYSVOL, find cpassword values in Groups.xml, ScheduledTasks.xml, and similar files, and instantly decrypt them.
11. An attacker has compromised an account with ForceChangePassword ACL rights on a target user. What can the attacker do, and how does this differ from GenericAll?
- A) The attacker can view the target's current password hash
- B) The attacker can reset the target's password to a known value without knowing the current password, but unlike GenericAll, cannot modify other attributes such as SPNs or group memberships
- C) The attacker can only unlock the target account
- D) The attacker can force the target to change their password at next logon
Answer
B — The attacker can reset the target's password to a known value without knowing the current password, but unlike GenericAll, cannot modify other attributes such as SPNs or group memberships
ForceChangePassword (User-Force-Change-Password extended right) allows resetting a user's password without knowing the current password. This is more limited than GenericAll, which grants full control over all object attributes. However, password reset alone is sufficient to take over the target account and is a viable privilege escalation step in multi-hop BloodHound attack paths.
12. What is the purpose of the AdminSDHolder mechanism in Active Directory, and how can it be abused for persistence?
- A) AdminSDHolder manages DNS records for domain controllers
- B) AdminSDHolder automatically propagates its ACL to all protected groups (Domain Admins, Enterprise Admins, etc.) every 60 minutes via SDProp; an attacker who modifies the AdminSDHolder ACL gains persistent access to all protected objects
- C) AdminSDHolder stores backup domain admin credentials
- D) AdminSDHolder controls Group Policy processing order
Answer
B — AdminSDHolder automatically propagates its ACL to all protected groups (Domain Admins, Enterprise Admins, etc.) every 60 minutes via SDProp; an attacker who modifies the AdminSDHolder ACL gains persistent access to all protected objects
The Security Descriptor Propagation (SDProp) process runs every 60 minutes and overwrites the ACL of protected accounts and groups with the AdminSDHolder container's ACL. An attacker with sufficient access can add an ACE to AdminSDHolder granting their controlled account permissions over all protected objects. Even if defenders clean up the compromised account's direct permissions, SDProp restores them within an hour.
13. During an AD red team engagement, the operator discovers a trust relationship between the current domain and a parent domain. What attack can exploit the SID History attribute to escalate from the child domain to the parent domain?
- A) Pass-the-Hash across the domain trust
- B) Create a Golden Ticket in the child domain with the Enterprise Admins SID from the parent domain injected into the SID History, enabling cross-domain escalation via SID History injection
- C) Kerberoast service accounts in the parent domain
- D) Perform LLMNR poisoning across the trust boundary
Answer
B — Create a Golden Ticket in the child domain with the Enterprise Admins SID from the parent domain injected into the SID History, enabling cross-domain escalation via SID History injection
In a parent-child trust relationship, an attacker who compromises the child domain's krbtgt hash can forge a Golden Ticket that includes the Enterprise Admins SID (from the parent domain) in the SID History field. When this ticket is presented across the trust boundary, the parent domain grants Enterprise Admin privileges because it trusts the child domain's krbtgt-signed ticket and honors the SID History.
14. A red team operator needs to enumerate all Kerberoastable accounts in the domain. Which LDAP filter would most effectively identify service accounts with SPNs?
- A) (objectClass=computer)
- B) (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt)))
- C) (memberOf=Domain Admins)
- D) (userAccountControl=514)
Answer
B — (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt)))
This LDAP filter identifies user accounts (not computer accounts) that have at least one SPN registered, excluding the krbtgt account. These accounts are Kerberoastable — any authenticated user can request TGS tickets for their SPNs and attempt offline cracking. Tools like Rubeus, Impacket's GetUserSPNs, and PowerView automate this enumeration and ticket extraction process.
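As an added example that is not part of the quiz, the predicate behind the option B filter and the DONT_REQUIRE_PREAUTH check from question 3, applied offline to constructed user records so a defender can audit an export of user objects before an attacker enumerates them. The ADUser class, the sample account names and the SPNs are assumptions made for the example.

```python
from dataclasses import dataclass, field

# userAccountControl bit flags (well-known values from the AD schema)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000


@dataclass
class ADUser:
    """Minimal stand-in for one LDAP search result (constructed, not a real export)."""
    cn: str
    object_category: str            # "person" for user objects, "computer" for machine accounts
    object_class: str               # "user" or "computer"
    user_account_control: int
    spns: list = field(default_factory=list)


def is_kerberoastable(u: ADUser) -> bool:
    """Same predicate as the quiz's LDAP filter:
    (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt)))"""
    return (u.object_category == "person"
            and u.object_class == "user"
            and len(u.spns) > 0
            and u.cn.lower() != "krbtgt")


def is_asrep_roastable(u: ADUser) -> bool:
    """User object with Kerberos pre-authentication disabled (question 3)."""
    return u.object_category == "person" and bool(u.user_account_control & UF_DONT_REQUIRE_PREAUTH)


def audit(users):
    """Return (cn, finding, enabled) tuples for accounts a defender should remediate."""
    findings = []
    for u in users:
        enabled = not (u.user_account_control & UF_ACCOUNTDISABLE)
        if is_kerberoastable(u):
            findings.append((u.cn, "kerberoastable", enabled))
        if is_asrep_roastable(u):
            findings.append((u.cn, "asrep-roastable", enabled))
    return findings


# Constructed sample directory; names and SPNs are made up for the example.
# Note that 514 (option D) is NORMAL_ACCOUNT | ACCOUNTDISABLE, i.e. disabled users, not SPN holders.
SAMPLE_USERS = [
    ADUser("svc_sql", "person", "user", UF_NORMAL_ACCOUNT | 0x10000, ["MSSQLSvc/sql01.corp.local:1433"]),
    ADUser("krbtgt", "person", "user", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, ["kadmin/changepw"]),
    ADUser("legacy_app", "person", "user", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ADUser("WS01$", "computer", "computer", 0x1000, ["HOST/ws01.corp.local"]),
    ADUser("jdoe", "person", "user", UF_NORMAL_ACCOUNT),
]

if __name__ == "__main__":
    for cn, finding, enabled in audit(SAMPLE_USERS):
        print(f"{cn:12} {finding:16} enabled={enabled}")
```

Running it lists svc_sql as Kerberoastable and legacy_app as AS-REP roastable, while krbtgt and the computer account are correctly excluded.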
15. An Active Directory environment has implemented tiered administration (Tier 0 for domain controllers, Tier 1 for servers, Tier 2 for workstations). A red team operator compromises a Tier 1 server and finds a Tier 0 admin session. What does this indicate about the tiering implementation?
- A) The tiering model is working correctly — Tier 0 admins should manage Tier 1 servers
- B) Tier 0 credential exposure on a Tier 1 asset violates the tiered administration model, indicating that privileged access boundaries are not properly enforced
- C) The operator should escalate to Tier 2 first before attacking Tier 0
- D) Tier 0 sessions on Tier 1 servers are acceptable during maintenance windows
Answer
B — Tier 0 credential exposure on a Tier 1 asset violates the tiered administration model, indicating that privileged access boundaries are not properly enforced
The tiered administration model specifically prohibits higher-tier credentials from being used on lower-tier assets. A Tier 0 admin session on a Tier 1 server means those credentials can be extracted from memory (via Mimikatz or similar), breaking the entire tiering model. This is a critical finding in AD red team assessments, demonstrating that administrative practices undermine the architectural security controls.
Scoring
| Score | Performance |
|---|---|
| 14–15 | Expert — Active Directory red teaming concepts fully internalized |
| 11–13 | Proficient — Ready to operate in AD-focused red team engagements |
| 8–10 | Developing — Review Chapter 45 BloodHound, ACL abuse, and delegation sections |
| <8 | Foundational — Re-read Chapter 45 before proceeding |