Chapter 17 Key Takeaways
Active Directory Attacks
1. Active Directory Is the Crown Jewel
Over 90% of enterprise networks use Active Directory. Compromising AD means compromising everything: every workstation, every server, every mailbox, every file share. This is why AD attacks are the culmination of most enterprise penetration tests, and why defending AD is the highest-priority security objective.
2. Enumeration Is Everything
BloodHound, PowerView, and ADRecon reveal attack paths invisible to manual analysis. The time invested in thorough AD enumeration before attempting attacks is always well spent. BloodHound's graph-based analysis can discover complex, multi-hop attack paths that no human could identify through manual review.
3. Kerberoasting Is the Most Impactful First Move
Any authenticated domain user can Kerberoast. Service accounts with weak passwords and SPNs provide a reliable path to credential harvesting without triggering obvious security alerts. The defense is straightforward: Group Managed Service Accounts (gMSAs) or 25+ character passwords on all service accounts.
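A detection that pairs with the defensive advice above, as an added example that is not part of the chapter: it scans Windows Security event 4769 (Kerberos service ticket requested) records for two Kerberoasting signals, RC4 tickets issued for user-account SPNs and one principal requesting tickets for many distinct service accounts in a short window. The events, the CORP.LOCAL domain, the account names and the thresholds are all constructed for the example; the field meanings (TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is AES256, status 0x0 is success) are the real ones.

```python
"""Detect Kerberoasting activity in Windows Security event 4769 records.

Added example for this chapter, not the book's own tooling. The events
below are constructed to look like 4769 entries as a SIEM exports them,
with field names shortened for readability. Two signals are checked:
  * RC4-HMAC (TicketEncryptionType 0x17) requested for a user-account
    SPN, which stands out in a domain where AES is the norm; and
  * one account requesting tickets for many distinct service accounts
    inside a short window, the pattern bulk-roasting tools produce.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                    # TicketEncryptionType value for RC4-HMAC
BURST_THRESHOLD = 5                  # distinct service accounts per window (assumed)
BURST_WINDOW = timedelta(minutes=5)  # assumed window size

# Constructed sample events (not real log data). status 0x0 = success.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "alice@CORP.LOCAL", "service": "WS01$",      "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:00:05", "user": "alice@CORP.LOCAL", "service": "svc_sql",    "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:01:00", "user": "carol@CORP.LOCAL", "service": "legacy_app", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:10:00", "user": "bob@CORP.LOCAL",   "service": "svc_sql",    "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:10:10", "user": "bob@CORP.LOCAL",   "service": "svc_web",    "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:10:20", "user": "bob@CORP.LOCAL",   "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:10:30", "user": "bob@CORP.LOCAL",   "service": "svc_sccm",   "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:10:40", "user": "bob@CORP.LOCAL",   "service": "svc_report", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:10:45", "user": "bob@CORP.LOCAL",   "service": "svc_old",    "etype": "0x17", "status": "0xe"},
]


def is_user_spn(service: str) -> bool:
    """Only user accounts with SPNs are roastable: skip machine accounts
    (names ending in $) and krbtgt, whose tickets are not the target here."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoasting(events):
    """Return (rc4_requests, bursts).

    rc4_requests: list of (user, service) for successful RC4 requests to
                  user-account SPNs.
    bursts:       {user: sorted distinct services} for users that reached
                  BURST_THRESHOLD services inside one BURST_WINDOW.
    """
    rc4_requests = []
    per_user = defaultdict(list)  # user -> [(timestamp, service)]
    for ev in events:
        if ev["status"] != "0x0" or not is_user_spn(ev["service"]):
            continue
        ts = datetime.fromisoformat(ev["time"])
        per_user[ev["user"]].append((ts, ev["service"]))
        if ev["etype"] == RC4_HMAC:
            rc4_requests.append((ev["user"], ev["service"]))

    bursts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # sliding window: distinct services requested within BURST_WINDOW of `start`
            services = {svc for ts, svc in reqs[i:] if ts - start <= BURST_WINDOW}
            if len(services) >= BURST_THRESHOLD:
                bursts[user] = sorted(services)
                break
    return rc4_requests, bursts


if __name__ == "__main__":
    rc4, bursts = find_kerberoasting(EVENTS)
    for user, svc in rc4:
        print(f"RC4 service ticket: {user} -> {svc}")
    for user, services in bursts.items():
        print(f"Burst: {user} requested {len(services)} services: {', '.join(services)}")
```

The RC4 signal only works once the domain's service accounts support AES and the default has been moved away from RC4; the burst signal is independent of encryption type and is the one to keep if legacy RC4 traffic is still common. Either way, a hit is a prompt to check the affected service accounts' password length and whether they can be converted to gMSAs.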
4. Delegation Misconfigurations Are Everywhere
Unconstrained delegation, constrained delegation, and RBCD misconfigurations are found in nearly every large AD environment. Understanding all three delegation types and their exploitation is essential for both attackers and defenders.
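An audit routine covering all three delegation types, added here as an example rather than taken from the chapter. It classifies user and computer objects from constructed records shaped like an LDAP export; the attribute names (msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity) and the userAccountControl bit values are the real ones, while the account names, the severity ranking and the pre-resolved RBCD principal list are assumptions for the example.

```python
"""Audit Active Directory objects for the three delegation configurations.

Added example for this chapter, not a tool from the book. RECORDS is
constructed to resemble an LDAP export of user and computer objects. In
live AD, msDS-AllowedToActOnBehalfOfOtherIdentity is a binary security
descriptor; here it is pre-resolved to a list of principal names.
"""
# userAccountControl flags (real bit values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, "any protocol" (protocol transition)
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member server / workstation account
NORMAL_ACCOUNT = 0x200                      # ordinary user account

# Constructed records (not from a real domain).
RECORDS = [
    {"sAMAccountName": "DC01$",   "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$",  "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_iis", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local", "cifs/FS01"]},
    {"sAMAccountName": "svc_web", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["http/app01.corp.local"]},
    {"sAMAccountName": "FS02$",   "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["CORP\\svc_web"]},
    {"sAMAccountName": "alice",   "userAccountControl": NORMAL_ACCOUNT},
]

# Assumed triage ranking for the report.
SEVERITY = {
    "unconstrained": "critical",         # every TGT presented to this host is retained on it
    "constrained-any-protocol": "high",  # protocol transition: no user interaction needed
    "constrained-kerberos-only": "medium",
    "rbcd-target": "medium",             # risk depends on who controls the listed principals
}


def classify(rec):
    """Return the delegation findings for one object (empty if none apply).
    Domain controllers are skipped: they are unconstrained by design."""
    uac = rec.get("userAccountControl", 0)
    if uac & SERVER_TRUST_ACCOUNT:
        return []
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained")
    if rec.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("constrained-any-protocol")
        else:
            findings.append("constrained-kerberos-only")
    if rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd-target")
    return findings


def worst_severity(findings):
    """Highest severity among a finding list, or None."""
    present = {SEVERITY[f] for f in findings}
    return next((s for s in ("critical", "high", "medium") if s in present), None)


def audit(records):
    """Map sAMAccountName -> findings for every object that has any delegation setting."""
    report = {}
    for rec in records:
        findings = classify(rec)
        if findings:
            report[rec["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(RECORDS).items():
        print(f"{worst_severity(findings):8} {name}: {', '.join(findings)}")
```

The same three checks are what a remediation plan is built from: non-DC unconstrained delegation should be removed or the host treated as Tier 0, protocol transition should be justified per account, and every RBCD entry should name only principals that are themselves well protected.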
5. AD CS Is a Massive and Often Overlooked Attack Surface
The "Certified Pre-Owned" research exposed that AD Certificate Services misconfigurations can provide direct paths from standard user to Domain Admin. ESC1 (enrollee supplies SAN) is found in a majority of enterprise AD environments. Every AD assessment must include AD CS auditing.
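The ESC1 audit itself, as an added example that is not code from the chapter or from the "Certified Pre-Owned" authors. It applies the four ESC1 conditions to constructed records shaped like pKICertificateTemplate objects; the attribute names, flag bits and EKU OIDs are the real ones, while the template names and the group names given enrollment rights are assumptions (in AD the enrollment rights live in the template's security descriptor and would have to be resolved first).

```python
"""Check AD CS certificate templates for the ESC1 misconfiguration.

Added example for this chapter; not code from the book or the
"Certified Pre-Owned" research. TEMPLATES is constructed; the attribute
names, flag bits and EKU OIDs are real. ESC1 requires all of:
  1. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set in msPKI-Certificate-Name-Flag
  2. an EKU that permits domain authentication (or no EKU at all)
  3. no manager approval (CT_FLAG_PEND_ALL_REQUESTS clear) and no
     authorized signatures required (msPKI-RA-Signature == 0)
  4. enrollment rights granted to a low-privileged principal
"""
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag (manager approval)

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2":      "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4":        "PKINIT Client Authentication",
    "2.5.29.37.0":            "Any Purpose",
}
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
# Assumed set of principals that count as "low privileged" for this audit.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed templates (not from a real CA). "enroll" is the resolved
# list of principals holding Enroll rights on the template.
TEMPLATES = [
    {"name": "VulnWeb",      "msPKI-Certificate-Name-Flag": 0x1,        "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", SERVER_AUTH],
     "enroll": ["Domain Users", "Domain Admins"]},
    {"name": "User",         "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},                       # subject built from AD, not supplied
    {"name": "AdminOnlySAN", "msPKI-Certificate-Name-Flag": 0x1,        "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Admins"]},                      # enrollment restricted
    {"name": "ApprovedSAN",  "msPKI-Certificate-Name-Flag": 0x1,        "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},                       # manager approval required
    {"name": "WebServer",    "msPKI-Certificate-Name-Flag": 0x1,        "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [SERVER_AUTH],
     "enroll": ["Domain Users"]},                       # no authentication EKU
    {"name": "SignedSAN",    "msPKI-Certificate-Name-Flag": 0x1,        "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 1, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},                       # authorized signature required
]


def allows_authentication(ekus):
    """A template with no EKU is usable for any purpose, including logon."""
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)


def esc1_findings(templates):
    """Map template name -> sorted low-privileged enrollers for each ESC1 template."""
    findings = {}
    for t in templates:
        name_flag = t["msPKI-Certificate-Name-Flag"] & 0xFFFFFFFF  # LDAP may export it as a signed int
        if not name_flag & ENROLLEE_SUPPLIES_SUBJECT:
            continue
        if not allows_authentication(t.get("pKIExtendedKeyUsage", [])):
            continue
        if t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS:
            continue
        if t.get("msPKI-RA-Signature", 0) > 0:
            continue
        enrollers = sorted(set(t.get("enroll", [])) & LOW_PRIV_PRINCIPALS)
        if enrollers:
            findings[t["name"]] = enrollers
    return findings


if __name__ == "__main__":
    for name, who in esc1_findings(TEMPLATES).items():
        print(f"ESC1: template {name} lets {', '.join(who)} supply their own SAN")
```

Each of the four conditions is also a remediation lever: clearing the enrollee-supplies-subject flag is the cleanest fix, and requiring manager approval or an authorized signature, or removing low-privileged Enroll rights, each breaks the chain on its own. The other templates in the constructed set show why every condition must hold: a SAN-supplying template restricted to Domain Admins, one behind manager approval, and one with only a Server Authentication EKU are all excluded.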
6. Golden Tickets Provide Ultimate Domain Persistence
With the krbtgt hash, an attacker can forge TGTs for any user with any group membership. Golden Tickets have a default validity of 10 years and survive all password resets except krbtgt rotation. Organizations must reset the krbtgt password twice annually and immediately after any suspected compromise.
7. DCSync Eliminates the Need to Touch the Domain Controller
With replication rights (DS-Replication-Get-Changes + DS-Replication-Get-Changes-All), an attacker can extract any user's password hash remotely without logging into the DC. Non-default accounts with these rights are a critical finding in any assessment.
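A detection for exactly this behaviour, added as an example and not part of the chapter: it reads Windows Security event 4662 ("An operation was performed on an object") records and reports any replication request that did not come from a domain controller or a known directory-sync account. The three replication control-access-right GUIDs are the real ones; the events, the domain controller names, the MSOL_ account name and the logon records used to recover a source address are all constructed for the example.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662.

Added example for this chapter, not the book's own detection content.
EVENTS is constructed: 4662 entries carry the Properties field already
split into a list of GUIDs, and a 4624 logon entry is included so the
source address can be recovered by SubjectLogonId (4662 itself records
no network address). Legitimate replication comes from domain
controllers and known sync services (e.g. the Azure AD Connect MSOL_
account); those principals are allow-listed and everything else is
reported.
"""
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"   # AccessMask value for extended/control-access rights

# Assumed allow-list; in practice derive it from the Domain Controllers OU
# and from your inventory of directory-synchronisation service accounts.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
KNOWN_SYNC_ACCOUNTS = {"MSOL_3f2a1b4c"}

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # unrelated control-access right

# Constructed sample events (not real log data).
EVENTS = [
    {"EventID": 4624, "TargetUserName": "eve", "TargetLogonId": "0x3e7a1", "LogonType": 3,
     "IpAddress": "10.0.5.23"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e4", "AccessMask": "0x100",
     "ObjectType": "domainDNS", "Properties": [GET_CHANGES, GET_CHANGES_ALL]},      # normal DC-to-DC
    {"EventID": 4662, "SubjectUserName": "MSOL_3f2a1b4c", "SubjectLogonId": "0x1c2f0", "AccessMask": "0x100",
     "ObjectType": "domainDNS", "Properties": [GET_CHANGES, GET_CHANGES_ALL]},      # Azure AD Connect
    {"EventID": 4662, "SubjectUserName": "eve", "SubjectLogonId": "0x3e7a1", "AccessMask": "0x100",
     "ObjectType": "domainDNS", "Properties": [GET_CHANGES, GET_CHANGES_ALL]},      # from a workstation
    {"EventID": 4662, "SubjectUserName": "bob", "SubjectLogonId": "0x41b20", "AccessMask": "0x100",
     "ObjectType": "domainDNS", "Properties": [GET_CHANGES]},                       # partial rights
    {"EventID": 4662, "SubjectUserName": "helpdesk1", "SubjectLogonId": "0x52c01", "AccessMask": "0x100",
     "ObjectType": "user", "Properties": [FORCE_CHANGE_PASSWORD]},                  # not replication
]


def logon_sources(events):
    """Map logon id -> source address from 4624 events, for later correlation."""
    return {ev["TargetLogonId"]: ev.get("IpAddress", "unknown")
            for ev in events if ev.get("EventID") == 4624}


def find_dcsync(events):
    """Return alerts for replication rights exercised by non-allow-listed principals.
    Severity is high when Get-Changes-All (the right that returns secrets) is present."""
    sources = logon_sources(events)
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        rights = sorted(REPLICATION_RIGHTS[g] for g in ev.get("Properties", []) if g in REPLICATION_RIGHTS)
        if not rights:
            continue
        user = ev["SubjectUserName"]
        if user in DOMAIN_CONTROLLERS or user in KNOWN_SYNC_ACCOUNTS:
            continue
        alerts.append({
            "user": user,
            "source": sources.get(ev.get("SubjectLogonId"), "unknown"),
            "rights": rights,
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_dcsync(EVENTS):
        print(f"[{a['severity']}] {a['user']} from {a['source']} used {', '.join(a['rights'])}")
```

Event 4662 is only generated when the directory-service-access audit subcategory is enabled and the domain object's SACL audits control access, so both settings are prerequisites for this detection. The allow-list is also the weak point: an attacker who obtains a DC or sync account's credentials is invisible here, which is why the ACL review the chapter calls for (who holds the replication rights at all) remains the primary control.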
8. Defense Must Be Layered and Proactive
No single control prevents all AD attacks. Effective defense requires: tiered administration, gMSAs, LAPS, Credential Guard, delegation auditing, AD CS hardening, BloodHound-based attack path analysis, and monitoring tools like Microsoft Defender for Identity.
9. The Complete Attack Chain Demonstrates Real-World Risk
The progression from phishing -> local privilege escalation -> credential harvesting -> Kerberoasting -> lateral movement -> DCSync -> Golden Ticket reflects actual adversary tradecraft. This chain can execute in hours in a well-connected network with common misconfigurations.
10. Build a Lab and Practice Relentlessly
AD attacks require hands-on practice. Building a personal AD lab with intentional vulnerabilities is the single best investment in developing AD attack and defense skills. Tools like GOAD, BadBlood, and Vulnerable-AD make this accessible to every student.
Quick Reference: AD Attack Priorities
| Attack | Requirement | Impact | Detection Difficulty |
|---|---|---|---|
| Kerberoasting | Any domain user | Service account creds | Medium |
| AS-REP Roasting | Know usernames | User credentials | Medium |
| Pass-the-Hash | NTLM hash | Lateral movement | Low (with Microsoft Defender for Identity) |
| Delegation Abuse | Delegation misconfiguration | Impersonation | High |
| AD CS (ESC1) | Domain user + vulnerable template | Domain Admin | High |
| DCSync | Replication rights | All domain hashes | Low (with Microsoft Defender for Identity) |
| Golden Ticket | krbtgt hash | Full domain control | Medium |