Chapter 17 Quiz: Active Directory Attacks
1. Kerberoasting requires which of the following prerequisites?
A) Domain Administrator privileges B) Any authenticated domain user account C) Physical access to the domain controller D) Exploitation of a kernel vulnerability
2. In Kerberos authentication, the Ticket Granting Ticket (TGT) is encrypted with which key?
A) The user's NTLM hash B) The krbtgt account's NTLM hash C) The service account's NTLM hash D) The domain controller's machine account hash
3. What does BloodHound use to discover and visualize AD attack paths?
A) Port scanning and service enumeration B) Graph theory applied to AD object relationships and permissions C) Brute-force password attacks against domain controllers D) Packet capture and network traffic analysis
4. AS-REP Roasting targets accounts with which specific configuration?
A) Service Principal Names (SPNs) set B) "Do not require Kerberos preauthentication" enabled C) "Account is disabled" flag set D) AdminCount attribute set to 1
5. A Golden Ticket is forged using which account's hash?
A) The Domain Administrator's hash B) The target service account's hash C) The krbtgt account's hash D) The computer account's hash
6. What is the key difference between a Golden Ticket and a Silver Ticket?
A) Golden Tickets work on Linux; Silver Tickets work on Windows B) Golden Tickets forge TGTs for any service; Silver Tickets forge TGS tickets for specific services C) Golden Tickets are detected by SIEM; Silver Tickets are not D) Golden Tickets expire faster than Silver Tickets
7. Resource-Based Constrained Delegation (RBCD) is configured on which object?
A) The delegating (front-end) service account B) The target (back-end) resource that receives delegation C) The domain controller D) The Group Policy Object linked to the OU
8. In the AD CS ESC1 vulnerability, what template configuration makes it exploitable?
A) The template requires manager approval B) The template allows the enrollee to specify the Subject Alternative Name (SAN) C) The template uses AES-256 encryption D) The template is disabled by default
9. DCSync works by abusing which AD feature?
A) Group Policy replication B) Domain controller replication protocol (MS-DRSR) C) Kerberos ticket generation D) DNS zone transfer
10. Which Impacket tool is used for Kerberoasting from a Linux attack machine?
A) secretsdump.py B) GetUserSPNs.py C) psexec.py D) ntlmrelayx.py
11. The ms-DS-MachineAccountQuota attribute determines:
A) The maximum number of domain users allowed B) How many computer accounts standard users can create C) The password complexity requirement for machine accounts D) The maximum number of domain controllers in the forest
12. Pass-the-Hash (PtH) exploits which authentication protocol?
A) Kerberos B) NTLM C) SAML D) LDAP
13. Which tool created by SpecterOps revolutionized AD attack path analysis?
A) Mimikatz B) PowerView C) BloodHound D) CrackMapExec
14. What is the primary defense against Kerberoasting?
A) Disabling Kerberos and using NTLM instead B) Using Group Managed Service Accounts (gMSAs) with 120-character random passwords C) Enabling "Do not require Kerberos preauthentication" D) Installing antivirus on all domain controllers
15. The Skeleton Key attack works by:
A) Replacing the krbtgt password B) Patching LSASS on a domain controller to accept a master password C) Modifying the SAM database on member servers D) Creating a backdoor user in Domain Admins
16. In the SolarWinds attack, the adversary achieved persistence using which technique?
A) Golden Ticket B) Silver Ticket C) Golden SAML (forging SAML tokens with the AD FS signing certificate) D) Scheduled tasks on all domain controllers
17. Which of the following Event IDs should be monitored to detect Kerberoasting?
A) Event ID 4624 (Successful Logon) B) Event ID 4769 (Kerberos Service Ticket) with encryption type 0x17 (RC4) C) Event ID 4740 (Account Lockout) D) Event ID 4688 (Process Creation)
18. Overpass-the-Hash differs from Pass-the-Hash because it:
A) Uses plaintext passwords instead of hashes B) Converts an NTLM hash into a Kerberos TGT C) Requires access to the domain controller D) Only works against Linux systems
19. In an unconstrained delegation attack, you can compromise any user who authenticates to the delegation server because:
A) The server stores the user's plaintext password B) The server receives and caches the user's TGT C) The server can reset any user's password D) The server has DCSync rights
20. To invalidate existing Golden Tickets, you must:
A) Reset the Domain Administrator password B) Reset the krbtgt password twice (invalidating both current and previous keys) C) Restart all domain controllers D) Delete the krbtgt account and recreate it
Answer Key
- B - Any authenticated domain user can request Kerberos service tickets for Kerberoasting.
- B - The TGT is encrypted by the KDC with the krbtgt account's key: the NTLM hash when RC4 is the ticket encryption type, or the AES keys derived from the same krbtgt password when AES encryption types are in use.
- B - BloodHound applies graph theory to AD object relationships to find attack paths.
- B - AS-REP Roasting targets accounts where Kerberos preauthentication is not required.
- C - Golden Tickets are forged using the krbtgt hash, which encrypts all TGTs.
- B - Golden Tickets forge TGTs (access any service); Silver Tickets forge TGS tickets (specific service only).
- B - RBCD is configured on the target (back-end) resource, in its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which lists the security principals allowed to delegate to it.
- B - ESC1 requires the ENROLLEE_SUPPLIES_SUBJECT flag, which lets the requester specify an arbitrary SAN (for example a Domain Admin's UPN); the template must also grant enrollment rights to low-privileged users, permit client authentication, and not require manager approval.
- B - DCSync abuses the Directory Replication Service protocol (MS-DRSR) to ask a DC for account password data as a replication partner would; it needs the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), not code execution on the DC.
- B - GetUserSPNs.py enumerates SPNs and requests Kerberos service tickets for cracking.
- B - This attribute controls how many computer accounts standard domain users can create (default: 10).
- B - PtH exploits NTLM authentication by using the hash directly without cracking.
- C - BloodHound by SpecterOps transformed AD security assessment with graph-based attack path analysis.
- B - gMSAs use 120-character random passwords that Windows rotates automatically (every 30 days by default), so their service tickets are practically uncrackable; long random passwords and AES-only encryption types on ordinary service accounts close the same gap.
- B - Skeleton Key patches LSASS memory on a DC to accept a master password alongside real passwords.
- C - The SolarWinds attackers used Golden SAML to forge authentication tokens for cloud services.
- B - Event ID 4769 with ticket encryption type 0x17 (RC4-HMAC) indicates a potential Kerberoasting request, because attackers ask for RC4 tickets to get the fastest-cracking ciphertext. Exclude computer accounts (names ending in $) and the krbtgt service, and look for one user requesting tickets for many distinct SPNs in a short window; a single 0x17 ticket is often just a legacy application.
- B - Overpass-the-Hash converts an NTLM hash to a Kerberos TGT for Kerberos-based authentication.
- B - With unconstrained delegation, the server receives full TGTs from authenticating users.
- B - The krbtgt password must be reset twice because the KDC accepts tickets encrypted under both the current and the previous key. Wait for replication to converge between the two resets; otherwise DCs still holding the original key issue tickets that no other DC can validate.
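Worked example for question 17, added here and not part of the original quiz: a small detector that applies the Event ID 4769 / encryption type 0x17 rule to a batch of security-log records and then goes one step beyond the single-event check by grouping requests per client and alerting only on bursts of RC4 tickets for several distinct services. The event records are constructed sample data, not captured logs; their field names follow the 4769 event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status), and the five-minute window and three-SPN threshold are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 records.

Added example for the quiz answer key (not code from the original page).
SAMPLE_EVENTS is constructed sample data, not real logs; the window and
threshold defaults are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC-MD5
AES256 = "0x12"     # AES256-CTS-HMAC-SHA1-96, the expected modern value

# Constructed sample events (not captured from a real system). bob requests
# RC4 tickets for three different SPN-bearing user accounts within two
# minutes: the Kerberoasting pattern. The remaining records are the kinds of
# noise a naive "any 4769 with 0x17" rule would also flag.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": AES256, "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"time": "2024-03-01T09:00:07", "EventID": 4769, "TargetUserName": "WS02$@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.22", "Status": "0x0"},
    {"time": "2024-03-01T09:01:10", "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"time": "2024-03-01T09:01:12", "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"time": "2024-03-01T09:01:13", "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "http_svc", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"time": "2024-03-01T09:02:40", "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "backup_svc", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"time": "2024-03-01T09:05:00", "EventID": 4769, "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "legacy_svc", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.31", "Status": "0x0"},
    {"time": "2024-03-01T09:06:00", "EventID": 4769, "TargetUserName": "dave@CORP.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.40", "Status": "0x7"},
]


def is_roast_candidate(ev):
    """Return True if a single 4769 record looks like a Kerberoast request."""
    if ev["EventID"] != 4769 or ev["Status"] != "0x0":
        return False  # only a successful issuance hands out crackable ciphertext
    if ev["TicketEncryptionType"].lower() != RC4_HMAC:
        return False  # AES tickets are not the 0x17 indicator from question 17
    requester = ev["TargetUserName"].split("@", 1)[0]
    service = ev["ServiceName"]
    if requester.endswith("$"):
        return False  # computer accounts request service tickets constantly
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine SPNs and the TGS itself are not what roasters want
    return True


def find_kerberoasting(events, window=timedelta(minutes=5), min_distinct_spns=3):
    """Group candidate events by (requester, source IP) and alert when one client
    obtained RC4 tickets for at least min_distinct_spns distinct services inside
    `window`. Returns alert dicts sorted by requester name."""
    by_client = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_client[(ev["TargetUserName"], ev["IpAddress"])].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"].lower()))
    alerts = []
    for (user, ip), reqs in by_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # services requested in the window starting at this request
            seen = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(seen) >= min_distinct_spns:
                alerts.append({"user": user, "ip": ip, "services": sorted(seen),
                               "first_seen": t0.isoformat()})
                break
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    for a in find_kerberoasting(SAMPLE_EVENTS):
        print(f"Kerberoasting suspected: {a['user']} from {a['ip']} "
              f"requested RC4 tickets for {a['services']} starting {a['first_seen']}")
```

Run as-is the script reports only bob: the machine account, the krbtgt request, the failed request (Status 0x7) and carol's lone legacy ticket all drop out. Lowering min_distinct_spns to 1 surfaces carol as well, which is the usual trade-off when an environment still has RC4-only applications; the cleaner long-term fix is to make those accounts AES-only so a 0x17 ticket becomes anomalous on its own.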