Active Directory (Attack & Defense )
28 min read
offensive

Active Directory (Attack & Defense )

Active Directory (Attack & Defense )
27 min read 5,883 words

This is the 2026 revision of Active Directory (Attack & Defense), first published in April 2022. The content might have under frequent changes.

Discovery

Table of Contents

SPN Scanning

Enumerate accounts that have Service Principal Names to find service accounts, SQL servers, and other services without running noisy port scans. Tools: PowerView (Get-NetUser -SPN), setspn.exe, Impacket GetUserSPNs.py.

Data Mining

Search file shares, Group Policy, and AD object attributes (description, info, comment) for stored secrets.
Tools such as : PowerView, Snaffler , manspider.

User Hunting

Locate where privileged users are logged on so you can target session theft or token impersonation.
Tools: PowerView (Find-DomainUserLocation), BloodHound session data.

LAPS

Identify LAPS-managed hosts and the principals allowed to read the stored local administrator password. Windows LAPS shipped as a built-in OS feature in the April 2023 updates and replaces the old standalone Microsoft LAPS. It stores the password in msLAPS-Password instead of the legacy ms-Mcs-AdmPwd, and adds password encryption, history, DSRM support, and optional backup to Entra ID. When enumerating, check which attribute is in use and who holds read rights.

AppLocker

Read the application control policy (effective rules) to plan execution that stays inside allowed paths and publishers.

Azure / Entra-ID

Azure AD was renamed Microsoft Entra ID in 2023. Enumerate users, groups, roles, applications, service principals, and the link between on-prem AD and the tenant.

Tools: AzureHoundROADtools (roadrecon), and AADInternals.

Active Directory Federation Services

Identify ADFS and federated domains. A compromised ADFS token-signing key allows forged SAML assertions (Golden SAML, covered under Persistence).

Attack path mapping with BloodHound 

Legacy BloodHound 4.x is retired. BloodHound Community Edition uses SharpHound CE and AzureHound collectors, a web UI and API, and adds edges for AD CS, Entra ID, and dMSA relationships. Use it to map paths to Tier 0 before deeper enumeration.

AD CS enumeration 

Certificate Services is now a primary recon target. Certipy (find -vulnerable) and Certify enumerate certificate templates and CA settings and flag the ESC conditions described under Privilege Escalation.

Service enumeration with NetExec 

NetExec (nxc) is the maintained successor to CrackMapExec, which was archived in 2023. It enumerates SMB, LDAP, WinRM, MSSQL, and other services, validates credentials at scale, and marks owned accounts in BloodHound.

Privilege Escalation

Enumeration Tool kits

Local privilege escalation discovery. Tools: PowerUp, PrivescCheck, WinPEAS.

Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability

DNSAdmins

Members of DnsAdmins can load an arbitrary DLL into the DNS service running on the DC (dns serverlevelplugindll), leading to code execution as SYSTEM on the DC.

Kerberos Delegation

Three forms, all still in scope:

  • Unconstrained delegation: a host configured for unconstrained delegation caches TGTs of users who authenticate to it; combine with a coercion technique to capture a DC TGT.
  • Constrained delegation: abuse of msDS-AllowedToDelegateTo with S4U2Self and S4U2Proxy to impersonate users to specific services.
  • Resource-Based Constrained Delegation (RBCD)(Added 2022-2026, now a primary chain.) Where ms-DS-MachineAccountQuota is greater than 0 (default 10), create a computer account, write msDS-AllowedToActOnBehalfOfOtherIdentity on a target you have write access to, then use S4U to impersonate any user to that target. Tools: Impacket addcomputer.py and rbcd.pybloodyAD, Rubeus, PowerMad.

Unconstrained Delegation

Constrained Delegation

Resource-Based Constrained Delegation

Insecure Group Policy Object Permission Rights

Write access to a GPO linked to a target OU allows pushing scheduled tasks, scripts, or settings to affected machines.

Tools: SharpGPOAbuse, PowerView.

Insecure ACLs Permission Rights

Abusable rights such as GenericAll, GenericWrite, WriteDACL, WriteOwner, and ForceChangePassword on users, groups, and computers. Map with BloodHound and act with PowerView, bloodyAD, or aclpwn.

Domain Trusts

Cross-domain and cross-forest abuse, including SID history injection and trust key extraction for inter-realm tickets.

DCShadow

Register a rogue domain controller to push malicious directory changes (also used for persistence).

RID Hijacking

Modify the RID of an account so a low-privilege user is granted access of a higher-privilege RID at logon.

Microsoft SQL Server

Abuse xp_cmdshell, SQL logins mapped to OS accounts, and impersonation. Tool: PowerUpSQL.

Red Forest

The ESAE administrative forest design. See the Enterprise Access Model under Defense & Detection, which is the model Microsoft now recommends in its place.

Exchange

PrivExchange and related issues where Exchange has excessive rights in AD and can be relayed to escalate.

LLMNR/NBNS

Spoof name resolution to capture authentication for offline cracking or relay.

Tool: Responder.

Active Directory Certificate Services (AD CS) (Added 2022-2026)

SpecterOps published the “Certified Pre-Owned” research and the ESC numbering grew from ESC1 to ESC8 in 2021 to ESC1 to ESC16 by 2025. A misconfigured certificate template or CA frequently gives a standard domain user a direct path to Domain Admin, and an issued certificate keeps working after a password reset, so it doubles as persistence.

ESCWhat it abuses
ESC1Template allows requester-supplied subject (SAN) plus client authentication EKU, so you request a cert as anyone.
ESC2Template with Any Purpose or no EKU restriction.
ESC3Enrollment Agent certificate, used to enroll on behalf of other users.
ESC4Write access over a template DACL, used to reconfigure it into ESC1.
ESC5Control over PKI-related AD objects.
ESC6CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, enabling SAN injection CA-wide.
ESC7CA management rights (ManageCA, ManageCertificates).
ESC8NTLM relay to the CA web enrollment (HTTP) endpoint, classically relaying a coerced DC.
ESC9Certificate with no security extension (szOID_NTDS_CA_SECURITY_EXT absent), enabling mapping abuse.
ESC10Weak certificate mapping registry settings on the DC.
ESC11NTLM relay to the CA RPC (ICertPassage) endpoint, no web endpoint required.
ESC12CA key stored on a YubiHSM, or shell access to the ADCS host.
ESC13Template linked to an issuance policy that maps to a privileged AD group (OID group link).
ESC14Weak explicit mapping through writable altSecurityIdentities.
ESC15 (EKUwu)CVE-2024-49019: inject arbitrary Application Policies into a V1-schema template certificate. Patched November 2024.
ESC16Security extension disabled CA-wide, a global version of ESC9.

Certifried (CVE-2022-26923), by Oliver Lyak in May 2022: an authenticated user changes a machine account dNSHostName to obtain a certificate that authenticates as a DC. Tools: CertipyCertifyForgeCert. References: Certipy ESC wikiTrustedSec EKUwuHackTricks AD CS escalation.

oPac / sAMAccountName spoofing

Chains CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC name confusion). A standard user with machine account quota greater than 0 renames a computer account to match a DC name, requests a ticket, and ends up with a DC service ticket, reaching Domain Admin. Patch with KB5008380 and KB5008602 (November 2021), and apply both, since one alone does not close the chain. Tools: noPac.pysam-the-admin. Reference: thehacker.recipes.

Shadow Credentials 

Write attacker-controlled key material into a target account msDS-KeyCredentialLink attribute, then authenticate with PKINIT and no password. Requires PKINIT support (AD CS in the domain). Tools: WhiskerpyWhisker, Certipy. Reference: thehacker.recipes.

Authentication coercion and relay 

Force a victim, often a DC, to authenticate to a server you control, then relay that authentication to a useful endpoint. A common chain is: coerce a DC, relay to AD CS (ESC8 or ESC11), obtain a DC certificate, then DCSync.

  • PrinterBug / SpoolSample (MS-RPRN).
  • PetitPotam (MS-EFSRPC), by Gilles Lionel. Original unauthenticated vector patched as CVE-2021-36942 (August 2021); authenticated variants remain.
  • ShadowCoerce (MS-FSRVP), patched as CVE-2022-30154. Disable the File Server VSS Agent if not needed.
  • DFSCoerce (MS-DFSNM), by Filip Dragovic, June 2022.
  • Coercerp0dalirius/Coercer bundles many coercion methods.
  • Relay targets: LDAP and LDAPS (RBCD or shadow credential write), AD CS web and RPC (ESC8, ESC11), and ADWS, using Impacket ntlmrelayx.
  • KrbRelayUp: local privilege escalation from a normal user to SYSTEM in domains where LDAP signing is not enforced (the default). It coerces local machine Kerberos authentication, relays to LDAP, and creates an RBCD or shadow credential primitive. Disclosed April 2022; Microsoft addressed the specific path in the October 2022 updates. Dec0ne/KrbRelayUpMicrosoft write-up.

Reference: Unit 42 on authentication coercion.

BadSuccessor (dMSA abuse)

CVE-2025-53779, by Yuval Gordon at Akamai (May 2025). Windows Server 2025 introduced delegated Managed Service Accounts (dMSA) with a migration that lets the new dMSA inherit the predecessor account privileges. By writing the migration attributes (msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState) on a dMSA you control, the KDC mints a PAC carrying any target account group memberships, up to Domain Admin, with no permission on the target account itself, only the ability to create or control a dMSA in an OU. Akamai reported about 91 percent of tested domains had non-admins able to do this. Patched late August 2025. Restrict who can create dMSAs, audit OU permissions, and monitor dMSA object creation and attribute writes. References: AkamaiSemperis.

Group Managed Service Accounts and Golden gMSA 

Any principal listed in msDS-GroupMSAMembership can read the gMSA password from msDS-ManagedPassword. With the KDS root key attributes, the Golden gMSA technique computes the password of any associated gMSA offline, for past, present, and future values, and a compromised KDS root key cannot be rotated without replacing it and every dependent gMSA. Tools: GMSAPasswordReader, NetExec, GoldenGMSA. Reference: Semperis.


Lateral Movement

Microsoft SQL Server Database links

Crawl linked SQL servers to execute commands across trust boundaries.

Tool: PowerUpSQL.

Pass The Hash

Reuse an NTLM hash to authenticate without the plaintext password. Tools: Mimikatz, NetExec, Impacket. (Added 2022-2026) Related variants now common in engagements: Pass the Ticket, Overpass-the-Hash, and Pass the Certificate (PKINIT authentication with a certificate, and UnPAC-the-hash to recover the NT hash from a PKINIT TGT).

System Center Configuration Manager (SCCM)

SCCM is often a faster route to domain control than AD itself. (Added 2022-2026) SpecterOps consolidated the tradecraft in Misconfiguration Manager with this taxonomy:

  • RECON: locate SCCM sites and management points.
  • CRED: extract Network Access Account credentials, PXE boot media secrets, and policy secrets.
  • ELEVATE: NTLM relay from clients and management points for local or domain escalation.
  • EXEC: deploy applications or scripts for code execution on collections.
  • TAKEOVER: seize the SCCM hierarchy, usually equal to full domain compromise.

Tools: SharpSCCMSCCMHunter. Reference: Misconfiguration Manager docs.

WSUS

Where WSUS uses HTTP or is otherwise misconfigured, an attacker on path can push a crafted update to targets. Tools: PyWSUS, SharpWSUS 

Password Spraying

Try a small set of passwords across many accounts to avoid lockout. Tools: NetExec, Kerbrute, DomainPasswordSpray.

Automated Lateral Movement

Hybrid identity movement, on-prem to Entra ID and back 

Most AD environments are now hybrid, so movement crosses the on-prem and cloud boundary in both directions. The synchronization server is the highest-value host.

  • Entra Connect (formerly Azure AD Connect) abuse: the sync server holds high-privilege credentials. With Password Hash Sync, the on-prem sync account (MSOL_) can DCSync, and its stored credentials can be decrypted on the connector server. With Pass-Through Authentication, an attacker on the PTA agent host can backdoor authentication and capture plaintext credentials. Tool: AADInternals.
  • Seamless SSO (AZUREADSSOACC$): Seamless SSO creates the AZUREADSSOACC$ computer account whose key is shared with Entra ID. With its hash you can forge Kerberos tickets that the cloud accepts and impersonate synced users.
  • Primary Refresh Token (PRT) theft: the PRT is the cloud equivalent of a TGT, bound to a registered device. Stealing and replaying it (with the device key and nonce) mints tokens for Entra-authenticated services and can ride through MFA. Tools: ROADtoken, AADInternals, Mimikatz. Reference: PRT exploitationMS Learn.
  • Device code phishing: the attacker generates a real Microsoft user_code and gets the victim to enter it at microsoft.com/devicelogin, then collects the access and refresh tokens after the victim clears MFA. Microsoft attributed an active campaign to Storm-2372 (February 2025). Tools: TokenTactics, roadtx. Block it with the Conditional Access Authentication Flows condition.
  • Illicit consent grants: trick a user into consenting to an attacker app on a real Microsoft screen, after which the app holds delegated Graph scopes through its own refresh token, surviving password resets and MFA. Tool: GraphRunner.
  • Cloud Kerberos Trust: the now-default Windows Hello for Business hybrid model, where Entra ID mints partial TGTs via an AzureADKerberos object that appears as an RODC mapped to no real server. Microsoft documents the Entra to AD attack surface and blocks privileged accounts through the Password Replication Policy, which should not be relaxed.

Defense Evasion

In-Memory Evasion

Reflective loading, module stomping, and sleep obfuscation to reduce in-memory detection.

Endpoint Detection and Response (EDR) Evasion

Userland unhooking, direct and indirect syscalls, and reduced API footprint.  Bring Your Own Vulnerable Driver (BYOVD) is now a common route to blind or kill EDR from kernel space.

OPSEC

Reduce artifacts and align activity with normal administrative behaviour.

Microsoft ATA & ATP Evasion

Azure ATP and ATA are now Microsoft Defender for Identity. Evasion focuses on avoiding the directory and network detections it ships, such as recon and DCSync patterns. See Defense & Detection.

PowerShell ScriptBlock Logging Bypass

Techniques to reduce or avoid script block logging.

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

In-memory patching or provider tampering to defeat AMSI for PowerShell.

Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass

Trusted execution and signed binary abuse.

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion

Disabling Security Tools

Stopping or tampering with agents and services, including via BYOVD 

Credential Dumping

NTDS.DIT Password Extraction

SAM (Security Accounts Manager)

Kerberoasting

Kerberos AP-REP Roasting

Request service tickets for SPN accounts and crack them offline. The November 2022 PAC and RC4 hardening (CVE-2022-37966 and CVE-2022-37967) changes detection and tradecraft. Prefer accounts that still allow RC4, and treat RC4 ticket requests as an indicator. Tools: Rubeus, Impacket GetUserSPNs.py.

Windows Credential Manager/Vault

DCSync

LLMNR/NBT-NS Poisoning

Others

Persistence

Golden Ticket

SID History

Silver Ticket

DCShadow

AdminSDHolder

Group Policy Object

Skeleton Keys

SeEnableDelegationPrivilege

Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

  • PowerView – Situational Awareness PowerShell framework
  • BloodHound – Six Degrees of Domain Admin
  • Impacket – Impacket is a collection of Python classes for working with network protocols
  • aclpwn.py – Active Directory ACL exploitation with BloodHound
  • CrackMapExec – A swiss army knife for pentesting networks
  • ADACLScanner – A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
  • zBang – zBang is a risk assessment tool that detects potential privileged account threats
  • SafetyKatz – SafetyKatz is a combination of slightly modified version of @gentilkiwi’s Mimikatz project and @subTee’s .NET PE Loader.
  • SharpDump – SharpDump is a C# port of PowerSploit’s Out-Minidump.ps1 functionality.
  • PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
  • Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • Mimikatz – Utility to extract plaintexts passwords\, hash\, PIN code and kerberos tickets from memory but also perform pass-the-hash\, pass-the-ticket or build Golden tickets
  • Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
  • Powermad – PowerShell MachineAccountQuota and DNS exploit tools
  • RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
  • DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
  • MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords\, insider intel\, network architecture information\, etc.)
  • LAPSToolkit – Tool to audit and attack LAPS environments.
  • CredDefense – Credential and Red Teaming Defense for Windows Environments

Ebooks

Cheat Sheets

Other Resources

Defense & Detection

Tools & Scripts

  • Create-Tiers in AD – Project Title Active Directory Auto Deployment of Tiers in any environment
  • SAMRi10 – Hardening SAM Remote Access in Windows 10/Server 2016
  • Net Cease – Hardening Net Session Enumeration
  • PingCastle – A tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework
  • Aorato Skeleton Key Malware Remote DC Scanner – Remotely scans for the existence of the Skeleton Key Malware
  • Reset the krbtgt account password/keys – This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation
  • Reset The KrbTgt Account Password/Keys For RWDCs/RODCs
  • RiskySPN – RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name).
  • Deploy-Deception – A PowerShell module to deploy active directory decoy objects
  • SpoolerScanner – Check if MS-RPRN is remotely available with powershell/c#
  • dcept – A tool for deploying and detecting use of Active Directory honeytokens
  • LogonTracer – Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • DCSYNCMonitor – Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events
  • Sigma – Generic Signature Format for SIEM Systems
  • Sysmon – System Monitor (Sysmon) is a Windows system service and device driver that\, once installed on a system\, remains resident across system reboots to monitor and log system activity to the Windows event log.
  • SysmonSearch – Investigate suspicious activity by visualizing Sysmon’s event log
  • ClrGuard – ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes.
  • Get-ClrReflection – Detects memory-only CLR (.NET) modules.
  • Get-InjectedThread – Get-InjectedThread looks at each running thread to determine if it is the result of memory injection.
  • SilkETW – SilkETW & SilkService are flexible C# wrappers for ETW\, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection.

Sysmon Configuration

  • sysmon-modular – A Sysmon configuration repository for everybody to customise
  • sysmon-dfir – Sources\, configuration and how to detect evil things utilizing Microsoft Sysmon.
  • sysmon-config – Sysmon configuration file template with default high-quality event tracing

Active Directory Security Checks (by Sean Metcalf – @Pyrotek3)

General Recommendations

  • Manage local Administrator passwords (LAPS).
  • Implement RDP Restricted Admin mode (as needed).
  • Remove unsupported OSs from the network.
  • Monitor scheduled tasks on sensitive systems (DCs, etc.).
  • Ensure that OOB management passwords (DSRM) are changed regularly & securely stored.
  • Use SMB v2/v3+
  • Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
  • Remove trusts that are no longer necessary & enable SID filtering as appropriate.
  • All domain authentications should be set (when possible) to: “Send NTLMv2 response onlyrefuse LM & NTLM.”
  • Block internet access for DCs, servers, & all administration systems.

Protect Admin Credentials

  • No “user” or computer accounts in admin groups.
  • Ensure all admin accounts are “sensitive & cannot be delegated”.
  • Add admin accounts to “Protected Users” group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection).
  • Disable all inactive admin accounts and remove from privileged groups.

Protect AD Admin Credentials

  • Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
  • ‘Tiered’ Administration mitigating credential theft impact.
  • Ensure admins only logon to approved admin workstations & servers.
  • Leverage time-based, temporary group membership for all admin accounts

Protect Service Account Credentials

  • Limit to systems of the same security level.
  • Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast).
  • Implement FGPP (DFL =>2008) to increase PW requirements for SAs and administrators.
  • Logon restrictions – prevent interactive logon & limit logon capability to specific computers.
  • Disable inactive SAs & remove from privileged groups.

Protect Resources

  • Segment network to protect admin & critical systems.
  • Deploy IDS to monitor the internal corporate network.
  • Network device & OOB management on separate network.

Protect Domain Controllers

  • Only run software & services to support AD.
  • Minimal groups (& users) with DC admin/logon rights.
  • Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
  • Validate scheduled tasks & scripts.

Protect Workstations (& Servers)

  • Patch quickly, especially privilege escalation vulnerabilities.
  • Deploy security back-port patch (KB2871997).
  • Set Wdigest reg key to 0 (KB2871997/Windows 8.1/2012R2+): HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersWdigest
  • Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders – home dir & profile path.
  • Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).

Logging

  • Enable enhanced auditing
  • “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
  • Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method).
  • Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server.
  • SIEM or equivalent to centralize as much log data as possible.
  • User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).

Security Pro’s Checks

  • Identify who has AD admin rights (domain/forest).
  • Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs).
  • Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
  • Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
  • Limit service account rights that are currently DA (or equivalent).

Important Security Updates

CVETitleDescriptionLink
CVE-2019-1040Windows NTLM Tampering VulnerabilityA tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka ‘Windows NTLM Tampering Vulnerability’.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040
CVE-2019-0683Active Directory Elevation of Privilege VulnerabilityAn elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka ‘Active Directory Elevation of Privilege Vulnerability’.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683
CVE-2019-0708Remote Desktop Services Remote Code Execution VulnerabilityA remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
CVE-2018-8581Microsoft Exchange Server Elevation of Privilege VulnerabilityAn elevation of privilege vulnerability exists in Microsoft Exchange Server, aka “Microsoft Exchange Server Elevation of Privilege Vulnerability.” This affects Microsoft Exchange Server.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8518
CVE-2017-0143Windows SMB Remote Code Execution VulnerabilityThe SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability.” This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143
CVE-2016-0128Windows SAM and LSAD Downgrade VulnerabilityThe SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka “Windows SAM and LSAD Downgrade Vulnerability” or “BADLOCK.”https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0128
CVE-2014-6324Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka “Kerberos Checksum Vulnerability.”https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068
CVE-2014-1812Vulnerability in Group Policy Preferences could allow elevation of privilegeThe Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka “Group Policy Preferences Password Elevation of Privilege Vulnerability.”https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

Detection

AttackEvent ID
Account and Group Enumeration4798: A user’s local group membership was enumerated4799: A security-enabled local group membership was enumerated
AdminSDHolder4780: The ACL was set on accounts which are members of administrators groups
Kekeo4624: Account Logon4672: Admin Logon4768: Kerberos TGS Request
Silver Ticket4624: Account Logon4634: Account Logoff4672: Admin Logon
Golden Ticket4624: Account Logon4672: Admin Logon
PowerShell4103: Script Block Logging400: Engine Lifecycle403: Engine Lifecycle4103: Module Logging600: Provider Lifecycle
DCShadow4742: A computer account was changed5137: A directory service object was created5141: A directory service object was deleted4929: An Active Directory replica source naming context was removed
Skeleton Keys4673: A privileged service was called4611: A trusted logon process has been registered with the Local Security Authority4688: A new process has been created4689: A new process has exited
PYKEK MS14-0684672: Admin Logon4624: Account Logon4768: Kerberos TGS Request
Kerberoasting4769: A Kerberos ticket was requested
S4U2Proxy4769: A Kerberos ticket was requested
Lateral Movement4688: A new process has been created4689: A process has exited4624: An account was successfully logged on4625: An account failed to log on
DNSAdmin770: DNS Server plugin DLL has been loaded541: The setting serverlevelplugindll on scope . has been set to <dll path> 150: DNS Server could not load or initialize the plug-in DLL
DCSync4662: An operation was performed on an object
Password Spraying4625: An account failed to log on4771: Kerberos pre-authentication failed4648: A logon was attempted using explicit credentials

Resources

2 Comments

  1. Despite being from 2022 (heck, I know companies who still uses Serve 2008) … the content is valid, and you really did a good job listing all the information here.

Leave a reply

Your email address will not be published. Required fields are marked *