Did you know that a simple configuration error in Active Directory can be an attacker's entry ticket into your network? We see such vulnerabilities in almost every company.
Introduction
Active Directory (AD) is a key technology that underpins the infrastructure of corporate networks. Because it centralises authentication and access management, AD is a tempting target for attackers. In this article, we have collected five of the most common Active Directory vulnerabilities seen in practice, from Golden Ticket attacks to DCSync. You'll learn how they work, what attackers do next, and how to avoid them.
1. Golden Ticket

How does this work?
The attacker gains access to the password hash of the KRBTGT account, the service account whose key the domain controller uses to sign Kerberos tickets. Using this hash, the attacker forges a "golden ticket" (a TGT) that gives full access to the domain without any verification by the server.
What does the attacker do next?
- Creates accounts that are invisible to logs
- Gains access to critical data
- Uses constant access to infrastructure
- Forges tickets with any expiration date, bypassing two-factor authentication
What this looks like in practice:
In 2023, a bank in Eastern Europe lost control of its network. After the KRBTGT was compromised, the attackers migrated customer data within a few days without being noticed.
Example:
PowerShell (Invoke-Mimikatz):
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /user:krbtgt"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:a9b3c... /ticket:golden.kirbi"'
How to protect yourself?
- Reset the KRBTGT account password regularly, twice in a row: the domain controller still accepts tickets signed with the previous KRBTGT password, so a single reset does not invalidate forged tickets.
- Enable auditing of event 4662 (object access) so that problems are noticed early.
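The two-step reset above is easy to get wrong: if the second reset happens before the first one has replicated to every domain controller, some DCs will be issuing tickets with a key the others do not know. The following is an added example (not code from the article): it reads the KRBTGT password age as seen by each DC, reports whether they agree, and optionally performs the double reset while waiting for replication in between. It assumes the RSAT ActiveDirectory module, an account allowed to read and reset the krbtgt object, and a rotation policy of 180 days (an assumed value); the function names are this example's own.

```powershell
# Added example, not from the article: KRBTGT age check and guarded double reset.
# Assumes the RSAT ActiveDirectory module and rights on the krbtgt object.
Import-Module ActiveDirectory

$MaxAgeDays = 180   # assumed rotation policy; adjust to yours

function Get-KrbtgtStatus {
    $dcs = Get-ADDomainController -Filter *
    $perDc = foreach ($dc in $dcs) {
        # Ask each DC directly so that replication lag between them becomes visible
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            DomainController = $dc.HostName
            PasswordLastSet  = [DateTime]::FromFileTimeUtc($k.pwdLastSet)
        }
    }
    $times   = @($perDc.PasswordLastSet | Sort-Object)
    $ageDays = [int]((Get-Date).ToUniversalTime() - $times[0]).TotalDays
    [pscustomobject]@{
        PerDC         = $perDc
        Converged     = (@($times | Sort-Object -Unique).Count -eq 1)
        AgeDays       = $ageDays
        NeedsRotation = ($ageDays -gt $MaxAgeDays)
    }
}

function Reset-KrbtgtTwice {
    # Two resets are needed because the KDC keeps accepting tickets encrypted with the
    # previous KRBTGT key. Waiting for replication between them keeps all DCs on the same
    # key. For a planned (non-incident) rotation you would also wait out the maximum TGT
    # lifetime (10 hours by default) between the two resets so valid tickets are not cut off.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$ReplicationTimeoutMinutes = 30,
        [int]$WaitBetweenResetsHours = 0
    )
    for ($i = 1; $i -le 2; $i++) {
        if (-not $PSCmdlet.ShouldProcess('krbtgt', "Password reset $i of 2")) { return }
        # The value itself is irrelevant (the KDC derives its key from it), so use random bytes
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPw

        $deadline = (Get-Date).AddMinutes($ReplicationTimeoutMinutes)
        while (-not (Get-KrbtgtStatus).Converged) {
            if ((Get-Date) -gt $deadline) {
                throw "Reset $i has not replicated to all DCs within $ReplicationTimeoutMinutes minutes"
            }
            Start-Sleep -Seconds 30
        }
        if ($i -eq 1 -and $WaitBetweenResetsHours -gt 0) {
            Start-Sleep -Seconds ($WaitBetweenResetsHours * 3600)
        }
    }
}

Get-KrbtgtStatus | Format-List Converged, AgeDays, NeedsRotation
# Reset-KrbtgtTwice -WaitBetweenResetsHours 10 -Confirm
```

Run the status check on its own first; only call Reset-KrbtgtTwice from a change window, since every reset invalidates tickets that were signed two keys ago.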
2. AD CS Certificate Service Vulnerabilities

What's the problem?
AD CS, the service used to manage digital certificates, may contain misconfigured certificate templates. Such templates let an attacker obtain a certificate that authenticates them as someone else, gaining administrator rights through that certificate.
What does the attacker do next?
- Uses the issued certificate to authenticate and take over sessions via RDP, WinRM or SMB
- Installs backdoors in infrastructure
- Uses certificates to perform Pass-the-Ticket (PtT) attacks
In 2024, a retailer lost 2.5 TB of customer data due to an AD CS attack. Attackers used weak template settings to gain administrator privileges.
Example:
Command Prompt:
Certify.exe find /vulnerable
Certify.exe request /ca:ca.corp.local\corp-CA /template:VulnerableTemplate /altname:Administrator
Protective measures:
- Make sure templates do not set ENROLLEE_SUPPLIES_SUBJECT, which lets the requester choose the subject name in the certificate (including an administrator's)
- Check the enrollment permissions on templates and restrict who can use them
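The two protective measures above can be checked together, because a template is only dangerous when several conditions coincide: the requester may supply the subject, the certificate is usable for authentication, no manager approval or authorized signature is required, and broad groups may enroll. The script below is an added example (not code from the article or from the Certify project) that reads the templates from the Configuration partition and reports that combination. It assumes the RSAT ActiveDirectory module; the flag bit, EKU OIDs and extended-right GUIDs are documented Microsoft values, and the list of "broad" group names is this script's assumption.

```powershell
# Added example, not from the article: find ESC1-style certificate templates.
# Assumes the RSAT ActiveDirectory module (provides Get-ADRootDSE, Get-ADObject and the AD: drive).
Import-Module ActiveDirectory

$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$TemplatePath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval required
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
# Extended rights Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollRights = @('0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-4802-a710-e7c15ab866a2')
# Assumed list of identities that mean "practically everyone"; adjust for your environment
$BroadGroups = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users')

function Get-RiskyCertTemplate {
    Get-ADObject -SearchBase $TemplatePath -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage', 'msPKI-RA-Signature' |
    ForEach-Object {
        $t = $_
        $supplies   = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $approval   = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $signatures = [int]$t.'msPKI-RA-Signature'
        $ekus       = @($t.pKIExtendedKeyUsage)
        # An empty EKU list means the certificate is valid for any purpose, authentication included
        $authEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })

        # Who may enroll: allow ACEs carrying an enrollment extended right, or GenericAll
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
        $enrollers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $EnrollRights -contains $_.ObjectType.ToString() -or
                ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
            )
        } | ForEach-Object { $_.IdentityReference.Value }
        $broad = @($enrollers | Where-Object { $BroadGroups -contains ($_ -split '\\')[-1] })

        [pscustomobject]@{
            Template        = $t.Name
            SuppliesSubject = $supplies
            AuthEku         = $authEku
            ManagerApproval = $approval
            SignaturesReq   = $signatures
            BroadEnrollers  = ($broad -join ', ')
            Risky           = $supplies -and $authEku -and -not $approval -and ($signatures -eq 0) -and ($broad.Count -gt 0)
        }
    }
}

Get-RiskyCertTemplate | Where-Object Risky | Format-Table -AutoSize
```

A template that shows up as Risky should either lose the ENROLLEE_SUPPLIES_SUBJECT flag, require manager approval, or have its enrollment ACE narrowed to the specific group that genuinely needs it; the script reads only, it changes nothing.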
3. Pass-the-Hash (PtH)

How does this work?
NTLM password hashes stored in LSASS memory allow an attacker to authenticate without knowing the real password.
What does the hacker do next?
- Moves laterally to other machines via SMB or SQL services
- Uses the acquired privileges to run further exploits
On one of the projects, an attacker used PtH to spread from a regular user to the Domain Admin level in less than an hour.
Example:
Mimikatz console:
sekurlsa::logonpasswords
sekurlsa::pth /user:Admin /domain:corp.local /ntlm:a9b3c... /run:"cmd.exe"
Tip:
- Enable Credential Guard to protect hashes in memory (note that it only protects local accounts)
- Reconfigure your corporate infrastructure to disable or restrict the use of NTLM via Group Policy.
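Both tips can be verified on a host rather than assumed from the GPO: Credential Guard may be configured but not actually running (for example when virtualization-based security failed to start), and the NTLM restriction policy is only a registry value until it is confirmed. The script below is an added example (not code from the article): it reports the Credential Guard state from the Device Guard WMI class and the NTLM policy values from the Lsa registry keys, then summarises the NTLM operational log. Registry paths, value meanings and event log name are the documented ones; which combination counts as "hardened" is this script's own assumption.

```powershell
# Added example, not from the article: host-level check of Credential Guard and NTLM policy.
function Get-CredentialGuardState {
    # SecurityServicesRunning contains 1 when Credential Guard is active (2 is HVCI)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Configured = [bool]($dg.SecurityServicesConfigured -contains 1)
        Running    = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

function Get-NtlmPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    function Read-Value($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    # LmCompatibilityLevel: 0-2 may send LM/NTLMv1, 3 sends NTLMv2 only, 4 refuses LM, 5 refuses LM and NTLMv1
    $level = Read-Value $lsa 'LmCompatibilityLevel'
    # RestrictSendingNTLMTraffic: 0 allow all, 1 audit all, 2 deny all
    $send  = Read-Value $msv 'RestrictSendingNTLMTraffic'
    # RestrictReceivingNTLMTraffic: 0 allow all, 1 deny domain accounts, 2 deny all accounts
    $recv  = Read-Value $msv 'RestrictReceivingNTLMTraffic'
    # AuditReceivingNTLMTraffic: 0 off, 1 domain accounts, 2 all accounts
    $audit = Read-Value $msv 'AuditReceivingNTLMTraffic'
    [pscustomobject]@{
        LmCompatibilityLevel         = $level
        RestrictSendingNTLMTraffic   = $send
        RestrictReceivingNTLMTraffic = $recv
        AuditReceivingNTLMTraffic    = $audit
        # Assumed target state: NTLMv2 only, and NTLM either blocked or at least audited
        Hardened = ($level -ge 3) -and (($send -ge 1) -or ($recv -ge 1) -or ($audit -ge 1))
    }
}

function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    # Once the policies above are set, audited and blocked NTLM use lands in this log
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

Get-CredentialGuardState
Get-NtlmPolicy
Get-NtlmAuditSummary
```

Run it with administrative rights; the audit summary is the useful part before tightening NTLM, because it shows which systems still depend on NTLM and would break under a deny policy.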
4. DCSync attacks

What is this?
A DCSync attack allows an attacker who holds the Replicating Directory Changes privileges to impersonate a domain controller and request the password hashes of users, including administrators.
Typically the attacker then does the following:
- Proceeds to create a Golden Ticket
- Extracts privileged user accounts
- Obtains full credentials to compromise network infrastructure
In 2022, a group of cybercriminals infiltrated the infrastructure of a government agency and, thanks to DCSync, gained complete network access.
Demonstration:
PowerShell (Invoke-Mimikatz):
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /user:Administrator"'
How to protect yourself?
- Restrict who holds the Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set rights on the domain object
- Audit the AD access control lists of key objects by hand
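The ACL audit above and the event-4662 auditing recommended in the Golden Ticket section fit together: the first tells you who could run DCSync, the second tells you who actually did. The script below is an added example (not code from the article): it lists every principal with one of the three replication rights on the domain object, flags those outside an assumed baseline, and parses 4662 events from a DC for replication requests made by anything other than a domain controller's machine account. It assumes the RSAT ActiveDirectory module, remote access to the DC's Security log, and that "Audit Directory Service Access" is enabled; the extended-right GUIDs are documented values, and $KnownGood is this script's assumed baseline.

```powershell
# Added example, not from the article: who can replicate, and who did.
# Assumes the RSAT ActiveDirectory module and remote event-log access to the DC.
Import-Module ActiveDirectory

# Documented extended-right GUIDs behind the three "Replicating Directory Changes" permissions
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
# Assumed baseline of principals expected to hold these rights; add e.g. an
# Azure AD Connect service account if you run one
$KnownGood = @('Administrators', 'Domain Controllers', 'Enterprise Domain Controllers',
               'Enterprise Read-only Domain Controllers', 'Enterprise Admins')

function Get-ReplicationRightHolders {
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$domainDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $ReplRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            $name = ($_.IdentityReference.Value -split '\\')[-1]
            [pscustomobject]@{
                Identity   = $_.IdentityReference.Value
                Right      = $ReplRights[$_.ObjectType.ToString()]
                Unexpected = ($KnownGood -notcontains $name)
            }
        } | Sort-Object Unexpected -Descending
}

function Get-DCSyncEvents {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Hours = 24)
    # Machine accounts of real DCs are the only subjects expected to request replication
    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # The Properties field lists the control-access GUIDs that were exercised
            $hits = @($ReplRights.Keys | Where-Object { $data['Properties'] -match $_ })
            if ($hits.Count -gt 0 -and ($dcAccounts -notcontains $data['SubjectUserName'])) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Rights  = ($hits | ForEach-Object { $ReplRights[$_] }) -join ', '
                    Object  = $data['ObjectName']
                }
            }
        }
}

Get-ReplicationRightHolders | Format-Table -AutoSize
# Get-DCSyncEvents -DomainController dc01.corp.local -Hours 24 | Format-Table -AutoSize
```

Anything reported as Unexpected by the first function deserves a ticket, and any row at all from the second function deserves an incident, unless it is a known synchronisation account you deliberately left out of the baseline.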
5. Unconstrained Delegation

Why is this dangerous?
Services with Unconstrained Delegation store the TGTs of the users who connect to them, including administrators. If an attacker gains control of such a server, they can use these tickets to perform any action on behalf of the affected user.
Next steps:
- Escalation of Privilege
- Performing fake transactions on systems connected to the attacked server
- Using TGT tickets to perform Pass-the-Ticket (PtT) attacks
A software vendor was attacked via a SQL server with delegation enabled. Administrator tickets were used to connect to the company's financial systems.
Example:
PowerShell and Rubeus:
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
Rubeus.exe monitor /interval:5 /filteruser:SERVER01$
Recommendations:
- Switch all resources to Constrained Delegation
- Disable delegation for nodes where it is not required
- Check Resource-Based Constrained Delegation (RBCD) and limit its use
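Checking the three recommendations above needs more than the Get-ADComputer one-liner from the example, because unconstrained delegation can also be set on user accounts, constrained delegation lives in msDS-AllowedToDelegateTo on the delegating account, and RBCD is stored on the target in msDS-AllowedToActOnBehalfOfOtherIdentity. The script below is an added example (not code from the article or the Rubeus project) that inventories all three and additionally lists members of privileged groups whose accounts are not marked "sensitive and cannot be delegated", the flag that stops an administrator's TGT from ever being cached on a delegating server. It assumes the RSAT ActiveDirectory module; the group list and function names are this example's own.

```powershell
# Added example, not from the article: delegation inventory for a domain.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DelegationInventory {
    # Domain controllers are trusted for delegation by design; leave them out of the unconstrained list
    $dcNames = (Get-ADDomainController -Filter *).Name

    $unconstrained = @(
        Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
            Where-Object { $dcNames -notcontains $_.Name } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Unconstrained'; Account = $_.SamAccountName; Target = '(any service)' } }
        Get-ADUser -Filter 'TrustedForDelegation -eq $true' |
            ForEach-Object { [pscustomobject]@{ Kind = 'Unconstrained'; Account = $_.SamAccountName; Target = '(any service)' } }
    )

    # Constrained delegation: msDS-AllowedToDelegateTo holds the target SPNs. UAC bit 0x1000000
    # (TRUSTED_TO_AUTH_FOR_DELEGATION) allows protocol transition, which is the riskier variant.
    $constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                       -Properties 'msDS-AllowedToDelegateTo', 'sAMAccountName', 'userAccountControl' |
        ForEach-Object {
            $acct = $_
            $kind = if (($acct.userAccountControl -band 0x1000000) -ne 0) { 'Constrained+ProtocolTransition' } else { 'Constrained' }
            foreach ($spn in $acct.'msDS-AllowedToDelegateTo') {
                [pscustomobject]@{ Kind = $kind; Account = $acct.sAMAccountName; Target = $spn }
            }
        }

    # RBCD is configured on the target: its msDS-AllowedToActOnBehalfOfOtherIdentity security
    # descriptor lists the principals allowed to delegate to it
    $rbcd = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', 'sAMAccountName' |
        ForEach-Object {
            $target = $_
            $sd = $target.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            if ($sd -is [byte[]]) {
                # Some cmdlets return the raw descriptor; convert it so .Access is available
                $raw = $sd
                $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
                $sd.SetSecurityDescriptorBinaryForm($raw)
            }
            foreach ($ace in $sd.Access) {
                [pscustomobject]@{ Kind = 'RBCD'; Account = $ace.IdentityReference.Value; Target = $target.sAMAccountName }
            }
        }

    $unconstrained + @($constrained) + @($rbcd)
}

function Get-UnprotectedPrivilegedAccount {
    # Administrative accounts should carry AccountNotDelegated so their TGTs are never handed to a delegating service
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins'))   # assumed group list
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties AccountNotDelegated |
            Where-Object { -not $_.AccountNotDelegated } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
    }
}

Get-DelegationInventory | Sort-Object Kind, Account | Format-Table -AutoSize
Get-UnprotectedPrivilegedAccount | Format-Table -AutoSize
```

Rows of Kind "Unconstrained" are the ones to convert to constrained delegation or remove; "Constrained+ProtocolTransition" and "RBCD" entries are not wrong by themselves but should each map to a documented business need.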
Conclusion
These vulnerabilities highlight how easily an attacker can gain full-scale access through Active Directory configuration errors.
Your steps:
- Check your network for the issues described.
- Restrict access and set up auditing.
- Train specialists to keep the infrastructure under control.