Active Directory is the backbone of most enterprise networks. A compromised AD means total domain takeover. Learn the attacks and how to defend.
## Common AD Attacks

| Attack | Description |
|---|---|
| Kerberoasting | Request service tickets for SPN-bearing accounts and crack them offline to recover service account passwords |
| AS-REP Roasting | Attack accounts that do not require Kerberos pre-authentication by cracking their AS-REP offline |
| Golden Ticket | Forge a TGT using the KRBTGT account hash |
| Silver Ticket | Forge a service ticket using the service account hash |
| DCSync | Abuse directory replication rights to pull password hashes from a domain controller (every account in the domain) |
| Pass-the-Hash | Authenticate with a stolen NTLM hash instead of the password |
## Detection

Kerberoasting detection (Event ID 4769; `0x17` is RC4-HMAC, the encryption type attackers request because it cracks fastest):

```spl
index=windows EventCode=4769 Ticket_Encryption_Type=0x17
| stats count by ServiceName, Account_Name
| where count > 10
```

DCSync detection (Event ID 4662; the GUID is the DS-Replication-Get-Changes control access right):

```spl
index=windows EventCode=4662
Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"
| table _time, SubjectUserName, ObjectServer
```
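The two searches above, re-implemented as plain Python over constructed Windows Security events so the thresholds can be checked offline. This is an added example, not code from the original page; the field names (`EventCode`, `Account_Name`, `ServiceName`, `Ticket_Encryption_Type`, `Properties`) mirror the Splunk searches and the sample events are made up.

```python
# Added example: Kerberoasting and DCSync detection logic mirroring the Splunk
# searches on this page, applied to constructed sample events (not real logs).
from collections import Counter

# GUID from the 4662 search: DS-Replication-Get-Changes control access right.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
# Ticket_Encryption_Type value for RC4-HMAC, the Kerberoastable case in the 4769 search.
RC4_HMAC = "0x17"


def kerberoast_suspects(events, threshold=10):
    """Mirror `stats count by ServiceName, Account_Name | where count > threshold`
    over RC4 service-ticket requests (Event ID 4769).
    Returns {(service, account): count} for pairs above the threshold."""
    counts = Counter()
    for e in events:
        if e.get("EventCode") == 4769 and e.get("Ticket_Encryption_Type") == RC4_HMAC:
            counts[(e["ServiceName"], e["Account_Name"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def dcsync_events(events):
    """Mirror the 4662 search: events whose Properties carry the replication GUID."""
    return [e for e in events
            if e.get("EventCode") == 4662
            and DS_REPLICATION_GET_CHANGES in e.get("Properties", "")]


# Constructed sample events (hypothetical names, not real logs): one account
# requests 12 RC4 tickets for the same SPN, another requests 2 AES (0x12)
# tickets, and one 4662 event carries the replication GUID.
SAMPLE_EVENTS = (
    [{"EventCode": 4769, "Account_Name": "jdoe@CORP.LOCAL",
      "ServiceName": "MSSQLSvc/sql01.corp.local",
      "Ticket_Encryption_Type": RC4_HMAC} for _ in range(12)]
    + [{"EventCode": 4769, "Account_Name": "asmith@CORP.LOCAL",
        "ServiceName": "HTTP/web01.corp.local",
        "Ticket_Encryption_Type": "0x12"} for _ in range(2)]
    + [{"EventCode": 4662, "SubjectUserName": "jdoe", "ObjectServer": "DS",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}]
)

if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_EVENTS))  # {('MSSQLSvc/sql01.corp.local', 'jdoe@CORP.LOCAL'): 12}
    print([e["SubjectUserName"] for e in dcsync_events(SAMPLE_EVENTS)])  # ['jdoe']
```

Note that the 4662 search also matches legitimate replication by domain controllers; in practice, filter out DC computer accounts and alert on any remaining SubjectUserName.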
## Hardening Checklist

- Protect the KRBTGT account (reset its password twice, allowing replication between resets, so existing golden tickets are invalidated)
- Use the Protected Users group for admin accounts
- Disable NTLM where possible
- Implement a tiered admin model
- Use LAPS for local admin passwords
- Enable advanced audit policies
## Critical

If domain admin credentials are compromised, assume total breach. Golden tickets survive ordinary password resets because they are signed with the KRBTGT key; only a double KRBTGT reset invalidates them.
December 2024