Active Directory Penetration Testing Playbook

According to Frost & Sullivan, Microsoft Active Directory is adopted by approximately 90% of Fortune 1000 companies as a primary method to provide seamless authentication and authorization. Such pervasive technology is nowadays a primary target for threat adversaries willing to compromise the core of an enterprise network and access to its most business-critical data.

Given the crucial role of Active Directory, understanding its architecture, protocols, attack surface, and common weaknesses are key for structuring effective and repeatable penetration testing initiatives.

This workshop presents a beginner-friendly methodology to assess Microsoft AD environment. Starting from the introduction of effective domain enumeration techniques, students are presented with the most common misconfigurations affecting AD environments, and how to detect and exploit such issues to demonstrate the related impact.

As part of the workshop, multiple real-world case studies will be offered to attendants including examples of techniques adopted by modern Advanced Persistent Threats (APTs) to attack the most secure Active Directory environments on the planet.

What will the students get

• Practical methods to identify and exploit the most common Active Directory weaknesses.
• A mini-arsenal with pre-configured tools for testing Active Directory environments.

Agenda/ Topics Covered

Overview on Active Directory Penetration Testing

• What is Microsoft Active Directory (AD) and its role in modern enterprise network.
• What is Active Directory Domain Services (AD DS).
• What is Penetration Testing?
• Penetration Testing vs. Red Teaming Active Directory.

Extensive Active Directory Domain Enumeration

• Understanding the structure of the target environment by enumerating Forests, Domains, Organizational Unit (OUs), Users, Groups, and Computers.
• Mapping privileges and trust relationships in the domain by enumerating Group Policy Objects (GPOs), Access Control Lists (ACLs), and Domain Trusts.
• Introduction to Bloodhound for extensive domain enumeration.

Abusing Active Directory for Local Privileges Escalation

• Abusing GPO for local privileges escalation.
• Abuse local administrative password in Group Policy Preference files.
• Abuse Local Administrator Password Solution (LAPS).

Domain Persistence Techniques

• Overview on Domain Persistence Techniques
• Case study: Golden & Silver Ticket Attacks

Domain Privileges Escalation

• Domain escalation: Domain Admin is just the beginning.
• Escalate privileges via Kerberoasting and AS-REP Roasting attacks.
• Password Spraying Attacks.
• How to select high-value users to be attacked.
• How to build a password dictionary to increase the guessing success rate.
• Overview on Kerberos Delegation issues.
• Identify Interesting ACL and abuse for Domain Escalation.

Lateral Movement

• Lateral Movement via network protocols
  • PowerShell Remoting
  • RDP
  • SMB/RPC
  • WinRM
• Abusing ACL for Lateral Movement
  • Manipulating passwords and group members
• Pass-the-Hash (PtH)
• Over-Pass-the-Hash (Over-PtH)
• Pass-the-Ticket (PtT)

Overview on Cloud-based & Hybrid Active Directory Security

• Terminology first: AD, ADDS, AAD, AADDS, Microsoft 365, Office 365, etc.
• AzureAD Reconnaissance
  • Users, Groups, Roles, Applications, etc.
  • Introduction to AzureHound for domain enumeration.
• Lateral Movement Techniques
  • Moving laterally by abusing SharePoint Online / OneDrive.
  • Effective internal phishing attacks leveraging Microsoft Teams.
• Example of Privilege Escalation technique: the Golden SAML attack.
• Example of Persistence technique: abusing application ownership.