Active Directory (AD) is the identity and access management backbone of most enterprise Windows networks. Compromising Active Directory means compromising the entire organization. As a security professional, you must understand AD's structure, components, trust relationships, and the attack techniques that target it.
This lesson builds on your knowledge of Windows authentication (Lesson 2) and PowerShell (Lesson 5) to provide a comprehensive understanding of Active Directory from a security perspective.
Active Directory Domain Services (AD DS) is a distributed, hierarchical database that stores information about network resources. Key architectural components:
```text
Forest: corp.local (Forest Root)
├── Tree: corp.local
│   ├── Domain: corp.local
│   │   ├── OU: Users
│   │   ├── OU: Computers
│   │   ├── OU: Servers
│   │   └── OU: Service Accounts
│   └── Domain: dev.corp.local (Child Domain)
└── Tree: subsidiary.com
    └── Domain: subsidiary.com (Separate Tree)
```

Domain Controllers are the servers that host the AD DS role. In a typical environment, multiple DCs provide redundancy and load balancing. Five Flexible Single Master Operations (FSMO) roles distribute specific responsibilities that must not be performed concurrently on more than one DC:
| FSMO Role | Scope | Security Significance |
|---|---|---|
| Schema Master | One per forest | Controls schema modifications; these are forest-wide and effectively irreversible (attributes can be deactivated, not deleted), so a malicious schema change is a stealthy persistence vector |
| Domain Naming Master | One per forest | Controls addition/removal of domains; compromise allows creating rogue domains |
| RID Master | One per domain | Allocates RID pools to DCs for SID generation; its loss only blocks creation of new principals once the DCs exhaust their pools, so it is less critical than the PDC Emulator but still worth monitoring |
| PDC Emulator | One per domain | Authoritative time source, receives urgent replication of password changes and is consulted on failed logons, default target for GPMC edits; highest-value DC to compromise |
| Infrastructure Master | One per domain | Handles cross-domain object references; should not be on a GC server in multi-domain forests |
```powershell
# Find FSMO role holders
netdom query fsmo

# Or using PowerShell
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# Find all domain controllers
Get-ADDomainController -Filter * | Select-Object Name, Site, OperatingSystem, IPv4Address

# Check replication partners and status. A DCSync source never shows up here: it
# pulls changes from one DC using replication rights and is only visible in that
# DC's Security log (event 4662), so compare this list against those events.
Get-ADReplicationPartnerMetadata -Target "DC01" -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

The PDC Emulator is the most critical DC in a domain. Password changes replicate to it urgently and a logon that fails with a bad password is retried against it before being rejected, so it always knows the latest password; it is the authoritative time source for the domain (Kerberos tolerates only five minutes of clock skew by default); and it is the DC that the Group Policy Management Console edits GPOs on. Compromising it, or seizing its role, gives an attacker outsized control over the domain. Always ensure it is the most hardened and monitored DC.
Trust relationships allow users in one domain to access resources in another. Understanding trusts is critical for understanding lateral movement across domain boundaries:
| Trust Type | Description | Security Implication |
|---|---|---|
| Parent-Child | Automatic, bidirectional, transitive within a tree | No SID filtering inside a forest, so a compromised child domain can escalate to the forest root (for example by placing the Enterprise Admins SID in the SID History of a forged ticket) |
| Tree-Root | Automatic, bidirectional, transitive between tree root domains in a forest | Cross-tree access within the forest, with the same intra-forest weakness as above |
| External | Manual, non-transitive, between domains in different forests or NT 4.0 domains | Limited to the two named domains; can be one-way; SID filtering (quarantine) is on by default but can be disabled |
| Forest | Manual, transitive, between two forest root domains | Broad access; SID filtering is applied by default, but a compromised trusted forest can still authenticate to every host in the trusting forest unless selective authentication restricts it |
| Shortcut | Manual, transitive, created to speed up authentication between domains in the same forest | Optimizes the trust path; reduces referral hops |

⚠️ A two-way forest trust between Forest A and Forest B means that an attacker who fully compromises Forest A can authenticate into Forest B as any Forest A principal and reach whatever those principals are allowed to access. SID filtering on forest trusts strips foreign SIDs from SID History by default, but it is often relaxed for migrations (netdom trust … /enablesidhistory:yes), after which SID History injection works across the trust; inside a forest it is never applied, which is why the forest, not the domain, is the security boundary. Always monitor trust relationships and use Selective Authentication to limit which servers trusted-forest users can authenticate to.
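The checks described above can be scripted. The following is an added example, not code from the lesson: it reads the raw trustAttributes bit field of every trust (the flag values are from MS-ADTS; the friendlier Get-ADTrust booleans are derived from them) and reports the settings that widen the blast radius of a cross-domain compromise. It assumes the ActiveDirectory module and a domain-joined session.

```powershell
# Added example (not from the lesson): decode trustAttributes on every trust and
# flag the configurations that let a compromise in one domain reach another.
Import-Module ActiveDirectory

# Flag values from MS-ADTS trustAttributes
$TA = @{
    NonTransitive       = 0x1
    UplevelOnly         = 0x2
    QuarantinedDomain   = 0x4     # SID filtering on an external trust
    ForestTransitive    = 0x8
    CrossOrganization   = 0x10    # selective authentication
    WithinForest        = 0x20    # parent-child / tree-root / shortcut
    TreatAsExternal     = 0x40    # forest trust with /enablesidhistory:yes
    NoTgtDelegation     = 0x200
    EnableTgtDelegation = 0x800
}

function Test-TrustBit { param([int]$Value, [int]$Flag) ($Value -band $Flag) -ne 0 }

function Get-TrustRiskReport {
    Get-ADTrust -Filter * -Properties trustAttributes | ForEach-Object {
        $attr     = [int]$_.trustAttributes
        $findings = New-Object System.Collections.Generic.List[string]
        $isIntra  = Test-TrustBit $attr $TA.WithinForest
        $isForest = Test-TrustBit $attr $TA.ForestTransitive

        if ($isIntra) {
            # No SID filtering inside a forest: SID History forged in a child-domain
            # ticket is honoured by the forest root.
            $findings.Add('Intra-forest trust: SID filtering not applied (forest is the security boundary)')
        }
        elseif ($isForest) {
            if (Test-TrustBit $attr $TA.TreatAsExternal) {
                $findings.Add('Forest trust with SID history enabled: RID >= 1000 SIDs from the trusted forest are accepted')
            }
            if (-not (Test-TrustBit $attr $TA.CrossOrganization)) {
                $findings.Add('Forest-wide authentication: trusted-forest users can authenticate to every host')
            }
            if (Test-TrustBit $attr $TA.EnableTgtDelegation) {
                $findings.Add('TGT delegation enabled across the trust: unconstrained delegation works cross-forest')
            }
        }
        else {
            if (-not (Test-TrustBit $attr $TA.QuarantinedDomain)) {
                $findings.Add('External trust without SID filtering (quarantine off): SID History injection possible')
            }
        }

        [PSCustomObject]@{
            Trust      = $_.Name
            Direction  = $_.Direction      # Inbound / Outbound / BiDirectional
            Type       = if ($isIntra) { 'IntraForest' } elseif ($isForest) { 'Forest' } else { 'External' }
            Attributes = '0x{0:X}' -f $attr
            Findings   = $findings -join '; '
        }
    }
}

Get-TrustRiskReport | Format-Table -AutoSize -Wrap
```

Run it from each domain in scope: trust attributes are stored per side, and selective authentication in particular is configured on the trusting side, so the view from Forest A does not show what Forest B has applied.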
Group Policy is the primary mechanism for centrally managing Windows configurations in a domain. GPOs can enforce security settings, deploy software, configure scripts, and control virtually every aspect of the Windows environment.
GPOs are processed in this order: Local → Site → Domain → OU (LSDOU), with nested OUs processed parent first. Later-applied GPOs override earlier ones where settings conflict, so a GPO linked directly to the object's OU normally wins over one linked at the domain. Among GPOs linked to the same container, link order 1 (the top of the list in GPMC) is applied last and takes precedence. Two settings change this: a link marked Enforced cannot be overridden by GPOs lower in the hierarchy, and Block Inheritance on an OU discards every non-enforced GPO from above it.
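To see the order a client will actually apply, resolve the inheritance for a container rather than reasoning it out by hand. This is an added example, not part of the lesson's code; it assumes the GroupPolicy module and an OU named OU=Servers,DC=corp,DC=local. Site-linked GPOs are not included, because the site depends on the individual computer.

```powershell
# Added example (not from the lesson): effective GPO precedence for one OU,
# honouring Enforced links and Block Inheritance (site links are not shown).
Import-Module GroupPolicy

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$TargetDN)

    $inh = Get-GPInheritance -Target $TargetDN

    # InheritedGpoLinks mirrors the "Group Policy Inheritance" tab in GPMC: the
    # first entry has the highest precedence, i.e. it is applied last and wins.
    # Enforced parent links sort above the OU's own links; with inheritance
    # blocked, non-enforced parent links are absent from the list entirely.
    $rank = 0
    $inh.InheritedGpoLinks | ForEach-Object {
        $rank++
        [PSCustomObject]@{
            Precedence = $rank
            GPO        = $_.DisplayName
            LinkedAt   = $_.Target
            Enforced   = $_.Enforced
            Enabled    = $_.Enabled
        }
    }

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$TargetDN blocks inheritance: only Enforced GPOs from above still apply"
    }
}

# Assumed OU; substitute any OU or the domain DN itself
Get-EffectiveGpoOrder -TargetDN 'OU=Servers,DC=corp,DC=local' | Format-Table -AutoSize
```

Compare the output against where you expected a setting to come from; an Enforced link at the domain level that you did not know about is a common reason a security baseline at the OU is silently overridden.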
```powershell
# List all GPOs in the domain
Get-GPO -All | Select-Object DisplayName, GpoStatus, ModificationTime, CreationTime

# View GPO links (where each GPO is applied). The XML report carries one LinksTo
# element per link; SOMPath is the container the GPO is linked to.
Get-GPO -All | ForEach-Object {
    [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
    [PSCustomObject]@{
        GPO   = $_.DisplayName
        Links = @($report.GPO.LinksTo.SOMPath) -join '; '
    }
}

# Generate a detailed HTML report for a specific GPO
Get-GPOReport -Name "Default Domain Policy" -ReportType Html -Path "C:\Temp\DDP.html"

# Find GPOs with weak permissions (whoever can edit a GPO controls every machine it
# applies to). GpoEdit, GpoEditDeleteModifySecurity and GpoCustom all allow changes;
# only Domain Admins, Enterprise Admins and SYSTEM should hold them.
Get-GPO -All | ForEach-Object {
    $gpo = $_   # keep a handle: $_ is rebound to the permission entry inside the inner pipeline
    Get-GPPermission -Guid $gpo.Id -All | Where-Object {
        $_.Permission -in @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom') -and
        $_.Trustee.Name -notin @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    } | Select-Object @{N='GPO';E={$gpo.DisplayName}}, @{N='Trustee';E={$_.Trustee.Name}}, Permission
}

# Check for GPO-deployed logon/startup scripts (persistence vector). Match the
# Scripts extension namespace rather than the bare word "script", which also
# matches "Description" and flags almost every GPO.
Get-GPO -All | ForEach-Object {
    $report = Get-GPOReport -Guid $_.Id -ReportType Xml
    if ($report -match 'GroupPolicy/Settings/Scripts') {
        Write-Host "GPO '$($_.DisplayName)' contains script settings" -ForegroundColor Yellow
    }
}
```

💡 GPO abuse is a powerful technique for persistence and lateral movement. If an attacker can modify a GPO (through weak GPO permissions), they can deploy malicious scripts, create scheduled tasks, add users to local admin groups, or install software on every computer that the GPO applies to. Tools like SharpGPOAbuse automate this process.
Active Directory has a vast attack surface. Here is a summary of the major attack categories you should understand:
| Attack Category | Technique | Required Privileges | Impact |
|---|---|---|---|
| Credential Theft | Pass-the-Hash | NTLM hash of target user | Lateral movement as target user |
| Credential Theft | Pass-the-Ticket | Kerberos ticket (TGT/TGS) | Lateral movement as ticket owner |
| Credential Theft | DCSync | Replicating Directory Changes rights | Dump all domain hashes |
| Credential Theft | Golden Ticket | KRBTGT hash | Domain-wide persistence |
| Credential Theft | Silver Ticket | Service account hash | Access specific services as any user |
| Credential Theft | Kerberoasting | Any domain user | Crack service account passwords |
| Credential Theft | AS-REP Roasting | Any domain user | Crack passwords of accounts without pre-auth |
| Privilege Escalation | ACL Abuse | Write permissions on AD objects | Modify group membership, reset passwords |
| Privilege Escalation | GPO Abuse | GPO edit permissions | Code execution on all affected machines |
| Privilege Escalation | Delegation Abuse | Compromised delegated account | Impersonate any user to target service |
| Persistence | DCShadow | Domain Admin rights | Inject malicious changes into AD |
| Persistence | SID History | Domain Admin rights | Add SIDs to user's token for access |
| Persistence | AdminSDHolder | Write permission on the AdminSDHolder object (CN=AdminSDHolder,CN=System) | SDProp re-stamps the attacker's ACE onto every protected group and member roughly hourly |
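DCSync in the table above deserves a concrete check, since the only privilege it needs is the replication extended rights on the domain naming context and the only trace it leaves is a 4662 event on the DC that served it. The following is an added example, not part of the lesson: it lists who holds those rights and then scans the Security log for non-DC principals that have exercised them. It assumes the ActiveDirectory module, a SACL on the domain object that audits the replication control-access rights (without one, no 4662 events exist), and the rights GUIDs from the AD schema, which are constant across forests.

```powershell
# Added example (not from the lesson): who can DCSync, and who has.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema; the same in every forest
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncPrincipals {
    # Read the ACL of the domain NC head through the AD: drive
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$domainDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $ReplRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            [PSCustomObject]@{
                Principal = $_.IdentityReference.Value
                Right     = $ReplRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
            }
        } | Sort-Object Principal, Right -Unique
}

function Get-DcSyncEvents {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)

    # DC computer accounts replicate legitimately; anything else is a finding
    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_$" }

    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields out of the event XML by name
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # Properties lists the control-access right GUIDs that were exercised
            $used = $ReplRights.Keys | Where-Object { $d['Properties'] -match $_ }
            if ($used -and ($dcAccounts -notcontains $d['SubjectUserName'])) {
                [PSCustomObject]@{
                    Time    = $_.TimeCreated
                    Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Rights  = ($used | ForEach-Object { $ReplRights[$_] }) -join ', '
                    Object  = $d['ObjectName']
                }
            }
        }
}

Get-DcSyncPrincipals | Format-Table -AutoSize
Get-DcSyncEvents -Hours 24 | Format-Table -AutoSize
```

Expect Domain Controllers, Enterprise Domain Controllers, Domain Admins, Enterprise Admins, Administrators and SYSTEM in the first list, plus Azure AD Connect or similar sync accounts where deployed; any other principal, and any 4662 hit from a non-DC account, is worth an immediate look. Run the event query against every DC, because an attacker chooses which one to pull from.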
Kerberos delegation allows a service to impersonate a user when connecting to another service (for example, a web front end querying a SQL back end as the calling user). It comes in three forms: unconstrained (the user's TGT is forwarded to the service and cached there), constrained (the service may request tickets only to a listed set of SPNs, optionally with protocol transition), and resource-based constrained (the target resource lists which accounts may delegate to it). All three are frequently abused by attackers:
```powershell
# Find computers with unconstrained delegation (domain controllers have it by
# design; any other machine is a finding)
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation |
    Select-Object Name, DNSHostName, TrustedForDelegation

# Find users with unconstrained delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation |
    Select-Object Name, SamAccountName

# Find constrained delegation configurations. TrustedToAuthForDelegation means
# protocol transition ("use any authentication protocol"): the account can obtain
# tickets to the listed SPNs for users who never authenticated to it.
Get-ADObject -Filter {msDS-AllowedToDelegateTo -like "*"} -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo

# Find resource-based constrained delegation. It is set on the target (resource)
# object, normally a computer; the raw attribute is a security descriptor, and
# PrincipalsAllowedToDelegateToAccount is the decoded list of who may delegate to it.
Get-ADComputer -Filter {msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"} -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount
```

⚠️ Unconstrained delegation is extremely dangerous. When a user authenticates with Kerberos to a service on a host configured for unconstrained delegation, the user's TGT is sent along with the service ticket and cached in LSASS on that host. If an attacker compromises that host, they can extract the cached TGTs, including those of Domain Admins who authenticated to it, and attackers routinely coerce privileged machine accounts into authenticating to such a host to harvest their TGTs. Microsoft recommends migrating to constrained or resource-based constrained delegation, enabling "Account is sensitive and cannot be delegated" on high-value accounts, and placing them in the Protected Users group, which blocks delegation of their credentials outright.
Defending AD requires a layered approach. Key defensive measures, and the checks that show whether they are in place, include:

```powershell
# Check who is in the Protected Users group (members cannot use NTLM, DES/RC4 or
# any form of Kerberos delegation, and get a 4-hour TGT lifetime)
Get-ADGroupMember -Identity "Protected Users" | Select-Object Name, SamAccountName

# Check for accounts with "Account is sensitive and cannot be delegated"
Get-ADUser -Filter {AccountNotDelegated -eq $true} | Select-Object Name, SamAccountName

# Check for gMSAs in the domain and which hosts may retrieve each password
# (the attribute is not returned unless requested explicitly)
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# Audit AD for accounts with dangerous properties. Request only the attributes
# needed; -Properties * pulls every attribute of every user and is slow at scale.
Get-ADUser -Filter * -Properties PasswordNeverExpires, TrustedForDelegation, DoesNotRequirePreAuth |
    Where-Object {
        $_.PasswordNeverExpires -eq $true -or
        $_.TrustedForDelegation -eq $true -or
        $_.DoesNotRequirePreAuth -eq $true
    } | Select-Object Name, PasswordNeverExpires, TrustedForDelegation, DoesNotRequirePreAuth
```
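The checks above report state; the next step is to find the privileged accounts that are missing the protections recommended in the delegation warning and here, and to apply them in a controlled way. This is an added example, not part of the lesson: it walks the built-in Tier-0 groups, reports each member that is not in Protected Users, is still delegatable, or carries an SPN (and is therefore Kerberoastable), and offers a remediation function that supports -WhatIf. It assumes the ActiveDirectory module and a domain functional level of 2012 R2 or later for Protected Users to have effect.

```powershell
# Added example (not from the lesson): find and harden unprotected Tier-0 accounts.
Import-Module ActiveDirectory

# Built-in groups whose members are Tier-0 in any domain
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-UnprotectedPrivilegedUsers {
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty SamAccountName)

    $Tier0Groups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object SamAccountName -Unique |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.SamAccountName -Properties AccountNotDelegated, PasswordLastSet, ServicePrincipalName
            [PSCustomObject]@{
                User             = $u.SamAccountName
                InProtectedUsers = $protected -contains $u.SamAccountName
                NotDelegated     = [bool]$u.AccountNotDelegated
                HasSPN           = $u.ServicePrincipalName.Count -gt 0   # Kerberoastable admin
                PasswordLastSet  = $u.PasswordLastSet
            }
        } |
        Where-Object { -not $_.InProtectedUsers -or -not $_.NotDelegated -or $_.HasSPN }
}

function Protect-PrivilegedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$User)
    process {
        if ($PSCmdlet.ShouldProcess($User, 'Set AccountNotDelegated and add to Protected Users')) {
            Set-ADUser -Identity $User -AccountNotDelegated $true
            Add-ADGroupMember -Identity 'Protected Users' -Members $User
        }
    }
}

# Review the findings first, then drop -WhatIf to apply them.
Get-UnprotectedPrivilegedUsers | Format-Table -AutoSize
Get-UnprotectedPrivilegedUsers | Protect-PrivilegedUser -WhatIf
```

Exclude break-glass accounts and anything that must authenticate with NTLM or from a non-Windows client before removing -WhatIf: Protected Users disables NTLM, DES/RC4 and credential caching for its members, so an account that depends on any of these stops working the moment it is added. An SPN on a Domain Admin is not fixed by this function; move the service to a gMSA and remove the SPN from the admin account instead.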