[01]

Credential Abuse Concepts: Why Credentials Matter

Why Credentials Become High-Value Attack Targets

In enterprise environments, legitimate credentials are the highest-value attack target. An attacker holding valid credentials authenticates exactly as the legitimate user would, so signature-based detection fails and defenders are left with behavioural signals (unusual source host, time of day, or access pattern). The access persists until the password is changed or the account is disabled; a reboot or patch cycle does nothing to it.

🎯 Credential Value Proposition

Legitimate Access: Valid credentials satisfy authentication rather than bypassing it; no exploit or software vulnerability is required. Undetected Activity: Attackers using valid credentials appear in logs as the authorized user; only context (source, time, target) distinguishes them. Persistent Access: Credentials remain valid across reboots, system updates, and network changes until they are rotated or revoked. Lateral Movement: A single credential grants access to every resource that user is permitted to reach, on every system that trusts the domain. Privilege Escalation Foundation: A valid low-privilege account is the starting point for enumeration and escalation toward higher-privilege accounts.

🔍 Credential Interception Attack Surface

Network Level: Authentication material crossing the network can be captured for offline cracking (NTLM challenge-responses) or relayed to another host while the exchange is still live. Authentication Protocol Level: NTLM is exposed to relay and pass-the-hash; Kerberos exposes material that can be cracked offline (service tickets for accounts with weak passwords, AS-REP data for accounts without pre-authentication) or replayed as-is (pass-the-ticket). Memory Level: LSASS holds NT hashes, Kerberos tickets and, where WDigest is enabled, plaintext passwords; dumping its memory extracts them. Storage Level: Credentials persist in configuration files, Group Policy Preferences, scheduled tasks and scripts; attackers hunt for stored credentials because they need no exploit at all.

💾 Common Credential Storage Locations

Active Directory: Password hashes for every domain account live in ntds.dit on each domain controller; read access to that file, or the replication rights that DCSync abuses, is equivalent to domain compromise. Local System: The LSASS process caches credentials of logged-on users; memory dumping extracts hashes and Kerberos tickets. The local SAM holds local account hashes. Group Policy: Group Policy Preferences could embed passwords in SYSVOL (the cpassword attribute) encrypted with a key Microsoft published; the feature was removed in 2014 (MS14-025) but stale preference files often remain readable by every domain user. Scheduled Tasks and Services: Accounts configured to run tasks or services have their passwords stored by the OS, recoverable by a local administrator. Registry: Domain cached credentials (for logon when no DC is reachable) and LSA secrets sit in the SECURITY hive; attackers dump them for offline cracking. Configuration Files: Applications store connection strings and service passwords in config files and scripts for service access.

Kerberos-Related Abuse Concepts (Theoretical Framework)

Kerberos authentication protocol provides multiple attack opportunities. Understanding these conceptually is essential before studying specific exploitation techniques.

🎫 Ticket-Based Attack Concepts

Ticket-Granting Ticket (TGT): After authenticating to the KDC, the user receives a TGT encrypted with the krbtgt account's key. The TGT is presented to request service tickets without re-entering the password. An attacker who obtains a TGT (pass-the-ticket) can request service tickets for anything that user may access until the TGT expires (10 hours by default). Service Ticket: Grants access to one specific service and is encrypted with that service account's long-term key. An attacker holding a service ticket presents it to the service without knowing any password. Attack Implication: Stealing tickets removes the need to know passwords; stealing the keys that encrypt tickets removes the need to steal tickets, because they can be forged.

🎫 Ticket Forgery Concepts

Attack Surface: Forging requires the key a ticket is encrypted with. With a service account's key an attacker forges service tickets for that service only, carrying any user identity and any group membership in the PAC (a "silver ticket"). With the krbtgt account's key an attacker forges TGTs for any user, which the KDC then exchanges for tickets to every service (a "golden ticket"). Detection Difficulty: The service decrypts the ticket with its own key and it validates, so the service cannot tell a forged ticket from a legitimate one unless it asks the KDC to verify the PAC (most services do not by default) or unless domain controller logs show a service ticket in use with no corresponding TGT issuance. Persistence Implication: A single key compromise, above all krbtgt, yields forgeable access that survives password changes on every other account until the compromised key itself is rotated (krbtgt must be reset twice, since the KDC honours the previous key).

🎫 Pre-Authentication Bypass Concepts

Normal Flow: The KDC requires pre-authentication before issuing a TGT: the client sends a timestamp encrypted with the user's long-term key, proving knowledge of the password without transmitting it. Misconfiguration: If "Do not require Kerberos preauthentication" is set on an account, anyone can send an AS-REQ for that user and receive an AS-REP whose encrypted part is keyed to the user's password. The attacker cannot use the returned TGT (they lack the session key) but can attack the encrypted part offline. Attack Implication: Disabled pre-authentication turns the KDC into an oracle for offline password guessing ("AS-REP roasting"); the guesses themselves generate no failed-logon events, only the initial ticket request is logged.

🔑 Service Account Credential Abuse

  • Services authenticate with long-lived passwords set by administrators, not rotated by the OS
  • Passwords often unchanged for years; any domain user can request a ticket encrypted with them (Kerberoasting)
  • Compromise of the key enables forging tickets to that service as any user (silver tickets)
  • Forged tickets validate correctly at the service
  • Rarely covered by monitoring because service account logons look routine
  • High-value persistence mechanism
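The ticket concepts above (TGT, service ticket, forgery, pre-authentication, long-lived service keys) are easier to reason about with a working model. The following is an added example written for this page, not code from the original course material: a toy Kerberos KDC and service in Python, where JSON plus HMAC-SHA256 stands in for Kerberos encryption and ASN.1 encoding, and PBKDF2 stands in for string-to-key. The realm, account names and passwords are constructed. It shows why an AS-REP for an account without pre-authentication can be cracked offline, why a service account key forges tickets only for that one service, and why the krbtgt key forges tickets for everything.

```python
"""Toy Kerberos model (added example): why stolen keys let an attacker crack or forge tickets.
Stand-ins: JSON + HMAC-SHA256 replaces Kerberos encryption/ASN.1, PBKDF2 replaces string-to-key."""
import hashlib
import hmac
import json

REALM = "CORP.LOCAL"  # constructed realm


def derive_key(password, salt):
    """Long-term key derived from a password (Kerberos string-to-key stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 2000)


def seal(key, claims):
    """Stand-in for encrypting claims under key: body plus keyed MAC, so only a key holder can mint it."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, "sha256").hexdigest().encode()


def unseal(key, blob):
    """Return the claims if blob was sealed under key, else None (wrong key or tampered)."""
    body, _, tag = blob.rpartition(b"|")
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None


class KDC:
    def __init__(self, accounts):
        """accounts: name -> (password, pre-authentication required). 'krbtgt' must be present."""
        self.keys = {name: derive_key(pw, REALM + name) for name, (pw, _) in accounts.items()}
        self.preauth = {name: required for name, (_, required) in accounts.items()}

    def as_exchange(self, user, preauth=None):
        """AS-REQ/AS-REP: (TGT sealed under the krbtgt key, enc-part sealed under the user's key)."""
        key = self.keys[user]
        if self.preauth[user] and (preauth is None or unseal(key, preauth) is None):
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")  # nothing keyed to the password is returned
        tgt = seal(self.keys["krbtgt"], {"type": "TGT", "user": user})
        enc_part = seal(key, {"session": hashlib.sha256(tgt).hexdigest()[:16]})
        return tgt, enc_part

    def tgs_exchange(self, tgt, spn):
        """TGS-REQ/TGS-REP: the KDC validates the TGT only with its krbtgt key, then issues a service ticket."""
        claims = unseal(self.keys["krbtgt"], tgt)
        if claims is None or claims.get("type") != "TGT":
            raise PermissionError("KDC_ERR_TGT_INVALID")
        return seal(self.keys[spn], {"spn": spn, "user": claims["user"]})


def service_accepts(service_key, ticket):
    """The service decrypts with its own key and trusts what it finds; there is no KDC round trip."""
    claims = unseal(service_key, ticket)
    return claims["user"] if claims else None


def asrep_roast(kdc, user, wordlist):
    """Pre-auth disabled: anyone obtains an AS-REP keyed to the user's password and cracks it offline."""
    _, enc_part = kdc.as_exchange(user)  # no proof of the password is demanded
    for guess in wordlist:
        if unseal(derive_key(guess, REALM + user), enc_part) is not None:
            return guess
    return None


def forge_silver(service_key, spn, user):
    """Silver ticket: a service account's key forges tickets for that service only, as any user."""
    return seal(service_key, {"spn": spn, "user": user})


def forge_golden(krbtgt_key, user):
    """Golden ticket: the krbtgt key forges a TGT the KDC will exchange for tickets to any service."""
    return seal(krbtgt_key, {"type": "TGT", "user": user})


# Constructed directory: krbtgt, a Kerberoastable SPN account, a DONT_REQ_PREAUTH account, an admin.
kdc = KDC({
    "krbtgt": ("x9!F3k-random-krbtgt-secret-not-guessable", True),
    "svc_sql": ("Summer2019!", True),
    "legacy.app": ("Welcome1", False),
    "Administrator": ("c0rrect-h0rse-b4ttery-st4ple", True),
})

if __name__ == "__main__":
    print("AS-REP roast of legacy.app:", asrep_roast(kdc, "legacy.app", ["Password1", "Welcome1"]))
    sql_key = kdc.keys["svc_sql"]
    silver = forge_silver(sql_key, "svc_sql", "Administrator")
    print("silver ticket accepted by svc_sql as:", service_accepts(sql_key, silver))
    golden = forge_golden(kdc.keys["krbtgt"], "Administrator")
    print("golden ticket via KDC accepted by svc_sql as:", service_accepts(sql_key, kdc.tgs_exchange(golden, "svc_sql")))
```

Three things to notice when running it: the silver ticket is accepted by svc_sql but rejected by any other service and by the KDC itself (it was never sealed under the krbtgt key), which is why a silver ticket leaves no TGT-issuance record on the domain controller; the golden ticket passes through the KDC normally and produces tickets for any service; and the AS-REP roast never sends a wrong password to the KDC, so there is nothing for an account lockout policy to count.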

📊 Credential Harvesting Vectors

  • Memory dumping from compromised systems (LSASS)
  • NTDS database extraction from a DC, or DCSync using replication rights
  • Registry hive extraction (SAM, SECURITY, LSA secrets)
  • Configuration file and script secret scanning
  • Kerberos ticket theft from memory, and offline cracking of roastable ticket material
  • Cached domain credential extraction

🔬 Credential Abuse Foundation

Most AD privilege escalation begins with credential compromise. Understanding where credentials exist, how they're used, and what abuse opportunities exist is essential. Credentials serve as the foundation for all subsequent attack activities.

[02]

Privilege Escalation Mindset: Access Progression Inside Domains

How Access Grows Inside Active Directory

Privilege escalation is typically not a single step but a sequence of access expansion. Understanding how attackers chain minor access points into complete domain compromise is critical for both red and blue teams.

📈 Privilege Escalation Patterns

Initial Foothold: Attacker gains initial access: a compromised user account, weak credentials, a successful phish, or a compromised external system. Enumeration Phase: Attacker maps the AD environment (users, groups, ACLs, sessions, trusts), identifies high-value targets, and discovers privilege relationships. Escalation Chain: Attacker uses misconfigurations to expand access one hop at a time: the compromised user is local admin on a server; that server holds the session of a more privileged account; that account can modify a group; that group reaches the target. Domain Admin Achievement: After several such hops the attacker holds Domain Admin, or an equivalent such as replication rights over the domain, and the domain is compromised.

📈 Lateral Movement as Escalation

Concept: Moving between systems lets an attacker reach different privilege contexts. Compromising a system where a service account runs yields that account's token or credentials, which carry whatever privileges the account has. Horizontal Expansion: The attacker moves to systems where high-privilege accounts log in; harvesting credentials or hijacking sessions there yields those accounts. Vertical Escalation: Each hop lands on a system where the next escalation is easier, so lateral movement and privilege escalation alternate rather than being separate phases.

📈 Group Membership Escalation

Attack Vector: If an attacker controls an account that can modify group memberships (WriteProperty on the member attribute, GenericWrite, GenericAll, or WriteDacl/WriteOwner on the group object), they can add themselves to a high-privilege group. Privilege Jump: The new membership appears in the next Kerberos tickets the attacker requests and grants all of the group's rights at once. Access Right Abuse: Rights on other objects escalate without any group membership: ForceChangePassword on a privileged user, GenericAll on a computer object (resource-based constrained delegation), or GetChanges and GetChangesAll on the domain object (DCSync). Such rights are rarely reviewed because they do not show up in group listings.

High-Level Escalation Paths (Conceptual)

These represent common patterns through which attackers escalate privileges. Understanding the patterns helps identify where protections should focus.

Path 01
Service Account Compromise → Ticket Forgery

Attacker obtains a service account's key, by cracking a Kerberoasted ticket or dumping it from a host. With that key the attacker forges service tickets to that service carrying any user identity and group membership (silver ticket). If the key is the krbtgt account's, the attacker forges TGTs for any user and the KDC issues tickets to every service (golden ticket).

Path 02
Access Right Exploitation → Object Modification

Attacker identifies account with misconfigured access rights. That account can modify other users or groups. Attacker leverages access right to add themselves to high-privilege group or modify user properties for escalation.

Path 03
Delegation Chain Abuse → Trust Hop

Attacker identifies delegation relationships between services. On a service trusted for unconstrained delegation, every user who authenticates leaves a forwardable TGT in its memory; on one trusted for constrained delegation, the service can obtain tickets to specific back-end services as arbitrary users. Compromising one service therefore lets the attacker impersonate users to the services it is allowed to delegate to, and chains of such trusts can cross domain boundaries inside a forest.

Path 04
Cross-Domain Trust Abuse → Forest Compromise

Attacker compromises one domain. Trust relationships let the attacker authenticate into trusting domains. Within a forest, domains are not a security boundary: a child-domain compromise reaches the forest root, for example by inserting the Enterprise Admins SID into the SID history of a forged inter-realm ticket, which SID filtering does not block inside a forest. Across forest trusts SID filtering is on by default, so escalation there depends on misconfiguration: filtering disabled, or accounts from the trusted forest holding privileges in the trusting one.

Path 05
Credential Dumping → Privilege Pool Access

Attacker dumps credentials from a compromised system. Among them are credentials of higher-privilege accounts that logged on to that system: an administrator's RDP session, a scheduled task, a service. Attacker reuses those credentials (password, NT hash or ticket) to gain that privilege level. Tiered administration, which keeps Tier 0 credentials off lower-tier systems, is the control that breaks this path.

Path 06
Configuration Misuse → Misconfigured Delegation

Attacker finds delegation misconfigured on a user or computer object: unconstrained delegation on a server the attacker can compromise, constrained delegation with protocol transition, or write access to a computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The misconfiguration lets the attacker obtain tickets to the affected service as arbitrary users (S4U2Self and S4U2Proxy). Attacker leverages this to impersonate high-privilege users, unless those users are marked "Account is sensitive and cannot be delegated" or belong to the Protected Users group, both of which block delegation of their identity.

⚑ Escalation Mindset Principle

Attackers don't think in terms of "exploit X leads to domain admin." Instead: "What access do I currently have? What privilege relationships can I leverage from this access? What's the next access point? Can I chain these together?" This chaining mindset, combined with thorough enumeration, turns minor access into complete compromise.

[03]

Enterprise Breach Patterns: From Weakness to Domain-Wide Impact

How AD Weaknesses Create Domain-Wide Compromise

Individual AD weaknesses typically wouldn't cause catastrophic damage alone. However, when combined and chained together, they create exploit chains leading to complete domain compromise and lateral movement to all systems.

⚠️ Initial Access Weakness

Common Entry Points: Weak credentials, phishing success, VPN access compromise, unpatched external-facing applications. Impact Scope: Initial access grants foothold in one user account or system. Alone, this is limited. Escalation Potential: Single compromised account becomes foundation for AD exploration and privilege escalation.

⚠️ Enumeration Weakness

Issue: Default domain controller logging does not record LDAP query contents (search logging via event 1644 is off by default), and every authenticated user may read most of the directory, so attackers map the whole AD structure, including ACLs and sessions, without detection. Impact: Attackers understand privilege relationships, service accounts, admin groups and domain trusts. Consequence: Attackers build the attack plan before attempting exploitation; reconnaissance is complete before the blue team detects any activity.

⚠️ Privilege Relationship Weakness

Issue: Excessive group memberships, overly permissive access control lists, misconfigured delegation. Impact: Multiple escalation paths from initial access to domain admin. Consequence: Attackers can choose easiest escalation path; defenders cannot block all paths because they don't understand their own privilege topology.
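Paths 01 to 06 and the chaining mindset in the previous module describe privilege relationships as a graph, and the weakness above is that defenders do not enumerate that graph. The following added example (not part of the original course material) builds a small constructed graph of AD relationships, enumerates every path from a compromised user to Domain Admins, and reports the choke points that every path shares, which is where a defender's fix has the most effect. All principal and host names are hypothetical; the relationship names follow their usual meaning (MemberOf, AdminTo, HasSession, GenericAll, WriteDacl).

```python
"""Enumerate privilege-escalation paths over a graph of AD relationships (added example).
Each constructed edge (source, relationship, target) means "control of source yields control of target"."""

EDGES = [
    ("alice@corp", "MemberOf", "Domain Users@corp"),
    ("alice@corp", "MemberOf", "HelpDesk@corp"),
    ("HelpDesk@corp", "GenericAll", "bob@corp"),          # helpdesk can reset bob's password
    ("bob@corp", "MemberOf", "Domain Admins@corp"),
    ("HelpDesk@corp", "AdminTo", "WS01.corp"),
    ("WS01.corp", "HasSession", "carol@corp"),            # carol logs on to a helpdesk-managed workstation
    ("carol@corp", "MemberOf", "Domain Admins@corp"),
    ("dave@corp", "MemberOf", "SQL Admins@corp"),
    ("SQL Admins@corp", "AdminTo", "SQL01.corp"),
    ("SQL01.corp", "HasSession", "svc_backup@corp"),
    ("svc_backup@corp", "MemberOf", "Backup Operators@corp"),
    ("Backup Operators@corp", "AdminTo", "DC01.corp"),    # backup rights on a DC reach ntds.dit
    ("DC01.corp", "HasSession", "Administrator@corp"),
    ("Administrator@corp", "MemberOf", "Domain Admins@corp"),
    ("guest@corp", "MemberOf", "Domain Users@corp"),
]
TARGET = "Domain Admins@corp"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def attack_paths(graph, start, target, max_depth=8):
    """All simple paths from start to target with at most max_depth edges, shortest first."""
    paths = []

    def dfs(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for rel, nxt in graph.get(node, ()):
            if nxt not in visited:
                visited.add(nxt)
                path.append((node, rel, nxt))
                dfs(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    dfs(start, {start}, [])
    return sorted(paths, key=len)


def choke_points(paths, start, target):
    """Intermediate nodes present on every path: fixing one of them cuts all of them."""
    shared = None
    for path in paths:
        nodes = {dst for _, _, dst in path} - {start, target}
        shared = nodes if shared is None else shared & nodes
    return shared or set()


def render(path):
    """Human-readable path: 'a -[rel]-> b -[rel]-> c'."""
    return " ".join(f"{src} -[{rel}]->" for src, rel, _ in path) + " " + path[-1][2]


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    for start in ("alice@corp", "dave@corp", "guest@corp"):
        paths = attack_paths(GRAPH, start, TARGET)
        print(f"{start}: {len(paths)} path(s) to {TARGET}")
        for p in paths:
            print("   ", render(p))
        print("    choke points:", sorted(choke_points(paths, start, TARGET)))
```

For alice the output shows two paths (through a GenericAll right and through a cached session), and HelpDesk@corp as the single choke point: removing alice's nested membership, or fixing the help desk group's rights and admin scope, closes both paths at once. The same idea scaled to a real directory is what graph-based AD audit tooling does, and the defensive question is always the same: which nodes appear on the most paths to Tier 0.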

⚠️ Credential Weakness

Issue: Service accounts with static passwords, stored credentials in scripts, high-privilege accounts logging into non-administrative systems. Impact: Attackers dump credentials from compromised systems; high-privilege credentials extracted. Consequence: Single compromised workstation reveals high-privilege credentials used on that system; attackers immediately gain that privilege level.

⚠️ Cross-Domain Trust Weakness

Issue: Poorly configured cross-domain or cross-forest trusts, created without a security review (SID filtering disabled, selective authentication not used, privileged groups in one side containing principals from the other). Impact: Single domain compromise enables compromise of trusted domains. Consequence: Within a forest any domain compromise is a forest compromise; across forests, weakened trusts extend the blast radius to every domain the trust reaches.

Breach Chain: From Compromised User to Domain Admin

Understanding typical breach chains helps defenders identify where to strengthen controls. Red teams use these chains to demonstrate exploitable paths.

🔴 Common Breach Timeline

  • T+0: Initial compromise (phishing, weak password)
  • T+Days: Reconnaissance (LDAP enumeration)
  • T+Days: Lateral movement to key systems
  • T+Days: Credential harvesting from systems
  • T+Days: Privilege escalation via harvested creds
  • T+Days: Domain admin compromise achieved
  • T+Weeks: Persistence established, data exfiltration

🛡️ Detection Challenges

  • LDAP enumeration is hard to distinguish from normal directory activity
  • Attackers using valid credentials blend with users
  • Lateral movement looks like routine administration
  • Privilege escalation often uses legitimate features (delegation, ACL edits, group changes), not exploits
  • By the time Domain Admin is reached, detection is too late to prevent impact; only eviction remains
  • Persistence (golden tickets, added group members, backdoored ACLs) is usually in place before detection
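The challenges above are real, but several of the abuses in this course do leave traces on domain controllers. The following added example (not the course's own material) runs four detection rules over constructed Windows Security event records using the real field names of events 4768, 4769 and 4728: a TGT issued without pre-authentication (AS-REP roasting), a burst of RC4-encrypted service tickets for user accounts with SPNs from one client (Kerberoasting), a service ticket for an account that never received a TGT from this DC (golden ticket indicator), and a change to a Tier 0 group by an account not on the approved list. The approved-changer list, the threshold and the IP addresses are assumptions.

```python
"""Detection rules over Windows Security events for the Kerberos and group abuses in this course.
Added example with constructed event records; field names follow the real 4768/4769/4728 schemas."""
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
APPROVED_GROUP_CHANGERS = {"paw-admin01"}   # assumption: the only account allowed to change Tier 0 groups
RC4_HMAC = "0x17"                           # etype 23; AES tickets are 0x11 / 0x12
KERBEROAST_THRESHOLD = 3                    # distinct SPN user accounts requested with RC4 from one client

# Constructed events in time order, as parsed from the Security log of a single DC.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.1.20", "PreAuthType": "2"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "10.0.1.20", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "legacy.app", "IpAddress": "10.0.1.77", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.1.77", "PreAuthType": "2"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "IpAddress": "10.0.1.77", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "IpAddress": "10.0.1.77", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "IpAddress": "10.0.1.77", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL", "ServiceName": "DC01$",
     "IpAddress": "10.0.1.77", "TicketEncryptionType": "0x12"},
    {"EventID": 4728, "SubjectUserName": "bob", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=local"},
]


def detect(events):
    """Apply the four rules and return (rule, account, detail) findings in the order they fire."""
    findings = []
    tgts_seen = set()                   # (account, client ip) pairs that received a TGT from this DC
    rc4_by_client = defaultdict(set)    # client ip -> SPN user accounts requested with RC4

    for e in events:
        eid = e["EventID"]
        if eid == 4768:  # TGT request
            tgts_seen.add((e["TargetUserName"].lower(), e["IpAddress"]))
            if e["PreAuthType"] == "0":  # no pre-authentication: only DONT_REQ_PREAUTH accounts do this
                findings.append(("ASREP_ROAST", e["TargetUserName"],
                                 f"TGT issued without pre-authentication to {e['IpAddress']}"))
        elif eid == 4769:  # service ticket request
            acct = e["TargetUserName"].split("@")[0].lower()
            svc, ip = e["ServiceName"], e["IpAddress"]
            if (acct, ip) not in tgts_seen:
                findings.append(("TGT_NOT_ISSUED_HERE", acct,
                                 f"service ticket for {svc} with no 4768 from this DC "
                                 f"(golden ticket, or TGT issued by another DC)"))
            if e["TicketEncryptionType"] == RC4_HMAC and not svc.endswith("$") and svc != "krbtgt":
                rc4_by_client[ip].add(svc)
                if len(rc4_by_client[ip]) == KERBEROAST_THRESHOLD:
                    findings.append(("KERBEROAST", acct,
                                     f"RC4 service tickets for {sorted(rc4_by_client[ip])} requested from {ip}"))
        elif eid in (4728, 4732, 4756):  # member added to a global / local / universal group
            if e["TargetUserName"] in PRIVILEGED_GROUPS and e["SubjectUserName"] not in APPROVED_GROUP_CHANGERS:
                findings.append(("PRIV_GROUP_CHANGE", e["SubjectUserName"],
                                 f"added {e['MemberName']} to {e['TargetUserName']}"))
    return findings


if __name__ == "__main__":
    for rule, account, detail in detect(EVENTS):
        print(f"{rule:22} {account:15} {detail}")
```

Two caveats a practitioner needs before trusting this in production. In a domain with several DCs the "no 4768" rule must run over the combined logs of all of them, because a legitimate TGT may have been issued by a different KDC than the one that sees the service ticket request. And RC4 tickets are normal for accounts that only support RC4, so the Kerberoast rule is an indicator for tuning (threshold, allow-list of legacy accounts), not proof on its own.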

📊 Enterprise Impact Reality

Most enterprise breaches don't involve sophisticated zero-day exploits or novel attack techniques. Instead, breaches chain together multiple common misconfigurations and weak security practices. Organizations that address fundamental AD security (least privilege, credential management, trust relationships) significantly reduce breach risk.

[04]

Ethical & Legal Boundaries: Authorized Security Testing

Authorization Requirements for Security Testing

All security testing, including red team exercises and penetration testing, must operate within strict legal and ethical boundaries. Unauthorized testing is a serious crime regardless of intent.

⚖️ Legal Authorization Required

Explicit Written Authorization: All security testing must have explicit, written authorization from organization leadership or its authorized representatives, and that party must actually own or control the systems in scope. Verbal authorization is insufficient; formal documentation is required. Scope Definition: Authorization must clearly define scope: which systems, which users, which attack techniques are allowed. Testing outside scope is unauthorized. Legal Consequences: Unauthorized testing violates the Computer Fraud and Abuse Act (CFAA) in the United States and comparable laws in other jurisdictions. Penalties include criminal prosecution, prison time, and civil liability.

📝 Authorized Testing Requirements

Rules of Engagement: Formal document defining what is and is not authorized. Rules specify which systems can be targeted, which techniques allowed, which data can be accessed. Escalation Procedures: Clear procedures for handling unexpected situations. Testers must know when to stop and escalate. Communication Channels: Identified contacts for red team to communicate with blue team during exercise. Timeline & Duration: Testing must occur within defined time window. After-hours or weekend testing may be prohibited. Data Handling: Strict rules governing sensitive data discovered during testing; data cannot be exfiltrated or retained.

📝 Red Team Professionalism Standards

Minimize Impact: Testing should minimize impact to business operations. Avoid actions that could damage systems or cause significant disruption. Clean-Up Procedures: Red teams must clean up after themselves: remove backdoors, restore modified configurations, ensure no persistence left behind. Documentation: All actions documented for post-exercise debrief. Detailed documentation enables blue teams to learn from testing. Integrity: Testers must maintain integrity of systems and data. Avoid unnecessary destruction or corruption.

Responsible Red Team Usage of Exploitation Knowledge

Understanding AD exploitation techniques creates significant responsibility. This knowledge must only be applied within authorized contexts and ethical frameworks.

🎯 Authorized Use Cases

Authorized Red Team Exercises: Approved internal testing to identify vulnerabilities before attackers do. Penetration Testing Engagements: Third-party security firms conduct authorized penetration testing within strict scope. Vulnerability Research: Security researchers conduct controlled research with vendor coordination and responsible disclosure. Security Training: Safe lab environments where professionals learn exploitation techniques in controlled settings.

🎯 Prohibited Use Cases

Unauthorized Testing: Testing systems without explicit authorization. Competitor Targeting: Using exploitation knowledge against competitors. Disgruntled Employee Actions: Using knowledge after employment ends. Accidental Harm: Using techniques without understanding consequences; could cause significant damage. Credential Theft: Obtaining credentials not for security testing but for personal use. Data Exfiltration: Using access to steal data. Extortion: Threatening to disclose vulnerabilities for payment.

⚠️ Professional Ethics Statement

Security professionals carry responsibility to use their knowledge ethically and legally. Knowledge of exploitation techniques creates obligation to use that knowledge only for authorized defensive purposes. Misuse of exploitation knowledge undermines entire security profession, harms organizations, and exposes perpetrators to serious legal consequences. This training material is provided exclusively for authorized security professionals operating within legal frameworks.

✅ Ethical Foundation

The most skilled and respected security professionals are those who combine deep technical knowledge with strong ethical foundations. Career success in security comes from helping organizations improve security posture, not from unauthorized access or harm. Always ensure authorization is explicit, in writing, and clearly understood before conducting any security testing.

[05]

External Learning References & Trusted Resources

Recommended Resources for Credential & Escalation Concepts

These authoritative resources provide deeper understanding of credential abuse, privilege escalation concepts, and Kerberos security considerations. All resources are from trusted, reputable sources.

📚 Kerberos Protocol & AD Security

  • Microsoft Kerberos Documentation: Official documentation for the Kerberos implementation used by Active Directory. Microsoft Kerberos Reference
  • IETF RFC 4120 (Kerberos V5): The protocol specification. RFC 4120
  • AD Security Best Practices: Microsoft guidance on hardening AD environments. Microsoft AD Hardening

📚 Privilege Escalation & Attack Chains

  • MITRE ATT&CK Framework: Comprehensive mapping of attacker tactics and techniques, including credential access and privilege escalation. MITRE ATT&CK
  • CIS Controls: Critical Security Controls for defending against AD attacks. CIS Controls
  • NIST Cybersecurity Framework: NIST guidance on access control and identity management. NIST CSF

📚 Red Team & Penetration Testing Standards

  • PTES (Penetration Testing Execution Standard): Professional standards for penetration testing engagements. PTES
  • OWASP Testing Guide: Guidance on security testing methodologies. OWASP
  • Professional Ethics in Security: ACM/IEEE ethics guidelines for security professionals. ACM Ethics

📚 Hands-On Learning Environments

  • HackTheBox: Legal hacking platform with authorized lab environments. HackTheBox
  • TryHackMe: Interactive security training with authorized lab networks. TryHackMe
  • Immersive Labs: Professional security training platform. Immersive Labs

⚠️ Resource Guidance

Always rely on official, authoritative sources when learning about security concepts. Avoid unverified sources that may contain inaccurate information or encourage unauthorized testing. Reputable sources maintain standards of accuracy and responsibility.
