Module 4 · Lesson 1

Kerberos Attacks & AI-Assisted Enumeration

How threat actors exploit the authentication backbone of Windows domains — and how AI accelerates the discovery phase.
When every Windows login depends on Kerberos, what happens when the protocol itself becomes the attack surface?

In June 2017, the destructive wiper disguised as ransomware that the world called NotPetya spread across Ukrainian and global networks in hours. Its most potent weapon was not novel malware — it was Mimikatz, harvesting Kerberos tickets and NTLM hashes from lsass.exe memory to move laterally at machine speed. Investigators at Maersk later confirmed the attackers had compromised a single domain controller and used Kerberos ticket-forgery to authenticate across 45,000 PCs and 4,000 servers before a single alarm fired.

The lesson wasn't that Kerberos was broken — it was that defenders had never mapped the attack paths Kerberos trust made possible.

How Kerberos Works (and Where It Fails)

Kerberos is a ticket-based authentication protocol introduced in Windows 2000 and still the default in every modern Active Directory environment. A client requests a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC), then exchanges it for service tickets (TGS) to access resources — all without sending passwords over the wire.

This architecture creates several well-documented attack surfaces. The protocol's reliance on symmetric encryption means that anyone who obtains the right cryptographic secrets can forge or reuse tickets without triggering normal authentication failures. Three attack classes dominate real-world AD engagements: AS-REP Roasting, Kerberoasting, and Golden/Silver Ticket forgery.

Key Attack Techniques
AS-REP Roasting: Targets accounts with "Do not require Kerberos preauthentication" enabled. The KDC returns an AS-REP encrypted with the account's password hash — no credentials required to request it. Attackers crack the hash offline. Tools: Rubeus, impacket's GetNPUsers.py.
Kerberoasting: Any authenticated domain user can request a TGS for any service principal name (SPN). The ticket is encrypted with the service account's NTLM hash. Attackers request tickets for high-privilege service accounts and crack them offline. First weaponized publicly by Tim Medin at DerbyCon 2014.
Golden Ticket: Requires the KRBTGT account hash (the KDC's master key). With it, attackers forge TGTs for any user, including accounts that don't exist, with any group membership, valid for up to 10 years. Changing the KRBTGT password twice invalidates all outstanding golden tickets.
Silver Ticket: Forgery of a TGS using a service account's hash. Bypasses the KDC entirely — authentication happens only at the service host. Harder to detect since no KDC logs are generated. Requires only the target service account's hash.
AI-Assisted AD Enumeration

Modern AI tools — primarily large language models integrated into pentesting frameworks — accelerate three enumeration tasks that traditionally required hours of manual BloodHound graph analysis:

1. Attack path synthesis. BloodHound Community Edition and BloodHound Enterprise both expose raw graph data. AI can parse JSON exports and identify shortest-path chains from low-privilege users to Domain Admin, ranking them by exploitability (e.g., "User A has GenericWrite over Group B which has WriteDacl over Domain Controller C").

2. SPN discovery and prioritization. Querying LDAP for SPNs produces hundreds of results in large enterprises. AI can cross-reference SPNs against account types, password age (via pwdLastSet), and privilege indicators to rank Kerberoasting targets by expected cracking success.

3. ACL abuse path identification. AD Access Control Lists encode thousands of delegated permissions. AI tools can reason across multi-hop ACL chains — GenericAll → WriteDacl → DCSync — that human analysts miss in large ACL dumps.

Common AI-Identified Attack Chain — Kerberoasting to DA
Domain User → Request TGS (SPN) → Offline Hash Crack → Service Account Creds → ACL Abuse / Lateral Move → Domain Admin
Detection Note

Kerberoasting generates Event ID 4769 (Kerberos Service Ticket Operations) with encryption type 0x17 (RC4). Hunting for bulk 4769 events with RC4 encryption where the requesting account is not a service account is the primary SIEM detection. AI-assisted attackers increasingly use AES encryption requests to blend with legitimate traffic.
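The detection note above describes the SIEM rule in words. The Python below is added here as an example (it is not part of the lesson and not any SIEM vendor's rule): it applies the rule to a handful of constructed 4769 records, counting distinct service tickets per requesting account inside a time window, rating RC4 (0x17) bulk requests high and, because attackers can request AES tickets to blend in as the note says, still rating an AES-only burst medium on volume alone. The record layout, the KNOWN_SERVICE_ACCOUNTS allowlist and the 5-ticket / 10-minute threshold are assumptions to tune for your environment.

```python
"""Hunt for Kerberoasting in Windows Security Event ID 4769 records.

Added example, not part of the lesson. The records below are constructed
samples in a simplified dict form (not real SIEM output); the field names
mirror 4769's event data (TargetUserName = requesting account, ServiceName =
service account the ticket was issued for, TicketEncryptionType, IpAddress)
but parsing of your own SIEM's format is an assumption you must adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                     # type requested by default roasting tools
BULK_THRESHOLD = 5                    # distinct service tickets per window
WINDOW = timedelta(minutes=10)
KNOWN_SERVICE_ACCOUNTS = frozenset({"svc_backup"})   # constructed allowlist


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _ev(t, requester, service, enc, ip="10.0.5.23"):
    return {"EventID": 4769, "time": t, "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": enc, "IpAddress": ip}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = (
    # jdoe: six distinct user-service tickets with RC4 inside one minute
    [_ev(f"2024-05-01T09:00:0{i}", "jdoe@CORP.LOCAL", f"svc_app{i}", "0x17")
     for i in range(1, 7)]
    # noise the rule must ignore: a TGT renewal and a computer-account service
    + [_ev("2024-05-01T09:00:07", "jdoe@CORP.LOCAL", "krbtgt", "0x17"),
       _ev("2024-05-01T09:00:08", "jdoe@CORP.LOCAL", "FS01$", "0x17")]
    # bob: same volume but AES256 (0x12), the blending behaviour the lesson describes
    + [_ev(f"2024-05-01T10:15:{10 + i:02d}", "bob@CORP.LOCAL", f"svc_db{i}", "0x12")
       for i in range(5)]
    # alice: a single RC4 ticket, ordinary legacy-application behaviour
    + [_ev("2024-05-01T11:00:00", "alice@CORP.LOCAL", "svc_legacy", "0x17")]
    # WS07$: a computer account pulling many RC4 tickets (excluded as a requester)
    + [_ev(f"2024-05-01T12:00:0{i}", "WS07$@CORP.LOCAL", f"svc_app{i}", "0x17")
       for i in range(1, 7)]
    # svc_backup: allowlisted backup agent that legitimately touches many SPNs
    + [_ev(f"2024-05-01T13:00:0{i}", "svc_backup@CORP.LOCAL", f"svc_app{i}", "0x17")
       for i in range(1, 7)]
)


def hunt_kerberoasting(events, allowlist=KNOWN_SERVICE_ACCOUNTS,
                       threshold=BULK_THRESHOLD, window=WINDOW):
    """Return one finding per requester that obtained >= threshold distinct
    service tickets inside `window`. RC4 bulk requests are rated high; bulk
    requests that are all AES are rated medium (the encryption type alone is
    no longer a reliable discriminator, but the volume still is)."""
    by_requester = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        requester = e["TargetUserName"].split("@")[0].lower()
        service = e["ServiceName"].lower()
        # Computer accounts and allowlisted service accounts are not interesting
        # requesters; krbtgt and computer-account services are not roastable targets
        if requester.endswith("$") or requester in allowlist:
            continue
        if service == "krbtgt" or service.endswith("$"):
            continue
        by_requester[requester].append(
            (_ts(e["time"]), service, e["TicketEncryptionType"], e["IpAddress"]))

    findings = []
    for requester, recs in sorted(by_requester.items()):
        recs.sort()
        for i, (t0, _, _, ip) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window]
            rc4 = {svc for _, svc, enc, _ in in_window if enc == RC4_HMAC}
            all_svcs = {svc for _, svc, _, _ in in_window}
            if len(rc4) >= threshold:
                severity = "high"
            elif len(all_svcs) >= threshold:
                severity = "medium"
            else:
                continue
            findings.append({"account": requester, "severity": severity,
                             "distinct_services": len(all_svcs),
                             "rc4_services": len(rc4),
                             "first_seen": t0.isoformat(), "source_ip": ip})
            break   # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for finding in hunt_kerberoasting(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the rule produces two findings: jdoe (high, six RC4 tickets) and bob (medium, five AES tickets), while alice, the computer account and the allowlisted backup account produce none. Drop the allowlist and svc_backup surfaces too, which is the tuning trade-off every team hits with this rule.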

Tooling Landscape
Enumeration (BloodHound / SharpHound): Graph-based AD relationship mapping. Ingests LDAP/DNS data into Neo4j for Cypher path queries.
Ticket Attacks (Rubeus / Impacket): Rubeus (C#) for Windows-side ticket manipulation. Impacket GetUserSPNs.py / GetNPUsers.py for Linux-based roasting.
Credential Extraction (Mimikatz / pypykatz): lsass memory extraction, pass-the-hash/ticket. pypykatz is a Python port for cross-platform use.
AI Integration (PentestGPT / Custom LLM Chains): LLM wrappers that parse tool output and suggest next steps. Research-stage tools like ReconAI automate BloodHound query generation.
Authorized Use Only

All techniques in this module apply exclusively to authorized penetration testing engagements under signed scope agreements. Unauthorized use of these techniques against systems you do not own or have explicit written permission to test is a federal crime under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and equivalent statutes internationally.

Lesson 1 Quiz — Kerberos & Enumeration

Four questions · Select the best answer for each.
1. Kerberoasting works because any authenticated domain user can request a TGS for any SPN. What is the primary offline action that follows ticket capture?
Correct. The TGS is encrypted with the service account's NTLM hash. Attackers crack this hash offline — no interaction with AD is required after ticket capture, making detection via KDC logs impossible at this stage.
Not quite. The TGS is encrypted with the service account's password-derived key. The attack involves taking that encrypted blob offline and cracking it with GPU-accelerated password cracking tools.
2. AS-REP Roasting requires no credentials at all. What specific account configuration enables this attack?
Correct. When preauthentication is disabled, the KDC returns an AS-REP encrypted with the account's password hash without verifying the requester's identity. This encrypted blob can be cracked offline.
Not quite. The vulnerability is the "Do not require Kerberos preauthentication" flag. Without preauthentication, the KDC sends back an AS-REP that any unauthenticated user can request and attempt to crack.
3. A Golden Ticket attack requires which specific credential?
Correct. KRBTGT is the service account used by the KDC to sign all TGTs. With its hash, attackers can forge arbitrary TGTs — including for non-existent accounts with any group memberships — that the KDC will validate.
Incorrect. Golden Tickets require the KRBTGT hash specifically, not a DA account hash. KRBTGT is the KDC's signing key for all Ticket-Granting Tickets in the domain.
4. Which Windows Security Event ID is the primary detection signal for Kerberoasting when hunting in SIEM?
Correct. Event 4769 is generated each time a TGS is requested. Kerberoasting in default configurations uses RC4 (encryption type 0x17). Hunting for bulk 4769 events from non-service accounts using RC4 is the canonical detection method.
Not quite. Event 4769 (Kerberos Service Ticket Operations) with encryption type 0x17 (RC4) is the signal. Attackers increasingly request AES tickets to evade this specific detection.

Lab 1 — AI-Assisted Kerberos Attack Planning

Conversational AI lab · Minimum 3 exchanges to complete

Scenario

You are conducting an authorized internal penetration test. You have obtained a low-privilege domain user account. You need to plan a Kerberos-based attack path using AI assistance to identify and prioritize targets.

Discuss with the AI: How would you use AI tooling to enumerate and prioritize Kerberoastable accounts in a large enterprise AD environment? What data sources feed the prioritization, and what OPSEC considerations apply?
AESOP Lab Assistant
Kerberos & AD Enumeration
Ready for Lab 1. You have a low-privilege domain user account on an authorized engagement. Let's work through AI-assisted Kerberos attack planning. What's your first question — enumeration strategy, target prioritization, or OPSEC?
Module 4 · Lesson 2

BloodHound, ACL Abuse & AI Path Analysis

Graph-based attack path discovery, delegation abuse, and how AI interprets complex AD relationships at scale.
In an enterprise with 500,000 AD objects, how do you find the one three-hop path that leads from a help desk account to Domain Admin?

The NOBELIUM intrusion — attributed to Russia's SVR and disclosed in December 2020 — demonstrated AD privilege escalation at nation-state scale. After compromising the SolarWinds build system, attackers used their initial foothold in victim networks to enumerate Active Directory ACLs, identifying delegated permissions that allowed movement from low-trust cloud service principals to on-premises AD objects. Microsoft's MSTIC team documented that the attackers specifically hunted ACL-based paths to Azure AD and federated on-premises AD, abusing trust relationships that defenders had never audited. The attack remained undetected across hundreds of organizations for nine months.

BloodHound and Graph-Based Analysis

BloodHound, developed by Andy Robbins, Rohan Vazarkar, and Will Schroeder and first released in 2016, revolutionized AD attack path discovery. It uses SharpHound (or AzureHound for Azure AD) to collect relationship data via LDAP, SMB, and DNS, then stores it in a Neo4j graph database. Analysts query paths using Cypher, Neo4j's graph query language.

The key insight is that AD attack paths are graph problems. The question "can low-privilege user X reach Domain Admin?" translates to "does a directed path exist in the AD relationship graph from node X to node 'Domain Admins'?" BloodHound's built-in queries answer this in seconds — but interpreting and chaining results across thousands of paths requires human expertise or AI assistance.

BloodHound Community Edition (BHCE) is the free, self-hosted version. BloodHound Enterprise is SpecterOps' commercial offering with continuous monitoring, attack path prioritization scoring, and API access for automated analysis.

High-Value ACL Relationships
GenericAll: Full control over an object. On a user: can reset password, add to groups, or write any attribute. On a group: can add members. On a computer: can perform resource-based constrained delegation abuse or shadow credentials attacks.
WriteDacl: Allows modification of the object's DACL. Attacker grants themselves GenericAll or DCSync rights (Replicating Directory Changes). A common path: WriteDacl on the domain object → grant DCSync rights → dump all hashes.
WriteOwner: Allows changing the object's owner. The new owner implicitly gains WriteDacl. Attack: WriteOwner → take ownership → WriteDacl → GenericAll.
GenericWrite: Write access to non-protected object attributes. On a user: can write scriptPath (logon script) or ServicePrincipalName (enabling Kerberoasting of that user). On a computer: can write msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD abuse.
ForceChangePassword: Reset a user's password without knowing the current password. Often granted to help desk accounts. Attackers with this right on a privileged account can reset it to a known password and authenticate.
AI-Assisted Path Analysis

The limitation of manual BloodHound analysis is cognitive load. In environments with 50,000+ objects, the number of potential attack paths is astronomical. AI tools address this in three concrete ways:

Natural language querying. Instead of writing Cypher, analysts can ask "find all paths from helpdesk users to domain controllers that use fewer than 4 hops" in plain English. LLM wrappers translate this to Cypher queries and interpret the results.

Path ranking and triage. AI can evaluate each discovered path for factors like: account age and activity, whether intermediate accounts have logged in recently (indicating credentials may be valid), whether ACLs appear intentional or misconfigured, and estimated exploitation difficulty. This turns 500 paths into a ranked top-10 list.

Multi-hop reasoning. Human analysts often stop at direct relationships. AI can follow chains like: "User A has GenericWrite on Computer B → Computer B has AllowedToDelegate to Service C → Service C account has WriteDacl on Domain Object → grant DCSync." These four-hop chains are regularly missed in manual reviews.
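The path-synthesis step described in Lesson 1 (shortest-path chains from low-privilege users to Domain Admin, ranked by exploitability) and the ranking and multi-hop reasoning described above are the same graph operations, so one example serves both. The Python below is added here and is neither BloodHound's code nor a SharpHound export format: it loads a constructed edge list that borrows BloodHound's edge vocabulary, breadth-first-searches the shortest path from every user to Domain Admins, ranks the paths with an illustrative EDGE_COST weighting, and then takes the defender's view of the same graph by finding the single edge shared by the most paths and confirming how many paths its removal cuts. CORP.LOCAL, the account names and the weights are all assumptions.

```python
"""Rank BloodHound-style attack paths and find the edge whose removal cuts the most.
Added example (not BloodHound's code); the graph is a constructed, simplified schema."""
import json
from collections import Counter, defaultdict, deque

DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# Constructed sample export for a hypothetical CORP.LOCAL domain. Edge kinds use
# BloodHound's vocabulary, but the JSON layout is a simplification of SharpHound's.
EXPORT_JSON = """{
  "nodes": [
    {"id": "ALICE@CORP.LOCAL", "type": "User"}, {"id": "DAVE@CORP.LOCAL", "type": "User"},
    {"id": "CAROL@CORP.LOCAL", "type": "User"}, {"id": "SVC_BACKUP@CORP.LOCAL", "type": "User"},
    {"id": "DA_BOB@CORP.LOCAL", "type": "User"}, {"id": "HELPDESK@CORP.LOCAL", "type": "Group"},
    {"id": "DOMAIN ADMINS@CORP.LOCAL", "type": "Group"}, {"id": "FS01.CORP.LOCAL", "type": "Computer"}
  ],
  "edges": [
    {"source": "ALICE@CORP.LOCAL", "target": "HELPDESK@CORP.LOCAL", "kind": "MemberOf"},
    {"source": "DAVE@CORP.LOCAL", "target": "HELPDESK@CORP.LOCAL", "kind": "MemberOf"},
    {"source": "HELPDESK@CORP.LOCAL", "target": "SVC_BACKUP@CORP.LOCAL", "kind": "ForceChangePassword"},
    {"source": "SVC_BACKUP@CORP.LOCAL", "target": "FS01.CORP.LOCAL", "kind": "AdminTo"},
    {"source": "FS01.CORP.LOCAL", "target": "DA_BOB@CORP.LOCAL", "kind": "HasSession"},
    {"source": "CAROL@CORP.LOCAL", "target": "DA_BOB@CORP.LOCAL", "kind": "GenericAll"},
    {"source": "DA_BOB@CORP.LOCAL", "target": "DOMAIN ADMINS@CORP.LOCAL", "kind": "MemberOf"}
  ]
}"""

# Illustrative scoring assumption (not a BloodHound feature): cost per edge kind,
# higher for steps that change state or are noisy, e.g. a forced password reset.
EDGE_COST = {"MemberOf": 0, "HasSession": 1, "AdminTo": 1, "GenericAll": 2,
             "GenericWrite": 2, "WriteDacl": 2, "ForceChangePassword": 3}


def load_graph(text):
    """Build an adjacency list {source: [(target, kind), ...]} and a node-type map."""
    data = json.loads(text)
    adj = defaultdict(list)
    for e in data["edges"]:
        adj[e["source"]].append((e["target"], e["kind"]))
    types = {n["id"]: n["type"] for n in data["nodes"]}
    return adj, types


def shortest_path(adj, start, goal):
    """BFS over directed edges; returns [(src, kind, dst), ...] or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt, kind in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, cur = [], goal
    while prev[cur] is not None:
        src, kind = prev[cur]
        path.append((src, kind, cur))
        cur = src
    return path[::-1]


def rank_paths(adj, types, goal=DOMAIN_ADMINS):
    """Shortest path from every user to `goal`, cheapest (then shortest) first."""
    ranked = []
    for node, kind in types.items():
        if kind != "User":
            continue
        path = shortest_path(adj, node, goal)
        # no path, or membership only (already privileged, not an attack path)
        if not path or all(k == "MemberOf" for _, k, _ in path):
            continue
        cost = sum(EDGE_COST.get(k, 2) for _, k, _ in path)
        ranked.append({"start": node, "hops": len(path), "cost": cost, "path": path})
    ranked.sort(key=lambda r: (r["cost"], r["hops"], r["start"]))
    return ranked


def choke_points(ranked, goal=DOMAIN_ADMINS):
    """Edges shared by the most paths. The final edge into the goal is excluded:
    removing Domain Admins membership is not the remediation being looked for."""
    counts = Counter(edge for r in ranked for edge in r["path"] if edge[2] != goal)
    return counts.most_common()


def remove_edge(adj, edge):
    src, kind, dst = edge
    adj[src] = [(t, k) for t, k in adj[src] if (t, k) != (dst, kind)]


def run_analysis(text=EXPORT_JSON):
    """Rank paths, pick the top choke point, simulate fixing it, re-rank."""
    adj, types = load_graph(text)
    before = rank_paths(adj, types)
    top_edge, _shared_by = choke_points(before)[0]
    remove_edge(adj, top_edge)
    after = rank_paths(adj, types)
    return {"ranked": before, "fix": top_edge, "paths_cut": len(before) - len(after),
            "remaining": [r["start"] for r in after]}
```

Calling run_analysis() on the sample graph ranks CAROL's two-hop GenericAll path first, then the three-hop path from the backup service account, then the two five-hop help-desk paths. The choke point is SVC_BACKUP's local admin right on FS01 (shared by three of the four paths); removing it leaves only CAROL's path, which is the kind of "one fix, three paths closed" output a defender wants from this data rather than a list of 847 paths.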

NOBELIUM-Style Multi-Hop ACL Path
Cloud Service Principal → WriteDacl on AD Connector → Grant DCSync Rights → DCSync All Hashes → Golden Ticket
Delegation Abuse

Kerberos delegation allows services to authenticate to other services on behalf of users — enabling multi-tier applications. Three delegation types exist, each with distinct attack vectors:

Unconstrained Delegation: The delegated service receives the user's full TGT. Any account (computer or service) configured with unconstrained delegation that can be coerced into authenticating from a privileged principal (via printer bug / SpoolSample, MS-RPRN, or PetitPotam) will cache a Domain Controller TGT — granting full domain compromise. First weaponized by @tifkin_ and others circa 2018.

Constrained Delegation (KCD): Limits delegation to specific target services. Abuse requires compromising an account with KCD configured, then using s4u2proxy/s4u2self to impersonate any user against the allowed target service.

Resource-Based Constrained Delegation (RBCD): Configured on the target resource rather than the delegating account. If an attacker has GenericWrite on a computer object, they can write an msDS-AllowedToActOnBehalfOfOtherIdentity attribute pointing to an attacker-controlled account, then impersonate any domain user to that computer — including Domain Admins.

AI Tool Caution

AI-generated attack path analysis should always be validated manually before execution. LLMs can hallucinate ACL relationships or misidentify object types in large AD exports. Treat AI path suggestions as hypotheses to verify against raw BloodHound data, not as confirmed exploit chains.

Lesson 2 Quiz — BloodHound & ACL Abuse

Four questions · Select the best answer for each.
1. An attacker has WriteDacl on the domain object. What is the most direct path to domain compromise from this position?
Correct. WriteDacl on the domain object allows adding ACEs granting DCSync rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). With DCSync, the attacker replicates all password hashes from any DC without needing local access to the DC itself.
Incorrect. WriteDacl allows modifying the DACL — the correct path is granting yourself DCSync replication rights, then using Mimikatz's lsadump::dcsync to pull all hashes, including KRBTGT, enabling Golden Ticket forgery.
2. Resource-Based Constrained Delegation (RBCD) abuse requires which specific permission over the target computer object?
Correct. GenericWrite (or specific write on msDS-AllowedToActOnBehalfOfOtherIdentity) lets the attacker configure the target computer to trust an attacker-controlled account for delegation, enabling impersonation of any domain user to that machine.
Not quite. RBCD abuse requires write access to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target computer's AD object — GenericWrite typically provides this. It doesn't require local access or ForceChangePassword.
3. Which delegation type is most dangerous when combined with printer spooler coercion (MS-RPRN / SpoolSample)?
Correct. When a server with Unconstrained Delegation is configured, any Kerberos authentication it receives includes the authenticating principal's TGT. Coercing a DC to authenticate to this server (via SpoolSample) deposits the DC's TGT, enabling full domain compromise via pass-the-ticket.
Incorrect. The dangerous combination is Unconstrained Delegation + printer coercion. The unconstrained delegation host caches the coerced principal's TGT — if that principal is a Domain Controller, the attacker obtains a DC machine TGT leading to DCSync.
4. How does AI assistance specifically improve on manual BloodHound analysis in large enterprise environments?
Correct. AI's value in AD analysis is cognitive augmentation: translating intent to Cypher queries, following complex multi-hop chains that humans miss, and prioritizing thousands of paths into actionable short lists. AI does not replace collection or exploitation — it enhances analysis.
Not quite. AI doesn't replace BloodHound's collection or storage layers. Its value is in analysis: natural language to Cypher translation, multi-hop path reasoning, and ranked prioritization of discovered attack paths.

Lab 2 — BloodHound Path Analysis with AI

Conversational AI lab · Minimum 3 exchanges to complete

Scenario

You have run SharpHound and collected AD data. BloodHound shows 847 potential attack paths. You need to triage and prioritize them efficiently using AI assistance before your 4-hour engagement window closes.

Work with the AI to develop a systematic approach: How do you filter BloodHound's 847 paths to a prioritized top-5 list? What criteria does AI apply? How do you translate findings into Cypher queries? What does a WriteDacl-to-DCSync chain actually look like step by step?
AESOP Lab Assistant
BloodHound & ACL Analysis
Lab 2 ready. You have 847 BloodHound paths and a 4-hour window. Let's work through triage strategy. What's your starting point — prioritization criteria, specific ACL relationships, or Cypher query construction?
Module 4 · Lesson 3

DCSync, Credential Dumping & Pass-the-Hash/Ticket

The endgame of Active Directory compromise — extracting every credential in the domain and moving without passwords.
Once you can replicate the domain controller, you own every identity in the forest. What does that attack look like, and how does AI accelerate post-exploitation?

In March 2018, the SamSam ransomware operators encrypted approximately 3,789 government computers across the City of Atlanta, causing an estimated $17 million in recovery costs. Post-incident forensics revealed the attackers had spent weeks inside the network before deploying ransomware — using Mimikatz to dump NTLM hashes from domain controllers and pass-the-hash to authenticate across the network without ever needing to crack a single password. The city's lack of network segmentation and absence of Privileged Access Workstations meant that once one domain controller's hashes were captured, every system was accessible.

DCSync — Replicating the Domain

DCSync is a technique developed by Benjamin Delpy (creator of Mimikatz) and Vincent Le Toux, first demonstrated around 2015. It abuses the MS-DRSR (Directory Replication Service Remote Protocol) — the legitimate mechanism Domain Controllers use to synchronize AD data between each other.

When an account holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights (or DS-Replication-Get-Changes-In-Filtered-Set for fine-grained password policies), it can request that a DC replicate any AD object's data — including NTLM password hashes and Kerberos keys — without any local access to the DC itself.

The Mimikatz command is: lsadump::dcsync /domain:target.local /user:krbtgt. This requests the KRBTGT account's hash, enabling Golden Ticket creation. Running with /all /csv dumps every account in the domain. The operation generates Event 4662 on the domain controller and should trigger high-confidence SIEM alerts — but these alerts are frequently misconfigured or suppressed in many enterprises.

Credential Extraction Techniques
LSASS Memory Dump: The Local Security Authority Subsystem Service (lsass.exe) caches credentials of logged-in users including NTLM hashes, Kerberos tickets, and sometimes cleartext credentials (WDigest). Mimikatz's sekurlsa::logonpasswords reads directly from lsass memory. Windows Credential Guard (introduced in Windows 10/Server 2016) isolates lsass in a VTL1 hypervisor context, blocking this technique.
SAM Database Extraction: The Security Account Manager (SAM) database on non-DC systems stores local account hashes. impacket-secretsdump or reg.exe save can extract SAM, SYSTEM, and SECURITY hives for offline parsing. Local Administrator hashes on workstations are frequently identical across a fleet due to imaging — making local admin hash capture laterally useful even without domain credentials.
NTDS.dit Extraction: Active Directory stores all domain objects in NTDS.dit on domain controllers. Direct access requires VSS (Volume Shadow Copy) to read the locked file: ntdsutil, vssadmin, or wmic shadowcopy. Combined with the SYSTEM hive for the SYSKEY, all domain hashes can be decrypted offline using impacket-secretsdump -just-dc-file.
Pass-the-Hash (PtH) and Pass-the-Ticket (PtT)

NTLM authentication never requires the plaintext password — only its hash. Pass-the-Hash exploits this by injecting a captured NTLM hash directly into the authentication process, authenticating as the hash owner without cracking it. The technique has existed since 1997 (Paul Ashton) and remains effective because NTLM is still supported across Windows for backward compatibility.

Common PtH tools: Mimikatz's sekurlsa::pth spawns a process with the injected hash; impacket's psexec.py, smbexec.py, wmiexec.py authenticate over SMB/WMI using the hash directly. CrackMapExec (now NetExec) can spray a hash across an entire subnet to identify where it grants access.

Pass-the-Ticket (PtT) injects Kerberos tickets rather than NTLM hashes. Rubeus' ptt command or Mimikatz's kerberos::ptt inject a .kirbi ticket file into the current logon session. This is particularly powerful for service tickets (silver tickets) that grant access to specific resources without contacting the KDC.

Overpass-the-Hash converts an NTLM hash into a Kerberos TGT — useful in environments where NTLM is blocked but Kerberos is available. Mimikatz: sekurlsa::pth /user:X /domain:Y /ntlm:HASH /run:cmd.exe — the spawned process authenticates via Kerberos using the hash to request a TGT.

AI in Post-Exploitation

AI tools integrated into C2 frameworks (Cobalt Strike, Sliver, Havoc) or used as external analysis layers accelerate post-exploitation in measurable ways during authorized engagements:

Target selection. Given a dump of domain hashes and BloodHound data, AI can identify which accounts are worth prioritizing — cross-referencing hash age, group memberships, last logon, and ACL paths to determine which cracked or PtH'd accounts provide the most lateral movement value.

Credential reuse analysis. After dumping hundreds of hashes, AI can cluster accounts by hash value (identifying password reuse), flag accounts with identical hashes across departments, and predict which hashes are most likely to crack quickly based on password policy configuration.

OPSEC guidance. AI can reason about detection risks: "DCSync from a non-DC IP generates Event 4662 and typically triggers EDR. Recommend using a compromised DC as the replication source if available, or staging the operation during backup windows when replication events are baseline-heavy."

Detection — DCSync (Event 4662): Directory Service Access from a non-DC IP with properties 1131f70-c212-11d2-c… (replication GUIDs). High-fidelity detection when filtered correctly.
Detection — PtH (Event 4624 Type 3 / 4648): NTLM logon from unexpected source IPs. Network logons with no corresponding interactive session. User-Agent anomalies in WMI/SMB.
Mitigation — PtH (LAPS + Tiered Admin): Local Administrator Password Solution randomizes local admin passwords per machine, breaking lateral movement via local admin hash reuse. Tiered administration prevents DA accounts from logging into workstations.
Mitigation — DCSync (Protected Users + Tiering): Protected Users security group disables NTLM auth, WDigest, and limits delegation for DA accounts. Restricts DCSync to actual DCs by auditing replication rights quarterly.
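To make the DCSync detection row concrete, here is a Python example added to this lesson (it is not vendor code and not part of the original page): it scans constructed 4662 records for the three directory-replication control-access-right GUIDs and alerts unless the (account, source IP) pair is on an allowlist of expected replicators, so stolen DC or sync-account credentials used from the wrong host still fire. Note that 4662 itself has no source-IP field; the SourceIp value in the samples is assumed to have been joined from the matching 4624 network logon by the SIEM pipeline. The DC and sync-account names and addresses are constructed.

```python
"""Flag DCSync-style replication requests in Event ID 4662 records.

Added example, not part of the lesson. Events are constructed samples in a
simplified dict form. 4662 carries no source IP; the "SourceIp" field below is
assumed to come from correlating the event's logon with the matching 4624
network logon, which the SIEM pipeline must do before this rule runs.
"""
import re

# Control-access-right GUIDs for directory replication as documented in the AD
# schema; they appear inside the 4662 Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed allowlist: (account, source IP) pairs expected to replicate.
# Partner DCs and the Azure AD Connect sync account are the usual entries.
EXPECTED_REPLICATORS = {("DC02$", "10.0.0.12"), ("MSOL_a1b2c3", "10.0.1.5")}

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
OTHER_RIGHT = "00000000-0000-0000-0000-000000000001"   # constructed non-replication right


def _ev(subject, guids, ip, event_id=4662, computer="DC01.corp.local"):
    """Build a constructed 4662-shaped record; Properties mimics the event's layout."""
    props = "Control Access\n" + "".join(f"\t{{{g}}}\n" for g in guids)
    return {"EventID": event_id, "Computer": computer, "SubjectUserName": subject,
            "ObjectName": "DC=corp,DC=local", "Properties": props, "SourceIp": ip}


SAMPLE_EVENTS = [
    _ev("DC02$", [GET_CHANGES, GET_CHANGES_ALL], "10.0.0.12"),      # partner DC, expected
    _ev("jdoe", [GET_CHANGES, GET_CHANGES_ALL], "10.0.5.23"),       # user account replicating
    _ev("MSOL_a1b2c3", [GET_CHANGES], "10.0.1.5"),                  # sync account, expected host
    _ev("MSOL_a1b2c3", [GET_CHANGES], "10.0.5.40"),                 # sync account, wrong host
    _ev("jdoe", [OTHER_RIGHT], "10.0.5.23"),                        # unrelated directory access
    _ev("jdoe", [GET_CHANGES_ALL], "10.0.5.23", event_id=4663),     # not a 4662 at all
    _ev("DC02$", [GET_CHANGES, GET_CHANGES_ALL], "10.0.5.99"),      # DC credentials used off-DC
]


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Return a finding for every 4662 that exercises a replication right from an
    (account, source IP) pair that is not a known replicator."""
    allow = {(acct.upper(), ip) for acct, ip in expected}
    findings = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(e.get("Properties", ""))
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue                      # ordinary directory access, not replication
        who, ip = e["SubjectUserName"], e.get("SourceIp")
        if (who.upper(), ip) in allow:
            continue                      # known replicator from its known address
        # Get-Changes-All is what exposes password hashes, so it rates higher
        severity = "critical" if "DS-Replication-Get-Changes-All" in rights else "high"
        findings.append({"account": who, "source_ip": ip, "rights": rights,
                         "severity": severity, "object": e.get("ObjectName"),
                         "logged_by": e.get("Computer")})
    return findings


if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS):
        print(finding)
```

The sample yields three findings: jdoe (critical), the sync account used from an unexpected host (high), and DC02$'s credentials used from a non-DC address (critical). Keying the allowlist on the account and address together is the point; allowlisting every account ending in "$" would have silenced that last case.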
Scope Reminder

DCSync, NTDS.dit extraction, and LSASS dumping generate significant evidence in endpoint and network logs. In authorized engagements, confirm with the client whether destructive-adjacent actions (that generate extensive logging) are within scope and whether a "purple team" approach where the defender is watching in real time is expected.

Lesson 3 Quiz — DCSync & Credential Attacks

Four questions · Select the best answer for each.
1. DCSync abuses which legitimate Windows protocol to extract domain credentials without local access to a domain controller?
Correct. MS-DRSR is the protocol DCs use to replicate AD data between themselves. DCSync tricks a DC into believing a legitimate replication request is occurring, causing it to send back the requested objects' hashed credentials.
Incorrect. DCSync uses MS-DRSR — the Directory Replication Service Remote Protocol — which is the legitimate DC-to-DC synchronization mechanism. Mimikatz impersonates a DC requesting replication of specific account objects.
2. Pass-the-Hash works against NTLM authentication but fails against which Windows security feature introduced in Windows 10 and Server 2016?
Correct. Credential Guard runs lsass in a VTL1 hypervisor-protected environment, preventing user-mode and kernel-mode tools from reading credential material from lsass memory. NTLM hashes are never exposed in accessible memory when Credential Guard is active.
Not quite. Credential Guard is the answer. It uses virtualization-based security (VBS) to isolate lsass in a separate VTL1 environment. Tools like Mimikatz operating in VTL0 (normal kernel) cannot access credentials protected by Credential Guard.
3. What distinguishes "Overpass-the-Hash" from standard Pass-the-Hash?
Correct. Overpass-the-Hash (also called Pass-the-Key) uses the NTLM hash as a Kerberos encryption key to request a TGT from the KDC. The resulting TGT enables full Kerberos authentication, bypassing NTLM restrictions while still relying on hash material rather than plaintext credentials.
Incorrect. The key distinction is the authentication protocol used. Standard PtH uses NTLM with the hash directly. Overpass-the-Hash uses the NTLM hash as a Kerberos RC4 key to request a TGT, then proceeds with Kerberos authentication.
4. NTDS.dit extraction requires reading a locked file on a live domain controller. What Windows capability is most commonly abused to access it without taking the DC offline?
Correct. VSS (Volume Shadow Copy) creates point-in-time snapshots that can be accessed even when files are locked by running processes. NTDS.dit can be copied from a shadow copy path like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit without conflicts with the live database lock.
Not quite. Volume Shadow Copy Service (VSS) is the technique. Creating a shadow copy of the system volume allows reading NTDS.dit from the snapshot path even though the live file is locked by the AD database engine (ntdsa.dll). Tools: ntdsutil, vssadmin, wmic shadowcopy.

Lab 3 — DCSync & Credential Attack Planning

Conversational AI lab · Minimum 3 exchanges to complete

Scenario

You have compromised an account with DCSync rights (DS-Replication-Get-Changes-All) on an authorized engagement. You need to plan the post-exploitation phase — credential extraction, lateral movement, and OPSEC to avoid triggering the client's SOC before the test window closes.

Discuss with the AI: What is your DCSync execution plan, OPSEC considerations, and how do you use AI to prioritize which extracted hashes to act on first? How would you differentiate between Pass-the-Hash and Overpass-the-Hash scenarios based on what you find in the environment?
AESOP Lab Assistant
DCSync & Credential Strategy
Lab 3 active. You have DCSync rights on an authorized engagement. Let's plan execution, OPSEC, and post-dump prioritization. Start with your primary question — execution approach, detection avoidance, or what to do with the hashes once you have them?
Module 4 · Lesson 4

AD Persistence, Trust Abuse & Forest Compromise

After Domain Admin — maintaining access, crossing forest trusts, and the AI-assisted persistence techniques defenders must learn to detect.
Achieving Domain Admin is a milestone, not the finish line. How do sophisticated actors maintain persistence across AD resets, and how does trust abuse extend compromise across entire forests?

After NOBELIUM (APT29) achieved initial access through the SolarWinds Orion supply chain, Microsoft and Mandiant documented a persistence strategy of exceptional sophistication. Attackers created new federated identity providers in Azure AD using forged SAML tokens, added credentials to existing service principals, and modified AAD Connect synchronization accounts to maintain access even after the initial Orion backdoor was removed. In some victim organizations, credential access persisted across full AD password resets because the attackers had established trust relationships at the federation layer — effectively re-rooting their access above the credential level.

The lesson: persistence at the trust and identity provider layer survives conventional remediation entirely.

AD Persistence Techniques
Golden Ticket Persistence: Forged TGTs using the KRBTGT hash remain valid until KRBTGT is reset twice (the two-reset requirement comes from the fact that DCs cache the previous KRBTGT password). Golden tickets with a 10-year lifetime can survive AD password resets for every other account if KRBTGT is not specifically reset. Detection: tickets with unusual lifetimes or group memberships not matching AD.
Skeleton Key: Mimikatz's misc::skeleton patches lsass on domain controllers to accept a master password ("mimikatz") for any account while legitimate passwords continue to work. Requires DA access to deploy. Does not survive DC reboots. Detection: Event 4673 (Sensitive Privilege Use) during lsass patching.
AdminSDHolder Backdoor: AdminSDHolder is a container whose ACL is propagated every 60 minutes (SDProp) to all protected groups (Domain Admins, Administrators, etc.). Attackers with DA rights add themselves to AdminSDHolder's ACL — the propagation automatically grants them persistent control over all protected objects even if removed from DA.
DSRM Account Abuse: Directory Services Restore Mode is a local administrator account on every DC with a separately set password. If DSRMAdminLogonBehavior is set to 2, the DSRM account can log in over the network. Attackers set this registry key and modify the DSRM password to maintain persistent local admin on DCs even after AD passwords change.
Shadow Credentials: Windows Hello for Business allows writing a key credential (msDS-KeyCredentialLink attribute) to a user or computer object. An attacker with write access to this attribute adds their own key, then authenticates as the account using PKINIT without knowing its password. Persists as long as the attacker's key credential remains on the object.
Domain and Forest Trust Abuse

Active Directory supports trust relationships between domains and forests, enabling users in one domain to authenticate to resources in another. These trust relationships — especially when misconfigured — create attack paths that bypass the security boundaries defenders believe they have established.

SID History Injection (Extra SIDs): When users migrate between domains, their previous SID is stored in the SIDHistory attribute to preserve resource access. An attacker who compromises a child domain can forge a TGT with a SIDHistory field containing the parent domain's Enterprise Admins SID (S-1-5-21-[domain]-519). If the parent domain has SID filtering disabled (the default for child domains within the same forest), this ticket grants Enterprise Admin access across the forest. This is the cross-forest child-to-parent privilege escalation first documented by Sean Metcalf at DerbyCon 2015.

Trust Ticket Forgery: Inter-domain trust relationships use shared trust keys for Kerberos referral. An attacker who extracts the trust key (via Mimikatz lsadump::trust) can forge inter-realm TGTs, authenticating from a child domain to a parent domain or a forest-trusted domain as any user.

Forest-to-Forest Trust Abuse: External forest trusts with SID filtering disabled (FilterSIDs=0) allow SIDHistory attacks across forest boundaries — a full forest compromise from a compromise of any trusted forest. Even with SID filtering enabled, resource forest trusts configured with Selective Authentication gaps or over-provisioned permissions frequently allow escalation.

Child-to-Parent Forest Escalation via SID History
Compromise Child Domain → Get Child KRBTGT Hash → Forge TGT + EA SID in SIDHistory → Referral to Parent KDC → Enterprise Admin on Forest Root
AI-Assisted Persistence & Detection Evasion

AI tools in authorized red team engagements assist with persistence selection and evasion planning in three documented use cases:

Persistence mechanism selection. Given environment parameters (EDR vendor, Windows version, logging configuration, SOC monitoring hours), AI recommends which persistence technique has the lowest detection probability. AdminSDHolder abuse, for example, is less likely to trigger EDR behavioral alerts than in-memory skeleton key patching.

Cleanup timing optimization. AI can reason about SOC shift patterns and logging retention windows to recommend when to remove persistence artifacts for minimal forensic exposure — a capability that makes AI genuinely dangerous in adversarial hands and emphasizes why AI governance in security tooling matters.

Trust enumeration acceleration. Enumerating all trust relationships in a complex multi-forest environment using native tools (nltest, Get-ADTrust) produces raw data that AI can map into an attack-relevant graph — identifying which trusts have SID filtering disabled, which are bidirectional, and which cross organization boundaries without proper security controls.
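Trust enumeration from the defender's side, as an added example that is not part of the course: it wraps Get-ADTrust from the RSAT ActiveDirectory module and flags the conditions named in the Domain and Forest Trust Abuse section and in the enumeration point above (SID filtering off, SIDHistory honoured on forest trusts, bidirectional direction, no selective authentication). The mapping of the module's properties to netdom settings in the comments is my reading of the module's documentation, not something the page states.

```powershell
# Added example (not from the course). Enumerates trusts with Get-ADTrust and flags
# the conditions the course names as risky: SID filtering off on external trusts,
# SIDHistory honoured on forest trusts, bidirectional direction, no selective auth.
# Assumption: the property-to-netdom mapping in the comments is my reading of the
# RSAT ActiveDirectory module, not something stated on the page.
Import-Module ActiveDirectory

function Get-TrustRiskReport {
    foreach ($t in (Get-ADTrust -Filter *)) {
        $findings = @()
        if ($t.IntraForest) {
            # Parent/child and tree-root trusts never filter SIDs, so a compromised
            # child domain is a forest-root compromise via the SIDHistory path.
            $type = 'IntraForest'
            $findings += 'SID filtering not applied inside a forest; child compromise = forest compromise'
        } elseif ($t.ForestTransitive) {
            $type = 'Forest'
            # SIDFilteringForestAware = $true corresponds to netdom /enablesidhistory:yes,
            # i.e. SIDHistory from the trusted forest is honoured.
            if ($t.SIDFilteringForestAware) { $findings += 'Forest trust honours SIDHistory (sidhistory enabled)' }
        } else {
            $type = 'External'
            # SIDFilteringQuarantined = $true corresponds to netdom /quarantine:yes.
            if (-not $t.SIDFilteringQuarantined) { $findings += 'External trust without SID filtering (quarantine off)' }
        }
        if ($type -ne 'IntraForest') {
            if ($t.Direction -eq 'BiDirectional') { $findings += 'Bidirectional: trusted side can authenticate inbound' }
            if (-not $t.SelectiveAuthentication) { $findings += 'No selective authentication: all trusted users become Authenticated Users here' }
        }
        $risk = if ($findings.Count -ge 2) { 'HIGH' } elseif ($findings.Count -eq 1) { 'MEDIUM' } else { 'LOW' }
        [pscustomobject]@{
            Trust     = $t.Name
            Type      = $type
            Direction = $t.Direction
            RiskLevel = $risk
            Findings  = ($findings -join '; ')
        }
    }
}

Get-TrustRiskReport | Sort-Object RiskLevel, Trust | Format-Table -AutoSize -Wrap
```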

Defensive Priorities
Against Golden Tickets
Reset KRBTGT Twice
Microsoft's guidance: reset KRBTGT password, wait for replication, reset again. Invalidates all outstanding TGTs. Script: New-KrbtgtKeys.ps1 (Microsoft).
Against SID History
Enable SID Filtering
Enable Quarantine on all external trusts. For intra-forest child domains, SID filtering cannot simply be switched on; true isolation requires architectural segmentation into separate forests.
Against AdminSDHolder
Audit ACL Monthly
Script monthly diff of AdminSDHolder DACL. Alert on any new ACE additions. The 60-minute SDProp cycle means backdoors propagate quickly but also means audit windows are defined.
Against Shadow Credentials
Monitor msDS-KeyCredentialLink
Azure AD Connect Health and on-premises monitoring for changes to msDS-KeyCredentialLink. Unexpected writes to this attribute on privileged accounts should generate high-priority alerts.
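One way to implement the monthly AdminSDHolder DACL diff described above, added as an example and not the course's own script: the first run records a baseline of the DACL, and every later run reports ACEs that are not in that baseline. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a writable baseline path, which is a placeholder.

```powershell
# Added example (not from the course). Baselines the AdminSDHolder DACL and diffs it
# against the baseline on each run; any ACE not in the baseline is reported.
# Assumptions: RSAT ActiveDirectory module; $BaselinePath is a placeholder you can write to.
Import-Module ActiveDirectory

$BaselinePath = "$env:ProgramData\AdminSDHolder-baseline.json"   # assumed path

function Get-AdminSDHolderAces {
    $dn = "CN=AdminSDHolder,$((Get-ADDomain).SystemsContainer)"
    # The AD: drive is provided by the ActiveDirectory module.
    (Get-Acl -Path "AD:\$dn").Access | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Rights      = $_.ActiveDirectoryRights.ToString()
            Type        = $_.AccessControlType.ToString()
            ObjectType  = $_.ObjectType.ToString()      # GUID of the property/extended right, or all zeros
            Inheritance = $_.InheritanceType.ToString()
        }
    }
}

# A stable string key per ACE lets the two sets be compared across runs.
function ConvertTo-AceKey($ace) {
    "$($ace.Identity)|$($ace.Rights)|$($ace.Type)|$($ace.ObjectType)|$($ace.Inheritance)"
}

$current = @(Get-AdminSDHolderAces)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the DACL. Review it by hand before trusting it as a baseline.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written with $($current.Count) ACEs to $BaselinePath"
    return
}

$baseline     = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$baselineKeys = $baseline | ForEach-Object { ConvertTo-AceKey $_ }
$currentKeys  = $current  | ForEach-Object { ConvertTo-AceKey $_ }

$added   = $current  | Where-Object { (ConvertTo-AceKey $_) -notin $baselineKeys }
$removed = $baseline | Where-Object { (ConvertTo-AceKey $_) -notin $currentKeys }

if ($added) {
    # New ACEs are the signal: SDProp stamps them onto every protected object within 60 minutes.
    Write-Warning "ALERT: $(@($added).Count) ACE(s) added to AdminSDHolder since baseline"
    $added | Format-Table -AutoSize
}
if ($removed) {
    Write-Warning "$(@($removed).Count) baseline ACE(s) no longer present"
    $removed | Format-Table -AutoSize
}
if (-not $added -and -not $removed) { Write-Host 'AdminSDHolder DACL matches baseline' }
```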
Module Summary

Active Directory attack paths form a layered kill chain: enumeration (BloodHound + AI path analysis) → initial access via Kerberos abuse → credential extraction (DCSync, LSASS) → lateral movement (PtH/PtT) → persistence (Golden Tickets, AdminSDHolder, Shadow Credentials) → trust abuse (SID History, trust ticket forgery). AI accelerates each phase, but the underlying protocols and misconfigurations are the root cause. Defenders must address the attack surface structurally, not just monitor for tool signatures.

Lesson 4 Quiz — Persistence & Trust Abuse

Four questions · Select the best answer for each.
1. AdminSDHolder persistence works because of which automatic AD process?
Correct. SDProp is a background process that runs every 60 minutes on the PDC Emulator. It copies AdminSDHolder's DACL to all protected objects (Domain Admins, Administrators, Schema Admins, etc.). A backdoor ACE added to AdminSDHolder propagates automatically to all protected accounts within the hour.
Not quite. The mechanism is SDProp — the Security Descriptor Propagator — which runs every 60 minutes on the PDC Emulator and stamps AdminSDHolder's ACL onto all protected group members. This is what makes AdminSDHolder backdoors persistent and self-reinforcing.
2. A child domain has been fully compromised. The attacker wants to escalate to Enterprise Admin on the forest root. Which technique leverages the inter-domain trust while bypassing SID filtering (which is typically disabled for intra-forest child domains)?
Correct. Within a forest, SID filtering is disabled by default between parent and child domains. A Golden Ticket forged in the child domain with the forest root's Enterprise Admins SID in the SIDHistory/ExtraSIDs field will be accepted by the parent KDC, granting full Enterprise Admin access. This requires the child domain's KRBTGT hash and knowledge of the parent domain's EA SID.
Not quite. The correct technique is SID History injection using a forged child domain TGT that includes the forest root's Enterprise Admins SID (S-1-5-21-[root]-519) in the PAC's ExtraSIDs field. Intra-forest trusts have SID filtering disabled by default, so the parent KDC accepts the forged ticket.
3. Shadow Credentials persistence writes attacker-controlled data to which Active Directory attribute?
Correct. Shadow Credentials abuses the msDS-KeyCredentialLink attribute, which stores Windows Hello for Business / FIDO2 public key credentials. Writing an attacker-controlled public key to this attribute allows authentication as the account using PKINIT Kerberos (certificate-based auth) without knowing its password.
Incorrect. The attribute is msDS-KeyCredentialLink. Shadow Credentials works by writing a public key to this attribute. The attacker then uses the corresponding private key to authenticate via PKINIT, bypassing password-based authentication entirely.
4. To fully remediate a Golden Ticket compromise, Microsoft recommends resetting the KRBTGT password twice rather than once. Why?
Correct. DCs accept tickets encrypted with the current or previous KRBTGT password to support legitimate Kerberos during password rollover. After one reset, the attacker's golden tickets (encrypted with the old password) are still valid because that old password becomes the "previous" password DCs still accept. The second reset removes the last reference to the compromised key.
Not quite. The reason is that DCs cache two KRBTGT passwords (current and previous) to prevent ticket failures during legitimate password rollover. After one reset, attacker golden tickets are still valid against the cached previous password. The second reset ensures both slots contain new, unknown values.

Lab 4 — AD Persistence & Trust Abuse Planning

Conversational AI lab · Minimum 3 exchanges to complete

Scenario

You have achieved Domain Admin on a child domain within a multi-forest enterprise environment during an authorized red team assessment. The engagement scope includes demonstrating persistence and cross-forest impact. You need to plan and justify your technique selection to the client's CISO.

Work with the AI: Which persistence mechanisms would you demonstrate to maximize client learning, and how do you explain their detection and remediation? How does SID History injection work operationally, and what does the attacker see versus what the defender needs to detect? What is the full remediation playbook for a golden ticket compromise?
AESOP Lab Assistant
Persistence & Trust Abuse
Lab 4 ready. You're Domain Admin on a child domain in a multi-forest environment — authorized red team, CISO briefing required. Let's work through persistence mechanism selection, SID History exploitation, or the Golden Ticket remediation playbook. Where do you want to start?

Module 4 Test — Active Directory Attack Paths

15 questions · 80% required to pass · Covers all four lessons
1. Kerberoasting targets accounts with which Active Directory attribute configured?
Correct. Any account with an SPN registered can have its TGS requested by any authenticated domain user. That TGS is encrypted with the account's hash and can be cracked offline.
Incorrect. Kerberoasting requires a registered SPN. AS-REP Roasting (not Kerberoasting) targets accounts with DONT_REQUIRE_PREAUTH.
2. Which impacket tool is used to perform AS-REP Roasting from a Linux attack host?
Correct. GetNPUsers.py requests AS-REP for accounts with preauthentication disabled. GetUserSPNs.py is the Kerberoasting tool.
Incorrect. GetNPUsers.py handles AS-REP Roasting. GetUserSPNs.py performs Kerberoasting. They target different attack conditions.
3. BloodHound stores its AD relationship graph data in which database technology?
Correct. BloodHound uses Neo4j. AD objects become nodes and relationships (ACLs, group memberships, sessions) become edges. Cypher queries traverse this graph to find attack paths.
Incorrect. Neo4j is the graph database that makes BloodHound's path-finding queries efficient. Its native graph storage and Cypher query language are specifically suited to AD relationship traversal.
4. An attacker with GenericWrite on a computer object can perform which attack?
Correct. GenericWrite on a computer enables writing to msDS-AllowedToActOnBehalfOfOtherIdentity, configuring RBCD to trust an attacker-controlled account. The attacker can then use S4U2Self/S4U2Proxy to get a TGS impersonating any domain user to that computer.
Incorrect. GenericWrite enables RBCD abuse by writing the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, not direct SAM access or group modification.
5. What is the primary reason Silver Tickets are harder to detect than Golden Tickets?
Correct. Golden Tickets interact with the KDC (generating Kerberos event logs). Silver Tickets are presented directly to the target service, which validates them locally using its own service account key — no KDC communication means no centralized authentication logs.
Incorrect. The detection difference is architectural: Silver Tickets never touch the KDC. Without KDC log generation, SIEM-based Kerberos anomaly detection misses silver ticket usage entirely.
6. The NOBELIUM (APT29 / SolarWinds) attackers maintained persistence that survived full AD password resets by abusing which layer?
Correct. NOBELIUM created rogue federated identity providers and added credentials to service principals — mechanisms that persist above AD itself. Resetting all AD passwords doesn't remove a forged SAML signing certificate or a service principal credential added at the Azure AD layer.
Incorrect. NOBELIUM's persistence was at the federation/cloud identity layer — forged SAML tokens and service principal credentials that survived on-premises AD password resets entirely.
7. DCSync generates which Windows event ID on the domain controller being queried?
Correct. Event 4662 whose Properties field contains the replication control-access GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, DS-Replication-Get-Changes, and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, DS-Replication-Get-Changes-All) indicates a replication operation. DCSync from a non-DC IP generating 4662 with these GUIDs is a high-fidelity detection signal.
Incorrect. DCSync triggers Event 4662 (Directory Service Access) with replication-specific GUIDs. Detecting 4662 from non-DC source IPs with replication GUIDs is the standard SIEM rule.
8. Pass-the-Hash is effective because NTLM authentication uses the password hash in which part of the protocol?
Correct. In NTLM, the client computes: NT_RESPONSE = HMAC-MD5(NTLM_hash, server_challenge + client_challenge). The hash is used directly as the keying material — possessing the hash allows computing a valid response without knowing the plaintext password.
Incorrect. The NTLM hash is used as the keying material for computing the challenge response (HMAC-MD5). The hash is never transmitted and the plaintext is never used — so possessing the hash is sufficient to authenticate.
9. Which Windows feature, when enabled, prevents Mimikatz from reading NTLM hashes and Kerberos tickets from lsass memory?
Correct. Credential Guard uses VBS to run a protected lsass instance in VTL1, isolated from the normal OS (VTL0). Even with kernel-level access, attackers cannot read credentials from the VTL1-protected lsass process.
Incorrect. Credential Guard is the correct answer. AppLocker is easily bypassed by renaming. BitLocker protects at-rest data. Only Credential Guard architecturally isolates credential material from standard kernel-mode access.
10. Unconstrained Delegation combined with printer spooler coercion is dangerous because:
Correct. When a DC authenticates to a host with unconstrained delegation, it sends its full TGT as part of the Kerberos delegation mechanism. The attacker extracts this DC TGT and uses pass-the-ticket to authenticate as the DC β€” enabling DCSync and full domain compromise.
Incorrect. The vulnerability is that unconstrained delegation receives and caches the authenticating principal's TGT. Coercing a DC authentication deposits the DC's TGT, which the attacker extracts using Mimikatz (sekurlsa::tickets) or Rubeus (dump).
11. SID History injection for child-to-parent forest escalation requires which condition in the default intra-forest trust configuration?
Correct. Microsoft disables SID filtering between parent and child domains within the same forest by default (to support legitimate SIDHistory-based migration). This means extra SIDs in forged TGTs — including the parent domain's Enterprise Admins SID — are accepted by the parent KDC.
Incorrect. The key fact is that SID filtering is OFF by default for intra-forest child-to-parent trusts. This design decision (supporting legitimate migrations) is what enables the SID History escalation attack without any attacker configuration changes.
12. What is the DSRM (Directory Services Restore Mode) account, and why is it an AD persistence target?
Correct. DSRM is a local (not domain) account on each DC used for offline AD recovery. By setting the DSRMAdminLogonBehavior registry key to 2 and setting a known DSRM password, attackers maintain persistent local admin on DCs that survives complete domain-level password resets.
Incorrect. DSRM is a local administrator account on each DC for recovery purposes. Its value as a persistence mechanism comes from the DSRMAdminLogonBehavior registry setting that allows network logon — and because it's a local account, domain password changes don't affect it.
13. AI-assisted attack path analysis in BloodHound primarily improves on manual analysis by:
Correct. AI's contribution is analytical augmentation: making complex graph analysis accessible through natural language, following chains beyond normal human attention span, and prioritizing results — not automating exploitation or replacing infrastructure components.
Incorrect. AI assists analysis, not exploitation or infrastructure. Its value is in Cypher generation from natural language, multi-hop reasoning, and path prioritization for human analysts to act on.
14. Which Microsoft tool / script is recommended for KRBTGT password reset during Golden Ticket incident response?
Correct. New-KrbtgtKeys.ps1 (published by Microsoft's ATA team) handles the KRBTGT reset safely, including warnings about replication timing, guidance on the required second reset, and simulation mode for testing. Using Set-ADAccountPassword directly is error-prone and may not account for replication delays.
Incorrect. Microsoft's recommended tool is New-KrbtgtKeys.ps1, which handles safe reset sequencing, replication waits, and provides simulation mode. Ad-hoc password resets can cause replication issues or fail to properly invalidate existing tickets.
15. Which combination of AD security controls most effectively reduces Kerberoasting impact (not prevention, but impact reduction)?
Correct. gMSA accounts have 240-character randomly generated passwords that automatically rotate — making offline cracking computationally infeasible regardless of hardware. Combined with least-privilege for service accounts (so a cracked account provides minimal lateral movement value), this reduces Kerberoasting impact dramatically without removing SPNs.
Incorrect. Group Managed Service Accounts (gMSA) are the correct answer. 240-character auto-rotated passwords make Kerberoasted tickets uncrackable regardless of GPU resources. Removing SPNs breaks legitimate services; Protected Users breaks many service account functions.