Despite the rise of cloud identity providers and Zero Trust initiatives, Active Directory remains present in the overwhelming majority of enterprise environments. Consequently, it continues to be one of the most attractive targets for attackers seeking privilege escalation and domain dominance. In nearly every red team engagement, the path to full domain compromise runs straight through AD misconfigurations that have existed for years, undetected.
Here are the five most common ones penetration testers find today.
1. Kerberoasting — Service Accounts with Weak Passwords
Kerberoasting is one of the best-known Active Directory attacks, and it still works in 2026. Any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has a Service Principal Name (SPN). The service ticket is encrypted with a key derived from the service account's password (for RC4 tickets, the NT hash itself), so it can be taken offline and cracked with no further interaction with the domain. The request is logged as Event ID 4769, but nothing distinguishes it from normal traffic unless someone is looking for the pattern.
Fix: Service accounts should use long, randomized passwords (25+ characters) or, better, be replaced with Group Managed Service Accounts (gMSA), whose 240-byte passwords are generated and rotated by AD automatically. Where a user account must keep an SPN, set `msDS-SupportedEncryptionTypes` to AES only so the KDC stops issuing RC4 tickets for it; RC4 tickets are far cheaper to crack than AES ones.
Detection: Monitor Event ID 4769 for unusual volumes of TGS requests, especially a single user requesting tickets for many distinct services in a short time window, and for RC4 tickets (TicketEncryptionType 0x17) in an environment that should be AES-only.
2. AS-REP Roasting — Accounts Without Pre-Authentication
When Kerberos pre-authentication is disabled on an account, anyone who can reach a Domain Controller and knows the username can send an AS-REQ for it without proving knowledge of the password. The AS-REP that comes back contains data encrypted with a key derived from the user's password, which is crackable offline. No valid credentials are needed, only a list of usernames.
Fix: Audit AD for accounts with the `DONT_REQ_PREAUTH` bit (0x400000) set in `userAccountControl` and enable pre-authentication everywhere. There are very few legitimate reasons to disable it, and they usually trace back to a legacy application that no longer needs it.
Detection: Monitor Event ID 4768 for requests with PreAuthType 0 (a ticket issued without pre-authentication) from unexpected sources, or for accounts that should not be authenticating from that network at all.
3. Excessive Privileges and ACL Abuse
Active Directory permissions are inherited, accumulated, and rarely cleaned up. Over time, low-privileged users and service accounts end up holding rights they should never have, such as `GenericAll`, `WriteDACL`, `WriteOwner` or `ForceChangePassword` (the User-Force-Change-Password extended right) on sensitive accounts or groups.
These ACL misconfigurations are the gift that keeps on giving for attackers. Tools like BloodHound make it trivial to graph attack paths through these relationships and find routes to Domain Admin that nobody realized existed: a help-desk group with `GenericWrite` on a service account, that account with `WriteDACL` on a group, that group with the right to add members to a Tier 0 group, and so on.
Fix: Run BloodHound CE regularly and audit the ACLs on privileged objects, including AdminSDHolder (its ACL is stamped onto every protected account), the domain head (where the replication rights used by DCSync live) and the Tier 0 groups. Apply the principle of least privilege and remove any permission that cannot be justified; where a right must stay, hold it through a tightly controlled group rather than a direct ACE for a user.
Detection: Monitor for unexpected ACL changes via Event ID 5136 (Directory Service Object Modified). It only fires when the Directory Service Changes audit subcategory is enabled and the object carries a SACL, so both need to be in place before relying on it.
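BloodHound answers the graph-wide question; the following PowerShell spot check, added here as an example and not taken from the original article, answers the narrower one of who holds dangerous rights directly on the objects that matter most. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive) and a read-only domain-joined session. The list of "expected" principals and the chosen target objects are assumptions to adjust for your forest; the extended-right and attribute GUIDs are the documented schema values.

```powershell
# Added audit example, not from the original article. Assumes the RSAT
# ActiveDirectory module; the "expected" principal pattern is an assumption.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$targets = @(
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",   # template copied to all protected accounts
    $domain.DistinguishedName                                     # domain head: replication (DCSync) rights live here
)

# Principals that are supposed to control Tier 0. Anything else holding a
# dangerous right is reported for review.
$expectedPattern = '^(NT AUTHORITY\\(SYSTEM|SELF|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\Administrators|[^\\]+\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Read-only Domain Controllers))$'

# Extended rights (controlAccessRight GUIDs) that translate to control of the object or the domain.
$extendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
# Attribute GUIDs where WriteProperty alone is enough to take over the object.
$writeProps = @{
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (add members)'
    '00000000-0000-0000-0000-000000000000' = 'all attributes'
}

function Get-DangerousAce {
    param([string] $DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $expectedPattern) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()   # e.g. "GenericAll" or "WriteProperty, ExtendedRight"
        $guid   = $ace.ObjectType.ToString()
        $why    = @()
        foreach ($r in 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite') {
            if ($rights -match $r) { $why += $r }
        }
        if ($rights -match 'WriteProperty' -and $writeProps.ContainsKey($guid)) {
            $why += "WriteProperty: $($writeProps[$guid])"
        }
        if ($rights -match 'ExtendedRight' -and $extendedRights.ContainsKey($guid)) {
            $why += $extendedRights[$guid]
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = ($why -join ', ')
                Inherited = $ace.IsInherited
            }
        }
    }
}

$targets | ForEach-Object { Get-DangerousAce -DistinguishedName $_ } | Format-Table -AutoSize
```

Expect some legitimate noise in the output (for example the Azure AD Connect account holding replication rights on the domain head); each line is a question to answer, not automatically a finding, but every `GenericAll` or `WriteDacl` held by something outside the expected set is a path BloodHound will also draw.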
4. Unconstrained Delegation
When a computer or service account is configured for unconstrained delegation, every user who authenticates to that service with Kerberos hands it a forwardable copy of their Ticket Granting Ticket (TGT), which the host caches in LSASS so it can act as the user towards other services. If an attacker compromises a machine with unconstrained delegation, they can extract those cached TGTs and impersonate any user who has authenticated there, including Domain Admins. Accounts in the Protected Users group, or marked "Account is sensitive and cannot be delegated", do not forward their TGT and are not exposed this way.
Fix: Replace unconstrained delegation with constrained delegation or Resource-Based Constrained Delegation (RBCD) wherever possible. Domain Controllers are trusted for delegation by design and are the only place the flag belongs. Put Tier 0 accounts in Protected Users and set "sensitive and cannot be delegated" on them, so that a host you have not yet cleaned up cannot collect their tickets.
Detection: Audit delegation settings regularly. Flag any computer (Event ID 4742) or user (Event ID 4738) whose `userAccountControl` gains the TRUSTED_FOR_DELEGATION bit, and watch for TGT activity from a delegating host on behalf of accounts that never log on to it.
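The three account-level exposures from sections 1, 2 and 4 can be pulled out of AD in one pass. The script below is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module and a domain-joined session with read access. The `userAccountControl` bit values are the documented ones, and the LDAP matching rule `1.2.840.113556.1.4.803` is the standard bitwise-AND rule, so the filters work against any supported DC.

```powershell
# Added audit example, not from the original article. Assumes the RSAT
# ActiveDirectory module and a domain-joined session that can read AD.
Import-Module ActiveDirectory

$bitAnd            = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND
$DONT_REQ_PREAUTH  = 0x400000                   # 4194304: Kerberos pre-authentication not required
$TRUSTED_FOR_DELEG = 0x80000                    # 524288: unconstrained delegation

# Section 1: Kerberoastable accounts are user objects carrying an SPN. krbtgt is
# skipped; computers and gMSAs are not user objects and never appear here.
$spnUsers = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, pwdLastSet, 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $etypes = [int]$_.'msDS-SupportedEncryptionTypes'   # unset attribute -> 0
        $pwdSet = if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }
        [pscustomobject]@{
            Account         = $_.SamAccountName
            PasswordAgeDays = if ($pwdSet) { [int]((Get-Date) - $pwdSet).TotalDays } else { -1 }
            # RC4 = 0x4, AES128 = 0x8, AES256 = 0x10. RC4 explicitly allowed, or no
            # AES flag set at all, means the KDC can still issue RC4 service tickets.
            RC4Possible     = (($etypes -band 0x4) -ne 0) -or (($etypes -band 0x18) -eq 0)
            SPNs            = ($_.servicePrincipalName -join ';')
        }
    }

# Section 2: accounts that do not require pre-authentication (AS-REP roastable).
$noPreauth = Get-ADUser -LDAPFilter "(userAccountControl:$($bitAnd):=$($DONT_REQ_PREAUTH))" |
    Select-Object SamAccountName, Enabled

# Section 4: unconstrained delegation. Domain controllers carry the flag by
# design, so writable DCs (primaryGroupID 516) and RODCs (521) are excluded.
$unconstrained = @(
    Get-ADComputer -LDAPFilter "(&(userAccountControl:$($bitAnd):=$($TRUSTED_FOR_DELEG))(!(primaryGroupID=516))(!(primaryGroupID=521)))" |
        Select-Object @{n='Object'; e={ $_.SamAccountName }}, @{n='Type'; e={ 'computer' }}
    Get-ADUser -LDAPFilter "(userAccountControl:$($bitAnd):=$($TRUSTED_FOR_DELEG))" |
        Select-Object @{n='Object'; e={ $_.SamAccountName }}, @{n='Type'; e={ 'user' }}
)

# Section 4, fix side: Domain Admins whose TGT an unconstrained host could still
# harvest because they are neither in Protected Users nor marked
# "sensitive and cannot be delegated".
$delegatableAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AccountNotDelegated, memberOf |
    Where-Object { -not $_.AccountNotDelegated -and -not ($_.memberOf -match '^CN=Protected Users,') } |
    Select-Object SamAccountName

"== Kerberoastable user accounts (oldest password first) =="
$spnUsers | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
"== Accounts without Kerberos pre-authentication =="
$noPreauth | Format-Table -AutoSize
"== Unconstrained delegation (non-DC) =="
$unconstrained | Format-Table -AutoSize
"== Domain Admins that can still be delegated =="
$delegatableAdmins | Format-Table -AutoSize
```

An SPN account with `RC4Possible` true and a password that has not changed in years is the first thing a tester will roast; the other three lists should ideally be empty.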
5. DPAPI Credential Exposure
The Windows Data Protection API (DPAPI) is used to encrypt stored credentials: browser passwords, Wi-Fi keys, saved RDP credentials, Credential Manager entries and more. DPAPI abuse deserves an article of its own because of the impact it has on post-exploitation in Active Directory environments.
In a domain, every domain user's DPAPI master key is additionally encrypted with the domain's DPAPI backup key, whose private half is held by the Domain Controllers as an LSA secret. An attacker who can read that secret, which in practice means Domain Admin-equivalent rights, can decrypt the master keys, and through them the stored credentials, of any domain user on any machine in the domain, offline and without touching the endpoints again. The backup key has no rotation mechanism, so once it is stolen it remains valid indefinitely.
Fix: There is no setting that narrows who may read the backup key beyond Domain Controller and Domain Admin-level access, so the control is limiting and monitoring that access: tier your administration, keep DA-equivalent accounts and interactive DC logons to a minimum, and audit which accounts hold replication rights or local privileges on Domain Controllers.
Detection: Monitor for unusual access to `lsass.exe` on endpoints and for reads of DPAPI master key files under `%APPDATA%\Microsoft\Protect`. On Domain Controllers, retrieval of the backup key surfaces as Event ID 4662 with ObjectType `SecretObject` and an object name containing `BCKUPKEY`. Correlate both with lateral movement indicators.
How Defenders Can Detect These Attacks — Key Event IDs
| Event ID | Description |
|---|---|
| 4768 | Kerberos AS-REQ (watch PreAuthType 0 for accounts without pre-authentication). Confirm the "Audit Kerberos Authentication Service" subcategory is enabled on every DC. |
| 4769 | Kerberos TGS-REQ (watch for Kerberoasting patterns: one requester, many distinct SPNs, RC4 tickets). Confirm the "Audit Kerberos Service Ticket Operations" subcategory is enabled on every DC. |
| 5136 | Directory Service Object Modified (ACL and attribute changes). Needs "Audit Directory Service Changes" plus a SACL on the objects you care about. |
| 4742 | Computer Account Changed (delegation changes on computers; 4738 is the user-account equivalent). |
| 4662 | Operation performed on an AD object (DPAPI backup key retrieval appears as ObjectType SecretObject with a BCKUPKEY object name). |
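The 4769 and 4768 rows describe patterns, not single events, so the matching logic has to correlate. The following PowerShell is an added example, not from the original article: it implements the Kerberoasting window check from section 1 and the no-pre-auth check from section 2 and runs them over a handful of constructed events so it can be tried without a Domain Controller. The function names, thresholds and sample data are assumptions; the event field names (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `PreAuthType`, `IpAddress`, `Status`) are the ones the Security log actually uses.

```powershell
# Added detection example, not from the original article. Runs offline on the
# constructed sample below; the commented Get-WinEvent line at the end shows how
# the same objects are built from a live Security log.

function ConvertFrom-KerberosEvent {
    # Flattens a Security-log record into an object with one property per EventData field.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $h = @{ EventID = $Event.Id; TimeCreated = $Event.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

function Find-KerberoastPattern {
    # One requester asking for RC4 (0x17) service tickets for several distinct
    # SPNs inside a short window is the classic Kerberoasting signature.
    param([object[]] $Events, [int] $WindowMinutes = 5, [int] $MinDistinctServices = 3)   # thresholds are assumptions
    $hits = @()
    $candidates = $Events | Where-Object {
        $_.EventID -eq 4769 -and
        $_.Status -eq '0x0' -and                 # successful TGS-REP only
        $_.TicketEncryptionType -eq '0x17' -and  # RC4-HMAC: cheapest to crack
        $_.ServiceName -notmatch '\$$' -and      # host (computer$) tickets are normal noise
        $_.ServiceName -ne 'krbtgt'
    }
    foreach ($group in ($candidates | Group-Object TargetUserName, IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = $sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end }
            $services = @($inWindow.ServiceName | Sort-Object -Unique)
            if ($services.Count -ge $MinDistinctServices) {
                $hits += [pscustomobject]@{
                    Requester = $sorted[$i].TargetUserName
                    SourceIp  = $sorted[$i].IpAddress
                    Start     = $start
                    Services  = $services
                }
                break   # one alert per requester/IP pair is enough
            }
        }
    }
    return $hits
}

function Find-AsRepRoastPattern {
    # 4768 with PreAuthType 0 means the KDC issued an AS-REP without pre-authentication.
    param([object[]] $Events)
    $Events | Where-Object { $_.EventID -eq 4768 -and $_.Status -eq '0x0' -and $_.PreAuthType -eq '0' } |
        Select-Object TimeCreated, TargetUserName, IpAddress, TicketEncryptionType
}

# Constructed sample data standing in for Security-log records (not real events).
$t0 = Get-Date '2026-01-15T09:00:00'
$sample = @(
    foreach ($i in 0..4) {   # jdoe pulls five RC4 service tickets in under a minute
        [pscustomobject]@{ EventID = 4769; TimeCreated = $t0.AddSeconds(10 * $i); TargetUserName = 'jdoe@CORP.LOCAL'
            ServiceName = "svc_app$i"; TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.0.5'; Status = '0x0' }
    }
    # asmith fetches one AES host ticket: normal traffic
    [pscustomobject]@{ EventID = 4769; TimeCreated = $t0.AddMinutes(1); TargetUserName = 'asmith@CORP.LOCAL'
        ServiceName = 'FS01$'; TicketEncryptionType = '0x12'; IpAddress = '::ffff:10.0.0.9'; Status = '0x0' }
    # legacy_svc has pre-authentication disabled: an AS-REP was handed out without a password check
    [pscustomobject]@{ EventID = 4768; TimeCreated = $t0.AddMinutes(2); TargetUserName = 'legacy_svc'
        PreAuthType = '0'; TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.0.5'; Status = '0x0' }
)

Find-KerberoastPattern -Events $sample | Format-List     # one hit: jdoe from 10.0.0.5, five services
Find-AsRepRoastPattern -Events $sample | Format-Table    # one row: legacy_svc

# Live equivalent on a Domain Controller with the Kerberos audit subcategories enabled:
# Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4768 or EventID=4769)]]" -MaxEvents 5000 |
#     ConvertFrom-KerberosEvent | Find-KerberoastPattern
```

The RC4 filter is deliberate: in an AES-only environment a 0x17 ticket is itself the anomaly, while in a mixed one it keeps the volume manageable. Tune `MinDistinctServices` against a week of your own 4769 data before turning the rule into an alert, because monitoring and backup agents also request tickets for many SPNs in bursts.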
Run BloodHound CE on a continuous basis, not just during incident response. Treat it as a permanent visibility tool, not a one-time audit.
Conclusion
Attackers don't need zero-days to compromise an enterprise. They need a valid domain user account and a few hours with BloodHound. The misconfigurations described in this article are not theoretical; they are found in real environments, in real engagements, every single day.
The good news is that most of them are fixable. The bad news is that most organizations don't know they have them.