Module 5: Windows Attacks and Defense

These notes are from the practical attack and defense sections in the module. I took my time on each vector so I could look back later without re-reading the whole lab.
Module 5 Navigation
On this page
- Introduction
- AD fundamentals
- AD attack vectors
- 1. Kerberoasting
- 2. AS-REProasting
- 3. GPP password abuse
- 4. GPO modification
- 5. Network share credentials
- 6. AD property leakage
- 7. DCSync
- 8. PrinterBug (print spooler)
- 9. Coercion and UD
- 10. ACL abuse
- 11. AD CS ESC1
- 12. AD CS ESC8
- Skill Assessment
- Cheatsheet
- Key Takeaway
- References
Introduction
This module was dense. I kept the same layout for every attack vector so I could compare prevention, detection, and honeypot ideas without re-reading the whole lab each time.
Active Directory Fundamentals
Core Concepts: Active Directory (AD) is a hierarchical directory service that centralizes Identity and Access Management (IAM) for Windows environments. As the most critical service in an enterprise, a complete AD compromise grants unrestricted access to all systems and data, frequently resulting in ransomware attacks.
Architecture: AD is structured into Domains (objects sharing a database), Trees (grouped domains), and Forests (top-level groupings). Organizational Units (OUs) contain objects like users and groups, while Trusts manage cross-domain access permissions. Domain Controllers (DCs) provide authentication and house the NTDS.DIT file, which is the highly critical AD database.

Authentication: Systems communicate with AD using LDAP. Authentication is handled via password hashes or Kerberos. Kerberos uses a Key Distribution Center (KDC) to issue cryptographic tickets (TGTs and TGSs) to validate identities. The KDC encryption key is derived from the disabled KRBTGT account, the first account created in a domain.
Vulnerabilities & Attack Surface
- Enumeration: Any default, unprivileged user account can query critical network data, such as password policies, computers, and Access Control Lists (ACLs).
- Privilege Escalation: Complex nested groups and the misuse of default groups (like assigning IT staff to “Account Operators”) create hidden paths for attackers to easily escalate to Domain Admin privileges.
- Design Flaws: Devices routinely pull Group Policy Objects (GPOs) from the SYSVOL network share via the SMB protocol. Attackers with privileged credentials can exploit this to remotely execute code on DCs. Additionally, most logon methods leave usable username and password traces on accessed machines.
- Legacy Protocols: Windows defaults to enabling broadcast protocols like NetBIOS and LLMNR, which leak user credentials and hashes across the network.
Critical Network Ports: Understanding the network footprint of AD is essential for mapping and defense:
- 53: DNS
- 88: Kerberos
- 135: WMI/RPC
- 137-139 & 445: SMB
- 389 & 636: LDAP
- 3389: RDP
- 5985 & 5986: PowerShell Remoting (WinRM)
AD Attack Vectors
There are many attack paths into AD. This module covered 13 of them across the labs and skill assessment. I wrote each one up the same way so I could compare prevention, detection, and honeypot ideas side by side later.
1. Kerberoasting
Core Concept: Kerberoasting
- Target: Kerberoasting is a post-exploitation attack that targets Active Directory Service Principal Names (SPNs).
- Mechanism: When a system requests a Kerberos Ticket-Granting Service (TGS) ticket to access a service, Active Directory encrypts this ticket using the service account’s NTLM password hash.
- Goal: Attackers request these encrypted tickets and take them offline to guess the password, which allows them to avoid account lockouts or further network interaction.
The Attack Path
- Ticket Extraction: Attackers utilize automated tools, such as Rubeus, to request and extract TGS tickets for any users in the environment with a registered SPN.
- Encryption Downgrade: Because modern AES encryption is slow and difficult to crack, attackers often attempt to force a downgrade to the older, weaker RC4 encryption algorithm to drastically speed up cracking efforts.
- Offline Cracking: The extracted ticket hashes are moved to the attacker’s machine (such as Kali Linux) and cracked using dictionary wordlists and tools like hashcat or John The Ripper to reveal the plaintext password.

Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Group Managed Service Accounts (gMSAs) | This is the most effective defense. Active Directory manages these accounts automatically by binding them to specific servers and continuously rotating their passwords to random 127-character strings, rendering them impossible to crack. |
| Prevention | Massive Passwords | For applications lacking gMSA support, administrators should manually configure service account passwords to 100+ random characters, up to the Active Directory limit of 127. |
| Prevention | SPN Hygiene | Avoid assigning unnecessary SPNs, and regularly delete SPNs associated with decommissioned servers or services. |
| Detection | Event ID 4769 & Alerts | A TGS ticket request generates Windows Event ID 4769, but relying on this alone is too noisy due to normal operations. Instead, defenders should alert on rapid bursts of requests (which indicates automated tool usage like Rubeus) or any TGS tickets requested using weak RC4 encryption. |
| Defense | Honeypot Accounts | Set a trap by creating a fake, highly privileged account with a legitimate-looking SPN (e.g., SQL or IIS). Make the account an attractive target by making it look old (e.g., password unchanged for 2+ years), but ensure it is secretly uncrackable. Since it has no legitimate business purpose, any Event 4769 ticket request for this account immediately signals an attack. |

AS-REProasting sits in the same Kerberos offline-cracking family. The difference is which account property you are hunting for, not which tool you reach for first.
2. AS-REProasting
Core Concept: AS-REProasting
- Target: AS-REProasting is an attack similar to Kerberoasting, but it specifically targets user accounts that have the “Do not require Kerberos preauthentication” property enabled.
- Mechanism: Because preauthentication is not required, attackers can directly request and extract authentication ticket hashes for these specific users.
- Goal: The attacker takes the extracted hash offline to crack the password, meaning the success of this attack relies heavily on the target having a weak, easily guessable password.
The Attack Path
| Phase | Description |
|---|---|
| Ticket Extraction | Attackers use automated tools like Rubeus (specifically the asreproast action) to scan the domain and extract hashes for any user accounts that do not require Kerberos preauthentication. |
| Hash Formatting | The extracted hash output is moved to an attacking machine (such as Linux) where it must be slightly modified, such as inserting 23$ into the hash string, so that cracking software can recognize it. |
| Offline Cracking | The attacker utilizes password cracking tools like hashcat (using hash-mode 18200) alongside dictionary wordlists to guess the cleartext password offline without triggering lockouts. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Account Reviews | The “Do not require Kerberos preauthentication” property should only be enabled when absolutely necessary, and administrators should conduct quarterly reviews to ensure it hasn’t been misapplied. |
| Prevention | 20+ Character Passwords | Regular user accounts often have weaker passwords than service accounts. If an account absolutely must have preauthentication disabled, assign it a separate password policy requiring at least 20 characters to thwart cracking attempts. |
| Detection | Event ID 4768 Analysis | Requesting these tickets generates Windows Event ID 4768. Because this event happens constantly during normal network use, defenders should monitor it by correlating known good login locations (like specific VLANs) and alerting on requests originating from unusual IP addresses. |
| Detection | Pre-Auth Type & Encryption Alerts | Defenders should scrutinize Event ID 4768 for Pre-Authentication Type 0 (indicating a logon without preauthentication) combined with weak RC4 encryption (Ticket Encryption Type 0x17), which tools like Rubeus default to using. |
| Defense | Honeypot Accounts | Create a decoy account with preauthentication disabled and no legitimate business purpose, so any Event 4768 request for it immediately triggers an alert. To ensure advanced attackers fall for it, the honeypot must look legitimate: it should be an older account, possess some attractive privileges, and have recorded login activity occurring after its last password change. |

From here the module moves into legacy misconfigs that still show up in older domains. GPP was the first one that made me double-check SYSVOL even when the environment looked patched.
3. GPP Password Abuse
Core Concept: GPP Password Abuse
- Target: Group Policy Preferences (GPP) credentials stored in XML files within the domain’s SYSVOL network share.
- Mechanism: Windows Server 2008 allowed administrators to store credentials in GPP, caching them in the SYSVOL folder which is readable by all “Authenticated Users” (any domain user or computer). Microsoft inadvertently published the 32-byte AES private encryption key used to protect these files on MSDN.
- Goal: Attackers access these globally readable XML files, locate the encrypted password, and decrypt it using the publicly available key to instantly obtain cleartext credentials.
The Attack Path
| Phase | Description |
|---|---|
| Discovery & Extraction | Attackers use automated tools like PowerSploit’s Get-GPPPassword function, which automatically parses all XML files located in the Policies folder within the SYSVOL share. |
| Decryption | When the tool detects an account with the cpassword property in the XML file, it automatically decrypts the hash using the publicly known Microsoft AES key. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Patching & Cleanup | Microsoft released patch KB2962486 in 2014 to stop caching new credentials in GPP. However, this patch does not remove existing stored credentials. Administrators must actively assess and manually clear any legacy credentials, especially in environments built before 2015. |
| Detection | File Access Auditing | Administrators can enable file access auditing on the XML policy files to generate Event ID 4663 whenever the file is read. This is highly effective if applied to a dummy XML file unassociated with any real GPO, as any read attempt is immediately suspicious. |
| Detection | Logon Monitoring | Defenders can monitor logon attempts for exposed accounts via Event IDs 4624 (success), 4625 (failure), or 4768 (TGT request). By correlating the originating IP address, defenders can spot anomalous behavior, such as a service account authenticating from a standard user workstation. |
| Defense | Honeypot Accounts | Create a fake, semi-privileged service account and store a deliberately wrong password for it in a dummy GPP XML file. To make it look realistic, simulate dummy tasks so the account appears active. Because the exposed password is wrong, any attacker attempting to use it will trigger failed logon alerts (Event IDs 4625, 4771, 4776), instantly flagging a breach. |

GPO abuse felt like the natural next step after GPP: same Group Policy surface, but the attacker is changing what gets deployed instead of reading what was left behind.
4. GPO Modification Abuse
Core Concept: GPO Modification Abuse
- Target: Active Directory Group Policy Objects (GPOs) and their associated deployment files.
- Mechanism: GPOs are central configuration management tools linked to Organizational Units (OUs). In many environments, GPOs or the network shares hosting their deployment scripts suffer from weak permissions, allowing “Authenticated Users” or “Domain Users” to modify them.
- Goal: An attacker alters a vulnerable GPO to include malicious start-up scripts or scheduled tasks, instantly compromising all computers within the OUs linked to that GPO.
The Attack Path
| Phase | Description |
|---|---|
| Discovery | Attackers enumerate the domain to find GPOs with weak delegation or network shares with misconfigured NTFS permissions. |
| Modification / Replacement | The attacker performs a simple GPO edit to add a malicious task, or replaces a legitimate execution file on a vulnerable network share with malware. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Strict Permissions | Lock down GPO modification rights to specific, highly privileged accounts or groups. Never store deployment files on network shares where broad users have modify permissions. |
| Prevention | Regular Auditing | Actively and regularly review GPO permissions. Administrators can automate tasks to run hourly and alert on any permission deviations. |
| Detection | Event ID 5136 | Enable Directory Service Changes auditing. Any modification to a GPO generates Event ID 5136. If an unexpected user triggers this event, it is an immediate red flag. |
| Defense | Honeypot GPO | Create a deliberately misconfigured GPO linked only to non-critical servers to act as a trap. Mature organizations can monitor this trap continuously to catch attackers attempting to escalate privileges. |
Automated Scripting (Active Defense) To effectively utilize a Honeypot GPO, you can deploy an automated PowerShell script configured as a scheduled task (e.g., running every 15 minutes) to actively neutralize threats:
- The Trigger: The script uses
Get-WinEventto search the Security log for Event ID 5136 occurring within the last 15 minutes, filtering specifically for the unique GUID of the Honeypot GPO. - The Action: If a modification is detected, the script parses the event for the attacker’s username and immediately executes the
Disable-ADAccountcommand. This locks the attacker out of the network and generates Event ID 4725 (account disabled). - The Alert: As it disables the compromised accounts, the script dynamically builds an email body containing the disabled usernames and sends an automated alert to the security team.
- Safety Measure: If a honeypot modification is detected, the GPO should also be automatically unlinked from all locations to prevent any malicious payload from executing.

The next two vectors are both about credentials sitting in plain sight. Network shares came first in the labs, then AD object properties.
5. Exposed Credentials in Network Shares
Core Concept: Exposed Credentials in Network Shares
- Target: Unencrypted credentials and authorization tokens stored within scripts and configuration files (e.g.,
.bat,.ps1,.ini,.config) on network shares. - Mechanism: Shares are often misconfigured with overly permissive access (like “Everyone” or “Users”, which grants access to all domain users). Additionally, administrators mistakenly believe hidden shares (ending in
$) are invisible, but they are easily discoverable by attackers. - Goal: Attackers scan the network for accessible shares, parse the exposed files, and extract cleartext credentials to escalate privileges.
The Attack Path
| Phase | Description |
|---|---|
| Share Discovery | Attackers use automated tools like Invoke-ShareFinder to scan the domain and compile a list of non-default network shares that their current account has read access to, including hidden ones. |
| Credential Extraction | Using automated tools (like SauronEye) or native “Living Off the Land” commands like findstr, attackers search through the discovered files for keywords like “pass”, “pw”, or the domain’s NetBIOS name (e.g., “eagle”) to locate cleartext passwords. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Permission Lockdown | Strictly control access to all domain shares. Never use broad groups like “Everyone” or “Users” (which includes all Domain Users) for share access. |
| Prevention | Regular Scanning | Because you cannot permanently prevent users from leaving credentials in files, administrators must perform regular (e.g., weekly) automated scans to identify newly opened shares or exposed passwords. |
| Detection | One-to-Many Connections | Alert on anomalous network behavior, such as a single workstation connecting to hundreds or thousands of other devices simultaneously, which strongly indicates share scanning via tools like Invoke-ShareFinder. |
| Detection | Logon & Tool Monitoring | Monitor Event IDs 4624 (success), 4625 (failure), and 4768 (TGT request) to spot unusual logins, such as a Domain Admin authenticating from a standard user machine. Note: Windows Defender now flags the specific findstr arguments used in this attack as suspicious. |
| Defense | Honeypot Credentials | Plant a realistic script containing a deliberately wrong password for an active, semi-privileged service account. To look authentic, the account should be older (>2 years) and the file’s modification date must be after the account’s last password change. Any use of this fake password will immediately trigger failed logon alerts (Event IDs 4625, 4771, 4776), catching the attacker. |
AD property leakage is the same idea as open shares, just stored inside the directory instead of a script on a file server.
6. AD Property Credential Leakage
Core Concept: AD Property Credential Leakage
- Vulnerability: Administrators mistakenly store cleartext passwords in Active Directory object properties, such as the
DescriptionorInfofields. - Misconception: Admins often assume administrative rights are required to view these fields, but every standard domain user has read access to them.
- Impact: Attackers can instantly harvest cleartext credentials without needing to crack hashes or exploit complex vulnerabilities.
The Attack Path
| Phase | Action |
|---|---|
| Domain Query | Attackers execute simple PowerShell scripts to search all domain objects for specific keywords (like “pass”) within the Description or Info fields. |
| Extraction | The script instantly returns the target’s SamAccountName alongside the exposed cleartext password. |
Prevention, Detection & Defense Strategies
| Category | Method | Implementation Details |
|---|---|---|
| Prevention | Automation & Education | Automate the user creation process to remove manual password handling and reduce hardcoding risks. Educate highly privileged employees and perform continuous domain assessments. |
| Detection | Logon Baselining | Monitor for abnormal logon behavior (especially for service accounts) using Event IDs 4624 (Successful Logon), 4625 (Failed Logon), and 4768 (Kerberos TGT requested). |
| Detection Limitations | Event ID 4738 | Do not rely on Event ID 4738 (User Account Management) to catch admins adding passwords; it does not log which specific property was altered or what the new value is. |
| Defense | Honeypot Account | Create an enabled, decoy service account (as they appear more manually managed than HR-automated user accounts) and place a deliberately fake password in its Description field. |
| Defense Setup | Honeypot Realism | Ensure the honeypot looks believable by giving it recent login attempts and setting its last password change to 2+ years ago. |
| Alerting | Honeypot Monitoring | Because the exposed password is intentionally incorrect, any attacker attempting to use it will immediately trigger failed logon alerts: Event IDs 4625, 4771 (Failure code 0x18), and 4776. |
DCSync was the point where the module stopped feeling like credential scavenging and started feeling like full-domain impact.
7. DCSync Attacks
Core Concept: DCSync Attacks
- Target: Active Directory password hashes.
- Mechanism: An attacker impersonates a Domain Controller (DC) and requests directory replication from a targeted DC to extract password hashes.
- Prerequisite: The compromised account (whether a user or a computer) must have specific Active Directory permissions assigned: “Replicating Directory Changes” and “Replicating Directory Changes All”.
The Attack Path
| Phase | Description |
|---|---|
| Execution | Attackers utilize tools with DCSync capabilities, such as Mimikatz (using the lsadump::dcsync command), to initiate the replication request. |
| Extraction Scope | The attacker can request the NTLM hash of a specific, highly privileged account (e.g., an Administrator), or use the /all parameter to dump the hashes of the entire AD environment. |
| Exploitation | Once the hashes are extracted, the attacker can use them to perform Pass-the-Hash attacks, allowing them to authenticate against any Domain Controller in the network. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Native Limitations | DCSync abuses normal, required AD operations (DC replication). Therefore, preventing this natively out-of-the-box is not possible without breaking the domain. |
| Prevention | RPC Firewall | Deploy third-party solutions like RPC Firewall to granularly control RPC calls. This can be configured to strictly allow replication requests only from verified Domain Controller IP addresses. |
| Detection | Event ID 4662 | Every DC replication attempt generates Windows Event ID 4662. Defenders should monitor this event to catch unauthorized replication requests. |
| Detection | Anomaly Filtering | Because replication happens constantly, rely on specific filters to avoid false positives: monitor for property 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 in the event. |
| Alerting | Initiator Validation | The most immediate red flag is an Event ID 4662 where the initiator account is a standard user rather than a known DC. Always whitelist valid services that require replication rights, such as Azure AD Connect. |

8. Printer Bug (Print Spooler)
PrinterBug was one of the vectors that stuck with me because it abuses the Windows Print Spooler service, which is still enabled by default on a lot of hosts, including DCs in lab environments.
Core Concept: Windows Print Spooler (PrinterBug)
- Target: The Windows Print Spooler service, which is historically enabled by default on most Windows Desktop and Server operating systems.
- Mechanism: The “PrinterBug” exploits specific remote procedure call (RPC) functions to coerce a target machine, typically a Domain Controller (DC), to automatically authenticate back to an attacker-controlled machine. Microsoft considers this behavior “by-design”.
- Goal: Attackers capture the highly privileged machine account’s authentication ticket (TGT) or relay the connection to further compromise the environment by performing DCSync, obtaining AD CS certificates, or exploiting Unconstrained Delegation.
The Attack Path
| Phase | Description |
|---|---|
| Relay Setup | The attacker configures a relay tool (such as NTLMRelayx) to listen for incoming connections and forward them to a specific target, like a secondary DC, to perform a DCSync attack. Note: This specific path requires SMB Signing to be disabled on the target DC. |
| Triggering the Bug | Using a script (like Dementor) and the credentials of any standard domain user, the attacker sends a request to the target DC’s Print Spooler, forcing it to connect back to the attacker’s listening IP address. |
| Exploitation | The target DC connects to the attacker, who immediately relays that authentication to the secondary DC, successfully dumping the domain’s NTLM hashes without needing direct admin access. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Service Disablement | The most effective mitigation is to completely disable the Print Spooler service on all machines that are not dedicated print servers, especially Domain Controllers. |
| Prevention | Registry Modification | If the service absolutely must remain running locally, administrators can set the RegisterSpoolerRemoteRpcEndPoint registry key to 2. This blocks any incoming remote requests, neutralizing the remote abuse vector. |
| Detection | Logon Anomaly Correlation | Network traces are generally too noisy, and if DCSync is executed via this relay method, Event ID 4662 is NOT generated. Defenders must instead monitor Event ID 4624 (Successful Logon) and alert when a core infrastructure account (like a DC computer account) authenticates from an unexpected, non-infrastructure IP address. |
| Defense | Firewall Honeypot | Organizations can block outbound connections from their servers on ports 139 and 445. The PrinterBug can still be triggered, but the firewall will block the reverse connection and generate a high-fidelity alert. Warning: This is only recommended for highly mature organizations, as keeping the service enabled risks exposure if new Remote Code Execution (RCE) flaws are discovered. |

PrinterBug is one coercion path. Unconstrained delegation is where you send that forced authentication when you want to capture a DC ticket in memory.
9. Coercing Attacks and Unconstrained Delegation
Core Concept: Coercing Attacks & Unconstrained Delegation
- Target: Domain Controllers (DCs) and servers configured with Unconstrained Delegation (UD).
- Mechanism: Attackers exploit vulnerable remote procedure call (RPC) functions to coerce a target machine, typically a DC, into automatically authenticating to an attacker-controlled machine.
- Goal: By forcing the connection, attackers can relay the authentication to steal certificates, perform DCSync, or capture the DC’s highly privileged Ticket-Granting Ticket (TGT) by directing the connection to a server with Unconstrained Delegation.
The Attack Path
| Phase | Description |
|---|---|
| Recon & Setup | The attacker identifies a server trusted for Unconstrained Delegation in the environment and gains administrative access to it. They run a ticket extraction tool (like Rubeus) in monitor mode to listen for incoming tickets. |
| Coercion | From their own machine, the attacker uses an automated coercing script (such as the Coercer tool) to barrage the target DC with vulnerable RPC calls, forcing the DC to authenticate to the compromised UD server. |
| Ticket Capture | When the DC authenticates to the UD server, its TGT is cached in the server’s memory. The attacker’s monitoring tool instantly captures and exports this Base64-encoded ticket. |
| Exploitation | The attacker injects the stolen DC ticket into their session (Pass-the-Ticket). Now operating with DC privileges, they use tools like Mimikatz to execute a DCSync attack, dumping the password hashes for the entire domain. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | RPC Firewall | Windows does not offer native, granular visibility or control over RPC calls. Organizations should deploy a third-party RPC Firewall to selectively block dangerous RPC functions or specific OPNUMs. |
| Prevention | Outbound Port Blocking | Block outbound network traffic on ports 139 and 445 from Domain Controllers and core servers. Only allow outbound connections to strictly required infrastructure, such as other DCs necessary for domain replication. |
| Detection | Firewall Anomaly Correlation | Monitor host firewall logs for a specific pattern: numerous inbound connections to a DC immediately followed by outbound connections on port 445 to a non-infrastructure, unexpected IP address. |
| Detection | Dropped Traffic Alerts | If outbound traffic on ports 139 and 445 is actively blocked, any dropped traffic on these ports logged by the firewall is highly suspicious and serves as an immediate, high-fidelity alert of an attempted coercion attack. |

After the coercion chains, the module went back to permissions mistakes. ACL abuse is quieter on the wire, but BloodHound makes the escalation paths obvious once you start looking. BloodHound was the example the module used for that.
10. Active Directory Object ACL Abuse
Core Concept: Active Directory Object ACL Abuse
- Target: Active Directory Access Control Lists (ACLs) and Access Control Entries (ACEs), which define what permissions users have over specific domain objects.
- Mechanism: Due to human error, poor process management, or overly broad assignments (like granting “Everyone” modify rights), standard unprivileged users sometimes end up with highly permissive delegated rights over sensitive user or computer objects.
- Goal: Attackers abuse these misconfigured permissions to escalate privileges by forcibly taking over identities, stealing local credentials, or compromising infrastructure.
The Attack Path
| Phase | Description |
|---|---|
| Discovery | Attackers use enumeration tools like SharpHound and BloodHound to graph network relationships and identify vulnerable ACL escalation paths, or ADACLScanner to generate specific reports on access control lists. |
| Exploitation (User Objects) | If an attacker has full rights over a target user object, they can simply reset the target’s password to inherit their privileges, or subtly add a bogus SPN to the account to perform a Kerberoasting attack against it. |
| Exploitation (Computer Objects) | If an attacker has full control over a server object, they can read the computer’s extended properties to extract the local LAPS administrator password, or abuse Resource-Based Kerberos Delegation to compromise the machine. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Automation & Assessment | Automate access management to eliminate human error and strictly limit delegated modification rights to administrative accounts. Organizations must also conduct continuous assessments to catch misconfigurations early. |
| Detection | Event ID Limitations | Object modifications trigger Event ID 4738 (User account changed) or Event ID 4742 (Computer account changed). Unfortunately, these events are limited because they do not specify what exact property (like an SPN) was altered. |
| Detection | Naming Convention Baselines | Because the native events lack granularity, defenders should baseline standard administrative behavior. If all privileged accounts use a naming convention (e.g., “admin_”), any Event 4738, 4742, or 4724 (Password Reset) generated by a standard user account is highly suspicious. |
| Defense | Honeypot Account | Create a realistic-looking fake user account and intentionally configure its ACLs so that “Everyone” or many standard users have the right to modify it. |
| Alerting | Active Response | Since no legitimate standard user should modify the honeypot account, any Event ID 4738 triggered for it immediately signals an attack. Mature organizations can automate a response to instantly disable the attacker’s account and trigger a forensic investigation. |

PKI was the hardest block for me to keep straight. The attack steps are clear in the lab, but I could not check the CA logs directly because I could not connect to the CA server.
11. AD CS ESC1 Abuse
Core Concept: AD CS ESC1 Abuse
- Target: Misconfigured Active Directory Certificate Services (AD CS) templates.
- Mechanism: The ESC1 vulnerability occurs when a template allows unprivileged users to enroll, requires no manager approval, permits Client Authentication, and critically, has the
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECTflag enabled. - Goal: Attackers exploit this flag to provide an arbitrary Subject Alternative Name (SAN), allowing them to forge a certificate as any user (including Domain Admins) for authentication and long-term persistence.
The Attack Path
| Phase | Description |
|---|---|
| Discovery | Attackers use tools like Certify to scan the domain’s PKI infrastructure for vulnerable certificate templates. |
| Request | The attacker requests a certificate using the vulnerable template, injecting a highly privileged username (e.g., Administrator) into the alternative name (SAN) parameter. |
| Exploitation | After converting the extracted PEM certificate to a PFX format using OpenSSL, attackers use Rubeus to request a Kerberos TGT with the forged certificate, instantly authenticating as the impersonated administrator. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Template Hardening | The primary defense is to completely disable the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag on all certificate templates. |
| Prevention | Manager Approval | If SAN specification is absolutely necessary for business operations, require CA manager approval before certificate issuance to ensure the request is manually verified. |
| Detection | CA Event Logs | Monitor the CA server for Event IDs 4886 (request received) and 4887 (certificate approved). Note: These standard events unfortunately do not display the injected SAN. |
| Detection | Database Auditing | Because the standard logs lack SAN visibility, defenders should use certutil -view or PowerShell scripts to regularly parse the CA’s internal database for issued certificates containing suspicious Subject Alternative Names. |
| Detection | DC Logon Monitoring | Monitor Domain Controllers for Event ID 4768 (Kerberos TGT requested) and specifically alert on unusual TGT requests that utilize certificate-based authentication. |

ESC8 is where the coercion story comes back around: force the DC to authenticate, relay to the CA over HTTP, then use the cert like ESC1.
12. AD CS ESC8 Abuse (Web Enrollment Relay)
Core Concept: AD CS ESC8 Abuse (Web Enrollment Relay)
- Target: Active Directory Certificate Services (AD CS) HTTP web enrollment endpoints.
- Mechanism: The ESC8 vulnerability occurs because AD CS web enrollment interfaces often do not enforce HTTPS, making them vulnerable to NTLM relay attacks.
- Goal: Attackers coerce a highly privileged machine (such as a Domain Controller) into authenticating to them, relay that authentication to the CA, and obtain a valid client authentication certificate for the coerced machine.
The Attack Path
| Phase | Description |
|---|---|
| Relay Setup | Attackers configure a relay tool (like NTLMRelayx) to listen for connections and forward them to the CA’s HTTP endpoint, explicitly requesting a highly privileged certificate template (e.g., the DomainController template). |
| Coercion | Using a standard domain account, the attacker triggers a coercing vulnerability (such as the PrinterBug) to force the target Domain Controller to connect to the attacker’s listening machine. |
| Certificate Extraction | The attacker relays the incoming DC authentication to the CA. The CA successfully authenticates the request and issues a Base64-encoded certificate for the Domain Controller, which the attacker captures. |
| Exploitation | The attacker uses tools like Rubeus to request a Kerberos TGT using the stolen certificate. Now operating as the Domain Controller, they can use Mimikatz to execute a DCSync attack and dump all domain password hashes. |
Prevention, Detection & Defense Strategies
| Category | Mechanism | Implementation Details |
|---|---|---|
| Prevention | Enforce HTTPS | The primary defense against ESC8 is to completely disable HTTP for AD CS web enrollment, or strongly enforce HTTPS (which inherently breaks the relaying process). |
| Prevention | PKI Auditing | Because PKI escalation paths are complex, organizations should regularly scan their environment with tools like Certify to proactively identify vulnerable web endpoints and misconfigured templates. |
| Detection | CA Event Logs | Monitor the CA server for Event IDs 4886 (request received) and 4887 (certificate approved). Relayed requests often expose anomalous behavior, such as explicitly mentioning the template name in the request when a legitimate, direct DC request would not. |
| Detection | TGT Anomalies | Monitor Domain Controllers for Event ID 4768 (Kerberos TGT requested). Defenders should specifically alert on TGT requests that utilize certificate-based authentication where the originating IP address does not match the known IP of the machine account. |
| Detection | Logon Anomalies | Monitor Event ID 4624 (Successful Logon) to spot core infrastructure accounts (like a DC computer account) successfully authenticating from unexpected, non-infrastructure IP addresses (the attacker’s machine). |

Skill Assessment: ESC8 Certificate Logs
The AD CS ESC8 Abuse (Web Enrollment Relay) section was the skill assessment. I could not figure out how to pull the certificate request logs from the Windows side at first, so I used a Kali machine with impacket instead.
Question: Replicate the attack described in this section and view the related 4886 and 4887 logs. Enter the name shown in the Requester field as your answer. (Format: EAGLE.…)
Query used:
impacket-atexec -hashes :fcdc65703dd2b0bd789977f1f3eeaecf EAGLE/[email protected] "wevtutil qe Security /q:\"*[System[(EventID=4886 or EventID=4887)]]\" /f:text /c:10"
Answer: EAGLE\DC2$
Attack Vector Cheatsheet
| Attack Vector | Short Description & Tools | Core Prevention | Key Event IDs | Detection & Honeypot Strategy |
|---|---|---|---|---|
| Kerberoasting | Extracts TGS tickets for offline cracking via Rubeus/hashcat. | Use gMSAs (127-character passwords) or 100+ char manual passwords. | 4769 | Create fake privileged account with an SPN; alert on RC4 ticket requests. |
| AS-REProasting | Extracts hashes for users lacking pre-auth via Rubeus. | Audit “no pre-auth” accounts; require 20+ char passwords. | 4768 | Create decoy account lacking pre-auth; alert on Pre-Auth Type 0 requests. |
| GPP Passwords | Decrypts SYSVOL XML passwords using Microsoft’s published key. | Manually delete legacy XML credentials (patches aren’t enough). | 4663, 4625 | Plant fake password in a dummy XML file; alert on file read or logon attempts. |
| GPO Modification | Alters GPOs to deploy malware via weak permissions. | Strict permission lockdown; automate regular permission audits. | 5136 | Deploy a dummy GPO; auto-disable any account that modifies it. |
| Network Shares | Scans hidden shares for cleartext credentials via findstr. |
Strict share access control; automate regular share scanning. | 4624, 4625 | Plant a script with a fake password; alert on 1-to-many network connections. |
| AD Property Leak | Queries Description/Info fields for hardcoded passwords. | Automate user creation; avoid manual password hardcoding. | 4624, 4625 | Plant fake password in a decoy account’s Description field; alert on use. |
| DCSync | Impersonates DC to dump hashes via replication (Mimikatz). | Use RPC Firewall to strictly allow only DC IP addresses. | 4662 | Alert if the initiator is a standard user/IP, not a known Domain Controller. |
| PrinterBug | Coerces DC authentication via Spooler RPC (NTLMRelayx). | Disable Spooler on DCs or set RPC registry key to 2. |
4624 (4662 is blind here) | Block outbound 139/445; alert on DCs logging in from non-infra IPs. |
| Coercion & UD | Forces DC to authenticate to a compromised Unconstrained server. | RPC Firewall; block outbound 139/445 on core servers. | Firewall Logs | Alert on any dropped outbound 139/445 traffic from Domain Controllers. |
| ACL Abuse | Abuses weak object permissions to take over identities. | Automate access management; enforce strict delegation limits. | 4738, 4742 | Create a decoy user with broad ACLs; alert on any modification. |
| AD CS ESC1 | Forges certs using arbitrary Subject Alternative Names (SAN). | Disable SAN flags; require CA manager approval for requests. | 4886, 4768 | Manually audit CA database for forged SANs; monitor anomalous cert logins. |
| AD CS ESC8 | Relays NTLM to CA HTTP endpoints to steal DC certificates. | Enforce HTTPS for all web enrollment endpoints. | 4886, 4768 | Alert on IP mismatches and explicitly named templates in CA requests. |

Key Takeaway
Active Directory is vulnerable by design, meaning defense is never just a single control. It requires understanding your overall security posture, knowing which attack paths you face, and enabling the exact telemetry needed to spot them. Crucially, defenders must recognize how benign behaviors can be exploited, which Event IDs actually fire, and where native logging goes blind (such as Printer Bug relay paths bypassing detection, coarse 4738 object changes lacking property specifics, and CA logs missing SAN details). And yes, a single event alone might never lead to a conclusion.
Key Points:
- Legacy Flaws Persist: Weak service account passwords and legacy misconfigurations (GPP XMLs, AD property fields, open network shares) remain common and highly exploitable in real environments.
- Honeypot Precision: Honeypots only work if they look legitimate and are carefully configured; once deployed, any interaction with them is treated as a high-fidelity attack.
- Correlation is Mandatory: Coercion chains (Print Spooler, ESC8, Unconstrained Delegation) often require correlating network traffic and IP anomalies rather than relying on a single Event ID.
- Quick Reference: The master cheatsheet at the bottom of this page is the primary guide to revisit first for aligning attacks, prevention, and detection.
References
[HTB Academy] Certified Defensive Security Analyst (CDSA) - Module 5: Windows Attacks and Defense. https://academy.hackthebox.com/