Module 5: Windows Attacks and Defense

Module 5 cover: Windows attacks and defense cover illustration

These notes are from the practical attack and defense sections in the module. I took my time on each vector so I could look back later without re-reading the whole lab.

Module 5 Navigation

On this page

Introduction

This module was dense. I kept the same layout for every attack vector so I could compare prevention, detection, and honeypot ideas without re-reading the whole lab each time.

Active Directory Fundamentals

Core Concepts: Active Directory (AD) is a hierarchical directory service that centralizes Identity and Access Management (IAM) for Windows environments. As the most critical service in an enterprise, a complete AD compromise grants unrestricted access to all systems and data, frequently resulting in ransomware attacks.

Architecture: AD is structured into Domains (objects sharing a database), Trees (grouped domains), and Forests (top-level groupings). Organizational Units (OUs) contain objects like users and groups, while Trusts manage cross-domain access permissions. Domain Controllers (DCs) provide authentication and house the NTDS.DIT file, which is the highly critical AD database.

Active Directory architectural hierarchy diagram

Authentication: Systems communicate with AD using LDAP. Authentication is handled via password hashes or Kerberos. Kerberos uses a Key Distribution Center (KDC) to issue cryptographic tickets (TGTs and TGSs) to validate identities. The KDC encryption key is derived from the disabled KRBTGT account, the first account created in a domain.

Vulnerabilities & Attack Surface

Critical Network Ports: Understanding the network footprint of AD is essential for mapping and defense:

AD Attack Vectors

There are many attack paths into AD. This module covered 13 of them across the labs and skill assessment. I wrote each one up the same way so I could compare prevention, detection, and honeypot ideas side by side later.

1. Kerberoasting

Core Concept: Kerberoasting

The Attack Path

  1. Ticket Extraction: Attackers utilize automated tools, such as Rubeus, to request and extract TGS tickets for any users in the environment with a registered SPN.
  2. Encryption Downgrade: Because modern AES encryption is slow and difficult to crack, attackers often attempt to force a downgrade to the older, weaker RC4 encryption algorithm to drastically speed up cracking efforts.
  3. Offline Cracking: The extracted ticket hashes are moved to the attacker’s machine (such as Kali Linux) and cracked using dictionary wordlists and tools like hashcat or John The Ripper to reveal the plaintext password.

Kerberoasting attack path reference

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Group Managed Service Accounts (gMSAs) This is the most effective defense. Active Directory manages these accounts automatically by binding them to specific servers and continuously rotating their passwords to random 127-character strings, rendering them impossible to crack.
Prevention Massive Passwords For applications lacking gMSA support, administrators should manually configure service account passwords to 100+ random characters, up to the Active Directory limit of 127.
Prevention SPN Hygiene Avoid assigning unnecessary SPNs, and regularly delete SPNs associated with decommissioned servers or services.
Detection Event ID 4769 & Alerts A TGS ticket request generates Windows Event ID 4769, but relying on this alone is too noisy due to normal operations. Instead, defenders should alert on rapid bursts of requests (which indicates automated tool usage like Rubeus) or any TGS tickets requested using weak RC4 encryption.
Defense Honeypot Accounts Set a trap by creating a fake, highly privileged account with a legitimate-looking SPN (e.g., SQL or IIS). Make the account an attractive target by making it look old (e.g., password unchanged for 2+ years), but ensure it is secretly uncrackable. Since it has no legitimate business purpose, any Event 4769 ticket request for this account immediately signals an attack.

Kerberoasting prevention and detection reference

AS-REProasting sits in the same Kerberos offline-cracking family. The difference is which account property you are hunting for, not which tool you reach for first.

2. AS-REProasting

Core Concept: AS-REProasting

The Attack Path

Phase Description
Ticket Extraction Attackers use automated tools like Rubeus (specifically the asreproast action) to scan the domain and extract hashes for any user accounts that do not require Kerberos preauthentication.
Hash Formatting The extracted hash output is moved to an attacking machine (such as Linux) where it must be slightly modified, such as inserting 23$ into the hash string, so that cracking software can recognize it.
Offline Cracking The attacker utilizes password cracking tools like hashcat (using hash-mode 18200) alongside dictionary wordlists to guess the cleartext password offline without triggering lockouts.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Account Reviews The “Do not require Kerberos preauthentication” property should only be enabled when absolutely necessary, and administrators should conduct quarterly reviews to ensure it hasn’t been misapplied.
Prevention 20+ Character Passwords Regular user accounts often have weaker passwords than service accounts. If an account absolutely must have preauthentication disabled, assign it a separate password policy requiring at least 20 characters to thwart cracking attempts.
Detection Event ID 4768 Analysis Requesting these tickets generates Windows Event ID 4768. Because this event happens constantly during normal network use, defenders should monitor it by correlating known good login locations (like specific VLANs) and alerting on requests originating from unusual IP addresses.
Detection Pre-Auth Type & Encryption Alerts Defenders should scrutinize Event ID 4768 for Pre-Authentication Type 0 (indicating a logon without preauthentication) combined with weak RC4 encryption (Ticket Encryption Type 0x17), which tools like Rubeus default to using.
Defense Honeypot Accounts Create a decoy account with preauthentication disabled and no legitimate business purpose, so any Event 4768 request for it immediately triggers an alert. To ensure advanced attackers fall for it, the honeypot must look legitimate: it should be an older account, possess some attractive privileges, and have recorded login activity occurring after its last password change.

AS-REProasting reference

From here the module moves into legacy misconfigs that still show up in older domains. GPP was the first one that made me double-check SYSVOL even when the environment looked patched.

3. GPP Password Abuse

Core Concept: GPP Password Abuse

The Attack Path

Phase Description
Discovery & Extraction Attackers use automated tools like PowerSploit’s Get-GPPPassword function, which automatically parses all XML files located in the Policies folder within the SYSVOL share.
Decryption When the tool detects an account with the cpassword property in the XML file, it automatically decrypts the hash using the publicly known Microsoft AES key.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Patching & Cleanup Microsoft released patch KB2962486 in 2014 to stop caching new credentials in GPP. However, this patch does not remove existing stored credentials. Administrators must actively assess and manually clear any legacy credentials, especially in environments built before 2015.
Detection File Access Auditing Administrators can enable file access auditing on the XML policy files to generate Event ID 4663 whenever the file is read. This is highly effective if applied to a dummy XML file unassociated with any real GPO, as any read attempt is immediately suspicious.
Detection Logon Monitoring Defenders can monitor logon attempts for exposed accounts via Event IDs 4624 (success), 4625 (failure), or 4768 (TGT request). By correlating the originating IP address, defenders can spot anomalous behavior, such as a service account authenticating from a standard user workstation.
Defense Honeypot Accounts Create a fake, semi-privileged service account and store a deliberately wrong password for it in a dummy GPP XML file. To make it look realistic, simulate dummy tasks so the account appears active. Because the exposed password is wrong, any attacker attempting to use it will trigger failed logon alerts (Event IDs 4625, 4771, 4776), instantly flagging a breach.

GPP password abuse reference

GPO abuse felt like the natural next step after GPP: same Group Policy surface, but the attacker is changing what gets deployed instead of reading what was left behind.

4. GPO Modification Abuse

Core Concept: GPO Modification Abuse

The Attack Path

Phase Description
Discovery Attackers enumerate the domain to find GPOs with weak delegation or network shares with misconfigured NTFS permissions.
Modification / Replacement The attacker performs a simple GPO edit to add a malicious task, or replaces a legitimate execution file on a vulnerable network share with malware.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Strict Permissions Lock down GPO modification rights to specific, highly privileged accounts or groups. Never store deployment files on network shares where broad users have modify permissions.
Prevention Regular Auditing Actively and regularly review GPO permissions. Administrators can automate tasks to run hourly and alert on any permission deviations.
Detection Event ID 5136 Enable Directory Service Changes auditing. Any modification to a GPO generates Event ID 5136. If an unexpected user triggers this event, it is an immediate red flag.
Defense Honeypot GPO Create a deliberately misconfigured GPO linked only to non-critical servers to act as a trap. Mature organizations can monitor this trap continuously to catch attackers attempting to escalate privileges.

Automated Scripting (Active Defense) To effectively utilize a Honeypot GPO, you can deploy an automated PowerShell script configured as a scheduled task (e.g., running every 15 minutes) to actively neutralize threats:

GPO modification abuse reference

The next two vectors are both about credentials sitting in plain sight. Network shares came first in the labs, then AD object properties.

5. Exposed Credentials in Network Shares

Core Concept: Exposed Credentials in Network Shares

The Attack Path

Phase Description
Share Discovery Attackers use automated tools like Invoke-ShareFinder to scan the domain and compile a list of non-default network shares that their current account has read access to, including hidden ones.
Credential Extraction Using automated tools (like SauronEye) or native “Living Off the Land” commands like findstr, attackers search through the discovered files for keywords like “pass”, “pw”, or the domain’s NetBIOS name (e.g., “eagle”) to locate cleartext passwords.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Permission Lockdown Strictly control access to all domain shares. Never use broad groups like “Everyone” or “Users” (which includes all Domain Users) for share access.
Prevention Regular Scanning Because you cannot permanently prevent users from leaving credentials in files, administrators must perform regular (e.g., weekly) automated scans to identify newly opened shares or exposed passwords.
Detection One-to-Many Connections Alert on anomalous network behavior, such as a single workstation connecting to hundreds or thousands of other devices simultaneously, which strongly indicates share scanning via tools like Invoke-ShareFinder.
Detection Logon & Tool Monitoring Monitor Event IDs 4624 (success), 4625 (failure), and 4768 (TGT request) to spot unusual logins, such as a Domain Admin authenticating from a standard user machine. Note: Windows Defender now flags the specific findstr arguments used in this attack as suspicious.
Defense Honeypot Credentials Plant a realistic script containing a deliberately wrong password for an active, semi-privileged service account. To look authentic, the account should be older (>2 years) and the file’s modification date must be after the account’s last password change. Any use of this fake password will immediately trigger failed logon alerts (Event IDs 4625, 4771, 4776), catching the attacker.

AD property leakage is the same idea as open shares, just stored inside the directory instead of a script on a file server.

6. AD Property Credential Leakage

Core Concept: AD Property Credential Leakage

The Attack Path

Phase Action
Domain Query Attackers execute simple PowerShell scripts to search all domain objects for specific keywords (like “pass”) within the Description or Info fields.
Extraction The script instantly returns the target’s SamAccountName alongside the exposed cleartext password.

Prevention, Detection & Defense Strategies

Category Method Implementation Details
Prevention Automation & Education Automate the user creation process to remove manual password handling and reduce hardcoding risks. Educate highly privileged employees and perform continuous domain assessments.
Detection Logon Baselining Monitor for abnormal logon behavior (especially for service accounts) using Event IDs 4624 (Successful Logon), 4625 (Failed Logon), and 4768 (Kerberos TGT requested).
Detection Limitations Event ID 4738 Do not rely on Event ID 4738 (User Account Management) to catch admins adding passwords; it does not log which specific property was altered or what the new value is.
Defense Honeypot Account Create an enabled, decoy service account (as they appear more manually managed than HR-automated user accounts) and place a deliberately fake password in its Description field.
Defense Setup Honeypot Realism Ensure the honeypot looks believable by giving it recent login attempts and setting its last password change to 2+ years ago.
Alerting Honeypot Monitoring Because the exposed password is intentionally incorrect, any attacker attempting to use it will immediately trigger failed logon alerts: Event IDs 4625, 4771 (Failure code 0x18), and 4776.

DCSync was the point where the module stopped feeling like credential scavenging and started feeling like full-domain impact.

7. DCSync Attacks

Core Concept: DCSync Attacks

The Attack Path

Phase Description
Execution Attackers utilize tools with DCSync capabilities, such as Mimikatz (using the lsadump::dcsync command), to initiate the replication request.
Extraction Scope The attacker can request the NTLM hash of a specific, highly privileged account (e.g., an Administrator), or use the /all parameter to dump the hashes of the entire AD environment.
Exploitation Once the hashes are extracted, the attacker can use them to perform Pass-the-Hash attacks, allowing them to authenticate against any Domain Controller in the network.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Native Limitations DCSync abuses normal, required AD operations (DC replication). Therefore, preventing this natively out-of-the-box is not possible without breaking the domain.
Prevention RPC Firewall Deploy third-party solutions like RPC Firewall to granularly control RPC calls. This can be configured to strictly allow replication requests only from verified Domain Controller IP addresses.
Detection Event ID 4662 Every DC replication attempt generates Windows Event ID 4662. Defenders should monitor this event to catch unauthorized replication requests.
Detection Anomaly Filtering Because replication happens constantly, rely on specific filters to avoid false positives: monitor for property 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 in the event.
Alerting Initiator Validation The most immediate red flag is an Event ID 4662 where the initiator account is a standard user rather than a known DC. Always whitelist valid services that require replication rights, such as Azure AD Connect.

DCSync attack reference

8. Printer Bug (Print Spooler)

PrinterBug was one of the vectors that stuck with me because it abuses the Windows Print Spooler service, which is still enabled by default on a lot of hosts, including DCs in lab environments.

Core Concept: Windows Print Spooler (PrinterBug)

The Attack Path

Phase Description
Relay Setup The attacker configures a relay tool (such as NTLMRelayx) to listen for incoming connections and forward them to a specific target, like a secondary DC, to perform a DCSync attack. Note: This specific path requires SMB Signing to be disabled on the target DC.
Triggering the Bug Using a script (like Dementor) and the credentials of any standard domain user, the attacker sends a request to the target DC’s Print Spooler, forcing it to connect back to the attacker’s listening IP address.
Exploitation The target DC connects to the attacker, who immediately relays that authentication to the secondary DC, successfully dumping the domain’s NTLM hashes without needing direct admin access.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Service Disablement The most effective mitigation is to completely disable the Print Spooler service on all machines that are not dedicated print servers, especially Domain Controllers.
Prevention Registry Modification If the service absolutely must remain running locally, administrators can set the RegisterSpoolerRemoteRpcEndPoint registry key to 2. This blocks any incoming remote requests, neutralizing the remote abuse vector.
Detection Logon Anomaly Correlation Network traces are generally too noisy, and if DCSync is executed via this relay method, Event ID 4662 is NOT generated. Defenders must instead monitor Event ID 4624 (Successful Logon) and alert when a core infrastructure account (like a DC computer account) authenticates from an unexpected, non-infrastructure IP address.
Defense Firewall Honeypot Organizations can block outbound connections from their servers on ports 139 and 445. The PrinterBug can still be triggered, but the firewall will block the reverse connection and generate a high-fidelity alert. Warning: This is only recommended for highly mature organizations, as keeping the service enabled risks exposure if new Remote Code Execution (RCE) flaws are discovered.

PrinterBug and print spooler reference

PrinterBug is one coercion path. Unconstrained delegation is where you send that forced authentication when you want to capture a DC ticket in memory.

9. Coercing Attacks and Unconstrained Delegation

Core Concept: Coercing Attacks & Unconstrained Delegation

The Attack Path

Phase Description
Recon & Setup The attacker identifies a server trusted for Unconstrained Delegation in the environment and gains administrative access to it. They run a ticket extraction tool (like Rubeus) in monitor mode to listen for incoming tickets.
Coercion From their own machine, the attacker uses an automated coercing script (such as the Coercer tool) to barrage the target DC with vulnerable RPC calls, forcing the DC to authenticate to the compromised UD server.
Ticket Capture When the DC authenticates to the UD server, its TGT is cached in the server’s memory. The attacker’s monitoring tool instantly captures and exports this Base64-encoded ticket.
Exploitation The attacker injects the stolen DC ticket into their session (Pass-the-Ticket). Now operating with DC privileges, they use tools like Mimikatz to execute a DCSync attack, dumping the password hashes for the entire domain.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention RPC Firewall Windows does not offer native, granular visibility or control over RPC calls. Organizations should deploy a third-party RPC Firewall to selectively block dangerous RPC functions or specific OPNUMs.
Prevention Outbound Port Blocking Block outbound network traffic on ports 139 and 445 from Domain Controllers and core servers. Only allow outbound connections to strictly required infrastructure, such as other DCs necessary for domain replication.
Detection Firewall Anomaly Correlation Monitor host firewall logs for a specific pattern: numerous inbound connections to a DC immediately followed by outbound connections on port 445 to a non-infrastructure, unexpected IP address.
Detection Dropped Traffic Alerts If outbound traffic on ports 139 and 445 is actively blocked, any dropped traffic on these ports logged by the firewall is highly suspicious and serves as an immediate, high-fidelity alert of an attempted coercion attack.

Coercion and unconstrained delegation reference

After the coercion chains, the module went back to permissions mistakes. ACL abuse is quieter on the wire, but BloodHound makes the escalation paths obvious once you start looking. BloodHound was the example the module used for that.

10. Active Directory Object ACL Abuse

Core Concept: Active Directory Object ACL Abuse

The Attack Path

Phase Description
Discovery Attackers use enumeration tools like SharpHound and BloodHound to graph network relationships and identify vulnerable ACL escalation paths, or ADACLScanner to generate specific reports on access control lists.
Exploitation (User Objects) If an attacker has full rights over a target user object, they can simply reset the target’s password to inherit their privileges, or subtly add a bogus SPN to the account to perform a Kerberoasting attack against it.
Exploitation (Computer Objects) If an attacker has full control over a server object, they can read the computer’s extended properties to extract the local LAPS administrator password, or abuse Resource-Based Kerberos Delegation to compromise the machine.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Automation & Assessment Automate access management to eliminate human error and strictly limit delegated modification rights to administrative accounts. Organizations must also conduct continuous assessments to catch misconfigurations early.
Detection Event ID Limitations Object modifications trigger Event ID 4738 (User account changed) or Event ID 4742 (Computer account changed). Unfortunately, these events are limited because they do not specify what exact property (like an SPN) was altered.
Detection Naming Convention Baselines Because the native events lack granularity, defenders should baseline standard administrative behavior. If all privileged accounts use a naming convention (e.g., “admin_”), any Event 4738, 4742, or 4724 (Password Reset) generated by a standard user account is highly suspicious.
Defense Honeypot Account Create a realistic-looking fake user account and intentionally configure its ACLs so that “Everyone” or many standard users have the right to modify it.
Alerting Active Response Since no legitimate standard user should modify the honeypot account, any Event ID 4738 triggered for it immediately signals an attack. Mature organizations can automate a response to instantly disable the attacker’s account and trigger a forensic investigation.

AD ACL abuse reference

PKI was the hardest block for me to keep straight. The attack steps are clear in the lab, but I could not check the CA logs directly because I could not connect to the CA server.

11. AD CS ESC1 Abuse

Core Concept: AD CS ESC1 Abuse

The Attack Path

Phase Description
Discovery Attackers use tools like Certify to scan the domain’s PKI infrastructure for vulnerable certificate templates.
Request The attacker requests a certificate using the vulnerable template, injecting a highly privileged username (e.g., Administrator) into the alternative name (SAN) parameter.
Exploitation After converting the extracted PEM certificate to a PFX format using OpenSSL, attackers use Rubeus to request a Kerberos TGT with the forged certificate, instantly authenticating as the impersonated administrator.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Template Hardening The primary defense is to completely disable the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag on all certificate templates.
Prevention Manager Approval If SAN specification is absolutely necessary for business operations, require CA manager approval before certificate issuance to ensure the request is manually verified.
Detection CA Event Logs Monitor the CA server for Event IDs 4886 (request received) and 4887 (certificate approved). Note: These standard events unfortunately do not display the injected SAN.
Detection Database Auditing Because the standard logs lack SAN visibility, defenders should use certutil -view or PowerShell scripts to regularly parse the CA’s internal database for issued certificates containing suspicious Subject Alternative Names.
Detection DC Logon Monitoring Monitor Domain Controllers for Event ID 4768 (Kerberos TGT requested) and specifically alert on unusual TGT requests that utilize certificate-based authentication.

AD CS ESC1 reference

ESC8 is where the coercion story comes back around: force the DC to authenticate, relay to the CA over HTTP, then use the cert like ESC1.

12. AD CS ESC8 Abuse (Web Enrollment Relay)

Core Concept: AD CS ESC8 Abuse (Web Enrollment Relay)

The Attack Path

Phase Description
Relay Setup Attackers configure a relay tool (like NTLMRelayx) to listen for connections and forward them to the CA’s HTTP endpoint, explicitly requesting a highly privileged certificate template (e.g., the DomainController template).
Coercion Using a standard domain account, the attacker triggers a coercing vulnerability (such as the PrinterBug) to force the target Domain Controller to connect to the attacker’s listening machine.
Certificate Extraction The attacker relays the incoming DC authentication to the CA. The CA successfully authenticates the request and issues a Base64-encoded certificate for the Domain Controller, which the attacker captures.
Exploitation The attacker uses tools like Rubeus to request a Kerberos TGT using the stolen certificate. Now operating as the Domain Controller, they can use Mimikatz to execute a DCSync attack and dump all domain password hashes.

Prevention, Detection & Defense Strategies

Category Mechanism Implementation Details
Prevention Enforce HTTPS The primary defense against ESC8 is to completely disable HTTP for AD CS web enrollment, or strongly enforce HTTPS (which inherently breaks the relaying process).
Prevention PKI Auditing Because PKI escalation paths are complex, organizations should regularly scan their environment with tools like Certify to proactively identify vulnerable web endpoints and misconfigured templates.
Detection CA Event Logs Monitor the CA server for Event IDs 4886 (request received) and 4887 (certificate approved). Relayed requests often expose anomalous behavior, such as explicitly mentioning the template name in the request when a legitimate, direct DC request would not.
Detection TGT Anomalies Monitor Domain Controllers for Event ID 4768 (Kerberos TGT requested). Defenders should specifically alert on TGT requests that utilize certificate-based authentication where the originating IP address does not match the known IP of the machine account.
Detection Logon Anomalies Monitor Event ID 4624 (Successful Logon) to spot core infrastructure accounts (like a DC computer account) successfully authenticating from unexpected, non-infrastructure IP addresses (the attacker’s machine).

AD CS ESC8 reference

Skill Assessment: ESC8 Certificate Logs

The AD CS ESC8 Abuse (Web Enrollment Relay) section was the skill assessment. I could not figure out how to pull the certificate request logs from the Windows side at first, so I used a Kali machine with impacket instead.

Question: Replicate the attack described in this section and view the related 4886 and 4887 logs. Enter the name shown in the Requester field as your answer. (Format: EAGLE.…)

Query used:

impacket-atexec -hashes :fcdc65703dd2b0bd789977f1f3eeaecf EAGLE/[email protected] "wevtutil qe Security /q:\"*[System[(EventID=4886 or EventID=4887)]]\" /f:text /c:10"

Answer: EAGLE\DC2$

Attack Vector Cheatsheet

Attack Vector Short Description & Tools Core Prevention Key Event IDs Detection & Honeypot Strategy
Kerberoasting Extracts TGS tickets for offline cracking via Rubeus/hashcat. Use gMSAs (127-character passwords) or 100+ char manual passwords. 4769 Create fake privileged account with an SPN; alert on RC4 ticket requests.
AS-REProasting Extracts hashes for users lacking pre-auth via Rubeus. Audit “no pre-auth” accounts; require 20+ char passwords. 4768 Create decoy account lacking pre-auth; alert on Pre-Auth Type 0 requests.
GPP Passwords Decrypts SYSVOL XML passwords using Microsoft’s published key. Manually delete legacy XML credentials (patches aren’t enough). 4663, 4625 Plant fake password in a dummy XML file; alert on file read or logon attempts.
GPO Modification Alters GPOs to deploy malware via weak permissions. Strict permission lockdown; automate regular permission audits. 5136 Deploy a dummy GPO; auto-disable any account that modifies it.
Network Shares Scans hidden shares for cleartext credentials via findstr. Strict share access control; automate regular share scanning. 4624, 4625 Plant a script with a fake password; alert on 1-to-many network connections.
AD Property Leak Queries Description/Info fields for hardcoded passwords. Automate user creation; avoid manual password hardcoding. 4624, 4625 Plant fake password in a decoy account’s Description field; alert on use.
DCSync Impersonates DC to dump hashes via replication (Mimikatz). Use RPC Firewall to strictly allow only DC IP addresses. 4662 Alert if the initiator is a standard user/IP, not a known Domain Controller.
PrinterBug Coerces DC authentication via Spooler RPC (NTLMRelayx). Disable Spooler on DCs or set RPC registry key to 2. 4624 (4662 is blind here) Block outbound 139/445; alert on DCs logging in from non-infra IPs.
Coercion & UD Forces DC to authenticate to a compromised Unconstrained server. RPC Firewall; block outbound 139/445 on core servers. Firewall Logs Alert on any dropped outbound 139/445 traffic from Domain Controllers.
ACL Abuse Abuses weak object permissions to take over identities. Automate access management; enforce strict delegation limits. 4738, 4742 Create a decoy user with broad ACLs; alert on any modification.
AD CS ESC1 Forges certs using arbitrary Subject Alternative Names (SAN). Disable SAN flags; require CA manager approval for requests. 4886, 4768 Manually audit CA database for forged SANs; monitor anomalous cert logins.
AD CS ESC8 Relays NTLM to CA HTTP endpoints to steal DC certificates. Enforce HTTPS for all web enrollment endpoints. 4886, 4768 Alert on IP mismatches and explicitly named templates in CA requests.

AD attack vector cheatsheet summary

Key Takeaway

Active Directory is vulnerable by design, meaning defense is never just a single control. It requires understanding your overall security posture, knowing which attack paths you face, and enabling the exact telemetry needed to spot them. Crucially, defenders must recognize how benign behaviors can be exploited, which Event IDs actually fire, and where native logging goes blind (such as Printer Bug relay paths bypassing detection, coarse 4738 object changes lacking property specifics, and CA logs missing SAN details). And yes, a single event alone might never lead to a conclusion.

Key Points:

References

[HTB Academy] Certified Defensive Security Analyst (CDSA) - Module 5: Windows Attacks and Defense. https://academy.hackthebox.com/