Basic cybersecurity audit of a Microsoft domain

Active Directory (AD) is a critical component of the infrastructure of many organizations, used to manage resources and users in Windows environments. Auditing Active Directory is essential to ensure network security and data integrity. Below, starting from an assumed-breach scenario in which a regular domain user account has already been compromised, we walk through the main attack vectors that the audit must identify:

1. Local Privilege Escalation

Although it is not always necessary, it is highly recommended to start by obtaining administrator permissions on the attacking machine (the compromised host), since this makes the use of tooling much more comfortable. Tools such as PowerUp, WinPEAS or Seatbelt, among others, can be used to identify paths that allow escalation to local administrator (unquoted service paths, writable service binaries, AlwaysInstallElevated, stored credentials, and so on).

2. Password Policies

A weak password policy can be exploited for password spraying attacks (these must be carried out carefully so as not to lock out accounts) or for the subsequent cracking of any hashes identified. Furthermore, if there is no lockout policy after a number of failed attempts, it would be possible to brute force the entire domain without fear of locking out user accounts. Before sending a single guess, read the lockout threshold, observation window and lockout duration (for example with net accounts /domain), and keep in mind that fine-grained password policies (PSOs) can impose stricter values on specific users or groups.
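The following is an added example (not code from the original article) of turning the lockout policy into a spraying schedule: it parses the layout that net accounts /domain prints (the values are constructed) and computes how many guesses per account fit in one observation window. It assumes no fine-grained password policy overrides these values for the sprayed accounts.

```python
"""Plan a password spray from the domain lockout policy.

Added example, not code from the original article. It parses the lines that
`net accounts /domain` prints (the label/value layout is the real one; the
values below are constructed) and turns them into a schedule that stays under
the lockout threshold. Assumption: no fine-grained password policy (PSO)
overrides these values for the accounts being sprayed.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int                # 0 = lockout disabled ("Never")
    observation_window_min: int   # bad-password counter resets this long after the LAST failure
    lockout_duration_min: int
    min_password_length: int


def parse_net_accounts(output: str) -> LockoutPolicy:
    """Extract the lockout and length settings from `net accounts` output."""
    values = {}
    for line in output.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)
            values[label.strip().lower()] = value.strip()
    raw = values.get("lockout threshold", "Never")
    return LockoutPolicy(
        threshold=0 if raw.lower() == "never" else int(raw),
        observation_window_min=int(values.get("lockout observation window (minutes)", "30")),
        lockout_duration_min=int(values.get("lockout duration (minutes)", "30")),
        min_password_length=int(values.get("minimum password length", "0")),
    )


def spray_plan(policy: LockoutPolicy, safety_margin: int = 2) -> dict:
    """How many guesses per account fit in one observation window.

    `safety_margin` is reserved for the users' own typos (their failures count
    against the same threshold). Guesses are sent as a burst and the next burst
    waits a full window after the LAST guess, because the counter resets
    relative to the most recent failure, not the first one.
    """
    if policy.threshold == 0:
        # No lockout at all: the domain can be brute forced, but throttle anyway
        # so the 4625/4771 event volume does not wake up the SOC.
        return {"lockout": False, "attempts_per_window": None, "wait_minutes": 0, "passwords_per_day": None}
    safe = max(policy.threshold - safety_margin, 0)
    windows_per_day = 24 * 60 // max(policy.observation_window_min, 1)
    return {
        "lockout": True,
        "attempts_per_window": safe,   # 0 means: do not spray, a single guess may lock the account
        "wait_minutes": policy.observation_window_min,
        "passwords_per_day": safe * windows_per_day,
    }


# Constructed sample in the layout of `net accounts /domain`.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
"""

if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    print(policy)
    print(spray_plan(policy))
```

With the constructed policy (threshold 5, 30-minute window) the plan is 3 guesses per account per window, which is 144 passwords per day; with "Never" the plan reports that lockout is disabled.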

3. Identify secrets in shared folders

Once a domain user is available, it is recommended to list the shared folders that user has access to (for example, with smbclient). Occasionally documents can be found that contain some kind of credential (scripts, configuration files, spreadsheets), which may still be valid or serve as a starting point for guessing other passwords.

4. Identification of obsolete operating systems

It must be verified that out-of-support and/or unpatched operating systems are not in use. This kind of machine can be very useful to an attacker, since it is highly likely to have vulnerabilities with public exploits. Even if they are not relevant targets in themselves, accessing them can be interesting in order to obtain the credentials they have stored. It is very important to notify the IT manager before using exploits, since these could cause an outage of the company's services. The operatingSystem and lastLogonTimestamp attributes of the computer objects in LDAP give a first inventory without touching the hosts.
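As an added example (not part of the original article), the block below builds that first inventory from computer objects: it matches the operatingSystem attribute against Microsoft's published end-of-extended-support dates and converts the FILETIME lastLogonTimestamp to flag stale objects. The computer records and audit date are constructed; the assumption is that no Extended Security Updates are being paid for.

```python
"""Inventory out-of-support Windows versions from computer objects.

Added example, not from the article. Each record carries the operatingSystem
and lastLogonTimestamp attributes of an AD computer object (values below are
constructed). End-of-support dates are Microsoft's published end of extended
support for the mainstream editions; assumption: no Extended Security Updates
are being paid for. lastLogonTimestamp is a FILETIME and replicates lazily
(up to 14 days behind), so the stale check is deliberately coarse.
"""
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)

END_OF_SUPPORT = {   # matched by prefix of the operatingSystem string
    "Windows XP": datetime(2014, 4, 8),
    "Windows 7": datetime(2020, 1, 14),
    "Windows 8.1": datetime(2023, 1, 10),
    "Windows 10": datetime(2025, 10, 14),
    "Windows Server 2003": datetime(2015, 7, 14),
    "Windows Server 2008": datetime(2020, 1, 14),   # covers 2008 R2
    "Windows Server 2012": datetime(2023, 10, 10),  # covers 2012 R2
    "Windows Server 2016": datetime(2027, 1, 12),
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def end_of_support(os_name: str):
    """Longest matching prefix wins, so overlapping table entries resolve predictably."""
    best = None
    for prefix, date in END_OF_SUPPORT.items():
        if os_name.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, date)
    return best[1] if best else None


def classify(computer: dict, now: datetime, stale_days: int = 90) -> dict:
    os_name = computer.get("operatingSystem") or ""
    eos = end_of_support(os_name)
    last = computer.get("lastLogonTimestamp")
    last_dt = filetime_to_datetime(last) if last else None
    return {
        "name": computer["name"],
        "os": os_name,
        "unsupported": eos is not None and eos <= now,
        "end_of_support": eos,
        # Never-logged-on objects count as stale: likely forgotten, still a target.
        "stale": last_dt is None or (now - last_dt).days > stale_days,
    }


def audit(computers, now: datetime) -> dict:
    return {c["name"]: classify(c, now) for c in computers}


# Constructed computer objects, as an LDAP query for (objectClass=computer) would return.
AUDIT_DATE = datetime(2024, 6, 1)
SAMPLE_COMPUTERS = [
    {"name": "DC01", "operatingSystem": "Windows Server 2019 Standard",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 5, 30))},
    {"name": "FILE01", "operatingSystem": "Windows Server 2008 R2 Standard",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 5, 28))},
    {"name": "WS-OLD", "operatingSystem": "Windows 7 Enterprise",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2023, 10, 1))},
    {"name": "PRINT01", "operatingSystem": "Windows Server 2012 R2 Standard",
     "lastLogonTimestamp": None},
]

if __name__ == "__main__":
    for name, r in audit(SAMPLE_COMPUTERS, AUDIT_DATE).items():
        print(name, r["os"], "UNSUPPORTED" if r["unsupported"] else "ok", "stale" if r["stale"] else "")
```

A stale but unsupported object (WS-OLD above) is still worth a look: the account may belong to a machine that is powered on only occasionally, and such hosts are rarely patched.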

5. Identification of privileged accounts

It is very useful to carry out an initial enumeration process that identifies the target accounts that would allow the entire domain to be compromised. During this enumeration phase, not only the Domain Admins accounts matter: it is also important to identify accounts with special permissions that allow movement within the domain (members of built-in groups such as Administrators, Account Operators or Backup Operators, and accounts with interesting ACLs or delegation settings). The following points show why this is important.
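Group membership in AD is nested, so the effective members of a privileged group are not visible from its member attribute alone. The block below is an added example (not the article's code) that expands nested membership with cycle protection and keeps the path through intermediate groups, so the report explains why each account is effectively privileged. The directory slice for DC=corp,DC=local is constructed.

```python
"""Expand nested membership of the privileged groups.

Added example, not the article's code. The directory is modelled as the
`member` attribute of each group (distinguished names) plus an objectClass
per object, which is what an LDAP dump gives; the objects below are
constructed for a domain DC=corp,DC=local. Nesting is followed with cycle
protection and the path through intermediate groups is kept, because the
audit needs to explain *why* an account is effectively privileged.
"""
BASE = "DC=corp,DC=local"
PRIVILEGED_GROUPS = [
    f"CN=Enterprise Admins,CN=Users,{BASE}",
    f"CN=Domain Admins,CN=Users,{BASE}",
    f"CN=Schema Admins,CN=Users,{BASE}",
    f"CN=Administrators,CN=Builtin,{BASE}",
    f"CN=Account Operators,CN=Builtin,{BASE}",
    f"CN=Backup Operators,CN=Builtin,{BASE}",
    f"CN=Server Operators,CN=Builtin,{BASE}",
    f"CN=Print Operators,CN=Builtin,{BASE}",
    f"CN=DnsAdmins,CN=Users,{BASE}",
]


def effective_members(directory: dict, group_dn: str) -> dict:
    """Return {principal_dn: [intermediate group DNs]} for every non-group reached."""
    found, stack, seen = {}, [(group_dn, [])], {group_dn}
    while stack:
        current, path = stack.pop()
        for member in directory.get(current, {}).get("member", []):
            if member in seen:
                continue               # already expanded, or a membership cycle
            seen.add(member)
            if directory.get(member, {}).get("objectClass") == "group":
                stack.append((member, path + [member]))
            else:
                found[member] = path
    return found


def privileged_principals(directory: dict, groups=PRIVILEGED_GROUPS) -> dict:
    """{principal_dn: {privileged_group_dn: path}} across all privileged groups."""
    report = {}
    for group in groups:
        for principal, path in effective_members(directory, group).items():
            report.setdefault(principal, {})[group] = path
    return report


# Constructed directory slice: note the nesting and the Tier0 Ops <-> Domain Admins cycle.
SAMPLE_DIRECTORY = {
    f"CN=Domain Admins,CN=Users,{BASE}": {"objectClass": "group", "member": [
        f"CN=Administrator,CN=Users,{BASE}", f"CN=Tier0 Ops,OU=Groups,{BASE}"]},
    f"CN=Tier0 Ops,OU=Groups,{BASE}": {"objectClass": "group", "member": [
        f"CN=jdoe,OU=Staff,{BASE}", f"CN=Domain Admins,CN=Users,{BASE}"]},
    f"CN=Administrators,CN=Builtin,{BASE}": {"objectClass": "group", "member": [
        f"CN=Domain Admins,CN=Users,{BASE}"]},
    f"CN=Backup Operators,CN=Builtin,{BASE}": {"objectClass": "group", "member": [
        f"CN=Helpdesk,OU=Groups,{BASE}"]},
    f"CN=Helpdesk,OU=Groups,{BASE}": {"objectClass": "group", "member": [
        f"CN=svc-backup,OU=Service Accounts,{BASE}", f"CN=mrobinson,OU=Staff,{BASE}"]},
    f"CN=Administrator,CN=Users,{BASE}": {"objectClass": "user"},
    f"CN=jdoe,OU=Staff,{BASE}": {"objectClass": "user"},
    f"CN=mrobinson,OU=Staff,{BASE}": {"objectClass": "user"},
    f"CN=svc-backup,OU=Service Accounts,{BASE}": {"objectClass": "user"},
}

if __name__ == "__main__":
    for principal, reach in privileged_principals(SAMPLE_DIRECTORY).items():
        for group, path in reach.items():
            print(principal, "->", group, "via", path or "direct")
```

In the constructed data, a helpdesk group ends up inside Backup Operators, whose members can read any file on a domain controller (including a backup of ntds.dit); that is exactly the kind of indirect privilege this enumeration is meant to surface.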

6. Identification and abuse of accounts with Constrained Delegation

The previous point indicated the need to identify accounts with high permissions, and this is one specific type of privileged account. These accounts can be delegated the power to impersonate any user of the domain against a specific list of services (the msDS-AllowedToDelegateTo attribute). Thanks to this, if an account with constrained delegation is compromised, it is possible to impersonate any user (except accounts marked as sensitive or members of Protected Users) to Windows services such as HOST, RPCSS, HTTP, WSMAN (WinRM), CIFS or LDAP on the listed hosts. Two caveats matter in practice: impersonating an arbitrary user who has not authenticated to the service first requires the account to also have protocol transition enabled (TRUSTED_TO_AUTH_FOR_DELEGATION), and since the service class is not protected inside the ticket, a delegation to CIFS on a host also gives access to any other service on that same host.

7. Identification and abuse of Unconstrained Delegation

This is another type of high-interest privileged account. Hosts with unconstrained delegation are authorized to receive and store the Kerberos TGT (Ticket Granting Ticket) of any account that authenticates to them. Therefore, by compromising one of them, it is possible to extract the tickets stored in its memory. It is also possible to carry out forced authentication attacks against this host, that is, forcing any domain machine to authenticate to the compromised unconstrained host (for example through the Print Spooler service). In this way, the new victim (a domain controller, for example) sends a copy of its TGT to the unconstrained host, where it can be intercepted. Note that domain controllers have unconstrained delegation by default, so the finding is any other machine or user account carrying the TRUSTED_FOR_DELEGATION flag.

8. Identify and abuse DCSync permissions

We continue with interesting privileged accounts. In this case it is necessary to identify accounts with DCSync permissions, that is, accounts that hold the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object (by default only domain controllers, Administrators, Domain Admins and Enterprise Admins). If we manage to compromise a credential with these permissions, we can carry out a DCSync attack, that is, pretend to be a domain controller that wants to synchronize its database (ntds.dit) with the real domain controller. In this way all the domain's hashes are obtained, including those of the Domain Admins and of the krbtgt account. Accounts with WriteDacl or GenericAll on the domain object can grant themselves these rights, so they should be reviewed as well.
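The block below is an added example (not the article's code) of reading the domain object's DACL for exactly this: it reports every trustee that holds both replication rights, or that can grant them to itself, and filters out the holders that exist by default. The GUIDs and access-mask bits are the real AD values; the ACL itself is constructed, and trustees are not expanded into their group members.

```python
"""Find who can DCSync from the domain object's DACL.

Added example, not the article's code. ACEs are modelled as the fields an
assessor reads from the domain head's security descriptor (trustee, Allow or
Deny, access mask, and the extended-right GUID of object-specific ACEs). The
GUIDs and mask bits are the real Active Directory values; the ACL below is
constructed. Trustees may be groups, so membership must still be expanded
separately.
"""
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

ADS_RIGHT_DS_CONTROL_ACCESS = 0x100        # "extended right"; the object type says which one
ADS_RIGHT_WRITE_DAC = 0x40000
ADS_RIGHT_WRITE_OWNER = 0x80000
ADS_RIGHT_GENERIC_ALL = 0x10000000
GRANT_RIGHTS = ADS_RIGHT_WRITE_DAC | ADS_RIGHT_WRITE_OWNER | ADS_RIGHT_GENERIC_ALL

# Holders of both replication rights in a default domain; anything else is a finding.
DEFAULT_HOLDERS = {"BUILTIN\\Administrators", "CORP\\Domain Controllers",
                   "CORP\\Domain Admins", "CORP\\Enterprise Admins"}


def replication_rights_in(ace: dict) -> set:
    """Which of the two replication rights a single ACE touches."""
    mask, guid = ace["mask"], ace.get("object_type")
    if mask & ADS_RIGHT_GENERIC_ALL:
        return set(REPLICATION_RIGHTS)
    if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        # No object type = every extended right; otherwise only the named one.
        return set(REPLICATION_RIGHTS) if guid is None else {guid.lower()} & REPLICATION_RIGHTS
    return set()


def dcsync_report(aces) -> dict:
    """{trustee: {"dcsync": bool, "can_grant": bool}} for every trustee on the DACL.

    An explicit Deny on a right removes it; Windows evaluates explicit Deny ACEs
    before explicit Allow ACEs, which this subtraction reproduces.
    """
    allowed, denied, can_grant = {}, {}, set()
    for ace in aces:
        bucket = allowed if ace["type"] == "Allow" else denied
        bucket.setdefault(ace["trustee"], set()).update(replication_rights_in(ace))
        if ace["type"] == "Allow" and ace["mask"] & GRANT_RIGHTS:
            can_grant.add(ace["trustee"])
    report = {}
    for trustee in set(allowed) | set(denied):
        effective = allowed.get(trustee, set()) - denied.get(trustee, set())
        report[trustee] = {"dcsync": effective == REPLICATION_RIGHTS, "can_grant": trustee in can_grant}
    return report


def findings(report: dict) -> dict:
    """Trustees outside the default set that can DCSync now, or can grant it to themselves."""
    return {t: r for t, r in report.items() if t not in DEFAULT_HOLDERS and (r["dcsync"] or r["can_grant"])}


# Constructed DACL of DC=corp,DC=local (only the relevant ACEs).
SAMPLE_ACL = [
    {"trustee": "CORP\\Domain Controllers", "type": "Allow", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "CORP\\Domain Controllers", "type": "Allow", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "type": "Allow", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "BUILTIN\\Administrators", "type": "Allow", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "BUILTIN\\Administrators", "type": "Allow", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "CORP\\svc-backup", "type": "Allow", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "CORP\\svc-backup", "type": "Allow", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "CORP\\helpdesk", "type": "Allow", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "CORP\\svc-legacy", "type": "Allow", "mask": ADS_RIGHT_GENERIC_ALL, "object_type": None},
    {"trustee": "CORP\\jdoe", "type": "Allow", "mask": ADS_RIGHT_WRITE_DAC, "object_type": None},
    {"trustee": "CORP\\svc-deny", "type": "Allow", "mask": 0x100, "object_type": None},
    {"trustee": "CORP\\svc-deny", "type": "Deny", "mask": 0x100, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
]

if __name__ == "__main__":
    for trustee, r in findings(dcsync_report(SAMPLE_ACL)).items():
        print(trustee, r)
```

Note that helpdesk, with only DS-Replication-Get-Changes, is correctly not reported: both rights are needed to pull secrets, and a single one is a common false positive when reviewing ACLs by eye.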

9. Identify and abuse Resource-Based Constrained Delegation

If an attacker identifies an account with GenericWrite or GenericAll rights (or write access to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute) over a computer object, that account can configure resource-based constrained delegation on that computer. This means that, if we compromise the account, we can declare that a principal we control (for example a machine account created thanks to the default MachineAccountQuota of 10) is allowed to act on behalf of other users against that computer, and then use S4U2Self and S4U2Proxy to obtain TGSs (Ticket Granting Service tickets) as any non-protected user for the services of that machine. The impact is limited to the machine whose attribute we can write, so the interesting case is holding this permission over our main target: a domain controller.
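The three delegation flavours above (constrained, unconstrained and resource-based) are read from the same handful of LDAP attributes, so one added example (not the article's code) serves all three sections: it classifies each account from userAccountControl, msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity, and separates impersonable victims from protected ones. The accounts are constructed, and the RBCD attribute, which is really a binary security descriptor, is modelled as the list of SIDs it resolves to.

```python
"""Classify delegation settings on user and computer accounts.

Added example serving the three delegation sections above (constrained,
unconstrained and resource-based); it is not the article's code. Records carry
the LDAP attributes an assessor would pull: userAccountControl,
msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity. The
last one is really a binary security descriptor; here it is modelled as the
list of principal SIDs it resolves to (an assumption of this example). All
accounts below are constructed.
"""
UAC_NORMAL_ACCOUNT = 0x0200
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_SERVER_TRUST_ACCOUNT = 0x2000               # domain controllers
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UAC_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

PROTECTED_USERS_DN = "CN=Protected Users,CN=Users,DC=corp,DC=local"


def classify_delegation(account: dict) -> dict:
    uac = account.get("userAccountControl", 0)
    targets = account.get("msDS-AllowedToDelegateTo") or []
    rbcd_from = account.get("msDS-AllowedToActOnBehalfOfOtherIdentity") or []
    result = {"name": account["sAMAccountName"], "kind": "none", "notes": []}
    if targets:
        result["kind"] = "constrained"
        result["protocol_transition"] = bool(uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)
        # SPN = class/host[:port]; the class is not protected in the ticket, so every
        # service on these hosts is reachable, not only the listed one (alt-service trick).
        result["hosts"] = sorted({spn.split("/", 1)[1].split(":")[0].lower() for spn in targets if "/" in spn})
        if not result["protocol_transition"]:
            result["notes"].append("Kerberos-only: S4U2Self tickets are not forwardable, "
                                   "a victim must authenticate to this service first")
    elif uac & UAC_TRUSTED_FOR_DELEGATION:
        result["kind"] = "unconstrained"
        if uac & UAC_SERVER_TRUST_ACCOUNT:
            result["notes"].append("domain controller: unconstrained by default, not a finding")
        else:
            result["notes"].append("every TGT presented to this host is cached in LSASS; coerce a DC to authenticate")
    if rbcd_from:
        if result["kind"] == "none":
            result["kind"] = "rbcd-target"
        result["rbcd_allowed_from"] = list(rbcd_from)
    return result


def impersonation_targets(users, protected_users_dn=PROTECTED_USERS_DN):
    """Split candidate victims into impersonable and protected (NOT_DELEGATED or Protected Users)."""
    usable, protected = [], []
    for u in users:
        sensitive = u.get("userAccountControl", 0) & UAC_NOT_DELEGATED
        if sensitive or protected_users_dn in u.get("memberOf", []):
            protected.append(u["sAMAccountName"])
        else:
            usable.append(u["sAMAccountName"])
    return usable, protected


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": UAC_SERVER_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc-sql", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["CIFS/fs01.corp.local", "HTTP/fs01.corp.local:8080"]},
    {"sAMAccountName": "svc-web", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["LDAP/dc01.corp.local"]},
    {"sAMAccountName": "APP02$", "userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["S-1-5-21-1111111111-2222222222-3333333333-1105"]},
]
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "Administrator", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_NOT_DELEGATED},
    {"sAMAccountName": "cfo", "userAccountControl": UAC_NORMAL_ACCOUNT, "memberOf": [PROTECTED_USERS_DN]},
]


def audit(accounts=SAMPLE_ACCOUNTS) -> dict:
    return {a["sAMAccountName"]: classify_delegation(a) for a in accounts}


if __name__ == "__main__":
    for name, r in audit().items():
        print(name, r["kind"], r.get("hosts", ""), r.get("rbcd_allowed_from", ""), *r["notes"])
    print(impersonation_targets(SAMPLE_USERS))
```

In the constructed data svc-web is the subtle one: it delegates to LDAP on a domain controller, which is a DCSync path, but without protocol transition an attacker needs a user to authenticate to the svc-web service (or a second RBCD hop) before S4U2Proxy yields a ticket.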

10. Identify and abuse vulnerable certificate templates

This kind of attack is based on using tools such as Certify or Certipy to identify vulnerable certificate templates in the corporate certification authority (AD CS). There are a number of possible vulnerable scenarios (the ESC1 to ESC8 cases documented by SpecterOps) that allow an attacker to request certificates on behalf of other users, for example a Domain Admin or any other privileged account, and then authenticate with that certificate through PKINIT. The classic case, ESC1, is a published template that lets the enrollee supply the subject name, includes an EKU valid for client authentication, requires neither manager approval nor authorized signatures, and can be enrolled by low-privileged groups such as Domain Users.
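As an added example (not the article's code, and not Certify's or Certipy's implementation, although it applies the same conditions), the block below evaluates ESC1, ESC2 and ESC3 over template objects described by the LDAP attributes those tools read. The templates and the domain SID are constructed; the Enroll permission, a security descriptor in reality, is modelled as a list of SIDs, and "published" stands for the template being listed in a CA's certificateTemplates attribute.

```python
"""Check AD CS certificate templates for ESC1/ESC2/ESC3 conditions.

Added example; it is neither the article's code nor Certify's or Certipy's
logic verbatim, though it applies the same conditions. Templates are modelled
with the LDAP attributes those tools read from
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...;
the Enroll permission (a security descriptor in reality) is modelled as a list
of SIDs, and `published` stands for the template being listed in a CA's
certificateTemplates attribute. Everything below is constructed, including the
domain SID.
"""
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag: CA manager approval

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT_AUTH, EKU_SMART_CARD_LOGON, EKU_ANY_PURPOSE}

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
LOW_PRIV_SIDS = {
    "S-1-1-0",             # Everyone
    "S-1-5-11",            # Authenticated Users
    f"{DOMAIN_SID}-513",   # Domain Users
    f"{DOMAIN_SID}-515",   # Domain Computers
}


def template_issues(t: dict) -> list:
    """ESC labels that apply to one template, in the Certify/Certipy sense."""
    if not t.get("published", False):
        return []                       # a template nobody can request from is inert
    if not set(t.get("enroll_sids", [])) & LOW_PRIV_SIDS:
        return []                       # only privileged principals can enroll
    if t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        return []                       # manager approval gates every request
    if t.get("msPKI-RA-Signature", 0) > 0:
        return []                       # an enrollment agent signature is required
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    supplies_subject = bool(t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    issues = []
    if supplies_subject and ekus & AUTH_EKUS:
        issues.append("ESC1")   # requester names the subject -> certificate for any user
    if EKU_ANY_PURPOSE in ekus or not ekus:
        issues.append("ESC2")   # any purpose / no EKU: usable for auth or as an agent cert
    if EKU_CERT_REQUEST_AGENT in ekus:
        issues.append("ESC3")   # agent cert lets the holder enroll on behalf of others
    return issues


def audit(templates) -> dict:
    return {t["name"]: issues for t in templates if (issues := template_issues(t))}


SAMPLE_TEMPLATES = [
    {"name": "User", "published": True, "enroll_sids": [f"{DOMAIN_SID}-513"],
     "pKIExtendedKeyUsage": [EKU_CLIENT_AUTH]},                         # subject built from AD: fine
    {"name": "WebServer", "published": True, "enroll_sids": [f"{DOMAIN_SID}-512"],
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pKIExtendedKeyUsage": [EKU_SERVER_AUTH]},                         # admins only, no auth EKU
    {"name": "VPN-Legacy", "published": True, "enroll_sids": [f"{DOMAIN_SID}-513"],
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pKIExtendedKeyUsage": [EKU_CLIENT_AUTH]},                         # ESC1
    {"name": "VPN-Approved", "published": True, "enroll_sids": [f"{DOMAIN_SID}-513"],
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
     "pKIExtendedKeyUsage": [EKU_CLIENT_AUTH]},                         # same, but gated
    {"name": "AnyPurposeTest", "published": True, "enroll_sids": ["S-1-5-11"],
     "pKIExtendedKeyUsage": [EKU_ANY_PURPOSE]},                         # ESC2
    {"name": "EnrollmentAgent", "published": True, "enroll_sids": [f"{DOMAIN_SID}-513"],
     "pKIExtendedKeyUsage": [EKU_CERT_REQUEST_AGENT]},                  # ESC3
    {"name": "Unpublished", "published": False, "enroll_sids": ["S-1-1-0"],
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pKIExtendedKeyUsage": [EKU_CLIENT_AUTH]},
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_TEMPLATES).items():
        print(name, issues)
```

VPN-Approved shows the cheapest fix for an ESC1 template when the subject really must be supplied by the requester: enabling CA manager approval removes it from the findings without touching the EKUs.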

11. Identify vulnerable services

It is possible that some machines in the Active Directory run services other than those of the directory itself (although this is not good practice), for example Jenkins or SQL Server. It is important to identify these services and check whether they are vulnerable, since in many cases they can serve as an entry point into the machine they run on. The ideal situation for an attacker is to identify an exploitable service that runs as a local administrator of the machine: by achieving remote code execution through that service, the entire machine is compromised.

12. Kerberoasting

Kerberoasting is an attack that exploits service accounts that have Service Principal Names (SPNs) associated with them. An SPN is a record that ties a specific service or application to a service account in Active Directory.

The objective of Kerberoasting is to request service tickets (TGS) for these accounts, which any authenticated domain user can do, and then crack them offline to recover the original passwords. This is possible because part of the requested ticket is encrypted with a key derived from the service account's password. Tickets obtained with RC4 (encryption type 23) crack orders of magnitude faster than AES ones, so an audit should flag user accounts with SPNs that still allow RC4 and, above all, those with long-unchanged or weak passwords.

13. Credential Extraction

Once any machine has been compromised, the next step is to extract every stored credential from it, with tools such as Mimikatz (LSASS memory, the SAM and LSA secrets, cached domain credentials). These credentials are useful for lateral movement across the domain, compromising the machines on which the collected users are local administrators. Note that hashes are enough for this: NTLM pass-the-hash and Kerberos overpass-the-hash or pass-the-ticket do not require the cleartext password.


We have seen only a few of the techniques most used during an audit, but attackers discover new techniques every day, each more innovative than the last. For this reason we invite you to research and discover your own paths to the domain controllers.

Ignacio Sánchez, Cybersecurity Analyst at Zerolynx.
