This chapter covers Active Directory (AD) directory services, a core component of Windows-based enterprise networks. For the SY0-701 exam (Domain 4.0 Security Operations, Objective 4.6: implement and maintain identity and access management), you must understand how AD authenticates users, how it enforces security policy, and how attackers exploit misconfigurations and design weaknesses. We will explore AD's architecture, its authentication protocols (Kerberos, NTLM), Group Policy, and common attacks such as Golden Ticket, DCSync, and Kerberoasting. You will learn both the defensive configuration and the forensic indicators of compromise.
Imagine a secure embassy with multiple buildings (domain controllers), each containing classified files (user accounts, group policies). The ambassador (Domain Admin) issues a master key (KRBTGT hash) to the security chief (Kerberos service). When a diplomat (user) wants to access a building (resource), they first go to the security desk (Authentication Service) and prove their identity with a passport (password hash). The desk issues a temporary, signed badge (TGT) that includes the diplomat’s photo, ID, and a secret code (session key) known only to the desk and the diplomat. This badge is valid for 10 hours (default TGT lifetime) and can be used to request entry passes to specific buildings. For each building, the diplomat presents the badge to the building’s guard (Ticket Granting Service), who verifies the badge’s signature (using the master key) and issues a building-specific pass (service ticket) that includes the diplomat’s ID and a new secret code (service session key). The guard records the visit in a log (Kerberos event 4768 for TGT, 4769 for service ticket). An attacker who steals the master key (KRBTGT hash) can forge badges and passes for anyone, impersonating any user. Similarly, if an attacker steals a diplomat’s badge (TGT) before it expires, they can use it to request passes to any building until the badge expires. The embassy’s countermeasure is to regularly change the master key (reset KRBTGT password twice) and enforce short badge lifetimes (e.g., 4 hours). This mirrors Active Directory’s Kerberos authentication: the KRBTGT account’s hash is used to sign TGTs, and if compromised, attackers can forge Golden Tickets. Defenders rotate KRBTGT passwords and limit ticket lifetimes.
What is Active Directory and Why Does It Matter for Security?
Active Directory (AD) is Microsoft’s directory service for Windows domain networks. It stores information about objects (users, computers, groups, printers) and makes this information available to authorized users on the network. AD uses a hierarchical database (the NTDS.dit file) and relies on DNS for name resolution. From a security perspective, AD is the central authentication and authorization authority. If AD is compromised, the entire network is compromised. SY0-701 tests your ability to secure AD, detect attacks, and respond to incidents.
How AD Authentication Works Mechanically
AD supports two primary authentication protocols:
Kerberos (RFC 4120) – The default protocol since Windows 2000. The process:
1. The user logs on with a password. The client derives a long-term key from it (the NT hash when RC4 is used, a PBKDF2-derived key for AES) and sends an AS-REQ to the Domain Controller's Authentication Service (AS). With pre-authentication enabled (the default) the request carries a timestamp encrypted under that key; the key itself never crosses the wire.
2. The AS verifies the pre-authentication against its own copy of the user's key and checks account status (not disabled or locked out, password not expired). If valid, it returns an AS-REP containing a Ticket Granting Ticket (TGT) encrypted with the KRBTGT account's key, plus a session key encrypted with the user's key. The TGT carries the user name, the PAC (group memberships, signed with the KRBTGT key), the session key and a validity window (10 hours by default).
3. When the user wants a resource (e.g., a file server), the client sends a TGS-REQ to the Ticket Granting Service (TGS) containing the TGT, an authenticator encrypted with the session key, and the target Service Principal Name (SPN).
4. The TGS decrypts the TGT with the KRBTGT key, validates the authenticator and the validity window, and issues a service ticket encrypted with the long-term key of the account that owns the SPN (a computer account or a service account). For a TGT less than 20 minutes old the KDC does not re-check that the named account exists or is enabled; that is why a forged TGT for a non-existent user works (attackers simply forge a fresh one).
5. The client presents the service ticket (AP-REQ) to the resource server, which decrypts it with its own key and grants access based on the PAC. The DC is not involved in this step.
NTLM (NT LAN Manager) – Used when Kerberos is unavailable (access by IP address rather than hostname, no SPN registered, older or non-domain systems). It is a challenge-response protocol:
1. The client sends a negotiate message to the server.
2. The server responds with a random 8-byte challenge (nonce).
3. The client computes a response from the challenge using the NT hash of the user's password (DES in NTLMv1, HMAC-MD5 over the challenge plus a client challenge and timestamp in NTLMv2) and sends it back. The hash itself is the secret, which is why possessing it is enough for Pass-the-Hash.
4. The server forwards the challenge and response to a Domain Controller over the Netlogon secure channel; the DC recomputes the response from the stored NT hash and compares the two (logged as Event 4776).
Key Security Components:
- KRBTGT Account: The service account for the Kerberos Key Distribution Center (KDC). Its key (the NT hash for RC4, AES keys for AES) encrypts every TGT and signs the PAC inside it, so anyone holding it can forge TGTs (Golden Tickets). The account is disabled by default and nobody logs on with it, which is why its password is rarely changed unless you schedule it.
- NTDS.dit: The AD database file located at C:\Windows\NTDS\NTDS.dit. Contains all objects and their attributes, including password hashes.
- Group Policy: A framework for applying security settings to computers and users across the domain. Policies are stored in SYSVOL and applied via Group Policy Objects (GPOs).
- LDAP (Lightweight Directory Access Protocol): Used to query and modify AD. Runs on ports 389 (TCP/UDP) and 636 (LDAPS).
- DNS: AD integrated DNS zones support dynamic updates and are critical for locating DCs (SRV records).
How Attackers Exploit Active Directory
Golden Ticket Attack: An attacker who already holds domain admin (or replication) rights extracts the KRBTGT key with Mimikatz (lsadump::dcsync /user:krbtgt) and forges a TGT for any user name (even a non-existent account) with arbitrary group SIDs (e.g., Domain Admins). Because the KDC accepts tickets encrypted under the current or the previous KRBTGT key, the forged ticket keeps working until the password has been reset twice. Detection caveat: the KDC never issued the ticket, so there is no Event 4768 for it; look instead for 4769 service-ticket requests on the DCs (and 4624 logons on the targets) for accounts that do not exist or are disabled, or from hosts that never obtained a TGT. Countermeasure: reset the KRBTGT password twice, waiting for replication to complete and for the maximum TGT lifetime (10 hours by default) between resets so legitimate tickets are not broken, and treat any Tier 0 compromise as a KRBTGT compromise.
Silver Ticket Attack: Forge a service ticket for one service (e.g., CIFS on a file server) using the key of the account that owns the SPN, typically a computer account or a service account. The ticket is presented straight to the service and never to the DC, so no 4768 or 4769 is logged on the DC; the only trace is the 4624 logon on the target host (authentication package Kerberos) with no matching 4769. Countermeasure: group Managed Service Accounts (gMSA) with automatic password rotation, keeping computer-account password rotation (30 days by default) enabled, and correlating target-host 4624 events against DC 4769 events.
DCSync Attack: An attacker holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain naming context (Domain Admins, Enterprise Admins and DC computer accounts have them by default, as does anything they have been delegated to, such as the Azure AD Connect synchronization account) uses Mimikatz or Impacket's secretsdump to ask a DC to replicate password data, exactly as a peer DC would. This yields the NT hashes and Kerberos keys of any account, including KRBTGT. Countermeasure: audit the ACL of the domain head, remove the two replication rights from everything that is not a DC or an approved synchronization account, and alert on Event 4662 that carries those rights' GUIDs from a non-DC principal. Protected Users membership does not restrict replication rights.
Kerberoasting: Any authenticated domain user can request a service ticket for any SPN registered on a user account. The ticket is encrypted with that account's key: with RC4 the key is the NT hash, which cracks at roughly the speed of NTLM; with AES it is a PBKDF2-derived key (4096 iterations), which cracks far more slowly but still cracks if the password is weak. The attacker takes the ticket offline and guesses passwords until one decrypts it. Computer accounts are not useful targets because their passwords are 120 random characters rotated every 30 days. Countermeasure: long random passwords (25+ characters) on every user account that holds an SPN, or better a gMSA; set msDS-SupportedEncryptionTypes to AES only on those accounts so RC4 tickets cannot be requested for them; and alert on Event 4769 bursts with encryption type 0x17 or with many distinct service accounts requested by one user.
Pass-the-Hash (PtH): Using NTLM, an attacker captures the NTLM hash from a compromised machine (e.g., via LSASS memory dump) and presents it to authenticate without knowing the password. Countermeasure: Enable Credential Guard, use Restricted Admin mode for RDP, and implement network segmentation.
Pass-the-Ticket (PtT): Similar to PtH but uses Kerberos tickets. The attacker extracts a TGT or service ticket from LSASS and reuses it. Countermeasure: Shorten ticket lifetimes, enable Kerberos Armoring (FAST) in Windows 8.1/Server 2012 R2+, and monitor for ticket reuse across different source IPs.
Defensive Configuration and Hardening
Enable Advanced Audit Policies: Configure auditing for Account Logon (4768 under "Kerberos Authentication Service", 4769 under "Kerberos Service Ticket Operations", 4776 under "Credential Validation"), Account Management (4720-4739), Directory Service Access (4662) and Directory Service Changes (5136).
Use Protected Users Group: Members cannot authenticate with NTLM, cannot use DES or RC4 in Kerberos pre-authentication, cannot be delegated (unconstrained or constrained), and receive 4-hour TGTs that cannot be renewed. This blocks Pass-the-Hash against them and keeps their credentials out of delegation. It is meant for privileged user accounts; Microsoft advises against placing service or computer accounts in it, so it is not a Kerberoasting control.
Implement Tiered Administration: Separate admin accounts into tiers (Tier 0: Domain Admins, Tier 1: Server Admins, Tier 2: Workstation Admins). Restrict logon rights.
Deploy LAPS (Local Administrator Password Solution): Randomizes local admin passwords on computers, preventing lateral movement using common passwords.
Enable SMB Signing and LDAP Signing: Prevents NTLM relay attacks.
Use Group Policy to Harden: Disable LM and NTLMv1, set minimum NTLM session security, enable PowerShell logging, and restrict privileged group membership.
Real Commands and Tools
Mimikatz (Offensive):
privilege::debug
lsadump::lsa /patch # Dump NT hashes from the local LSA (on a DC, that is every domain account)
lsadump::dcsync /domain:contoso.com /user:krbtgt # DCSync: pull the KRBTGT key over the replication protocol
kerberos::golden /user:fakeadmin /domain:contoso.com /sid:S-1-5-21-... /krbtgt:hash /ptt # Forge a TGT and inject it into the session

Defensive Tools (PowerShell, ActiveDirectory module):
# Check when the KRBTGT password was last changed
Get-ADUser krbtgt -Properties PasswordLastSet | Select-Object Name, PasswordLastSet
# Reset the KRBTGT password (run twice, waiting for replication and 10+ hours between runs; the value chosen is irrelevant, nobody logs on with it)
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "NewPass" -AsPlainText -Force)
# List user accounts holding SPNs (Kerberoasting targets); krbtgt is excluded and Get-ADUser does not return computer accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null" -and Name -ne "krbtgt"} -Properties ServicePrincipalName, PasswordLastSet
# Enable the Security-log audit subcategories that produce 4768 and 4769
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
# Enable the KDC operational log (diagnostic detail; it does not replace the Security-log events above)
wevtutil sl "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational" /e:true

Golden Ticket Attack Kill Chain
1. **Initial access and escalation:** The attacker gains a foothold (e.g., phishing) and escalates to Tier 0: Domain Admin, or any account holding the directory replication rights.
2. **Key extraction:** With Mimikatz, `lsadump::dcsync /domain:contoso.com /user:krbtgt` returns the KRBTGT NT hash and AES keys. This requires both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (Domain Admins have them by default).
3. **Ticket forging:** `kerberos::golden` takes the KRBTGT key, the domain SID, any user name (existing or not) and any group RIDs (512 Domain Admins, 519 Enterprise Admins). Mimikatz defaults to a 10-year lifetime; with an AES256 key (/aes256) the forged ticket does not stand out as an RC4 ticket.
4. **Pass-the-Ticket:** `/ptt` injects the ticket into the current logon session; `/ticket` writes a .kirbi file for later use on another host.
5. **Persistence:** The attacker can act as any user until the KRBTGT password is changed twice, and can simply forge a fresh ticket whenever one is needed.
Logs: The forged TGT never passed through the KDC, so there is no Event 4768 for it and no record of its inflated lifetime. Each use produces a 4769 on whichever DC handles the TGS-REQ and a 4624 on the target. Hunt for 4769 and 4624 events naming an account that does not exist or is disabled, and for 4769 events from a host that never obtained a TGT (no 4768 on any DC) for that account.
DCSync Attack Execution
1. **Privilege Escalation:** The attacker compromises an account holding DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain naming context: Domain Admins, Enterprise Admins, a DC computer account, or anything delegated those rights (e.g., the Azure AD Connect synchronization account).
2. **Initiate Replication:** From any host that can reach a DC over RPC, the attacker runs `lsadump::dcsync /domain:contoso.com /user:administrator` in Mimikatz (or Impacket's `secretsdump.py` with `-just-dc`). The tool speaks the Directory Replication Service protocol (MS-DRSR) exactly as a peer DC would.
3. **Hash Retrieval:** The DC returns the account's NT hash, password history and Kerberos AES keys. Asking for krbtgt yields the material for a Golden Ticket; asking for every account dumps the domain.
4. **Lateral Movement:** The hashes are used directly (Pass-the-Hash, Overpass-the-Hash into a Kerberos TGT) or cracked offline.
5. **Cover Tracks:** The only server-side evidence is the DC's Security log, which the attacker may clear (that clearing is itself logged as Event 1102).
Logs: Event 4662 (Directory Service Access) on the DC with Access Mask 0x100 (Control Access), Object Type {19195a5b-6da0-11d0-afd3-00c04fd930c7} (the domainDNS class) and a Properties field containing {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes) and {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes-All). 4662 is high-volume, so filter on the two replication GUIDs and alert when the SubjectUserName is not a DC computer account or an approved synchronization account.
Kerberoasting Attack Process
1. **Reconnaissance:** The attacker enumerates user accounts with Service Principal Names (SPNs) using `setspn -T contoso.com -Q */*` (built into Windows) or PowerView (`Get-NetUser -SPN`). Computer accounts are skipped: their passwords are random and rotated.
2. **Request Service Ticket:** Any domain user may request a ticket for any SPN. Tools: `Rubeus.exe kerberoast`, or in PowerShell `Add-Type -AssemblyName System.IdentityModel` followed by `New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/sql01.contoso.com:1433"`. The returned ticket is encrypted with the service account's key (the NT hash when RC4 is used).
3. **Extract Ticket:** Rubeus prints the ticket as a hashcat line (`$krb5tgs$23$...` for RC4, `$krb5tgs$18$...` for AES256); Mimikatz `kerberos::list /export` writes the ticket cache to .kirbi files that are converted afterwards.
4. **Offline Cracking:** Hashcat mode 13100 (RC4, etype 23), 19600 (AES128, etype 17) or 19700 (AES256, etype 18), or John the Ripper's krb5tgs format. Nothing touches the domain during this step. A password that appears in a wordlist or follows a pattern falls regardless of its length; a long random one does not.
5. **Account Compromise:** The cracked password lets the attacker authenticate as the service account and inherit whatever rights it holds (often local admin on the service host, sometimes far more).
Logs: Event 4769 (Kerberos Service Ticket Requested) with Ticket Encryption Type 0x17 (RC4). The ServiceName field holds the account name, not the SPN, so service accounts appear by name. Many distinct service accounts requested by one TargetUserName within minutes, or RC4 requests from a client that normally receives AES tickets, are the signal.
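The "Logs:" notes in the Golden Ticket, DCSync and Kerberoasting walkthroughs above, turned into detection logic that runs over sample events. This is added example code, not a Microsoft or SIEM product rule; the events are constructed records whose field names follow the Security log XML (TargetUserName, ServiceName, TicketEncryptionType, SubjectUserName, Properties), and the account list, DC list and thresholds (three service accounts within five minutes) are assumed tuning values.

```python
from collections import defaultdict

# Extended-right GUIDs that appear in the Properties field of a 4662 when replication is requested.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES128 is 0x11, AES256 is 0x12

# Constructed sample events (Security log field names, times in seconds), not real log data.
# In a 4769 the ServiceName is the account that owns the SPN, and TargetUserName is user@REALM.
EVENTS = [
    {"EventID": 4768, "Time": 100, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "Time": 101, "TargetUserName": "jdoe@CONTOSO.COM", "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # mallory pulls RC4 tickets for three service accounts within seconds: Kerberoasting
    {"EventID": 4768, "Time": 200, "TargetUserName": "mallory", "IpAddress": "10.0.0.7", "Status": "0x0"},
    {"EventID": 4769, "Time": 201, "TargetUserName": "mallory@CONTOSO.COM", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"EventID": 4769, "Time": 202, "TargetUserName": "mallory@CONTOSO.COM", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"EventID": 4769, "Time": 203, "TargetUserName": "mallory@CONTOSO.COM", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    # replication rights exercised by a DC (normal) and by a user account (DCSync)
    {"EventID": 4662, "Time": 300, "SubjectUserName": "DC02$", "ObjectName": "DC=contoso,DC=com", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Time": 301, "SubjectUserName": "mallory", "ObjectName": "DC=contoso,DC=com", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # service tickets for a name the directory does not know and for a disabled account: no KDC issued those TGTs
    {"EventID": 4769, "Time": 400, "TargetUserName": "ghost-admin@CONTOSO.COM", "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.99"},
    {"EventID": 4769, "Time": 401, "TargetUserName": "bob@CONTOSO.COM", "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.99"},
]
KNOWN_ACCOUNTS = {"jdoe": "enabled", "mallory": "enabled", "svc_sql": "enabled", "bob": "disabled"}  # assumed directory state
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # assumed DC computer accounts


def detect_kerberoasting(events, min_services=3, window=300):
    # One user requesting RC4 tickets for several distinct service accounts inside a short window.
    # krbtgt (TGT renewals) and computer accounts ($) are excluded: they are not crackable targets.
    requests = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            svc = e["ServiceName"]
            if svc != "krbtgt" and not svc.endswith("$"):
                requests[e["TargetUserName"].split("@")[0]].append((e["Time"], svc))
    hits = {}
    for user, reqs in requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits


def detect_dcsync(events, domain_controllers):
    # A 4662 exercising either replication right from a principal that is not a DC computer account.
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e["Properties"].lower()
        if (DS_REPLICATION_GET_CHANGES in props or DS_REPLICATION_GET_CHANGES_ALL in props) \
                and e["SubjectUserName"] not in domain_controllers:
            hits.append((e["SubjectUserName"], e["ObjectName"]))
    return hits


def detect_forged_tgt(events, known_accounts):
    # A service-ticket request implies a TGT. Flag 4769s for accounts the directory does not know or has
    # disabled, and 4769s from a host that never received a TGT (no successful 4768) for that user.
    # Caveat: the 4768 may sit on a different DC, so feed this the merged Security logs of every DC.
    tgt_issued = {(e["TargetUserName"], e["IpAddress"]) for e in events if e["EventID"] == 4768 and e["Status"] == "0x0"}
    hits = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        user = e["TargetUserName"].split("@")[0]
        if known_accounts.get(user) != "enabled":
            hits.append((user, "unknown or disabled account"))
        elif (user, e["IpAddress"]) not in tgt_issued:
            hits.append((user, "no 4768 from " + e["IpAddress"]))
    return hits


def run_detections(events=EVENTS):
    return {"kerberoasting": detect_kerberoasting(events),
            "dcsync": detect_dcsync(events, DOMAIN_CONTROLLERS),
            "forged_tgt": detect_forged_tgt(events, KNOWN_ACCOUNTS)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

On the sample data this flags mallory for Kerberoasting (three RC4 tickets for three service accounts), mallory again for DCSync (replication GUIDs from a non-DC principal), and the two service-ticket requests that no legitimate TGT could have produced, while jdoe's ordinary 4768/4769 pair passes clean.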
Defending Against Pass-the-Hash
1. **Identify PtH Risk:** Audit all systems for NTLM usage (enable "Network security: Restrict NTLM: Audit NTLM authentication in this domain" first and review Event 8004 on the DCs). Then disable NTLM where possible via Group Policy: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" set to Deny All, with exceptions listed for the systems that still need it.
2. **Enable Credential Guard:** On Windows 10/11 Enterprise and Server 2016+, enable Virtualization-Based Security (VBS) and Credential Guard via Group Policy or the registry. LSASS secrets then live in an isolated process (LSAIso) that Mimikatz cannot read even with SYSTEM privileges on the host.
3. **Use Restricted Admin Mode for RDP:** Enable via Group Policy or `New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0 -PropertyType DWORD`. Your credentials are never sent to, or cached on, the remote host. Caveat: because the session authenticates with the hash alone, Restricted Admin also lets an attacker who already holds the hash RDP in (Pass-the-Hash over RDP); prefer Remote Credential Guard where it is available and limit Restricted Admin to administrative jump hosts.
4. **Implement Just Enough Administration (JEA):** Limit administrators to specific PowerShell commands through constrained endpoints, so a stolen admin credential buys fewer capabilities.
5. **Monitor Logs:** Look for Event 4624 with logon type 3 (network), logon process NtLmSsp and package NTLM from one source to many hosts under an administrative account. On endpoints, Mimikatz `sekurlsa::pth` leaves a 4624 with logon type 9 (NewCredentials), logon process seclogo and package Negotiate (runas /netonly produces the same shape, so baseline it). Also monitor bursts of failed credential validation (Event 4776 with a non-zero error code).
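The log indicators from step 5 above as detection logic over sample logon events. This is an added example written for this page, not a vendor rule: the 4624 records are constructed with Security log field names (LogonType, AuthenticationPackageName, LogonProcessName, TargetUserName, IpAddress, Computer), the admin account list is assumed, and the three-host threshold is an illustrative tuning value.

```python
from collections import defaultdict

# Constructed sample 4624 (successful logon) events, not real log data.
LOGONS = [
    # ordinary NTLM network logon from a user workstation to one file server
    {"Computer": "FS01", "LogonType": "3", "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    # one source host authenticating with NTLM as an admin account to many servers: hash-driven lateral movement
    {"Computer": "FS01", "LogonType": "3", "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "TargetUserName": "adm-mallory", "IpAddress": "10.0.0.7"},
    {"Computer": "SRV02", "LogonType": "3", "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "TargetUserName": "adm-mallory", "IpAddress": "10.0.0.7"},
    {"Computer": "SRV03", "LogonType": "3", "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "TargetUserName": "adm-mallory", "IpAddress": "10.0.0.7"},
    {"Computer": "SRV04", "LogonType": "3", "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "TargetUserName": "adm-mallory", "IpAddress": "10.0.0.7"},
    # a Kerberos logon from the same host does not count: it carried a ticket, not a replayable hash
    {"Computer": "SRV05", "LogonType": "3", "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos", "TargetUserName": "adm-mallory", "IpAddress": "10.0.0.7"},
    # sekurlsa::pth creates a NewCredentials (type 9) logon through the "seclogo" logon process on the host where it runs
    {"Computer": "WS07", "LogonType": "9", "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo", "TargetUserName": "mallory", "IpAddress": "::1"},
]
ADMIN_ACCOUNTS = {"adm-mallory", "adm-jdoe"}  # assumed list of privileged accounts


def detect_ntlm_fanout(events, admin_accounts, min_hosts=3):
    # Distinct target hosts reached with NTLM network logons per (source IP, admin account). An admin
    # spraying one hash across servers from a single workstation stands out; one NTLM logon does not.
    hosts = defaultdict(set)
    for e in events:
        if e["LogonType"] == "3" and e["AuthenticationPackageName"] == "NTLM" and e["TargetUserName"] in admin_accounts:
            hosts[(e["IpAddress"], e["TargetUserName"])].add(e["Computer"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def detect_pth_logon(events):
    # Mimikatz sekurlsa::pth leaves a type 9 logon with logon process "seclogo" and package Negotiate.
    # "runas /netonly" produces the same shape, so baseline which hosts and users legitimately do that.
    return [(e["Computer"], e["TargetUserName"]) for e in events
            if e["LogonType"] == "9" and e["LogonProcessName"].lower() == "seclogo"
            and e["AuthenticationPackageName"] == "Negotiate"]


def run_pth_detections(events=LOGONS):
    return {"ntlm_fanout": detect_ntlm_fanout(events, ADMIN_ACCOUNTS),
            "pth_logon": detect_pth_logon(events)}


if __name__ == "__main__":
    print(run_pth_detections())
```

The fan-out check fires for adm-mallory from 10.0.0.7 (four servers over NTLM; the Kerberos logon to SRV05 is ignored), and the endpoint check fires for the seclogo logon on WS07.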
Incident Response for AD Compromise
1. **Containment:** Immediately isolate compromised accounts and systems. Do not try to disable the KRBTGT account: it is disabled by default, nobody logs on with it, and its status has no effect on tickets already in circulation. Only a double password reset invalidates them.
2. **Eradication:** Reset the KRBTGT password twice, waiting for replication to complete and at least 10 hours (the maximum TGT lifetime) between resets, to invalidate Golden Tickets. Reset all service account and privileged account passwords, and rotate the computer account passwords of any DC you suspect was touched.
3. **Evidence Collection:** Capture memory from affected DCs before rebooting them, export the relevant Security log events (4768, 4769, 4662, 5136, 1102) from every DC, and take forensic images of affected systems.
4. **Analysis:** Determine the initial access vector (e.g., phishing, unpatched vulnerability). Use tools like BloodHound to map the attack paths the adversary could have taken from the compromised accounts.
5. **Recovery:** Restore from known good backups if necessary. Rebuild compromised DCs rather than cleaning them.
6. **Post-Incident:** Implement additional controls: enable Protected Users for privileged accounts, restrict delegation, audit and trim replication rights, and enforce MFA for all admin accounts.
Scenario 1: SOC Analyst Detecting a Golden Ticket Attack
A SOC analyst receives a SIEM alert: the domain controllers are logging Event ID 4769 (service ticket requested) for user 'jdoe' from a workstation IP at 3:00 AM, and no DC holds an Event 4768 (TGT issued) for that user from that host. The analyst checks the account and finds it is disabled. A disabled account cannot obtain a TGT, so the TGT behind those requests was forged with the KRBTGT key: a Golden Ticket. (The forged ticket is never visible in 4768, and 4768 does not record the 10-year lifetime a forged ticket carries; the absence of a TGT issuance is the tell.) The analyst escalates to the incident response team, who isolate the workstation, reset the KRBTGT password twice, assume every credential in the domain is exposed, and force a domain-wide password reset. Common mistake: ignoring the event because the user is disabled, on the assumption that no authentication is possible. The KDC does not re-validate the account inside a freshly forged TGT, so account status does not stop a Golden Ticket.
Scenario 2: Engineer Responding to DCSync
An engineer runs a routine audit of Directory Service Access events (4662) and sees an event with access mask 0x100 (Control Access) whose Properties list the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All GUIDs, on the domain naming context, from a principal that is not a domain controller. The engineer investigates and finds that a member server's account was delegated replication rights. The engineer revokes the delegation, resets the server's computer account password, and looks for where the replicated hashes went. The correct response is to assume the KRBTGT hash is among what was pulled and reset it twice. Common mistake: only revoking the delegation without resetting KRBTGT, which leaves the door open for Golden Ticket attacks.
Scenario 3: Blue Team Mitigating Kerberoasting
A blue team member reviews user accounts that hold SPNs and finds 50 of them with passwords shorter than 20 characters. They change all of those passwords to random 40-character strings and move new services onto group Managed Service Accounts (gMSA). They also set msDS-SupportedEncryptionTypes to AES only on the remaining service accounts, so the KDC stops issuing RC4 tickets for them, and set the Group Policy "Network security: Configure encryption types allowed for Kerberos" to AES on the hosts (after checking for legacy systems that still need RC4). The team monitors Event 4769 for encryption type 0x17 (RC4) and sees a spike from a single user, indicating an ongoing Kerberoasting attempt. They disable that user account and investigate its host. Common mistake: changing the passwords but leaving RC4 enabled. Tickets then keep arriving in the cheapest-to-crack form, any account that later receives a weak password is exposed again, and RC4 requests remain normal background noise instead of an alert.
What SY0-701 Tests on This Objective (4.6 Security Operations)
The exam expects you to:
Understand the role of AD in centralized authentication and authorization.
Identify common attacks: Golden Ticket, Silver Ticket, DCSync, Kerberoasting, Pass-the-Hash, Pass-the-Ticket.
Know the countermeasures: KRBTGT password rotation, Managed Service Accounts, Credential Guard, Restricted Admin mode, LAPS, Protected Users group.
Recognize logs and events: 4768 (TGT), 4769 (service ticket), 4662 (directory service access), 4776 (NTLM logon).
Apply Group Policy to harden AD: disable LM, NTLMv1, enable signing, restrict NTLM.
Most Common Wrong Answers and Why Candidates Choose Them
Wrong: 'To prevent Golden Ticket attacks, disable the KRBTGT account.' Why chosen: Candidates think disabling the account stops ticket issuance. Correct: Disabling KRBTGT breaks Kerberos entirely; you must reset its password twice.
Wrong: 'Kerberoasting can be prevented by disabling RC4 encryption.' Why chosen: RC4 is the weak link, but disabling it alone forces AES, which is stronger. Correct: Kerberoasting still works with AES if the password is weak; you must also use strong passwords and Managed Service Accounts.
Wrong: 'DCSync requires Domain Admin privileges.' Why chosen: Domain Admins have replication rights by default. Correct: Any account with Replication-Getting-Changes delegation can perform DCSync; not just Domain Admins.
Wrong: 'Pass-the-Hash is prevented by using Kerberos.' Why chosen: Kerberos is more secure than NTLM. Correct: Pass-the-Ticket is the Kerberos equivalent; PtH is prevented by Credential Guard and disabling NTLM.
Specific Terms and Values on the Exam
- KRBTGT: The account whose key encrypts TGTs and signs the PAC.
- NTDS.dit: The AD database file.
- Ports: 88 (Kerberos), 389 (LDAP), 636 (LDAPS), 445 (SMB, used for SYSVOL and Group Policy), 135 plus dynamic RPC ports (directory replication runs over RPC, not SMB).
- Event IDs: 4768 (TGT requested), 4769 (service ticket requested), 4662 (directory service access), 4776 (NTLM credential validation).
- Encryption types: RC4-HMAC (0x17), AES128 (0x11), AES256 (0x12); DES is 0x1 and 0x3.
Common Trick Questions
- A question names "Silver Ticket" but describes a Golden Ticket attack. Trick: a Silver Ticket forges a service ticket (not a TGT) and targets one specific service.
- "Which attack extracts password hashes from a DC?" Trick: DCSync, not Pass-the-Hash. PtH reuses hashes that were already captured.
Decision Rule for Eliminating Wrong Answers
On scenario questions: identify the attack first (e.g., "attacker uses a forged TGT" = Golden Ticket). Then the countermeasure must address the root cause (e.g., reset KRBTGT twice). Eliminate answers that suggest disabling services, changing ordinary user passwords, or adding firewall rules; these are not primary defenses against credential and ticket attacks.
Active Directory uses Kerberos (default) and NTLM for authentication; Kerberos is more secure but still vulnerable to ticket-based attacks.
The KRBTGT account's hash is used to sign all TGTs; compromise allows Golden Ticket attacks.
Countermeasure for Golden Ticket: Reset KRBTGT password twice with at least 10-hour interval.
DCSync attack extracts password hashes from a DC using replication; requires Replication-Getting-Changes right.
Kerberoasting exploits service accounts with SPNs; defend with strong passwords (25+ chars) and Managed Service Accounts.
Pass-the-Hash and Pass-the-Ticket reuse stolen credentials; mitigated by Credential Guard, Restricted Admin, and disabling NTLM.
Key event IDs: 4768 (TGT), 4769 (service ticket), 4662 (directory service access), 4776 (NTLM logon).
LAPS randomizes local admin passwords to prevent lateral movement; gMSA automates service account password management.
Protected Users group disables NTLM, DES, RC4, and delegation for its members.
Group Policy can enforce NTLM restrictions, Kerberos encryption (disable RC4), and auditing settings.
Ports: 88 (Kerberos), 389 (LDAP), 636 (LDAPS), 445 (SMB).
Always assume KRBTGT compromise if any admin-level breach is detected; reset immediately.
These come up on the exam all the time. Here's how to tell them apart.
Golden Ticket Attack
Forge a TGT (Ticket Granting Ticket) using KRBTGT hash.
Grants access to any resource in the domain.
Requires KRBTGT hash (Domain Admin privileges).
Valid until KRBTGT password is changed twice.
Never appears as a 4768 (the KDC did not issue it); shows up as 4769 requests and 4624 logons for an account that does not exist, is disabled, or never obtained a TGT.
Silver Ticket Attack
Forge a service ticket (TGS) using a service account's NTLM hash.
Grants access only to a specific service (e.g., CIFS, HTTP).
Requires the service account's hash (often lower privileges).
Valid until the service account password is changed.
Never reaches the DC, so no 4769 is logged; the only trace is a 4624 on the target host with no matching 4769.
NTLM Authentication
Challenge-response protocol.
The NT hash is the secret used to answer the challenge; no ticket is involved.
Susceptible to Pass-the-Hash and relay attacks.
No ticket lifetime; no mutual authentication by default.
Logs: Event 4776 (NTLM logon).
Kerberos Authentication
Ticket-based protocol using symmetric keys.
Uses KRBTGT and service account hashes.
Susceptible to Golden/Silver Ticket and Pass-the-Ticket.
Tickets have configurable lifetimes (default 10 hours).
Logs: Events 4768, 4769.
LAPS (Local Administrator Password Solution)
Manages local admin passwords on domain-joined computers.
Passwords are stored in AD and rotated regularly.
Prevents lateral movement using common local admin passwords.
Applies to built-in Administrator account or custom accounts.
Does not require any changes to service configuration.
Group Managed Service Accounts (gMSA)
Manages service account passwords automatically.
Passwords are managed by the domain and rotated periodically.
Makes Kerberoasting impractical (120-character random password rotated every 30 days by default) and eliminates password guessing for services.
Requires at least one Windows Server 2012 DC with a KDS root key, Windows Server 2012 or later hosts, and services that can run under a gMSA.
Eliminates the need to manually manage service account passwords.
Mistake
Resetting the KRBTGT password once is enough to invalidate Golden Tickets.
Correct
You must reset the KRBTGT password twice. The KDC accepts tickets encrypted under the current or the previous KRBTGT key (it keeps one generation of history so that TGTs issued just before a reset keep working while replication catches up). After one reset, a Golden Ticket forged with the stolen key is still the "previous" key and still works. Only the second reset pushes the compromised key out of history. Wait for replication to finish and at least the maximum TGT lifetime (10 hours by default) between the two resets so legitimate users are not logged out mid-session.
Mistake
Kerberoasting only works with RC4 encryption.
Correct
Kerberoasting works with any encryption type if the service account password is weak. AES-encrypted tickets can still be cracked offline, though it is slower. The key defense is a strong password, not just disabling RC4.
Mistake
DCSync requires physical access to a Domain Controller.
Correct
DCSync is a remote attack. The attacker initiates a replication request from any machine that has network access to a DC, using an account with replication rights. No physical access is needed.
Mistake
Pass-the-Hash only works with NTLMv1.
Correct
Pass-the-Hash works with any NTLM version (v1 or v2) because the hash is the same. The attack uses the NTLM hash directly, not the plaintext password. NTLMv2 does not prevent PtH.
Mistake
Enabling Credential Guard completely prevents credential theft.
Correct
Credential Guard protects LSASS secrets from direct memory access, but attackers can still use other techniques like keyloggers, token theft, or exploiting the system before Credential Guard is enabled. It significantly reduces but does not eliminate risk.
A Golden Ticket forges a TGT (Ticket Granting Ticket) using the KRBTGT account hash, giving access to any resource in the domain. A Silver Ticket forges a service ticket for a specific service using that service account's hash, granting access only to that service. Golden Ticket requires Domain Admin privileges to get the KRBTGT hash; Silver Ticket may require lower privileges if the service account hash is compromised. On the exam, remember that Golden = TGT (domain-wide), Silver = service ticket (specific).
Monitor Event ID 4662 (Directory Service Access) with access mask 0x100 (Control Access) on the domain NC (Object Type GUID {19195a5b-6da0-11d0-afd3-00c04fd930c7}, the domainDNS class) whose Properties contain the replication-right GUIDs {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes) and {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes-All). A single such request from a principal that is not a DC computer account or an approved synchronization account is suspicious. Also watch for Event 5136 (Directory Service Change) if objects are modified. Microsoft Defender for Identity (formerly Azure ATP, the successor to the on-premises Advanced Threat Analytics) detects anomalous replication requests from its DC sensors.
No. Disabling RC4 forces Kerberos to use AES encryption, but the service ticket is still encrypted with the service account's hash. An attacker can still request AES-encrypted tickets and crack them offline, though AES cracking is slower. The primary defense is using strong, random passwords (25+ characters) for service accounts, or better, using Managed Service Accounts (gMSA) that automatically rotate passwords.
The KRBTGT account is the service account for the Key Distribution Center (KDC) in Kerberos. Its password hash is used to encrypt and sign all Ticket Granting Tickets (TGTs). If an attacker obtains this hash, they can forge TGTs for any user, granting themselves domain admin privileges. Because the KRBTGT password is rarely changed, this is a high-value target. Defenders must protect it with strong access controls and reset it immediately if compromise is suspected.
LAPS (Local Administrator Password Solution) automatically manages and rotates the local administrator password on each domain-joined computer. The password is stored in AD as a confidential attribute and can be retrieved only by authorized users. Without LAPS, many organizations set the same local admin password on all machines, allowing an attacker who compromises one system to use that password to access others. LAPS randomizes each password, so a breach of one machine does not grant access to others.
The Protected Users group is a security group introduced with Windows 8.1 and Server 2012 R2. Members cannot use NTLM authentication, cannot use DES or RC4 in Kerberos pre-authentication, cannot be delegated, and receive 4-hour non-renewable TGTs. This blocks Pass-the-Hash and credential forwarding for those accounts. It is ideal for high-value user accounts such as Domain Admins. It is not a Kerberoasting defense: Microsoft advises against placing service or computer accounts in the group, and Kerberoasting targets the service account's key, not the requester's. Expect it to break older applications that require NTLM.
Enable advanced audit policies: "Audit Kerberos Authentication Service" (Event 4768), "Audit Kerberos Service Ticket Operations" (Event 4769), "Audit Directory Service Access" (Event 4662), "Audit Credential Validation" (Event 4776 for NTLM), and "Audit Logon" (Event 4624). Also enable the Kerberos KDC operational log (`Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational`) for diagnostic ticket detail. Forward all of these from every DC to a SIEM, because a TGT and the service tickets that follow it are often issued by different DCs and can only be correlated once the logs are merged.