Active Directory Misconfigurations
Comprehensive guide to Active Directory security misconfigurations. Covers Kerberoasting, AS-REP roasting, delegation, ACL abuse, and remediation strategies.
What Are Active Directory Misconfigurations?
Active Directory (AD) is the backbone of identity and access management in the vast majority of enterprise Windows environments. AD misconfigurations encompass a broad range of security weaknesses in the directory service's configuration: excessive privileges assigned to user and service accounts, insecure Kerberos delegation settings, weak Group Policy configurations, misconfigured access control lists (ACLs) on AD objects, accounts configured with "Do not require Kerberos preauthentication" (AS-REP roastable), service accounts with SPNs set and weak passwords (Kerberoastable), and the absence of a tiered administration model.
The complexity of Active Directory, combined with years of organic growth and administrative changes, makes misconfigurations nearly ubiquitous. Most enterprise AD environments contain numerous attack paths from a standard domain user to Domain Admin that a skilled attacker can identify and exploit. Common misconfigurations include: the Domain Users group holding excessive privileges, unconstrained delegation configured on member servers, Group Policy Preferences (GPP) containing embedded credentials, service accounts that are members of Domain Admins, LAPS (Local Administrator Password Solution) not deployed, and overly permissive ACLs that allow low-privileged users to modify high-privileged objects.
AD compromise represents one of the most severe outcomes of a security breach, as it provides the attacker with control over the entire identity infrastructure. With Domain Admin or equivalent privileges, an attacker can access any system, read any data, create persistent backdoor accounts, deploy group policy-based malware to every domain-joined computer, and extract credentials for every user in the organisation. Recovering from a full AD compromise often requires a complete environment rebuild.
How It Works
Attackers enumerate Active Directory misconfigurations using standard LDAP queries, which any authenticated domain user can perform. Tools like BloodHound (with the SharpHound or bloodhound.py collectors) provide automated mapping of AD relationships, privileges, and attack paths: bloodhound-python -c All -u user -p password -d domain.local -ns dc_ip. The resulting graph database visualises paths from any compromised user to Domain Admin, highlighting exploitable edges such as GenericAll or WriteDACL rights on an object, or group memberships, that chain together into privilege escalation.
Kerberoasting is one of the most common AD attack techniques. For any account that has a Service Principal Name (SPN) registered, the KDC issues a service ticket (TGS) whose encrypted part is protected with a key derived from that account's password. Any authenticated domain user can request such tickets and crack them offline; the request looks like ordinary Kerberos traffic and never touches the service itself. With Impacket, GetUserSPNs.py lists the SPNs and, with -request, obtains the tickets: GetUserSPNs.py domain.local/user:password -dc-ip dc_ip -request -outputfile kerberoast.txt, followed by offline cracking with Hashcat: hashcat -m 13100 kerberoast.txt wordlist.txt. Mode 13100 covers RC4 (etype 23) tickets; AES tickets (etype 17 and 18) require modes 19600 and 19700 and crack far more slowly, which is why restricting service accounts to AES is a meaningful hardening step. Service accounts with weak passwords are cracked in minutes, often yielding highly privileged accounts. Similarly, AS-REP roasting targets accounts without Kerberos preauthentication: the AS-REP for such an account contains material encrypted with the user's key and can be requested without knowing any password: GetNPUsers.py domain.local/ -dc-ip dc_ip -usersfile users.txt -format hashcat (hashcat mode 18200 for the RC4 form).
Unconstrained delegation causes every user who authenticates to the delegating server over Kerberos to forward a copy of their TGT, which the server caches in LSASS memory and can use to impersonate that user to any service. If an attacker compromises a server with unconstrained delegation, they can coerce a domain controller to authenticate to it using a coercion primitive such as PrinterBug (MS-RPRN) or PetitPotam (MS-EFSRPC), capture the DC machine account's TGT, and use it to perform DCSync, which is effectively domain admin. Constrained delegation misconfigurations (particularly with protocol transition enabled) and resource-based constrained delegation (RBCD) attacks provide additional escalation paths. ACL-based attacks exploit misconfigured permissions: for example, if a compromised user has GenericAll on the Domain Admins group, they can add themselves to it, and WriteDACL or WriteOwner on an object lets them first grant themselves whatever right they need. Tools like PowerView, the ActiveDirectory PowerShell module, and BloodHound are used to identify and exploit these paths.
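As an added example (not code from the original page), the following Python script triages the output files the Kerberoasting and AS-REP roasting commands above produce before cracking. hashcat runs a single hash mode per invocation, and GetUserSPNs.py and GetNPUsers.py write every ticket they obtain into one file regardless of encryption type, so a mixed file fed to -m 13100 makes hashcat reject the AES and AS-REP lines. The script parses each line, determines ticket kind and etype, splits the lines per hashcat mode and emits the commands, RC4 first because those crack orders of magnitude faster. The sample hash lines are constructed placeholders in Impacket's layout with fake hex, and the output file names and wordlist paths are assumptions.

```python
"""Triage Kerberoast / AS-REP roast output before handing it to hashcat.

hashcat runs one hash mode at a time, but GetUserSPNs.py and
GetNPUsers.py write every ticket they obtain into one file regardless of
encryption type. This splits the file by mode and orders the cracking
jobs cheapest first.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# hashcat mode per (ticket kind, Kerberos encryption type). RC4 (etype 23)
# tickets crack orders of magnitude faster than AES (etype 17/18) ones.
HASHCAT_MODES = {
    ("tgs", 23): 13100,    # Kerberos 5, etype 23, TGS-REP
    ("tgs", 17): 19600,    # Kerberos 5, etype 17, TGS-REP
    ("tgs", 18): 19700,    # Kerberos 5, etype 18, TGS-REP
    ("asrep", 23): 18200,  # Kerberos 5, etype 23, AS-REP
    ("asrep", 17): 32100,  # Kerberos 5, etype 17, AS-REP (hashcat 6.2.6+)
    ("asrep", 18): 32200,  # Kerberos 5, etype 18, AS-REP (hashcat 6.2.6+)
}
CHEAP_MODES = {13100, 18200}  # RC4-based: run these first

# $krb5tgs$23$*user$REALM$spn*$checksum$edata      (RC4)
# $krb5tgs$18$user$REALM$*spn*$checksum$edata      (AES)
TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*?(?P<user>[^$*]+)\$(?P<realm>[^$*]+)"
    r"\$\*?(?P<spn>[^$*]+)\*?\$[0-9a-fA-F]+\$[0-9a-fA-F]+$"
)
# $krb5asrep$23$user@REALM:checksum$edata          (RC4)
# $krb5asrep$18$user$REALM$checksum$edata          (AES)
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)[@$](?P<realm>[^:$]+)"
    r"[:$][0-9a-fA-F]+\$[0-9a-fA-F]+$"
)


@dataclass
class RoastHash:
    kind: str            # "tgs" or "asrep"
    etype: int
    user: str
    realm: str
    spn: Optional[str]   # only TGS lines carry the target SPN
    raw: str

    @property
    def mode(self) -> Optional[int]:
        return HASHCAT_MODES.get((self.kind, self.etype))


def parse_line(line: str) -> Optional[RoastHash]:
    """Parse one Impacket output line; None if it is not a roast hash."""
    line = line.strip()
    m = TGS_RE.match(line)
    if m:
        return RoastHash("tgs", int(m["etype"]), m["user"], m["realm"], m["spn"], line)
    m = ASREP_RE.match(line)
    if m:
        return RoastHash("asrep", int(m["etype"]), m["user"], m["realm"], None, line)
    return None


def triage(lines) -> Dict[int, List[RoastHash]]:
    """Group parseable lines by the hashcat mode that can crack them."""
    groups: Dict[int, List[RoastHash]] = defaultdict(list)
    for line in lines:
        h = parse_line(line)
        if h is not None and h.mode is not None:
            groups[h.mode].append(h)
    return dict(groups)


def crack_order(modes) -> List[int]:
    """RC4 modes first; AES modes cost far more per guess."""
    return sorted(modes, key=lambda m: (m not in CHEAP_MODES, m))


def hashcat_commands(lines, wordlist="/usr/share/wordlists/rockyou.txt",
                     rules="/usr/share/hashcat/rules/best64.rule",
                     prefix="roast") -> List[str]:
    """One hashcat invocation per mode, on the files written by split_files()."""
    return [f"hashcat -m {mode} {prefix}_{mode}.txt {wordlist} -r {rules}"
            for mode in crack_order(triage(lines))]


def split_files(lines, directory=".", prefix="roast") -> List[Path]:
    """Write one file per hashcat mode; returns the paths written."""
    paths = []
    for mode, hashes in triage(lines).items():
        path = Path(directory) / f"{prefix}_{mode}.txt"
        path.write_text("".join(h.raw + "\n" for h in hashes))
        paths.append(path)
    return paths


# Constructed sample lines in Impacket's output layout; the hex fields are
# placeholders, not real ticket material.
SAMPLE_LINES = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$" + "3a0f" * 4 + "$" + "9c1e" * 8,
    "$krb5tgs$18$svc_sql$CORP.LOCAL$*MSSQLSvc/sql01.corp.local:1433*$" + "7b2c" * 6 + "$" + "0d4a" * 8,
    "$krb5asrep$23$legacyapp@CORP.LOCAL:" + "55ab" * 4 + "$" + "e1f0" * 8,
    "this line is not a kerberos hash",
]

if __name__ == "__main__":
    for cmd in hashcat_commands(SAMPLE_LINES):
        print(cmd)
```

The same account appears twice in the sample on purpose: once with an RC4 ticket and once with an AES-256 ticket, which is what you see before and after RC4 is removed from its msDS-SupportedEncryptionTypes. Only the RC4 line goes to mode 13100; forcing AES does not stop the ticket request, it just moves the crack from minutes to a cost most attackers will not pay.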
Impact
- Complete domain compromise granting the attacker administrative control over every domain-joined system, user account, and resource
- Credential theft for all domain users through DCSync attacks (replicating password hashes from domain controllers) or NTDS.dit extraction
- Persistent backdoor access through creation of rogue admin accounts, Golden Tickets (forged Kerberos TGTs), Silver Tickets, or skeleton key attacks
- Mass malware deployment using Group Policy to push malicious scripts or software to every domain-joined computer
- Data exfiltration at scale with unrestricted access to file shares, databases, email, and application data across the entire organisation
- Privilege escalation from any standard domain user to Domain Admin through chained AD attack paths
- Business disruption through mass account lockouts, Group Policy manipulation, or Active Directory database corruption
- Extremely costly and complex recovery, as full AD compromise typically requires complete environment rebuild to eliminate attacker persistence
Remediation Steps
- Deploy BloodHound in an audit capacity to map all attack paths to Domain Admin and systematically remediate the shortest and most exploitable paths by removing unnecessary privileges, group memberships, and ACL entries
- Implement a tiered administration model separating Tier 0 (domain controllers, AD admin accounts, and anything that can control them), Tier 1 (servers), and Tier 2 (workstations), with strict controls preventing higher-tier credentials from ever being exposed on lower-tier systems. Microsoft's original guidance for this was the Enhanced Security Admin Environment (ESAE, "Red Forest"), which it has since retired in favour of the enterprise access model; the tiering principle is unchanged
- Enforce strong passwords (25+ characters, randomly generated) on all service accounts with SPNs, or preferably migrate them to Group Managed Service Accounts (gMSA), whose 240-byte passwords are generated and rotated automatically (every 30 days by default), making Kerberoasting them impractical. Also restrict these accounts to AES via msDS-SupportedEncryptionTypes so an attacker cannot request the weaker RC4 tickets
- Disable "Do not require Kerberos preauthentication" on all accounts unless there is a documented exception with compensating controls, and audit regularly for this flag being set
- Replace unconstrained delegation with constrained delegation or resource-based constrained delegation on all servers; no server other than domain controllers should have unconstrained delegation configured. Additionally mark privileged accounts as "Account is sensitive and cannot be delegated" so that any unconstrained-delegation host that remains cannot capture their TGTs
- Deploy LAPS (Local Administrator Password Solution) or Windows LAPS to ensure unique, randomly generated local administrator passwords on every domain-joined workstation and server, preventing pass-the-hash lateral movement with local admin credentials
- Implement Protected Users security group membership for all privileged accounts and enable Credential Guard on workstations to prevent credential theft from memory
- Conduct quarterly AD security assessments using tools like PingCastle, Purple Knight, or BloodHound to detect configuration drift and newly introduced misconfigurations
Testing Guidance
Active Directory testing should begin with comprehensive enumeration from an authenticated domain user perspective. Run BloodHound data collection: bloodhound-python -c All -u user -p password -d domain.local -ns dc_ip, or use SharpHound from a domain-joined system: SharpHound.exe -c All --outputdirectory C:\temp. Import the data into the BloodHound GUI and analyse the pre-built queries covering shortest paths to Domain Admins, Kerberoastable and AS-REP roastable accounts, systems with unconstrained delegation, and paths from owned principals. Each identified attack path represents a reportable finding; mark accounts as owned in BloodHound as they are compromised during the test so the "from owned principals" queries stay current.
Perform targeted AD attacks to validate exploitability. Execute Kerberoasting: GetUserSPNs.py domain.local/user:password -dc-ip dc_ip -request -outputfile kerberoast.txt, then attempt to crack the tickets: hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule. Test AS-REP roasting: GetNPUsers.py domain.local/ -dc-ip dc_ip -usersfile domain_users.txt -format hashcat -outputfile asrep.txt. Enumerate delegation: findDelegation.py domain.local/user:password -dc-ip dc_ip. Check for GPP passwords: crackmapexec smb dc_ip -u user -p password -M gpp_password. Enumerate ACL misconfigurations with PowerView: Find-InterestingDomainAcl -ResolveGUIDs.
Use PingCastle for a comprehensive AD security health check: PingCastle.exe --healthcheck --server dc_ip. This generates a detailed report with a security score and specific findings across four categories: Stale Objects, Privileged Accounts, Trusts, and Anomalies. For manual enumeration, use LDAP queries via ldapsearch or PowerShell AD module to identify: accounts with AdminCount=1, users with SPN set, accounts with "DONT_REQ_PREAUTH" flag, computers with "TRUSTED_FOR_DELEGATION" flag, and nested group memberships that grant unexpected privileges. Document each finding with the specific misconfiguration, the affected objects, the attack path it enables, and the potential impact if exploited.
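As an added example, not code from the page or from any of the tools it names, the following Python module encodes the manual enumeration checks described above. It builds the LDAP filters for each condition (using the 1.2.840.113556.1.4.803 bitwise-AND matching rule on userAccountControl, so they can be handed to ldapsearch or Get-ADObject -LDAPFilter) and applies the same rules to entries already pulled from the directory, so an ldapsearch export can be triaged offline and the classification tested. The attribute names are real AD schema attributes; the sample entries, the finding labels and the severity combination at the end are my own.

```python
"""Classify AD accounts from LDAP data: roastable, delegation, privileged.

LDAP_FILTERS are ready for ldapsearch or Get-ADObject -LDAPFilter. The
classify()/report() functions apply the same rules to entries already
retrieved from the directory so the logic can be checked offline against
the constructed entries at the bottom.
"""
from collections import defaultdict
from typing import Dict, List

# userAccountControl flag bits
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DOMAIN_CONTROLLERS_RID = 516                # primaryGroupID of writable DCs
BIT_AND = "1.2.840.113556.1.4.803"          # LDAP_MATCHING_RULE_BIT_AND


def uac(bit: int) -> str:
    """LDAP clause matching entries with the given userAccountControl bit set."""
    return f"(userAccountControl:{BIT_AND}:={bit})"


LDAP_FILTERS = {
    "asrep_roastable": f"(&(objectCategory=person)(objectClass=user){uac(DONT_REQ_PREAUTH)}(!{uac(ACCOUNTDISABLE)}))",
    "kerberoastable": f"(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!{uac(ACCOUNTDISABLE)}))",
    "unconstrained_delegation": f"(&(objectCategory=computer){uac(TRUSTED_FOR_DELEGATION)}(!(primaryGroupID={DOMAIN_CONTROLLERS_RID})))",
    "constrained_delegation": "(msDS-AllowedToDelegateTo=*)",
    "rbcd_configured": "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
    "admincount": "(&(objectClass=user)(adminCount=1))",
}


def classify(entry: dict) -> List[str]:
    """Return the finding labels that apply to one LDAP entry."""
    flags = int(entry.get("userAccountControl", 0))
    classes = [c.lower() for c in entry.get("objectClass", [])]
    name = entry.get("sAMAccountName", "")
    is_computer = "computer" in classes
    is_dc = int(entry.get("primaryGroupID", 0)) == DOMAIN_CONTROLLERS_RID
    findings: List[str] = []

    if flags & ACCOUNTDISABLE:
        return ["disabled"]  # KDC refuses tickets for it; hygiene item, not an attack path
    if flags & DONT_REQ_PREAUTH:
        findings.append("asrep_roastable")
    # Computer accounts have SPNs by design and 120-char random passwords;
    # krbtgt tickets are not crackable in practice either.
    if entry.get("servicePrincipalName") and not is_computer and name.lower() != "krbtgt":
        findings.append("kerberoastable")
    if flags & TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append("unconstrained_delegation")
    if entry.get("msDS-AllowedToDelegateTo"):
        label = "constrained_delegation"
        if flags & TRUSTED_TO_AUTH_FOR_DELEGATION:
            label += "_protocol_transition"  # S4U2Self: impersonate anyone without their ticket
        findings.append(label)
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd_configured")
    if int(entry.get("adminCount", 0)) == 1:
        findings.append("admincount")
    if "kerberoastable" in findings and "admincount" in findings:
        findings.append("privileged_kerberoastable")  # one cracked ticket is an admin
    return findings


def report(entries) -> Dict[str, List[str]]:
    """Map each finding label to the sAMAccountNames it applies to."""
    out: Dict[str, List[str]] = defaultdict(list)
    for entry in entries:
        for finding in classify(entry):
            out[finding].append(entry["sAMAccountName"])
    return dict(out)


# Constructed entries in the shape an LDAP client returns them.
# 0x200 = NORMAL_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT, 0x2000 = SERVER_TRUST_ACCOUNT
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "objectClass": ["top", "person", "user"],
     "userAccountControl": 0x200 | DONT_EXPIRE_PASSWD, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "legacyapp", "objectClass": ["top", "person", "user"],
     "userAccountControl": 0x200 | DONT_REQ_PREAUTH},
    {"sAMAccountName": "svc_old", "objectClass": ["top", "person", "user"],
     "userAccountControl": 0x200 | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "svc_web", "objectClass": ["top", "person", "user"],
     "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"]},
    {"sAMAccountName": "WEB01$", "objectClass": ["top", "person", "user", "computer"],
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION, "primaryGroupID": 515,
     "servicePrincipalName": ["HOST/web01.corp.local"]},
    {"sAMAccountName": "DC01$", "objectClass": ["top", "person", "user", "computer"],
     "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION, "primaryGroupID": 516},
]

if __name__ == "__main__":
    for finding, names in sorted(report(SAMPLE_ENTRIES).items()):
        print(f"{finding:40} {', '.join(names)}")
```

The domain controller is deliberately excluded from the unconstrained delegation finding by its primaryGroupID rather than by name, since that is the attribute the KDC and the LDAP filter agree on; a DC that someone has moved out of the Domain Controllers group is itself a finding. The kerberoastable check skips computer accounts because their SPNs are expected and their passwords are machine-generated, which is the same reason gMSAs are the right remediation for human-managed service accounts.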