Common AD Privilege Escalation Methods

-

By Pentester | Cybersecurity Enthusiast | Red Team | AD Hardening

📅 Published: April 5, 2025

🔖 Tags: ActiveDirectory, PrivilegeEscalation, PenTesting, PowerShell, RedTeam, CyberSecurity

💡 Introduction

In any Windows enterprise environment, Active Directory (AD) is the crown jewel. Compromising a single regular user account is often just the beginning — the real prize lies in escalating privileges to Domain Administrator (DA) or even Enterprise Admin.

This comprehensive guide covers:

  • ✅ All known Active Directory privilege escalation methods
  • ✅ Detection techniques using PowerShell
  • ✅ BloodHound Cypher queries for visualizing attack paths
  • ✅ A fully functional automated PowerShell audit script

Whether you're a red teamer, penetration tester, or defensive analyst, this post will help you understand how attackers move from low-privilege access to full domain compromise — and how to stop them.

🚨 Why This Matters

According to Microsoft and Mandiant, over 80% of network breaches involve some form of identity-based privilege escalation in AD. Misconfigurations like weak service account passwords, excessive ACLs, or misconfigured certificate services are silently exploited every day.

This guide arms you with the knowledge and tools to:

  • Find exploitable paths before attackers do
  • Harden your environment
  • Automate detection with scripts

Let’s dive in.

🔥 Top AD Privilege Escalation Methods Explained

Here’s a breakdown of the most common Active Directory privilege escalation techniques — what they are, how they work, and how attackers use them to reach Domain Administrator (DA).

Method How It Works Privilege Escalation Path
Kerberoasting Requests encrypted service tickets (TGS) for SPN accounts using weak passwords. These tickets can be cracked offline using tools like Hashcat. Crack service account password → Use credentials to access systems with DA privileges or reset other accounts.
AS-REP Roasting Exploits users with "Do not require Kerberos pre-authentication" enabled. An attacker requests an AS-REP ticket without knowing the password. Offline crack the ticket → Gain access to user account → Escalate via group membership or ACL abuse.
ACL Abuse (GenericAll, WriteDacl) Abuses overly permissive Access Control Lists (ACLs) on AD objects (e.g., Domain, User, Group). Add self to Domain Admins group or reset DA password using ResetPassword right.
Unconstrained Delegation Servers with this setting receive full TGTs of users who authenticate to them. If compromised, attacker can steal those TGTs. Steal DA's TGT from memory → Impersonate DA across the domain indefinitely.
Constrained Delegation Allows a server to impersonate a user to specific services. Exploited via S4U2Self/S4U2Proxy extensions. Request access to high-value services (e.g., CIFS on DC) as DA → Gain elevated access.
RBCD (Resource-Based Constrained Delegation) If you have write access to a computer object, you can configure it to trust your machine for delegation. Configure target DC/computer to trust you → Request S4U tickets as DA → Execute code as DA.
DCSync Abuses replication rights (DS-Replication-Get-Changes*) to pull password hashes directly from the DC, mimicking a replica. Extract NTLM hash of DA → Use Pass-the-Hash or create Golden Ticket for full control.
NTLM Relay + PrinterBug Forces a machine (like DC) to authenticate via MS-RPRN (Printer Bug), then relays that auth to LDAP. Relay DC's authentication → Enable unconstrained delegation → DCSync attack.
AD CS ESC1–ESC8 Exploits misconfigured Certificate Authority (CA) templates (e.g., ENROLLEE_SUPPLIES_SUBJECT) to issue certificates for DA accounts. Enroll certificate as DA → Convert to PFX → Request TGT → Authenticate as DA without password.
DNSAdmins → DA DNSAdmins can load arbitrary DLLs via dns.exe. A malicious DLL gives SYSTEM code execution when DNS service restarts. Load DLL → Run code as SYSTEM → Dump LSASS → Extract DA credentials.
GPO Abuse If a user can edit a GPO linked to Domain Controllers or privileged systems, they can push malicious startup scripts. Edit GPO → Add script → Code runs as SYSTEM on DC → Full DA compromise.
Pass-the-Hash (PtH) Uses stolen NTLM hash instead of password to authenticate remotely (via SMB, WMI, etc.). Obtain DA hash (via dumping) → Authenticate to admin shares or execute commands as DA.
Pass-the-Ticket (PtT) Uses stolen Kerberos tickets (TGT or TGS) to impersonate a user without needing the password. Steal DA’s ticket → Inject into memory → Access resources as DA.
Silver Ticket Fake service ticket created using the NTLM hash of a service account (e.g., HOST, CIFS). Forge ticket for DC service → Access DC without triggering Golden Ticket alerts.
Golden Ticket Fake TGT created using KRBTGT account hash. Bypasses domain authentication entirely. Create infinite valid TGTs as any user (e.g., DA) → Full persistence and domain dominance.
Overpass-the-Hash / Pass-the-Key Converts NTLM hash into a Kerberos TGT, enabling Kerberos-based attacks. Turn hash into usable TGT → Perform Kerberoasting, PtT, or lateral movement as DA.
LLMNR/NBT-NS Poisoning Responds to name resolution requests (e.g., mistyped paths), tricking users into sending NTLMv2 hashes. Capture DA’s hash when they connect to a fake share → Crack or relay for access.
Shadow Credentials (Whisker) Adds a public key to an object’s msDS-KeyCredentialLink attribute to enroll certs. Add key to DA account → Request certificate → Authenticate as DA via Kerberos.
Token Impersonation Steals access tokens from processes (especially high-integrity ones) using SeImpersonatePrivilege. Gain SYSTEM access → Steal DA token → Impersonate DA in new session.
LSASS Memory Dumping Dumps LSASS process memory to extract plaintext passwords, hashes, and Kerberos tickets. Local admin → Dump LSASS → Find DA credentials → Reuse elsewhere.

💡 Key Insight: Most escalations rely on misconfigurations, not zero-day exploits. Proper hardening eliminates 90% of these paths.

🛠️ PowerShell Commands: Detect Common Risks

You don’t need admin rights to start hunting. Here are key PowerShell commands that detect high-risk configurations.

🔎 1. Find Kerberoastable Accounts

Get-ADUser -Filter {ServicePrincipalName -ne "$null" -and Enabled -eq $true} `
-Properties ServicePrincipalName, lastLogonDate | Select Name, ServicePrincipalName

🔎 2. Detect AS-REP Roasting Targets

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true -and Enabled -eq $true} `
-Properties DoesNotRequirePreAuth, lastLogonDate

🔎 3. Check for Dangerous ACLs

# Requires PowerView
Invoke-ACLScanner | Where-Object {$_.ActiveDirectoryRights -match "GenericAll"}

🔎 4. List Unconstrained Delegation Hosts

Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Property Name

🔎 5. Find Who Can Perform DCSync

"Domain Admins", "Enterprise Admins", "Replication Operators" | ForEach-Object {
    Get-ADGroupMember $_ -Recursive | Select @{N="Via";E={$_}}, Name
}

⚠️ Run these from a standard domain user session to simulate attacker access.

🕸️ BloodHound: Visualize Attack Paths

BloodHound is a game-changer. Use these Cypher queries in the query tab to uncover hidden privilege escalation routes.

🔗 All Paths to Domain Admins

MATCH (u:User)-[r*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}) RETURN u,r,g

🔥 Users with GenericAll on Domain

MATCH (n)-[:GenericAll]->(m {domain:"CORP.LOCAL"}) RETURN n,m

🔥 RBCD Misconfigurations

MATCH (u)-[:AllowedToAct]->(c:Computer) RETURN u,c

🔥 ESC1: Vulnerable Certificate Templates

MATCH (u:User)-[r:Enroll]->(t:CertificateTemplate) WHERE t.enrolleeSuppliesSubject = true RETURN u,t,r

💡 Tip: Mark high-value targets (Set-HVT) and owned accounts (Set-Own) to focus attacks.

🧩 The Ultimate: Automated PowerShell Audit Script

Manual checks work — but automation scales. Introducing Invoke-ADAudit.ps1: a lightweight, read-only PowerShell script that scans your AD for common misconfigurations.

✅ Features:

  • No admin rights required (most checks)
  • Outputs to console + CSV log
  • Color-coded severity levels
  • Covers: Kerberoasting, AS-REP, ACLs, Delegation, DCSync, DNSAdmins, RBCD, GPOs, ADCS
  • Safe for production use

📜 Full Script: Invoke-ADAudit.ps1

# Invoke-ADAudit.ps1
# Automated AD Security Checker | For Authorized Use Only
$OutputFile = "$env:TEMP\ADAudit_$(Get-Date -Format 'yyyyMMdd_HHmm').csv"
$results = @()

Write-Host "`n[+] Starting AD Security Audit..." -ForegroundColor Green

Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Write-Findings {
    param([string]$Check, [string]$Info, [string]$Severity = "Low")
    $color = switch ($Severity) {
        "Critical" { "Red" }
        "High"     { "Magenta" }
        "Medium"   { "Yellow" }
        default    { "Gray" }
    }
    Write-Host "[*] $Check`: $Info" -ForegroundColor $color
    $results += [PSCustomObject]@{
        Check      = $Check
        Info       = $Info
        Severity   = $Severity
        Timestamp  = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    }
}

try {
    $Domain = (Get-ADDomain).Name
    $DomainDN = (Get-ADDomain).DistinguishedName
    Write-Findings "Domain Detected" "$Domain (`$DomainDN`)" "Low"
} catch {
    Write-Host "[!] Failed to query AD. Are you on a domain-joined machine?" -ForegroundColor Red
    exit
}

# 1. Kerberoasting Targets
try {
    $spnUsers = Get-ADUser -Filter {ServicePrincipalName -ne "$null" -and Enabled -eq $true} -Properties ServicePrincipalName, lastLogonDate
    if ($spnUsers) {
        foreach ($u in $spnUsers) {
            Write-Findings "Kerberoastable Account" "$($u.Name) [SPN: $($u.ServicePrincipalName)] Last Logon: $($u.lastLogonDate)" "High"
        }
    } else {
        Write-Findings "Kerberoast Check" "No SPN users found" "Low"
    }
} catch { Write-Findings "Error" "Failed to query SPN users: $_" "Medium" }

# 2. AS-REP Roasting Targets
try {
    $asrepUsers = Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true -and Enabled -eq $true} -Properties DoesNotRequirePreAuth, lastLogonDate
    if ($asrepUsers) {
        foreach ($u in $asrepUsers) {
            Write-Findings "AS-REP Roastable" "$($u.Name) (Pre-Auth Disabled)" "Critical"
        }
    } else {
        Write-Findings "AS-REP Check" "All users require pre-auth" "Low"
    }
} catch { Write-Findings "Error" "Failed to query pre-auth settings: $_" "Medium" }

# 3. Dangerous ACLs
try {
    $domainObj = Get-ADObject -Identity (Get-ADDomain).DistinguishedName
    $acl = (Get-Acl "AD:\$($domainObj.DistinguishedName)")
    foreach ($access in $acl.Access) {
        if ($access.IdentityReference -notmatch "NT AUTHORITY|BUILTIN|DENY") {
            $perms = $access.ActiveDirectoryRights.ToString()
            $identity = $access.IdentityReference.Value
            if ($perms -match "GenericAll|WriteDacl|WriteOwner") {
                Write-Findings "Dangerous ACL" "$identity has '$perms' on Domain" "Critical"
            }
        }
    }
} catch { Write-Findings "Error" "ACL enumeration failed: $_" "Medium" }

# 4. Unconstrained Delegation
try {
    $unconstrained = Get-ADComputer -Filter {TrustedForDelegation -eq $true -and Enabled -eq $true}
    if ($unconstrained) {
        foreach ($c in $unconstrained) {
            Write-Findings "Unconstrained Delegation" "Computer: $($c.Name)" "High"
        }
    } else {
        Write-Findings "Unconstrained Deleg." "None found" "Low"
    }
} catch { Write-Findings "Error" "Unconstrained delegation check failed: $_" "Medium" }

# 5. DCSync-Capable Accounts
try {
    $dcsyncGroups = @("Domain Admins", "Enterprise Admins", "Replication Operators", "Administrators")
    foreach ($group in $dcsyncGroups) {
        $members = Get-ADGroupMember $group -Recursive | Where-Object { $_.objectClass -eq "user" }
        foreach ($m in $members) {
            Write-Findings "DCSync Risk" "$($m.name) via group '$group'" "Critical"
        }
    }
} catch { Write-Findings "Error" "DCSync group membership check failed: $_" "Medium" }

# 6. DNSAdmins Members
try {
    $dnsadmins = Get-ADGroupMember "DNSAdmins" -ErrorAction SilentlyContinue
    if ($dnsadmins) {
        foreach ($u in $dnsadmins) {
            Write-Findings "DNSAdmins Member" "$($u.Name)" "High"
        }
    }
} catch { Write-Findings "DNSAdmins Check" "Group not found or empty" "Low" }

# 7. RBCD Already Configured?
try {
    $rbcdComputers = Get-ADComputer -Filter * -Property msDS-AllowedToActOnBehalfOfOtherIdentity | 
                     Where-Object { $_."msDS-AllowedToActOnBehalfOfOtherIdentity" -ne $null }
    if ($rbcdComputers) {
        foreach ($c in $rbcdComputers) {
            Write-Findings "RBCD Configured" "$($c.Name) allows impersonation" "High"
        }
    }
} catch { }

# 8. ADCS Present?
try {
    $ca = Get-ChildItem "Cert:\LocalMachine\CA" -ErrorAction SilentlyContinue
    if ($ca) {
        Write-Findings "AD CS Detected" "Certificate Authority present" "High"
        Write-Findings "AD CS Warning" "Run Certify.exe for detailed analysis" "High"
    }
} catch { }

# Final Output
Write-Host "`n[+] Audit Complete. Writing results to $OutputFile" -ForegroundColor Green
$results | Export-Csv -Path $OutputFile -NoTypeInformation

Write-Host "`n[📊] Summary:" -ForegroundColor Cyan
$results | Group-Object Severity | ForEach-Object {
    $count = $_.Count
    $severity = $_.Name
    $color = switch ($severity) {
        "Critical" { "Red" }
        "High"     { "Magenta" }
        "Medium"   { "Yellow" }
        default    { "White" }
    }
    Write-Host "    $severity`: $count finding(s)" -ForegroundColor $color
}

Write-Host "`n[📁] Full log saved to: $OutputFile" -ForegroundColor Yellow

🚀 How to Use

  1. Save as Invoke-ADAudit.ps1
  2. Open PowerShell as a domain user
  3. Run: 
    Set-ExecutionPolicy Bypass -Scope Process -Force
    .\Invoke-ADAudit.ps1

📌 Results saved to: %LOCALAPPDATA%\Temp\ADAudit_YYYYMMDD_HHMM.csv

🛡️ Defensive Recommendations

Risk Fix
KerberoastingUse gMSA, enforce strong passwords
AS-REP RoastingEnable pre-auth for all users
DelegationRemove unless absolutely needed
ACL AbuseAudit with BloodHound monthly
ADCS MisconfigDisable web enrollment; audit templates
DNSAdminsRemove non-admin members
LSASSEnable PPL protection
NTLMDisable or enforce signing

📎 Download the Bundle

👉 Download ZIP: AD_Audit_Bundle.zip (coming soon)

Includes:

  • Invoke-ADAudit.ps1
  • RunAudit.bat
  • Tools folder with Certify.exe, SharpHound.exe, Rubeus.exe

Or clone from GitHub:

git clone https://github.com/[]/ad-audit-tools.git

📚 Further Reading

💬 Final Thoughts

Understanding privilege escalation in Active Directory isn't just for attackers — it's essential for defenders. By thinking like an adversary, you can proactively secure your environment.

Use this script responsibly. Harden your AD. Monitor for anomalies. And always stay one step ahead.

🔐 Secure today. Sleep better tonight.

✉️ Subscribe for More

Want more guides on AD exploitation, detection engineering, or red teaming?
🔔 Subscribe to our blog and get weekly updates!

💬 Leave a comment below — what escalation method have you seen most in the wild?

Disclaimer: This content is for educational and authorized testing purposes only. Unauthorized access to computer systems is illegal. Always obtain proper permission before conducting security assessments.

Comments

Post a Comment

Popular posts from this blog

Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp)

-
Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp) 🤖 Build Your Own AI Penetration Tester: Claude + MCP + Burp Suite A complete step-by-step tutorial to replicate autonomous security testing (25 labs + 2 BSCP exams solved) ⚡ Inspired by "Sonnet Took the Exam. I Just Watched." Originally published on Notion · Tutorial expanded for hands-on replication 🎯 What you'll build: An autonomous AI agent (Claude Sonnet 4.6) that can browse web apps via Playwright, inspect raw HTTP traffic via Burp Suite, and chain XSS → SQLi → RCE to solve PortSwigger labs — completely on its own. 📚 Table of Contents Overview & Architecture Prerequisites & Hardware Step 1: Install Claude Code & MCP Step 2: Configure Playwright MCP Server Step 3: Burp Suite & Burp MCP Integration ...
Read more

InfluxDB TCP 8086 (Default) — Authentication Bypass & Pentest Notes

-
``` Target: InfluxDB (port 8086) Affected versions: < 1.7.6 (CVE-2019-20933) Vulnerability description InfluxDB versions prior to 1.7.6 contain an authentication bypass in the authenticate function in services/httpd/handler.go . A crafted JWT token may contain an empty SharedSecret , allowing an attacker to bypass authentication and perform sensitive actions such as reading internal metrics, modifying data, or executing administrative operations. Risk No formal risk description available in original advisory. Impact depends on exposed instance and data sensitivity. Recommendation Upgrade to influxdb version 1.7.6~rc0-1 or later. Apply vendor-provided patches and restrict access to port 8086 with network controls. References Exploit: LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 CVE-2019-20933 — MITRE NVD — CVE-2019-20933 InfluxData patch commit Exploitation ...
Read more

Mastering PowerShell Execution Policy Bypass

-
📋 Table of Contents 1. Introduction to PowerShell Execution Policies 2. Understanding Execution Policy Mechanisms 3. Basic Bypass Techniques 4. Advanced Bypass Methods 5. PowerShell Script Signing 6. Converting PowerShell to Executables 7. Advanced Obfuscation Techniques 8. Steganographic Delivery Systems 9. Bypassing Reputation-Based Protection 10. Practical Implementation Scenarios 11. Detection Evasion Strategies 12. Conclusion and Best Practices 🔒 Introduction to PowerShell Execution Policies This guide is used in professional penetration testing training and aligns with MITR...
Read more