Active Directory - Red Teaming - Part 1
What is Red Teaming?
Red teaming in Active Directory is the process of simulating real-world cyberattacks to identify weaknesses in an organization’s AD environment. It focuses on gaining initial access, escalating privileges, and moving laterally to reveal security gaps before real attackers exploit them.
Red Teams are divided into 3 Groups:
Red teams are typically divided into three groups: Cyber, which tests digital defenses through hacking simulations (e.g., network penetration, AD attacks); Social, which exploits human behavior using tactics like phishing or impersonation; and Physical, which attempts to bypass physical security by tailgating, lockpicking, or accessing restricted areas.
Red Team Emulation
Emulates (copies) the behavior of a specific real-world threat group—including their tools, techniques, and attack patterns.
Example: Acting exactly like APT29, using the same phishing style, malware families, and stealthy lateral movement they are known for.
Goal: Test how well defenses can detect and respond to that specific adversary’s TTPs.
Red Team Simulation
Simulates a realistic attack scenario, but not tied to any particular threat actor.
Example: Performing a generic ransomware attack simulation—phishing, privilege escalation, lateral movement—without following any one attacker group’s style.
Goal: Test overall security readiness, incident response, and detection capabilities for broad attack categories.
In simple terms
Emulation = “Copy a known attacker.”
Simulation = “Act like an attacker, but not a specific one.”
Penetration Testing in Active Directory
Focuses on finding technical vulnerabilities inside the AD environment such as weak passwords, misconfigured permissions, unpatched systems, or vulnerable services.
The tester uses common AD attack techniques (Kerberoasting, AS-REP Roasting, LDAP enumeration, privilege escalation paths) to identify issues and report them.
Goal: Find as many AD weaknesses as possible so they can be fixed.
Example:
A pentester runs BloodHound to map AD privileges, discovers an ACL misconfiguration that allows privilege escalation, exploits it, and documents the issue.
Red Teaming in Active Directory
Simulates a real attacker’s full attack path inside AD, focusing on stealth, evasion, and achieving a mission (e.g., obtain Domain Admin or steal sensitive data).
Uses advanced AD attack chains, but only those needed to reach the objective—not everything.
Goal: Test detection, response, and how well the blue team can stop an actual AD compromise.
Example:
A red team phishes an employee, steals AD credentials, quietly moves laterally, avoids detection systems, and escalates to Domain Admin—just like a real attacker would.
In Simple Terms (Active Directory Context)
Pentest (AD): “Find all the AD vulnerabilities.”
Red Team (AD): “Act like a real attacker to see if we can take over AD without being caught.”
1. Penetration Testing
Goal:
Find as many vulnerabilities as possible within a defined scope.
Characteristics:
Broad coverage, shallow depth
Typically time-boxed (1–2 weeks)
Testers try to identify and exploit vulnerabilities
Usually no stealth requirement
Focus is on technical weaknesses (apps, systems, networks)
Often done with cooperation from IT team
Produces a list of findings, severity, and fixes
2. Red Teaming
Goal:
Simulate a real-world adversary to test the organization’s detection, response, and resilience.
Characteristics:
- Narrow scope, deep depth
- Focuses on end-to-end attack chains
- Stealthy — avoids detection
- Tests people, processes, and technology
- Often mapped to adversary TTPs (e.g., MITRE ATT&CK)
- Blue Team usually not informed ("assume breach" scenario)
- Success measured by achieving a mission objective, such as:
  - domain compromise
  - data exfiltration
  - privilege escalation
1. Extensive OSINT
Collecting publicly available information about the target—such as employee names, technologies used, or exposed online assets—to understand attack surfaces.
Example: Scraping LinkedIn for staff roles or discovering outdated software versions from public job postings.
2. Initial Access & Execution
Attempting to gain the first point of entry into the environment through social engineering, exposed services, or supply-chain weaknesses.
Example: A phishing document that lures an employee into running a benign macro simulation during testing.
3. Persistence & Privilege Escalation
Maintaining access after initial entry and seeking higher privileges to control more systems.
Example: Setting up a harmless scheduled task in a test environment to simulate a persistence mechanism while analyzing policy weaknesses.
4. Lateral Movement with Defensive Evasion
Moving across other systems or network segments while attempting to avoid detection by defensive tools.
Example: Using legitimate remote-administration tools (in a controlled test) to mimic how an attacker might pivot without triggering alerts.
5. Discovery & Data Collection
Mapping internal systems, configurations, and accessing data relevant to the red-team objectives.
Example: Enumerating file shares or identifying critical servers to assess how an attacker might prioritize targets.
6. Data Exfiltration & High-Level Persistence
Simulating the extraction of sensitive data and establishing long-term footholds that survive resets or password changes.
Example: Exfiltrating dummy test data through approved channels to validate DLP controls, or documenting where an attacker might implant long-term access.
1. Extensive OSINT — Analogy: Planning a Bank Heist by Observation
A thief spends days watching a bank from across the street—when employees arrive, what security guards do, which doors are used, and what brand of locks are installed.
Cyber analogy: A red teamer studies a company’s public website, employee social media, GitHub repos, and job postings to understand their technology stack and weak spots.
2. Initial Access & Execution — Analogy: Entering the Building
The thief tricks an employee into holding the door open or finds a window that was accidentally left unlocked.
Cyber analogy: A red teamer gains a foothold via a harmless phishing test or an exposed login portal to understand how an attacker could enter.
3. Persistence & Privilege Escalation — Analogy: Hiding Inside and Getting Master Keys
Once inside, the thief hides in a storage room to avoid being detected and later swipes a janitor’s master key to access more areas.
Cyber analogy: A red teamer sets up a legitimate scheduled job in a test network to simulate persistence and identifies misconfigurations that would let an attacker elevate permissions.
4. Lateral Movement with Defensive Evasion — Analogy: Sneaking to Other Rooms Without Being Seen
The thief quietly moves between rooms using service corridors, avoiding cameras and guards, to reach valuable areas.
Cyber analogy: A red teamer uses approved administrative tools to pivot across systems, testing how well monitoring detects unusual movement.
5. Discovery & Data Collection — Analogy: Mapping the Building and Finding the Vault
The thief maps the building layout, finds the vault, and checks where documents or money are kept.
Cyber analogy: A red teamer identifies key servers, network shares, and critical business data to understand potential attacker priorities.
6. Data Exfiltration & High-Level Persistence — Analogy: Smuggling Documents Out and Leaving a Hidden Way Back In
The thief takes photos of documents and hides a spare key outside the building to return later.
Cyber analogy: A red teamer tests DLP controls by transferring dummy data to see if alarms trigger and documents how an attacker might maintain long-term access.
Below are short explanations of common AD red-team infrastructure terms and security concepts, with simple examples.
1. C2 Server (Command-and-Control Server)
A central server used by a red team to remotely manage implants, issue commands, and receive results in a controlled test.
Example: A Cobalt Strike or Mythic server that coordinates simulated attacker activity.
2. Payload Server
A server that only hosts files or payloads and delivers them when a target system requests them.
Example: A lightweight web server that provides a benign test executable or script during an exercise.
3. Redirector
A server placed between the target and the C2 server to hide the real infrastructure and blend traffic.
Example: A proxy server that forwards only specific requests to the real C2 and drops everything else.
Adversary Emulation
Replicates a known threat actor’s specific behaviors, tools, and techniques to test defenses accurately.
Example: Simulating APT29’s workflow using their documented TTPs.
Adversary Simulation
A more general test that imitates attacker behavior without copying a specific threat group.
Example: Performing a simulated phishing attack to assess user awareness.
APT (Advanced Persistent Threat)
A highly skilled, well-funded threat group that maintains long-term access to targets.
Example: Nation-state groups conducting months-long cyber espionage.
Vulnerability vs Exploit
A vulnerability is a weakness in a system; an exploit is a method used to take advantage of that weakness.
Example: A missing patch (vulnerability) and a technique to gain access through it (exploit).
Demilitarized Zone Network (DMZ)
A network segment exposed to the internet but isolated from the internal network for security.
Example: Hosting a public web server in a DMZ so the internal LAN stays protected.
Militarized Zone Network
A more tightly controlled zone between the DMZ and internal LAN, with stricter monitoring and limited access routes.
Example: Application servers that talk to both the DMZ web server and internal database.
TTPs (Tactics, Techniques, and Procedures)
Structured descriptions of how attackers operate: tactics = goals, techniques = how they achieve them, procedures = detailed steps.
Example: Tactic (Lateral Movement), technique (RDP usage), procedure (connecting via stolen credentials).
Operational Terms
Listener
A service waiting to accept incoming connections from agents, shells, or payload callbacks.
Example: A listener that waits for a reverse shell connection.
Exploitation
The act of taking advantage of a vulnerability to gain unauthorized access during a controlled test.
Example: Using a known flaw to simulate entry into a test system.
Singles: One-piece payloads that contain everything needed to execute.
Example: A single script that runs immediately without needing extra downloads.
Stages: Additional payload components delivered after the initial foothold.
Example: A small file pulling down a larger agent later.
Stagers: The initial lightweight code that downloads the stage.
Example: A tiny script that fetches the full implant.
Shells: Interfaces providing command execution on a remote machine.
Example: A command prompt session controlled remotely.
Reverse Shell: The target machine connects back to the red team’s listener to provide command access.
Example: A test host initiating an outbound connection to a C2.
Bind Shell: The target opens a port and waits for the operator to connect.
Example: A host listening on port 4444 for a remote connection.
Enterprise environment with Active Directory:
- Internet – The global network of interconnected systems outside the enterprise perimeter, accessible publicly. It is the primary source of external threats and communication.
- Firewall – A security device or software that filters incoming and outgoing network traffic based on defined policies. It protects internal networks from unauthorized access.
- DMZ Network (Demilitarized Zone) – A semi-isolated network segment between the internet and internal networks. Hosts public-facing services while limiting direct access to the enterprise network.
- Enterprise Network – The internal corporate network connecting users, servers, and services under central management, often integrated with Active Directory.
- Militarized Network – Another term for a highly secure network segment, often overlapping with DMZ, designed to isolate sensitive systems from external threats.
- Red Team – A group of security professionals who simulate real-world attacks to test and improve an organization’s defenses.
Description for each component in an Enterprise Network, with examples:
- Enterprise Network – The internal network of an organization connecting all users, computers, and servers. It is managed centrally, often using Active Directory, to control access and security. Example: A company network where employees access shared drives and applications.
- Web Server – A server that hosts websites or web applications, responding to user requests over HTTP/HTTPS. Example: A corporate website hosted on Apache or IIS servers.
- Mail Server – A server that handles sending, receiving, and storing emails within an organization. Example: Microsoft Exchange Server managing company emails.
- Database Server – A server that stores and manages structured data for applications or users. Example: SQL Server or Oracle storing customer and product data.
- Bastion Host (Jump Server) – A secure server used to access internal systems from an external network. Example: Admins connect to a jump server before accessing sensitive database servers.
- Automation Server – A server that runs automated tasks, scripts, or workflows to reduce manual effort. Example: Jenkins or Ansible server deploying code or managing system updates automatically.
Active Directory (AD) terms—Forest, Domain, Organizational Units (OUs), and Groups—explained with simple scenarios and real-world examples.
1. Forest
Definition
A Forest is the top-level container in Active Directory.
It is the security and trust boundary and can contain multiple domains.
Key Points
All domains inside a forest trust each other automatically.
Forest defines the overall AD structure.
Scenario Example
A large multinational company, TechGlobal Inc, has offices in different countries:
USA
Germany
India
Each region needs its own domain to manage resources independently.
So TechGlobal creates one AD Forest:
👉 Forest Name: techglobal.com
👉 Contains these domains:
usa.techglobal.com
germany.techglobal.com
india.techglobal.com
All domains trust one another because they are in the same forest.
2. Domain
Definition
A Domain is a logical group of:
Users
Computers
Groups
OUs
Policies
It shares a common database and security policies.
Scenario Example
Inside TechGlobal Forest, the USA office has its own domain:
👉 Domain: usa.techglobal.com
This domain stores:
All US employees’ user accounts
US computers and servers
US security policies (e.g., password rules)
Someone in the India domain cannot log in to the US servers unless permission is explicitly given, even though trust exists.
3. Organizational Units (OUs)
Definition
An Organizational Unit is a container inside a domain used to:
Organize users, computers, and groups
Apply Group Policies (GPOs)
Delegate administrative permissions
Scenario Example
In the usa.techglobal.com domain, the IT admin organizes resources using OUs:
OUs:
USA_Users
USA_Computers
USA_Departments
Sales
Finance
HR
IT
Example:
All Sales employees → placed in OU: Sales
All Finance computers → placed in OU: Finance_Computers
Why use OUs?
Because the IT admin can:
Apply a group policy only to the Finance OU
Allow the HR manager to reset passwords only for HR OU users
Prevent Sales computers from installing unauthorized software
4. Groups
Definition
A Group is a collection of users, computers, or other groups.
Used mainly for:
Assigning permissions
Managing access
Simplifying admin tasks
Types of Groups in AD
Security Groups – used for permissions (e.g., file access)
Distribution Groups – used for email lists
Scenario Example
Inside the Sales OU, TechGlobal creates groups:
Security Groups
Sales_ReadAccess → can read files in Sales Share
Sales_ModifyAccess → can edit files
Users are then added based on job role:
John (Sales Executive) → Sales_ReadAccess
Mary (Sales Manager) → Sales_ModifyAccess
Distribution Groups
Automatically emails all Sales employees
Putting It All Together (Complete Scenario)
Forest: techglobal.com
Domains:
usa.techglobal.com
germany.techglobal.com
india.techglobal.com
Inside usa.techglobal.com Domain:
OUs:
USA_Users
USA_Computers
Departments
HR
Sales
Finance
Groups for Sales:
Sales_ReadAccess (security)
Sales_ModifyAccess (security)
All_Sales (distribution)
User Example:
John Smith (Sales → USA_Users/Sales OU)
Member of Sales_ReadAccess
Receives sales emails via All_Sales
Result:
John can access only sales-related shared folders.
Finance policies do not affect John because he is in the Sales OU.
Admin can easily manage access by adding/removing users from groups.
| AD Term | What It Is | Example |
|---|---|---|
| Forest | Top-level security boundary | techglobal.com |
| Domain | Contains users, computers, policies | usa.techglobal.com |
| OU | Organizes domain objects | OU: Sales, OU: HR |
| Group | Grants permissions & email distribution | Sales_ReadAccess, All_Sales |
Active Directory Objects and Kerberos Ticket Components, explained with scenarios.
ACTIVE DIRECTORY OBJECTS – Explained with Scenarios
1. Domain Users
Definition
A Domain User is an account created in Active Directory for a person who needs access to domain resources.
Scenario Example
Company: TechGlobal Inc
Domain: corp.techglobal.com
The HR department hires a new employee John Davis.
The IT admin creates a domain user account:
Username: j.davis
Account Location: corp.techglobal.com/Users
Permissions: Access to email, HR portal, shared drives
Now John can:
Log in to any corporate workstation
Access HR-shared folders
Receive GPO settings automatically
2. Domain Groups (Global Groups)
Definition
A Global Group contains users from the same domain and is commonly used to assign permissions.
Scenario Example
Department: Sales
The domain admin creates groups:
GG_Sales_Read
GG_Sales_Write
Users:
Alice → Sales Executive
Robert → Sales Manager
Group assignment:
Alice → GG_Sales_Read
Robert → GG_Sales_Write
File server permissions:
GG_Sales_Read → Read access to \\FileServer\Sales
GG_Sales_Write → Modify access to \\FileServer\Sales
Now:
Alice can view but not edit sales reports.
Robert can edit them.
Benefit: Manage permissions by groups, not individuals.
3. Domain Computers
Definition
A Domain Computer is a workstation or server that has been joined to the Active Directory domain.
Scenario Example
A new laptop is issued to John Davis.
Steps:
IT joins the laptop to domain corp.techglobal.com
Computer object appears in AD under:
corp.techglobal.com/Computers → LAPTOP-12345
Benefits:
Laptop receives GPOs (security, software updates)
John can log in using his domain user account
Admins can manage it remotely through AD tools
4. Group Policy Objects (GPOs)
Definition
A GPO is a set of rules that controls:
Security settings
Software installations
Desktop configurations
Password policies
GPOs can apply to:
Users
Computers
OUs
Scenario Example
The IT team wants:
All users’ screensavers to auto-lock after 10 minutes.
Disable USB storage on all Finance computers.
So they create two GPOs:
GPO 1: ScreenLock_GPO
Applies to All Domain Users
Setting: Lock after 10 minutes
GPO 2: Finance_USB_Block_GPO
Applied to OU: Finance_Computers
Setting: Disable USB storage devices
Now:
Every user’s screen locks after 10 minutes.
Only Finance computers have USB disabled.
KERBEROS AUTHENTICATION OBJECTS IN AD
Kerberos is the authentication protocol used in Active Directory.
Here are the two main ticket types:
5. Ticket Granting Ticket (TGT)
Definition
A TGT is issued to a user after they log in.
It proves the user's identity to the domain controller without requiring a password again.
Scenario Example (John logs in)
John presses Ctrl+Alt+Del and enters:
Username: j.davis
Password: *****
The Domain Controller verifies his credentials.
The DC issues John a Ticket Granting Ticket (TGT).
This TGT:
Is encrypted with the KRBTGT account key
Lets John request access to other services without re-entering his password
So when John uses:
Shared folder
Email server
Printer
Windows uses the TGT silently.
6. Ticket Granting Service (TGS) Ticket
Definition
A TGS Ticket is issued when a user wants access to a specific service.
While TGT verifies identity,
TGS ticket gives permission to a specific resource.
Scenario Example (Accessing a shared folder)
John wants to access \\FileServer01\HRDocs.
John’s computer sends his TGT to the Kerberos Ticket Granting Service (TGS).
TGS checks:
Is John allowed to access FileServer01 service?
If yes → TGS issues a TGS Ticket for FileServer01.
John’s computer sends the TGS Ticket to FileServer01.
FileServer01 grants access.
In short:
TGT = “I am John Davis”
TGS Ticket = “John Davis has permission to access this service”
Complete Real-World Flow
John Logs In
✔ AD verifies password
✔ John receives TGT
John Opens File Share
✔ Sends TGT → TGS
✔ Receives TGS Ticket for FileServer
✔ Access granted to shared folder (based on AD group membership)
John’s Access Controlled By:
Domain User Account
Global Groups (e.g., GG_HR_Read)
GPOs applied to his OU
Computer object where he logs in
Summary Table
| Object | Description | Example |
|---|---|---|
| Domain Users | User accounts in AD | j.davis |
| Domain Groups | Group of users for permissions | GG_Sales_Read |
| Domain Computers | Machines joined to the domain | LAPTOP-12345 |
| GPOs | Policies applied to users/computers | ScreenLock_GPO |
| TGT | Proves identity to domain | Issued at login |
| TGS Ticket | Proves access to specific service | Access to FileServer |
Below is a clear, practical explanation of the Logical Components and Physical Components of Active Directory, using simple language, real-life examples, and scenarios.
ACTIVE DIRECTORY – Logical vs Physical Components
Active Directory is made up of:
Logical components → How AD data is organized
Physical components → How AD is implemented in the real world
Think of it like a library:
Logical components = how books are categorized
Physical components = shelves, rooms, and buildings
Let’s break each one down.
LOGICAL COMPONENTS (How AD is Organized)
Logical components help manage users, computers, structure, and policies in an organized way.
Sites
Meaning
Logical grouping of network locations (usually IP subnets).
Scenario
TechGlobal has 3 offices:
New York
London
Singapore
Each location becomes an AD Site:
Site 1: NewYork-Site
Site 2: London-Site
Site 3: Singapore-Site
This helps:
Control authentication traffic
Ensure users connect to the nearest Domain Controller
Faster login and policy updates
Organizational Units (OUs)
Meaning
Used to organize users, computers, and groups.
Scenario
In the New York site, IT creates OUs:
NY_Users
NY_Computers
NY_Departments
Sales
Finance
HR
OUs allow:
Delegated administration
Targeted GPO application
Schema
Meaning
Defines what objects can exist and what attributes they have.
Think of schema as a master blueprint.
Scenario
Schema says:
A User object must have:
FirstName
LastName
Password
Email
If a developer adds a custom application requiring a “BusinessUnit” attribute, the schema must be updated.
Partitions (Naming Contexts)
Meaning
AD database is divided into partitions.
The main partitions:
Schema Partition
Configuration Partition
Domain Partition
Application Partition
Scenario
Schema partition → rules for AD objects
Configuration → AD topology (sites, services)
Domain partition → domain-specific users, groups, computers
Application → DNS records
This separation prevents unnecessary replication across the entire forest.
Domain Trees
Meaning
Domains connected in hierarchical parent–child relationships.
Scenario
TechGlobal creates:
corp.techglobal.com (parent)
usa.corp.techglobal.com (child)
asia.corp.techglobal.com (child)
All share the same DNS namespace → called a Domain Tree.
Domain
Meaning
A security boundary containing:
Users
Computers
Groups
OUs
Policies
Scenario
Domain: corp.techglobal.com
Contains:
4000 users
3000 computers
40 departments
Domains help administer resources securely and independently.
Forest
Meaning
The highest-level logical container.
A forest can contain multiple domains.
Scenario
TechGlobal has:
techglobal.com
techglobal-europe.com
Both domains trust each other → one forest.
PHYSICAL COMPONENTS (How AD Works in Real World)
These are the actual servers, databases, and replicas that make AD function.
Domain Controllers (DCs)
Meaning
Servers that store and manage:
User authentication
AD database
Group policies
Scenario
TechGlobal New York has:
DC1
DC2
Users in New York authenticate using these two DCs.
If DC1 fails, DC2 handles all requests → high availability.
Read-Only Domain Controller (RODC)
Meaning
A Domain Controller with a read-only copy of the AD database.
Scenario
Remote branch office in a risky location:
No strong security
Limited IT staff
They install an RODC so:
AD cannot be modified locally
Stolen server won’t reveal passwords
Faster login for local employees
Global Catalog (GC)
Meaning
A special role on a Domain Controller containing a partial read-only copy of every object in the forest.
Scenario
User "John" in U.S. searches:
“Find Mary in Europe office”
Only GC can search across domains and forests.
GC helps in:
Universal group membership
Forest-wide searches
Login authentication
Data Store
Meaning
The physical AD database files stored on DCs.
Stored in:
C:\Windows\NTDS\ntds.dit
Scenario
AD stores:
Usernames
Password hashes
Groups
GPO links
All stored in the AD DS database files on each DC.
If a DC is restored from backup, the data store recovers all objects.
PUTTING IT ALL TOGETHER (Scenario)
Company: TechGlobal Inc
Locations: US, UK, India
Forest: techglobal.com
Logical Components
| Component | Example |
|---|---|
| Sites | NewYork-Site, London-Site |
| OUs | Sales, HR, IT |
| Schema | Defines user attributes |
| Partitions | Schema, Domain, Configuration |
| Domain Tree | asia.techglobal.com → child of corp |
| Domain | corp.techglobal.com |
| Forest | techglobal.com |
Physical Components
| Component | Example |
|---|---|
| Domain Controllers | NY-DC1, NY-DC2 |
| RODC | India Branch Office RODC |
| Global Catalog | NY-DC1 hosts GC |
| Data Store | AD database files on each DC |
Simple Understanding
Logical = How AD is structured
(Like folders and hierarchy)
Physical = How AD works
(Like servers and databases)
Below is a scenario-based explanation of the main Privileged Groups in Active Directory and the privileges they hold, with real-world examples.
ACTIVE DIRECTORY – Privileged Groups Explained with Scenarios
Privileged groups are high-level security groups that have elevated permissions in Active Directory.
Their misuse can compromise the entire domain or even the entire forest.
Let’s go group by group.
Domain Admins (DA)
Privileges
Full administrative control over the entire domain
Can manage:
User accounts
Group memberships
Group Policies
Domain controllers
File servers
Security configurations
Scenario
Company: TechGlobal Inc
Domain: corp.techglobal.com
John, the senior AD administrator, is a member of Domain Admins.
John can:
Reset any user’s password, including the CEO’s
Create or delete OUs
Manage Group Policies
Add computers to the domain
Shut down or manage domain controllers
If John makes a mistake → it affects the whole domain.
Domain Admin is one of the most powerful roles in AD.
Enterprise Admins (EA)
Privileges
Highest privilege group in the entire forest
Exists only in the forest root domain
Automatically added to Domain Admins of every child domain
Can create or modify domains and trusts
Scenario
Forest root domain: techglobal.com
Child domains:
us.techglobal.com
eu.techglobal.com
Sara is a member of “Enterprise Admins” in the forest root domain.
Sara can:
Create a new child domain (e.g., asia.techglobal.com)
Remove or edit a domain
Change cross-domain trust relationships
Modify forest-wide schema settings
Administer all domain admins across all child domains
EA = God-mode account.
Typically kept empty and used only for highly critical tasks.
BUILTIN\Administrators (Local Administrators on DC)
Privileges
Full local admin rights on a Domain Controller
Can manage:
Local security policies
Services
Logs
Backups
Files
Scenario
Domain Controller: DC01
Michael is added to BUILTIN\Administrators group.
He can:
Install updates or software on DC01
Restart services
Modify registry
Read AD database files (ntds.dit), if given file access
Configure firewall rules
Note:
Being a local admin on a DC is almost as dangerous as being a Domain Admin because the DC = the domain.
Server Operators
Privileges
They can:
Manage servers without being Domain Admin
Start/stop services
Backup/restore data
Log on locally
Shut down domain controllers
Manage shared folders
But they cannot:
Change security settings
Modify domain-wide GPO
Change Domain Admin accounts
Scenario
In TechGlobal, mid-level IT technicians need to:
Restart services
Deploy backups
Maintain servers
So they are added to Server Operators group.
They can:
Restart services on DC
Restore system state backup
Shut down the DC during maintenance
But they cannot:
Create domain users
Modify domain policies
This group is for server maintenance, not full control.
Account Operators
Privileges
Can manage non-privileged user accounts:
Create users
Reset passwords
Modify user attributes
Disable/enable accounts
Create groups (non-admin groups)
They cannot:
Modify Domain Admins
Modify Enterprise Admins
Modify Server Operators
Scenario
HR Teams require password resets and new user creation.
Lisa (HR specialist) is added to Account Operators.
Lisa can:
Create user accounts for new employees
Reset forgotten passwords
Disable terminated employee accounts
Create non-admin groups like “SalesTeam”
But Lisa cannot:
Reset the password of a Domain Admin
Modify Server Operators
Create an Admin account
This keeps administrative control safe while allowing HR to handle routine tasks.
Summary Table (with simple definitions)
| Privileged Group | What It Can Do | Example Scenario |
|---|---|---|
| Domain Admins (DA) | Full domain control | John manages all domain resources |
| Enterprise Admins (EA) | Full forest control | Sara creates a new child domain |
| BUILTIN\Administrators | Local admin on DC | Michael installs updates on DC01 |
| Server Operators | Server maintenance | Tech team restarts DC services |
| Account Operators | Manage normal user accounts | HR staff resets employee passwords |
Why These Groups Matter (Real Security Impact)
If Domain Admin is compromised → entire domain is compromised
If Enterprise Admin is compromised → whole forest is compromised
Server Operators can potentially escalate privilege (they can shut down DCs)
Account Operators can create accounts → possible insider abuse
Therefore:
These groups should have VERY FEW members
Their activities must be highly monitored
MFA and auditing should always be enabled
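One way to put "very few members" and "highly monitored" into practice is a recurring membership audit. The following is an added Python example, not code from the original page: it resolves nested group membership for the five groups described above over a constructed membership export (real exports would come from a directory query), flags nested groups, over-size groups and a non-empty Enterprise Admins, and produces the watch list of accounts whose activity deserves monitoring. The default nesting of Domain Admins and Enterprise Admins inside Administrators is treated as expected.

```python
# Constructed sample export: group -> direct members (user names, or group names when nested).
SAMPLE_GROUPS = {
    "Enterprise Admins": [],
    "Domain Admins": ["john", "IT-Helpdesk"],
    "Administrators": ["Domain Admins", "Enterprise Admins", "michael"],
    "Server Operators": ["Tech-Team"],
    "Account Operators": ["lisa"],
    "IT-Helpdesk": ["tom", "priya", "amit"],
    "Tech-Team": ["dave", "IT-Helpdesk"],
}

PRIVILEGED = ["Enterprise Admins", "Domain Admins", "Administrators",
              "Server Operators", "Account Operators"]

# Nesting that AD sets up by default and that should not be reported as a finding.
DEFAULT_NESTING = {("Administrators", "Domain Admins"), ("Administrators", "Enterprise Admins")}


def effective_members(groups, name, _seen=None):
    """Resolve nested membership recursively.

    Returns (users, nested_groups): every user reachable from `name` and the
    groups traversed on the way. `_seen` guards against circular nesting.
    """
    _seen = {name} if _seen is None else _seen
    users, nested = set(), []
    for member in groups.get(name, []):
        if member in groups:                      # member is itself a group
            if member in _seen:
                continue                          # circular nesting: already expanded
            _seen.add(member)
            nested.append(member)
            sub_users, sub_nested = effective_members(groups, member, _seen)
            users |= sub_users
            nested += sub_nested
        else:
            users.add(member)
    return users, nested


def audit(groups, max_members=3):
    """Effective membership of each privileged group plus findings a defender should act on."""
    members, findings = {}, []
    for group in PRIVILEGED:
        users, nested = effective_members(groups, group)
        members[group] = sorted(users)
        for sub in nested:
            if (group, sub) not in DEFAULT_NESTING:
                findings.append(f"{group}: nested group '{sub}' silently grants this privilege "
                                f"to all of its members")
        if len(users) > max_members:
            findings.append(f"{group}: {len(users)} effective members (limit {max_members})")
        if group == "Enterprise Admins" and users:
            findings.append("Enterprise Admins: should be empty except during forest-level changes")
    # Every account that ends up in any privileged group belongs on the monitoring watch list.
    watch_list = sorted({user for group in PRIVILEGED for user in members[group]})
    return {"members": members, "findings": findings, "watch_list": watch_list}


if __name__ == "__main__":
    report = audit(SAMPLE_GROUPS)
    for group, users in report["members"].items():
        print(f"{group:20s} {', '.join(users) or '(empty)'}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```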
Below is a clear, simple, and scenario-based explanation of Kerberos Authentication, TGT, TGS, and Kerberos Delegation.
What is Kerberos Authentication?
Kerberos is a secure authentication protocol used in Active Directory environments.
It allows users and computers to prove their identity over the network without sending passwords.
It works using:
Tickets
Shared secrets (keys)
Encryption
💡 Simple Explanation
Kerberos uses a “ticket-based” system.
Instead of entering your password every time you access a resource, you log in once, receive a ticket, and use that ticket for all future access.
Key Components of Kerberos
| Component | Description |
|---|---|
| KDC (Key Distribution Center) | Runs on Domain Controllers, issues Kerberos tickets |
| AS (Authentication Service) | Verifies user credentials |
| TGS (Ticket Granting Service) | Issues service tickets for resources |
| TGT (Ticket Granting Ticket) | Your identity ticket after login |
| Service Ticket (TGS Ticket) | Allows access to services (File servers, SQL, etc.) |
1. What is a TGT (Ticket Granting Ticket)?
✔ Definition
A TGT is a special ticket issued after a user logs in successfully.
It proves the user’s identity to the domain controller without asking for the password again.
✔ What It Contains
User identity and group membership (the PAC)
A session key and an expiration time (10 hours by default)
The ticket is encrypted with the krbtgt account’s key, so the client can present it but can neither read nor alter it
✔ Scenario
User: John
John logs into Windows using:
Username: john.d
Password
The KDC verifies the pre-authentication data (a timestamp encrypted with a key derived from John’s password); the password itself never crosses the network.
KDC issues John’s TGT.
Now John can access other resources (file shares, printers, applications) without entering his password again.
2. What is a TGS Ticket (Service Ticket)?
✔ Definition
A TGS Ticket is issued by the KDC when a user wants access to a specific service (like SQL Server, File Share, or Website).
✔ Scenario
John wants to access:
\\FILESERVER01\HRDocs
John’s PC sends his TGT plus the target SPN (CIFS/FILESERVER01) to the KDC (TGS component).
KDC decrypts and verifies the TGT with the krbtgt key.
KDC issues a service ticket for FILESERVER01, encrypted with the key of the account that runs the service (here the computer account FILESERVER01$).
John’s PC sends that ticket to FILESERVER01, which decrypts it with its own key and reads John’s identity and groups from it.
Access granted (subject to the share and NTFS permissions, which is authorization, not authentication).
👉 Key Difference
TGT → Proves identity
TGS Ticket → Proves permission to access a specific service
Kerberos Authentication Flow (Simple)
User logs in → gets TGT
User accesses service → system uses TGT to request a TGS ticket
User presents TGS ticket to service → access granted
What is Kerberos Delegation?
Kerberos Delegation allows a service to act on behalf of a user to access another backend service.
This is used when:
A user accesses a web app
The web app needs to access a database as the user
✔ Example:
User → Web Server → Database
The database should see the user’s identity, not the web server’s identity.
Types of Kerberos Delegation
Unconstrained Delegation
Service can act as the user for any service.
HIGHLY insecure.
When a user authenticates to the service, a copy of the user’s TGT is sent along and cached on that server; whoever controls the server can use it to request tickets to any service as that user.
A legacy setting, but still common: Domain Controllers have it by default, and any other account with "Trust this computer for delegation to any service" is a prime target.
Example
ServerA is allowed to impersonate users for any backend service in the domain.
→ Dangerous because ServerA can impersonate any user who connects to it (even a Domain Admin): compromising ServerA is as good as compromising everyone who authenticates to it.
Constrained Delegation
Service can act as the user only for specific services.
More secure.
Admin explicitly specifies:
“This server → can access → SQL01 → on behalf of users”
Example
A web application (IIS01) needs to access:
SQL Server (SQL01)
Admin configures delegation:
IIS01 is allowed to obtain service tickets as the user only for SQL01 (the SPN list lives in msDS-AllowedToDelegateTo on IIS01’s account)
Caveat: if "protocol transition" (use any authentication protocol) is also enabled, IIS01 can obtain those tickets for users who never authenticated to it at all, so a compromised IIS01 can reach SQL01 as anyone.
Resource-Based Constrained Delegation (RBCD) (Newer & recommended)
Controlled on the resource/server side, not the service side.
More secure in the normal case, because the resource owner decides who may impersonate users to it, without needing domain-admin rights.
Flexible and granular.
Example
SQL01 (resource) is configured to allow IIS01 only (the allow-list is stored in msDS-AllowedToActOnBehalfOfOtherIdentity on SQL01’s account).
This avoids the forwarded-TGT exposure of unconstrained delegation. Caveat: anyone with write access to that attribute on a computer object can add an account they control and impersonate users to that computer, so ACLs on computer objects matter.
Scenario That Explains Delegation Easily
🖥 User: Mary
🌐 App Server: App01
🗄 Database Server: SQL01
Mary logs into a web portal hosted on App01.
The web application needs Mary’s identity to fetch her records from SQL01, not a generic service account.
Kerberos Delegation allows App01 to:
Receive Mary’s ticket
Request a new ticket as Mary to access SQL01
Return Mary’s data
Without delegation:
SQL01 would not know who Mary is
It would see only App01’s identity
Short Interview-Friendly Answer
Kerberos is a ticket-based authentication protocol used in Active Directory to securely authenticate users without sending passwords over the network.
During login, the user receives a TGT (Ticket Granting Ticket).
When accessing resources, the TGT is used to obtain a TGS (Service Ticket).
Kerberos Delegation allows a service to act on behalf of a user to access another service, with types including Unconstrained Delegation, Constrained Delegation, and Resource-Based Constrained Delegation.
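The AS and TGS exchanges above, together with constrained delegation and the offline cracking that Kerberoasting relies on, as a runnable toy model. This is an added example, not code from the original post or from any Kerberos implementation: it replaces Kerberos’ real AES/RC4-HMAC ciphers with a SHA-256 keystream plus HMAC so it runs on the standard library, and every name in it (realm CORP.LOCAL, accounts john.d/svc_iis/svc_sql, SPNs HTTP/iis01 and MSSQLSvc/sql01, passwords) is made up.

```python
"""Toy model of the Kerberos exchanges described above (AS/TGS), delegation and
Kerberoasting. Added example, not from the original post. `seal` is a SHA-256
keystream plus HMAC, not Kerberos' AES/RC4-HMAC: what matters is who holds which key."""
import hashlib, hmac, json, os, time

def derive_key(password, salt):
    # AD derives the AES key from the password with a salted KDF (RC4 uses the raw
    # NT hash); either way the key is a deterministic function of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000)

def _keystream(key, length):
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON document under `key`; only `key` can open it."""
    plain = json.dumps(obj, sort_keys=True).encode()
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, len(plain))))
    return hmac.new(key, body, "sha256").digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, len(body)))))

class KDC:
    # The AS and TGS roles of a DC: it holds every principal's long-term key.
    def __init__(self, realm, passwords, spn_owner, groups, constrained, rbcd):
        self.keys = {p: derive_key(pw, realm + p) for p, pw in passwords.items()}
        self.spn_owner = spn_owner      # SPN -> account that runs the service
        self.groups = groups            # user -> groups (what goes into the PAC)
        self.constrained = constrained  # front-end account -> SPNs it may delegate to
        self.rbcd = rbcd                # back-end SPN -> front-end accounts it trusts

    def as_exchange(self, user, preauth):
        """AS-REQ carries a timestamp sealed with the user's key, so the password is
        verified without being sent; AS-REP returns a TGT sealed with krbtgt's key."""
        unseal(self.keys[user], preauth)["timestamp"]          # wrong password -> ValueError
        session = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "session": session,
                                          "groups": self.groups.get(user, [])})
        return {"tgt": tgt, "enc_part": seal(self.keys[user], {"session": session})}

    def tgs_exchange(self, tgt, spn, on_behalf_of=None):
        """TGS-REQ presents a TGT and an SPN; TGS-REP is a ticket sealed with the
        *service account's* key. on_behalf_of models S4U2proxy (constrained/RBCD).
        Unconstrained delegation needs no such call: the front end reuses the
        user's forwarded TGT here, for any SPN it likes."""
        client = unseal(self.keys["krbtgt"], tgt)["user"]     # only the KDC can open a TGT
        if on_behalf_of is not None:
            if spn not in self.constrained.get(client, ()) and client not in self.rbcd.get(spn, ()):
                raise PermissionError("%s may not delegate to %s" % (client, spn))
            client = on_behalf_of
        return seal(self.keys[self.spn_owner[spn]],
                    {"user": client, "groups": self.groups.get(client, []), "spn": spn})

def service_check(kdc, spn, ticket):
    """The service opens the ticket with its own key and trusts the identity inside."""
    return unseal(kdc.keys[kdc.spn_owner[spn]], ticket)["user"]

def kerberoast(ticket, account, realm, wordlist):
    """Ticket is sealed with the service account's password-derived key: guess offline."""
    for guess in wordlist:
        try:
            unseal(derive_key(guess, realm + account), ticket)
            return guess
        except ValueError:
            continue
    return None

def raises(exc, fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False

def demo():
    realm = "CORP.LOCAL"
    kdc = KDC(realm, passwords={"krbtgt": os.urandom(16).hex(), "john.d": "Winter2024!",
                                "svc_iis": os.urandom(16).hex(), "svc_sql": "Summer2019"},
              spn_owner={"HTTP/iis01": "svc_iis", "MSSQLSvc/sql01": "svc_sql"},
              groups={"john.d": ["Sales"]},
              constrained={"svc_iis": {"MSSQLSvc/sql01"}},   # IIS01 may delegate to SQL01 only
              rbcd={})
    preauth = lambda who, pw: seal(derive_key(pw, realm + who), {"timestamp": time.time()})
    out = {"bad_password_rejected": raises(ValueError, kdc.as_exchange, "john.d", preauth("john.d", "wrong"))}
    rep = kdc.as_exchange("john.d", preauth("john.d", "Winter2024!"))
    out["tgt_opaque"] = raises(ValueError, unseal, kdc.keys["john.d"], rep["tgt"])  # client cannot read it
    out["direct"] = service_check(kdc, "MSSQLSvc/sql01", kdc.tgs_exchange(rep["tgt"], "MSSQLSvc/sql01"))
    iis_tgt = kdc.as_exchange("svc_iis", seal(kdc.keys["svc_iis"], {"timestamp": time.time()}))["tgt"]
    out["delegated"] = service_check(kdc, "MSSQLSvc/sql01",   # constrained: IIS01 acts as John toward SQL01
                                     kdc.tgs_exchange(iis_tgt, "MSSQLSvc/sql01", on_behalf_of="john.d"))
    out["blocked"] = raises(PermissionError, kdc.tgs_exchange, iis_tgt, "HTTP/iis01", on_behalf_of="john.d")
    out["roasted"] = kerberoast(kdc.tgs_exchange(rep["tgt"], "MSSQLSvc/sql01"), "svc_sql", realm,
                                ["Password1", "Summer2019", "Welcome!"])   # John's plain TGT suffices
    return out
```

Running `demo()` shows the four properties the section relies on: a wrong password fails at the AS exchange, the client holds a TGT it cannot open, IIS01 can impersonate John only toward the SPN it is constrained to, and an ordinary user’s TGT is enough to fetch SQL01’s ticket and recover the weak service-account password offline, which is why service accounts need long random passwords (or gMSAs) rather than just RC4 being disabled.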
Below is a clear, simple, and scenario-focused explanation of Authorization in Active Directory, including Security Tokens, User Rights, SIDs, ACL/ACE, and DACL/SACL with real-world examples that match interview expectations.
Authorization in Active Directory
Authorization determines what a user can do after they have successfully authenticated.
Authentication = Who are you?
Authorization = What are you allowed to do?
Active Directory uses:
Security tokens
SIDs (Security Identifiers)
ACLs (Access Control Lists)
User rights
ACEs (Access Control Entries)
Let’s break each down.
1. Security Tokens
✔ Definition
A security token is created after a user logs in.
It contains all the SIDs (identifiers) of:
User
Groups the user belongs to
Privileges and rights
Whenever the user accesses a resource, Windows checks this token.
✔ Scenario
User: John (member of Sales group)
John logs in.
His token includes:
SID of John’s user account
SID of Sales group
SID of Domain Users
SID of “Authenticated Users”
Any other security groups he belongs to
When John tries to access \\Fileserver\SalesShare, Windows checks:
Does John’s token contain a SID that has permission?
💡 No need to re-login — token is used throughout the session.
2. User Rights
✔ Definition
User rights (or privileges) define what actions a user can perform on the system.
Examples:
Log on locally
Access computer from the network
Shut down the system
Backup/restore files
Take ownership of files
These are assigned via Group Policy.
✔ Scenario
Company wants only admins to shut down the Domain Controllers.
GPO is set:
"Shut down the system" → only Domain Admins
If user "Lisa" tries to shut down a DC:
She gets access denied because her token lacks the privilege.
3. SIDs (Security Identifiers)
Two important types:
3.1 Individual SID (User SID)
Unique identifier for every user account
NEVER reused, even if username is deleted and recreated
✔ Scenario
John is deleted and recreated with the same username.
He looks the same, but:
Old SID ≠ new SID
Old permissions will NOT apply to new account
Because permissions follow SID, not the username.
3.2 Group SID
Each security group has its own SID
A user's token includes SIDs of all groups they belong to
✔ Scenario
Sales group SID = S-1-5-21-1234-5678-91011-2000
Share Permission:
Access to SalesShare is granted to this SID
If John is added to the Sales group:
John gets access automatically
Because his token now includes the group SID
4. ACL and ACE
ACL (Access Control List)
A list of all permissions assigned to an object.
Stored on:
Files
Folders
Printers
AD objects
Registry keys
ACE (Access Control Entry)
A single entry inside an ACL.
An ACE defines:
Which SID has which permission
(e.g., read, write, modify)
Scenario
Folder: \\FileServer\FinanceDocs
ACL:
ACE1: Finance Group → Read
ACE2: Finance Managers → Modify
ACE3: CEO → Full Control
When James (Finance Employee) tries access:
His token has SID of Finance Group → access granted.
5. DACL and SACL
DACL (Discretionary Access Control List)
Controls who can access an object
Contains ACEs like:
Read
Write
Modify
Full Control
A NULL (missing) DACL means ANYONE gets full access (very dangerous); an empty DACL (present but with no ACEs) means nobody gets access. ACEs are evaluated in order and an explicit Deny wins over an Allow for the same right, which is why canonical order puts Deny entries first.
Scenario
Admin sets DACL on HR folder:
| SID | Permission |
|---|---|
| HR Group | Full Control |
| Domain Admins | Full Control |
If user James (Finance) attempts access:
His SID not in DACL → Access Denied
SACL (System Access Control List)
Defines what actions to audit
Triggers Security Events in Event Logs
Used for tracking successful/failed access
Scenario
Security team wants to audit:
Every failed attempt to open CEO folder
They configure SACL:
Audit → Fail → Read access attempts
If a user attempts unauthorized access:
Event ID 4656 (a handle to an object was requested) with an Audit Failure outcome appears in the Security log (4663 records access that actually succeeded; 4625 is a failed logon, not a failed file access)
Security team gets alerted
Note: SACL entries only produce events when Object Access auditing (the File System subcategory) is enabled in the audit policy; the SACL alone logs nothing.
Bringing Everything Together (Full Scenario)
Company Folder: \\FileServer\Projects\ProjectA
1. DACL (permissions)
Engineering Group → Modify
ProjectA Managers → Full Control
Domain Admins → Full Control
2. SACL (auditing)
Audit failed access attempts
Audit successful changes
3. User Logs In
User: Alice, in "Engineering Group"
Security Token includes:
Alice’s SID
Engineering SID
Domain Users SID
4. Alice Tries Access
Windows compares:
Alice’s token
vs. the DACL on the folder
Result:
✔ Engineering SID has Modify → Alice gets access
5. Unauthorized Access Attempt
User: Tom (HR)
His SID not in DACL → Denied
A SACL entry logs:
“Failed access by SID S-1-5-21-9999…”
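The access check walked through above (token SIDs against the DACL, then the SACL deciding what is audited) as a runnable model. This is an added example, not code from the original post or from Windows itself: the access-mask bits are simplified, owner-implied rights are left out, all SIDs and group names are made up, and the audit records only copy a few fields of the real 4656/4663 events (it logs 4656 for a failure and 4663 for a success, whereas Windows logs 4656 on the handle request in both cases and 4663 when the access is exercised).

```python
"""Toy model of the Windows access check described above. Added example, not code
from the original post; SIDs, groups, ACEs and the audit records are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

READ, WRITE, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8   # simplified access-mask bits
MODIFY = READ | WRITE | DELETE
FULL_CONTROL = MODIFY | WRITE_DAC
EVERYONE = "S-1-1-0"

@dataclass
class ACE:
    sid: str
    mask: int
    allow: bool = True             # DACL meaning; ignored in a SACL
    audit_success: bool = False    # SACL meaning; ignored in a DACL
    audit_failure: bool = False

@dataclass
class SecurityDescriptor:
    dacl: Optional[List[ACE]]      # None = NULL DACL, [] = empty DACL: opposite outcomes
    sacl: List[ACE] = field(default_factory=list)

@dataclass
class Token:
    user_sid: str
    group_sids: List[str]          # every group SID, Everyone and Domain Users included
    def sids(self):
        return {self.user_sid, *self.group_sids}

def access_check(token, sd, desired):
    """Returns (granted, audit_events), following the kernel's rules: a NULL DACL
    grants everything to everyone; an empty DACL grants nothing; otherwise ACEs
    are walked in order, allowed bits are subtracted from the request, and a Deny
    ACE that covers a still-outstanding bit ends the check (hence Denies first)."""
    if sd.dacl is None:
        granted = True
    else:
        remaining, granted = desired, False
        for ace in sd.dacl:
            if ace.sid not in token.sids():
                continue
            if not ace.allow and ace.mask & remaining:
                break
            if ace.allow:
                remaining &= ~ace.mask
                if remaining == 0:
                    granted = True
                    break
    events = [{"EventID": 4663 if granted else 4656,
               "Outcome": "Success" if granted else "Failure",
               "SubjectSid": token.user_sid, "AccessMask": hex(desired)}
              for ace in sd.sacl
              if ace.sid in token.sids() and ace.mask & desired
              and (ace.audit_success if granted else ace.audit_failure)]
    return granted, events

def demo():
    eng, mgr, da, hr, contractors = ("S-1-5-21-1000-2000-3000-%d" % rid
                                     for rid in (1101, 1102, 512, 1103, 1104))
    domain_users = "S-1-5-21-1000-2000-3000-513"
    project_a = SecurityDescriptor(          # the \\FileServer\Projects\ProjectA scenario
        dacl=[ACE(eng, MODIFY), ACE(mgr, FULL_CONTROL), ACE(da, FULL_CONTROL)],
        sacl=[ACE(EVERYONE, READ | WRITE, audit_failure=True),     # audit failed attempts
              ACE(EVERYONE, WRITE | DELETE, audit_success=True)])  # audit successful changes
    alice = Token("S-1-5-21-1000-2000-3000-1105", [eng, domain_users, EVERYONE])
    tom = Token("S-1-5-21-1000-2000-3000-1211", [hr, domain_users, EVERYONE])
    out = {}
    out["alice"], out["alice_audit"] = access_check(alice, project_a, MODIFY)
    out["tom"], out["tom_audit"] = access_check(tom, project_a, READ)
    # The two degenerate DACLs the text warns about.
    out["null_dacl"] = access_check(tom, SecurityDescriptor(dacl=None), FULL_CONTROL)[0]
    out["empty_dacl"] = access_check(alice, SecurityDescriptor(dacl=[]), READ)[0]
    # A Deny ahead of the Allow: Alice is also a contractor, so she keeps READ but loses WRITE.
    locked = SecurityDescriptor(dacl=[ACE(contractors, WRITE, allow=False), ACE(eng, MODIFY)])
    alice_c = Token(alice.user_sid, alice.group_sids + [contractors])
    out["contractor_read"] = access_check(alice_c, locked, READ)[0]
    out["contractor_write"] = access_check(alice_c, locked, WRITE)[0]
    return out
```

`demo()` reproduces the scenario (Alice is granted Modify and a success audit is produced; Tom is denied and a failure audit is produced) and adds the two cases a practitioner should be able to predict: a NULL DACL grants Tom Full Control, an empty DACL denies even Alice, and a Deny ACE ahead of an Allow removes only the bits it names.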
Simple Interview Summary
Authorization in AD determines what users can do using SIDs, security tokens, and ACLs.
A user’s security token contains their SID and group SIDs.
ACLs contain ACEs that define permissions.
DACL specifies who can access an object, while SACL logs access attempts.
User rights (privileges) define system-level abilities—like shutting down a computer or backing up files.
Below is a clear, structured, red-team–focused explanation of Technologies & Exploitation Areas in Red Teaming, covering:
Web Technology
Network Technology
Cloud Technology
Physical Technology
Wireless Technology
Each includes:
✔ Definition
✔ Common vulnerabilities
✔ Realistic red-team exploitation scenarios
✔ Tools used
Technologies & Exploitation in Red Teaming
A red team simulates real-world adversarial techniques to test an organization’s detection, response, and overall security posture. Red teaming spans multiple technology layers.
1️⃣ Web Technology Exploitation
✔ What it covers
Websites
Web applications
APIs
Web servers
Backend databases and microservices
✔ Common vulnerabilities
SQL Injection (SQLi)
Cross-site Scripting (XSS)
Authentication bypass
Broken Access Control
Sensitive data exposure
SSRF (Server-Side Request Forgery)
IDOR (Insecure Direct Object Reference)
Weak session management
🔥 Red Team Scenario
A red team targets a company’s employee portal.
Finds a login page vulnerable to SQL Injection
Payload: ' OR '1'='1
→ Bypasses login
Accesses internal leave management dashboard
Uses IDOR to access other users' data:
Example: /profile?id=101 → change to /profile?id=102
Escalates to admin using an XSS payload to steal session cookies
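The first two steps of that scenario (the `' OR '1'='1` login bypass and the IDOR on the profile page) side by side with their fixes, run against an in-memory SQLite database. This is an added example, not code from the original post or from any real portal; the schema, the users (admin, alice, bob), their passwords and leave balances are constructed, and the table keeps both a plaintext password column and a salted hash only so the vulnerable and hardened logins can share one dataset.

```python
"""Vulnerable and hardened versions of the login (SQL injection) and profile page
(IDOR) from the scenario above. Added example, not code from the original post;
schema, users and passwords are constructed."""
import hashlib, hmac, os, sqlite3

def _hash(password, salt_hex):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 50_000).hex()

def build_db():
    """Both a plaintext `password` and a salted `pw_hash` are stored only so the
    vulnerable and the hardened login can share one table; a real application
    keeps the hash only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT,"
               " pw_hash TEXT, salt TEXT, role TEXT, leave_days INTEGER)")
    for uid, name, pw, role, days in [(1, "admin", "Adm1n-" + os.urandom(4).hex(), "admin", 0),
                                      (101, "alice", "S3cret!pass", "user", 12),
                                      (102, "bob", "b0b-passw0rd", "user", 7)]:
        salt = os.urandom(8).hex()
        db.execute("INSERT INTO users VALUES (?,?,?,?,?,?,?)",
                   (uid, name, pw, _hash(pw, salt), salt, role, days))
    return db

def login_vulnerable(db, username, password):
    # String concatenation: the password field becomes part of the SQL grammar, so
    # ' OR '1'='1 turns the WHERE clause into (... AND password='') OR '1'='1'.
    sql = "SELECT id, role FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    row = db.execute(sql).fetchone()
    return {"id": row[0], "role": row[1]} if row else None

def login_safe(db, username, password):
    # Parameterised lookup, then a constant-time compare of a salted hash in code.
    row = db.execute("SELECT id, role, pw_hash, salt FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row and hmac.compare_digest(row[2], _hash(password, row[3])):
        return {"id": row[0], "role": row[1]}
    return None

def profile_vulnerable(db, session, requested_id):
    # IDOR: trusts the id from the URL and never asks whether it belongs to the caller.
    row = db.execute("SELECT id, username, leave_days FROM users WHERE id = ?",
                     (requested_id,)).fetchone()
    return dict(zip(("id", "username", "leave_days"), row)) if row else None

def profile_safe(db, session, requested_id):
    # Object-level authorization: the record must be the caller's own unless the caller is an admin.
    if session["role"] != "admin" and requested_id != session["id"]:
        return None
    return profile_vulnerable(db, session, requested_id)

def demo():
    db = build_db()
    payload = "' OR '1'='1"
    alice = login_safe(db, "alice", "S3cret!pass")
    return {"bypass": login_vulnerable(db, "admin", payload),      # a session without a password
            "blocked": login_safe(db, "admin", payload),           # None
            "idor_leak": profile_vulnerable(db, alice, 102)["username"],   # bob's record
            "idor_fixed": profile_safe(db, alice, 102),            # None
            "own_record": profile_safe(db, alice, 101)["username"]}
```

The point of the hardened login is that parameters are never parsed as SQL, so the payload is simply a wrong password; the point of the hardened profile is that an object identifier in the URL is input like any other and must be checked against the caller’s session, which is the control Broken Access Control findings are about.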
🔧 Tools
Burp Suite
OWASP ZAP
SQLMap
Nikto
Gobuster / Dirsearch
Postman (API testing)
2️⃣ Network Technology Exploitation
✔ What it includes
Internal networks
Servers
Workstations
Domain Controllers (Active Directory)
Protocols (SMB, FTP, RDP, LDAP)
Routers, switches, firewalls
✔ Common vulnerabilities
Weak or reused passwords
Missing patches
Misconfigured SMB shares
Open ports leaking info
Vulnerable services (e.g., old Apache, Tomcat)
Lateral movement weaknesses in Active Directory
🔥 Red Team Scenario
Objective: Compromise internal network.
Attacker gains a foothold via phishing → limited user shell
Enumerates network using:
net view, smbclient, nmap
Finds share \\finance\public with sensitive files
Captures NTLM hashes using:
Responder / ntlmrelayx
Uses Pass-the-Hash (PtH) to move to a server over SMB/WinRM (PtH over RDP only works where Restricted Admin mode is enabled on the target)
Performs Kerberoasting → cracks the password of a service account that is itself a member of Domain Admins (an all-too-common misconfiguration)
Full network compromise
🔧 Tools
Nmap
BloodHound
Responder / Impacket
CrackMapExec
Mimikatz
Cobalt Strike
Metasploit
3️⃣ Cloud Technology Exploitation
✔ What it covers
AWS, Azure, GCP
SaaS apps (O365, Salesforce)
Cloud IAM
Serverless (Lambda, Azure Functions)
Storage buckets
Cloud networking & identity
✔ Common vulnerabilities
Over-permissive IAM roles
Public S3/Blob buckets
Lack of MFA
Misconfigured API Gateways
Unpatched cloud instances
Secrets in cloud metadata service
Exposed keys/token leaks in GitHub
Red Team Scenario
Target: Company using AWS & Office 365.
Find leaked AWS keys on GitHub
Use the keys to enumerate IAM permissions
Discover that the key holds s3:ListBucket and s3:GetObject on company buckets
→ Download confidential documents
Use an over-permissive IAM policy attached to the key (one that lets it create users or attach policies) to create an admin user
Deploy backdoor Lambda function for persistence
Password-spray Office 365 to compromise an email account (a few common passwords against many users, which stays under lockout thresholds)
Set up email forwarding rule to exfiltrate data silently
🔧 Tools
ScoutSuite
Prowler
Pacu (AWS exploitation framework)
CloudBrute
MicroBurst (Azure)
Mimikatz/AzureHound (for hybrid AD)
4️⃣ Physical Technology Exploitation
✔ What it covers
Building access
Security controls
RFID badges
Cameras
Sensors
Smart locks
Server rooms
Workstation access and unattended devices
✔ Common vulnerabilities
Tailgating
Weak door locks
Unattended laptops
Unsecured server rooms
USB ports enabled
No badge enforcement
🔥 Red Team Scenario
Objective: Access internal network physically.
Red team member dresses as a delivery person
Tailgates behind an employee into the office
Enters an unlocked conference room
Finds an unattended laptop (logged in)
Plants a USB drop implant (Rubber Ducky or Bash Bunny)
Device executes:
Credential harvesting
Reverse shell to attacker
Full entry point for deeper network penetration
🔧 Tools
Proxmark3 (RFID cloning)
Bash Bunny / Rubber Ducky
Hardware keyloggers
Portable Wi-Fi Pineapple
Lockpicking tools
5️⃣ Wireless Technology Exploitation
✔ What it covers
Wi-Fi networks
Bluetooth
NFC
RFID
Zigbee/IoT devices
✔ Common vulnerabilities
WPS enabled
Weak WPA2 Passwords
Evil Twin attacks
Misconfigured guest network
IoT devices on open network
Bluetooth pairing flaws
🔥 Red Team Scenario
Objective: Gain wireless access to internal network.
Create Evil Twin AP using Wi-Fi Pineapple
→ Users' devices connect automatically
Capture WPA2 handshake
Brute-force Wi-Fi password
Gain entry to corporate Wi-Fi
From Wi-Fi, scan internal network
Exploit vulnerable IoT camera
Pivot into main LAN network
🔧 Tools
Wi-Fi Pineapple
Aircrack-ng
Kismet
Bettercap
hcxdumptool / hashcat
BlueHydra (Bluetooth)
🔥 Full Red Team Attack Chain Example (All Technologies Combined)
Step 1 — Wireless Entry
Attackers crack weak WPA2 key → gain Wi-Fi access.
Step 2 — Network Recon
Scan internal network → find vulnerable server.
Step 3 — Web Exploitation
Exploit SSRF → read the instance metadata service (169.254.169.254) → obtain the instance role’s temporary credentials. (IMDSv2, which requires a session token obtained with a PUT request, blocks this one-shot SSRF; IMDSv1 does not.)
Step 4 — Cloud Exploitation
Use keys to dump S3 buckets → find employee badge design.
Step 5 — Physical Intrusion
Clone badge → enter office → plant hardware backdoor.
Step 6 — Domain Compromise
Use internal access to steal AD credentials → escalate to Domain Admin.
Complete compromise achieved.
Complete Work Flow
Below is a complete red-team attack flow mapped end-to-end using the MITRE ATT&CK framework, showing how an attacker can compromise an organization starting from an external foothold to full domain takeover.
This is a single scenario, with each phase mapped to ATT&CK Tactics & Techniques (IDs included).
🔥 MITRE ATT&CK End-to-End Red Team Example Flow
Scenario:
A red team targets a company using Office 365, internal AD, and cloud workloads. The attack starts with phishing, leads to internal network compromise, and ends with domain admin control.
1️⃣ Reconnaissance (TA0043)
T1593 – Search Open Websites / Open-Source Intelligence
Red team identifies:
Employee names on LinkedIn
Email format from company website
Tech stack using Shodan and BuiltWith
2️⃣ Resource Development (TA0042)
T1587.001 – Develop Capabilities: Malware
Create:
Fake Office 365 login page
Malicious Word doc with macro payload
3️⃣ Initial Access (TA0001)
T1566.002 – Spearphishing Link
An employee receives an email:
“Please review the updated salary structure.”
Employee clicks → enters credentials on fake O365 portal.
T1078 – Valid Accounts
Attacker now logs into the real Office 365 with stolen credentials.
4️⃣ Execution (TA0002)
T1059 – Command & Scripting Interpreter
A mailbox login alone gives no way to run code on a workstation; the execution vector is the macro in the Word document built during Resource Development, which launches PowerShell on the recipient’s hybrid-joined workstation to download and run the payload.
5️⃣ Persistence (TA0003)
T1546 – Event Triggered Execution
Attacker drops the payload into the user's OneDrive folder (which syncs to the PC) and registers a trigger for it, for example a WMI event subscription (T1546.003); a synced file does not execute on its own.
6️⃣ Privilege Escalation (TA0004)
T1068 – Exploitation for Privilege Escalation
Workstation is unpatched → privilege escalation to SYSTEM via PrintNightmare (example).
7️⃣ Defense Evasion (TA0005)
T1562.001 – Impair Defenses: Disable or Modify Tools
Attacker disables real-time monitoring using PowerShell (requires local admin; tamper protection, where enabled, blocks it):
Set-MpPreference -DisableRealtimeMonitoring $true
8️⃣ Credential Access (TA0006)
T1003.001 – LSASS Dumping
Dump LSASS with the MiniDump export of the built-in comsvcs.dll (replace <PID> with the LSASS process ID):
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Windows\Temp\lsass.dmp full
Extract NTLM hashes from the dump offline using Mimikatz (sekurlsa::minidump, then sekurlsa::logonpasswords).
9️⃣ Discovery (TA0007)
T1018 – Remote System Discovery
Enumerate the computers in the domain:
net view /domain
T1069.002 – Permission Groups Discovery (Domain Groups)
Use BloodHound to map AD privileges.
🔟 Lateral Movement (TA0008)
T1021.001 – Remote Desktop Protocol (RDP)
Use Pass-the-Hash to reach a file server (over SMB/WinRM, or over RDP where Restricted Admin mode is enabled on the target).
1️⃣1️⃣ Collection (TA0009)
T1039 – Data from Network Shared Drive
Attacker downloads finance department files.
1️⃣2️⃣ Command & Control (TA0011)
T1071.001 – Web C2 Channel
Communication over HTTPS using Cobalt Strike beacon.
1️⃣3️⃣ Exfiltration (TA0010)
T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
Files uploaded to an attacker-controlled Dropbox account.
1️⃣4️⃣ Impact (TA0040)
T1486 – Data Encryption
Not always done in red teaming, but example:
Encrypt only a small subset of files to simulate ransomware impact.
⭐ FINALLY — Domain Admin Compromise Path (Critical Highlight)
After lateral movement:
T1558.003 – Kerberoasting
Attacker requests service tickets for every account that has an SPN (RC4-encrypted tickets, etype 23, are the fastest to crack).
Cracks them offline with Hashcat (mode 13100 for RC4 tickets) → recovers a service account password that carries privileged rights in AD.
T1098 – Account Manipulation
Adds self to Domain Admins group.
→ Full Domain Takeover Achieved
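The defender’s side of the chain above: detection logic for four of its steps (the LSASS MiniDump, the Set-MpPreference command, the burst of RC4 service-ticket requests that Kerberoasting produces, and the Domain Admins membership change), run over constructed event records. This is an added example, not code from the original post or from any SIEM; the records are hand-written dicts that keep the field names of the real events (4688, 4104, 4769, 4728) but are not log exports, the 10-minute bucket and the threshold of three SPNs are illustrative, and 4688 only carries a command line when command-line auditing is enabled (likewise 4104 needs script block logging).

```python
"""Detection logic for four steps of the attack chain above, run over constructed
event records. Added example, not code from the original post; the events are
hand-written and the thresholds are illustrative."""
from collections import defaultdict
import re

COMMAND_RULES = {   # technique -> pattern seen in a command line or script block
    "T1003.001": re.compile(r"comsvcs\.dll.*MiniDump", re.I),
    "T1562.001": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
}
RC4_HMAC = "0x17"          # etype 23: the ticket type hashcat mode 13100 cracks
ROAST_THRESHOLD = 3        # distinct SPN accounts one user asks for inside a 10-minute bucket
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def detect(events):
    """Return a list of (event_index, technique_id, detail) alerts."""
    alerts = []
    rc4_requests = defaultdict(set)   # (requesting user, time bucket) -> SPN accounts
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid in (4688, 4104):
            text = ev.get("CommandLine", "") if eid == 4688 else ev.get("ScriptBlockText", "")
            for tech, rx in COMMAND_RULES.items():
                if rx.search(text):
                    alerts.append((i, tech, text[:80]))
        elif eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            svc = ev["ServiceName"]
            if svc.endswith("$") or svc == "krbtgt":      # computer accounts and the TGT itself: noise
                continue
            key = (ev["TargetUserName"], ev["TimeCreated"] // 600)
            rc4_requests[key].add(svc)
            if len(rc4_requests[key]) == ROAST_THRESHOLD:
                alerts.append((i, "T1558.003", "%s requested RC4 tickets for %s"
                               % (key[0], sorted(rc4_requests[key]))))
        elif eid in (4728, 4732, 4756) and ev["TargetUserName"] in PROTECTED_GROUPS:
            alerts.append((i, "T1098", "%s added %s to %s"
                           % (ev["SubjectUserName"], ev["MemberName"], ev["TargetUserName"])))
    return alerts

SAMPLE_EVENTS = [   # constructed; TimeCreated is seconds since an arbitrary epoch
    {"EventID": 4688, "TimeCreated": 1000, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"EventID": 4104, "TimeCreated": 1010,
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4688, "TimeCreated": 1020, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
] + [
    {"EventID": 4769, "TimeCreated": 1100 + n, "TargetUserName": "john.d",
     "ServiceName": svc, "TicketEncryptionType": "0x17"}
    for n, svc in enumerate(["svc_sql", "svc_iis", "svc_backup"])
] + [
    {"EventID": 4769, "TimeCreated": 1200, "TargetUserName": "alice",
     "ServiceName": "FILESERVER01$", "TicketEncryptionType": "0x12"},   # AES, computer account: ignored
    {"EventID": 4728, "TimeCreated": 1300, "SubjectUserName": "svc_sql",
     "MemberName": "CN=john.d,CN=Users,DC=corp,DC=local", "TargetUserName": "Domain Admins"},
]
```

`detect(SAMPLE_EVENTS)` raises one alert per step and stays quiet on the benign process, the AES ticket and the computer-account ticket. The 4769 rule is the fragile one in practice: legitimate applications that still negotiate RC4 will trip it, so the threshold and the exclusion list need tuning per environment, and enforcing AES on service accounts removes most of the noise as well as most of the risk.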
🌐 Complete MITRE Mapping Summary
| Phase | MITRE Tactic | Technique (ID) | Description |
|---|---|---|---|
| Recon | TA0043 | T1593 | Public info gathering |
| Resource Dev | TA0042 | T1587 | Build phishing infrastructure |
| Initial Access | TA0001 | T1566.002 | Spear-phishing link |
| Exec | TA0002 | T1059 | PowerShell payload |
| Persistence | TA0003 | T1546 | Startup persistence |
| Priv Esc | TA0004 | T1068 | Exploit vulnerable service |
| Defense Evasion | TA0005 | T1562.001 | Disable AV real-time monitoring |
| Credential Access | TA0006 | T1003.001 | Dump credentials |
| Discovery | TA0007 | T1018 | Network mapping |
| Lateral Movement | TA0008 | T1021 | RDP w/ PtH |
| Collection | TA0009 | T1039 | Files from a network share |
| C2 | TA0011 | T1071 | HTTPS beacon |
| Exfiltration | TA0010 | T1567.002 | Upload data to cloud storage |
| Impact | TA0040 | T1486 | Targeted encryption |
References
Below are the official MITRE ATT&CK links for every technique used in the scenario above.
Each URL points directly to the MITRE ATT&CK page with the full technique details.
1️⃣ Reconnaissance
T1593 – Search Open Websites / OSINT
https://attack.mitre.org/techniques/T1593/
2️⃣ Resource Development
T1587 – Develop Capabilities (Phishing, Malware, etc.)
https://attack.mitre.org/techniques/T1587/
3️⃣ Initial Access
T1566.002 – Spearphishing Link
https://attack.mitre.org/techniques/T1566/002/
T1078 – Valid Accounts
https://attack.mitre.org/techniques/T1078/
4️⃣ Execution
T1059 – Command & Scripting Interpreter (PowerShell)
https://attack.mitre.org/techniques/T1059/
5️⃣ Persistence
T1546 – Event Triggered Execution
https://attack.mitre.org/techniques/T1546/
6️⃣ Privilege Escalation
T1068 – Exploitation for Privilege Escalation
https://attack.mitre.org/techniques/T1068/
7️⃣ Defense Evasion
T1562.001 – Impair Defenses: Disable or Modify Tools
https://attack.mitre.org/techniques/T1562/001/
8️⃣ Credential Access
T1003.001 – LSASS Memory Dumping (Mimikatz)
https://attack.mitre.org/techniques/T1003/001/
9️⃣ Discovery
T1018 – Remote System Discovery
https://attack.mitre.org/techniques/T1018/
T1069.002 – Permission Groups Discovery (Domain Groups)
https://attack.mitre.org/techniques/T1069/002/
🔟 Lateral Movement
T1021.001 – Remote Desktop Protocol
https://attack.mitre.org/techniques/T1021/001/
1️⃣1️⃣ Collection
T1039 – Data from Network Shared Drive
https://attack.mitre.org/techniques/T1039/
1️⃣2️⃣ Command & Control
T1071.001 – Web Protocols (HTTPS C2)
https://attack.mitre.org/techniques/T1071/001/
1️⃣3️⃣ Exfiltration
T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
https://attack.mitre.org/techniques/T1567/002/
1️⃣4️⃣ Impact
T1486 – Data Encrypted for Impact (Ransomware)
https://attack.mitre.org/techniques/T1486/
⭐ Domain Admin Path Techniques (Important)
T1558.003 – Kerberoasting
https://attack.mitre.org/techniques/T1558/003/
T1098 – Account Manipulation (Add to Domain Admins)
https://attack.mitre.org/techniques/T1098/