
What is Active Directory?


What is Active Directory?

Active Directory (AD) is a directory service used to manage Windows networks. It serves as a centralized database that stores and organizes information about the various objects within the network, such as user accounts, computers, groups, and resources. AD makes this information easily accessible to users and administrators, enabling efficient management and authentication across the network. It provides features like authentication, authorization, and policy enforcement, making it a fundamental component of Windows-based network environments.

LDAP, the foundation of Active Directory, was first introduced in RFCs as early as 1971. Active Directory was predated by the X.500 organizational unit concept, which was the earliest version of all directory systems created by Novell and Lotus and released in 1993 as Novell Directory Services.

CRT.LOCAL is a root domain that contains multiple subdomains, i.e. KID.CRT.LOCAL and DEV.CRT.LOCAL, as well as the other objects that make up a domain, such as users, groups, computers, and more.

CRT.LOCAL/
├── KID.CRT.LOCAL
│   ├── GPOs
│   └── OU
│       └── EMPLOYEES
│           ├── COMPUTERS
│           │   └── MS01
│           ├── GROUPS
│           │   └── Domain Admins
│           └── USERS
│               └── cryptex.hac
├── DEV.CRT.LOCAL


A Domain Controller (DC)

A Domain Controller (DC) is a server that runs the Active Directory Domain Services (AD DS) role in the Windows Server operating system and serves as the centralized database that stores and organizes information about the various objects within the network, such as user accounts, computers, groups, and resources.

The functions of a Domain Controller are:

  • Authentication: A DC validates the credentials of users and computers when they attempt to access network resources. It verifies the identity of the entity requesting access and grants or denies access based on the configured security policies.

  • User and Computer Management: A DC stores and manages information about user accounts, computer accounts, groups, and other objects within the Active Directory database. It allows administrators to create, modify, and delete user and computer accounts, assign group memberships, and define access permissions.

  • Replication: In multi-DC environments, a DC replicates directory changes to the other domain controllers so that every DC holds a consistent copy of the database.

  • Group Policy: Domain Controllers host Group Policy Objects (GPOs) that define and enforce security settings, configurations, and restrictions on user and computer accounts. Group Policies are applied to targeted users and computers to manage their behavior and control access to resources.

  • DNS Resolution: Domain Controllers typically provide DNS (Domain Name System) services for the network, resolving domain names to IP addresses and enabling communication between network devices.


What is a Forest?


A forest is a collection of Active Directory domains. It is the topmost container and contains all of the AD objects, including but not limited to domains, users, groups, computers, and Group Policy objects. A forest, which is a security boundary, may contain multiple domains, and each domain may contain multiple OUs.

⇒ Example: we have a forest named CRT.LOCAL in which we can create multiple domains, such as KID.CRT.LOCAL and XYZ.CRT.LOCAL.


                           CRT.LOCAL
                              |
           ___________________|_____________________
          |                                         |
       child1                                   child2
    KID.CRT.LOCAL                              DEV.CRT.LOCAL
                             /\
                             ||
                             ||
                         BIDIRECTIONAL
                             ||
                             ||
                             \/
                             
                          RCE.LOCAL
                              |
           ___________________|_____________________
          |                                         |
       child1                                   child2
   KID.RCE.LOCAL                               DEV.RCE.LOCAL

The diagram above shows two forests, CRT.LOCAL and RCE.LOCAL. The two-way arrow represents a bidirectional trust between the two forests, meaning that users in CRT.LOCAL can access resources in RCE.LOCAL and vice versa. We can also see multiple child domains under each root domain. In this example, each root domain trusts its own child domains, but the child domains in the first forest (CRT.LOCAL) do not necessarily have trusts established with the child domains in the second forest (RCE.LOCAL). This means that a user who is part of KID.CRT.LOCAL would NOT be able to authenticate to machines in the DEV.RCE.LOCAL domain by default, even though a bidirectional trust exists between the top-level CRT.LOCAL and RCE.LOCAL domains. To allow direct communication between KID.CRT.LOCAL and DEV.RCE.LOCAL, another trust would need to be set up.

Note that this is a simplified representation; the actual trust relationships and domain structures in your environment may be more complex.


Active Directory Key Terminology

Object

An object can be defined as ANY resource present within an Active Directory environment such as OUs, printers, users, domain controllers, etc.

Attributes

Every object in Active Directory has an associated set of attributes used to define the characteristics of the given object. A computer object, for example, contains attributes such as the hostname and DNS name. All attributes in AD have an associated LDAP name that can be used when performing LDAP queries, such as displayName for Full Name and givenName for First Name.

Schema

The Active Directory schema is essentially the blueprint of any enterprise environment: it defines the object classes that can exist and the attributes each of them can carry.

Domain

A domain is a logical group of objects such as computers, users, OUs, groups, etc. We can think of each domain as a different city within a state or country. Domains can operate entirely independently of one another or be connected via trust relationships.

Global Catalog

A global catalog (GC) is a domain controller that stores copies of ALL objects in an Active Directory forest, so it contains information about every object in the directory. The GC stores a full copy of all objects in the current domain and a partial copy of the objects that belong to other domains in the forest. Standard domain controllers hold a complete replica of the objects belonging to their own domain but not those of the other domains in the forest. The GC allows both users and applications to find information about any object in ANY domain in the forest.

Forest

A forest is a collection of Active Directory domains. It is the topmost container and contains all of the AD objects, including but not limited to domains, users, groups, computers, and Group Policy objects. A forest, which is a security boundary, may contain multiple domains, and each domain may contain multiple OUs.

Tree

A tree is a collection of Active Directory domains that begins at a single root domain. A forest is a collection of AD trees. Each domain in a tree shares a boundary with the other domains. A parent-child trust relationship is formed when a domain is added under another domain in a tree. Two trees in the same forest cannot share a name (namespace). Let’s say we have two trees in an AD forest: CRT.LOCAL and RCE.LOCAL. A child domain of the first would be DEV.CRT.LOCAL, while a child domain of the second could be DEV.RCE.LOCAL. All domains in a tree share a standard Global Catalog, which contains all information about the objects that belong to the tree.

Container

Container objects hold other objects and have a defined place in the directory subtree hierarchy.

Organizational Units (OUs)

An organizational unit, or OU from here on out, is a container that systems administrators can use to store similar objects for ease of administration. OUs are often used for administrative delegation of tasks without granting a user account full administrative rights. For example, we may have a top-level OU called Employees and then child OUs under it for the various departments such as Marketing, HR, Finance, Help Desk, etc. If an account were given the right to reset passwords over the top-level OU, this user would have the right to reset passwords for all users in the company. However, if the OU structure were such that specific departments were child OUs of the Help Desk OU, then any user placed in the Help Desk OU would have this right delegated to them if granted.

Leaf

Leaf objects do not contain other objects and are found at the end of the subtree hierarchy.

Global Unique Identifier (GUID)

A GUID is a unique 128-bit value assigned when a domain user or group is created. This GUID value is unique across the enterprise, similar to a MAC address. Every single object created by Active Directory is assigned a GUID, not only user and group objects. The GUID is stored in the objectGUID attribute. When querying for an AD object (such as a user, group, computer, domain, domain controller, etc.), we can query for its objectGUID value using PowerShell or search for it by specifying its distinguished name. GUIDs are used by AD to identify objects. Searching in Active Directory by GUID value is probably the most accurate and reliable way to find the exact object you are looking for. The objectGUID property never changes and is associated with the object for as long as that object exists in the domain.

Security principals


Security principals are anything that the operating system can authenticate, including users, computer accounts, or even threads/processes that run in the context of a user or computer account (i.e., an application such as Tomcat running in the context of a service account within the domain). In AD, security principals are domain objects that can manage access to other resources within the domain. We can also have local user accounts and security groups used to control access to resources on only that specific computer. These are not managed by AD but rather by the Security Accounts Manager (SAM).

Security Identifier (SID)

A security identifier, or SID, is used as a unique identifier for a security principal or security group. Every account, group, or process has its own unique SID, which, in an AD environment, is issued by the domain controller and stored in a secure database. A SID can only be used once. Even if the security principal is deleted, its SID can never be used again in that environment to identify another user or group. When a user logs in, the system creates an access token for them which contains the user’s SID. There are also well-known SIDs that are used to identify generic users and groups. These are the same across all operating systems. An example is the Everyone group.

Distinguished Name (DN)

Distinguished Name (DN) describes the full path to an object in AD (such as cn=cryptex, ou=IT, ou=Employees, dc=crt, dc=local). In this example, the user cryptex works in the IT department of the company crt, and his account is created in an Organizational Unit (OU) that holds accounts for company employees. The Common Name (CN) cryptex is just one way the user object could be searched for or accessed within the domain.

sAMAccountName

The sAMAccountName is the user’s logon name. Here it would just be cryptex. It must be a unique value and 20 or fewer characters.

userPrincipalName


The userPrincipalName attribute is another way to identify users in AD. This attribute consists of a prefix (the user account name) and a suffix (the domain name) in the format cryptex@crt.local. This attribute is not mandatory.
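Putting the DN, sAMAccountName and userPrincipalName sections together, here is an added example (my code, not from the original post) that parses the page's sample DN, derives the domain DNS name from its dc= components, and builds the user@domain UPN form described above; the RFC 4514 escape handling, the parent_dn helper and the assumption that the UPN suffix equals the object's own domain are mine.

```python
"""Parse Active Directory Distinguished Names such as the one in the text.

Added example, not code from the original post. It handles the RFC 4514
backslash escape for special characters inside a value (a CN such as
"Smith, John" is written cn=Smith\\, John), which a plain split(",") breaks.
The DN and account name below are the page's own sample values.
"""
from typing import List, Tuple

SPECIAL = ',=+<>#;"\\'   # characters that must be escaped inside an RDN value


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into [(attribute, value), ...], leaf RDN first."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                 # keep the escaped character literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def escape_value(value: str) -> str:
    """Escape a value so it can be placed back into a DN string."""
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def domain_dns_name(dn: str) -> str:
    """Join the dc= components into the domain's DNS name, e.g. crt.local."""
    dcs = [v for a, v in parse_dn(dn) if a == "dc"]
    if not dcs:
        raise ValueError("DN carries no dc= components")
    return ".".join(dcs).lower()


def parent_dn(dn: str) -> str:
    """The container holding the object: the DN without its leaf RDN."""
    return ",".join(f"{a}={escape_value(v)}" for a, v in parse_dn(dn)[1:])


def default_upn(sam_account_name: str, dn: str) -> str:
    """Build the user@domain form described for userPrincipalName, assuming
    (my assumption) the UPN suffix equals the object's own domain."""
    if not 0 < len(sam_account_name) <= 20:
        raise ValueError("sAMAccountName must be 1 to 20 characters")
    return f"{sam_account_name}@{domain_dns_name(dn)}"


SAMPLE_DN = "cn=cryptex, ou=IT, ou=Employees, dc=crt, dc=local"

if __name__ == "__main__":
    for attr, value in parse_dn(SAMPLE_DN):
        print(f"{attr:>3} = {value}")
    print("domain :", domain_dns_name(SAMPLE_DN))
    print("parent :", parent_dn(SAMPLE_DN))
    print("upn    :", default_upn("cryptex", SAMPLE_DN))
```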

Replication

Replication happens in AD when AD objects are updated and the changes are transferred from one Domain Controller to another. Whenever a DC is added, connection objects are created to manage replication between the DCs.

Service Principal Name (SPN)


In the referenced example, ADFS01$ is a computer account whose SPN is HTTP/adfs01.us.renovations.com. Similarly, an SPN can also be set on a user account.

A Service Principal Name (SPN) is a special name that identifies a specific service instance on a computer network. An SPN can be set on both computer accounts and user accounts. It lets clients authenticate to a service without needing to know the account that runs it: instead of using the real account name, an application uses the SPN to request authentication to the service. The SPN has two parts: the service type (like HTTP or SQL) and the service name (like the server’s hostname). With SPNs, clients can securely connect to services without knowing the underlying account names.

Read-Only Domain Controller (RODC)

Read-Only Domain Controller (RODC) is a type of computer that helps keep a network secure. It is designed to be used in places where security is a concern, like remote or branch offices. An RODC works by having a copy of important information, called the Active Directory database, but it can only read it. It can’t make any changes to the database. This helps protect the network because even if someone tries to hack into the RODC, they can’t change anything important.

Group Policy Object (GPO)

Group Policy Objects (GPOs) are virtual collections of policy settings. Each GPO has a unique GUID. Think of a GPO as a collection of instructions that tell computers or users how to behave. These instructions can control things like security settings, desktop appearance, software installation, and more. GPOs are stored on a domain controller, which is a server that manages the network. When a computer or user logs into the network, it receives the appropriate GPOs from the domain controller and applies them according to the specified rules.

Access Control List (ACL)


An Access Control List (ACL) is like a security guard for files, folders, or other resources on a computer or network. It determines who can access or modify those resources and what actions they can perform. Every object has an ACL, and that ACL can hold multiple ACEs because multiple security principals can access objects in AD. ACLs can also be used for auditing access within AD.

Think of an ACL as a list of permissions that specify who is allowed to do what with a particular resource. Each entry in the ACL contains a user or group name and the specific permissions granted to them.

For example, an ACL may allow the “Administrators” group to have full control over a folder, meaning they can create, modify, and delete files within it. On the other hand, it may only grant “Read” permissions to the “Employees” group, allowing them to view the files but not make any changes.

Security principals are the users, groups, or computer accounts that require access to network resources, while ACLs define the specific permissions and access rights granted or denied to those security principals on individual resources. Security principals represent the entities seeking access, whereas ACLs govern the actual access control for resources.

Access Control Entries (ACEs)


Each Access Control Entry (ACE) is like a small instruction within the ACL that determines what a specific user, group, or computer can do with a particular file, folder, or other resource. Each ACE contains the identity of a security principal and the specific permissions (such as read, write, execute) granted or denied to that principal.

There are three types of ACEs:

  • Access Denied ACE: Used within a DACL to show that a user or group is explicitly denied access to an object.

  • Access Allowed ACE: Used within a DACL to show that a user or group is explicitly granted access to an object.

  • System Audit ACE: Used within a SACL to generate audit logs when a user or group attempts to access an object. It records whether access was granted or not and what type of access occurred.

ACE Permissions

  • ForceChangePassword abused with Set-DomainUserPassword: The ForceChangePassword privilege allows an attacker to reset a user’s password without first knowing the current password. It can be abused with the Set-DomainUserPassword command to change the password of a domain user without their knowledge or consent.

  • Add Members abused with Add-DomainGroupMember: The Add Members privilege grants an attacker the ability to add members to a domain group. In this scenario, an attacker aims to escalate their privileges within a target organization. They have identified a critical group, “Domain Admins,” that grants extensive privileges within the domain. The attacker wants to add their own account, “attackeruser,” to this group to gain administrative access. By abusing the Add Members privilege, the attacker can add that account to “Domain Admins”.

  • Generic All: “GenericAll” grants full control over a target object. Having this privilege over a user account allows an attacker to perform various actions, such as resetting or changing the user’s password, setting service principal names, removing pre-authentication requirements, and launching Kerberoasting or ASREPRoasting attacks. Having it over a group, an attacker can add or remove users from the group, taking into consideration the permissions granted to the group. If this privilege is granted on a computer object, it enables the attacker to potentially carry out a resource-based constrained delegation attack; also, if the Local Administrator Password Solution (LAPS) is in use in the environment, the LAPS password can be read to gain local admin access to the machine, which may aid lateral movement or privilege escalation in the domain if privileged access is obtained that way.

  • Generic Write: gives the right to write to any non-protected attribute on an object. With this access over a user, an attacker could assign them an SPN and perform a Kerberoasting attack (which relies on the target account having a weak password set). Over a group, it means the attacker could add themselves or another security principal to the group. Finally, with this access over a computer object, a resource-based constrained delegation attack becomes possible.

  • WriteDACL abused with Add-DomainObjectACL: The “WriteDACL” privilege allows an attacker to modify the Discretionary Access Control List (DACL) on an object, i.e. modify the object’s ACEs and grant the attacker full control over the object. For example, let’s say there is a critical file share on the domain controller called “FinanceData” that should only be accessible to specific groups or users. Leveraging the “WriteDACL” privilege, the attacker adds their own account, “attackeruser,” to the DACL of the “FinanceData” file share with “FullControl” rights. This grants the attacker unrestricted access to the file share, potentially allowing them to view, modify, or delete sensitive financial data.

  • AddSelf abused with Add-DomainGroupMember: indicates security groups that a user can add themselves to.

  • AllExtendedRights: the ability to add a user to a group or reset a password.

  • WriteOwner: change the object’s owner to an attacker-controlled user and take over the object.


This graphic, adapted from a graphic created by Charlie Bromberg (Shutdown), shows an excellent breakdown of the varying possible ACE attacks and the tools to perform these attacks from both Windows and Linux (if applicable).

Discretionary Access Control List (DACL)


We see the ACL for the user account ATALAB in the image above. Each item under Permission entries makes up the DACL for the user account, while the individual entries (such as Full Control or List Contents) are ACE entries showing rights granted over this user object to various users and groups.

The terms “Discretionary Access Control List (DACL)” and “Access Control List (ACL)” are often used interchangeably, and in some contexts, they refer to the same thing.

Discretionary Access Control List (DACL): defines which security principals are granted or denied access to an object. DACLs are made up of ACEs that either allow or deny access. When someone attempts to access an object, the system checks the DACL for the level of access that is permitted. If a DACL does not exist for an object, all who attempt to access the object are granted full rights. If a DACL exists but does not have any ACE entries specifying security settings, the system denies access to all users, groups, or processes attempting to access it. The DACL is composed of individual ACEs that specify the permissions granted or denied to specific users, groups, or computer accounts.

To summarize, the DACL is a subset or component of the broader ACL.
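The access-check rules stated above (no DACL means full access, an empty DACL means no access, deny entries override allow entries, and an ACE matches through the user SID or any group SID in the token) are easy to get wrong when reasoning about an ACL by eye. The following is an added example, my code rather than anything from the original post or from Windows, that models those rules over the page's own “Administrators get Full Control, Employees get Read” scenario; every SID, name and access-mask bit in it is a constructed sample value.

```python
"""Simplified DACL evaluation following the rules this page describes.

Added example, not code from the original post or from Windows itself.
It models:
  - no DACL (None)              -> every caller gets full rights
  - DACL present but no ACEs    -> every caller is denied
  - Access Denied ACEs override Access Allowed ACEs (canonical ACE order)
  - an ACE applies to a caller whose access token holds the ACE's SID,
    either as the user SID or as one of the group SIDs
All SIDs, names and access-mask bits below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed access-mask bits (real Windows masks carry many more).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | EXECUTE
RIGHT_NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Execute"}

EVERYONE_SID = "S-1-1-0"  # well-known SID for the Everyone group


@dataclass
class ACE:
    kind: str   # "allow" (Access Allowed ACE) or "deny" (Access Denied ACE)
    sid: str    # the security principal the entry applies to
    mask: int   # rights granted or denied


@dataclass
class Token:
    """Access token built at logon: the user's SID plus group SIDs."""
    user_sid: str
    group_sids: Set[str] = field(default_factory=set)

    def all_sids(self) -> Set[str]:
        # Every authenticated principal is also a member of Everyone.
        return {self.user_sid, EVERYONE_SID} | self.group_sids


def effective_rights(dacl: Optional[List[ACE]], token: Token) -> int:
    """Bitmask of rights the token has on an object protected by this DACL."""
    if dacl is None:
        return FULL_CONTROL          # null DACL: the object is wide open
    if len(dacl) == 0:
        return 0                     # empty DACL: nobody gets access
    mine = token.all_sids()
    allowed = denied = 0
    for ace in dacl:
        if ace.sid not in mine:
            continue                 # this entry is about someone else
        if ace.kind == "deny":
            denied |= ace.mask
        elif ace.kind == "allow":
            allowed |= ace.mask
    return allowed & ~denied         # an explicit deny beats any allow


def access_check(dacl: Optional[List[ACE]], token: Token, requested: int) -> bool:
    """True only when every requested right is present in the effective rights."""
    return effective_rights(dacl, token) & requested == requested


def audit_right(dacl: Optional[List[ACE]], right: int) -> List[str]:
    """Defender view: which SIDs are explicitly allowed a given right?"""
    return sorted({a.sid for a in dacl or [] if a.kind == "allow" and a.mask & right})


# Constructed sample: the page's "Administrators get Full Control, Employees
# get Read" ACL, plus one explicit deny for a contractor user.
ADMINISTRATORS_SID = "S-1-5-32-544"               # well-known BUILTIN\Administrators
EMPLOYEES_SID = "S-1-5-21-1000-2000-3000-1105"    # constructed domain group SID
CONTRACTOR_SID = "S-1-5-21-1000-2000-3000-1201"   # constructed domain user SID

FINANCE_DACL = [
    ACE("deny", CONTRACTOR_SID, READ),            # denies come first in canonical order
    ACE("allow", ADMINISTRATORS_SID, FULL_CONTROL),
    ACE("allow", EMPLOYEES_SID, READ),
]

if __name__ == "__main__":
    admin = Token("S-1-5-21-1000-2000-3000-500", {ADMINISTRATORS_SID})
    employee = Token("S-1-5-21-1000-2000-3000-1110", {EMPLOYEES_SID})
    contractor = Token(CONTRACTOR_SID, {EMPLOYEES_SID})   # in Employees, but denied
    for name, tok in (("admin", admin), ("employee", employee), ("contractor", contractor)):
        rights = effective_rights(FINANCE_DACL, tok)
        names = [n for bit, n in RIGHT_NAMES.items() if rights & bit] or ["(none)"]
        print(f"{name:<10} {', '.join(names)}")
    print("Write allowed to:", audit_right(FINANCE_DACL, WRITE))
```

The contractor case shows why auditing group membership alone is not enough: the account is in Employees, yet the explicit deny entry leaves it with no rights at all.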

Fully Qualified Domain Name (FQDN)

An FQDN is the complete name for a specific computer or host. It is written with the hostname and domain name in the format [host name].[domain name].[tld]. An example would be the host DC01 in the domain CRT.LOCAL; the FQDN here would be DC01.CRT.LOCAL.

Tombstone

A tombstone is a container object in AD that holds deleted AD objects. When an object is deleted from AD, it remains in this container for a set period of time known as the Tombstone Lifetime.

AD Recycle Bin

The AD Recycle Bin was first introduced in Windows Server 2008 R2 to facilitate the recovery of deleted AD objects. This made it easier for sysadmins to restore objects, avoiding the need to restore from backups, restart Active Directory Domain Services (AD DS), or reboot a Domain Controller.

SYSVOL

The SYSVOL folder, or share, stores copies of public files in the domain such as system policies, Group Policy settings, and logon/logoff scripts, and it often contains other types of scripts that are executed to perform various tasks in the AD environment.

Leaf Objects

Leaf objects cannot contain any other objects within them. Examples:

  • Contacts: A contact object is usually used to represent an external user and contains informational attributes such as first name, last name, email address, telephone number, etc.
  • Printers: A printer object points to a printer accessible within the AD network.
  • Computers: A computer object is any computer joined to the AD network (workstation or server).

AdminSDHolder

In simple terms, AdminSDHolder acts as a security guard for administrative accounts in Active Directory. It ensures that these accounts have the necessary protections and restrictions to prevent misuse or unauthorized access. The purpose of AdminSDHolder is to prevent accidental or intentional modifications to the security settings of administrative accounts. It periodically compares the security settings of these accounts with the AdminSDHolder object and automatically reverts any changes made, to ensure consistent security.

adminCount

adminCount is an attribute in Microsoft Active Directory that keeps track of the number of times an object has been marked as an administrative account. When an object is marked as an administrative account, its adminCount value is set to 1, indicating that it has elevated privileges and should be treated as such. Attackers will often look for accounts with the adminCount attribute set to 1.

Active Directory Users and Computers (ADUC)

ADUC is a GUI console commonly used for managing users, groups, computers, and contacts in AD. Changes made in ADUC can be done via PowerShell as well.

sIDHistory

This attribute holds any SIDs that an object was previously assigned, for example before it was migrated from another domain.

NTDS.DIT

The NTDS.DIT file can be considered the heart of Active Directory. It is stored on a Domain Controller at C:\Windows\NTDS\ and is a database that stores AD data such as information about user and group objects, group membership, and, most important to attackers and penetration testers, the password hashes for all users in the domain. Once full domain compromise is reached, an attacker can retrieve this file, extract the hashes, and either use them to perform a pass-the-hash attack or crack them offline. If the setting Store password with reversible encryption is enabled, then the NTDS.DIT will also store the cleartext passwords for all users created, or who changed their password, after this policy was set.

MSBROWSE

MSBROWSE is a Microsoft networking protocol that was used in early versions of Windows-based local area networks (LANs) to provide browsing services. It was used to maintain a list of resources, such as shared printers and files, that were available on the network, and to allow users to easily browse and access these resources.

Basic User Privileges

Privilege and description:

  • SeRemoteInteractiveLogonRight: This privilege could give our target user the right to log onto a host via Remote Desktop (RDP), which could potentially be used to obtain sensitive data or escalate privileges.

  • SeBackupPrivilege: This grants a user the ability to create system backups and could be used to obtain copies of sensitive system files that can be used to retrieve passwords, such as the SAM and SYSTEM Registry hives and the NTDS.dit Active Directory database file.

  • SeDebugPrivilege: This allows a user to debug and adjust the memory of a process. With this privilege, attackers could utilize a tool such as Mimikatz to read the memory space of the Local Security Authority Subsystem Service (LSASS) process and obtain any credentials stored in memory.

  • SeImpersonatePrivilege: This privilege allows us to impersonate a token of a privileged account such as NT AUTHORITY\SYSTEM. This could be leveraged with a tool such as JuicyPotato, RogueWinRM, PrintSpoofer, etc., to escalate privileges on a target system.

  • SeLoadDriverPrivilege: A user with this privilege can load and unload device drivers that could potentially be used to escalate privileges or compromise a system.

  • SeTakeOwnershipPrivilege: This allows a process to take ownership of an object. At its most basic level, we could use this privilege to gain access to a file share, or a file on a share, that was otherwise not accessible to us.

I would like to bring to your attention that the content presented below is derived from the HTB Academy module as part of my personal study and learning process. I have utilized the HTB Academy module as a valuable resource to create a comprehensive cheatsheet, consolidating essential information for reference purposes.

  • Forest structure can contain one or more domains

  • Active Directory provides authentication and authorization within a Windows domain environment

  • Schema is known as the “Blueprint” of an Active Directory environment

  • Service Principal Name uniquely identifies a Service instance

  • Group Policy objects can be applied to user and computer objects

  • Tombstone container in AD holds deleted objects

  • NTDS.DIT file contains the hashes of passwords for all users in a domain

  • Organizational Units are objects that are used to store similar objects for ease of administration

  • The Domain Controller is the AD object that handles all authentication requests for a domain

  • PDC Emulator role maintains time for a domain

  • Windows Server 2008 R2 domain functional level introduced Managed Service Accounts

  • Cross-Link type of trust is a link between two child domains in a forest

  • Relative ID Master role ensures that objects in a domain are not assigned the same SID

  • Kerberos uses port 88; LDAP is defined in RFC 4511

  • The objectGUID naming attribute is unique to the user and remains so even if the account is deleted

  • The security group type is best utilized for assigning permissions and rights to users

  • A “Global Group” can only contain accounts from the domain where it was created

  • SeBackupPrivilege user right grants a user the ability to make backups of a system

  • Application Control Policies are the security policies that can block certain users from running all executables

This post is licensed under CC BY 4.0 by the author.