active directory
| Question | Answer |
|---|---|
| "Explain the difference between authentication and authorization in Active Directory" | "Authentication verifies identity while authorization determines what an authenticated identity is allowed to do" |
| "What is a security principal and why are SIDs more important than usernames" | "A security principal is any entity that can be authenticated and authorized, and SIDs are immutable identifiers used for access control, while usernames can change" |
| "How does Kerberos differ from NTLM and when does NTLM still appear" | "Kerberos is ticket-based and mutual while NTLM is challenge-response, and NTLM still appears during fallback, legacy systems or misconfigurations" |
| "What happens during a Kerberos TGT request" | "The client authenticates to the KDC and receives a TGT encrypted with the KRBTGT secret" |
| "Why is time synchronization critical for Kerberos" | "Kerberos tickets are time-bound and clock skew breaks ticket validation" |
| "What is the role of the KDC and where does it live" | "The KDC issues Kerberos tickets and runs on domain controllers" |
| "Explain the difference between domain admin, enterprise admin and local admin" | "Domain admins control a domain, enterprise admins control the forest and local admins only control a single machine" |
| "What is AdminSDHolder and what problem does it solve" | "It enforces protected ACLs on high-privilege accounts to prevent unauthorized permission changes" |
| "What types of credential material can be extracted from LSASS" | "Passwords, hashes, Kerberos tickets and tokens, which can be reused without cracking" |
| "Explain pass-the-hash, pass-the-ticket and overpass-the-hash" | "They reuse NTLM hashes, Kerberos tickets, or NTLM hashes to request Kerberos tickets, respectively" |
| "Why is credential reuse dangerous in AD" | "It allows lateral movement and privilege escalation without new exploitation" |
| "What conditions allow DCSync" | "Replication permissions like Replicating Directory Changes" |
| "Why can Kerberos tickets work after password changes" | "Tickets remain valid until expiration regardless of password resets" |
| "How do cached domain credentials work" | "They allow logon when a DC is unreachable using stored hashes" |
| "What makes an account vulnerable to Kerberoasting" | "Having an SPN associated with it" |
| "Why is Kerberoasting an offline attack" | "Ticket cracking happens offline without interacting with the domain" |
| "What enables AS-REP roasting" | "Accounts that do not require Kerberos preauthentication" |
| "What is unconstrained delegation" | "A service can impersonate users to any service after authentication" |
| "Compare constrained delegation and RBCD" | "Constrained delegation limits services while RBCD lets the target define who can delegate" |
| "What prerequisites are needed for RBCD abuse" | "Control over a computer or service account and write access to msDS-AllowedToActOnBehalfOfOtherIdentity" |
| "Difference between Golden and Silver tickets" | "Golden tickets forge TGTs while Silver tickets forge service tickets" |
| "Why is KRBTGT compromise critical" | "It allows forging Kerberos TGTs for any user" |
| "What is an ACL in AD" | "A list of permissions defining who can perform actions on an AD object" |
| "Difference between GenericAll, GenericWrite and WriteDACL" | "GenericAll is full control, GenericWrite allows attribute changes and WriteDACL allows permission modification" |
| "How can WriteOwner be abused" | "Ownership can be changed to then grant full permissions" |
| "What is inheritance in AD" | "Permissions flow from parent objects to child objects" |
| "Why are ACL attacks stealthy" | "They abuse legitimate permissions without obvious exploitation artifacts" |
| "How can group membership be abused indirectly" | "By modifying nested groups or delegated admin groups" |
| "What are Shadow Credentials" | "Abuse of key-based authentication by adding malicious credentials to an account" |
| "Why is AdminSDHolder used for persistence" | "It periodically resets ACLs making malicious permissions reapply" |
| "How can GPOs escalate privileges" | "By deploying scripts or assigning local admin rights" |
| "What permissions allow GPO abuse" | "Edit or create GPO permissions" |
| "How does SYSVOL exposure help attackers" | "It stores scripts and policies readable by all domain users" |
| "What was the GPP vulnerability" | "Encrypted passwords stored with a known key in SYSVOL" |
| "How can logon scripts be abused" | "By executing attacker-controlled commands as privileged users" |
| "Why is local admin a turning point" | "It enables credential dumping and token abuse" |
| "What is SeImpersonatePrivilege" | "A privilege allowing impersonation of higher-privileged tokens" |
| "Why do Potato-style attacks work" | "They exploit token impersonation via privileged services" |
| "How do misconfigured services lead to privesc" | "Writable service binaries or paths allow code execution" |
| "How does SYSTEM access change AD attacks" | "It enables full credential access and machine account abuse" |
| "What is lateral movement" | "Using existing access to reach other systems" |
| "Why does SMB signing prevent NTLM relay" | "It cryptographically binds authentication to the session" |
| "How does BloodHound change engagements" | "It visualizes privilege escalation paths graphically" |
| "Why is WinRM often preferred" | "It is reliable, stealthy and uses Kerberos" |
| "What determines lateral movement success" | "Network reachability, protocol support and credential privileges" |
| "What is NTDS.dit" | "The AD database storing all domain credential data" |
| "How does DCSync work" | "It abuses replication to request password data from DCs" |
| "What permissions allow replication" | "Replicating Directory Changes and related rights" |
| "Why does DC compromise end engagements" | "It grants total domain control" |
| "What risks remain after password resets" | "Backdoors, tickets, ACL changes and persistence mechanisms" |
| "Why is persistence part of privilege escalation" | "Because long-term privileged access is the real objective" |
| "How can ACLs provide persistence" | "By granting hidden permissions to attacker-controlled accounts" |
| "Why is AdminSDHolder persistence hard to detect" | "It mimics legitimate system behavior" |
| "How do Golden Tickets enable persistence" | "They bypass authentication controls indefinitely" |
| "What are stealthier persistence methods" | "ACL abuse, GPO manipulation and delegation abuse" |
| "Which attacks trigger alerts most often" | "Credential dumping and noisy lateral movement" |
| "Why are ACL attacks harder to detect" | "They use valid permissions without obvious anomalies" |
| "What telemetry helps detect Kerberos abuse" | "Unusual ticket requests, delegation usage and event logs" |
| "How does tiered administration help" | "It limits credential exposure across trust boundaries" |
| "How should tradecraft change with hardened NTLM" | "Focus shifts to Kerberos, ACLs and misconfigurations" |
| "How do you choose between attack paths" | "By balancing likelihood, impact and detectability" |
| "How do you balance speed vs stealth" | "Based on engagement goals and detection tolerance" |
| "Why is DA not always the objective" | "Data access, persistence or trust compromise may be higher value" |
| "How do you explain privesc to stakeholders" | "As chained misconfigurations enabling unauthorized access" |
| "What remediation fits systemic AD privesc" | "Privilege review, ACL cleanup and architectural changes" |