Active Directory

Active Directory (AD) is the richest source of information about the devices joined to a domain network, and it is also what gives system administrators control over those devices. It can be thought of as the phone book of the network: it stores information about every asset an attacker is likely to be looking for. AD offers so many capabilities that attackers are willing to spend whatever effort it takes to reach it once they have breached a network. Network scanners, insider threats, and remote access tools are all used to get there.

AD stores the names of the users in a network alongside their roles in the organization. It lets administrators reset the password of any user in the domain, which gives an attacker who controls it a very easy route to other computers on the network. It also lets administrators change user privileges, so an attacker can use it to elevate accounts to domain administrator. There are many more things an attacker can do from AD, which is why it is a key target of an attack and why organizations strive to secure the servers that play this role, the domain controllers.

By default, authentication in a Windows system that belongs to an AD domain takes place using Kerberos. Many services also register with AD to obtain a service principal name (SPN), which is the identity Kerberos uses when issuing service tickets for them. Depending on the Red Team's strategy, the first step in attacking AD is to perform reconnaissance on the environment, which could start by harvesting only basic information from the domain. One way to do that without making much noise is to use the PowerShell scripts from PyroTek3 (https://github.com/PyroTek3/PowerShell-AD-Recon): they query the directory over LDAP with the rights of an ordinary domain user and do not request any tickets, so they leave far less of a trace than ticket-based attacks.

For this basic info, you could use the following command:

Get-PSADForestInfo

The next step could be to find out which SPNs exist. To obtain all SPNs registered in the forest you could use this command:

Discover-PSInterestingServices -GetAllForestSPNs

This will give you a good amount of information that can be used to continue the attack. If you want to see only the service accounts that currently have an SPN configured (the accounts whose service tickets can be requested by any domain user and then attacked offline, which is why they are the usual next target), you could use the following command:

Find-PSServiceAccounts -Forest
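The commands above are a thin wrapper around two LDAP queries. The following is an added example, not part of the book and not code from the PyroTek3 repository, that performs the same reconnaissance with only the .NET DirectoryServices classes that ship with Windows, so it runs on any domain-joined host without installing a module. It assumes the host can reach a domain controller over LDAP (TCP 389) and that the caller is an ordinary domain user; the function name Get-SpnAccounts and the property names it emits are mine, not the scripts' own.

```powershell
# Added example (not from the book or the PyroTek3 scripts): enumerate the forest
# and every account that has a servicePrincipalName set, using only the .NET
# DirectoryServices classes that ship with Windows.
# Assumption: run on a domain-joined host as a normal domain user, with LDAP
# (TCP 389) reachable on at least one domain controller.

# --- Forest basics (the information Get-PSADForestInfo summarises) ---
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
[pscustomobject]@{
    Forest         = $forest.Name
    ForestMode     = $forest.ForestMode
    RootDomain     = $forest.RootDomain.Name
    Domains        = ($forest.Domains | ForEach-Object Name) -join ', '
    GlobalCatalogs = ($forest.GlobalCatalogs | ForEach-Object Name) -join ', '
} | Format-List

# --- SPN enumeration (what Discover-PSInterestingServices / Find-PSServiceAccounts do) ---
# One paged LDAP search per domain. '(servicePrincipalName=*)' matches every
# object with at least one SPN; the -UsersOnly filter drops computer objects so
# that only human-managed service accounts are returned.
function Get-SpnAccounts {
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS name of the domain to query
        [switch]$UsersOnly                        # service accounts only, no computers
    )
    $filter = if ($UsersOnly) {
        '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))'
    } else {
        '(servicePrincipalName=*)'
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$Domain"     # serverless bind, DC located via DNS
    $searcher.Filter     = $filter
    $searcher.PageSize   = 500                        # stay under the DC's MaxPageSize (1000)
    # Ask only for the attributes we need: smaller responses, less traffic on the wire.
    'samAccountName', 'servicePrincipalName', 'userAccountControl', 'pwdLastSet', 'objectClass' |
        ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties
        $uac = [int]$p['useraccountcontrol'][0]
        [pscustomobject]@{
            Domain     = $Domain
            Account    = [string]$p['samaccountname'][0]
            IsComputer = (@($p['objectclass']) -contains 'computer')
            Disabled   = [bool]($uac -band 0x2)        # ACCOUNTDISABLE flag
            # pwdLastSet is a Windows FILETIME; 0 means the password was never set
            PwdLastSet = [datetime]::FromFileTimeUtc([int64]$p['pwdlastset'][0])
            SPNs       = @($p['serviceprincipalname']) -join '; '
        }
    }
}

# Walk every domain in the forest. User service accounts are listed first and
# sorted by password age: the oldest, human-chosen passwords are the weakest link.
foreach ($d in $forest.Domains) {
    Get-SpnAccounts -Domain $d.Name -UsersOnly |
        Sort-Object PwdLastSet |
        Format-Table Account, Disabled, PwdLastSet, SPNs -AutoSize -Wrap
}
```

Nothing here requests a Kerberos ticket, so it generates no 4769 (service ticket request) events on the domain controllers; the only trace is the LDAP search itself, which is logged only where the defenders have enabled LDAP query logging or monitor the wire. Drop -UsersOnly to include computer accounts (for example SQL Server and Exchange hosts), which is what the -GetAllForestSPNs switch above returns.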

You could also leverage mimikatz to list the Kerberos tickets cached in the current logon session, which does not require administrative rights, using the following command:

mimikatz # kerberos::list

Another approach is to attack AD by exploiting the vulnerability MS14-068 (9). Although this vulnerability is old (November 2014), it is very powerful, since it allows a user with any valid domain account to obtain domain administrator privileges: the attacker embeds a forged Privilege Attribute Certificate (PAC) that claims membership of the administrative groups in a ticket-granting service request (TGS-REQ) sent to the key distribution center (KDC), and an unpatched KDC does not properly validate the PAC's signature and issues a ticket carrying those forged memberships. The fix shipped as KB3011780, so the attack only works against domain controllers that are missing that update.
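Because the attack only succeeds against domain controllers missing the update, the practical first step on both sides is to check whether any DC still lacks it. The following added check is not from the book; it locates every domain controller in the current domain and asks each one, over WMI with Get-HotFix, whether KB3011780 is installed. It assumes RPC/WMI access to the DCs (normally an administrator's view, not an attacker's), and the DC and Status field names are mine.

```powershell
# Added check (not from the book): is KB3011780, the fix for MS14-068, installed
# on every domain controller in the current domain?
# Assumption: the caller has RPC/WMI access to each DC (Get-HotFix uses WMI).
# Caveat: operating systems released after the fix (Windows Server 2016 and later)
# never needed the KB and will never list it, so read Status together with OS.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    try {
        $fix   = Get-HotFix -Id KB3011780 -ComputerName $dc.Name -ErrorAction Stop
        $state = "KB3011780 installed on $($fix.InstalledOn)"
    } catch {
        # Get-HotFix raises an error both when the KB is absent and when the host
        # cannot be reached; keep the message so the two cases can be told apart.
        $state = "KB3011780 not found: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DC     = $dc.Name
        OS     = "$($dc.OSVersion)"
        Status = $state
    }
}
```

A DC running Windows Server 2008, 2008 R2, 2012 or 2012 R2 that reports the KB as missing is the condition the paragraph above describes; anything newer is not affected regardless of what Get-HotFix returns.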
