
# AD DS

Active Directory Domain Services (AD DS) is the beating heart of many Windows environments, and therefore a convenient place for attackers to set up camp. This page is a mock overview of common AD DS abuse paths, detection ideas, and basic operational notes.

# Kerberoasting

Kerberoasting targets service accounts by requesting service tickets (TGS) and cracking them offline. If a service account has a weak password, it’s basically a gift basket.

# What you need

  • A domain user account (often any authenticated user).
  • Network reachability to a domain controller (for ticket requests).
  • SPNs set on service accounts (the whole point).

# Why it works

Kerberos service tickets are encrypted with the service account’s key. If you can obtain the ticket, you can try cracking it offline. The domain won’t rate-limit your GPU.

```powershell
# Requires the RSAT ActiveDirectory module on the machine running this.
Import-Module ActiveDirectory

# Create a global security group named "Students" in the default Users
# container (the backtick line continuations were flattened in the original).
New-ADGroup `
    -Name "Students" `
    -SamAccountName "Students" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "CN=Users,DC=corp,DC=contoso,DC=com"
```

# Quick checklist

  • Enumerate SPNs.
  • Request TGS tickets.
  • Export hashes.
  • Crack responsibly (or don’t, depending on which side of the fence you live on).

# Defensive notes

  • Use long random passwords for service accounts.
  • Prefer gMSA where possible.
  • Monitor for abnormal volumes of TGS requests.
  • Track SPN changes and unusual account usage.

# AS-REP Roasting

AS-REP roasting is similar in spirit, but targets users with "Do not require Kerberos preauthentication" enabled. That setting is basically “please crack me.”


# What you need

  • A username list or a way to enumerate users.
  • Accounts with preauth disabled.
  • Offline cracking capability.

# Basic flow

  1. Find accounts without preauth.
  2. Request AS-REP for those users.
  3. Crack offline.

# Detection ideas

  • Look for unusual AS-REQ patterns for many users.
  • Alert on preauth disabled changes.
  • Enforce policy: preauth disabled should be rare, documented, and audited.
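As an added example (not part of the original page), here is a small Python detector that applies the Kerberoasting defensive notes above and these AS-REP detection ideas to constructed event lines modelled on Security log events 4769 (TGS request) and 4768 (TGT request); the one-line field format, the field names and the threshold of three SPNs are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): one-line renderings of the
# Security log fields of 4769 (TGS request) and 4768 (TGT request).
SAMPLE_EVENTS = [
    "4769 account=alice@CORP.LOCAL service=MSSQLSvc/db01 etype=0x12",
    "4769 account=alice@CORP.LOCAL service=HTTP/web01 etype=0x17",
    "4769 account=mallory@CORP.LOCAL service=MSSQLSvc/db01 etype=0x17",
    "4769 account=mallory@CORP.LOCAL service=HTTP/web01 etype=0x17",
    "4769 account=mallory@CORP.LOCAL service=CIFS/files01 etype=0x17",
    "4769 account=mallory@CORP.LOCAL service=ldap/dc01 etype=0x17",
    "4768 account=bob@CORP.LOCAL preauth_type=2 etype=0x12",
    "4768 account=svc-legacy@CORP.LOCAL preauth_type=0 etype=0x17",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split 'EVENTID key=value ...' into a dict that includes the id."""
    event_id, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["id"] = event_id
    return fields

def find_roasting_candidates(lines, tgs_threshold=3):
    """Return ({account: distinct RC4 SPNs requested}, {no-preauth accounts}).
    RC4 (0x17) TGS for many SPNs from one account suggests Kerberoasting;
    a 4768 with Pre-Authentication Type 0 is a logon without preauth."""
    rc4_spns = defaultdict(set)
    no_preauth = set()
    for line in lines:
        ev = parse_event(line)
        if ev["id"] == "4769" and ev.get("etype") == "0x17":
            rc4_spns[ev["account"]].add(ev["service"])
        elif ev["id"] == "4768" and ev.get("preauth_type") == "0":
            no_preauth.add(ev["account"])
    suspects = {acct: len(spns) for acct, spns in rc4_spns.items()
                if len(spns) >= tgs_threshold}
    return suspects, no_preauth

if __name__ == "__main__":
    suspects, no_preauth = find_roasting_candidates(SAMPLE_EVENTS)
    for acct, n in suspects.items():
        print(f"possible Kerberoasting: {acct} requested RC4 TGS for {n} SPNs")
    for acct in sorted(no_preauth):
        print(f"AS-REP without preauth: {acct}")
```

In a real deployment the fields would come from the event XML (for example via Get-WinEvent), and the SPN threshold should be baselined per environment, since legacy systems legitimately request RC4 tickets and will otherwise generate noise.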

# Rubeus example

Rubeus is frequently used to interact with Kerberos tickets and perform operations like Kerberoasting, AS-REP roasting, pass-the-ticket, and more. This is a mock snippet, not a real playbook.