Hacking Windows Active Directory in 10 minutes

So you are basically probing the domain for bad permissions.

Exactly. We're looking for uh the user that we have compromised or a group that that user is in. We're looking for where there are any permissions that might give us an edge somewhere else or allow

us to pivot or elevate our privileges somewhere that you know using the permissions that we currently have. And

we're going to see a couple things here.

We're going to look and see, okay, it's set for server authentication and it we can see in the enrollment permissions that template managers can enroll. So,

we know that Susie can now enroll in this template. But in order to abuse

this template. But in order to abuse this, there's a couple conditions that need to be met. Wow, dude. And that

took, if I hadn't interrupted you, 5 10 minutes maybe. What's crazy too is you

minutes maybe. What's crazy too is you can automate that because you can automate the searching for it, the abuse of it. And this is one of the most

of it. And this is one of the most dangerous attacks in that I see in internal pentesting.

Everyone, David Bumble back with a very special guest. Spencer, welcome to the

special guest. Spencer, welcome to the show.

David, thanks for having me, man.

Great to have you here. Now, before we continue with the interview, I need to say that this video is sponsored by Threat Locker. I really want to thank

Threat Locker. I really want to thank them for sponsoring this video and my trip to ZTW26. Spencer, you actually presented this demo here in the hacking labs. Is that right?

labs. Is that right?

Yeah, yesterday. It was super fun. It

was a packed house. It was just a blast.

So just for people who don't know you or don't know about your YouTube channel, give us a bit of your background and what you've been up to in the last few years.

Yeah. So I've been a internal pentester specifically for the last 5 years or so, but I like to jokingly say I'm a recovering CIS admin cuz I grew up in IT help desk. That's how I got started in

help desk. That's how I got started in IT and security. IT help desk to CIS admin to now pentester and Windows active directory internal environments is kind of my happy place. So that's

kind of how I approach pentesting and security in general. So you have your own YouTube channel. What kind of content are you posting?

Yeah. So a lot of the stuff that I grew up with is IT security stuff, IT help desk. So that's the kind of the crowd

desk. So that's the kind of the crowd and people I resonate most with. So

that's the kind of content I like to make is like the content that for for me when I was an IT admin, it's the content that I wish I had from a security perspective.

So a lot of the stuff that I talk about on YouTube on my uh YouTube channel at TechSpense is for IT admins, CIS admins, IT security folks, and a little bit for pentesters. Um, and that's the primary

pentesters. Um, and that's the primary kind of motivator for my content.

So, I've put Spencer's YouTube channel link below. Go sub. Go show the love

link below. Go sub. Go show the love because today you're gonna show something really cool.

Yeah. So, I'm super excited and I think this is kind of a unique approach to pentesting um because it's Windowsbased which is different from the Cali world of pentesting, but uh so to set this up,

we've got uh a couple things in this lab and we're going to find misconfigured permissions.

So, sorry, just uh to interrupt. This is

a active directory hack. Is that right?

So what we're doing is an AD hacking lab. Love it. Active directory. And so

lab. Love it. Active directory. And so

what we're going to start with is we're going to look for misconfigured permissions. It's one of the most common

permissions. It's one of the most common issues that I see in internal pen testing against active directory is you have a whole bunch of permissions and a lot of them are misconfigured, right?

Allowing a lot of different dangerous things. So the first thing we're going

things. So the first thing we're going to do is we're going to look for misconfigured permissions. That's going

misconfigured permissions. That's going to lead to a certificate abuse. We're

going to have some ability to modify a certificate template in active directory certificate services and then we're going to use that to elevate to do domain admin and log into a domain controller and own the whole thing.

I love that. So there's three parts basically right?

There's three parts. There's the control path, there's the certificate abuse, and then the elevation to domain admin to own the whole domain.

So I know some of you don't want to watch the whole thing. You just want to go to straight hacking. So I've put timestamps below if you want to jump ahead. Take it away. Awesome. So, one of

ahead. Take it away. Awesome. So, one of the first tools I use to find these control paths is called Adeleig. And

Adeleig is an active directory delegation management tool. So, what's

cool about this is it only shows you the non-default delegations. So, you can

non-default delegations. So, you can find interesting things by going to index view by and trustees and just this is this is just a certain way to sort the view. So, it looks very easy.

the view. So, it looks very easy.

Sorry, I'm I'm I'm a bit slow, right?

So, this software is it part of Windows or do you download it from somewhere?

So, this is a free tool you can download on GitHub. Yeah. And it's great. And

on GitHub. Yeah. And it's great. And

it's, like I said, it's an active directory delegation management tool.

Nice.

So, we can open this up. We connect it to our domain. As long as you run this on a domain computer, you can open it right up. And when you log in, you can

right up. And when you log in, you can kind of sort through this and look for dangerous delegations. And kind of what

dangerous delegations. And kind of what we're looking for is unsafe users or unsafe groups and unsafe permissions. So

one example is where domain users has this permission called write all properties on this security group called template managers and we can imagine what template managers might be able to

do manage templates. So this is a dangerous permission. Uh so this is the

dangerous permission. Uh so this is the kind of control path or attack path that we're looking for in active directory.

So I'm going to ask I know we're going to get these comments right. This

software you had to run on a domain controller.

This software you can run on any domain joined computer.

Oh so it doesn't have to be a controller. Sorry, a domain controller.

controller. Sorry, a domain controller.

It can just be any workstation or something that's connected to the domain.

Any workstation connected to the domain.

What's great is you don't need any admin rights to run this. As long as you have a user that can read Active Directory, you can run this.

How do I get the software on the computer? Somehow I've had to compromise

computer? Somehow I've had to compromise the computer or it's I'm in I I have internal access somehow so I can install the software. Right.

the software. Right.

Exactly. So from an attacker perspective, what an attacker might do is fish a user, get them to click on some sort of link and and now they have malware or an implant running on their

computer. Then they would kind of bring

computer. Then they would kind of bring that tooling into the environment. In a

lot of cases, like with ransomware, they're using RMM tools, right? Like a

terra and any desk and a lot of those things. So thread actors might download

things. So thread actors might download their tools through that connection and then use that. Now, I'm not necessarily seeing attackers use Adele egg specifically, but they're using this

methodology to find unsafe users and unsafe permissions to attack the environment. Yeah. But the reason I like

environment. Yeah. But the reason I like this is because it's really convenient for IT admins to find it, right?

IT admins aren't going to run like these crazy offensive tools.

They just want to run something and be able to see it. And this is a really convenient way to do that.

That's great.

So, the next tool that I want to showcase is something called Net Tools.

Net Tools is a self-proclaimed Swiss Army knife for CIS admins. And you can see here like there's a whole bunch of stuff that you can do with this. I'm

just going to show one thing and I'm going to show how to find those permissions, those dangerous permissions that we just looked at with this. So,

you open up Net Tools. Again, this is a free tool. This one isn't on GitHub, but

free tool. This one isn't on GitHub, but you can go to the Net Tools website and download this. And you connect it uh on

download this. And you connect it uh on any domain join system that has a regular lowprivilege user that can read Active Directory. You connect and then

Active Directory. You connect and then you go to assign trustees and you click go.

And this shows you a whole bunch of trustees. But what's cool is you can

trustees. But what's cool is you can right click on these and you go to find assignments.

Yep.

And then you can see this template manager's permission is right there.

Super easy and convenient to use. And we

can see they have full control.

Okay. Not great, right?

Not great. Not great in this scenario.

So you are basically probing the domain for bad permissions.

Exactly. We're looking for uh the user that we have compromised or a group that that user is in. We're looking for where there are any permissions that might give us an edge somewhere else or allow

us to pivot or elevate our privileges somewhere that you know using the permissions that we currently have.

And this kind of stuff is happening all the time in the in the wild all the time. This is you know I call this insecure domain ACL's insecure domain permissions. This is one of the

domain permissions. This is one of the most prevalent issues that I find on internal pentest.

Yes. Yeah. So, I mean, you've been testing for 5 years. Is is it a lot of it internal AD hacking?

I only do internal and it's kind of funny. I was doing some analysis in the

funny. I was doing some analysis in the last year. I've done over a thousand

last year. I've done over a thousand hours of internal pentesting. Just in

2025. In the last 5 years or so, I've pentested like 130 plus organizations of all different sizes and industries.

So, I'm curious percentage maybe give us a percentage. Is it 50%, 75%, 99%? How

a percentage. Is it 50%, 75%, 99%? How

much how many of them can you actually hack?

In terms of getting domain admin access, it's actually gone down over the last few years. We're getting we're seeing it

few years. We're getting we're seeing it less and less and less. It's still a significant portion because of these issues. And that's why I picked some of

issues. And that's why I picked some of these for this lab is insecure permissions is very prevalent. These

certificate abuse issues are very prevalent. Um, and these are some of the

prevalent. Um, and these are some of the most common issues that I find. So, it's

going down, but it's still quite significant. So now what we're going to

significant. So now what we're going to do is we're going to look we have we know we have permission insecure permissions right we have an abuse on template managers we know we can control that security group

so now we need to know okay what can this template managers do we can obviously assume by the name that we can manage the templates but one of the nice ways to find misconfigured certificate

template issues is using a tool called locksmith locksmith is another free tool you can get this one on GitHub created by a guy named Jake Hilddrth uh it's a super great tool but it's an active

director certificate services auditing tool and it finds all these misconfigured certificate templates and ADCS issues. So what we're going to do

ADCS issues. So what we're going to do here is we can run invoke locksmith and I like running this with mode zero. It

shows it right to the screen and when we run this we see that there's no ADCs issues found which is interesting right because we just saw that we have control over template managers. Now, I point

this out to say that just because we have some sort of insecure permissions and just because the tooling output says there's no issues doesn't mean there actually is no issues. All right, I'm going to clear the screen and run the

next command. So now we're going to take

next command. So now we're going to take a look at the template manager group and we can see that the there's one member and it's IT admin. So we know that that group is probably being used somewhere.

So because we have full control, full control means we can do pretty much anything to that security group which also means we can add users to that group. So, we're just going to add our

group. So, we're just going to add our our user, who is Susie, who who we've compromised. Susie in accounting is like

compromised. Susie in accounting is like the persona that I like to use on the internet. And so, we've added her to the

internet. And so, we've added her to the group using ADRs tools. It's just built into Windows and you can install it. And

then we're going to check the group membership again. We see Suzie's a

membership again. We see Suzie's a member of that group. Like, great.

Awesome. Now, we're going to go and look for a certificate template that we can abuse. So, we're going to use certify.

abuse. So, we're going to use certify.

Now, I have on the screen here, it says certify one and certify two. Here

there's two different versions of certify. This is another free tool you

certify. This is another free tool you can get on GitHub. This is an offensive tool. Like this is a pentester tool and

tool. Like this is a pentester tool and there's two different versions. Like I

said, the folks who created it super awesome. They were just released a new

awesome. They were just released a new version just recently. So that's why there's two. The second one just makes

there's two. The second one just makes it a little bit easier to use the certificate. So we're going to run

certificate. So we're going to run certify and we're going to show all the permissions of all of the certificate templates that are in the environment.

And we're going to see one here web server 2026. And we're going to see a

server 2026. And we're going to see a couple things here. We're going to look and see, okay, it's set for server authentication.

And it we can see in the enrollment permissions that template managers can enroll. So we know that Susie can now

enroll. So we know that Susie can now enroll in this template. But in order to abuse this, there's a couple of conditions that need to be met. And this

is something called ESC1 and ESC4. So

the issue that we have currently, it's called ESC4 by its common, you know, nomenclature. That just means we have

nomenclature. That just means we have modify permissions on this template. In

order to abuse this to say elevate to domain admin, we need to modify this just slightly so that we can request a certificate template as a domain admin.

So essentially, we're going to impersonate a domain admin. So in order to do that, there's a couple things.

One, we need to the ability to supply an alternate SAN or a subject alternative name. And this is where we're getting

name. And this is where we're getting into the weeds. So this goes for it.

So in order to abuse this template, we need to change it so we can supply an alternate sand. So a subject alternative

alternate sand. So a subject alternative name. We need it set for client

name. We need it set for client authentication and we need to make sure there's just no manager approval or any other flags that are set on the template that would prevent it. So we can see here we have

prevent it. So we can see here we have server authentication, we can enroll, but we're missing that subject alternative name uh flag on the template. So because template managers

template. So because template managers has permissions to modify this template, we can just modify it ourselves. So,

we're going to go ahead and we're going to add the supply subject and the client off uh flags to this certificate template.

And when we do that, we can show the permissions again. And it'll show us the

permissions again. And it'll show us the settings on the template. And we can see enrolly supply subject. We can see client authentication and we can see template managers is there. We can

enroll. Great. So, now we have all the conditions for ESC1. So just to recap quick, we went from insecure permissions with this control path, changing the certificate template to now we can abuse

a template to impersonate any user in the domain. So we're going to pick on

the domain. So we're going to pick on the IT admin here because why not? He's

a domain admin.

Exactly. Right.

So we're going to run certify 2. Certify

is the new version and the new version just makes it easier. You don't have to run the open SSL command to convert the cert certificate file to a B 64 blob.

Certify 2 does it for you automatically.

So we run certify 2. Now this command is requesting a certificate template essentially on behalf of the IT admin.

We're using the IT admin's UPN or the username in the SAN field. So the cert the subject alternative name. And

because you can authenticate to the domain and to Keraros with certificates, we can use a certificate to authenticate as a domain admin.

Well done. Well done.

So we're going to take this blob. We're

going to remove the line brakes and we're going to throw it into another tool called Rubius. Rubius is a Keraros uh attack tool. Essentially, this is another offensive security tool you can get on GitHub. Another great tool, but

essentially allows you to do certain things with Keraros like requesting tickets using certificates. So, that's

what we're going to do here. We're going

to request a certificate as the IT admin and then we're going to authenticate as that IT admin to the domain controller.

Well done. So we can see ticket successfully imported and we can do a lot of fun stuff after this. But just as a proof of concept, we can show that we now have access to our domain

controller. And just to add insult to

controller. And just to add insult to injury, we can connect with my favorite one of my favorite tools for lateral movement which is PS remoting to connect to the domain controller. And you know

just to prove who we are, we are IT admin. We are a member of domain admins

admin. We are a member of domain admins now on the domain controller.

Wow, dude. And that took, if I hadn't interrupted you, 5 10 minutes maybe.

What's crazy too is you can automate that because you can automate the searching for it, the abuse of it. And

this is one of the most dangerous attacks in that I see in internal pentesting.

Yeah. I was just going to ask you. So

this is this is real. This is what you're seeing out there in the wild.

Yeah. This is probably one of the most common internal pentest findings that I see. And it's very dangerous because

see. And it's very dangerous because it's one of those things you don't necessarily you don't necessarily find it until you go looking for it. Now,

just to show we've modified that template, we can run locksmith again and we can see there's our vulnerable template that we modified to be an EC1.

So, locksmith is a great tool. It's one

of the ones I use to find all these issues, but it's very prevalent in a lot of environments, particularly because ADCS is something that's stood up by IT admins and then that person who created

it left or an MSP set it up. There's a

lot of technical debt that's involved with this and a lot of these issues just get missed.

Okay, Spencer, so I'm slow. So, just to recap, you got access to a user's computer. Let's say like Susie is the

computer. Let's say like Susie is the user. That user is just a standard user.

user. That user is just a standard user.

Doesn't have any serious permissions.

Exactly. and then just give us the rundown of like what you did.

Yeah, so it's kind of an assume breach approach where we compromised Suz's workstation. We looked for misconfigured

workstation. We looked for misconfigured permissions in the environments, insecure permissions, particularly write all properties on this template manager security group. This template manager

security group. This template manager security group can manage templates and it can modify the properties of all these different templates. So we

identified a template. We changed the template permissions to be able to impersonate a domain admin via the ESC1 attack and then we carried out the ESC1 attack to impersonate a domain admin.

And then we use that certificate to authenticate and then from that point we are essentially the IT admin. We're

impersonating them. We can log into the domain controller. We can authenticate

domain controller. We can authenticate as them and do whatever we want essentially as that IT admin. So when

you're doing the pentest, are you making a lot of noise or is a lot of this just like standard tools so it won't be picked up?

Yeah. So the certified tool, Rubious, they're very uh detectable now. They

have a lot of signatures, a lot of EDR and antivirus products are going to pick those up. But what thread actors are

those up. But what thread actors are doing too is they are tunneling or you know proxying their tools into the environment sometimes too through like a C2 tool. So the tools that thread actors

C2 tool. So the tools that thread actors are using are not necessarily always running on the endpoint. For us for internal pen testing, just out of convenience, a lot of times we do run them on the endpoint, but thread actors will many times proxy them in. So you

don't actually see it. You just see the network traffic. So that does make it

network traffic. So that does make it much more difficult to identify. But

there are products like identity security products that are getting better at picking up these certificate abuse attacks. So, Defender for Identity

abuse attacks. So, Defender for Identity or Microsoft uh identity, those kinds of tools that are looking for those certificate abuse attacks and relaying attacks and pass the hash, pass the

ticket kind of things are getting detected. So, those two tools definitely

detected. So, those two tools definitely will get detected if you run them on an endpoint.

Okay, Spencer. So, I love this. I'm

watching this video. Let's say I want to become like you. What do I do?

So, uh I get this question often of of people who are blue teamers and they're like, "Oh, this pentesting stuff is cool. like I want to do it. My first

cool. like I want to do it. My first

advice and this is kind of like counterintuitive I guess but make sure that you enjoy the all the aspects of pentesting because one of the things I tell people is part of a pentesting job

is you know 10% of it is actually doing the hacking and the fun stuff. There's

client work, there's administrative stuff, you have to manage your schedule and manage your workload. So there's

quite a bit that goes into pentesting than just the AD and the hacking side of things. So that's the first thing that

things. So that's the first thing that people don't necessarily realize when you're getting into pentest.

The boring part that they don't want to know about.

Exactly. So that part isn't fun. The

hacking and all that stuff is super fun and researching. So if you do are

and researching. So if you do are interested in this field, my recommendation is to try different things. particular if you don't know

things. particular if you don't know what type of pentesting you want to do.

Maybe you like AD hacking, maybe you like web or API. Use platforms like Try Hackme and Hack the Box and all the platforms out there to kind of taste the different types of security and

pentesting that you like. And usually if you're into it, one will kind of stand out to you. you you'll kind of gravitate towards one and then you just go all in on that one and learn everything you can and follow

people um on the internet who are doing that thing and surround yourself in the community with people that are are practicing that specific type of pentesting. So those are the two best

pentesting. So those are the two best advices pieces of advice I have for people that want to get into the industry to try different things, taste it and then follow people in the community and interact with them and see

what they're doing. So try hackme hack the box taste see what I enjoy. Let's

say I really want to do AD hacking um Windows type hacking. Do you have any recommendations when it comes to like certifications that I should get? Is it

OCP? Is it something from TCM? Is it

something from someone else? Yeah. You

know how do I become like you? Cuz it's

like okay this is really interesting.

Absolutely. I think one of my favorites and a certification that I took early on was PNPT by TCM. I think it's super great. It's very practical and what I

great. It's very practical and what I like about it is it's a 5-day exam. So,

it's not like a rush. You have you can take your time and you can fail and you can make mistakes. You still have a lot of time to go through it. It's very

practical. They start you with an external and then it turns into an internal and then you're hacking AD and then eventually getting domain admin and kind of the same thing we showed here where you're compromising the domain and

then what's really cool is you do a debrief after. So, that's kind of like a

debrief after. So, that's kind of like a real pentesting job. You might start with an external. You might find initial access, compromise the domain, and then you have to actually talk to the client

and describe to them what you found and why it's an issue and the impact of it.

So, PMPT is super great. I think it's very practical obviously in the name.

Um, another one that's really good for Windows, if you go to like the next step is CRTO, okay, by zero point security.

That one's a little bit more redteamer like assume breach focused. You're using

uh a C2 product and you're kind of getting more in the weeds. It's very

much more technical. But those two, like if you want to hack AD and do an AD pentest and internal pentesting, those are two of my favorite to kind of really kind of understand the topics and get a

good foundational base of of knowledge to go forward with.

Can I go straight to that or do I need like 5 years or like you were you've been doing this for many many years. Do

I need a lot of CIS admin experience first?

So for PNBT, uh I would have some IT experience like you have to know your way around a computer. Um, but I don't think uh you need a ton of experience to get started in PNPT. For CRTO, that's

definitely an intermediary, right? I

would take that after you've got some experience with some other searchs like PNPT and then kind of jump into that.

So, we're at zero trust world. A lot of the people here are probably blue teamers rather than red teamers. So, you

find this stuff, you give them some scary report and then they're like pulling their hair out saying, "Okay, what do we do?" So, how do you like prioritize or recommend that they prioritize certain things? Have you got any advice for blue teamers? So, it's a

great question. Uh, obviously the issue

great question. Uh, obviously the issue that I showed today is like very critical, right? This would be a

critical, right? This would be a critical in the report and there'd be a lot of details around that, but my advice is in the report you're going to have a certain severity for findings.

Critical high, medium, low, and obviously most of the time the criticals are going to be the most important ones, but you have to also consider your environment, right? And you have to

environment, right? And you have to consider there might be some push back for a lot of these changes particularly if you're a bigger organization bigger IT team you might have infrastructure team uh infrastructure team that's

managing VMware and your hypervisors and stuff and if you go change your certificate templates they might break and then the infrastructure team might be mad at you and never trust you again. So my advice

is to coordinate and especially if you're larger teams, coordinate with those other teams. Get them involved in the decision-m process and don't do it in a silo by your own by yourself in a

vacuum. So that's my advice is help

vacuum. So that's my advice is help bring people in who have expertise in those issues that were found and figure out a plan that makes sense to move forward and and figure out how to prioritize that by including people in

the process.

Okay. I'm an introvert. I like to hack.

I don't like to talk so much to people.

Do I have to overcome that to become a pentester? Because I'm assuming you have

pentester? Because I'm assuming you have to deal with people.

If you want to be a consultant, uh yes, I think absolutely it's part of the job.

U you manage a workload, you email clients, you interface with them often.

Now, if you want to be a pentester like internally like maybe on an internal red team somewhere and you're just doing that, that would probably be more realistic where you just do your hacking thing and you don't have to like talk to

a lot of people. But I think any job you have to talk to people at some extent.

So yeah, I mean I I I think it's important to highlight that technical skills are really important, but you have to have some soft skills as well, right? That's that's the number one

right? That's that's the number one thing we see with these pentest reports is there's a lot of these technical findings. The CIOS and the CISOs come

findings. The CIOS and the CISOs come into the meeting, you're like, okay, but what does this actually mean? Right?

Like somebody has to get access to the environment first. They've got to do all

environment first. They've got to do all these things that you did to abuse this.

And we're like, yes, in the grand scheme of things, right? They have to get access. They have to do a certain thing.

access. They have to do a certain thing.

So we try to bring it up a level to the board to the executive level to say what is the actual risk of this what is the impact to the organization what does it mean in terms of downtime and money loss

to the organization cuz the CIOS the CFOs that's what they care about right if I lose money if I if my neck is on the line it I need to know that or if it's just these silly little vulnerabilities like

I can you know you guys go off and you do them so they need to figure out how much they got to be involved in that process so real build versus YouTube. In the

real world, I'm assuming most organizations are using Windows, so there's a lot of opportunities to do Windows hacking. Absolutely. Actually,

Windows hacking. Absolutely. Actually,

uh Cliff Fischer, who used to work at Microsoft, was just on another podcast, the hybrid identity podcast, and he showed a slide. I put this on social media, but he showed a slide showing

like how many organizations are ADON versus hybrid AD Entra. 50% still have their workload in AD. And what was also interesting was that he showed a graphic

that said how many organizations that have AD will get to 50/50 hybrid AD onrem in the next 10 20 years. 20%.

Oh wow.

20% will get to 50% hybrid in the next 20 years. So AD, this a joke I say like

20 years. So AD, this a joke I say like long live AD, right? Everybody says AD is dead. It's going away. I'm a I'm a

is dead. It's going away. I'm a I'm a hold out, right? I'm like I hope it never goes away. I don't think it will.

uh active directory is alive and well and to your point yeah a lot of organizations still run Windows still have on-prem costs are getting expensive for cloud as compute goes up and it gets

more and more inexpensive so people are even coming back to onrem so very much so fantastic demo love this Spencer how can people learn from you can they reach out to you and perhaps LinkedIn or is it

just your YouTube channel where where the places that they can follow you absolutely I appreciate you having me on this has been super fun uh so I'm at I'm at techpense pretty much on all platforms forms XM most active uh but

LinkedIn you can just follow me uh on LinkedIn uh connect with me there send me a DM if you're getting into pentesting I'm more than happy to answer questions for folks of like helping and stuff like that so it's Spencer Allessie

on LinkedIn but otherwise it's Tech Spence uh pretty much anywhere else axe YouTube and all that thanks so much thank you David I appreciate