Recon
Our first goal in enumeration is to map domain objects (users, groups, computers) and their relationships, because those relationships often reveal attack paths. Rather than immediately searching for Domain Admin access, it is better to widen the foothold first by compromising other users with similar or slightly elevated permissions. This protects us if the original account is disabled or its password reset. Some ways of achieving this are:
- Service Accounts: These often have more privileges than regular users and are prime targets for privilege escalation, even if they aren't Domain Admins.
- Credential Caching: When users log into domain-joined machines, their credentials may be cached locally. Stealing these credentials can allow attackers to escalate privileges.
- Crown Jewels: Critical resources (e.g., databases, file shares) often don't require Domain Admin access to reach. Compromising the right user might be enough.
- Chained Compromise: Instead of jumping directly to Domain Admin, attackers often escalate step by step by compromising multiple increasingly privileged accounts.
Service accounts run applications under the operating system and often have elevated privileges. These can be built-in accounts like `LocalSystem`, `LocalService`, and `NetworkService`, or domain user accounts used for more complex services.
A Service Principal Name (SPN) is the identifier a Kerberos client uses to request a service ticket for a specific service instance. It is registered in the `servicePrincipalName` attribute of the account that runs the service and takes the form `serviceclass/host:port/servicename`. Because any authenticated domain user can read that attribute, enumerating SPNs reveals which services run on which hosts and ports, and which accounts run them, helping identify targets without needing a full port scan. One caveat: the port in an SPN is whatever was registered when the service was set up, so treat it as a lead and confirm with a targeted scan before relying on it.
Managed Service Accounts (MSAs), introduced in Windows Server 2008 R2, give a service its own domain identity with a long, automatically rotated password that no administrator needs to know. A standalone MSA is bound to a single computer, so it can't back clustered or load-balanced services such as SQL Server failover clusters or Exchange. To solve this, Group Managed Service Accounts (gMSAs) were introduced in Server 2012, allowing one account to be used across multiple hosts. Because gMSAs require at least one domain controller running Server 2012 or later (and a KDS root key), some environments still use standalone MSAs. For recon, the attribute that matters on a gMSA is `msDS-GroupMSAMembership`: it lists the principals allowed to retrieve the account's password, and any of those principals (or anyone who can become one of them) can obtain the gMSA's credentials.
SPNs can be enumerated with .
See the net.exe and PowerView sections for enumerating domain information.
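The following is an added example, not code from the original page or from PowerView, covering both the SPN enumeration and the MSA/gMSA points above. It uses only the .NET `System.DirectoryServices` classes that ship with Windows, so it runs without PowerView or the RSAT ActiveDirectory module. It assumes a domain-joined host and a domain user (any authenticated user can read the attributes it queries); the function names `Search-Ldap`, `ConvertFrom-Spn`, `Get-ServiceAccountSpn` and `Get-ManagedServiceAccount` and the `corp.local` domain in the comments are my own choices, not anything from the page.

```powershell
# Added example (not from the original page): enumerate SPNs and managed
# service accounts over LDAP with built-in .NET classes, no PowerView needed.
# Assumes a domain-joined host and a domain user account.

function Search-Ldap {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @(),
        [string]$SearchBase            # e.g. 'LDAP://DC=corp,DC=local' (hypothetical); defaults to the current domain
    )
    if (-not $SearchBase) {
        $SearchBase = "LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase, $Filter)
    $searcher.PageSize = 1000          # paged search; without it results stop at the server's 1000-object limit
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

# Split an SPN of the form serviceclass/host[:port-or-instance][/servicename].
function ConvertFrom-Spn {
    param([Parameter(Mandatory)][string]$Spn)
    $class, $hostAndPort, $name = $Spn -split '/', 3
    $computer, $port = $hostAndPort -split ':', 2
    [pscustomobject]@{
        ServiceClass = $class
        Host         = $computer
        Port         = $port          # a port number or, for MSSQLSvc, an instance name; $null means the service default
        Name         = $name
    }
}

# Domain user accounts (not computers) that carry an SPN: these are the
# service accounts the text describes, running under a user rather than a
# machine identity. One output row per SPN.
function Get-ServiceAccountSpn {
    $filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))'
    $props  = 'samaccountname', 'serviceprincipalname', 'memberof', 'admincount'
    foreach ($r in Search-Ldap -Filter $filter -Properties $props) {
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            $p = ConvertFrom-Spn $spn
            [pscustomobject]@{
                Account      = $r.Properties['samaccountname'][0]
                ServiceClass = $p.ServiceClass
                Host         = $p.Host
                Port         = $p.Port
                AdminCount   = [bool]$r.Properties['admincount'][0]   # set when the account has been in a protected group
                Groups       = @($r.Properties['memberof'])
            }
        }
    }
}

# Standalone MSAs (msDS-ManagedServiceAccount) and gMSAs
# (msDS-GroupManagedServiceAccount). For a gMSA, msDS-GroupMSAMembership is a
# security descriptor whose ACEs name the principals allowed to retrieve the
# managed password, so it is resolved into account names here.
function Get-ManagedServiceAccount {
    $filter = '(|(objectClass=msDS-ManagedServiceAccount)(objectClass=msDS-GroupManagedServiceAccount))'
    $props  = 'samaccountname', 'objectclass', 'serviceprincipalname', 'msds-groupmsamembership'
    foreach ($r in Search-Ldap -Filter $filter -Properties $props) {
        $isGroup = $r.Properties['objectclass'] -contains 'msDS-GroupManagedServiceAccount'
        $readers = @()
        if ($isGroup -and $r.Properties['msds-groupmsamembership'].Count -gt 0) {
            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm([byte[]]$r.Properties['msds-groupmsamembership'][0])
            $readers = foreach ($rule in $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
                try   { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $rule.IdentityReference.Value }   # unresolvable SID (e.g. across a trust) is kept as a SID
            }
        }
        [pscustomobject]@{
            Account         = $r.Properties['samaccountname'][0]
            Type            = if ($isGroup) { 'gMSA' } else { 'MSA' }
            SPNs            = @($r.Properties['serviceprincipalname'])
            PasswordReaders = @($readers | Sort-Object -Unique)
        }
    }
}

# Usage: services grouped by host, then the managed accounts and who can read their passwords.
Get-ServiceAccountSpn | Sort-Object Host, Port | Format-Table Account, ServiceClass, Host, Port, AdminCount -AutoSize
Get-ManagedServiceAccount | Format-List
```

The `Port` field is deliberately left as a string: `MSSQLSvc` SPNs put an instance name after the colon, and casting to `[int]` would throw on those. When working from a host that is not domain-joined, pass `-SearchBase` with an explicit server, for example `'LDAP://dc01.corp.local/DC=corp,DC=local'` (hypothetical names), and run the shell under the domain credentials you hold.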