At SynerComm's Fall IT Summit 2018 we presented a talk about the top 5 attacks used to compromise a Domain Administrator account. As a short recap, the top five are the following:
- Permissive Global Group Access + mimikatz - This is the classic case where a Domain Administrator logs into a machine on which the Domain Users group is a local administrator. Any user on the network can then log into that machine and extract the administrator's password from memory. 
- LLMNR and NBT-NS Poisoning - LLMNR and NBT-NS can be used to capture the NTLMv2 hash of users who mistype the name of an SMB share or HTTP address. 
- SYSVOL Passwords + Leaked AES Keys - Although this vulnerability came out years ago, many companies still have cpassword fields in their SYSVOL XML files that can be decrypted using the leaked Microsoft AES key. 
- Kerberoasting - Due to Microsoft's implementation of the Kerberos protocol, any domain account can obtain the krb5tgt hash for a domain user account used to run a service. Strong passwords must be enforced on these accounts. 
- DC Backups - If a backup file of a domain controller is found on a share that is not properly secured, it is trivial to extract the NTDS.dit database and pull all the NTLM hashes for the domain. 
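To show what a self-audit check for the SYSVOL password issue looks like in practice, here is an added example (not part of the original talk or the AssureIT kit) that walks a SYSVOL directory tree and reports every Group Policy Preferences XML file that still carries a `cpassword` attribute. It does not decrypt anything; for an audit, the presence of the attribute is the finding. The sample XML and the cpassword value are constructed, and the `demo()` function builds a temporary directory tree to stand in for `\\domain\SYSVOL`.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a GPP Groups.xml that still embeds a cpassword.
# The cpassword value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin"
        changed="2018-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="EXAMPLE_BASE64_CPASSWORD_VALUE" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""

# Constructed sample of a clean Groups.xml (no stored credential).
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="helpdesk"><Properties action="U" userName="helpdesk"/></User>
</Groups>
"""

# GPP preference files that are known to carry cpassword attributes.
GPP_FILENAMES = {"groups.xml", "services.xml", "scheduledtasks.xml",
                 "datasources.xml", "drives.xml", "printers.xml"}


def find_cpasswords_in_xml(text, source="<string>"):
    """Return one finding per element carrying a cpassword attribute."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # Unparseable file: report nothing rather than crash the whole scan.
        return findings
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if cpw:
            account = (elem.attrib.get("userName")
                       or elem.attrib.get("accountName") or "")
            findings.append({"file": source, "element": elem.tag,
                             "account": account, "cpassword_length": len(cpw)})
    return findings


def scan_sysvol(sysvol_root):
    """Recursively scan a SYSVOL-like tree for GPP files with cpassword fields."""
    findings = []
    for path in Path(sysvol_root).rglob("*"):
        if not path.is_file() or path.name.lower() not in GPP_FILENAMES:
            continue
        try:
            text = path.read_text(encoding="utf-8-sig", errors="replace")
        except OSError:
            continue
        findings.extend(find_cpasswords_in_xml(text, str(path)))
    return findings


def demo():
    """Build a constructed SYSVOL-style tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        pol = Path(tmp) / "Policies" / "{GUID}" / "Machine" / "Preferences"
        (pol / "Groups").mkdir(parents=True)
        (pol / "Groups" / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        (pol / "Drives").mkdir()
        (pol / "Drives" / "Drives.xml").write_text(SAMPLE_CLEAN_XML, encoding="utf-8")
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: element <{f['element']}> stores a cpassword for "
              f"account '{f['account']}'")
```

Point `scan_sysvol()` at the mounted SYSVOL share of each domain to run it for real. Any hit should be remediated by deleting the preference item and resetting the affected account's password, since the value is recoverable by anyone who can read SYSVOL.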
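On the detection side, Kerberoasting leaves a recognisable trace in Windows Security event 4769 (a Kerberos service ticket was requested): a single account requesting RC4-encrypted tickets (encryption type 0x17) for several user-account services in a short time. The following added example (not from the original talk or the AssureIT kit) runs that logic over a handful of constructed 4769 records in the flattened form a SIEM might hand you; the field names, the five-minute window and the threshold of three distinct services are assumptions you would tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type 0x17 is RC4-HMAC; modern Windows defaults to AES (0x11/0x12)
# for service tickets, so RC4 requests for user-account SPNs stand out.
RC4_HMAC = 0x17

# Constructed sample of parsed event 4769 records (not real log data).
SAMPLE_EVENTS = [
    {"time": "2018-10-01T09:00:01", "user": "jdoe@CORP.LOCAL",  "service": "sqlsvc",   "enc": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-10-01T09:00:02", "user": "jdoe@CORP.LOCAL",  "service": "iissvc",   "enc": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-10-01T09:00:02", "user": "jdoe@CORP.LOCAL",  "service": "backupsvc","enc": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-10-01T09:01:30", "user": "jdoe@CORP.LOCAL",  "service": "sqlsvc",   "enc": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-10-01T09:01:45", "user": "jdoe@CORP.LOCAL",  "service": "WKS01$",   "enc": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-10-01T09:05:00", "user": "asmith@CORP.LOCAL","service": "sqlsvc",   "enc": "0x12", "ip": "10.0.0.9"},
    {"time": "2018-10-01T09:05:10", "user": "asmith@CORP.LOCAL","service": "iissvc",   "enc": "0x12", "ip": "10.0.0.9"},
    {"time": "2018-10-01T09:05:20", "user": "asmith@CORP.LOCAL","service": "backupsvc","enc": "0x12", "ip": "10.0.0.9"},
    {"time": "2018-10-01T10:00:00", "user": "bjones@CORP.LOCAL","service": "sqlsvc",   "enc": "0x17", "ip": "10.0.0.7"},
]


def is_user_service_account(service_name):
    """Computer accounts (trailing $) and krbtgt are not Kerberoast targets."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Flag (user, client IP) pairs that request RC4 tickets for >= min_services
    distinct user-account services within any window-sized time span."""
    by_source = defaultdict(list)
    for ev in events:
        if int(ev["enc"], 16) != RC4_HMAC:
            continue
        if not is_user_service_account(ev["service"]):
            continue
        when = datetime.fromisoformat(ev["time"])
        by_source[(ev["user"], ev["ip"])].append((when, ev["service"]))

    alerts = []
    for (user, ip), requests in by_source.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            # Distinct services requested within the window starting at this request.
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"user": user, "ip": ip, "window_start": start.isoformat(),
                               "services": sorted(services)})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in find_kerberoast_candidates(SAMPLE_EVENTS):
        print(f"possible Kerberoasting: {a['user']} from {a['ip']} requested RC4 tickets "
              f"for {', '.join(a['services'])} starting {a['window_start']}")
```

In the sample, only `jdoe` trips the rule: `asmith` requests the same services with AES tickets, the `WKS01$` request is dropped as a computer account, and `bjones` touches a single service. The mitigation the talk calls for, long passwords on service accounts (or group Managed Service Accounts), is what makes the captured tickets worthless even when the request is not caught.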
The AssureIT team put together a list of tools to help you check for these vulnerabilities in your network. The presentation file and the self-audit kit can be found here: