Windows Domains

Picture yourself administering a small business network with only five computers and five employees. In such a tiny network, you will probably be able to configure each computer separately without a problem. You will manually log into each computer, create users for whoever will use them, and make specific configurations for each employee's accounts. If a user's computer stops working, you will probably go to their place and fix the computer on-site.

While this sounds like a very relaxed lifestyle, let's suppose your business suddenly grows and now has 157 computers and 320 different users located across four different offices. Would you still be able to manage each computer as a separate entity, manually configure policies for each of the users across the network and provide on-site support for everyone? The answer is most likely no.

To overcome these limitations, we can use a Windows domain. Simply put, a Windows domain is a group of users and computers under the administration of a given business. The main idea behind a domain is to centralise the administration of common components of a Windows computer network in a single repository called Active Directory (AD). The server that runs the Active Directory services is known as a Domain Controller (DC).

The main advantages of having a configured Windows domain are:

Centralised identity management: All users across the network can be configured from Active Directory with minimum effort.
Managing security policies: You can configure security policies directly from Active Directory and apply them to users and computers across the network as needed.

A Real-World Example

If this sounds a bit confusing, chances are that you have already interacted with a Windows domain at some point in your school, university or work.

In school/university networks, you will often be provided with a username and password that you can use on any of the computers available on campus. Your credentials are valid for all machines because whenever you input them on a machine, it will forward the authentication process back to the Active Directory, where your credentials will be checked. Thanks to Active Directory, your credentials don't need to exist in each machine and are available throughout the network.

Active Directory is also the component that allows your school/university to restrict you from accessing the control panel on your school/university machines. Policies will usually be deployed throughout the network so that you don't have administrative privileges over those computers.

Welcome to THM Inc.

During this task, we'll assume the role of the new IT admin at THM Inc. As our first task, we have been asked to review the current domain "THM.local" and do some additional configurations. You will have administrative credentials over a pre-configured Domain Controller (DC) to do the tasks.

Be sure to click the Start Machine button below now, as you'll use the same machine for all tasks. This should open a machine in your browser.

Windows Domains

Active Directory

Managing Users

Managing Computers

Group Policies

Authentication Methods

Trees, Forests and Trusts

OSINT & Phishing

NTLM Authenticated Services

LDAP Bind Credentials

Authentication Relays

Microsoft Deployment Toolkit (MDT)

Configuration Files

Conclusion

Credential Injection

Microsoft Management Console

Enumeration through Command Prompt

Enumeration through PowerShell

BloodHound

Conclusion

Moving Through the Network

Spawning Processes Remotely

Moving Laterally Using WMI

Use of Alternate Authentication Material

Abusing User Behaviour

Port Forwarding

Conclusion

Exploiting Permission Delegation

Exploiting Kerberos Delegation

Exploiting Automated Relays

Exploiting AD Users

Exploiting GPOs

Exploiting Certificates

Exploiting Domain Trusts

Persistence through Credentials

Persistence through Tickets

Persistence through Certificates

Persistence through SID History

Persitence through Group Membership

Persistence through ACLs

Persistence through GPOs

Conclusion

Credential Access

Local Windows Credentials

Local Security Authority Subsystem Service (LSASS)

Windows Credential Manager

Domain Controller

Local Administrator Password Solution (LAPS)

Other Attacks

Conclusion

Windows Domains

A Real-World Example

Welcome to THM Inc.