Active Directory Users & Groups: A Beginner’s Guide for Pentesters and Red Teamers

Active Directory (AD) is the backbone of Windows networks, and users and groups are at the heart of how it manages access and permissions. For beginners in pentesting and red teaming, understanding how users and groups work is essential for finding vulnerabilities, escalating privileges, and taking control of a network.

This guide will explain:

  • What users and groups are.
  • How attackers exploit them.
  • Practical techniques to test and secure AD environments.


1. What Are Users and Groups in Active Directory?

Users

Users are accounts that represent people or services in an AD environment. Examples:

  • Standard Users: Regular accounts for employees (e.g., john.doe).
  • Service Accounts: Used by applications or services (e.g., SQL_Service).
  • Administrative Accounts: Privileged accounts with special permissions (e.g., members of Domain Admins).

Groups

Groups are collections of users or other groups. They make it easier to manage permissions for multiple users at once. Examples:

  • Security Groups: Used to assign permissions (e.g., "Finance_RW" for read/write access to finance files).
  • Distribution Groups: Used for email lists (less relevant for attacks).
  • Built-in Groups: Predefined groups with special roles, like Domain Admins (full control over the domain) or Account Operators (can manage user accounts).


2. Why Are Users and Groups Important for Attackers?

Attackers target users and groups because:

  • Credentials: Stealing passwords or hashes lets attackers impersonate users.
  • Privilege Escalation: Adding yourself to a privileged group (e.g., Domain Admins) gives you more control.
  • Persistence: Creating hidden users or groups ensures attackers can return later.
  • Lateral Movement: Moving between systems by abusing group memberships.


3. Key Concepts for Beginners

A. Group Scopes

Groups in AD have different scopes that define where they can be used:

  1. Domain Local Groups: Used within a single domain. Can include users and groups from any domain.
  2. Global Groups: Used across the entire forest. Can only include users and groups from the same domain.
  3. Universal Groups: Used across the entire forest. Can include users and groups from any domain.

B. Nested Groups

Groups can contain other groups. For example:

  • UserA is a member of GroupB.
  • GroupB is a member of Domain Admins.
  • Therefore, UserA has the same permissions as Domain Admins.

This is called group nesting, and it’s a common way attackers escalate privileges.
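One way to surface such nesting paths during an audit is to expand group membership transitively. This is an added example, not code from the original article; the member-of map is constructed sample data in the shape of an LDAP memberOf query, and it also handles circular nesting, which AD permits.

```python
# Added example (not from the original article): expand nested AD group
# membership and report which principals effectively hold a privileged group,
# together with the nesting chain that grants it.
from collections import deque

# Constructed sample data: each principal (user or group) and the groups it
# is a direct member of, as a memberOf query would return.
MEMBER_OF = {
    "UserA": ["GroupB"],
    "GroupB": ["Domain Admins"],
    "UserC": ["Helpdesk_Admins"],
    "Helpdesk_Admins": ["Account Operators"],
    "GroupX": ["GroupY"],
    "GroupY": ["GroupX"],          # circular nesting: must not loop forever
    "UserD": ["GroupX"],
}

def effective_groups(principal, member_of):
    """Return every group the principal transitively belongs to, mapped to
    the nesting path that first reached it (breadth-first, loop-safe)."""
    paths = {}
    queue = deque([(principal, [principal])])
    while queue:
        current, path = queue.popleft()
        for group in member_of.get(current, []):
            if group in paths:      # already reached: skips cycles too
                continue
            paths[group] = path + [group]
            queue.append((group, paths[group]))
    return paths

def privileged_members(member_of, privileged):
    """Map each privileged group to the principals that effectively hold it
    (directly or through nesting) and the path that grants it."""
    findings = {}
    for principal in member_of:
        for group, path in effective_groups(principal, member_of).items():
            if group in privileged:
                findings.setdefault(group, {})[principal] = " -> ".join(path)
    return findings

if __name__ == "__main__":
    report = privileged_members(MEMBER_OF, {"Domain Admins", "Account Operators"})
    for group, members in report.items():
        print(f"[{group}]")
        for name, path in members.items():
            print(f"  {name}: {path}")
```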


4. How Attackers Exploit Users and Groups

A. Credential Harvesting

Attackers steal passwords or hashes to impersonate users. Common techniques:

  1. Phishing: Trick users into revealing their passwords.
  2. LSASS Dumping: Extract credentials from memory using tools like Mimikatz.
  3. NTLM Relay: Intercept and relay NTLM authentication to capture hashes.

B. Privilege Escalation

Attackers add themselves to privileged groups to gain more control. For example:

net group "Domain Admins" attacker_user /add /domain

This command adds attacker_user to the Domain Admins group.

C. Kerberoasting

Attackers target service accounts with Service Principal Names (SPNs). They request service tickets, extract their hashes, and crack them offline:

GetUserSPNs.py -dc-ip <DC_IP> <domain>/<user> -outputfile hashes.txt
hashcat -m 13100 hashes.txt rockyou.txt

D. ACL Abuse

Attackers exploit misconfigured Access Control Lists (ACLs) to grant themselves permissions. For example:

Add-DomainObjectAcl -TargetIdentity "DC=marvel,DC=local" -PrincipalIdentity attacker_user -Rights All

This command gives attacker_user full control over the domain.


5. Tools for Enumerating and Exploiting Users and Groups

Tool        Use Case                             Command Example
PowerView   Enumerate users and groups           Get-NetUser -Domain marvel.local
BloodHound  Visualize group relationships        Invoke-BloodHound -CollectionMethod All
Impacket    Kerberoasting, DCSync                secretsdump.py -just-dc <domain>/<user>
Mimikatz    Credential dumping, Golden Tickets   lsadump::dcsync /domain:marvel.local /user:krbtgt


6. Defensive Tips for Blue Teams

  • Least Privilege: Only give users the permissions they need.
  • Monitor Group Changes: Alert when users are added to privileged groups.
  • Secure Service Accounts: Use group Managed Service Accounts (gMSAs).
  • Regular Audits: Review nested groups and ACLs with tools like AD ACL Scanner.
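The "monitor group changes" tip can be turned into a simple detection over Windows Security events 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group). This is an added example, not code from the original article; the events are constructed sample records using the real field names of those events, and the check matches on the group SID's well-known RID so that a renamed privileged group is still caught.

```python
# Added example (not from the original article): flag additions to privileged
# AD groups from Security events 4728/4732/4756. Matching on the group SID's
# RID rather than the display name survives a renamed group.
import re

GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Well-known RIDs (last SID component) of privileged groups.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
    544: "Administrators",
    548: "Account Operators",
}

# Constructed sample events shaped like the real event fields.
EVENTS = [
    {"EventID": 4728, "SubjectUserName": "helpdesk1",
     "MemberName": "CN=john.doe,CN=Users,DC=marvel,DC=local",
     "TargetUserName": "Finance_RW", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4728, "SubjectUserName": "helpdesk1",
     "MemberName": "CN=attacker_user,CN=Users,DC=marvel,DC=local",
     "TargetUserName": "DA-renamed", "TargetSid": "S-1-5-21-1-2-3-512"},
    {"EventID": 4624, "SubjectUserName": "svc_sql",          # a logon, not a group change
     "TargetUserName": "svc_sql", "TargetSid": "S-1-5-21-1-2-3-1200"},
    {"EventID": 4732, "SubjectUserName": "admin2",
     "MemberName": "CN=Helpdesk_Admins,OU=Groups,DC=marvel,DC=local",
     "TargetUserName": "Account Operators", "TargetSid": "S-1-5-32-548"},
]

def rid_of(sid):
    """Last sub-authority of a SID, or None if the SID is malformed."""
    if not sid or not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        return None
    return int(sid.rsplit("-", 1)[1])

def privileged_group_additions(events):
    """Return one alert per event that adds a member to a privileged group."""
    alerts = []
    for e in events:
        if e.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        rid = rid_of(e.get("TargetSid"))
        if rid in PRIVILEGED_RIDS:
            alerts.append({"group": PRIVILEGED_RIDS[rid],
                           "group_name_seen": e.get("TargetUserName"),
                           "member": e.get("MemberName"),
                           "by": e.get("SubjectUserName")})
    return alerts
```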


7. Real-World Attack Scenario

  1. Initial Access: Phish a user in the VPN_Users group.
  2. Enumeration: Use PowerView to find nested memberships (e.g., VPN_Users → Helpdesk_Admins).
  3. Privilege Escalation: Abuse Helpdesk_Admins rights to reset a service account’s password.
  4. Lateral Movement: Use the service account to exploit a Domain Controller via DCSync.


Key Takeaways

  • Users and groups are low-hanging fruit for attackers.
  • Always check nested groups and ACLs for escalation paths.
  • Defenders: Assume breach and limit group privileges.



Disclaimer: Use these techniques ethically and only on systems you own or have permission to test.

Got questions or war stories? Share them below! 👇

#ActiveDirectory #Pentesting #RedTeam #Cybersecurity #PrivilegeEscalation
