Full Domain Takeover Paths
Combining multiple techniques to achieve Domain Admin with persistence.
Attack Chain
- AS-REP roast a low-privileged user
- Kerberoast service accounts and pivot to a server
- Abuse resource-based constrained delegation (RBCD) to impersonate a privileged user
- DCSync to extract secrets and establish persistence
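From the defender's side, each step of this chain leaves a recognisable Windows Security event on the domain controller. The following is an added example, not part of the original page: it maps events to the four stages and reports whether they occurred in chain order. The event dictionaries, account names and host names are constructed, and the function names are hypothetical.

```python
# Constructed illustration: map DC Security events to the chain stages above.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
STAGES = ["asrep_roast", "kerberoast", "rbcd_write", "dcsync"]

def classify(ev):
    """Return the chain stage an event suggests, or None if it looks routine."""
    eid = ev.get("EventID")
    if eid == 4768 and ev.get("PreAuthType") == "0":
        return "asrep_roast"      # TGT issued without Kerberos pre-authentication
    if eid == 4769 and ev.get("TicketEncryptionType") == "0x17":
        svc = ev.get("ServiceName", "")
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return "kerberoast"   # RC4 service ticket for a user-backed SPN
    if eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
        return "rbcd_write"       # delegation attribute changed on an object
    if eid == 4662 and not ev.get("SubjectUserName", "").endswith("$"):
        props = ev.get("Properties", "").lower()
        if any(guid in props for guid in REPL_GUIDS):
            return "dcsync"       # replication right used by a non-machine account
    return None

def chain_stages(events):
    """Ordered, de-duplicated stages seen in the events, sorted by time."""
    seen = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        stage = classify(ev)
        if stage and stage not in seen:
            seen.append(stage)
    return seen

def is_full_chain(events):
    return chain_stages(events) == STAGES

# Constructed sample events; field names follow the Windows Security log.
SAMPLE = [
    {"Time": 1, "EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0"},
    {"Time": 2, "EventID": 4769, "ServiceName": "FILE01$", "TicketEncryptionType": "0x12"},
    {"Time": 3, "EventID": 4769, "ServiceName": "sql_svc", "TicketEncryptionType": "0x17"},
    {"Time": 4, "EventID": 5136, "AttributeLDAPDisplayName": RBCD_ATTR, "ObjectDN": "CN=SRV01,OU=Servers,DC=example,DC=test"},
    {"Time": 5, "EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"Time": 6, "EventID": 4662, "SubjectUserName": "jdoe", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    print(chain_stages(SAMPLE), is_full_chain(SAMPLE))
```

Event 4662 and 5136 are only logged when directory service access and change auditing are enabled, and legitimate replication by service accounts such as directory sync tools needs an allow-list before the DCSync rule is useful.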
Persistence
- Golden Ticket (KRBTGT rotation plan)
- AdminSDHolder ACLs
- GPO-based backdoors