When an attacker has gotten initial access inside an environment, the adversary will endeavor to lift privileges inside the network. Adversaries ordinarily have the objective of getting Active Directory Domain Administrator privileges, or, in simple words, complete control over the Active Directory domain.  

Network shares give plentiful freedom to an assailant to elevate privileges within a network. For instance, in a past red team assessment, CrowdStrike recognized an unprotected network share that contained a writable IIS webroot. This permitted CrowdStrike to write a web shell to the webroot as a standard domain user and along these lines acquire code execution as the IIS process proprietor on the webserver. 

Adversaries will hope to elevate their privileges inside a network by compromising the credentials of privileged accounts. It is normal for service accounts to be conceded administrative privileges to different hosts in an Active Directory environment. Kerberoasting is an assault technique that endeavors to acquire plaintext passwords from service account Kerberos tickets. One approach to assign service accounts is through an attribute called a service principal name (SPN), which attaches a service to a user account. 

Although plaintext and hashed credentials might be stored inside the memory of processes like LSASS, most current endpoint detection and response (EDR) solutions intensely monitor and forestall credential access through these processes. An alternative method for credential access exists when services are arranged to run under a client account. Passwords for these accounts can be extracted by any local administrator. 

Misconfiguration 5: Aged Accounts 

As an attacker, aged accounts or accounts with no password expiration policy make ideal targets for adversaries hoping to keep up long haul admittance to an environment. Aged accounts infer to an attacker that password rotation for the client account is either very troublesome or not executed for a specific explanation, for example, shared access among multiple users. 

Misconfiguration 6: Passwords, Passwords, Passwords 

While other misconfigurations permit adversaries to acquire unapproved admittance to network resources and hosts utilizing a solitary compromised account, credential related assaults compromise additional accounts that might be utilized to further an adversary’s actions on objectives. Three routes normally utilized by attackers are distinguishing plaintext passwords, frail passwords with deficient lockout periods, and password reuse. 

Assailants target legacy systems because of the unpatched critical vulnerabilities that affect them. EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708) are favorite vulnerabilities that are focused on legacy systems as successful exploitation brings about code execution with regards to the system account, giving the assailant complete control of the vulnerable system.