It’s time to explain the final step in the post-exploitation and privilege-escalation phase of an internal network penetration test (INPT). That, of course, is to take complete control of the enterprise network by gaining domain admin privileges in Active Directory. By default, members of the Domain Admins group are local administrators on every computer joined to the domain, so a domain admin can log in to, and run code as administrator on, any domain-joined machine on the network. If an attacker manages to gain domain admin privileges on an enterprise network, the outcome could be catastrophic for the business. If it’s not clear why, think about the number of business-critical functions that are managed and operated from computers joined to the domain:
- Payroll and accounting
- Human resources
- Shipping and receiving
- IT and networking
- Research and development
- Sales and marketing
You get the idea. Name a function in the business, and it is likely run by people who use computer systems joined to an Active Directory domain. Therefore, as pentesters, we can conclude that our simulated cyber-attack has no more severe outcome to demonstrate than gaining domain admin privileges on our client’s network.