Overview
On 11/06/2026, I attended an Active Directory security workshop organized by Acen and HOWEST Hogeschool West-Vlaanderen.
The session covered both offensive and defensive aspects of Active Directory security, focusing on how real-world attack paths are constructed and how common misconfigurations can be exploited in enterprise environments.
The morning focused on theory, while the afternoon was dedicated to a hands-on lab environment called Mushroom Kingdom, where we simulated a full attack chain from initial access to domain compromise.
Topics Covered
The theoretical part of the workshop included:
- Kerberos authentication and abuse scenarios
- Credential-based attacks (NTLM, password reuse, hashes)
- BloodHound attack path mapping
- Privilege escalation techniques in Windows environments
- Ticket- and hash-based attacks (Kerberoasting, Pass-the-Ticket, Pass-the-Hash)
- Active Directory Certificate Services (AD CS) misconfigurations
This helped connect AD internals with real attacker behaviour in enterprise environments.
Mushroom Kingdom Lab
The lab simulated a small enterprise Active Directory environment:
- Domain Controller
- Member server
- Workstation with low-privileged user access
The goal was full domain compromise starting from a basic user account.
Initial Access & Privilege Escalation
The first foothold came from a low-privileged workstation user.
Enumeration revealed an unquoted service path vulnerability in a misconfigured Windows service. Because the service path contained spaces and was not quoted, and write permissions existed in one of the directories along that path, it was possible to plant a binary that Windows would execute instead of the intended one, hijack execution and escalate privileges to SYSTEM.
After exploitation, a fresh logon session was required before the new local administrator group membership took effect: group SIDs are written into the access token at logon, so an already running session keeps its old token.
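As an added example (not part of the workshop material or the lab's tooling), the PowerShell below performs the check that finds this class of misconfiguration: it lists services whose path is unquoted and contains spaces, the file names Windows would try before the real binary, the account the service runs as, and whether the current user can create a file in the directory where that binary would have to be planted. Nothing in it is specific to the lab; service names and paths come from whatever host it runs on.

```powershell
# Added example, not from the workshop: find services with unquoted paths and
# check whether the current user can write where a hijack binary would go.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # Already quoted: the service control manager gets an unambiguous path.
    if ($PathName.StartsWith('"')) { return @() }
    # Keep only the executable part; everything after the first ".exe" is arguments.
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exePath = $m.Groups[1].Value
    if ($exePath -notmatch ' ') { return @() }
    # CreateProcess resolves an unquoted path by trying each space-delimited
    # prefix as "<prefix>.exe" before the full path: for
    # C:\Program Files\Foo Bar\svc.exe it tries C:\Program.exe, then
    # C:\Program Files\Foo.exe, then the real binary. Each is a planting spot.
    $parts = $exePath -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    return $candidates
}

function Test-UserCanWrite {
    param([Parameter(Mandatory)][string]$Directory)
    # Does the current user, directly or through a group, hold an Allow ACE
    # with the CreateFiles bit on this directory? Deny ACEs and generic rights
    # are not evaluated, so treat $false as "probably not" rather than proof.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity, skip it
        if ($mySids -notcontains $sid) { continue }
        # Modify and FullControl both include the CreateFiles bit, so one test covers them.
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

# Live enumeration on the host being assessed: unquoted service paths, the
# binary an attacker would plant, the account that would execute it, and
# whether the current user can write into the planting directory.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    if ([string]::IsNullOrWhiteSpace($svc.PathName)) { return }
    foreach ($candidate in (Get-UnquotedPathCandidates -PathName $svc.PathName)) {
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            PlantPath = $candidate
            Writable  = Test-UserCanWrite -Directory (Split-Path -Path $candidate -Parent)
        }
    }
} | Format-Table -AutoSize
```

A row with RunsAs = LocalSystem and Writable = True is the situation exploited in the lab. The fix is the one listed under the takeaways: quote the ImagePath in the service's registry key, and make sure directories under the path are writable only by administrators.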
Credential Access
With local admin access, LSASS memory was accessed to extract credentials from active sessions.
This revealed a domain user session, allowing pass-the-hash authentication instead of password cracking.
At this point, the key concept is separation between:
- Local identity
- Domain authentication
Even if your local privileges increase, domain access depends entirely on valid credentials or tokens.
Enumeration
Using SharpHound and BloodHound, the domain was mapped.
The graph revealed:
- Kerberoastable accounts
- Privileged session paths
- Delegation misconfigurations
- Active Domain Admin sessions on member servers
This step was essential to identify the shortest attack path instead of guessing.
Lateral Movement
Multiple techniques were used:
- Accessing SMB shares containing scripts and credentials
- Kerberoasting service accounts and cracking tickets offline
- Using machine account access for data discovery
These paths led to service credential recovery and access to a member server.
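As an added example (not from the workshop, and not a BloodHound query), the PowerShell below lists the properties that make an account a worthwhile Kerberoasting target: a user object with an SPN, RC4 service tickets still permitted, a privileged-group history and an old password. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the 365-day password age threshold is an arbitrary assumption.

```powershell
# Added example, not from the workshop: rank accounts by Kerberoasting exposure.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes flags. For a user account where the attribute
# is absent or 0, the KDC still issues RC4-HMAC service tickets, and RC4
# tickets are what make offline cracking cheap.
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)   # assumed threshold
    # User objects with at least one SPN. Computer accounts are left out (long
    # random machine passwords), as is krbtgt, whose key is not a human-chosen password.
    $filter = '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
    $props  = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'AdminCount', 'Enabled'
    foreach ($u in (Get-ADUser -LDAPFilter $filter -Properties $props)) {
        $enc        = [int]$u.'msDS-SupportedEncryptionTypes'      # $null casts to 0
        $rc4Allowed = ($enc -eq 0) -or (($enc -band $RC4) -ne 0)
        $ageDays    = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
        [pscustomobject]@{
            Account       = $u.SamAccountName
            Enabled       = $u.Enabled
            Privileged    = ($u.AdminCount -eq 1)   # is, or once was, in a protected group
            RC4Ticket     = $rc4Allowed
            AESOnly       = (-not $rc4Allowed) -and (($enc -band ($AES128 -bor $AES256)) -ne 0)
            PasswordAge   = $ageDays
            StalePassword = ($null -ne $ageDays -and $ageDays -gt $MaxPasswordAgeDays)
            SPNs          = ($u.ServicePrincipalName -join '; ')
        }
    }
}

# Privileged, RC4-capable accounts with old passwords are the tickets worth cracking.
Get-KerberoastExposure |
    Sort-Object -Property Privileged, RC4Ticket, PasswordAge -Descending |
    Format-Table Account, Enabled, Privileged, RC4Ticket, PasswordAge, SPNs -AutoSize
```

The defensive reading of the output is straightforward: accounts near the top should be moved to group managed service accounts or given long random passwords, and their msDS-SupportedEncryptionTypes set to AES only so the RC4Ticket column turns false.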
Domain Compromise
On the member server, LSASS dumping revealed a Domain Admin NTLM hash.
Using pass-the-hash techniques, full domain administrator access was obtained.
A DCSync attack was then used to replicate domain credentials from the domain controller, including the krbtgt account's key.
This enabled the creation of a Golden Ticket, a forged TGT signed with the krbtgt key, providing persistent domain access for as long as that key remains valid.
Key Takeaways
This lab showed how small misconfigurations chain into full domain compromise.
Important defensive lessons:
- Proper service path configuration
- LSASS protection (RunAsPPL, Credential Guard)
- Monitoring privileged sessions
- Hardening SMB shares
- Detecting DCSync activity
- Regular krbtgt rotation, done twice in succession, since the previous key is still accepted for ticket validation until the second reset
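As an added example (not from the workshop material), the PowerShell below shows what "detecting DCSync activity" looks like in practice. DCSync needs the directory replication control-access rights, and when "Audit Directory Service Access" is enabled those requests surface as Security event 4662 with the rights GUIDs in the Properties field. The function flags such events unless the requester is on an allowlist of accounts that legitimately replicate. The two sample events, the MUSHROOM domain name and the DC01/DC02 names are constructed for the example, not captured from the lab.

```powershell
# Added example, not from the workshop: flag DCSync-style replication requests
# in Security event 4662 using the well-known replication rights GUIDs.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$GetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Test-DcSyncEvent {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        # Accounts that replicate legitimately (domain controllers, directory
        # sync service accounts). Assumed values; maintain per domain.
        [string[]]$KnownReplicators = @()
    )
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $matched = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ })
    if ($matched.Count -eq 0) { return $null }
    $user = $data['SubjectUserName']
    if ($KnownReplicators -contains $user) { return $null }
    [pscustomobject]@{
        Time     = $EventXml.Event.System.TimeCreated.SystemTime
        Subject  = "$($data['SubjectDomainName'])\$user"
        Rights   = ($matched | ForEach-Object { $ReplicationRights[$_] }) -join ', '
        # Get-Changes-All is the right that lets the caller pull password hashes;
        # Get-Changes alone is also held by read-only DCs and sync tooling.
        Severity = if ($matched -contains $GetChangesAll) { 'High' } else { 'Review' }
    }
}

# Constructed sample events (not captured from the lab; domain and host names
# are assumed). First a DC replicating with a peer, then a plain user account
# requesting Get-Changes-All, which is what DCSync looks like in the log.
$legitEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2026-06-11T14:02:11.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">DC02$</Data>
    <Data Name="SubjectDomainName">MUSHROOM</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
'@
$dcsyncEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2026-06-11T14:05:37.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="SubjectDomainName">MUSHROOM</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}</Data>
  </EventData>
</Event>
'@

# Only the second sample is reported: the DC is allowlisted, the user is not.
$legitEvent, $dcsyncEvent |
    ForEach-Object { Test-DcSyncEvent -EventXml ([xml]$_) -KnownReplicators 'DC01$', 'DC02$' } |
    Format-Table -AutoSize

# On a domain controller with "Audit Directory Service Access" (success) enabled,
# the same function runs over the live Security log:
# Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4662]]' |
#     ForEach-Object { Test-DcSyncEvent -EventXml ([xml]$_.ToXml()) -KnownReplicators 'DC01$', 'DC02$' }
```

The allowlist is the part that needs care: a compromised DC machine account would pass it, so a stronger version also checks that the request came from a known domain controller's address. In the lab scenario the DCSync was run with a Domain Admin user account, which is exactly the case this filter surfaces as High.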
Conclusion
The Mushroom Kingdom lab clearly demonstrates that Active Directory security is about attack chains, not single vulnerabilities.
Understanding how each step connects is critical for both offensive and defensive security work.