Breaking Active Directory: A Real Kerberos Attack Chain – From SPN to Shell
Phase 1: Initial Foothold

The attacker starts with a low-privileged domain user account (e.g., via phishing, credential stuffing, or an initial compromise). No admin rights are needed, just a valid domain credential, as this is the assumed breach scenario. With a foothold, the attacker can now interact with the Kerberos Key Distribution Center (KDC) on the domain controller.

Phase 2:…