Domain Admin… and Beyond
2026-4-2 06:56:47 Author: infosecwriteups.com

Mark Puckett


Raxis Principal Penetration Tester Andrew Trexler just published a piece on our blog about what to do after popping Domain Admin. Our team accomplishes this on most internal network and cloud penetration tests and on most red team engagements. Pentesters & in-the-weeds IT folks know that getting DA is a big deal, but that on its own doesn’t show our clients the damage that can be done by an attacker who gets DA. It’s our job to clearly show the risks.

Andrew’s write-up hits on something we don’t discuss enough in our field: what happens after the win. Too many pentesters treat DA like a finish line when it’s really just the starting gun for the actual value demonstration phase.

The NTDS Dump: Not Always a Cakewalk

Andrew mentions that secretsdump works 99% of the time for pulling NTDS.dit, and he’s not wrong. For those rare edge cases, Andrew points us to one of his past blog posts showing how to use Evil-WinRM to get NTDS manually.

Cracking those hashes and reporting on weak passwords and common patterns helps the customer understand policy and configuration changes that would lock down their environment.

Bloodhound: The Gift That Keeps on Giving

Andrew highlights how easy Bloodhound makes enumerating accounts, desktops, and other domain objects, allowing pentesters to map out more attack paths and highlight possible misconfigurations.

Especially on internal network engagements, pentesters want to discover and report as many gaps as possible so that the customer can remediate them. Bloodhound makes covering the entire network much easier.


User Addition: Testing Both Persistence and Detection

I love that Andrew uses Shawn Spencer and Gus as his test accounts. We’ve got a running joke in the office about themed persistence accounts. I’ve seen everything from Fight Club characters to obscure Star Trek references in DA groups.

The real value here is exactly what Andrew calls out: detection capability testing. If we can add users to Domain Admins without triggering a SIEM alert or SOC response, that’s an important finding.
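One way a defender can confirm that this scenario actually alerts, as an added example that is not part of Andrew's or Mark's post: a small Python detector run over constructed Windows Security event records. The event IDs (4728, 4756, 4732) are the real "member added to security-enabled group" IDs; the key=value log shape, account names and timestamps are constructed for the example.

```python
"""Flag additions to privileged AD groups in Windows Security events.

4728 = member added to a security-enabled global group (Domain Admins)
4756 = member added to a security-enabled universal group (Enterprise Admins)
4732 = member added to a security-enabled local group (Administrators)
"""
import re
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4756, 4732}

# key=value pairs; values may contain spaces and commas (group names, DNs)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample records (not real logs): one Domain Admins addition,
# one harmless group change, one Enterprise Admins addition, one logon.
SAMPLE_LOG = """\
2026-04-02T06:50:01Z EventID=4728 SubjectUserName=jdoe TargetUserName=Domain Admins MemberName=CN=Shawn Spencer,CN=Users,DC=corp,DC=local
2026-04-02T06:51:10Z EventID=4728 SubjectUserName=svc-hr TargetUserName=HR-Staff MemberName=CN=Alice Example,CN=Users,DC=corp,DC=local
2026-04-02T06:52:33Z EventID=4756 SubjectUserName=jdoe TargetUserName=Enterprise Admins MemberName=CN=Gus,CN=Users,DC=corp,DC=local
2026-04-02T06:53:00Z EventID=4624 SubjectUserName=jdoe TargetUserName=jdoe
"""


@dataclass
class Alert:
    event_id: int
    actor: str    # SubjectUserName: who made the change
    member: str   # MemberName: DN of the account that was added
    group: str    # TargetUserName: the group that was modified
    when: str


def parse_event(line: str) -> dict:
    """Split one record into a dict; the leading token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["Timestamp"] = ts
    return fields


def member_cn(dn: str) -> str:
    """Return the CN of a distinguished name, or the raw value if it has none."""
    m = re.match(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn


def detect_privileged_group_changes(log_text: str) -> list[Alert]:
    """Return an Alert for every addition to a group in PRIVILEGED_GROUPS."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if not ev.get("EventID", "").isdigit() or int(ev["EventID"]) not in GROUP_ADD_EVENTS:
            continue
        if ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            alerts.append(Alert(int(ev["EventID"]), ev.get("SubjectUserName", "?"),
                                ev.get("MemberName", "?"), ev["TargetUserName"], ev["Timestamp"]))
    return alerts
```

If a test addition of a themed account to Domain Admins does not produce a record like the first sample line in the SIEM, the gap is in log forwarding or audit policy, not just in alerting rules.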

Golden Tickets: The Persistence That Keeps on Giving

Forging golden tickets is a stealthier way to maintain persistence on a domain: the krbtgt account's password hash is the key the KDC uses to sign and issue Kerberos ticket-granting tickets, so anyone holding that hash can forge tickets for any user in the domain.

Let me hammer home Andrew’s post-attack guidance. When we demonstrate a golden ticket attack, the krbtgt password needs to be reset twice. Here’s why: the account keeps a password history of two so that domain controller replication doesn’t break, which means a single reset leaves the old hash valid. You’ll want to hand the client exact remediation steps, including the double password reset requirement and a recommended waiting period between the two resets to prevent authentication issues with other domain controllers.

Share Enumeration: Translating Technical to Business Impact

Andrew’s final point about exploring network shares is often gold when debriefing non-technical management teams. Finding PII, credentials, or sensitive financial data in shares transforms “we got DA” into “here’s exactly what an attacker steals next.”

We typically include screenshots and sanitized samples in our reports. Executive leadership understands the risk when you show them their company’s financials or customer databases sitting in an unprotected share, accessible after a single privilege escalation.

The Bigger Picture

Andrew’s guide is focused on providing penetration test clients value. Getting DA is exciting, but our job is to demonstrate real-world impact and give clients actionable intelligence to improve their security posture.


Source: https://infosecwriteups.com/domain-admin-and-beyond-b33a93e35d73?source=rss----7b722bfd1b8d---4