Active Directory is the identity backbone of most Windows networks, and the path attackers take through it is well-worn: enumerate the directory, harvest or crack credentials, abuse over-broad permissions, and chain it all up to Domain Admin. This section breaks each step into a plain-language explainer with the real technical names a defender needs to recognise. Start with the foundations, then follow the attack chain.
Topics
- What is Active Directory?: domains, Domain Controllers, Kerberos, NTLM, and why AD is the first target.
- AD Enumeration and BloodHound: mapping users, permissions, and the shortest path to Domain Admin.
- Kerberoasting: cracking service-account passwords offline from a Kerberos service ticket that any ordinary domain account can request.
- AS-REP Roasting: cracking accounts that skip Kerberos pre-authentication.
- NTLM Relay and Pass-the-Hash: why a stolen hash is as good as a password, and how relay works.
- ACL and Delegation Abuse: when GenericAll, WriteDACL, and Kerberos delegation become attack paths.
- AD CS Attacks (ESC1 to ESC8): how certificate misconfigurations lead to Domain Admin and persistence.
- DCSync, Golden and Silver Tickets: the end-game attacks and total domain compromise.
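The credential and delegation topics above all start from attributes that sit in the directory itself. As an added illustration, not part of the original page's articles, the following Python script shows how a defender can triage a constructed LDAP export for those attributes. The entries are made up for the example; the attribute names and userAccountControl flag values are the standard Active Directory ones, while the finding labels are this example's own.

```python
# Added example (not from the original page): flag the account attributes
# that make Kerberoasting, AS-REP Roasting and delegation abuse possible,
# working from a constructed LDAP export. Attribute names and flag values
# are the documented Active Directory ones; finding labels are our own.

UF_ACCOUNTDISABLE = 0x0002                 # account cannot authenticate at all
UF_NORMAL_ACCOUNT = 0x0200                 # ordinary user account
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000      # computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000        # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000         # Kerberos pre-auth disabled (AS-REP roastable)


def triage(entry):
    """Return the finding labels for one entry (a dict of LDAP attributes)."""
    findings = []
    uac = int(entry.get("userAccountControl", 0))
    sam = entry.get("sAMAccountName", "")
    if uac & UF_ACCOUNTDISABLE:
        return findings                    # a disabled account is not a usable target

    # Kerberoasting needs an SPN on an account whose password a human chose:
    # computer accounts (names ending in $) have long random passwords and
    # krbtgt's SPN is not worth roasting, so both are excluded.
    spns = entry.get("servicePrincipalName", [])
    if spns and not sam.endswith("$") and sam.lower() != "krbtgt":
        findings.append("kerberoastable")

    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("asrep-roastable")

    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")

    # A populated msDS-AllowedToActOnBehalfOfOtherIdentity is the resource-based
    # constrained delegation (RBCD) descriptor; whoever it lists can impersonate
    # users to this account, so it deserves a manual review.
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd-configured")

    # adminCount=1 marks members of protected groups; a finding on one of
    # these is a short path to Domain Admin and should be fixed first.
    if findings and int(entry.get("adminCount", 0)) == 1:
        findings.append("privileged")
    return findings


def triage_all(entries):
    """Map sAMAccountName -> findings for every entry that has at least one."""
    result = {}
    for entry in entries:
        findings = triage(entry)
        if findings:
            result[entry["sAMAccountName"]] = findings
    return result


# Constructed sample export; these are not real accounts or descriptors.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"], "adminCount": 1},
    {"sAMAccountName": "jdoe",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "svc_old",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/legacy.corp.example"]},
    {"sAMAccountName": "FILESRV01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/filesrv01.corp.example"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"placeholder-security-descriptor"},
    {"sAMAccountName": "krbtgt",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "asmith", "userAccountControl": UF_NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against a real export, the same checks are what a penetration tester runs first; the difference is that here the output tells you which accounts to harden (rotate to a long random password, re-enable pre-authentication, remove unconstrained delegation) before anyone else asks.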
Key terms explained
Plain-language definitions of the names that come up across these attacks. Each page covers what the term is, the attack it enables, and how to defend.
Kerberos and tickets
- What is a Kerberos ticket (TGT and TGS)?
- What is the KRBTGT account?
- What is a Service Principal Name (SPN)?
- What is a Golden Ticket?
- What is a Silver Ticket?
- What is Pass-the-Ticket?
Credentials and lateral movement
- What is LSASS?
- What is Mimikatz?
- What is Pass-the-Hash?
- What is NTDS.dit?
- What is DS-Replication-Get-Changes?
Recon, permissions and delegation
- What is BloodHound?
- What is a Domain Controller?
- What is RBCD?
- What is unconstrained delegation?
- What are SYSVOL and GPP passwords?
AD Certificate Services (ESC series)
- What is ESC1?
- What is ESC2?
- What is ESC3?
- What is ESC4?
- What is ESC5?
- What is ESC6?
- What is ESC7?
- What is ESC8?
Defenses
How to read this section
The articles are ordered the way a real attack unfolds.
- Foundations first: what AD is and how Kerberos and NTLM work.
- Reconnaissance next: enumeration and BloodHound, the map every attacker draws.
- Credential attacks: Kerberoasting, AS-REP Roasting, Pass-the-Hash, and NTLM relay.
- Permission and trust abuse: ACL and delegation paths, and AD Certificate Services.
- The end-game: DCSync and ticket forgery, which mark full compromise.
Each explainer ends with how a penetration test surfaces that specific weakness in your own environment.