[01]

Active Directory Overview: Enterprise Identity Backbone

Role of Active Directory in Enterprise Environments

Active Directory is the central identity and access management system in nearly all enterprise Windows environments. AD functions as the authoritative directory for user identities, computer accounts, group memberships, and resource access policies across distributed infrastructure.

🏢 AD as the Identity Perimeter

Rather than defending individual systems, organizations protect the identity layer itself. AD controls who has access to which resources, where authentication occurs, and how trust relationships form between systems. When AD is compromised, the identity perimeter collapses and attackers gain trusted access to all domain-joined infrastructure.

📊 Core AD Functions

  • Centralized Authentication: Users and services authenticate once to AD; credentials are verified against domain controllers.
  • Authorization & Access Control: Group policies enforce security configurations; group memberships determine resource access.
  • Account & Resource Management: Thousands of user accounts, computer objects, and security groups are centrally managed and replicated across domain controllers.

🎯 Why AD Becomes a High-Value Target

AD compromise grants attackers legitimate credentials, domain administrator privileges, persistence across all systems, and trusted access indistinguishable from authorized activity. A single compromised domain admin account provides access equivalent to complete network compromise. Organizations depend entirely on AD security to protect infrastructure integrity.

Enterprise Dependency & Attack Impact

Most enterprise security incidents involve Active Directory compromise at some point. Attackers prioritize AD exploitation because a successful domain compromise is decisive: once attackers hold legitimate credentials, blue teams cannot easily detect or prevent post-compromise activity.

🔓 Successful AD Compromise Enables

  • Lateral movement to all domain-joined systems
  • Data access through domain file shares
  • Service account compromise for persistence
  • Privilege escalation to domain administrator
  • Long-term persistence through backdoored accounts
  • Credential harvesting for future campaigns

🛡️ Why Defenders Prioritize AD

  • Single failure point for entire identity system
  • Attackers inherently trusted once authenticated
  • Credential compromise enables undetectable activity
  • Domain admin accounts provide ultimate access
  • Service accounts represent persistent backdoors
  • Most breach investigations trace to AD compromise

📈 Industry Reality

Security research consistently shows AD compromise is present in 70%+ of investigated enterprise breaches. Organizations without robust AD security controls face critical risk of undetected compromise, lateral movement, and persistent attacker access.

[02]

Core Active Directory Components (Conceptual Foundation)

Domain, Forest, and Trust Structure

AD hierarchy provides scalable identity management across large organizations. Understanding structure is essential for identifying attack paths and privilege escalation vectors.

🏗️ Domain Architecture

  • Domain: The fundamental AD unit containing user accounts, computer objects, and group policies. A single domain can contain thousands of objects. Multiple domains replicate independently; each has its own domain controllers.
  • Forest: A collection of domains sharing a common schema and global catalog. Domains in a forest trust each other automatically; administrators can manage cross-domain access.
  • Organizational Units (OUs): Container objects that organize users and computers; group policies are applied at the OU level to manage configurations.

🔗 Trust Relationships

  • Implicit Trusts: Domains within the same forest automatically trust each other.
  • Explicit Trusts: Organizations create trusts between separate forests to enable cross-organization authentication.
  • Trust Implications: Trust relationships create attack paths; compromising one domain can lead to trust compromise and cross-domain privilege escalation. Understanding trust topology is critical for attack surface mapping.

Domain Controllers

Replicated servers hosting AD copy; authenticate users, apply group policies, replicate changes

Global Catalog

Indexes all objects forest-wide; enables cross-domain searches and authentication

LDAP/Kerberos

Protocols used for authentication and directory queries; primary attack targets

Authentication & Authorization Concepts

AD authentication and authorization mechanisms directly relate to exploitation techniques. Understanding these flows reveals where attackers intercept credentials or forge authentication tokens.

🔐 Kerberos Authentication Protocol

AD uses Kerberos as its default network authentication protocol (NTLM remains only as a legacy fallback). Kerberos issues tickets that let services authenticate users without the user's password ever being sent to the service. Key components:

  • Key Distribution Center (KDC): Runs on domain controllers and issues tickets to authenticated users.
  • Ticket-Granting Ticket (TGT): Received by the user after successful authentication; used to request service tickets.
  • Service Ticket: Grants access to a specific service; carries the user's identity and group memberships, and is encrypted with the service account's key.

Understanding the Kerberos flow is essential for understanding Kerberoasting and other ticket-based attacks.

👥 Group Membership & Authorization

  • Security Groups: Control resource access; membership determines what users can access.
  • Domain Admins Group: Members have admin rights on all domain-joined computers.
  • Enterprise Admins: Control the entire forest; the highest privilege level.
  • Privilege Escalation Target: Attackers seek group memberships that provide elevated privileges. Understanding group structure reveals privilege escalation paths.

🔓 Account Types as Exploit Targets

  • User Accounts: Belong to humans; the most common attack targets.
  • Service Accounts: Run services with persistent permissions; high-value targets for persistence.
  • Computer Accounts: Represent systems in the domain; compromised computer accounts enable lateral movement.
  • Admin Accounts: Elevated privileges; the most dangerous when compromised.

🔑 Conceptual Foundation

These AD components form the foundation for understanding attack surfaces. Attackers exploit group membership relationships, forge Kerberos tickets, abuse trust relationships, and compromise service accounts. Later modules dive into specific exploitation techniques targeting these components.

[03]

Active Directory Attack Surface: Misconfigurations & Privilege Paths

Common AD Misconfigurations Creating Exploitation Paths

Most AD compromise stems not from sophisticated zero-day exploits but from common misconfigurations that attackers abuse to escalate privileges and move laterally.

⚠️ Weak Service Account Management

  • Issue: Service accounts often have excessive permissions, unchanged passwords, or credentials stored in plaintext.
  • Exploitation: Attackers compromise service account credentials and gain service-level access; because service accounts often run with high privileges, this enables privilege escalation.
  • Impact: A single compromised service account provides persistence and access to all systems the service manages.

⚠️ Excessive Group Memberships

  • Issue: Users are placed in high-privilege groups unnecessarily; Domain Admins membership is distributed too widely.
  • Exploitation: Attackers compromise any member of the Domain Admins group to gain full domain access.
  • Impact: Compromise of a single low-priority user account yields domain admin privileges if that account is a member of an admin group.

⚠️ Trust Relationship Misconfigurations

  • Issue: Cross-domain or cross-forest trusts are created without understanding the security implications.
  • Exploitation: Attackers abuse trusts to escalate from a compromised domain to a trusted domain; trust path compromise allows forest-wide privilege escalation.
  • Impact: A single domain compromise can lead to forest compromise through trust abuse.

⚠️ Disabled Security Controls

  • Issue: Kerberos pre-authentication disabled, NTLM downgrade allowed, audit logging disabled.
  • Exploitation: Attackers exploit disabled controls for offline attacks (AS-REP roasting), protocol downgrade attacks, and undetected activity.
  • Impact: Security features designed to prevent attacks become ineffective.
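The account-level issues listed under weak service account management and disabled security controls are mostly visible in a single directory attribute, userAccountControl, plus the servicePrincipalName and pwdLastSet attributes. The Python audit below is an added example, not part of this module or of any vendor tool: it decodes the well-known userAccountControl bit flags and reports findings per account. The records are constructed; the attribute names mirror the LDAP attributes, the finding codes and the 365-day password-age threshold are assumptions, and fetching the export from a live directory is out of scope.

```python
"""Audit a directory export for account-level AD misconfigurations:
disabled Kerberos pre-authentication, 'password not required', unconstrained
delegation, DES-only keys, and service accounts with non-expiring or stale passwords.
Added example; records below are constructed, not from any real domain."""
from datetime import datetime, timedelta, timezone

# Well-known userAccountControl bit flags (subset).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def audit_account(record, now, max_password_age_days=365):
    """Return finding codes (assumed names) for one account record.

    record keys mirror LDAP attributes: sAMAccountName, userAccountControl (int),
    servicePrincipalName (list of str), pwdLastSet (aware datetime)."""
    flags = decode_uac(record["userAccountControl"])
    findings = []
    if "ACCOUNTDISABLE" in flags:
        return findings  # a disabled account cannot authenticate; nothing to report
    is_service = bool(record.get("servicePrincipalName"))
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("PREAUTH_DISABLED")  # exposes the account to AS-REP roasting
    if "PASSWD_NOTREQD" in flags:
        findings.append("PASSWORD_NOT_REQUIRED")
    if "TRUSTED_FOR_DELEGATION" in flags:
        findings.append("UNCONSTRAINED_DELEGATION")
    if "USE_DES_KEY_ONLY" in flags:
        findings.append("DES_ONLY")
    if is_service and "DONT_EXPIRE_PASSWORD" in flags:
        findings.append("SERVICE_PASSWORD_NEVER_EXPIRES")
    if is_service and now - record["pwdLastSet"] > timedelta(days=max_password_age_days):
        findings.append("SERVICE_PASSWORD_STALE")
    return findings


def audit_export(records, now):
    """Map each sAMAccountName to its list of findings."""
    return {r["sAMAccountName"]: audit_account(r, now) for r in records}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EXPORT = [  # constructed sample records
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | 0x10000,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "pwdLastSet": NOW - timedelta(days=1500)},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | 0x400000,
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=10)},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x200 | 0x2 | 0x400000,
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=900)},
]

if __name__ == "__main__":
    for account, findings in audit_export(SAMPLE_EXPORT, NOW).items():
        print(f"{account:12} {', '.join(findings) or 'ok'}")
```

In a real environment the export would come from an LDAP query against the domain (the attributes used here are standard), and the finding list would be compared against a documented exception register before anything is remediated.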

Privilege Relationships & Trust Paths

AD privilege escalation typically doesn't occur through direct privilege assignment but through abuse of legitimate privilege relationships.

🎯 Privilege Escalation Patterns

  • Delegation: An admin delegates tasks to lower-privilege accounts; the delegates can leverage the delegated rights for escalation
  • Service Tickets: Kerberos allows attackers to forge service tickets if a service account's credentials are compromised
  • ACL Abuse: Misconfigured Access Control Lists allow low-privilege users to modify high-privilege objects
  • Resource-Based Constrained Delegation: A resource specifies which services may delegate to it; misconfigured delegation creates escalation chains

🌐 Cross-Domain Attack Paths

  • Trust Chain Abuse: Compromise one domain, exploit trust to access trusted domains
  • Forest Compromise: Compromise child domain, escalate to forest root through trust
  • Cross-Forest Trusts: Explicit trusts between forests create escalation opportunities
  • Trust Direction Abuse: Compromise trusted domain, abuse trust direction for access

Attack Complexity

Many attacks leverage legitimate privilege relationships rather than exploiting vulnerabilities

Detection Difficulty

Attackers using legitimate privilege relationships blend with normal administrative activity

Escalation Chains

Multiple privilege relationships link together to form paths to domain admin

⚡ Key Insight

AD attack surface doesn't emerge from missing patches or zero-day vulnerabilities. Instead, attacks leverage legitimate AD features and misconfigured permissions. Organizations must understand their own AD privilege relationships to identify where attackers can escalate privileges.

[04]

Enterprise Security Perspective: Defense Awareness

How Attackers Map AD Environment

Understanding attacker reconnaissance helps defenders identify what information is exposed and what AD details should be protected.

🗺️ Domain Structure Discovery

Attackers use LDAP queries to enumerate domain structure: users, groups, computers, organizational units, trust relationships. This reconnaissance is difficult to detect—LDAP queries appear as legitimate domain user activity. AD itself provides information attackers use for privilege escalation path mapping.

🗺️ Privilege Relationship Mapping

Attackers identify high-value targets: domain admins, service accounts with high privileges, users with sensitive access. Tools analyze group memberships, group policies, and delegation relationships. Publicly available AD scanning tools automate this reconnaissance. Organizations struggle to detect reconnaissance because enumeration leverages legitimate AD features.

🗺️ Escalation Path Analysis

Attackers build "attack paths"—chains of privilege relationships leading from compromised account to domain admin. Graph analysis tools identify shortest paths to domain compromise. Many organizations don't understand their own attack paths; sophisticated attackers often do.
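The escalation chains described in the privilege escalation patterns, the "Escalation Chains" note and this section are a graph problem, and defenders can run the same analysis over their own directory before an attacker does. The Python below is an added example, not part of this module or of any published tool: it takes an export of privilege relationships (nested group membership, local admin rights, ACL control rights, credential exposure on a host), finds the shortest chain from every principal to Domain Admins, and ranks which single relationship appears in the most chains, which is where remediation has the largest effect. The graph and the edge names are constructed assumptions, not the schema of any particular product.

```python
"""Shortest privilege-escalation chains to Domain Admins over a constructed
relationship graph, and the edges whose removal cuts the most chains.
Added example; edge kinds and the sample graph are assumptions."""
from collections import Counter, defaultdict, deque

# Directed edges (source, kind, target), meaning "source can take over / act as target".
# Edge kinds used here (assumed names):
#   MemberOf   - source is a member of group target and inherits its rights (nested groups chain)
#   AdminTo    - source has local administrator rights on computer target
#   HasSession - credentials of target are present on computer source (an admin there can reuse them)
#   GenericAll - source holds an ACL right that gives full control over target
SAMPLE_EDGES = [  # constructed
    ("contractor1", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "Tier1-Admins"),      # ACL misconfiguration on a group
    ("Tier1-Admins", "MemberOf", "Server-Admins"),   # nested group membership
    ("Server-Admins", "AdminTo", "FILE01"),
    ("FILE01", "HasSession", "da_backup"),           # a DA account logs on to a file server
    ("da_backup", "MemberOf", "Domain Admins"),
    ("svc_sql", "MemberOf", "Server-Admins"),
    ("jdoe", "MemberOf", "Sales"),
    ("Sales", "MemberOf", "All-Staff"),
]


def build_graph(edges):
    graph = defaultdict(list)
    for src, kind, dst in edges:
        graph[src].append((kind, dst))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the hops as (src, kind, dst) tuples, or None."""
    if start == target:
        return []
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        for kind, nxt in graph.get(node, ()):
            if nxt in seen:
                continue
            hop = path + [(node, kind, nxt)]
            if nxt == target:
                return hop
            seen.add(nxt)
            queue.append((nxt, hop))
    return None


def paths_to(edges, target="Domain Admins"):
    """Shortest chain for every principal or group that can reach the target."""
    graph = build_graph(edges)
    nodes = {n for s, _, d in edges for n in (s, d)} - {target}
    result = {}
    for node in sorted(nodes):
        path = shortest_path(graph, node, target)
        if path is not None:
            result[node] = path
    return result


def choke_points(paths, target="Domain Admins"):
    """Edges ranked by how many shortest chains they appear in.

    Direct membership of the target is excluded: those members are already known,
    the interesting choke points are the relationships that lead to them."""
    counts = Counter(hop for path in paths.values() for hop in path if hop[2] != target)
    return counts.most_common()


if __name__ == "__main__":
    chains = paths_to(SAMPLE_EDGES)
    for principal, hops in chains.items():
        print(f"{principal}: " + " -> ".join(f"{s} [{k}] {d}" for s, k, d in hops))
    for edge, count in choke_points(chains)[:3]:
        print(f"{count} chains pass through {edge}")
```

Reading the output the way a defender would: contractor1 reaches Domain Admins in six hops without ever being granted a privilege directly, exactly the pattern the text describes, and the FILE01 session edge sits on every chain, so removing the privileged logon to that server breaks all of them at once.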

Why Defenders Prioritize AD Protection

Understanding defender perspectives helps red teams recognize what protections organizations implement and what detection capabilities are deployed.

🛡️ Identity as the New Perimeter

Traditional network perimeters are assumed to fail; attackers are already inside the network. Identity becomes the security perimeter: defenders assume compromise at the network layer and focus on identity. AD security directly determines organizational security posture. Organizations shift from "keep attackers out" to "prevent attackers from moving laterally once inside" through identity controls.

🛡️ Detection & Response Priority

Defenders deploy monitoring specifically targeting AD abuse: anomalous LDAP queries, unusual ticket requests, suspicious group membership changes, and privilege escalation attempts. Security teams understand that AD compromise represents the conclusion of a breach: by the time AD is compromised, attackers have already achieved persistence, and detection becomes secondary.
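Two of the monitoring targets named here, unusual ticket requests and suspicious group membership changes, map directly onto Windows Security events, and they are also the detection side of the disabled-controls and Kerberos passages earlier in this module. The Python below is an added example, not from this module or any SIEM vendor: it runs three rules over events normalized to dicts, flagging TGT requests that completed with Pre-Authentication Type 0 (the account has pre-auth disabled), a burst of RC4 (etype 0x17) service-ticket requests for user-account SPNs from one requester (the Kerberoasting pattern), and member additions to privileged groups. The event field names follow the Windows event schema for 4768, 4769 and 4728/4732/4756; the events themselves, the threshold and the window are constructed assumptions to be tuned per domain.

```python
"""Three AD abuse detections over normalized Windows Security events.
Added example; sample events are constructed, thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global/local/universal security group
RC4_HMAC = "0x17"                       # TicketEncryptionType value for RC4-HMAC
ROAST_THRESHOLD = 5                     # distinct user-account SPNs per requester (assumed)
ROAST_WINDOW = timedelta(minutes=10)    # sliding window for the burst rule (assumed)


def detect(events):
    """Return alerts as (rule, subject, detail) tuples in time order."""
    alerts = []
    rc4_requests = defaultdict(list)    # requester -> [(time, spn), ...] within the window
    roast_alerted = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["EventID"]
        if eid == 4768 and ev.get("PreAuthType") == "0":
            # TGT issued without pre-authentication: the reply can be attacked offline,
            # so any such account outside a documented exception list is a finding.
            alerts.append(("ASREP_NO_PREAUTH", ev["TargetUserName"], ev["IpAddress"]))
        elif eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            spn = ev["ServiceName"]
            if spn.endswith("$") or spn.lower() == "krbtgt":
                continue  # machine accounts have random passwords; the signal is user-account SPNs
            requester = ev["TargetUserName"]
            history = rc4_requests[requester]
            history.append((ev["time"], spn))
            cutoff = ev["time"] - ROAST_WINDOW
            history[:] = [h for h in history if h[0] >= cutoff]
            distinct = {s for _, s in history}
            if len(distinct) >= ROAST_THRESHOLD and requester not in roast_alerted:
                roast_alerted.add(requester)
                alerts.append(("KERBEROAST_BURST", requester, sorted(distinct)))
        elif eid in GROUP_ADD_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            alerts.append(("PRIVILEGED_GROUP_ADD", ev["SubjectUserName"],
                           f"{ev['MemberName']} -> {ev['TargetUserName']}"))
    return alerts


T0 = datetime(2024, 6, 1, 9, 0)


def _ev(minutes, **fields):
    return {"time": T0 + timedelta(minutes=minutes), **fields}


SAMPLE_EVENTS = [  # constructed; field names follow the Windows Security event schema
    _ev(0, EventID=4768, TargetUserName="jdoe", PreAuthType="2", IpAddress="10.0.1.20"),
    _ev(1, EventID=4768, TargetUserName="legacy_app", PreAuthType="0", IpAddress="10.0.9.77"),
    _ev(3, EventID=4769, TargetUserName="jdoe@CORP.EXAMPLE", ServiceName="FILE01$",
        TicketEncryptionType="0x12"),  # AES256 ticket for a machine account: normal
] + [
    _ev(2 + i * 0.2, EventID=4769, TargetUserName="contractor1@CORP.EXAMPLE",
        ServiceName=spn, TicketEncryptionType="0x17")
    for i, spn in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_print", "svc_mon", "WS01$"])
] + [
    _ev(5, EventID=4728, SubjectUserName="helpdesk3",
        MemberName="CN=contractor1,OU=Staff,DC=corp,DC=example", TargetUserName="Domain Admins"),
    _ev(6, EventID=4728, SubjectUserName="helpdesk3",
        MemberName="CN=jdoe,OU=Staff,DC=corp,DC=example", TargetUserName="Sales"),
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {subject:28} {detail}")
```

The group-add rule fires unconditionally because membership changes to these groups should always be tied to a change record; the burst rule keys on distinct SPNs rather than raw request counts so that one busy user of a single service does not trip it.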

🛡️ Principle of Least Privilege

Mature organizations implement least privilege access: users receive minimal permissions, privileged accounts are isolated, and admin activities are monitored intensively. This architectural approach limits the blast radius if a specific account is compromised. Organizations practicing least privilege significantly complicate attacker escalation paths.

🤝 Red Team Value Proposition

Red team exercises identify whether defender AD protections actually work. Red teams demonstrate privilege escalation paths defenders thought they blocked, showcase reconnaissance data available to attackers, and test detection capabilities. This feedback enables organizations to strengthen identity security before actual compromise occurs.

[05]

External Learning Resources & Trusted Documentation

Recommended Resources for Further Learning

The following resources provide authoritative information on Active Directory architecture, security, and best practices. These materials support deeper understanding of AD concepts covered in this module.

📚 Microsoft Official Documentation

  • Active Directory Domain Services Overview: Microsoft's official AD architecture documentation covers fundamental concepts, domain structure, trust relationships, and security considerations. (Link: Microsoft AD DS Documentation)
  • Kerberos Protocol Reference: Technical specifications for the Kerberos authentication protocol used by AD. (Link: Microsoft Kerberos Documentation)

📚 Industry Best Practices & Security Guidelines

  • NIST Cybersecurity Framework: NIST provides identity management and access control guidance. (Link: NIST Computer Security Resource Center)
  • CIS Controls: The Center for Internet Security publishes the Critical Security Controls, including AD hardening recommendations. (Link: CIS Controls)

📚 Security Research & Attack Surface Resources

  • Active Directory Attack Surface Analysis: Technical research on AD vulnerabilities and attack patterns. (Link: Pluralsight AD Resources)
  • SANS Security Research: SANS provides AD attack and defense whitepapers. (Link: SANS Institute)

📚 Hands-On Learning Environments

  • Proxmox & Virtual Lab Setup: Organizations should establish secure lab environments replicating production AD for testing and learning. (Link: Proxmox Documentation)
  • TryHackMe: Interactive platform providing AD environment access for authorized security professionals. (Link: TryHackMe)

⚠️ Resource Quality Note

All referenced resources are from established, authoritative sources. When learning about AD security, rely on official documentation, academic research, and reputable security organizations. Avoid unverified sources that may contain inaccurate information about attack techniques.
