Active Directory is the identity backbone in more than 95% of midsize and large enterprises running a Microsoft stack. It is also the attack surface that red teamers spend the most time on, that OSCP and CRTO exams test most heavily, and that junior penetration testers are weakest in when they walk into their first interview.
The gap is not knowledge. Most practitioners can define Kerberoasting. The gap is repetition: running the attack chain from enumeration to domain compromise in a live environment often enough that the sequence becomes automatic rather than something you reconstruct step by step under exam or engagement pressure.
This guide covers the core AD attack techniques, what each one exploits, and where to practise them today without building a local lab.
Why Is Active Directory Such a High-Value Target?
AD controls authentication and authorisation across an entire enterprise. Compromise it and you own the organisation's identity infrastructure: every user account, every group policy, every service account, every trust relationship. That is why domain admin is the objective of most red team engagements and why AD attack chains appear in almost every advanced penetration testing certification.
The attack chain follows a consistent pattern. Enumerate the environment. Harvest or crack credentials. Move laterally to high-value hosts. Escalate privileges through misconfigurations and delegation flaws. Compromise the domain. Establish persistence. Every technique below maps to a specific phase of that chain.
What Are the Core Active Directory Attack Techniques?
Enumeration with BloodHound
Before any attack, you need to understand the environment. BloodHound ingests data from SharpHound (a .NET collector run inside the domain, as a domain user) and visualises the AD graph: users, groups, computers, sessions, ACLs, trusts, and most importantly, attack paths from a standard user to Domain Admins.
BloodHound does not exploit anything by itself. It shows you what to exploit. Run SharpHound, import the results into BloodHound, and use the pre-built queries to identify Kerberoastable accounts (users with an SPN), AS-REP Roastable users (pre-authentication disabled), principals with DCSync rights, and shortest paths to Domain Admins. The attack-path graph is what makes BloodHound invaluable: you can see in seconds whether your current user reaches a high-value target through a chain of group memberships, local admin rights, logged-on sessions and ACL edges that manual enumeration would take hours to piece together. One caveat: the graph is only as complete as the collection was, so a missing path may mean a missing collection method (sessions and local groups in particular), not a safe domain.
MITRE ATT&CK: T1087.002 (Account Discovery: Domain Account), T1615 (Group Policy Discovery)
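The shortest-path query is the heart of the enumeration step, so here is what it does in miniature. This is an added example, not BloodHound's code: a breadth-first search over a small constructed graph that uses BloodHound's real edge names (MemberOf, AdminTo, HasSession, GenericAll, CanRDP) and its real user property names (hasspn, dontreqpreauth, enabled). The domain, principals and edges are invented for the demonstration; in the real tool the same logic runs as a Cypher query against Neo4j.

```python
from collections import deque

# Constructed toy AD graph (example data, not a collected domain). Edge
# direction follows BloodHound: a user is MemberOf a group, a principal is
# AdminTo a computer, a computer HasSession for a user, a principal holds
# GenericAll over an object.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "MARKETING@CORP.LOCAL"),
    ("MARKETING@CORP.LOCAL", "CanRDP", "WS02.CORP.LOCAL"),
]

# Constructed user properties, keyed the way BloodHound stores them.
USERS = {
    "ALICE@CORP.LOCAL":      {"hasspn": False, "dontreqpreauth": False, "enabled": True},
    "BOB@CORP.LOCAL":        {"hasspn": False, "dontreqpreauth": False, "enabled": True},
    "SVC_BACKUP@CORP.LOCAL": {"hasspn": True,  "dontreqpreauth": False, "enabled": True},
    "SVC_LEGACY@CORP.LOCAL": {"hasspn": False, "dontreqpreauth": True,  "enabled": True},
    "SVC_OLD@CORP.LOCAL":    {"hasspn": True,  "dontreqpreauth": True,  "enabled": False},
}


def shortest_path(edges, start, target):
    """BFS over the directed edge list. Returns the path as a list of
    (source, relationship, destination) hops, or None if unreachable."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    previous = {start: None}          # node -> (predecessor, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while previous[node] is not None:
                pred, rel = previous[node]
                hops.append((pred, rel, node))
                node = pred
            return hops[::-1]
        for rel, nxt in adjacency.get(node, []):
            if nxt not in previous:   # first visit is the shortest in BFS
                previous[nxt] = (node, rel)
                queue.append(nxt)
    return None


def format_path(hops):
    """Render hops the way BloodHound labels them: A -[rel]-> B -[rel]-> C."""
    if not hops:
        return ""
    return hops[0][0] + "".join(f" -[{rel}]-> {dst}" for _, rel, dst in hops)


def kerberoastable(users):
    """Equivalent of the 'Kerberoastable users' query: enabled users with an SPN."""
    return sorted(u for u, p in users.items() if p["hasspn"] and p["enabled"])


def asrep_roastable(users):
    """Equivalent of the 'AS-REP Roastable users' query: enabled users without pre-auth."""
    return sorted(u for u, p in users.items() if p["dontreqpreauth"] and p["enabled"])


if __name__ == "__main__":
    path = shortest_path(EDGES, "ALICE@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL")
    print(format_path(path))
    print("Kerberoastable:", kerberoastable(USERS))
    print("AS-REP roastable:", asrep_roastable(USERS))
```

In the toy data ALICE reaches Domain Admins in five hops (helpdesk membership, local admin on WS01, a backup service account logged on there, GenericAll over IT-ADMINS, which is nested in Domain Admins), while BOB has no path at all; that difference is exactly what the graph view surfaces instantly. Disabled accounts are filtered out because a roastable hash you cannot use afterwards is wasted cracking time.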
Kerberoasting
Any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has a Service Principal Name (SPN) registered. Part of that ticket is encrypted with a key derived from the service account's password; when the ticket is issued with RC4 (encryption type 23) that key is simply the account's NTLM hash. Kerberoasting requests these tickets and cracks the encrypted portion offline, which generates no failed logons against the target account.
Why it matters: service accounts are often created with weak, human-chosen passwords, are excluded from rotation policies because rotating them breaks things, and frequently carry elevated privileges because they run automated processes. A cracked service account that sits in Domain Admins or Backup Operators is a direct path to high privilege. Computer accounts also have SPNs but use long random passwords, so they are not practical targets.
```bash
# Rubeus one-liner: request a TGS for every SPN account and write the hashes out
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Crack offline with Hashcat; mode 13100 is the RC4 format ($krb5tgs$23$).
# Tickets issued with AES256 ($krb5tgs$18$) need mode 19700 instead.
hashcat -m 13100 hashes.txt wordlist.txt
```
Detection signal for defenders: Windows Event ID 4769 (Kerberos service ticket request) with Ticket Encryption Type 0x17 (RC4) for a service name that is not a computer account (no trailing $) and not krbtgt is the primary Kerberoasting indicator, especially when one user requests tickets for many different SPN accounts in a short window. Baseline first: legacy hosts still request RC4 legitimately, so the signal is the combination of RC4, a user-owned SPN and volume, not RC4 alone.
MITRE ATT&CK: T1558.003
AS-REP Roasting
Accounts with "Do not require Kerberos preauthentication" enabled (the DONT_REQ_PREAUTH flag, 0x400000, in userAccountControl) will be issued an AS-REP for a bare AS-REQ, so an attacker who only knows the username gets the response without presenting any credentials. The AS-REP contains a section encrypted with the user's key, crackable offline in the same way as Kerberoasting hashes (Hashcat mode 18200 for the $krb5asrep$23$ format).
Less common than Kerberoasting in well-configured environments, but highly effective when it hits: the flag is usually set to accommodate an old application or a test, and the accounts carrying it are often forgotten service or test accounts that still hold elevated privileges.
```bash
# Impacket: request AS-REPs for a list of candidate usernames without credentials
python3 GetNPUsers.py target.local/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt
# Crack offline; mode 18200 is the $krb5asrep$23$ format
hashcat -m 18200 asrep_hashes.txt wordlist.txt
```
MITRE ATT&CK: T1558.004
Pass-the-Hash
When you recover NTLM hashes from memory (LSASS via Mimikatz or similar) or from SAM/NTDS dumps, Pass-the-Hash allows lateral movement to other systems without knowing the plaintext password. NTLM is a challenge-response protocol keyed on the NT hash itself: the client never sends the password, it proves possession of the hash, so whoever holds the hash can produce a valid response. The same hash can also be used to request a Kerberos TGT (overpass-the-hash), which matters in environments where NTLM is restricted.
```bash
# Impacket psexec: authenticate with the NT hash (LM half left empty), not a password
python3 psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@10.10.10.5
```
The goal is to find a hash that works on multiple systems. Local administrator accounts sharing the same password (and therefore the same hash) across many machines are the classic target; randomised local admin passwords (LAPS) remove exactly this reuse, which is why you check for LAPS early.
MITRE ATT&CK: T1550.002
Lateral Movement via SMB and WMI
With valid credentials or hashes, lateral movement means moving from your current foothold to other machines in the network. SMB (admin shares plus a service, as psexec does) and WMI (remote process creation over DCOM) are the two most common mechanisms in enterprise environments because they are legitimate administrative protocols that blend with normal traffic and need no agent on the target.
NetExec (the maintained fork of CrackMapExec since 2023) is the standard tool for spray-and-check operations across subnets:
```bash
# Check which hosts your current credentials work on (Pwn3d! marks local admin);
# add --local-auth when the hash belongs to a local account rather than a domain one
nxc smb 10.10.10.0/24 -u administrator -H 8846f7eaee8fb117ad06bdd830b7586c
```
MITRE ATT&CK: T1021.002 (Remote Services: SMB/Windows Admin Shares), T1047 (Windows Management Instrumentation)
DCSync
DCSync abuses the Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a domain controller asking for replication of account data, including password hashes. It needs the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object, held by default by Domain Admins, Enterprise Admins, the built-in Administrators group and domain controllers, and sometimes granted explicitly to sync or migration accounts. A principal with those rights can extract the NTLM hash of any account, including KRBTGT, without ever touching a domain controller's disk or LSASS.
```bash
# Mimikatz: dump all domain hashes via DCSync (must be run as a principal with replication rights)
lsadump::dcsync /domain:target.local /all /csv
# Or pull a single account, the usual first target being krbtgt
lsadump::dcsync /domain:target.local /user:krbtgt
```
The KRBTGT hash enables Golden Ticket attacks: forging TGTs that the KDC accepts for any user and any service in the domain, valid for whatever lifetime the forger encodes (Mimikatz defaults to 10 years). They survive every user password reset; only resetting the KRBTGT password twice (so that both the current and the previous key change) invalidates them.
MITRE ATT&CK: T1003.006
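The detection signals for Kerberoasting (4769 with RC4 for a user-owned SPN, described under that technique) and for DCSync (4662 showing a replication extended right exercised by something that is not a domain controller) both reduce to simple filters over Security log fields. The following added example, not code from the page, runs both filters over constructed sample events shaped like the relevant 4769 and 4662 fields. The replication GUIDs are the real AD schema values; the events, account names and the threshold of three distinct SPN accounts are assumptions for the demonstration. 4662 only appears if "Audit Directory Service Access" is enabled with a SACL on the domain object, so check that before relying on it.

```python
from collections import defaultdict

# Extended rights exercised by DCSync (real schema GUIDs, lower-cased for matching).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events (not real logs), carrying only the fields the
# filters use. 0x17 = RC4-HMAC, 0x12 = AES256; AccessMask 0x100 = Control Access.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.10.51"},
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.52"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def kerberoast_suspects(events, threshold=3):
    """Principals that obtained RC4 (0x17) service tickets for at least
    `threshold` distinct user-owned SPN accounts. Computer accounts ($) and
    krbtgt are excluded because those tickets are routine."""
    per_user = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType", "").lower() != "0x17":
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].add(svc)
    return {user: sorted(svcs) for user, svcs in per_user.items() if len(svcs) >= threshold}


def dcsync_suspects(events, dc_accounts):
    """4662 events in which a replication extended right was exercised by a
    principal that is not a domain controller account. Returns (who, rights)."""
    known_dcs = {d.upper() for d in dc_accounts}
    hits = []
    for e in events:
        if e.get("EventID") != 4662 or e.get("AccessMask") != "0x100":
            continue
        props = e.get("Properties", "").lower()
        rights = [name for guid, name in REPL_GUIDS.items() if guid in props]
        if not rights:
            continue
        who = e.get("SubjectUserName", "")
        if who.upper() in known_dcs:
            continue                      # DC-to-DC replication is normal
        hits.append((who, rights))
    return hits


if __name__ == "__main__":
    print("Kerberoasting suspects:", kerberoast_suspects(EVENTS))
    print("DCSync suspects:", dcsync_suspects(EVENTS, {"DC01$", "DC02$"}))
```

With the sample data, alice is flagged for Kerberoasting (three distinct SPN accounts with RC4; her krbtgt request is ignored) while carol's single RC4 request stays under the threshold, and alice is flagged again for DCSync because a plain user exercised DS-Replication-Get-Changes-All. The DC allow-list must be maintained from the Domain Controllers OU, and Azure AD Connect or similar sync accounts that legitimately hold replication rights need their own explicit exception rather than a blanket one.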
The Full Attack Chain at a Glance
| Technique | Phase | What it exploits | Primary tool | MITRE ATT&CK | Practise on TryHackMe |
|---|---|---|---|---|---|
| BloodHound enumeration | Enumeration | AD graph relationships and misconfigurations | BloodHound + SharpHound | T1087.002 | Jr Penetration Tester path |
| Kerberoasting | Credential access | Service accounts with weak passwords and SPNs | Rubeus / Impacket | T1558.003 | Jr Penetration Tester path |
| AS-REP Roasting | Credential access | Accounts with preauthentication disabled | Impacket GetNPUsers | T1558.004 | Jr Penetration Tester path |
| Pass-the-Hash | Lateral movement | NTLM authentication accepting hash directly | Impacket psexec / NetExec | T1550.002 | Jr Penetration Tester path |
| SMB / WMI lateral movement | Lateral movement | Valid credentials and shared local admin hashes | NetExec | T1021.002 | Jr Penetration Tester path |
| DCSync | Credential access / Domain compromise | Replication rights to extract all domain hashes | Mimikatz | T1003.006 | Red Teaming path |
Where Can You Practise These Attacks Today?
Building a local AD lab from scratch requires a Windows Server licence, multiple VMs, significant RAM, and hours of configuration. TryHackMe's Jr Penetration Tester path gives you a fully configured, multi-host AD lab environment in a browser with none of that overhead.
The path was completely rebuilt for 2026 and now includes a dedicated nine-room Active Directory module covering the full attack chain: AD basics and authentication, basic and authenticated enumeration, AD breaching, credential harvesting, and lateral movement between hosts. Every room puts you inside a live AD environment where you run the actual tools against actual targets. BloodHound, Rubeus, Impacket, Mimikatz: all pre-installed in the AttackBox, all working against real AD infrastructure.
Three capstone challenges at the end of the path test the full kill chain without guidance, mirroring the format of the OSCP and PT1 certification exams.
For practitioners who want to go deeper into red team tradecraft specifically: the Red Teaming path extends into C2 frameworks, OPSEC, host evasion, and advanced AD persistence techniques including Golden Tickets and ADCS abuse.
FAQ
What is a red team vs blue team exercise? A red team exercise is a simulated attack conducted by security professionals (the red team) against an organisation's systems with the goal of finding and exploiting weaknesses the way a real adversary would. The blue team is the organisation's defenders, who monitor for and respond to those attacks. When the two work together openly, with the red team sharing each technique as it is run so the blue team can confirm whether their detections catch it, the exercise is usually called purple teaming.
How do I start learning exploit development for beginners? Exploit development builds on top of solid foundations in C programming, assembly language, and how the stack and heap work at a low level. The right starting point is understanding buffer overflows: how memory is laid out, what happens when you overflow a buffer, and how that translates to control of the instruction pointer. TryHackMe's Jr Penetration Tester path includes buffer overflow preparation content that builds these fundamentals before moving into exploitation.
What are the best Windows security courses for learning AD attacks? For hands-on AD attack practice, TryHackMe's Jr Penetration Tester path is the most structured browser-based option, covering the full AD attack chain across nine dedicated rooms. For certification-focused preparation, the CRTO (Certified Red Team Operator) course from Zero-Point Security is the most directly relevant for advanced AD tradecraft including Cobalt Strike and ADCS. For OSCP preparation specifically, consistent lab time on AD machines with BloodHound, Rubeus, and Impacket is more valuable than any course.
Which MITRE ATT&CK techniques appear most in enterprise AD environments? Kerberoasting (T1558.003), Pass-the-Hash (T1550.002), and DCSync (T1003.006) are the three techniques that appear most consistently in red team findings against enterprise AD environments. BloodHound-style enumeration via LDAP queries (T1087.002) is the discovery phase that precedes them. These four techniques, practised in sequence against a live AD environment, cover the core of what most junior red team interviews test for.
How long does it take to get comfortable with Active Directory attacks? With consistent, structured practice in a live lab environment, most practitioners develop working proficiency with the core AD attack chain in four to eight weeks. The key is repetition in an unguided environment: running the chain from initial enumeration to domain admin without a walkthrough telling you what to do next. TryHackMe's AD rooms provide the guided foundation; the capstone challenges and harder unguided rooms provide the unguided repetition.
Nick O'Grady