Last updated: April 29, 2026
The first step of every AD attack is enumeration. Before exploitation, before lateral movement, before privilege escalation — you map the terrain. AD’s fundamental design choice of “authenticated users read everything” means attackers and defenders enumerate with the same tools, seeing the same data. The difference is what they do with it.
Why enumeration works so well
AD’s LDAP schema is open by design. Any authenticated user can query for:
- All user objects (names, descriptions, email, employee IDs, last logon)
- All group memberships (including privileged groups)
- All computer objects (hostnames, operating systems, last logon)
- All OU structure
- All Group Policy Objects (name, links, UNC paths to SYSVOL)
- All ACLs on nearly every object
- All trust relationships to other forests
- All service principal names (attack target for Kerberoasting)
This information was intended for sysadmins. It is equally useful to anyone with any authenticated credential. And getting one authenticated credential is usually trivial (Responder, phishing, password spray).
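What follows is an added example, not code from the original page: a small Python audit that takes the attacker's-eye view of a directory snapshot and reports the exposures a defender should care about (accounts with SPNs, members of privileged groups, the overlap of the two, descriptions that carry sensitive-looking text, and the SYSVOL paths published by GPOs). The LDAP filters and attribute names are the standard ones any authenticated user can issue; the snapshot itself is constructed inline so the script runs offline, and the helper names (`audit`, `dn_to_cn`, `SECRET_HINTS`) are this example's own.

```python
"""Audit a directory snapshot for what any authenticated user can read.

Added example, not code from the original page. It assumes the entries
were already exported from LDAP into a list of dicts keyed by attribute
name (e.g. via ldap3 or ldapsearch); a constructed snapshot is embedded
here so the script runs offline.
"""
from collections import defaultdict

# Filters and attributes an authenticated user could request for each
# category the text lists. Attribute names are standard AD schema names;
# the search base (the domain DN) is assumed.
LDAP_QUERIES = {
    "users": ("(&(objectCategory=person)(objectClass=user))",
              ["sAMAccountName", "description", "mail", "lastLogonTimestamp"]),
    "groups": ("(objectClass=group)", ["cn", "member"]),
    "computers": ("(objectClass=computer)", ["dNSHostName", "operatingSystem"]),
    "gpos": ("(objectClass=groupPolicyContainer)", ["displayName", "gPCFileSysPath"]),
    "spn_users": ("(&(objectClass=user)(servicePrincipalName=*))",
                  ["sAMAccountName", "servicePrincipalName"]),
    "trusts": ("(objectClass=trustedDomain)", ["trustPartner", "trustDirection"]),
}

# Built-in groups whose membership a defender should review (assumption: the
# list is a starting point, not exhaustive).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators"}
# Coarse keyword heuristic for description fields; expect false positives.
SECRET_HINTS = ("password", "passwd", "pwd", "temp")
LEGACY_OS_MARKERS = ("2003", "2008", "2012")

# Constructed snapshot, not real directory data.
SNAPSHOT = [
    {"objectClass": "user", "sAMAccountName": "jdoe", "mail": "jdoe@corp.example",
     "description": "Helpdesk - temp pwd Summer2024!"},
    {"objectClass": "user", "sAMAccountName": "svc_sql", "description": "SQL service",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"objectClass": "user", "sAMAccountName": "asmith", "description": "Finance"},
    {"objectClass": "group", "cn": "Domain Admins",
     "member": ["CN=asmith,CN=Users,DC=corp,DC=example",
                "CN=svc_sql,CN=Users,DC=corp,DC=example"]},
    {"objectClass": "group", "cn": "Finance",
     "member": ["CN=jdoe,CN=Users,DC=corp,DC=example"]},
    {"objectClass": "computer", "dNSHostName": "db01.corp.example",
     "operatingSystem": "Windows Server 2012 R2"},
    {"objectClass": "groupPolicyContainer", "displayName": "Default Domain Policy",
     "gPCFileSysPath": "\\\\corp.example\\SysVol\\corp.example\\Policies\\{PLACEHOLDER-GUID}"},
]


def dn_to_cn(dn):
    """Return the leading RDN value of a DN ('CN=asmith,...' -> 'asmith')."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def audit(entries):
    """Group the snapshot into the findings a defender wants from this view."""
    findings = defaultdict(list)
    for e in entries:
        oc = e.get("objectClass")
        if oc == "user":
            name = e["sAMAccountName"]
            desc = e.get("description", "").lower()
            if any(hint in desc for hint in SECRET_HINTS):
                findings["description_leak"].append(name)
            if e.get("servicePrincipalName"):
                findings["spn_user"].append(name)
        elif oc == "group" and e.get("cn") in PRIVILEGED_GROUPS:
            for dn in e.get("member", []):
                findings["privileged_member"].append((e["cn"], dn_to_cn(dn)))
        elif oc == "computer":
            if any(m in e.get("operatingSystem", "") for m in LEGACY_OS_MARKERS):
                findings["legacy_os"].append(e["dNSHostName"])
        elif oc == "groupPolicyContainer":
            findings["sysvol_path"].append(e["gPCFileSysPath"])

    # Derived finding: an SPN-bearing account that is also privileged combines
    # the Kerberoasting target the text mentions with high-value membership.
    privileged_names = {member for _, member in findings["privileged_member"]}
    findings["spn_privileged"] = [n for n in findings["spn_user"] if n in privileged_names]
    return dict(findings)


if __name__ == "__main__":
    for category, (flt, attrs) in LDAP_QUERIES.items():
        print(f"{category:10s} {flt}  attrs={','.join(attrs)}")
    for key, items in audit(SNAPSHOT).items():
        print(f"{key}: {items}")
```

Running the script prints the filter an authenticated user would issue for each category and then the findings; on real data, replace `SNAPSHOT` with the attribute dicts returned by your LDAP client and review the `spn_privileged` and `description_leak` lists first.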