Academy

Module 1 · Why AD Is Fragile by Design 🔒

Manish Garg, Associate CISSP · RingSafe
April 22, 2026
4 min read

Active Directory, shipped with Windows 2000, was designed for enterprises whose primary threat was an external attacker with no internal foothold. The default configuration trusted every authenticated user with broad read access, tolerated legacy protocols, and kept backwards compatibility with NT-era workstations. Every one of those decisions is now a privilege escalation path. This module explains why, in 2026, AD is still the internal target that falls fastest: not because it is buggy, but because its defaults have accumulated risk for two decades.

Why this happens

AD’s design principle was operational convenience for administrators. Any authenticated user can enumerate the entire directory: user objects, group memberships, organizational units, group policy objects, computer accounts, trusts. The idea: admins needed to find things. The reality: attackers need exactly the same visibility.

Backwards compatibility preserved NTLM, RC4 Kerberos encryption, LM hashes for legacy apps, SMBv1, anonymous LDAP queries. Each generation of Windows Server added new features but rarely deprecated old ones. A domain built in 2005 and upgraded through every release carries 20 years of accumulated defaults.

Inherent risk classes

  • Authenticated-read-everything: any domain user (or computer account) can enumerate the whole directory, which is all a BloodHound collector needs.
  • NTLM alongside Kerberos: NTLM relay still works on most networks where signing is not enforced.
  • Service accounts with SPNs: any user can request a service ticket for them and crack it offline (Kerberoasting). The passwords are often years old.
  • Computer accounts are principals too: a computer account is a member of Authenticated Users and reads the directory like any user, so compromising one workstation is enough to start enumeration.
  • Machine account quota (ms-DS-MachineAccountQuota = 10 by default): any authenticated user can join up to 10 new computer accounts, which feeds resource-based constrained delegation and relay tricks.
  • Group Policy Preferences cPassword (until the 2014 patch, MS14-025): passwords stored in SYSVOL XML, encrypted with an AES key Microsoft itself published. The patch stopped new ones being written; old XML files stay in the SYSVOL of domains that never cleaned up.
  • Trusts: SID filtering is on by default for forest trusts but is often disabled to keep SID-history migrations working, and intra-forest (parent-child) trusts never filter, so a child-domain compromise is a forest compromise.
  • Print Spooler running on DCs: the PrinterBug coercion (MS-RPRN, a design feature; distinct from the PrintNightmare RCE, CVE-2021-34527, in the same service) makes a DC authenticate to an attacker host, which feeds NTLM relay or unconstrained delegation abuse.

Fast compromise pattern

# Step 1: Get any domain user credential (phishing, Responder, password spray)
# Step 2: Enumerate and identify attack paths
#         (add -ns <DC IP> if this host cannot resolve the domain through its own DNS)
bloodhound-python -u alice -p Password1 -d corp.local -c All --zip
# Import the zip into the BloodHound GUI; run "Shortest Paths to Domain Admins"

# Step 3: Execute the identified path
# Typical: Kerberoast service accounts, crack, reuse,
# OR: find an over-privileged group that contains your user,
# OR: ACL abuse (WriteDacl / GenericAll on a sensitive group),
# OR: DCSync from an account that already holds replication rights

# Step 4: DCSync the krbtgt hash → Golden Tickets until krbtgt is rotated twice
secretsdump.py -just-dc-user krbtgt CORP/compromised@dc.corp.local
# (prompts for the password; -hashes LMHASH:NTHASH works from a stolen hash instead)
# Output: krbtgt NT hash; domain compromise complete

Average time from “domain user” to “Domain Admin” on a typical un-hardened AD: 4-8 hours in a pentest engagement. Mature environments (Tier model, LAPS, Protected Users, PAW) push this to days or defeat it entirely.
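The defender's side of the same pattern, as an added example that is not from the original module: a PowerShell sweep of a domain controller's Security log for the two loudest steps above, bursts of RC4 service-ticket requests (Kerberoasting, step 3) and replication requests from accounts that are not domain controllers (DCSync, step 4). It assumes Windows PowerShell 5.1 on a DC with the ActiveDirectory module, and that "Audit Directory Service Access" (event 4662) and "Audit Kerberos Service Ticket Operations" (event 4769) are enabled; the five-tickets-per-hour threshold is my assumption, not Microsoft guidance.

```powershell
# Added example, not code from the module. Run on a DC as a user who can read the Security log.
Import-Module ActiveDirectory

# Flatten an event's EventData into a name -> value map so fields can be read by name.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$node.Name] = $node.'#text' }
    return $map
}

# Control-access-right GUIDs a replication request carries; DCSync needs the first two.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-DcSyncCandidates {
    param([int]$Hours = 24)
    # Real replication comes from DC computer accounts; anything else asking is suspect.
    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        $props = [string]$d['Properties']
        $isReplication = @($ReplicationGuids | Where-Object { $props -match $_ }).Count -gt 0
        if ($isReplication -and ($d['SubjectUserName'] -notin $dcAccounts)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
            }
        }
    }
}

function Find-KerberoastBursts {
    param([int]$Hours = 1, [int]$Threshold = 5)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $rc4Requests = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        # RC4 (0x17) tickets for a user-owned SPN (not krbtgt, not a machine account) are what
        # the Kerberoasting tools ask for, because RC4 tickets crack fastest.
        if ($d['TicketEncryptionType'] -eq '0x17' -and $d['Status'] -eq '0x0' -and
            $d['ServiceName'] -ne 'krbtgt' -and $d['ServiceName'] -notlike '*$') {
            [pscustomobject]@{
                Requester = $d['TargetUserName']   # user@REALM form
                Source    = $d['IpAddress']
                Service   = $d['ServiceName']
            }
        }
    }
    # One principal pulling tickets for many different SPNs in a short window is the signature.
    $rc4Requests | Group-Object Requester | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            Requester = $_.Name
            Tickets   = $_.Count
            Services  = ($_.Group.Service | Sort-Object -Unique) -join ', '
            Sources   = ($_.Group.Source  | Sort-Object -Unique) -join ', '
        }
    }
}

Find-DcSyncCandidates | Format-Table -AutoSize
Find-KerberoastBursts | Format-Table -AutoSize
```

Expect two kinds of noise and allow-list them deliberately: Entra Connect's synchronisation account and some backup products legitimately hold replication rights and will appear in the DCSync list, and service accounts that still lack AES in msDS-SupportedEncryptionTypes will generate RC4 tickets for every normal client. The second kind of noise is itself a finding from the audit list later in this module.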

Real-world incidents rooted in AD defaults

  • NotPetya (2017): the EternalBlue/EternalRomance SMBv1 exploits got it onto the first hosts; a Mimikatz-style credential stealer plus PsExec and WMIC, reusing admin credentials cached on ordinary workstations, did the rest. Maersk, Merck and Mondelez lost whole domains, domain controllers included, within hours. SMBv1 left enabled and admin credentials cached on workstations were the defaults that made each hop trivial.
  • Ransomware crews 2021-2026 (Conti, LockBit, BlackCat, Akira): the leaked Conti playbook and incident reports on the others show the same chain: AD enumeration, then ACL abuse / Kerberoasting / ADCS, then Domain Admin, then ransomware pushed to every host. AD compromise is the universal prerequisite.
  • Solorigate / SUNBURST (2020-2021): the SUNSPOT implant on SolarWinds' build server shipped the SUNBURST backdoor; inside victims the actors moved laterally to AD FS, stole the token-signing certificate and forged SAML assertions (Golden SAML, the federation-layer counterpart of a Golden Ticket) that Entra ID / Microsoft 365 accepted for cloud access.

What we find in every AD audit

  • Users in Domain Admins who don’t need to be (legacy accounts, generic admin accounts)
  • Service accounts with SPN + never-rotated passwords
  • Anonymous LDAP bind permitted
  • NTLM not restricted via Network security: Restrict NTLM GPOs
  • SMB signing not required
  • Print Spooler running on DCs
  • Unconstrained delegation on non-DC servers
  • MachineAccountQuota default (10)
  • No LAPS deployment
  • DSRM password set once at promotion and never rotated (it is a local administrator password on every DC)
  • krbtgt account password never rotated (a stolen krbtgt hash mints Golden Tickets, 10-year lifetime by default in the tooling, until the password is changed twice)
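An added example, not the module's own code, that checks the audit list above together with the defaults listed under "Inherent risk classes": a read-only PowerShell sweep using the RSAT ActiveDirectory module from any domain-joined host running Windows PowerShell 5.1 as an ordinary domain user. The thresholds (one-year service-account password age, 180-day krbtgt age, one-year Domain Admin inactivity) are my assumptions. The Spooler check uses Get-Service -ComputerName, which needs RPC reach to each DC and is not available in PowerShell 7.

```powershell
# Added example, not code from the module. Read-only; needs only a normal domain user
# plus RPC to the DCs for the Spooler check.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootDse  = Get-ADRootDSE
$dcNames  = (Get-ADDomainController -Filter *).Name
$findings = [System.Collections.Generic.List[string]]::new()
$oneYear  = (Get-Date).AddYears(-1)          # assumed "ancient password" threshold

# 1. ms-DS-MachineAccountQuota: the default of 10 lets any user add computer accounts (RBCD, relay).
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -ne 0) { $findings.Add("ms-DS-MachineAccountQuota is $maq; set it to 0 and delegate joins explicitly") }

# 2. Kerberoastable accounts: user objects with an SPN whose password is older than a year.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and $_.PasswordLastSet -lt $oneYear } |
    ForEach-Object { $findings.Add("SPN account $($_.SamAccountName): password last set $($_.PasswordLastSet)") }

# 3. Unconstrained delegation on anything that is not a DC.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
    Where-Object { $_.Name -notin $dcNames } |
    ForEach-Object { $findings.Add("Unconstrained delegation on non-DC $($_.Name)") }

# 4. krbtgt password age (rotate it twice, 10+ hours apart, so outstanding tickets expire cleanly).
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt (Get-Date).AddDays(-180)) {
    $findings.Add("krbtgt password last set $($krbtgt.PasswordLastSet)")
}

# 5. Leftover GPP cPassword attributes in SYSVOL (MS14-025 stopped new ones, not old files).
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
Get-ChildItem -Path $policies -Recurse -Include Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword="[^"]+"' -Quiet } |
    ForEach-Object { $findings.Add("GPP cPassword in $($_.FullName)") }

# 6. Print Spooler running on DCs (PrinterBug coercion target).
foreach ($dc in $dcNames) {
    $spooler = Get-Service -ComputerName $dc -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') { $findings.Add("Spooler running on DC $dc") }
}

# 7. Is a LAPS schema present at all (legacy ms-Mcs-AdmPwd or Windows LAPS msLAPS-Password)?
$lapsAttrs = Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(|(name=ms-Mcs-AdmPwd)(name=msLAPS-Password))'
if (-not $lapsAttrs) { $findings.Add('No LAPS schema attribute found; local admin passwords are probably shared') }

# 8. Anonymous LDAP: the 7th character of dSHeuristics set to 2 allows anonymous operations.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.ConfigurationNamingContext)" -Properties dSHeuristics
$heur = [string]$dsObj.dSHeuristics
if ($heur.Length -ge 7 -and $heur[6] -eq '2') { $findings.Add("dSHeuristics=$heur: anonymous LDAP operations allowed") }

# 9. Domain Admins that have not logged on in a year (legacy and generic admin accounts).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $oneYear } |
    ForEach-Object { $findings.Add("Domain Admin $($_.SamAccountName) last logon $($_.LastLogonDate)") }

if ($findings.Count -eq 0) { 'No findings from this sweep.' } else { $findings }
```

SMB signing and the Restrict NTLM settings are not directory attributes but GPO security options, so they are better read from a GPO backup or the Default Domain Controllers Policy report than from LDAP; the sweep deliberately leaves them out rather than guess from one host's local policy.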

Defensive mindset: Tier Model

Microsoft’s tiering model is the foundational hardening pattern:

TIER 0: Identity core β€” DCs, ADFS, Entra Connect, PKI
         Accessed ONLY from Tier 0 PAWs
         Credentials never touch Tier 1/2

TIER 1: Servers, business apps, infrastructure
         Accessed from Tier 1 PAWs
         Separate admin accounts from Tier 0

TIER 2: User endpoints, workstations
         End users + helpdesk here
         Cannot directly touch Tier 1/0

Lower tiers never administer higher ones, and higher-tier credentials never log on to lower-tier systems: a Tier 0 admin never RDPs into a Tier 2 workstation, so a Tier 0 credential is never cached in LSASS on the machine an attacker reaches first. Administration happens from a PAW of the matching tier, through a jump host where one is used. This single architectural pattern defeats most real-world AD attacks because it removes the cached-credential harvesting that underpins lateral movement.
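A way to measure how far an existing domain is from that rule, as an added example rather than code from the module or from Microsoft: run on a Tier 1 or Tier 2 host, it lists every recent logon by a Tier 0 account of a type that leaves reusable credential material on the box. It assumes Windows PowerShell 5.1 with the ActiveDirectory module installed on that host, Security log retention covering the window, and a Tier 0 group set that you should extend with your own AD FS, Entra Connect and PKI admin groups.

```powershell
# Added example, not code from the module. Run on a Tier 1 or Tier 2 host to find
# Tier 0 accounts whose logons have left reusable credentials here.
Import-Module ActiveDirectory

function Get-Tier0ExposureOnThisHost {
    param(
        # Assumed Tier 0 set; extend with your AD FS / Entra Connect / PKI admin groups.
        [string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$Days = 7
    )
    # Logon types that leave a password hash, a Kerberos TGT or both in LSASS:
    # 2 interactive, 4 batch, 5 service, 7 unlock, 9 runas /netonly, 10 RDP, 11 cached interactive.
    # Network (3) does not, which is why "admin over the network, never at the console" is the rule.
    $cachingTypes = '2', '4', '5', '7', '9', '10', '11'

    $tier0 = foreach ($g in $Tier0Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
    }
    $tier0 = @($tier0 | Sort-Object -Unique)

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        if ($d['LogonType'] -in $cachingTypes -and $d['TargetUserName'] -in $tier0) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']
                Source    = $d['IpAddress']
                Process   = $d['ProcessName']
            }
        }
    }
}

Get-Tier0ExposureOnThisHost | Sort-Object Time | Format-Table -AutoSize
```

Every row is a tier violation: either a person used a Tier 0 account where they should have used a Tier 1/2 one, or a service or scheduled task on this host runs as a Tier 0 account. Fixing the second kind is usually what takes the longest, and it is exactly the credential an attacker who lands on this host will find.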

Mindset takeaway

AD is not broken; it is configured for an era when endpoint compromise was rare. Your security is the delta between “default install” and “hardened per Microsoft guidance.” The delta is substantial. The rest of this track walks specific attack classes (BloodHound, ACL abuse, GPP, ADCS, trusts, delegation, hybrid AD) with a consistent lens: this works because AD trusts by default, and the defender’s job is to remove trust where it isn’t needed.

For pentesters: enumeration first, exploitation second. BloodHound reveals paths you wouldn’t find manually. For defenders: if you can’t run BloodHound against your own domain and find the attack paths, attackers will find them for you.