In nuclear physics, half-life measures decay. In Active Directory, it measures how long Microsoft keeps insecure defaults for backwards compatibility. Spoiler: decades. Welcome to the time capsule... it's a little dusty.
Microsoft and 3Com announce LAN Manager (LanMan) as a network operating system for OS/2, with 1.0 shipping to OEMs in 1988. Its authentication protocol introduces the LM hash—a password storage mechanism designed for convenience, not security. The LM hash algorithm: convert the password to uppercase, pad or truncate to exactly 14 characters, split into two 7-character halves, and use each half as an independent DES key to encrypt a fixed constant ("KGS!@#$%"). The result is two 8-byte blocks concatenated into a 16-byte hash. This design has catastrophic security implications that would haunt Windows authentication for the next 30+ years.
According to Don Hacherl, one of AD's original developers, the oldest traceable code started at 3Com in 1988-1989 as an incomplete X.500-ish directory with custom protocols, built on C-Tree database under 16-bit OS/2. In 1990, the code moved to Microsoft as part of a deal when 3Com abandoned network software efforts. The LAN Manager group planned to include it in LanMan 3.0, porting it to JET Blue (ESE) with an X/Open XDS API RPC front end. In early 1991, Jim Allchin cancelled LanMan 3.0 and its directory project, creating the Cairo project instead. The Exchange email group then picked up the DS code, ported it to Windows NT, added MAPI RPC, query engine, KCC, modifiable schema, and the link table. This shipped as the DSA in Exchange 4.0 (1996). The week after Exchange 4.0 shipped, two developers copied the DS sources and moved to the Windows group—where it was rechristened "Active Directory."
Kerberos development began at MIT as part of Project Athena in the mid-1980s, creating a network authentication protocol based on symmetric-key cryptography and a trusted third party (the Key Distribution Center). After versions 1–3 remained internal, Kerberos v4 saw wide deployment in the late 1980s. Kerberos v5—addressing v4's limitations including support for multiple encryption types, cross-realm authentication, and forwardable/proxiable tickets—was published as RFC 1510 in September 1993. Microsoft would later adopt Kerberos v5 as the default authentication protocol for Active Directory in Windows 2000, using the RC4-HMAC encryption type to maintain compatibility with NT hashes.
Windows NT 3.1 (1993) introduced the NTLMv1 (NT LAN Manager version 1) authentication protocol as the successor to the LAN Manager scheme, which stayed supported alongside it. NTLMv1 stores passwords as unsalted MD4 hashes of the UTF-16LE encoded password (the "NT hash"), a 16-byte value vulnerable to rainbow tables and pass-the-hash attacks. The challenge-response mechanism still uses DES: the 16-byte NT hash is padded with five null bytes to 21 bytes and split into three 7-byte segments, each segment becomes a 56-bit DES key that encrypts the server's 8-byte challenge, and the three 8-byte outputs are concatenated into a 24-byte response. Because the response is a pure function of the hash and the challenge, a stolen hash is as good as the password, and the third DES key carries only two bytes of hash material, so that part of the hash can be brute-forced from a captured exchange in at most 65,536 tries.
Paul Ashton posted to NTBugtraq the theory and exploit code for "Pass the Hash"—a modified Samba SMB client that accepts LM hashes instead of cleartext passwords to authenticate to Windows NT systems. This foundational technique would influence Windows security for decades.
Microsoft introduces NTLMv2 with Windows NT 4.0 Service Pack 4 (1998), replacing NTLMv1's DES-based challenge-response with HMAC-MD5. The NTLMv2 key is HMAC-MD5 of the NT hash over the uppercased user name and the domain, and the response is HMAC-MD5 over the server challenge plus a client-built blob carrying a timestamp, a client nonce and target information, which defeats precomputed tables and limits replay. The underlying NT hash is unchanged, so pass-the-hash still works. NTLMv2 was a significant cryptographic improvement, but Microsoft shipped it as an option, not a default. The LmCompatibilityLevel registry value controlled which protocol clients and servers used, and it defaulted to 0 (send LM and NTLM responses). It would take a full decade, until Windows Vista and Server 2008, before NTLMv2 became the default authentication level even for new clients.
The Melissa virus emerges on March 26, 1999—a Word macro virus that hijacked Microsoft Outlook to email itself to the first 50 addresses in victims' address books. Created by David Lee Smith, it became the fastest-spreading infection at the time, causing an estimated $80 million in damages and prompting the FBI to create its Cyber Division.
Active Directory debuts as Microsoft's first true enterprise directory service, replacing Windows NT Domain architecture. Released to manufacturing December 15, 1999; retail release February 17, 2000. Kerberos v5 becomes the default authentication protocol, but NTLM remains fully supported for backward compatibility—and Windows 2000 defaults LmCompatibilityLevel to 0 ("Send LM & NTLM responses"), meaning clients still send both LM and NTLMv1 responses even though NTLMv2 is available. Windows 2000 uses RC4-HMAC as the default Kerberos encryption type—chosen because it uses the same NT hash as NTLM, enabling seamless NT4 domain upgrades without password resets.
Sir Dystic of Cult of the Dead Cow (cDc) releases SMBRelay and SMBRelay2—tools that capture and relay SMB authentication, enabling man-in-the-middle attacks against Windows systems. This marked the beginning of NTLM relay attacks.
Impacket—originally developed by Alberto Solino at Core Security Technologies (now maintained by Fortra)—is a collection of Python classes for working with network protocols that became foundational to AD security tooling. Scripts like secretsdump.py, ntlmrelayx.py, GetUserSPNs.py, and psexec.py are used in virtually every AD pentest.
Windows Server 2003 introduces constrained delegation via the S4U2Self and S4U2Proxy Kerberos extensions to limit delegation abuse. The LmCompatibilityLevel default is raised from 0 to 2, dropping LM responses (the weakest protocol) but still defaulting to NTLMv1, not NTLMv2. NTLMv2 had been available since NT 4.0 SP4 (1998) but remained opt-in. Cross-forest trust capabilities expanded the attack surface.
CVE-2003-0352—RPC DCOM buffer overflow on port 135/TCP. Patch released July 16, Blaster worm hit August 11 (26 days later). Hundreds of thousands infected. Microsoft took the unusual step of emailing ALL customers warning of the vulnerability.
CVE-2003-0533—LSASS buffer overflow. Patch released April 13, Sasser worm hit April 30 (only 17 days!). Major impact on airlines, hospitals, and businesses globally. Delta Air Lines cancelled flights; British Coastguard systems went down.
Active Directory Federation Services debuts in Windows Server 2003 R2 (released December 6, 2005), enabling Single Sign-On and claims-based authentication across organizational boundaries. ADFS security hinges on the token signing certificate private key—a weakness exploited in 2020's Golden SAML attacks.
Windows Vista and Server 2008 clients finally default LmCompatibilityLevel to 3 ("Send NTLMv2 response only"), making NTLMv2 the default—a full decade after it shipped in NT 4.0 SP4. However, this change only applies to Vista/2008 machines themselves. Legacy clients still present in the same environment (Windows XP, Server 2003) continue to default to NTLMv1, meaning mixed environments remained vulnerable to downgrade attacks. AES128/AES256 encryption support added for Kerberos. Read-Only Domain Controllers (RODCs) introduced for branch offices. RC4 remains the default Kerberos encryption type when msDS-SupportedEncryptionTypes is unset—planting the seed for Kerberoasting.
Hernan Ochoa publishes the Pass-the-Hash Toolkit—the first implementation of pass-the-hash for the Windows platform itself (previous implementations used modified Samba clients). This tool later evolved into Windows Credentials Editor (WCE) and inspired the creation of Mimikatz.
CVE-2008-4250—Critical RPC vulnerability in Server service allowing remote code execution. The Conficker worm exploited this flaw, infecting an estimated 9-15 million systems globally. One of the largest botnet infections in history.
Hernan Ochoa releases Windows Credentials Editor at RootedCon, evolving from the Pass-the-Hash Toolkit. WCE was the first tool that could dump in-memory credentials without running code inside LSASS—a capability that fundamentally changed Windows credential theft.
Benjamin Delpy releases Mimikatz publicly after Microsoft dismissed his 2011 disclosure of the WDigest credential storage vulnerability. Mimikatz would become one of the most influential security tools ever created, used in nearly every major breach and red team operation.
Emilien Girault and Chris Campbell publish research (2012) on Group Policy Preferences (GPP) password storage. GPP stored local administrator passwords in SYSVOL as the cpassword attribute, encrypted with AES-256, but Microsoft had published the static decryption key in its MSDN documentation (the MS-GPPREF specification), and since every authenticated user can read SYSVOL, all GPP-stored passwords were trivially recoverable by any domain user.
Laurent Gaffie releases Responder v1, a tool that poisons LLMNR, NBT-NS and mDNS name resolution so that hosts resolving a mistyped or stale name connect to the attacker, who captures their NTLMv1/v2 challenge-responses (Net-NTLM hashes) for offline cracking or relay. Responder became a standard tool for internal network penetration testing.
Microsoft launches Azure Active Directory (renamed Microsoft Entra ID in 2023) as a cloud-native identity service for Office 365. Organizations begin the complex journey of hybrid identity, running parallel systems across on-premises AD and the cloud. Azure AD Connect's sync service account (MSOL_*) gets DCSync-equivalent privileges (the Replicating Directory Changes rights on the domain) by default in the Express installation.
Introduction of the Protected Users security group and Resource-Based Constrained Delegation (RBCD). Protected Users prevents credential caching, disables NTLM/DES/RC4, and restricts delegation—but requires manual enrollment.
Will Schroeder (@harmj0y) develops PowerView as part of PowerSploit—a PowerShell toolkit for Active Directory enumeration that enabled easy domain reconnaissance. PowerView became foundational to BloodHound's data collection and modern AD attack methodology. Formally integrated into PowerSploit v3.0.0 in 2016.
Benjamin Delpy and Skip Duckwall present "Abusing Microsoft Kerberos: Sorry You Guys Don't Get It" at Black Hat USA 2014, introducing Golden Tickets and pass-the-ticket to a wide audience. Tim Medin presents Kerberoasting ("Attacking Kerberos: Kicking the Guard Dog of Hades") at DerbyCon 2014: any domain user can request a service ticket for any SPN, the ticket is encrypted with the service account's key, and an RC4 ticket for a human-chosen service password can be cracked offline. These presentations revolutionized AD offensive security.
Critical Kerberos vulnerability (CVE-2014-6324) allowing any domain user to forge a Privilege Attribute Certificate and elevate to Domain Admin. Worse than Golden Ticket because no KRBTGT hash needed. Exploit tools released publicly.
Microsoft LAPS (Local Administrator Password Solution) released as a separate downloadable tool. Automatically generates, rotates, and stores unique local admin passwords in AD, finally addressing the decades-old problem of shared local admin passwords enabling lateral movement.
Vincent Le Toux and Benjamin Delpy add DCSync to Mimikatz—allowing attackers to remotely extract password hashes from domain controllers using Microsoft's official replication APIs (MS-DRSR). No malware needed on the DC. DCSync represented a strategic shift in AD attacks.
Marcello Salvati (byt3bl33d3r) releases CrackMapExec v1.0.0—a post-exploitation tool that became legendary in the AD security community. CME combined credential testing, command execution, and lateral movement into a single powerful framework that became a standard part of every pentester's toolkit.
BloodHound released at DEF CON 24 by Andy Robbins, Rohan Vazarkar, and Will Schroeder. Using graph theory to reveal hidden attack paths in Active Directory, BloodHound revolutionized both offensive and defensive AD security.
Windows Defender Credential Guard introduced with Windows 10 and Server 2016, using virtualization-based security (VBS) to keep LSASS secrets in an isolated process running at a separate virtual trust level. It stops tools such as Mimikatz from reading NT hashes and Kerberos TGTs out of LSASS memory, cutting off the usual source of material for pass-the-hash and pass-the-ticket, but it does not stop those attacks when the credentials come from elsewhere (SAM, NTDS.dit, DCSync). It requires UEFI, Secure Boot and a hypervisor-capable CPU, and is NOT enabled by default.
CVE-2017-0144—SMBv1 vulnerability weaponized after NSA exploit "EternalBlue" was leaked by Shadow Brokers. WannaCry (May 12, $4B damages) and NotPetya (June 27, $10B damages) caused unprecedented global destruction.
Vincent Le Toux and Benjamin Delpy present DCShadow at BlueHat IL 2018. This attack allows attackers with DA credentials to register a rogue domain controller and replicate malicious objects—bypassing most SIEM logging.
Will Schroeder releases Rubeus as part of GhostPack—a C# port and expansion of Kekeo's Kerberos functionality. Rubeus became the go-to tool for Kerberos attacks including AS-REP roasting, Kerberoasting, ticket manipulation, and delegation abuse.
Elad Shamir (@elad_shamir) publishes "Wagging the Dog," demonstrating that RBCD combined with S4U2Self/S4U2Proxy creates devastating attack chains—even against Protected Users members. MachineAccountQuota exploitation becomes standard technique.
BlueKeep (CVE-2019-0708), a wormable, pre-authentication RDP vulnerability (CVSS 9.8) affecting Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2. Microsoft took the rare step of issuing patches for out-of-support Windows XP and Server 2003.
Secura researcher Tom Tervoort discovers CVE-2020-1472 "Zerologon": Netlogon's credential computation used AES-CFB8 with an all-zero IV, so an all-zero client challenge yields a valid all-zero credential for one key in 256, and an attacker with network access to a DC can authenticate as the DC's machine account after a few hundred tries, set its password to empty, and become Domain Admin in approximately 3 seconds. No credentials required. CVSS 10.0.
The SolarWinds supply chain attack (SUNBURST/NOBELIUM) reveals nation-state use of "Golden SAML" techniques. Attackers who compromise ADFS token signing certificates can forge authentication for any federated user—bypassing MFA.
Elad Shamir (@elad_shamir) publishes "Shadow Credentials," demonstrating how attackers with write access to msDS-KeyCredentialLink can add a malicious public key credential and authenticate via PKINIT Key Trust—bypassing passwords entirely. Works on both USER and COMPUTER accounts, and survives password resets.
PrintNightmare (CVE-2021-34527), a critical Print Spooler RCE vulnerability allowing authenticated users to execute code as SYSTEM on any Windows host with Print Spooler running, including Domain Controllers. Exploit code was published before a working patch was available.
PetitPotam authentication coercion released: an originally unauthenticated MS-EFSRPC call makes a DC authenticate to an attacker-chosen host. Combined with SpecterOps' "Certified Pre-Owned" ADCS research by Will Schroeder and Lee Christensen (ESC1 through ESC8), relaying the coerced DC authentication to an ADCS web enrollment endpoint (ESC8) yields a certificate for the DC's machine account, which PKINIT turns into a TGT and thus DCSync rights: coercion + NTLM relay to ADCS = instant Domain Admin.
CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion) combine to create another "any domain user to Domain Admin" attack. Nicknamed "noPac," exploitation takes seconds.
KrbRelayUp released by Dec0ne (2022), combining Kerberos relay with RBCD to achieve local privilege escalation on domain-joined systems. A regular user relays the local machine account's Kerberos authentication to LDAP on a DC, writes resource-based constrained delegation onto the machine's own computer object in favour of an attacker-controlled account (typically one created through MachineAccountQuota), requests a service ticket as an administrator to the local host via S4U2Self/S4U2Proxy, and runs as SYSTEM. No second victim host on the network is needed.
Microsoft finally addresses RC4 downgrade attacks with KB5021131 (CVE-2022-37966). DCs now return tickets using the HIGHEST encryption the account supports, ignoring client downgrade requests. New accounts prefer AES. However, RC4 remains ENABLED for backward compatibility with accounts that only have RC4 keys.
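As an added audit example (not code from this page, from Microsoft, or from any tool named here), the following decodes msDS-SupportedEncryptionTypes and userAccountControl for a set of constructed accounts and reports which enabled accounts are Kerberoastable or AS-REP roastable, which ticket encryption type a patched KDC would hand out for them (the strongest type the account supports, as described above), and which accounts are still RC4-only. It applies the page's rule that an unset attribute means RC4; the account records and names are invented, and the hashcat mode numbers are the public ones for those ticket types. In practice you would feed it the results of an LDAP query instead of SAMPLE_ACCOUNTS.

```python
from dataclasses import dataclass
from typing import Optional

# msDS-SupportedEncryptionTypes bit flags; higher value = stronger type, which max() relies on.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x01, 0x02, 0x04, 0x08, 0x10
ETYPE_NAMES = {
    DES_CBC_CRC: "des-cbc-crc", DES_CBC_MD5: "des-cbc-md5", RC4_HMAC: "rc4-hmac",
    AES128_CTS: "aes128-cts-hmac-sha1-96", AES256_CTS: "aes256-cts-hmac-sha1-96",
}
# Public hashcat modes for the ticket material each etype yields (absent = no hashcat mode listed here).
TGS_REP_MODES = {RC4_HMAC: 13100, AES128_CTS: 19600, AES256_CTS: 19700}
AS_REP_MODES = {RC4_HMAC: 18200}
# userAccountControl bits
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000


@dataclass
class Account:
    sam: str                   # sAMAccountName
    spns: tuple                # servicePrincipalName values
    uac: int                   # userAccountControl
    enc_types: Optional[int]   # msDS-SupportedEncryptionTypes, None when the attribute is unset
    is_computer: bool = False


def effective_etypes(acct: Account) -> set:
    """Long-term key types the KDC will use for this account. An unset (or zero) attribute
    leaves only the RC4 key derived from the NT hash, the legacy default described above."""
    if not acct.enc_types:
        return {RC4_HMAC}
    return {flag for flag in ETYPE_NAMES if acct.enc_types & flag}


def ticket_etype(acct: Account) -> int:
    """After KB5021131 the KDC encrypts the ticket with the strongest type the account supports,
    whatever the client asked for, so a downgrade request no longer buys an RC4 ticket."""
    return max(effective_etypes(acct))


def audit(accounts) -> list:
    findings = []
    for acct in accounts:
        if acct.uac & UF_ACCOUNTDISABLE:
            continue
        et = effective_etypes(acct)
        strongest = ticket_etype(acct)
        # Any enabled user with an SPN can be Kerberoasted; the etype decides how fast the ticket
        # cracks. Computer accounts (random 120-character passwords) and krbtgt are skipped.
        if acct.spns and not acct.is_computer and acct.sam.lower() != "krbtgt":
            findings.append({"account": acct.sam, "issue": "kerberoastable",
                             "ticket_etype": ETYPE_NAMES[strongest],
                             "hashcat_mode": TGS_REP_MODES.get(strongest)})
        # DONT_REQUIRE_PREAUTH hands an AS-REP encrypted with the user's key to anyone who asks.
        if acct.uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({"account": acct.sam, "issue": "as-rep-roastable",
                             "ticket_etype": ETYPE_NAMES[strongest],
                             "hashcat_mode": AS_REP_MODES.get(strongest)})
        # Accounts without an AES bit are what keeps RC4 alive after KB5021131. Fix by setting the
        # AES flags and then rotating the password so AES keys actually exist.
        if not et & {AES128_CTS, AES256_CTS}:
            findings.append({"account": acct.sam, "issue": "rc4-only",
                             "ticket_etype": ETYPE_NAMES[strongest], "hashcat_mode": None,
                             "reason": "attribute unset" if not acct.enc_types else "no AES flag set"})
    return findings


# Constructed sample data, not taken from any real directory.
SAMPLE_ACCOUNTS = [
    Account("svc_sql", ("MSSQLSvc/db01.corp.local:1433",), 0x10200, None),
    Account("svc_web", ("HTTP/web01.corp.local",), 0x200, AES128_CTS | AES256_CTS),
    Account("legacy_app", (), 0x200 | UF_DONT_REQUIRE_PREAUTH, RC4_HMAC),
    Account("old_svc", ("ftp/old01.corp.local",), 0x200 | UF_ACCOUNTDISABLE, None),
    Account("WS01$", ("HOST/ws01.corp.local",), 0x1000, RC4_HMAC | AES128_CTS | AES256_CTS, is_computer=True),
    Account("krbtgt", ("kadmin/changepw",), 0x200, RC4_HMAC | AES128_CTS | AES256_CTS),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
```

The useful signal is the split between svc_sql and svc_web: both are Kerberoastable, but only the account with no AES flag yields an RC4 ticket (hashcat 13100) that cracks at NTLM-like speed. Adding the AES bits alone is not enough, because AES keys are derived from the password at set time; rotate the password after changing the flags.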
NetExec (nxc) released as the community-maintained successor to CrackMapExec after byt3bl33d3r archived the original repository. Continues active development of the CME codebase.
Akamai researcher Yuval Gordon discloses "BadSuccessor" (2025), a privilege escalation in Windows Server 2025's delegated Managed Service Account (dMSA) feature. Any user who can create dMSA objects in an OU (CreateChild on the OU is enough) can mark the new dMSA as the successor of any account, including a Domain Admin, and the 2025 KDC then issues the dMSA tickets carrying the predecessor's privileges. It needs only one Windows Server 2025 DC in the domain, whether or not dMSAs are actually in use. In 91% of environments Akamai examined, non-admin users already held the required permissions.
Microsoft's most security-focused AD release. NTLMv1 is fully removed from the codebase. RC4 encryption disabled by default, SMB signing mandatory, LDAP signing and channel binding enforced by default, and Credential Guard enabled by default on systems with supported hardware. Delegated Managed Service Accounts (dMSAs) introduced. NTLMv2 remains enabled for backward compatibility—full NTLM deprecation (disabling NTLMv2 by default) is planned for the next major Windows Server release.