⚠ Beta — Site Under Active Development
Contact
⚠ Caution: Digestible Security Content

A Complete
Active Directory Security Resource

From fundamentals to advanced fission. Active Directory doesn't have to be radioactive and encased in six feet of concrete. With the right knowledge, it can be properly understood, secured, and defended. However, history has not been kind...leading to continued meltdowns.

The Fallout
AD is TOXIC

T

Targeted

Active Directory is a prime target for ransomware gangs and nation-state actors.

O

Omnipresent

Ubiquitous across enterprise environments. It's going nowhere.

X

Complex

Hidden attack paths through permissions and delegations. Tools like BloodHound help visualize what native tools historically have not.

I

Isolated

Knowledge scattered across talks, whitepapers, and blog posts. No single comprehensive resource exists.

C

Core Infrastructure

Active Directory serves as the foundational infrastructure of enterprise identity and access management. It controls authentication, authorization, and access to virtually every resource in the modern enterprise environment, making its security posture critical to overall organizational security.

Work in Progress

Overwhelmed? Don't know where to start?

We've distilled years of research into a condensed, essential learning path.

Coming Soon →

Comprehensive Coverage

History

Active Directory History

Trace AD from its Windows NT Domain origins through Windows 2000's launch to modern hybrid environments. Understanding its evolution from simple directory service to complex identity infrastructure reveals why many attack techniques exploit decades-old design decisions. Key milestones include major security vulnerabilities, the rise of public attack research (2014-present), and the shift toward Azure AD/Entra ID integration.

 Foundation

AD Fundamentals

Master the core architecture: forests, domains, organizational units, domain controllers, and FSMO roles. Understand security principals, SIDs, Group Policy Objects, trust relationships, LDAP structure, and directory schema. Essential foundation before tackling offensive or defensive techniques.

 Authentication

Authentication Protocols

Deep dive into Kerberos (TGT, TGS, service tickets, PAC validation), NTLM (v1 vs v2), LDAP/LDAPS authentication, PKINIT certificate-based auth, and modern authentication integrations like SAML. Understanding these protocols is critical for both attack and defense.

 Basic Attacks

Foundational Attacks

Essential techniques every security professional must master: Kerberoasting and AS-REP Roasting for credential extraction, Pass-the-Hash and Pass-the-Ticket for lateral movement, DCSync for domain replication abuse, and Golden/Silver Ticket attacks for persistence. These are the building blocks of AD exploitation.

 Coercion

Coercion & Relay Attacks

Force authentication from high-value targets using PrinterBug, PetitPotam, and DFSCoerce, then relay captured authentication to ADCS web endpoints or LDAP/LDAPS for privilege escalation. Includes WebClient coercion techniques and WebDAV abuse for optimal attack chains.

 Delegation

Delegation Abuse

Exploit delegation configurations (Unconstrained, Constrained, and Resource-Based Constrained Delegation) for privilege escalation. Covers Shadow Credentials attacks via Key Trust abuse, S4U2Self/S4U2Proxy mechanics, and cross-domain delegation exploitation for lateral movement.

 Certificates

AD Certificate Services (ADCS)

Exploit ADCS misconfigurations for domain takeover. Covers ESC1-ESC16 techniques including misconfigured certificate templates, enrollment agent abuse, vulnerable access controls, NTLM relay to HTTP endpoints, and the September 2025 strong certificate binding enforcement deadline.

 Permissions & Policy

ACL & Group Policy Abuse

Leverage ACL misconfigurations (GenericAll, GenericWrite, WriteDACL, ForceChangePassword) and Group Policy exploitation (GPO modification, scheduled tasks, SYSVOL credential mining) for privilege escalation and persistence. Includes AdminSDHolder backdoor techniques and DACL-based persistence mechanisms.
Work in Progress Advanced

Latest Attack Techniques

Cutting-edge research and recent CVEs: NTLM LDAP auth bypass (CVE-2025-54918), MSSQL privilege escalation (CVE-2025-49758), ADCS to HTTPS WSUS (CVE-2025-33073), Kerberos relay via CNAME abuse, Azure AD/Entra ID hybrid attacks, forest trust exploitation, SID history injection, and Bronze Bit techniques.

Defense

Defense & Detection

Build resilient AD infrastructure through tiered administration models, Privileged Access Workstations (PAWs), LAPS deployment, just-in-time access controls, Protected Users group configuration, detection engineering strategies, and BloodHound-informed defensive hardening.
Work in Progress Cloud Identity

Entra ID Fundamentals

Master Microsoft's cloud identity platform (formerly Azure AD): tenant architecture, user and group management, authentication methods, Conditional Access policies, Privileged Identity Management (PIM), and hybrid identity with Azure AD Connect. Essential foundation for modern identity security.

Work in Progress M365

Microsoft 365 Security

Secure the Microsoft 365 ecosystem: Exchange Online protection, SharePoint/OneDrive security, Teams governance, Defender for Office 365, Data Loss Prevention (DLP), sensitivity labels, and compliance features. Understand how M365 integrates with Entra ID and on-premises AD in hybrid environments.

Work in Progress Tooling

Essential Tooling

Master the critical offensive and defensive tools: BloodHound for attack path analysis, Mimikatz for credential extraction, Rubeus for Kerberos attacks, Impacket for protocol implementations, Certify/Certipy for ADCS auditing, and PowerView/SharpView for domain enumeration and reconnaissance.

Work in Progress Hands-On

Hands-On Labs

Practice in controlled environments using purpose-built vulnerable labs like GOAD (Game of Active Directory) and VulnAD. Learn to build your own AD testing environment, walk through realistic attack scenarios, complete CTF-style challenges, and develop blue team detection capabilities.

Learn from the Masters

Work in Progress Chain Reaction

Critical Mass: Primary Sources

Direct links to the most trusted and authoritative sources. No summaries, no interpretations—the original research, official documentation, and foundational texts that fuel everything else. Once absorbed, each piece triggers the next in an unstoppable chain reaction of understanding.

Sean Metcalf

ADSecurity.org

A leading expert on Active Directory security and enterprise identity architecture. His research and guidance on hardening, misconfigurations, and defensive strategy have shaped how organizations secure AD today.

Visit ADSecurity.org →
SpecterOps Team

BloodHound & Research

Creators of BloodHound. Will Schroeder, Lee Christensen, Rohan Vazarkar, and team have published groundbreaking research on attack paths, ADCS, and delegation abuse.

Visit SpecterOps Blog →
Dirk-jan Mollema

NTLM Relay & Coercion

Deep research on NTLM relay attacks, coercion techniques, and Azure AD exploitation. Author of multiple critical offensive security tools.

Visit dirkjanm.io →
Elad Shamir

Shadow Credentials & RBCD

Pioneered Shadow Credentials and Resource-Based Constrained Delegation attacks. His research fundamentally changed how we think about AD takeover.

Visit SpecterOps Posts →
Benjamin Delpy

Mimikatz Creator

Created the most influential credential extraction tool in security history. Demonstrated fundamental weaknesses in Windows authentication that persist today.

Legendary Contributor
Microsoft Security

Official Documentation

Official documentation, security advisories, and best practices. Read the manual—it contains critical information attackers know and defenders often ignore.

Visit Microsoft Security →
Latest News CVE-2026-25177 — AD DS privilege escalation via Unicode SPN/UPN manipulation (CVSS 8.8). Patch DCs ASAP.