Chapter 17 Further Reading

Active Directory Attacks


Essential References

HackTricks - Active Directory Methodology
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
The most comprehensive online reference for AD attack techniques, covering enumeration, credential attacks, delegation, AD CS, and domain dominance. Updated regularly with new techniques.

The Hacker Recipes
https://www.thehacker.recipes/ad/
An excellent structured reference for AD attacks organized by technique category, with practical commands for both Windows and Linux tooling.

ired.team - Active Directory Notes
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse
Practical notes and experiments covering Kerberos abuse, delegation attacks, and AD persistence mechanisms.

SpecterOps Blog
https://posts.specterops.io/
The primary source for cutting-edge AD security research, including BloodHound updates, AD CS attacks, and new attack technique disclosures.


Foundational Research Papers

"Certified Pre-Owned: Abusing Active Directory Certificate Services" by Will Schroeder and Lee Christensen (SpecterOps, 2021)
https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
The seminal research paper on AD CS attacks. Required reading for anyone working in AD security.

"An ACE Up the Sleeve" by Andy Robbins and Will Schroeder (SpecterOps)
Detailed analysis of Active Directory ACL-based attack paths and how BloodHound identifies them.

"Attacking and Defending Active Directory" by Sean Metcalf
https://adsecurity.org/
Sean Metcalf's AD Security blog is one of the most authoritative sources for AD attack and defense knowledge.


Tools

BloodHound
https://github.com/BloodHoundAD/BloodHound
The graph-based AD attack path analysis tool. Essential for both offense and defense.

Impacket
https://github.com/fortra/impacket
Python collection of networking tools and protocols for AD interactions, including secretsdump, GetUserSPNs, getTGT, psexec, and many more.

Rubeus
https://github.com/GhostPack/Rubeus
C# toolset for Kerberos interaction and abuse, including Kerberoasting, AS-REP Roasting, ticket manipulation, and delegation attacks.

Certipy
https://github.com/ly4k/Certipy
Python tool for AD CS enumeration and exploitation. Supports ESC1 through ESC8 and certificate-based authentication.

CrackMapExec / NetExec
https://github.com/Pennyw0rth/NetExec
Swiss army knife for pentesting AD networks. Supports SMB, WinRM, LDAP, SSH, MSSQL, and more.

Mimikatz
https://github.com/gentilkiwi/mimikatz
The legendary Windows credential extraction tool by Benjamin Delpy. Essential for credential dumping, Golden Ticket, Silver Ticket, DCSync, and more.

PowerView (PowerSploit)
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
PowerShell-based AD enumeration framework for domain, user, group, ACL, and trust enumeration.

ADRecon
https://github.com/adrecon/ADRecon
Comprehensive AD enumeration and reporting tool that generates Excel reports.

PingCastle
https://www.pingcastle.com/
AD security assessment tool that generates a risk score and detailed findings. Excellent for defensive assessments.


Books

"Active Directory Attacks and Defenses" by Nikhil Mittal
Published by Packt. Covers AD attack techniques from an ethical hacking perspective with practical lab exercises.

"Pentesting Active Directory and Windows-based Infrastructure" by Denis Isakov (No Starch Press, 2025)
Modern coverage of AD penetration testing techniques, including AD CS attacks and modern tooling.

"The Hacker Playbook 3" by Peter Kim
Includes chapters on AD attacks with practical engagement scenarios. A good complement to certification study.

"Windows Security Internals" by James Forshaw (No Starch Press, 2024)
Deep dive into Windows security mechanisms underlying AD authentication and authorization.


Conference Talks (Video)

"Attacking and Defending Active Directory" by Sean Metcalf (multiple conference versions)
Comprehensive overview of AD security from both offensive and defensive perspectives.

"Attacking Kerberos: Kicking the Guard Dog of Hades" by Tim Medin (DerbyCon 2014)
The original Kerberoasting talk that introduced the technique to the security community.

"The Unintended Risks of Trusting Active Directory" by Lee Christensen and Will Schroeder (various conferences)
Covers delegation attacks, ACL abuse, and trust exploitation.

"Certified Pre-Owned" by Will Schroeder and Lee Christensen (Black Hat USA 2021)
The AD CS attack research presentation.


Practice Environments

GOAD (Game of Active Directory)
https://github.com/Orange-Cyberdefense/GOAD
Multi-domain vulnerable AD lab with realistic configurations. The most comprehensive AD practice environment available.

Vulnerable-AD
https://github.com/WazeHell/vulnerable-AD
PowerShell script that creates a vulnerable AD environment with common misconfigurations.

DetectionLab
https://github.com/clong/DetectionLab
AD lab with logging, SIEM, and detection capabilities for purple team exercises.

BadBlood
https://github.com/davidprowe/BadBlood
Fills a test AD environment with realistic but intentionally vulnerable data.

TryHackMe - Attacking Kerberos
https://tryhackme.com/room/attackingkerberos
Guided room covering Kerberoasting, AS-REP Roasting, and other Kerberos attacks.

HackTheBox - AD Machines and Pro Labs
https://www.hackthebox.com/
Multiple AD-focused machines and the "Offshore" and "RastaLabs" pro labs for advanced AD practice.


Defensive Resources

Microsoft: Securing Privileged Access
https://learn.microsoft.com/en-us/security/privileged-access-workstations/
Microsoft's official guidance on tiered administration and Privileged Access Workstations.

Microsoft Defender for Identity
https://learn.microsoft.com/en-us/defender-for-identity/
Cloud-based AD security monitoring that detects reconnaissance, credential compromise, lateral movement, and domain dominance attempts.

Purple Knight by Semperis
https://www.semperis.com/purple-knight/
Free AD security assessment tool with comprehensive checks against known attack techniques.

CIS Benchmarks for Active Directory
https://www.cisecurity.org/benchmark
Hardening guidance for AD domain controllers and group policy configurations.

AD Security Best Practices by Sean Metcalf
https://adsecurity.org/?page_id=4031
Comprehensive AD hardening recommendations from one of the foremost AD security experts.