The Active Directory Attack-Path Playbook
After 200+ assessments, the same AD misconfigurations keep getting organizations breached. Get the attacker's playbook — and exactly how to shut each path.
- Kerberoasting. How service-account passwords get cracked offline — how to detect it, and how to fix it.
- Privileged-group sprawl & admin tiering. Why too many Domain Admins is the breach you haven't had yet — and the tiered model that fixes it.
- AD CS (ESC1) abuse. The certificate-template misconfiguration that hands an attacker a Domain Admin — detection and remediation included.
- Unconstrained delegation. The legacy setting that lets one compromised server become the whole domain.
- LLMNR / NTLM relay. How attackers grab and replay credentials off the wire — and the two settings that stop them.
- Legacy protocol hygiene. SMBv1, NTLMv1, and friends — what to rip out, plus a quick-wins hardening checklist. Each path includes how to detect and how to fix.
Enter your email and we'll send you the full playbook as a PDF — every attack path with detection guidance, fixes, and the quick-wins hardening checklist.
Double opt-in — confirm your email and the PDF is yours. We never share your address. See our privacy policy.
The attack paths we find on almost every engagement.
Active Directory runs the identity backbone of most organizations, and that makes it the prize every attacker is after. The uncomfortable truth from hundreds of red-team and penetration-testing engagements: domain compromise rarely needs a fancy exploit. It needs a misconfiguration that's been sitting there for years — a roastable service account, a delegation setting nobody remembers enabling, a certificate template with one box checked wrong. This playbook walks each path the way an attacker sees it, then hands you the defender's fix.
Kerberoasting & weak service accounts
Any domain user can request a service ticket for any account with an SPN and crack it offline at their leisure. We show you how to find your roastable accounts before an attacker does, why "service accounts" are so often the weakest passwords in the domain, and how Group Managed Service Accounts (gMSAs) and long random passwords take this path off the table entirely.
Privileged-group sprawl & admin tiering
Most environments have far more Domain Admins than they think — and admins logging into ordinary workstations where their credentials can be stolen. The playbook covers how to inventory effective privilege, why a tiered administration model (Tier 0/1/2) breaks the lateral-movement chain, and the practical first steps to get there without a multi-year project.
AD CS abuse (ESC1 and friends)
Active Directory Certificate Services is the gift that keeps on giving for attackers. A single over-permissive template (the classic ESC1) lets a low-privileged user enroll a certificate as anyone — including a Domain Admin. We explain the misconfiguration in plain terms, how to audit your templates, and the exact settings that close the most common escalation paths.
Unconstrained & over-broad delegation
Delegation lets a service act on a user's behalf — and when it's unconstrained, compromising that one server can mean capturing credentials for anyone who touches it, up to and including a Domain Controller. The guide shows how to find delegation across the domain, which forms are dangerous, and how to move to constrained or resource-based delegation safely.
LLMNR poisoning & NTLM relay
When name resolution falls back to LLMNR or NetBIOS, an attacker on the network can answer and harvest credentials — then relay them to systems that don't enforce signing. This is one of the fastest paths to a foothold in an unhardened environment. We cover disabling the fallback protocols, enforcing SMB and LDAP signing, and how to verify the fix actually took.
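As an added example (not part of the playbook or Red Hound's tooling), here is a read-only PowerShell check of the hardening state described above on a single Windows host: LLMNR and NetBIOS fallback disabled, SMB signing required on both server and client side, and LDAP server signing required when the host is a Domain Controller. It assumes an elevated session and that the settings are applied through the standard policy registry locations; a GPO that sets them elsewhere would need the paths adjusted.

```powershell
# Read-only audit of LLMNR / NTLM-relay hardening on the local host (added example, run elevated).
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value means the setting is not configured
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, $Value, [bool]$Ok, [string]$Fix) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Ok; Fix = $Fix })
}

# 1. LLMNR: policy value EnableMulticast = 0 turns multicast name resolution off
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
Add-Finding 'LLMNR disabled' $llmnr ($llmnr -eq 0) 'GPO: DNS Client > Turn off multicast name resolution = Enabled'

# 2. NetBIOS over TCP/IP: NetbiosOptions = 2 on every interface disables the second fallback
$ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$nbtOn  = @($ifaces | Where-Object { (Get-RegValue $_.PSPath 'NetbiosOptions') -ne 2 })
Add-Finding 'NetBIOS over TCP/IP disabled on all interfaces' "$($nbtOn.Count) interface(s) still enabled" ($nbtOn.Count -eq 0) 'Set NetbiosOptions = 2 (DHCP option or startup script)'

# 3. SMB signing required on both sides; a relay to an SMB endpoint fails when signing is mandatory
$srv = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'      'RequireSecuritySignature'
$cli = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
Add-Finding 'SMB server signing required' $srv ($srv -eq 1) 'Microsoft network server: Digitally sign communications (always) = Enabled'
Add-Finding 'SMB client signing required' $cli ($cli -eq 1) 'Microsoft network client: Digitally sign communications (always) = Enabled'

# 4. LDAP server signing (Domain Controllers only): LDAPServerIntegrity = 2 means "Require signing"
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $ldap = Get-RegValue $ntds 'LDAPServerIntegrity'
    Add-Finding 'LDAP server signing required (DC)' $ldap ($ldap -eq 2) 'Domain controller: LDAP server signing requirements = Require signing'
}

$findings | Format-Table -AutoSize
# Non-zero exit when any check fails, so the script can gate a build or feed a compliance job
if (@($findings | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 } else { exit 0 }
```

Run it on a sample of workstations, member servers and every Domain Controller after the GPO has refreshed; a failing row is a host the relay path still works against.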
Legacy protocols & quick wins
SMBv1, NTLMv1, unsigned LDAP, and stale trust relationships are the long tail of AD risk. The playbook closes with a prioritized quick-wins checklist — the handful of changes that buy you the most resilience for the least effort, in the order we'd make them on a real engagement.
Want us to run these paths against your own environment? Red Hound's senior-led penetration testing and identity risk assessments are built on exactly this tradecraft — scoped for the mid-market, priced pay-as-you-go. Book a 30-minute call to talk through your AD.
Get the playbook. Shut the paths attackers count on.
Free PDF. Confirm your email and it's yours.
