The 80/20 of Active Directory Security

Most AD environments have the same problems. Stale admin accounts, weak Kerberos configs, password reuse, ACL misconfigurations nobody remembers introducing. You can find the majority of these in a day or two with free tools and a single domain user account.

Mandiant's M-Trends 2026 highlights misconfigured Active Directory Certificate Services as a recurring path attackers use to create administrator accounts that bypass MFA. Across the environments I've personally assessed, I have seen exactly one AD CS that I'd call genuinely well-configured, and a handful that were close. The rest were horrendous.

Methodology

Whitebox, from a domain-joined Windows host, using a standard domain user account. No special privileges.

That perspective matters. It's what an attacker has after one successful phish or one credential bought from an infostealer log. If a single low-privilege account can enumerate paths to Domain Admin, the rest of the kill chain is paperwork.

Most of the techniques and procedures below are documented in detail elsewhere. I'm not going to re-derive them. The references worth bookmarking:

Mayfly's AD attack-surface mindmap (March 2025 edition).

Tools

PingCastle is the main one. Scored health report on the domain. It highlights risky configurations, stale objects, trust relationships, dangerous defaults. Runs in minutes. Includes basic AD CS findings. Output is structured enough to hand to a sysadmin and to a CISO without rewriting it.

Purple Knight is the substitute when PingCastle isn't an option. Also surfaces basic certificate services findings. Run one or the other, not both. Overlap is high.

SharpHound collects the data BloodHound needs. From a standard user it maps group memberships, ACLs, sessions, and trust relationships. The interesting output is the shortest paths to Tier 0.

Rubeus for Kerberoasting, AS-REP roasting, checking for unconstrained delegation.

Snaffler is the well-known one, but it's loud and trivial to fingerprint. Custom PowerShell that walks shares looking for specific strings (password, secret, connectionstring) and for .ps1 or .config files in unexpected places accomplishes the same with less noise. Either way, you might find something.

Locksmith for certificate services. Overlaps partially with PingCastle and Purple Knight.

The password layer

Extract NTLM hashes locally from a test host, or remotely with proper authorization. Run them against rockyou.txt (~14 million entries) combined with a list generated by CeWL or by an LLM.

Locale matters more than people expect. English wordlists miss Sommar2024! and Stockholm2023. A Swedish-seeded list catches them in minutes.

If 30% of accounts crack against a standard list, the policy is broken regardless of what GPO says.

TTPs covered

Every tool above leaves a recognizable pattern in telemetry. SharpHound makes thousands of LDAP queries in a specific shape. Rubeus requests Kerberos tickets for service accounts that nothing legitimate uses. Snaffler walks shares in a way no user does.

For the report and the SOC handoff, the MITRE ATT&CK mapping:

  • T1087.002: Account Discovery: Domain Account (SharpHound)
  • T1069.002: Permission Groups Discovery: Domain Groups (SharpHound)
  • T1482: Domain Trust Discovery (SharpHound, PingCastle)
  • T1558.003: Kerberoasting (Rubeus)
  • T1558.004: AS-REP Roasting (Rubeus)
  • T1135: Network Share Discovery (Snaffler, custom scripts)
  • T1552.001: Unsecured Credentials: Credentials in Files (Snaffler, custom)
  • T1110.002: Brute Force: Password Cracking (offline against extracted hashes)
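As an added illustration of the Rubeus pattern above (not code from the original post): a small detector for the Kerberoasting shape in Security event 4769, run over a constructed export. It assumes the events have been exported as dicts with the 4769 field names shown; the sample accounts, hosts and IPs are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 export (not real telemetry). Field names follow the Windows
# Security event: TargetUserName = requesting account, ServiceName = account
# behind the SPN, IpAddress = client, TicketEncryptionType 0x17 = RC4, 0x12 = AES256.
EVENTS = [
    {"TimeCreated": "2024-11-12T14:33:27Z", "TargetUserName": "svc-helpdesk@CORP.LOCAL",
     "ServiceName": "svc-sql", "IpAddress": "::ffff:10.20.4.117", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-11-12T14:33:27Z", "TargetUserName": "svc-helpdesk@CORP.LOCAL",
     "ServiceName": "svc-sharepoint", "IpAddress": "::ffff:10.20.4.117", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-11-12T14:33:28Z", "TargetUserName": "svc-helpdesk@CORP.LOCAL",
     "ServiceName": "svc-backup", "IpAddress": "::ffff:10.20.4.117", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-11-12T14:33:29Z", "TargetUserName": "svc-helpdesk@CORP.LOCAL",
     "ServiceName": "krbtgt", "IpAddress": "::ffff:10.20.4.117", "TicketEncryptionType": "0x17"},
    # A normal user gets AES tickets to the same services; no RC4, so never flagged.
    {"TimeCreated": "2024-11-12T09:01:10Z", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-sql", "IpAddress": "::ffff:10.20.7.40", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-11-12T09:01:12Z", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-sharepoint", "IpAddress": "::ffff:10.20.7.40", "TicketEncryptionType": "0x12"},
    # A legacy app's single RC4 ticket stays below the burst threshold.
    {"TimeCreated": "2024-11-12T08:00:00Z", "TargetUserName": "legacyapp@CORP.LOCAL",
     "ServiceName": "svc-sql", "IpAddress": "::ffff:10.20.9.9", "TicketEncryptionType": "0x17"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_kerberoast(events, window=timedelta(minutes=5), min_spns=3):
    """One hit per (requester, client IP) that obtained RC4 service tickets for at
    least `min_spns` distinct service accounts within `window`. krbtgt is skipped:
    that is a TGT, not a service ticket. Tune both knobs to the domain's RC4 noise."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"] != "0x17" or ev["ServiceName"].lower() == "krbtgt":
            continue
        key = (ev["TargetUserName"], ev["IpAddress"].removeprefix("::ffff:"))
        by_actor[key].append((parse_ts(ev["TimeCreated"]), ev["ServiceName"]))
    hits = []
    for (user, ip), reqs in by_actor.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits.append({"user": user, "ip": ip, "first_seen": start.isoformat(),
                             "spns": sorted(spns)})
                break  # one hit per actor is enough for the SOC handoff
    return hits
```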

Remediation: where time actually goes

The testing is fast. The fixing is not.

A lot of organizations don't own their AD in any meaningful sense. It's outsourced, offshored, or run by a team of two people who are already drowning. There's always a business case that requires an exception, and always a "we'll fix that in Q3" that's still open eighteen months later.

What works:

  1. Fix the lowest-effort, highest-impact findings first. The password in the description field. The unconstrained delegation on a forgotten server. The certificate template anyone can enrol against.
  2. Put detection in place for the techniques you just used. Even if the configuration doesn't get fixed for a year, you'll see someone else trying it.

Where LLMs actually help

The most useful place is downstream, after the engagement, when the SOC has a stack of audit logs, EDR telemetry, and SIEM alerts from the assessment activity.

Feed an advanced model the raw exports (4624/4625 logon events, 4769 TGS requests, LDAP audit logs, EDR process telemetry, Defender for Identity alert JSON) plus a copy of the engagement timeline. The model correlates one against the other and writes the incident up twice: once for the SOC, once for the business.

For the SOC

Dense and specific. Every claim cites the underlying telemetry:

  • TTP: T1558.003 (Kerberoasting) at 2024-11-12 14:33:27 UTC
  • Source: 10.20.4.117 (host WS-OPS-118, user svc-helpdesk)
  • Target SPNs: MSSQLSvc/sql-prod-01.corp.local:1433, HTTP/sharepoint.corp.local
  • Defender for Identity alert DfI-EID-2017 ("Suspicious Kerberos SPN request") fired at 14:33:30 UTC
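The correlation step described above, as an added deterministic example rather than the author's LLM workflow: each alert is matched to the engagement timeline by source IP, technique and time window, so anything left unmatched is triaged as a possible real intrusion instead of being written off as assessment noise. Timeline entries, the EDR-LDAP-BURST alert name, hosts and IPs are constructed.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed engagement timeline (what the tester logged during the assessment).
TIMELINE = [
    {"id": "ENG-07", "technique": "T1558.003", "host": "WS-OPS-118", "ip": "10.20.4.117",
     "start": "2024-11-12T14:33:00Z", "end": "2024-11-12T14:36:00Z"},
    {"id": "ENG-08", "technique": "T1087.002", "host": "WS-OPS-118", "ip": "10.20.4.117",
     "start": "2024-11-12T15:10:00Z", "end": "2024-11-12T15:25:00Z"},
]
# Constructed SOC alert export for the same day.
ALERTS = [
    {"alert": "DfI-EID-2017", "technique": "T1558.003", "ip": "10.20.4.117", "time": "2024-11-12T14:33:30Z"},
    {"alert": "DfI-EID-2017", "technique": "T1558.003", "ip": "10.20.6.201", "time": "2024-11-12T14:35:02Z"},
    {"alert": "EDR-LDAP-BURST", "technique": "T1087.002", "ip": "10.20.4.117", "time": "2024-11-12T15:12:44Z"},
    {"alert": "DfI-EID-2017", "technique": "T1558.003", "ip": "10.20.4.117", "time": "2024-11-12T22:41:00Z"},
]

def attribute(alerts, timeline, slack=timedelta(minutes=2)):
    """Label each alert with the timeline entry that explains it: same source IP,
    same technique, alert time inside [start - slack, end + slack]. Alerts with no
    match are 'unexplained' and get triaged as if the red team were not there."""
    out = []
    for a in alerts:
        t = ts(a["time"])
        match = next((e for e in timeline
                      if e["ip"] == a["ip"] and e["technique"] == a["technique"]
                      and ts(e["start"]) - slack <= t <= ts(e["end"]) + slack), None)
        out.append({**a, "status": "attributed" if match else "unexplained",
                    "engagement_id": match["id"] if match else None})
    return out

def unexplained(alerts, timeline):
    """The alerts the SOC still owes an answer on after the engagement is deconflicted."""
    return [a for a in attribute(alerts, timeline) if a["status"] == "unexplained"]
```

The second alert comes from a host the tester never used and the fourth fires hours after the last logged activity; neither is explained by the engagement, which is exactly the list the SOC must not discard.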

For the business

Dense and outcome-framed:

  • Exposure: Payroll records (~5,800 employees) readable by any standard domain account.
  • Likelihood: High. No privileged access required.
  • Recommended solution: Enforce Kerberos Pre-Authentication and audit existing accounts.

Cadence

Every 6-12 months. More often if the org is going through heavy turnover. Findings repeat across runs. That's the point. You're tracking what came back.