AD Attacks & Tools Timeline
2021
The PrintNightmare vulnerability was released. This was a remote code execution flaw in the Windows Print Spooler that could be used to take over hosts in an AD environment. The Shadow Credentials attack was released which allows for low privileged users to impersonate other user and computer accounts if conditions are right, and can be used to escalate privileges in a domain. The noPac attack was released in mid-December of 2021 when much of the security world was focused on the Log4j vulnerabilities. This attack allows an attacker to gain full control over a domain from a standard domain user account if the right conditions exist.
2020
The ZeroLogon attack debuted late in 2020. This was a critical flaw that allowed an attacker to impersonate any unpatched domain controller in a network.
2019
harmj0y delivered the talk "Kerberoasting Revisited" at DerbyCon, which laid out new approaches to Kerberoasting. Elad Shamir released a blog post outlining techniques for abusing resource-based constrained delegation (RBCD) in Active Directory. The company BC Security released Empire 3.0 (now version 4), which was a re-release of the PowerShell Empire framework written in Python 3 with many additions and changes.
2018
The "Printer Bug" was discovered by Lee Christensen, and the SpoolSamplePoC tool was released, which leverages this bug to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface. harmj0y released the Rubeus toolkit for attacking Kerberos. Late in 2018 harmj0y also released the blog post "Not A Security Boundary: Breaking Forest Trusts", which presented key research on performing attacks across forest trusts. The DCShadow attack technique was also released by Vincent LE TOUX and Benjamin Delpy at the Bluehat IL 2018 conference. The Ping Castle tool was released by Vincent LE TOUX for performing security audits of Active Directory by looking for misconfigurations and other flaws that can raise the risk level of a domain, producing a report that can be used to identify ways to further harden the environment.
2017
The ASREPRoast technique was introduced for attacking user accounts that don't require Kerberos preauthentication. _wald0 and harmj0y delivered the pivotal talk on Active Directory ACL attacks, "ACE Up the Sleeve", at Black Hat and DEF CON. harmj0y released his "A Guide to Attacking Domain Trusts" blog post on enumerating and attacking domain trusts.
2016
BloodHound was released at DEF CON 24 as a game-changing tool for visualizing attack paths in AD.
2015
2015 saw the release of some of the most impactful Active Directory tools of all time. The PowerShell Empire framework was released. PowerView 2.0 was released as part of the (now deprecated) PowerTools repository, which was a part of the PowerShellEmpire GitHub account. The DCSync attack was first released by Benjamin Delpy and Vincent Le Toux as part of the mimikatz tool; it has since been included in other tools. The first stable release of CrackMapExec (v1.0.0) was introduced. Sean Metcalf gave a talk at Black Hat USA about the dangers of Kerberos Unconstrained Delegation and released an excellent blog post on the topic. The Impacket toolkit was also released in 2015. This is a collection of Python tools, many of which can be used to perform Active Directory attacks. It is still actively maintained as of January 2022 and is a key part of nearly every penetration tester's toolkit.
2014
Veil-PowerView was first released. This project later became part of the PowerSploit framework as the (no longer supported) PowerView.ps1 AD recon tool. The Kerberoasting attack was first presented at a conference by Tim Medin at SANS Hackfest 2014.
2013
The Responder tool was released by Laurent Gaffie. Responder is a tool used for poisoning LLMNR, NBT-NS, and mDNS on an Active Directory network. It can be used to obtain password hashes and also to perform SMB relay attacks (when combined with other tools) to move laterally and vertically in an AD environment. It has evolved considerably over the years and is still actively supported (with new features added) as of January 2022.
Active Directory flaws and misconfigurations can often be used to obtain a foothold (internal access), move laterally and vertically within a network, and gain unauthorized access to protected resources such as databases, file shares, source code, and more. AD is essentially a large database accessible to all users within the domain, regardless of their privilege level. A basic AD user account with no added privileges can be used to enumerate the majority of objects contained within AD, including but not limited to:
Domain Computers
Domain Users
Domain Group Information
Organizational Units (OUs)
Default Domain Policy
Functional Domain Levels
Password Policy
Group Policy Objects (GPOs)
Domain Trusts
Access Control Lists (ACLs)
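Several of the items above (the Default Domain Policy's password settings and the functional domain level) are stored as raw attributes on the domain object, readable by any authenticated user, but the values are not human-readable as returned: durations are negative counts of 100-nanosecond ticks and pwdProperties is a bitmask. The decoder below is an added example written for this page, not code from the original page or from any tool it names. The attribute names are the real AD schema names; the attribute values are constructed sample data, and the audit thresholds in weak_settings are this example's own choices, so a defender reviewing their domain can adjust them to local policy.

```python
"""Decode the domain-object LDAP attributes that carry the Default Domain
password policy and the domain functional level.

Added example for this page, not code from the original page or from any
tool named in it.  SAMPLE_DOMAIN_ATTRS is constructed data shaped like the
string values an LDAP search of the domain naming context returns."""

from datetime import timedelta

# Constructed sample: what a bind as an ordinary domain user can read from
# the domain object.  Values are the raw LDAP strings, not converted yet.
SAMPLE_DOMAIN_ATTRS = {
    "maxPwdAge": "-36288000000000",      # 42 days, as negative 100-ns ticks
    "minPwdAge": "-864000000000",        # 1 day
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "pwdProperties": "1",                # DOMAIN_PASSWORD_COMPLEX only
    "lockoutThreshold": "0",             # 0 = account lockout disabled
    "lockoutDuration": "-18000000000",   # 30 minutes
    "lockOutObservationWindow": "-18000000000",
    "msDS-Behavior-Version": "7",        # Windows Server 2016 functional level
}

# Bit flags of pwdProperties ([MS-SAMR] DOMAIN_PASSWORD_INFORMATION).
PWD_PROPERTY_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# msDS-Behavior-Version on the domain object -> domain functional level.
FUNCTIONAL_LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}


def interval_to_timedelta(raw):
    """AD stores durations as a negative 64-bit count of 100-ns ticks.
    The most negative value (-2**63) means 'never' (e.g. passwords never expire)."""
    ticks = int(raw)
    if ticks == -(2 ** 63):
        return None
    return timedelta(microseconds=abs(ticks) // 10)


def decode_pwd_properties(raw):
    """Expand the pwdProperties bitmask into the names of the flags that are set."""
    value = int(raw)
    return [name for bit, name in PWD_PROPERTY_FLAGS.items() if value & bit]


def functional_level(raw):
    """Map msDS-Behavior-Version to its functional level name."""
    version = int(raw)
    return FUNCTIONAL_LEVELS.get(version, f"unknown ({version})")


def parse_password_policy(attrs):
    """Turn the raw attribute strings into a readable policy dictionary."""
    return {
        "max_password_age": interval_to_timedelta(attrs["maxPwdAge"]),
        "min_password_age": interval_to_timedelta(attrs["minPwdAge"]),
        "min_password_length": int(attrs["minPwdLength"]),
        "password_history_length": int(attrs["pwdHistoryLength"]),
        "password_properties": decode_pwd_properties(attrs["pwdProperties"]),
        "lockout_threshold": int(attrs["lockoutThreshold"]),
        "lockout_duration": interval_to_timedelta(attrs["lockoutDuration"]),
        "lockout_observation_window": interval_to_timedelta(attrs["lockOutObservationWindow"]),
        "functional_level": functional_level(attrs["msDS-Behavior-Version"]),
    }


def weak_settings(policy):
    """Audit findings a defender would act on.  The thresholds here are this
    example's own choices, not values taken from the page."""
    findings = []
    if policy["lockout_threshold"] == 0:
        findings.append("account lockout disabled: online password guessing is unthrottled")
    if policy["min_password_length"] < 14:
        findings.append(f"minimum password length {policy['min_password_length']} is below 14")
    if "DOMAIN_PASSWORD_COMPLEX" not in policy["password_properties"]:
        findings.append("password complexity not enforced")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in policy["password_properties"]:
        findings.append("reversible encryption enabled domain-wide")
    return findings


if __name__ == "__main__":
    policy = parse_password_policy(SAMPLE_DOMAIN_ATTRS)
    for key, value in policy.items():
        print(f"{key}: {value}")
    for finding in weak_settings(policy):
        print("FINDING:", finding)
```

Against the constructed sample the decoder reports a 42-day maximum password age, a 30-minute lockout duration, and two findings (lockout disabled, minimum length 7). The same functions work unchanged on attribute strings returned by a real LDAP search of the domain object, which makes this a cheap recurring check to run from a read-only account.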