A History of Active Directory Security

During the summer of 2024, I gave a talk at Troopers called “A Decade of Active Directory Attacks: What We’ve Learned & What’s Next” (Slides & Video). I focused on the key milestones of Active Directory security. This post covers the same ground in more detail, correlated with public information and GitHub release dates, and breaks the notable attacks down into a timeline.
If you are interested in the history of Active Directory security, this is the article for you.

If you have anything to add or update, please email me: sean[@]adsecurity[dot]org.

“Baby Steps” (2000 – 2009)

We start with a time period I call “Baby Steps” (2000 – 2009). This is where some of the key attack capability still in use today was developed.

April 1997: Paul Ashton posted to NTBugtraq about “‘Pass the Hash’ with Modified SMB Client”, leveraging the username and LanMan hash against NT.

March, 2021: Sir Dystic of Cult of the Dead Cow (cDc) releases SMBRelay and SMBRelay2.

2007: NBNSpoof tool created by Robert Wesley McGrew (LLMNR/NBT-NS spoofing).

July 2008: Hernan Ochoa publishes the “Pass-the-Hash Toolkit” (later called WCE; it was the inspiration for Mimikatz).

“The Wonder Years” (2010 – 2014)

The next time period I call “The Wonder Years” (2010 – 2014), which is when some key Active Directory attack elements were created.

March 2010: Windows Credentials Editor (WCE) released, with a RootedCon presentation by Hernan Ochoa. WCE was the first tool that provided the capability to dump in-memory credentials without running code inside of LSASS. ID: S0005

May 2011: First version of the Mimikatz tool released by Benjamin Delpy. ID: S0002
ADSecurity Unofficial Guide to Mimikatz (no longer updated)

2012: “Exploiting Windows 2008 Group Policy Preferences” by Emilien Girault. ID: T1552.006

May 2012: Chris Campbell’s post on GPP Passwords. ID: T1552.006
ADSecurity article on Group Policy Preference Passwords

October 2012: Responder v1 tool released by Laurent Gaffie. Responder leveraged LLMNR and NetBIOS (NBT-NS) name resolution weaknesses to capture password hashes on the network. ID: S0174

October 2013: Invoke-Mimikatz PowerShell version of Mimikatz released by Joe Bialek

August 2014: “Abusing Microsoft Kerberos: Sorry You Guys Don’t Get It” Black Hat presentation by Benjamin Delpy & Skip Duckwall, which covered Golden Tickets (ID: T1558.001), Overpass-the-Hash, and Pass-the-Ticket (ID: T1550.003) techniques.
Golden Ticket attack description

September 2014: “PAC Validation, The 20 Minute Rule and Exceptions (BHUSA 2014 part deux)” blog post about Silver Tickets (ID: T1558.002) by Skip Duckwall
ADSecurity article on Silver Tickets

September 2014: Kerberoast released by Tim Medin at DerbyCon. ID: T1558.003
Kerberoast attack description

December 2014: PowerView tool released by Will Schroeder

The Golden Years (2015 – 2019)

Following the “Wonder Years” is the time period I call “The Golden Years” (2015 – 2019), when most of the attacks in this list appeared.

2015: DSInternals tool released by Michael Grafnetter

2015: Kekeo tool released by Benjamin Delpy

2015: PowerSploit toolset released by Matt Graeber. ID: S0194
PowerShell attack tool detection

May 2015: Impacket tool released by Alberto Solino (asolino). ID: S0357

May 2015: Method to Detect Golden Tickets

August 2015: PowerShell Empire released by Will Schroeder (@harmj0y) & Justin Warner. ID: S0363

August 2015: DCSync update to Mimikatz by Vincent Le Toux & Benjamin Delpy. ID: T1003.006
DCSync capability & detection

August 2015: Black Hat 2015 presentation by Sean Metcalf: Unconstrained Delegation & Golden Tickets more powerful & Active Directory Persistence using AdminSDHolder

September 2015: CrackMapExec v1.0.0 tool released by Marcello (aka byt3bl33d3r). ID: S0488

September 2015: DerbyCon 2015 presentation by Sean Metcalf: Attacking DSRM

December 2015: Attacking Group Managed Service Accounts (GMSAs) by Michael Grafnetter

August 2016: BloodHound tool released at DEFCON 23, originally written by Will Schroeder, Rohan Vazarkar, & Andy Robbins. ID: S0521

February 2017: Detect Kerberoasting with No false positives

May 2017: DNSAdmin to Domain Admin by Shay Ber
ADSecurity article on this

May 2017: DeathStar Python script released by byt3bl33d3r

May 2017: Ntlmrelayx tool released by Fox-IT

August 2017: “An ACE Up the Sleeve” Black Hat 2017 presentation by Andy Robbins and Will Schroeder, which covered 5 primary items: A Hidden DCSync Backdoor, AdminSDHolder, Exploitation, Exchange Strikes Back, and Abusing GPOs.

September 2017: SharpHound tool released

2018: ldapdomaindump tool released by Dirk-jan Mollema

February 2018: BloodHound.py tool released by Dirk-jan Mollema (Python-based BloodHound ingester)

July 2018: GhostPack released, a collection of C# ports of popular PowerShell tools gathered together in one place

August 2018: DCShadow attack by Vincent Le Toux & Benjamin Delpy. ID: T1207

September 2018: Rubeus tool released by Will Schroeder (port of Kekeo and added to GhostPack). ID: S1071

October 2018: “Printer Bug” AD privilege escalation talk at DerbyCon by Will Schroeder, Lee Christensen, & Matt Nelson
ADSecurity article on this

“The Third Age” (2020 – Present)

We are currently in what I refer to as the “Third Age”, which consists mostly of refinements of existing techniques and tools, with some notable novel techniques thrown in for good measure.

December 2020: Adalanche tool released by Lars Karlslund

April 2021: RemotePotato0 tool released by antonioCoco, with an article by Antonio Cocomazzi and Andrea Pierini

July 2021: PetitPotam tool released

August 2021: Certified Pre-Owned (ADCS Attacks) Black Hat talk by Will Schroeder & Lee Christensen
whitepaper download

August 2021: Certify ADCS tool released by Will Schroeder & Lee Christensen (in GhostPack)

October 2021: Kerberos Relay Attack by James Forshaw

October 2021: Certipy tool released by Oliver Lyak (ly4k), a Python port of the Certify tool

November 2021: “Is This My Domain Controller” Black Hat talk by Sagi Sheinfeld (@sagish1233), Eyal Karni (@eyal_karni), & Yaron Zinar (@YaronZi)

April 2022: KrbRelayUp tool released by Dec0ne

October 2023: CrackMapExec continues as NetExec (nxc)

That’s my list of notable techniques and tools. If you have anything to add or correct, please email me: sean[@]adsecurity[dot]org.
