The History of Active Directory Security

During the Summer of 2024, I gave a talk at Troopers called “A Decade of Active Directory Attacks: What We’ve Learned & What’s Next” (Slides & Video) where I focused on the key milestones of Active Directory security history. This article covers my “decade of Active Directory attacks” in some detail, correlated with public information and GitHub release information. This Active Directory security history article breaks down the notable attacks into a timeline starting with Active Directory’s release in 2000 and continuing to the present day in late 2025.
If you are interested in the history of Active Directory, this is the article for you.

If you have anything to add or update on the History of Active Directory Security, please email me: sean[@]adsecurity[dot]org.

“Baby Steps” (2000 – 2009)

We start with a time period I call “Baby Steps” (2000 – 2009). This is where some of the key attack capability still in use today was developed.

April, 1997: Paul Ashton posted to NTBugtraq about “‘Pass the Hash’ with Modified SMB Client” leveraging the username and LanMan hash against Windows NT.

February 17, 2000: Active Directory released as part of Windows 2000 (RTM was December 5, 1999 while retail release was February 17, 2000).

March, 2001: Sir Dystic of Cult of the Dead Cow (cDc) releases SMBRelay and SMBRelay2.

2007: NBNSpoof tool created by Robert Wesley McGrew (LLMNR/NBT-NS).

July 2008: Hernan Ochoa publishes the “Pass-the-Hash Toolkit” (later called WCE; it was the inspiration for Mimikatz).

“The Wonder Years” (2010 – 2014)

The next time period, which I call “The Wonder Years” (2010 – 2014), is where some key Active Directory attack elements were created.

March 2010: Windows Credentials Editor (WCE) & RootedCon presentation by Hernan Ochoa. WCE was the first tool that provided capability to dump in-memory credentials without running code inside of LSASS. ID: S0005

May 2011: First version of the Mimikatz tool released by Benjamin Delpy. ID: S0002
ADSecurity Unofficial Guide to Mimikatz (no longer updated)

2012: Exploiting Windows 2008 Group Policy Preferences by Emilien Girault. ID: T1552.006

May 2012: Chris Campbell’s post on GPP Passwords. ID: T1552.006
ADSecurity article on Group Policy Preference Passwords

October 2012: Responder v1 tool released by Laurent Gaffie. Responder was a tool that leveraged LLMNR and Netbios protocol weaknesses enabling password hash capture on the network. ID: S0174

October 2013: Invoke-Mimikatz PowerShell version of Mimikatz released by Joe Bialek. This PowerShell script leverages reflective DLL injection in order to load Mimikatz in PowerShell.

August 2014: “Abusing Microsoft Kerberos: sorry you guys don’t get it” Black Hat presentation by Benjamin Delpy & Skip Duckwall which covered Golden Tickets (ID: T1558.001), Overpass-the-hash, and Pass-the-ticket (ID: T1550.003) techniques. This talk caused a revolutionary shift in offensive capability.
ADSecurity article on Golden Ticket attack

September 2014: PAC Validation, The 20 Minute Rule and Exceptions (BHUSA 2014 part deux) blog post about Silver Tickets (ID: T1558.002) by Skip Duckwall.
ADSecurity article on Silver Tickets

September 2014: Kerberoast released by Tim Medin at DerbyCon. ID: T1558.003
Kerberoasting is still successfully used against Active Directory environments along with Password Spraying.
ADSecurity article on Kerberoast attack

December 2014: PowerView tool released by Will Schroeder. This enabled easy Active Directory reconnaissance using PowerShell.

“The Golden Years” (2015 – 2019)

Following the “Wonder Years” is the time period I call “The Golden Years” (2015 – 2019), from which most of the attacks originate.

2015: DSInternals tool released by Michael Grafnetter. This PowerShell module combines a number of useful attack tools.

2015: Kekeo tool released by Benjamin Delpy. This was Benjamin’s tool to play around with Kerberos.

2015: PowerSploit toolset released by Matt Graeber. ID: S0194
ADSecurity article on PowerShell attack tool detection

May 2015: Impacket tool released by Alberto Solino (asolino). ID: S0357
Impacket grew to be one of the key attack tools against Active Directory.

May 2015: Method to Detect Golden Tickets by Sean Metcalf. This was the first detection of Golden Tickets, based on event log anomalies that Mimikatz later removed.

August 2015: PowerShell Empire released by Will Schroeder & Justin Warner. ID: S0363
This PowerShell attack platform combined a number of useful tools including recon and exploitation.

August 2015: DCSync update to Mimikatz by Vincent Le Toux & Benjamin Delpy. ID: T1003.006
DCSync represented a strategic shift where getting on Domain Controllers to capture password hashes was no longer necessary.
ADSecurity article on DCSync capability & detection

August 2015: Black Hat 2015 presentation by Sean Metcalf covering Unconstrained Delegation risks.
ADSecurity articles: Golden Tickets more powerful & Active Directory Persistence using AdminSDHolder.

September 2015: CrackMapExec v1.0.0 tool released by Marcello aka byt3bl33d3r. ID: S0488
CrackMapExec combined useful attack tools into a single tool.

September 2015: DerbyCon 2015 presentation by Sean Metcalf: Attacking Directory Services Restore Mode (DSRM). This presentation disclosed the fact that the DSRM account on Domain Controllers is actually the local Administrator (RID 500) account and that it is possible to pass the hash for this account (discovered with Benjamin Delpy).

December 2015: Attacking Group Managed Service Accounts (GMSAs) by Michael Grafnetter.
This article describes some ways to take advantage of GMSAs.
ADSecurity article on attacking GMSAs.

August 2016: Bloodhound tool released at DEFCON 23 originally written by Will Schroeder, Rohan Vazarkar, & Andy Robbins. ID: S0521
Bloodhound grew from an attack tool into a tool for both Red and Blue teams mapping out attack paths and identifying key items that can resolve multiple issues.

January 2017: PingCastle 2.4.0.1 released. PingCastle scans for Active Directory security issues and provides steps to resolve them.

February 2017: Detect Kerberoasting with no false positives by Sean Metcalf.

May 2017: DNS Admin to Domain Admin by Shay Ber.
ADSecurity article on this

May 2017: Death Star Python script released by byt3bl33d3r.
This Python script automates identifying the path to Domain Admin in one step.

May 2017: Ntlmrelayx tool released by Fox-IT.

August 2017: ACE up the Sleeve Black Hat 2017 presentation by Andy Robbins and Will Schroeder which covered 5 primary items: A Hidden DCSync Backdoor, AdminSDHolder, Exploitation, Exchange Strikes Back, and Abusing GPOs.

September 2017: Sharphound tool released.
Sharphound was the C# port that replaced the PowerShell ingester, with tons of speed and efficiency updates.

2018: Ldapdomaindump tool released by Dirk-jan Mollema.

January 2018: ADSecurity article describing how to attack Read-Only Domain Controllers (RODCs).

February 2018: Bloodhound.py tool released by Dirk-jan Mollema (Python-based Bloodhound ingester).

July 2018: GhostPack released as a collection of C# ports of popular PowerShell tools, gathering these tools together in one place.

August 2018: DCShadow attack by Vincent Le Toux & Benjamin Delpy. ID: T1207
The DCShadow attack mapped out how to create a temporary “Domain Controller”, use it to make changes to Active Directory, and subsequently make this temporary DC disappear.

September 2018: Rubeus tool released by Will Schroeder (port of Kekeo and added to GhostPack). ID: S1071

October 2018: “Printer Bug” AD privilege escalation talk at DerbyCon by Will Schroeder, Lee Christensen, & Matt Nelson.
ADSecurity article on this

January 2019: PrivExchange tool released by Dirk-jan Mollema.

January 2019: Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory by Elad Shamir.

“The Third Age” (2020 – Present)

We are currently in what I refer to as the “Third Age” which is mostly refinements of existing techniques and tools with some notable novel techniques thrown in for good measure.

August 2020: The Art of the Honeypot Account article published that describes how best to configure Active Directory honeypot accounts.

December 2020: Adalanche tool released by Lars Karlslund.

March 2021: Purple Knight released.

April 2021: RemotePotato0 tool released by Antonio Cocomazzi & article by Antonio Cocomazzi and Andrea Pierini.

July 2021: PetitPotam tool released. PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw.

August 2021: Certified Pre-Owned (ADCS Attacks) Black Hat talk by Will Schroeder & Lee Christensen (ESC1 to ESC7). Whitepaper download.

August 2021: Certify ADCS tool released by Will Schroeder & Lee Christensen (in GhostPack).

October 2021: Kerberos Relay Attack by James Forshaw.

October 2021: Certipy tool released by Oliver Lyak (ly4k) – Python port of the Certify tool.

November 2021: “Is This My Domain Controller” Black Hat talk by Sagi Sheinfeld (@sagish1233), Eyal Karni (@eyal_karni), & Yaron Zinar (@YaronZi).

April 2022: KrbRelayUp tool released by Dec0ne.

July 2023: Locksmith Active Directory Certificate Services (ADCS) issue scan & fix tool released by Jake Hildreth.

August 2023: Bloodhound Community Edition (CE) released.

October 2023: CrackMapExec continues as NetExec (nxc).

May 2025: BadSuccessor technique disclosed, which takes advantage of Delegated Managed Service Account (dMSA) weaknesses.

August 2025: Bloodhound OpenGraph released.

September 2025: Active Directory password spraying detection published.

Note: If you want to use content from this page, please credit Sean Metcalf and link back to this page.

That’s my list of notable techniques and tools.
If you have anything to add or update on the History of Active Directory Security, please email me: sean[@]adsecurity[dot]org.
