{"id":4706,"date":"2025-10-04T20:03:00","date_gmt":"2025-10-05T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4706"},"modified":"2025-10-07T11:24:01","modified_gmt":"2025-10-07T15:24:01","slug":"active-directory-security-history","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4706","title":{"rendered":"The History of Active Directory Security"},"content":{"rendered":"\n

During the Summer of 2024, I had a talk at Troopers <\/a>called “A Decade of Active Directory Attacks:
What We’ve Learned & What’s Next<\/span>” (Slides <\/a>& Video<\/a>) where I focused on the key milestones of Active Directory security (history). This article covers my “decade of Active Directory attacks” in some detail which was correlated with public information and GitHub release information. This Active Directory security history article breaks down the notable attacks into a timeline starting with Active Directory’s release in 2000 and continuing until the present day in late 2025.
If you are interested in the history of Active<\/a> Directory, this is the article <\/a>for you.

If you have anything to add or update on the History of Active Directory Security, please email me: sean[@]adsecurity[dot]org.<\/p>\n\n\n\n

<\/p>\n\n\n\n

\u201cBaby Steps\u201d (2000 \u2013 2009)<\/strong><\/h2>\n\n\n\n

We start with a time period I call \u201cBaby Steps\u201d (2000 \u2013 2009). This is where some of the key attack capability still in use today was developed.<\/p>\n\n\n\n

April,<\/strong> 1997<\/strong>: Paul Ashton posted to NTBugtraq about \u201c‘Pass the Hash’ with Modified SMB Client<\/a>\u201d leveraging the username and LanMan hash against Windows NT.<\/p>\n\n\n\n

February 17, 2000<\/strong>: Active Directory<\/a> released as part of Windows 2000<\/a> (RTM was December 5, 1999 while retail release was February 17, 2000). <\/p>\n\n\n\n

March, 2001<\/strong>: Sir Dystic of Cult of the Dead Cow (cDc)<\/a> releases SMBRelay and SMBRelay2<\/a>.<\/p>\n\n\n\n

2007<\/strong>: NBNSpoof tool <\/a>created by Robert Wesley McGrew (LLMNR\/NBT-NS).<\/p>\n\n\n\n

July 2008<\/strong>: Hernan Ochoa publishes the “Pass-the-Hash Toolkit\u201c <\/a>(later called WCE and was the inspiration for Mimikatz).<\/p>\n\n\n\n\n\n\n\n

“The Wonder Years” (2010 – 2014) <\/strong><\/h2>\n\n\n\n

The next time period I call “The Wonder Years” (2010 – 2014) which is where some key Active Directory attack elements are created.<\/p>\n\n\n\n

March 2010:<\/strong> Windows Credentials Editor (WCE)<\/a> & RootedCon presentation <\/a>by Hernan Ochoa. WCE was the first tool that provided capability to dump in-memory credentials without running code inside of LSASS. ID: S0005<\/a><\/p>\n\n\n\n

May 2011<\/strong>: First version of the Mimikatz<\/a> tool released by Benjamin Delpy<\/a>. ID: S0002<\/a>
ADSecurity Unofficial Guide to Mimikatz<\/a> (no longer updated)<\/p>\n\n\n\n

2012<\/strong>: Exploiting Windows 2008 Group Policy Preferences <\/a>by Emilien Giraul. ID: T1552.006<\/a><\/p>\n\n\n\n

May 2012<\/strong>: Chris Campbell<\/a>\u2019s post on GPP Passwords<\/a>. ID: T1552.006<\/a>
ADSecurity article on Group Policy Preference Passwords<\/a><\/p>\n\n\n\n

October 2012<\/strong>: Responder v1<\/a> tool released by Laurent Gaffie. Responder was a tool that leveraged LLMNR and Netbios protocol weaknesses enabling password hash capture on the network. ID: S0174<\/a><\/p>\n\n\n\n

October 2013<\/strong>: Invoke-Mimikatz<\/a> PowerShell version of Mimikatz released by Joe Bialek. This PowerShell script leverages reflective DLL injection<\/a> in order to load Mimikatz in PowerShell.<\/p>\n\n\n\n

August 2014<\/strong>: \u201cAbusing Microsoft Kerberos sorry you guys don\u2019t get it<\/a>\u201d Black Hat presentation by Benjamin Delpy<\/a> & Skip Duckwell<\/a> which covered Golden Tickets (ID: T1558.001<\/a>), Overpass-the-hash, and Pass-the-ticket (ID: T1550.003<\/a>) techniques. This talk caused a revolutionary shift in offensive capability.
ADSecurity article on Golden Ticket attack<\/a><\/p>\n\n\n\n

September 2014<\/strong>: PAC Validation, The 20 Minute Rule and Exceptions (BHUSA 2014 part deux) <\/a>blog post about Silver Tickets (ID: T1558.002<\/a>) by Skip Duckwell<\/a>.
ADSecurity article on Silver Tickets<\/a><\/p>\n\n\n\n

September 2014<\/strong>: Kerberoast<\/a> released by Tim Medin<\/a> at DerbyCon<\/a>. ID: T1558.003<\/a>
Kerberoasting is still successfully used against Active Directory environments along with Password Spraying.
ADSecurity article on Kerberoast attack<\/a><\/p>\n\n\n\n

December 2014<\/strong>: PowerView<\/a> tool released by Will Schroeder<\/a>. This enabled easy Active Directory reconnaissance using PowerShell. <\/p>\n\n\n\n

<\/p>\n\n\n\n

The Golden Years (2015 – 2019)<\/strong><\/h2>\n\n\n\n

Following the “Wonder Years” is the time period I call “The Golden Years” (2015 – 2019) where most of the attacks came from.<\/p>\n\n\n\n

2015<\/strong>: DSInternals<\/a> tool released<\/a> by Michael Grafnetter<\/a>. This PowerShell module combines a number of useful attack tools.<\/p>\n\n\n\n

2015<\/strong>: Kekeo<\/a> tool released by Benjamin Delpy<\/a>. This was Benjamin’s tool to play around with Kerberos.<\/p>\n\n\n\n

2015<\/strong>: PowerSploit toolset<\/a> released by Matt Graeber. ID: S0194<\/a>
ADSecurity article on PowerShell attack tool detection<\/a><\/p>\n\n\n\n

May 2015<\/strong>: Impacket<\/a> tool released by Alberto Solino<\/a> (asolino). ID: S0357<\/a>
Impacket grew to be one of the key attack tools against Active Directory.<\/p>\n\n\n\n

May 2015<\/strong>: Method to Detect Golden Tickets<\/a> by Sean Metcalf<\/a>. First detection of Golden Tickets based on event log anomalies that were later removed in Mimikatz.<\/p>\n\n\n\n

August<\/strong> 2015<\/strong>: PowerShell Empire <\/a>released by Will Schroeder<\/a> & Justin Warner<\/a>. ID: S0363<\/a>
This PowerShell attack platform combined a number of useful tools including recon and exploitation.<\/p>\n\n\n\n

August 2015<\/strong>:\u00a0 DCSync update<\/a> to Mimikatz by Vincent Le Toux<\/a> & Benjamin Delpy<\/a>. ID: T1003.006<\/a>
DCSync represented a strategic shift where getting on Domain Controllers to capture password hashes was no longer necessary.
ADSecurity article on DCSync capability & detection<\/a><\/p>\n\n\n\n

August 2015<\/strong>: Black Hat 2015 presentation by Sean Metcalf<\/a>:  Unconstrained Delegation risks <\/a>&
ADSecurity articles: Golden Tickets more powerful<\/a> & Active Directory Persistence using AdminSDHolder<\/a>.<\/p>\n\n\n\n

September 2015<\/strong>: CrackMapExec v1.0.0 <\/a>tool released by Marcello aka byt3bl33d3r<\/a>. ID: S0488<\/a>
CrackMapExec combined useful attack tools in to a single tool.<\/p>\n\n\n\n

September 2015<\/strong>: DerbyCon 2015 presentation <\/a>by Sean Metcalf<\/a>: Attacking Directory Services Restore Mode (DSRM)<\/a>. This presentation disclosed the fact that the DSRM account on Domain Controllers is actually the local Administrator (RID 500) account and that is possible to pass the hash for this account (discovered with Benjamin Delpy<\/a>).<\/p>\n\n\n\n

December 2015<\/strong>: Attacking\u00a0 Group Managed Service Accounts (GMSAs) <\/a>by Michael Grafnetter<\/a>.
This article describes some ways to take advantage of GMSAs.
ADSecurity article on attacking GMSAs<\/a>.<\/p>\n\n\n\n

August 2016<\/strong>: Bloodhound<\/a> tool released at DEFCON 23<\/a> originally written by Will Schroeder<\/a>, Rohan Vazarkar<\/a>, & Andy Robbins<\/a>. ID: S0521<\/a>
Bloodhound grew from an attack tool into a tool for both Red and Blue teams mapping out attack paths and identifying key items that can resolve multiple issues.<\/p>\n\n\n\n

January 2017<\/strong>: PingCastle 2.4.0.1<\/a>\u00a0released. PingCastle <\/a>scans for Active Directory security issues and provides steps to resolve them.<\/p>\n\n\n\n

February 2017<\/strong>: Detect Kerberoasting <\/a>with no false positives by Sean Metcalf<\/a>.<\/p>\n\n\n\n

May 2017<\/strong>: DNS Admin to Domain Admin<\/a> by Shay Ber.
ADSecurity article on this<\/a>

May 2017<\/strong>: Death Star<\/a> python script <\/a>released by byt3bl33d3r<\/a>
This Python script provides a one-step identification to Domain Admin.<\/p>\n\n\n\n

May 2017<\/strong>: Ntlmrelayx<\/a> tool released by Fox-IT<\/p>\n\n\n\n

August 2017<\/strong>: ACE up the Sleeve Black Hat 2017 presentation <\/a>by Andy Robbins<\/a> and Will Schroeder<\/a> which covered 5 primary items: A Hidden DCSync Backdoor, AdminSDHolder, Exploitation, Exchange Strikes Back, and Abusing GPOs.<\/p>\n\n\n\n

September 2017<\/strong>: Sharphound<\/a> tool release
Sharphound was the C# port replacing the PowerShell ingester with tons of speed and efficiency updates.<\/p>\n\n\n\n

2018<\/strong>: Ldapdomaindump<\/a> tool released by Dirk-jan Molema<\/a><\/p>\n\n\n\n

January 2018<\/strong>: ADSecurity article<\/a> describing how to attack Read-Only Domain Controllers (RODCs).<\/p>\n\n\n\n

February 2018<\/strong>: Bloodhound.py <\/a>tool released by Dirk-jan Molema<\/a> (Python based Bloodhound ingester)<\/p>\n\n\n\n

July 2018<\/strong>: GhostPack<\/a> released\u00a0 as a collection of C# ports of popular PowerShell tools and collects these tools together

August 2018<\/strong>: DCShadow attack <\/a>by Vincent Le Toux<\/a> & Benjamin Delpy<\/a>. ID: T1207<\/a>
The DCShadow attack mapped out how to create a temporaery “Domain Controller”, use it to make changes to Active Directory, and subsequently make this temporary DC disappear.<\/p>\n\n\n\n

September 2018<\/strong>: Rubeus<\/a> tool released by Will Schroeder<\/a> (port of Kekeo <\/a>and added to GhostPack<\/a>). ID: S1071<\/a><\/p>\n\n\n\n

October 2018<\/strong>: \u201cPrinter Bug\u201d AD priv esc talk at DerbyCon <\/a>by Will Schroeder<\/a>, Lee Christensen<\/a>, & Matt Nelson<\/a>
ADSecurity article on this<\/a><\/p>\n\n\n\n

January 2019<\/strong>: PrivExchange<\/a> tool released by Dirk-jan Molema<\/a><\/p>\n\n\n\n

January 2019<\/strong>: Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory<\/a> by Elad Shamir<\/a>
<\/p>\n\n\n\n

\u201cThe Third Age\u201d (2020 \u2013 Present)<\/strong><\/h2>\n\n\n\n

We are currently in what I refer to as the “Third Age” which is mostly refinements of existing techniques and tools with some notable novel techniques thrown in for good measure.<\/p>\n\n\n\n

August 2020<\/strong>: The Art of the Honeypot Account article published<\/a> that describes how best to configure Active Directory honeypot accounts.<\/p>\n\n\n\n

December 2020<\/strong>: Adalanche<\/a> tool released by Lars Karlslund<\/a>.<\/p>\n\n\n\n

March 2021<\/strong>: Purple Knight<\/a> released.<\/p>\n\n\n\n

April 2021<\/strong>: RemotePotato0<\/a> tool released by Antonio Cocomazzi & article<\/a> by Antonio Cocomazzi and Andrea Pierini.<\/p>\n\n\n\n

July 2021<\/strong>: PetitPotam<\/a> tool released. PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw<\/em>.<\/p>\n\n\n\n

August 2021<\/strong>: Certified Pre-Owned<\/a> (ADCS Attacks) Black Hat talk by Will Schroeder<\/a> & Lee Christensen<\/a> (ESC 1 to ESC7). Whitepaper download<\/a>.<\/p>\n\n\n\n

August 2021<\/strong>: Certify<\/a> ADCS tool released by Will Schroeder<\/a> & Lee Christensen<\/a> (in GhostPack<\/a>).<\/p>\n\n\n\n

October 2021<\/strong>: Kerberos Relay Attack <\/a>by James Forshaw<\/a>.<\/p>\n\n\n\n

October 2021<\/strong>: Certipy<\/a> tool released by Oliver Lyak (ly4k)<\/a> – Python port of the Certify tool.<\/p>\n\n\n\n

November 2021<\/strong>: \u201cIs This My Domain Controller<\/a>\u201d Black Hat talk by Sagi Sheinfeld (@sagish1233<\/a>), Eyal Karni (@eyal_karni<\/a>), & Yaron Zinar (@YaronZi<\/a>).<\/p>\n\n\n\n

April 2022<\/strong>: KrbRelayUp tool released <\/a>by Dec0ne<\/a>.<\/p>\n\n\n\n

July 2023<\/strong>: Locksmith <\/a>Active Directory Certificate Services (ADCS) issue scan & fix tool released<\/a> by Jake Hildreth.<\/p>\n\n\n\n

August 2023<\/strong>: Bloodhound Community Edition (CE)<\/a> released.<\/p>\n\n\n\n

October 2023<\/strong>: CrackMapExec continues as NetExec<\/a> (nxc).<\/p>\n\n\n\n

May 2025<\/strong>: BadSuccessor technique disclosed<\/a> which takes advantage of Delegated Managed Service Account (dMSA) <\/a>account weaknesses.<\/p>\n\n\n\n

August 2025<\/strong>: Bloodhound OpenGraph<\/a> released.<\/p>\n\n\n\n

September 2025<\/strong>: Active Directory password spraying detection published<\/a>.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Note: If you want to use content from this page, please credit Sean Metcalf and link back to this page.<\/em>

That’s my list of notable techniques and tools.
If you have anything to add or update on the History of Active Directory Security, please email me: sean[@]adsecurity[dot]org.<\/p>\n","protected":false},"excerpt":{"rendered":"

During the Summer of 2024, I had a talk at Troopers called “A Decade of Active Directory Attacks:What We’ve Learned & What’s Next” (Slides & Video) where I focused on the key milestones of Active Directory security (history). This article covers my “decade of Active Directory attacks” in some detail which was correlated with public … <\/p>\n

Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,2],"tags":[1512,1497,1518,1523,1498,1529,1173,1515,1509,1530,1522,1524,1525,1507,1516,598,1510,602,590,725,765,1508,1531,1464,601,673,1136,1526,1527,1514,1528,207,599,1501,1511,1503,1504,44,1521,1532,954,1506,232,696,1483,1519,1520,1032,1517,1513,1505,1499,1500,513,1502],"class_list":["post-4706","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-technical-reference","tag-aceupthesleeve","tag-activedirectorysecurityhistory","tag-adalanche","tag-adcsattacks","tag-adsecurityhistory","tag-badsuccessor","tag-bloodhound","tag-bloodhound-py","tag-bloodhoundce","tag-bloodhoungopengraph","tag-certifiedpre-owned","tag-certify","tag-certipy","tag-crackmapexec","tag-dcshadow","tag-dcsync","tag-dnsadmintodomainadmin","tag-dsinternals","tag-dsrm","tag-exploitinggrouppolicypreferences","tag-goldentickets","tag-groupmanagedserviceaccounts","tag-historyofactivedirectorysecurity","tag-honeypot","tag-impacket","tag-kerberoast","tag-kerberoasting","tag-kerberosrelay","tag-krbrelayup","tag-ldapdomaindump","tag-locksmith","tag-mimikatz","tag-mimikatzdcsync","tag-nbnspoof","tag-ntlmrelayx","tag-overpass-the-hash","tag-pass-the-ticket","tag-passthehash","tag-petitpotam","tag-pingcastle","tag-powershell-empire","tag-powershellattackdetection","tag-powersploit","tag-powerview","tag-printerbug","tag-purpleknight","tag-remotepotato","tag-responder","tag-rubeus","tag-sharphound","tag-silvertickets","tag-smbrelay","tag-smbrelay2","tag-wce","tag-windowscredentialeditor","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4706"}],"version-history":[{"count":33,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4706\/revisions"}],"predecessor-version":[{"id":4773,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4706\/revisions\/4773"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}