BloodHound CE: Map Active Directory Attack Paths to Domain Admin (2026)
Run SharpHound, read attack graphs, abuse ACL misconfigurations and Kerberoastable accounts — step-by-step path to Domain Admin in Active Directory.
12 articles
Run SharpHound, read attack graphs, abuse ACL misconfigurations and Kerberoastable accounts — step-by-step path to Domain Admin in Active Directory.
A complete purple team walkthrough of Active Directory attack chains — from initial foothold through Kerberoasting, DCSync, and Golden Tickets to full domain compromise, with detection rules for every technique.
Active Directory Certificate Services is installed in most enterprise networks — and almost always misconfigured. Here's how attackers exploit ESC1 through ESC8 with Certipy, and how to detect and stop them.
The most dangerous defenders understand how attackers think. The best red teamers understand what defenders see. Here's why the divide between offense and defense is killing your security program.
DCSync abuses Active Directory replication to pull every password hash from a domain controller without touching it. Here's how the attack works, what it leaves in your logs, and how to build detections that catch it.
MFA is no longer enough to protect Microsoft Entra ID accounts. Attackers steal tokens, register their own devices, and bypass Conditional Access — without ever touching a password. Here's the full attack chain and how to detect it.
Microsoft is officially deprecating NTLM — yet CVE-2025-24054 was actively exploited days after patching, and the Coercion → Relay → ADCS → Domain Admin chain still works in most enterprise environments. Here's the full 2026 kill chain and how to detect it.
A practitioner's guide to PtH and PtT attacks: how they work, what tools attackers use, what evidence they leave behind, and how to build detections with Sigma and Wazuh.
A step-by-step debrief of a real-world red team engagement — from passive OSINT through AiTM phishing, EDR evasion, and ADCS exploitation to full domain compromise. What worked, what didn't, and what would have stopped us.
Shadow Credentials abuse msDS-KeyCredentialLink via DACL misconfiguration to add a rogue certificate, authenticate via PKINIT, and extract NT hashes — no password required.
A structured guide to Active Directory attack techniques — from BloodHound enumeration through Kerberoasting, LSASS dumping, ADCS abuse, and Shadow Credentials to Entra ID pivot. Every technique with detection coverage.
A comprehensive analysis of Kerberoasting — how it works at the protocol level, detection opportunities, and hardening strategies for Active Directory environments.