Cyber Security Academy · Lesson

Active Directory Attack Surface

How AD trust and auth can be abused.

Why AD Is a Prime Target

Active Directory (AD) is the identity backbone of most enterprises. It governs authentication, authorization, and policy for users, computers, and services. Because nearly every resource trusts AD, a single domain compromise often equals full network compromise.

From a red-team perspective, AD is attractive because trust is transitive and misconfigurations accumulate over years. Blue teams must understand the same surface to defend it.

  • One forest can contain multiple domains linked by trusts.
  • Domain Controllers (DCs) hold the authoritative copy of all secrets.
  • Group Policy pushes configuration to every joined host.

Core Building Blocks

To reason about attacks you must know the objects involved. AD stores everything as objects with attributes in a hierarchical LDAP database.

  • Users and computers are security principals with SIDs.
  • Groups grant rights transitively (nested membership).
  • Organizational Units (OUs) structure objects and bind GPOs.
  • The krbtgt account holds the key that signs all Kerberos tickets.

The krbtgt account is the crown jewel: its hash enables Golden Ticket forgery.
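To make the nested-membership point from the list above concrete, here is an added audit example (not part of the original lesson) that resolves who effectively holds a privileged group's rights and through which chain of groups. The directory snapshot, group names and account names are constructed and hypothetical; a name is treated as a group when it appears as a key in the snapshot.

```python
from collections import deque

# Constructed sample: group -> direct members (users, service accounts or groups).
# All names are hypothetical; a real audit would load this from an LDAP export.
DIRECTORY = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Server-Admins"],
    "Server-Admins": ["carol", "Helpdesk", "Tier0-Ops"],  # nests back: a cycle
    "Helpdesk": ["dave", "svc-backup"],
    "Print-Team": ["erin"],                               # unrelated group
}


def effective_members(group, directory):
    """Return {principal: shortest nesting path} for every non-group
    principal that inherits the rights of `group`."""
    paths = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in directory.get(current, []):
            if member in directory:        # member is itself a group
                if member not in seen:     # guard against circular nesting
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:      # BFS: first hit is the shortest path
                paths[member] = path + [member]
    return paths


def indirect_members(group, directory):
    """Principals that hold the group's rights only through nesting,
    so they do not show up in the group's direct member list."""
    return {p: path for p, path in effective_members(group, directory).items()
            if len(path) > 2}


if __name__ == "__main__":
    found = effective_members("Domain Admins", DIRECTORY)
    for principal, path in sorted(found.items()):
        note = "" if len(path) == 2 else "  <-- inherited via nesting"
        print(f"{principal:12} {' > '.join(path)}{note}")
```

Reviewing the indirect list is where long-accumulated misconfigurations tend to surface: a helpdesk or service account several groups deep holds the same rights as a direct member.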

All lessons in this course

  1. Active Directory Attack Surface
  2. Kerberos and Kerberoasting
  3. Pass-the-Hash and Pass-the-Ticket
  4. Privilege Escalation and Domain Dominance