
Active Directory Attacks for Cybersecurity Cert Exams: The Concepts You Must Know

Active Directory attacks tested on OSCP, OSEP, CRTO, PNPT, CEH, CISSP and CISM, with mitigations, tools, and a four-week lab plan.


What Active Directory attacks appear most often on cybersecurity cert exams?

Kerberoasting, AS-REP roasting, NTLM relay, DCSync, Pass-the-Hash, and Golden Ticket attacks dominate the OSCP, OSEP, CRTO, PNPT, and CEH practical components. Each maps to a specific misconfiguration or protocol weakness, and each has a defender-side mitigation that candidates are expected to know. The CISSP and CISM cover the same techniques at a conceptual level, focused on detection and response rather than execution.


If there is a single technical area that touches more cybersecurity certifications than any other, it is Active Directory attack and defence. The 40-point Active Directory chain on the modern OSCP, the entire OSEP exam, the practical components of CEH, PNPT, CRTO, and eCPPT, and conceptual items on CISSP, CISM, and Security+ all assume a working understanding of the same dozen attack primitives. The reason is straightforward: the 2017 NotPetya outbreak, the 2020 SolarWinds compromise, and the recurring ransomware operator playbooks documented by Mandiant and CrowdStrike all rely on the same Active Directory attack chain. This guide walks through the attacks every certification candidate must understand and the defences certification rubrics expect you to recommend.


Why Active Directory still matters in 2026

Despite a decade of cloud migration, Active Directory remains the central identity store for roughly 90 percent of Fortune 500 enterprises, often hybridised with Azure AD / Microsoft Entra ID. The on-premises AD domain still issues the Kerberos tickets, manages the Group Policy Objects (GPOs), and stores the password hashes that ransomware operators target on day one of an intrusion.

Active Directory -- a directory service implementation by Microsoft that authenticates users and authorises access to resources within a Windows domain. AD stores objects (users, computers, groups) in a hierarchical database called the NTDS.dit file on every Domain Controller.

Domain Controller (DC) -- a server that hosts a writable copy of the AD database and answers authentication requests using the Kerberos and NTLM protocols. Compromising a single DC typically yields the entire domain.

The Verizon Data Breach Investigations Report has consistently identified credential abuse and lateral movement via AD as the top attack pattern in enterprise environments since 2019. Certification exams reflect that reality, and the techniques tested in 2026 are essentially the same techniques observed in real intrusions.

"If you understand Kerberos, you understand 80 percent of every modern enterprise compromise. The protocol is older than most of the attackers exploiting it, and it shows. Defenders who treat Kerberos as a black box will keep losing to attackers who don't." -- Sean Metcalf, founder of Trimarc Security and author of AdSecurity.org


The six attacks every cert candidate must know

Memorising the names is not sufficient. The exam will test whether you can recognise the conditions that enable each attack, execute it (in practical exams), and recommend the corresponding defence (in management exams).

Attack           Pre-condition                                       Detection signal                      Mitigation
---------------  --------------------------------------------------  ------------------------------------  ----------------------------------
Kerberoasting    Service account with SPN and weak password          Event ID 4769 with RC4 encryption     Long passwords, gMSA, AES-only
AS-REP roasting  User with Kerberos pre-authentication disabled      Event ID 4768 without pre-auth flag   Enable pre-authentication
NTLM relay       NTLM authentication permitted without signing       SMB or LDAP relay attempts            LDAP signing, SMB signing, EPA
DCSync           Account with Replicating Directory Changes rights   DRSUAPI replication from non-DC       Restrict replication permissions
Pass-the-Hash    NTLM hash captured                                  Logon Type 9, abnormal logon paths    Credential Guard, LSA protection
Golden Ticket    KRBTGT hash compromise                              Tickets with abnormal lifetimes       Rotate KRBTGT twice, monitor TGTs

Each row deserves a paragraph of explanation, but the table compresses the relationships in a form the exam will frequently echo.

Kerberoasting in detail

Kerberoasting exploits the fact that any authenticated domain user can request a service ticket for any Service Principal Name (SPN) in the domain. The service ticket is encrypted with a key derived from the service account's password (its NTLM hash under RC4, or an AES key). The attacker takes the ticket offline and cracks the service account's password without ever talking to the Domain Controller again. Tim Medin introduced the attack at DerbyCon 2014, and it remains one of the most reliably exploitable AD weaknesses in 2026.

The defender-side mitigation that the exam expects is twofold. First, replace service accounts with Group Managed Service Accounts (gMSAs), which use 240-character random passwords automatically rotated by AD. Second, configure service accounts to use AES-256 encryption only, which makes offline cracking exponentially harder than the legacy RC4 default.

DCSync in detail

DCSync abuses the Directory Replication Service (DRS) Remote Protocol to request password hash replication from a Domain Controller. Any account holding the Replicating Directory Changes and Replicating Directory Changes All extended rights can perform the attack from anywhere on the network. The technique was popularised by Benjamin Delpy's mimikatz tool and is used in essentially every modern AD compromise.

The detection signal is non-obvious: legitimate DC-to-DC replication uses the same DRSUAPI protocol, so the only reliable telemetry is whether the replication request originates from a non-DC IP address. Microsoft's Defender for Identity product alerts on this pattern by default, but the exam will test whether you can articulate the underlying signal independent of any specific tool.
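The three detection signals named in the table and in the Kerberoasting and DCSync sections (4769 with RC4, 4768 without pre-authentication, DRSUAPI replication from a non-DC source) are simple enough to encode as rules. The following is an added example, not code from the article or from any Microsoft or SIEM product; it runs over constructed sample events shaped like the 4768/4769 event-data fields (TicketEncryptionType, PreAuthType, ServiceName, IpAddress) plus an assumed RPC-log shape for replication requests (Interface, Operation, Account, SourceIP), and the DC address list is a constructed placeholder.

```python
"""Detection rules for the three indicators the article names: 4769 with RC4,
4768 without pre-authentication, and DRSUAPI replication from a non-DC.
Runs over constructed sample events; no real telemetry is read."""
from dataclasses import dataclass

# Assumption: addresses of the legitimate DCs, normally taken from the
# domain's own configuration. Constructed values.
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}

RC4_HMAC = 0x17      # TicketEncryptionType value for RC4-HMAC
NO_PREAUTH = 0       # PreAuthType 0: ticket issued without pre-authentication


@dataclass
class Alert:
    rule: str
    account: str
    source: str
    detail: str


def detect_kerberoast(ev):
    """4769 service-ticket request encrypted with RC4.
    Tickets for krbtgt and for computer accounts ($) are skipped to reduce
    noise; a production rule would also allow-list known RC4-only legacy services."""
    if ev.get("EventID") != 4769:
        return None
    if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
        return None
    svc = ev.get("ServiceName", "")
    if svc.lower().startswith("krbtgt") or svc.endswith("$"):
        return None
    return Alert("kerberoast", ev["TargetUserName"], ev["IpAddress"],
                 f"RC4 service ticket for {svc}")


def detect_asrep_roast(ev):
    """4768 TGT request where no pre-authentication was used."""
    if ev.get("EventID") != 4768:
        return None
    if int(ev.get("PreAuthType", "2")) != NO_PREAUTH:
        return None
    return Alert("asrep_roast", ev["TargetUserName"], ev["IpAddress"],
                 "TGT issued without pre-authentication")


def detect_dcsync(ev):
    """Replication request on the DRSUAPI interface from an address that is
    not a known Domain Controller. Assumed record shape: Interface,
    Operation, Account, SourceIP (constructed, not a Windows event)."""
    if ev.get("Interface") != "drsuapi":
        return None
    if ev["SourceIP"] in KNOWN_DC_IPS:
        return None
    return Alert("dcsync", ev.get("Account", "?"), ev["SourceIP"],
                 f"{ev.get('Operation')} from non-DC address")


# Constructed sample telemetry: two 4769s from a user (one RC4, one AES256),
# a machine-account krbtgt ticket, two 4768s, and two replication requests.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.40"},
    {"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0",
     "IpAddress": "10.0.5.23"},
    {"EventID": 4768, "TargetUserName": "jsmith", "PreAuthType": "2",
     "IpAddress": "10.0.5.23"},
    {"Interface": "drsuapi", "Operation": "IDL_DRSGetNCChanges",
     "Account": "CORP\\jsmith", "SourceIP": "10.0.5.23"},
    {"Interface": "drsuapi", "Operation": "IDL_DRSGetNCChanges",
     "Account": "CORP\\DC02$", "SourceIP": "10.0.0.11"},
]

RULES = (detect_kerberoast, detect_asrep_roast, detect_dcsync)


def run_detections(events=SAMPLE_EVENTS):
    """Apply every rule to every event and return the alerts raised."""
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


if __name__ == "__main__":
    for a in run_detections():
        print(f"[{a.rule}] {a.account} from {a.source}: {a.detail}")
```

Running the sample raises exactly three alerts: the RC4 ticket for svc_sql, the pre-auth-less TGT for legacyapp, and the replication call from the workstation address. The AES256 ticket, the krbtgt ticket, the normal TGT, and DC02's own replication are all suppressed, which is the point of the DC allow-list: legitimate DC-to-DC replication uses the same interface and only the source distinguishes it.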


The intermediate attacks that show up on advanced exams

OSEP, CRTO, and the GIAC GPEN and GXPN exams add a second layer of techniques that build on the basic six.

  • Unconstrained delegation abuse -- a server configured for unconstrained delegation will store Kerberos TGTs for any user who connects to it. Compromise of such a server combined with a coerced authentication (e.g., via PrintBug or PetitPotam) yields domain admin tickets.
  • Constrained delegation abuse -- when a server is permitted to delegate to specific services, an attacker who controls the server can request tickets impersonating any user to those services using the Service for User to Self (S4U2Self) and Service for User to Proxy (S4U2Proxy) extensions.
  • Resource-Based Constrained Delegation (RBCD) -- the modern form, configurable per object. Attackers who can write to a computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute can configure RBCD to themselves and pivot to local administrator on the target.
  • ADCS exploitation (ESC1 through ESC15) -- the Active Directory Certificate Services vulnerability classes documented by Will Schroeder and Lee Christensen in their 2021 Certified Pre-Owned paper. ESC1, ESC8, and ESC11 are the most commonly seen on certification exams.
  • Cross-forest trust abuse -- when a forest trust permits SID History migration, an attacker with domain admin in one forest can craft Golden Tickets that are honoured in the trusting forest, escalating across what should be an organisational trust boundary.
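The enabling conditions for Kerberoasting and AS-REP roasting (the Kerberoasting mitigation paragraph above) and for the three delegation abuses in this list are all visible as directory attributes, so a defender can audit for them before an attacker enumerates them. The following is an added example, not the article's or any tool's code; it evaluates constructed records shaped like the relevant AD attributes (userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity). Retrieving the live records via LDAP is left to the reader's tooling, and the treatment of an absent msDS-SupportedEncryptionTypes as "RC4 negotiable" follows the article's statement that RC4 is the legacy default.

```python
"""Directory-hygiene audit for the conditions that enable Kerberoasting,
AS-REP roasting, unconstrained/constrained delegation abuse and RBCD.
Added example over constructed records; not a query against a real domain."""

# userAccountControl bits (values from the AD schema)
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # Kerberos pre-authentication disabled
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self for any user)

# msDS-SupportedEncryptionTypes bits
ETYPE_RC4 = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10

GMSA_CLASS = "msDS-GroupManagedServiceAccount"


def rc4_allowed(obj):
    """Assumption (per the article's 'legacy RC4 default'): an absent or zero
    attribute means RC4 can still be negotiated for this account."""
    etypes = obj.get("msDS-SupportedEncryptionTypes", 0)
    return etypes == 0 or bool(etypes & ETYPE_RC4)


def audit_object(obj):
    """Return (account, finding, remediation) tuples for one directory object."""
    uac = obj.get("userAccountControl", 0)
    name = obj["sAMAccountName"]
    is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
    is_gmsa = GMSA_CLASS in obj.get("objectClass", [])
    findings = []

    # Kerberoastable: SPN on a human-managed account (gMSAs and computer
    # accounts use long random, rotated passwords and are excluded).
    if obj.get("servicePrincipalName") and not is_gmsa and not name.endswith("$"):
        if rc4_allowed(obj):
            findings.append((name, "kerberoast-rc4",
                "SPN on a user account with RC4 negotiable; move to gMSA or set AES-only"))
        else:
            findings.append((name, "kerberoast-aes",
                "SPN on a user account (AES-only); ensure a long random password or gMSA"))

    if uac & DONT_REQ_PREAUTH:
        findings.append((name, "asrep-roast",
                         "pre-authentication disabled; re-enable it"))

    # DCs are legitimately trusted for delegation; anything else is a finding.
    if uac & TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append((name, "unconstrained-delegation",
            "stores TGTs of every connecting user; remove or convert to constrained"))

    targets = obj.get("msDS-AllowedToDelegateTo", [])
    if targets:
        kind = ("constrained-delegation+transition"
                if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained-delegation")
        findings.append((name, kind, "can obtain tickets to: " + ", ".join(targets)))

    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append((name, "rbcd-configured",
            "RBCD set; confirm who holds write access to this attribute"))
    return findings


# Constructed sample objects (0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD,
# 0x1000 WORKSTATION_TRUST_ACCOUNT); the RBCD value stands in for a security descriptor.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc_sql", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "svc_web", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256},
    {"sAMAccountName": "gmsa_app$", "objectClass": ["user", "computer", GMSA_CLASS],
     "userAccountControl": 0x1000, "servicePrincipalName": ["HTTP/app01.corp.local"],
     "msDS-SupportedEncryptionTypes": ETYPE_AES256},
    {"sAMAccountName": "legacyapp", "objectClass": ["user"],
     "userAccountControl": 0x10200 | DONT_REQ_PREAUTH},
    {"sAMAccountName": "DC01$", "objectClass": ["computer"],
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "FILE01$", "objectClass": ["computer"],
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB02$", "objectClass": ["computer"],
     "userAccountControl": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/file01.corp.local"]},
    {"sAMAccountName": "WS05$", "objectClass": ["computer"], "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed SD bytes>"},
]


def audit(objects=SAMPLE_OBJECTS):
    """Audit every object and return the combined finding list."""
    return [f for obj in objects for f in audit_object(obj)]


if __name__ == "__main__":
    for account, finding, remediation in audit():
        print(f"{account:12} {finding:34} {remediation}")
```

On the sample data the audit reports svc_sql (RC4 still negotiable), svc_web (AES-only but still a user-held SPN), legacyapp (no pre-auth), FILE01$ (unconstrained), WEB02$ (constrained with protocol transition) and WS05$ (RBCD set), and stays silent on the gMSA and the DC. The RBCD finding is deliberately a review item rather than a defect: the attribute is the legitimate way to configure RBCD, and the risk is in who can write it.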

"Active Directory Certificate Services is the gift that keeps giving. Every penetration tester I've trained in the past three years has found at least one ESC1 misconfiguration in a customer environment. The pattern is almost universal." -- Andy Robbins, co-creator of BloodHound and Principal Product Architect at SpecterOps


Tools you must know fluently

The certification exams that test AD attacks expect tool fluency. The following are non-negotiable.

  1. BloodHound and SharpHound. Graph-based AD enumeration and attack path discovery. Run SharpHound -c All to collect, then visualise in BloodHound to surface shortest paths to Domain Admin.
  2. Impacket. Python toolkit covering secretsdump.py, GetUserSPNs.py, GetNPUsers.py, psexec.py, wmiexec.py, and ntlmrelayx.py. The de facto standard for cross-platform AD attack tooling.
  3. Mimikatz. Windows-native credential extraction tool. Even with Defender detection, the tool's offline use against memory dumps and NTDS.dit files remains essential.
  4. Rubeus. A C# Kerberos toolkit that handles ticket requesting, S4U abuse, and Pass-the-Ticket scenarios with cleaner output than Impacket.
  5. CrackMapExec / NetExec. The 2024-renamed nxc tool that combines SMB, WinRM, MSSQL, and LDAP enumeration into a single command-line tool.
  6. Certipy. The modern ADCS attack tool that replaced the legacy Certify utility. Supports all 15 ESC classes documented to date.

A typical OSEP-style attack chain

The exam scenario typically begins with a low-privilege foothold on a domain-joined workstation. The chain that scores points looks like this:

  1. Run PowerView or SharpHound to enumerate the domain. Identify reachable hosts, shares, and group memberships.
  2. Identify Kerberoastable accounts with GetUserSPNs.py and crack the hashes offline with hashcat mode 13100.
  3. If a service account has admin rights on a target server, pivot via psexec.py or wmiexec.py.
  4. Dump local SAM hashes from the new host with secretsdump.py.
  5. Identify any cached domain administrator credentials. If found, validate with crackmapexec smb against a Domain Controller.
  6. With domain admin credentials, perform DCSync via secretsdump.py -just-dc to obtain the KRBTGT hash.
  7. Generate a Golden Ticket with Rubeus golden /user:Administrator /krbtgt:<hash> /domain:<dom> /sid:<sid> for persistence.
  8. Document every step with screenshots showing both the command and the resulting privilege.

Defender-side knowledge for management certifications

CISSP, CISM, and the management portions of CCSP test the same attack concepts but ask you to recommend mitigations rather than execute attacks. The mitigations that appear most often on these exams:

  • Tiered administration model. Microsoft's deprecated ESAE and current Enterprise Access Model segments administrative accounts into Tier 0 (DCs and identity infrastructure), Tier 1 (servers), and Tier 2 (workstations). Tier 0 admins must never log on to Tier 1 or 2 systems.
  • Privileged Access Workstations (PAWs). Hardened workstations used exclusively for administrative tasks. PAWs cannot browse the internet or read email and are isolated from corporate network resources.
  • Just-in-Time and Just-Enough-Administration. Role-based access elevated only when needed, often via Microsoft's Privileged Identity Management (PIM) in Entra ID.
  • LAPS (Local Administrator Password Solution). Randomises local administrator passwords on every domain-joined machine, preventing lateral movement via shared local admin credentials.
  • Credential Guard and LSA Protection. Hardware-isolated credential storage that mitigates Mimikatz-style memory dumping.
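The tiered administration model above is a policy statement, but it can be enforced as a detection: a Tier 0 account producing an interactive-class logon on a Tier 1 or Tier 2 host is a violation whatever the intent. The following is an added example, not Microsoft's model documentation or any product's rule; it runs over constructed 4624 logon events (TargetUserName, LogonType, Computer) with constructed group-to-tier and hostname-prefix-to-tier tables that stand in for real group membership and asset inventory.

```python
"""Tiered-administration logon check over constructed 4624 logon events.
Added example; tier membership tables are placeholders for real inventory."""

# Assumed tiering tables (constructed): which groups make an account Tier 0,
# what each sample account belongs to, and which hostname prefix maps to which tier.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ACCOUNT_GROUPS = {
    "da_alice": {"Domain Admins"},
    "srvadm_bob": {"Server Operators"},
    "alice": {"Domain Users"},
}
HOST_TIER_BY_PREFIX = {"DC": 0, "ADFS": 0, "PAW": 0, "SRV": 1, "WS": 2}

# Logon types that leave reusable credentials or tokens on the host
# (interactive, batch, service, unlock, NewCredentials, RDP, cached).
# Network logons (type 3) are excluded here because they do not expose
# credentials to the host; drop the filter to enforce the strict rule.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 7, 9, 10, 11}


def account_tier(user):
    """Lowest tier number wins: Tier 0 if any Tier 0 group, else 1 for server admins, else 2."""
    groups = ACCOUNT_GROUPS.get(user, set())
    if groups & TIER0_GROUPS:
        return 0
    if "Server Operators" in groups:
        return 1
    return 2


def host_tier(hostname):
    """Map a host to its tier by naming convention; unknown hosts are treated as Tier 2."""
    upper = hostname.upper()
    for prefix, tier in HOST_TIER_BY_PREFIX.items():
        if upper.startswith(prefix):
            return tier
    return 2


def check_logon(ev):
    """Return a violation tuple when a higher-tier account logs on to a lower-tier host."""
    if ev.get("EventID") != 4624:
        return None
    logon_type = int(ev["LogonType"])
    if logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return None
    user = ev["TargetUserName"]
    atier, htier = account_tier(user), host_tier(ev["Computer"])
    if htier > atier:
        return (user, ev["Computer"], logon_type,
                f"tier {atier} account on tier {htier} host")
    return None


# Constructed sample events: an RDP logon and a RunAs (type 9) by a domain admin
# on workstations, a correct DC logon, a network logon, a server admin on a
# workstation, a normal user, and a failed logon (4625) that must be ignored.
SAMPLE_LOGONS = [
    {"EventID": 4624, "TargetUserName": "da_alice", "LogonType": "10", "Computer": "WS05.corp.local"},
    {"EventID": 4624, "TargetUserName": "da_alice", "LogonType": "2", "Computer": "DC01.corp.local"},
    {"EventID": 4624, "TargetUserName": "da_alice", "LogonType": "3", "Computer": "SRV01.corp.local"},
    {"EventID": 4624, "TargetUserName": "srvadm_bob", "LogonType": "10", "Computer": "WS12.corp.local"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": "2", "Computer": "WS12.corp.local"},
    {"EventID": 4624, "TargetUserName": "da_alice", "LogonType": "9", "Computer": "WS07.corp.local"},
    {"EventID": 4625, "TargetUserName": "da_alice", "LogonType": "10", "Computer": "WS07.corp.local"},
]


def run_checks(events=SAMPLE_LOGONS):
    """Return every tier violation found in the event list."""
    return [v for ev in events if (v := check_logon(ev)) is not None]


if __name__ == "__main__":
    for user, host, logon_type, why in run_checks():
        print(f"{user} on {host} (logon type {logon_type}): {why}")
```

The sample yields three violations: the domain admin's RDP and RunAs logons on workstations, and the server admin's RDP logon on a workstation. The type 9 case matters because it is the same logon type the table lists as the Pass-the-Hash signal, so a Tier 0 account producing it on a Tier 2 host deserves attention on both counts.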

The 2020 SolarWinds compromise illustrates why these mitigations matter. The attackers used Golden SAML (the Azure AD equivalent of Golden Ticket) after compromising the on-premises ADFS signing certificate, and then accessed cloud resources without ever needing to compromise individual cloud accounts. The chain depended on flat administrative privileges across on-premises and cloud, which a tiered model would have blocked.


A four-week AD attack mastery plan

The plan assumes 8 to 10 hours per week and access to a personal lab. The single best free lab is GOAD (Game of Active Directory), maintained by Mayfly at Orange Cyberdefense.

  1. Week 1. Build GOAD on a local hypervisor (VMware Workstation or VirtualBox). Run BloodHound against the lab. Practise Kerberoasting and AS-REP roasting end to end.
  2. Week 2. Practise NTLM relay attacks using ntlmrelayx.py. Configure a vulnerable host and successfully relay credentials to LDAP and SMB targets. Read the Microsoft KB5005413 advisory on PetitPotam mitigations.
  3. Week 3. ADCS attacks. Configure ADCS in the lab with vulnerable templates. Exploit ESC1, ESC8, and ESC11 using Certipy. Document each attack with a screenshot of the obtained certificate and the resulting authentication.
  4. Week 4. Cross-forest and persistence. Set up a forest trust in the lab. Practise Golden Ticket forging with Rubeus and mimikatz. Practise persistence via DSRM password reset and AdminSDHolder modification.

A senior offensive security consultant, Spencer Alessi, who has led red-team engagements at multiple Fortune 100 companies, has written that the four-week investment in GOAD produces more durable AD attack fluency than any commercial training course. The lab is free, the techniques are realistic, and the investigation process generates the kind of mistakes that turn into deep understanding.


How AD attack content differs across certifications

The same attack primitives show up across certifications, but the depth of testing varies significantly. Knowing the depth required by your target exam allows you to allocate study time efficiently.

Certification  Depth required                                      Format
-------------  --------------------------------------------------  ---------------------------------------
Security+      Conceptual recognition only                         Multiple choice
CEH            Tool-name recognition, basic execution              Multiple choice plus optional practical
OSCP           Full execution of the basic six attacks             24-hour practical
OSEP           Execution under EDR pressure, advanced techniques   48-hour practical
CRTO           Cobalt Strike-driven full chain                     Practical
GIAC GPEN      Conceptual depth plus tool fluency                  Open-book proctored
CISSP          Architectural and mitigation reasoning              CAT (computer-adaptive)
CISM           Risk-management framing, executive narrative        Linear

A candidate preparing for OSCP can ignore the CISM-level executive framing entirely and focus on tool fluency. A candidate preparing for CISM should not bother memorising Rubeus command flags but should be able to articulate why a tiered administration model reduces the blast radius of a Kerberoasting attack. Match the depth of your study to the depth of your exam.

Final note on detection-side knowledge

Even on offensive certifications, basic detection-side knowledge pays back. Recognising Event ID 4769 with RC4 encryption as the canonical Kerberoasting indicator, Event ID 4768 without pre-authentication as the AS-REP roasting indicator, and DRSUAPI replication from a non-DC source as the DCSync indicator helps you reason about the trade-offs of each attack and write better reports. The 2017 NotPetya outbreak and the 2020 SolarWinds compromise both included detection failures that a well-trained defender would have caught earlier, and the gap between offensive capability and defensive comprehension is precisely where senior practitioners distinguish themselves from junior ones. Build both sides of the skill simultaneously and you will outperform peers who specialise in only one.

The cybersecurity industry has slowly recognised that the offensive and defensive sides of Active Directory are inseparable. Microsoft's Defender for Identity product, CrowdStrike's Falcon Identity Threat Protection, and IBM's QRadar SIEM all consume the same Event ID telemetry that defenders learn to read in GIAC GCIH and GIAC GCIA preparation, while the attack patterns those tools surface come directly from the OSCP and OSEP curriculum. Candidates who study both sides in parallel discover that the same hour spent reading mimikatz source code teaches them what Defender for Identity is actually detecting, and the resulting detection-engineering insight is one of the most valuable things any cybersecurity practitioner can develop early in their career.



References

  1. Microsoft. Securing Privileged Access Reference Material. Microsoft Learn, 2024.
  2. Metcalf, Sean. Active Directory Security Resources. AdSecurity.org, 2024.
  3. Schroeder, Will and Christensen, Lee. Certified Pre-Owned: Abusing Active Directory Certificate Services. SpecterOps, 2021.
  4. MITRE Corporation. MITRE ATT&CK Enterprise Matrix - Credential Access and Lateral Movement. MITRE, 2024.
  5. NIST Special Publication 800-63B. Digital Identity Guidelines: Authentication and Lifecycle Management. National Institute of Standards and Technology, 2017.
  6. Verizon. 2024 Data Breach Investigations Report. Verizon Business, 2024.
  7. Medin, Tim. Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades. DerbyCon, 2014.