Overview

January 05, 2026 6 min read

Understanding Active Directory from an Attacker’s Perspective

Active Directory (AD), formally known as Active Directory Domain Services (AD DS), is the central system administrators use to manage enterprise environments. Through AD, administrators control operating systems, applications, users, computers, and access to sensitive data across the organization.

From a red team perspective, this centralized control is exactly what makes Active Directory such an attractive target.

Why Active Directory Is a High-Value Target

Active Directory stores critical information about the entire environment. It keeps structured records of:

  • Users
  • Groups
  • Computers
  • Services
  • Permissions and access relationships

Each of these elements is stored as an object. If an attacker can compromise or abuse even a small number of these objects, it may be possible to gain extensive — or even complete — control over the organization’s infrastructure.

In many real-world breaches, attackers do not immediately target servers or databases. Instead, they focus on Active Directory, because it acts as the brain of the Windows domain.

Core Active Directory Concepts

Domains and Domain Names

The first step in setting up Active Directory is creating a domain, such as example.com. This domain becomes the security boundary for authentication and authorization.

Within the domain, administrators create and manage objects such as:

  • User accounts
  • Computer accounts
  • Groups

To keep large environments manageable, these objects are usually organized into Organizational Units (OUs). OUs help administrators apply policies, delegate permissions, and maintain structure.

Objects and Attributes

Every object in Active Directory has a set of attributes, which vary depending on the object type.

For example, a user object may include attributes such as:

  • First name
  • Last name
  • Username
  • Email address
  • Phone number
  • Job title

From an attacker’s perspective, these attributes are valuable. They provide insight into naming conventions, organizational roles, and potential targets for lateral movement or privilege escalation.

Domain Controllers and Authentication

Active Directory relies on multiple components and services to function correctly. One of the most critical is the Domain Controller (DC).

When a user attempts to log in to the domain, their system sends an authentication request to a Domain Controller. The DC verifies whether:

  • The user exists
  • The credentials are valid
  • The user is allowed to log in

Because Domain Controllers handle authentication and authorization, they are among the most sensitive systems in any Windows environment.

Groups and Privileges

Objects in Active Directory can be assigned to groups, which simplifies permission management. For example, a group may be granted access to a specific file server share, and all members inherit that access automatically.

Attackers often focus on high-privilege groups, especially:

  • Domain Admins
  • Enterprise Admins
  • Administrators

Members of the Domain Admins group are the most powerful objects in the domain. If an attacker compromises a single Domain Admin account, they effectively gain full control over the entire domain.

Active Directory Enumeration

The Goal of Enumeration

In Active Directory attacks, enumeration is not just about listing users or computers. The real goal is to:

  • Build a detailed map of the domain
  • Visualize trust relationships and permissions
  • Identify potential attack paths

This domain map helps attackers understand where they are, what they can access, and where they should move next.

Foothold First, Privilege Later

A common mistake among beginners is assuming that the main objective is to quickly become a Domain Admin. In reality, maintaining a stable foothold is often more important.

If an attacker can compromise multiple users with similar access levels, losing one account does not mean losing access to the domain. Persistence and redundancy matter.

Privilege Escalation Is Not Always Direct

Not all valuable accounts are members of Domain Admins.

Some accounts — especially service accounts — may not appear highly privileged at first glance. However, they often have:

  • Local administrator access on servers
  • Permissions to manage services or applications
  • Access to sensitive resources

These accounts are frequently overlooked but can be powerful stepping stones.

Critical business data does not always require Domain Admin access. Sensitive information may reside on:

  • File servers
  • Database servers
  • Application servers

In many scenarios, accessing these systems is more valuable than owning the entire domain. From an attacker’s perspective, Domain Admin is a means to an end — not always the end itself.

Enumeration Scenario

Assume the following scenario:

  • The target domain is example.com
  • We have obtained valid credentials for a low-privilege domain user through phishing
  • This user has RDP access to their own Windows workstation

Our objective is to start from this limited position and enumerate the domain.

Expanding Access Through Iterative Enumeration

From the compromised user’s system, we begin enumerating:

  • Domain users
  • Groups and memberships
  • Computers
  • Access rights and sessions

If we gain access to another user or machine, we repeat the enumeration process from this new standpoint.

This repetition is critical. Even if the new access level appears similar, administrators may have assigned:

  • Special permissions
  • Additional group memberships
  • Unique access based on job role

Each new vantage point can reveal previously hidden attack paths.
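The domain map that this iterative enumeration builds, as an added example that is not part of the original post: a small graph over constructed sample data (hypothetical names, not from the page) using the relationship types the text lists (group membership, local admin rights on a computer, a user's logged-on session), a shortest-path search to see whether a low-privilege user can reach Domain Admins, and a nested-membership audit of a high-privilege group. Defenders build exactly the same map to find and cut such paths before an attacker does.

```python
from collections import deque

# Constructed sample of example.com (hypothetical names, not data from the page).
# memberOf: principal->group (nesting allowed); adminTo: principal->computer (local admin); hasSession: computer->logged-on user
EDGES = [
    ("alice", "memberOf", "Helpdesk"),
    ("Helpdesk", "memberOf", "Workstation Admins"),
    ("Workstation Admins", "adminTo", "WS01"),
    ("WS01", "hasSession", "svc_backup"),
    ("svc_backup", "adminTo", "FS01"),
    ("FS01", "hasSession", "bob"),
    ("bob", "memberOf", "Domain Admins"),
    ("carol", "memberOf", "Finance"),  # Finance holds no admin rights anywhere
]
GRAPH = {}  # adjacency list: node -> [(relation, neighbour)]
for _src, _rel, _dst in EDGES:
    GRAPH.setdefault(_src, []).append((_rel, _dst))
    GRAPH.setdefault(_dst, [])

def find_path(graph, start, target):
    """Shortest chain of (src, relation, dst) hops, or None if unreachable."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while prev[node]:
                src, rel = prev[node]
                hops.append((src, rel, node))
                node = src
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None

def effective_members(graph, group):
    """Every principal that lands in `group` directly or through nested groups."""
    members, pending = set(), [group]
    while pending:
        current = pending.pop()
        for src, rels in graph.items():
            if ("memberOf", current) in rels and src not in members:
                members.add(src)
                pending.append(src)
    return members

def principals_with_path(graph, target, principals):
    """The subset of `principals` that can reach `target` through any hop chain."""
    return sorted(p for p in principals if find_path(graph, p, target))
```

In this sample, alice (a plain Helpdesk member) reaches Domain Admins in seven hops without ever holding a privileged group membership herself, while carol has no path at all; re-running `find_path` from each newly reached node is the "repeat from the new standpoint" step the text describes.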