
AD-Attack-Defense: The Kill Chain Map for Active Directory Security Operations


Hook

Over 4,800 security professionals rely on a repository that contains zero lines of executable code. AD-Attack-Defense proves that sometimes the most valuable tool in your arsenal is simply knowing where to look.

Context

Active Directory security exists in a perpetual arms race. Red teams discover new privilege escalation paths through Kerberos delegation flaws, ADCS certificate abuse, or sAMAccountName spoofing. Blue teams scramble to detect these techniques, often learning about attacks only after compromise. The information exists—scattered across security blogs, conference talks, whitepapers, and researcher Twitter threads—but no single source maps the complete attack lifecycle from initial reconnaissance to domain persistence.

AD-Attack-Defense emerged to solve this fragmentation problem. Rather than building another offensive security tool, infosecn1nja created a structured knowledge base that organizes Active Directory attack techniques and defensive countermeasures along the kill chain framework. It aggregates expertise from leading researchers like Sean Metcalf (ADSecurity), Will Schroeder (harmj0y), and SpecterOps into categorized reference material covering Discovery, Privilege Escalation, Defense Evasion, Credential Dumping, Lateral Movement, and Persistence. For security teams, it functions as both a threat intelligence briefing and defensive playbook.

Technical Insight

System architecture (auto-generated diagram; only the phase labels and their attacker/defender annotations survive):

Reconnaissance Phase: Discovery (SPN scanning, LDAP queries) -> service enumeration; countermeasure: monitor LDAP traffic
Privilege Escalation: Zerologon, ADCS abuse -> exploit vulnerabilities; countermeasure: patch CVEs, harden ADCS
Credential Dumping: Mimikatz, DCSync -> extract credentials; countermeasure: Credential Guard, LSA protection
Lateral Movement: Pass-the-Hash, SMB -> authenticate to targets; countermeasure: network segmentation
Persistence Mechanisms: Golden Ticket, ACL backdoors -> establish foothold; countermeasure: audit privileged accounts
Defensive Countermeasures: detection and mitigation across all phases

The repository’s architecture follows the kill chain methodology, mapping attacker progression through Active Directory environments. Each phase contains curated links to primary source material—blog posts demonstrating exploitation techniques paired with detection guidance and mitigation strategies.

The Discovery phase exemplifies this dual perspective. Under “SPN Scanning,” the repository links to Sean Metcalf’s research on service discovery without network port scanning, which reveals how attackers enumerate service accounts by querying Active Directory for Service Principal Names. The technique is notable for generating only LDAP queries to domain controllers rather than network traffic to target hosts, making it difficult to detect through network-based monitoring.
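Because SPN scanning produces nothing but LDAP searches against the domain controller, the place to catch it is DC-side LDAP query logging rather than the network. The following is an added detection example written for this article, not code from the AD-Attack-Defense repository or from Metcalf's research; the log line format is constructed for illustration, and the threshold is an assumption you would tune to your environment.

```python
"""Flag LDAP searches that look like SPN enumeration.

Constructed log format (not a real product format), one search per line:
  <iso-timestamp> client=<ip> scope=<base|one|subtree> filter=<ldap-filter> attrs=<comma-list>
"""
import re
from collections import Counter

# Constructed sample: ordinary client lookups, then one client sweeping all SPNs.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z client=10.0.1.25 scope=base filter=(objectClass=*) attrs=namingContexts
2024-05-01T10:02:12Z client=10.0.1.25 scope=subtree filter=(sAMAccountName=jdoe) attrs=memberOf
2024-05-01T10:03:40Z client=10.0.9.77 scope=subtree filter=(&(objectCategory=person)(servicePrincipalName=*)) attrs=sAMAccountName,servicePrincipalName
2024-05-01T10:03:41Z client=10.0.9.77 scope=subtree filter=(servicePrincipalName=MSSQLSvc/*) attrs=sAMAccountName,servicePrincipalName
2024-05-01T10:03:42Z client=10.0.9.77 scope=subtree filter=(servicePrincipalName=HTTP/*) attrs=sAMAccountName,servicePrincipalName
2024-05-01T10:05:00Z client=10.0.1.30 scope=subtree filter=(servicePrincipalName=HOST/fs01.corp.local) attrs=dNSHostName
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) scope=(?P<scope>\S+) "
    r"filter=(?P<filter>\S+) attrs=(?P<attrs>\S+)$"
)
# A presence match or trailing wildcard on servicePrincipalName.
SPN_WILDCARD_RE = re.compile(r"\(servicePrincipalName=[^)]*\*\)", re.IGNORECASE)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_spn_sweep(rec):
    """Subtree search whose filter wildcards servicePrincipalName.
    Looking up one exact SPN (HOST/fs01...) is normal Kerberos client
    behaviour and is deliberately not flagged."""
    return rec["scope"] == "subtree" and SPN_WILDCARD_RE.search(rec["filter"]) is not None


def suspicious_clients(log_text, threshold=2):
    """Return {client_ip: sweep_count} for clients with >= threshold SPN sweeps."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_spn_sweep(rec):
            counts[rec["client"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"possible SPN enumeration from {ip}: {n} wildcard SPN searches")
```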

The Privilege Escalation section demonstrates the repository’s focus on modern post-exploitation tradecraft. It covers recent vulnerabilities like Zerologon (CVE-2020-1472), which exploited Netlogon cryptography, and PetitPotam, an NTLM relay technique abusing the MS-EFSRPC protocol. The repository also links to SpecterOps research on Active Directory Certificate Services (ADCS) abuse, a significant attack surface that became widely recognized in 2021.

The Credential Dumping phase links to techniques for extracting credentials from LSASS memory, DCSync attacks that mimic domain controller replication, and Kerberoasting attacks against service accounts. The repository references tools like Mimikatz, Rubeus, and Impacket while also pointing to defensive detection strategies.
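On the detection side of Kerberoasting, the signal is an account obtaining service tickets for many distinct SPNs in a short burst, typically with RC4-HMAC (encryption type 0x17) because those tickets are cheapest to crack offline. Below is an added example for this article, not code from the repository or any of the tools it links; the comma-separated records stand in for the TargetUserName, ServiceName and TicketEncryptionType fields of Windows event 4769 and are constructed, and the window and service-count thresholds are assumptions to tune locally.

```python
"""Flag Kerberoasting-style TGS request bursts in constructed 4769-like records.

Record format (constructed, one TGS request per line):
  <iso-timestamp>,<requesting-account>,<service-spn>,<encryption-type>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: normal AES tickets, one roasting burst, one lone RC4 ticket.
SAMPLE_4769 = """\
2024-05-01T09:00:01Z,jdoe,HOST/fs01.corp.local,0x12
2024-05-01T09:00:05Z,jdoe,CIFS/fs01.corp.local,0x12
2024-05-01T11:15:00Z,svc_backup,MSSQLSvc/db01.corp.local:1433,0x17
2024-05-01T11:15:01Z,svc_backup,HTTP/intranet.corp.local,0x17
2024-05-01T11:15:01Z,svc_backup,MSSQLSvc/db02.corp.local:1433,0x17
2024-05-01T11:15:02Z,svc_backup,ldap/dc01.corp.local,0x17
2024-05-01T11:15:03Z,svc_backup,HOST/dc01.corp.local,0x17
2024-05-01T14:00:00Z,legacyapp,MSSQLSvc/db01.corp.local:1433,0x17
"""

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, account, service, etype = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, service, etype))
    return events


def roasting_candidates(events, window=timedelta(minutes=5), min_services=4):
    """Return {account: distinct_spn_count} for accounts that obtained RC4 tickets
    for >= min_services distinct SPNs inside one sliding window. A single RC4
    ticket (legacyapp) is a hygiene finding, not a roasting signature."""
    by_account = defaultdict(list)
    for ts, account, service, etype in sorted(events):
        if etype == RC4_HMAC:
            by_account[account].append((ts, service))
    flagged = {}
    for account, reqs in by_account.items():
        for i, (start, _) in enumerate(reqs):
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= min_services:
                flagged[account] = len(services)
                break
    return flagged


if __name__ == "__main__":
    for account, n in roasting_candidates(parse_events(SAMPLE_4769)).items():
        print(f"possible Kerberoasting by {account}: {n} RC4 service tickets in one window")
```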

Under Discovery, the “User Hunting” section covers research on derivative local admin discovery and administrative relationship mapping across domains. The repository links to Will Schroeder’s work on these topics and references BloodHound for automated analysis.

The Lateral Movement section documents techniques including DCOM-based execution, Windows Remote Management abuse, and pass-the-ticket attacks using Kerberos TGTs. Each category includes references to both offensive techniques and detection methodologies.

Gotcha

AD-Attack-Defense is fundamentally a link aggregator, not operational tooling. The repository contains no executable code—you cannot clone it and immediately begin testing Active Directory security. It points to external tools and research, but you must acquire and configure those separately. For practitioners seeking ready-to-run attack frameworks, this creates friction—you’re always one click away from the actual implementation.

Link rot presents an ongoing challenge. The repository links to external blog posts, some hosted on personal sites that may disappear or migrate. GitHub repositories referenced may be archived or deleted. This is the inherent risk of curated knowledge bases versus self-contained documentation.

The repository also lacks hands-on learning environments. It doesn’t provide lab configurations, vulnerable AD setups, or practice exercises. Platforms like HackTheBox, TryHackMe, or GOAD (Game of Active Directory) offer practical training environments where you can apply these concepts. AD-Attack-Defense serves better as reference material and research index rather than a standalone learning resource. You need existing AD security knowledge to extract maximum value—beginners may struggle to contextualize the linked research without foundational understanding of Kerberos authentication, NTLM protocols, and AD object permissions.

Verdict

Use AD-Attack-Defense if you’re a penetration tester planning Active Directory assessments and need comprehensive attack surface coverage, a security architect designing detection and prevention controls for AD environments, or a threat intelligence analyst tracking post-exploitation tradecraft evolution. It excels as a structured index preventing blind spots—you won’t miss critical attack vectors like ADCS abuse or delegation attacks because they’re systematically cataloged in one location. Use it as pre-engagement research material or when building security requirements. Skip it if you need executable tooling, automated testing frameworks, or beginner-friendly tutorials with step-by-step instructions. This is a curated reference index for AD security research, not an operational toolkit. If you’re new to Active Directory security, start with hands-on platforms that provide vulnerable lab environments, then return to AD-Attack-Defense as a reference to deepen your understanding of the attack and defense landscape.
