Cracking the Basics of Active Directory | Cyber Codex

f you’re aiming to red team Windows Networks, Active Directory (AD) isn’t just a topic — it’s the battleground.

Check it out

What is Active Directory?

Active Directory (AD) is Microsoft’s Directory service for Windows domain networks. Think of it as the digital master key to managing users, computers, and resources across an organization. It connects everything into a cohesive forest of domains, with each domain acting as a realm of control.

Core Components of AD:

• Domain Controllers

• Forests, Trees, and Domains

• Users & Groups

• Trusts & Policies

• Domain Services

Why do Comapnies Use Active Directory?

It centralized control. With a single login, employees can access their files and workstations anywhere on the network. For admins, it means pushing policies, managing security, and monitoring users — all from one pane of glass.

AD is scalable, efficient, and secure (well, until you show up with a PowerView payload).

Physical Active Directory: Hardware Meets Hierarchy

At its core, AD starts with Domain Controllers (DCs). These are Windows Servers that host:

• The AD DS Data Store (NTDS.dit) contains all directory data and password hashes.

• Authentication & Authorization services

• Replication duties to sync with other DCs.

Every machine and user in an AD environment ultimately answers to a domain controller.

Forests, Trees, and Domains: Organizing the Chaos

The Forest is the highest-level container — a collection of Trees (which are hierarchical domain structures).

• Domains: Logical groupings of objects like users and computers

• OUs (Organizational Units): Sub-contrainers to organize and apply policies

• Trusts: Let users access resources across domains

• Schema: Blueprint for object creation rules

Users & Groups: The Heartbeat of AD

Users:

• Domain Admins — The god tier users

• Services Accounts — For services like SQL

• Local Admins — Admins on local machines only

• Domain Users — Everyday employees

Groups:

• Security Groups: Control access to resources

• Distribution Groups: Email-based grouping (meh for attackers, but useful)

Fun fact: Default groups like Domain Computers, Enterprise Admins, and Cert Publishers often reveal key attack paths.

Trusts & Policies: The Social Contracts of AD

Trusts enable cross-domain access. Two Types:

• Directional: One-way trust

• Transitive: Expands across domains like a social web

Policies dictate behavior:

• Disable Defender across all machines?

• Enforce SMB signing?

It’s all controlled via Group Policy Objects (GPOs).

AD Domain Services & Authentication

Key default services provided by AD:

• LDAP: Communication between apps & directory

• Certificate Services: Manage public key certs

• DNS, LLMNR, NBT-NS: Name resolution services

Authentication Protocols:

• Kerberos: Uses ticket-based auth (TGT, STs)

• NTLM: Legacy, but still present. Encrypted challenge-response.

These are juicy targets for lateral movement and privilege escalation.

Active Directory in the Cloud

Welcome to Azure AD — the cloud-native, SaaS-backed cousin of on-prem AD. It brings better defaults for security, but introduces some new terminology and technologies. Here’s a quick comparison:

• LDAP in Windows AD is replaced with REST APIs in Azure AD

• NTLM becomes OAuth/SAML

• Kerberos shifts to OpenID

• The concept of Domain and Forests changes to Tenants

• Trusts are replaced with Guest access mechanisms

Cloud ADs are more secure out of the box, but still vulnerable. Time to evolve your attacks, ninja-style.

Hands-On Lab

For this lab, I used TryHackMe's Active Directory Basics.

Active Directory BasicsTryHackMe

Now that we have talked about Active Direcotry and understand the theory of it, let’s take a hands-on look. I recommend having basic knowledge in PowerShell before trying this lab. We’ll be taking a look at the internals of Active Directory by using PowerShell commands to view machines, computers, users, and groups.

Lab Setup

1. Deploy the machine and Attackerbox

2. SSH or RDP into the machine

Credentials:

Username: Administrator

Password: passwrod123@

Domain: CONTROLLER.local

PowerView Setup

1. cd Downloads — navigate to the directory PowerView is in

2. powershell -ep bypass — load a PowerShell shell with execution policy bypassed.

3. ..\PowerView.ps1 — import the PowerView module

Lab Overview

I will help you with a few commands; the rest is up to you. Use the PowerView CheatSheet by HarmJ0Y and explore the domain like a pro.

Example Commands:

Get-NetComputer -fulldata | select operatingsystem
Get-NetUser | select cn

Remote Access (Optional):

xfreerdp /u:Administrator /p:'password123@' /v:10.10.252.212 /size:90%

Command Walkthrough:

cd Downloads

powershell -ep bypass

..\PowerView.ps1

Check OS versions:

Get-NetComputer -fulldata | select operatingsystem

Output will include:

• Windows Server 2019 Standard

• Windows 10 Enterprise Evaluation

Check user list:

Get-NetUser | select cn

Look for second Admin name: Admin2

Enumerate Groups:

Get-NetGroup -GroupName *

Spot the group with a capital “V”: Hyper-V Admnistrators

Alternative:

net localgroup

Find SPN users with elevated privileges:

Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}

You’ll discover the SQL Service user with the password in the description:

Finally, dive deep with full user data:

Get-ADUser -identity SQLService -properties *

Check the PasswordLastSet field: 5/13/2020 8:26:58 PM

Now you’re on your own — go explore, enumerate, and understand how attackers see the network.

Conclusion

Active Directory is everywhere — from SMBs to Fortune 500s. If you’re serious about cybersecurity, mastering AD is non-negotiable.