Active Directory Pentest Guide India 2026: Full Kill Chain, Tools & Techniques

Ethical Hacking

  • April 23, 2026

TL;DR: Active Directory pentesting is the highest-leverage skill in Indian offensive security in 2026. Over 90% of Indian enterprises run on AD, and breaking into Domain Admin from a foothold remains the single most common red team objective. This guide walks the complete 2026 AD attack kill chain — recon, enumeration, credential theft, Kerberos abuse, ADCS exploitation, lateral movement, persistence, and pivoting across forests — with the exact tools and techniques used by professional Indian red teams.

If you are a pentester in India in 2026 and you cannot chain a full Active Directory compromise, you are not a pentester — you are a web app scanner with a fancy title. AD is where the real money, real risk, and real skill sit. Every BFSI breach, every Indian MNC ransomware incident, every state-sponsored APT report in the last three years has traced through Active Directory.

This is the guide we wish we’d had when starting. Written by Macksofy Trainings’ red team instructors — all OSCP, CRTO, and OSEP certified — it compresses hundreds of engagement hours into a single reference.

Why Active Directory Is the Prize

Active Directory is the identity and access control backbone of nearly every mid-size to enterprise Windows network. In India specifically:

  • All top-10 BFSI groups run on-prem or hybrid AD with Azure AD / Entra ID
  • Government ministries, PSUs, and state-level departments rely on AD for single sign-on
  • Manufacturing, pharma, logistics, and retail MNC India branches all run AD forests
  • Hybrid cloud setups keep AD as the authentication ground truth

Breaking AD means access to email, file shares, databases, finance systems, HR systems, payment gateways, and source code repositories. No other single skill gives an attacker — or a red teamer — as much leverage.

The MITRE ATT&CK Enterprise Matrix catalogues 100+ AD-related techniques. Real red team engagements chain 5-15 of these in sequence. This guide covers the ones you will actually need.

The 2026 AD Attack Kill Chain

Every real AD compromise follows the same seven-phase pattern:

  1. External recon — OSINT to find domain names, employees, external services
  2. Initial access — phishing, exposed service exploitation, VPN credential stuffing
  3. Internal recon — map the domain, find misconfigurations
  4. Credential access — steal, dump, or crack credentials
  5. Privilege escalation — local → domain user → privileged user → Domain Admin
  6. Lateral movement — hop across machines using stolen credentials
  7. Persistence and exfiltration — maintain access, extract data, pivot to other forests

The infographic below visualises the full chain with tools mapped to each stage.

Infographic: the seven-phase Active Directory attack kill chain, with the tools used in each phase.

Phase 1: External Reconnaissance

Before touching the target network, gather OSINT. The more you know, the fewer shots you need.

  • Domain enumeration: amass enum, subfinder, crt.sh, Hunter.io, DNSDumpster
  • Employee harvesting: LinkedIn + theHarvester + linkedin2username
  • Email format discovery: hunter.io, phonebook.cz, leaked-credential dumps (DeHashed, Snusbase)
  • External service enumeration: Shodan, Censys — look for exposed RDP, Outlook Web Access, VPN portals, Citrix StoreFront
  • Tech stack fingerprinting: BuiltWith, Wappalyzer

From a list of employees + an email format, you can generate thousands of valid credentials to test via password spraying or credential stuffing.

Phase 2: Initial Access

The most common entry vectors into Indian enterprise AD in 2026:

Password spraying against OWA / VPN / Azure

Use MSOLSpray or CrackMapExec against Azure AD, or FireProx-routed spraying against on-prem Outlook Web Access. Standard 2026 seasonal passwords that still work surprisingly often: Welcome@2026, Summer@2026!, <CompanyName>@123. Keep it slow — 1 password per user per 30 minutes to avoid lockout triggers.
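A defender-side counterpart to the spraying pattern described above, added here as an example and not part of the original guide. It parses constructed logon-failure lines (the line format, the IP addresses and the account names are all made up for the example), groups failures by source address and raises a finding when one source fails against many distinct accounts inside a two-hour window, however slowly the attempts are spaced. The window size and the distinct-account threshold are assumptions to tune per estate.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example: "<ISO timestamp> <event id> src=<ip> user=<name> status=<code>".
# A real pipeline would pull the same fields from Security events 4625 / 4771 / 4776.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+status=(?P<status>\S+)$"
)
FAILURE_EVENTS = {4625, 4771, 4776}   # logon failure, Kerberos pre-auth failure, NTLM validation failure
WINDOW = timedelta(hours=2)           # assumption: wide enough to see one attempt per account every 30 minutes
MIN_DISTINCT_USERS = 8                # assumption: distinct accounts failing from one source before alerting


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped rather than crashing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "src": m["src"],
        "user": m["user"].lower(),   # AD logons are case-insensitive; normalise so "Alice" and "alice" count once
        "status": m["status"],
    }


def detect_spray(lines):
    """Sliding window per source IP: alert when the distinct failed accounts inside WINDOW reach the threshold."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["eid"] in FAILURE_EVENTS:
            by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # user -> failures currently inside the window
        left = 0
        for right, ev in enumerate(evs):
            in_window[ev["user"]] += 1
            # advance the left edge until the window is at most WINDOW wide
            while ev["ts"] - evs[left]["ts"] > WINDOW:
                old = evs[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= MIN_DISTINCT_USERS:
                findings.append({
                    "rule": "password_spray",
                    "source": src,
                    "distinct_users": len(in_window),
                    "first": evs[left]["ts"],
                    "last": ev["ts"],
                })
                break   # one finding per source is enough for the analyst queue
    return findings


# Constructed sample: one external source fails once against each of ten accounts, ten minutes apart
# (slow enough never to trip a lockout), plus ordinary noise from inside the network.
_START = datetime(2026, 4, 20, 9, 0, 0)
_SPRAY_TARGETS = ["a.sharma", "r.iyer", "p.mehta", "s.nair", "v.rao",
                  "k.das", "m.khan", "n.gupta", "t.bose", "d.patel"]
SAMPLE_LOG = [
    f"{(_START + timedelta(minutes=10 * i)).strftime('%Y-%m-%dT%H:%M:%SZ')} 4625 "
    f"src=203.0.113.7 user={u} status=0xC000006D"
    for i, u in enumerate(_SPRAY_TARGETS)
] + [
    "2026-04-20T09:05:00Z 4625 src=10.10.20.15 user=alice status=0xC000006D",   # a user mistypes twice
    "2026-04-20T09:05:20Z 4625 src=10.10.20.15 user=Alice status=0xC000006D",
    "2026-04-20T09:05:45Z 4624 src=10.10.20.15 user=alice status=0x0",          # then succeeds
    "2026-04-20T11:30:00Z 4771 src=10.10.20.31 user=bob status=0x18",           # one pre-auth failure
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(f"{f['rule']}: {f['source']} hit {f['distinct_users']} accounts "
              f"between {f['first']:%H:%M} and {f['last']:%H:%M}")
```

Per-account lockout counters never fire on this input because no account fails more than once; the per-source distinct-account count is what surfaces it, which is why the detection is keyed on the source rather than the user. In an estate behind a VPN concentrator or proxy the "source" should be the client address the VPN or OWA logs record, not the appliance's own address.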

Phishing payloads

HTML smuggling, ISO/IMG containers with LNK + signed loader, OneNote payloads (until Microsoft hardened in mid-2024). For CRTO-style engagements, Cobalt Strike stageless beacons in malleable C2 profile. For OSCP-level practice, a simple macro-less HTA payload still opens 30% of Indian SMB environments.

Exploitable external-facing services

Still regularly working in 2026: Exchange Server unpatched (ProxyShell / ProxyNotShell leftovers), exposed Apache Log4j, Citrix NetScaler CVEs (CVE-2023-4966 Citrix Bleed still present at several Indian banks in 2024 audits).

Phase 3: Internal Reconnaissance

Once you have a foothold (even a low-priv user context), the next step is domain mapping.

BloodHound + SharpHound

BloodHound is the single most important tool in modern AD pentesting. It ingests session, group, ACL, and computer data from SharpHound (or BloodHound.py, or RustHound) and renders attack paths from any user to Domain Admin as a graph.

Typical first queries:

  • Shortest paths from Domain Users to Domain Admins
  • Kerberoastable accounts with Domain Admin privileges
  • AS-REP roastable accounts
  • Accounts with DCSync rights
  • Unconstrained delegation machines
  • ACL abuse paths (GenericAll, WriteDACL, ForceChangePassword)

Beyond BloodHound

  • SharpView / PowerView — PowerShell-based AD enumeration
  • ADRecon — generates a full AD report
  • Snaffler — hunts SMB shares for interesting files (connection strings, secrets, scripts)
  • ldapsearch / ldapdomaindump — LDAP queries from Linux
  • certipy — enumerate AD CS certificate templates

Phase 4: Credential Access

Credentials are the currency of AD compromise: collect them at every stage.

Kerberoasting

Any domain user can request Kerberos service tickets (TGS) for accounts with a Service Principal Name (SPN). Those tickets are encrypted with the service account’s NTLM hash and can be cracked offline with Hashcat (mode 13100).

# From Linux
GetUserSPNs.py -dc-ip 10.10.10.10 CORP.LOCAL/username:password -request

# From Windows
Rubeus.exe kerberoast /outfile:hashes.txt
hashcat -m 13100 hashes.txt wordlist.txt --rules=OneRuleToRuleThemAll.rule

Service accounts commonly use weak or reused passwords. Kerberoasting yields Domain Admin in roughly 30% of our engagements.

AS-REP Roasting

Users with the DONT_REQ_PREAUTH flag set let any attacker request their AS-REP, which contains a portion encrypted with a key derived from the user’s password. Crackable offline (Hashcat mode 18200). Less common than Kerberoasting, but a free win when you find one.

LSASS dumping

On any compromised machine where you have local admin, dump LSASS memory to extract plaintext passwords, NTLM hashes, and Kerberos tickets:

  • procdump.exe -ma lsass.exe lsass.dmp (Microsoft-signed, AV-friendly)
  • comsvcs.dll via PowerShell minidump (LOLBin)
  • Mimikatz offline against the dump
  • pypykatz for cross-platform parsing

DPAPI secrets

Windows stores browser-saved passwords, WiFi keys, and RDP credentials encrypted with DPAPI. Once you have a user’s master key (via SYSTEM access or DCSync), you can decrypt offline with Mimikatz dpapi::masterkey.

NTDS.dit extraction

The holy grail. NTDS.dit on a Domain Controller contains every user’s NTLM hash. Extract via:

  • impacket-secretsdump with DCSync rights
  • Volume shadow copy + esedbtools
  • ntdsutil IFM snapshot

Phase 5: Privilege Escalation in AD

Local to Local Admin

  • winPEAS, PrivescCheck, SharpUp — automated hunting
  • Unquoted service paths, weak service permissions
  • SeImpersonatePrivilege abuse (Juicy Potato, Rogue Potato, PrintSpoofer, GodPotato)
  • Vulnerable drivers (BYOVD in 2026 still a reality)

Domain User to Privileged Domain User

  • Kerberoasting → crack service account password
  • ACL abuse (GenericAll on user → reset password, or on group → add self)
  • RBCD (Resource-Based Constrained Delegation) — if you have write access to a computer’s ms-DS-AllowedToActOnBehalfOfOtherIdentity
  • Credential dumping from group member machines

Domain User to Domain Admin

  • DCSync attack — if you have the right (usually enabled for certain service accounts or high-priv groups)
  • DCShadow — register rogue DC to inject arbitrary changes
  • Golden Ticket — forge TGTs using the krbtgt hash
  • Silver Ticket — forge TGS for specific services
  • ADCS attacks (covered in next section)

Active Directory Certificate Services Attacks (ESC1-ESC13)

AD CS is the most exploited AD component in 2025-2026. The original SpecterOps “Certified Pre-Owned” research by Will Schroeder and Lee Christensen defined ESC1-ESC8. Additional techniques (ESC9-ESC13) have emerged since.

The key attacker tools are certify.exe (Windows) and certipy (Linux).

ESC1

Misconfigured certificate template allows a low-priv user to request a certificate specifying any subject — including Domain Admin. Request the cert, then authenticate as DA via PKINIT.

ESC8 (PetitPotam + AD CS web endpoints)

NTLM relay from a coerced Domain Controller to an AD CS web endpoint. Results in a DC certificate → TGT → full domain compromise. This chain alone takes dozens of Indian organizations from zero-to-DA in minutes during red team engagements.

Run certipy find on every engagement. If any ESC is vulnerable, ADCS is the fastest path to DA.

Phase 6: Lateral Movement

Once you have a usable credential or ticket, move laterally to reach high-value targets.

  • Pass-the-Hash (PtH): Authenticate using an NTLM hash without cracking — Mimikatz, CrackMapExec --hash, impacket-psexec, impacket-wmiexec
  • Pass-the-Ticket (PtT): Use a captured Kerberos ticket (.kirbi or .ccache) — Rubeus ptt, klist, impacket with KRB5CCNAME
  • Over-Pass-the-Hash: Convert NTLM hash into a full Kerberos TGT — Rubeus asktgt
  • WMI / WinRM / SSH / RDP / SMB exec — choose the noisiest/quietest based on detection goals
  • DCOM and COM hijacking — Invoke-DCOM for stealth

Good OPSEC: blend with normal admin traffic, use native Windows tooling (PsExec, PSRemoting), avoid tool signatures your client’s EDR is tuned to catch.

Phase 7: Persistence and Forest Pivoting

Domain persistence

  • Golden Ticket — forge TGTs that last 10 years
  • Skeleton key — patch LSASS on DC to accept a master password for every user
  • SID history injection — inject high-priv SIDs into your user
  • AdminSDHolder abuse — modify the AdminSDHolder ACL to auto-restore your privileges every hour
  • ACL-based persistence — backdoor a specific object (e.g. give yourself DCSync rights on the domain root)

Cross-forest pivoting

  • Trust enumeration — nltest /domain_trusts, BloodHound trust edges
  • Golden ticket with cross-forest SID history
  • ADCS trust abuse (ESC10 / ESC14)
  • Azure AD Connect compromise → hybrid cloud takeover

Azure AD / Entra ID in Hybrid Environments

Most Indian enterprises in 2026 are hybrid. Attack paths commonly extend from on-prem AD into Entra ID via:

  • Azure AD Connect sync account compromise
  • Seamless SSO misconfiguration
  • Primary Refresh Token (PRT) extraction from hybrid-joined endpoints
  • Conditional Access bypass via device code flow abuse
  • Application and service principal permission abuse

Tools: AADInternals, ROADtools, TokenTactics, BARK.

What Indian Blue Teams Should Watch

We train red AND blue teams. If you’re on defence, the detections that matter most:

  • Kerberos TGS requests for high-privilege SPNs — Event ID 4769 with RC4 encryption (Kerberoasting signal)
  • LSASS access from non-standard processes — Sysmon Event 10
  • DCSync — Event 4662 on the DC with specific GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
  • Certificate requests with unusual templates or subjects — Event 4886/4887
  • Unusual service account logons from non-standard hosts
  • New DC replication sources
  • Snaffler-like SMB share scanning patterns
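The first three detections in the list above, written out as an added example (not code from the original guide) and run over constructed sample events. The RC4 encryption type value, the replication GUID and the event IDs are the ones the list gives; the hostnames, account names, the LSASS allowlist and the burst threshold are assumptions for the example and would be tuned per estate. Events are flattened dictionaries of the EventData fields, which is roughly what a SIEM hands back after parsing.

```python
from collections import defaultdict

RC4_HMAC = 0x17                       # TicketEncryptionType in event 4769 (AES128 = 0x11, AES256 = 0x12)
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # replication GUID in 4662 Properties
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}   # assumption: accounts that legitimately replicate
LSASS_ALLOWLIST = {                      # assumption: processes expected to open LSASS; tune to the EDR/AV stack
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}
BURST_THRESHOLD = 5                      # assumption: distinct SPNs one account may request with RC4 before alerting


def _enc_type(value):
    """4769 logs the encryption type as a hex string such as '0x17'; accept plain ints too."""
    text = str(value)
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def detect_kerberoast(events):
    """Event 4769 with RC4 for a non-machine SPN, plus a burst rule across the batch."""
    findings, per_account = [], defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        svc = e.get("ServiceName", "")
        # machine accounts and krbtgt are not the roasting target; keep the rule focused on service accounts
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if _enc_type(e.get("TicketEncryptionType", "0x0")) != RC4_HMAC:
            continue
        acct = e.get("TargetUserName", "")
        per_account[acct].add(svc)
        findings.append({"rule": "kerberoast_rc4", "account": acct, "service": svc, "source": e.get("IpAddress")})
    for acct, services in per_account.items():
        if len(services) >= BURST_THRESHOLD:
            findings.append({"rule": "kerberoast_burst", "account": acct, "service_count": len(services)})
    return findings


def detect_dcsync(events):
    """Event 4662 whose Properties carry the replication GUID, raised by anything that is not a known DC."""
    findings = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        if DS_REPLICATION_GET_CHANGES not in str(e.get("Properties", "")).lower():
            continue
        subject = e.get("SubjectUserName", "")
        if subject in KNOWN_DC_ACCOUNTS:
            continue
        findings.append({"rule": "dcsync", "account": subject, "object": e.get("ObjectName"), "host": e.get("Computer")})
    return findings


def detect_lsass_access(events):
    """Sysmon event 10 (ProcessAccess) against lsass.exe from a process outside the allowlist."""
    findings = []
    for e in events:
        if e.get("EventID") != 10 or e.get("Channel") != SYSMON_CHANNEL:
            continue
        if not str(e.get("TargetImage", "")).lower().endswith("\\lsass.exe"):
            continue
        if str(e.get("SourceImage", "")).lower() in LSASS_ALLOWLIST:
            continue
        findings.append({"rule": "lsass_access", "process": e.get("SourceImage"),
                         "granted_access": e.get("GrantedAccess"), "host": e.get("Computer")})
    return findings


def detect_all(events):
    return detect_kerberoast(events) + detect_dcsync(events) + detect_lsass_access(events)


# Constructed sample events (names, hosts and addresses are made up for the example).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.20.15"},      # AES, machine SPN: normal
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "WS07$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.20.19"},      # RC4 but machine SPN: out of scope here
] + [
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": svc,
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.20.16"}
    for svc in ("svc_sql", "svc_backup", "svc_web", "svc_report", "svc_sccm")   # five RC4 requests, one account
] + [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=local",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES + "}", "Computer": "DC01"},   # DC-to-DC replication: expected
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=local",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES + "}", "Computer": "DC01"},   # a user account replicating
    {"EventID": 10, "Channel": SYSMON_CHANNEL, "Computer": "WS07", "GrantedAccess": "0x1400",
     "SourceImage": r"C:\Windows\System32\wininit.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "Channel": SYSMON_CHANNEL, "Computer": "WS07", "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Users\Public\update.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    for f in detect_all(SAMPLE_EVENTS):
        print(f)
```

The single-event RC4 rule is noisy on its own in estates that still have RC4-only service accounts, so the burst rule (many distinct SPNs from one account in one batch) is the one to page on; the DCSync rule depends entirely on the known-DC allowlist being complete, which is worth re-checking whenever a domain controller is added or retired.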

Our SOC Analyst training programme covers building these detections in Splunk, Sentinel, and Wazuh.

The Modern AD Red Team Toolkit (2026)

Category            Tools
Recon               BloodHound, SharpHound, PowerView, ADRecon, Snaffler
Credential attacks  Rubeus, Mimikatz, impacket-secretsdump, Certipy, ASREPRoast
AD CS               Certify, Certipy, PSPKIAudit
Lateral movement    Impacket suite, CrackMapExec, NetExec (successor), PsExec, WMIExec
C2 frameworks       Cobalt Strike, Sliver, Havoc, Mythic, Brute Ratel
Azure AD            AADInternals, ROADtools, TokenTactics, BARK
OPSEC / evasion     Donut, ScareCrow, FreezeChain, BOFs, ETW patches

Most of these are free and open-source. Cobalt Strike requires a commercial licence (~$7,500/year) — CRTO includes a student licence during the lab period, which is one of its biggest value drivers.

Career Path: AD-Focused Red Team in India

Indian enterprises pay premium salaries for engineers who can chain full AD compromises. Career progression typically:

  1. Junior Pentester (₹5-8 LPA) — OSCP + basic AD skills
  2. Mid Penetration Tester (₹10-15 LPA) — strong AD, some cloud
  3. Red Team Operator (₹16-24 LPA) — CRTO, Cobalt Strike, full AD kill chain
  4. Senior Red Team Consultant (₹22-35 LPA) — OSEP + CRTO, multi-forest, custom tradecraft
  5. Red Team Lead / Principal (₹35-60+ LPA) — OSCE3, CRTL, infrastructure design

See our full Cybersecurity Jobs in Mumbai 2026 guide for role-specific hiring contacts and salary data.

Training with Macksofy

Our red team training stack maps directly to this kill chain:

  • OSCP bootcamp — foundation; hands-on AD basics
  • CRTO mentorship — deep Cobalt Strike + full AD attack chains
  • ADCS workshop — ESC1 through ESC13 walkthroughs
  • Custom red team lab — 4-domain, multi-forest practice environment
  • 1-on-1 exam coaching for OSCP, CRTO, OSEP, CRTL

Reach out via our contact page for the next Mumbai / Pune / Bangalore batch.

Frequently Asked Questions

How long does it take to learn Active Directory pentesting properly?

For someone with OSCP-level offensive fundamentals: 3-6 months of 10-15 hours per week. Without any pentest background: 9-18 months, starting with general Windows admin skills, then OSCP, then AD specialisation.

What prerequisites should I have before diving into AD attacks?

Comfortable with Windows command line and PowerShell, solid networking fundamentals (especially Kerberos, NTLM, LDAP, SMB), Linux basics for attacker tooling, and at minimum OSCP-level privilege escalation and exploitation skills. Without these, you will struggle to reason about why AD attacks work.

Which tool do I learn first — BloodHound or Mimikatz?

BloodHound. Without a mental model of AD relationships, Mimikatz output is just text. BloodHound teaches you what to steal and why it matters. Mimikatz is the harvester; BloodHound is the map.

Is Cobalt Strike necessary for AD red teaming in 2026?

Not necessary, but dominant. Most Indian BFSI and Big 4 red teams run Cobalt Strike. Open-source alternatives (Sliver, Havoc, Mythic) are production-quality and increasingly common. Learn both the concepts (malleable C2, post-ex modules, lateral movement BOFs) and at least one C2 framework deeply.

Can I practise AD attacks legally and safely?

Yes. Build your own lab with GOAD (Game of Active Directory), HackTheBox Pro Labs (Dante, RastaLabs, Cybernetics), TryHackMe’s Throwback / Wreath networks, or Macksofy’s internal multi-domain lab for students. Never practise on a real corporate network without written authorization.

How do I stay current with AD attack techniques?

Follow SpecterOps, TrustedSec, Red Team Village, and the r/redteamsec subreddit. Read primary research on Medium, the SpecterOps blog, and PaperMill. Attend BSides India, Nullcon, HITB. Do 1 hour of reading per week — AD techniques evolve fast.

What’s the difference between AD pentesting and red teaming?

AD pentesting focuses on finding and reporting vulnerabilities in AD — comprehensive, noisy, time-boxed. Red teaming focuses on achieving specific objectives (domain dominance, data theft, goal assets) while evading detection — stealthy, long-duration, adversary-simulating. Both use the same core AD attack techniques; the difference is mission and OPSEC.

Final Word

Active Directory is unforgiving, fascinating, and career-defining. The 2026 Indian offensive security market pays a significant premium for engineers who can demonstrably chain a full AD compromise — and significantly less for those who stopped at web pentest. Invest the months. Build the lab. Pass OSCP. Earn CRTO. Read the research. Practice until chaining Kerberoasting → ADCS → DCSync is muscle memory.

The defenders are getting sharper. The attackers are getting cleverer. Stay on the cutting edge — or become obsolete.

Want to train for enterprise AD red team roles with experienced operators? Contact Macksofy Trainings — our OSCP + CRTO + OSEP certified instructors have placed 300+ Indian professionals into senior offensive-security roles since 2019.

Authoritative references

  • MITRE ATT&CK Enterprise Matrix
  • BloodHound Community Edition
  • Certified Pre-Owned (ADCS research)
  • The Hacker Recipes — AD Attack Encyclopaedia
  • Sean Metcalf — AD Security blog
  • Red Team Recipe
  • GOAD — Game of Active Directory
  • CERT-In — Indian Computer Emergency Response Team
Yasir Arafat
Yasir Arafat is the founder of Macksofy Trainings and a practicing cybersecurity strategist focused on offensive security training, SOC operations, and India-specific cybersecurity career development. Yasir has built Macksofy's EC-Council Accredited Training Center in Mumbai and its branches in Hyderabad, Dubai, and Toronto, growing the institute into one of India's leading certification partners for OSCP, CEH v13, CPENT, and SOC-200 programs. He writes and reviews training curriculum, mentors students through certification exams, and advises corporate clients on security-team hiring and upskilling. Contact: yasir@macksofy.com.