This timeline highlights significant Active Directory attack discoveries and tool releases, showcasing the evolving landscape of AD security. Note that this is not exhaustive, but represents key milestones.
Timeline Visualization
timeline
title Active Directory Attack Research Timeline (2013-2021)
section 2013
2013-10 : Responder (LLMNR/NBT-NS/MDNS poisoning)
section 2014
2014-00 : Veil-PowerView (PowerSploit precursor)
2014-00 : Kerberoasting (Tim Medin, SANS Hackfest)
section 2015
2015-00 : PowerShell Empire
2015-00 : PowerView 2.0
2015-00 : DCSync (mimikatz)
2015-00 : CrackMapExec (v1.0.0)
2015-00 : Kerberos Unconstrained Delegation (Sean Metcalf, Black Hat)
2015-00 : Impacket
section 2016
2016-00 : BloodHound (attack path visualization)
section 2017
2017-00 : ASREPRoast
2017-00 : ACE Up the Sleeve (AD ACL attacks, _wald0 & harmj0y)
2017-00 : A Guide to Attacking Domain Trusts (harmj0y)
section 2018
2018-00 : Printer Bug & SpoolSample (Lee Christensen)
2018-00 : Rubeus (Kerberos attacks, harmj0y)
2018-00 : Not A Security Boundary: Breaking Forest Trusts (harmj0y)
2018-00 : DCShadow (Vincent LE TOUX & Benjamin Delpy, Bluehat IL)
2018-00 : Ping Castle (AD security auditing)
section 2019
2019-00 : Kerberoasting Revisited (harmj0y, DerbyCon)
2019-00 : RBCD Abuse (Elad Shamir)
2019-00 : Empire 3.0 (Python3 rewrite)
section 2020
2020-00 : ZeroLogon
section 2021
2021-00 : PrintNightmare
2021-00 : Shadow Credentials
2021-12 : noPac
Key Attacks and Tools (Summary)
- 2013: Responder – Network protocol poisoning for credential harvesting and lateral movement.
- 2014: Veil-PowerView/PowerSploit – PowerShell-based Active Directory reconnaissance; Kerberoasting – exploiting weak Kerberos pre-authentication.
- 2015: PowerShell Empire, PowerView 2.0 – powerful post-exploitation frameworks; CrackMapExec – fast credential cracking; DCSync – unauthorized replication of domain credentials; Impacket – collection of Python-based AD attack tools.
- 2016: BloodHound – groundbreaking tool for visualizing and exploiting relationships within AD, dramatically improving attack path discovery.
- 2017: ASREPRoast, ACE Up the Sleeve, and A Guide to Attacking Domain Trusts – techniques to exploit vulnerabilities in Kerberos and Access Control Lists.
- 2018: Printer Bug and SpoolSample – exploiting vulnerabilities in the Windows Print Spooler; Rubeus – advanced Kerberos exploitation; DCShadow – creating a shadow domain controller; Ping Castle – automated AD security auditing.
- 2019: Kerberoasting Revisited, RBCD Abuse, Empire 3.0 – further advancements in existing techniques and framework improvements.
- 2020: ZeroLogon – highly critical vulnerability allowing domain controller compromise.
- 2021: PrintNightmare – remote code execution via the print spooler; Shadow Credentials – privilege escalation via compromised credentials; noPac – domain compromise from a standard user account (under specific conditions).
Conclusion
The evolution of Active Directory attack techniques and tools from 2013 to 2021 demonstrates a continuous arms race between attackers and defenders. While significant progress has been made in identifying and mitigating vulnerabilities, the complexity of Active Directory and the constant emergence of new attack vectors necessitate ongoing vigilance. The timeline highlights the crucial role of security researchers in uncovering vulnerabilities and the importance of readily available, well-maintained tools for both offensive and defensive security professionals. A deep understanding of Active Directory's architecture, its associated protocols, and the constantly evolving threat landscape is vital for maintaining a robust security posture in modern enterprise environments. The sheer number of significant attacks and tools showcased here underscores the need for proactive security measures and continuous monitoring to protect against increasingly sophisticated threats.