ADscan / field notes
Active Directory, from the inside
Operator-grade writing on Active Directory security. Attack paths and techniques for practitioners, compliance and board evidence for security leaders.
Start here
Active Directory Pentesting: Complete Operator Guide (2026)
Complete Active Directory pentesting methodology. From unauthenticated recon to Domain Admin. Covers enumeration, Kerberos attacks, ADCS, attack paths, credential harvesting, and reporting.
For security leaders
Compliance, board evidence, and the business case for AD security.
How to Make the Business Case for an AD Security Audit (Without Technical Jargon)
The 4 arguments that work with a CFO to approve an Active Directory security audit budget. No technical jargon. Includes a 5-minute conversation script.
DORA and Active Directory: Security Obligations for Financial Entities
What DORA requires from financial entities about Active Directory security. Concrete controls, required evidence, and how to audit before the supervisor asks.
For practitioners
Enumeration, Kerberos, ADCS, and the full path to Domain Admin.
80% of the Active Directories We Tested Had a Live Path to Domain Admin
Four attack-path patterns repeat across almost every Active Directory: ACL abuse, Kerberoasting, ADCS misconfiguration, and delegation abuse. None of them is a CVE. That is why the vulnerability scanner does not see them and the annual pentest is a photo, not a film.
NTLMv1 on a DC: Guaranteed Domain Compromise with Rainbow Tables
How to capture an NTLMv1 hash from a Domain Controller via coercion, recover the NT hash using Mandiant's public rainbow tables (8.6TB), and run a full DCSync. Verified attack chain, <12h on consumer hardware.
LSASS Dump Bypassing Defender: WerFaultSecure PPL Bypass (2026)
9 methods tested against Defender with PPL active. Why the original WSASS loader fails and the exact bit that fixes it. ADscan's custom build, Defender sig VirTool:Win32/LsassDump.B, and catch intelligence.
Patch Diffing CVE-2026-41089: Locating the Netlogon Bug in 4 Hours Without a Public PoC
Walkthrough of how to bindiff a Patch Tuesday Windows CVE end-to-end, from MSU acquisition to function-level bug identification. CVE-2026-41089 (Netlogon pre-auth RCE) as the running example. Methodology, tooling, and the honest limits of trigger development without weeks of exploit engineering.
AD Attack Paths: Map and Exploit with BloodHound (2026)
How to use BloodHound Community Edition to map Active Directory attack paths, find the shortest route to Domain Admin, and execute paths with ADscan.
Active Directory Initial Access Without Credentials: 6-Step Operator Workflow
How to get a foothold in an AD environment starting from zero — no credentials, no prior access. Uses LinkedIn OSINT, Kerbrute, and password spraying. Verified workflow from real engagements.
ADCS ESC1 Exploitation: From Low-Priv User to Domain Admin
Step-by-step ADCS ESC1 exploitation. How a misconfigured certificate template that allows enrollee-supplied subject names lets any domain user request a certificate for a Domain Admin and authenticate with it. Detection and remediation included.
ADCS ESC8: NTLM Relay to Active Directory Certificate Services
How ADCS ESC8 lets attackers relay coerced NTLM authentication from a domain controller to the AD CS web enrollment endpoint, obtain a certificate for the DC's machine account, and compromise the domain.
AS-REP Roasting Active Directory: Operator Guide (2026)
How AS-REP Roasting works, how to find accounts with Kerberos pre-auth disabled, extract hashes, crack offline, and what ADscan automates. Practical guide.
Best Wordlists for Active Directory Hash Cracking (2026 Benchmarks)
Ranked wordlists for cracking NTLM hashes from AD engagements. Real crack rates from weakpass.com. rockyou.txt is Rank C. Here's what actually works.
DCSync Attack: How It Works, How to Execute, and How to Detect It
DCSync mimics DC replication to dump all AD password hashes without touching LSASS. How to find DCSync rights, execute the attack, and detect it in your environment.
Kerberoasting Active Directory: Complete Operator Guide (2026)
How Kerberoasting works, how to find roastable accounts, extract TGS tickets, crack offline with hashcat, and what ADscan does differently. Practical guide for AD pentesters.
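The AS-REP Roasting and Kerberoasting guides above both start from the same enumeration question: which enabled accounts does the DC let you roast? The following is an added example, not code from the original page or from ADscan, showing the two checks side by side over constructed account records (a stand-in for what an LDAP query for sAMAccountName, userAccountControl and servicePrincipalName returns). AS-REP roastable means the DONT_REQUIRE_PREAUTH bit (0x400000) is set; Kerberoastable means a user account carries an SPN, excluding machine accounts and krbtgt, whose ticket is not crackable in practice. Disabled accounts (0x0002) are skipped in both cases because the KDC will not issue tickets for them. The sample account names and SPNs are invented for the example; the LDAP filters returned by ldap_filters() are the server-side equivalent of the same logic.

```python
# Added example: triage constructed AD account records for AS-REP-roastable
# and Kerberoastable accounts. Records are constructed, not exported from a real domain.

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: Kerberos pre-auth not required

# Constructed sample: same attribute shape an LDAP search against a DC would return.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql",    "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x410200,   # pre-auth disabled
     "servicePrincipalName": []},
    {"sAMAccountName": "old_svc",    "userAccountControl": 0x10202,    # disabled account
     "servicePrincipalName": ["HTTP/old.corp.local"]},
    {"sAMAccountName": "krbtgt",     "userAccountControl": 0x10202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WS01$",      "userAccountControl": 0x1020,     # machine account
     "servicePrincipalName": ["HOST/ws01.corp.local"]},
    {"sAMAccountName": "jdoe",       "userAccountControl": 0x10200,
     "servicePrincipalName": []},
]


def is_enabled(acct):
    """True unless the ACCOUNTDISABLE bit is set; the KDC issues no tickets for disabled accounts."""
    return not acct["userAccountControl"] & UF_ACCOUNTDISABLE


def asrep_roastable(accounts):
    """Enabled accounts with DONT_REQUIRE_PREAUTH: an AS-REP can be obtained without a password."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if is_enabled(a) and a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def kerberoastable(accounts):
    """Enabled user accounts with an SPN; machine accounts ($) and krbtgt are excluded
    because their ticket-encrypting keys are random and not crackable offline."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if is_enabled(a)
                  and a["servicePrincipalName"]
                  and not a["sAMAccountName"].endswith("$")
                  and a["sAMAccountName"].lower() != "krbtgt")


def ldap_filters():
    """Server-side equivalents of the two checks (LDAP_MATCHING_RULE_BIT_AND on userAccountControl)."""
    not_disabled = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    return {
        "asrep": "(&(objectCategory=person)(objectClass=user)"
                 "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" + not_disabled + ")",
        "kerberoast": "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
                      "(!(sAMAccountName=krbtgt))" + not_disabled + ")",
    }


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("Kerberoastable:  ", kerberoastable(SAMPLE_ACCOUNTS))
    for name, flt in ldap_filters().items():
        print(f"{name}: {flt}")
```

On the constructed data this flags legacy_app as AS-REP roastable and svc_sql as Kerberoastable; old_svc drops out as disabled, WS01$ as a machine account, and krbtgt by name. The same two filters plugged into any LDAP client against a DC reproduce the list for a real domain, which is also the list a defender should be reviewing before the pentester does.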
OneRuleToRuleThemStill: The Hashcat Rule Upgrade Most Pentesters Are Missing
In 2023, the creator of OneRuleToRuleThemAll published a faster, cleaner version. Most pentesters are still using the old one. Here's why it matters and how to switch.
The tool
Everything in these guides, automated
ADscan continuously maps every path an attacker could take to total control of your Active Directory and ties each one to your compliance framework.