AD Security Timeline
A chronological journey through the most significant events in Active Directory security, from its release in 2000 to the modern era of identity-based attacks and cloud identity.
Active Directory Released
Microsoft ships Active Directory with Windows 2000 Server, establishing the dominant enterprise directory service for the next two decades.
Forest Trusts Introduced
Windows Server 2003 adds forest trusts and AD-integrated DNS application partitions, expanding cross-organization identity federation capabilities.
Read-Only Domain Controllers
Windows Server 2008 introduces RODCs for branch offices and the AD Recycle Bin for accidental deletion recovery.
Pass-the-Hash Research Published
Security researchers formalize the Pass-the-Hash attack technique, demonstrating that NTLM hashes alone are sufficient for lateral movement without knowing plaintext passwords.
Mimikatz Released
Benjamin Delpy releases Mimikatz, a tool capable of extracting plaintext passwords, NTLM hashes, and Kerberos tickets from Windows memory, fundamentally changing the AD threat landscape.
Azure Active Directory Reaches General Availability
Microsoft launches Azure Active Directory (later renamed Microsoft Entra ID in 2023) as a cloud identity service, beginning the hybrid identity era.
Kerberoasting Presented
Tim Medin presents the Kerberoasting technique at DerbyCon, showing how any domain user can request and crack service ticket hashes offline to recover service account passwords.
MS14-068: Kerberos Privilege Escalation
Microsoft patches a critical Kerberos vulnerability (CVE-2014-6324) that allows any domain user to forge a PAC and escalate to Domain Admin.
DCSync Attack Documented
Benjamin Delpy and Vincent Le Toux add the DCSync feature to Mimikatz, allowing attackers with Replicating Directory Changes rights to replicate credentials from a DC without ever touching NTDS.dit.
Golden Ticket & Silver Ticket Widely Adopted
The Golden Ticket (forged TGT using the KRBTGT hash) and Silver Ticket (forged TGS using the service hash) attacks become standard tools in adversary playbooks.
BloodHound Released
Rohan Vazarkar, Andy Robbins, and Will Schroeder release BloodHound at DEF CON 24, using graph theory to map attack paths in Active Directory at scale.
NotPetya Devastates Global Enterprises
The NotPetya wiper malware spreads via EternalBlue and credential harvesting, leveraging Active Directory to propagate across networks and causing over $10 billion in damages.
Unconstrained Delegation Abuse Highlighted
Researchers demonstrate how unconstrained Kerberos delegation on servers can be abused to capture TGTs from any user who authenticates, including domain controllers via the printer bug.
Zerologon (CVE-2020-1472)
The Zerologon vulnerability allows an unauthenticated attacker to instantly compromise any domain controller by exploiting a flaw in the Netlogon protocol's cryptographic implementation.
AD Certificate Services Attacks (ESC1-ESC8)
Will Schroeder and Lee Christensen publish "Certified Pre-Owned," revealing eight classes of AD CS misconfigurations that enable privilege escalation and domain persistence.
sAMAccountName Spoofing (CVE-2021-42278/42287)
Microsoft patches two vulnerabilities in November 2021 that the noPac exploit chain combines to allow any domain user to impersonate a domain controller and achieve Domain Admin in seconds.
Diamond Ticket Technique Documented
Charlie Clark (TrustedSec) formalizes the Diamond Ticket technique -- modifying the PAC of a legitimately issued TGT using the KRBTGT hash -- making forged tickets significantly harder to detect than traditional Golden Tickets.
BloodHound Community Edition Released
SpecterOps releases BloodHound Community Edition with a modern graph database backend and improved UI, making AD attack-path analysis more accessible than ever.
Microsoft Pushes Entra ID and Passwordless
Microsoft accelerates deprecation of legacy protocols and promotes Entra ID, passkeys, and phishing-resistant MFA as the path forward from on-premises AD.
AD CS ESC9-ESC16 Vulnerabilities Disclosed
Researchers expand the AD CS attack surface beyond the original ESC1-ESC8, documenting ESC9 through ESC16 -- new certificate template and CA misconfigurations that enable privilege escalation and domain persistence.
BloodHound Community Edition v8 Released
SpecterOps releases BloodHound Community Edition v8 with expanded Entra ID attack path analysis, Azure resource mapping, and improved AD CS edge detection, bridging on-prem and cloud identity graph analysis.
Microsoft Enterprise Access Model (EAM) Replaces ESAE
Microsoft officially pushes the Enterprise Access Model as the successor to the retired ESAE (Enhanced Security Admin Environment) architecture, extending tiered administration to cover Entra ID, Azure resources, and hybrid environments.