Security, Active Directory, Microsoft 365, PowerShell, and Windows Infrastructure


DCSync Attack: Finding and Fixing Replication Rights in Active Directory
DCSync doesn't require a foothold on a domain controller, just one account with the right to replicate directory data. Here's how to find who has those rights in your environment, remove what doesn't belong, and detect if someone is already using this technique against you.
10 hours ago · 4 min read


AS-REP Roasting: Finding and Fixing Vulnerable Accounts with PowerShell
AS-REP Roasting requires no domain credentials and leaves most environments completely exposed. Any attacker with network access to a Domain Controller can request an encrypted hash for any account with Kerberos pre-authentication disabled and crack it offline at their leisure. Here's how to find every vulnerable account in your environment, fix the ones that matter most, and detect if someone is already taking advantage.
6 days ago · 10 min read


Finding and Fixing Kerberoastable Accounts with PowerShell
Kerberoasting works entirely within normal Kerberos behavior: no elevated privileges, no lockouts, no alerts. Any domain user can request a service ticket for any SPN-enabled account and walk away with a crackable hash. In most environments I've reviewed, Kerberoastable accounts exist and nobody knows about it. Here's how to find them, fix them, and detect if someone is already taking advantage.
Apr 7 · 11 min read


Active Directory Trust Security: How to Secure AD Trusts Against Exploits
Active Directory trusts enable cross-domain access, but poorly secured trusts can turn one breach into a full forest compromise. Attackers exploit transitive trusts, foreign security principals, Kerberos delegation flaws, and legacy connections. Learn how to lock down trusts with SID filtering, selective authentication, audits, and KRBTGT rotation to stop lateral movement and protect your enterprise.
Aug 7, 2025 · 4 min read


Securing Active Directory: Active Directory Functional Levels
Active Directory functional levels control which features are available in your domain and forest, and running on outdated levels leaves security capabilities on the table. Here's what each level unlocks and why it matters for your environment.
Feb 13, 2024 · 6 min read