The Most Common Paths to Active Directory Compromise

Module 0

You already have the two halves you need for this sub. From the threats sub you know the stages an intrusion moves through, recon to credential access to escalation to dominance. From the attack-surface sub you know the domain is a graph of relationships an attacker walks. Put them together and a fair question follows: out of all the possible routes through that graph, which ones do attackers actually take? The answer is reassuringly small, and it is the map of this whole course.

Scenario

You compare two incident reports from different responders, different companies, different months. One is a manufacturer hit by ransomware, one is a services firm that found an intruder during an audit. You expect two different stories. Instead, stripped of the names, they read almost identically: a foothold on a workstation, a weak service account roasted and cracked, a misconfigured permission used to escalate, replication abused to pull the domain's secrets, and game over. Why would two unrelated attackers, with different goals, walk the same road? Because the road works, and that is the insight this sub is built on.

Attackers are not artists. They are pragmatic, and they reuse what is reliable. Across thousands of real intrusions a small set of paths has proven to work almost everywhere, so those are the paths that get walked, again and again. Learning them is not learning trivia; it is learning where to stand as a defender, because the roads an attacker is most likely to take are the roads you most need to watch.

Why the same paths repeat

Four things make a path popular with attackers, and the common AD routes have all four.

They are reliable: they work on a normal, default domain without any special conditions. They need no vulnerability, so a fully patched environment does not close them. They are present almost everywhere, because they exploit the same handful of misconfigurations that accumulate in nearly every domain. And they are quiet, looking enough like ordinary administration that they often pass unnoticed. A technique with all four properties is not a clever trick an attacker saves for a hard target; it is the default opening move.

There is an economic logic underneath. Attackers, especially ransomware crews, run at scale and want repeatable process, not bespoke craft. A path that works on most domains can be turned into a playbook, handed to a less skilled operator, and run again and again for profit. The same forces that standardize any business standardize intrusions, and the common AD paths are the standardized product.

Figure: What makes a path the attacker's default move. Reliable: works on a default domain. No CVE needed: patching does not close it. Everywhere: common misconfigurations. Quiet: looks like normal administration. All four together, and the technique becomes an opening move, not a last resort.

This is also why defending against the common paths is the highest-value thing you can do. You will never close every theoretical route through the graph, but you do not have to. Shutting down the handful of reliable, everywhere-present roads removes the moves an attacker reaches for first, and forces them onto harder, louder ground where you have a better chance of catching them.

This is a genuinely encouraging idea, and worth holding onto. The attack surface can feel limitless, but the routes attackers actually use are not. A defender who methodically closes the common paths (strong service-account passwords, no privileged logons on workstations, tight delegation, watched replication) has shut the doors most intrusions walk through, without boiling the ocean. The job is large but finite, and the common paths tell you where to begin.

The path, step by step

Here is the canonical route, the one those two incident reports both described. Read it as a single story, because that is how it runs.

Figure: The canonical path, which is also the course. Foothold (one laptop) → Recon (map the graph) → Roast (weak service account) → Replay (reuse credentials) → Escalate (misconfiguration) → DCSync (pull hashes) → Dominance (forge tickets) → Impact (ransomware, theft, persistence).

It begins with a foothold, usually one phished user on one workstation, with no special privilege. From there the attacker runs reconnaissance, querying the directory to map the graph: who is privileged, which service accounts are weak, where the paths lead. That step is quiet, because reading the directory is something every domain member is allowed to do.

What they are reading is exactly the graph from the last sub: group memberships, account properties, delegation settings, the relationships that form paths. Because the directory answers these queries for any authenticated user by design, reconnaissance rarely trips an alarm in the native logs. It is the quietest step in the whole intrusion, which is why the defense against it leans on reducing what the directory gives away rather than on catching the query.

Next comes credential access, and Kerberoasting is the classic opening. The attacker requests a service ticket for a weak service account; the ticket arrives encrypted under a key derived from that account's password, so it can be cracked offline at leisure. If an account has pre-authentication disabled, AS-REP roasting gets a crackable hash even faster, with no ticket request at all. Either way, the attacker now holds a real credential they did not start with.

The reason this is so attractive is that the cracking happens offline, on the attacker's own hardware, with nothing sent back to the network. The only moment visible to a defender is the ticket request itself, and only if you know to look for the weak cipher that betrays it. A service account with a strong, rotated password survives the attempt; a weak one falls in minutes. That single difference, password quality on accounts most teams forget exist, decides whether this step works.
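A defender-side look at that one visible moment, added here and not part of the course: it scans constructed Windows Security Event 4769 records for weak-cipher ticket requests to user-owned service accounts and for the burst shape a roast produces. The field names are the real 4769 ones; the accounts and events are made up.

```python
"""Spot Kerberoasting in service-ticket requests (Windows Event ID 4769).
Added example for this page, not course material: it scans constructed 4769
records (a SIEM would supply real ones). The tell is the weak cipher: a roast
asks for RC4 (TicketEncryptionType 0x17) tickets for user-owned service
accounts, usually many in one burst.
"""
from collections import defaultdict

WEAK_ETYPES = {"0x17", "0x3", "0x1"}  # RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC

# Constructed sample events using the 4769 field names: TargetUserName is
# the requesting account, ServiceName the account the ticket is for.
EVENTS = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0"},  # AES, the KDC itself
    {"TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},  # RC4 for a user SPN
    {"TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_old",
     "TicketEncryptionType": "0x17", "Status": "0xd"},  # KDC refused it
    {"TargetUserName": "legacyapp@CORP.LOCAL", "ServiceName": "svc_print",
     "TicketEncryptionType": "0x17", "Status": "0x0"},  # one RC4 request
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FS02$",
     "TicketEncryptionType": "0x17", "Status": "0x0"},  # machine account
]

def is_roast_candidate(ev):
    """True when a weak-cipher ticket was actually issued for a user-owned SPN."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # machine accounts and krbtgt carry long random passwords
    if ev.get("Status", "0x0") != "0x0":
        return False  # a refused request handed back nothing to crack
    return ev["TicketEncryptionType"].lower() in WEAK_ETYPES

def weak_ticket_requests(events):
    """Map each requester to the sorted service accounts it got weak tickets for."""
    hits = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in hits.items()}

def roasting_bursts(events, threshold=3):
    """Requesters holding weak tickets for `threshold` or more distinct services:
    the mass-request shape of a roast rather than a single legacy client."""
    return {u: s for u, s in weak_ticket_requests(events).items() if len(s) >= threshold}
```

On a domain that has moved service accounts to AES, every hit from `weak_ticket_requests` deserves a look; `roasting_bursts` separates the roast from the one legacy client that still speaks RC4.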

With a credential in hand, they move. Credential theft and replay covers the techniques, pass-the-hash and pass-the-ticket, that reuse a stolen secret without ever knowing the password, and that harvest the far more valuable credentials left behind on the machines they reach, especially a privileged credential an administrator exposed by logging into the wrong host.

That last point is worth dwelling on, because it is how a roasted low-value account becomes a domain-ending one. Credentials linger in memory on the machines where they were used. If a domain administrator ever logged into a workstation the attacker now controls, the administrator's credential is sitting there to be harvested and replayed. The attacker does not need to crack it; they reuse it directly. One careless privileged logon can be the entire distance from foothold to domain control.

Escalation is where a misconfiguration turns a decent foothold into a powerful one. This is the richest part of the surface: a delegation right abused, a service principal name written onto the wrong account, the Server 2025 dMSA successor link set to inherit a privileged account, or a permission that makes an ordinary user a shadow admin. Any one of these can hand over a tier-zero credential.

The variety here is the point. Escalation is not one technique but a family, and which one works depends on which misconfiguration a given domain happens to carry. That is why the escalation modules are the heaviest in the course: there are many distinct paths, each with its own evidence, and a defender has to recognize the whole family, because an attacker will try whichever one your domain left open.

Then dominance. With enough privilege, the attacker performs DCSync, abusing replication to pull the password hashes for the entire domain, including the krbtgt account. Holding krbtgt means they can forge a golden ticket and authenticate as anyone, forever, until that account is reset twice. At this point they control the directory completely, and impact, the ransomware or the theft, is just the final step.

It is worth understanding why dominance is so durable once reached. A forged golden ticket is signed with the krbtgt key, and that key changes only when the account's password is deliberately reset, twice: the KDC keeps accepting tickets under the previous krbtgt key, so a single reset leaves a ticket forged with the old key valid. Until then the attacker can return as any user at will, which is why evicting them after a full compromise is so much harder than cleaning a single infected machine, and why real AD incident response includes that double reset. Reaching dominance is not the end of the attacker's interest; it is the start of their persistence.
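Watched replication, as an added example that is not course material: a check over constructed Windows Security Event 4662 records that flags replication requests from any principal other than the domain controllers and a hypothetical directory-sync account. The two replication-right GUIDs are the real ones from the AD schema; the domain, account names and events are constructed.

```python
"""Flag replication requests (DCSync shape) from accounts that should never replicate.
Added example for this page, not course material. It checks constructed Windows
Security Event ID 4662 records; the two GUIDs are the real replication extended
rights from the AD schema, the accounts and events are made up. 4662 only fires
when the domain object's SACL audits control access, which is assumed here.
"""
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # ...-Get-Changes-All: secrets too
CONTROL_ACCESS = 0x100  # AccessMask bit for an extended (control access) right

# Principals expected to replicate: the domain controllers and, in a hybrid
# domain, the directory-sync service account. Both sets are hypothetical.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
SYNC_ACCOUNTS = {"MSOL_a1b2c3d4"}

DOMAIN = "DC=corp,DC=local"
EVENTS = [  # constructed; Properties holds the rights used as {guid} tokens
    {"SubjectUserName": "DC02$", "ObjectName": DOMAIN, "AccessMask": "0x100",
     "Properties": f"{{{GET_CHANGES}}} {{{GET_CHANGES_ALL}}}"},  # normal DC replication
    {"SubjectUserName": "MSOL_a1b2c3d4", "ObjectName": DOMAIN, "AccessMask": "0x100",
     "Properties": f"{{{GET_CHANGES}}} {{{GET_CHANGES_ALL}}}"},  # directory sync
    {"SubjectUserName": "jdoe", "ObjectName": DOMAIN, "AccessMask": "0x100",
     "Properties": f"{{{GET_CHANGES}}} {{{GET_CHANGES_ALL}}}"},  # a user pulling secrets
    {"SubjectUserName": "FS01$", "ObjectName": DOMAIN, "AccessMask": "0x100",
     "Properties": f"{{{GET_CHANGES_ALL}}}"},                    # member server, not a DC
    {"SubjectUserName": "backup-admin", "ObjectName": DOMAIN, "AccessMask": "0x100",
     "Properties": f"{{{GET_CHANGES}}}"},                        # no -All: no secrets
    {"SubjectUserName": "helpdesk", "ObjectName": "CN=jdoe,CN=Users," + DOMAIN,
     "AccessMask": "0x20",  # WRITE_PROP on a user; placeholder attribute GUID below
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]

def is_dcsync_candidate(ev):
    """True for a control-access operation invoking Get-Changes-All from a
    principal that is neither a domain controller nor a known sync account."""
    if not int(ev["AccessMask"], 16) & CONTROL_ACCESS:
        return False
    if GET_CHANGES_ALL not in ev["Properties"].lower():
        return False  # without Get-Changes-All the reply carries no password hashes
    who = ev["SubjectUserName"]
    return who not in DOMAIN_CONTROLLERS and who not in SYNC_ACCOUNTS

def find_dcsync(events):
    """Return (account, object) pairs worth an immediate call, in log order."""
    return [(ev["SubjectUserName"], ev["ObjectName"])
            for ev in events if is_dcsync_candidate(ev)]
```

The allow-lists are the whole detection: keep them tied to the real DC inventory and the real sync account, because a member server or a user account exercising this right is the DCSync step in the canonical path.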

The same destination by other roads

That is the canonical path, but it is not the only one, and a defender has to remember that the graph has many roads to the same place.

Figure: Many roads, one destination. From a foothold (one laptop), Kerberoast and replay, delegation and SPN abuse, AD CS template abuse, or shadow-admin permissions all lead to tier zero: control of the domain.

Active Directory Certificate Services, where it is present and unhardened, often offers a faster road than Kerberoasting: a misconfigured template can let an ordinary user request a certificate that authenticates as an administrator, escalating to tier zero in a single step. Shadow-admin permissions offer another, skipping credential cracking entirely by abusing a right someone was granted. And the hybrid seam offers a road outward rather than upward, carrying an on-prem compromise into the organization's Entra tenant where more lives every year.

Each of these roads shares the quiet property, which is why intrusions so often go undetected for weeks. None of the steps looks dramatic in isolation; each resembles something an administrator might legitimately do. The attacker's whole advantage is that the individual actions blend in, and the defender's whole task is to recognize the pattern they form. That recognition is a learnable skill, and building it is what the rest of the course is for.

The lesson for the defender is uncomfortable but clarifying: you have to defend every road, because the attacker only needs one. That is why the course works through them all rather than teaching a single chain, and why it ends with a capstone that ties them back together.

Anti-pattern

Chasing the exotic while the common roads stay open. It is tempting to focus defensive energy on the newest, most sophisticated technique in the headlines, and to feel prepared because you understand it. But the intrusion that actually hits you is overwhelmingly likely to be the boring, reliable path: a weak service account roasted, a careless privileged logon replayed, replication abused for DCSync. Defenders who secure the common roads first, and only then worry about the rare ones, stop far more real attacks than those who do the reverse.

These paths are the course

Look back at the steps and you are looking at the syllabus. Recon, credential access, credential replay, escalation, dominance, the AD CS route, and the hybrid pivot each become a module, taught the same way: what the attacker does, what it leaves in the evidence, how you detect and analyze it, and how the exposure is reduced. The capstone then runs the whole canonical path as one incident so you see the chain end to end, the way a real responder does.

That is the value of knowing the common paths before you start. You are not about to learn a random collection of attacks; you are about to learn the specific, finite set of roads that real intrusions take, in the order they take them, so that when you meet one in your own telemetry you recognize where you are on the map.

Seeing the map first also changes how you learn the parts. When you reach the Kerberoasting module, you will already know where it sits in the intrusion and what it leads to, so it is not an isolated trick but a step with a before and an after. Each technique lands as part of a story you already understand, which is far easier to remember, and far more useful in an investigation, than a list of unrelated attacks.

You now have the shape of the threat, the surface it moves through, and the paths it takes. The next sub asks the obvious follow-up: if these paths are this well known, why is securing Active Directory still so hard? The challenges, technical and organizational, are what stand between knowing the paths and actually closing them.