Episode 184 | Active Directory Isn't Dead. It's Just Undefended.
Show notes
Think Active Directory is dead? Think again. According to Microsoft data, 86% of organizational workloads still touch Active Directory, and nearly 20% of organizations don't expect to reach a hybrid state for 10-20+ years. In this episode, Brad and Spencer break down why AD attack paths remain one of the most critical threats in enterprise environments and what defenders can do about it right now.
Spencer also previews his ContinuumCon workshop "Killing AD Attack Paths Once and For All," where he demonstrates how authentication policies and silos, features built into Windows and Active Directory, can eliminate an entire class of lateral movement attacks.
In this episode:
- Why Active Directory is still alive, well, and heavily targeted
- What an Active Directory attack path is and how attackers use them
- The four prerequisites attackers need to abuse AD attack paths
- Real-world examples: Kerberos ticket theft, SCCM abuse, certificate misconfigurations, and misconfigured permissions
- Tools defenders should know: BloodHound, PingCastle, Purple Knight, Locksmith, and ADelegator
- How to prioritize remediations based on ease of exploitation vs. impact
- Why retesting is the most overlooked step in any remediation cycle
Resources mentioned:
- Spencer's ContinuumCon Workshop (Fri. June 12, 10:30am PT / 1:30pm ET): https://continuumcon.com/schedule/
- Hybrid Identity Protection Podcast (Semperis): https://www.semperis.com/hybrid-identity-protection-podcast/
- BloodHound CE: https://github.com/SpecterOps/BloodHound
- PingCastle: https://www.pingcastle.com
- Purple Knight: https://www.purple-knight.com
- Locksmith: https://github.com/TrimarcJake/Locksmith
- offsec.blog | securit360.com
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, and learn how we do internal pentesting.