Reconnaissance
In every campaign, whether conducted by an advanced persistent threat or a disciplined red team, the first step is reconnaissance. Lockheed-Martin’s original kill chain model, published in 2011, placed reconnaissance at the head of the sequence for good reason: before an attacker can lay hands on the crown jewels, they must first know where those jewels lie. In the Active Directory ecosystem, reconnaissance begins long before a malicious packet ever crosses the corporate firewall. Adversaries scrape LinkedIn and other professional networks for names, roles, and organizational charts. They examine public records, job postings, and even cached email headers in paste sites to discern naming conventions and email patterns. Each fragment of metadata contributes to a clearer picture of the domain’s structure, providing attackers with a working map before they ever set foot inside.
Once an attacker has established a foothold—often through phishing, a compromised VPN credential, or an exposed service—the reconnaissance turns inward. Now the goal shifts from merely knowing who works where to mapping the labyrinth of Active Directory trusts, organizational units, and group memberships. Tools such as BloodHound or PowerView are staples in this stage, but the skilled operator knows that the most effective recon is not always the loudest. Executing endless LDAP queries will set off alarms in a well-defended network; instead, the art lies in leveraging “living off the land” techniques, issuing queries that blend into legitimate administrator behavior, and collecting data over days or weeks rather than minutes.
Persistence is not yet the priority here, but the groundwork is being laid. Every username harvested, every ACL misconfiguration spotted, represents a possible entry point to be revisited later. Stealth is paramount, because discovery at this stage can derail the entire campaign. The attacker is not yet wielding exploits or cracking hashes; they are, in the metaphor of Lockheed’s framework, still circling the target, studying it with patience. It is reconnaissance that transforms a blind attacker into a hunter with a map, and it is here that the kill chain quietly begins.
Weaponization
If reconnaissance is the art of quiet observation, weaponization is where intent crystallizes into capability. In the original Lockheed-Martin kill chain, this was the stage where an adversary matched a delivery mechanism with a tailored exploit. For red teamers working against Active Directory, the principle is the same: intelligence gathered during reconnaissance guides the crafting of precise tools designed to slip past defenses and land in the heart of the enterprise.
A phishing campaign, for instance, may be armed not with a generic payload but with an Office document that reflects the company’s branding, internal jargon, and the cadence of its daily operations. The weaponization lies not only in the malicious macro embedded within but in the plausibility of the ruse. The better the recon, the sharper the weapon. Sometimes the “weapon” is not even malware at all but a carefully timed password spray that leverages the most common variations of seasonal phrases or corporate slogans—choices deduced from public-facing communication.
Red team operators also draw upon an arsenal of binaries and scripts designed to appear legitimate. These so-called “living off the land” binaries, or LOLbins, include tools like rundll32 or regsvr32, which are trusted by the operating system and unlikely to trigger immediate suspicion. Wrapping a payload within these native executables reduces the attack’s forensic footprint. More sophisticated campaigns might involve crafting Kerberos ticket-forging tools or precompiled stagers that can tunnel command-and-control traffic through HTTPS in a way indistinguishable from legitimate browsing.
Stealth is woven in at every level. Where possible, payloads are signed to masquerade as sanctioned software, scripts are obfuscated to evade signature detection, and delivery mechanisms are tuned to exploit natural rhythms of business communication. Persistence begins to enter the picture here—not in the sense of permanent footholds but in designing payloads that can establish communication channels capable of re-engaging even if the initial compromise is unstable. A weaponized macro that calls home over an encrypted channel, for instance, provides both delivery and a resilient path for follow-up exploitation.
In short, weaponization in Active Directory campaigns is about transforming reconnaissance into a practical, covert, and tailored instrument of intrusion. It is not a blunt hammer swung at every surface, but a scalpel sharpened to fit the anatomy of the network it seeks to cut into. The chain is tightening, and the next link—delivery—brings the weapon into contact with the target.
Delivery
Weaponization is meaningless until the blade is carried to its mark, and this is the role of delivery. In the Lockheed-Martin model, delivery referred to the transmission of the malicious payload into the victim’s environment, whether by email attachment, drive-by exploit, or removable media. In the Active Directory context, delivery is where theory becomes reality, and the operator’s creativity is tested against the vigilance of defenders.
Phishing remains the most common method. A carefully crafted message, disguised as a meeting invite or an urgent IT notice, carries a poisoned attachment or a link to a malicious portal. When reconnaissance has revealed the cadence of corporate communication, the phish can be indistinguishable from the real thing. Other times, delivery takes advantage of technical vulnerabilities exposed at the network edge: an unpatched VPN appliance, an Outlook Web Access portal susceptible to credential stuffing, or an RDP service left open to the internet. Each offers a vector for transmitting the weaponized code or for leveraging stolen credentials to establish an initial foothold.
What distinguishes a red team delivery phase from a smash-and-grab intrusion is the emphasis on subtlety. The phish is not blasted to the entire workforce but aimed with surgical precision at one or two carefully chosen users—contractors, for example, whose machines are less tightly monitored, or employees in departments unlikely to raise immediate alarm. Delivery is paced and timed, often aligning with business hours so that a callback blends seamlessly into normal network traffic. In more advanced operations, delivery may piggyback on legitimate cloud infrastructure: a payload hosted in OneDrive, a command-and-control channel disguised as Slack API traffic. To the casual eye of a security operations center, nothing appears out of place.
Persistence is not yet the central goal, but every successful delivery carries with it the seeds of long-term access. A malicious attachment that installs a lightweight stager ensures that even if the user closes the document, the operator retains a thread of control. A VPN login gained by password spraying can be used not only to explore but also to create new persistence mechanisms once deeper into the network.
Delivery is the moment of crossing the threshold, the decisive point where all the intelligence and preparation come to bear. It is here that the operator slips a hand past the perimeter and establishes the first trace of presence within the domain. What follows—exploitation—will determine whether that presence remains a fleeting echo or blossoms into a durable foothold.
Exploitation / Initial Access
Delivery sets the trap, but exploitation is the snap of the spring. In the Lockheed-Martin model, this phase represents the moment when malicious code executes or stolen credentials are put into play, converting potential access into real control. In an Active Directory environment, exploitation is often quiet, almost invisible, because the most effective operators rely less on exotic exploits and more on predictable human and system behavior.
The classic example is the execution of a malicious macro in a delivered document. With a single click on “Enable Content,” the user unwittingly launches a PowerShell stager that reaches out to an attacker-controlled server, pulling in a lightweight implant. Other times, exploitation may hinge on abusing built-in features of Windows itself: rundll32 launching a payload hidden in memory, regsvr32 registering a malicious script, or even WMI invoked to spawn processes under the radar of many monitoring solutions. These techniques succeed because they do not appear foreign to the operating system—they are indistinguishable from the activities of administrators and support staff.
Credential-based exploitation is equally powerful. A successful password spray or phishing capture may allow the attacker to log directly into a VPN, Outlook Web Access, or Citrix environment. No exploit code, no malware—just the use of valid credentials. To defenders, this activity looks like a legitimate user making a legitimate connection. Here stealth and exploitation merge seamlessly, because there is nothing overtly malicious to detect. The network is breached not through broken code but through the predictable flaws of human memory and password hygiene.
Persistence begins to surface here as a priority. Once initial code is running or credentials are valid, the operator seeks to ensure that a simple reboot or a password reset does not sever the lifeline. Scheduled tasks can be planted under innocuous names, registry run keys can be adjusted, or WMI event subscriptions established so that every system startup silently reignites the attacker’s beacon. These measures ensure that exploitation is not a single point in time but an ongoing state of compromise.
This stage marks the true beachhead in the Active Directory kill chain. Reconnaissance and delivery might have involved weeks of patience, but exploitation is the point at which the operator first steps inside the walls. Whether through malicious code, trusted binaries, or stolen credentials, the door has opened. The challenge now is to hold it ajar long enough to strengthen the position, which leads naturally into the installation phase—where access is consolidated and quietly woven into the fabric of the network.
Installation (Foothold and Persistence)
Exploitation gets you through the door; installation ensures the door cannot be closed behind you. In Lockheed-Martin’s original schema, this stage marks the establishment of a foothold within the target environment—an anchor point from which the adversary can return at will. In Active Directory campaigns, installation is the delicate work of embedding persistence without drawing the gaze of defenders who are trained to look for anomalies.
At its simplest, installation might involve dropping a backdoor executable into a hidden directory, or planting a scheduled task under a name that resembles a routine Windows update. But the more refined operator knows that the surest persistence does not come from adding new binaries but from weaving malicious functionality into the normal workings of the system. Registry run keys can be modified so that a beacon starts silently each time the machine boots. WMI event subscriptions can be registered to trigger payloads in response to seemingly ordinary system events, hiding persistence inside the very mechanisms administrators rely upon to automate legitimate processes.
On domain-joined machines, installation also means leveraging the trust relationships inherent to Active Directory. Once a user account is compromised, red teamers may create hidden local administrators, burying them in obscure organizational units or groups unlikely to be audited. Service accounts with elevated privileges can be manipulated so that they carry attacker-controlled tasks, and if conditions permit, password hashes or Kerberos tickets can be cached for later replay. At this stage, persistence begins to evolve from the tactical—surviving a reboot—to the strategic: ensuring that even if one entry point is closed, others remain accessible.
Stealth remains the watchword. The best persistence is not simply durable but quiet. A scheduled task named “Update Helper” attracts less scrutiny than one labeled “Backdoor,” just as a registry key buried among dozens of legitimate entries can remain invisible for months. The art lies in building redundancy without excess: too many implants, too many artifacts, and the defenders will notice. A single well-hidden mechanism, carefully chosen, can guarantee survival far longer than a scattershot approach.
By the time installation is complete, the attacker’s presence has shifted from transient to entrenched. The beachhead is fortified. The next concern is no longer whether access will survive the next system reboot, but how to communicate reliably with the outside world. That brings us to the next phase in the chain: command and control, the heartbeat of the operation.
Command and Control
Every foothold, no matter how carefully placed, is inert without a channel through which to speak. Command and control—C2—is the circulatory system of an intrusion, allowing an operator outside the network to breathe life into the code planted inside. In the Lockheed-Martin model, this phase described the establishment of communications between compromised hosts and an attacker’s infrastructure. In Active Directory operations, the challenge is not only to connect but to connect invisibly, moving instructions and data without betraying the presence of an intruder.
The simplest forms of C2 may involve a beacon that checks in at fixed intervals to an external server over HTTP or HTTPS. But predictable beacons are loud, and defenders have grown skilled at spotting the regular heartbeat of malware. Red teams therefore build jitter into their communications, varying timing so that the pattern disappears into the noise of ordinary web traffic. The channels themselves are disguised: HTTPS over port 443 is indistinguishable from legitimate browsing, while DNS tunneling can turn innocuous-looking name resolution requests into a covert conversation. More advanced teams lean on legitimate cloud platforms—hiding traffic inside Microsoft OneDrive, Slack APIs, or even Google Sheets—so that outbound connections appear to lead only to widely trusted services.
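A defender-side illustration of the beacon-timing point above, added here and not part of the original article: it measures how regular each host's outbound connection spacing is over a few constructed proxy log lines (the line format is assumed for this example), and shows that a fixed-interval beacon and a modestly jittered one both stand out from bursty human browsing.

```python
"""Periodic-beacon detection over constructed web-proxy log lines.

Added example, not from the original article: groups outbound connections
by (source host, destination), measures the gaps between consecutive
connections, and flags pairs whose spacing is too regular for browsing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <source host> <destination>".
# ws01: fixed 60 s check-in. ws02: ~60 s with +/-20% jitter. ws03: human.
SAMPLE_LOG = """
2024-05-06T09:00:00 ws01 cdn.example
2024-05-06T09:00:00 ws02 update.example
2024-05-06T09:00:00 ws03 intranet.example
2024-05-06T09:00:03 ws03 intranet.example
2024-05-06T09:00:04 ws03 intranet.example
2024-05-06T09:00:52 ws02 update.example
2024-05-06T09:01:00 ws01 cdn.example
2024-05-06T09:02:00 ws01 cdn.example
2024-05-06T09:02:02 ws02 update.example
2024-05-06T09:02:50 ws02 update.example
2024-05-06T09:03:00 ws01 cdn.example
2024-05-06T09:03:56 ws02 update.example
2024-05-06T09:04:00 ws01 cdn.example
2024-05-06T09:04:04 ws03 intranet.example
2024-05-06T09:04:09 ws03 intranet.example
2024-05-06T09:04:53 ws02 update.example
2024-05-06T09:05:00 ws01 cdn.example
2024-05-06T09:19:09 ws03 intranet.example
"""

def parse_log(text):
    """Return {(src, dst): sorted timestamps} from the constructed format."""
    conns = defaultdict(list)
    for line in text.strip().splitlines():
        stamp, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(stamp))
    return {key: sorted(times) for key, times in conns.items()}

def interval_stats(times):
    """Mean gap in seconds and its coefficient of variation (stdev / mean)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_beacons(conns, min_hits=6, max_cv=0.3):
    """Flag (src, dst) pairs whose connection spacing is nearly constant.

    A fixed-interval beacon has CV ~ 0; uniform +/-20% jitter only raises it
    to ~0.12; bursty browsing is usually well above 1, so 0.3 still catches
    moderately jittered check-ins while sparing ordinary traffic."""
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue  # too few samples to judge periodicity
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append((src, dst, round(avg), round(cv, 2)))
    return sorted(hits)

if __name__ == "__main__":
    for src, dst, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: every ~{avg}s, CV={cv}")
```

Heavier jitter, longer sleep intervals, or a channel multiplexed with real browsing to the same destination will raise the CV, so a production detector pairs this timing signal with volume and reputation features rather than relying on it alone.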
The goal is always camouflage. Every organization expects its endpoints to talk to the outside world, and C2 succeeds when that talking looks utterly banal. Encryption ensures that even if traffic is intercepted, its contents are opaque. Domain fronting, once common, allowed malicious traffic to masquerade under the banner of legitimate hostnames. Even when defenders scrutinize logs, the operator’s communications blend seamlessly with the chatter of ordinary business.
Persistence is layered here as well. Redundant channels are prepared so that if one server is discovered and blocked, another can quietly take its place. Some implants are designed to fall back to peer-to-peer communication across the internal network, turning compromised hosts into relays when direct connections fail. Others adopt a hibernation mode, lying dormant until activated by a specific trigger, thus reducing their exposure to detection during routine monitoring.
By the end of this phase, the attacker is no longer a transient presence scraping at the edges of the network. They are a participant, issuing commands, moving data, and shaping their operations in real time. With reliable communications in place, the final sequence of the kill chain begins: the march from low-level compromise to full domain dominance, where persistence and stealth are elevated into an art form and the operator’s true objectives are brought within reach.
Actions on Objectives: The Path to Domain Admin
With command and control established, the campaign turns from survival to conquest. This is the phase where Lockheed-Martin’s framework speaks of “actions on objectives,” the culmination of the kill chain. In the Active Directory world, those objectives are almost always tied to privilege: the steady climb from a single compromised workstation toward the heights of Domain Admin. It is here that stealth and persistence converge most visibly, for every move risks discovery, and every gain must be secured against loss.
The journey begins with credentials. A red teamer harvesting the memory of a compromised machine may extract cached hashes, Kerberos tickets, or plaintext passwords lingering in LSASS. Mimikatz and its many descendants make this process almost routine. Kerberoasting, another favored technique, targets service accounts with weak passwords by requesting service tickets from the domain controller and then cracking them offline. Each credential recovered represents a new key, and each key opens a new door deeper into the network.
Privilege escalation follows naturally. Misconfigured delegation rights, vulnerable Group Policy Preferences storing passwords, or poorly secured service accounts often grant access well beyond what defenders realize. Token impersonation allows an attacker to “become” another user, inheriting their rights without ever touching their password. Persistence evolves here into something subtler: the operator begins not only to plant backdoors but also to accumulate living credentials, turning the very trust relationships of Active Directory into a ladder to climb.
Lateral movement is the rhythm of this climb. A stolen password may grant RDP access to a file server, where new credentials can be harvested. Pass-the-Hash or Pass-the-Ticket attacks let the operator traverse the domain without ever revealing a password in plaintext. Each step must be measured: too many failed logons, too much unusual traffic, and alarms will sound. Stealth is not optional; it is survival. Red teamers throttle their movements, mimic administrator working hours, and pivot with surgical precision rather than scattershot aggression.
At last comes domain dominance. This is achieved not merely by seizing a Domain Admin account but by mastering the mechanisms of Active Directory itself. Forged Kerberos tickets—the so-called Golden and Silver tickets—grant virtually unlimited access, persisting for years if left unchecked. DCSync attacks allow an operator to impersonate a domain controller and request password hashes for any account, including the KRBTGT account whose compromise is the crown jewel of the entire domain. With KRBTGT in hand, an adversary can generate tickets at will, an unbounded passport across the forest.
Persistence at this stage becomes almost philosophical. The operator is no longer satisfied with a single hidden task or registry key. Instead, they reshape the domain’s fabric: altering ACLs so that their accounts have hidden privileges, planting rogue administrators in obscure groups, or embedding malicious GPOs that guarantee reentry. These methods endure across reboots, across password resets, even across certain incident response measures. They transform what began as a single compromise into domain-wide control.
For the red team, achieving Domain Admin is the end of the exercise. For the adversary, it is only the beginning. With full privileges, intellectual property can be stolen, systems sabotaged, or ransomware deployed at scale. Yet whether in a live attack or a simulated one, the lesson is the same: at each link in the kill chain, from reconnaissance to domain dominance, opportunities for detection and disruption exist. The genius of the Lockheed-Martin model lies in showing defenders that the chain is fragile—break it early, and the crown remains secure.
Breaking the Chain
The Lockheed-Martin kill chain was conceived in an era when the term “APT” was just entering the vocabulary of defenders, yet its clarity endures. By envisioning an attack as a sequence of distinct phases, it reminds us that adversaries are not unstoppable forces but actors constrained by process. In the Active Directory environment, the stakes are higher than ever—nearly every enterprise relies on it as the backbone of authentication and authorization. To compromise AD is to compromise the organization itself.
For red teams, mapping their operations to the kill chain provides both discipline and narrative. Each phase—reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives—becomes a lens through which to evaluate stealth, persistence, and escalation. From the quiet scraping of LinkedIn profiles to the forging of Golden Tickets, the chain illustrates not only how access is gained but how it is nurtured into dominance.
For defenders, the model is a call to vigilance. At each stage, opportunities exist to detect and disrupt. Phishing lures can be filtered; anomalous LDAP queries can be flagged; irregular Kerberos ticket lifetimes can trigger alerts. Break the chain early, and the campaign collapses before it matures. Even in later stages, awareness of persistence mechanisms—such as rogue ACLs, WMI subscriptions, or KRBTGT abuse—can provide the leverage to uproot an attacker’s foothold.
The lesson is sobering but empowering. The red team kill chain in Active Directory shows how fragile trust can be, how a single compromised account can cascade into total domain dominance. But it also affirms that defense is not futile. An adversary’s success depends on completing the chain link by link; defenders need only sever it once.
The White Paper from Lockheed Martin:
Hutchins, Eric M., Michael J. Cloppert, and Rohan M. Amin. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation, 2011. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
om tat sat