500+ Red Teaming and Active Directory Interview Questions

Master Red Teaming and Active Directory Pentesting with 500+ MCQs covering Interviews and Real World Scenarios.

Red Teaming & Active Directory Exploitation Course Guide

Red Teaming and Active Directory exploitation are among the most in-demand cybersecurity skills in modern enterprise environments. This course is designed to help you crack Red Teaming and Active Directory interview questions with confidence through a targeted MCQ-based format that mimics real-world red team scenarios.

You will gain deep, hands-on knowledge of Active Directory internals, enumeration, attack paths, privilege escalation techniques, and persistence strategies through carefully crafted multiple-choice questions. This course is not just about definitions—it's about understanding how attackers think, how they move laterally, and how to break modern enterprise defenses.

I. Active Directory Pentesting Fundamentals

Difficulty Level: Easy to Medium

1. Core AD Concepts for Pentesting

MCQ Count: 10-15

Topics:

  • FSMO Roles (PDC Emulator, RID Master, Infrastructure Master, Schema Master, Domain Naming Master)

  • Global Catalog

  • Schema

  • Trusts (Transitive, Non-Transitive, One-Way, Two-Way)

  • SPNs

Subtopics:

  • How FSMO roles are relevant for privilege escalation and persistence (e.g., Compromising PDC Emulator for password resets)

  • Impact of schema modifications from an attacker's perspective

  • Leveraging trust relationships for lateral movement between domains/forests

  • Understanding SPNs for Kerberoasting and constrained/unconstrained delegation attacks

2. Essential AD Authentication Protocols (Offensive Lens)

MCQ Count: 15-20

Topics:

  • Kerberos (TGT, TGS, Service Ticket)

  • NTLM (v1, v2)

  • LM/NTLM Hashing

Subtopics:

  • Deep dive into Kerberos ticket flow and how it's manipulated for PtT, Golden Ticket, Silver Ticket

  • NTLM weaknesses (responder attacks, NTLM relay)

  • Understanding the different hash formats and their cracking implications

  • The role of the KRBTGT account in Golden Tickets

3. AD Tools for Offensive Operations (Foundational)

MCQ Count: 10-15

Topics:

  • Mimikatz (core modules: sekurlsa::logonpasswords, kerberos::golden, lsadump)

  • BloodHound (data ingestion, basic graph analysis)

  • Impacket suite (psexec.py, smbclient.py, GetNPUsers.py, getTGT.py)

Subtopics:

  • Installation and basic usage of these tools

  • Interpreting Mimikatz output for credential extraction

  • Generating and understanding basic BloodHound attack paths

  • Using Impacket scripts for fundamental lateral movement and enumeration

II. Active Directory Reconnaissance & Enumeration (Offensive)

Difficulty Level: Medium

1. Internal Network Footprinting for AD

MCQ Count: 10-15

Topics:

  • DNS enumeration (zone transfers, dnsrecon, dnspython)

  • Network scanning for AD services (LDAP, Kerberos, SMB)

  • Identifying domain controllers

Subtopics:

  • Leveraging DNS for subdomain discovery and identifying internal domain structures

  • Port scanning specific to AD services (e.g., 389, 636, 88, 445, 3389)

  • Techniques to reliably identify all domain controllers in a network segment

2. Advanced User and Group Enumeration

MCQ Count: 15-20

Topics:

  • LDAP queries (using ldapsearch, ldp.exe, PowerShell's Get-AD* cmdlets)

  • ADRecon

  • PowerView.ps1 (user/group functions)

  • enum4linux

Subtopics:

  • Crafting specific LDAP filters to find privileged users, accounts with specific attributes (e.g., dontReqPreauth), or users in specific OUs

  • Efficiently enumerating group memberships, including nested groups

  • Identifying users with common or weak password patterns through enumeration

3. Service Principal Name (SPN) Enumeration & Analysis

MCQ Count: 10-15

Topics:

  • setspn -Q

  • Get-ADComputer -Properties servicePrincipalName

  • Get-ADUser -Properties servicePrincipalName

  • PowerView's Get-NetServicePrincipalName

Subtopics:

  • Understanding how SPNs are registered and their format

  • Identifying SPNs for Kerberoasting targets (accounts with UserPrincipalNames or ServicePrincipalNames)

  • Differentiating between legitimate and potentially vulnerable SPN registrations

4. Active Directory Object Access Control List (ACL) Enumeration

MCQ Count: 15-20

Topics:

  • BloodHound (ACL analysis)

  • PowerView's Get-DomainACL

  • Get-ADACL

  • ACLs for AD objects (DACLs, SACLs)

Subtopics:

  • Identifying dangerous ACLs that grant excessive permissions (e.g., GenericAll, GenericWrite, WriteDACL, WriteOwner, AllExtendedRights)

  • Understanding the common misconfigurations that lead to exploitable ACLs

  • Mapping out potential attack paths using ACLs with BloodHound

5. GPO and AD Domain/Forest Trust Enumeration

MCQ Count: 10-15

Topics:

  • Get-GPO

  • Get-ADTrust

  • nltest /domain_trusts

Subtopics:

  • Identifying GPOs that might contain sensitive information (e.g., passwords in SYSVOL, restricted groups)

  • Analyzing GPOs for security settings that can be leveraged (e.g., insecure delegated permissions on GPOs)

  • Mapping trust relationships and understanding their directionality and transitivity for cross-domain lateral movement

III. Active Directory Attack Techniques (Deep Dive)

Difficulty Level: Hard

1. Credential Theft & Extraction

MCQ Count: 25-30

Topics:

  • Mimikatz (LSASS dump, sekurlsa::logonpasswords, lsa cache, dcsync)

  • NTDS.dit extraction (Volume Shadow Copy, esentutl.exe)

  • Kerberoasting

  • AS-REPRoasting

  • Responder (LLMNR/NBT-NS poisoning, HTTP/SMB relay)

Subtopics:

  • Detailed step-by-step process of performing LSASS dumps and extracting credentials

  • Understanding the mechanics of dcsync and its requirements

  • The process of identifying Kerberoasting targets, extracting TGS-REPs, and offline cracking

  • Automating AS-REPRoasting and its limitations

  • Setting up and using Responder for various credential relay and capture scenarios

2. Lateral Movement Techniques

MCQ Count: 25-30

Topics:

  • Pass-the-Hash (PtH)

  • Pass-the-Ticket (PtT)

  • Overpass-the-Hash

  • PsExec (and its variants/alternatives)

  • WMI (wmiexec, Invoke-WMIExec)

  • SMB (smbexec)

  • WinRM (winrmexec, Invoke-WinRM)

  • DCOM

  • Remote Desktop Protocol (RDP)

Subtopics:

  • Detailed execution flow and differences between PtH, PtT, and Overpass-the-Hash

  • Understanding the various methods of remote command execution in AD (e.g., psexec services, WMI event subscriptions, WinRM sessions)

  • Chaining lateral movement techniques for deeper access

  • Evading detection during lateral movement

3. Privilege Escalation in AD

MCQ Count: 30-35

Topics:

  • Unconstrained Delegation abuse

  • Constrained Delegation (S4U2self, S4U2proxy) abuse

  • Golden Ticket

  • Silver Ticket

  • AdminSDHolder/AdminCount

  • GPO abuse (Restricted Groups, Startup Scripts, GPP cpassword)

  • ACL-based privilege escalation (e.g., GenericAll, WriteDACL, WriteOwner)

  • Printer Spooler (PrintNightmare, PetitPotam)

  • DCsync via delegated permissions

Subtopics:

  • Identifying and exploiting vulnerable delegation settings

  • Crafting and utilizing Golden Tickets (KRBTGT hash) for full domain compromise

  • Generating and using Silver Tickets for specific service access

  • Finding and leveraging misconfigured GPOs for privilege escalation

  • Detailed walkthroughs of ACL abuse paths using BloodHound

  • Understanding and exploiting PrintNightmare and PetitPotam for NTLM relay or privilege escalation

4. Persistence Mechanisms

MCQ Count: 20-25

Topics:

  • Skeleton Key

  • Golden Ticket renewal

  • Silver Ticket re-generation

  • AdminSDHolder/SDPROP modification

  • Service Accounts (modifying servicePrincipalName, userAccountControl)

  • Scheduled Tasks

  • GPO modification (e.g., UserLogonScript, ComputerStartupScript)

  • DCSync via WriteDACL on domain object

  • Domain Controller compromise backdoors

Subtopics:

  • Methods for establishing long-term, stealthy access within the AD environment

  • Understanding the detection challenges for each persistence method

  • Techniques for creating and maintaining covert backdoors

  • Abusing legitimate AD features for persistence

5. Data Exfiltration & Impact

MCQ Count: 10-15

Topics:

  • DCSync (full NTDS.dit replica)

  • lsass.exe dump

  • Targeted data exfiltration (specific user hashes, certificates, sensitive files)

Subtopics:

  • Methods to extract the entire NTDS.dit database remotely or locally

  • Techniques for obtaining credentials from lsass.exe dumps

  • Identifying and exfiltrating critical information (e.g., password policies, security principals, sensitive user data)

IV. Red Teaming Operations in AD Environment

Difficulty Level: Medium to Hard

1. C2 Infrastructure for AD Pentesting

MCQ Count: 10-15

Topics:

  • Domain Fronting

  • HTTP/S C2

  • DNS C2

  • SMB C2

  • Payload staging

  • Redirectors

Subtopics:

  • Designing resilient C2 infrastructure for AD engagements

  • Configuring various C2 channels for stealth and evasion

  • Techniques for staging payloads effectively in an AD environment

2. Evasion & Stealth in AD

MCQ Count: 20-25

Topics:

  • Living Off The Land (LotL) binaries (certutil.exe, bitsadmin.exe, powershell.exe, runas.exe)

  • Process injection

  • Reflective DLL loading

  • Unhooking

  • AMSI bypasses

  • AppLocker bypasses

  • Defender for Endpoint/AV evasion

  • Custom malware development

Subtopics:

  • Using built-in Windows tools to perform malicious actions without introducing new executables

  • Techniques to evade endpoint detection and response (EDR) solutions

  • Developing custom tools and payloads for specific AD attack scenarios

  • Understanding common AMSI/AppLocker bypasses

3. OpSec Considerations for AD Pentesting

MCQ Count: 10-15

Topics:

  • Operational Security planning

  • Quiet hours

  • Anti-forensics (timestamp modification, log cleaning)

  • Avoiding noisy techniques

Subtopics:

  • Planning operations to minimize detection risk

  • Techniques for cleaning up traces after an attack (e.g., event logs, command history)

  • Balancing aggressive exploitation with stealth

4. Scoping & Rules of Engagement (RoE) for AD Pentesting

MCQ Count: 5-10

Topics:

  • Defining clear objectives (e.g., Domain Admin, specific data exfiltration)

  • Identifying critical assets

  • Handling sensitive data

  • Communication protocols

  • Red/blue teaming interaction

Subtopics:

  • Importance of well-defined RoE for AD engagements

  • Managing the scope to avoid unintended impact

  • Communication strategies with the client and blue team

5. Reporting for AD Pentesting Engagements

MCQ Count: 5-10

Topics:

  • Attack narrative

  • Detailed steps to reproduce

  • Impact analysis

  • Specific remediation recommendations for AD vulnerabilities

  • Post-engagement debriefing

Subtopics:

  • Crafting clear and actionable reports for AD security weaknesses

  • Providing practical remediation steps for AD misconfigurations and vulnerabilities

  • Effectively communicating technical findings to both technical and non-technical stakeholders

Course Summary

This comprehensive course covers all critical aspects of Red Teaming and Active Directory exploitation, from fundamental concepts to advanced attack techniques. The MCQ-based format ensures practical knowledge that can be immediately applied in real-world scenarios.

Total Estimated MCQ Count: 240-340 questions across all modules

The course emphasizes hands-on understanding of tools, techniques, and methodologies used by professional red teams to assess and exploit Active Directory environments effectively.