Active Directory Attack Paths: What Every Defender Needs to Understand

Active Directory is the identity backbone of most enterprise networks — and the most reliably abused system in modern intrusions. If you look at the post-exploitation phase of virtually any significant breach in the past decade, AD compromise is either the mechanism or the destination. Understanding why requires understanding both how AD was designed and how those design decisions create attack paths that are genuinely difficult to close.

This is not a penetration testing tutorial. It’s a defender’s map: here’s how attackers move through AD, here’s what they’re after, here’s what detection looks like.

Why Active Directory Is the Target

AD holds the keys. Domain controllers store the NTDS.dit file — the database of all user accounts, groups, password hashes, and Kerberos secrets for the domain. Compromising a domain controller gives an attacker the ability to create accounts, modify permissions, access any system in the domain, and establish persistence that survives most incident response activities.

The path to domain controller is rarely a single step. It’s a chain of privilege escalations and lateral movements, each step building on access gained from the previous one. This is the “attack path” concept — and understanding these chains is the most important thing a defender can do.

Credential-Based Attack Paths

Pass-the-Hash (PtH). Windows NTLM authentication doesn’t require knowing a plaintext password — it requires the NT hash of the password. An attacker who extracts a hash from memory (using Mimikatz or similar tools against LSASS) can authenticate as that user to any system that accepts NTLM without ever cracking the hash.

The scope of PtH depends entirely on where that hash is valid. A standard domain user’s hash is only useful for systems that user has access to. A domain admin’s hash — extracted from a server that admin logged into — provides lateral movement to any system in the domain. This is why privileged accounts logging into non-privileged systems is such a significant risk: it exposes high-value credentials to compromise on lower-security systems.

Detection: Windows Event ID 4624 with Logon Type 3 (network logon) using NTLM authentication where Kerberos would be expected. Lateral movement via PtH leaves a signature — NTLM authentication sourced from a workstation to a server, correlating with unusual source-destination pairs.
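A minimal version of that hunt, added here as an example and not part of the original article: NTLM network logons (4624, Logon Type 3) that fall outside a known-good baseline are flagged, with privileged accounts rated higher. All accounts, hosts, the baseline and the event records are constructed.

```python
# Added example (not from the article): Pass-the-Hash hunt over Windows Security
# 4624 records. Rule: NTLM + Logon Type 3 outside a baseline of known legitimate
# NTLM use. Accounts, hosts, baseline and events are all constructed.

PRIVILEGED = {"CORP\\da-jsmith", "CORP\\Administrator"}  # hypothetical Tier-0 accounts

# Hypothetical baseline: (account, source IP, target host) triples known to use
# NTLM legitimately, e.g. a legacy application that cannot do Kerberos.
BASELINE = {("CORP\\svc-legacy", "10.1.7.20", "FS01")}

# Constructed 4624 records. IpAddress is the source, not WorkstationName: the
# workstation name in an NTLM logon is supplied by the client and is spoofable.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "CORP\\jsmith", "IpAddress": "10.1.5.42", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "CORP\\svc-legacy", "IpAddress": "10.1.7.20", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "CORP\\da-jsmith", "IpAddress": "10.1.5.42", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "CORP\\jsmith", "IpAddress": "-", "Computer": "WS042"},
]


def find_pth_candidates(events, baseline=BASELINE, privileged=PRIVILEGED):
    """Return (severity, account, source_ip, target) for NTLM type-3 logons
    not covered by the baseline; privileged accounts are rated high."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue  # only network logons carry the lateral-movement signature
        if e["AuthenticationPackageName"].upper() != "NTLM":
            continue  # Kerberos is the expected package between domain members
        triple = (e["TargetUserName"], e["IpAddress"], e["Computer"])
        if triple in baseline:
            continue  # known legitimate NTLM use (e.g. target addressed by IP)
        severity = "high" if e["TargetUserName"] in privileged else "medium"
        hits.append((severity,) + triple)
    return hits


if __name__ == "__main__":
    for hit in find_pth_candidates(EVENTS):
        print(hit)
```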

Kerberoasting. Any authenticated domain user can request Kerberos service tickets for service accounts (accounts with a Service Principal Name set). These tickets are encrypted with the service account’s password hash. Offline, they can be cracked — and service accounts often have weak passwords that were set years ago and never rotated.

The attack is silent: a valid authentication request indistinguishable from normal Kerberos traffic. Detection relies on behavioral analysis — a user requesting a large number of service tickets in a short time period — or specific tooling like Microsoft Defender for Identity, which baselines service ticket requests per user.
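The behavioral rule above, written out as an added example (not code from the article): a sliding window over 4769 service-ticket requests per user, counting distinct service accounts and keying on RC4 (encryption type 0x17), which roasting tools request because it cracks fastest. Users, service names and events are constructed.

```python
# Added example (not from the article): behavioral Kerberoasting detection over
# Security event 4769 (TGS request) records. Users, SPNs and events are constructed.
from datetime import datetime, timedelta

# (timestamp, requesting account, service name, TicketEncryptionType)
# 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC (what roasting tools ask for).
EVENTS = [
    ("2024-03-01T09:00:01", "CORP\\jsmith", "sql-svc",  0x12),
    ("2024-03-01T09:00:02", "CORP\\jsmith", "krbtgt",   0x12),  # TGT renewal, ignored
    ("2024-03-01T09:12:00", "CORP\\bob",    "sql-svc",  0x17),
    ("2024-03-01T09:12:00", "CORP\\bob",    "WS042$",   0x17),  # computer account, ignored
    ("2024-03-01T09:12:01", "CORP\\bob",    "http-svc", 0x17),
    ("2024-03-01T09:12:01", "CORP\\bob",    "mssql02",  0x17),
    ("2024-03-01T09:12:02", "CORP\\bob",    "iis-app",  0x17),
    ("2024-03-01T09:12:03", "CORP\\bob",    "backup",   0x17),
    ("2024-03-01T10:30:00", "CORP\\bob",    "sql-svc",  0x17),  # outside the window
]

WINDOW = timedelta(minutes=5)
THRESHOLD = 4  # distinct service accounts requested with RC4 inside one window


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: set(service accounts)} for users whose RC4 TGS requests
    to distinct service accounts within `window` reach `threshold`."""
    per_user = {}
    for ts, user, svc, etype in sorted(events):
        # Computer accounts have long random machine passwords and are not
        # crackable; a 4769 for krbtgt is a TGT renewal, not a service ticket.
        if etype != 0x17 or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user.setdefault(user, []).append((datetime.fromisoformat(ts), svc))

    alerts = {}
    for user, reqs in per_user.items():
        start = 0
        for end in range(len(reqs)):  # sliding window over time-ordered requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[user] = distinct  # keep the largest window seen
    return alerts
```

Tune the threshold against your own environment; a web app that legitimately requests several SPNs at logon will look like a small burst.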

AS-REP Roasting. Similar concept, different target: user accounts configured with “Do not require Kerberos pre-authentication” allow an unauthenticated attacker to request authentication data for that account from any domain controller. This data can be cracked offline. Accounts with this flag set are typically service accounts or legacy configurations. Auditing for this flag across all accounts is a quick defensive win.

Privilege Escalation Paths

ACL Abuse. Active Directory object permissions (Access Control Lists) are enormously complex and almost universally misconfigured. Specific permission combinations allow lower-privileged users to escalate to higher privilege without exploiting any software vulnerability — just using legitimate AD features incorrectly configured.

The most exploitable ACL misconfigurations:

  • GenericAll / GenericWrite on a user object: Can reset that user’s password or modify their attributes, including setting an SPN for Kerberoasting
  • WriteDACL on an object: Can modify the object’s permissions, granting yourself any access you want
  • WriteOwner on an object: Can take ownership, then modify permissions
  • GenericWrite on a group: Can add yourself or others to that group
  • DCSync rights (GetChanges + GetChangesAll on the domain): Can replicate all AD data, including all password hashes, without touching a domain controller

BloodHound (the open source version) is the tool that made AD attack path analysis accessible — it graphs these ACL relationships and shows the shortest path from any account to Domain Admin. Running BloodHound against your own environment is one of the highest-ROI defensive exercises available. If attackers run it (and they do), you should see what they see first.
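What "shortest path to Domain Admin" means in practice, as an added example that is neither BloodHound's code nor the article's: a breadth-first search over a small constructed graph of membership and ACL edges. Every principal and edge is hypothetical; the edge types are the ACL rights listed above.

```python
# Added example, not BloodHound's code; all principals and edges are hypothetical.
from collections import deque

# Directed edges (source, edge type, target), in the spirit of BloodHound's graph.
EDGES = [
    ("alice@corp.local",         "MemberOf",     "HELPDESK@corp.local"),
    ("HELPDESK@corp.local",      "GenericAll",   "svc-backup@corp.local"),
    ("svc-backup@corp.local",    "WriteDacl",    "SERVER ADMINS@corp.local"),
    ("SERVER ADMINS@corp.local", "MemberOf",     "IT STAFF@corp.local"),
    ("svc-backup@corp.local",    "GenericWrite", "IT STAFF@corp.local"),
    ("IT STAFF@corp.local",      "MemberOf",     "DOMAIN ADMINS@corp.local"),
    ("bob@corp.local",           "MemberOf",     "SALES@corp.local"),
]
DA = "DOMAIN ADMINS@corp.local"

def build_graph(edges):
    """Adjacency list: node -> [(edge type, target)]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph

def shortest_path(graph, start, goal=DA):
    """BFS; returns [(node, edge, next_node), ...] for the fewest-hop path, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while prev[node] is not None:  # walk parents back to the start
                parent, kind = prev[node]
                path.append((parent, kind, node))
                node = parent
            return path[::-1]
        for kind, nxt in graph.get(node, []):
            if nxt not in prev:  # first visit is the shortest, since BFS
                prev[nxt] = (node, kind)
                queue.append(nxt)
    return None

def paths_to_da(edges, principals):
    """Hop count from each principal to Domain Admins (None if unreachable);
    the shortest paths are the first remediation targets."""
    graph = build_graph(edges)
    out = {}
    for p in principals:
        sp = shortest_path(graph, p)
        out[p] = len(sp) if sp else None
    return out
```

Cutting any single edge on the returned path (here, the GenericAll right the helpdesk group holds over a service account is the obvious one) breaks it; rerun after each fix, because a longer path usually remains.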

Detection: ACL abuse is difficult to detect in real-time because the operations use legitimate AD functions. BloodHound Enterprise (the commercial version) provides continuous path analysis and alerting. Without it, periodic manual review of high-value object ACLs and auditing of AD permission changes (Event ID 5136) provides partial coverage.

DCSync. An account with the right ACL permissions on the domain object (GetChanges and GetChangesAll) can mimic domain controller replication behavior, requesting all password hashes from an actual DC without touching the DC directly. The extraction looks like legitimate replication traffic.

This is the endgame credential extraction technique — Mimikatz’s lsadump::dcsync implements it. Detection: Event ID 4662 with the right GUID filters on domain controller objects. Microsoft Defender for Identity detects this specifically.
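The 4662 filter described above, as an added example rather than the article's own code: events that exercise the replication extended rights are flagged when the requesting account is not a domain controller (or a reviewed directory-sync account). The three GUIDs are the real extended-right identifiers; the accounts, hosts and event records are constructed.

```python
# Added example (not from the article): flag Security event 4662 records that use
# the replication control-access rights DCSync depends on, when the requester is
# not a DC. GUIDs are the real extended rights; accounts and events are constructed.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # hypothetical DC computer accounts
REPL_BOTH = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
             "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

EVENTS = [  # constructed 4662 records; Properties carries the access GUIDs
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "ObjectName": "DC=corp,DC=local", "Properties": REPL_BOTH},
    {"EventID": 4662, "SubjectUserName": "CORP\\jdoe", "AccessMask": "0x100",
     "ObjectName": "DC=corp,DC=local", "Properties": REPL_BOTH},
    {"EventID": 4662, "SubjectUserName": "MSOL_0123abcd", "AccessMask": "0x100",
     "ObjectName": "DC=corp,DC=local", "Properties": REPL_BOTH},  # hypothetical sync account
    {"EventID": 4662, "SubjectUserName": "CORP\\jdoe", "AccessMask": "0x10",  # plain read
     "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=local",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder, not a repl right
]


def detect_dcsync(events, dcs=DOMAIN_CONTROLLERS, allowlist=frozenset()):
    """Return (account, object, [rights]) for replication-right use by non-DCs."""
    alerts = []
    for e in events:
        # 0x100 is the Control Access bit; the replication rights are extended rights.
        if e["EventID"] != 4662 or e["AccessMask"] != "0x100":
            continue
        props = e["Properties"].lower()
        rights = sorted(name for guid, name in REPL_RIGHTS.items() if guid in props)
        if not rights:
            continue
        who = e["SubjectUserName"]
        if who in dcs or who in allowlist:
            continue  # DCs (and a reviewed sync account) replicate legitimately
        alerts.append((who, e["ObjectName"], rights))
    return alerts
```

Anything that ends up in the allowlist (directory-sync connectors, some backup products) is itself a DCSync-capable account and belongs on the Tier-0 protection list.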

Lateral Movement Techniques

Pass-the-Ticket. Kerberos tickets cached on a system can be extracted and used on other systems. Unlike PtH (which abuses NTLM), Pass-the-Ticket abuses Kerberos. Golden tickets and Silver tickets are the advanced variants:

  • Golden ticket: Forged using the KRBTGT account hash. Valid for any service in the domain for any user. Survives password resets unless the KRBTGT hash is rotated (twice — once doesn’t invalidate existing tickets). The gold standard of AD persistence.
  • Silver ticket: Forged for a specific service using that service’s account hash. Less powerful than a Golden ticket but harder to detect because it doesn’t touch domain controllers.

Detection of Golden tickets: Event IDs 4769 and 4768 anomalies — tickets with unusual lifetimes, tickets issued for non-existent users, tickets with encryption type mismatches. Microsoft Defender for Identity has specific detections for this.

Lateral movement via WMI/WinRM/SMB. Once an attacker has valid credentials or a hash, they need to execute on remote systems. The standard mechanisms: wmic, psexec-style SMB execution, WinRM (via evil-winrm or legitimate tools), and RDP. Each has a distinct event ID signature and process lineage.

Process creation from remote connections (Logon Type 3 leading to process creation) with Event ID 4688 in the source context, combined with unusual parent-child process relationships on the target system, is the behavioral signature to hunt.

Domain Persistence

Once Domain Admin is achieved, attackers aim for persistence that survives password resets and partial incident response. The mechanisms:

AdminSDHolder abuse. AdminSDHolder is an AD container that controls the permissions of high-privilege accounts. Every 60 minutes, a process (SDProp) propagates AdminSDHolder’s permissions to all protected accounts. An attacker with permissions to modify AdminSDHolder can grant persistent access that re-applies automatically — surviving manual ACL corrections on individual accounts.

Detection: Monitor for modifications to the AdminSDHolder object (Event ID 5136 on that specific object).

SID History injection. User objects have a SID History attribute, originally intended to preserve access during domain migrations. An attacker with KRBTGT hash access can inject any SID — including the Domain Admins SID — into a normal user’s SID History, giving that user domain admin access through what looks like a normal account. Detection requires monitoring SID History changes (Event ID 4765/4766) and flagging non-migration contexts.

DSRM account. Every domain controller has a local administrator account accessible in Directory Services Restore Mode. This account’s password is rarely rotated. If an attacker knows it, they have persistent local admin on every DC — a backdoor that survives full domain compromise remediation that doesn’t explicitly address DSRM.

The Defensive Priority Stack

You can’t fix everything in AD at once. Prioritize in this order:

  1. Eliminate privileged account exposure. Domain admins should not log into workstations or member servers. Use dedicated privileged access workstations. This prevents credential exposure that enables the most common attack chains.
  2. Run BloodHound. Find your attack paths before attackers do. The tool is free. The SharpHound collector takes minutes to run. The paths it reveals typically include at least a few surprises in any real environment.
  3. Audit accounts with Kerberoastable and AS-REP-roastable configurations. These are PowerShell one-liners:
   # Kerberoastable accounts
   Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
   # AS-REP Roastable
   Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth

Any non-service account in either list is a misconfiguration.

  4. Rotate the KRBTGT account hash. Twice, with a gap between rotations. This invalidates any existing Golden tickets. Schedule this semi-annually.
  5. Deploy Microsoft Defender for Identity (MDI). If you’re in a Microsoft environment, MDI provides the most comprehensive AD-specific detection available. It covers DCSync, Golden ticket, Kerberoasting, lateral movement, and dozens of other techniques with high fidelity. The per-user cost is low relative to the detection coverage.
  6. Establish AD audit logging baselines. Event IDs 4624, 4625, 4662, 4768, 4769, 4776, 5136, 7045 at minimum. Forward to a SIEM. Alert on anomalies relative to baseline.

The Attacker’s Perspective

The most useful mental model for AD defense is to think like an attacker with BloodHound open. From any compromised account, what’s the shortest path to Domain Admin? If that path is three hops through misconfigured ACLs on a service account, that’s a three-step remediation problem. If it’s two hops through a Kerberoastable account with a weak password, that’s a password policy and account hygiene problem.

Every path BloodHound shows is a path an attacker will find and use. Work through them systematically, starting with the shortest ones.

AD Security Deep Dive: Active Directory security resources on Amazon — Sean Metcalf’s work and the associated AD security books are the definitive practitioner references for understanding and defending AD attack paths.

Active Directory attacks work because the platform is complex, configurations drift over time, and visibility into AD security posture requires deliberate investment. The good news is that the tools for both attacking and defending are mature and largely free. The practitioners who understand both sides are consistently better at both.