Top 5 Active Directory Attacks Every Defender Must Understand

Active Directory remains the backbone of authentication and authorization in most enterprise Windows environments. Its design prioritizes scalability and interoperability, but those same design decisions introduce attack paths that skilled adversaries routinely exploit.

Modern AD attacks rarely rely on exploits or malware. Instead, attackers abuse legitimate features—Kerberos tickets, replication rights, NTLM authentication, and misconfigured permissions—to escalate privileges silently.

This article examines five of the most dangerous and commonly abused Active Directory attacks, explaining their protocol mechanics, prerequisites, execution flow, and defensive implications.

1. Kerberoasting

Technical Overview

Kerberoasting exploits a fundamental property of Kerberos service authentication. When a user requests access to a service registered with a Service Principal Name (SPN), the Key Distribution Center (KDC) returns a service ticket (TGS) encrypted with the service account’s long-term key, which for RC4 tickets is the account’s NTLM hash.

Crucially:

  • Any authenticated domain user can request these tickets
  • The encryption key is derived from the service account password
  • The ticket can be cracked offline, without interacting with the domain again

Attack Mechanics

  1. Attacker authenticates as any low-privilege user
  2. Queries Active Directory for accounts with SPNs
  3. Requests Kerberos service tickets for those SPNs
  4. Extracts the encrypted ticket from memory or disk
  5. Performs offline password cracking

Because cracking happens offline, the password guessing itself causes no failed logons, account lockouts or alerts; only the initial ticket requests leave a trace on the domain controller.

Why It Works So Well

  • Service accounts often use long-lived passwords
  • Many are never rotated
  • Some have Domain Admin or delegated privileges
  • Kerberos was never designed to protect against offline cracking

Real-World Impact

A cracked service account password often results in:

  • Lateral movement
  • Privilege escalation
  • Persistence via scheduled tasks or services

Defensive Notes

  • Use Group Managed Service Accounts (gMSA)
  • Enforce long, random passwords
  • Monitor abnormal Kerberos TGS requests

2. Pass-the-Hash (PtH)

Technical Overview

Pass-the-Hash abuses the fact that NTLM authentication accepts password hashes as credentials. If an attacker obtains an NTLM hash, they can authenticate without knowing the plaintext password.

Attack Mechanics

  1. Attacker extracts NTLM hashes from memory (e.g., LSASS)
  2. Hash is reused to authenticate to another system
  3. Target system validates hash against domain controller
  4. Access is granted as if the user typed their password

Key Technical Insight

NTLM uses a challenge-response mechanism, but the response is computed from the NTLM hash alone, so possessing the hash is equivalent to knowing the password. Nothing in the exchange binds it to the system where the user originally logged on.

Why It’s Dangerous

  • Password changes do not invalidate cached hashes
  • Works across systems with identical local admin passwords
  • Extremely effective in flat networks

Typical Attack Chain

PtH is often used after Kerberoasting or credential dumping, enabling attackers to:

  • Move laterally
  • Access file servers
  • Reach domain controllers

Defensive Notes

  • Disable NTLM where possible
  • Enforce Credential Guard
  • Use unique local administrator passwords
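The two heuristics below, written for this article as an added example and not part of the original text, show how a defender can triage Windows Security Event ID 4624 records for the NTLM behaviour described above: a NewCredentials logon through the seclogo logon process on the host where a hash is injected, and an NTLM network logon with no session key on the host being accessed, enriched with whether the target is a local account (the shared-local-admin case). Events are assumed to be already parsed into dicts keyed by the 4624 field names; host and user names in the sample log are constructed.

```python
"""Pass-the-Hash heuristics over Windows Security Event ID 4624 records."""
ANONYMOUS = "ANONYMOUS LOGON"

def is_pth_source(e):
    # Host where the hash is injected: NewCredentials logon (type 9) via the
    # 'seclogo' process with Negotiate. 'runas /netonly' looks the same, so
    # treat this as a lead to corroborate, not a verdict.
    return (e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo"
            and e["AuthenticationPackageName"] == "Negotiate")

def is_pth_target(e):
    # Host being accessed: NTLM network logon with no session key negotiated
    # (KeyLength 0) and a null subject SID; anonymous logons are noise.
    return (e["LogonType"] == 3 and e["LogonProcessName"] == "NtLmSsp"
            and e["KeyLength"] == 0 and e["SubjectUserSid"] == "S-1-0-0"
            and e["TargetUserName"] != ANONYMOUS)

def is_local_account(e):
    # Domain accounts carry the domain NetBIOS name; local accounts carry the
    # target computer's own hostname (where shared local admin passwords bite).
    return e["TargetDomainName"].upper() == e["Computer"].split(".")[0].upper()

def triage(events):
    """Return (computer, user, reason) for each 4624 matching a heuristic."""
    hits = []
    for e in (x for x in events if x["EventID"] == 4624):
        if is_pth_source(e):
            hits.append((e["Computer"], e["TargetUserName"], "pth-source-seclogo"))
        elif is_pth_target(e):
            reason = "ntlm-network-logon" + ("-local-account" if is_local_account(e) else "")
            hits.append((e["Computer"], e["TargetUserName"], reason))
    return hits

def ev(**fields):
    # Constructed 4624 record with benign defaults; override per case.
    base = {"EventID": 4624, "Computer": "WS01.corp.local", "LogonType": 3,
            "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
            "KeyLength": 0, "SubjectUserSid": "S-1-0-0",
            "TargetUserName": "alice", "TargetDomainName": "CORP"}
    return {**base, **fields}

SAMPLE_EVENTS = [                                   # constructed sample log
    ev(),                                           # ordinary Kerberos logon
    ev(LogonType=9, LogonProcessName="seclogo",     # hash injected on WS01
       AuthenticationPackageName="Negotiate", TargetUserName="bob"),
    ev(Computer="FS02.corp.local", LogonProcessName="NtLmSsp",   # reused on FS02
       AuthenticationPackageName="NTLM", TargetUserName="Administrator",
       TargetDomainName="FS02"),
    ev(LogonProcessName="NtLmSsp", AuthenticationPackageName="NTLM",
       TargetUserName=ANONYMOUS, TargetDomainName="NT AUTHORITY"),
]
```

Both rules fire on legitimate activity often enough that the output is a queue for corroboration (source host, time, follow-on logons), not an alert on its own.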

3. Golden Ticket Attack

Technical Overview

A Golden Ticket attack forges Kerberos Ticket Granting Tickets (TGTs) using the password hash of the KRBTGT account, the key with which the KDC encrypts every TGT it issues.

The KRBTGT account is the cryptographic root of trust for Kerberos in the domain.

Attack Mechanics

  1. Attacker obtains KRBTGT NTLM hash
  2. Creates a forged TGT with arbitrary privileges
  3. Injects ticket into session
  4. Authenticates as any user, including Domain Admin

What Makes It So Powerful

  • Tickets can be valid for years
  • Forging the ticket requires no communication with a domain controller
  • Changing ordinary user passwords does not invalidate it; only a KRBTGT reset does

Persistence Aspect

Golden Tickets are one of the strongest persistence mechanisms in Active Directory:

  • Domain rebuild often required
  • Detection is extremely difficult

Defensive Notes

  • Rotate the KRBTGT password twice (the KDC still accepts tickets encrypted under the previous key, so a single reset leaves forged tickets valid)
  • Monitor abnormal TGT lifetimes
  • Restrict domain controller access aggressively

4. DCSync Attack

Technical Overview

DCSync abuses the directory replication protocol (MS-DRSR) that domain controllers use to synchronize with each other. If an account holds replication privileges, it can request the password hashes of any user, including Domain Admins, exactly as a partner domain controller would.

Attack Mechanics

  1. Attacker compromises an account with replication rights
  2. Sends a replication request to a domain controller
  3. Domain controller responds with password hashes
  4. Attacker gains full credential database access

Why This Is Devastating

  • No malware required
  • Looks like legitimate replication traffic
  • Grants complete domain compromise

Common Misconfigurations

  • Excessive delegated privileges
  • Backup or monitoring accounts with replication rights
  • Over-permissioned service accounts

Defensive Notes

  • Audit replication permissions
  • Monitor for unauthorized replication requests
  • Limit who can act as a domain controller
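Replication requests are audited as Event ID 4662 on the domain controller, so the "monitor for unauthorized replication requests" note above can be turned into a concrete check. The code below is an added example, not from the article: it looks for the well-known extended-right GUIDs for DS-Replication-Get-Changes, -All and -In-Filtered-Set in the Properties field and flags any subject that is neither a domain controller nor a sanctioned sync account. Events are assumed pre-parsed into dicts; the DC names, the sync account name and the sample log are constructed.

```python
"""Flag directory-replication requests (DCSync) in Event ID 4662 records."""
import re

# Extended-right GUIDs that grant replication; a DCSync pull of secrets needs
# Get-Changes plus Get-Changes-All (the latter releases password hashes).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
CONTROL_ACCESS = "0x100"                     # AccessMask for extended rights

DC_ACCOUNTS = {"DC01$", "DC02$"}             # constructed: the domain's DCs
ALLOWED_SYNC = {"svc_aadconnect"}            # constructed: sanctioned sync account

def replication_rights(properties):
    """Names of replication rights referenced in a 4662 Properties field."""
    return sorted(REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
                  if g.lower() in REPLICATION_RIGHTS)

def find_dcsync(events):
    """Return (subject, domain, dc, rights) for replication requests made by
    anything other than a domain controller or a sanctioned sync account."""
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != CONTROL_ACCESS:
            continue
        rights = replication_rights(e["Properties"])
        who = e["SubjectUserName"]
        if rights and who not in DC_ACCOUNTS and who not in ALLOWED_SYNC:
            hits.append((who, e["SubjectDomainName"], e["Computer"], rights))
    return hits

def ev(user, props, mask=CONTROL_ACCESS):
    # Constructed 4662 record as logged on DC01 (constructed name).
    return {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": user,
            "SubjectDomainName": "CORP", "ObjectServer": "DS",
            "AccessMask": mask, "Properties": props}

REPL_PROPS = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
              "{19195a5b-6da0-11d0-afd3-00c04fd930c9}")   # last one: domainDNS class

SAMPLE_EVENTS = [                                # constructed sample log
    ev("DC02$", REPL_PROPS),                     # partner DC: normal replication
    ev("svc_aadconnect", REPL_PROPS),            # sanctioned directory sync
    ev("backup_svc", REPL_PROPS),                # over-permissioned backup account
    ev("alice", "{bf967aba-0de6-11d0-a285-00aa003049e2}", mask="0x10"),  # plain read
]
```

Keep the allow-list short and reviewed: every name on it is, by definition, an account whose compromise equals a DCSync.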

5. AS-REP Roasting

Technical Overview

AS-REP Roasting targets users configured with “Do not require Kerberos preauthentication”. For such users the KDC answers an AS-REQ immediately with an AS-REP whose encrypted part is protected by the user’s long-term key (the NTLM hash for RC4), without first verifying that the requester knows the password.

Attack Mechanics

  1. Attacker enumerates users without preauthentication
  2. Sends an AS-REQ for each such user, with no pre-authentication data
  3. Receives encrypted AS-REP
  4. Cracks offline to recover password

Why It Still Happens

  • Legacy systems
  • Misconfigured service accounts
  • Poor understanding of Kerberos flags

Impact

  • Often yields real user passwords
  • Can compromise VPN or cloud-synced accounts
  • Enables initial foothold without credentials

Defensive Notes

  • Enforce Kerberos preauthentication
  • Monitor AS-REQ failures
  • Regularly audit user account flags
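Both roasting attacks on this page, Kerberoasting (section 1) and AS-REP Roasting (section 5), leave their trace in the KDC’s ticket-request events: 4769 (service ticket) and 4768 (TGT). The following added example, not from the article, runs two checks over such events: one account pulling many distinct RC4-encrypted service tickets, and any TGT issued with pre-authentication type 0 and an RC4 key. Events are assumed pre-parsed into dicts keyed by the 4768/4769 field names; the threshold and the sample log are constructed.

```python
"""Roasting indicators in Kerberos ticket-request events (4768 and 4769)."""
from collections import defaultdict

RC4 = "0x17"           # TicketEncryptionType RC4-HMAC: keyed by the NT hash
SPN_THRESHOLD = 5      # distinct RC4 service tickets per account in the log window

def find_kerberoasting(events):
    """Accounts that pulled many distinct RC4 service tickets: map of
    account -> number of distinct SPNs. Tickets for computer accounts
    (ServiceName ending in '$') are ignored; their passwords are random."""
    spns = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4
                and not e["ServiceName"].endswith("$")):
            spns[e["TargetUserName"]].add(e["ServiceName"])
    return {u: len(s) for u, s in spns.items() if len(s) >= SPN_THRESHOLD}

def find_asrep_roasting(events):
    """Accounts issued a TGT with no pre-authentication (PreAuthType 0) and an
    RC4 key: exactly the AS-REP an attacker can take offline."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0"
                   and e["TicketEncryptionType"] == RC4})

def ev(eid, user, svc="", etype=RC4, preauth="2"):
    # Constructed record carrying only the fields the checks read.
    return {"EventID": eid, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "PreAuthType": preauth}

SAMPLE_EVENTS = (                                   # constructed sample log
    [ev(4768, "alice", etype="0x12"),               # normal AES logon
     ev(4769, "alice", "cifs/FS01", "0x12")]
    + [ev(4769, "mallory", s) for s in (            # one RC4 ticket per SPN
        "MSSQLSvc/DB01:1433", "http/WEB01", "cifs/FS01",
        "MSSQLSvc/DB02:1433", "ldap/DC01")]
    + [ev(4769, "mallory", "WS01$"),                # computer account: ignored
       ev(4768, "svc_legacy", preauth="0")]         # pre-auth disabled, RC4
)
```

An AS-REP hit is worth acting on even without an attacker in the picture: it names an account whose flag should be fixed before anyone requests its AS-REP.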