Introduction: Why Active Directory Is the Ultimate Target
Active Directory (AD) is the central nervous system of most enterprise environments. It governs authentication, authorization, identity management, and access control across users, systems, and applications. When Active Directory is compromised, attackers often gain complete control of the organization.
Modern attackers rarely rely on single exploits. Instead, they chain misconfigurations, weak credentials, legacy protocols, and poor visibility to move laterally and escalate privileges until they reach Domain Admin or full domain compromise.
This article breaks down the Top 10 Active Directory attack methods every security professional—blue team, red team, or architect—must understand. For each technique, we’ll examine:
- ✅ How the attack works
- ✅ Why it succeeds in real environments
- ✅ The security impact
- ✅ Practical mitigation strategies
1. Kerberoasting
Overview
Kerberoasting targets service accounts that use Kerberos authentication. Any authenticated domain user can request service tickets (TGS tickets) for Service Principal Names (SPNs).
How the Attack Works
- Attacker enumerates SPNs in the domain
- Requests Kerberos service tickets
- Extracts encrypted ticket hashes
- Performs offline brute-force or dictionary attacks
Because this cracking happens offline, it does not trigger account lockouts or alerts.
Why It Works
- Service account passwords are often long‑lived
- Passwords are often weak or never rotated
- Kerberos encryption allows offline cracking
Impact
- Compromise of service accounts
- Often leads to privilege escalation
- Possible lateral movement to domain controllers
Mitigation
- Use Group Managed Service Accounts (gMSA)
- Enforce long, complex passwords for service accounts
- Monitor for abnormal TGS requests
- Rotate service account credentials regularly
2. Password Spraying
Overview
Password spraying attempts a single common password (e.g., Welcome@123) against many user accounts.
How the Attack Works
- Attacker enumerates valid usernames
- Attempts one password across thousands of users
- Avoids account lockouts by spacing attempts
Why It Works
- Shared passwords across users
- Weak password policies
- Lack of MFA on internal services
Impact
- Stealthy compromise of multiple accounts
- Initial beachhead for further AD attacks
Mitigation
- Enforce strong password policies
- Deploy multi-factor authentication
- Monitor for authentication attempts across many users
3. LLMNR / NBT-NS Poisoning
Overview
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are legacy protocols used for name resolution on Windows networks.
How the Attack Works
- A system broadcasts a request for a hostname
- Attacker responds pretending to be the destination
- Victim sends NTLM authentication to attacker
Why It Works
- Enabled by default in many environments
- Older protocol fallback behavior
- Lack of network segmentation
Impact
- NTLM hash capture
- Credential relay attacks
- Lateral movement
Mitigation
- Disable LLMNR and NBT-NS
- Enforce SMB signing
- Move to DNS-only name resolution
- Monitor for suspicious NBNS traffic
4. Pass-the-Hash (PtH)
Overview
Pass-the-Hash allows attackers to authenticate using NTLM password hashes without knowing the plaintext password.
How the Attack Works
- Attacker extracts NTLM hashes from memory or disk
- Reuses the hash to authenticate to other systems
- Moves laterally across the domain
Why It Works
- NTLM authentication allows hash reuse
- Credentials often reused across systems
- Poor credential hygiene
Impact
- Rapid lateral movement
- Domain-wide compromise using one hash
Mitigation
- Disable NTLM where possible
- Enable Credential Guard
- Use Restricted Admin Mode
- Enforce unique local admin passwords (LAPS)
5. Default Credentials
Overview
Default credentials remain one of the most overlooked attack vectors.
How the Attack Works
- Attackers scan servers, appliances, and services
- Test vendor default credentials
- Gain immediate access
Why It Works
- Poor system hardening
- Forgotten appliances or test systems
- Shadow IT
Impact
- Immediate system compromise
- Often includes privileged accounts
Mitigation
- Enforce baseline hardening
- Audit all systems for default credentials
- Remove unused accounts
6. Hard‑coded Credentials
Overview
Hard-coded credentials are plaintext passwords embedded in scripts, apps, or configuration files.
How the Attack Works
- Attacker scans scripts, repositories, or SYSVOL
- Extracts stored credentials
- Uses them for lateral access
Why It Works
- Legacy scripts
- Poor secure coding practices
- Credentials stored for automation convenience
Impact
- Silent credential theft
- Often includes elevated accounts
Mitigation
- Use secure credential vaults
- Scan code repositories
- Never store plaintext passwords
7. Privilege Escalation via AD Misconfigurations
Overview
Privilege escalation abuses AD object permissions and misconfigurations.
Common Issues
- Unconstrained delegation
- Weak ACLs on OUs or GPOs
- Excessive permissions (WriteDACL, GenericAll)
Impact
- Standard user → Domain Admin
- Persistence across the domain
Mitigation
- Regular AD permission audits
- Least privilege enforcement
- Remove legacy delegations
8. LDAP Reconnaissance
Overview
LDAP is used to query AD objects. Attackers abuse LDAP to map out the environment.
What Attackers Enumerate
- Users and groups
- Admin accounts
- Service accounts
- Trust relationships
Why It Works
- LDAP read access is widely available
- Minimal logging by default
Impact
- Precision targeting of high-value assets
- Enables attack path planning
Mitigation
- Enable LDAP logging
- Monitor unusual query volumes
- Reduce excessive read permissions
9. BloodHound Reconnaissance
Overview
BloodHound uses graph theory to visualize AD relationships and identify attack paths.
How It Works
- Collects AD data
- Maps relationships between users, groups, and permissions
- Automatically identifies privilege escalation paths
Impact
- Reveals hidden paths to Domain Admin
- Exposes years of accumulated misconfigurations
Mitigation
- Treat BloodHound findings as security debt
- Regularly audit relationships
- Remove unnecessary privileges
10. NTDS.dit Extraction
Overview
NTDS.dit is the Active Directory database, containing all user password hashes.
How the Attack Works
- Attacker gains Domain Controller access
- Extracts NTDS.dit using backup or shadow copy techniques
- Performs offline password cracking
Impact
- Full domain credential compromise
- Total organizational takeover
Mitigation
- Tiered administration model
- Monitor DC access rigorously
- Protect backup and shadow copy access
- Enforce EDR on Domain Controllers
Final Thoughts: Defense Starts with Understanding
Active Directory attacks succeed not because they are advanced, but because they exploit legacy design, accumulated misconfigurations, and weak operational discipline.
Effective defense requires:
- Continuous monitoring
- Regular AD security assessments
- Addressing misconfigurations, not just alerts
💬 Which of these attack vectors is the most difficult to mitigate in your environment—and why?