Professional & Enterprise

How Hackers Hack Active Directory — and How to Protect Yourself

How attackers compromise Active Directory domains — kerberoasting, DCSync, golden tickets — and defender controls that matter.

What attackers want from Active Directory

Active Directory (AD) is the identity backbone of essentially every enterprise Windows environment. Compromising AD grants access to every domain-joined user, computer, and service — the endgame of most enterprise ransomware campaigns runs through AD. Attackers do not need to compromise every system individually once domain admin is achieved; they own everything transitively.

The threat landscape is well-characterised and the attack playbook is mature. Initial access (typically via phishing, RDP compromise, or exposed service) → user-level foothold → credential harvesting via LSASS, Kerberoasting, AS-REP Roasting → privilege escalation via misconfigured ACLs, unconstrained delegation, or ADCS vulnerabilities → domain admin → ransomware deployment, data exfiltration, or persistent implantation via Golden Tickets and DCSync. Each link in this chain has well-documented detections and defences; the gap is consistent defensive discipline across the whole environment.

This page is written for IT and security teams managing AD at any scale. The attack techniques have been public knowledge for a decade (Mimikatz, BloodHound, Impacket, Rubeus are all open-source); the defences are also well-documented. Organisations that continue to suffer AD-based ransomware incidents in 2026 typically have well-known defensive gaps rather than sophisticated attacks against them.

How attackers actually do it

Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.

Kerberoasting

Any authenticated domain user can request Kerberos service tickets for SPN-registered service accounts. The tickets are encrypted with the service account's password hash — offline-crackable if the password is weak. Service accounts with weak passwords and high privileges are the frequent payoff target.

AS-REP Roasting

Accounts with "Do not require Kerberos preauthentication" enabled leak AS-REP responses that can be cracked offline. Usually affects legacy accounts; still widely present in enterprise environments from accumulated configuration drift.

LSASS memory extraction (Mimikatz and variants)

Attackers with local admin on any endpoint extract cached credentials, Kerberos tickets, and NTLM hashes from lsass.exe memory. Credentials of any user who has authenticated to that endpoint are exposed. Lateral movement via Pass-the-Hash and Pass-the-Ticket follows.

DCSync attacks

Any account with directory-replication permissions (Replicating Directory Changes) can request password-hash data directly from a domain controller via the legitimate replication protocol. Mimikatz and Impacket both automate this. Grants access to every password hash in the domain, including krbtgt — enabling Golden Ticket attacks.

Golden Ticket and Silver Ticket attacks

With the krbtgt account hash (obtained via DCSync or other means), attackers forge Kerberos TGTs that grant access to any service in the domain for any user. Persists through password changes for most accounts; only rotating krbtgt itself invalidates existing golden tickets. Silver tickets are similar but scoped to individual services using service-account hashes.

ADCS (Active Directory Certificate Services) vulnerabilities

ESC1-ESC16 vulnerability classes documented by SpecterOps (Certified Pre-Owned research). Misconfigured certificate templates allow low-privilege users to request certificates as high-privilege accounts, enabling privilege escalation to domain admin in many environments. Widely present in enterprise ADCS deployments.

BloodHound-guided attack path discovery

Attackers enumerate AD with BloodHound/SharpHound, identifying attack paths from current foothold to domain admin. Cypher queries reveal exploitable ACL misconfigurations, nested group memberships, Kerberos delegation issues. Defensive use of BloodHound is equally valuable for finding and closing these paths.

Unconstrained and constrained delegation abuse

Misconfigured Kerberos delegation allows compromised systems to impersonate arbitrary users to other services. Unconstrained delegation is particularly dangerous; constrained delegation with "Any authentication protocol" (protocol transition) enables similar attacks. Legacy deployments retain dangerous delegation configurations frequently.

How to recognise compromise

Signs that your active directory may have been compromised:

Event 4769 anomalies — unusual service-ticket request patterns

Kerberoasting activity produces distinctive 4769 event patterns: many service-ticket requests in short time windows, requests for unusual services, requests using weak encryption (RC4 instead of AES). SIEM rules for this pattern are standard detection.

LSASS access from unexpected processes

Mimikatz-style LSASS access generates distinctive Sysmon Event ID 10 entries. Process-access chains to lsass.exe from non-standard parent processes warrant investigation. Microsoft Defender for Endpoint detects most variants by default.

DCSync events on domain controllers

Event 4662 with replication permissions being exercised by accounts that should not have them = active DCSync attack. Requires auditing of directory access to detect; not enabled by default in many environments.

Golden Ticket indicators in Kerberos event logs

Event 4624 Type 3 with odd TGT characteristics (unusual encryption type, unexpected account lifetimes, anomalous PAC structure). Harder to detect than the preceding DCSync that creates the Golden Ticket.

Unexpected changes to privileged groups

Domain Admins, Enterprise Admins, Schema Admins, DCSync-capable groups — any changes to membership outside of approved change management = potential compromise. Event 4728/4732/4756 monitoring is essential.

Unusual new Kerberos Constrained Delegation configurations

Attackers adding delegation to compromised accounts for persistence or privilege escalation. Event 4742 for modifications to msDS-AllowedToDelegateTo or msDS-AllowedToActOnBehalfOfOtherIdentity.

What actually protects you

Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.

Tiered administrative model

Microsoft's PAW (Privileged Access Workstation) and enterprise tier model: separate tiers for domain admins (Tier 0), server admins (Tier 1), workstation admins (Tier 2). Tier 0 accounts only log into Tier 0 systems; never workstations or user systems where LSASS extraction could capture their credentials. Most single most important AD defensive practice.

Credential Guard and LSA Protection on all endpoints

Windows Credential Guard (virtualisation-based credential protection) prevents LSASS credential extraction on supported endpoints. RunAsPPL (LSA Protection) as a secondary defence. Enable across the environment; Microsoft Defender for Endpoint baseline policies make deployment straightforward.

Aggressive password policy for service accounts

Service accounts should use Group Managed Service Accounts (gMSAs) with 128-character auto-rotated passwords where possible. Where not possible, 30+ character complex passwords rotated regularly. Weak service-account passwords are the direct payoff target of Kerberoasting; strong passwords defeat the attack even if tickets are obtained.

Disable legacy authentication and cryptography

Remove RC4 Kerberos encryption support in favour of AES only. Disable NTLMv1. Consider moving to NTLM disabled entirely for modern environments. Legacy cryptographic support enables downgrade attacks and faster offline cracking.

Regular BloodHound assessments of the environment

Run SharpHound collection against your own AD periodically (quarterly minimum). Analyse attack paths in BloodHound. Fix discovered issues — misconfigured ACLs, nested-group surprises, unexpected privilege paths. Defensive BloodHound is the counter to offensive BloodHound — use the same tool.

Audit and restrict Kerberos delegation configurations

Inventory all constrained and unconstrained delegation. Remove unconstrained delegation wherever possible (almost always unnecessary in modern deployments). Review constrained delegation targets — remove obsolete ones. Replace with resource-based constrained delegation where applicable (more secure model).

ADCS hardening against ESC-class vulnerabilities

Review certificate templates with Certify or similar tools. Disable or restrict ESC-vulnerable configurations. Limit enrolment to expected principals. Remove unnecessary EKU options. Address the specific ESC patterns documented by SpecterOps; most environments have multiple fixable issues.

Regular krbtgt password rotation

krbtgt password rotation twice (not once — must be done in sequence to force re-keying) invalidates outstanding Golden Tickets. Annual rotation at minimum; after any suspected compromise, emergency rotation. Microsoft provides tools to automate the double-rotation correctly.

Tiered account scheme — separate admin and user accounts

Never use the same account for email/browsing and for domain administration. Admin accounts should be explicitly created for admin use, not synced to cloud email, not used for general browsing. Essential for containing phishing and endpoint compromise impact.

SIEM with AD-specific detection rules

Splunk, Microsoft Sentinel, Elastic Security — all have AD-specific detection content. Kerberoasting detection, DCSync detection, privileged group changes, Golden Ticket indicators. Without SIEM capability, many AD attacks produce ample log evidence that never gets reviewed.

🚨 If You've Been Compromised

Recovery steps in priority order

Isolate compromised systems while preserving forensics. Disconnect from network without shutting down — preserves RAM contents and running processes for incident investigation.
Engage professional incident response. AD-level incidents are beyond most internal teams; Mandiant, CrowdStrike, Unit 42, Kroll all have dedicated AD forensics capability. Do not attempt to clean up without expert help — missing attacker persistence in AD is functionally permanent compromise.
Treat the incident as domain-wide until proven otherwise. AD footprint of attacker activity can be extensive and subtle. Assume full tenant compromise; validate scope downward with forensics, not upward from the initial discovery.
Double-rotate krbtgt password. Standard recovery step after confirmed or strongly suspected DCSync/Golden Ticket compromise. Must be executed twice with appropriate timing; invalidates outstanding Golden Tickets.
Force password reset for all users and reset service account credentials. Domain-wide password reset is disruptive but necessary after confirmed compromise. Service accounts need special handling — sequence resets to avoid service outages.
Rebuild compromised Tier 0 systems from clean media. Domain controllers, if compromised at OS level, should be rebuilt rather than cleaned. Forest-recovery procedures from Microsoft are the formal reference for severe DC compromise.
Review and remediate attack paths identified during incident. Misconfigured ACLs, delegation issues, ADCS templates, privileged-group memberships — root causes that enabled the compromise need fixing, not just the immediate attacker presence removed.
Implement architectural improvements as part of recovery. Tiered administrative model, Credential Guard deployment, ADCS hardening, BloodHound-guided path remediation. Post-incident is the organisational moment to make these investments; defer and the next incident looks identical.
Notify regulatory bodies and affected parties as required. GDPR, CCPA, sector-specific regulators. AD compromise frequently meets notification thresholds for personal data exposure.

👥 For Organisations & Defenders

AD security programme maturity

For organisations building out AD security, the maturity curve runs: (Level 1) Basic hygiene — strong passwords, MFA for admins, domain controllers patched, basic logging enabled; (Level 2) Tiered administrative model, Credential Guard deployed, LAPS for local admin passwords, SIEM with AD detection rules, regular password rotation for service accounts; (Level 3) Microsoft Defender for Identity (or equivalent), proactive BloodHound assessments, ADCS hardening complete, automated detection and response playbooks; (Level 4) Red-team testing of AD defences regularly, integration with broader security posture management, measured metrics on Tier 0 access, continuous attack-path remediation. Most organisations should target Level 2 minimum; any organisation with meaningful cyber exposure should aim for Level 3.

The realistic threat against AD is ransomware. Ransomware operators run the Kerberoasting / DCSync / Golden Ticket playbook routinely; their success rate reflects the defensive maturity of target environments. Cyber insurance increasingly requires evidence of AD hardening (Tier 0 isolation, MFA for admins, Defender for Identity or equivalent) before offering or renewing coverage. The regulatory environment is trending toward expecting AD security as table stakes for enterprise security programmes.

Operational practices distinguishing mature from immature programmes: documented Tier 0 inventory with explicit policy, regular BloodHound assessment with tracked remediation, quarterly krbtgt rotation (double-rotation done correctly), incident-response runbooks specifically for AD compromise, tabletop exercises on Golden Ticket and DCSync scenarios, measured metrics on privileged account count and dormant-account hygiene. Tools exist; operational discipline is the gap.

Frequently Asked Questions

Not fundamentally — but the complexity and accumulated legacy of typical enterprise AD deployments creates substantial attack surface. AD is secureable; organisations with mature security programmes (Microsoft's own internal practices, mature financial institutions, dedicated government networks) run AD with robust defences. The "AD is insecure" perception reflects typical-deployment reality rather than platform limits.

Tiered administrative model — separate accounts for domain administration that never log into non-admin systems. This single practice defeats the LSASS credential extraction attack chain that underpins most AD compromises. Compared with other defensive investments, the ROI is unusually favourable. Not the only necessary control, but the foundational one.

BloodHound is a graph-based attack-path analysis tool originally built for red-team AD reconnaissance. Defensive use is equally valuable — run SharpHound collection against your own environment, analyse attack paths, fix discovered issues. SpecterOps also offers BloodHound Enterprise as a commercial product for ongoing defensive use. Essential tooling for any organisation serious about AD security.

Depends on service-account password strength. Weak service-account passwords (under 15 characters, common words, predictable patterns) crack offline within hours to days of ticket capture. Strong service-account passwords (30+ characters, random) resist offline cracking. gMSAs with 128-character auto-rotated passwords are functionally uncrackable offline. Kerberoasting is devastating against weak service accounts; ineffective against properly-protected ones. Password strength is the decisive factor.

Azure AD (rebranded to Microsoft Entra ID) is Microsoft's cloud identity service, used by Microsoft 365 and most cloud applications. It is architecturally different from on-premises AD — flatter, cloud-native, different protocols (SAML, OIDC, OAuth vs Kerberos). Hybrid AD (both on-prem and Azure AD) is common and creates combined attack surface. Azure AD has its own security model (Conditional Access, Identity Protection) which is more modern than on-prem AD. Migration to Azure AD (cloud-first identity) is the strategic direction for most organisations; on-prem AD will persist as legacy for years but investment should favour cloud-first.

Microsoft's specific AD-monitoring product — deploys sensors on domain controllers to detect Kerberoasting, DCSync, Golden Ticket, credential theft, and related AD-specific attack patterns. Functionally similar to tools from CrowdStrike (Falcon Identity), SentinelOne (Ranger AD), and others. Essentially required for any meaningful AD security posture; the specific vendor choice matters less than having the capability.

For some organisations — yes. Cloud-native startups often deploy purely with Azure AD / Okta / similar without on-prem AD. Organisations heavily invested in Windows Server infrastructure face longer migration paths. For most enterprises, complete AD elimination is a multi-year journey; incremental reduction (cloud-first for new applications, gradual migration of existing) is more realistic. The long-term direction is unambiguously toward cloud identity; planning should reflect that.

DC-specific hardening: Server Core installation (smaller attack surface), dedicated hardware or isolated VMs (not on general-purpose virtualisation), network isolation (DC network separate from general network), aggressive patching (DCs on shortest patching SLA), restrictive firewall policies (only required protocols exposed), dedicated Tier 0 management, regular backup validation including offline copies. DCs are among the highest-value targets; invest proportionally in protecting them.

Forged Kerberos TGT granting attacker access to any service as any user in the domain, achieved by compromising the krbtgt account hash (via DCSync or domain admin access). Worth being worried about — Golden Tickets persist through password changes of other accounts and provide essentially permanent backdoor access until krbtgt is rotated. Defensive priorities: prevent the DCSync that creates the ticket, monitor for Golden Ticket usage indicators, rotate krbtgt regularly and after any suspected compromise. Detection is harder than prevention; prevention priorities higher.

For any organisation with Tier 0 administration needs and meaningful threat exposure — yes. PAW (Privileged Access Workstation) is a specific architecture separating privileged administration from everyday computing. Administrators use a dedicated workstation for admin tasks; that workstation is locked down specifically for that purpose. Investment in PAW is moderate (hardware, admin-experience change, operational integration) but security benefit is substantial. Microsoft publishes detailed PAW deployment guidance.

Mr Elite Founder, SecurityElites.com · Penetration Tester · Educator

Active Directory security is a specific discipline, not a subset of general IT security. The attack playbook is mature, the tooling is public, and the defensive practices are documented — but most enterprises still treat AD as infrastructure rather than as a primary security concern. Ransomware operators exploit that gap consistently. If you manage AD, the investment in Tier 0 isolation, Credential Guard deployment, regular BloodHound assessment, ADCS hardening, and SIEM with AD detection rules pays off against actual threats your organisation faces. The work is not glamorous; it is not zero-day research or nation-state defence. It is systematic application of well-known controls to well-known attack surface. That work is what separates organisations that weather ransomware attempts from organisations that end up on incident-response call sheets.