
Identity Crisis: The CISO’s Guide to Preventing Active Directory Threats

28 November 2024

 

Microsoft Active Directory (AD) is widely used around the world as the cornerstone of digital identity and the primary means of authentication and authorisation for nearly a billion users.

Unfortunately, it’s exactly this ubiquity, along with its deep integration into critical business operations, that makes Active Directory an increasingly attractive target for sophisticated threat actors. In fact, about half of the organizations that rely on AD have experienced an attack against it in the last two years, contributing to a 2.75x increase in ransomware attacks year over year. Worse yet, attackers are becoming much more efficient, and with the growing influence of generative AI, their speed will only accelerate.

Understanding these attack vectors is crucial not just for technical teams (see our deep dive on the technical details here), but also for executive leadership responsible for managing organizational risk and security investment decisions. The business impact of a successful Active Directory compromise can be catastrophic, potentially affecting every system, service, and user within the enterprise ecosystem.

At NCC Group, our DFIR and Threat Intelligence teams have been tracking the latest AD attacks to learn how we can help you defend against these threats. Alongside prevention guidance specific to each attack, we’ll also share some overarching prevention tips.

Here’s what we’ve learned:

 

Cool off Kerberoasting

With a 100% increase in attacks from 2022-2023, Kerberoasting has become one of the most prominent AD attack vectors—and also the hardest to detect.

In this attack, hackers exploit the Kerberos authentication protocol, obtaining service tickets and then cracking those tickets offline to recover the service account’s password. Once they’ve uncovered a viable password, they simply log back into your network with those credentials and then move about as they choose.

This attack is especially dangerous because service ticket requests are legitimate activities, which means they won’t appear to be malicious and can easily masquerade as completely normal. And, because a wide range of directory services and cloud platforms rely on Kerberos, a breach gives attackers unfettered access to a broad array of options to exploit.

Cool off your Kerberoasting risk with these tips:

  • Routinely audit service accounts and configure Kerberos for stronger encryption like AES256.
  • Apply “Protected Users” Group status to high-value accounts for stronger encryption.
  • Restrict service account delegation unless absolutely necessary. Unconstrained delegation is the default setting for any account with an SPN set.
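Because the ticket requests themselves are legitimate, the detectable signal is a single requester pulling RC4-encrypted service tickets for many user-owned service accounts in a short window. The following is an added example, not code from the NCC Group post, that applies that logic to constructed Windows Security event 4769 records; the field names follow the 4769 event schema, and the accounts, hosts and threshold are assumptions.

```python
# Added example (not from the NCC Group post): flag Kerberoasting-style
# service ticket requests in constructed Windows Security event 4769 records.
# The sample events below are constructed, not real log data.

# Kerberos encryption type as logged in the 4769 TicketEncryptionType field.
RC4_HMAC = "0x17"  # weak; the type Kerberoasting tools ask for (AES is 0x11/0x12)

# Constructed sample of 4769 (TGS request) events.
SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5",
     "ServiceName": "WEBSRV01$", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "bob@CORP.LOCAL", "IpAddress": "10.0.0.9",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "bob@CORP.LOCAL", "IpAddress": "10.0.0.9",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "bob@CORP.LOCAL", "IpAddress": "10.0.0.9",
     "ServiceName": "svc_sharepoint", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "carol@CORP.LOCAL", "IpAddress": "10.0.0.7",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
]

def is_roastable_request(event):
    """True when a user (not machine) account's service ticket was issued
    with RC4. Machine accounts ($) and krbtgt are excluded: their keys are
    random, so offline guessing of a human-chosen password does not apply."""
    svc = event["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return event["TicketEncryptionType"] == RC4_HMAC

def kerberoast_suspects(events, threshold=3):
    """Return requesters (user, source IP) that pulled RC4 tickets for at
    least `threshold` distinct service accounts; bulk requests are the
    Kerberoasting signature that single legitimate requests lack."""
    per_requester = {}
    for ev in events:
        if is_roastable_request(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            per_requester.setdefault(key, set()).add(ev["ServiceName"])
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (user, ip), services in kerberoast_suspects(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

Once service accounts are moved to AES-only keys, any remaining RC4 ticket for them is itself worth an alert, since nothing legitimate should request one.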

 

Throw a Wrench in DCSync

Organizations typically have multiple Domain Controllers in place for redundancy or for managing local authentication and access policy. These DCs routinely synchronize credentials across the environment—which is where attackers strike. By infiltrating one DC and mimicking the synchronization, hackers can extract credentials, including password hashes, from other DCs without even accessing the target machine’s memory.

Like Kerberoasting, this looks like normal behavior, making it extremely hard to detect. One tell is the account performing the replication: in legitimate replication it is the hostname of a Domain Controller, whereas in an attack it is an ordinary user object name.

Here’s how to thwart DCSync:

  • Restrict replication permissions in AD. Limit permissions only to trusted admin accounts with high privileges like Domain and Enterprise Admins.
  • Monitor for unusual replication, particularly the use of the DRSUAPI function, but be mindful that, even with detection rules, the results often include a lot of false positives.
  • Audit high-privileged AD groups for unnecessary user accounts.
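The replication-rights check described above can be expressed directly as detection logic: a 4662 event whose Properties list the "Replicating Directory Changes" control-access rights, requested by something other than a Domain Controller computer account. The following is an added example, not code from the NCC Group post; the sample events, the DC names and the sync service account in the allowlist are constructed, while the three rights GUIDs are the standard Active Directory values.

```python
# Added example (not from the NCC Group post): flag DCSync-style replication
# in constructed Windows Security event 4662 records. Legitimate replication
# is performed by Domain Controller computer accounts; a user account
# exercising replication rights is the signal. Sample events, DC names and
# the sync service account name are constructed.

# Control-access right GUIDs that appear in 4662 "Properties" for replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: DC computer accounts plus any verified
# directory-sync service account. Maintaining this list is what keeps the
# false-positive rate the post warns about under control.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_SYNC_EXAMPLE"}  # constructed names

SAMPLE_4662 = [  # Properties mimics the event's "%%7688" (Control Access) layout
    {"SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "Properties": "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

def replication_rights_used(event):
    """Return the friendly names of any replication rights in Properties."""
    tokens = [t.strip("{}").lower() for t in event["Properties"].split()]
    return [REPLICATION_RIGHTS[t] for t in tokens if t in REPLICATION_RIGHTS]

def is_dcsync_candidate(event):
    """A replication right exercised by an account that is not a known replicator."""
    if not replication_rights_used(event):
        return False
    known = {n.upper() for n in KNOWN_REPLICATORS}
    return event["SubjectUserName"].upper() not in known

def dcsync_alerts(events):
    """(DOMAIN\\account, [rights]) for every suspicious replication event."""
    return [(e["SubjectDomainName"] + "\\" + e["SubjectUserName"], replication_rights_used(e))
            for e in events if is_dcsync_candidate(e)]

if __name__ == "__main__":
    for who, rights in dcsync_alerts(SAMPLE_4662):
        print(f"possible DCSync: {who} used {', '.join(rights)}")
```

Event 4662 is only generated when "Audit Directory Service Access" is enabled and the domain object's SACL audits control-access rights, so confirm that auditing is in place before relying on this rule.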

 

Take Aim at ADCS Abuse

Despite playing a vital role in identity management, Active Directory Certificate Services (ADCS) is often overlooked in security audits. First thoroughly exposed as a vulnerability in 2022, ADCS abuse can take nearly two dozen forms, but all have one thing in common: they rely on misconfigurations.

Again, because ADCS abuse leverages legitimate functionalities, plus the fact that certificates can remain active for extended periods of time (unlike passwords), ADCS abuse can easily go undetected.

Here’s how to prevent it instead:

  • Harden configuration across the service. Use hardening guides and robust testing to validate configuration before it goes into production.
  • Conduct regular security assessments for added peace of mind.
  • Limit permissions on certificate templates and disable any that are unused or vulnerable.
  • Use role-based access control (RBAC) for certificate authority access and implement strong key protection.
  • Monitor and audit certificate usage, reduce certificate lifetimes and shorten renewal policies to minimize the window of abuse.

 

Put a Lid on LDAP Recon

Conducting LDAP recon gives attackers a complete “lay of the land”—think Google Maps’ turn-by-turn directions for your network. After gaining access to a low-privilege account, hackers then perform LDAP queries to map the entire network and plan their next move. They can see it all: users and groups, roles, every computer, server or other networked device, and even understand your access control lists and group policies.

LDAP recon is often one of the first steps in a more complex AD attack, and automated tools like BloodHound and PowerView have made it even faster and more accessible. After finding high-value targets, hackers can then conduct precise, efficient attacks.

Prevent this nefarious recon by:

  • Enforcing LDAP signing to prevent actors from intercepting/modifying LDAP traffic.
  • Configuring LDAP over SSL/TLS to encrypt traffic.
  • Validating and sanitizing user inputs to prevent LDAP injection.
  • Monitoring LDAP logs to detect and respond to any suspicious behavior.

 

Preempt Pass-the-hash/Pass-the-ticket

In a PTH or PTT attack, hackers exploit a fundamental flaw in Windows authentication, stealing a hashed version of a user’s password and using it to authenticate on the same network. Unlike other credential theft attacks, pass-the-hash does not require the actual password, bypassing the need for hash cracking. Instead, the stolen hash is directly used to establish a new authenticated session.

One of the reasons this is so dangerous is because of its potential persistence: the stolen hash remains valid until the compromise is discovered and it is removed. Meanwhile, hackers can run amok on your network.

Here’s how to put a stop to the risk:

  • Monitor for suspicious behavior with security information and event management (SIEM) tools.
  • Leverage network segmentation to limit lateral movement in the event of unauthorized access.
  • Disable NTLM authentication and use more secure protocols like Kerberos (see our security tips highlighted around Kerberoasting above). NTLM will be deprecated by Microsoft in 2025 and no longer available on new installations from 2026.

 

AD Protection Strategies

Stolen credentials were implicated in 80% of breaches last year, which means organizations simply can’t afford to ignore AD security.

Securing it therefore requires a holistic approach. The complexity and interconnected nature of modern Active Directory environments demand a strategic response that combines technical controls, operational processes, and organizational awareness.

To effectively mitigate these risks, organizations should:

  1. Implement a least-privilege model across the AD environment, regularly reviewing and adjusting access rights.
  2. Enable multi-factor authentication.
  3. Minimize privileges for service-level accounts and require long, complex passwords—at least 25 characters—to make brute-force cracking more difficult.
  4. Establish robust identity governance processes, including automated monitoring of privileged access and configuration changes.
  5. Maintain an accurate inventory of AD assets and their relationships and treat this data as a critical security control.
  6. Deploy advanced detection capabilities focused on identity-based attacks and authentication anomalies. This may include monitoring, alerting, visualization and reactive capabilities to achieve observability and deep insights into the state of Active Directory use. 
  7. Conduct regular assessments of your AD security posture, including attack simulation exercises.
  8. Patch, patch and patch. Microsoft is aware of these vulnerabilities and regularly issues updates to resolve them, but these only work if they’re applied.
  9. Educate users to be cautious of phishing attempts and social engineering to protect their credentials.
  10. Implement core IAM capabilities across Identity Governance and Administration (IGA), Privileged Access Management (PAM) and Multi-Factor Authentication (MFA) to ensure you have both visibility and control over Active Directory.

Most importantly, organizations must recognize that AD security is not merely an IT issue but a fundamental business risk that requires executive-level attention and investment. As attack techniques evolve, maintaining the security of your AD environment is crucial to protecting your organization's operations, data, and reputation.

If you think you have been the subject of an attack, don’t delay in seeking help: contact our highly skilled DFIR team, who can offer immediate assistance as well as incident readiness support. For more information about NCC Group’s tailored Digital Identity solutions, and how our team of experts can help bolster your AD posture, contact us today.
