Active Directory Attacks
Basics Explained
Every large organization runs Active Directory. Every attacker knows it. Understanding how AD gets attacked is the first step to defending it — and yourself.
What Are Active Directory Attacks?
Active Directory (AD) is Microsoft’s centralized system that manages users, computers, passwords, and permissions across a corporate network. Think of it as the main keyring for every door in a building — one system controls who gets in, where they can go, and what they can do.
An Active Directory attack is any technique an attacker uses to exploit weaknesses in that system — to steal credentials, escalate privileges, move through a network, or ultimately take over the entire domain.
Why do attackers target Active Directory?
AD is everywhere. Over 90% of Fortune 1000 companies use Active Directory. If an attacker can compromise AD, they don’t just own one machine — they own the entire network: every server, every workstation, every user account.
Compromising Active Directory means achieving Domain Dominance — the highest level of privilege in a Windows environment. An attacker at this level can create accounts, reset passwords, read encrypted data, disable security tools, and maintain persistent access indefinitely.
How Attackers Think: The Attack Lifecycle
Attackers don’t just “hack in” at once. They follow a deliberate, multi-stage process. Understanding this lifecycle helps you see where defenses should go.
Each stage builds on the previous one. An attacker who only reaches Stage 2 is dangerous. An attacker who reaches Stage 5 owns your entire organization.
Attackers rarely make noise. Each step is slow and deliberate — sometimes taking days or weeks. This is called low-and-slow attack methodology, designed to stay under detection thresholds.
The Most Common Active Directory Attacks
Below are the six attacks you will hear about in every blue team briefing, red team report, and cybersecurity certification. Learn these and you understand the core of AD offense.
Kerberoasting
Kerberoasting is an attack against Kerberos — the authentication protocol Windows uses to verify identities. Every service in a domain (SQL Server, web server, backup agents) has a Service Principal Name (SPN). Any domain user can request a Kerberos service ticket for any SPN.
How it works
The ticket is encrypted with the service account’s password hash. The attacker requests the ticket, saves it locally, and cracks it offline at their own pace — no lockout risk, no alerts from the network.
Service accounts often have elevated privileges — sometimes Domain Admin. If the password is weak (which they often are, since humans rarely rotate service account passwords), the attacker gains a powerful account silently.
Why it’s so common
No special privileges needed to run it. Any low-level domain user can kick it off. Tools like Rubeus and Impacket automate it in seconds.
Pass-the-Hash (PtH)
In Windows, passwords are stored as NTLM hashes. Normally you need the plaintext password to log in. But Windows also accepts the hash directly to authenticate — a design flaw that’s been exploited for decades.
How it works
The attacker steals an NTLM hash (from memory, a SAM database, or network captures), then uses it to authenticate without ever knowing the real password. No cracking required.
If the same local admin password is set across multiple machines (a common setup), one stolen hash unlocks dozens of systems. This is how attackers move laterally through a network rapidly.
Key tool
Mimikatz is the most notorious tool used for this. It can extract hashes directly from Windows memory (LSASS process) with administrator access.
Microsoft’s Protected Users security group and Credential Guard make Pass-the-Hash significantly harder in modern environments. But millions of legacy systems remain vulnerable.
Pass-the-Ticket (PtT)
Similar to Pass-the-Hash, but instead of using a password hash, the attacker steals an actual Kerberos Ticket Granting Ticket (TGT) from a compromised machine’s memory.
How it works
Kerberos tickets are stored in memory and have a default 10-hour lifetime. An attacker who extracts a TGT can inject it into their own session and impersonate the victim user on the network.
Pass-the-Hash works against NTLM authentication. Pass-the-Ticket works against Kerberos authentication. Organizations disabling NTLM (good security practice) are still vulnerable to PtT.
The risk window
During the ticket’s 10-hour validity, the attacker has full impersonation capability. Even if the user changes their password, existing tickets remain valid until expiry.
Password Spraying
Traditional brute-force tries many passwords against one account and triggers lockout. Password spraying flips this: it tries one common password against many accounts. Since each account only gets one attempt, no lockout is triggered.
How it works
The attacker compiles a list of usernames (easy to enumerate from AD or LinkedIn), then tries Summer2024! or Welcome1 against all of them. Even a 1% success rate in a 500-user org means 5 compromised accounts.
Password policies often force users to use patterns: CompanyName1!, Season+Year+Symbol. Attackers know these patterns and build targeted wordlists. It’s not about technical complexity — it’s about human predictability.
Most common sprayed passwords
Password1, Welcome1, Summer2024!, CompanyName1, January2024, P@ssword1 — all meet standard complexity requirements but are trivially guessable.
Golden Ticket Attack
This is the endgame. A Golden Ticket gives an attacker persistent, unlimited access to any resource in the domain — even after all passwords are reset.
Kerberos issues tickets signed with the KRBTGT account’s hash — a special Domain Controller account. If an attacker obtains that hash, they can forge valid Kerberos tickets for any user, including Domain Admins that don’t exist.
How it works
With the KRBTGT hash (obtained after reaching domain controller), Mimikatz generates a “Golden Ticket” — a fully forged TGT accepted as legitimate by every system in the domain.
Even if you detect the breach and reset every user password in the domain, the Golden Ticket remains valid. The KRBTGT hash must be rotated twice to invalidate forged tickets — and many organizations don’t know how or when this happened.
Default ticket lifetime
Golden Tickets can be set with 10-year validity. An attacker who forged a ticket in 2022 might still be active in 2032 if the KRBTGT hash was never rotated.
LSASS Dumping
LSASS (Local Security Authority Subsystem Service) is a Windows process that handles authentication. It keeps credential material in memory — password hashes, Kerberos tickets, sometimes even plaintext credentials — for currently logged-in users.
How it works
With admin rights, an attacker dumps the LSASS process memory to a file, then extracts credentials offline using Mimikatz or similar tools. One dump can yield dozens of user credentials.
If a Domain Admin recently logged into a compromised machine, their credentials are in LSASS memory. One LSASS dump on the right machine can immediately yield domain admin credentials without any further exploitation.
Windows Defender flag
Modern Windows/EDR tools detect common LSASS dump techniques. Attackers continuously develop new evasion methods to dump memory without triggering alerts.
Real-World Attack Scenario
Let’s walk through how these attacks chain together in a real intrusion. This is how it actually happens — not movie hacking, but methodical exploitation.
-
1Phishing Email: An employee receives a convincing email with a malicious attachment. They open it. A reverse shell connects to the attacker’s server. The attacker now has a foothold — as a regular user.
-
2Enumeration: From the initial foothold, the attacker queries Active Directory for all users, groups, and computers. They discover 4 accounts with SPNs set — potential Kerberoasting targets.
-
3Kerberoasting: The attacker requests Kerberos tickets for all SPN accounts and saves them locally. Offline cracking with Hashcat recovers the password for the SQL service account in under 2 hours — it’s
Sqlserver2019!. -
4Privilege Escalation: The SQL service account is a local admin on the database server. The attacker logs in and dumps LSASS memory. Inside: a Domain Admin’s NTLM hash from a recent login session.
-
5Pass-the-Hash: Using the Domain Admin’s hash, the attacker authenticates to the Domain Controller — without ever knowing the password. They now have Domain Admin privileges.
-
6Golden Ticket: On the Domain Controller, the attacker dumps the KRBTGT hash and forges a Golden Ticket with 10-year validity. Even if the breach is detected and all passwords reset — the attacker retains persistent access.
Total time from phishing email to Domain Admin: under 6 hours. This is not theoretical — this is a documented attack pattern used in real incidents.
Why Active Directory Attacks Are Dangerous
Active Directory is often called the “keys to the kingdom” — because whoever controls AD controls everything.// Security industry consensus
The 2020 SolarWinds breach, the Colonial Pipeline attack, and dozens of major ransomware incidents all involved Active Directory compromise at their core. This is not a niche topic — it is the central battleground of enterprise security.
Basic Prevention: Beginner-Friendly Guide
You don’t need to be an expert to understand the defenses. These are the foundational controls that block or slow down every attack covered in this article.
-
Enforce strong, unique passwords + MFA
Defeats password spraying and significantly slows Kerberoasting offline cracking. MFA stops PtH in its tracks when properly configured. -
Apply least-privilege access
No one should be a Domain Admin unless absolutely necessary. Service accounts should have minimal permissions — not Domain Admin. Limits blast radius of any compromise. -
Enable Protected Users group and Credential Guard
Places high-privilege users in a protected group that prevents NTLM authentication and plaintext credential caching — neutering PtH and LSASS dumping. -
Rotate the KRBTGT account password regularly
Rotated twice, it invalidates all Golden Tickets. Many organizations never rotate it. This single action closes the most dangerous persistent access technique. -
Monitor for Kerberoasting indicators
Unusual bulk requests for TGS tickets — especially from non-admin accounts — are a red flag. SIEM tools can alert on Event ID 4769 with RC4 encryption. -
Segment the network and tier your admin accounts
Admin accounts used on workstations should never be the same accounts used on Domain Controllers. Tiered administration prevents hash reuse across the network.
Review all service accounts in your AD. How many have Domain Admin rights? How old are their passwords? Cleaning this up alone eliminates the most common Kerberoasting attack path in most environments.