Active Directory Attacks Basics: How Hackers Exploit AD (Beginner Guide)

Learn the fundamentals of Active Directory attacks and how hackers exploit AD environments. This beginner-friendly guide explains attack paths, credential theft, lateral movement, and techniques like Kerberoasting, Pass-the-Hash, and Golden Ticket attacks.

Active Directory Attacks Explained – IlmBytesTech
Cybersecurity · Active Directory

Active Directory Attacks
Basics Explained

IlmBytesTech Beginner to Intermediate 10 min read CYB-222 Series

Every large organization runs Active Directory. Every attacker knows it. Understanding how AD gets attacked is the first step to defending it — and yourself.

Atif Memon
// Written by
Atif Memon
Cybersecurity Analyst & Tech Writer

Writing about Linux, networking, and security. I share tutorials and lab walkthroughs that explain why each step matters, not just what to type.

ilmbytestech.com x.com/ilmbytestech threads.net/ilmbytestech gravatar.com/atifmem
// 01

What Are Active Directory Attacks?

Active Directory (AD) is Microsoft’s centralized system that manages users, computers, passwords, and permissions across a corporate network. Think of it as the main keyring for every door in a building — one system controls who gets in, where they can go, and what they can do.

An Active Directory attack is any technique an attacker uses to exploit weaknesses in that system — to steal credentials, escalate privileges, move through a network, or ultimately take over the entire domain.

Why do attackers target Active Directory?

AD is everywhere. Over 90% of Fortune 1000 companies use Active Directory. If an attacker can compromise AD, they don’t just own one machine — they own the entire network: every server, every workstation, every user account.

⚠ Maximum Risk

Compromising Active Directory means achieving Domain Dominance — the highest level of privilege in a Windows environment. An attacker at this level can create accounts, reset passwords, read encrypted data, disable security tools, and maintain persistent access indefinitely.

// 02

How Attackers Think: The Attack Lifecycle

Attackers don’t just “hack in” at once. They follow a deliberate, multi-stage process. Understanding this lifecycle helps you see where defenses should go.

Each stage builds on the previous one. An attacker who only reaches Stage 2 is dangerous. An attacker who reaches Stage 5 owns your entire organization.

💡 Key Insight

Attackers rarely make noise. Each step is slow and deliberate — sometimes taking days or weeks. This is called low-and-slow attack methodology, designed to stay under detection thresholds.

// 03

The Most Common Active Directory Attacks

Below are the six attacks you will hear about in every blue team briefing, red team report, and cybersecurity certification. Learn these and you understand the core of AD offense.

// 04

Kerberoasting

What is it?
Target: Service Accounts

Kerberoasting is an attack against Kerberos — the authentication protocol Windows uses to verify identities. Every service in a domain (SQL Server, web server, backup agents) has a Service Principal Name (SPN). Any domain user can request a Kerberos service ticket for any SPN.

How it works

The ticket is encrypted with the service account’s password hash. The attacker requests the ticket, saves it locally, and cracks it offline at their own pace — no lockout risk, no alerts from the network.

hashcat -m 13100 ticket.hash wordlist.txt
Real-World Impact
High Risk

Service accounts often have elevated privileges — sometimes Domain Admin. If the password is weak (which they often are, since humans rarely rotate service account passwords), the attacker gains a powerful account silently.

Why it’s so common

No special privileges needed to run it. Any low-level domain user can kick it off. Tools like Rubeus and Impacket automate it in seconds.

GetUserSPNs.py domain/user -request
// 05

Pass-the-Hash (PtH)

What is it?
Target: NTLM Auth

In Windows, passwords are stored as NTLM hashes. Normally you need the plaintext password to log in. But Windows also accepts the hash directly to authenticate — a design flaw that’s been exploited for decades.

How it works

The attacker steals an NTLM hash (from memory, a SAM database, or network captures), then uses it to authenticate without ever knowing the real password. No cracking required.

pth-winexe //192.168.1.10 -U user%hash cmd
Why It’s Dangerous
Lateral Movement

If the same local admin password is set across multiple machines (a common setup), one stolen hash unlocks dozens of systems. This is how attackers move laterally through a network rapidly.

Key tool

Mimikatz is the most notorious tool used for this. It can extract hashes directly from Windows memory (LSASS process) with administrator access.

mimikatz # sekurlsa::logonpasswords
🛡 Defense Note

Microsoft’s Protected Users security group and Credential Guard make Pass-the-Hash significantly harder in modern environments. But millions of legacy systems remain vulnerable.

// 06

Pass-the-Ticket (PtT)

What is it?
Target: Kerberos

Similar to Pass-the-Hash, but instead of using a password hash, the attacker steals an actual Kerberos Ticket Granting Ticket (TGT) from a compromised machine’s memory.

How it works

Kerberos tickets are stored in memory and have a default 10-hour lifetime. An attacker who extracts a TGT can inject it into their own session and impersonate the victim user on the network.

Rubeus.exe ptt /ticket:base64ticket
PtH vs PtT
Key Difference

Pass-the-Hash works against NTLM authentication. Pass-the-Ticket works against Kerberos authentication. Organizations disabling NTLM (good security practice) are still vulnerable to PtT.

The risk window

During the ticket’s 10-hour validity, the attacker has full impersonation capability. Even if the user changes their password, existing tickets remain valid until expiry.

klist — view cached Kerberos tickets
// 07

Password Spraying

What is it?
Target: All Users

Traditional brute-force tries many passwords against one account and triggers lockout. Password spraying flips this: it tries one common password against many accounts. Since each account only gets one attempt, no lockout is triggered.

How it works

The attacker compiles a list of usernames (easy to enumerate from AD or LinkedIn), then tries Summer2024! or Welcome1 against all of them. Even a 1% success rate in a 500-user org means 5 compromised accounts.

Spray-AD -Userlist users.txt -Password Summer2024!
Why It Works
Human Factor

Password policies often force users to use patterns: CompanyName1!, Season+Year+Symbol. Attackers know these patterns and build targeted wordlists. It’s not about technical complexity — it’s about human predictability.

Most common sprayed passwords

Password1, Welcome1, Summer2024!, CompanyName1, January2024, P@ssword1 — all meet standard complexity requirements but are trivially guessable.

rockyou.txt → 14 million real passwords
// 08

Golden Ticket Attack

⚠ Most Dangerous Attack

This is the endgame. A Golden Ticket gives an attacker persistent, unlimited access to any resource in the domain — even after all passwords are reset.

What is it?
Target: KRBTGT Account

Kerberos issues tickets signed with the KRBTGT account’s hash — a special Domain Controller account. If an attacker obtains that hash, they can forge valid Kerberos tickets for any user, including Domain Admins that don’t exist.

How it works

With the KRBTGT hash (obtained after reaching domain controller), Mimikatz generates a “Golden Ticket” — a fully forged TGT accepted as legitimate by every system in the domain.

mimikatz # kerberos::golden /user:admin /domain:corp.local /sid:S-1-5… /krbtgt:hash
Why It’s Persistent
Nearly Impossible to Remove

Even if you detect the breach and reset every user password in the domain, the Golden Ticket remains valid. The KRBTGT hash must be rotated twice to invalidate forged tickets — and many organizations don’t know how or when this happened.

Default ticket lifetime

Golden Tickets can be set with 10-year validity. An attacker who forged a ticket in 2022 might still be active in 2032 if the KRBTGT hash was never rotated.

Default forged ticket: 10 years validity
// 09

LSASS Dumping

What is it?
Target: Memory

LSASS (Local Security Authority Subsystem Service) is a Windows process that handles authentication. It keeps credential material in memory — password hashes, Kerberos tickets, sometimes even plaintext credentials — for currently logged-in users.

How it works

With admin rights, an attacker dumps the LSASS process memory to a file, then extracts credentials offline using Mimikatz or similar tools. One dump can yield dozens of user credentials.

procdump.exe -ma lsass.exe lsass.dmp
Why It’s a Goldmine
Credential Cache

If a Domain Admin recently logged into a compromised machine, their credentials are in LSASS memory. One LSASS dump on the right machine can immediately yield domain admin credentials without any further exploitation.

Windows Defender flag

Modern Windows/EDR tools detect common LSASS dump techniques. Attackers continuously develop new evasion methods to dump memory without triggering alerts.

Credential Guard blocks plaintext extraction
// 10

Real-World Attack Scenario

Let’s walk through how these attacks chain together in a real intrusion. This is how it actually happens — not movie hacking, but methodical exploitation.

// Scenario: Corporate Network Takeover
  • 1
    Phishing Email: An employee receives a convincing email with a malicious attachment. They open it. A reverse shell connects to the attacker’s server. The attacker now has a foothold — as a regular user.
  • 2
    Enumeration: From the initial foothold, the attacker queries Active Directory for all users, groups, and computers. They discover 4 accounts with SPNs set — potential Kerberoasting targets.
  • 3
    Kerberoasting: The attacker requests Kerberos tickets for all SPN accounts and saves them locally. Offline cracking with Hashcat recovers the password for the SQL service account in under 2 hours — it’s Sqlserver2019!.
  • 4
    Privilege Escalation: The SQL service account is a local admin on the database server. The attacker logs in and dumps LSASS memory. Inside: a Domain Admin’s NTLM hash from a recent login session.
  • 5
    Pass-the-Hash: Using the Domain Admin’s hash, the attacker authenticates to the Domain Controller — without ever knowing the password. They now have Domain Admin privileges.
  • 6
    Golden Ticket: On the Domain Controller, the attacker dumps the KRBTGT hash and forges a Golden Ticket with 10-year validity. Even if the breach is detected and all passwords reset — the attacker retains persistent access.

Total time from phishing email to Domain Admin: under 6 hours. This is not theoretical — this is a documented attack pattern used in real incidents.

// 11

Why Active Directory Attacks Are Dangerous

🔑
Full Network Control
Every server, workstation, and service account is reachable. The attacker controls your entire infrastructure.
📁
Total Data Theft
Domain admin access means unrestricted access to file shares, databases, emails, and encrypted drives.
👻
Ghost Persistence
Golden Tickets and backdoor accounts can survive password resets, giving attackers long-term, silent access.
Active Directory is often called the “keys to the kingdom” — because whoever controls AD controls everything.
// Security industry consensus

The 2020 SolarWinds breach, the Colonial Pipeline attack, and dozens of major ransomware incidents all involved Active Directory compromise at their core. This is not a niche topic — it is the central battleground of enterprise security.

// 12

Basic Prevention: Beginner-Friendly Guide

You don’t need to be an expert to understand the defenses. These are the foundational controls that block or slow down every attack covered in this article.

  • Enforce strong, unique passwords + MFA
    Defeats password spraying and significantly slows Kerberoasting offline cracking. MFA stops PtH in its tracks when properly configured.
  • Apply least-privilege access
    No one should be a Domain Admin unless absolutely necessary. Service accounts should have minimal permissions — not Domain Admin. Limits blast radius of any compromise.
  • Enable Protected Users group and Credential Guard
    Places high-privilege users in a protected group that prevents NTLM authentication and plaintext credential caching — neutering PtH and LSASS dumping.
  • Rotate the KRBTGT account password regularly
    Rotated twice, it invalidates all Golden Tickets. Many organizations never rotate it. This single action closes the most dangerous persistent access technique.
  • Monitor for Kerberoasting indicators
    Unusual bulk requests for TGS tickets — especially from non-admin accounts — are a red flag. SIEM tools can alert on Event ID 4769 with RC4 encryption.
  • Segment the network and tier your admin accounts
    Admin accounts used on workstations should never be the same accounts used on Domain Controllers. Tiered administration prevents hash reuse across the network.
✅ Quick Win

Review all service accounts in your AD. How many have Domain Admin rights? How old are their passwords? Cleaning this up alone eliminates the most common Kerberoasting attack path in most environments.

Atif Memon
// About the Author
Atif Memon
Cybersecurity Analyst & Linux Systems Administrator

I run IlmBytesTech, a blog covering cybersecurity and Linux. If this article helped you, explore more on the site or connect on socials.

ilmbytestech.com x.com/ilmbytestech threads.net/ilmbytestech gravatar.com/atifmem
active directory kerberoasting pass-the-hash golden ticket cybersecurity basics linux+ cyb-222
IlmBytesTech · ilmbytestech.com

Leave a Reply

Your email address will not be published. Required fields are marked *