Active Directory (AD) is still the identity backbone of most enterprises, and almost every serious intrusion ends up going through it. The protocols it relies on — Kerberos, NTLM, LDAP — were designed in an era when "inside the network" meant "trusted", and attackers have spent twenty years building polished tooling (Rubeus, Mimikatz, Impacket, BloodHound) to abuse that assumption. Understanding the most common AD attack paths, and the handful of controls that genuinely disrupt them, is one of the highest-impact things a Windows-focused security team can do.
The protocols attackers care about
A few primitives appear in almost every AD attack.
- Kerberos tickets – TGTs (Ticket Granting Tickets) prove who you are; TGSs (Service Tickets) prove which services you may access. Both are encrypted with keys derived from passwords or service account hashes.
- NTLM authentication – A challenge-response scheme still enabled in most environments for legacy compatibility. Its hashes can be relayed and cracked.
- LDAP – Used to query AD objects. Most environments allow any authenticated user to read huge amounts of information about users, groups, computers, GPOs, and ACLs.
- Group Policy and SYSVOL – Centralised configuration; mistakes here (GPP passwords, weak ACLs) often hand over the domain.
BloodHound's success comes from turning these readable LDAP relationships into a graph of "who can ultimately become Domain Admin", which is exactly how attackers think.
Common attack paths
Most real-world AD compromises chain a few of these together.
- Kerberoasting – Any authenticated user can request a TGS for any service account with a Service Principal Name (SPN). The ticket is encrypted with the service account's password hash; the attacker takes it offline and cracks weak passwords. Service accounts with Domain Admins rights and a 10-character password are an instant win.
- AS-REP roasting – Accounts with "Do not require Kerberos pre-authentication" set will return an AS-REP encrypted with the user's password hash to any anonymous requester. Offline cracking gives the password.
- NTLM relay and coercion – Tools like PetitPotam, PrinterBug, or DFSCoerce force a target server to authenticate to an attacker-controlled host. The relayed NTLM auth can then be sent to LDAP, AD CS, or SMB to escalate (e.g. ESC8 against vulnerable certificate templates).
- DCSync – With the "Replicating Directory Changes" permission (held by Domain Admins and sometimes accidentally delegated), an attacker can ask a DC to replicate password hashes — including KRBTGT and the admin accounts — and synthesise tickets from there.
- Golden and Silver tickets – With the KRBTGT hash, an attacker forges valid TGTs ("Golden Tickets") for any user, any group membership, for up to 10 years. Silver Tickets do the same for individual service accounts using their NTLM hashes.
- Constrained and unconstrained delegation abuse – Misconfigured delegation lets a compromised host impersonate other users to specific or arbitrary services, often leading directly to DA.
- AD CS abuse (ESC1–ESC11) – Vulnerable certificate templates allow attackers to enrol certificates as arbitrary users, including domain controllers, effectively becoming them.
The pattern is the same: low-privileged foothold → enumerate with BloodHound → find a misconfiguration or weak credential → escalate to Domain Admin.
Tiering: the single highest-impact control
Microsoft's Enterprise Access Model (and the older "tier model") is the foundational defence. The idea is simple: never expose high-privilege credentials to lower-trust systems.
- Tier 0 – Identity assets: domain controllers, AD CS, ADFS, Entra Connect, PAM tooling, backup of any of these. Only Tier 0 admins log in here, only from Tier 0 workstations.
- Tier 1 – Servers and business applications. Tier 1 admins manage them, never Tier 0 accounts.
- Tier 2 – End-user workstations and helpdesk.
The rule is one-way: high tiers can administer low ones, low tiers can never authenticate up. The moment a Domain Admin logs into a normal workstation to "quickly fix something", that workstation is now Tier 0 and any local compromise gives away the kingdom. Enforcing tiering with separate accounts, Privileged Access Workstations (PAWs), and authentication silos / Protected Users group breaks the most common escalation paths cold.
Hardening that actually moves the needle
Beyond tiering, a focused checklist disrupts the techniques above.
- Strong, unique passwords for service accounts – At least 25 characters; better still, use Group Managed Service Accounts (gMSAs) so the password is machine-managed and 240 characters long. This alone neutralises most Kerberoasting.
- Disable Kerberos pre-auth exceptions – Audit and remove "Do not require pre-authentication" from user accounts.
- LAPS / Windows LAPS – Unique, rotated local administrator passwords on every workstation and server. Stops lateral movement via reused local admin hashes (Pass-the-Hash).
- Disable NTLM where possible – Or at least require SMB signing, LDAP signing, and channel binding (EPA) on DCs, AD CS, and Exchange. Audit and remove vulnerable certificate templates (ESC1, ESC4, ESC8).
- Protect KRBTGT – Rotate the KRBTGT password twice on a regular schedule (and after any suspected compromise). Doing it twice invalidates all existing Golden Tickets.
- Constrain delegation – Replace unconstrained delegation with resource-based constrained delegation; review delegation settings regularly.
- Tier 0 isolation – Block internet access from DCs, restrict who can log in interactively, and apply the Protected Users group to all admins.
- Tooling discipline – Use tools like PingCastle, Purple Knight, or BloodHound (defensively) to find paths to DA before attackers do.
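As an added illustration (not code from the original article), a small audit that applies three of the checks above to an exported set of AD account attributes: pre-auth exceptions, unconstrained delegation on non-DCs, and SPN-bearing user accounts, with protected-group membership (adminCount=1) marking the "instant win" case. The account records are constructed sample data; the userAccountControl bit values are the standard Windows flags.

```python
"""Audit exported AD account attributes for the misconfigurations discussed
above. The records below are constructed sample data, not a real export;
the userAccountControl bit values are the standard ADS_UF_* flags."""

# userAccountControl flags (standard values)
UF_SERVER_TRUST_ACCOUNT = 0x2000       # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
UF_DONT_REQ_PREAUTH = 0x400000         # "Do not require Kerberos pre-authentication"
GMSA_CLASS = "msDS-GroupManagedServiceAccount"

# Constructed sample export: sAMAccountName, UAC, SPNs, adminCount, objectClass
ACCOUNTS = [
    {"sam": "alice", "uac": 0x200, "spn": [], "adminCount": 0, "objectClass": "user"},
    {"sam": "bob", "uac": 0x200 | UF_DONT_REQ_PREAUTH, "spn": [], "adminCount": 0, "objectClass": "user"},
    {"sam": "svc_sql", "uac": 0x200, "spn": ["MSSQLSvc/sql01.corp.local:1433"], "adminCount": 1, "objectClass": "user"},
    {"sam": "gmsa_web$", "uac": 0x1000, "spn": ["HTTP/web01.corp.local"], "adminCount": 0, "objectClass": GMSA_CLASS},
    {"sam": "APP01$", "uac": 0x1000 | UF_TRUSTED_FOR_DELEGATION, "spn": ["HOST/app01.corp.local"], "adminCount": 0, "objectClass": "computer"},
    {"sam": "DC01$", "uac": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, "spn": ["HOST/dc01.corp.local"], "adminCount": 0, "objectClass": "computer"},
]

def audit(accounts):
    """Return (sAMAccountName, finding) pairs for each risky account."""
    findings = []
    for a in accounts:
        uac = a["uac"]
        # AS-REP roasting: anyone can obtain material encrypted with this user's key
        if uac & UF_DONT_REQ_PREAUTH:
            findings.append((a["sam"], "asrep_roastable"))
        # DCs legitimately carry TRUSTED_FOR_DELEGATION; anything else should not
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            findings.append((a["sam"], "unconstrained_delegation"))
        # SPN on a plain user object means a human-chosen password protects the TGS;
        # gMSAs (machine-managed passwords) are excluded by objectClass
        if a["spn"] and a["objectClass"] == "user":
            severity = "kerberoastable_privileged" if a["adminCount"] == 1 else "kerberoastable"
            findings.append((a["sam"], severity))
    return findings

if __name__ == "__main__":
    for sam, finding in audit(ACCOUNTS):
        print(f"{sam:12} {finding}")
```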
Detection: what to log and what to alert on
AD attacks leave traces if you collect the right logs. Ship security event logs from all DCs, all member servers, and ideally workstations into a SIEM, with retention measured in months.
- Kerberoasting – Event 4769 (Kerberos service ticket request) with unusual encryption type (RC4 / 0x17) for an account that almost never logs in, or in bulk from a single user.
- AS-REP roasting – Event 4768 with pre-auth not required, especially in bursts.
- DCSync – Event 4662 with the GUIDs for "Replicating Directory Changes" / "All" from a non-DC, non-replication account.
- Golden / forged tickets – Tickets with anomalous lifetimes, missing PAC fields, or referencing accounts that no longer exist. Microsoft Defender for Identity (MDI) and similar UEBA tools catch many of these patterns automatically.
- NTLM relay / coercion – Spikes in NTLM authentications targeting AD CS or LDAP, or authentications from machine accounts to systems they should never touch.
- Suspicious group changes – Adds to Domain Admins, Enterprise Admins, Schema Admins, Cert Publishers, or any group with AdminCount=1.
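As an added example (not code from the original article), toy SIEM rules for three of the detections above, run over a constructed batch of 4769, 4768 and 4662 records. The bulk-SPN threshold and the list of DC computer accounts are assumptions; the two replication rights GUIDs are the standard values for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```python
"""Toy detection rules for Kerberoasting, AS-REP roasting and DCSync, run over
constructed Windows Security events (not real telemetry). Field names follow
the event XML data names (TicketEncryptionType, PreAuthType, Properties)."""
from collections import defaultdict

RC4_HMAC = "0x17"     # TicketEncryptionType for RC4, the roasting favourite
NO_PREAUTH = "0"      # PreAuthType 0 = logon without pre-authentication
DCSYNC_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # Replicating Directory Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # Replicating Directory Changes All
)
BULK_SPNS = 3         # assumed threshold: distinct SPNs requested per user per batch

def ev4769(user, spn, etype):
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": spn, "TicketEncryptionType": etype}

EVENTS = [  # constructed sample batch
    ev4769("alice@CORP.LOCAL", "sql01$", "0x12"),            # AES256, normal traffic
    ev4769("mallory@CORP.LOCAL", "svc_sql", RC4_HMAC),
    ev4769("mallory@CORP.LOCAL", "svc_backup", RC4_HMAC),
    ev4769("mallory@CORP.LOCAL", "svc_iis", RC4_HMAC),
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": NO_PREAUTH},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "mallory",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
]

def detect(events, dc_accounts=frozenset({"dc01$", "dc02$"})):
    """Return sorted (rule, account) alerts for one batch of events."""
    alerts = set()
    rc4_spns = defaultdict(set)
    for e in events:
        eid = e["EventID"]
        if eid == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            rc4_spns[e["TargetUserName"]].add(e["ServiceName"])
        elif eid == 4768 and e["PreAuthType"] == NO_PREAUTH:
            alerts.add(("asrep_roast", e["TargetUserName"]))
        elif eid == 4662:
            props, subject = e["Properties"].lower(), e["SubjectUserName"].lower()
            # Replication rights exercised by anything other than a DC account
            if any(g in props for g in DCSYNC_GUIDS) and subject not in dc_accounts:
                alerts.add(("dcsync", e["SubjectUserName"]))
    for user, spns in rc4_spns.items():       # many RC4 TGS requests from one principal
        if len(spns) >= BULK_SPNS:
            alerts.add(("kerberoast_bulk", user))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, account in detect(EVENTS):
        print(f"{rule:16} {account}")
```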
Pair detections with a clear playbook: rotate KRBTGT, force resets of affected service accounts, revoke certificates, and review tier boundaries. AD compromise is rarely subtle once you know what to look for — the work is in collecting the logs and writing the rules before you need them.