
What Is Active Directory Security? Attacks and Defenses

Active Directory security is the set of controls, monitoring, and architecture choices that protect the AD directory service from credential theft, privilege escalation, and takeover of the accounts that govern a Windows domain.

Compromise one domain controller and you own every account, every machine, and every file share it authenticates. That is why almost every hands-on-keyboard intrusion ends up in Active Directory, and why securing it is less about a single setting than about denying an attacker the chain of small wins that leads from one phished laptop to Domain Admin.

Active Directory (AD) runs authentication and authorization for most enterprise Windows estates. It decides who you are and what you can touch. An attacker who lands on any domain-joined host is already inside the trust boundary AD enforces, and from there the goal is almost always the same: harvest credentials, escalate, and reach the accounts that control the directory itself. The defenses that matter are the ones that make each step in that progression noisy, slow, or impossible.

This guide covers why AD is the prime target, the attack paths blue teams see most often, the hardening controls that break them, and how the two map against each other. It is written for SOC analysts, threat hunters, and DFIR responders who have to spot the attack mid-progression and stop it before it reaches Tier 0.

What is Active Directory security?

Active Directory security is the set of controls, monitoring, and architecture choices that protect the AD directory service from credential theft, privilege escalation, and the takeover of the accounts and systems that govern the domain. It spans the configuration of the directory itself, the protocols it authenticates with (Kerberos and NTLM), the admin model that grants access to it, and the telemetry that catches abuse.

AD is a high-value target for a structural reason: it is the single source of truth for identity across the estate. A Windows domain controller (DC) holds the password hashes for every account in NTDS.dit, brokers every Kerberos ticket, and enforces Group Policy on every joined machine. Control the DC and you control authentication itself. Even short of full DC compromise, AD hands an attacker a map of the entire organization: every user, group, computer, trust relationship, and service account, queryable over LDAP by any authenticated user.

That last point is the core of the problem. AD was designed for usability inside a trusted network: any domain user can enumerate most of the directory by default. An attacker who steals one set of low-privilege credentials does not start blind. They start with a full org chart and a list of every privileged account to hunt for. Securing AD means accepting that the attacker will get a foothold and that monitoring and hardening turn that foothold into a dead end rather than a launchpad.

Why attackers target Active Directory

[Figure: Active Directory attack path. One foothold to Domain Admin. Privilege escalation through AD is a sequence; each step is a chance to detect and break it.]
  01 Foothold: standard user. Phishing, an exposed service, or stolen credentials land the attacker on one domain-joined host.
  02 Discovery: LDAP enumeration. Map privileged groups, service accounts, and trusts; BloodHound finds the shortest path.
  03 Credential access: harvest hashes. Kerberoast SPNs, dump host memory, or abuse Kerberos for hashes and tickets.
  04 Lateral movement: Pass-the-Hash. Replay stolen credentials host to host until reaching one a privileged account has touched.
  05 Domain dominance: DCSync + Golden Ticket (MITRE T1003.006). Reach a Domain Admin or the DC, dump KRBTGT, and forge persistence that survives a reset.
  Defender: break the sequence. Tiering, least privilege, LAPS, and disabled legacy protocols turn each step into a dead end. Monitoring catches the steps that still get through before they reach Tier 0.

The objective behind most AD attacks is privilege: get from a normal user to an account that administers the domain, because that account can read every secret, push code to every endpoint, and disable the controls meant to stop it.

The path there is rarely a single exploit. It is a sequence:

  • Initial foothold. A phishing payload, an exposed service, or stolen credentials put the attacker on one domain-joined host as a standard user.
  • Discovery. They query AD over LDAP to map privileged groups, service accounts, and trust relationships. Tools like BloodHound turn that data into the shortest path to Domain Admin.
  • Credential access. They harvest hashes, tickets, or cleartext passwords from the host's memory, the local SAM, or by abusing Kerberos.
  • Lateral movement. They reuse stolen credentials to authenticate to the next host, repeating until they land on a host that a privileged account has touched.
  • Domain dominance. They reach a Domain Admin or the DC itself, then establish persistence that survives a password reset.

Each step is an opportunity to detect and break the sequence. The attacks below map onto those steps, and the defenses that follow are placed to interrupt them.

Common Active Directory attack paths

The techniques an attacker uses against AD are well-catalogued. Most abuse the way Kerberos and NTLM were designed rather than a patchable bug, which is why hardening and monitoring matter more than any single update. The IDs below are MITRE ATT&CK technique identifiers, verified current.

Kerberoasting (T1558.003). Any authenticated user can request a Kerberos service ticket (TGS) for any account that has a Service Principal Name (SPN). Part of that ticket is encrypted with the service account's password hash. The attacker requests tickets for service accounts, extracts them, and cracks them offline at their own pace. Service accounts often have weak, non-expiring passwords and high privilege, which makes them the prize. Kerberoasting needs no elevated rights to start, only a valid domain account.

AS-REP Roasting (T1558.004). A variant that targets accounts with Kerberos pre-authentication disabled. For those accounts, an attacker can request an authentication response (AS-REP) without proving who they are, then crack the encrypted portion offline. It is Kerberoasting without even needing valid credentials for the target, only the knowledge that pre-auth is off.

Golden Ticket (T1558.001) and Silver Ticket (T1558.002). Once an attacker has the password hash of the KRBTGT account (the account that signs all Kerberos tickets), they can forge a Golden Ticket: a Ticket-Granting Ticket for any user, any group, valid for as long as they choose. It is total, durable domain control that survives user password resets. A Silver Ticket is narrower: a forged service ticket built from a single service account's hash, granting access to that one service without ever talking to the DC.

DCSync (T1003.006). An attacker with rights to replicate directory data (normally only DCs have these) abuses the directory replication protocol to ask a DC to hand over password hashes, including KRBTGT, without ever logging into the DC or touching NTDS.dit on disk. It is the clean way to dump the entire domain's credentials, and it is a common precursor to a Golden Ticket.

Pass-the-Hash (T1550.002). NTLM authentication proves identity with a password hash, not the password itself. An attacker who steals an NTLM hash from a host's memory can authenticate as that user without ever cracking it, by passing the hash directly. This is the engine of lateral movement across a Windows estate: steal a hash here, replay it there.

NTLM relay. Rather than crack or pass a hash, the attacker positions themselves in the middle of an NTLM authentication and relays it to another system, authenticating as the victim in real time. Coercion techniques that force a machine to authenticate to attacker-controlled infrastructure feed this. NTLM's lack of mutual authentication is the underlying weakness, which is why moving off NTLM toward Kerberos closes the door.

The reason these matter to a defender: most of them produce telemetry. A burst of TGS requests, a logon with a hash from an unexpected host, a replication request from a non-DC account: all are detectable events if you are collecting the right logs.
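As an added example (not from the original article), the roasting-burst detection this paragraph alludes to, run over a handful of constructed 4769 records: per requesting user it counts the distinct user-owned service accounts ticketed inside a sliding window and any RC4 (0x17) tickets, and it ignores computer-account targets, whose random machine passwords are not worth cracking. The field names, thresholds, and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # 4769 TicketEncryptionType for RC4-HMAC; 0x12 is AES256

# Constructed 4769 records; field names are assumptions standing in for the
# Security log's TargetUserName, ServiceName, TicketEncryptionType and Status.
SAMPLE_4769 = [
    # jdoe tickets six different user service accounts in under two minutes, two of them RC4
    {"time": "2024-05-01T09:00:01", "user": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:00:03", "user": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:04", "user": "jdoe@CORP.LOCAL", "service": "svc_report", "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:00:06", "user": "jdoe@CORP.LOCAL", "service": "svc_ldapsync", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:01:10", "user": "jdoe@CORP.LOCAL", "service": "svc_exchange", "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:01:40", "user": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x12", "status": "0x0"},
    # a computer-account target and a failed request: neither yields a crackable ticket
    {"time": "2024-05-01T09:01:45", "user": "jdoe@CORP.LOCAL", "service": "FS01$", "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:02:00", "user": "jdoe@CORP.LOCAL", "service": "svc_old", "etype": "0x12", "status": "0xe"},
    # asmith does ordinary work: one file server, one web app
    {"time": "2024-05-01T09:00:30", "user": "asmith@CORP.LOCAL", "service": "FS01$", "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:00:35", "user": "asmith@CORP.LOCAL", "service": "svc_web", "etype": "0x12", "status": "0x0"},
    # a workstation's own account tickets services constantly; that is not roasting
    {"time": "2024-05-01T09:00:00", "user": "WS01$@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "status": "0x0"},
]


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=5):
    """Map requester -> {"peak_distinct_services", "rc4_tickets"} for human accounts that
    ticketed >= min_services distinct user service accounts inside `window`, or got any RC4 ticket."""
    per_user = defaultdict(list)
    for e in events:
        requester = e["user"].split("@")[0].lower()
        target = e["service"].lower()
        if e["status"] != "0x0":
            continue  # no ticket was issued, so nothing can be taken offline
        if requester.endswith("$") or requester == "krbtgt":
            continue  # machine accounts legitimately ticket many services
        if target.endswith("$") or target == "krbtgt":
            continue  # computer accounts have long random passwords; roasting goes after human-set SPN passwords
        per_user[requester].append((datetime.fromisoformat(e["time"]), target, e["etype"]))

    findings = {}
    for requester, reqs in per_user.items():
        reqs.sort()
        peak = 0
        for i, (start, _, _) in enumerate(reqs):  # sliding window anchored at each request
            peak = max(peak, len({svc for t, svc, _ in reqs[i:] if t - start <= window}))
        rc4 = sum(1 for _, _, etype in reqs if etype == RC4_HMAC)
        if peak >= min_services or rc4:
            findings[requester] = {"peak_distinct_services": peak, "rc4_tickets": rc4}
    return findings


if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_4769))  # {'jdoe': {'peak_distinct_services': 6, 'rc4_tickets': 2}}
```

Tune the window and threshold to the environment's baseline; a service desk tool or vulnerability scanner running as a user account will look exactly like this and belongs on an allowlist rather than in an alert.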

Active Directory attacks and defenses

The defenses below are not one-to-one patches. Each control raises the cost of one or more attacks, and a hardened AD stacks them so an attacker who clears one still trips another.

| Attack (MITRE ATT&CK ID) | What it abuses | Primary defenses |
| --- | --- | --- |
| Kerberoasting (T1558.003) | TGS tickets encrypted with service-account hashes | Group Managed Service Accounts (gMSA) with long random passwords; AES encryption; monitor for abnormal TGS request volume (Event 4769) |
| AS-REP Roasting (T1558.004) | Accounts with Kerberos pre-auth disabled | Require pre-authentication on all accounts; strong passwords; alert on pre-auth-disabled accounts |
| Golden Ticket (T1558.001) | Forged TGT signed with the KRBTGT hash | Rotate KRBTGT twice; protect Tier 0; detect tickets with anomalous lifetimes |
| Silver Ticket (T1558.002) | Forged service ticket from a service-account hash | gMSA; AES; monitor service logons that skip the DC |
| DCSync (T1003.006) | Directory replication rights abused to pull hashes | Restrict replication rights to DCs only; alert on replication from non-DC accounts (Event 4662) |
| Pass-the-Hash (T1550.002) | NTLM hash reused without the password | Tiered admin model; LAPS for local admin; deny privileged accounts from logging into lower-tier hosts |
| NTLM relay | NTLM lacking mutual authentication | Disable NTLM where possible; SMB and LDAP signing; Extended Protection for Authentication |

How to harden Active Directory

The controls that actually move the needle fall into a handful of categories. None is a product you buy once. Each is a discipline you maintain.

Tier the administration model. The single most effective architectural control is to stop privileged accounts from exposing their credentials on machines an attacker can reach. Microsoft's tiered model splits assets into Tier 0 (the DCs, the AD database, and anything that controls identity), Tier 1 (servers and applications), and Tier 2 (workstations). The hard rule: a Tier 0 account never logs into a Tier 1 or Tier 2 machine, because a single Pass-the-Hash from a compromised workstation should never reach a Domain Admin. Microsoft's current guidance frames this inside the broader Enterprise Access Model, which extends the same containment logic to cloud and hybrid identity, but the Tier 0 boundary remains the heart of it. Pair it with Privileged Access Workstations (PAWs): dedicated, hardened machines used only for administering Tier 0, never for email or browsing.

Enforce least privilege. Most domains accumulate privilege like sediment. Audit the membership of Domain Admins, Enterprise Admins, and every group with rights over Tier 0, and cut it to the few accounts that genuinely need it. Service accounts are the worst offenders: they collect Domain Admin rights "to make it work" and then sit with a weak password for years. Move them to Group Managed Service Accounts, which carry long (240-byte) machine-managed passwords that AD rotates automatically and that no human ever knows.

Manage local admin passwords with LAPS. A shared local administrator password across every workstation is a free Pass-the-Hash highway: steal it once, own them all. Windows LAPS (built into Windows and current Windows Server, the replacement for the deprecated standalone Microsoft LAPS) sets a unique, random local admin password on each machine and rotates it, storing it in AD or Entra ID. It does not stop the initial theft, but it stops one stolen hash from unlocking the rest of the estate.

Disable legacy protocols. NTLM, and especially NTLMv1, underpins relay and Pass-the-Hash attacks. Audit where NTLM is still used, then restrict or disable it in favor of Kerberos. The relationship between the two protocols is worth understanding, because the move off the weaker one closes whole attack classes; see NTLM vs. Kerberos. Enforce SMB signing and LDAP signing and channel binding to defeat relay even where some NTLM remains. Disable legacy ciphers (RC4 for Kerberos) so that roasted tickets are far harder to crack.

Rotate the KRBTGT account. The KRBTGT password hash is what signs every Kerberos ticket, and it is what a Golden Ticket forges. If a compromise is suspected, reset KRBTGT twice (the account keeps two key versions, so a single reset leaves the old key valid). This is the only action that actually invalidates an attacker's forged Golden Tickets.

Monitor the directory. Hardening reduces the attack surface; monitoring catches what gets through. The high-value Windows event IDs: 4769 (Kerberos service ticket requested, watch for roasting bursts and RC4 tickets), 4768 (TGT requested), 4662 (directory access, the DCSync signal when paired with replication GUIDs), 4624/4625 (logons and failures, watch for hash reuse patterns), and 7045 (service install, a common persistence move). Feed these into a SIEM, baseline normal behavior, and alert on the anomalies. AD attacks are loud if you are listening on the right channel. They map directly onto MITRE ATT&CK, which gives each technique a detectable behavior to hunt for.
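Added example, not part of the original article: the 4662 DCSync check described above, run over constructed events. It pulls the replication control-access-right GUIDs out of the Properties field and alerts when the requesting principal is neither a domain controller's computer account nor an allowlisted synchronization account; the field names, host names, and account names are assumptions.

```python
import re

# Control-access-right GUIDs that appear in a 4662 event's Properties field when
# the replication rights DCSync depends on are exercised against the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",  # the one that returns secrets
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed 4662 records (assumed field names: SubjectUserName, the DC that logged
# the event, ObjectName, and the raw Properties text that lists the GUIDs).
SAMPLE_4662 = [
    # routine replication by a peer domain controller
    {"subject": "DC02$", "computer": "DC01", "object": "DC=corp,DC=local",
     "properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a directory-synchronization service account (constructed name); replication is its job
    {"subject": "MSOL_1a2b3c4d", "computer": "DC01", "object": "DC=corp,DC=local",
     "properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{89e95b76-444d-4c62-991a-0facbeda640c}"},
    # a standard user exercising Get-Changes-All against the domain head: the DCSync signal
    {"subject": "jdoe", "computer": "DC01", "object": "DC=corp,DC=local",
     "properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an unrelated 4662 carrying a constructed, non-replication GUID
    {"subject": "helpdesk1", "computer": "DC01", "object": "CN=asmith,OU=Users,DC=corp,DC=local",
     "properties": "%%7688\n\t{11111111-2222-3333-4444-555555555555}"},
]


def detect_dcsync(events, dc_accounts, allowlist=()):
    """Return one alert per 4662 that exercises a replication right from a principal
    that is neither a domain controller's computer account nor an allowlisted account."""
    trusted = {a.lower() for a in dc_accounts} | {a.lower() for a in allowlist}
    alerts = []
    for e in events:
        rights = sorted({REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(e["properties"])
                         if g.lower() in REPLICATION_RIGHTS})
        if not rights or e["subject"].lower() in trusted:
            continue
        alerts.append({"subject": e["subject"], "computer": e["computer"], "object": e["object"],
                       "rights": rights,
                       "secrets_readable": "DS-Replication-Get-Changes-All" in rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, dc_accounts=["DC01$", "DC02$"], allowlist=["MSOL_1a2b3c4d"]):
        print(alert)
```

4662 is only written when Directory Service Access auditing is enabled and the domain object's SACL audits control-access rights, so confirm the events exist before trusting the detection's silence.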

The order matters less than the layering. Tiering and least privilege shrink the blast radius; LAPS and gMSA remove the easy credential wins; disabling legacy protocols closes the relay paths; and monitoring turns whatever slips through into an alert before it reaches Tier 0.

Active Directory security checklist

A practical baseline, in rough priority order:

  1. Inventory and minimize membership of Domain Admins, Enterprise Admins, and all Tier 0 groups.
  2. Implement the tiered admin model; forbid Tier 0 logons on lower-tier hosts.
  3. Deploy Privileged Access Workstations for Tier 0 administration.
  4. Roll out Windows LAPS for unique local admin passwords on every host.
  5. Convert service accounts to Group Managed Service Accounts; kill weak SPN passwords.
  6. Require Kerberos pre-authentication on every account.
  7. Restrict directory replication rights to domain controllers only.
  8. Audit and disable NTLM where possible; enforce SMB and LDAP signing.
  9. Disable RC4 for Kerberos; require AES.
  10. Centralize AD security logs in a SIEM and alert on events 4769, 4662, 4624/4625, 7045.
  11. Rotate KRBTGT on a schedule, and twice on suspected compromise.

The bottom line

Active Directory is the prize at the end of nearly every serious intrusion because it is the one system that controls all the others. The attacks against it (Kerberoasting, AS-REP roasting, Golden and Silver Tickets, DCSync, Pass-the-Hash, and NTLM relay) mostly abuse how Kerberos and NTLM were designed, not a bug you can patch away. That makes AD security a layering problem: tier the admin model so a workstation compromise cannot reach a Domain Admin, strip privilege down to what is needed, remove the easy credential wins with LAPS and gMSA, retire the legacy protocols that feed relay and hash reuse, and monitor the directory so the techniques that still get through surface as alerts. Done together, those controls turn AD from a single point of failure into a sequence of dead ends. The way to make it instinctive is to work real intrusions and watch the attack progress across the directory, then decide where you would have broken it.

Frequently asked questions

What is Active Directory security?

Active Directory security is the set of controls, monitoring, and architecture choices that protect the AD directory service from credential theft, privilege escalation, and takeover of the accounts that govern a Windows domain. It covers the directory configuration, the Kerberos and NTLM protocols, the privileged-access model, and the telemetry that detects abuse.

Why do attackers target Active Directory?

Because AD is the single source of identity for the whole estate. A domain controller holds every account's password hash and brokers every authentication, so compromising it grants control of every user, machine, and file share. Even a low-privilege foothold lets an attacker enumerate the entire directory over LDAP and plan a path to Domain Admin.

What is the most common Active Directory attack?

Kerberoasting is among the most common because any authenticated user can launch it with no special privileges. The attacker requests service tickets for accounts with a Service Principal Name, then cracks the password hashes offline. Pass-the-Hash and DCSync are also frequent, the first for lateral movement and the second for dumping domain credentials.

What is a Golden Ticket attack?

A Golden Ticket is a forged Kerberos Ticket-Granting Ticket created using the stolen password hash of the KRBTGT account. Because KRBTGT signs all tickets, the forgery grants the attacker any identity and privilege in the domain, for as long as they choose, surviving normal password resets. Resetting the KRBTGT account twice is the only way to invalidate existing Golden Tickets.

How do you secure Active Directory against Pass-the-Hash?

Pass-the-Hash relies on reusing a stolen NTLM hash to authenticate elsewhere. The defenses are a tiered admin model that keeps privileged accounts off lower-tier hosts, LAPS to ensure no two machines share a local admin password, disabling NTLM in favor of Kerberos, and restricting where privileged credentials can log in at all.

What is LAPS and why does it matter?

LAPS (Local Administrator Password Solution) sets a unique, random local administrator password on each Windows machine and rotates it automatically, storing it in AD or Entra ID. It matters because a single shared local admin password lets one stolen hash unlock every machine on the network. Windows LAPS, built into Windows, is the current version; the standalone Microsoft LAPS is deprecated.
