Attacks on Active Directory: Tools, Vulnerabilities, and Modern Defense Techniques

Active Directory (AD) is the invisible command center of corporate infrastructure. It unifies user accounts, permissions, policies, and authentication processes into a single system. When everything operates normally, users don’t even notice AD’s presence. However, a single misconfiguration or an overlooked parameter can compromise the security of the entire domain.

Today, attacks targeting Active Directory have moved far beyond professional pentesting and become a standard part of cybercriminal toolkits. Automated tools can scan networks, steal hashes, and visually map privilege escalation paths. Therefore, the key responsibility of a modern administrator is not just installing patches but having deep knowledge of Kerberos mechanisms, delegation policies, and weak ACL configurations.

Weapons of Attackers: The Most Popular Tools

Mimikatz and Rubeus — the duo that “unlocks” Kerberos

Mimikatz is part of almost every cyberattack scenario. It extracts plaintext credentials from LSASS, creates golden and silver tickets, and enables Pass-the-Hash attacks.
Rubeus is optimized for cleaner and stealthier Kerberoasting and AS-REP Roasting attacks.

BloodHound and SharpHound — the privilege graph

SharpHound collects information about SPNs, groups, objects, and permissions in the domain. BloodHound turns that data into a visual graph that reveals privilege escalation paths in seconds. It is just as useful to defenders auditing their own domain as it is to attackers.

Impacket and CrackMapExec — deep interaction with Windows services

The Impacket library provides powerful scripts such as secretsdump, ntlmrelayx, and wmiexec. CrackMapExec acts as an automation workhorse on top of it, enabling mass host enumeration, exploitation, and relay attacks with a single command.

PowerView and ADRecon — PowerShell-based reconnaissance

PowerView identifies permissions, delegation, service accounts, and trust relationships.
ADRecon collects full domain configuration and presents it in an auditor-friendly report format.

Vulnerabilities: the Most Dangerous “Open Doors” in AD

Kerberos misconfigurations

  • Kerberoasting — any authenticated domain user can request service tickets for accounts with SPNs and crack the underlying passwords offline.
  • AS-REP Roasting — accounts that do not require Kerberos pre-authentication hand out material that can be cracked offline in the same way.
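An added audit script (not from the article) that lists the accounts exposed to the two misconfigurations above and, in commented-out form, the remediation. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to user objects.

```powershell
# Added audit example: read-only by default, remediation lines are commented out.
Import-Module ActiveDirectory

# Kerberoastable: any user object carrying an SPN. krbtgt is excluded because its
# SPN is expected. PasswordLastSet shows how old a crackable password is.
# Bit mask 0x18 = AES128|AES256 in msDS-SupportedEncryptionTypes; without it the
# service ticket is issued with RC4, which cracks far faster than AES.
$roastable = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet |
  Select-Object SamAccountName, PasswordLastSet,
    @{n='SPNs';       e={ $_.servicePrincipalName -join ';' }},
    @{n='AESEnabled'; e={ [bool]($_.'msDS-SupportedEncryptionTypes' -band 0x18) }}

# AS-REP roastable: userAccountControl bit DONT_REQ_PREAUTH (0x400000 = 4194304).
$noPreauth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
    -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet

"SPN accounts without AES (highest risk):"
$roastable | Where-Object { -not $_.AESEnabled } | Format-Table -AutoSize
"Accounts with pre-authentication disabled:"
$noPreauth | Format-Table -AutoSize

# Remediation (uncomment after review): require pre-auth, restrict to AES, and
# move the service to a gMSA so the password is long, random and rotated.
# $noPreauth | ForEach-Object { Set-ADAccountControl -Identity $_.SamAccountName -DoesNotRequirePreAuth $false }
# $roastable | Where-Object { -not $_.AESEnabled } |
#   ForEach-Object { Set-ADUser -Identity $_.SamAccountName -KerberosEncryptionType AES128,AES256 }
```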

Weak ACLs and misconfigured delegation

Helpdesk or service groups may unintentionally receive excessive privileges.
With incorrect Resource-Based Constrained Delegation (RBCD) settings, an attacker who can write a resource's delegation attribute can obtain service tickets to that resource on behalf of any user.

Legacy protocols and outdated hashes

If SMBv1, LM, or NetNTLMv1 remain enabled, lateral movement becomes much easier.
Old printers or service servers frequently introduce these risks.

DNSAdmins vulnerability

Members of the DNSAdmins group can load custom DLLs via the DNS server and execute code as SYSTEM on the domain controller — a threat often overlooked.

Attack Path: The Road to Domain Admin

  1. Reconnaissance
    Using SharpHound to map SPNs, groups, ACLs, and trust relationships.
  2. Credential extraction
    Extracting LSASS session data, NTLM hashes, and Kerberos tickets via Mimikatz.
  3. Privilege escalation
    Obtaining all domain hashes with DCSync, or pushing directory changes such as ACL modifications through a rogue DC with DCShadow so they bypass the usual change logging.
  4. Persistence
    Malicious GPOs, SIDHistory manipulation, scheduled tasks, and other backdoor methods.

Multi-Layer Defense: Practical Recommendations

1. Tiered administration and least-privilege principle

Segment the environment into three tiers:

  • Tier 0 — Domain Controllers, PKI
  • Tier 1 — Servers
  • Tier 2 — Workstations

Each tier must have dedicated admin accounts and isolated network segments.

2. Modern authentication policies

  • Enable LDAP signing and Channel Binding.
  • Fully block LM and NetNTLMv1.
  • Use gMSA for service accounts.
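An added drift check (not from the article) for the registry values behind the first two bullets, to be run on each domain controller. The expected values match what the corresponding Group Policy settings enforce; the GPO names in the trailing comment are the place to fix any drift.

```powershell
# Added example: report whether a DC enforces LDAP signing, channel binding and
# NTLMv2-only authentication. Expected values are the hardened settings.
$checks = @(
  # LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always required.
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name='LDAPServerIntegrity';       Expected=2 }
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name='LdapEnforceChannelBinding'; Expected=2 }
  # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1; NoLMHash 1 = never store LM hashes.
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='LmCompatibilityLevel'; Expected=5 }
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='NoLMHash';             Expected=1 }
)

function Test-AuthHardening {
  param($Checks)
  foreach ($c in $Checks) {
    # A missing value means the OS default applies, which is weaker than every Expected above.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $shown  = if ($null -eq $actual) { '(not set, default)' } else { $actual }
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{ Setting = $c.Name; Actual = $shown; Expected = $c.Expected; Status = $status }
  }
}

Test-AuthHardening -Checks $checks | Format-Table -AutoSize

# Fix DRIFT through Group Policy rather than by editing the registry, so it does not revert:
#   Domain controller: LDAP server signing requirements               -> Require signing
#   Domain controller: LDAP server channel binding token requirements -> Always
#   Network security: LAN Manager authentication level                -> Send NTLMv2 response only. Refuse LM & NTLM
#   Network security: Do not store LAN Manager hash value on next password change -> Enabled
```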

3. An unpatched AD is a vulnerable AD

Monitor Microsoft’s monthly Kerberos, NTLM, and LSASS-related CVEs.
Vulnerabilities affecting PAC validation (e.g., CVE-2024-20677) require top priority.

4. Monitoring and network analytics

  • Critical Windows Events: 4662, 4742, 4720, 4728
  • Sysmon EventID 11 for suspicious DLL loads
  • Zeek/Suricata for SMB relay detection and Kerberos anomalies

5. Just-in-Time (JIT) administrative privileges

Admins should receive elevated privileges only temporarily (e.g., 30 minutes), after which permissions are automatically removed.
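An added example (not from the article) of time-bound group membership using the Privileged Access Management optional feature, which lets the DC expire the membership on its own. It assumes a Windows Server 2016 or later forest with that feature enabled; the account and group names are placeholders.

```powershell
# Added JIT example. Requires the PAM optional feature, enabled once per forest with
# Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target <forest>
Import-Module ActiveDirectory

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)] [string] $Member,
        [string] $Group = 'Domain Admins',     # placeholder group
        [int] $Minutes = 30
    )
    $ttl = New-TimeSpan -Minutes $Minutes
    # The membership link carries the TTL; the DC removes it when the timer expires, so
    # no cleanup job is needed. Kerberos tickets issued meanwhile get a lifetime capped
    # at the remaining TTL, so the elevated group does not outlive the grant in cached tickets.
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $ttl
    # Log the grant so it can be correlated with event 4728 (member added to a security group).
    "{0} added to {1} until {2:u}" -f $Member, $Group, (Get-Date).Add($ttl)
}

function Get-TemporaryMemberships {
    param([string] $Group = 'Domain Admins')
    # With -ShowMemberTimeToLive, expiring members are returned as "<TTL=seconds>,<DN>";
    # members without the prefix are permanent and deserve a separate review.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
            } else {
                [pscustomobject]@{ Member = $_; SecondsLeft = $null }   # permanent member
            }
        }
}

Grant-TemporaryMembership -Member 'jdoe.adm' -Minutes 30   # placeholder admin account
Get-TemporaryMemberships | Format-Table -AutoSize
```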

6. Network segmentation

Restrict SMB and RPC traffic and limit DNS zone transfers.
Implement clear VLAN boundaries.
Manage local administrator passwords using LAPS.

If an Attack Is Underway

  • Detection: Kerberos event 65535 indicates forged TGTs; high volumes of 4768 suggest roasting attempts.
  • Containment: Isolate compromised DCs; perform a two-stage KRBTGT reset.
  • Cleanup: Verify AdminSDHolder, SIDHistory, and GPO integrity.
  • Recovery: Restore from a clean System State, rebuild trust relationships, and renew certificates.
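An added detection example (not from the article) covering two of the signals named in the monitoring section and the detection bullet above: replication rights used in event 4662 by something other than a domain controller (the DCSync pattern), and a burst of 4768 requests for many accounts from one source. The event records are constructed inline so the logic runs offline; the DC names and IP addresses are placeholders.

```powershell
# Added example: in production, replace $events with Get-WinEvent output from the DCs' Security logs.
$events = & {
  # DS-Replication-Get-Changes (…f6aa) and -Get-Changes-All (…f6ad) control-access rights in 4662.
  [pscustomobject]@{Id=4662; Time=[datetime]'2025-01-10T09:00:01'; Account='svc-backup'; Ip='10.0.0.21';
    Props='{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'}
  [pscustomobject]@{Id=4662; Time=[datetime]'2025-01-10T09:00:02'; Account='DC02$'; Ip='10.0.0.11';
    Props='{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}'}
  # Constructed burst: 4768 AS requests for 25 different accounts from one host within 25 seconds.
  1..25 | ForEach-Object {
    [pscustomobject]@{Id=4768; Time=([datetime]'2025-01-10T09:05:00').AddSeconds($_); Account="user$_"; Ip='10.0.0.50'; Props=''}
  }
  # Constructed normal logon: one 4768 from a workstation.
  [pscustomobject]@{Id=4768; Time=[datetime]'2025-01-10T09:06:00'; Account='alice'; Ip='10.0.0.77'; Props=''}
}

$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Find-DCSync {
  param($Events, [string[]]$DcAccounts = @('DC01$', 'DC02$'))   # placeholder DC computer accounts
  # Only DC computer accounts replicate legitimately; anything else exercising these rights is an alert.
  $Events | Where-Object { $_.Id -eq 4662 -and $_.Account -notin $DcAccounts } |
    Where-Object { $p = $_.Props; @($replGuids | Where-Object { $p -like "*$_*" }).Count -gt 0 } |
    Select-Object Time, Account, Ip, @{n='Alert'; e={ 'Replication rights used by non-DC (possible DCSync)' }}
}

function Find-RoastingBurst {
  param($Events, [int]$MinAccounts = 20, [int]$WindowSeconds = 60)
  # Sliding window per source IP: many distinct accounts requested in a short time is the
  # AS-REP roasting shape in 4768; the same logic applied to 4769 catches Kerberoasting.
  $Events | Where-Object Id -eq 4768 | Group-Object Ip | ForEach-Object {
    $ip = $_.Name; $sorted = $_.Group | Sort-Object Time
    for ($i = 0; $i -lt $sorted.Count; $i++) {
      $start = $sorted[$i].Time; $end = $start.AddSeconds($WindowSeconds)
      $inWin = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
      $distinct = @($inWin.Account | Select-Object -Unique).Count
      if ($distinct -ge $MinAccounts) {
        [pscustomobject]@{Time=$start; Ip=$ip; Accounts=$distinct; Alert='AS request burst for many accounts (possible AS-REP roasting)'}
        break   # one alert per source is enough
      }
    }
  }
}

Find-DCSync -Events $events | Format-Table -AutoSize          # flags svc-backup only
Find-RoastingBurst -Events $events | Format-Table -AutoSize   # flags 10.0.0.50 only
```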

Active Directory is the foundation of modern corporate identity systems. As networks grow, security requirements increase — and attackers never miss the opportunity to exploit the smallest mistake.

While you cannot eliminate all vulnerabilities, you can significantly reduce attack surface by implementing proper segmentation, strict policies, modern authentication, continuous monitoring, and automated analysis.

The strongest advantage of an Active Directory administrator is configuring the system to “speak” through logs, alerts, and analytical reports. Otherwise, a single exploit can turn a quiet Friday evening into a long and painful forensic investigation.