Systematic techniques for compromising Active Directory environments including enumeration, lateral movement, and domain dominance.
# Active Directory Attack Methodology
Active Directory attack methodology refers to the ordered sequence of techniques adversaries apply to enumerate, exploit, and control Windows domain environments from an initial foothold to full domain compromise. AD was designed to centralize authentication and authorization across enterprise networks, solving the problem of managing thousands of user accounts, computer objects, and access policies from a single authoritative directory. That centralization is also its greatest vulnerability: one directory controls everything. Attackers who understand AD's internal protocols, trust relationships, and delegation models can move from a single compromised workstation to total organizational control without ever exploiting a software vulnerability in the traditional sense. Most AD attacks abuse legitimate features, not bugs.
---
Active Directory attack methodology is the structured discipline of mapping, exploiting, and persisting within Microsoft Active Directory Domain Services (AD DS) environments. It spans the full attack lifecycle: from the first moment an adversary gains a toehold on a domain-joined host, through enumeration and privilege escalation, to domain dominance and long-term persistence.
This is distinct from general Windows exploitation. A Windows exploitation technique might target a vulnerable service or unpatched kernel. AD attack methodology targets the directory itself: its objects, attributes, delegations, trust relationships, and Kerberos implementation. An attacker may never exploit a single CVE during an AD compromise. Instead, they abuse legitimate administrative protocols and misconfigured permissions that the domain has accumulated over years of normal IT operations.
AD attack methodology also differs from cloud identity attacks, though the two increasingly intersect. Azure Active Directory (now Microsoft Entra ID) shares conceptual similarities but operates on a different protocol stack. On-premises AD runs Kerberos and LDAP. Azure AD runs OAuth 2.0 and SAML. Hybrid environments create attack paths that span both, but core AD methodology focuses on the on-premises Kerberos-based architecture.
Subtypes of AD attack methodology include:
What AD attack methodology is NOT: it is not a single tool, not limited to external attackers, and not a red-team-only concern. Insider threats and compromised service accounts follow the same paths.
---
AD attack methodology follows a reliable progression that security teams can anticipate and instrument. Each phase builds on the last.
## Phase 1: Initial Access and Domain Context
The attacker begins outside the domain perimeter or with a low-privileged user account, often obtained through phishing, credential stuffing, or exploitation of an internet-facing application. The first goal is simply confirming domain membership and identifying the domain name, domain controllers, and domain functional level. Tools like nltest, net group, and raw LDAP queries achieve this with no special privileges. Even an unauthenticated LDAP bind against a domain controller returns significant object data in default configurations.
## Phase 2: Enumeration
With domain credentials, the attacker maps the environment systematically. BloodHound, paired with its data collection agent SharpHound, ingests LDAP data and Windows API calls to construct a graph database of all users, groups, computers, GPOs, and ACL relationships. The attacker then queries this graph for shortest paths to Domain Admins. In most mature enterprise environments, BloodHound surfaces attack paths in minutes: a service account has GenericWrite over a group that nests into Domain Admins, or an IT workstation runs under an account with unconstrained delegation.
PowerView, part of the PowerSploit framework, provides granular enumeration of specific objects: Get-DomainUser, Get-DomainComputer, Find-LocalAdminAccess. The last command iterates through domain computers and tests whether the current user holds local administrator rights, identifying lateral movement opportunities without generating unusual network traffic.
## Phase 3: Credential Extraction
Kerberoasting is the most commonly observed AD attack technique in real incident response engagements. Any authenticated domain user can request a Kerberos service ticket (TGS) for any account registered with a Service Principal Name (SPN). The ticket is encrypted with the service account's NTLM hash. The attacker requests the ticket, extracts it from memory for offline cracking, and submits it to hashcat or John the Ripper. Service accounts frequently run with passwords set years ago, sometimes never rotated, and often shorter than 20 characters. Crack rates are high.
AS-REP Roasting targets accounts with Kerberos pre-authentication disabled, a legacy setting sometimes applied to service accounts or problem users. The attacker requests an AS-REP without authenticating; the KDC returns data encrypted with the account's hash. Offline cracking follows the same pattern as Kerberoasting.
LSASS credential dumping extracts plaintext passwords (in older environments) and NTLM hashes from memory on Windows hosts where Credential Guard is not enforced. Mimikatz's sekurlsa::logonpasswords is the canonical example, though modern endpoint detection products flag it aggressively. Attackers now use alternatives such as Nanodump, minidumps of the LSASS process created through Task Manager, or custom loaders that reflectively load credential extraction code.
DCSync is a post-privilege-escalation technique. The attacker, holding an account with Replicating Directory Changes and Replicating Directory Changes All permissions (typically Domain Admins or accounts explicitly delegated these rights), sends DS-Replication-Get-Changes requests to a domain controller. The DC responds with credential material for any account in the directory, including the krbtgt account. This requires no direct access to the DC itself, operating entirely over standard replication RPC calls.
## Phase 4: Lateral Movement
Pass-the-Hash sends an NTLM hash rather than a plaintext password to authenticate against remote services. Pass-the-Ticket injects a Kerberos ticket directly into a logon session using Mimikatz's kerberos::ptt, enabling access to services that require Kerberos authentication. Neither technique requires the attacker to crack a credential.
Overpass-the-Hash converts an NTLM hash into a full Kerberos TGT, enabling Kerberos-based lateral movement from a hash.
## Phase 5: Persistence and Dominance
A Golden Ticket is a forged Kerberos TGT signed with the krbtgt account's NTLM hash. Because every domain controller trusts tickets signed by krbtgt, a Golden Ticket grants access to any service in the domain, as any user, for up to 10 years by default. Rotating the krbtgt password twice (the standard remediation) invalidates all existing Golden Tickets but requires careful coordination to avoid service disruptions.
A Silver Ticket is a forged TGS encrypted with a specific service account's hash rather than krbtgt. It is more limited but harder to detect because it never touches a domain controller during use.
## Concrete Scenario: Retail Organization Compromise
A penetration test against a 4,000-seat retail organization began with a phishing email that delivered a macro-enabled document to an accounts payable clerk. The macro executed a PowerShell cradle that loaded a Cobalt Strike beacon. BloodHound enumeration identified that the clerk's account had GenericWrite over a distribution group. That group was nested inside a security group. That security group had local administrator rights on an HR workstation through a GPO. The HR workstation had an interactive logon session from a domain admin performing a password reset. LSASS dumping on that workstation yielded the domain admin's NTLM hash. DCSync followed. Total time from initial access to full domain compromise: four hours, forty minutes. No CVEs were exploited at any stage.
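To make the enumeration step concrete, the following added Python example (written for this article; it is not BloodHound's code and not CDA's tooling) rebuilds the scenario above as a small relationship graph. All node names (clerk, AP-Distribution, Workstation-Support, HR-WS01, da-admin, plus a few extra principals) and edges are constructed. It runs the same breadth-first shortest-path query that surfaces the attacker's route, then counts which edge the most paths cross, which is the single ACL or session a defender should remove first:

```python
"""Attack-path analysis over a constructed AD relationship graph.

Added example modelled on the retail scenario; node names, edges and
relationship labels are constructed and are not BloodHound's code or data.
"""
from collections import Counter, deque

# (source, relationship, target): "source can act on target".
# Hypothetical principals: the clerk's GenericWrite over a distribution group
# nested into a group that is AdminTo an HR workstation with a DA session.
EDGES = [
    ("clerk", "GenericWrite", "AP-Distribution"),
    ("AP-Distribution", "MemberOf", "Workstation-Support"),
    ("Workstation-Support", "AdminTo", "HR-WS01"),   # granted through a GPO
    ("HR-WS01", "HasSession", "da-admin"),
    ("da-admin", "MemberOf", "Domain Admins"),
    # extra constructed principals so the choke-point count means something
    ("svc-backup", "GenericWrite", "Workstation-Support"),
    ("helpdesk", "MemberOf", "Workstation-Support"),
    ("intern", "MemberOf", "Everyone"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search. Returns the hops [(src, rel, dst), ...] of the
    shortest path, [] when start == goal, or None when no path exists."""
    if start == goal:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == goal:
                hops, cur = [], goal
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                return hops[::-1]
            queue.append(nxt)
    return None


def choke_points(graph, principals, goal):
    """Count how many principals' shortest paths cross each edge. The edge
    with the highest count is the one remediation that cuts the most paths."""
    counts = Counter()
    for principal in principals:
        path = shortest_path(graph, principal, goal)
        if path:
            counts.update(path)
    return counts


def render(path):
    """Human-readable path, e.g. 'clerk -[GenericWrite]-> AP-Distribution ...'."""
    if not path:
        return "(no path)"
    text = path[0][0]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {dst}"
    return text


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print(render(shortest_path(graph, "clerk", "Domain Admins")))
    starts = ["clerk", "svc-backup", "helpdesk", "intern"]
    for edge, n in choke_points(graph, starts, "Domain Admins").most_common(3):
        print(n, edge)
```

In a real environment the edge list comes from SharpHound collection rather than a literal, and the choke-point count is what turns a list of paths into a remediation order: here the AdminTo edge from Workstation-Support to HR-WS01 sits on three of the four principals' paths, so removing that GPO-granted local admin right (or the domain admin's interactive session on the workstation) breaks more paths than fixing the clerk's GenericWrite alone.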
---
Active Directory is the identity backbone for an estimated 90 percent of Fortune 1000 organizations and the majority of global enterprises across all sectors. When an adversary achieves domain dominance, they do not merely control one system: they control the authentication infrastructure for every domain-joined asset in the organization. Domain admin access allows an attacker to push malicious Group Policy Objects to every workstation, read every file share, access every mailbox through Exchange integration, and extract credential material for every account in the directory including service accounts that connect to ERP systems, databases, and payment processors.
The ransomware deployment model depends entirely on AD compromise. Ransomware operators who achieve domain admin rights can deploy encryption payloads through Group Policy in minutes, across thousands of endpoints simultaneously. This is not a theoretical concern. The 2021 attack on Ireland's Health Service Executive (HSE) followed exactly this path: initial access through a phishing email, weeks of AD enumeration and lateral movement, domain compromise, and then Conti ransomware deployed via GPO. The HSE attack disrupted healthcare delivery across an entire country for weeks and cost an estimated 100 million euros in remediation.
A persistent misconception is that perimeter security or endpoint detection alone is sufficient to prevent AD compromise. Neither is sufficient. Once an attacker has valid domain credentials, most AD enumeration traffic is indistinguishable from normal administrative activity. LDAP queries, Kerberos ticket requests, and SMB connections are the background noise of every Windows enterprise network. Detection requires specific instrumentation of AD audit logs, Kerberos event IDs (4769 for TGS requests, 4768 for TGT requests, 4662 for directory object access), and behavioral baselines that identify anomalous account behavior.
A second misconception: AD attack methodology only applies to external attackers. Insider threats, whether malicious employees or compromised contractors, follow identical paths. A disgruntled system administrator already holds the keys. A compromised vendor account with broad AD permissions is a domain compromise waiting to happen.
Without structured understanding of AD attack methodology, security teams cannot write meaningful detection rules, cannot prioritize remediation of misconfigurations, and cannot conduct realistic purple team exercises. Defenders who do not know how BloodHound constructs attack paths cannot know which ACL misconfigurations to fix first.
---
CDA approaches Active Directory attack methodology through the Planetary Defense Model (PDM), mapping it across two primary domains: Identity and Access Threat (IAT) and Vulnerability Surface Discovery (VSD). The IAT domain addresses how identity systems are attacked and defended. The VSD domain addresses how attack surface is identified, measured, and reduced before adversaries can map it themselves.
CDA's governing methodology is Zero Possession Architecture (ZPA): "Trust nothing. Possess nothing. Verify everything." ZPA applied to AD environments means that no credential should persist long enough to be stolen, no account should hold standing privileges, and no trust relationship should exist without continuous verification.
In practice, CDA applies ZPA to AD through several operational principles. First, privileged accounts should not exist as permanent objects with standing membership in Domain Admins or equivalent groups. Just-in-time privileged access, enforced through Microsoft's Privileged Identity Management or equivalent tooling, eliminates the attack target. An attacker who dumps credentials from LSASS should find accounts with no current group memberships that grant domain-level rights.
Second, service accounts with SPNs (the targets of Kerberoasting) should be replaced with Group Managed Service Accounts (gMSAs) wherever possible. gMSAs rotate their own passwords automatically on a schedule defined by Active Directory, producing 120-character randomized passwords that are computationally infeasible to crack offline even if a service ticket is captured.
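As an added example of the audit behind the second principle (and the Kerberoasting and AS-REP roasting preconditions from Phase 3), the script below is written for this article and is not CDA's or Microsoft's tooling. Every record, account name and the one-year staleness threshold is constructed. It walks an LDAP-style export, skips disabled accounts and gMSAs, and reports accounts that are Kerberoastable (an SPN is set) or AS-REP roastable (the DONT_REQUIRE_PREAUTH bit is set), with the password age derived from the pwdLastSet FILETIME value:

```python
"""Audit constructed AD user records for Kerberoastable and AS-REP roastable
accounts. Added example: records, names and thresholds are constructed; this
is not CDA's or Microsoft's tooling."""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Microsoft-documented values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_WORKSTATION_TRUST = 0x1000        # what a gMSA object carries
UAC_DONT_EXPIRE_PASSWD = 0x10000
UAC_DONT_REQUIRE_PREAUTH = 0x400000   # the AS-REP roasting precondition

GMSA_CLASS = "msDS-GroupManagedServiceAccount"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STALE_PASSWORD_DAYS = 365             # constructed threshold for "set years ago"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for a repeatable run


def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100-ns ticks since 1601-01-01)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_age_days(record, now=NOW):
    return (now - from_filetime(record["pwdLastSet"])).days


def rec(name, classes, spns, uac, pwd_set):
    """Build one constructed record in the shape of an LDAP export."""
    return {"sAMAccountName": name, "objectClass": classes,
            "servicePrincipalName": spns, "userAccountControl": uac,
            "pwdLastSet": to_filetime(datetime(*pwd_set, tzinfo=timezone.utc))}


# krbtgt is disabled by default and must be skipped; the gMSA rotates its own
# password on AD's schedule and is not a Kerberoasting concern.
RECORDS = [
    rec("svc-sql", ["user"], ["MSSQLSvc/sql01.corp.example:1433"],
        UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWD, (2019, 3, 12)),
    rec("svc-web", ["user"], ["HTTP/web01.corp.example"], UAC_NORMAL_ACCOUNT, (2024, 4, 1)),
    rec("legacy-app", ["user"], [], UAC_NORMAL_ACCOUNT | UAC_DONT_REQUIRE_PREAUTH, (2020, 1, 1)),
    rec("gmsa-backup$", ["user", GMSA_CLASS], ["HOST/backup01.corp.example"],
        UAC_WORKSTATION_TRUST, (2024, 5, 20)),
    rec("krbtgt", ["user"], ["kadmin/changepw"],
        UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE, (2018, 6, 1)),
    rec("jdoe", ["user"], [], UAC_NORMAL_ACCOUNT, (2024, 3, 1)),
]


def audit(records, now=NOW):
    """Return one finding per roastable condition per enabled, non-gMSA account."""
    findings = []
    for r in records:
        uac = r["userAccountControl"]
        if uac & UAC_ACCOUNTDISABLE or GMSA_CLASS in r["objectClass"]:
            continue
        age = password_age_days(r, now)
        if r["servicePrincipalName"]:
            findings.append({
                "account": r["sAMAccountName"], "issue": "kerberoastable",
                "severity": "high" if age > STALE_PASSWORD_DAYS else "medium",
                "password_age_days": age,
                "detail": f"SPN {r['servicePrincipalName'][0]}; migrate to a gMSA",
            })
        if uac & UAC_DONT_REQUIRE_PREAUTH:
            findings.append({
                "account": r["sAMAccountName"], "issue": "asrep-roastable",
                "severity": "high", "password_age_days": age,
                "detail": "pre-authentication disabled; re-enable it",
            })
    return findings


if __name__ == "__main__":
    for f in audit(RECORDS):
        print(f"{f['severity']:6} {f['account']:12} {f['issue']:16} "
              f"pwd age {f['password_age_days']}d  {f['detail']}")
```

Against a live directory the same logic would consume the output of an LDAP search for `(servicePrincipalName=*)` and `(userAccountControl:1.2.840.113556.1.4.803:=4194304)`; the point of the constructed set is that the one account with a five-year-old, never-expiring password and an SPN is exactly the Kerberoasting target the text describes, while the gMSA carrying an SPN is correctly not reported.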
Third, CDA's VSD domain methodology requires continuous attack path analysis rather than point-in-time assessments. BloodHound Enterprise or equivalent continuous graph analysis identifies new attack paths as AD changes: every new user added to a group, every new ACL delegated, every new computer joined to the domain creates potential new paths. CDA treats attack path reduction as an ongoing operational function, not a periodic audit.
Fourth, CDA specifically addresses the detection gap. AD audit logging at the domain controller level must capture Kerberos events, LDAP queries, and replication requests. CDA recommends shipping these logs to a SIEM with specific detection rules for DCSync (event ID 4662 with specific GUIDs), Kerberoasting at scale (multiple 4769 events for RC4-encrypted tickets from a single source), and unusual AdminSDHolder modifications (event ID 5136).
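The three detection rules just listed, as an added Python example written for this article (it is not CDA's SIEM content; the events, account names and allow-list are constructed, while the field names follow the Windows Security event schema): 4662 events whose Properties carry either replication extended-right GUID from a principal that is not a known replication partner, a single requester whose RC4 (0x17) 4769 requests name many distinct SPN accounts inside a sliding window, and 5136 modifications of the AdminSDHolder object.

```python
"""Detection rules over constructed Windows Security events: DCSync (4662),
Kerberoasting at scale (4769) and AdminSDHolder modification (5136).
Added example: events, names and allow-list are constructed; not CDA's SIEM content."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extended-right GUIDs written into the 4662 Properties field during replication.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Constructed allow-list of principals expected to replicate (DC computer
# accounts and a hypothetical directory-sync account). Anyone else is DCSync.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$", "MSOL_sync"}

RC4_HMAC = "0x17"                 # TicketEncryptionType of an RC4 service ticket
ROAST_MIN_SERVICES = 5            # constructed threshold
ROAST_WINDOW = timedelta(minutes=10)
ADMINSDHOLDER_PREFIX = "cn=adminsdholder,cn=system,"


def detect_dcsync(events):
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        if any(g in props for g in REPLICATION_GUIDS) \
                and e["SubjectUserName"] not in REPLICATION_ALLOWLIST:
            alerts.append({"rule": "dcsync", "subject": e["SubjectUserName"]})
    return alerts


def detect_kerberoast(events, min_services=ROAST_MIN_SERVICES, window=ROAST_WINDOW):
    """Flag a requester whose RC4 TGS requests name at least min_services
    distinct non-machine accounts inside any window-length sliding interval."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGT service are not roasting targets
        per_user[e["TargetUserName"]].append((e["time"], svc))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        recent, peak = deque(), 0
        for t, svc in reqs:
            recent.append((t, svc))
            while recent[0][0] < t - window:
                recent.popleft()
            peak = max(peak, len({s for _, s in recent}))
        if peak >= min_services:
            alerts.append({"rule": "kerberoast", "subject": user, "services": peak})
    return alerts


def detect_adminsdholder(events):
    return [{"rule": "adminsdholder", "subject": e["SubjectUserName"],
             "attribute": e["AttributeLDAPDisplayName"]}
            for e in events
            if e["EventID"] == 5136 and e["ObjectDN"].lower().startswith(ADMINSDHOLDER_PREFIX)]


def run_all(events):
    return detect_dcsync(events) + detect_kerberoast(events) + detect_adminsdholder(events)


def ev(ts, event_id, **fields):
    """One constructed event; %%7688 in Properties is the 'Control Access' token."""
    return {"time": datetime.fromisoformat(ts), "EventID": event_id, **fields}


EVENTS = [
    ev("2024-06-01T09:00:00", 4662, SubjectUserName="DC02$",          # normal DC replication
       Properties=f"%%7688 {DS_REPL_GET_CHANGES_ALL}"),
    ev("2024-06-01T09:01:10", 4662, SubjectUserName="svc-backup",     # DCSync from a user account
       Properties=f"%%7688 {DS_REPL_GET_CHANGES} {DS_REPL_GET_CHANGES_ALL}"),
    ev("2024-06-01T09:02:00", 4662, SubjectUserName="jdoe",           # unrelated, constructed GUID
       Properties="%%7688 aaaaaaaa-0000-0000-0000-000000000000"),
    ev("2024-06-01T10:07:00", 4769, TargetUserName="jdoe@CORP.EXAMPLE",
       ServiceName="svc-web", TicketEncryptionType=RC4_HMAC),         # one RC4 request is normal
    ev("2024-06-01T10:08:00", 4769, TargetUserName="jdoe@CORP.EXAMPLE",
       ServiceName="HR-WS01$", TicketEncryptionType="0x12"),          # AES, machine account
    ev("2024-06-01T11:00:00", 5136, SubjectUserName="svc-backup",
       ObjectDN="CN=AdminSDHolder,CN=System,DC=corp,DC=example",
       AttributeLDAPDisplayName="nTSecurityDescriptor"),
    ev("2024-06-01T11:05:00", 5136, SubjectUserName="helpdesk",
       ObjectDN="CN=jdoe,OU=Users,DC=corp,DC=example", AttributeLDAPDisplayName="description"),
]
# One requester pulling RC4 tickets for six different SPN accounts in five minutes.
for i, svc in enumerate(["svc-sql", "svc-web", "svc-ftp", "svc-print", "svc-backup", "svc-sp"]):
    EVENTS.append(ev(f"2024-06-01T10:0{i}:00", 4769, TargetUserName="clerk@CORP.EXAMPLE",
                     ServiceName=svc, TicketEncryptionType=RC4_HMAC))

if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

The allow-list is the part that needs local tuning: domain controllers and the directory-sync account replicate legitimately, so the DCSync rule is only as good as the list of principals that are supposed to hold the replication rights. The Kerberoasting rule deliberately ignores AES-encrypted tickets and machine-account SPNs, since a burst of RC4 requests for user-account SPNs is the pattern the text describes, while a single RC4 request from a legacy client is background noise.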
CDA's differentiation is operational specificity: not "implement least privilege" as a principle, but a defined program for eliminating standing access, replacing vulnerable account types, and instrumenting the specific event IDs that surface AD attacks.
---
Written by CDA Editorial