Microsoft’s Active Directory (AD)—released in 1999 as part of Windows 2000 Server Edition—is currently the most popular directory service for Windows domain networks. AD has evolved and matured over the years and is a central component of how many mid- to large-size Windows-based organizations manage their users, computers, and other resources.
Given the ubiquity of AD and the critical role it plays in network authentication and authorization, it has become one of the main attack vectors that bad actors use to try to gain unauthorized access to an organization’s network resources. As with all other IT security risks, it’s important for IT and security leaders to understand what form AD attacks can take and how to defend against them. The consequences of an AD security breach are the same as for other cyberattacks: data theft, system disruption, and significant damage to an organization’s reputation.
Common Active Directory Attack Methods
While there are many AD attack methods that attackers can use, the five listed here are among the most common. For each attack listed below, we’ll describe and define what the attack is, how it’s executed, and then provide some tips and suggestions on how you can defend against it.
Bloodhound Recon
Named after the BloodHound tool—which now also has a more powerful commercial, enterprise product named BloodHound Enterprise published by SpecterOps—this attack relies on using the BloodHound tool to analyze a target AD environment. According to the BloodHound Community product page, “BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory, Entra and Azure environment.”
While BloodHound is unequivocally produced and promoted by the developer with good intentions, it’s also true that the tool can be used by bad actors to scope out potential vulnerabilities in an AD network. The Bloodhound product page says it better than I could: “Attackers can use BloodHound to easily identify highly complex Attack Paths that would otherwise be impossible to identify quickly, and defenders can use BloodHound to identify and eliminate those same Attack Paths.”
So how do you defend against a malicious actor using BloodHound to snoop around your AD network? You can start by using BloodHound yourself to see what some of the vulnerabilities in your AD network are, which should help you identify which users have needlessly elevated account permissions. As a corollary, using BloodHound can help you craft more effective privileged account management practices as well.
Kerberoasting
Kerberos is one of the primary authentication protocols used in an AD environment, and Kerberos authentication is based on using tickets that are employed to ask for and grant access to services. The “Kerberoasting” attack seeks to exploit the Kerberos authentication protocol by obtaining encrypted Kerberos service tickets to gain access to network account passwords.
According to Nick Lucas from the Ravenswood Technology Group, Kerberoasting takes place following the acquisition of valid domain credentials. Attackers can use a tool to coerce a domain controller to provide a ticket that contains encrypted passwords. “This provides the threat actor with the password hash of this privileged account, which they are then able to crack the password with brute force due to the weakness of the password,” writes Lucas. “This allows the attackers lateral movement using these newly gathered elevated privileges.”
Lucas has written a blog post—Protecting Your Active Directory from Kerberoasting Attacks—that provides more detailed information about defending against Kerberoasting. He suggests rotating the Kerberos Ticket-Granting Ticket (KRBTGT) account password annually, removing SPNs assigned to privileged accounts, ensuring that Kerberos pre-authentication is required for all accounts in the directory, and auditing for use of RC4 ticket encryption types and ensuring accounts have AES128/256 enabled. He also suggests using strong passwords for privileged service accounts (and rotating them annually), as well as migrating privileged service accounts to Group Managed Service Accounts (gMSA) when applicable.
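The audit below is an added example, not code from Lucas’s post or from Ravenswood; it checks a domain for the exposures he lists (SPNs on privileged accounts, RC4-only accounts, pre-authentication disabled, stale passwords, and KRBTGT age). It assumes the RSAT ActiveDirectory module is installed and that the privileged group names and the 365-day threshold are adjusted to your forest.

```powershell
# Added example: Kerberoasting exposure audit. Assumes the RSAT ActiveDirectory module
# and a domain account with read access; group names below are assumptions to tune.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft:
# 0x4 = RC4-HMAC, 0x8 = AES128-CTS-HMAC-SHA1-96, 0x10 = AES256-CTS-HMAC-SHA1-96.
$AesBits = 0x8 -bor 0x10

# Tier 0 groups whose members should not carry an SPN at all.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$PrivilegedDNs = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}

# Enabled user accounts with at least one SPN are the accounts a Kerberoaster can request
# service tickets for. Get-ADUser does not return gMSAs, whose passwords rotate automatically.
$Filter = '(&(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$Props  = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes', 'DoesNotRequirePreAuth', 'PasswordLastSet'
$Report = Get-ADUser -LDAPFilter $Filter -Properties $Props | ForEach-Object {
    # An unset attribute means the DC default applies, which permits RC4 in the default configuration.
    $enc = if ($null -ne $_.'msDS-SupportedEncryptionTypes') { [int]$_.'msDS-SupportedEncryptionTypes' } else { 0 }
    [PSCustomObject]@{
        SamAccountName  = $_.SamAccountName
        IsPrivileged    = $PrivilegedDNs -contains $_.DistinguishedName
        AllowsRC4Only   = ($enc -band $AesBits) -eq 0
        NoPreAuth       = [bool]$_.DoesNotRequirePreAuth
        PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 }
        SPNCount        = @($_.servicePrincipalName).Count
    }
}

# Only rows matching one of the post's findings need action; the rest are informational.
$Report | Where-Object { $_.IsPrivileged -or $_.AllowsRC4Only -or $_.NoPreAuth -or $_.PasswordAgeDays -gt 365 } |
    Sort-Object IsPrivileged -Descending | Format-Table -AutoSize

# krbtgt is disabled, so it is excluded above, but its password age is the post's first item.
$KrbtgtAge = [int]((Get-Date) - (Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet).TotalDays
"krbtgt password last set $KrbtgtAge days ago (the post recommends annual rotation)"
```

Get-ADGroupMember -Recursive skips foreign security principals from trusted domains, so members that come in through a trust must be reviewed separately.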
Pass the Hash Attack
Another common AD attack is known as a pass-the-hash (PtH) attack. In a PtH attack, a bad actor uses stolen hash values to authenticate as the victim, even without knowing the victim’s original plaintext password.
“Authentication systems generate and store hashes of passwords instead of storing the actual passwords,” writes Josh Goben of the Ravenswood Technology Group. “During an authentication request, the entered password is hashed and compared with the stored hash; if they match, the user is authenticated.”
According to Goben, attackers prefer to obtain and use hashes that use NTLM (New Technology LAN Manager) authentication, an older protocol that has largely been supplanted by Kerberos authentication. That said, NTLM is still relied upon by many applications, making it unrealistic to remove completely.
“A successful PtH attack involves two main steps,” writes Goben. “First, password hashes for local or domain accounts are harvested, and then those harvested hashes are authenticated on a matching user account.”
Eliminating legacy protocols like NTLM from your environment is an important step toward protecting yourself from PtH attacks. Requiring Kerberos for sensitive accounts and systems can further strengthen your defenses.
Password Spraying
Another common AD attack is called password spraying. In practice, password spraying is true to the words that describe it: an attacker runs a brute-force batch of commonly used passwords across many user accounts simultaneously. This differs from traditional brute-force attacks, which commonly focus on attempting to breach a single account with a large number of passwords.
Password spraying is a common cyberattack, with Microsoft reporting as recently as April 2025 that bad actors were using this attack method to breach accounts of Microsoft Azure customers in the educational sector. One common tool used to carry out these attacks is AzureChecker.exe, which Microsoft describes as “…a Command Line Interface (CLI) tool that is being used by a wide range of threat actors.”
When it comes to tools and techniques to defend against password spraying attacks, Brian Desmond of the Ravenswood Technology Group suggests that Entra ID (formerly known as Azure Active Directory) can help.
“Although password spray is difficult to detect as a single entity, mass scale identity platforms such as Entra ID have much larger data sets that make these patterns detectable,” writes Desmond. “Microsoft does exactly this and curates password spray attack data in multiple forms for Entra ID Premium customers. Through billions upon billions of authentication attempts, Microsoft can curate a list of some of the most common passwords that are used in password spray attacks.”
Privilege Escalation
Getting access to a target network, accessing a user account, and then elevating access rights for that account is a goal for many attackers. That approach is called privilege escalation and is one of the most potentially damaging cyberattacks in a bad actor’s bag of tricks. Once that compromised user account has been elevated to a high degree of access privilege, the attacker can move laterally across the compromised environment far more freely.
Privilege escalation attacks often rely on a system bug, misconfiguration, or other defect or flaw to gain access to a target system. Once a bad actor has access, they can then engage in horizontal privilege escalation—moving between user accounts in different departments, for example—or the aforementioned increase in access privileges, which is called vertical privilege escalation. Both can be damaging, but the latter is the most dangerous, as it can give bad actors access to the same level of system access powers as the most privileged admin accounts in the system, which can give the attacker complete control over the network and full access to all system resources.
When it comes to defending against privilege escalation attacks in an AD forest, a tiered access model is one of the best methods you can adopt for securing Active Directory. In his blog post entitled How to Mitigate Privilege Escalation with the Tiered Access Model for Active Directory Security, Brian Desmond explains that the tiered access model is composed of three access tiers. Those tiers are:
- Tier 0: Assets that provide direct control of security and identity infrastructure. AD is the preeminent Tier 0 asset, but other common examples are services such as public key infrastructure (PKI), Entra ID Connect, Entra ID, identity and access management (IAM) tools, federation (e.g., AD FS, Ping, Okta, etc.), and management systems for Tier 0 assets.
- Tier 1: Servers, applications, and cloud services. Tier 1 access typically provides a significant amount of access to critical business data. Within Tier 1, it is not uncommon to further segment access to limit privileged access to different sets of servers, applications, and services.
- Tier 2: Client computers and related devices. Administrative access or indirect control (e.g., help desk/desktop support) of an end-user device is the most common example of Tier 2 access. Within Tier 2, it is permissible to further segment access to limit privileged access to different sets of Tier 2 assets.
According to Desmond, this tiered access approach implements technical controls that make it more difficult for attackers to cross tier boundaries. “When credentials cross tier boundaries, they become susceptible to compromise through credential theft and other avenues,” explains Desmond. “Technical controls are implemented with Group Policy Objects (GPOs) to prevent these situations.”
General AD Attack Prevention Methods
While we’ve already covered some specific prevention tips tailored to each of the five AD attacks listed above, defending your AD environment from attacks and breaches requires a number of overall (and proactive) defense measures. Let’s discuss several broad categories of defense, including strengthening password policies, regular audits and monitoring, implementing least privilege principles, and adopting advanced security measures.
- Continuous Monitoring and Regular Audits: Two bits of good general security advice are to implement a continuous monitoring plan and to perform regular audits. Continuous monitoring can be helpful in detecting unusual activities and potential breaches. Security events from domain controllers should be forwarded to a SIEM like Microsoft Sentinel. The SIEM should generate alerts for anomalous activities like changes to privileged groups and patterns that are indicative of an attempted or successful compromise. A regular system security audit is part of the basic blocking and tackling of any AD security plan, with regular security audits being vital to identifying system vulnerabilities and ensuring compliance.
- Implementing Least Privilege Principle: We’ve discussed this a bit in the section on privilege escalation attacks, but the same principle—granting users only the access necessary for their roles—is one that should be applied across your entire organization. Using role-based access control (RBAC) and implementing regular reviews of permissions should be added to regular system security reviews.
- Advanced Security Measures: In addition to some of the security measures outlined above, there are a few other advanced security measures you can adopt to improve the security of your organization’s network.
Endpoint Detection and Response (EDR) solutions can identify and respond to threats in real time and can provide tangible benefits for mitigating AD attacks. EDR solutions like Microsoft Defender can detect and prevent tools like BloodHound or Mimikatz and advanced attack patterns such as attempting to access or modify LSASS memory.
Another advanced security technique is User Entity Behavior Analytics (UEBA), which is a security process that relies on AI and data analytics to monitor and evaluate user behavior within a network. UEBA can then act upon that monitoring by identifying patterns that could help detect security breaches.
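The script below is an added example, not code from Ravenswood or from Microsoft Sentinel; it shows the two detections named above (the password-spray pattern from the password spraying section and alerts on privileged group changes from the monitoring bullet) as logic a SIEM rule would express, run over constructed sample events. The events, source addresses, account names and thresholds are all assumptions; only the Windows event IDs (4625 failed logon; 4728/4732/4756 member added to a security-enabled group) are real.

```powershell
# Added example: two SIEM-style detections over constructed sample events (offline).
# Constructed events; Source and Account values are made up, event IDs are the real Windows ones.
$Base   = Get-Date '2025-05-01 08:00:00'
$Events = @()
$Events += 1..25 | ForEach-Object {      # spray: 25 accounts, one guess each, from one source
    [PSCustomObject]@{ Time = $Base.AddSeconds($_); Id = 4625; Account = "user$_"; Source = '198.51.100.7'; Group = $null } }
$Events += 1..6 | ForEach-Object {       # not a spray: one account hammered from one host
    [PSCustomObject]@{ Time = $Base.AddMinutes($_); Id = 4625; Account = 'bob'; Source = '10.0.0.15'; Group = $null } }
$Events += [PSCustomObject]@{ Time = $Base.AddMinutes(9); Id = 4728; Account = 'svc-backup'; Source = '10.0.0.5'; Group = 'Domain Admins' }

function Find-PasswordSpray {
    # Flag a source that fails logons against many distinct accounts with few attempts per account
    # inside a short window: many accounts, low per-account count is the spray signature.
    param([object[]]$Events, [int]$MinAccounts = 20, [int]$MaxPerAccount = 3, [int]$WindowMinutes = 30)
    $Events | Where-Object { $_.Id -eq 4625 } | Group-Object Source | ForEach-Object {
        $perAccount = $_.Group | Group-Object Account
        $times      = $_.Group.Time | Sort-Object
        $spanMin    = ($times[-1] - $times[0]).TotalMinutes
        $maxTries   = ($perAccount | Sort-Object Count -Descending)[0].Count
        if ($perAccount.Count -ge $MinAccounts -and $maxTries -le $MaxPerAccount -and $spanMin -le $WindowMinutes) {
            [PSCustomObject]@{ Alert = 'PasswordSpray'; Source = $_.Name; Accounts = $perAccount.Count; Attempts = $_.Count }
        }
    }
}

function Find-PrivilegedGroupChange {
    # Any membership change to a watched Tier 0 group is worth an alert on its own.
    param([object[]]$Events, [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    $Events | Where-Object { $_.Id -in @(4728, 4732, 4756) -and $_.Group -in $WatchedGroups } | ForEach-Object {
        [PSCustomObject]@{ Alert = 'PrivilegedGroupChange'; Group = $_.Group; Member = $_.Account; Source = $_.Source; Time = $_.Time }
    }
}

# Expected: one PasswordSpray alert for 198.51.100.7 (bob's six failures stay below MinAccounts)
# and one PrivilegedGroupChange alert for svc-backup being added to Domain Admins.
Find-PasswordSpray -Events $Events | Format-Table -AutoSize
Find-PrivilegedGroupChange -Events $Events | Format-Table -AutoSize
```

Against live data, replace the constructed array with Get-WinEvent output from the domain controllers' Security log, mapping TargetUserName, IpAddress and the group name from each event's XML into the same four properties.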
AD Security: Achievement Unlocked
While no system will ever be completely immune to cyberattacks, following the steps, tips, and suggestions we’ve outlined in this article—and keeping a proactive security posture—can help safeguard your sensitive information and make it much harder for attacks on your Active Directory environment to succeed.
Ravenswood Technology Group's Expertise
Get in touch with Ravenswood Technology Group today to learn how we can help you identify and mitigate Active Directory vulnerabilities—so you can protect your network, safeguard your data, and maintain trust in your organization’s security posture.