Active Directory (AD) is one of the fundamental pillars in an organization’s IT infrastructure. This system plays a crucial role, being responsible for authenticating and authorizing users, creating groups and organizational units, and managing privileges and access throughout the corporate network. It centralizes and controls essential data about all users and devices, ensuring that only authorized individuals have access to company resources.
Due to its importance, Active Directory is an extremely attractive target for cybercriminals. Successful attacks on this infrastructure can compromise an organization’s entire network, resulting in financial losses, reputational damage, and even the exposure of sensitive data. Several ransomware incidents and other cyber intrusions have had AD as their entry point, where hackers have managed to escalate privileges and access machines, users, and groups, compromising the security of the entire network.
In this scenario, continuous assessment of Active Directory security and constant monitoring of its operations become essential to the protection of the organization. Proactivity in this process is key to identifying vulnerabilities before they are exploited.
Top Attacks on Active Directory
Enumeration and Reconnaissance Attacks
Username Enumeration
In the context of Active Directory security, enumeration and reconnaissance attacks are some of the most common techniques used by attackers to map and identify vulnerabilities in the environment. One of the most recurrent attacks in this category is user enumeration, which can be performed quite silently, without the need for prior authentication in Active Directory.
The Username Enumeration attack requires nothing more than network access to port 88 on a Domain Controller, the Kerberos authentication port on which AD exchanges tickets. Using tools such as Kerbrute, the attacker can send a wordlist of possible usernames to this port. The Kerberos protocol then attempts to validate these users and, depending on whether or not an account exists in the Key Distribution Center (KDC), returns a different error code.
If the user doesn’t exist in the directory, Kerberos returns error code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), indicating that the ticket was requested for a nonexistent user. This behavior is relatively rare and serves as a clear indication that the attacker is trying to identify valid users in the system, without performing failed login attempts that could trigger alerts.
The user enumeration attack often goes unnoticed because it does not generate login failures that standard monitoring systems would easily detect. To mitigate this risk, it is essential to enable auditing of Kerberos Authentication Service events on Domain Controllers, so that Event ID 4768 is recorded whenever a Kerberos authentication ticket is requested. Alerts can then be configured for ticket requests naming non-existent users, allowing security administrators to detect potential username enumeration attempts.
If multiple ticket requests with the error code 0x6 are made from a single IP address, this can be a strong indication that Active Directory is being targeted by a username enumeration attack. Detecting this type of behavior can help stop the attack before it evolves into a brute force attempt, password spraying, or even ASREPRoast, which are common techniques used in subsequent attacks.
LDAP Enumeration
Another very common reconnaissance and enumeration attack in Active Directory environments is enumeration via LDAP. This type of attack can be done with multiple tools and, in most cases, requires authentication. However, in some specific scenarios, such as when anonymous (guest) LDAP access is enabled, it is possible to enumerate the domain without credentials.
With LDAP, an attacker can query and map virtually the entire structure of Active Directory, including users, groups, OUs, permissions, ACLs, and other important objects. Once they have completed this enumeration, they already have a clear view of the environment and can plan the next steps of the attack, such as privilege escalation or lateral movement.
The main tools used for this type of attack are PowerView and BloodHound. PowerView is a PowerShell-based tool that queries the domain's LDAP directory. It can be run directly on a machine inside the environment or even from outside, if the attacker has valid credentials and access to ports 389 (LDAP) and 445 (SMB). Because it makes small queries one at a time, it can be more difficult to detect, since it blends in with normal traffic in the environment.
BloodHound, on the other hand, works differently. It has a graphical interface that makes it easy to analyze trust relationships within AD. It uses ingestors, which are scripts responsible for collecting data from the environment and sending it to the graphical interface. These ingestors can be executed both inside the domain and externally, as long as the attacker has access to ports 389 and 445. Because BloodHound collects a much larger volume of data in a short amount of time, it ends up being noisier and easier to detect.
Detecting LDAP enumeration can be challenging because any Domain Controller responds equally to these queries. In many environments, security focuses only on the main DCs, leaving some less monitored, such as a DC-06 or DC-08, which can become easier targets for this type of attack. Proper monitoring can identify suspicious LDAP queries, such as those that list SPNs or make large volumes of requests in sequence. A good example is the query (&(samAccountType=805306368)), which is often used to fetch service accounts in the environment. This type of behavior may indicate that an enumeration tool is being used in the domain.
Another important point in detection is the monitoring of Windows events. Event ID 5145 can help identify suspicious access to sensitive resources. In particular, named pipes on the IPC$ share, which appear in the event's Relative Target Name field as lsarpc, srvsvc, and samr, are routinely opened by enumeration tools; if a single IP or user is accessing many of these pipes in a short period of time, it is a strong indication that the environment is being mapped.
If an environment allows LDAP queries without authentication, this can make an attacker’s life even easier, as they can obtain information without needing credentials.
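The two detection ideas in this section (ticket requests for non-existent users from one address, and the lsarpc/samr/srvsvc pipe pattern in Event ID 5145) can be implemented with the same sliding-window logic. The code below is an added example, not part of the original article; the sample events are constructed, and their flattened JSON field names (time, id, ip, user, status, share, target) are an assumption, not a vendor schema.

```python
"""Added example (not from the original article): flag source IPs that show
Kerberos username enumeration (4768 with result 0x6) or named-pipe
enumeration over IPC$ (5145 against lsarpc, samr, srvsvc)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flattened JSON form, similar to what a SIEM
# exports. Field names are an assumption of this example, not a vendor schema.
SAMPLE_LINES = [
    # Normal user: one success, one wrong password, one mistyped username.
    r'{"time":"2025-01-10T09:00:01","id":4768,"ip":"10.0.0.5","user":"jdoe","status":"0x0"}',
    r'{"time":"2025-01-10T09:00:10","id":4768,"ip":"10.0.0.5","user":"jdoe","status":"0x18"}',
    r'{"time":"2025-01-10T09:00:20","id":4768,"ip":"10.0.0.5","user":"jdoe.","status":"0x6"}',
    # Wordlist replayed against the KDC: many unknown principals, one hit.
    r'{"time":"2025-01-10T09:01:00","id":4768,"ip":"10.0.0.77","user":"admin","status":"0x6"}',
    r'{"time":"2025-01-10T09:01:01","id":4768,"ip":"10.0.0.77","user":"administrator","status":"0x0"}',
    r'{"time":"2025-01-10T09:01:02","id":4768,"ip":"10.0.0.77","user":"backup","status":"0x6"}',
    r'{"time":"2025-01-10T09:01:03","id":4768,"ip":"10.0.0.77","user":"svc_sql","status":"0x6"}',
    r'{"time":"2025-01-10T09:01:04","id":4768,"ip":"10.0.0.77","user":"helpdesk","status":"0x6"}',
    r'{"time":"2025-01-10T09:01:05","id":4768,"ip":"10.0.0.77","user":"test","status":"0x6"}',
    r'{"time":"2025-01-10T09:01:06","id":4768,"ip":"10.0.0.77","user":"admin","status":"0x6"}',
    # IPC$ pipes opened in quick succession, the trace an enumeration tool leaves.
    r'{"time":"2025-01-10T09:05:00","id":5145,"ip":"10.0.0.42","user":"bob","share":"\\\\*\\IPC$","target":"srvsvc"}',
    r'{"time":"2025-01-10T09:05:01","id":5145,"ip":"10.0.0.42","user":"bob","share":"\\\\*\\IPC$","target":"samr"}',
    r'{"time":"2025-01-10T09:05:02","id":5145,"ip":"10.0.0.42","user":"bob","share":"\\\\*\\IPC$","target":"lsarpc"}',
    r'{"time":"2025-01-10T09:05:03","id":5145,"ip":"10.0.0.42","user":"bob","share":"\\\\*\\IPC$","target":"spoolss"}',
    # A workstation browsing shares: one srvsvc call and a file open.
    r'{"time":"2025-01-10T09:10:00","id":5145,"ip":"10.0.0.9","user":"alice","share":"\\\\*\\IPC$","target":"srvsvc"}',
    r'{"time":"2025-01-10T09:10:01","id":5145,"ip":"10.0.0.9","user":"alice","share":"\\\\*\\Docs","target":"q1\\report.docx"}',
]

ENUM_PIPES = {"lsarpc", "samr", "srvsvc"}   # named pipes the article lists
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"

def load_events(lines):
    events = []
    for line in lines:
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return events

def flag_sources(events, keep, field, threshold, window):
    """Return {ip: peak} for each source IP that produced at least `threshold`
    distinct values of `field` (among events accepted by `keep`) inside some
    sliding time window of length `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if keep(e):
            by_ip[e["ip"]].append((e["time"], e[field]))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        in_window, lo = Counter(), 0
        for t, value in items:
            in_window[value] += 1
            while t - items[lo][0] > window:       # expire old entries
                old = items[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged

def detect_kerberos_enum(events, threshold=5, window=timedelta(minutes=5)):
    """Many different unknown principals (0x6) from one IP: a wordlist, not typos."""
    return flag_sources(
        events,
        lambda e: e["id"] == 4768 and e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN,
        "user", threshold, window)

def detect_pipe_enum(events, threshold=3, window=timedelta(minutes=5)):
    """lsarpc, samr and srvsvc all opened over IPC$ from one IP in a short span."""
    return flag_sources(
        events,
        lambda e: e["id"] == 5145 and e["share"].endswith("IPC$")
        and e["target"].lower() in ENUM_PIPES,
        "target", threshold, window)
```

Event ID 5145 is only written when the "Detailed File Share" audit subcategory is on and it is high-volume, so filter to the IPC$ share at collection time; counting distinct usernames rather than raw 0x6 events keeps a user who mistypes their own name from tripping the Kerberos rule.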
Credential Attacks
Password Spray
In Active Directory environments, one of the most common attacks against credentials is Password Spraying. Unlike Brute Force, which tries multiple passwords against a single user until it finds the right one, Password Spraying takes a more subtle and effective approach: instead of testing multiple passwords for a single user, the attacker chooses one or a few passwords and tests them against a wide list of users.
This technique has one major advantage over conventional attacks: it drastically minimizes the risk of automatic blocks. Most AD security policies lock accounts after a few failed attempts in a row, making a brute force attack easier to detect. In Password Spraying, because each user receives only one password attempt per round, locks are rarely triggered, making it difficult to detect.
The attack becomes even more efficient when the attacker has already performed reconnaissance of the environment. If they were able to enumerate valid users, whether via unauthenticated Kerberos, PowerView, or BloodHound, they can test weak or predictable passwords with a high chance of success. Many organizations still use predictable password patterns, such as Empresa@2025, Password123, Welcome2025, and similar variations. Because many users follow this practice, this type of attack often results in valid access.
Once the attacker obtains legitimate credentials, the scenario changes completely. Now they can perform lateral movement, escalate privileges, and access internal resources without arousing suspicion. Password Spraying is a widely used technique precisely because of its simplicity and efficiency, making it essential for companies to adopt robust password policies and continuous monitoring to mitigate the risk.
In several pentests we have performed, it is not uncommon to find accounts, including administrative ones, protected by weak passwords that are easily compromised through this technique. Often, privileged credentials end up being exploited precisely because they follow a predictable pattern, representing a critical risk to the security of the environment.
Detecting this type of attack requires active monitoring of authentication logs. One of the most obvious signs of Password Spraying is multiple login failures across different accounts, all from the same IP. Unlike Brute Force, where a single account can be quickly locked out, Password Spraying spreads login attempts discreetly, easily bypassing conventional lockout policies.
To minimize this risk, implementing strong password policies is essential. Passwords must be at least 12 characters long, combining uppercase, lowercase, numbers, and special characters. In addition, it is essential to block the use of predictable patterns, such as Empresa@2025 or Password123.
User awareness is another critical factor. Periodic training on good security practices, combined with the use of password vaults for secure storage of credentials, significantly reduces exposure to attack. Without a security-oriented organizational culture, tools and monitoring alone are not enough to protect the environment. Password Spraying remains one of the most exploited gateways by attackers, and only a proactive and strategic approach can mitigate this threat effectively.
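The distinction the section draws, many accounts failing once each from one address versus one account failing many times, can be turned directly into a classifier over logon-failure events. This is an added example, not code from the original article; the failure events are constructed and the field names (id, ip, user) are an assumption.

```python
"""Added example (not from the original article): telling Password Spraying
apart from Brute Force in authentication failures, using the shape the article
describes: many accounts, few attempts each, one source IP."""
from collections import defaultdict

# Constructed failure events (4625 logon failure / 4771 Kerberos pre-auth failure).
# Field names are an assumption of this example.
SAMPLE_FAILURES = [
    # One password tried once against eight accounts: stays under the lockout threshold.
    *[{"id": 4771, "ip": "10.0.0.77", "user": u} for u in
      ("jdoe", "asmith", "svc_sql", "helpdesk", "mlopes", "rcosta", "backup", "administrator")],
    # The same account hammered repeatedly: the pattern that trips lockout.
    *[{"id": 4625, "ip": "10.0.0.88", "user": "jdoe"} for _ in range(6)],
    # A user who mistyped their password twice.
    {"id": 4625, "ip": "10.0.0.5", "user": "jdoe"},
    {"id": 4625, "ip": "10.0.0.5", "user": "jdoe"},
]

FAILURE_EVENT_IDS = {4625, 4771}

def failure_profile(events):
    """Per source IP: total failures, distinct accounts, and the most attempts
    any single account received."""
    per_ip_user = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["id"] in FAILURE_EVENT_IDS:
            per_ip_user[e["ip"]][e["user"].lower()] += 1
    profile = {}
    for ip, users in per_ip_user.items():
        profile[ip] = {
            "attempts": sum(users.values()),
            "accounts": len(users),
            "max_per_account": max(users.values()),
        }
    return profile

def classify(events, lockout_threshold=5, spray_min_accounts=5):
    """'brute_force' when one account crosses the lockout threshold;
    'password_spray' when many accounts each fail only a few times (all below
    the threshold, so no lockout fires); otherwise 'normal'."""
    labels = {}
    for ip, p in failure_profile(events).items():
        if p["max_per_account"] >= lockout_threshold:
            labels[ip] = "brute_force"
        elif p["accounts"] >= spray_min_accounts:
            labels[ip] = "password_spray"
        else:
            labels[ip] = "normal"
    return labels
```

A spray routed through many source addresses defeats a per-IP count; for that case, correlate by time instead (one round of the attack hits many accounts within minutes, each exactly once).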
Kerberoasting
Kerberoasting is one of the preferred techniques for attackers exploiting Active Directory environments. This attack targets service accounts, which often have administrative privileges or are responsible for critical processes within the network. To perform it, the attacker first needs a valid account in the domain, that is, they must already be authenticated in the environment.
In Active Directory, any authenticated user can request a Ticket Granting Service (TGS) ticket to access a specific service registered with a Service Principal Name (SPN). The SPN is an identifier that links a specific service to an account in AD, allowing applications and systems to use Kerberos authentication. The problem is that this TGS is encrypted using the hash of the password of the service account associated with the SPN. This means that if the password is weak, the attacker can take the ticket offline and crack it to recover the password.
The great advantage of Kerberoasting for an attacker is that the brute force runs offline, testing thousands or millions of password combinations without the risk of account lockouts. To do this, they can use tools such as Rubeus and GetUserSPNs.py from the Impacket suite, which enumerate service accounts with an SPN and request the tickets needed for the attack. The process can be performed either on the attacker's own machine or on any other authenticated station in the domain.
In several pentests, we compromised service accounts that were part of administrative groups, giving us privileged access to the environment. This is because many of these accounts use weak passwords or have never been changed, making them easy targets. The best defense against Kerberoasting is to ensure that service accounts have complex and unique passwords, securely stored in password vaults. In addition, it is recommended to implement Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA), which automatically manage passwords and reduce the risk of compromise.
Another very effective approach to detect Kerberoasting attempts is to create a fake SPN as a honeypot. This SPN is not tied to any actual service, meaning there is no legitimate reason for a TGS to be requested for it. If an attacker attempts to retrieve a ticket for this fake SPN, it may indicate malicious behavior and that the user account used for the request is already compromised. This type of detection allows for a quick response, making it possible to investigate the suspicious account before the attack escalates.
Kerberoasting remains one of the most effective ways to escalate privileges within a domain, and its mitigation requires not only good password practices, but also continuous monitoring of suspicious TGS requests and alerts about the use of known tools for this type of attack. Environments that do not take these precautions remain vulnerable, allowing attackers to escalate privileges and compromise the entire infrastructure.
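The honeypot SPN described above, together with the "suspicious TGS requests" the section asks to monitor, can be checked against Event ID 4769 records. This is an added example, not code from the original article: the 4769 events and the honeypot account name svc_honeypot are constructed, and the field names (user, ip, service, etype) are an assumption.

```python
"""Added example (not from the original article): alerting on TGS requests
(Event ID 4769) that name a honeypot SPN, and on one account pulling RC4
tickets for many services in a short span."""
from collections import defaultdict

RC4_HMAC = "0x17"   # 4769 TicketEncryptionType for RC4; AES256 is 0x12
# Constructed honeypot service account: it carries an SPN but no service runs.
HONEYPOT_ACCOUNTS = {"svc_honeypot"}

# Constructed 4769 events from one short query window (say the last 10 minutes).
# Field names are an assumption of this example.
SAMPLE_TGS = [
    {"user": "alice", "ip": "10.0.0.5", "service": "FS01$", "etype": "0x12"},
    {"user": "bob", "ip": "10.0.0.77", "service": "svc_sql", "etype": RC4_HMAC},
    {"user": "bob", "ip": "10.0.0.77", "service": "svc_web", "etype": RC4_HMAC},
    {"user": "bob", "ip": "10.0.0.77", "service": "svc_backup", "etype": RC4_HMAC},
    {"user": "bob", "ip": "10.0.0.77", "service": "svc_honeypot", "etype": RC4_HMAC},
    {"user": "carol", "ip": "10.0.0.9", "service": "svc_legacy", "etype": RC4_HMAC},
]

def detect_kerberoasting(events, honeypots=HONEYPOT_ACCOUNTS, burst_threshold=3):
    """Return (kind, requesting account, detail) alerts."""
    alerts = []
    rc4_services = defaultdict(set)
    for e in events:
        svc = e["service"].lower()
        if svc in honeypots:
            # Nothing legitimate asks for this SPN, so the requesting account,
            # not the service, is what to investigate.
            alerts.append(("honeypot_spn", e["user"], svc))
        # Computer accounts (name ends in "$") have long random passwords that
        # rotate automatically, so they are left out of the RC4 count.
        if e["etype"] == RC4_HMAC and not svc.endswith("$"):
            rc4_services[e["user"]].add(svc)
    for user, services in rc4_services.items():
        if len(services) >= burst_threshold:
            alerts.append(("rc4_tgs_burst", user, sorted(services)))
    return alerts
```

The RC4 burst is a heuristic only: legacy applications and accounts restricted to RC4 produce such tickets legitimately, and tools can request AES tickets, so the honeypot hit is the high-confidence signal and the burst is the lead to triage.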
AS-REP Roasting
AS-REP Roasting is an attack technique widely used in Active Directory environments to obtain credentials, and its main advantage is that the attacker does not need to be authenticated in the domain to perform it. The attack exploits a flaw in the Kerberos configuration, specifically in user accounts that have the “Do not require Kerberos preauthentication” option enabled. This option allows anyone to request an Authentication Service Response (AS-REP) without the need for prior authentication.
When this setting is enabled for a user, the attacker is able to request an AS-REP for the account in question. Part of that response is encrypted with the hash of the user's password, which means that once obtained, the attacker can perform an offline brute force attack, attempting to crack the password hash. This process is very similar to Kerberoasting, but with one difference: while Kerberoasting requires the attacker to have an account in the domain, in AS-REP Roasting the attacker can exploit the weakness without being authenticated, making it more accessible and harder to detect at first.
Although Kerberos preauthentication is the default setting for all accounts in Active Directory, there are some situations in which it is disabled, usually for compatibility reasons with legacy systems or with services that do not support the preauthentication mechanism. In some cases, administrators can disable this setting to circumvent problems with old applications or custom systems, which opens a loophole for this type of attack. Another scenario that facilitates the exploitation of this attack is inherited or neglected configurations, where some accounts have pre-authentication disabled without this being noticed.
To mitigate the risks of AS-REP Roasting, it is critical to ensure that the Kerberos pre-authentication option is enabled for all user accounts in the environment, especially for administrative and service accounts. In addition, it is essential to proactively monitor AS-REP requests, investigating attempts to obtain tickets from accounts that should not be involved in this process. Another important point is the use of strong and complex passwords, which makes it difficult to crack the hashes obtained during the attack. Privileged accounts should never have pre-authentication disabled.
Elevation of Privilege Attacks
One of the biggest reasons for elevation of privilege within an Active Directory environment is the excess of permissions granted to user accounts, often without the administrator’s awareness. In some cases, a user may be added to a group with more privileges than necessary, just to make it easier for them to access a specific feature or service. This creates a point of vulnerability, as an attacker who compromises this account could exploit these privileges to escalate their permission within the network.
The risk is even greater when permissions are assigned without a careful assessment of the actual needs of each account. The principle of least privilege, granting only the minimum permissions a user needs to perform their tasks, is often not strictly followed, resulting in an exponential increase in access rights. Without proper identity and access management control, the environment becomes a fertile field for escalating privileges in an undetectable way.
Another critical aspect to privilege escalation in Active Directory is privilege delegation settings. There are different types of delegation, such as Unconstrained Delegation, Constrained Delegation, and Resource-Based Delegation.
Unconstrained delegation, for example, allows a server to assume a user’s identity on any other server, which can be exploited by attackers to improperly access services and resources. Constrained delegation is more secure because it limits the services to which a server can delegate credentials, but still, if misconfigured, it can be a gateway for elevation of privilege. Resource-based delegation, on the other hand, allows control over delegation to be more fine-grained, but it can also be misconfigured, creating security holes.
To mitigate these risks, it is critical to conduct an ongoing audit of granted permissions and delegation settings within Active Directory. As a specialized security company, iT.eam can perform a security assessment to identify and correct these flaws, ensuring that only the necessary permissions are assigned, and that the delegation of privileges is configured securely.
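The audit this section and the AS-REP Roasting section call for (accounts with pre-authentication disabled, and accounts configured for unconstrained, constrained or resource-based delegation) comes down to reading a few attributes on each directory object. The code below is an added example, not code from the original article or from iT.eam: the directory records are constructed, and msDS-AllowedToActOnBehalfOfOtherIdentity, which is really a security descriptor, is simplified here to the list of principals it grants.

```python
"""Added example (not from the original article): auditing directory objects
for the two weaknesses described above, Kerberos pre-authentication disabled
(AS-REP Roasting) and risky delegation settings."""

# userAccountControl bits (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # "Do not require Kerberos preauthentication"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation, "use any protocol"

# The same pre-auth check as an LDAP filter, using the bitwise-AND matching rule:
#   (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}

# Constructed records shaped like LDAP attributes (names, DNs and values are
# made up for this example).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200, "memberOf": []},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200, "memberOf": []},
    {"sAMAccountName": "backup_admin", "userAccountControl": 0x400200,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202, "memberOf": []},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x81000, "memberOf": []},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "memberOf": []},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200, "memberOf": [],
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1000, "memberOf": [],
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["APP01$"]},
]

def is_privileged(obj):
    """True when the leading RDN of any memberOf DN names a privileged group."""
    for dn in obj.get("memberOf", []):
        rdn = dn.split(",", 1)[0]
        if rdn.lower().startswith("cn=") and rdn[3:].lower() in PRIVILEGED_GROUPS:
            return True
    return False

def audit(objects):
    """Return (account, issue, severity) findings in directory order."""
    findings = []
    for o in objects:
        name, uac = o["sAMAccountName"], o["userAccountControl"]
        if uac & DONT_REQ_PREAUTH:
            if uac & ACCOUNTDISABLE:
                sev = "low"      # still fix it: re-enabling the account revives the exposure
            elif is_privileged(o):
                sev = "high"     # privileged accounts must never have pre-auth disabled
            else:
                sev = "medium"
            findings.append((name, "preauth_disabled", sev))
        # Unconstrained delegation is expected on DCs and a red flag anywhere else.
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append((name, "unconstrained_delegation", "high"))
        if o.get("msDS-AllowedToDelegateTo"):
            if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
                # Protocol transition lets the account impersonate users without
                # holding their tickets, so it needs closer review than plain constrained.
                findings.append((name, "constrained_delegation_protocol_transition", "medium"))
            else:
                findings.append((name, "constrained_delegation", "low"))
        if o.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            findings.append((name, "resource_based_delegation", "review"))
    return findings
```

Every preauth_disabled finding is closed the same way, by clearing the flag on the account (in PowerShell, Set-ADAccountControl with -DoesNotRequirePreAuth $false); the delegation findings need a review of whether each delegation is still required.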
Persistence and Lateral Movement
DCSync Attack
Within the persistence techniques in Active Directory, the DCSync attack is one of the most common and effective. This attack allows the attacker to obtain the credential hashes of all users and machines in the domain, providing complete access to the network. For the attack to be successful, the attacker must have compromised an account with domain replication privileges. By default, Domain Admin and Domain Controller accounts already have this privilege, but in some cases, other accounts or groups may gain elevated permissions due to misconfigurations or privilege management failures.
Once the attacker has these permissions, they emulate a Domain Controller and request Active Directory replication. The legitimate Domain Controller then sends the attacker a copy of the directory data held in the NTDS.dit database, as if the attacker were a legitimate controller. NTDS.dit is the primary database that contains all Active Directory authentication information, including credential hashes. With access to this data, the attacker can extract all stored credentials and use them to perform Pass-the-Hash attacks or even create a Golden Ticket, using the hash of the krbtgt account (covered in the Golden Ticket section below).
To detect this type of attack, it is important to monitor Event ID 4662, which records operations performed on Active Directory objects. This event includes replication requests and can be configured to alert on suspicious activity involving domain replication. By looking for replication-related strings, such as "DS-Replication-Get-Changes" or "DS-Replication-Get-Changes-All", you can identify when an unauthorized account is attempting a DCSync. In addition, the GUIDs of the replication rights, which appear in the Properties field of the event, can be monitored: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 and 89e95b76-444d-4c62-991a-0facbeda640c are the unique identifiers of domain replication rights in Active Directory.
Continuous monitoring of these events and GUIDs can help detect DCSync attempts made by unauthorized accounts, allowing corrective actions to be taken quickly to mitigate the risk of total environment compromise. Implementing an effective monitoring strategy, along with a regular review of replication permissions, is the measure that protects Active Directory from this type of attack.
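The GUID check described above, combined with an allow-list of the accounts and hosts that replicate legitimately, is enough to turn Event ID 4662 into a DCSync alert. This is an added example, not code from the original article: the 4662 events, the DC names, the addresses and the MSOL_ sync account name are constructed, and the field names (user, ip, properties) are an assumption. The first GUID below, DS-Replication-Get-Changes, is not listed in the article but is the standard identifier of the companion right.

```python
"""Added example (not from the original article): spotting DCSync in Event ID
4662 from the replication control-access GUIDs in its Properties field, while
excluding the accounts and hosts that replicate legitimately."""
import re

# Replication-right GUIDs. The article lists the last two; the first is the
# companion right DS-Replication-Get-Changes that a DCSync also needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Accounts expected to replicate and the addresses they do it from (constructed):
# the DCs' own computer accounts and a directory-sync service account (MSOL_ is
# the prefix Entra ID / Azure AD Connect uses). A trailing "_" means prefix match.
EXPECTED_REPLICATORS = {"DC01$": {"10.0.0.1"}, "DC02$": {"10.0.0.2"}, "MSOL_": {"10.0.0.30"}}

# Constructed 4662 events; "properties" keeps the event field's raw text.
SAMPLE_4662 = [
    {"user": "DC02$", "ip": "10.0.0.2",
     "properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"user": "MSOL_a1b2c3d4e5f6", "ip": "10.0.0.30",
     "properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"user": "jdoe", "ip": "10.0.0.77",
     "properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # The sync account is legitimate, but not when used from a workstation address.
    {"user": "MSOL_a1b2c3d4e5f6", "ip": "10.0.0.77",
     "properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated attribute write; this GUID is a constructed placeholder.
    {"user": "alice", "ip": "10.0.0.5",
     "properties": "Write Property\n\t{ffffffff-ffff-ffff-ffff-ffffffffffff}"},
]

def replication_rights(properties):
    """Names of the replication rights whose GUIDs appear in a Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]

def is_expected(user, ip, expected=EXPECTED_REPLICATORS):
    """True only when both the account and the source address are on the list."""
    u = user.upper()
    for name, ips in expected.items():
        n = name.upper()
        if u == n or (n.endswith("_") and u.startswith(n)):
            return ip in ips
    return False

def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """One alert per 4662 event that exercises a replication right from an
    account/address pair that is not expected to replicate."""
    alerts = []
    for e in events:
        rights = replication_rights(e["properties"])
        if rights and not is_expected(e["user"], e["ip"], expected):
            alerts.append({"user": e["user"], "ip": e["ip"], "rights": rights})
    return alerts
```

Keying the allow-list on account and address together matters: a compromised sync account replicating from the wrong host is exactly the case a name-only allow-list would hide.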
Pass-the-Hash (PtH)
Pass-the-Hash (PtH) is a technique widely used by attackers to interact with services and protocols using the user's NTLM hash instead of the clear-text password. This hash can be extracted in several ways, including DCSync (discussed above), dumping the memory of the LSASS process, or extracting the SAM (Security Account Manager) and SYSTEM registry hives, among other approaches.
With the NTLM hash in hand, the attacker can perform various malicious actions in the compromised environment. One of the most common is the execution of commands on remote machines using tools such as PsExec, which allows the attacker to execute commands on the target system without having to know the password. Similarly, the attacker can use Windows Remote Management (WinRM) to interact with the remote administration service, execute commands on the system, and even use Windows Management Instrumentation (WMI) to obtain system information or control other processes.
In addition, the attacker can also authenticate to RDP (Remote Desktop Protocol) sessions using NTLM hashing, gaining full access to the target machine without ever needing to know the user’s actual password. This makes Pass-the-Hash a very powerful attack, as it allows the attacker to compromise systems and perform actions that would normally require legitimate authentication.
In short, Pass-the-Hash makes it possible for the attacker to perform almost all the operations that a user with the clear-text password could perform.
Golden Ticket
The Golden Ticket attack is widely known for its high impact on an Active Directory environment. This attack becomes possible after executing the DCSync attack and extracting the hash of the krbtgt account, which is the account responsible for signing the Kerberos tickets in the domain. Once the attacker obtains the hash of this account, they are able to create and sign any ticket in the domain, and that ticket will be validated and accepted by the highest authority in Active Directory, the domain controller itself.
With Golden Ticket, the attacker can generate Kerberos tickets that can have a validity of up to 10 years or more. This demonstrates the power of this technique, because once the ticket is created, the attacker can use it for years, regardless of changes to the user’s password or other associated credentials. This type of attack can ensure almost permanent access to the environment, giving the attacker continuous control over systems.
One of the most dangerous features of Golden Ticket is the attacker’s ability to customize all ticket parameters. This includes setting information such as ticket duration, but also allows for the manipulation of security identifiers. For example, an attacker can create a ticket that gives the user a higher level of privilege, such as making them an administrator, even if that account did not originally have administrator privileges. This means that, within the scope of the Golden Ticket, the attacker can act as if they were an administrator, without the real account having this privilege.
Mitigating this attack involves essential security practices, with periodic rotation of the krbtgt account password being the most important measure. When you change this password, the key used to sign tickets changes, making previously generated Golden Tickets unusable. Because the KDC still accepts tickets encrypted with the previous krbtgt key, the password must be changed twice, with enough time between the changes for replication to complete, before old Golden Tickets stop working.
Pass-the-Ticket (PtT)
The Pass-the-Ticket (PtT) attack is a technique similar to Pass-the-Hash, but instead of using the user’s NTLM hash, the attacker uses a valid Kerberos ticket to authenticate to services on behalf of that user, without the need to know their password. This technique is particularly dangerous because it allows the attacker to authenticate and interact with systems and services as if they were the user themselves, taking advantage of the trust that the Kerberos protocol provides.
Tools such as Rubeus are commonly used for this type of attack, as they allow the attacker to export all authentication tickets stored on the compromised machine, even if these tickets belong to other users. With this, the attacker can capture valid tickets and reuse them to authenticate to different services within the domain, facilitating lateral movement in the network without raising suspicion.
Active Directory Hardening and Defense Strategies
One of the first actions should be to add critical accounts to the "Protected Users" group. This prevents these accounts from using old authentication methods such as NTLM and legacy Kerberos encryption types, making them more resistant to attacks such as Pass-the-Hash.
Another important measure is to isolate administrative workstations. This helps ensure that these machines, which have elevated privileges, do not share the network with more vulnerable devices, which reduces the chances of a larger-scale compromise.
Constant monitoring and detailed logging are vital to identify suspicious activity quickly. Setting up alerts for anomalous behavior can be an efficient way to detect threats and enable an immediate response. In addition, implementing a tiering strategy, which classifies users and devices according to privilege level, is also essential. This restricts access to the most critical resources and isolates sensitive areas from the rest of the network.
Using SIEM solutions for real-time data analysis and correlation makes it easier to spot unusual patterns and malicious activity. Deception strategies such as honeypots are also effective, as they lure attackers into controlled environments where their actions can be observed and neutralized.
Another crucial measure is the implementation of LAPS (Local Administrator Password Solution), which manages the passwords of local administrators, avoiding the use of weak or reused passwords, common in many environments.
Finally, ensuring that patches and updates are applied regularly is a key step in fixing known vulnerabilities and preventing flaws from being exploited.
How to Assess the Security of Your Active Directory
Assessing AD security is one of the most important steps in protecting a company’s digital assets. Performing penetration testing (Pentest) in AD offers an effective way to identify flaws before an attacker can exploit them. Pentests emulate real attacks, allowing you to assess how the system responds to threats and providing valuable insights into potential vulnerabilities.
In addition, it is important to take a continuous approach to security assessment, as threats are constantly evolving. Implementing a routine of regular testing, updates, and constant monitoring of AD allows you to quickly detect suspicious behavior and fix failures before an attack happens. In an enterprise environment, real-world AD compromise cases show how vulnerabilities, often unnoticed, can be exploited to gain unfettered access to sensitive information and critical systems.
How Our Pentest Solution Can Help
Our Pentest solution is designed to provide a complete diagnosis of vulnerabilities in your Active Directory. With a technical and detailed approach, we perform an emulation of real attacks to validate the effectiveness of your defenses, identifying loopholes that can be exploited by attackers.
In addition, our reports are customized and offer practical and straightforward recommendations for risk mitigation, with actions that can be implemented immediately to improve the security of your AD. We also offer consulting to implement good practices and a customized hardening process, adjusting security settings according to the needs and particularities of your environment.
Conclusion
Active Directory security is essential for protecting a company’s digital infrastructure. AD is a central point for access control and the integrity of systems, and is therefore a prime target for attackers. Conducting continuous testing and applying appropriate security measures are key to preventing sophisticated attacks that can compromise critical data. To ensure your business is well protected, contact us and schedule a detailed assessment of your Active Directory security. We’re ready to help strengthen the security of your infrastructure!
iT.eam Copyright 2024 - All rights reserved.