Blue Teaming

7 min read

How Active Directory (AD) attacks have evolved—and what that means for blue teamers

Explore 25 years of Active Directory attacks—from PtH to ransomware—and learn how defenders can harden networks, stop lateral movement, and prepare with hands-on training.


HTB-Bot,
Jul 02
2025

In 1999, Microsoft debuted Active Directory (AD), a system for storing and supplying directory data to devices on networks. AD organizes users’ devices into forests and domains, and stores user information related to usernames, passwords, phone numbers, and more. Bad actors can often retry their attacks against AD with little consequence. Today, about 90% of Fortune 1000 companies rely on Active Directory.

An attacker who gets access to a high-privileged AD account gains the “keys to the kingdom”, with access to nearly everything on the network. Renamed to Active Directory Domain Services (AD DS) in 2020, the service is believed to be responsible for 80% of security exposures, according to a Cyber Express report for 2024. Many of these are due to misconfigurations that leave AD assets open to attack.

Since 1999, attackers have found a variety of ways to break into AD networks. It’s hard to nail down specific dates, but they roughly fall into the system’s early days (starting with its release in 1999), the post-Mimikatz era (Mimikatz was released in 2007), and the present security trends (including the late 2010s and early 2020s).

The Early ‘00s: Classic AD attacks

AD networks have carried some form of risk since the beginning of the system’s 25-year history. Some of the earliest attacks against AD systems include Pass-the-Hash (PtH) attacks, Kerberoasting, and NTLM relay attacks.

Try this HTB Academy module on NTLM Relay Attacks ✨

These attacks exploited weaknesses in default configurations and weak passwords. Although Microsoft has addressed these issues, some organizations continue to use outdated protocol versions such as NTLMv1 (formally deprecated in 2024), which predates AD and was replaced with NTLMv2 in 1998.

It’s also worth noting that humans are still one of the weakest links in the security chain. Even without misconfigurations, a user setting a weak, guessable password or falling prey to a phishing scam still gives an attacker the foothold they need to probe deeper into the network.

Mid-2000s: Advanced tactics and Lateral Movement

Sometimes, a bad actor gets access to a user account that doesn’t have any useful permissions, but that reveals ways to reach a similarly privileged account that could have more luck. This is lateral movement, and it's a key technique for moving through a network. There are a variety of tools for lateral movement, but three of the most common are:

  • Mimikatz: After gaining initial access, many AD DS threat actors turn to Mimikatz. Originally released in 2007, it’s a tool for extracting plaintext passwords from memory, passing hashes, and creating “Golden” tickets for Kerberos. Getting access to more credentials is step 1 for lateral movement, so it quickly became an indispensable tool, and is still used widely today.

  • Golden Tickets: If an attacker is able to get access to the “KRBTGT” account through Kerberoasting, they may gain the ability to make Ticket-Granting Tickets (TGTs), called “golden” tickets because they let the holder mint their own Kerberos service tickets, effectively giving access to any AD account.

  • BloodHound: When an actor can combine the extra access from either a Golden Ticket or a Mimikatz memory dump with the 2016 network-mapping tool BloodHound, their lateral movement efforts can really take off. BloodHound creates a wireframe map of the network, and has tools to search for objects within AD, such as administrative accounts.

Learn BloodHound for AD Mapping 🗺️

These attacks are, again, often bolstered by AD misconfigurations or other insecure networking practices. If accounts are configured with Unconstrained Delegation, an attacker’s compromised Kerberos account can impersonate any other account.

If the default “AdminSDHolder” template account isn’t protected properly, an attacker could stamp those permissions into a new Administrative account.
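The two misconfigurations just described can both be audited from directory data. The script below is an added example, not code from the original post or from Hack The Box: it reads a set of constructed directory objects (hypothetical domain "EXAMPLE", hypothetical account names) in the shape an LDAP query would return, flags non-domain-controller accounts that carry the unconstrained-delegation bit in userAccountControl, lists accounts with protocol-transition delegation for review, and diffs the AdminSDHolder ACL against an approved baseline. The baseline ACEs are a simplified constructed set, not Microsoft's full default DACL.

```python
"""Audit two AD misconfigurations: unconstrained delegation and unexpected
entries on the AdminSDHolder ACL. Added example; the records below are
constructed and would normally come from an LDAP query (e.g. with ldap3)."""

# Documented userAccountControl bit flags.
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controller computer accounts
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed directory objects (hypothetical domain "EXAMPLE"; not real data).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_sql",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT},
]


def find_unconstrained_delegation(objects):
    """Return names of accounts with unconstrained delegation that are not
    domain controllers. DCs carry the flag by design; any other account holding
    it can impersonate every user that authenticates to it, so it is a finding."""
    findings = []
    for obj in objects:
        uac = obj["userAccountControl"]
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            findings.append(obj["sAMAccountName"])
    return sorted(findings)


def find_protocol_transition(objects):
    """Constrained delegation with protocol transition is narrower than
    unconstrained delegation but still worth a review: the account can obtain
    service tickets for its allowed targets on behalf of arbitrary users.
    Returns (account name, allowed targets) pairs."""
    return [
        (obj["sAMAccountName"], tuple(obj.get("msDS-AllowedToDelegateTo", [])))
        for obj in objects
        if obj["userAccountControl"] & UF_TRUSTED_TO_AUTH_FOR_DELEGATION
    ]


# Approved ACL for CN=AdminSDHolder,CN=System,<domain>. SDProp copies this DACL
# onto protected (adminCount=1) accounts every 60 minutes by default, so one
# extra ACE here becomes persistent admin-level access. Simplified constructed
# (trustee, right) pairs; not Microsoft's full default DACL.
ADMINSDHOLDER_BASELINE = {
    ("EXAMPLE\\Domain Admins", "GenericAll"),
    ("EXAMPLE\\Enterprise Admins", "GenericAll"),
    ("BUILTIN\\Administrators", "GenericAll"),
    ("NT AUTHORITY\\SYSTEM", "GenericAll"),
    ("NT AUTHORITY\\Authenticated Users", "ReadProperty"),
}

# Constructed "current" ACL as it might be read back from the directory,
# with one ACE that is not in the baseline.
CURRENT_ADMINSDHOLDER_ACL = ADMINSDHOLDER_BASELINE | {("EXAMPLE\\helpdesk", "GenericAll")}


def unexpected_adminsdholder_aces(current, baseline):
    """Return ACEs on AdminSDHolder that are not in the approved baseline."""
    return sorted(current - baseline)


if __name__ == "__main__":
    print("Unconstrained delegation (non-DC):", find_unconstrained_delegation(SAMPLE_OBJECTS))
    print("Protocol transition:", find_protocol_transition(SAMPLE_OBJECTS))
    print("Unexpected AdminSDHolder ACEs:",
          unexpected_adminsdholder_aces(CURRENT_ADMINSDHOLDER_ACL, ADMINSDHOLDER_BASELINE))
```

Run against real data, the same three functions work on objects fetched with an LDAP filter on userAccountControl and on the security descriptor of the AdminSDHolder object; the point of the baseline diff is that SDProp will keep re-applying any rogue ACE until it is removed at the source, so the ACL itself has to be reviewed rather than the individual admin accounts.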

Get into AD Trust Attacks on HTB Academy 🧠

Late 2010s to Now: “Living off the land”, Stealth Attacks, and Ransomware

As networks have become more complex, the attacks that can be used against AD DS have also become more sophisticated. Threat actors can use a company’s own software against it, ransom network owners, and evade detection by exploiting cloud environments.

  • Living Off the Land (LOTL): Once inside a user’s device, threat actors may try to use software, tools, and binaries already installed on the device. This includes things like the PowerShell automation shell, AD Explorer, DCSync (a tool for syncing Domain Controllers) and DCPromo (a tool for adding and removing Domain Controllers). Not every user requires access to these tools, but if they aren’t disabled, they can leave the host vulnerable.

  • Ransomware attacks: The 2021 Colonial Pipeline attack gained access through a disabled AD account, and the LockBit ransomware that spread in 2022 also exploited AD weaknesses. AD seems a natural target for these types of attackers, as gaining Admin access gives a hacker a lot of power to shut companies out of their systems or spread malware.

  • Azure AD Attacks: Azure AD is Microsoft’s Cloud-based AD solution, and it is no less susceptible to misconfigurations than its on-premises counterpart. Even with the latest technology, Azure AD networks are still vulnerable to PtH, MITM, and Brute-force attacks, and users remain vulnerable to phishing and social engineering.

Understand LDAP in depth 🔍

Today: How AD Attacks inform blue team strategy 

Many of the early techniques are still a hacker’s first steps into an AD network. Understanding and configuring a network to be resilient against PtH or Kerberoasting attacks may not guarantee that the network never gets hacked, but those steps can stop some bad actors from getting a foothold in the network.

There are also a lot of ways networks can protect themselves. Configuring and requiring Multi-Factor Authentication (MFA) adds an extra layer of protection, even if an attacker can get a credential pair. Logging and monitoring, Security Information and Event Management (SIEM) tools, and following a technical framework like MITRE ATT&CK give you a sense of the attack chain and how to break it.
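Two of the techniques named on this page, DCSync-style replication in the living-off-the-land bullet and Kerberoasting in the paragraph above, leave distinctive traces in the Windows Security log that a SIEM rule can pick up. The following is an added example, not code from the original post or from Hack The Box: it runs two detections over constructed event records shaped like the fields Event ID 4662 (directory object access) and Event ID 4769 (Kerberos service ticket request) carry. The domain name, account names and the `svc_adsync` replication allowlist entry are hypothetical; the replication-right GUIDs and the RC4 encryption type value are Microsoft's documented values.

```python
"""SIEM-style detections for DCSync-style replication (Event ID 4662) and
Kerberoasting-style ticket requests (Event ID 4769). Added example; the events
are hand-written samples, not a real log capture."""

from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that directory replication requires (documented values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Accounts expected to replicate: DC machine accounts plus any sync service
# account (hypothetical names for the example domain).
DC_ACCOUNTS = {"DC01$", "DC02$"}
REPLICATION_ALLOWLIST = {"EXAMPLE\\svc_adsync"}

RC4_HMAC = 0x17   # TicketEncryptionType for RC4; AES256 is 0x12
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000001"  # stands in for an ordinary property

# Constructed events (hypothetical domain EXAMPLE; no real data).
SAMPLE_EVENTS = [
    {"EventID": 4662, "Time": "2025-07-02T09:00:01", "SubjectUserName": "DC02$",
     "ObjectType": "domainDNS", "Properties": list(REPLICATION_RIGHTS)},
    {"EventID": 4662, "Time": "2025-07-02T09:05:12", "SubjectUserName": "EXAMPLE\\svc_adsync",
     "ObjectType": "domainDNS", "Properties": list(REPLICATION_RIGHTS)},
    {"EventID": 4662, "Time": "2025-07-02T09:07:40", "SubjectUserName": "EXAMPLE\\bob",
     "ObjectType": "domainDNS", "Properties": list(REPLICATION_RIGHTS)},
    {"EventID": 4662, "Time": "2025-07-02T09:08:00", "SubjectUserName": "EXAMPLE\\bob",
     "ObjectType": "user", "Properties": [PLACEHOLDER_GUID]},   # ordinary read, not replication
    {"EventID": 4769, "Time": "2025-07-02T10:00:00", "TargetUserName": "alice@EXAMPLE.TEST",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2025-07-02T10:00:03", "TargetUserName": "alice@EXAMPLE.TEST",
     "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2025-07-02T10:00:05", "TargetUserName": "alice@EXAMPLE.TEST",
     "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2025-07-02T10:00:09", "TargetUserName": "alice@EXAMPLE.TEST",
     "ServiceName": "svc_report", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2025-07-02T10:00:10", "TargetUserName": "alice@EXAMPLE.TEST",
     "ServiceName": "WS07$", "TicketEncryptionType": RC4_HMAC},       # machine account, ignored
    {"EventID": 4769, "Time": "2025-07-02T10:01:00", "TargetUserName": "carol@EXAMPLE.TEST",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x12},          # AES, normal traffic
    {"EventID": 4769, "Time": "2025-07-02T11:00:00", "TargetUserName": "dave@EXAMPLE.TEST",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2025-07-02T12:30:00", "TargetUserName": "dave@EXAMPLE.TEST",
     "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC},      # two RC4 tickets, far apart
]


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS, allowlist=REPLICATION_ALLOWLIST):
    """Flag any 4662 event where a non-DC, non-allowlisted principal exercised a
    replication right on the domain object. Returns (time, subject) pairs."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4662 or ev.get("ObjectType") != "domainDNS":
            continue
        if not set(ev.get("Properties", [])) & REPLICATION_RIGHTS:
            continue
        subject = ev["SubjectUserName"]
        if subject in dc_accounts or subject in allowlist:
            continue
        hits.append((ev["Time"], subject))
    return hits


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=4):
    """Flag an account that requests RC4 service tickets for at least `threshold`
    distinct service accounts within `window`. Machine accounts and krbtgt are
    skipped: their keys are long and random, so they are not worth cracking and
    only add noise. Returns (requesting user, sorted service names) pairs."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["Time"]), svc))
    hits = []
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):          # sliding window over sorted requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                hits.append((user, sorted(distinct)))
                break
    return hits


if __name__ == "__main__":
    print("DCSync-style replication:", detect_dcsync(SAMPLE_EVENTS))
    print("Kerberoasting-style requests:", detect_kerberoasting(SAMPLE_EVENTS))
```

The 4662 rule only works if the domain object's SACL audits control-access rights; the 4769 rule is tuned by `threshold` and `window`, and its false-positive rate drops further once service accounts are moved to AES-only keys, because legitimate clients then stop requesting RC4 tickets at all.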

IT teams can also try putting themselves in the shoes of a threat actor to gain new insights into the weaknesses and holes in their own security.

This is where purple team exercises, run internally or with external help, can come in. Giving your security teams the chance to compete against a team of pentesters or hackers they can consult gives them hands-on experience with significantly less risk than waiting for an attack.

From lab to real world: How to stay prepared

Red team and IT team training never goes amiss. Taking courses on Active Directory management and researching AD hardening guides are two great places to start. Microsoft has a variety of useful resources and best practices guides about their own technology, which your team may find indispensable.

Hack the Box (HTB) offers a new Certified Active Directory Pentesting Expert (CAPE) certification that teams can consider. The program offers HTB’s signature hands-on, scenario-based structures, and covers many of the tools mentioned here. It can also give Red Teamers and Blue Teamers a common playbook of AD attacks to work from during Purple Team exercises. 

Get HTB CAPE certified
