Active Directory Attacks
Active Directory (AD) is at the heart of nearly every Windows enterprise infrastructure—and thus a prime target for attacks. This article explains the most common AD attack techniques and how to protect yourself.
Active Directory (AD) is Microsoft’s directory service and serves as the central system for identity and access management in over 90% of all Windows enterprise environments. It manages user accounts, computer accounts, groups, group policies, and trust relationships between domains. This central position makes AD the preferred target for professional attackers—whoever compromises the domain administrator controls the entire corporate network.
According to an analysis by SpecterOps (2024), Active Directory is the primary compromise vector in over 80% of all successful ransomware attacks.
Basic AD Concepts for Security Professionals
Before attack techniques can be understood, a few basic concepts are important:
Kerberos: The primary authentication protocol in AD. Operates via tickets (TGT and service tickets) issued by the Key Distribution Center (KDC) on the domain controller.
NTLM: An older challenge-response protocol still active in many environments. Considered insecure; actively exploited by attackers.
SPN (Service Principal Name): Unique identifier for a service in AD, linked to a service account. Basis for Kerberoasting.
ACL/ACE: Access Control Lists and Access Control Entries control permissions on AD objects. Misconfigured ACLs are a common attack vector.
BloodHound: Open-source tool for visualizing attack vectors in AD. Displays in graph form which permissions a compromised account can exploit to escalate to domain administrator.
Common Attack Techniques
Kerberoasting
How it works: Any authenticated domain user can request service tickets for all SPNs. These tickets are encrypted with the NTLM hash of the service account. An attacker requests these tickets, exports them, and attempts to crack the hash offline—often successfully, because service accounts frequently have weak, never-expiring passwords.
Why it works: Kerberos ticket requests are legitimate and do not trigger alerts in standard configurations. Offline cracking leaves no traces on the target system.
Detection: SIEM rule for an unusually high number of TGS requests (Event ID 4769) from a single account, especially requests with the RC4 encryption type. Honeypot SPNs (decoy service accounts that no legitimate process ever uses, so any ticket request for them is suspicious) for detection.
Protection: Service accounts with random passwords 25+ characters long. Managed Service Accounts (MSA/gMSA) automate password rotation. Enforce AES encryption for SPNs.
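The detection rule sketched above, worked through over constructed 4769 records as an added example (not code from the original article): one account requesting RC4 service tickets for many distinct service accounts inside a short window, plus any request for a decoy SPN, is flagged. The event fields, account names and the decoy name `svc-honeypot` are assumptions for the sample.

```python
"""Kerberoasting detection over Windows Security Event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). The fields mirror the
# relevant 4769 attributes: requesting account, service name, ticket
# encryption type. RC4 (0x17) tickets are what offline cracking targets.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "account": "alice", "service": "MSSQLSvc-db01", "etype": "0x12"},
    {"time": "2024-05-01T09:00:01", "account": "jdoe", "service": "MSSQLSvc-db01", "etype": "0x17"},
    {"time": "2024-05-01T09:00:01", "account": "jdoe", "service": "http-web01", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe", "service": "svc-backup", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe", "service": "svc-honeypot", "etype": "0x17"},
    {"time": "2024-05-01T09:00:03", "account": "jdoe", "service": "svc-sap", "etype": "0x17"},
    {"time": "2024-05-01T11:30:00", "account": "bob", "service": "http-web01", "etype": "0x12"},
]

HONEYPOT_SPN_ACCOUNTS = {"svc-honeypot"}  # hypothetical decoy service account


def find_kerberoasting(events, window_minutes=10, threshold=4):
    """Return {account: [finding, ...]} for accounts matching either rule:
    1. >= threshold distinct service accounts requested with RC4 inside a
       sliding window of window_minutes;
    2. any request for a honeypot SPN, regardless of volume."""
    findings = defaultdict(list)
    rc4_requests = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["service"] in HONEYPOT_SPN_ACCOUNTS:
            findings[ev["account"]].append(f"honeypot SPN requested: {ev['service']}")
        if ev["etype"].lower() == "0x17":
            rc4_requests[ev["account"]].append((ts, ev["service"]))
    window = timedelta(minutes=window_minutes)
    for account, reqs in rc4_requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # distinct services requested in the window starting at this event
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= threshold:
                findings[account].append(
                    f"{len(services)} distinct RC4 service tickets within {window_minutes} min")
                break
    return dict(findings)
```

Tune the threshold to the environment: a single account legitimately touching more than a handful of SPNs within minutes is rare outside of monitoring and backup systems, which belong on an allowlist.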
Pass-the-Hash (PtH)
How it works: With NTLM authentication, the password hash is used directly as proof of authentication—the plaintext password is not required. If an attacker has extracted the NTLM hash of a privileged account from the LSASS process using Mimikatz or similar tools, they can use it to authenticate on other systems.
Why it works: NTLM hashes have no session binding and do not expire. A hash from two years ago still works if the password has not been changed.
Detection: Logins with Event ID 4624 Type 3 (network login) from unusual sources. UEBA systems detect anomalies in login patterns.
Protection: Protected Users security group for privileged accounts (disables NTLM usage). Credential Guard (Windows 10+) protects LSASS from memory read attacks. Randomize local administrator passwords using LAPS.
DCSync
How it works: Domain controllers replicate directory data among themselves via the MS-DRSR protocol (Directory Replication Service Remote Protocol). If an attacker has an account with DS-Replication-Get-Changes-All permissions, they can use Mimikatz to mimic this replication and retrieve all password hashes in the domain—including those of the KRBTGT account.
KRBTGT Compromise: Anyone who knows the hash of the KRBTGT account can forge any Kerberos tickets (Golden Ticket). These tickets are valid for up to 10 years and enable permanent, undetected access—even if all user passwords are changed.
Detection: Event ID 4662 whose Properties field contains the GUIDs of the replication control-access rights, raised by an account that is not a domain controller. Network traffic analysis: MS-DRSR traffic originating from a system that is not a DC is a sure sign.
Protection: Restrict DS-Replication-Get-Changes-All to domain controller accounts only. Perform regular BloodHound scans to detect unintended ACL permissions.
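The 4662-based detection described above, as an added example that is not part of the original article. The three replication control-access-right GUIDs are the well-known schema values; the event records, the DC account names and the unrelated GUID in the last sample event are constructed for the sample.

```python
"""DCSync detection over Windows Security Event 4662 records."""
import re

# Well-known control-access-right GUIDs for directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                     DS_REPLICATION_GET_CHANGES_FILTERED}

# 4662 is only logged when "Audit Directory Service Access" is enabled and the
# domain object carries a SACL for the replication rights; check that first.
# Constructed sample events: 'subject' is the requesting account (names ending
# in '$' are computer accounts), 'properties' mirrors the Properties field.
SAMPLE_EVENTS = [
    {"subject": "DC01$", "properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"subject": "DC02$", "properties": f"{{{DS_REPLICATION_GET_CHANGES}}}"},
    {"subject": "jdoe", "properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    # an ordinary object read; the GUID below is a constructed, unrelated value
    {"subject": "jdoe", "properties": "{11111111-2222-3333-4444-555555555555}"},
]
DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed allowlist of DC computer accounts

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def find_dcsync(events, dc_accounts):
    """Return one alert per 4662 event in which a non-DC account exercised a
    replication right. Replication between DCs themselves is expected."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        exercised = {g.lower() for g in GUID_RE.findall(ev["properties"])}
        hit = exercised & REPLICATION_GUIDS
        if not hit or ev["subject"].upper() in allowed:
            continue
        alerts.append({"subject": ev["subject"], "rights": sorted(hit)})
    return alerts
```

Accounts that replicate legitimately, such as a directory synchronisation service account, belong in the allowlist; everything else exercising DS-Replication-Get-Changes-All deserves an immediate investigation.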
AS-REP Roasting
How it works: Accounts with Kerberos pre-authentication disabled (DONT_REQ_PREAUTH flag) send encrypted AS-REP messages upon request without requiring the attacker to be authenticated. These messages contain data that can be cracked offline.
Difference from Kerberoasting: No valid domain user account is required for the request, so such accounts are exposed even to an attacker without any initial access to the domain.
Protection: Do not enable the DONT_REQ_PREAUTH flag on any account. Perform regular checks using: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}.
GPO Abuse (Group Policy Object Abuse)
How it works: Group Policy Objects (GPOs) are applied to Organizational Units (OUs) and control settings for all contained objects. If an attacker has write access to a GPO, they can use it to deploy malware to all affected systems, create users, or manipulate services.
BloodHound Relevance: BloodHound visualizes GPO write permissions as an attack path. In many environments, too many accounts have GPO write permissions due to misconfigured delegations.
LLMNR/NBT-NS Poisoning
How it works: Windows systems use LLMNR (Link-Local Multicast Name Resolution) and NBT-NS for name resolution when DNS fails. An attacker on the same network segment can respond to these broadcasts and impersonate a legitimate server—the victim then sends its NTLM hash for authentication.
Tool: Responder is the standard tool for this attack and delivers hashes within minutes in typical enterprise networks.
Protection: Disable LLMNR and NBT-NS via Group Policy. Implement network segmentation to prevent lateral broadcast communication.
AD Hardening Measures
Tier Model / Enterprise Access Model
Microsoft recommends a three-tier privilege model:
- Tier 0: Domain controllers, Tier 0 assets, AD administrators
- Tier 1: Member servers, application servers
- Tier 2: Workstations, regular users
Administrators may only log in to the tier assigned to them. A Tier 1 administrator must not log in to a workstation, because doing so would expose their credentials to that workstation’s LSASS.
Privileged Access Workstations (PAW)
Dedicated, hardened workstations exclusively for administrative tasks—without internet access, email, or Office applications.
Regular BloodHound Analyses
Automated weekly BloodHound scans visualize new attack paths created by user or group changes.
Reset KRBTGT Account Regularly
The KRBTGT password should be reset at least once a year, preferably every 180 days. Each reset has to be performed twice, because the account keeps its previous password in the history and tickets signed with it remain valid until it is rotated out. A reset is essential after every security incident.
About the Author
M.Sc. in IT Security with over 5 years of experience in offensive security analysis. Leads the delivery of penetration tests, specializing in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.