Active Directory security threats
Credential theft
Credential theft is the process by which an attacker obtains valid authentication credentials without authorization.
This can include:
Usernames
Passwords
Password hashes
Authentication tokens (session tokens).
In Active Directory environments, credential theft is the most common attack path behind a successful breach. Once an attacker has a usable credential, they can authenticate to AD as a legitimate user and access every resource that user is allowed to reach.
Credential theft is often only the beginning of the attack in AD environments. A stolen credential allows the attacker to access every system, share and application that the user's account is authorized to reach, and serves as a foothold for moving laterally and escalating privileges, often intending to compromise the domain controller (DC).
How credentials get stolen
There's no single method. Attackers choose based on what's fastest, cheapest, and least likely to create noise or attract attention. The most common techniques in Active Directory environments include:
Password spray and brute force: This involves testing common or predictable passwords across large numbers of accounts. Password spray attacks attempt to avoid lockout thresholds by testing one or two passwords per account across many accounts, rather than many passwords against one account. AI allows attackers to perform these attacks faster, with greater success, and at scale.
Phishing and social engineering: Phishing describes the process of obtaining credentials through deception (fake login pages, malicious email attachments, voice phishing). These attacks are low effort, require very little technical sophistication, and have a high success rate.
Hash capture (Pass-the-Hash): NTLM authentication doesn't require the cleartext password; it uses the NTLM hash of the password. An attacker can intercept or extract this hash from memory, then use it to authenticate as that user without ever knowing the password. The hash is functionally equivalent to the password: capture the hash, own the account.
Kerberoasting: Any authenticated domain user can request a Kerberos service ticket for any service account with a Service Principal Name (SPN) registered in AD. The ticket is encrypted with the service account's password hash. An attacker can request that ticket, take it offline, and crack it against a GPU-based password cracking rig without ever touching a domain controller again. Service accounts with weak passwords are typically compromised in minutes.
AS-REP Roasting: Accounts with the "Do not require Kerberos preauthentication" flag enabled can be targeted without any credential at all. An attacker sends an authentication request for such an account, and the domain controller returns an encrypted response that can be cracked offline. This attack doesn't require a valid credential to begin.
Golden Ticket attacks: If an attacker compromises the krbtgt account, the account whose key signs all Kerberos tickets, they can forge valid Kerberos tickets for any user, including users that do not exist, with any group membership and any expiry time. A Golden Ticket persists even after the compromised account's password is reset, until the krbtgt account key is rotated.
Credential exposure in scripts and config files: Service accounts and application credentials are stored in plaintext in logon scripts, configuration files, scheduled tasks, or Group Policy Preferences. An attacker who can read these files, which may be broadly accessible, obtains cleartext credentials directly.
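The techniques above each leave a recognisable trace in the Windows Security log, which is what a defender can act on. The following Python is an added example (not part of this page or of any UserLock product) that runs three detections over a small constructed set of event records: password spray (event 4625 failed logons from one source against many distinct accounts inside a short window), Kerberoasting (event 4769 service tickets requested with RC4 encryption, etype 0x17, for non-machine service accounts) and AS-REP roasting (event 4768 TGT requests with Pre-Authentication Type 0). The field names, the sample events and the thresholds are assumptions chosen for the example; the event IDs, the encryption type value and the pre-authentication type value are the ones Windows documents.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event records (not real logs).
# Event IDs follow the Security log: 4625 = failed logon,
# 4768 = Kerberos TGT request, 4769 = Kerberos service ticket request.
SAMPLE_EVENTS = [
    # One user mistyping their password twice: normal noise.
    {"id": 4625, "time": "2024-05-01T09:00:01", "user": "alice", "src": "10.0.0.50"},
    {"id": 4625, "time": "2024-05-01T09:00:40", "user": "alice", "src": "10.0.0.50"},
    # One source trying a password against many accounts: spray pattern.
    {"id": 4625, "time": "2024-05-01T09:10:00", "user": "bob", "src": "10.0.0.99"},
    {"id": 4625, "time": "2024-05-01T09:10:05", "user": "carol", "src": "10.0.0.99"},
    {"id": 4625, "time": "2024-05-01T09:10:11", "user": "dave", "src": "10.0.0.99"},
    {"id": 4625, "time": "2024-05-01T09:10:16", "user": "erin", "src": "10.0.0.99"},
    {"id": 4625, "time": "2024-05-01T09:10:22", "user": "frank", "src": "10.0.0.99"},
    {"id": 4625, "time": "2024-05-01T09:10:30", "user": "grace", "src": "10.0.0.99"},
    # Service ticket requests. etype 0x17 = RC4-HMAC, 0x12 = AES256-CTS.
    {"id": 4769, "time": "2024-05-01T09:20:00", "user": "bob", "service": "svc-sql", "etype": 0x17},
    {"id": 4769, "time": "2024-05-01T09:20:01", "user": "bob", "service": "WS01$", "etype": 0x12},
    {"id": 4769, "time": "2024-05-01T09:20:02", "user": "bob", "service": "krbtgt", "etype": 0x17},
    {"id": 4769, "time": "2024-05-01T09:21:00", "user": "alice", "service": "svc-web", "etype": 0x12},
    # TGT requests. preauth 0 = logon without pre-authentication.
    {"id": 4768, "time": "2024-05-01T09:30:00", "user": "alice", "preauth": 2},
    {"id": 4768, "time": "2024-05-01T09:30:05", "user": "legacy-app", "preauth": 0},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: distinct_accounts} for every source whose failed
    logons hit at least `min_accounts` different accounts inside one window.
    Counting accounts rather than attempts is what separates a spray from
    one user repeatedly mistyping a password."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((_ts(e), e["user"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        best = 0
        for i, (start, _) in enumerate(attempts):
            # Sliding window: every failure within `window` of this one.
            users = {u for t, u in attempts[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            flagged[src] = best
    return flagged


def detect_kerberoasting(events):
    """Return (requester, service) pairs for RC4-encrypted service tickets
    issued for user-type service accounts, the ticket shape an offline
    cracking attempt needs. Machine accounts (name ends in $) and krbtgt
    are excluded; AES tickets are far more costly to crack and are left out."""
    hits = []
    for e in events:
        if e["id"] != 4769 or e["etype"] != 0x17:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append((e["user"], svc))
    return hits


def detect_asrep_roasting(events):
    """Return accounts that obtained a TGT without pre-authentication
    (Pre-Authentication Type 0): each one is AS-REP roastable."""
    return [e["user"] for e in events if e["id"] == 4768 and e["preauth"] == 0]


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("asrep roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
```

On real data the same three functions run over records pulled from domain controllers (the 4768/4769 events are only written on DCs), and the useful follow-up for each hit is a configuration fix rather than an alert alone: rotate the service account password and move it to AES-only, and clear the "Do not require Kerberos preauthentication" flag.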
Credential theft as the gateway to lateral movement
Credential theft is typically the beginning of the attack, not the end. Once an attacker holds a valid credential, they use it for lateral movement across the network, accessing additional systems and escalating privilege until they reach their target.
The defense against credential theft doesn't have to be (and likely won't be) perfect. Key security layers are multi-factor authentication (MFA), access controls, and session monitoring. The practical goal is to make each attack expensive, slow, and detectable, raising the cost high enough that the attacker either gives up or generates enough noise to be stopped before reaching their target.
See how UserLock protects against lateral movement and credential misuse
Lateral movement
Lateral movement is the art of turning a low-value compromise of a network or cloud instance into access to high-value resources deeper inside it. Or, if you like, moving sideways to great effect (also known as a horizontal kill chain).
For defenders, this is a huge problem. Perimeter network defense has evolved to keep people out, not stop them once they get in.
How lateral movement works in Active Directory environments
In an Active Directory context, the purpose of lateral movement is to hunt for new Active Directory credentials (especially the domain administrator) through which to increase privileges and move across the entire domain. Often, compromising the domain controller (DC) is the end goal.
Here's what a lateral movement sequence typically looks like in an Active Directory environment:
Initial access: A credential is compromised, most often through credential theft.
Reconnaissance: The attacker queries AD to map the environment: users, groups, computers, trust relationships, SPNs, GPOs. By default, AD is permissive about what authenticated users can read.
Privilege escalation: The attacker identifies paths from their current access level to higher privilege: misconfigured ACLs, overly broad group memberships, delegation settings, accounts with elevated rights, and weak passwords.
Lateral movement: Using escalated credentials, the attacker authenticates to additional systems, extracting more credentials and expanding their foothold.
Objective: Ransomware deployment, data exfiltration, persistent backdoor installation, or all three.
Common lateral movement techniques
Pass-the-Hash / Pass-the-Ticket: Using a captured NTLM hash or Kerberos ticket to authenticate to other systems without knowing the plaintext credential. Because NTLM authentication uses the hash directly, this requires no cracking: capture on one system, replay on the next.
Remote execution via admin tools: Authenticating to a remote system using valid admin credentials and executing commands via PsExec, Windows Management Instrumentation (WMI), PowerShell remoting, or scheduled tasks. These are standard Windows administration tools, which makes this traffic hard to distinguish from legitimate admin activity.
Token impersonation: Stealing logon tokens from running processes on a compromised machine to act as a different user, often a more privileged one whose session is active on the same machine.
Kerberos delegation abuse: Unconstrained delegation allows a service to request Kerberos tickets on behalf of any user who authenticates to it. If an attacker compromises a machine with unconstrained delegation configured, they can capture TGTs from any user who connects to that machine and replay them elsewhere.
Domain trust exploitation: If multiple domains share a forest, default configurations allow an attacker who has compromised one domain to escalate to the next. With default privileged group configurations, a Domain Admin in one domain can escalate to Enterprise Admin in a single step, and from there to full forest control.
These can be contained by implementing least privilege principles and multi-factor authentication (MFA), limiting local accounts with admin access, and segmenting the network with separate domain controllers for each network.
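Several of the paths above (Kerberoasting, AS-REP roasting, unconstrained delegation, privileged accounts that can be delegated) are visible as attribute settings on the account objects themselves, so a directory audit finds them before an attacker does. The Python below is an added example, not part of this page or of any UserLock product. It decodes the documented userAccountControl bits and flags the risky combinations over a constructed directory export; the account names, the export field names (uac, spn, admin, pwd_age_days) and the 365-day password-age threshold are assumptions for the example. In a real environment the input would come from an AD query (for instance Get-ADUser with the userAccountControl and servicePrincipalName properties), not from the inline list.

```python
# userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,                    # "sensitive and cannot be delegated"
    "DONT_REQ_PREAUTH": 0x400000,                 # "Do not require Kerberos preauthentication"
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation with protocol transition
}

# Constructed directory export (assumed field names, not a real domain).
# 0x200 = NORMAL_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT.
SAMPLE_DIRECTORY = [
    {"name": "alice", "uac": 0x200, "spn": [], "admin": False, "pwd_age_days": 40},
    {"name": "legacy-app", "uac": 0x200 | 0x400000, "spn": [], "admin": False, "pwd_age_days": 900},
    {"name": "svc-sql", "uac": 0x200 | 0x10000,
     "spn": ["MSSQLSvc/sql01.corp.example:1433"], "admin": False, "pwd_age_days": 1400},
    {"name": "APP01$", "uac": 0x1000 | 0x80000,
     "spn": ["HOST/app01.corp.example"], "admin": False, "pwd_age_days": 20},
    {"name": "da-jsmith", "uac": 0x200, "spn": [], "admin": True, "pwd_age_days": 60},
]

STALE_PASSWORD_DAYS = 365  # assumed threshold for service account passwords


def decode_uac(value):
    """Return the set of named flags set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def audit_account(acct):
    """Return a list of finding codes for one account (empty if clean)."""
    flags = decode_uac(acct["uac"])
    findings = []
    if "ACCOUNTDISABLE" in flags:
        return findings  # disabled accounts cannot be used for any of these paths
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("ASREP_ROASTABLE")
    # A user-type account with an SPN can have a service ticket requested
    # for it by any authenticated user; machine accounts ($) have long
    # random passwords and are not a practical cracking target.
    if acct["spn"] and not acct["name"].endswith("$"):
        findings.append("KERBEROASTABLE")
        if "DONT_EXPIRE_PASSWORD" in flags:
            findings.append("PASSWORD_NEVER_EXPIRES")
        if acct["pwd_age_days"] > STALE_PASSWORD_DAYS:
            findings.append("STALE_PASSWORD")
    if "TRUSTED_FOR_DELEGATION" in flags:
        findings.append("UNCONSTRAINED_DELEGATION")
    if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
        findings.append("PROTOCOL_TRANSITION_DELEGATION")
    # Privileged accounts should carry NOT_DELEGATED so that a host with
    # delegation rights cannot reuse their tickets.
    if acct["admin"] and "NOT_DELEGATED" not in flags:
        findings.append("ADMIN_DELEGATABLE")
    return findings


def audit_directory(accounts):
    """Return {account_name: [finding codes]} for accounts with findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLE_DIRECTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

The finding codes map directly to the containment measures this section recommends: KERBEROASTABLE and STALE_PASSWORD point at service accounts that need long, rotated passwords (or a group managed service account), ASREP_ROASTABLE at a flag to clear, and UNCONSTRAINED_DELEGATION and ADMIN_DELEGATABLE at the delegation settings that let one compromised host harvest tickets from every user who touches it.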
See also, Active Directory Insider Threats.
Spear phishing
Phishing attacks against organizations can be divided into two types – those targeting lots of people in the organization and those targeting only a select group or even an individual, also known as spear phishing.
The problem with attacking lots of people is that it tends to be noticed, and success is a game of percentages.
Spear phishing, on the other hand, is a lot more work. But when it succeeds, it often snares a victim who has higher privileges. Spear phishing depends on two principles: selective targeting and some degree of social engineering. It’s the combination that makes it so dangerous.
For example, a generic phishing attack might ask a user to reset their Microsoft 365 account credentials. A spear phishing attack, on the other hand, will make the same request but include the target’s name and business unit, mimicking the language of a genuine password reset request from that organization. Anyone can be fooled some of the time.