Active Directory: The Foundation of an Organisation’s Access, Authorisation, and Authentication

Every time an attacker gets into a corporate network and walks out with Domain Administrator credentials, the question that follows in the incident review is always the same: how did they get there so fast? The answer, in the overwhelming majority of cases, is Active Directory. Not because AD is poorly designed. Because it works exactly as intended, and attackers have learned to use that against you.

Active Directory has been the backbone of enterprise identity and access management for over two decades. It authenticates users, authorises access to resources, applies group policies, and manages every service account running in your environment. That centrality is precisely what makes it the highest-value target on any corporate network. According to Semperis research, AD is the target in 9 out of 10 ransomware attacks. The Verizon 2025 Data Breach Investigations Report found that 88% of breaches now involve compromised credentials, with attackers increasingly using AD authentication itself rather than deploying malware. That is not a coincidence. That is a strategy.

This guide covers how Active Directory attacks happen, what specific techniques threat actors use in 2025, and what security controls actually reduce your risk. If you manage AD for an organisation in the UAE or broader GCC region, the threat context here is directly relevant to you.

Why Active Directory Is Still the Crown Jewel

Some people hear “Active Directory” and think legacy infrastructure. Something to migrate away from eventually. The reality is that the vast majority of organisations globally still run on-premises AD, and even those moving to Azure AD or Entra ID typically maintain a hybrid setup that keeps on-prem AD in the picture for years. Hybrid environments, as it turns out, expand the attack surface rather than reduce it.

AD controls access to every user resource in the network. Compromise it and you control the network. Attackers can move laterally across systems, escalate privileges, access sensitive data, disable endpoint protections and SIEM logging, and deploy ransomware, all by abusing the same identity and access mechanisms that your legitimate users depend on every day. What makes this particularly hard to defend against is that much of the attack activity looks like normal AD operations. A Golden Ticket attack, for instance, is just a Kerberos authentication. There is nothing obviously malicious on the surface.

The 2024 Change Healthcare breach illustrates the stakes clearly. Attackers entered through a server without multi-factor authentication, pivoted to AD, escalated privileges, and then executed a catastrophic attack. Patient care stopped. Health records were exposed. The organisation paid millions in ransom. That is not a worst-case scenario. That is a representative case for what happens when AD is compromised in a large enterprise.

For organisations in the UAE, the risk context is equally stark. The UAE is the second most-targeted country in the Middle East, accounting for 12% of all regional cyberattacks, with the average cost of a cyber incident reaching approximately USD 2.9 million according to CPX’s UAE Cybercrime Statistics 2025. Ransomware activity surged through 2025, with Russia-linked groups such as Everest, Medusa, and Embargo actively targeting UAE entities using tactics that include phishing, privilege escalation, and lateral movement through AD environments.

How Attackers Get In: The Three Entry Points

Before they can touch Active Directory, attackers need a foothold on your network. In the vast majority of intrusions investigated by incident response teams, that foothold comes through one of three routes: exploitation of internet-facing vulnerabilities, compromised credentials, or phishing.

Unpatched vulnerabilities in publicly exposed systems remain a reliable entry point. In January 2025, Microsoft disclosed CVE-2025-21293, a critical privilege escalation vulnerability in Active Directory Domain Services with a CVSS score of 8.8. A proof-of-concept exploit was made public, and active exploitation followed. The window between patch release and deployment across all domain controllers is exactly the kind of gap attackers actively scan for and exploit. Patch Tuesday for AD-related components is not an optional exercise.

Credential compromise is increasingly the preferred entry method. Phishing operations, infostealer malware, credential stuffing against exposed login portals, and social engineering all feed into a pipeline of stolen usernames and passwords that threat actors use to log in rather than break in. Once inside with any valid account, even a low-privilege one, the path to Domain Administrator is often shorter than organisations expect.

The third entry point, phishing, serves double duty. It can deliver credentials directly or drop malware that establishes a beachhead for further exploitation. In 2025, adversary-in-the-middle phishing is increasingly used to intercept authentication tokens and bypass MFA entirely, which means the traditional assumption that MFA blocks credential theft no longer holds in all cases.

The Attack Path: From Foothold to Domain Compromise

Understanding the typical attack progression inside an AD environment matters because defenders need to know where to build friction. The sequence is rarely random.

After gaining initial access, the attacker’s first priority is reconnaissance. AD is an exceptionally useful reconnaissance tool. It exposes users, groups, computers, shared folders, service accounts, group policies, and trust relationships. All of this information is accessible to any authenticated domain user. Attackers query it systematically to map the environment and identify the fastest path to elevated privileges.

Privilege escalation follows. The attacker is looking for paths from their current access level to Domain Administrator, or something close to it. Misconfigurations, overprivileged accounts, and legacy settings are the most common routes. An account that was granted Domain Admin rights during a troubleshooting exercise three years ago and never reviewed. A service account with domain-level permissions that only needs access to a single application. A Group Policy misconfiguration that allows a non-administrative user to modify sensitive settings. These are not exotic vulnerabilities. They are the routine accumulation of years of changes in a large AD environment that nobody has audited with fresh eyes.

Lateral movement comes next. With elevated credentials, the attacker moves across the network, accessing additional systems, locating valuable data, identifying backup infrastructure, and identifying where ransomware will cause the most damage. AD makes this efficient because the same credentials authenticate against multiple systems. A Domain Admin account does not just open one door.

Persistence is typically established at multiple points before the attacker makes any visible move. This is intentional. Incident responders frequently find that attackers had been inside an environment for weeks or months before the ransomware deployed or the data exfiltration was noticed.

The Attack Techniques You Need to Understand

Kerberoasting

Kerberoasting targets service accounts. Any authenticated domain user can request a Kerberos service ticket for any account with a Service Principal Name (SPN) registered. The ticket is encrypted with the service account’s password. The attacker takes that ticket offline and cracks it using GPU-accelerated brute-force tools. If the service account has a weak or non-expiring password, which many do, the password is recovered in minutes or hours.

What makes Kerberoasting dangerous is its stealth. It uses legitimate Kerberos functionality. It generates the same event logs as normal authentication traffic. And the cracking happens entirely offline, outside the reach of any monitoring you have on your AD environment.

The mitigation is straightforward in principle: migrate service accounts to Group Managed Service Accounts (gMSAs), which use 120-character randomly generated passwords that are automatically rotated by AD itself. Microsoft now also offers Delegated Managed Service Accounts (dMSAs) on Windows Server 2025 as an additional option. Disable RC4 encryption for Kerberos, since it is significantly more vulnerable to offline cracking than AES. Audit all accounts with SPNs and remove any that are unnecessary.

Golden Ticket Attacks

A Golden Ticket attack represents the end-state of AD compromise. To execute it, the attacker needs the NTLM hash of the KRBTGT account, the service account used by the Key Distribution Center. With that hash, they can forge Kerberos Ticket Granting Tickets with any permissions, any group membership, and any expiry date they choose. The forged ticket can be set to remain valid for years. It bypasses standard authentication entirely and is extremely difficult to detect because it looks like legitimate Kerberos traffic.

Tools like Mimikatz, freely available and widely used by threat actors, make the technical execution of this attack accessible. Once an attacker has Domain Controller access, extracting the KRBTGT hash is not a sophisticated operation.

Preventing Golden Ticket attacks requires keeping the KRBTGT hash from being stolen in the first place, which means protecting Domain Controllers with the same intensity as your most sensitive assets. It also requires monitoring for unusual Kerberos ticket lifetimes and anomalous authentication patterns. Microsoft Defender for Identity provides real-time alerts for Golden Ticket usage and should be part of any mature AD security programme. When a Golden Ticket attack is discovered, the KRBTGT account password must be reset twice in sequence to invalidate all existing tickets.

DCSync and DCShadow

DCSync abuses Active Directory’s domain replication functionality. Domain Controllers replicate AD data between themselves as a normal operational process. An attacker with the right replication permissions, even from a standard workstation rather than a Domain Controller, can request a replication of sensitive data including password hashes for any user in the domain. This means the attacker can pull the Administrator password hash, the KRBTGT hash, and credentials for every privileged account, without ever logging onto a Domain Controller.

DCShadow is a related technique that works in reverse: the attacker registers a rogue domain controller and uses it to push malicious changes into the AD directory, such as adding a user to the Domain Admins group.

Both of these attacks require elevated privileges to execute, which means limiting the attack surface for DCSync and DCShadow starts with strictly controlling which accounts hold replication permissions.

Pass-the-Hash and Pass-the-Ticket

Pass-the-Hash attacks steal the NTLM password hash from memory on a compromised system and use that hash to authenticate against other systems without ever needing to know the actual password. It works because NTLM authentication accepts the hash itself as proof of identity.

Pass-the-Ticket applies the same principle to Kerberos, using a stolen Kerberos ticket to authenticate as another user. These techniques are the primary driver of lateral movement inside AD environments.

The most effective mitigation is disabling NTLM wherever your environment can support it, which eliminates the entire Pass-the-Hash attack category. Enforcing SMB signing and LDAP channel binding closes additional relay attack vectors. Windows Server 2025 enables SMB signing by default; environments running older infrastructure need to configure it explicitly.

Authentication Relay and NTLM Relay Attacks

In an NTLM relay attack, the attacker positions themselves between a client and a server, intercepting a legitimate authentication request and relaying it to another service to authenticate as that user. These are man-in-the-middle attacks that exploit how NTLM handles authentication flows. They require no credential theft, no password cracking, and they leave minimal traces.

Microsoft has issued specific 2025 guidance to enforce SMB signing domain-wide and implement Extended Protection for Authentication (EPA) to block these attacks. Deprecating NTLM across the environment, while operationally complex, removes the attack vector entirely.

What a Hardened Active Directory Actually Looks Like

Security recommendations for AD have been published extensively, but the gap between a published best practice and an implemented control remains wide in most organisations. The following areas are where investment has the highest practical impact.

Least Privilege, Applied Consistently

The proliferation of privileged accounts in large AD environments is one of the most consistent findings in post-incident reviews. Domain Admin accounts used for routine tasks. Service accounts with domain-level permissions. User accounts that accumulated access through years of position changes without any review. Privileged group memberships granted during troubleshooting and never revoked.

Reviewing and reducing privileged accounts is not exciting work, but it is arguably the highest-return security activity available to AD administrators. An attacker who compromises a Domain Admin account has a qualitatively different level of access than one who compromises a standard user. Every unnecessary privileged account is an unnecessary path to full domain compromise.

Implement Just-In-Time (JIT) access for sensitive administrative tasks, where elevated permissions are granted for a specific time window rather than held permanently. Privileged Identity Management (PIM) tooling supports this model and integrates with both on-premises AD and Azure AD in hybrid environments.

Separating Privileged Administration from Daily Operations

Domain Controllers and privileged AD management should not be accessible from the same workstations used for email, web browsing, and general productivity. Privileged Access Workstations (PAWs) or a dedicated administrative forest, sometimes called a Red Forest, ensure that even if a standard user workstation is compromised through phishing or drive-by download, the attacker does not automatically have a path to the administrative tier.

This tiering model, where Tier 0 covers domain controllers and the most privileged accounts, Tier 1 covers servers and applications, and Tier 2 covers end-user workstations, creates barriers that slow down lateral movement and privilege escalation even after initial compromise. Building those barriers is precisely what buys incident responders the time they need to detect and contain an attack before it reaches full domain compromise.

Group Managed Service Accounts for All Services

The persistence of static, non-expiring passwords on service accounts is one of the most common configurations that Kerberoasting exploits. Migrating to gMSAs, or dMSAs on Windows Server 2025, removes the human element from service account credential management entirely. AD rotates the passwords automatically. The passwords are 120 characters, randomly generated, and never visible to any user. This does not just mitigate Kerberoasting; it also simplifies post-incident recovery, since organisations with gMSAs can reset service account credentials without manually identifying every application dependency.

After removing a threat actor from a compromised environment, every account credential must be reset, including Kerberos, administrator, service, and user accounts. Organisations that have not implemented gMSAs often find this process paralysing, because nobody has a complete map of which services depend on which service account credentials. gMSAs make that process manageable.

SPN Hygiene

Every account with an SPN registered is a Kerberoasting target. Organisations accumulate unnecessary SPNs over time, through application migrations, decommissioned services that were never cleaned up, and misconfigured deployments. An SPN audit is a direct attack surface reduction activity. Remove any SPN that is not actively in use. Identify any service accounts with SPNs that are members of privileged groups and remove those privileges immediately.

Run regular SPN audits using the setspn -X command to identify duplicate SPNs, which can cause Kerberos to fall back to NTLM and introduce additional vulnerabilities. Keep a documented, current inventory of all service accounts and their associated SPNs.
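The SPN audit described here and the Kerberoasting mitigations above (find SPN-bearing accounts, check their encryption types and password age, flag privileged ones, then run setspn -X) can be combined into one script. The following is an added example, not code from the original article or from iConnect; it assumes the ActiveDirectory RSAT module, the default privileged group names, and an authenticated session in the domain being audited.

```powershell
# Added example (not from the original article): inventory the accounts Kerberoasting can
# target and rank them by exposure. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Members of these groups should never carry an SPN: a cracked ticket would be a direct
# path to Tier 0. Default group names; add any custom administrative groups.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$privilegedSids = @(foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value }
})

# Every user object with at least one SPN is Kerberoastable by any authenticated user.
# gMSA and dMSA objects are not user objects, so they are (correctly) absent from this list;
# krbtgt is excluded because its SPN is intrinsic and the account is always disabled.
$props = 'servicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires',
         'msDS-SupportedEncryptionTypes', 'Enabled', 'LastLogonDate'
$spnAccounts = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties $props

$report = foreach ($acct in $spnAccounts) {
    $enc = $acct.'msDS-SupportedEncryptionTypes'
    # msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
    # An unset value or a set RC4 bit lets the KDC issue RC4 (etype 0x17) service tickets,
    # which are far cheaper to crack offline than AES tickets.
    $aesOnly = ($null -ne $enc) -and (($enc -band 0x18) -ne 0) -and (($enc -band 0x4) -eq 0)
    $isPrivileged = $privilegedSids -contains $acct.SID.Value
    $pwAgeDays = if ($acct.PasswordLastSet) { (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        SamAccountName       = $acct.SamAccountName
        Enabled              = $acct.Enabled
        SPNCount             = @($acct.servicePrincipalName).Count
        PasswordAgeDays      = $pwAgeDays
        PasswordNeverExpires = $acct.PasswordNeverExpires
        AESOnly              = $aesOnly
        Privileged           = $isPrivileged
        LastLogon            = $acct.LastLogonDate
        # Simple weighting: privileged SPN accounts first, then RC4-capable ones, then stale or
        # never-expiring passwords. The highest scores are the first gMSA migration candidates.
        Risk                 = (4 * [int]$isPrivileged) + (2 * [int](-not $aesOnly)) +
                               [int]$acct.PasswordNeverExpires + [int]($pwAgeDays -gt 365)
    }
}

$report | Sort-Object Risk -Descending | Format-Table -AutoSize

# Duplicate SPNs make Kerberos fail and the client fall back to NTLM; setspn -X finds them
# (-F searches the whole forest rather than only the current domain).
setspn -X -F
```

Accounts that report Privileged as True are the immediate fixes: strip the group membership first, then schedule the gMSA migration.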

Continuous Monitoring and Anomaly Detection

Most AD attack techniques abuse legitimate functionality, which means signature-based detection is insufficient. Behavioural analytics are essential. You need visibility into baseline patterns for authentication, logon times, privilege use, and replication activity, so that deviations stand out. Unusual Kerberos ticket lifetimes. Authentication requests at abnormal hours from unexpected locations. Service ticket requests that do not match any known application pattern. DCSync operations originating from a non-Domain-Controller workstation.
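Two of the deviations listed above, written out as rule logic, as an added example that is not part of the original article: the Kerberoasting pattern (one account requesting RC4 service tickets for many service accounts within minutes) and replication rights exercised on the domain object by an account that is not a Domain Controller. The sample events, account names and allow-list are constructed; field names mirror Windows Security events 4769 and 4662, so in production the same functions can be fed Get-WinEvent output or a SIEM export.

```powershell
# Added example (not from the original article). Rule logic over constructed sample events;
# field names mirror Security events 4769 (TGS request) and 4662 (object access).
# Control-access-right GUIDs that DCSync exercises; well-known values from the AD schema.
$DsReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-KerberoastingBursts {
    # One account requesting RC4 (0x17) tickets for many distinct service accounts in minutes.
    # Names ending in '$' are computer accounts (random keys, not crackable); excluded with krbtgt.
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $Events |
        Where-Object { $_.EventID -eq 4769 -and $_.EncType -eq '0x17' -and
                       $_.Service -ne 'krbtgt' -and $_.Service -notlike '*$' } |
        Group-Object Account | ForEach-Object {
            $sorted   = @($_.Group | Sort-Object Time)
            $distinct = @($sorted.Service | Select-Object -Unique).Count
            $minutes  = (New-TimeSpan -Start $sorted[0].Time -End $sorted[-1].Time).TotalMinutes
            if ($distinct -ge $Threshold -and $minutes -le $WindowMinutes) {
                [pscustomobject]@{ Rule = 'RC4 service-ticket burst'; Account = $_.Name
                                   DistinctServices = $distinct; Minutes = [math]::Round($minutes, 1)
                                   Source = (@($sorted.IpAddress | Select-Object -Unique) -join ',') }
            }
        }
}

function Find-DCSync {
    # Replication rights exercised on the domain object by a principal outside the allow-list
    # (DC computer accounts and the Entra Connect sync account are the only expected callers).
    param([object[]]$Events, [string[]]$AllowedReplicators)
    $domainClass = '19195a5b-6da0-11d0-afd3-00c04fd930c9'   # domainDNS schema class GUID
    foreach ($ev in $Events) {
        if ($ev.EventID -ne 4662 -or $ev.ObjectType -notmatch $domainClass) { continue }
        $rights = @($DsReplicationGuids | Where-Object { $ev.Properties -like "*$_*" })
        if ($rights.Count -gt 0 -and $AllowedReplicators -notcontains $ev.Account) {
            [pscustomobject]@{ Rule = 'Replication rights used by non-DC'; Account = $ev.Account
                               Rights = ($rights -join ','); LoggedOn = $ev.Computer }
        }
    }
}

# Constructed sample events (not real telemetry): a workstation user sweeps five service
# accounts with RC4 inside two minutes, then a backup account pulls replication data from DC01.
function New-Tgs($time, $account, $service, $etype, $ip) {
    [pscustomobject]@{ EventID = 4769; Time = [datetime]$time; Account = $account
                       Service = $service; EncType = $etype; IpAddress = $ip }
}
$sampleEvents = @(
    New-Tgs '2025-03-01 02:14:05' 'jdoe@CORP.LOCAL'   'svc_sql'    '0x17' '10.1.5.22'
    New-Tgs '2025-03-01 02:14:06' 'jdoe@CORP.LOCAL'   'svc_web'    '0x17' '10.1.5.22'
    New-Tgs '2025-03-01 02:14:06' 'jdoe@CORP.LOCAL'   'svc_backup' '0x17' '10.1.5.22'
    New-Tgs '2025-03-01 02:14:07' 'jdoe@CORP.LOCAL'   'svc_sccm'   '0x17' '10.1.5.22'
    New-Tgs '2025-03-01 02:15:01' 'jdoe@CORP.LOCAL'   'svc_erp'    '0x17' '10.1.5.22'
    New-Tgs '2025-03-01 02:15:30' 'WS042$@CORP.LOCAL' 'FS01$'      '0x12' '10.1.5.40'
    [pscustomobject]@{ EventID = 4662; Time = [datetime]'2025-03-01 02:20:11'; Account = 'svc_backup'
                       ObjectType = '%{19195a5b-6da0-11d0-afd3-00c04fd930c9}'; Computer = 'DC01'
                       Properties = '%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ EventID = 4662; Time = [datetime]'2025-03-01 02:21:00'; Account = 'DC02$'
                       ObjectType = '%{19195a5b-6da0-11d0-afd3-00c04fd930c9}'; Computer = 'DC01'
                       Properties = '%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' }
)

$allowed = 'DC01$', 'DC02$', 'MSOL_0123456789ab'   # constructed: DC accounts plus the sync account
Find-KerberoastingBursts -Events $sampleEvents | Format-Table -AutoSize
Find-DCSync -Events $sampleEvents -AllowedReplicators $allowed | Format-Table -AutoSize
```

On the sample data the first rule reports jdoe (5 distinct services in under a minute from 10.1.5.22) and the second reports svc_backup; the DC02$ replication is on the allow-list and is not flagged.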

Microsoft Defender for Identity provides purpose-built detection for AD attack techniques, including Kerberoasting, Golden Ticket attacks, DCSync, DCShadow, and NTLM relay attempts. It integrates with Microsoft Sentinel for correlation with broader network and endpoint telemetry. For organisations running a Security Operations Centre, AD monitoring should have dedicated detection rules and playbooks, not just be a feed into a general SIEM dashboard that nobody reviews unless something explodes.

Regular AD Security Assessments

Configuration drift is real in any environment that has been running for years. Permissions accumulate. Legacy settings persist. New attack techniques emerge that were not in scope when your last security review was conducted. A structured AD security assessment, conducted by experienced incident responders rather than automated tooling alone, evaluates your AD implementation against current attack techniques, identifies specific misconfiguration and privilege issues, and provides prioritised remediation guidance. Doing this assessment before an incident, without the pressure of an active threat actor, gives you the ability to fix problems rather than contain damage.

Hybrid AD and the Cloud Expansion of the Attack Surface

For organisations that have extended AD into Azure AD or Microsoft Entra ID through hybrid synchronisation, the security considerations do not stop at the on-premises boundary. Hybrid environments create bidirectional trust relationships between on-premises and cloud identity systems. An attacker who compromises an on-premises account synced to the cloud can potentially pivot into cloud resources, and vice versa.

In 2025, data shows that 78% of Active Directory attacks specifically focused on hybrid setups where local networks connect to cloud services. Attackers have learned to steal OAuth tokens from cloud applications to impersonate synced accounts and then pivot into on-premises AD. This cross-environment movement is harder to detect because it spans two separate monitoring domains.

Extending your AD security posture into the cloud layer means applying the same least-privilege and monitoring principles to cloud identity as you apply to on-premises AD. It also means understanding exactly what is synchronised, which accounts are in scope, and where the trust boundaries are.

What Happens After a Domain Compromise

If an attacker reaches Domain Administrator, the response is not just a password reset and a scan. Every credential in the environment must be treated as compromised. The KRBTGT password must be reset twice. All administrator accounts must be reset. All service accounts must be reset. All user accounts should be rotated. Persistence mechanisms planted by the attacker, including rogue accounts, modified group policies, backdoored Group Managed Service Accounts, and scheduled tasks on Domain Controllers, must be identified and removed before any credential rotation takes place, otherwise the attacker simply uses the persistence mechanism to re-establish access.
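The KRBTGT double reset required here and under Golden Ticket Attacks, as an added example that is not from the original article: the KDC accepts tickets under the current and the previous key, so the first reset alone leaves pre-incident tickets valid, and the second reset must only happen once every writable DC has replicated the first. It assumes the ActiveDirectory RSAT module and Domain Admin rights, and belongs at the credential-rotation step of the recovery sequence above, after persistence has been removed.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory RSAT module and
# Domain Admin rights; the second reset is gated on replication of the first having converged.
Import-Module ActiveDirectory

function Get-KrbtgtState {
    # Read krbtgt's raw pwdLastSet from every writable DC; identical values mean replication converged.
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{ DC = $dc.HostName; PwdLastSetRaw = $k.pwdLastSet
                           PwdLastSet = [datetime]::FromFileTimeUtc($k.pwdLastSet) }
    }
}

function Reset-KrbtgtOnce([string]$Server) {
    # The value itself is never used again (the KDC derives its keys from it), so 64 random bytes.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Server $Server -Reset -NewPassword $pw
}

function Wait-KrbtgtConvergence([int]$TimeoutMinutes = 30) {
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $values = @((Get-KrbtgtState).PwdLastSetRaw | Select-Object -Unique)
        if ($values.Count -eq 1) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

$pdc = (Get-ADDomain).PDCEmulator
Reset-KrbtgtOnce -Server $pdc                      # first reset: new key issued, old key kept as previous
if (-not (Wait-KrbtgtConvergence)) {
    throw 'krbtgt pwdLastSet has not converged on all DCs; hold the second reset until it does'
}
Reset-KrbtgtOnce -Server $pdc                      # second reset: retires the pre-incident key
Wait-KrbtgtConvergence | Out-Null
Get-KrbtgtState | Format-Table -AutoSize
```

Expect every currently issued TGT to become invalid after the second reset; users and services re-authenticate transparently, which is also why rogue accounts and scheduled tasks must already be gone.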

This process typically takes days at minimum in a large environment, and weeks in organisations that do not have a clean asset inventory, documented service account dependencies, or tested incident response procedures. The organisations that recover fastest are the ones that made the investment before the incident.

Securing AD Is Not a One-Time Project

Active Directory security is an ongoing operational discipline, not a project with a completion date. The threat landscape moves. New attack techniques emerge. Environments change. Staff turnover means institutional knowledge about why certain configurations exist is lost. Legacy systems create pressure to keep NTLM enabled long past the point where it should have been deprecated.

The organisations that keep AD secure over time are those that treat it as a governed, audited, monitored asset with regular reviews, clear ownership, and well-practised response procedures. They know how many privileged accounts exist. They have tested what happens when a Domain Controller needs to be rebuilt. They have practised resetting KRBTGT and understand what it breaks. They have anomaly detection on authentication behaviour and someone whose job includes reviewing those alerts.

For businesses across Dubai and the UAE operating in a threat environment that saw ransomware groups actively targeting the region through 2025, that level of AD governance is not aspirational. It is the operational baseline.

iConnect’s incident response and cybersecurity services in Dubai include Active Directory security assessments, identity security architecture reviews, and managed detection capabilities that cover AD attack techniques. If your organisation has not had a structured review of your AD environment recently, or if you are managing a hybrid environment and want clarity on your actual exposure, our team is available to help you get there before an attacker does.
