Active Directory is at the center of many attacks because it remains the main source of identity and access management in the enterprise.

Hackers typically target Active Directory with various attack techniques covering many attack vectors. Let’s take a look at some of these attacks and what organizations can do to protect themselves.

Modern Active Directory Attacks Used by Threat Actors

Many different attacks targeting Active Directory Domain Services (AD DS) can compromise the environment. Note the following modern attacks used against AD DS.

  1. DCSync
  2. DCShadow
  3. Password spray
  4. Pass-the-hash
  5. Pass-the-ticket
  6. Golden ticket
  7. Service principal name
  8. AdminCount
  9. adminSDHolder

1. DCSync

Domain controllers hosting Active Directory Domain Services synchronize changes with each other through replication. An experienced attacker can mimic legitimate domain controller replication activity and use the DRSUAPI GetNCChanges request to pull credential hashes from the primary domain controller.

There are free and open-source tools, like Mimikatz, available to make this type of attack extremely easy.

Protect against DCSync attacks:

  • Implement good security practices for domain controllers, protecting privileged accounts with strong passwords
  • Remove unnecessary accounts from Active Directory, including service accounts
  • Monitor changes to domain groups and other activities
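One concrete way to monitor for DCSync activity is to watch Windows Security event 4662 for the directory replication control access rights being exercised by anything other than a domain controller. The script below is an added example, not code from the article or from Specops; the replication right GUIDs are the well-known Active Directory values, while the account names, domain and sample events are constructed.

```python
# Added example: flag DCSync-style replication requests in constructed
# Windows Security event 4662 records. Event 4662 is logged when an audited
# directory object is accessed; a replication request exercises the
# DS-Replication-Get-Changes rights, whose GUIDs appear in the Properties
# field. A legitimate replication partner is a DC computer account, so a
# non-DC principal asking for these rights is the signal to investigate.
from dataclasses import dataclass

# Control access right GUIDs for directory replication (well-known AD values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

@dataclass
class Event4662:
    subject_user: str     # account that performed the access
    subject_domain: str
    object_type: str      # e.g. "domainDNS" for the naming context
    properties: str       # access mask and property/right GUIDs, as logged

def is_replication_request(ev: Event4662) -> bool:
    """True if the event requests either replication control access right."""
    props = ev.properties.lower()
    return any(g in props for g in REPLICATION_GUIDS)

def suspicious_dcsync(events, dc_accounts):
    """Return replication requests not made by a known DC computer account.
    dc_accounts: SAM names of the domain controllers, e.g. {"DC01$"}."""
    known_dcs = {d.upper() for d in dc_accounts}
    hits = []
    for ev in events:
        if not is_replication_request(ev):
            continue
        if ev.subject_user.upper() in known_dcs:
            continue   # expected DC-to-DC replication
        hits.append(ev)
    return hits

# Constructed sample events for an imaginary CORP domain.
SAMPLE_EVENTS = [
    Event4662("DC02$", "CORP", "domainDNS",
              f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"),
    Event4662("jsmith", "CORP", "domainDNS",
              f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"),
    # Constructed, non-replication GUID: an ordinary attribute read.
    Event4662("jsmith", "CORP", "user", "{deadbeef-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for ev in suspicious_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"possible DCSync: {ev.subject_domain}\\{ev.subject_user}")
```

In a real environment the list of DC accounts comes from the Domain Controllers OU, and an alert for a user account should be correlated with the account's expected role, since some backup and identity products legitimately hold replication rights.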

2. DCShadow

The DCShadow attack is similar to DCSync in that it also abuses legitimate Active Directory replication traffic between domain controllers. DCShadow is implemented as a command in the Mimikatz lsadump module.

It uses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR). The attack lets an attacker register a rogue domain controller in the environment and replicate changes made on it to the legitimate domain controllers in the background. Such changes can include adding attacker-controlled accounts to the Domain Admins group.

Protect against DCShadow attacks:

  • Protect your environment from privilege escalation attacks
  • Use strong passwords on all protected accounts and service accounts
  • Do not use domain administrator credentials to log in to client PCs

3. Password spray

Password spray is a password attack that targets weak account passwords in Active Directory Domain Services. With password spraying, attackers pick a single common or weak password and try that same password against many Active Directory accounts.

It has an advantage over the classic brute-force attack: because the attacker tries only one password per account, the account lockout threshold is never reached. In this way, attackers can discover which of many users have weak passwords.

Protection against password spray attacks:

  • Enforce strong passwords by using good password policies
  • Prevent the use of incremental passwords or breached passwords
  • Prevent account password reuse
  • Encourage the use of passphrases for passwords

4. Pass the hash

Like other password databases, Active Directory stores passwords as hashes. A hash is a one-way mathematical representation of the cleartext password, so the password itself is never stored. A pass-the-hash attack lets an attacker who has obtained the hashed form of a user's password use that hash to create a new authenticated session on the same network and gain access to resources.

With this attack, the attacker does not need to know or crack the password; the hash alone is enough.

Protection against Pass-the-hash attacks:

  • Limit the number of users with administrator rights
  • Use hardened workstations as administrative jump boxes
  • Implement the Microsoft Local Administrator Password Solution (LAPS) for local accounts

5. Pass the ticket

Modern Active Directory environments use Kerberos, a ticket-based authentication protocol. Pass-the-ticket attacks use stolen Kerberos tickets to authenticate to resources in the environment.

With this attack, attackers can move laterally around an Active Directory environment, authenticate to resources as needed, and escalate their privileges.

Protection against pass-the-ticket attacks:

  • Use strong passwords, especially for administrator and service accounts
  • Eliminate breached passwords in the environment
  • Improve your overall security posture by following best practices in the environment

6. Golden ticket

The Golden Ticket attack is a cyberattack in which an attacker steals the NTLM hash of the Active Directory Key Distribution Center service account (KRBTGT). They can obtain this hash using other types of attacks. Once they have the KRBTGT hash, they can forge Kerberos tickets for themselves and grant others the ability to create tickets as well.

Detecting this type of attack is difficult and can lead to a long-term compromise.

Protect against Golden ticket attacks:

  • Change the KRBTGT password regularly, at least every 180 days
  • Enforce least privilege in your Active Directory environment
  • Use strong passwords

7. Service Principal Name

A service principal name (SPN) is a unique identifier for a service instance in Active Directory. Kerberos uses the SPN to associate a service instance, such as Microsoft SQL Server, with an Active Directory account. Kerberoasting attacks attempt to crack the password of the service account behind the SPN.

First, the attacker requests a Kerberos service ticket (TGS) for the SPN and captures the issued ticket, which is encrypted with the service account's key. Then they take the captured ticket offline and use tools like Hashcat to recover the service account's plaintext password.

Protect against Kerberoasting attacks:

  • Monitor for suspicious activity, such as unusual Kerberos service ticket requests
  • Use extremely strong passwords on service accounts and rotate them
  • Monitor usage of service accounts and other privileged accounts
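The "unusual service ticket requests" worth monitoring show up in Windows Security event 4769: one principal requesting tickets for many different user-backed SPNs in a short time, often with the weaker RC4-HMAC encryption type. The script below is an added example, not code from the article or from Specops; the event records, account names and thresholds are constructed, and the encryption type codes (0x17 for RC4-HMAC, 0x12 for AES256) are the standard Kerberos values.

```python
# Added example: spot Kerberoasting-style ticket requests in constructed
# Windows Security event 4769 (service ticket request) records. The tell is
# one principal requesting service tickets for many different SPN-backed
# user accounts in a short window, usually asking for RC4-HMAC (0x17) so the
# ticket is cheaper to crack offline. Computer accounts (names ending in "$")
# are excluded: their long random passwords are not realistic cracking targets.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed sample 4769 records:
# (timestamp, requesting user, service name, ticket encryption type)
SAMPLE_4769 = [
    ("2024-03-01T10:00:00", "jdoe", "svc_sql", "0x17"),
    ("2024-03-01T10:00:01", "jdoe", "svc_iis", "0x17"),
    ("2024-03-01T10:00:02", "jdoe", "svc_backup", "0x17"),
    ("2024-03-01T10:00:03", "jdoe", "svc_sharepoint", "0x17"),
    ("2024-03-01T10:00:04", "jdoe", "FILESRV01$", "0x17"),  # computer account, ignored
    ("2024-03-01T10:30:00", "mlee", "svc_sql", "0x12"),     # normal AES request
    ("2024-03-01T10:31:00", "mlee", "svc_iis", "0x12"),
]

def detect_kerberoasting(events, window=timedelta(minutes=5),
                         min_services=3, rc4_only=True):
    """Return {user: sorted service names} for users that requested tickets
    to at least `min_services` distinct non-computer services within
    `window`. With rc4_only=True only RC4-HMAC requests are counted; set it
    to False to catch tooling that requests AES tickets. All thresholds are
    assumed tuning values."""
    by_user = defaultdict(list)
    for ts, user, service, etype in events:
        if service.endswith("$"):
            continue
        if rc4_only and etype.lower() != RC4_HMAC:
            continue
        by_user[user].append((datetime.fromisoformat(ts), service))
    alerts = {}
    for user, items in by_user.items():
        items.sort()
        # Slide a window starting at each request from this user.
        for i, (start, _) in enumerate(items):
            services = {s for t, s in items[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts[user] = sorted(services)
                break
    return alerts

if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```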

8. AdminCount

Attackers typically perform reconnaissance of the environment once they gain low-level access to a network. One of the first things an attacker then seeks is to elevate their privileges, and to do that they need to know which accounts are privileged.

An Active Directory attribute, AdminCount, identifies users who have been added to protected groups, such as Domain Admins. By querying this attribute, an attacker can efficiently identify objects with administrative privileges.

Protection against adminCount attacks:

  • Regularly monitor the adminSDHolder ACL for malicious users or groups
  • Monitor accounts with adminCount attribute set to “1”
  • Use strong passwords at all levels

9. adminSDHolder

Another common Active Directory attack vector is abusing the Security Descriptor Propagation process (SDProp) to gain privileged access.

What is SDProp?

SDProp is an automated process in Active Directory that runs every 60 minutes and copies the ACL from the adminSDHolder object to every user and group whose adminCount attribute is set to "1". An attacker who can modify the adminSDHolder ACL can add an unauthorized user or group to it.

SDProp will then adjust the permissions on every protected object to match the modified adminSDHolder ACL, thereby granting the attacker's principal privileges over all of them.

Protect against adminSDHolder attacks:

  • Regularly monitor the adminSDHolder ACL for malicious users or groups
  • Monitor accounts with adminCount attribute set to “1”
  • Use strong passwords at all levels
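The two monitoring items listed for AdminCount and adminSDHolder can be turned into a periodic audit: find accounts that still carry adminCount=1 but no longer belong to any protected group (SDProp never clears the flag, so they keep the privileged ACL and disabled inheritance), and diff the live adminSDHolder ACL against an approved baseline. The script below is an added example, not code from the article or from Specops; it runs over constructed directory data, and the account names, group memberships and ACEs are made up. The protected-group list is the default set for a modern domain.

```python
# Added example: audit adminCount and adminSDHolder on constructed directory
# data. Check 1 finds "orphaned" accounts: adminCount=1 but not in any
# protected group. Check 2 finds adminSDHolder ACL drift: ACEs on the object
# that the approved baseline does not contain, which SDProp would copy to
# every protected principal within the hour.
from dataclasses import dataclass, field

@dataclass
class Principal:
    sam: str
    admin_count: int = 0
    member_of: set = field(default_factory=set)

@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: str        # e.g. "GenericAll", "WriteDacl", "ReadProperty"
    ace_type: str = "Allow"

# Default protected groups (Administrator and krbtgt are protected users too).
PROTECTED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                    "Schema Admins", "Account Operators", "Backup Operators",
                    "Server Operators", "Print Operators", "Replicator",
                    "Domain Controllers", "Read-only Domain Controllers"}

def orphaned_admincount(principals):
    """SAM names flagged adminCount=1 that are in no protected group."""
    return sorted(p.sam for p in principals
                  if p.admin_count == 1 and not (p.member_of & PROTECTED_GROUPS))

def adminsdholder_drift(current_acl, baseline_acl):
    """ACEs present on adminSDHolder that the approved baseline lacks."""
    extra = set(current_acl) - set(baseline_acl)
    return sorted(extra, key=lambda a: (a.trustee, a.rights, a.ace_type))

# Constructed sample data for an imaginary CORP domain.
SAMPLE_PRINCIPALS = [
    Principal("admin_jane", 1, {"Domain Admins"}),
    Principal("ex_admin_bob", 1, set()),           # removed from group, flag never cleared
    Principal("svc_backup", 1, {"Backup Operators"}),
    Principal("alice", 0, {"Domain Users"}),
]
BASELINE_ACL = [Ace("CORP\\Domain Admins", "GenericAll"),
                Ace("CORP\\Enterprise Admins", "GenericAll"),
                Ace("NT AUTHORITY\\SYSTEM", "GenericAll")]
CURRENT_ACL = BASELINE_ACL + [Ace("CORP\\helpdesk_tom", "GenericAll")]  # unexpected ACE

if __name__ == "__main__":
    print("orphaned adminCount=1:", orphaned_admincount(SAMPLE_PRINCIPALS))
    print("adminSDHolder drift:", adminsdholder_drift(CURRENT_ACL, BASELINE_ACL))
```

Orphaned accounts should have adminCount cleared and ACL inheritance re-enabled once their removal from the group is confirmed, and any drift hit is a change to investigate rather than silently revert.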

Strengthen Active Directory Security with Specops Password Policy (SPP)

Active Directory is a prime target for attackers looking for easy ways to compromise critical business data.

Weak, breached, incremental, and other poorly chosen passwords often make it easy for accounts to be compromised. Unfortunately, Active Directory does not contain native tools to enforce modern password policies or protect against breached passwords.

Specops password policy helps organizations protect passwords against various types of Active Directory attacks and provides a natural extension of existing group policies. With the Specops password policy, organizations can:

  • Create custom dictionary lists to block words common to your organization
  • Find and prevent the use of over 3 billion compromised passwords with Breached Password Protection, which includes passwords found on lists of known breaches as well as passwords used in ongoing attacks.
  • Provide real-time dynamic feedback to end users on password change with Specops Authentication Client
  • Block usernames, display names, specific words, consecutive characters, incremental passwords and reuse of part of the current password
  • Target any GPO level, computer, user or group population

Protecting your Active Directory infrastructure from attack is crucial to your overall cybersecurity posture. Cybercriminals typically attack Active Directory accounts using many different attack vectors, including the ones we’ve listed.

Increasing the overall password security in the environment, enforcing good password hygiene, and eliminating breached, incremental, and otherwise weak passwords all help strengthen the security of your Active Directory environment and your privileged accounts.

Specops password policy with Breach Password Protection helps organizations achieve this goal efficiently and easily.

Sponsored and written by Specops software