Steps to Defend Against Active Directory Identity Threats

Steven Shapiro
July 10, 2025

Active Directory Is a Prime Target for Attacks

Perhaps no surprise here, but commonly cited industry estimates put the share of cyberattacks that involve Active Directory at over 90%.

Active Directory vulnerabilities, if unknown or not addressed, open the door to cyber attackers wishing to steal from you or do you harm. It is your responsibility to stop them.

Identity management infrastructure is complex and broad. Attackers can defeat many currently deployed defenses and find ways in. Once in, assume they look to spread their attacks as far as they can within your organization.

Common threats and exploits against Active Directory

  • Credential theft and authentication exploits

A range of weaknesses, such as weak or unenforced password policies, over-broad directory replication rights, and users susceptible to social engineering, can leave you open to credential theft attacks like:

Phishing: Users are lured to fake login pages that capture their credentials. If the fake page also proxies the real sign-in and captures the resulting session token, MFA is bypassed as well.

Password Spraying: Targeting weak passwords and weak password policies, attackers “spray” a few common passwords across many accounts, staying under lockout thresholds and below the noise floor of monitoring.

Credential Stuffing: Attackers already possessing valid username/password combinations from previous credential theft attacks can use them to attack at scale, executing millions of login requests quickly.

Kerberoasting: After compromising any valid domain account (via phishing or other means), the attacker requests Kerberos service tickets for accounts that have Service Principal Names (SPNs). Part of each ticket is encrypted with the service account's password hash, so the tickets are cracked offline, where no telemetry is generated, and the recovered plaintext password is used to access sensitive systems and data or to deploy malware. Accounts that still accept RC4 tickets are the easiest targets.

DCSync: An attacker who holds directory replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) impersonates a domain controller and uses the directory replication protocol to pull password hashes for any account, including KRBTGT, with tools such as Mimikatz.

Golden Ticket: Attackers gain persistent access by obtaining the KRBTGT account's password hash and forging their own ticket-granting tickets for any user, valid until KRBTGT is reset twice.

Token replay: Attackers intercept tokens using Adversary-in-the-Middle (AiTM) tools, for example, then have access even with MFA in place.

Pass-the-Hash: Password hashes are stolen and allow authentication without cleartext passwords.

Legacy protocol abuse: NTLM carries no second factor and is exposed to relay and pass-the-hash attacks, and LM and NTLMv1 responses are trivially cracked offline. Leaving these enabled opens the door to brute-force and relay attacks that Kerberos with AES would not allow.

  • Privilege escalation

Common techniques for escalating privileges in Active Directory include:

Horizontal escalation: Moving laterally between accounts with similar privileges to expand access.

Vertical escalation: Elevating from low-privilege accounts (e.g., standard user) to administrative roles.

Account manipulation: Adding users to privileged groups (e.g., Domain Admins, DNSAdmins).

Token theft: Impersonating high-privilege accounts via stolen access tokens.

Example:

Group Policy Object (GPO) abuse: These attacks exploit excessive permissions on GPOs in Active Directory to modify configurations across entire domains. Attackers can inject malicious tasks or disable security by modifying the GPOs. These attacks are commonly used to create backdoor accounts or scheduled tasks that enable sustained access.

  • Lateral Movement

Post-breach techniques let attackers pivot from the initial foothold across systems and reach high-value assets like domain controllers. Some examples:

Pass-the-Ticket: Stolen Kerberos tickets grant unauthorized access to remote systems.

Mimikatz: Credentials, hashes, and Kerberos tickets are extracted from LSASS memory and reused to move laterally.

PowerSploit/PowerView: PowerShell script execution for reconnaissance and lateral movement via SMB, WMI or DCOM.

Kerberos delegation attacks: Misconfigured delegation is used to impersonate users across services.

Approaches to defending against attacks

Traditional approaches to securing identity management have limitations. Privileged Identity Management (PIM) and Privileged Access Management (PAM) solutions don't completely protect against exploitation of privileged accounts, service accounts, and the legacy credentials those accounts may still hold. Misconfigurations or gaps in coverage can allow attackers to escalate privileges or activate admin roles that went dormant but were never removed. All of this may go undetected, and manual review of audit logs is tedious and error prone.

Better ways to bolster your defenses

So, what can be done to better protect Active Directory from attacks? That is best answered in three phases: 1) Awareness of vulnerabilities; 2) Awareness of in-process identity threats and exploits; and 3) Actions to take to address vulnerabilities and the spread of ongoing attacks.

Indicators of Exposure (IOEs): Before attacks occur, vulnerabilities lurk. To be proactive, security operations teams must find those vulnerabilities and then determine the best way to fix each of them.

A few examples of IOEs:

  • Use of weak passwords or default credentials

  • Unenforced MFA policies

  • Misconfigured permissions

  • Open ports incorrectly exposed to external access

  • Unpatched software with known vulnerabilities

  • Expired SSL certificates

IOEs identify risks – allowing operations teams to fix them before an attack occurs. Penetration tests and configuration auditing are helpful to surface these.

Indicators of Compromise (IOCs): Some liken an IOC to a piece of forensic evidence – it is data that identifies potentially malicious activity. A security breach has perhaps already happened, or an attack is underway.

Examples of IOCs:

  • Unusual network traffic, maybe with malicious IPs, or sudden spikes in abnormal activity.

  • Malicious domain names or URLs.

  • Registry changes or file modifications.

  • Suspicious login attempts.

  • Suspicious process executions.

  • File hashes of known malware.

These are investigative. Obtaining these pieces of evidence allows the security team to detect breaches and more fully understand the scope and nature of an attack. They are utilized by many SIEM systems and threat intelligence platforms to detect threats in logs and on networks.

Actions to take: Best practices for improving your security posture and minimizing effects of infiltrations by bad actors

Remediation of vulnerabilities is an iterative process requiring both IOEs and IOCs for full knowledge of the extent of the attack surface all the time. Continuously monitor for IOE and IOC events so appropriate steps can be taken as new evidence of security gaps or malicious behavior are found.

Many indicators are mentioned in the best practices below.

Steps to Active Directory Attack Surface Hardening

1. Implement Least Privilege Models

Assign users the minimum permissions necessary for their roles. Avoid granting excessive privileges, especially for day-to-day tasks. Use just-in-time or privileged access management (PAM) solutions to grant admin rights only when needed and revoke them automatically after the task is complete. Delegate only permissions necessary.

For example: The ability to add machine/computer accounts must be controlled closely. By default, ms-DS-MachineAccountQuota lets any authenticated user join up to 10 computers to the domain; set it to 0 and instead delegate the Create Computer Objects permission on the specific OU where computer accounts should be created.

For sensitive resources, use RBAC to systematically restrict access. And place highly privileged accounts in protected groups, like the “Protected Users” group.

Follow MITRE ATT&CK mitigation guidance: T1003, T1558, T1134, M1026, M1015, M1018
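Step 1 in PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and a hypothetical OU `OU=Workstations` and group `Workstation-Joiners`; adjust both to your forest. The Protected Users step needs a Windows Server 2012 R2 or later domain functional level and should be tried on one account first, because members lose NTLM, RC4 and delegation.

```powershell
# Added example (not from the original post): restrict who can create computer
# objects and move high-privilege accounts into Protected Users.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$joinersOU   = "OU=Workstations,$($domain.DistinguishedName)"   # assumed OU
$joinerGroup = "$($domain.NetBIOSName)\Workstation-Joiners"      # assumed group

# 1. ms-DS-MachineAccountQuota defaults to 10: every authenticated user may add
#    10 computer accounts. Set it to 0 so only delegated principals can.
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }

# 2. Delegate "Create Computer objects" on the workstation OU only.
#    dsacls: /I:T = this object and sub-objects, CC = create child,
#    ";computer" = limited to the computer object class.
& dsacls.exe $joinersOU /I:T /G "${joinerGroup}:CC;computer"

# 3. Put the user members of Domain Admins into Protected Users. Membership
#    disables NTLM, DES/RC4 Kerberos, delegation and long-lived TGTs for them.
#    Never add service or computer accounts to this group.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
Add-ADGroupMember -Identity 'Protected Users' -Members $admins

# 4. Verify: quota is 0, and the OU ACL carries only the intended create right.
(Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
(Get-Acl -Path "AD:\$joinersOU").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The `AD:` drive used in the verification step is created automatically when the ActiveDirectory module loads. Review the ACL output for any principal other than the delegated group and the built-in administrative groups; anything else is a candidate for removal.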

2. Setup and Enforce Authentication and Access Controls

Enable Kerberos pre-authentication for all accounts to defend against AS-REP Roasting attacks. And enforce strong, unique passwords (ideally passphrases of at least 30 characters). Monitor for accounts configured without Kerberos pre-authentication or with weak passwords and raise alerts for immediate awareness and remediation.

Require MFA for all users, neutralizing the use of stolen passwords for infiltration. Note that Kerberos and NTLM themselves carry no second factor, so MFA has to be enforced wherever AD credentials are consumed: VPN and remote access gateways, RDP and privileged access workstations, and federated or Entra ID sign-ins. Require robust authentication for every connection; implicit trust helps attackers.

Use IP allowlisting for network-level control.

Disable or delete inactive, orphaned, or unnecessary user and service accounts. Continuous or regular monitoring will detect these.

MITRE ATT&CK mitigation guidance: T1556.001, T1621, T1040, M1015, M0915, M1036, M1018
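An audit for the conditions step 2 describes, as an added example that is not from the original post. It assumes the RSAT ActiveDirectory module and rights to modify user accounts; the 90-day and 365-day thresholds are assumptions you should align with your own policy. Only the pre-authentication fix is applied automatically; the stale-account step runs with `-WhatIf` until the list has been reviewed.

```powershell
# Added example (not from the original post): find AS-REP roastable accounts,
# Kerberoasting targets with stale or RC4-capable passwords, risky password
# flags, and inactive accounts.
Import-Module ActiveDirectory

# a) userAccountControl bit 0x400000 = DONT_REQUIRE_PREAUTH. Anyone on the network
#    can request an AS-REP for these accounts and crack it offline. Re-enable pre-auth.
$noPreAuth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
foreach ($u in $noPreAuth) {
    Write-Warning "Kerberos pre-authentication disabled: $($u.SamAccountName)"
    Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false
}

# b) User accounts with an SPN are Kerberoasting targets. Report those whose
#    password is older than a year or whose msDS-SupportedEncryptionTypes does
#    not include AES (bits 8 and 16); unset means the KDC default, historically RC4.
$cutoff = (Get-Date).AddDays(-365)
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
  Where-Object { $_.PasswordLastSet -lt $cutoff -or -not ([int]$_.'msDS-SupportedEncryptionTypes' -band 24) } |
  Select-Object SamAccountName, PasswordLastSet,
      @{ n = 'EncTypes'; e = { [int]$_.'msDS-SupportedEncryptionTypes' } },
      @{ n = 'SPNs';     e = { $_.ServicePrincipalName -join ';' } }

# c) Password never expires (0x10000) or reversible encryption (0x80) set.
Get-ADUser -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=128))' `
    -Properties PasswordNeverExpires, AllowReversiblePasswordEncryption |
  Select-Object SamAccountName, PasswordNeverExpires, AllowReversiblePasswordEncryption

# d) Enabled user accounts with no logon in 90 days. Disable rather than delete,
#    so the SID still resolves during later investigations.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(90)) -UsersOnly |
  Where-Object { $_.Enabled }
$stale | Disable-ADAccount -WhatIf   # drop -WhatIf after reviewing the list
```

Run the SPN report before changing any service account password: the accounts it lists with an old password and no AES bit are the ones an attacker would pick first, and rotating them to a long random value removes the value of any ticket already captured.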

3. Adopt Tiered Administration and Network Segmentation

Separate administrative activities by implementing a tiered model (e.g., Tier 0 for domain controllers and identity infrastructure, Tier 1 for servers, Tier 2 for workstations and end users). Admin accounts are then bound to a tier and never log on to a lower tier; Tier 0 credentials never touch a workstation. The goal is to keep a malicious actor who has compromised a workstation from pivoting to domain controllers: credentials stolen on a Tier 2 host are never Tier 0 credentials, which blunts pass-the-hash and ticket-theft lateral movement.

Restrict administrative access to dedicated, hardened workstations that are isolated from internet access and general user environments.

Domain controllers and other core identity infrastructure components should be isolated from all other workstations and servers.

Enforce the tiers with “Deny log on” user rights (or Authentication Policy Silos), then use penetration tests and alert on cross-tier authentication attempts (e.g., a Tier 0 account logging on to a Tier 1 host) to validate segmentation and make corrections where necessary.

MITRE ATT&CK mitigation guidance: T1482, T1536.002, T1136, T1098, M1015, M1026, M1030
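The cross-tier check, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a hypothetical group `Tier0-Admins` holding the Tier 0 accounts, and remote read access to the Security log of the Tier 1 servers; the server names are constructed for the example.

```powershell
# Added example (not from the original post): flag Tier 0 accounts that have
# logged on to hosts outside Tier 0 in the last 24 hours, from event 4624.
Import-Module ActiveDirectory

$tier0Accounts = Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } | Select-Object -ExpandProperty SamAccountName
$tier1Servers  = 'APP01', 'FILE01'          # constructed list of Tier 1 hosts
$since         = (Get-Date).AddHours(-24)

# Interactive (2), Batch (4), Service (5) and RemoteInteractive (10) logons leave
# reusable credentials on the host, so those are the ones a Tier 0 account must
# never perform outside Tier 0. Network logons (3) leave no reusable secret and
# are excluded to keep the signal clean.
$riskyLogonTypes = '2', '4', '5', '10'

foreach ($server in $tier1Servers) {
    $events = Get-WinEvent -ComputerName $server -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> elements; turn it into a hashtable.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.LogonType -in $riskyLogonTypes -and $data.TargetUserName -in $tier0Accounts) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Host      = $server
                Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType = $data.LogonType
                SourceIP  = $data.IpAddress
                Process   = $data.ProcessName
            }
        }
    }
}
```

Every row this prints is a tiering violation, whether by a careless admin or an attacker with a stolen Tier 0 credential; in a SIEM the same logic runs as a correlation rule on 4624 with the Tier 0 group as a lookup list.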

4. Harden and Monitor Service Accounts

Service accounts are high-value targets for attacks in Active Directory because of their elevated privileges and broad access. They deserve special attention in your attempts to reduce the attack surface and repel attackers.

Wherever possible, use Group Managed Service Accounts (gMSAs) for automated password management and rotation, reducing the risk of password-based attacks on service accounts.

Don’t copy old service accounts. Instead, create service accounts from scratch to avoid excessive permissions. Regular audits of service account permissions and usage can detect unnecessary access.

MITRE ATT&CK mitigation guidance: M1015, M1026, T1078

5. Apply Secure Configuration

Deploy domain controllers using the Server Core installation option, minimizing installed components and so reducing possible vulnerabilities. Disable legacy protocols (NTLM, SMBv1) and unused services (IIS, Print Spooler) on domain controllers. Retire NTLM in stages: enable NTLM auditing first, review the NTLM operational log for clients that still depend on it, and only then restrict incoming NTLM.
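The protocol and service hardening above as a script, added here as an example that is not from the original post. It assumes it is run elevated on each domain controller (the same settings can be deployed through a GPO linked to the Domain Controllers OU) and that the NTLM audit log will be reviewed before `RestrictReceivingNTLMTraffic` is raised from 0.

```powershell
# Added example (not from the original post): legacy protocol and service
# hardening on a domain controller. NTLM goes to AUDIT first; blocking it
# before reviewing the audit events breaks any remaining NTLM-only clients.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

# "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" = 2 (all accounts)
# "Network security: Restrict NTLM: Incoming NTLM traffic"       = 0 (allow) until the audit is clean
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic    -Value 2 -Type DWord
Set-ItemProperty -Path $msv -Name RestrictReceivingNTLMTraffic -Value 0 -Type DWord
# Refuse LM and NTLMv1 responses now; only NTLMv2 is accepted (LmCompatibilityLevel 5).
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord

# SMBv1 has no signing negotiation protection and no supported client needs it.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Uninstall-WindowsFeature -Name FS-SMB1

# The Print Spooler has no business on a DC; it is a remote code execution and
# authentication coercion surface. Stop it and keep it stopped.
Stop-Service -Name Spooler -Force
Set-Service  -Name Spooler -StartupType Disabled

# Verify the result.
Get-ItemProperty -Path $msv | Select-Object AuditReceivingNTLMTraffic, RestrictReceivingNTLMTraffic
Get-SmbServerConfiguration  | Select-Object EnableSMB1Protocol
Get-Service -Name Spooler   | Select-Object Status, StartType
# NTLM audit events (8001-8004) land in this log; each one names a client that
# still authenticates with NTLM and must be fixed before restricting.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Once the operational log has been quiet for a full business cycle (month-end jobs included), raise `RestrictReceivingNTLMTraffic` to 2 to deny all incoming NTLM on the DC.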

Enable advanced auditing for Active Directory object changes and watch the resulting events: 4738 (user account changed), 4742 (computer account changed), 4728/4732/4756 (member added to a global/local/universal group), and 4662 (operation performed on a directory object), which is where DCSync replication requests surface.

MITRE ATT&CK mitigation guidance: T1543, M1026, M1028, M1047, T1562.010, M1041, T1197

6. Enforce Patch Management

Patch management is often considered the most effective single activity for reducing the attack surface in AD, and patching promptly as new vulnerabilities are disclosed keeps that surface from growing.

Regularly update and patch all Active Directory systems, including domain controllers and administrative hosts, to address known vulnerabilities, reducing ways in for attackers.

MITRE ATT&CK mitigation guidance: M1051

7. Implement Continuous Monitoring

Monitoring is widely considered essential to improving the Active Directory security posture, allowing you to detect suspicious activity and threats quickly.

Monitor all changes to users, roles, groups, delegations, and policies. This includes tracking who made a change, when, and what was changed. Monitor directory changes, privileged account activities, and authentication attempts to detect suspicious behavior quickly. Set up real-time alerts for critical changes.

MITRE ATT&CK mitigation and data source guidance: T1558, T1003.006, T1098, M1015, DS0026
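Two of the detections step 7 asks for, written against a domain controller's Security log as an added example that is not from the original post. It assumes the "Directory Service Access" and "Security Group Management" audit subcategories are enabled, that the domain head carries a SACL auditing the replication control access rights (so 4662 fires for DCSync), and that the script runs on the DC or with remote read access to its Security log. The allowlist pattern for directory synchronization accounts is an assumption to adapt.

```powershell
# Added example (not from the original post): DCSync attempts from non-DC
# principals (4662) and membership changes to privileged groups (4728/4732/4756).

function Get-EventFields($Event) {
    # Turn a Security event's <EventData> into a hashtable keyed by field name.
    $fields = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $fields[$_.Name] = $_.'#text' }
    $fields
}

$since = (Get-Date).AddHours(-1)

# 1. DCSync: a replication pull shows up as 4662 with the control access right
#    DS-Replication-Get-Changes-All in the Properties field. Legitimate callers are
#    domain controllers (computer accounts, name ends in $) and directory sync
#    service accounts; anything else is an alert.
$getChangesAll  = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
$allowedCallers = @('^MSOL_[0-9a-f]+$')   # assumed pattern for sync service accounts
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $f = Get-EventFields $_
    $isAllowed = [bool]($allowedCallers | Where-Object { $f.SubjectUserName -match $_ })
    if ($f.Properties -match $getChangesAll -and $f.SubjectUserName -notmatch '\$$' -and -not $isAllowed) {
        [pscustomobject]@{ Time = $_.TimeCreated; Alert = 'Possible DCSync'
                           Account = "$($f.SubjectDomainName)\$($f.SubjectUserName)"; Object = $f.ObjectName }
    }
  }

# 2. Additions to privileged groups. TargetUserName holds the group name and
#    MemberName the added principal's distinguished name.
$watched = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
           'Account Operators', 'Backup Operators', 'DnsAdmins', 'Group Policy Creator Owners'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $f = Get-EventFields $_
    if ($f.TargetUserName -in $watched) {
        [pscustomobject]@{ Time = $_.TimeCreated; Alert = 'Privileged group change'
                           Group = $f.TargetUserName; Member = $f.MemberName
                           By = "$($f.SubjectDomainName)\$($f.SubjectUserName)" }
    }
  }
```

The first rule is the one most worth forwarding to a SIEM in real time: a DCSync by an ordinary user account is rarely anything but an attacker who already holds replication rights, and the KRBTGT hash leaves with it.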

8. Use Auditing Wisely

Auditing will help you detect and investigate potential threats early. Retain the resulting logs so that they are available to guide an investigation later.

Audit successful account management, successful directory service access, and successful and failed logon events. Mitigate threats by auditing for relevant events such as configuration changes, group memberships, delegations and privilege assignments.

MITRE ATT&CK mitigation guidance: T1003.006, T1558.003, T1134, T1558.001, T1036, T1556, T1070

9. Encrypt and Backup Critical Data

Security is constructed in layers. Encryption and data backups add critical layers to your overall security posture. Do not leave these out of your overall security plans.

Regular data backups ensure business resilience if data are compromised by malicious actors. And your last line of defense around sensitive and business critical identity security data is encryption.

Encryption

Data at rest and in transit call for protection beyond the Active Directory defaults: require AES (AES-256) for Kerberos and remove RC4 and DES from the encryption types accounts advertise, require LDAP signing and channel binding on domain controllers, and encrypt the volumes that hold the NTDS database and its backups. Combine with continuous monitoring and regular audits, allowing early detection of suspicious activity and misconfigurations.

MITRE ATT&CK Mitigation using encryption: T1556.005, T1558, M1015, M1041, M104, T1557, T1558, T1003, T1040
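The Kerberos and LDAP part of this, as an added example that is not from the original post. It assumes the RSAT ActiveDirectory module, rights to edit the accounts it lists, and that the registry lines run on each domain controller; the `Set-ADObject` call is left commented out because an RC4-only client of a service stops working the moment its service account goes AES-only.

```powershell
# Added example (not from the original post): enforce AES Kerberos encryption
# types, note the KRBTGT reset procedure, and require LDAP signing and
# channel binding on domain controllers.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags
$DES_CRC = 1; $DES_MD5 = 2; $RC4 = 4; $AES128 = 8; $AES256 = 16
$aesOnly = $AES128 -bor $AES256   # 24
$weak    = $DES_CRC -bor $DES_MD5 -bor $RC4

# 1. Every SPN-bearing user or computer that still allows RC4/DES (or leaves the
#    attribute unset, which the KDC resolves through its default, historically RC4).
#    AES service tickets are far slower to crack offline than RC4 ones.
$spnAccounts = Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(|(objectClass=user)(objectClass=computer)))' `
    -Properties 'msDS-SupportedEncryptionTypes'
foreach ($a in $spnAccounts) {
    $etypes = [int]($a.'msDS-SupportedEncryptionTypes')
    if (($etypes -band $weak) -or $etypes -eq 0) {
        Write-Output "RC4/DES allowed on $($a.Name) ($($a.ObjectClass)), etypes=$etypes"
        # Uncomment after confirming no client of this service is RC4-only:
        # Set-ADObject -Identity $a -Replace @{ 'msDS-SupportedEncryptionTypes' = $aesOnly }
    }
}

# 2. KRBTGT: after changing its encryption types, or after any suspected Golden
#    Ticket, reset the password twice with at least the maximum TGT lifetime
#    (10 hours by default) between resets. Only the second reset invalidates
#    tickets forged with the old key. A reset is a plain password change:
#   Set-ADAccountPassword -Identity krbtgt -Reset `
#       -NewPassword (ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force)

# 3. LDAP signing and channel binding stop the LDAP half of NTLM relay attacks.
#    These are the registry values behind the corresponding DC policy settings.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity       -Value 2 -Type DWord   # 2 = require signing
Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -Value 2 -Type DWord   # 2 = always
```

Run the encryption-type report first and fix the service accounts it names one at a time; the KRBTGT double reset is the step that closes the Golden Ticket exposure described earlier in this post, and the replication lag between the two resets is why the wait matters.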

Backups

Encrypt backup files. Store them in encrypted locations, both onsite and offsite, to prevent attackers gaining access to sensitive Active Directory data.

Back up at least two domain controllers per domain for redundancy and resilience. With reliable backups available, data can be restored after a ransomware attack without paying a ransom.

Immutable Backups: Use write-once-read-many (WORM) storage.

Offsite and Isolated Storage: Store backups in cloud services or physical offsite locations to ensure availability during onsite breaches.

Regular Testing: Validate backup integrity by periodically restoring backups to confirm recoverability.

MITRE ATT&CK mitigation using backups: M1053, T1486, T1490

Conclusion

By systematically taking the actions in this post, organizations can significantly reduce the attack surface of Active Directory, improving their overall security posture and resilience against identity-based threats.

Want to know more? You can read more about reducing the attack surface of Entra ID in the second post of this series.
