
Why Active Directory remains the number one target for cyberattacks

Published on 5 January 2026

More than 9 out of 10 attacks involve Active Directory (AD). As the nerve centre of a company's information system, it centralises identity and access management. But this concentration of power also makes it the «Holy Grail» for cybercriminals. Discover the most common weaknesses and how to prevent an insecure AD from compromising your entire IT system.


Every year confirms the same trend: when a cyberattack succeeds, Active Directory almost always appears somewhere in the chain of compromise. Regardless of the initial point of entry, the objective remains the same: taking control of identity means taking control of the information system.

The central role of Active Directory

First, it is important to understand what Active Directory (AD) is: it is the directory service that centralises identity and access management in Windows environments.

AD is not only used to create user accounts. It defines who can connect, to what, with what rights and under what conditions. It orchestrates authentication, privilege delegation, application access, and trust between machines.

In other words, AD is the foundation of trust for the IS. Once an attacker controls it, they no longer need to bypass security controls: they act as a legitimate user, with legitimate credentials and legitimate rights.

Why AD has become the favourite target of hackers

First and foremost, the very architecture of AD makes it a strategic target. Identities are no longer just one element of the IS among others: they define who can do what, on which resources and when. Instead of attacking isolated services, attackers now target identity to obtain a pivot, a foothold from which to move around the IS.

Next, the accumulated complexity of AD poses a problem. Most AD forests (a logical group of one or more domains) carry more than ten years of legacy. Over time, teams have added service accounts, stacked GPOs (Group Policy Objects: rules deployed on workstations and servers) and granted «temporary» rights that were never withdrawn.

Unlike a modern application that can be rewritten, AD lives with its past. This accumulation lets attackers easily find over-privileged groups, excessive rights or forgotten accounts: so many paths to higher privileges.

Furthermore, although Microsoft now offers advanced protection mechanisms, few organisations activate or configure them correctly.

In reality, many organisations are reluctant to touch AD. They fear the impact on production. This understandable caution, however, lets identity-related technical debt accumulate, and attackers exploit it methodically.

For example, the «Protected Users» group, introduced with Windows Server 2012 R2, severely restricts what can be done with stolen credentials. For its members it blocks NTLM (the legacy Windows authentication protocol), forces Kerberos (modern ticket-based authentication) to use AES rather than DES or RC4, limits ticket-granting ticket lifetime to four hours, prevents credentials from being cached on the workstation and blocks Kerberos delegation of the account.

However, these protections only apply when the domain controllers (and, for the client-side part, the workstations) run Windows Server 2012 R2 / Windows 8.1 or later, and the member accounts must have AES Kerberos keys, which only exist if the password was set after the domain started supporting AES. In practice this means resetting old admin passwords before adding the accounts to the group, otherwise their Kerberos logons fail.

How attacks exploit AD

In practice, the attacker does not usually break through AD like a barrier. They exploit its legitimate mechanisms to their advantage. A common scenario begins with targeted phishing or the compromise of a user workstation.

From there, the attacker enumerates the directory (collecting information: accounts, groups, machines). They list the groups, identify privileged accounts and locate service accounts. This phase uses ordinary LDAP queries that any domain user may issue, so it remains discreet and often goes unnoticed without dedicated monitoring.

They then follow up with some well-known techniques:

  • Kerberoasting: the attacker requests Kerberos service tickets for accounts that have a service principal name (SPN); each ticket is encrypted with that account's password-derived key, so it can be cracked offline, and a weak or never-changed service password falls quickly.
  • Pass-the-Hash (PtH): the attacker reuses a recovered NTLM hash to authenticate to other resources without knowing the password.
  • Abuse of delegations or GPOs: the attacker escalates privileges through poorly controlled rights on accounts, organisational units or Group Policy Objects.
  • DCSync: the attacker uses directory replication rights to ask a domain controller for directory secrets, exactly as a legitimate DC would, and obtains every password hash in the domain. At this point the domain is fully compromised.

Each of these steps relies on standard AD protocols, which lets the attacker progress without triggering an alarm if monitoring is lacking.

And yet the weaknesses exploited are often basic.

Contrary to popular belief, AD attacks do not rely on sophisticated vulnerabilities or zero-day exploits, but rather on persistent bad practices. Among the most common risks are:

  • Groups with excessive membership or privileges (Domain Admins, Enterprise Admins).
  • Service accounts that are not segmented and use static passwords.
  • Passwords that are never renewed, which makes Kerberoasting far more effective.
  • The absence of MFA on sensitive accounts, even though NIS 2 and modern best practices recommend it.
  • Reduced visibility into authentication behaviour, which makes abnormal actions hard to spot.

In practice, inherited rights, dormant accounts, and approximate configurations are sufficient to accelerate an escalation.
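The Kerberoasting and stale-password points above can be checked directly against the directory. The following PowerShell script is an added example written for this article, not code from the original page or from Microsoft; it assumes the ActiveDirectory RSAT module and read access to the domain, and the one-year password-age threshold and the list of Tier-0 groups are assumptions to adapt.

```powershell
# Added example (not from the original article): audit accounts exposed to Kerberoasting.
# Any enabled account with a servicePrincipalName can have a service ticket requested for it;
# the ticket is encrypted with the account's key, so an old password or RC4 encryption
# makes offline cracking realistic. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365                       # hypothetical threshold
$Cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Groups whose membership turns a cracked service password into a domain compromise.
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

$Exposed = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf, AdminCount |
  ForEach-Object {
    $enc = $_.'msDS-SupportedEncryptionTypes'
    # Bits: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256. Null or 0 means the legacy default (RC4).
    $AllowsRc4 = (-not $enc) -or (($enc -band 0x4) -ne 0)
    $AesOnly   = [bool]$enc -and (($enc -band 0x18) -ne 0) -and (($enc -band 0x4) -eq 0)
    # Direct memberships only; nested membership needs Get-ADGroupMember -Recursive on each group.
    $Privileged = @($_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name } | Where-Object { $Tier0Groups -contains $_ })
    [pscustomobject]@{
      SamAccountName   = $_.SamAccountName
      SPNs             = ($_.ServicePrincipalName -join ';')
      PasswordLastSet  = $_.PasswordLastSet
      PasswordStale    = ($_.PasswordLastSet -lt $Cutoff)
      AllowsRc4        = $AllowsRc4
      AesOnly          = $AesOnly
      AdminCount       = [int]$_.AdminCount       # 1 = protected by AdminSDHolder, i.e. privileged at some point
      PrivilegedGroups = ($Privileged -join ';')
    }
  }

# Highest risk first: privileged, RC4-capable, oldest password.
$Exposed |
  Sort-Object @{ e = { $_.PrivilegedGroups -ne '' }; Descending = $true },
              @{ e = { $_.AllowsRc4 }; Descending = $true },
              PasswordLastSet |
  Format-Table SamAccountName, PasswordStale, AllowsRc4, AesOnly, AdminCount, PrivilegedGroups -AutoSize
```

Any line that shows a privileged group, RC4 allowed and a stale password is the account a Kerberoaster will crack first. The durable fix is to move such services to group Managed Service Accounts (`New-ADServiceAccount`), whose 240-character passwords rotate automatically, and to set `msDS-SupportedEncryptionTypes` to AES only (0x18) on any SPN account that must keep a static password.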

So, how can you really secure Active Directory?

What concrete measures can be taken to reduce this attack surface?

First, regain control of privileges

Start by applying the principle of least privilege (grant only the rights that are necessary). Segment rights by creating specific roles and avoid using highly privileged groups for day-to-day administration. This limits the impact of a compromised account.

As a reminder, AD contains critical built-in groups such as Domain Admins, Enterprise Admins and Schema Admins; compromising any of them gives control over the entire forest. Their membership should be small, reviewed regularly and limited to dedicated administration accounts that are never used for e-mail, browsing or routine work.

Next, activate the protected accounts.

Microsoft provides a native mechanism that is often underutilised: the Protected Users group for administrative accounts. Membership prevents several forms of credential theft: no NTLM authentication, so a stolen NTLM hash cannot be replayed with Pass-the-Hash; Kerberos restricted to AES, so tickets cannot be requested with weak RC4 encryption; no credential caching on the workstation; a four-hour ticket lifetime; and no Kerberos delegation of the account.

Implement authentication policies and silos.

This allows you to further restrict the conditions under which certain accounts can authenticate or obtain tickets.

These policies, combined with regular audits of members of sensitive groups, provide a better defensive posture.
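The three steps above (review the Tier-0 groups, add the admin accounts to Protected Users, bind them to an authentication policy silo) can be carried out from PowerShell. The script below is an added example written for this article, not code from the original page or from Microsoft; it assumes the ActiveDirectory RSAT module and Domain Admin rights, and the account names `adm-alice` and `adm-bob`, the computer group `Tier0-PAWs` and the policy and silo names are hypothetical.

```powershell
# Added example (not from the original article): harden Tier-0 admin accounts.
# Assumes RSAT ActiveDirectory module and Domain Admin rights. Names below are hypothetical.
Import-Module ActiveDirectory

$AdminAccounts = 'adm-alice', 'adm-bob'          # hypothetical dedicated admin accounts
$PawGroup      = 'Tier0-PAWs'                      # hypothetical group holding the admin workstations' computer accounts
$Tier0Groups   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 0. Review: anything in a Tier-0 group that is not one of the known admin accounts is a finding.
foreach ($g in $Tier0Groups) {
    Get-ADGroupMember $g -Recursive | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
        $u = Get-ADUser $_ -Properties LastLogonDate, PasswordLastSet
        if ($u.SamAccountName -notin $AdminAccounts) {
            Write-Warning ("{0}: unexpected member {1} (last logon {2}, password set {3})" -f $g, $u.SamAccountName, $u.LastLogonDate, $u.PasswordLastSet)
        }
    }
}

# 1. Prerequisites: DC-side Protected Users protections need every DC on Windows Server 2012 R2 (6.3) or later;
#    authentication policies and silos need domain functional level 2012 R2.
$OldDcs = Get-ADDomainController -Filter * |
    Where-Object { [version]($_.OperatingSystemVersion.Split(' ')[0]) -lt [version]'6.3' }
if ($OldDcs) { throw "Upgrade these domain controllers first: $($OldDcs.HostName -join ', ')" }
$Domain = Get-ADDomain
if ([int]$Domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
    throw "Raise the domain functional level to Windows Server 2012 R2 first (current: $($Domain.DomainMode))"
}

# 2. Protected Users. Members need AES Kerberos keys, which only exist if the password was set on a DC
#    that supports AES (Server 2008 or later): reset old passwords before adding, or Kerberos logon fails.
foreach ($acct in $AdminAccounts) {
    $u = Get-ADUser $acct -Properties PasswordLastSet
    if ($u.PasswordLastSet -lt (Get-Date).AddDays(-365)) {   # hypothetical staleness check
        Write-Warning "$acct : reset the password before adding it to Protected Users"
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct
}

# 3. Authentication policy: 4-hour TGT and a device condition that only lets members of $PawGroup
#    obtain tickets for these accounts. The condition is SDDL referencing the group SID.
$PawSid   = (Get-ADGroup $PawGroup).SID.Value
$FromPaws = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID($PawSid)}))"
New-ADAuthenticationPolicy -Name 'Tier0-AdminPolicy' -Enforce `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $FromPaws

# 4. Silo: binds the accounts to the policy. Start with -Enforce:$false to audit only, review
#    events 4820/4821 (TGT / service ticket denied by policy) on the DCs, then enforce.
New-ADAuthenticationPolicySilo -Name 'Tier0-Silo' -Enforce `
    -UserAuthenticationPolicy 'Tier0-AdminPolicy' `
    -ComputerAuthenticationPolicy 'Tier0-AdminPolicy' `
    -ServiceAuthenticationPolicy 'Tier0-AdminPolicy'

foreach ($acct in $AdminAccounts) {
    Grant-ADAuthenticationPolicySiloAccess -Identity 'Tier0-Silo' -Account (Get-ADUser $acct)
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo 'Tier0-Silo'
}
```

Two caveats a practitioner should keep in mind: the device condition in step 3 only works when Kerberos armoring (FAST) and claims are enabled on the DCs and the admin workstations through the «KDC support for claims, compound authentication and Kerberos armoring» and matching client Group Policy settings; and every account placed in Protected Users or a silo should be tested from its PAW before the silo is enforced, because a misconfigured silo locks the administrators out rather than the attacker.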

Strengthening access through MFA

This should be second nature: apply MFA not only for external access, but also for high-value accounts, in accordance with NIS 2 recommendations. Multi-factor authentication drastically reduces the likelihood of compromise, even in the event of a password leak.

Finally, monitor and correct

Even with robust technical controls, it is necessary to actively monitor identity behaviour. This includes analysing abnormal Kerberos ticket requests, changes to sensitive groups and unusual authentications.

Modern identity-threat-detection tools that apply AI (Microsoft Defender for Identity, CrowdStrike Identity Protection, Exabeam or Securonix) can surface the weak signals of an attack: bursts of ticket requests, inconsistent access sequences, atypical lateral movements. Today, AI in cybersecurity relies primarily on UEBA: user and entity behaviour analytics.

In addition, integrating AD with network security solutions such as firewalls that use AD objects and groups directly in their policies further reduces the unauthorised access vectors and allows a more granular access policy.
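The monitoring described above does not require a commercial product to get started: the three techniques named earlier each leave a characteristic trace in the Security log of the domain controllers. The script below is an added example written for this article, not code from the original page or from any vendor. It runs its detections over a constructed set of events so that it executes offline; the account, host and service names are made up, while the event IDs, the encryption-type code and the replication-right GUIDs are the real Windows values. The thresholds are assumptions.

```powershell
# Added example (not from the original article): three detections over Security-log events.
# Replace $Events with Get-WinEvent -LogName Security on the DCs in production; the sample below is constructed.
$T = [datetime]'2026-01-05T08:00:00'
$Events = @(
  # 4769 = Kerberos service ticket requested. TicketEncryptionType 0x12 = AES256, 0x17 = RC4-HMAC.
  [pscustomobject]@{ Id=4769; Time=$T; Account='jdoe@CORP.LOCAL'; Service='MSSQLSvc/db01.corp.local:1433'; EncType='0x12'; IpAddress='10.0.1.50' }
  # Kerberoasting signature: one account asking for many RC4 tickets to different services within seconds.
  1..8 | ForEach-Object { [pscustomobject]@{ Id=4769; Time=$T.AddSeconds($_); Account='jdoe@CORP.LOCAL'; Service="svc$_/app$_.corp.local"; EncType='0x17'; IpAddress='10.0.1.50' } }
  # 4728 = member added to a security-enabled global group (4732 local, 4756 universal).
  [pscustomobject]@{ Id=4728; Time=$T.AddMinutes(3); Account='jdoe'; Group='Domain Admins'; Member='CN=svc-backup,OU=Services,DC=corp,DC=local' }
  # 4662 = operation on a directory object. The two GUIDs are DS-Replication-Get-Changes and
  # DS-Replication-Get-Changes-All: legitimate only when the requester is a domain controller.
  [pscustomobject]@{ Id=4662; Time=$T.AddMinutes(4); Account='DC02$'; ObjectType='domainDNS'; Properties='{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}'; IpAddress='10.0.0.2' }
  [pscustomobject]@{ Id=4662; Time=$T.AddMinutes(5); Account='jdoe'; ObjectType='domainDNS'; Properties='{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'; IpAddress='10.0.1.50' }
)

function Find-Kerberoasting {
    param($Events, [int]$MinServices = 5, [int]$WindowMinutes = 5)   # hypothetical thresholds
    $Events | Where-Object { $_.Id -eq 4769 -and $_.EncType -eq '0x17' } |
      Group-Object Account | ForEach-Object {
        $sorted   = $_.Group | Sort-Object Time
        $first    = $sorted[0].Time
        $inWindow = @($sorted | Where-Object { $_.Time -le $first.AddMinutes($WindowMinutes) })
        $services = @($inWindow.Service | Sort-Object -Unique)
        if ($services.Count -ge $MinServices) {
            [pscustomobject]@{ Detection='Kerberoasting'; Account=$_.Name
                               Detail="$($services.Count) RC4 service tickets in $WindowMinutes min from $($inWindow[0].IpAddress)" }
        }
      }
}

function Find-SensitiveGroupChange {
    param($Events, [string[]]$SensitiveGroups)
    $Events | Where-Object { $_.Id -in 4728, 4732, 4756 -and $_.Group -in $SensitiveGroups } | ForEach-Object {
        [pscustomobject]@{ Detection='SensitiveGroupChange'; Account=$_.Account; Detail="added $($_.Member) to $($_.Group)" }
    }
}

function Find-DCSync {
    param($Events, [string[]]$DomainControllers)
    $ReplGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    $Events | Where-Object { $_.Id -eq 4662 -and $_.Account -notin $DomainControllers } |
      Where-Object { $p = $_.Properties; @($ReplGuids | Where-Object { $p -match $_ }).Count -gt 0 } |
      ForEach-Object {
        [pscustomobject]@{ Detection='DCSync'; Account=$_.Account; Detail="replication rights used on $($_.ObjectType) from $($_.IpAddress)" }
      }
}

$Tier0  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Dcs    = 'DC01$', 'DC02$'                                    # hypothetical DC computer accounts
$Alerts = @(Find-Kerberoasting $Events) + @(Find-SensitiveGroupChange $Events $Tier0) + @(Find-DCSync $Events $Dcs)
$Alerts | Format-Table -AutoSize
```

Run on the sample, the AES ticket and the replication request from `DC02$` produce nothing, while the RC4 burst, the Domain Admins addition and the replication request by `jdoe` each raise one alert. For real logs, event 4769 requires the «Audit Kerberos Service Ticket Operations» subcategory, 4728/4732/4756 require «Audit Security Group Management», and 4662 only appears if «Audit Directory Service Access» is enabled and the domain object carries a SACL on the replication extended rights; without those audit settings the detections have nothing to read.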

Active Directory is not a problem because it is obsolete. It is a problem because it remains too powerful and too poorly monitored. By placing identity at the heart of their cybersecurity strategy, tightening essential settings and leveraging modern detection capabilities, organisations can drastically reduce their exposure.

Ultimately, securing AD does not mean rebuilding everything. It means understanding, simplifying, and regaining control.
