Last Updated on May 21, 2026 by Satyendra
Microsoft Active Directory is used by tens of thousands of organizations across the globe, including about 90% of Fortune 1000 companies, as a way to manage access to resources on their networks. Companies are also taking advantage of Microsoft’s cloud-based equivalent, Entra ID (Azure AD). As you would expect, both Active Directory and Entra ID are prime targets for cybercriminals looking to steal sensitive data and engage in other types of malicious activity.
Active Directory attacks are techniques cybercriminals use to exploit Microsoft’s directory service to gain unauthorized access, steal credentials, or escalate privileges within an organization’s network. According to Microsoft’s Digital Defense Report, identity-based attacks targeting Active Directory have increased significantly, with credential theft and privilege escalation among the most frequently observed tactics mapped to the MITRE ATT&CK framework.
What are the most common Active Directory attack methods?
It is imperative that organizations are aware of the most common ways attackers can compromise Active Directory, as explained below.
- Kerberoasting
- Password Spraying
- Link-Local Multicast Name Resolution (LLMNR)
- Pass-the-hash with Mimikatz
- Default Credentials
- Hard-coded Credentials
- Privilege Escalation
- LDAP Reconnaissance
- BloodHound Reconnaissance
- NTDS.dit Extraction
1. Kerberoasting
What it is: Kerberoasting is an attack technique that targets service accounts by exploiting the ServicePrincipalName (SPN) attribute to extract and crack password hashes offline (MITRE ATT&CK T1558.003).
How it works: Services register their SPNs on the AD account they run under. Any authenticated domain user can request a Kerberos service ticket for an SPN, and part of that ticket is encrypted with the service account's password hash, so the ticket can be taken offline and cracked without further contact with the domain controller. Adversaries therefore enumerate SPN-bearing accounts and, where they have write access to user objects, may also add SPN values to accounts of their choosing, especially accounts that belong to privileged groups.
How to prevent it: Organizations must continuously monitor user objects for anomalous changes to SPN values, and service accounts must be protected with long, randomly generated passwords.
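As an added example (not code from the original article or from Lepide), the audit below lists user accounts that carry an SPN and flags the conditions that make a Kerberoasted ticket worth cracking: RC4-only encryption, a stale password, or membership of a privileged group. The privileged group DNs, the domain name `example.local`, and the 365-day password-age threshold are assumptions; the sample accounts at the bottom are constructed so the script runs offline. The commented `Get-ADUser` pipeline is how you would feed it from a real directory.

```powershell
# Added example, not from the original article. Audits SPN-bearing user accounts
# for Kerberoasting exposure. Against a live directory (RSAT ActiveDirectory module):
#   Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
#       -Properties ServicePrincipalName,PasswordLastSet,MemberOf,msDS-SupportedEncryptionTypes |
#       Find-KerberoastExposure

# Assumed privileged group DNs for a hypothetical domain "example.local".
$PrivilegedGroupDns = @(
    'CN=Domain Admins,CN=Users,DC=example,DC=local',
    'CN=Enterprise Admins,CN=Users,DC=example,DC=local',
    'CN=Administrators,CN=Builtin,DC=example,DC=local'
)

function Find-KerberoastExposure {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Account,
        [int] $MaxPasswordAgeDays = 365   # assumed threshold
    )
    process {
        # Accounts without an SPN cannot be targeted with a service-ticket request; skip them.
        if (-not $Account.ServicePrincipalName) { return }

        $findings = @()

        # msDS-SupportedEncryptionTypes: 0x8 = AES128, 0x10 = AES256. If neither bit is set
        # (or the attribute is absent, which is the default for user accounts) the KDC can
        # issue RC4 tickets, which crack far faster offline than AES tickets.
        $enc = [int]($Account.'msDS-SupportedEncryptionTypes')
        if (($enc -band 0x18) -eq 0) { $findings += 'RC4 allowed (no AES bit in msDS-SupportedEncryptionTypes)' }

        # Old service-account passwords are usually short and human-chosen.
        if ($Account.PasswordLastSet -and $Account.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $findings += "Password last set $($Account.PasswordLastSet.ToShortDateString())"
        }

        # Privileged membership turns a cracked ticket into domain compromise.
        $priv = @($Account.MemberOf | Where-Object { $PrivilegedGroupDns -contains $_ })
        if ($priv.Count -gt 0) { $findings += "Member of privileged group(s): $($priv -join '; ')" }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $Account.SamAccountName
                SPNs           = ($Account.ServicePrincipalName -join ', ')
                Findings       = ($findings -join ' | ')
            }
        }
    }
}

# Constructed sample accounts (not real directory data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_sql'; ServicePrincipalName = @('MSSQLSvc/sql01.example.local:1433'); PasswordLastSet = (Get-Date).AddYears(-4); MemberOf = @('CN=Domain Admins,CN=Users,DC=example,DC=local'); 'msDS-SupportedEncryptionTypes' = $null }
    [pscustomobject]@{ SamAccountName = 'svc_web'; ServicePrincipalName = @('HTTP/web01.example.local'); PasswordLastSet = (Get-Date).AddDays(-30); MemberOf = @(); 'msDS-SupportedEncryptionTypes' = 24 }
    [pscustomobject]@{ SamAccountName = 'jdoe'; ServicePrincipalName = $null; PasswordLastSet = (Get-Date).AddDays(-10); MemberOf = @(); 'msDS-SupportedEncryptionTypes' = $null }
)
$sample | Find-KerberoastExposure | Format-Table -AutoSize
```

On the sample data only `svc_sql` is reported, with all three findings. For the monitoring side the article asks for, two Security events are the usual sources: event 5136 (a directory service object was modified) records writes to the `servicePrincipalName` attribute once directory-change auditing and a SACL are in place, and event 4769 (a Kerberos service ticket was requested) with ticket encryption type `0x17` shows RC4 tickets being issued for an account you expected to be AES-only.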
2. Password Spraying
What it is: Password spraying is a brute-force attack where adversaries attempt to authenticate using commonly used passwords against multiple accounts to avoid triggering account lockouts (MITRE ATT&CK T1110.003).
How it works: Since most authentication systems lock an account after a handful of failed logons, the attacker reverses the usual brute force: rather than trying many passwords against one account, they try one or two commonly used passwords against a long list of usernames, so that no single account accumulates enough failures to trigger a lockout, and then repeat with the next password.
How to prevent it: Ensure that employees are using complex passwords, and where possible, use multi-factor authentication to prevent password spraying attacks. A solution that also maintains a list of previously compromised passwords and hashes can also be effective in detecting anomalous logon attempts.
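The detection logic below is an added example (not from the original article or from Lepide). It looks for the spraying signature in failed-logon data: one source address failing against many distinct accounts inside a short window while each account sees only a few failures. The window and thresholds are assumptions to tune to your environment, and the events are constructed so the script runs offline; the commented `Get-WinEvent` pipeline shows how to pull real event 4625 records from a domain controller.

```powershell
# Added example, not from the original article. Flags password-spray patterns in
# Security event 4625 (failed logon) data. Against a live domain controller, replace
# $events with something like:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1)} |
#     ForEach-Object {
#       $x = [xml]$_.ToXml()
#       [pscustomobject]@{
#         TimeCreated    = $_.TimeCreated
#         TargetUserName = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
#         IpAddress      = ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
#       }
#     }

function Find-PasswordSpray {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 30,          # assumed tuning values
        [int] $MinDistinctAccounts = 10,
        [int] $MaxFailuresPerAccount = 3
    )
    # Evaluate each source address on its own.
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)

        # One window starting at the source's first failure. A production detector would
        # slide the window over every start point; one pass is enough to show the logic.
        $windowEnd = $sorted[0].TimeCreated.AddMinutes($WindowMinutes)
        $inWindow  = @($sorted | Where-Object { $_.TimeCreated -le $windowEnd })

        # @() keeps .Count meaning "number of accounts" even when there is only one group.
        $perAccount    = @($inWindow | Group-Object TargetUserName)
        $distinct      = $perAccount.Count
        $maxPerAccount = ($perAccount | Measure-Object Count -Maximum).Maximum

        # Many accounts, few failures each: the inverse of a lockout-triggering brute force.
        if ($distinct -ge $MinDistinctAccounts -and $maxPerAccount -le $MaxFailuresPerAccount) {
            [pscustomobject]@{
                SourceIp         = $group.Name
                DistinctAccounts = $distinct
                MaxPerAccount    = $maxPerAccount
                FirstSeen        = $sorted[0].TimeCreated
                Verdict          = 'Possible password spray'
            }
        }
    }
}

# Constructed sample events (not real log data).
$base   = Get-Date '2026-05-20 09:00:00'
$events = @()
# Spray: one source, twelve accounts, one failure each, two minutes apart.
foreach ($i in 1..12) {
    $events += [pscustomobject]@{ TimeCreated = $base.AddMinutes($i * 2); TargetUserName = "user$i"; IpAddress = '203.0.113.10' }
}
# A forgotten password: one account failing five times from one workstation; this is not a spray.
foreach ($i in 1..5) {
    $events += [pscustomobject]@{ TimeCreated = $base.AddMinutes($i); TargetUserName = 'jdoe'; IpAddress = '10.0.0.25' }
}

Find-PasswordSpray -Events $events | Format-Table -AutoSize
```

Only `203.0.113.10` is reported: twelve accounts with at most one failure each. The workstation that failed five times against a single account stays below `MinDistinctAccounts`, which is the distinction that keeps this rule from firing on ordinary typos while still catching a spray that never trips the lockout policy.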
3. Link-Local Multicast Name Resolution (LLMNR)
What it is: LLMNR poisoning is an attack that exploits the Windows name resolution protocol to intercept network traffic and capture authentication credentials.
How it works: LLMNR lets hosts resolve names without a DNS server: when a DNS lookup fails, the host multicasts a query to the local subnet asking which machine owns the hostname. An attacker on the same segment can answer that query and claim the name, so the victim connects to the attacker's machine and, in many cases, sends authentication material in the process.
How to prevent it: This feature isn't necessary if the Domain Name System (DNS) is properly configured. As such, the best way to mitigate this threat is simply to disable LLMNR altogether.
4. Pass-the-hash with Mimikatz
What it is: Pass-the-hash is a credential theft technique where attackers use stolen password hashes to authenticate as a user without knowing the actual password (MITRE ATT&CK T1550.002).
How it works: Attackers commonly use a tool called Mimikatz to dump NTLM password hashes from the memory of the LSASS process on a machine they already control. Because NTLM authentication proves possession of the hash rather than of the password, the stolen hash can be presented directly to other systems to impersonate the user, which makes this a primary technique for lateral movement throughout the environment.
How to prevent it: Organizations must ensure that privileged account hashes are not left in places from which they can be easily extracted. They should also consider enabling LSA Protection and using Restricted Admin mode for Remote Desktop.
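The script below is an added example (not code from the original article or from Lepide) that serves both the LLMNR and the pass-the-hash sections: it audits, and can set, the three registry-backed controls they recommend. LSA Protection is `RunAsPPL` and Restricted Admin mode is `DisableRestrictedAdmin`, both under the `Lsa` key; the "Turn off multicast name resolution" policy that disables LLMNR is `EnableMulticast` under the `DNSClient` policy key. The expected values are the hardened settings; a missing value means the Windows default applies, which for all three is the weaker state.

```powershell
# Added example, not from the original article. Audits (and optionally sets) LSA
# Protection, Restricted Admin mode and the LLMNR policy. Run elevated; use -WhatIf
# on Set-AdHardening to preview changes before applying them.

$HardeningChecks = @(
    @{ Name = 'LSA Protection (RunAsPPL)';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';             Value = 'RunAsPPL';               Expected = 1 }
    @{ Name = 'Restricted Admin mode for RDP'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';             Value = 'DisableRestrictedAdmin'; Expected = 0 }
    @{ Name = 'LLMNR disabled (policy)';       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Value = 'EnableMulticast';        Expected = 0 }
)

function Get-AdHardeningStatus {
    foreach ($c in $HardeningChecks) {
        # Get-ItemProperty returns $null for a missing key or value; the OS default then applies.
        $actual  = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $display = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Control   = $c.Name
            Setting   = "$($c.Path)\$($c.Value)"
            Expected  = $c.Expected
            Actual    = $display
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

function Set-AdHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($c in $HardeningChecks) {
        if ($PSCmdlet.ShouldProcess("$($c.Path)\$($c.Value)", "Set DWORD to $($c.Expected)")) {
            # The policy key does not exist until a policy has been written; create it on demand.
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord -Value $c.Expected -Force | Out-Null
        }
    }
}

Get-AdHardeningStatus | Format-Table -AutoSize
# Set-AdHardening -WhatIf    # preview; drop -WhatIf to apply. RunAsPPL takes effect after a reboot.
```

In a domain, the same three values are normally delivered by Group Policy rather than set by hand; the audit function is still useful because it shows the effective value on the machine you are standing on, which is what matters when you are checking whether a policy actually landed.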
5. Default Credentials
What it is: Default credential attacks exploit unchanged factory-set usernames and passwords on devices and systems to gain unauthorized network access.
How it works: Companies often forget to change the default passwords on devices and systems, and attackers look for these devices and systems because the factory credentials are publicly documented and offer an easy way into the network.
How to prevent it: Organizations must ensure that they change the default passwords and keep an up-to-date inventory of all network hardware. It might also be worth adopting a solution that creates random passwords for line-of-business users and devices.
6. Hard-coded Credentials
What it is: Hard-coded credential attacks target sensitive authentication information embedded directly in scripts or application code by developers.
How it works: Software developers hard-code credentials into scripts, which is an obvious security risk, especially if the credentials provide privileged access. Often the credentials were hard-coded to test the functionality of the script, and the developer then forgot to remove them.
How to prevent it: Administrators must keep a close eye on all user accounts to ensure that they are being used only for their intended purposes. Implement code review processes and use a secrets management solution so that scripts retrieve credentials at run time instead of embedding them.
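As an added example (not from the original article or from Lepide) of the code-review control, the scan below searches a directory of scripts for the common shapes a hard-coded credential takes in PowerShell and batch files and reports each hit with the secret masked. The regular expressions are assumptions rather than an exhaustive list, and the two scripts it scans are constructed in a temporary directory so the example runs offline; point `-Path` at a real repository to use it.

```powershell
# Added example, not from the original article. A simple scan for credentials left in
# scripts; patterns are assumptions, not a complete catalogue.

$CredentialPatterns = @(
    @{ Name = 'Plain-text SecureString';  Regex = 'ConvertTo-SecureString\s+(?:-String\s+)?["''][^"'']+["'']\s+-AsPlainText' }
    @{ Name = 'Password assignment';      Regex = '(?i)\b(password|passwd|pwd)\s*=\s*["''][^"'']{4,}["'']' }
    @{ Name = 'Password on command line'; Regex = '(?i)-(?:Password|Credential)\s+["''][^"'']{4,}["'']' }
    @{ Name = 'Credentials in LDAP URI';  Regex = '(?i)ldaps?://[^\s/:]+:[^\s@]+@' }
)

function Find-HardcodedCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Include = @('*.ps1', '*.psm1', '*.bat', '*.cmd', '*.vbs', '*.py')
    )
    foreach ($p in $CredentialPatterns) {
        Get-ChildItem -Path $Path -Recurse -Include $Include -File |
            Select-String -Pattern $p.Regex |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $_.Path
                    Line    = $_.LineNumber
                    Pattern = $p.Name
                    # Mask the quoted secret so the report does not become another leak.
                    Match   = ($_.Line.Trim() -replace '(["''])[^"'']{4,}(["''])', '$1***$2')
                }
            }
    }
}

# Constructed sample scripts in a temporary directory (not real project files).
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'credscan-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
@'
# constructed sample: a deployment script with a test credential left behind
$pw   = ConvertTo-SecureString 'Summer2024!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('EXAMPLE\svc_deploy', $pw)
'@ | Set-Content (Join-Path $tmp 'deploy.ps1')
@'
# constructed sample: the same script done properly, prompting at run time
$cred = Get-Credential -Message 'Deployment account'
'@ | Set-Content (Join-Path $tmp 'clean.ps1')

Find-HardcodedCredential -Path $tmp | Format-Table -AutoSize
Remove-Item $tmp -Recurse -Force
```

Only `deploy.ps1` is reported, and the reported line reads `$pw = ConvertTo-SecureString '***' -AsPlainText -Force`. A scan like this belongs in a pre-commit hook or CI job; it catches the careless cases, while a purpose-built secret scanner and a secrets manager that scripts call at run time are what remove the incentive to embed credentials in the first place.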
7. Privilege Escalation
What it is: Privilege escalation is an attack technique where adversaries elevate their access rights from a standard user account to gain administrative or system-level privileges (MITRE ATT&CK TA0004).
How it works: Cybercriminals typically gain a foothold on a standard user account by exploiting poor password practices. Once in, they try to elevate their privileges through social engineering, exploitation of software or hardware vulnerabilities, misconfigurations, installed malware, and similar means.
How to prevent it: Organizations must maintain an up-to-date inventory of which accounts have access to which resources, especially critical resources. Accounts must have the least privileges they need to perform their role, and all privileged account activity must be continuously monitored, with real-time alerts being sent to the administrator.
8. LDAP Reconnaissance
What it is: LDAP reconnaissance is an information-gathering technique where attackers query Active Directory to discover users, groups, computers, and network structure.
How it works: Adversaries who have already gained access to your Active Directory environment can use LDAP queries to gather further information about the environment. Using this method, they can discover users, groups, and computers, which will help them plan their next move.
How to prevent it: Preventing LDAP reconnaissance is tricky because most information in Active Directory is available to all users by default. As such, you will need to closely monitor LDAP traffic for anomalies, and ensure that all accounts are given the least access they need to perform their roles.
9. BloodHound Reconnaissance
What it is: BloodHound reconnaissance uses specialized tooling to map and visualize attack paths through Active Directory by analyzing relationships between users, computers, and permissions.
How it works: BloodHound is a tool that helps adversaries identify and visualize attack paths in Active Directory environments. The tool works by creating a map of which computers are accessible to which users, and what user credentials can be stolen from memory.
How to prevent it: Organizations can also use BloodHound to help them identify and fix vulnerabilities in their environment, as well as provide meaningful insights about how to assign the appropriate level of access to users.
10. NTDS.dit Extraction
What it is: NTDS.dit extraction is an attack where adversaries steal the Active Directory database file containing all domain credentials and configuration data (MITRE ATT&CK T1003.003).
How it works: Domain controllers store all Active Directory data in a file called ntds.dit, or “the dit”, as some call it. By default, this file is located at the following path: C:\Windows\NTDS. If an adversary gains access to Active Directory, they can access the ntds.dit file, or compromise the organization’s backup solution and extract the ntds.dit file from the backup.
How to prevent it: Minimize the number of accounts that can log on to domain controllers, control access to the physical domain controller machines, and take all of the steps necessary to harden your Active Directory environment.

Active Directory Attack Methods Comparison
| Attack Method | Primary Target | Key Mitigation |
|---|---|---|
| Kerberoasting | Service account credentials | Strong passwords, SPN monitoring |
| Password Spraying | User account credentials | MFA, complex passwords, lockout policies |
| LLMNR Poisoning | Network traffic/credentials | Disable LLMNR, configure DNS properly |
| Pass-the-hash | Credential hashes in memory | LSA Protection, Restricted Admin mode |
| Default Credentials | Devices/systems | Change defaults, maintain inventory |
| Hard-coded Credentials | Scripts/application code | Code reviews, secrets management |
| Privilege Escalation | User permissions | Least privilege, continuous monitoring |
| LDAP Reconnaissance | Directory information | Monitor LDAP traffic, limit access |
| BloodHound Reconnaissance | Attack paths/relationships | Use defensively, reduce attack paths |
| NTDS.dit Extraction | Domain controller database | Restrict DC access, secure backups |
- Credential-based attacks dominate: Kerberoasting, password spraying, and pass-the-hash attacks all target credentials—implementing MFA and strong password policies is essential.
- Reconnaissance enables advanced attacks: LDAP and BloodHound reconnaissance help attackers map your environment; monitoring for unusual queries can provide early warning.
- Least privilege is foundational: Limiting account permissions reduces the impact of privilege escalation and lateral movement attempts.
- Continuous monitoring is critical: Real-time alerting on anomalous behavior, failed logons, and changes to privileged accounts enables rapid response.
- Defense in depth works: Combining technical controls (LSA Protection, disabling LLMNR) with process controls (code reviews, inventory management) provides comprehensive protection.
Using Lepide’s Free Tool to Prevent Active Directory Attacks
It is important to remember that visibility is paramount when it comes to protecting accounts and information. You will require a solution that keeps a careful eye out for irregularities in your Active Directory setup. Lepide Change Reporter (Free Tool) can detect and respond to anomalous usage behaviours, such as irregular access to sensitive information, unusual failed logon attempts, and changes made to users, groups, machines, and other objects, using machine learning methods. Download and install the free tool Lepide Change Reporter to see how it can assist you in protecting your Active Directory infrastructure.
Frequently Asked Questions
NTDS.dit extraction is often considered the most dangerous Active Directory attack because it gives adversaries access to the entire domain database, including all user credentials and configuration data. However, pass-the-hash and Kerberoasting attacks are more commonly observed and can lead to complete domain compromise if privileged accounts are targeted.
Detecting Active Directory attacks requires monitoring for anomalous behaviors such as unusual failed logon attempts, unexpected changes to service account SPNs, abnormal LDAP query patterns, and unauthorized access to domain controllers. Implementing a security information and event management (SIEM) solution combined with Active Directory auditing tools can help identify these indicators of compromise.
Kerberoasting targets service accounts by requesting Kerberos service tickets and cracking them offline to obtain passwords, while pass-the-hash steals NTLM password hashes from memory and uses them directly for authentication without needing to crack them. Both are credential theft techniques but exploit different authentication protocols.
Protect privileged accounts by implementing the principle of least privilege, using privileged access workstations (PAWs), enabling multi-factor authentication, monitoring all privileged account activity, and ensuring privileged credentials are not stored where they can be easily extracted from memory.