Why Active Directory remains a popular target for attackers and what to do about it [Q&A]


Microsoft Active Directory (AD) turned 25 earlier this year — remarkable longevity in the technology world. It’s the identity backbone for more than 80 percent of enterprises, meaning a breach could be catastrophic.

We spoke to Sean Deuby, principal technologist at Semperis, to look at the top considerations for protecting AD for the future, as most organizations he talks to have no plans to move on from the aging technology.

BN: What makes AD such a foundational technology and how has its role evolved over the past two and a half decades?

SD: Active Directory enables centralized authentication and authorization, making it essential for securing user access to business-critical applications and data.

However, as enterprise environments have evolved, so have security challenges. AD was built for connectivity and ease of management, not today’s cyber threat landscape. Misconfigurations, legacy settings, and default permissions optimized for discovery rather than security leave many organizations vulnerable. Attackers frequently exploit these weaknesses, with nine out of 10 breaches involving AD in some form. Ransomware groups like LockBit and Vice Society regularly target AD, and catastrophic attacks — such as the 2017 NotPetya incident that crippled Maersk — demonstrate how AD compromise can bring business operations to a standstill.

Despite its age, AD remains a core component of IT infrastructure, integrating with Entra ID and other cloud services as businesses transition to hybrid environments. Yet, many businesses have not modernized their security approach. This is an issue, as a successful breach grants adversaries broad access to an organization’s entire network, which we refer to as the ‘keys of the IT kingdom.’ Without proactive monitoring and protection, AD remains a high-risk target for cybercriminals, emphasizing the need for organizations to rethink how they secure this foundational technology.

BN: What are the most common attack methods against AD today, and how have they evolved over time? What emerging threats should organizations be most concerned about?

SD: Attack methods on AD have only grown more sophisticated over the decades. While traditional techniques like password spraying and credential stuffing remain effective, attackers now leverage automation, AI-driven reconnaissance, and living-off-the-land tactics to evade detection. Ransomware groups and nation-state actors increasingly exploit AD misconfigurations to establish persistence, making it even harder to detect and remove threats. The rise of identity threat detection and response (ITDR) has helped organizations become more proactive, but many still lack the continuous monitoring and hardened defenses needed to prevent AD compromise.

Common attack methods include Kerberoasting, password spraying, exploitation of unconstrained delegation settings, one-way domain trust bypass, and Silver Tickets, which malicious actors use as an evasion technique. Attackers also leverage techniques like DCSync to extract password hashes and gain domain admin privileges (also known as pass-the-hash attacks). The Five Eyes Alliance released a report in late 2024, Detecting and Mitigating Active Directory Compromises, which lists the 17 most common techniques used by adversaries and malicious actors to compromise Active Directory. The six techniques listed above are all included on this list.

Some of the most concerning threats are actually tried-and-true techniques that attackers turn to time and time again. Password spraying, credential stuffing, and brute force attacks remain widely used because their sheer volume makes detection challenging. In fact, brute force attacks account for 31 percent of initial attack vectors, and nearly a third of account compromises stem from password spray attacks.

In a password spray attack, an adversary repeatedly attempts to log in to a large number of target accounts using a limited set of passwords until they breach the target authentication system to gain account and system access. In a brute-force attack (the opposite of a password spray attack), an attacker repeatedly attempts to log in to a single account using different passwords until they breach the target authentication system to gain account and system access. In both cases, these techniques generate a high volume of data, making analysis time-consuming and tedious.

One concerning development in terms of how these attacks are unleashed is the weaponization of AI and automation. Armed with the power of AI, attackers are able to test massive volumes of compromised or weak credentials at unprecedented speed. 

Additionally, adversaries are increasingly using cloud-based attack vectors — such as abusing OAuth token persistence and compromising Entra ID accounts — to pivot into on-prem AD environments.

That said, most organizations can significantly increase their AD security posture by cleaning up the basics: strengthening service account passwords, implementing protection against common passwords, and generally working through the findings in a Purple Knight security assessment (recommended in the above Five Eyes report).
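The spray-versus-brute-force distinction described above maps directly onto detection logic: both produce a flood of failed logons, but a spray is wide (many accounts, few attempts each from one source) while brute force is deep (one account, many attempts). The following is an added example, not code from the article or from Semperis; it runs a sliding-window classifier over constructed records shaped like the timestamp, source address and target account fields of Windows Security event 4625, with assumed thresholds (5 accounts for a spray, 8 attempts for brute force, 10-minute window) that a real deployment would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (timestamp, source IP, target account),
# loosely modelled on the fields of Windows Security event 4625. Not real log data.
SPRAY_SOURCE = "10.0.0.5"
BRUTE_SOURCE = "10.0.0.9"
EVENTS = (
    # one source, many accounts, a single attempt each: password spray pattern
    [(f"2025-03-01T09:00:{i:02d}", SPRAY_SOURCE, f"user{i:02d}") for i in range(12)]
    # one source, one account, many attempts: brute-force pattern
    + [(f"2025-03-01T09:05:{i:02d}", BRUTE_SOURCE, "svc-backup") for i in range(10)]
    # benign noise: a user mistyping a password twice
    + [("2025-03-01T09:07:00", "10.0.0.22", "carol"),
       ("2025-03-01T09:07:30", "10.0.0.22", "carol")]
)


def classify_failed_logons(events, window=timedelta(minutes=10),
                           spray_min_accounts=5, brute_min_attempts=8):
    """Return {'spray': {source, ...}, 'brute_force': {(source, account), ...}}.

    For each source IP, a sliding window of the last `window` of failures is kept:
      - spray: failures spread across >= spray_min_accounts distinct accounts
      - brute force: >= brute_min_attempts failures against a single account
    Thresholds are assumed values for illustration, not vendor recommendations.
    """
    by_source = defaultdict(list)
    for ts, src, acct in sorted(events, key=lambda e: e[0]):
        by_source[src].append((datetime.fromisoformat(ts), acct))
    findings = {"spray": set(), "brute_force": set()}
    for src, recs in by_source.items():
        recent = deque()
        for ts, acct in recs:
            recent.append((ts, acct))
            while ts - recent[0][0] > window:      # drop failures older than the window
                recent.popleft()
            per_account = defaultdict(int)
            for _, a in recent:
                per_account[a] += 1
            if len(per_account) >= spray_min_accounts:
                findings["spray"].add(src)
            for a, n in per_account.items():
                if n >= brute_min_attempts:
                    findings["brute_force"].add((src, a))
    return findings


if __name__ == "__main__":
    result = classify_failed_logons(EVENTS)
    print("password spray sources:", sorted(result["spray"]))
    print("brute-force (source, account):", sorted(result["brute_force"]))
```

Feeding real 4625 exports (or equivalent domain controller telemetry) through the same function is a cheap way to separate the two patterns before the volume makes manual review impractical.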

BN: What are the biggest mistakes organizations make when securing AD environments?

SD: One of the biggest mistakes organizations make is assuming AD is secure ‘by default.’ Many AD environments were built over 20 years ago with security as an afterthought, leaving legacy configurations, excessive privileges, and weak authentication protocols in place. Failure to apply least privilege principles and regularly audit privileged accounts creates a high-risk environment where attackers can escalate privileges with ease. AD remains one of the most valuable targets for criminals, making its security a top priority for organizations.

Another critical mistake is neglecting a robust AD recovery strategy. Many organizations lack a tested, cyber-resilient recovery plan, leaving them vulnerable to ransomware or wiper attacks that can cripple business operations. Attackers are increasingly targeting AD backups, knowing that if they encrypt or destroy them, organizations will have no choice but to pay a ransom to restore operations. Without immutable, off-network backups and a well-tested recovery plan, businesses risk prolonged downtime and greater vulnerability to extortion attempts. Again, testing your ability to recover is imperative. Implementing a well-defined incident response strategy that includes immutable backups, rapid AD forest recovery capabilities, and continuous threat monitoring is essential for reducing risk.

BN: As more organizations adopt hybrid environments, on-premises AD is integrated with Entra ID and other cloud platforms. What unique security challenges arise from this shift?

SD: Hybrid identity environments introduce new attack surfaces that many organizations are unprepared for. Many incorrectly assume the two are not connected. One key challenge is the synchronization between on-prem AD and cloud-based identity platforms like Entra ID. If an attacker compromises on-prem AD, they can often pivot to cloud services by exploiting synchronization mechanisms or stealing OAuth tokens.

Additionally, security configurations for cloud identity services often differ from traditional AD settings, leading to misconfigurations and gaps in enforcement. For example, organizations may have strong conditional access policies in Entra ID but leave legacy NTLM authentication enabled on-prem, creating an entry point for attackers. To mitigate these risks, organizations must enforce zero-trust principles across both environments, monitor identity-related threats in real time, and ensure unified security policies across their hybrid identity infrastructure.

Another challenge that’s not well recognized is that of successfully re-integrating AD and Entra ID after recovering the AD forest. This is a tricky operation that, if not executed correctly, could result in irrecoverable loss of Entra ID objects and thus access to integrated applications such as Microsoft 365.

BN: How should organizations with significant legacy AD infrastructure approach modernization while minimizing security risks?

SD: Modernizing AD without disrupting operations requires a strategic, phased approach that balances security improvements with business continuity. Rather than rushing to replace AD, organizations should first assess their specific business and security needs to determine the best path forward. A key starting point is eliminating legacy risks by disabling outdated protocols, enforcing least privilege access, and applying secure delegation practices. Regularly auditing AD configurations can further reduce vulnerabilities.

And, it’s important to remember that organizations with legacy AD infrastructure don’t need to replace it in its entirety to modernize their identity security. Gradually integrating modern cloud identity access control capabilities — such as conditional access, just-in-time (JIT) privileges, and cloud-based identity governance — into on-premises applications while strengthening their security measures will go a long way in improving AD security against modern threats. Hybrid identity models, where AD is supplemented by services like Entra ID, can help organizations enhance security and flexibility without the risks of a rushed migration.

Overall, a phased, security-first approach is key to strengthening AD environments so that they are well adapted to modern security challenges.

Image credit: Momius/depositphotos.com