Mastering AD Domain Security: Attack Techniques and Defense Strategies
This article explains how Active Directory domains work, outlines over 220 attack techniques such as SPN scanning, password spraying, Kerberoasting, DCSync, and privilege‑escalation exploits, and then presents comprehensive defense measures including attack‑surface reduction, strict admin hygiene, network isolation, honeypots, and continuous monitoring.
1. Domain
Domain environments use Active Directory (AD) and Domain Controllers to provide centralized access control, allowing users to log in with a single account across the network. AD is the built‑in directory service on Windows Server, while Domain Controllers store all object information and provide authentication and authorization for users, computers, groups, departments, applications, and more.
2. Domain Attack and Defense Tactics
Domain Controllers host high‑risk services such as SMB and RPC, are reachable from most of the network, have a large blast radius when compromised, and offer durable persistence, making them prime targets for attackers.
1. Domain Attack Techniques
Based on the MITRE ATT&CK model and PTES framework, attackers employ more than 220 techniques across reconnaissance, credential theft, privilege escalation, lateral movement, and persistence stages, including SPN scanning, password spraying, Kerberoasting, and others.
SPN Scanning collects Service Principal Names to identify the services running in the domain, paving the way for further attacks; it is hard to detect because it relies on query methods that Microsoft itself provides.
User Enumeration abuses the AS‑REQ phase of Kerberos to check whether an account exists without supplying a password: the name placed in the client‑info field draws distinct responses from the KDC for existing and non‑existing accounts.
Password Spraying uses a single password against many accounts to bypass lockout thresholds, allowing attackers to test common passwords after enumerating valid usernames.
AS‑REP Roasting targets accounts that do not require Kerberos pre‑authentication: the attacker obtains the TGT and the encrypted session key from the AS‑REP and cracks them offline to recover the plaintext password.
Kerberoasting requests service tickets for service accounts that have SPNs; the tickets are encrypted with RC4_HMAC_MD5 and can be cracked offline to reveal the NTLM hash and ultimately the clear‑text password.
DCSync Attack exploits the GetNCChanges replication request to pull domain data from a Domain Controller without logging on to it, letting attackers harvest credential material.
SYSVOL and GPP Vulnerabilities involve compromising the SYSVOL shared folder or Group Policy Objects to read or modify sensitive files and policies, enabling attackers to control user and computer behavior.
Windows Privilege‑Escalation Vulnerabilities such as MS14‑068, CVE‑2016‑3225, CVE‑2020‑1472, and CVE‑2022‑26963 allow attackers to obtain domain admin privileges through Kerberos ticket manipulation, SMB privilege escalation, Netlogon spoofing, and certificate abuse.
Pass‑the‑Hash (PTH) Attack captures NTLM hashes and uses them to authenticate without needing plaintext passwords, facilitating lateral movement across the network.
Golden Ticket abuses the krbtgt account’s NTLM hash to forge Kerberos tickets, granting attackers unrestricted access to any service.
DCShadow Attack creates a forged Domain Controller with admin privileges to push malicious objects into the AD replication process, providing persistent control.
2. Domain Defense Techniques
To mitigate AD security challenges, organizations should strengthen security management, implement fine‑grained network isolation, deploy honeypots for active defense, and maintain continuous monitoring and operation.
Reduce Attack Surface and Standardize Domain Management – unify OS and patches across all Domain Controllers, regularly audit and remove unnecessary applications and services, and apply the principle of least privilege to admin accounts.
Implement Domain Controller Network Isolation – use a bastion host and dedicated security workstations for admin access, enforce firewall rules that only allow these workstations to reach Domain Controllers, and disable remote execution tools like PsExec.
Deploy Honeypots – set up user honeypots to detect credential misuse and trigger alerts when suspicious actions occur.
Deploy a Domain Controller Protection Platform and Continuous Monitoring – enable advanced Windows audit policies, retain large security logs, collect and analyze authentication and network traffic with tools such as Microsoft ATA, build behavior models to detect unknown attacks, and conduct regular baseline scans, vulnerability monitoring, phishing drills, and red‑blue exercises.
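The monitoring item above is where the attack techniques listed earlier (password spraying, Kerberoasting, DCSync) become detectable. The following added example, not code from the original article, shows detection logic over constructed Windows Security events: Event 4769 with RC4 (etype 0x17) for a user SPN, Event 4662 carrying the replication control‑access‑right GUIDs, and bursts of Event 4771 pre‑auth failures (status 0x18) across many accounts from one source. The event dictionaries, account names, IP address and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs recorded in the Properties field of Event 4662
# when a principal exercises the replication rights behind GetNCChanges.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

def kerberoast_alerts(events):
    """4769 service-ticket requests using RC4 (etype 0x17) for a user SPN.
    Computer accounts ($) and krbtgt are excluded to cut noise."""
    return [e for e in events
            if e["id"] == 4769 and e["etype"] == "0x17"
            and not e["service"].endswith("$") and e["service"] != "krbtgt"]

def dcsync_alerts(events):
    """4662 events where replication rights are used by a non-DC account."""
    return [e for e in events
            if e["id"] == 4662 and REPL_GUIDS & set(e["props"])
            and not e["subject"].endswith("$")]

def spray_alerts(events, window=timedelta(minutes=10), threshold=5):
    """4771 pre-auth failures (status 0x18, bad password) hitting at least
    `threshold` distinct accounts from one source IP inside `window`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4771 and e["status"] == "0x18":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(users) >= threshold:
                alerts.append((ip, sorted(users)))
                break
    return alerts

# Constructed sample events (not real log data); keys mirror the Security-log
# attributes ServiceName, TicketEncryptionType, SubjectUserName, Properties.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    {"id": 4769, "etype": "0x12", "service": "ws01$", "time": T0},    # benign AES
    {"id": 4769, "etype": "0x17", "service": "svc_sql", "time": T0},  # roastable
    {"id": 4662, "subject": "DC01$", "props": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"], "time": T0},
    {"id": 4662, "subject": "jdoe", "props": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"], "time": T0},
] + [{"id": 4771, "status": "0x18", "ip": "10.0.0.5", "user": f"user{i}",
      "time": T0 + timedelta(minutes=i)} for i in range(6)]
```

In production the same logic runs over events forwarded from every Domain Controller, and the DC exclusion in `dcsync_alerts` should be a maintained list of DC computer accounts rather than the `$` suffix heuristic used here.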
3. Domain Protection Summary
The AD domain is the core of enterprise networks, making its protection critical. Daily operations should follow the principle of least privilege, reduce the attack surface, enforce network isolation, deploy honeypots, and use comprehensive monitoring platforms. Effective AD security also requires proper security equipment, continuous operation, and heightened employee security awareness.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.