Active Directory attack and defense: from Kerberoasting to Golden Tickets
Most enterprise breaches end in Active Directory. Knowing the attack chain — Kerberoast, AS-REP, DCSync, Golden Ticket — is what makes defense possible.
Active Directory has been the identity backbone of enterprise environments for two decades and remains the primary target of post-compromise activity. The MITRE ATT&CK Enterprise Matrix lists dozens of AD-specific techniques. Defenders who do not understand the attack chain cannot detect or interrupt it. SpecterOps, Tenable, and CrowdStrike publish updated playbooks; BloodHound and the BloodHound Community Edition map AD attack paths visually.
Common attack techniques in 2026 include Kerberoasting (T1558.003) — extracting service account TGS tickets and brute-forcing offline against weak passwords; AS-REP Roasting (T1558.004) — same attack against accounts with Kerberos pre-authentication disabled; DCSync (T1003.006) — abusing replication permissions to dump every credential from a domain controller; Golden Ticket (T1558.001) — forging Kerberos TGTs with a stolen krbtgt hash, granting permanent admin; and ADCS abuses (the ESC1 through ESC15 family documented by SpecterOps) — abusing misconfigured Active Directory Certificate Services to escalate to domain admin.
Hardening starts with the tier model. Microsoft's Tier 0/1/2 model — Tier 0 is domain admins and DCs, Tier 1 is server admins, Tier 2 is workstation admins — keeps high-privilege credentials off lower-tier hosts where they get harvested. Tier 0 admins use Privileged Access Workstations (PAWs) only. Disable Kerberos pre-authentication only where genuinely required. Use Group Managed Service Accounts (gMSA) with auto-rotated 240-character passwords for service accounts. Enforce LAPS for local admin password rotation on every workstation and server. Audit ADCS template permissions with PSPKIAudit or Certipy and remove the ESC1-vulnerable templates first.
Detection is half the battle. Configure the advanced audit policy to log Event IDs 4768 (TGT request), 4769 (TGS request), 4624/4625 (logon), 4720 (account creation), and 4728/4732 (group membership change). Microsoft Defender for Identity (formerly ATA) detects DCSync, Golden Ticket, and lateral movement patterns. Sigma's open-source SIEM correlation rules cover most public TTPs. Run BloodHound on your own AD quarterly to find the new shortest path from a regular user to Domain Admin and remove it before an attacker uses it. Most domains have at least three such paths sitting unused since the last forest restructuring.
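As an added example (not from the article or any vendor playbook), here is the kind of correlation a SIEM rule for Kerberoasting and AS-REP roasting performs over the 4769 and 4768 events above: flag requesters that pull RC4-encrypted service tickets for several distinct service accounts, and flag TGTs issued without pre-authentication. The events are constructed samples, and the field names and the three-SPN threshold are assumptions to adjust for your environment.

```python
"""Kerberoasting / AS-REP roasting heuristics over Windows Security events.

The sample events below are constructed (not real logs) and mimic the
fields of Event ID 4769 (TGS request) and 4768 (TGT request).
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES is 0x12 / 0x11

# Constructed samples: one user pulling RC4 tickets for several SPNs,
# two normal AES requests, and one AS-REP issued without pre-auth.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
]

def is_roastable_tgs(ev):
    """Successful 4769 for a user service account (not a machine account or krbtgt) with RC4."""
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769 and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def kerberoast_suspects(events, min_distinct_spns=3):
    """Requesters who pulled RC4 service tickets for at least N distinct SPNs (threshold assumed)."""
    spns = defaultdict(set)
    for ev in events:
        if is_roastable_tgs(ev):
            spns[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(s) for user, s in spns.items() if len(s) >= min_distinct_spns}

def asrep_roast_candidates(events):
    """Accounts granted a 4768 TGT without pre-authentication (PreAuthType 0) and with RC4."""
    return sorted(ev["TargetUserName"] for ev in events
                  if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"
                  and ev.get("TicketEncryptionType") == RC4_HMAC)

if __name__ == "__main__":
    print("Kerberoast suspects:", kerberoast_suspects(SAMPLE_EVENTS))
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
```

Accounts surfaced by the second check are the ones the hardening paragraph tells you to re-enable pre-authentication on; the first check gives you the service accounts to move to gMSA or AES-only.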