Red Team Attack Paths in Active Directory: From Kerberos Abuse to Domain Compromise

In today’s advanced threat environment, Active Directory stands at the core of enterprise identity and access management, making it the most valuable target for determined adversaries. It controls authentication, authorization and trust relationships across users, servers, applications and hybrid cloud services. Compromising Active Directory does not result in limited access to a single host but enables control over the entire organizational environment. This centralization of identity and privilege makes AD a single point of strategic failure in modern networks.

Sophisticated attackers understand that dominance over Active Directory enables long term persistence, covert lateral movement and complete control over security enforcement mechanisms. With sufficient privileges, adversaries can manipulate authentication flows, disable logging, deploy malware at scale and maintain access even after incident response efforts. As a result, nearly every advanced intrusion campaign ultimately pivots toward Active Directory abuse as the final objective for enterprise compromise.

Attack #1: Kerberoasting
Kerberoasting targets Active Directory service accounts that are linked to a Service Principal Name (SPN). Any authenticated domain user can request a Kerberos service ticket for these accounts. The ticket contains an encrypted password hash that attackers can extract and crack offline without interacting with the domain again.

Tools

  • Rubeus (C#): Commonly used on Windows to enumerate SPNs, request Kerberos tickets and export them for cracking using Hashcat.
  • py (Impacket): A Python based tool used by attackers usually from Linux based systems to request and dump service tickets remotely.

The Execution
Attackers request Ticket Granting Service (TGS) tickets, forcing RC4 encryption when it is still allowed. RC4 hashes are significantly faster to crack than AES. The captured tickets are then converted into formats supported by password cracking tools like Hashcat or John the Ripper.

Defense

  • Managed Service Accounts: Use Group Managed Service Accounts (gMSAs) which automatically rotate long, complex passwords and cannot be easily cracked offline.
  • Encryption: Enforce AES-256 Kerberos encryption and disable RC4 wherever possible. Strong encryption greatly increases the time and resources required for offline password cracking, making the attack impractical.

Attack #2: AS-REP Roasting
AS-REP Roasting targets domain user accounts that have Kerberos preauthentication disabled. When pre-auth is not required, the Key Distribution Center responds to authentication requests without first verifying the user. This allows an attacker to obtain an AS-REP response that includes data encrypted using the user’s password hash.

Tools

  • Rubeus: Used to identify vulnerable accounts and request AS-REP responses directly from a Windows environment.
  • py (Impacket): Commonly used from Linux to query the domain for users with pre-auth disabled and extract AS-REP hashes remotely.

The Execution
The attacker sends an AS-REQ for a target user without providing valid credentials. The KDC returns an AS-REP containing encrypted material derived from the user’s password. This hash is then cracked offline using brute-force attacks. The attack is stealthy because it does not require logging into the account or accessing a service.

Defense

  • Configuration Audit: Regularly audit Active Directory using PowerShell scripts or tools like BloodHound to identify accounts with “DontRequirePreauth” set to “True” and remediate them immediately.
  • Honey Accounts: Create decoy user accounts with pre-authentication disabled and no real privileges. Any AS-REQ activity against these accounts should trigger alerts, helping detect attackers early in the reconnaissance phase.
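The audit the Kerberoasting and AS-REP Roasting defenses call for can be expressed as a check over account attributes. The following is an added example, not code from the original article: it decodes the userAccountControl preauth bit and the msDS-SupportedEncryptionTypes bitmask for a set of constructed account records (hypothetical names and SPNs), skipping gMSAs, and reports which accounts are exposed to each attack.

```python
# Added example (not from the original article): flag AD account records exposed to
# Kerberoasting or AS-REP roasting. Records are constructed; real ones come from LDAP/Get-ADUser.

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl: preauth not required
ENC_DES = 0x01 | 0x02                # msDS-SupportedEncryptionTypes: DES-CBC-CRC/MD5
ENC_RC4_HMAC = 0x04
ENC_AES = 0x08 | 0x10                # AES128-CTS, AES256-CTS
GMSA_CLASS = "msDS-GroupManagedServiceAccount"

def audit_account(acct):
    """Return the list of findings for one account record."""
    findings = []
    uac = acct.get("userAccountControl", 0)
    spns = acct.get("servicePrincipalName") or []
    enc = acct.get("msDS-SupportedEncryptionTypes")  # None when the attribute is unset

    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("asrep-roastable: preauth disabled")

    # gMSAs are skipped: their long random, auto-rotated passwords make offline
    # cracking impractical even if an RC4 ticket is issued for them.
    if spns and GMSA_CLASS not in acct.get("objectClass", []):
        # Unset/zero enctypes lets the KDC fall back to RC4 for the service ticket
        # where RC4 is still allowed; any DES or RC4 bit is equally weak.
        if not enc or enc & (ENC_DES | ENC_RC4_HMAC):
            findings.append("kerberoastable: RC4/DES service ticket possible")
    return findings

def audit_domain(accounts):
    """Map sAMAccountName -> findings for every account that has any."""
    results = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            results[acct["sAMAccountName"]] = findings
    return results

# Constructed sample records (hypothetical names, SPNs and settings)
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None, "objectClass": ["user"]},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.example"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": ENC_AES, "objectClass": ["user"]},
    {"sAMAccountName": "gmsa_iis$", "servicePrincipalName": ["HTTP/iis01.corp.example"],
     "userAccountControl": 0x1000, "msDS-SupportedEncryptionTypes": ENC_RC4_HMAC | ENC_AES,
     "objectClass": ["user", "computer", GMSA_CLASS]},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [],
     "userAccountControl": 0x400200, "msDS-SupportedEncryptionTypes": None, "objectClass": ["user"]},
]
```

Running audit_domain(ACCOUNTS) reports svc_sql as Kerberoastable (enctypes unset, so RC4 is possible) and jdoe as AS-REP roastable, while the AES-only service account and the gMSA produce no findings.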

Attack #3: DCSync Attack
A DCSync attack abuses Active Directory’s built-in replication mechanism. Instead of cracking passwords, the attacker pretends to be a Domain Controller and requests user credential data through the Directory Replication Service Remote Protocol. This can expose password hashes for any account, including the critical KRBTGT account used by Kerberos.

Tools

  • Mimikatz (lsadump::dcsync): Allows attackers to directly request and dump credential data from a Domain Controller.
  • py: An Impacket tool commonly used to extract password hashes, Kerberos keys and other secrets via replication abuse.

The Execution
The attacker must already control an account with elevated privileges such as Domain Admin or explicit directory replication permissions. Once executed, the DC treats the request as legitimate replication traffic and returns sensitive credential data without triggering standard authentication failures.

Defense

  • Monitor Replication: Continuously monitor and alert on DS-Replication-Get-Changes-All access, specifically Event ID 4662, when it originates from systems that are not Domain Controllers.
  • Least Privilege: Restrict directory replication rights to only essential Domain Controllers and service accounts. Regularly review permissions to ensure no unnecessary or legacy accounts retain replication capabilities.
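The two defenses above combine naturally: an allowlist of principals permitted to replicate, and an alert on any Event ID 4662 that shows replication rights exercised by anyone else. The following is an added example, not code from the original article: the GUIDs are the well-known AD control-access-right identifiers for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, the allowlist names and the sample events are constructed.

```python
# Added example (not from the original article): detection logic for DCSync over
# Security Event ID 4662 records. Events are constructed inline; in production they
# come from DC Security logs via a SIEM or Get-WinEvent.
import re

# Well-known control-access-right GUIDs listed in the Properties field of 4662
# when replication rights are exercised.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Hypothetical allowlist: DC computer accounts plus one approved sync account.
# Keeping this set small is the "least privilege" control from the text.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def is_dcsync(event, allowlist=ALLOWED_REPLICATORS):
    """True when a 4662 shows replication rights used by a non-allowlisted principal."""
    if event.get("EventID") != 4662:
        return False
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not guids & REPLICATION_GUIDS:
        return False
    return event.get("SubjectUserName", "") not in allowlist

def find_dcsync(events, allowlist=ALLOWED_REPLICATORS):
    """Return the SubjectUserName of every event that looks like DCSync."""
    return [e["SubjectUserName"] for e in events if is_dcsync(e, allowlist)]

# Constructed sample events (hypothetical names; Properties mimics the 4662 layout)
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "ObjectType": "user",
     "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},
]
```

Event 4662 is only generated when the Directory Service Access audit subcategory is enabled and a SACL on the domain object covers the replication rights, so verify that before relying on this check.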

Attack #4: Golden, Silver and Diamond Ticket Attacks
These attacks abuse Kerberos ticket trust to achieve stealthy persistence in Active Directory. Once successful, attackers can impersonate users or services without needing valid credentials again.

  • Golden Ticket: Using a stolen KRBTGT hash to forge a Ticket Granting Ticket (TGT) that grants the attacker Domain Admin rights for years.
  • Silver Ticket: Using a specific service’s hash like CIFS to forge a service ticket (TGS) for just that service, bypassing the DC entirely.
  • Diamond Ticket: An advanced stealthy technique where the attacker requests a legitimate TGT and then “modifies” the PAC (Privilege Attribute Certificate) to elevate rights, making the ticket look more authentic to monitoring tools.

Tools

  • Mimikatz: Used to extract Kerberos hashes and create forged tickets.
  • Rubeus: Used for advanced Kerberos ticket requests, manipulation and replay.

Defense

  • KRBTGT Rotation: Rotate the KRBTGT account password at least twice per year and immediately after any suspected compromise to invalidate forged tickets.
  • Tiered Admin Model: Enforce a tiered administrative model so Domain Admin credentials are only used on highly secured systems. Prevent their use on low-tier or potentially compromised workstations to reduce credential theft risk.

Attack #5: Pass-the-Ticket (PtT)
Pass-the-Ticket avoids password cracking entirely by stealing an already issued Kerberos ticket from system memory. Once a valid ticket is obtained, the attacker can reuse it to authenticate as the victim user without knowing the password.

Tools

  • Mimikatz (kerberos::ptt): Used to extract Kerberos tickets from memory and inject them into an attacker-controlled session.
  • Rubeus: Commonly used to dump, monitor and reuse Kerberos tickets across systems.

The Execution
When a high-privilege user such as a Domain Admin logs into a compromised workstation, their Ticket Granting Ticket is stored in LSASS memory. The attacker dumps this ticket and injects it into their own session, instantly inheriting the same administrative permissions.

Defense

  • Credential Guard: Enable Windows Defender Credential Guard to isolate LSASS in a secure, virtualized environment preventing ticket extraction.
  • Restricted Admin Mode: Connect via RDP to lower-trust machines using mstsc /restrictedAdmin. This reduces credential exposure by ensuring credentials are not sent to or stored on the remote system, limiting credential theft and lateral movement risk.

Attack #6: NTLM Relay Attacks
NTLM Relay attacks abuse the fact that NTLM authentication does not bind credentials to a specific server. If SMB signing is disabled, an attacker can capture an NTLM authentication attempt and forward it to another system, effectively authenticating as the victim without knowing their password.

Tools

  • Responder: Used to poison name resolution and coerce systems into sending NTLM authentication requests.
  • py: An Impacket tool that relays captured NTLM credentials to target services such as SMB, LDAP or HTTP.

The Execution
The attacker positions themselves between systems on the network using spoofing techniques. When a victim authenticates, the NTLM challenge-response is captured and immediately relayed to a target server like a Domain Controller or file server. If the victim has administrative rights on the target, the attacker gains access instantly.

Defense

  • SMB Signing: Enforce “RequireSecuritySignature” through Group Policy across all servers and workstations to prevent NTLM authentication relaying.
  • AD CS Hardening: Apply KB5005413 and enforce Extended Protection for Authentication (EPA) and LDAP signing.

Conclusion
Ultimately, the common thread across all of these attack techniques is simple: control over identity equals control over the enterprise. Whether through offline ticket cracking, replication abuse or forged Kerberos trust, attackers are not looking for noisy destruction but for quiet, durable dominance of Active Directory. Once that control is achieved, traditional security boundaries lose meaning and remediation becomes exponentially more complex.

Closing these attack paths requires disciplined identity hygiene, continuous monitoring and a security model that assumes Active Directory is always under threat. Organizations that harden Kerberos, reduce privilege sprawl and actively hunt for identity abuse can turn Active Directory from an attacker’s greatest advantage into a defended stronghold, ending the intrusion before it becomes a domain-wide compromise.