Active Directory (AD) still authenticates most enterprise workforces more than two decades after release, and it remains the richest target on nearly every internal network. When a red team lands a foothold on a corporate laptop, the laptop is never the objective. The prize is the path from one unprivileged user to Domain Admin, and Active Directory hands attackers an unusually generous map to walk it.
Those paths exist because AD is a distributed trust system optimized for administrative convenience: nested groups, delegated permissions, service accounts with excessive rights, and certificate templates configured a decade ago and never reviewed. None of these are vulnerabilities in the CVE sense. They are design and configuration choices that compose into a chain, and defenders who patch diligently but never audit relationships stay exposed.
The attack paths defenders underestimate
Most AD compromises do not rely on a memory-corruption exploit. They abuse features working exactly as designed.
- ▸Kerberoasting: Any authenticated user can request a service ticket for an account with a Service Principal Name, then crack it offline. Service accounts with weak passwords and domain admin rights turn this into game over.
- ▸AS-REP roasting: Accounts with Kerberos pre-authentication disabled leak a crackable hash to any requester who asks.
- ▸Unconstrained and constrained delegation: Misconfigured delegation lets a compromised host impersonate other users, including privileged ones, to back-end services.
- ▸Active Directory Certificate Services (ADCS): A family of template misconfigurations, publicly catalogued as ESC1 through ESC8, can let a low-privileged user enroll a certificate that authenticates as a domain admin.
Where Kerberos hands over the keys
Kerberos was designed to reduce password exposure on the wire, but its ticketing model creates offline-crackable material and impersonation primitives. Kerberoasting is attractive precisely because it is quiet: requesting a service ticket is normal behavior, so the noisy part, offline cracking, happens on the attacker's own hardware. Golden and silver tickets go further; once an operator extracts the KRBTGT hash, they can forge tickets for arbitrary users and persist through password resets. ADCS abuse has become the modern favorite because a forged or maliciously enrolled certificate survives credential rotation entirely and is rarely monitored.
Mapping the graph with BloodHound
You cannot defend a relationship you have never visualized. BloodHound and its data collectors ingest AD objects and render them as a graph where every edge is a usable privilege: member-of, has-session, can-reset-password, generic-write. The tool's killer feature is its shortest-path query: pick any owned principal, ask for the route to Domain Admins, and the graph returns the exact chain of abuses. Red teams use it to plan; blue teams should run the same queries first and delete the edges before an attacker finds them.
A tiered model that actually holds
Microsoft's tiering guidance, now folded into its Enterprise Access Model, is the durable fix, but it only works as a hard boundary rather than a diagram. A practical rollout looks like this:
1. Classify assets into tiers: Tier 0 for identity systems (domain controllers, ADCS, sync servers), Tier 1 for servers and applications, Tier 2 for workstations. 2. Bind admin credentials to their tier: A Tier 0 admin account must never authenticate to a Tier 2 workstation, where its credentials can be harvested. 3. Use privileged access workstations for all Tier 0 administration, isolated from email and browsing. 4. Purge SPNs from privileged accounts and give service accounts group-managed passwords (gMSA) so Kerberoasting yields nothing crackable. 5. Audit ADCS templates for dangerous enrollment and enrollment-agent rights, and enable certificate mapping enforcement. 6. Re-run BloodHound quarterly and treat any new path into Tier 0 as an incident, not a backlog item.
The engineering trade-off is real: strict tiering slows administrators down and demands discipline that convenience-driven IT resists. But the alternative is a graph in which one phished helpdesk account reaches the domain controller in three hops.
For a business, hardening AD is the highest-leverage internal security investment available, because it is the substrate everything else trusts. A red team that maps these paths and a blue team that closes them together turn the enterprise's most-attacked system into its best-instrumented one, and that resilience is exactly what regulators, insurers, and customers now expect organizations to prove rather than assert.
