Microsoft’s guidance to help mitigate critical threats to Active Directory Domain Services in 2025
Written by Karen Guo (/en-us/windows-server/blog/author/karen-guo)
1. Unpatched vulnerabilities
Unpatched vulnerabilities are known security flaws in software that have not been remediated. Like any critical infrastructure, Active Directory Domain Services relies on the security of the system on which it runs. When vulnerabilities exist in the operating system or supporting components, attackers may exploit those gaps to gain initial access or escalate privileges.
According to the 2025 Verizon DBIR, exploitation of known vulnerabilities accounts for roughly 20% of breaches and is up around 34% year over year. These attacks do not succeed because AD DS is weak; they succeed in environments that fail to apply available fixes. Timely patching is essential to protect against attackers who take advantage of systems left unpatched.
Detection:
- Use Microsoft Defender Vulnerability Management for real-time visibility.
- Defender for Endpoint validates risk reduction.
- Configuration Manager (SCCM) deploys updates and monitors compliance.
Recommendations:
- Automate and enforce timely patch deployment using Azure Update Manager or SCCM.
- Use Microsoft Defender Vulnerability Management to prioritize patching based on exploitability and asset exposure.
- Apply Windows Server 2025 OSConfig security baselines to domain controllers.
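The check a practitioner wants before trusting "we patch monthly" is a per-domain-controller view of what is actually installed, what the update agent still considers missing, and whether a reboot is pending. The following PowerShell script is an added example, not code from the original post; it assumes the ActiveDirectory module, WinRM access to every DC, and that each DC can reach its update source (WSUS, Configuration Manager or Windows Update). The 35-day threshold is an assumption.

```powershell
# Added example, not code from the original post: report every domain controller
# whose newest installed update is older than a threshold, that the Windows
# Update Agent still sees applicable updates for, or that is waiting on a reboot.
# Assumes the ActiveDirectory module, WinRM access to each DC, and that each DC
# can reach its update source (WSUS, Configuration Manager, or Windows Update).
Import-Module ActiveDirectory

function Get-DcPatchStatus {
    param(
        # Assumed threshold: one monthly update cycle plus a few days of slack.
        [int]$MaxDaysSinceUpdate = 35
    )

    $dcs = (Get-ADDomainController -Filter *).HostName

    $results = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
        # Newest update that Get-HotFix knows about (cumulative updates are listed too).
        $last = Get-HotFix | Where-Object InstalledOn |
                Sort-Object InstalledOn -Descending | Select-Object -First 1

        # Ask the Windows Update Agent what is applicable but not yet installed.
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $missing  = @($searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates |
                      ForEach-Object { $_.Title })

        # A staged update that still needs a reboot leaves the DC exposed.
        $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            LastHotFixId     = $last.HotFixID
            LastInstalled    = $last.InstalledOn
            MissingCount     = $missing.Count
            MissingTitles    = ($missing -join '; ')
            RebootPending    = $rebootPending
        }
    }

    foreach ($r in $results) {
        $days = if ($r.LastInstalled) { ((Get-Date) - [datetime]$r.LastInstalled).Days } else { $null }
        $r | Add-Member -NotePropertyName DaysSinceUpdate -NotePropertyValue $days
        $r | Add-Member -NotePropertyName NeedsAttention -NotePropertyValue (
            ($null -eq $days) -or ($days -gt $MaxDaysSinceUpdate) -or ($r.MissingCount -gt 0) -or $r.RebootPending
        )
    }
    $results | Sort-Object NeedsAttention -Descending
}

# Usage: list only the DCs that need action.
Get-DcPatchStatus | Where-Object NeedsAttention |
    Format-Table DomainController, LastHotFixId, DaysSinceUpdate, MissingCount, RebootPending -AutoSize
```

A DC that reports no missing updates but a pending reboot is still running the old binaries; treat RebootPending as a finding, not as "done".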
Once attackers gain an initial foothold, often through unpatched systems, they look for ways to move laterally and escalate privileges. One common technique is the authentication relay attack.
2. Authentication relay attacks
Authentication relay attacks (a form of man-in-the-middle) let an adversary who can intercept a client's authentication exchange forward it to another server, which then treats the attacker's session as the victim user. NTLM is the usual target; Kerberos can be relayed under narrower conditions. Because these attacks ride on legitimate authentication flows, they enable lateral movement, data theft, and ultimately full domain compromise.
Detection:
- Defender for Identity alerts on suspicious authentication patterns, lateral movement, and NTLM relay attempts.
- Monitor Windows Event Logs for failed logons and unusual authentication attempts, and enable NTLM auditing so the NTLM Operational log shows which clients still authenticate with NTLM.
Recommendations:
- Deprecate and disable NTLM wherever possible; audit first so you know which clients still depend on it.
- Enforce SMB signing, LDAP signing and LDAP channel binding. Windows Server 2025 enables these by default.
- Use Extended Protection for Authentication (EPA) on services that accept NTLM over TLS.
- Implement Just-In-Time (JIT) access and MFA for sensitive resources, for example through Privileged Identity Management (PIM).
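The two pieces of work behind those recommendations are verifying that every domain controller actually carries the hardened signing and channel-binding settings, and inventorying who still authenticates with NTLM before it is blocked. The script below is an added example, not code from the original post. It assumes the ActiveDirectory module and WinRM access to each DC; the "expected" values are the hardened settings (several are already the defaults on Windows Server 2025), and it only reports, leaving enforcement to Group Policy.

```powershell
# Added example, not code from the original post: audit the relay-relevant settings
# on every domain controller and inventory who is still authenticating with NTLM,
# so NTLM can be restricted without breaking clients. Assumes the ActiveDirectory
# module and WinRM access to each DC. Set the values through Group Policy; this
# script only reports.
Import-Module ActiveDirectory

# Registry location, value name, hardened value, and meaning.
$expected = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RequireSecuritySignature'; Value=1; Meaning='SMB server signing required' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';         Name='LDAPServerIntegrity';       Value=2; Meaning='LDAP signing required' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';         Name='LdapEnforceChannelBinding'; Value=2; Meaning='LDAP channel binding always (EPA for LDAPS)' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='LmCompatibilityLevel';      Value=5; Meaning='NTLMv2 only, refuse LM and NTLMv1' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';     Name='AuditNTLMInDomain';         Value=7; Meaning='Audit all NTLM authentication in the domain' }
)

function Test-DcRelayHardening {
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ArgumentList (,$expected) -ScriptBlock {
        param($checks)
        foreach ($c in $checks) {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                Setting          = $c.Name
                Meaning          = $c.Meaning
                Expected         = $c.Value
                Actual           = $actual            # $null means the value is not set
                Compliant        = ($actual -eq $c.Value)
            }
        }
    } | Sort-Object Compliant, DomainController
}

# Once AuditNTLMInDomain is set, the DC writes event 8004 to its NTLM Operational
# log for each NTLM authentication. Grouping those events shows which workstations
# and users still depend on NTLM before the policy is flipped from audit to block.
function Get-NtlmUsageInventory {
    param([int]$Hours = 24)
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ArgumentList $Hours -ScriptBlock {
        param($h)
        $filter = @{ LogName='Microsoft-Windows-NTLM/Operational'; Id=8004; StartTime=(Get-Date).AddHours(-$h) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Pull the fields out of the rendered message rather than relying on property order.
            $ws   = if ($_.Message -match 'Workstation name:\s*(\S+)') { $Matches[1] } else { '?' }
            $user = if ($_.Message -match 'User name:\s*(\S+)')        { $Matches[1] } else { '?' }
            [pscustomobject]@{ DC=$env:COMPUTERNAME; Workstation=$ws; User=$user }
        }
    } | Group-Object Workstation, User | Sort-Object Count -Descending |
        Select-Object Count, @{n='Workstation';e={$_.Values[0]}}, @{n='User';e={$_.Values[1]}}
}

Test-DcRelayHardening | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Get-NtlmUsageInventory | Select-Object -First 20
```

Run the inventory for at least one full business cycle (month-end jobs included) before moving from audit to block; the entries with the highest counts are usually legacy appliances and service accounts that need a Kerberos-capable replacement rather than a policy exception.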
After establishing a presence, attackers often pivot to techniques that target service accounts, whose Kerberos service tickets are encrypted with a key derived from the account's password. Kerberoasting is a prime example, leveraging legitimate Kerberos functionality to obtain those tickets and crack them offline.
3. Kerberoasting
Kerberoasting targets service accounts: any authenticated domain user can request a Kerberos service ticket for an account that has a service principal name (SPN), and because that ticket is encrypted with a key derived from the service account's password, it can be taken offline and brute-forced to recover the password. The attack uses legitimate Kerberos functionality, so it often goes undetected, and the ticket requests it generates look like ordinary traffic in the logs. Many service accounts use weak or non-expiring passwords, which makes them especially vulnerable. The attack does not require elevated privileges to initiate. If successful, it can serve as a stepping stone to full domain compromise.
Detection:
- Look for service ticket requests (event ID 4769) with an unusual Kerberos encryption type, in particular RC4 (0x17) where AES is expected, in the domain controllers' security logs or in Microsoft Defender XDR advanced hunting.
- Check for alerts from Microsoft Defender XDR, which will raise an alert with an external ID 2410 for suspected Kerberos SPN exposure.
- Use Defender for Identity to detect suspicious ticket requests.
For more information on how to detect Kerberoasting, see Microsoft Security Blog – Kerberoasting.
Recommendations:
- Migrate service accounts to Group Managed Service Accounts (gMSA).
- Disable RC4 encryption for Kerberos. Starting with Windows Server 2025, RC4 is disabled by default.
- Regularly audit and remove unused SPNs.
- Enforce security baselines for Windows Server 2025.
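To put the detection and the remediation list side by side: the first function below enumerates the accounts an attacker can Kerberoast (user objects carrying an SPN) with the facts that decide how crackable they are, and the second reads event 4769 from the domain controllers and flags requesters that pulled RC4-encrypted service tickets for many distinct services, which is the footprint a Kerberoasting tool leaves. This is an added example, not code from the original post; it assumes the ActiveDirectory module, WinRM access to each DC, and that the "Audit Kerberos Service Ticket Operations" subcategory is enabled. The thresholds are assumptions.

```powershell
# Added example, not code from the original post: two checks for Kerberoasting.
# Get-KerberoastableAccounts lists user accounts that carry an SPN together with
# the facts that decide how crackable they are. Find-Rc4TicketRequests reads
# event 4769 from the domain controllers and flags requesters that obtained RC4
# service tickets for many distinct services in a short window.
# Assumes the ActiveDirectory module, WinRM to each DC, and that "Audit Kerberos
# Service Ticket Operations" is enabled. Thresholds are assumptions.
Import-Module ActiveDirectory

function Get-KerberoastableAccounts {
    # gMSAs are a different object class and are not returned by Get-ADUser.
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
        -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires,
                    'msDS-SupportedEncryptionTypes', AdminCount, Enabled |
    ForEach-Object {
        $enc = [int]($_.'msDS-SupportedEncryptionTypes')   # bit 0x4 = RC4, 0x8 = AES128, 0x10 = AES256
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            Privileged      = ($_.AdminCount -eq 1)
            PasswordAgeDays = if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { $null }
            NeverExpires    = $_.PasswordNeverExpires
            AesEnabled      = (($enc -band 0x18) -ne 0)   # $false: tickets will be RC4 and crack fastest
            Spns            = ($_.ServicePrincipalName -join ', ')
        }
    } | Sort-Object Privileged, AesEnabled -Descending
}

function Find-Rc4TicketRequests {
    param([int]$Hours = 24, [int]$MinDistinctServices = 5)

    $ms = $Hours * 3600 * 1000
    # Successful 4769s whose ticket was RC4 (0x17); AES tickets are 0x11 / 0x12.
    $xml = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">
  *[System[EventID=4769 and TimeCreated[timediff(@SystemTime) &lt;= $ms]]
    and EventData[Data[@Name='TicketEncryptionType']='0x17']
    and EventData[Data[@Name='Status']='0x0']]
</Select></Query></QueryList>
"@
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ArgumentList $xml -ScriptBlock {
        param($q)
        Get-WinEvent -FilterXml $q -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Requester = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                Service   = ($d | Where-Object Name -eq 'ServiceName').'#text'
                ClientIp  = ($d | Where-Object Name -eq 'IpAddress').'#text'
                Time      = $_.TimeCreated
            }
        }
    } |
    # Computer accounts and krbtgt are not Kerberoasting targets; drop them.
    Where-Object { $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt' } |
    Group-Object Requester |
    Where-Object { @($_.Group.Service | Sort-Object -Unique).Count -ge $MinDistinctServices } |
    ForEach-Object {
        [pscustomobject]@{
            Requester        = $_.Name
            DistinctServices = @($_.Group.Service | Sort-Object -Unique).Count
            ClientIps        = (@($_.Group.ClientIp | Sort-Object -Unique) -join ', ')
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

Get-KerberoastableAccounts | Format-Table -AutoSize
Find-Rc4TicketRequests | Format-Table -AutoSize
```

The accounts to fix first are the ones that show Privileged = True or AesEnabled = False with an old password: those are the targets that both pay off most and crack fastest. Once RC4 is disabled on the KDC the detection filter needs widening, because attackers will fall back to requesting AES tickets and the signal becomes the burst of distinct services rather than the encryption type.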
The success of Kerberoasting and similar attacks is amplified when accounts are over-permissioned or misconfigured. Excessive privileges can create shortcuts for attackers to escalate access and compromise critical assets.
4. Excessive privileges & account misconfigurations
Excessive privileges and misconfigurations occur when accounts have more permissions than necessary, often due to legacy setups or poor access control. Overprivileged accounts are prime targets for attackers. If compromised, they can be used to disable security tools, access sensitive data, or take control of the domain. These risks are amplified in hybrid environments where on-prem and cloud permissions intersect. A single misconfigured account can serve as a bridge between environments, expanding the blast radius of an attack.
Detection:
- Defender for Identity flags risky settings and maps lateral movement paths.
- Use Active Directory Administrative Center, or other Active Directory tools, to review group memberships and delegated permissions.
Recommendations:
- Apply least privilege principles.
- Use JIT access and MFA for admin tasks.
- Implement Microsoft’s Tiered Administration model.
- Audit and clean up legacy permissions.
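The least-privilege review in the list above starts with knowing exactly who is in the tier-0 groups once nesting is expanded, and which of those accounts carry conditions that turn excessive privilege into an easy escalation. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module, and its group list and 90-day staleness threshold are assumptions to adjust for the environment.

```powershell
# Added example, not code from the original post: audit the tier-0 groups for
# account conditions that make an over-privileged account easy to abuse, and
# find "orphaned" admins (adminCount=1) that left the groups but kept the
# protected ACL. Assumes the ActiveDirectory module; the group list is the
# built-in high-privilege set and may need extending.
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

function Get-PrivilegedAccountReport {
    param([int]$StaleDays = 90)   # assumed: unused for 90 days is a removal candidate

    $members = foreach ($g in $tier0Groups) {
        # -Recursive expands nested groups; this is where forgotten nesting hides.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object @{n='Via';e={$g}}, objectClass, SamAccountName, distinguishedName
    }

    $users = $members | Where-Object objectClass -eq 'user' | Group-Object SamAccountName
    foreach ($u in $users) {
        $ad = Get-ADUser -Identity $u.Name -Properties PasswordLastSet, PasswordNeverExpires,
                  LastLogonDate, ServicePrincipalName, Enabled
        $issues = @()
        if ($ad.PasswordNeverExpires) { $issues += 'password never expires' }
        if ($ad.ServicePrincipalName) { $issues += 'has SPN (Kerberoastable admin)' }
        if (-not $ad.Enabled)         { $issues += 'disabled but still a member' }
        if ($ad.LastLogonDate -and ((Get-Date) - $ad.LastLogonDate).Days -gt $StaleDays) {
            $issues += "no logon in $StaleDays days"
        }
        if ($ad.PasswordLastSet -and ((Get-Date) - $ad.PasswordLastSet).Days -gt 365) {
            $issues += 'password older than a year'
        }
        [pscustomobject]@{
            Account   = $u.Name
            Groups    = (@($u.Group.Via | Sort-Object -Unique) -join ', ')
            LastLogon = $ad.LastLogonDate
            Issues    = ($issues -join '; ')
        }
    }
}

# adminCount=1 with no current privileged membership is AdminSDHolder residue: the
# object keeps a non-inheriting ACL, so delegated permissions silently stop applying.
function Get-OrphanedAdminCount {
    $current = foreach ($g in $tier0Groups) {
        (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue).SamAccountName
    }
    Get-ADUser -Filter 'AdminCount -eq 1' |
        Where-Object { $_.SamAccountName -notin $current -and $_.SamAccountName -ne 'krbtgt' } |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

Get-PrivilegedAccountReport | Where-Object Issues | Format-Table -AutoSize
Get-OrphanedAdminCount | Format-Table -AutoSize
```

A useful habit is to run this after every change to the tier-0 groups and diff the output against the previous run; group membership that appears without a matching change record is itself a finding.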
Beyond misconfigurations, legacy features like unconstrained delegation introduce additional risk. If left in place, they can allow attackers to impersonate users and access sensitive resources without detection.
5. Unconstrained delegation
Unconstrained delegation is a legacy Kerberos feature that lets a service impersonate any user who authenticates to it. When a user connects to such a service, a copy of the user's TGT is sent along with the service ticket and cached in memory on that host. Because that TGT is valid across the domain, an attacker who compromises the host can extract the cached TGTs and impersonate those users, domain admins included, against any Kerberos-protected service.
Detection:
- Use PowerShell to find systems with unconstrained delegation.
- Defender for Identity identifies risky configurations.
Recommendations:
- Deploy Credential Guard on endpoints.
- Add high-risk accounts to the “Protected Users” group.
- Mark privileged accounts as “sensitive and cannot be delegated.”
- Remove support for unconstrained delegation.
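The "use PowerShell" step above, and the account-level mitigations that follow it, look like this in practice. The script is an added example, not code from the original post; it assumes the ActiveDirectory module. Domain controllers are excluded from the delegation list because they are trusted for delegation by design, and the repair function honours -WhatIf so the findings can be reviewed before anything changes.

```powershell
# Added example, not code from the original post: find every principal with
# unconstrained delegation (apart from domain controllers, where it is expected),
# plus privileged accounts that could be caught by it because they are neither in
# Protected Users nor marked "sensitive and cannot be delegated". Assumes the
# ActiveDirectory module; Repair-DelegationExposure honours -WhatIf.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegation {
    $dcNames = (Get-ADDomainController -Filter *).Name
    # TRUSTED_FOR_DELEGATION on a computer or user object is unconstrained delegation.
    $computers = Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties OperatingSystem, LastLogonDate |
        Where-Object { $_.Name -notin $dcNames } |
        Select-Object @{n='Principal';e={$_.SamAccountName}}, @{n='Type';e={'computer'}},
                      OperatingSystem, LastLogonDate, DistinguishedName
    $users = Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties LastLogonDate |
        Select-Object @{n='Principal';e={$_.SamAccountName}}, @{n='Type';e={'user'}},
                      @{n='OperatingSystem';e={$null}}, LastLogonDate, DistinguishedName
    @($computers) + @($users)
}

function Get-DelegatableAdmins {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    $protected = @((Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue).SamAccountName)
    $seen = @{}
    foreach ($g in $Groups) {
        foreach ($m in (Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user')) {
            if ($seen.ContainsKey($m.SamAccountName)) { continue }
            $seen[$m.SamAccountName] = $true
            $u = Get-ADUser -Identity $m.SamAccountName -Properties AccountNotDelegated
            $inProtected = ($u.SamAccountName -in $protected)
            [pscustomobject]@{
                Account          = $u.SamAccountName
                InProtectedUsers = $inProtected
                NotDelegatedFlag = [bool]$u.AccountNotDelegated
                # Either control stops the TGT from being handed to a delegating host.
                Exposed          = -not ($u.AccountNotDelegated -or $inProtected)
            }
        }
    }
}

function Repair-DelegationExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in Get-UnconstrainedDelegation) {
        if ($PSCmdlet.ShouldProcess($p.Principal, 'Clear TrustedForDelegation')) {
            if ($p.Type -eq 'computer') { Set-ADComputer -Identity $p.Principal -TrustedForDelegation $false }
            else                        { Set-ADUser     -Identity $p.Principal -TrustedForDelegation $false }
        }
    }
    foreach ($a in (Get-DelegatableAdmins | Where-Object Exposed)) {
        if ($PSCmdlet.ShouldProcess($a.Account, 'Set AccountNotDelegated')) {
            Set-ADUser -Identity $a.Account -AccountNotDelegated $true
        }
    }
}

Get-UnconstrainedDelegation | Format-Table -AutoSize
Get-DelegatableAdmins | Where-Object Exposed | Format-Table -AutoSize
Repair-DelegationExposure -WhatIf   # drop -WhatIf after review; any service relying on delegation will break
```

Clearing the flag on a host is only half the fix: if that host was ever compromised, assume the TGTs it cached were taken, and treat the accounts that logged on to it as needing a password reset.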
Once attackers achieve high privilege, they often seek persistence. Golden Ticket attacks represent the ultimate escalation—granting attackers the ability to forge Kerberos tickets and maintain control indefinitely.
6. Golden Ticket attack
Golden Ticket attacks use a stolen KRBTGT account key to forge Kerberos tickets, granting unrestricted domain access. If this key is compromised, the environment is already seriously breached. Prevention centers on blocking key theft and quickly detecting forged tickets.
This attack is especially dangerous because it bypasses standard authentication and enables persistent, stealthy domain access. Attackers often pair it with methods like DCSync or credential dumping to steal the KRBTGT hash.
Detection:
- Defender for Identity provides real-time alerts for Golden Ticket usage, DCSync/DCShadow attacks, and unusual Kerberos activity.
- Enable Kerberos audit logging (the Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations subcategories) on all domain controllers.
Recommendations:
- Rotate the KRBTGT password at least every 180 days. Reset it twice, because the KDC still accepts tickets protected with the previous key, but wait for replication to complete (and ideally for the maximum ticket lifetime, 10 hours by default) between the two resets, or every ticket in the domain is invalidated at once.
- Enable LSA Protection on domain controllers.
- Remove replication (DCSync) rights on the domain naming context from any principal that is not a domain controller or a tier-0 administrator.
- Implement tiered administration and least privilege to limit replication rights and administrative access.
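Two of the recommendations above reduce to concrete checks: how old the KRBTGT key is, and who holds the directory-replication rights that DCSync needs. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module (which provides the AD: drive), and the list of principals that are expected to hold replication rights is an assumption to adjust for the environment (for instance, an Entra Connect password hash sync account holds them legitimately).

```powershell
# Added example, not code from the original post: two Golden Ticket hygiene
# checks. Test-KrbtgtAge reports how stale the KRBTGT key is against the 180-day
# guidance; Get-DcSyncPrincipals lists every principal granted the replication
# extended rights (or GenericAll) on the domain naming context, which is what
# DCSync needs to pull the KRBTGT hash. Assumes the ActiveDirectory module; the
# "expected" principal list is an assumption and should be adjusted.
Import-Module ActiveDirectory

function Test-KrbtgtAge {
    param([int]$MaxDays = 180)
    $k   = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = ((Get-Date) - $k.PasswordLastSet).Days
    [pscustomobject]@{
        PasswordLastSet = $k.PasswordLastSet
        AgeDays         = $age
        RotationDue     = ($age -gt $MaxDays)
    }
}

# Well-known control access right GUIDs for directory replication.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncPrincipals {
    $domain = Get-ADDomain
    $nb     = $domain.NetBIOSName
    # Principals that legitimately hold replication rights (assumed baseline).
    $expected = @(
        "$nb\Domain Controllers", "$nb\Domain Admins", "$nb\Enterprise Admins",
        "$nb\Enterprise Read-only Domain Controllers",
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
    )
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            # Either an explicit replication extended right, or GenericAll, which implies all of them.
            ($replicationRights.ContainsKey($_.ObjectType.ToString()) -and $_.ActiveDirectoryRights -match 'ExtendedRight') -or
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        } |
        ForEach-Object {
            $who  = $_.IdentityReference.Value
            $guid = $_.ObjectType.ToString()
            [pscustomobject]@{
                Principal  = $who
                Right      = if ($replicationRights.ContainsKey($guid)) { $replicationRights[$guid] } else { 'GenericAll' }
                Inherited  = $_.IsInherited
                Unexpected = ($who -notin $expected)
            }
        } | Sort-Object Unexpected -Descending, Principal
}

Test-KrbtgtAge
Get-DcSyncPrincipals | Where-Object Unexpected | Format-Table -AutoSize
```

An unexpected principal with DS-Replication-Get-Changes-All is the finding that matters: Get-Changes alone does not return secrets, but the pair is everything DCSync needs, and any account on that list should be treated as equivalent to a domain admin until the ACE is removed.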
Upgrade your cybersecurity with Microsoft
Active Directory Domain Services is central to enterprise identity and access management, making it a frequent focus for cyberattacks. Proactive detection and remediation are essential to reduce risk. If you suspect a compromise, rapid containment is critical. Microsoft Incident Response can help before, during, and after a cybersecurity incident. To learn more, visit Upgrade proactive and reactive defenses with Microsoft Incident Response.
By applying the detection methods and remediation steps outlined above, organizations can significantly reduce their attack surface. Microsoft’s security tools—Defender for Identity, Defender Vulnerability Management, Sentinel, and Privileged Identity Management—provide the analytics and controls needed to help stay ahead of evolving threats.