Two decades on, Active Directory requires a modern defence strategy

How to apply Australian Signals Directorate (ASD) guidance to strengthen enterprise identities at scale.

Why Active Directory is a key target

In today’s highly distributed enterprise, employees need to be able to access systems and data from anywhere. But to ensure those systems and data are protected, organisations must ensure they only allow the right people to access the resources they need.

Protecting users’ identities and authentication credentials, therefore, has become a business imperative. For more than 90 per cent of organisations globally, according to Gartner, that means protecting Active Directory. 

Since its launch by Microsoft more than two decades ago, Active Directory has been a foundational pillar of enterprise information technology (IT) systems. It enables organisations to centrally manage and authenticate users, devices and permissions across enterprise networks – controlling who can access what and under what conditions. 

However, Active Directory’s pivotal role in enterprise IT makes it a common and valuable target for cyberattacks. An Active Directory breach can be like a thief getting a master key to your business, unlocking access to emails, business applications, sensitive files and connected cloud services.

As IBM’s X-Force Threat Intelligence Index 2024 reveals, 80 per cent of enterprise cyberattacks use Active Directory to perform privilege escalation and lateral movement across networks. Furthermore, attackers can persist inside an Active Directory for months or even years.

These threats are why the ASD and its Five Eyes partner agencies have developed detailed guidance on Detecting and Mitigating Active Directory Compromises.

Endorsed by Five Eyes Security Agencies

The Active Directory guidance was jointly developed with leading cyber agencies from Five Eyes alliance nations, reflecting a consensus among leading cybersecurity experts on the magnitude of Active Directory threats. Contributing agencies included the ASD, the US Cybersecurity and Infrastructure Security Agency and National Security Agency, the UK’s National Cyber Security Centre, the Canadian Centre for Cyber Security and New Zealand’s National Cyber Security Centre. The guidance builds on the ASD’s widely acknowledged Essential Eight and other cybersecurity frameworks.


“Active Directory can be misused by malicious actors to establish persistence in organisations. Some persistence techniques allow malicious actors to log in to organisations remotely, even bypassing multi-factor authentication controls. Many of these persistence techniques are resistant to cybersecurity incident response remediation activities intended to evict malicious actors … Sophisticated malicious actors may persist for months or even years inside Active Directory.”
Detecting and Mitigating Active Directory Compromises, Australian Signals Directorate



How attackers compromise Active Directory

Active Directory is, by default, highly vulnerable to attacks. As the ASD guidance says: “Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships and permissions, support for legacy protocols, and lack of tooling for diagnosing Active Directory security issues.” 

The guidance identifies numerous attack techniques that leverage these vulnerabilities. Furthermore, as enterprise networks have grown with migrations to the cloud, organisations that rely on Microsoft Entra ID (formerly Azure Active Directory) are also at risk.

The attack techniques fall into four stages: stealing credentials, escalating privileges, taking over domains and hiding on networks for extended periods.

1. Credential theft

First, the attackers steal usernames and passwords by guessing, cracking or finding them in files – or even purchasing them on the dark web.

Techniques and what they do:

  • Kerberoasting: cracks the passwords of service accounts by requesting Kerberos service tickets for them and breaking the tickets’ encryption offline.
  • Authentication server response (AS-REP) roasting: targets accounts that do not require Kerberos pre-authentication, extracting material that can be cracked offline to recover their passwords.
  • Password spraying: tries common passwords across many user accounts to find one that works.
  • Credential hunting in shares: searches shared folders for saved passwords or configuration files containing secrets.
  • Pass-the-hash: uses stolen password hashes (the stored representations of passwords) to authenticate directly, without needing the plaintext password.

2. Privilege escalation

The attackers then escalate their access to gain admin-level control by exploiting misconfigurations.

Techniques and what they do:

  • MachineAccountQuota exploit: abuses the default setting that lets ordinary domain users create new computer accounts, which attackers then misuse.
  • Unconstrained delegation: lets attackers impersonate users by misusing a feature meant to let services act on users’ behalf.
  • Group policy preferences (GPP): finds legacy passwords stored in configuration files in a reversibly encrypted form and decrypts them.
  • Active Directory certificate services (AD CS) exploits: requests fraudulent certificates to impersonate privileged users.
  • Golden certificate: uses a stolen certificate authority key to forge certificates for unlimited access.
  • Skeleton key: patches a domain controller’s authentication process so that a master password works for any account.
  • Security identifier (SID) history injection: tricks Active Directory into granting a user the privileges of a previous identity.
  • AdminSDHolder abuse: grants admin-level rights by modifying the special object whose permissions are periodically applied to protected admin accounts and groups.

3. Domain takeover

Once inside, they can take over the entire network, giving them full access to systems and data.

Techniques and what they do:

  • Directory replication (DCSync): impersonates a domain controller to request replication of all password hashes from Active Directory.
  • Dumping ntds.dit: steals the main Active Directory database, which contains password hashes and sensitive account data.
  • Data protection API (DPAPI) key theft: extracts backup encryption keys that let attackers decrypt secrets users have protected with DPAPI.

4. Persistence through stealth

To maintain control, attackers leverage reusable and stealth techniques to avoid detection and stay in the environment long term.

Techniques and what they do:

  • Golden ticket: uses the Kerberos Ticket Granting Ticket (KRBTGT) account’s key to forge authentication tickets that effectively never expire, giving access to anything.
  • AdminSDHolder abuse, golden certificate, SID history injection, skeleton key: can be reused at will or enable attackers to remain hidden long after the initial breach.

“Gaining control of Active Directory gives malicious actors privileged access to all systems and users that Active Directory manages. With this privileged access, malicious actors can bypass other controls and access systems, including email and file servers, and critical business applications at will.”
Detecting and Mitigating Active Directory Compromises, Australian Signals Directorate



Three ways to turn the ASD’s guidance into action

The ASD’s guidance recommends a comprehensive, defence-in-depth approach to protecting this critical infrastructure from compromise. This approach emphasises the need to both prevent and detect attacks. 

Key recommendations include securing privileged access using Microsoft’s tiered Enterprise Access Model, removing legacy and vulnerable features, reducing unnecessary permissions and exposures, enforcing strong authentication and closely monitoring for signs of compromise. Preparing for disaster recovery is vital too, since a full compromise of Active Directory can be extremely time-consuming and costly to remediate. 

Implementing these recommendations is less straightforward, because every organisation’s Active Directory environment is unique. Even so, the following strategies should enable all organisations to detect, mitigate and recover quickly from Active Directory attacks.

1. Detect and respond to Active Directory threats in real time

A central pillar of the ASD guidance is early detection. Many identity-based attacks involve subtle, low-noise behaviours, like a new account being added to a privileged group or a forged Kerberos ticket being used to access a sensitive system. These signals can easily be lost in the noise of everyday operations without continuous, contextual monitoring.

The solution is to use real-time detection tools to spot attacks before they escalate. This allows security teams to isolate the threat, investigate its scope and take swift action. It also helps reduce attacker dwell time, limiting the potential damage to systems and data.
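The kind of monitoring described above, as an added example that is not from the ASD guidance or from Quest’s products: a small Python rule set that flags, in constructed sample Security events, the privileged group addition mentioned here and three of the techniques from the tables above (AS-REP roasting, Kerberoasting and DCSync). The event IDs, the RC4 encryption type 0x17 and the replication GUID are real Windows values; the field names are simplified, and the thresholds, usernames, addresses and records are assumptions constructed for the example.

```python
# Added example (not from the ASD guidance or Quest): detection rules for four low-noise
# AD signals, run over constructed Security events with simplified field names.
from collections import defaultdict
from datetime import datetime, timedelta

GROUP_ADD_EVENTS = {"4728", "4732", "4756"}      # member added to a security group
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RC4_HMAC = "0x17"                                # legacy Kerberos ticket encryption type
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

def detect(events, window=timedelta(minutes=5), spn_threshold=5):
    """Return (rule, details...) tuples for every event pattern that matches a rule."""
    alerts, rc4_requests = [], defaultdict(list)
    for e in events:
        eid, ts = e["EventID"], datetime.fromisoformat(e["Time"])
        if eid in GROUP_ADD_EVENTS and e.get("TargetGroup") in PRIV_GROUPS:
            alerts.append(("privileged_group_add", e["SubjectUser"], e["MemberName"], e["TargetGroup"]))
        elif eid == "4768" and e.get("PreAuthType") == "0" and e.get("TicketEncryptionType") == RC4_HMAC:
            # TGT issued with no pre-authentication: an AS-REP roastable account is being targeted
            alerts.append(("asrep_roast_candidate", e["TargetUser"], e["IpAddress"]))
        elif eid == "4769" and e.get("TicketEncryptionType") == RC4_HMAC:
            rc4_requests[e["TargetUser"]].append((ts, e["ServiceName"]))
        elif eid == "4662" and REPL_GET_CHANGES_ALL in e.get("Properties", "") \
                and not e["SubjectUser"].endswith("$"):
            # replication right exercised by something other than a computer account: DCSync pattern
            alerts.append(("dcsync_candidate", e["SubjectUser"]))
    # Kerberoasting pattern: one principal pulls RC4 service tickets for many SPNs in a short window
    for user, reqs in rc4_requests.items():
        reqs.sort()
        for start, _ in reqs:
            spns = {svc for t, svc in reqs if start <= t <= start + window}
            if len(spns) >= spn_threshold:
                alerts.append(("kerberoast_candidate", user, len(spns)))
                break
    return alerts

SAMPLE_EVENTS = [  # constructed sample data, not real log records
    {"EventID": "4728", "Time": "2024-05-01T09:00:00", "SubjectUser": "helpdesk1",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "TargetGroup": "Domain Admins"},
    {"EventID": "4768", "Time": "2024-05-01T09:01:00", "TargetUser": "j.doe",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    *[{"EventID": "4769", "Time": f"2024-05-01T09:02:{s:02d}", "TargetUser": "j.doe",
       "ServiceName": f"MSSQLSvc/db{s}.corp.example", "TicketEncryptionType": "0x17"}
      for s in range(6)],
    {"EventID": "4662", "Time": "2024-05-01T09:05:00", "SubjectUser": "j.doe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "Time": "2024-05-01T09:05:01", "SubjectUser": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

Calling `detect(SAMPLE_EVENTS)` returns four alerts, one per rule; the replication event from the domain controller account DC02$ is correctly ignored.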

Visualising potential attack paths

A US state transportation agency needed to harden its complex Active Directory environment against identity-based attacks, especially after losing several veteran IT staff members following the pandemic. Its challenge was identifying hidden Active Directory attack paths and conveying the urgency of fixes to business decision makers. Using SpecterOps BloodHound Enterprise – part of Quest’s Security Guardian suite – the agency could visualise potential attack paths in its Active Directory. Business stakeholders could see why dangerous permissions or configurations had to be removed. The agency shut down those attack pathways, significantly reducing the risk of breaches. It now protects Tier-0 assets like domain controllers in real time by cutting off opportunities for attackers before they can be exploited.


2. Maintain deep visibility and traceability

The guidance also emphasises the importance of full auditability. Organisations should be able to track who changed what, when and where – across users, groups, policies and systems. This level of visibility is essential for forensic investigations, enabling compliance and ensuring changes to sensitive systems are authorised and traceable.

Without centralised auditing, it is difficult to determine how a compromise occurred or whether malicious changes are still in place. Visibility also supports better governance: privileged changes that are seen and reviewed are less likely to be abused.

Gaining full audit trails of Active Directory changes

Greif, a global leader in industrial packaging, needed to improve the visibility of its Active Directory environment, strengthen its security and manage users more efficiently. To address these challenges, the company deployed Quest’s Active Roles and Change Auditor. These solutions enabled centralised, automated management of Active Directory permissions, single-click account provisioning and restoration, and full audit trails of Active Directory changes. As a result, Greif gained tight control over privileged access and established a more secure and efficient Active Directory environment. The company has reduced the risk of threats, ensuring the right users have the right access and all changes are fully traceable.


3. Be prepared for fast, secure recovery

The ASD guidance recognises that some attacks may succeed, especially those involving credential theft, golden tickets or full domain compromise. In these cases, recovery is not just a technical task; it’s a business continuity issue. The guidance recommends having tested, secure backups and the ability to rebuild Active Directory in a clean, isolated environment, free from attacker persistence mechanisms such as backdoors or forged credentials.

Restoring an Active Directory requires more than traditional backup – it demands granular recovery options, the ability to validate environments before restoring them and a plan that prioritises both speed and security. The ability to restore Active Directory quickly and cleanly could be the difference between days of downtime and a controlled, well-managed response.

Reducing Active Directory recovery time to two hours

AtkinsRéalis, a global engineering and project management firm, faced challenges with prolonged Active Directory disaster recovery times, which posed risks to business continuity. To address this, the company implemented Quest’s Recovery Manager for Active Directory Disaster Recovery Edition and On Demand Recovery solutions. The new solutions reduced the company’s Active Directory recovery time from two days to just two hours, even for environments with multiple domain controllers. The Quest tools also automated the restoration of hybrid objects, such as cloud-only attributes, eliminating manual steps and further minimising downtime.


“Evicting the most determined malicious actors can require drastic action, ranging from resetting all users’ passwords to rebuilding Active Directory itself.”
Detecting and Mitigating Active Directory Compromises, Australian Signals Directorate



Protecting Active Directory at scale with the right tools

The ASD’s guidance includes a checklist of more than 100 security controls to mitigate Active Directory threats. So, while its recommendations are comprehensive and robust, implementing them manually can be resource-intensive and time-consuming – especially in large, complex environments. Factor in the need for continuous monitoring and rapid disaster recovery capability, and manually protecting Active Directory soon becomes unsustainable for many organisations. 

Executing the recommendations at scale requires dedicated tooling that automates or streamlines all the necessary processes. For example, Quest offers a comprehensive suite of identity threat detection and response tools, including the following products: 

  • Security Guardian supports real-time detection of identity threats across Active Directory and Microsoft Entra ID, helping security teams prioritise risks and act faster.
  • Change Auditor provides detailed auditing of every Active Directory change, making it easier to detect unauthorised actions and support compliance efforts.
  • Recovery Manager for Active Directory Disaster Recovery Edition enables fast, flexible recovery of Active Directory, including clean rebuilds in isolated environments to eliminate attacker footholds.


Saving US$19.7 million in a ransomware scenario

When Active Directory fails, an organisation’s IT environment can come to a grinding halt – along with the entire business. To quantify the cost of recovering from such a disaster, Quest commissioned a study by Forrester Consulting. The study, The Total Economic Impact of Quest Recovery Manager for Active Directory Disaster Recovery, found that for a composite global enterprise with 30 domain controllers, the cost of an Active Directory being offline was US$730,000 per hour. It also found that using Quest’s disaster recovery solution reduced Active Directory recovery time from 30 hours to 3 hours. In a ransomware scenario, this translates into savings of US$19.7 million due to faster recovery. 


With the right tools, organisations can implement the ASD’s guidance sustainably and at scale. The tools can provide the visibility, control and resilience needed to defend against identity-based attacks and recover confidently when they occur.

Contact Quest for more information about how we can help you implement the ASD’s guidance and protect your organisation against Active Directory threats.  

Published by

Richard Kulkarni, Country Manager ANZ, Quest.com

About our partner

Quest.com

At Quest, we create and manage the software that makes the benefits of new technology real while empowering users and data, streamlining IT operations and hardening cybersecurity from the inside out. Companies turn to us to manage, modernise and secure their business, from on-prem to in-cloud, from the heart of the network to the vulnerable endpoints. We help you conquer your next challenge with confidence and achieve true IT resilience — because next is here now.

Our solutions include:

  • Become data-driven: Empower enterprise IT stakeholders to use data assets strategically for data operations, data protection and data governance.
  • Improve your identity security posture: Achieve identity-centric cybersecurity to protect the people, applications and data essential to business, with solutions for identity governance, access management, privileged access management, and Active Directory security.
  • Migrate & consolidate Microsoft workloads: Conquer your next migration (now and in the future) by making it a non-event for users.
  • Protect and secure your endpoints: Discover, manage and secure evolving hybrid workforce environments.
  • Strengthen hybrid AD and Microsoft 365 security: Detect, defend against and recover from cyber attacks and insider threats.
  • Get control of your data backup and recovery: Speed data recovery and reduce storage costs.
