
Active Directory is still the control plane for identity in many organizations. If AD falls, everything connected to it becomes easier to compromise.

Active Directory (AD) has been declared "dead" for many years. Much to the industry's chagrin, it is still present in the majority of organizations, from small businesses to large enterprises.

Just look at the stats:

The stats below are from a conversation on the Hybrid Identity Protection podcast by Semperis with guest Cliff Fisher.

  1. 86% of organizational workloads STILL touch Active Directory in some way.

  2. Only 53% of organizations expect to reach a 50/50 split between Active Directory and Entra ID within the next 5 years.

  3. 19% of organizations expect that reaching a 50/50 split between Active Directory and Entra ID will take 10-20+ years.

Now let's look at how many businesses there are, just in the United States, with, let's say, 10 or more employees.

NAIC census data showing businesses of each employee count category as of December 3, 2024:

Employee Count    Number of Businesses
10–19             809,398
20–49             409,391
50–99             151,979
100–249            89,573
250–499            33,612
500–999            19,380
1,000+             24,399

That's roughly 1.5 million businesses with 10+ employees. Statistically speaking, that's a lot of organizations that still run Active Directory.

The numbers are hard to ignore. Active Directory is alive and well and continues to be a major infrastructure component for many, many organizations.

That means that Active Directory will continue to be attacked.

That also means that learning to defend Active Directory will continue to be important.

What is an Active Directory Attack Path?

In Active Directory, an attack path is the route an attacker can take from an initial compromised user or machine to a high-impact target by abusing credentials, permissions, group membership, misconfigurations, and vulnerabilities.

They can be as simple as compromising Suzie in Accounting's workstation, dumping credentials, and moving laterally to a Domain Controller.

Or they can be as complex as compromising a standard user, identifying an Active Directory misconfiguration that grants access to a server, using that server to reach another forest, and chaining further misconfigurations there until the entire domain is compromised.

Here's how it looks from the attacker's perspective:

  1. Compromise Suzie in Accounting’s workstation

    1. See that a domain admin previously logged into that workstation

  2. Steal that admin's Kerberos ticket from the workstation's memory (LSASS)

  3. Reuse that domain admin ticket (pass-the-ticket) to access a domain controller

  4. Perform a DCSync attack to replicate every account's secrets and compromise the entire domain
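Step 1.1 is the condition a defender can look for directly: a Tier 0 account leaving credential material on a host it has no business being on. The following is an added example, not code from the original post, that flags interactive logons by Tier 0 accounts on hosts outside the domain controller / privileged access workstation set using Security event 4624. The account names, host names and the sample events are constructed for illustration, and ConvertFrom-Logon4624 is an assumed helper for feeding real Get-WinEvent output through the same check.

```powershell
# Added example, not from the original post. Names and events below are constructed.

# Assumed Tier 0 accounts and the only hosts they are allowed to log on to interactively
$Tier0Accounts = @('CORP\da-jsmith', 'CORP\Administrator')
$Tier0Hosts    = @('DC01', 'DC02', 'PAW01')

# 4624 logon types that leave reusable credential material (tickets, hashes) in LSASS on the target
$RiskyLogonTypes = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-RiskyPrivilegedLogon {
    # Returns one finding per Tier 0 logon on a host outside the Tier 0 set
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $account = '{0}\{1}' -f $e.TargetDomainName, $e.TargetUserName
        if ($Tier0Accounts -notcontains $account)                 { continue }
        if (-not $RiskyLogonTypes.ContainsKey([int]$e.LogonType)) { continue }
        if ($Tier0Hosts -contains $e.Computer)                    { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $account
            Host      = $e.Computer
            LogonType = $RiskyLogonTypes[[int]$e.LogonType]
            Finding   = 'Tier 0 credentials exposed on a non-Tier 0 host'
        }
    }
}

function ConvertFrom-Logon4624 {
    # Flattens real Security 4624 records into the shape Get-RiskyPrivilegedLogon expects.
    # Property indexes follow the 4624 event schema: TargetUserName=5, TargetDomainName=6, LogonType=8
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord[]]$Records)
    foreach ($r in $Records) {
        [pscustomobject]@{
            TimeCreated      = $r.TimeCreated
            Computer         = $r.MachineName.Split('.')[0]
            TargetUserName   = $r.Properties[5].Value
            TargetDomainName = $r.Properties[6].Value
            LogonType        = $r.Properties[8].Value
        }
    }
}

# Constructed sample: Suzie's normal logon, a domain admin RDP session to her workstation,
# the same admin on a DC (allowed), and a network logon (type 3) that leaves nothing to steal
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-12-03 08:55'; Computer = 'WKS-ACCT-07'; TargetUserName = 'suzie';     TargetDomainName = 'CORP'; LogonType = 2 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-12-03 09:12'; Computer = 'WKS-ACCT-07'; TargetUserName = 'da-jsmith'; TargetDomainName = 'CORP'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-12-03 09:40'; Computer = 'DC01';        TargetUserName = 'da-jsmith'; TargetDomainName = 'CORP'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-12-03 10:02'; Computer = 'WKS-ACCT-07'; TargetUserName = 'da-jsmith'; TargetDomainName = 'CORP'; LogonType = 3 }
)

Get-RiskyPrivilegedLogon -Events $SampleEvents | Format-Table -AutoSize

# Live use on a host or event collector (needs Security log read rights):
# $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) }
# Get-RiskyPrivilegedLogon -Events (ConvertFrom-Logon4624 -Records $records)
```

Network logons (type 3) are deliberately excluded: an admin mapping a share or running a remote command does not leave a ticket or hash in the target's LSASS, so it is the interactive, RDP and unlock logons that create the condition in step 1.1. Run this against the last few weeks of logs and every row is one link in an attack path you can break.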

As a defender, it's our job to make sure that doesn't happen, by breaking the attack path.

Attack Path Pre-requisites

In order to have a complete attack path, an attacker typically needs:

1) Access: The threat actor first has to get into the environment

2) Credentials: They need credential material for privileged accounts

3) Targets: They need somewhere to use the credentials they have obtained

4) Weak or Missing Defensive Controls: They need hardening/mitigation controls to NOT be in place

What Defenders Should Do

This is not news to you but AD is old. It’s a collection of inherited configurations. And unfortunately, most organizations do not have a clear picture of who can control what.

If you want to get a clearer picture of how an attacker would go after your environment, I recommend creating an attack path kill list.

An Attack Path Kill List is just a fancy name for identifying where potential attack paths exist in your environment, then mitigating or eliminating them with defensive controls.

  1. Identify Attack Paths

  2. Prioritize Remediations

  3. Fix, Re-test

  4. Repeat
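Prerequisite 4 above (weak or missing defensive controls) and the "Fix, Re-test" step both come down to the same question: are the controls that break the "steal the admin's ticket from memory" step actually in place on this host? The following is an added example, not code from the original post, that checks one Windows host for LSASS Protected Process Light, WDigest plaintext caching, Credential Guard, the cached domain logon count and, when the ActiveDirectory module is present, Protected Users membership for a set of Tier 0 accounts. Test-CredentialTheftControls and the Tier 0 account names are assumptions, and the cached-logon threshold of 4 is an assumed baseline rather than a recommendation from the post.

```powershell
# Added example, not from the original post. Run elevated on the host being checked.

function Test-CredentialTheftControls {
    [CmdletBinding()]
    param(
        # Assumed Tier 0 account names to look for in Protected Users (needs the ActiveDirectory module)
        [string[]]$Tier0Accounts = @('da-jsmith', 'Administrator'),
        # Assumed baseline: workstations should keep at most this many cached domain logons
        [int]$MaxCachedLogons = 4
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, [string]$Expected, [string]$Actual, [bool]$Pass) {
        $findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Control = $Control; Expected = $Expected; Actual = $Actual; Pass = $Pass })
    }

    # 1. LSASS as Protected Process Light blocks ordinary user-mode dumping of ticket/hash material
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ppl = $lsa.RunAsPPL
    Add-Finding 'LSASS runs as Protected Process Light (RunAsPPL)' '1 or 2' "$ppl" ($ppl -in 1, 2)

    # 2. WDigest must not cache plaintext passwords (1 = caching enabled; unset means disabled on modern Windows)
    $wd  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $ulc = $wd.UseLogonCredential
    $ulcText = if ($null -eq $ulc) { 'not set' } else { "$ulc" }
    Add-Finding 'WDigest plaintext caching disabled (UseLogonCredential)' '0 or not set' $ulcText ($ulc -ne 1)

    # 3. Credential Guard isolates TGTs and NTLM hashes from LSASS (SecurityServicesRunning contains 1)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    Add-Finding 'Credential Guard running' 'True' "$cgRunning" $cgRunning

    # 4. Cached domain logons (REG_SZ, default 10) are another offline-crackable credential store
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $cached = if ($null -eq $wl.CachedLogonsCount) { 10 } else { [int]$wl.CachedLogonsCount }
    Add-Finding 'Cached domain logons limited (CachedLogonsCount)' "<= $MaxCachedLogons" "$cached" ($cached -le $MaxCachedLogons)

    # 5. Protected Users: no NTLM, no RC4/DES, no delegation, 4-hour TGT lifetime for Tier 0 accounts
    if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
        $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName
        foreach ($acct in $Tier0Accounts) {
            $inGroup = $protected -contains $acct
            Add-Finding "Tier 0 account $acct in Protected Users" 'True' "$inGroup" $inGroup
        }
    } else {
        Add-Finding 'Tier 0 accounts in Protected Users' 'True' 'skipped (ActiveDirectory module not present)' $false
    }

    $findings
}

Test-CredentialTheftControls | Format-Table -AutoSize
```

Each row is a line item for the kill list: fix the failing control, re-run the function, and the row flips to Pass. Treat the Protected Users check with care; it changes authentication behaviour for the accounts you add (NTLM and RC4 stop working, TGTs expire after four hours), so pilot it with one Tier 0 account before moving the rest.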

This all sounds daunting, I know. But you do not secure AD by fixing random findings forever. And in fact, you don’t even need to fix everything.

You secure AD by understanding how an attacker would move, then removing the paths that let them succeed.

Once you understand how the attacker wins, you can start breaking the chain.

All the best
Spencer Alessi

PS - I’m giving a workshop this Friday June 12th at 1:30pm Eastern for ContinuumCon. I’ll be talking about Killing Active Directory Attack Paths Once and For All and I’ll showcase via the hands-on workshop how you can completely eliminate lateral movement in active directory. If you manage/secure AD I highly recommend checking out the workshop and the whole conference.
