The most consequential security control in any modern enterprise is not the firewall, not the EDR, not the SIEM. It is whichever person, system, or process effectively controls Active Directory and Entra ID. Attackers have understood this for at least fifteen years. Defenders have, in many cases, not caught up. The result is that most ransomware intrusions of the past decade have one common feature: at some point during the kill chain, the attacker became Domain Admin, and from that moment everything else was inevitable.
The good news is that the AD attack surface is now well-mapped, and the high-leverage defensive controls are well-known. The problem is that almost none of them are easy.
The AD attack tree
Attackers move through Active Directory along well-trodden paths. The attack-path research published by SpecterOps and visualised by their open-source BloodHound tool (bloodhound.specterops.io) is the canonical map. Common techniques:
Kerberoasting. Service accounts in AD have associated Service Principal Names (SPNs); requesting a Kerberos service ticket for any SPN returns an encrypted blob that can be cracked offline if the service-account password is weak. Service accounts with weak passwords are everywhere, often legacy and undocumented. Mitigation: long, random passwords for service accounts; group Managed Service Accounts (gMSA) that rotate automatically; alerting on bulk SPN ticket requests.
AS-REP roasting. Accounts with "Do not require Kerberos preauthentication" enabled can be queried for an AS-REP that is similarly crackable offline. The flag is rarely needed and often left enabled by mistake on legacy accounts.
Pass-the-hash and pass-the-ticket. Once an attacker has captured an NTLM hash or Kerberos ticket from one machine’s memory, they can replay it across other machines without ever cracking the underlying password. This is what makes Mimikatz famous and why credential-protection EDR features (Credential Guard, LSASS protection) matter.
DCSync abuse. The directory-replication rights that DCSync relies on, when granted to an account that should not have them, let the attacker request a copy of the entire AD password database: every NTLM hash for every account in the domain. Misconfigured replication ACLs are a common privilege-escalation path in older domains.
ADCS / Active Directory Certificate Services exploitation. SpecterOps’ "Certified Pre-Owned" research catalogues 11 distinct AD CS misconfigurations (ESC1 through ESC11) that allow privilege escalation, including issuing certificates as arbitrary users. ADCS is widely deployed and frequently misconfigured. Tools: Certify, Certipy, the auditing capability in BloodHound CE.
Group Policy abuse. Modifying GPOs that apply to domain controllers or privileged users, and abusing Group Policy Preferences (the cpassword issue from 2014 is still findable in many old domains).
Trust attacks. Cross-domain and cross-forest trust relationships have been a quiet privilege-escalation vector for years. Attackers in a trusting forest can enumerate and sometimes pivot into the trusted forest.
Tier-bleed. Privileged credentials cached on lower-tier systems: a Domain Admin logging into a Tier-2 server caches credentials there, so compromise of that server compromises Domain Admin. The Microsoft tiering model (since renamed to Enterprise Access Model) at learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model is the structural defence.
What an attacker actually does
A typical 2024–2025 ransomware intrusion runs through these steps in some order:
Initial access through phishing or VPN exploit produces a low-privilege foothold.
The attacker runs the SharpHound collector for BloodHound CE locally to map the domain: privileged groups, trust relationships, kerberoastable accounts, ADCS templates, GPO ACLs.
They identify the shortest path from the current account to Domain Admin or equivalent. BloodHound’s "Find Shortest Paths to Domain Admins" query is the canonical visualisation.
They execute the path. Kerberoasting if a service account is weak; ADCS exploitation if a vulnerable certificate template is available; lateral movement plus credential theft from a privileged user’s session if a tier boundary is broken.
They obtain Domain Admin or DCSync rights, dump NTDS.dit, and now have every credential in the domain.
The rest of the intrusion, backup destruction and ransomware deployment, is mechanical from this point.
The controls that move the needle
Tiered administration. The single most important architectural control. Domain administrative accounts log in only from dedicated Privileged Access Workstations (PAWs); never from regular endpoints; never from servers outside the highest tier. Microsoft’s Enterprise Access Model is the canonical reference. Done well, this breaks the most common credential-theft path.
Protected Users group and Authentication Policy Silos. AD features that explicitly prevent caching of privileged credentials on member servers and restrict where privileged accounts can authenticate from. Underused; high impact.
LAPS / Local Administrator Password Solution. Random, unique local-administrator passwords on every machine, stored in AD and rotated automatically. Prevents lateral movement via shared local-admin credentials. Microsoft’s modern implementation is Windows LAPS, included in Windows Server 2025 and current Windows 11 editions.
Restrict NTLM. Modern AD environments can disable NTLM authentication except for specific allow-listed cases. Closes the entire pass-the-hash attack class. Operationally challenging because of legacy applications; achievable with discipline.
ADCS hardening. Audit certificate templates against the SpecterOps ESC1-ESC11 list. Tools: PSPKIAudit, Certify in audit mode, Locksmith. Remove or restrict templates with the "Enrollee can supply subject" flag combined with weak ACLs.
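As an added example, not code from SpecterOps, PSPKIAudit or the page itself: the ESC1 decision logic that template audits apply ("enrollee supplies subject" plus an authentication-capable EKU, no manager approval, no authorised signatures, and enrollment rights granted to a low-privilege principal), run over constructed template records. The flag bit values and EKU OIDs are the documented AD ones; the template records and principal names are made up.

```python
# Constructed template records mirroring the AD attributes an audit tool reads over LDAP
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
# EKUs that let the resulting certificate authenticate as its subject:
# Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4", "1.3.6.1.4.1.311.20.2.2", "2.5.29.37.0"}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

SAMPLE_TEMPLATES = [  # constructed, not real templates
    {"name": "VPNUsers", "nameFlag": ENROLLEE_SUPPLIES_SUBJECT, "enrollFlag": 0,
     "raSignatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enrollRights": ["Domain Users"]},
    {"name": "WebServer", "nameFlag": ENROLLEE_SUPPLIES_SUBJECT, "enrollFlag": 0,
     "raSignatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"], "enrollRights": ["Domain Admins"]},
    {"name": "Machine", "nameFlag": 0, "enrollFlag": 0, "raSignatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"], "enrollRights": ["Domain Computers"]},
    {"name": "LegacyAdmin", "nameFlag": ENROLLEE_SUPPLIES_SUBJECT, "enrollFlag": PEND_ALL_REQUESTS,
     "raSignatures": 0, "ekus": [], "enrollRights": ["Authenticated Users"]},
]

def esc1_conditions(t):
    """Return the ESC1 preconditions a single template satisfies, by name."""
    return {
        "enrollee_supplies_subject": bool(t["nameFlag"] & ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t["enrollFlag"] & PEND_ALL_REQUESTS),
        "no_authorized_signatures": t["raSignatures"] == 0,
        # No EKU at all behaves like Any Purpose, so it counts as authentication-capable
        "auth_capable_eku": not t["ekus"] or bool(set(t["ekus"]) & AUTH_EKUS),
        "low_priv_can_enroll": bool(set(t["enrollRights"]) & LOW_PRIV_PRINCIPALS),
    }

def esc1_findings(templates, published_on_ca):
    """Names of templates that are published on a CA and meet every ESC1 precondition."""
    return [t["name"] for t in templates
            if t["name"] in published_on_ca and all(esc1_conditions(t).values())]

if __name__ == "__main__":
    print(esc1_findings(SAMPLE_TEMPLATES, {"VPNUsers", "WebServer", "Machine", "LegacyAdmin"}))
```

A template that is ESC1-vulnerable is fixed by clearing the enrollee-supplies-subject flag, requiring manager approval, or removing enrollment rights from broad groups; the function reports only templates an enterprise CA actually publishes, since unpublished templates cannot be enrolled.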
Credential Guard and Remote Credential Guard. Windows features that move credential secrets out of ordinary LSASS memory into a virtualisation-isolated process and protect credentials in memory from in-process theft. Mostly transparent to deploy on modern hardware; substantially raises the bar against Mimikatz-class attacks.
Tiered passwords and gMSA. Service accounts get long random passwords managed by AD itself, rotated on a schedule. Eliminates Kerberoastable weak service accounts.
Auditing and detection. Specific event IDs for credential theft and lateral movement (4624, 4625, 4768, 4769, 4776, 5145, and 4662 filtered on the directory-replication control-access GUIDs) sent to a SIEM with detection rules. The Microsoft "Auditing Best Practices" guidance and the SwiftOnSecurity Sysmon configuration give defensible starting points.
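As an added example, not from the page or any vendor: two of the detection rules described above (bulk RC4 service-ticket requests from the Kerberoasting entry, and 4662 replication-right use by a non-DC account) run over constructed events shaped like Windows Security log fields. The replication GUIDs are the documented DS-Replication-Get-Changes values; the account names, SPNs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # a TGS encrypted with RC4-HMAC is the cheap-to-crack case
# Control-access right GUIDs that appear in the 4662 "Properties" field on replication requests
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
T0 = datetime(2025, 1, 15, 9, 0, 0)  # constructed base time

def ev(eid, secs, **fields):
    return {"EventID": eid, "TimeCreated": T0 + timedelta(seconds=secs), **fields}

SAMPLE_EVENTS = [  # constructed sample telemetry
    # one user pulling RC4 tickets for five different SPNs within a minute
    *[ev(4769, 10 * i, TargetUserName="jdoe@CORP.LOCAL", ServiceName=f"svc{i}",
         TicketEncryptionType=RC4_HMAC) for i in range(5)],
    # a normal AES (0x12) ticket request, should not alert
    ev(4769, 30, TargetUserName="asmith@CORP.LOCAL", ServiceName="svc1", TicketEncryptionType="0x12"),
    # a domain controller replicating: legitimate
    ev(4662, 60, SubjectUserName="DC01$", Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    # an ordinary user account exercising replication rights: DCSync pattern
    ev(4662, 61, SubjectUserName="jdoe", Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]

def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return (user, spn_count) for accounts requesting RC4 tickets for many SPNs in one window."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            per_user[e["TargetUserName"]].append((e["TimeCreated"], e["ServiceName"]))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window over sorted requests
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                alerts.append((user, len(spns)))
                break
    return alerts

def detect_dcsync(events, dc_accounts):
    """Return subjects that used replication rights without being a known DC computer account."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = set(re.findall(r"[0-9a-f-]{36}", e["Properties"].lower()))
        if guids & REPLICATION_GUIDS and e["SubjectUserName"].upper() not in dc_accounts:
            hits.append(e["SubjectUserName"])
    return hits
```

The DC allow-list must be kept current: a stale list turns every legitimate replication event from a new domain controller into a false positive, and a missing entry for a decommissioned DC whose account is reused is exactly the case the rule should catch.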
Entra ID and the cloud-identity twin
Entra ID (formerly Azure AD) is now the identity provider for nearly every Microsoft 365 customer and a substantial fraction of all enterprise SaaS. The same threat patterns appear in slightly different form, and so do the controls:
Phishing-resistant MFA on every administrator account; Conditional Access policies for risk-based authentication; Privileged Identity Management (PIM) for time-bound admin elevation rather than standing access; Identity Protection alerts wired to the SOC; sign-in log retention and monitoring.
Microsoft’s "Securing Privileged Access" reference at learn.microsoft.com/en-us/security/privileged-access-workstations/ consolidates the AD and Entra ID guidance. It is long. It is detailed. It is almost everything you need.
The framing that helps most: identity is the perimeter, and your AD/Entra ID is the most consequential system you own. Every other security investment is downstream of how well that identity layer is operated. The breach economy has known this for a decade. The defender’s challenge is to act on it.
