Active Directory — Overview
Status: Scaffold — content in progress
Active Directory Domain Services (AD DS) is Microsoft's on-premises directory service, deployed in the vast majority of enterprise environments. It is the single most attacked identity system in enterprise security, with a mature and well-documented attack surface.
Architecture
Core Components
| Component | Role |
|---|---|
| Domain Controller (DC) | Hosts the directory database (NTDS.dit), handles authentication (Kerberos/NTLM), and enforces policy |
| NTDS.dit | The AD database — stores all objects, attributes, password hashes |
| SYSVOL | Shared folder on all DCs — stores Group Policy files and scripts |
| Global Catalog (GC) | Partial replica of all objects in the forest; used for cross-domain queries |
| DNS | AD depends on DNS for DC location (SRV records) |
Logical Structure
```text
Forest (trust boundary)
└── Domain Tree
    └── Domain (security boundary)
        └── Organizational Units (OUs)
            └── Objects (users, computers, groups)
```
Physical Structure
- Site: group of well-connected IP subnets
- Domain Controller: physical/virtual server hosting AD
- Replication: DCs replicate changes via AD replication (RPC/IP or SMTP)
Key Identity Objects
| Object Type | Security Relevance |
|---|---|
| User account | Authentication principal, password hash stored in NTDS.dit |
| Computer account | Also an authentication principal with its own password hash (used for Kerberos machine tickets) |
| Service account | Often high-privilege, infrequently rotated — primary Kerberoasting target |
| Group | Used for authorization; nested group membership is an escalation path |
| GPO (Group Policy Object) | Applies security settings, startup scripts, mapped drives |
Security Model & Trust Boundaries
- Domain: primary security boundary in AD
- Forest: trust boundary — separate forests have no implicit trust
- Domain Admin: has full control of the domain; Domain Admins of child domains cannot compromise the parent by default
- Enterprise Admin: forest-wide privilege; lives in the forest root domain
Common Misconfigurations
| Misconfiguration | Attack |
|---|---|
| SPN on user accounts | Kerberoasting |
| Unconstrained delegation on non-DC | Pass-the-Ticket / TGT theft |
| Writable AdminSDHolder ACL | Persistent backdoor on protected accounts |
| Over-permissive ACLs on AD objects | ACL abuse for privilege escalation |
| Weak ADCS template permissions | Certificate-based privilege escalation |
| LM/NTLMv1 enabled | Pass-the-Hash with weaker hashes |
Telemetry This System Emits
| Event ID | Description | Attack relevance |
|---|---|---|
| 4624 | Successful logon | Logon type, source address |
| 4625 | Failed logon | Password spray detection |
| 4648 | Explicit credential use | Pass-the-Hash, runas |
| 4672 | Special privileges assigned | Privileged logon tracking |
| 4768 | Kerberos TGT request | AS-REP Roasting, Golden Ticket detection |
| 4769 | Kerberos service ticket request | Kerberoasting detection |
| 4776 | NTLM authentication | NTLM relay tracking |
| 4662 | AD object access (requires a SACL audit entry on the object) | DCSync, ACL abuse |
| 4742 | Computer account changed | Machine account password reset |
| 5136 | AD object modified | ACL changes, attribute modification |
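Two of the table's detections (4625 for password spray, 4769 for Kerberoasting) as working logic over constructed sample events. This is an added example, not part of the original page; the event dicts, field names, account names and thresholds are assumptions chosen to mirror what a SIEM parses from the Security log.

```python
"""Detection logic over constructed Windows Security events (4625 / 4769).

The event dicts below are constructed sample data, not real telemetry;
keys mirror the Security log field names, thresholds are illustrative.
"""
from collections import defaultdict

# Constructed sample events: one source spraying 12 accounts, one benign
# failure, one principal pulling five RC4 service tickets, one AES request.
EVENTS = [
    {"EventID": 4625, "IpAddress": "10.0.0.50", "TargetUserName": f"user{i}"}
    for i in range(12)
] + [
    {"EventID": 4625, "IpAddress": "10.0.0.7", "TargetUserName": "alice"},
] + [
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": svc,
     "TicketEncryptionType": "0x17"}
    for svc in ("svc-sql", "svc-web", "svc-backup", "svc-ftp", "svc-ci")
] + [
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x12"},
]

def detect_password_spray(events, threshold=10):
    """Flag source IPs whose 4625 failures span many distinct accounts."""
    targets = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625:
            targets[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(u) for ip, u in targets.items() if len(u) >= threshold}

def detect_kerberoasting(events, threshold=5):
    """Flag principals requesting many RC4 (0x17) service tickets via 4769.

    RC4-encrypted tickets are the cheap-to-crack ones, so a burst of them
    from one principal is the classic signal. Machine accounts (ending in
    '$') and krbtgt are skipped as noise.
    """
    spns = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        spns[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in spns.items() if len(s) >= threshold}

if __name__ == "__main__":
    print(detect_password_spray(EVENTS))  # {'10.0.0.50': 12}
    print(detect_kerberoasting(EVENTS))   # {'bob@CORP.LOCAL': [5 SPNs]}
```

In a real deployment, scope both functions to a time window and baseline service accounts that legitimately request many tickets, otherwise the second rule fires on monitoring tools.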
Cross-Links
| Topic | Link |
|---|---|
| Kerberos | kerberos.md |
| NTLM | ntlm.md |
| ADCS | adcs.md |
| AD Attacks | AD Attacks |
| AD Lab | lab-ad-setup |