Active Directory Exploitation in Ransomware Attacks
Active Directory (AD) exploitation sits at the operational center of enterprise ransomware campaigns, transforming what begins as a single compromised endpoint into a domain-wide encryption event. Threat actors across ransomware-as-a-service ecosystems consistently target AD environments because control of a domain controller is functionally equivalent to control of every system in the enterprise. This page maps the mechanics, causal drivers, classification structure, and contested boundaries of AD exploitation as a ransomware attack phase, drawing on public guidance from CISA, NIST, and the FBI.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
Active Directory exploitation, in the context of ransomware, refers to the adversarial process of compromising Microsoft's centralized identity and access management service to achieve domain-level privilege, then weaponizing that privilege to deploy a ransomware payload across an entire enterprise environment simultaneously. Microsoft Active Directory underpins identity infrastructure in the majority of Fortune 500 organizations and is present in an estimated 90 percent of enterprises globally, according to Microsoft's own published documentation on the service.
The scope of this attack surface encompasses AD Domain Services (AD DS), Azure Active Directory (now rebranded as Microsoft Entra ID), Active Directory Federation Services (AD FS), and hybrid configurations that bridge on-premises and cloud identity planes. CISA's #StopRansomware advisories — including joint advisories published with the FBI and NSA — consistently identify domain controller compromise as a terminal-phase objective in enterprise ransomware intrusions.
Regulatory significance is direct: when AD exploitation enables ransomware to reach systems containing protected health information, it triggers notification obligations under the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). For publicly traded organizations, material incidents enabled by AD compromise may require disclosure under SEC Rule 17 CFR § 229.106. The ransomware reporting requirements in the US framework treat domain-wide encryption events as presumptively material.
Core mechanics or structure
AD exploitation follows a recognizable structural sequence that CISA documents in its Ransomware Guide published at cisa.gov/stopransomware:
Initial foothold establishment. Attackers gain access through a low-privilege account, typically via phishing, exposed RDP, or credential stuffing. This phase is covered in depth in the ransomware initial access vectors reference. The initial account need not hold any AD privileges — attackers use it as a reconnaissance platform.
Internal reconnaissance. Tools such as BloodHound (an open-source AD enumeration utility documented in the MITRE ATT&CK framework under technique T1087) are used to map the AD graph: identifying privileged accounts, group memberships, trust relationships, and delegation configurations. MITRE ATT&CK catalogs AD enumeration under tactic TA0007 (Discovery).
Credential harvesting. Attackers extract password hashes, Kerberos tickets, or NTLM credentials from memory (notably via the LSASS process) using tools such as Mimikatz. The pass-the-hash (PtH) and pass-the-ticket (PtT) techniques allow lateral movement without knowing plaintext passwords. NIST SP 800-63B addresses credential assurance levels that partially govern the attack surface here.
Privilege escalation to domain admin. Escalation paths include Kerberoasting (requesting service tickets for service accounts, then cracking them offline), AS-REP Roasting (targeting accounts without pre-authentication required), DCSync attacks (replicating AD credentials as if the attacker were a domain controller), and exploitation of misconfigured delegation settings. The 2021 CISA/FBI joint advisory on Conti ransomware (AA21-265A) explicitly named Kerberoasting and BloodHound enumeration as standard Conti tradecraft.
Domain controller compromise. With domain admin credentials, attackers authenticate directly to domain controllers, disabling security tools, modifying Group Policy Objects (GPOs) to distribute ransomware payloads, and creating persistent administrative backdoors. GPO modification is cataloged under MITRE ATT&CK technique T1484.001.
Payload deployment. Ransomware is distributed enterprise-wide via GPO startup scripts, PsExec, WMI, or SCCM — mechanisms that AD itself provides as legitimate administrative channels. This is what enables simultaneous encryption across hundreds or thousands of endpoints, a capability not achievable without domain-level control.
Causal relationships or drivers
The concentration of AD exploitation in ransomware campaigns is structurally causal, not incidental. Three primary drivers govern its prevalence:
Architectural centralization. AD's design purpose — centralizing authentication and policy for an entire domain — creates a single leverage point. Compromising one domain admin account can unlock administrative access to every joined system. This architectural reality is documented in Microsoft's own Active Directory security documentation and in NIST SP 800-207 on Zero Trust Architecture.
Legacy configurations and technical debt. Organizations running AD environments accumulated over 10 or more years frequently carry deprecated protocols (NTLM v1, unconstrained delegation, legacy Kerberos settings) that predate modern attack tooling. CISA's Known Exploited Vulnerabilities (KEV) catalog includes multiple AD-adjacent vulnerabilities — including CVE-2020-1472 (Zerologon), a critical flaw in the Netlogon protocol that received a CVSS score of 10.0 and allowed domain controller compromise without authentication.
Ransomware-as-a-service specialization. The ransomware-as-a-service model separates payload development from intrusion operations, enabling affiliate operators who specialize in AD exploitation to work across multiple ransomware families. CISA's advisory AA23-061A on Royal ransomware and AA22-040A on BlackByte both document AD exploitation as a standard affiliate capability.
Classification boundaries
AD exploitation in ransomware attacks spans distinct technical and taxonomic categories:
On-premises AD vs. hybrid/cloud identity. Pure on-premises AD exploitation targets domain controllers running Windows Server. Hybrid environments introduce Azure AD (Entra ID) as an additional attack surface, where techniques such as Pass-the-PRT (Primary Refresh Token) and OAuth token theft extend the exploitation chain into cloud-hosted resources.
Pre-ransomware exploitation vs. ransomware-as-delivery-mechanism. In pre-ransomware exploitation, AD compromise is a stepping stone to payload deployment. In a smaller set of cases, AD infrastructure itself is the target of destruction — attackers delete or corrupt AD databases to maximize recovery cost and time, even without file encryption.
Domain trust exploitation. Multi-domain environments with bidirectional or transitive trusts create cross-forest attack paths. Compromise of a less-secured child domain can be used to escalate into a parent domain or a separate trusted forest — a boundary condition documented in Microsoft's AD trust architecture guides and in BloodHound's ACL-based attack path analysis.
Service account vs. user account attack chains. Kerberoastable service accounts (accounts with registered Service Principal Names operating under weak passwords) represent a distinct exploitation class from standard user account credential theft. The distinction matters for defensive prioritization and is addressed separately in NIST SP 800-53 Rev. 5 under control families IA (Identification and Authentication) and AC (Access Control).
Tradeoffs and tensions
Detection visibility vs. attack dwell time. AD-focused monitoring generates high volumes of authentication and replication events. Organizations face a tradeoff between log retention depth (which increases storage costs and complexity) and the ability to reconstruct attack timelines. The average dwell time before ransomware deployment, cited in Mandiant's M-Trends 2023 report, was 16 days for ransomware-involved intrusions — a window entirely contained within AD audit logs if retention is sufficient.
Tiered administration vs. operational friction. Microsoft's recommended defense — tiered administrative model separating domain admin, server admin, and workstation admin tiers — materially reduces attack path options but imposes significant operational overhead on IT departments. Organizations with small IT staff frequently relax these boundaries, recreating the attack paths the tiering is designed to close.
Legacy protocol support vs. attack surface reduction. Disabling NTLM authentication and legacy Kerberos settings eliminates entire classes of credential relay attacks but risks breaking legacy applications that cannot be updated. This tension is documented in Microsoft's guidance on NTLM blocking and in CISA's SCuBA project for hardening identity infrastructure.
Cloud migration timing. Migration to Azure AD (Entra ID) and modern identity protocols can eliminate on-premises AD attack paths, but hybrid configurations during migration periods often expand the attack surface temporarily, combining on-premises and cloud identity vulnerabilities simultaneously.
Common misconceptions
Misconception: Domain admin compromise requires a highly privileged initial account. Corrections from CISA and MITRE ATT&CK documentation consistently show that attackers begin with low-privilege, often service-level accounts. BloodHound path analysis routinely reveals attack chains from unprivileged users to domain admin through misconfigurations in ACLs, delegation settings, or group memberships — chains that require zero exploit code.
Misconception: Multi-factor authentication (MFA) fully prevents AD exploitation. MFA protects authentication at the login boundary but does not prevent pass-the-hash, pass-the-ticket, or DCSync attacks that operate on credentials already present in memory or the directory. NIST SP 800-63B addresses MFA assurance levels but its controls operate at authentication time, not post-authentication lateral movement.
Misconception: AD exploitation is only relevant to large enterprises. CISA's Small and Medium Business resources and the FBI's reporting on ransomware sector impacts document AD exploitation in organizations with fewer than 500 employees. Any organization running Windows Server with Active Directory presents this attack surface regardless of size.
Misconception: Restoring encrypted files from backup fully recovers an AD-compromised environment. If attackers have created backdoor accounts, modified GPOs, or implanted persistent access within AD itself, file restoration does not remove the intrusion. Full AD forest recovery — a distinct and documented procedure in Microsoft's AD DS recovery guidance — is required when domain controllers are confirmed compromised.
Checklist or steps (non-advisory)
The following sequence reflects the documented phases of AD exploitation as described in CISA joint advisories and the MITRE ATT&CK framework. This is a reference map of attacker activity, not a prescriptive defensive procedure.
Phase 1 — Initial access and foothold
- [ ] Low-privilege credential obtained via phishing, credential stuffing, or exposed RDP (RDP vulnerabilities in ransomware)
- [ ] Attacker establishes persistence on initial host (scheduled tasks, registry run keys — ATT&CK TA0003)
Phase 2 — AD reconnaissance
- [ ] BloodHound or equivalent tool collects AD graph data (users, groups, ACLs, trust relationships)
- [ ] Service accounts with SPNs identified as Kerberoasting candidates
- [ ] Accounts without Kerberos pre-authentication identified (AS-REP Roasting candidates)
- [ ] Paths from current user to domain admin enumerated
Phase 3 — Credential harvesting
- [ ] LSASS memory dump via Mimikatz or equivalent (ATT&CK T1003.001)
- [ ] NTLM hashes extracted for pass-the-hash
- [ ] Kerberos TGT/TGS tickets extracted for pass-the-ticket or offline cracking
Phase 4 — Privilege escalation
- [ ] Kerberoastable service ticket cracked offline
- [ ] Delegation misconfiguration (unconstrained or constrained) exploited
- [ ] DCSync executed against domain controller to extract all password hashes
Phase 5 — Domain controller access
- [ ] Domain admin credential used to authenticate to domain controller
- [ ] Security tools disabled via GPO or direct process termination
- [ ] Backdoor admin accounts created in AD
Phase 6 — Payload deployment
- [ ] GPO modified to execute ransomware payload at startup across domain-joined systems
- [ ] PsExec or WMI used for targeted high-value system encryption
- [ ] Volume Shadow Copies deleted (ATT&CK T1490) to prevent local recovery
- [ ] Ransom note deposited and attacker communication channel established (ransomware negotiation process)
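Two of the escalation indicators named in the Core mechanics section and in Phases 2 and 4 above (Kerberoasting and DCSync) expressed as detection logic a defender would run over exported Security events. This is an added example, not code from CISA, MITRE or this page; the event records, account names, source addresses and replication allowlist are constructed, while the replication extended-right GUIDs and the RC4 ticket encryption type value are Microsoft-documented constants.

```python
from collections import defaultdict

# Extended-right GUIDs a principal must exercise to replicate directory secrets
# (the DCSync pattern); values as published in Microsoft's AD schema documentation.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"  # TicketEncryptionType reported by Event 4769 for RC4 tickets

# Constructed sample records (not real logs) normalized from Security Event 4769
# (service ticket request) and 4662 (operation on an object); 'props' carries the
# Properties GUIDs of a 4662 record.
SAMPLE_EVENTS = [
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "MSSQLSvc/db01.corp.local", "enc": "0x17", "src": "10.0.5.23"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "HTTP/web01.corp.local", "enc": "0x17", "src": "10.0.5.23"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "CIFS/files01.corp.local", "enc": "0x17", "src": "10.0.5.23"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "krbtgt", "enc": "0x12", "src": "10.0.5.23"},
    {"id": 4769, "account": "asmith@CORP.LOCAL", "service": "HTTP/web01.corp.local", "enc": "0x17", "src": "10.0.7.41"},
    {"id": 4769, "account": "asmith@CORP.LOCAL", "service": "DC01$", "enc": "0x17", "src": "10.0.7.41"},
    {"id": 4662, "account": "DC02$@CORP.LOCAL", "props": [DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL], "src": "10.0.0.12"},
    {"id": 4662, "account": "jdoe@CORP.LOCAL", "props": [DS_REPL_GET_CHANGES_ALL], "src": "10.0.5.23"},
    {"id": 4662, "account": "asmith@CORP.LOCAL", "props": ["00000000-0000-0000-0000-000000000000"], "src": "10.0.7.41"},
]
# Constructed allowlist: principals that legitimately replicate (DC computer accounts,
# plus any directory-sync service account the environment uses).
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}


def kerberoast_suspects(events, threshold=3):
    """Map account -> sorted SPNs for accounts that pulled RC4 service tickets for at
    least `threshold` distinct services. One RC4 request for a legacy service is routine;
    a burst across many SPNs from a single user is the Kerberoasting signature."""
    spns_by_account = defaultdict(set)
    for e in events:
        # Skip machine-account services (name ends with '$'); roasting targets user-owned SPNs.
        if e["id"] == 4769 and e["enc"] == RC4_HMAC and not e["service"].endswith("$"):
            spns_by_account[e["account"]].add(e["service"])
    return {a: sorted(s) for a, s in spns_by_account.items() if len(s) >= threshold}


def dcsync_suspects(events, allowlist=REPLICATION_ALLOWLIST):
    """List (account, source) pairs where a principal outside the allowlist exercised a
    replication extended right. DCs replicate constantly, so only non-DC hits matter."""
    hits = []
    for e in events:
        if e["id"] != 4662 or e["account"].split("@")[0] in allowlist:
            continue
        if {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL} & set(e.get("props", [])):
            hits.append((e["account"], e["src"]))
    return hits
```

Tuning the threshold and the allowlist to the environment (legacy services that still need RC4, directory-sync accounts that replicate by design) is what keeps these two checks from drowning in benign noise.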
Reference table or matrix
| Technique | MITRE ATT&CK ID | AD Component Targeted | Primary Credential Type | Notable Ransomware Groups (per CISA Advisories) |
|---|---|---|---|---|
| Kerberoasting | T1558.003 | Service Principal Names (SPNs) | Kerberos TGS tickets | Conti (AA21-265A), LockBit (AA23-165A) |
| AS-REP Roasting | T1558.004 | User accounts (no pre-auth) | Kerberos AS-REP hash | Multiple RaaS affiliates |
| Pass-the-Hash | T1550.002 | NTLM authentication | NTLM hash | BlackByte (AA22-040A), Hive |
| Pass-the-Ticket | T1550.003 | Kerberos TGT/TGS | Kerberos ticket | Conti, Cuba ransomware |
| DCSync | T1003.006 | Domain Controller replication | All AD password hashes | Conti, BlackCat/ALPHV |
| GPO Modification | T1484.001 | Group Policy Objects | Domain Admin token | LockBit, Royal (AA23-061A) |
| Zerologon (CVE-2020-1472) | T1210 | Netlogon protocol | No credential required | Ryuk-era campaigns (2020) |
| BloodHound Enumeration | T1087 | AD graph (ACLs, trusts, groups) | Low-privilege read access | Conti (AA21-265A) |
| Unconstrained Delegation Abuse | T1558 | Kerberos delegation | Domain admin TGT | Advanced persistent RaaS operators |
| AD FS Token Forgery | T1606.002 | AD Federation Services | SAML token signing cert | Hybrid/cloud-targeting groups |
CISA advisory identifiers in the table above are publicly accessible at cisa.gov/news-events/cybersecurity-advisories. MITRE ATT&CK technique IDs are documented at attack.mitre.org.
The ransomware lateral movement reference provides additional context on how AD exploitation intersects with network traversal techniques once domain privileges are achieved. Organizations assessing exposure within this attack chain will find the active-directory-ransomware sector reference complementary to the technical classification above.
References
- CISA Stop Ransomware — Ransomware Guide
- CISA Joint Advisory AA21-265A — Conti Ransomware
- CISA Joint Advisory AA23-061A — Royal Ransomware
- CISA Joint Advisory AA22-040A — BlackByte Ransomware
- CISA Joint Advisory AA23-165A — LockBit 3.0
- MITRE ATT&CK Framework
- [NIST SP 800-207 — Zero Trust Architecture](https://cs