Active Directory remains the identity backbone of most enterprise Windows environments — and the most consistently exploited. The attack surface is not a collection of isolated bugs. It is a system of interconnected weaknesses: misconfigured service accounts, poorly scoped ACLs, certificate templates that predate modern security thinking, and protocols that were designed before privilege escalation was a threat model.
This guide maps the Active Directory attack landscape as it stands in 2026 — from initial enumeration through credential access, privilege escalation, and cloud pivot. Each technique links to a dedicated deep-dive with full tooling, detection logic, and hardening guidance.
Step 0: Mapping the Environment — BloodHound
Before any exploitation, attackers map the attack surface. BloodHound ingests Active Directory data (users, groups, GPOs, ACLs, trust relationships) and renders every privilege escalation path as a graph. The question changes from “where is Domain Admin?” to “what is the shortest path from my current account to Domain Admin?”
BloodHound from First Run to Domain Admin: A Practical Red Team Guide covers SharpHound data collection, reading attack paths, and writing Cypher queries to find the paths that automated analysis misses.
BloodHound is the foundation. Every technique below is more effective when you know the exact ACL path that makes it reachable.
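What "shortest path from my current account to Domain Admin" means in practice is a breadth-first search over the edges SharpHound collects. The block below is an added example, not code from this guide or from the BloodHound project: it builds a small constructed graph (principals, edge kinds and the abuse each kind enables are all illustrative) and returns the hop list an operator would work through. Edge names follow BloodHound's vocabulary; the `ABUSE` text and the `CORP.LOCAL` objects are assumptions.

```python
from collections import deque

# Edge kind -> how an operator abuses it (a subset of BloodHound's edge types).
ABUSE = {
    "MemberOf":     "inherit the group's rights; no action needed",
    "GenericWrite": "Shadow Credentials (write msDS-KeyCredentialLink) or targeted Kerberoast (write an SPN)",
    "WriteDacl":    "grant yourself GenericAll on the object, then proceed as above",
    "AddMember":    "add a principal you control to the group",
    "AdminTo":      "local admin on the host: dump LSASS",
    "HasSession":   "the user's credentials are in LSASS on this host",
}

# Constructed graph (source, edge kind, target); names are illustrative.
# HasSession points from the computer to the user, as in BloodHound.
EDGES = [
    ("ALICE@CORP.LOCAL",      "MemberOf",     "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",   "GenericWrite", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo",      "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL",       "HasSession",   "DA_BOB@CORP.LOCAL"),
    ("DA_BOB@CORP.LOCAL",     "MemberOf",     "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL",      "WriteDacl",    "SVC_SQL@CORP.LOCAL"),
    ("SVC_SQL@CORP.LOCAL",    "AddMember",    "BACKUP OPERATORS@CORP.LOCAL"),
]


def shortest_path(edges, start, goal):
    """Breadth-first search over outbound edges.

    Returns the hops [(source, kind, target), ...] of one shortest path from
    start to goal, or None if goal is unreachable.  This is what a Cypher
    shortestPath() query over BloodHound's edge set computes.
    """
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for kind, nxt in adj.get(node, []):
            if nxt not in prev:          # first visit == fewest hops
                prev[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops, node = [], goal
    while prev[node] is not None:
        src, kind = prev[node]
        hops.append((src, kind, node))
        node = src
    return hops[::-1]


def explain(path):
    """Turn a path into the operator's to-do list, one line per edge."""
    return [f"{s} -[{k}]-> {d}: {ABUSE[k]}" for s, k, d in path]


if __name__ == "__main__":
    path = shortest_path(EDGES, "ALICE@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL")
    print("\n".join(explain(path)) if path else "no path")
```

On this graph the path is five hops: group membership, a GenericWrite that becomes Shadow Credentials, local admin on a file server, a Domain Admin session on that server, and the admin's group membership. Every technique in the sections below is one of those edge kinds.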
Credential Access: Three Paths to Hashes
Kerberoasting
Any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has a Service Principal Name (SPN). The ticket is encrypted with a key derived from that service account's password (the NT hash for RC4, a PBKDF2-derived key with the account's salt for AES), so it can be cracked offline with no further interaction with the target.
The attack exploits a structural property of the Kerberos protocol, not a vulnerability: the domain controller cannot tell whether the requester is a legitimate client of the service. Service accounts with weak passwords are the target. Accounts with long random passwords (25+ characters) or gMSA-managed passwords (long, random, rotated automatically) can still be Kerberoasted, but the resulting tickets are not practically crackable.
Kerberoasting: A Deep Dive into Service Account Attacks covers the full attack chain, Event ID 4769 detection, and the AES enforcement and gMSA hardening that closes the path.
LSASS Dumping
The Local Security Authority Subsystem Service (LSASS) holds NT hashes, Kerberos keys and tickets for recently authenticated users, and plaintext passwords where WDigest caching is still enabled. Dumping LSASS memory is one of the most impactful post-exploitation techniques available: it yields domain account credentials without any interaction with the domain controller, including whatever is cached for a domain admin who logged on to that host.
The technique ranges from trivial (Task Manager, ProcDump, the MiniDump export of comsvcs.dll) to sophisticated (direct syscalls that bypass user-mode EDR hooks). Detection is primarily through Sysmon Event ID 10 (process access to lsass.exe with a memory-read access mask) and ETW-based kernel telemetry; LSA protection (RunAsPPL) and Credential Guard reduce what a dump yields in the first place.
LSASS Dumping: Techniques, Evasion, and Detection surveys the full technique landscape and the detection stack for each method.
Shadow Credentials
Shadow Credentials targets accounts where an attacker holds GenericWrite or WriteProperty (or GenericAll, which includes both) over the msDS-KeyCredentialLink attribute. By adding a rogue Key Credential (a public key the attacker generated) to that attribute, the attacker can authenticate as the target account via PKINIT, obtain a TGT and from it the account's NT hash, without knowing or changing its password. The technique works against both user accounts and computer accounts. It requires PKINIT to work in the domain, which in practice means at least one domain controller holding a KDC certificate (usually issued by ADCS) and Windows Server 2016 or later domain controllers.
Shadow Credentials: Account Takeover Without a Password covers Whisker and Certipy exploitation, Event ID 5136 detection, and the ACL auditing that reveals exposure.
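The ACL audit that reveals exposure comes down to reading the DACL of each account and asking which principals can write one attribute. The block below is an added example, not code from this guide, Whisker or Certipy: it evaluates a constructed DACL (the ACEs, trustee names and the `EXPECTED` writer set are assumptions for a fictional `CORP` domain) against the `ADS_RIGHT_*` access-mask bits and the schemaIDGUID of msDS-KeyCredentialLink. Property sets are not expanded, and deny handling is simplified to "an explicit deny on this attribute for the same trustee wins".

```python
# ADS_RIGHT_* values from the Active Directory access mask (MS-ADTS / IADs).
RIGHT_DS_WRITE_PROP = 0x00000020
RIGHT_WRITE_DAC     = 0x00040000
RIGHT_WRITE_OWNER   = 0x00080000
RIGHT_GENERIC_ALL   = 0x10000000
RIGHT_GENERIC_WRITE = 0x40000000

# schemaIDGUID of msDS-KeyCredentialLink; an object-specific WriteProperty ACE
# carries this GUID in its ObjectType field.
KEY_CREDENTIAL_LINK = "5b47d60f-6090-40b2-9f37-2a4de88f3063"

# Principals that hold write access to this attribute by design (assumed set
# for the fictional CORP domain); anything else is a Shadow Credentials exposure.
EXPECTED = {"NT AUTHORITY\\SYSTEM", "CORP\\Domain Admins", "CORP\\Enterprise Admins",
            "CORP\\Key Admins", "CORP\\Enterprise Key Admins"}


def write_kind(mask, object_type):
    """How an ACE with this mask/ObjectType reaches msDS-KeyCredentialLink.

    Returns "direct", "indirect" (can rewrite the DACL first, then grant
    itself the right) or None.  Simplification: property-set GUIDs are not expanded.
    """
    if mask & (RIGHT_GENERIC_ALL | RIGHT_GENERIC_WRITE):
        return "direct"
    object_type = (object_type or "").lower()      # "" == all properties
    if mask & RIGHT_DS_WRITE_PROP and object_type in ("", KEY_CREDENTIAL_LINK):
        return "direct"
    if mask & (RIGHT_WRITE_DAC | RIGHT_WRITE_OWNER):
        return "indirect"
    return None


def audit_key_credential_link(aces):
    """Return {trustee: kind} for unexpected principals that can write the attribute.

    An explicit deny ACE for the same trustee that also reaches the attribute
    wins, as it would in AD's canonical ACE ordering (explicit denies first).
    """
    denied = {a["trustee"] for a in aces
              if a["type"] == "deny" and write_kind(a["mask"], a.get("object_type"))}
    exposed = {}
    for a in aces:
        if a["type"] != "allow" or a["trustee"] in denied or a["trustee"] in EXPECTED:
            continue
        kind = write_kind(a["mask"], a.get("object_type"))
        if kind and exposed.get(a["trustee"]) != "direct":
            exposed[a["trustee"]] = kind
    return exposed


# Constructed DACL for CN=SRV-FILE01,OU=Servers,DC=corp,DC=local (not real data).
SAMPLE_ACES = [
    {"type": "allow", "trustee": "CORP\\Domain Admins", "mask": RIGHT_GENERIC_ALL},
    {"type": "allow", "trustee": "CORP\\Key Admins",    "mask": RIGHT_DS_WRITE_PROP,
     "object_type": KEY_CREDENTIAL_LINK},
    # Helpdesk was granted WriteProperty on this one attribute: direct takeover.
    {"type": "allow", "trustee": "CORP\\Helpdesk",      "mask": RIGHT_DS_WRITE_PROP,
     "object_type": KEY_CREDENTIAL_LINK},
    # GenericWrite covers every attribute, msDS-KeyCredentialLink included.
    {"type": "allow", "trustee": "CORP\\svc_deploy",    "mask": RIGHT_GENERIC_WRITE},
    # WriteDacl alone is enough: grant yourself the right, then write.
    {"type": "allow", "trustee": "CORP\\Server Ops",    "mask": RIGHT_WRITE_DAC},
    # WriteProperty scoped to some other attribute (constructed GUID): no exposure.
    {"type": "allow", "trustee": "CORP\\Interns",       "mask": RIGHT_DS_WRITE_PROP,
     "object_type": "11111111-2222-3333-4444-555555555555"},
    # Allow cancelled by an explicit deny on the attribute.
    {"type": "allow", "trustee": "CORP\\Contractors",   "mask": RIGHT_GENERIC_WRITE},
    {"type": "deny",  "trustee": "CORP\\Contractors",   "mask": RIGHT_DS_WRITE_PROP,
     "object_type": KEY_CREDENTIAL_LINK},
]

if __name__ == "__main__":
    for trustee, kind in audit_key_credential_link(SAMPLE_ACES).items():
        print(f"{trustee}: {kind} write to msDS-KeyCredentialLink")
```

Run against real data, the ACE list would come from each account's nTSecurityDescriptor (BloodHound already resolves these into GenericWrite/WriteDacl/WriteOwner edges, which is why the attribute shows up as an edge and not as a separate query). The "indirect" class matters: WriteDacl and WriteOwner holders are one `dacledit` away from the direct right and are easy to miss in an audit that only searches for WriteProperty.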
Privilege Escalation: Certificate Services
Active Directory Certificate Services (ADCS) is present in the majority of enterprise environments, and is almost universally misconfigured. The research published by SpecterOps in "Certified Pre-Owned" (2021) identified eight distinct privilege escalation categories (ESC1 to ESC8); later research has extended the list to ESC15, and Certipy automates the discovery and exploitation of all of them.
The most impactful misconfigurations:
- ESC1 — A template that low-privileged principals can enroll in, that lets the enrollee supply the subject (the ENROLLEE_SUPPLIES_SUBJECT flag), that carries an authentication EKU (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all) and that requires neither manager approval nor authorized signatures. Request a certificate with a Domain Admin UPN in the SAN, authenticate with it via PKINIT: direct privilege escalation in under five minutes.
- ESC8 — NTLM relay to the ADCS HTTP Web Enrollment interface, which by default accepts NTLM without Extended Protection for Authentication. Coerce a Domain Controller to authenticate outbound (PetitPotam, PrinterBug), relay to ADCS, obtain a certificate for the DC's machine account, authenticate via PKINIT, DCSync the entire domain.
- ESC4 — Template ACL misconfiguration: a low-privileged principal holds WriteDacl, WriteOwner, GenericWrite or WriteProperty on a template object, rewrites it into an ESC1 template, enrolls, and restores the original.
ADCS abuse is the domain-level equivalent of credential dumping: ESC8 followed by DCSync yields every account hash in the domain at once, and an issued certificate keeps working after the victim's password is changed, for as long as it is valid and not revoked.
ADCS Abuse with Certipy: From Low-Priv User to Domain Admin via Certificate Services covers ESC1 through ESC15 with full Certipy tooling, KQL detection rules, and remediation for each misconfiguration class.
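The ESC1 and ESC4 conditions above are a checklist over template attributes, which is exactly what Certipy's `find` evaluates. The block below is an added example, not code from this guide or from Certipy: it encodes the checklist against constructed template records (the template names, their enrollment and write rights and the `LOW_PRIV` set are assumptions; the `msPKI-*` flag bits and EKU OIDs are the real values from the template schema). Real data would come from the `CN=Certificate Templates,CN=Public Key Services,...` container via LDAP.

```python
# Bits of the msPKI-* template attributes (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002  # msPKI-Enrollment-Flag: manager approval

# EKUs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose membership is effectively "everyone in the domain" (assumed set).
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def allows_authentication(ekus):
    # An empty EKU list means no usage restriction at all (SubCA-style template).
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def findings(t):
    """Return the ESC classes a single template satisfies (ESC1 and ESC4 only)."""
    out = []
    if (t["published"]                                         # on an enterprise CA
            and set(t["enroll"]) & LOW_PRIV                    # low-priv enrollment
            and t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
            and allows_authentication(t["eku"])
            and not t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and t["ra_signatures"] == 0):                      # msPKI-RA-Signature
        out.append("ESC1")
    # ESC4: a low-privileged principal can edit the template object itself
    # (WriteDacl / WriteOwner / GenericWrite / WriteProperty) and turn it into ESC1.
    if set(t["write"]) & LOW_PRIV:
        out.append("ESC4")
    return out


def audit(templates):
    return {t["name"]: findings(t) for t in templates}


def template(name, enroll, eku, name_flag=0, enrollment_flag=0,
             ra_signatures=0, write=(), published=True):
    """Build a template record in the shape an LDAP collector would return."""
    return {"name": name, "enroll": list(enroll), "eku": list(eku),
            "name_flag": name_flag, "enrollment_flag": enrollment_flag,
            "ra_signatures": ra_signatures, "write": list(write),
            "published": published}


# Constructed templates (not from a real CA).
TEMPLATES = [
    # Enrollee supplies subject, Client Authentication EKU, Domain Users may
    # enroll, no approval, no signatures: textbook ESC1.
    template("VPNUser", ["Domain Users"], ["1.3.6.1.5.5.7.3.2"],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    # Same template with manager approval: the request is pended, not issued.
    template("VPNUserApproved", ["Domain Users"], ["1.3.6.1.5.5.7.3.2"],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
             enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS),
    # Enrollee supplies subject but only Server Authentication: no logon use.
    template("WebServer", ["Domain Computers"], ["1.3.6.1.5.5.7.3.1"],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    # Subject built from AD (CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH |
    # CT_FLAG_SUBJECT_ALT_REQUIRE_UPN), so the requester cannot pick an identity.
    template("User", ["Domain Users"], ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
             name_flag=0x82000000),
    # Safe as configured, but Authenticated Users can rewrite it: ESC4.
    template("Workstation", ["Domain Computers"], ["1.3.6.1.5.5.7.3.2"],
             write=["Authenticated Users"]),
]

if __name__ == "__main__":
    for name, esc in audit(TEMPLATES).items():
        print(f"{name:16} {', '.join(esc) or 'ok'}")
```

Two of the negatives are worth reading closely: manager approval alone neutralizes an otherwise perfect ESC1 template, and a template that lets the enrollee supply the subject is harmless as long as its EKUs cannot be used for logon. The ESC4 finding on `Workstation` is the one auditors most often skip, because the template looks fine until someone edits it.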
The Full Kill Chain
Individual techniques are more dangerous in sequence. A realistic engagement chains them:
- BloodHound — enumerate ACLs, find Kerberoastable accounts and writable objects
- Kerberoasting — crack a service account; if the password does not crack, pivot to Shadow Credentials against any account the current principal can write to
- LSASS dumping — local credential access on compromised workstations
- ADCS ESC1/ESC8 — escalate to Domain Admin via certificate abuse
- DCSync — extract all domain hashes including krbtgt for Golden Ticket persistence
AD Attack Chains: From Initial Access to Domain Admin walks the complete purple team kill chain with detection rules at every step — from initial foothold through Kerberoasting, DCSync, and Golden Tickets.
Cloud Pivot: On-Premises to Entra ID
Active Directory compromise does not end at the domain boundary. Most enterprise environments synchronize on-premises AD with Entra ID (formerly Azure AD) via Microsoft Entra Connect, using password hash sync, pass-through authentication or federation, often with Seamless SSO on top. A compromised on-premises account, or a Kerberos ticket forged for the AZUREADSSOACC$ computer account that Seamless SSO relies on, translates directly into cloud access.
Beyond credential reuse, Entra ID has its own attack surface: Device Code phishing captures a fully MFA-satisfied session by getting the victim to complete Microsoft's own OAuth device authorization flow for a code the attacker requested; PRT theft turns a device-bound token that is valid for 14 days and renewed on use into silent access to every resource the user can reach; Conditional Access policies that require a compliant or hybrid-joined device can be satisfied by registering an attacker-controlled device as a "trusted" organizational asset.
Entra ID Attacks: Device Code Phishing, PRT Theft, and Conditional Access Bypass covers the full cloud identity attack chain and detection with KQL and Microsoft Sentinel.
For a broader view of cloud identity exploitation beyond the AD-to-cloud pivot: Identity-First Attacks in Cloud.
Detection Summary
Every technique in this guide leaves traces — if you have the right telemetry in place:
| Technique | Primary Detection Source | Key Event |
|---|---|---|
| Kerberoasting | Windows Security Log (domain controllers) | Event ID 4769, TicketEncryptionType 0x17 (RC4), ServiceName not krbtgt or a computer account; many distinct SPNs from one user in a short window |
| LSASS Dumping | Sysmon | Event ID 10, TargetImage lsass.exe, GrantedAccess including PROCESS_VM_READ (0x1010 and 0x1FFFFF are the common masks), SourceImage outside the known-reader allowlist |
| Shadow Credentials | Windows Security Log | Event ID 5136 (msDS-KeyCredentialLink modified); requires the object SACL for Write Property to be in place |
| ADCS ESC1 | CA Security Log | Event ID 4886/4887, requester ≠ subject or an attacker-supplied SAN in the request attributes; requires the CA audit filter to be enabled |
| ADCS ESC8 | CA Security Log + network | Event ID 4887 for a machine-account certificate requested from the web enrollment endpoint + NTLM relay indicators (coercion traffic from a DC to a non-DC host) |
| BloodHound collection | Windows Security Log / Directory Service log | Event ID 4662 on honeytoken objects with SACLs; Directory Service Event ID 1644 for expensive LDAP searches (requires field-engineering diagnostics logging) |
| Entra ID Device Code | Entra Sign-in Logs | authenticationProtocol = deviceCode |
The consistent gaps: ADCS auditing is disabled by default on most CAs, and Entra ID sign-in logs require active collection into a SIEM. Both are fixable in an afternoon. Windows Event Log Security Analysis covers the log collection infrastructure that makes these detections possible.
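Once the telemetry exists, the table rows become rules over event fields. The block below is an added example, not a detection from this guide or from any vendor: it runs the Kerberoasting, LSASS access, Shadow Credentials and ESC1 rows of the table above over a constructed batch of events (field names follow the Windows Security and Sysmon schemas; the values, hostnames and the `LSASS_READERS_OK` allowlist are assumptions). The Kerberoasting rule is stateful, because one RC4 ticket is normal and twenty in a minute is not.

```python
import re
from collections import defaultdict

# Constructed events in the shape a SIEM presents them (not real log data).
EVENTS = [
    {"id": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"id": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"id": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"id": 4769, "TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.40"},   # AES TGT renewal: benign
    {"id": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.41"},   # RC4 to a machine account: excluded as noise
    {"id": 10, "SourceImage": "C:\\Temp\\procdump64.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": 10, "SourceImage": "C:\\Windows\\system32\\csrss.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": 10, "SourceImage": "C:\\Windows\\system32\\svchost.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"id": 5136, "SubjectUserName": "helpdesk1", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=SRV-FILE01,OU=Servers,DC=corp,DC=local"},
    {"id": 5136, "SubjectUserName": "helpdesk1", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=SRV-FILE01,OU=Servers,DC=corp,DC=local"},
    {"id": 4887, "Requester": "CORP\\alice", "Subject": "CN=Administrator,CN=Users,DC=corp,DC=local",
     "Attributes": "CertificateTemplate:VPNUser\nSAN:upn=administrator@corp.local"},
    {"id": 4887, "Requester": "CORP\\bob", "Subject": "CN=bob,CN=Users,DC=corp,DC=local",
     "Attributes": "CertificateTemplate:User"},
]

RC4 = 0x17
PROCESS_VM_READ = 0x0010             # the access bit every memory dumper needs
LSASS_READERS_OK = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}
KERBEROAST_MIN_SPNS = 3              # distinct RC4 service tickets per user; tune per environment


def detect(events):
    """Return [(rule, summary), ...] for the batch; stateless rules fire in event order."""
    alerts = []
    rc4_spns = defaultdict(set)
    for e in events:
        eid = e["id"]
        if eid == 4769:
            svc = e["ServiceName"]
            if (int(e["TicketEncryptionType"], 16) == RC4
                    and svc != "krbtgt" and not svc.endswith("$")):
                rc4_spns[e["TargetUserName"]].add(svc)
        elif eid == 10:
            if (e["TargetImage"].lower().endswith("\\lsass.exe")
                    and int(e["GrantedAccess"], 16) & PROCESS_VM_READ
                    and e["SourceImage"].lower() not in LSASS_READERS_OK):
                alerts.append(("lsass_access",
                               f"{e['SourceImage']} opened lsass.exe with {e['GrantedAccess']}"))
        elif eid == 5136:
            if e["AttributeLDAPDisplayName"].lower() == "msds-keycredentiallink":
                alerts.append(("shadow_credentials",
                               f"{e['SubjectUserName']} modified msDS-KeyCredentialLink on {e['ObjectDN']}"))
        elif eid == 4887:
            # ESC1 heuristic from the table: requester != subject, or the request
            # carried its own SAN.  In production compare against the UPN in the SAN.
            requester = e["Requester"].split("\\")[-1].lower()
            m = re.match(r"CN=([^,]+)", e["Subject"])
            subject_cn = m.group(1).lower() if m else ""
            if subject_cn != requester or re.search(r"(?im)^SAN:", e["Attributes"]):
                alerts.append(("esc1_issuance",
                               f"{e['Requester']} was issued a certificate for {e['Subject']}"))
    for user, spns in rc4_spns.items():      # stateful rule, evaluated once per batch
        if len(spns) >= KERBEROAST_MIN_SPNS:
            alerts.append(("kerberoasting",
                           f"{user} requested RC4 tickets for {len(spns)} SPNs: {sorted(spns)}"))
    return alerts


if __name__ == "__main__":
    for rule, summary in detect(EVENTS):
        print(f"[{rule}] {summary}")
```

The three 4769 filters (RC4, not krbtgt, not a machine account) are what keep the Kerberoasting rule quiet in a domain where legacy RC4 is still negotiated by computer accounts. Once AES is enforced for service accounts, as the Kerberoasting deep-dive recommends, any remaining 0x17 request to a user SPN is itself the alert and the threshold can drop to one.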