Microsoft Security: Top 5 Enterprise Active Directory Attacks
Most of the world’s enterprises run Microsoft Active Directory (AD) on-premises, or a hybrid of AD and Microsoft Entra ID (formerly Azure Active Directory, AAD), for identity and network access.
Because of Active Directory’s broad enterprise use, it is a high-priority target for cybercriminals. Here’s a look at the top 5 AD attacks being used in 2025 and how your enterprise can protect itself.
Other than an enterprise's family jewels, there is nothing in a Microsoft environment that should be safeguarded with greater care than Active Directory. -- Robert E. LaMear IV, Founder, US Cloud
#1 LLMNR Poisoning
LLMNR poisoning is a potent attack vector that poses a significant threat to enterprise networks, particularly those utilizing Active Directory.
This man-in-the-middle attack exploits the Link-Local Multicast Name Resolution (LLMNR) protocol, which Windows systems use for name resolution when DNS lookups fail.
Attackers can intercept LLMNR requests and respond with malicious IP addresses, redirecting traffic and potentially capturing sensitive information, including password hashes [1]. The implications of a successful LLMNR poisoning attack are severe, ranging from credential theft and unauthorized access to privilege escalation and data breaches.
To protect against this threat, enterprises should consider disabling the LLMNR and NBT-NS protocols entirely, as they are often unnecessary in well-configured networks with proper DNS infrastructure [5]. Additionally, implementing strong password policies, utilizing Network Access Control, and conducting regular penetration tests can significantly enhance an organization's resilience against LLMNR poisoning attacks [2].
By taking these proactive measures, enterprises can fortify their Active Directory environments and mitigate the risks associated with this dangerous exploit.
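The "disable LLMNR and NBT-NS" advice above comes down to two registry settings. The following audit-and-harden script is an added example, not from the article; the registry paths are the ones Group Policy and the NIC settings dialog write to, while the `-Enforce` switch is my own convention.

```powershell
# Audit, and with -Enforce apply, the LLMNR / NBT-NS mitigation on one host.
# EnableMulticast is what the GPO "Turn off multicast name resolution" sets;
# NetbiosOptions=2 is the per-NIC "Disable NetBIOS over TCP/IP" setting.
# Run from an elevated PowerShell session.
param([switch]$Enforce)

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$nbtBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

# --- LLMNR: 0 = off; any other value, or no value at all, means multicast lookups are on ---
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -eq 0) {
    Write-Host "LLMNR: disabled (EnableMulticast=0)"
} else {
    Write-Warning "LLMNR: enabled (EnableMulticast='$llmnr'); failed DNS lookups are multicast to the LAN"
    if ($Enforce) {
        # The policy key does not exist until a policy has been written once
        if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        Write-Host "LLMNR: now disabled"
    }
}

# --- NBT-NS: NetbiosOptions 2 = disabled, 1 = enabled, 0 = follow the DHCP option ---
Get-ChildItem -Path $nbtBase | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
    $iface = $_.PSChildName
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -eq 2) {
        Write-Host "NBT-NS: disabled on $iface"
    } else {
        Write-Warning "NBT-NS: enabled on $iface (NetbiosOptions='$opt')"
        if ($Enforce) {
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            Write-Host "NBT-NS: now disabled on $iface (takes effect after the adapter restarts)"
        }
    }
}
```

In a domain, push the same two values through a GPO rather than running this per host; the script is useful for verifying that the policy actually landed on a given machine.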
#2 SMB Relay
SMB relay attacks pose a significant threat to enterprise networks, exploiting vulnerabilities in the Server Message Block (SMB) protocol to gain unauthorized access and potentially compromise entire Active Directory infrastructures.
In this attack, hackers intercept authentication attempts between clients and servers, relaying them to target systems to impersonate legitimate users. This can lead to privilege escalation, lateral movement, and data exfiltration, putting sensitive corporate assets at risk [3].
To protect against SMB relay attacks, enterprises should implement a multi-layered defense strategy. This includes enforcing SMB signing on all devices, disabling outdated SMB versions like SMBv1, and transitioning to more secure protocols such as Kerberos where possible. Additionally, organizations should segment their networks, implement strong firewall rules to restrict outbound SMB traffic, and regularly update and patch systems [4].
Employing advanced threat detection tools and educating users about the risks of clicking on suspicious links can further bolster defenses. By adopting these measures, enterprises can significantly reduce their vulnerability to SMB relay attacks and enhance their overall Active Directory security posture.
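The signing and SMBv1 controls above can be verified on any Windows host with the built-in SMB cmdlets. The following is an added example, not from the article; `-Enforce` is my own switch name, the cmdlets and their parameters are the standard ones in the SmbShare module.

```powershell
# Check one host against the SMB relay mitigations: signing required on the
# server and client sides, SMBv1 turned off. Run elevated; -Enforce applies fixes.
param([switch]$Enforce)

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

# A relay succeeds only if the *target* accepts an unsigned session, so the
# server-side "require" flag is what breaks the attack on this host; the client
# flag stops this host from being talked into an unsigned session elsewhere.
$checks = @(
    @{ Name = 'Server requires SMB signing'; Ok = $server.RequireSecuritySignature;
       Fix = { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force } },
    @{ Name = 'Client requires SMB signing'; Ok = $client.RequireSecuritySignature;
       Fix = { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force } },
    @{ Name = 'SMBv1 disabled on server';    Ok = (-not $server.EnableSMB1Protocol);
       Fix = { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force } }
)

$failed = 0
foreach ($c in $checks) {
    if ($c.Ok) {
        Write-Host ("[PASS] {0}" -f $c.Name)
    } else {
        $failed++
        Write-Warning ("[FAIL] {0}" -f $c.Name)
        if ($Enforce) { & $c.Fix; Write-Host ("       fixed: {0}" -f $c.Name) }
    }
}

# Disabling SMBv1 in the server config leaves the binaries installed; report that too.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    $failed++
    Write-Warning "[FAIL] SMB1Protocol feature still installed (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)"
}
Write-Host ("{0} check(s) failed" -f $failed)
```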
#3 IPv6 Relay
The IPv6 relay attack, also known as MITM6, is a potent threat to Active Directory environments that exploits the default IPv6 configuration in Windows systems.
Attackers can leverage this default by setting up a rogue DHCPv6 server and DNS server, intercepting authentication requests, and potentially capturing NTLM credentials or performing relay attacks. This technique is particularly dangerous because many organizations have IPv6 enabled by default but lack proper IPv6 security controls [5].
To protect against this attack, enterprises should implement a multi-layered defense strategy. First, they should configure Windows systems to prefer IPv4 over IPv6 using Group Policy. Additionally, organizations should enable IPv6 router advertisement (RA) guard and DHCPv6 guard on network switches to prevent unauthorized IPv6 traffic. Implementing strong LDAP signing and channel binding, as well as SMB signing, can further mitigate the risk of successful relay attacks [6].
Finally, enterprises should consider deploying comprehensive IPv6 security measures, including proper firewall rules and intrusion detection systems capable of monitoring IPv6 traffic, to ensure a robust defense against this sophisticated attack vector.
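The host-side parts of that defence (prefer IPv4, LDAP signing and channel binding on domain controllers) are registry values that can be audited and set, and a host can also report whether anything on the wire is currently handing it DHCPv6 leases or IPv6 DNS servers. The script below is an added example, not from the article; `-Enforce` is my own switch name, and the registry values are the documented Microsoft ones.

```powershell
# Host-side audit of the IPv6 relay mitigations. Run elevated; -Enforce applies (1) and (2).
param([switch]$Enforce)

$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# (1) DisabledComponents bit 0x20 = prefer IPv4 in the prefix policy table, without disabling IPv6.
$dc6 = [int](Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if (($dc6 -band 0x20) -ne 0) {
    Write-Host ("[PASS] IPv4 preferred over IPv6 (DisabledComponents=0x{0:X})" -f $dc6)
} else {
    Write-Warning "[FAIL] IPv6 preferred: a rogue router or DHCPv6 server can become this host's DNS server"
    if ($Enforce) {
        Set-ItemProperty -Path $tcpip6 -Name DisabledComponents -Value ($dc6 -bor 0x20) -Type DWord
        Write-Host "Set the prefer-IPv4 bit; a reboot is required"
    }
}

# (2) On a domain controller (DomainRole 4 or 5): require LDAP signing (LDAPServerIntegrity=2) and
#     always enforce channel binding (LdapEnforceChannelBinding=2) so relayed NTLM cannot bind to LDAP.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    foreach ($v in @(@{ Name = 'LDAPServerIntegrity'; Want = 2 }, @{ Name = 'LdapEnforceChannelBinding'; Want = 2 })) {
        $cur = (Get-ItemProperty -Path $ntds -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($cur -eq $v.Want) {
            Write-Host ("[PASS] {0}={1}" -f $v.Name, $cur)
        } else {
            Write-Warning ("[FAIL] {0}='{1}' (want {2}); unsigned or unbound LDAP binds are accepted" -f $v.Name, $cur, $v.Want)
            if ($Enforce) { Set-ItemProperty -Path $ntds -Name $v.Name -Value $v.Want -Type DWord }
        }
    }
}

# (3) Evidence that something is handing out DHCPv6 leases or IPv6 DNS servers. On a network that
#     does not run DHCPv6 on purpose, either finding deserves a look at which device answered.
Get-NetIPAddress -AddressFamily IPv6 -PrefixOrigin Dhcp -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning ("[CHECK] DHCPv6-assigned address {0} on '{1}'" -f $_.IPAddress, $_.InterfaceAlias) }
Get-DnsClientServerAddress -AddressFamily IPv6 | Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { Write-Warning ("[CHECK] IPv6 DNS server(s) {0} on '{1}'" -f ($_.ServerAddresses -join ', '), $_.InterfaceAlias) }
```

Enforcing LdapEnforceChannelBinding=2 and LDAPServerIntegrity=2 will break clients that still bind unsigned, so test on one DC with the audit events enabled first.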
#4 Pass the Hash
Pass-the-Hash (PtH) attacks pose a significant threat to enterprise security, particularly for organizations relying on Windows-based networks and Active Directory.
In this sophisticated credential theft technique, attackers bypass the need for plaintext passwords by stealing and reusing password hashes to move laterally within a network, potentially escalating privileges to gain widespread control [7].
To protect against PtH attacks, enterprises must implement a multi-layered defense strategy. This includes enabling Windows Defender Credential Guard to isolate and harden credential storage, implementing the principle of least privilege to limit user and administrative access, and utilizing network segmentation to contain potential breaches.
Organizations should also transition from vulnerable NTLM authentication to more secure Kerberos protocols where possible, enforce strong password policies, and regularly monitor for suspicious authentication patterns. Additionally, implementing multi-factor authentication (MFA) for privileged accounts and utilizing Privileged Access Workstations (PAWs) for administrative tasks can significantly reduce the risk of credential compromise [8].
By adopting these measures and maintaining a proactive approach to security, enterprises can substantially mitigate the threat of Pass-the-Hash attacks and protect their critical Active Directory infrastructure.
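Whether Credential Guard is actually running, whether LSASS is a protected process, and how far NTLM has been restricted are the host-level checks that tell you how much a stolen hash is worth on a given machine. The read-only audit below is an added example, not from the article; the WMI class and registry values are the documented ones.

```powershell
# Read-only audit of the pass-the-hash mitigations on one host. Run elevated.

# Credential Guard: SecurityServicesRunning contains 1 when it is active (2 would be HVCI).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 1)) {
    Write-Host "[PASS] Credential Guard is running; NTLM hashes are isolated from LSASS"
} else {
    $configured = [bool]($dg -and ($dg.SecurityServicesConfigured -contains 1))
    Write-Warning ("[FAIL] Credential Guard not running (configured: {0}); a local admin can read cached hashes from LSASS" -f $configured)
}

# LSA protection: RunAsPPL=1 (or 2 with UEFI lock) stops unsigned code from opening LSASS.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($ppl -ge 1) { Write-Host "[PASS] LSA runs as a protected process (RunAsPPL=$ppl)" }
else            { Write-Warning "[FAIL] RunAsPPL not set; LSASS memory is readable by any local administrator" }

# LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1.
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($lmLevel -eq 5) { Write-Host "[PASS] LmCompatibilityLevel=5 (NTLMv2 only)" }
else                { Write-Warning "[FAIL] LmCompatibilityLevel='$lmLevel' (5 expected)" }

# RestrictSendingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny outbound NTLM. Run in audit mode (1)
# first and read the NTLM operational log to find what still depends on NTLM before moving to Kerberos.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($restrict) {
    2       { Write-Host "[PASS] Outbound NTLM denied (RestrictSendingNTLMTraffic=2)" }
    1       { Write-Warning "[WARN] Outbound NTLM in audit mode; review the 'Microsoft-Windows-NTLM/Operational' log" }
    default { Write-Warning "[FAIL] Outbound NTLM allowed (RestrictSendingNTLMTraffic='$restrict')" }
}
```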
#5 Kerberoasting
Kerberoasting has emerged as a significant threat to enterprise security, with recent statistics showing a staggering 583% year-over-year increase in incidents.
This sophisticated post-exploitation technique targets the Kerberos authentication protocol in Active Directory environments, allowing attackers to extract and crack service account passwords offline [9]. The insidious nature of Kerberoasting lies in its ability to evade detection, as it doesn't trigger alerts or leave suspicious logs.
To protect against this growing threat, enterprises must implement a multi-layered defense strategy. This includes using strong, complex passwords for service accounts and regularly rotating them, preferably through group managed service accounts. Implementing multi-factor authentication and disabling weak encryption types like RC4 in favor of stronger protocols such as AES can significantly reduce vulnerability [10].
Additionally, organizations should leverage advanced identity security solutions and threat hunting capabilities to detect anomalous Kerberos ticket requests and potential offline cracking attempts. By combining these measures with continuous security validation and employee awareness training, enterprises can fortify their defenses against Kerberoasting and safeguard their critical Active Directory infrastructure.
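Two concrete checks for the advice above: an inventory of which accounts are exposed (user accounts with an SPN, whether they still allow RC4, and how old their password is), and a hunt through the domain controller's Security log, where every service-ticket request is still recorded as event 4769 even though nothing flags it. This is an added example, not from the article; it assumes the RSAT ActiveDirectory module for the first part and a DC's Security log for the second, and the threshold of 5 distinct services per client in 24 hours is an assumed starting point.

```powershell
# Part 1 needs the RSAT ActiveDirectory module; Part 2 must run on (or be pointed at) a DC.
Import-Module ActiveDirectory

# --- Part 1: which accounts can be Kerberoasted, and how weak are they? ---
# msDS-SupportedEncryptionTypes bit 0x4 = RC4 allowed; 0 or unset falls back to the
# domain default, which on most domains still includes RC4.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
  Where-Object { $_.SamAccountName -ne 'krbtgt' } |
  ForEach-Object {
    $etypes = $_.'msDS-SupportedEncryptionTypes'
    $age = if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { 'never set' }
    [pscustomobject]@{
        Account         = $_.SamAccountName
        IsPrivileged    = [bool]$_.AdminCount
        AllowsRC4       = (-not $etypes) -or (($etypes -band 0x4) -ne 0)
        PasswordAgeDays = $age
        SPNs            = ($_.ServicePrincipalName -join ';')
    }
  } | Sort-Object IsPrivileged, AllowsRC4 -Descending | Format-Table -AutoSize

# --- Part 2: RC4 (0x17) service-ticket requests in the last 24 h, grouped by requesting client ---
$xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[Data[@Name='TicketEncryptionType']='0x17']]"
# Keep successful requests for user-account SPNs only (computer accounts end in $, krbtgt is the TGT).
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Client = $d.IpAddress; User = $d.TargetUserName; Service = $d.ServiceName; Status = $d.Status }
  } |
  Where-Object { $_.Status -eq '0x0' -and $_.Service -ne 'krbtgt' -and $_.Service -notmatch '\$$' } |
  Group-Object Client |
  ForEach-Object {
    $services = @($_.Group.Service | Sort-Object -Unique)
    # One client pulling RC4 tickets for many distinct services in a short window is the classic pattern
    if ($services.Count -ge 5) {
        Write-Warning ("{0} requested RC4 tickets for {1} services as {2}: {3}" -f $_.Name, $services.Count,
            (($_.Group.User | Sort-Object -Unique) -join ','), ($services -join ' '))
    }
  }
```

Accounts that show AllowsRC4 = True in Part 1 are the ones to move to a group managed service account or to AES-only via msDS-SupportedEncryptionTypes; a hit in Part 2 is a lead, not a verdict, since some monitoring and backup tools legitimately enumerate services.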
Sources: