Threats Against Active Directory: Why It Is Attacked
You already know what a bad week looks like in the news: a company offline for a fortnight, screens locked, operations halted, a ransom note.
What the headline rarely says is that somewhere in the middle of almost every one of those stories, the attacker took control of Active Directory. The last sub showed you what AD is and why it is the most valuable thing in the estate. This sub turns that value around and looks at it from the other side, as the reason AD is the most attacked thing too.
Scenario
You read three breach reports back to back. One is a ransomware case, one is a quiet nation-state intrusion that sat undetected for months, one is an insider who walked off with a database. Different actors, different motives, different industries. Yet all three reports describe, in different words, the same middle chapter: the attacker gained control of the domain. Why does a path through Active Directory show up in intrusions that otherwise have nothing in common? That common thread is the whole point of this sub, and the reason the rest of the course exists.
The answer is the one fact you carried out of the last sub: Active Directory is the single authority every system trusts. That makes it the place where effort pays off most. An attacker who works hard against one server has compromised one server. An attacker who works hard against Active Directory has compromised the means by which every server, every share, and every account is trusted. The payoff is the whole organization, from a single prize.
And the prize is unusually concentrated. In most networks there is no second, independent authority to compromise instead; everything funnels through the one directory. An attacker does not have to defeat every defense in the estate, only the defenses around Active Directory, because once that falls the rest follows by design. That concentration is a gift to the attacker and the central problem for the defender, and it is why so much security effort rightly focuses here.
Why Active Directory is the target
Think about it from the attacker's side as a question of return on effort. Most intrusions start small, with one phished user or one exposed service. From that small start, the attacker wants the largest possible result for the least additional risk. Active Directory is the answer to that calculation, because it converts one foothold into total reach.
That single fact explains why the threat is so broad. Active Directory is not attacked by one kind of adversary with one motive. It is attacked by almost everyone, because almost every objective runs through it.
Ransomware operators are the loudest example. To do real damage, ransomware has to run everywhere at once, on every server and workstation before anyone can react. The fastest way to push a program to every machine in a Windows network is to use the same central control the administrators use, which means controlling Active Directory first. Most large ransomware cases are, underneath, an Active Directory compromise with an encryption payload at the end.
This is also why modern ransomware is so damaging. The crews learned that encrypting one server is a nuisance, but encrypting every server at once, after first stealing the data to extort separately, is a business-ending event. Both halves of that, the mass encryption and the bulk data theft, depend on the domain-wide reach that only control of Active Directory provides. The directory is not incidental to the attack; it is what gives the attack its scale.
Nation-state and espionage actors want something different, quiet and lasting access, but they reach for the same target. Control of the directory lets them create accounts, grant themselves rights, and forge credentials that survive password resets, so they can stay for months. The motive is patience rather than destruction, and the path still runs through AD.
And the techniques travel. A method published in offensive research, refined by a penetration tester, and folded into a criminal toolkit is the same method in each pair of hands. So a small organization that thinks it is too dull to interest a nation-state still faces the nation-state's techniques, because those techniques are now in the ransomware crews' playbooks too.
Insiders round out the picture. An employee with legitimate access who wants to steal data, or whose account has been compromised, does not need to break in at all; they are already inside, and the same directory that grants their normal access can be turned toward what they should not reach. The motive differs again, but the directory is still the lever. That is the recurring lesson of this sub: whatever the goal, Active Directory is where it gets achieved.
What the attacker is trying to achieve
Whoever they are, the objectives against AD fall into a small, repeating set, and the whole course is organized around them. It helps to see them as a sequence, because that is how an intrusion usually unfolds.
Reconnaissance comes first: the attacker reads the directory to learn who the privileged users are, which accounts are weak, and how the groups and trusts connect. Credential access follows, stealing or cracking a password or a ticket. Privilege escalation turns a modest account into a powerful one by abusing a misconfiguration. Domain dominance is the goal, full control of the directory itself, the ability to authenticate as anyone. And impact is whatever the actor came for: ransomware deployed estate-wide, data stolen, or quiet persistence left behind.
You will spend a module on each of these stages, learning the attack and then how to see it. For now the point is the shape: AD intrusions are not random, they march through a recognizable set of objectives, and a defender who knows the march knows where to watch.
It is worth noting how uneven these stages are to detect, because that shapes the course. Reconnaissance is quiet and often invisible in the native logs, so there the defense leans on posture rather than alerts. Credential access and escalation, by contrast, leave distinct marks once you know the encryption types and directory changes to look for.
Domain dominance is the loudest in principle, since replication and ticket forging have clear tells, yet it is also where a skilled attacker works hardest to blend in. Knowing which stages you can catch cleanly and which you cannot is part of defending honestly.
The uncomfortable truth: most of it is not a bug
Here is the part that surprises people new to AD security, and it changes how you have to think. The large majority of these attacks do not exploit a software vulnerability at all. They abuse features that are working exactly as designed.
Kerberos issues a ticket encrypted with a service account's password, because that is how the protocol proves the ticket. Delegation lets one service act on behalf of a user, because that is a feature real applications need. Replication lets a domain controller pull directory data, because that is how controllers stay in sync. Permissions let one account modify another, because administration requires it. Every one of those is a legitimate, documented behavior, and every one is the basis of an attack you will learn.
None of these can simply be switched off. Kerberos is how the network authenticates, delegation runs real applications, replication keeps the domain alive. You cannot patch away a feature the business depends on, so defending AD is not about removing these capabilities. It is about constraining them, watching how they are used, and catching the moment a legitimate mechanism is bent to an illegitimate end.
This is why patching, on its own, does not defend Active Directory. Patching closes software bugs, and you should absolutely do it, but a fully patched domain is still wide open to Kerberoasting, to delegation abuse, to credential replay, and to the rest, because none of those need a bug. They need a weak password, an over-broad permission, a privileged account used carelessly. The directory is doing what it was told to do.
There is a related habit that makes this harder still. Skilled attackers live off the land: they use the same built-in tools and protocols the administrators use, rather than dropping obvious malware.
A request for a Kerberos ticket, a query against the directory, a change to a group membership, these are the actions of a busy admin and of an intruder alike. The difference is context, not the action itself, which is why a defender has to understand the legitimate behavior deeply enough to know when it is out of place.
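An added illustration of that point, not code from the course: it scores Kerberos service-ticket requests by context rather than by the action itself, using the two marks mentioned above, the encryption type requested and how many distinct services one account asks for in a short window. The event shape is a simplified model of a Windows 4769 record, the thresholds are assumptions, and the sample records are constructed.

```python
# Added example (not from the course). Event fields are a simplified model of
# the Windows Security event 4769 (service ticket requested); the sample
# records below are constructed, not captured from a real domain.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # legacy encryption type; tickets in it are the easy ones to crack offline
AES256 = 0x12     # what a healthy modern estate normally requests

# Constructed sample: one busy admin, one account fanning out across services.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "alice", "spn": "MSSQLSvc/db01", "etype": AES256},
    {"time": "2024-05-01T09:00:05", "user": "alice", "spn": "cifs/fs01",     "etype": AES256},
    {"time": "2024-05-01T09:01:00", "user": "bob",   "spn": "MSSQLSvc/db01", "etype": RC4_HMAC},
    {"time": "2024-05-01T09:01:01", "user": "bob",   "spn": "http/web01",    "etype": RC4_HMAC},
    {"time": "2024-05-01T09:01:02", "user": "bob",   "spn": "MSSQLSvc/db02", "etype": RC4_HMAC},
    {"time": "2024-05-01T09:01:03", "user": "bob",   "spn": "cifs/fs01",     "etype": RC4_HMAC},
]


def flag_ticket_requests(events, window=timedelta(minutes=5), spn_threshold=3):
    """Return {user: reason} for accounts whose ticket requests look out of place.

    Neither check is about a bug; both are about context:
    - RC4 tickets requested where the estate otherwise uses AES
    - one account requesting tickets for many distinct services in a short window
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["spn"], e["etype"]))

    findings = {}
    for user, reqs in by_user.items():
        reqs.sort()
        rc4_count = sum(1 for _, _, etype in reqs if etype == RC4_HMAC)
        # Largest number of distinct SPNs requested inside any one sliding window.
        burst = 0
        for i, (t0, _, _) in enumerate(reqs):
            spns = {spn for t, spn, _ in reqs[i:] if t - t0 <= window}
            burst = max(burst, len(spns))
        reasons = []
        if rc4_count:
            reasons.append(f"{rc4_count} RC4 (0x17) ticket request(s)")
        if burst >= spn_threshold:
            reasons.append(f"{burst} distinct SPNs within {window}")
        if reasons:
            findings[user] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for user, reason in flag_ticket_requests(EVENTS).items():
        print(f"{user}: {reason}")
```

Alice's two AES requests are ordinary administration and produce nothing; Bob's burst of RC4 requests is the same action in a context that warrants a look.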
Anti-pattern
Treating Active Directory security as a patching problem. "We are fully patched, so we are secure" is one of the most common and most dangerous assumptions in AD defense. Most domain compromises in the wild use no CVE at all; they chain together features and misconfigurations that no patch will ever remove, because they are not defects. Patching is necessary and you must do it, but it defends against the minority of AD attacks, not the majority. The majority you defend against by understanding the abuse and watching for it, which is what this course builds.
These are modern, current threats
None of this is history. It would be easy to assume AD attacks are a solved problem from a decade ago, but the threat is alive and moving.
Recent additions to the directory bring their own abuses: delegated managed service accounts on Windows Server 2025 introduced the dMSA successor path known as BadSuccessor, and the 2026 vulnerability cycle has produced fresh service-principal and Kerberos issues such as CVE-2026-25177. Certificate Services, a feature many organizations turned on without hardening, opened a whole family of escalation techniques that are now standard in real intrusions.
So the techniques you learn here are the ones being used now, against current and supported versions of Windows Server, on domains that are fully patched. This course deliberately leaves the museum pieces aside, the attacks that only worked on retired systems, and concentrates on what a defender will actually meet. As new techniques appear, the way you reason about them stays the same: understand the feature being abused, find what it leaves in the evidence, and watch for it.
The pace is why that matters. Every year brings new directory features, and features bring abuse; every year brings research that turns a quiet misconfiguration into a named technique.
A course that taught only a fixed list of attacks would date quickly. What does not date is the method, so this course spends as much effort on how to reason about an AD attack as on any single technique, so that the next one you meet, the one not yet published, is something you can still work out for yourself.
That shapes the whole job. Because most AD attacks look like legitimate administration, defending the directory is rarely about blocking obviously bad software. It is about recognizing when a normal-looking action, a ticket request, a permission change, a replication, is being done by the wrong account for the wrong reason. That is a subtler skill than running an antivirus, and it is exactly the skill the rest of this course is built to give you.
You now know why Active Directory draws so many attackers, what they are trying to achieve, and why most of what they do needs no vulnerability. The next sub gets specific about where the directory is exposed, the attack surface: the concrete features, accounts, and settings that turn into the footholds and stepping stones an intrusion uses.