In this section
Active Directory Alert Triage
What you already know
Endpoint alerts scope a single host. Active Directory alerts rarely stay on one host: a DCSync or Kerberoast touches the directory every domain-joined machine trusts.
Scenario
Defender for Identity raises a Kerberoasting alert against a service account. It looks like one event on one host. It is not: the attacker now holds an offline-crackable ticket for an account every server in the domain trusts. Rachel needs Tom to treat this as a directory event from the first minute, not a single-host curiosity.
Active Directory alerts represent the most consequential category of security events in an on-premises or hybrid environment. When Defender for Identity detects DCSync, golden ticket usage, or Kerberoasting, the alert is not saying "something suspicious happened on an endpoint." It is saying "the attacker may have obtained domain-level credentials that grant access to EVERY system in the environment." The triage responder must understand that AD alerts occupy a different severity tier than endpoint alerts: a compromised workstation affects one user, but a compromised Active Directory affects the entire organization."
Figure TR3.3. The domain compromise ladder. AD alerts escalate from reconnaissance (probing) through credential theft (partial access) to domain dominance (total control). Each tier demands a different triage response and escalation urgency.
The domain compromise assessment
Before triaging individual alerts, the triage responder must understand what "domain compromise" means operationally. Active Directory is the authentication and authorization backbone for every on-premises Windows system. The domain's KRBTGT account hash is the master key: an attacker who obtains it can forge Kerberos tickets for any account (golden ticket), granting access to any system, as any user, for as long as the hash remains unchanged.
The domain compromise assessment asks three questions during triage:
Question 1: Has the attacker obtained domain admin credentials? If the alert involves DCSync, pass-the-hash with a domain admin account, or golden ticket usage, the answer is yes or probable. This triggers emergency response, not standard triage. The incident team must assume the attacker can access any system and begin scoping from that assumption.
Question 2: Has the attacker obtained the KRBTGT hash? DCSync for the KRBTGT account is the specific indicator. If the IdentityDirectoryEvents show a replication request targeting the KRBTGT object from a non-DC source, the attacker can forge unlimited golden tickets. Containment requires a KRBTGT password reset (twice, per Microsoft's guidance): a disruptive action that invalidates all existing Kerberos tickets in the domain.
Question 3: Can the attacker persist beyond credential reset? Golden tickets forged before the KRBTGT reset remain valid for the ticket's lifetime (default 10 hours). Skeleton key attacks persist until the DC is rebooted. Backdoor accounts in privileged groups persist until discovered and removed. The triage responder flags these persistence possibilities for the investigation team.
Tier 1: Reconnaissance alerts
Suspected brute force (Kerberos/NTLM)
What this means: Multiple failed authentication attempts against one or more accounts from a single source. Defender for Identity detects this through the domain controller's authentication logs, failed Kerberos pre-authentication (Event ID 4771) or failed NTLM authentication (Event ID 4776).
Triage procedure: The critical question, identical to the password spray triage in TR2.2, is whether ANY account succeeded. A brute force with 0 successes is a detected-and-failed attack. A brute force with 1+ successes is initial access.
// KQL: Check for successful authentications from the brute force source
IdentityLogonEvents
| where TimeGenerated > ago(4h)
| where IPAddress == "203.0.113.55" // Source IP from the alert
| where ActionType == "LogonSuccess"
| project TimeGenerated, AccountName, AccountDomain,
DeviceName, IPAddress, Protocol, LogonType
| sort by TimeGenerated ascFP patterns: Service accounts with expired passwords generating repeated failures. Users who forgot their password and are trying variations. Application servers with cached credentials for a changed password. Check the targeted account: if it is a service account and the failures occur at a regular interval (every 5 minutes, matching a service restart cycle), it is a misconfiguration, not an attack.
Triage decision: Zero successes from a single source = close as detected attack, document the source IP, add to watchlist. One or more successes = probable TP, run the 10-command triage (TR3.1) on the system that authenticated successfully, check for post-authentication lateral movement.
Account enumeration
What this means: The attacker is querying Active Directory for account information, typically through LDAP queries for user accounts, group memberships, service principal names (SPNs), or computer accounts. This is reconnaissance: the attacker is mapping the environment before attacking it.
Triage procedure: Account enumeration from a workstation is suspicious (users do not run LDAP enumeration tools). Account enumeration from a known IT admin system during business hours MAY be legitimate (AD administration). The source system determines the classification:
// KQL: LDAP enumeration from the alerting device
IdentityQueryEvents
| where TimeGenerated > ago(4h)
| where DeviceName =~ "DESKTOP-NGE042"
| where ActionType == "LDAP query"
| summarize QueryCount = count(), UniqueQueries = dcount(QueryTarget) by AccountName
| where QueryCount > 50 // Threshold for unusual volumeAt NE, the CHAIN-PRIVILEGE attacker ran SharpHound (the BloodHound data collector) from a compromised workstation, generating thousands of LDAP queries in 3 minutes. The volume and diversity of queries (users, groups, OUs, GPOs, trusts) immediately distinguished it from legitimate admin activity.
FP pattern: IT administrators running AD administration tools (ADUC, ADSI Edit, AD PowerShell), SCCM discovery cycles, vulnerability scanners querying AD for host inventory. These produce LDAP query volume but with predictable patterns and from known admin systems.
Anti-Pattern
Triaging an AD alert as a single-host event
A Kerberoast or DCSync alert names one host, so it is tempting to scope the incident there. But the technique targets the directory: the cracked service ticket or the replicated hashes work against every machine in the domain. Scope an AD alert at the directory level from the start, or you contain one workstation while the attacker keeps the keys.
Tier 2: Credential theft alerts
Kerberoasting
What this means: The attacker requested Kerberos TGS tickets for multiple service accounts within a short window. The tickets are encrypted with the service account's password hash: the attacker takes them offline and cracks them. If any service account has a weak password, the attacker obtains those credentials.
Triage procedure: Kerberoasting is a legitimate Kerberos operation (requesting TGS tickets) used maliciously. The triage indicators are VOLUME (requesting tickets for 10+ service accounts in minutes) and SOURCE (from a workstation that does not normally request service tickets):
// KQL: Kerberoasting pattern detection
IdentityLogonEvents
| where TimeGenerated > ago(4h)
| where Protocol == "Kerberos"
| where ActionType == "LogonSuccess"
| where Application != "" // SPN-based requests
| where DeviceName =~ "DESKTOP-NGE042"
| summarize TicketCount = count(), UniqueServices = dcount(Application)
by AccountName, bin(TimeGenerated, 5m)
| where TicketCount > 5At NE, the CHAIN-PRIVILEGE attacker Kerberoasted 15 service accounts from a compromised workstation. One service account (svc-backup) had a password that was crackable in 4 hours. The attacker used the svc-backup credentials to access the backup infrastructure and delete offsite backup copies before deploying ransomware.
FP pattern: Penetration testing (check for change tickets. TR0.7 Alert 5 covers this exact scenario). Some monitoring tools that enumerate service accounts. IT administrators auditing service account SPNs.
Triage decision: If the Kerberoasting came from a compromised endpoint (cross-reference with endpoint alerts): confirmed TP, probable credential compromise. The investigation team must assess: which service accounts were targeted, do any have weak passwords (the attacker will have cracked them), and do any have privileged access? The triage responder cannot determine whether the cracking succeeded, only the investigation team (or a proactive password audit) can assess that. But the triage report should flag: "Kerberoasting of 15 service accounts detected. Assume credentials compromised for accounts with weak passwords. Priority: identify which targeted accounts have administrative privileges."
NTLM relay
What this means: The attacker is relaying NTLM authentication from one system to another, capturing an authentication attempt and forwarding it to a different target to gain access. This is a network-level credential theft technique that does not require knowing the password.
Triage procedure: NTLM relay requires the attacker to be positioned on the network between the victim and the target (man-in-the-middle). The Defender for Identity alert identifies the relay pattern: the same NTLM authentication appears at two different targets within milliseconds. The source system that initiated the authentication may be compromised (the attacker triggered the authentication), or the attacker may be intercepting legitimate traffic.
Check: is NTLM signing enforced in the domain? If yes, relay attacks should fail (signing prevents the relayed authentication from being accepted). If no: this is a domain configuration weakness that the attacker is exploiting. Flag for the investigation team: NTLM signing should be enforced as a remediation action.
Pass-the-hash
What this means: The attacker is authenticating using a stolen NTLM hash rather than a password. The hash was obtained from a credential dump (LSASS, SAM database, or NTDS.dit). The attacker does not know the password, they use the hash directly for NTLM authentication.
Triage procedure: The critical question: WHOSE hash is being used? An attacker passing the hash of a standard user account has limited access. An attacker passing the hash of a domain admin account has unrestricted access. Check the account in the alert:
// KQL: Check if the passed hash belongs to a privileged account
IdentityDirectoryEvents
| where TimeGenerated > ago(30d)
| where ActionType == "Group Membership change"
| where DestinationDeviceOrGroup has_any ("Domain Admins", "Enterprise Admins", "Schema Admins")
| where TargetAccountUpn =~ "svc-backup@northgateeng.com" // Account from the alertIf the account is a member of Domain Admins, Enterprise Admins, or Schema Admins: escalate as CRITICAL. The attacker has domain admin access via hash. If the account is a standard user: escalate as HIGH. The attacker has lateral movement capability but not domain dominance.
Tier 3: Domain dominance alerts
DCSync
What this means: The attacker is replicating the Active Directory database by impersonating a domain controller. DCSync requests the password hashes for specific accounts, or ALL accounts, from a legitimate DC. The attacker does not need to compromise the DC itself; they need an account with replication privileges (Domain Admin, or an account explicitly granted Replicating Directory Changes rights).
Triage procedure: DCSync from a non-DC source is ALWAYS malicious. Legitimate replication only occurs between domain controllers. If the source IP in the alert is not a domain controller: confirmed TP, CRITICAL severity.
// KQL: DCSync detection — replication from non-DC sources
IdentityDirectoryEvents
| where TimeGenerated > ago(4h)
| where ActionType == "Directory Service Access"
| where Protocol == "DRSUAPI" // Directory Replication Service
| where DeviceName !in ("DC01-NGE-BRS","DC02-NGE-SHF","DC03-NGE-EDN","DC04-NGE-MAN")
| project TimeGenerated, AccountName, DeviceName, IPAddress,
TargetAccountUpn = tostring(AdditionalFields.TARGET_OBJECT.VALUE)
| sort by TimeGenerated ascThe KRBTGT check: If TargetAccountUpn includes "krbtgt", the attacker has obtained the KRBTGT hash and can forge golden tickets for any account. This is the worst-case Active Directory compromise. Escalate immediately. The investigation team must plan a KRBTGT password reset (twice: the first reset creates a new hash, the second invalidates the old hash which is still cached in the DC's history). This reset invalidates every Kerberos ticket in the domain and requires all users and services to re-authenticate: a significant operational disruption that must be coordinated with IT and business leadership.
At NE, the CHAIN-PRIVILEGE attacker executed DCSync from a compromised workstation at 01:30, targeting the KRBTGT account and 4 domain admin accounts. Rachel's triage classified this as CRITICAL within 3 minutes of the alert. The KRBTGT reset was executed at 02:15 (coordinated with Phil's IT team, who re-authenticated critical services over the next 4 hours).
FP pattern: Essentially zero for DCSync from non-DC sources. The only conceivable FP: a misconfigured tool that accidentally performs replication requests, extremely rare and easily verified by checking with the IT team.
Golden ticket usage
What this means: The attacker is using a forged Kerberos TGT (golden ticket) to authenticate as any user. Golden tickets are created using the KRBTGT hash obtained via DCSync. The ticket is valid for its configured lifetime (default 10 hours) and bypasses all authentication controls except Kerberos ticket validation.
Triage procedure: Defender for Identity detects golden tickets through anomalies in the Kerberos ticket: ticket lifetime exceeding policy, ticket issued by a non-existent or renamed KRBTGT account, or ticket with an impossible encryption type. The alert confirms the KRBTGT hash was compromised (you cannot forge a golden ticket without it).
Triage decision: If a golden ticket alert fires: the KRBTGT hash is compromised. This is a confirmed domain compromise regardless of any other alert context. The previous DCSync attack (which provided the hash) may have occurred days or weeks ago. The golden ticket is the EXPLOITATION of the stolen hash. Containment requires KRBTGT reset, but the golden ticket remains valid until its lifetime expires (up to 10 hours after the reset, for tickets forged before the reset).
Immediate actions: (1) Begin KRBTGT password reset coordination with IT. (2) Identify the account being impersonated by the golden ticket. (3) Isolate the system from which the golden ticket is being used. (4) Escalate to the CISO, domain compromise requires executive notification.
Skeleton key
What this means: The attacker has installed a skeleton key on a domain controller. A skeleton key patches the LSASS process on the DC to accept a master password for ANY account while still accepting the legitimate password. This means every account in the domain has a second password that only the attacker knows. Skeleton key attacks are rare but devastating.
Triage procedure: Skeleton key detection requires monitoring for unusual LSASS behavior on domain controllers. Defender for Identity detects it through specific anomalies in the DC's authentication processing. The alert is ALWAYS a TP, there is no legitimate reason for the LSASS process on a DC to be patched with an additional authentication provider.
Containment: Reboot the affected domain controller. The skeleton key exists only in memory, it does not survive a reboot. However, the attacker may reinstall it after the reboot if they retain access to the DC. The investigation team must determine how the attacker gained DC access and eradicate that access path before the reboot.
The AD triage escalation framework
AD alerts require a different escalation framework than endpoint or cloud alerts because the blast radius is organizational, not individual:
Reconnaissance alerts (brute force, enumeration): Standard triage. Score the triage scorecard. Escalate if successes are detected. Close if the attack failed and the source is documented.
Credential theft alerts (Kerberoasting, NTLM relay, pass-the-hash): Escalate as HIGH. The attacker has credentials (or is attempting to obtain them). Even if the specific stolen credentials have limited privileges, the attacker is one escalation step from domain compromise. The investigation team must assess: which credentials were stolen, what access do they grant, and has the attacker used them to escalate further?
Domain dominance alerts (DCSync, golden ticket, skeleton key): Escalate as CRITICAL, immediate CISO notification. Domain compromise means the attacker can access every system, read every email, modify any configuration, and persist indefinitely. This is not a triage-and-close alert. This is an emergency response requiring: KRBTGT reset planning, full AD health assessment, and potentially a complete credential rotation for all accounts.
Worked artifact: AD alert escalation matrix
| Alert Type | Severity | Action | Escalation |
|---|---|---|---|
| Brute force (0 success) | Low | Document, watchlist, close | Standard |
| Brute force (1+ success) | High | Full triage for successful accounts | IR team |
| Kerberoasting | High | Identify targeted service accounts | IR team |
| NTLM relay | High | Check NTLM signing enforcement | IR team |
| Pass-the-hash (standard user) | High | Isolate source, assess lateral movement | IR team |
| Pass-the-hash (domain admin) | Critical | Isolate source, assume domain access | CISO + IR team |
| DCSync (any account) | Critical | Assume credential compromise | CISO + IR team |
| DCSync (KRBTGT) | Critical | KRBTGT reset required | CISO + IR team + IT |
| Golden ticket | Critical | KRBTGT reset + full scope assessment | CISO + IR team + IT |
| Skeleton key | Critical | DC reboot + access path eradication | CISO + IR team + IT |
⚖ Decision Point
Kerberoasting targeting a low-privilege SQL service account. Check whether the cracked credential has been USED, sign-ins as the SQL account from unusual sources. If no subsequent use, classify HIGH (not CRITICAL). The attacker may still be cracking the hash.
In Sentinel, run: SecurityAlert | where TimeGenerated > ago(90d) | where ProductName == "Azure Advanced Threat Protection" | summarize count() by AlertName | sort by count_ desc | take 10. Defender for Identity alerts appear under "Azure Advanced Threat Protection" in Sentinel. The most common alert type reveals whether your domain faces reconnaissance (brute force, common), credential theft (Kerberoasting, less common but more dangerous), or domain dominance (DCSync, rare but catastrophic). If you see zero Defender for Identity alerts: verify that the Defender for Identity sensor is installed on your domain controllers and the data connector is enabled in Sentinel.
Ransomware operators target AD regardless of organization size because AD is the fastest path to encrypting the entire environment. A single compromised endpoint → credential dump → DCSync → domain admin → encrypt every server via Group Policy. The attack chain works identically on a 200-user domain and a 20,000-user domain. In fact, smaller organizations often have weaker AD security (no tiered administration, domain admins logging into workstations, no LAPS for local admin passwords, NTLM signing not enforced), making the attack chain EASIER, not harder. The 2025 ransomware statistics show that over two-thirds of ransomware attacks targeted businesses with fewer than 500 personnel. Small domains are not safer, they are softer targets.
Troubleshooting
"IdentityDirectoryEvents and IdentityLogonEvents are empty in Sentinel." These tables require the Defender for Identity sensor on your domain controllers AND the Microsoft Defender XDR data connector in Sentinel with identity data enabled. Check: Defender portal → Settings → Identities → Sensors. If no sensors are deployed, these tables will be empty. Without Defender for Identity, AD attack detection relies on native Windows event logs (Event IDs 4624, 4625, 4768, 4769, 4771, 4776), which provide less context but are available on any DC with default auditing.
"The DCSync alert fired but I am not sure if it succeeded." Check the IdentityDirectoryEvents for the specific replication request. If the ActionType shows "Directory Service Access" with Result "Success," the replication succeeded: the attacker has the targeted account hashes. If the Result shows "Failure," the attacker's account did not have sufficient privileges: the attempt was blocked. A failed DCSync still indicates a compromised account with malicious intent, escalate as HIGH even if the replication failed, because the attacker may attempt alternative escalation paths.
"Management questions whether a KRBTGT reset is necessary, it is too disruptive." Present the alternative: the attacker retains the ability to forge authentication tickets for any user in the domain, for any system, indefinitely. Every server, every database, every email account, every file share is accessible. The KRBTGT reset is disruptive (4-8 hours of service account re-authentication). A domain compromise where the attacker retains golden ticket capability is catastrophic (complete loss of trust in the entire authentication infrastructure). The reset disruption is a fraction of the breach cost.