
2025 Security Predictions: Active Directory Will Remain a Key Target for Threat Actors Despite Efforts to Secure It

Ben Higgins

November 12, 2024

An advisory issued by the Five Eyes intelligence alliance of Australia, the U.S., Canada, New Zealand, and the UK provides a compelling reminder of the persisting cyberthreat posed by attackers targeting Active Directory. Developed by Microsoft, Active Directory is the most widely used authentication and authorization solution in enterprise IT networks globally, noted the Five Eyes guidance.

The advisory, titled “Detecting and Mitigating Active Directory Compromises”, aims to inform organizations about 17 common techniques that the authoring agencies have observed threat actors using to target Active Directory. The authoring agencies include the Australian Signals Directorate (ASD), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

Active Directory manages and authenticates user identities within Windows networks and offers some compatibility with macOS and Linux systems. Active Directory manages authentication by verifying the identity of users or devices trying to access resources such as applications, files, or systems within enterprise networks. Thus, from the perspective of identity compromise, Active Directory offers attackers the proverbial “keys to the kingdom” within enterprise IT environments, according to CrowdStrike.

Given prevailing techniques observed in ransomware campaigns over the past year, ExtraHop predicts that Active Directory will remain a leading attack vector for threat actors in 2025. This prediction builds on a similar security forecast we issued last year, where we envisioned that Active Directory would “likely be leveraged by attackers and exploited in nearly all major ransomware cases in 2024.” We projected this targeting trend despite Microsoft’s pledge to reduce the Active Directory attack surface in April 2023.

Last year, Microsoft deployed several updates in preview builds of Windows 11 and Windows Server, such as encrypting LDAP by default, adding encryption controls to SMBv3, and rolling out new features to help IT teams deprecate NTLM. Nevertheless, our forecast proved accurate with the compromise of Active Directory being documented in every major ransomware campaign, the most notable example being the Change Healthcare cyberattack. This intrusion was staged by the now-disbanded ALPHV (BlackCat) ransomware gang, and has cemented its place in history as the most expensive breach to date.

Reporting on the Change Healthcare breach, HIPAA Journal noted that the “initial point of entry for the BlackCat ransomware affiliate was a server that did not have multifactor authentication enabled.” After accessing that server, the ALPHV affiliate “escalated privileges and gained privileged access to the Microsoft Active Directory Server,” according to HIPAA Journal. The enduring exploitability of Active Directory remains a leading security concern, particularly given that 2024 was “another record-breaking year” for ransomware payouts, according to TechCrunch.

The Enduring Exploitability of Active Directory

The Five Eyes guidance noted that Active Directory includes multiple services, including Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS) and Active Directory Certificate Services (AD CS). The advisory noted that these Active Directory services “provide multiple authentication options, including smart card logon, as well as single sign-on with on-premises and cloud-based services.”

Active Directory’s centrality to authentication and authorization makes it a high-value target for threat actors. Attackers generally target Active Directory environments after they have already gained initial access to a victim’s network, which they typically breach by phishing, using compromised credentials, or exploiting unpatched vulnerabilities in publicly exposed web services. Once inside the victim's network, attackers look to perform reconnaissance on and escalate privileges in Active Directory environments. The Five Eyes guidance said that Active Directory is “susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues.”

Specifically, Active Directory’s vulnerability to exploitation is partially due to the fact that “every user in Active Directory has sufficient permission to enable them to both identify and exploit weaknesses,” according to the advisory. These highly modular permission controls mean that attackers who get access to one low-privilege Active Directory user account have generally limitless potential when it comes to expanding their access to a victim’s network.

Overall, Active Directory’s vast default permissions significantly amplify its attack surface, making it much more difficult to defend. The domain service’s vast exploitability is also rooted in the “complexity and opaqueness of relationships that exist within Active Directory between different users and systems,” according to the advisory. Often overlooked by organizations, these hidden Active Directory relationships are prime targets for adversarial exploitation, enabling threat actors to gain complete control over a victim’s enterprise IT network.

Once inside a victim’s Active Directory environment, threat actors specifically try to obtain domain administrator or enterprise administrator credentials to achieve sweeping “root” access to the network. This “privileged access can often be extended to cloud-based systems and services via Microsoft’s cloud-based identity and access solution, Microsoft Entra ID” noted the Five Eyes advisory. System compromise of this nature enables threat actors to “access cloud-based systems and services, however, it can also be exploited” by them to maintain and expand their access, the advisory said.

Regarding insecure legacy protocols, which many Active Directory environments continue to support, TLS Version 1.1, NTLM, LAN Manager, and SMB Version 1 present the most glaring security risks. Ideally, organizations should fully disable all of these protocols. Of these, NTLM, a 30-year-old protocol that predates the inception of Kerberos, is particularly problematic.

Microsoft first announced plans to formally kill off the NTLM protocol in October 2023. Bleeping Computer reported that NTLM has been “extensively abused in cyberattacks known as NTLM Relay attacks, where Windows domain controllers are taken over by forcing them to authenticate against malicious servers.” Despite Microsoft promoting measures like SMB signing to defend against relay attacks, attacks on NTLM authentication persist to this day.

Bleeping Computer also noted that attackers targeting NTLM-based authentication can still easily reuse stolen password hashes in "pass-the-hash" attacks; they obtain those hashes via phishing, or extract them “directly from stolen Active Directory databases or a server's memory.” In June, Microsoft announced they had “officially deprecated NTLM authentication on Windows and Windows servers, stating that developers should transition to Kerberos or Negotiation authentication to prevent problems in the future,” according to Bleeping Computer.
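As an added example (not from the ExtraHop post or the Five Eyes advisory), the following PowerShell audit checks a single Windows host for the legacy protocols discussed above: SMBv1, LAN Manager/NTLMv1, NTLM auditing, and TLS 1.1. The registry values and cmdlets are standard Windows settings; the function name and the findings format are my own.

```powershell
# Added example, not ExtraHop code: report legacy-protocol exposure on this host.
# Run from an elevated PowerShell session; it only reads settings, it changes nothing.
function Get-LegacyProtocolFindings {
    $findings = @()
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # SMBv1: server-side protocol support should be off
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is enabled (Set-SmbServerConfiguration -EnableSMB1Protocol $false)'
    }

    # LAN Manager / NTLMv1: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1
    $level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $level -or $level -lt 5) {
        $findings += "LmCompatibilityLevel is '$level'; expected 5 (NTLMv2 only, refuse LM/NTLMv1)"
    }

    # NoLMHash = 1 stops LM hashes being stored at the next password change
    $noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    if ($noLm -ne 1) { $findings += 'NoLMHash is not set; LM hashes may still be stored' }

    # NTLM as a whole: audit inbound NTLM before blocking it, so that what still depends
    # on it shows up as events 8001-8004 in Microsoft-Windows-NTLM/Operational
    $msv = Join-Path $lsa 'MSV1_0'
    $audit = (Get-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
    if ($audit -ne 2) {
        $findings += 'Inbound NTLM auditing is off (AuditReceivingNTLMTraffic=2 logs all inbound NTLM)'
    }

    # TLS 1.1 server side: Enabled=0 and DisabledByDefault=1 under SCHANNEL
    $tls = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'
    $tlsKey = Get-ItemProperty -Path $tls -ErrorAction SilentlyContinue
    if ($null -eq $tlsKey -or $tlsKey.Enabled -ne 0 -or $tlsKey.DisabledByDefault -ne 1) {
        $findings += 'TLS 1.1 server protocol is not explicitly disabled in SCHANNEL'
    }
    return $findings
}

$result = Get-LegacyProtocolFindings
if ($result.Count -eq 0) { 'No legacy protocol findings on this host' } else { $result }
```

Review the NTLM operational log for a few weeks before raising RestrictReceivingNTLMTraffic, since legacy applications and non-Windows clients that still authenticate with NTLM will otherwise break silently.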

Regarding the inadequacy of prevailing security tools for detecting malicious activity in Active Directory environments, this issue is mostly due to the fact that the scale and complexity of these networking environments are overwhelming. Consider that the typical enterprise Active Directory ecosystem consists of thousands of users, computers, and groups (collectively referred to as “objects”), along with a labyrinthine sprawl of crisscrossing access policies.

For example, each of these Active Directory objects has its own unique permissions. As such, the relationships between various objects and their entangled permissions can make it extremely difficult for most tools to track potential security issues and visualize these intricate attack paths. Security visibility in these environments is further challenged by the continuously evolving nature of enterprise Active Directory arrangements, with logons, group policy changes, and permissions perpetually updating.

Consequently, real-time observability is highly limited for most Active Directory monitoring solutions, including Microsoft’s Advanced Threat Analytics (ATA) and Azure AD Identity Protection. Prevailing Active Directory monitoring tools also struggle to navigate environments burdened by generations of accumulated technical debt, not to mention enterprise network arrangements transformed by hybrid and multi-cloud migrations. Regarding the latter, growing cloud complexity and provider diversity often creates significant gaps in visibility across environments, especially for traditional on-premises Active Directory management tools.

17 Critical Active Directory Attacks

The Five Eyes advisory cautions about the following 17 critical Active Directory attack types:

  1. Kerberoasting
  2. Authentication Server Response (AS-REP) Roasting
  3. Password spraying
  4. MachineAccountQuota compromise
  5. Unconstrained delegation
  6. Password in Group Policy Preferences (GPP) compromise
  7. Active Directory Certificate Services (AD CS) compromise
  8. Golden Certificate
  9. DCSync
  10. Dumping ntds.dit
  11. Golden Ticket
  12. Silver Ticket
  13. Golden Security Assertion Markup Language (SAML)
  14. Microsoft Entra Connect Compromise
  15. One-way domain trust bypass
  16. Security Identifier (SID) History compromise
  17. Skeleton Key

Continued Targeting of Active Directory Will Spur NDR Adoption

Given the convergence of growing ransomware profitability and the enduring exploitability of Active Directory environments, ExtraHop predicts that more organizations will adopt network detection and response (NDR) tools this year.

With four eight-figure ransom payments recorded in 2024, threat intelligence experts like Recorded Future’s Allan Liska anticipate that the cyber extortion threat is “only likely to worsen as younger threat actors join the ransomware foray, as we’ve seen with highly skilled and financially motivated hackers like Lapsus$ and, more recently, Scattered Spider,” TechCrunch reported.

Despite over 20 successful global law enforcement actions targeting ransomware operators this year, the string of eight-figure extortion payments tracked in 2024 only emboldens threat actors and incentivizes increased cyber big game hunting (BGH), particularly among younger cybercriminals. Highlighting the sophisticated threat posed by this cybercrime youth movement, the “2024 Threat Hunting Report” from CrowdStrike noted that Scattered Spider “remains the most prominent adversary in cloud-based intrusions, conducting 29% of all associated activity observed in 2023.”

This is why the RevealX™ network detection and response (NDR) platform from ExtraHop® has become mission-critical for organizations looking to secure their Active Directory environments. RevealX captures all network telemetry data and metadata, including full packets and NetFlow, across different protocols autonomously, in real time, at the most granular level, and at cloud scale. The ability to capture and decrypt full packets expands organizations’ visibility into all high-risk access and privilege escalation attempts in Active Directory environments that would otherwise be indiscernible to endpoint detection and response (EDR), SIEM, and other security monitoring tools.

RevealX and Active Directory Security

On the most elemental level, RevealX optimizes visibility into Active Directory environments by streamlining IT asset management with comprehensive device discovery and classification. This helps defenders get a better handle on the objects that inhabit their Active Directory environments.

When analyzing network traffic, RevealX employs over one million predictive machine learning models and incorporates behavioral modeling based on more than 5,000 different attributes as it looks for anomalies in data exchange and a plethora of other metrics. This capability enables RevealX to maintain a continuously evolving baseline audit of network communication patterns and behaviors in Active Directory environments and beyond.

Most relevant to Active Directory attack surface visibility is the industry-leading protocol decryption library that is proprietary to RevealX, and which offers coverage for over 90 different network communication schemes. This real-time decryption coverage extends to critical Active Directory protocols like Kerberos, LDAP, SMBv3, MSRPC, and WSMAN/WinRM. By decrypting these protocols, RevealX gains complete visibility into that traffic at the most intrinsic packet level. Inevitably, this involves the processing of Kerberos and, to a lesser extent, deprecated NTLM authentication exchanges. Decrypting Kerberos authentication exchanges, and the protocols encrypted via Kerberos, also empowers RevealX to develop novel, higher-relevance, and higher-quality security detections via its perpetually evolving machine learning logic engine.

One key example of the differentiated utility that RevealX offers for securing Active Directory environments is its ability to detect malicious SharpHound reconnaissance conducted over encrypted LDAP traffic. RevealX is the only NDR provider on the market that has operationalized this capability.

Another detection capability exclusive to RevealX is the detection of PrintNightmare exploitation attempts staged via encrypted SMBv3 data exchange. PrintNightmare is a critical Windows Print Spooler remote code execution (RCE) vulnerability first disclosed in 2021.

Overall, RevealX provides detection coverage for at least 55 Active Directory attack typologies including post-exploitation Kerberoasting techniques favored by sophisticated BGH ransomware threat actors like BlackSuit.

Beyond Kerberoasting, RevealX Active Directory detection has a direct overlap with seven common Active Directory attack techniques cited by the Five Eyes advisory, including Golden Ticket attacks, Silver Ticket attacks, GPP compromise, DCSync attacks, dumping ntds.dit, password spraying, and AS-REP Roasting.

Via its vast Active Directory protocol coverage, detection repositories for domain controller exploitation, and AI-powered recognition of malicious lateral movement patterns, RevealX can be meaningfully applied to the other ten attack scenarios highlighted by the Five Eyes guidance as well.

As prevailing ransomware payout trends threaten to incentivize heightened BGH activity in 2025, the recent Five Eyes advisory is an alarming reminder for security practitioners about the persisting unknown risks lurking in their Active Directory environments. Fortunately, RevealX can help defenders gain full visibility over their opaque Active Directory resources and all attack paths camouflaged in their sprawling object relationships and permission schemes. In the end, RevealX empowers organizations to detect malicious Active Directory activity in its earliest stages, arming defenders with a fighting chance to intervene in ransomware attacks before they cause significant damage.
