What is Active Directory and Why Attackers Target It?

9 minute read
Intermediate

Active Directory manages identity and access across Windows environments. Learn how AD works, why attackers target it, and what securing it actually requires.

What Active Directory Is and How It Works

Active Directory (AD) is Microsoft's directory service, hosted on Windows Server. It stores information about objects in the network (users, computers, groups, printers, and other resources) and provides authentication and authorization for them: clients query the directory over LDAP and authenticate with Kerberos or, for older clients and some applications, NTLM. Every Windows domain uses Active Directory as its central identity and access management system.

The core components of Active Directory are domains, organizational units (OUs), forests, and trusts. A domain is a logical grouping of objects that share one AD database and one set of account and security policies. OUs are containers inside a domain that organize objects for delegated administration and are the unit to which Group Policy is linked. A forest is a set of domains that share a common schema, configuration partition and global catalog, and it is the real security boundary: domains in the same forest trust each other automatically, and compromising any one of them generally leads to control of the whole forest. Trusts define authentication relationships between domains and forests so that users in one can be granted access to resources in another; a trust only enables authentication, and access is still decided by group membership and ACLs on the resource side.

Domain Controllers

Domain controllers are the servers that host Active Directory. Every domain logon is processed by one: when a user signs in to a workstation, the workstation sends the authentication request to a domain controller, which acts as the Kerberos key distribution center, verifies the credentials against the directory, and issues a ticket-granting ticket that the client then exchanges for service tickets to individual resources (NTLM authentication is likewise validated by a domain controller). Each writable domain controller holds a full copy of the domain database, NTDS.dit, including the password hashes of every account and the key of the krbtgt account that protects every Kerberos ticket. That makes domain controllers the most critical infrastructure in a Windows environment: compromising one lets an attacker impersonate any user, reach any system, and forge tickets that persist indefinitely.

Why Active Directory Is the Primary Target for Attackers

Active Directory is the crown jewel of every Windows environment for precisely the reason it is the crown jewel for legitimate administrators: it controls everything. An attacker who achieves Domain Admin privileges has, effectively, access to every Windows system joined to the domain, the ability to create accounts with any level of privilege, the ability to modify existing accounts and their permissions, the ability to extract every account's password hash (by copying NTDS.dit or by asking a domain controller to replicate it, the technique known as DCSync), and the means to establish persistence that survives most remediation efforts.

The Active Directory attack path is so well documented and so consistently followed that it has become the standard post-exploitation playbook: gain an initial foothold on any domain-joined system; harvest credentials from that system's memory, where the LSASS process caches the hashes, Kerberos tickets or even plaintext passwords of every account that has logged on; use those credentials to pivot to more systems; repeat the harvest-and-pivot loop until a domain admin credential turns up; then use it to reach the objective. The path is repeatable because Active Directory's design, optimized for enterprise manageability (single sign-on, delegated administration, remote management), leaves credential material exposed at every step.

Securing Active Directory

Active Directory security is a deep discipline that overlaps heavily with the broader identity security domain. The highest-impact controls are well established. A tiered administration model keeps Tier 0 accounts (domain admins and anything else that can control a domain controller) from ever logging on to workstations and ordinary member servers, where credential theft is most likely. Privileged access workstations give administrators a hardened, dedicated host for administrative tasks. Regular Active Directory assessments surface misconfigurations and the privilege that accumulates in long-lived environments. Monitoring of privileged account activity and of changes to sensitive AD objects (privileged groups, AdminSDHolder, the domain object's ACL, the krbtgt account) turns a compromise into an alert rather than a post-mortem. Finally, domain controllers themselves need physical, network and administrative protection, because anyone who can run code on one, or read a backup of one, owns the domain.
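The script below is an added example written for this page, not code from the original article or from Cloudskope. It pulls the Security-log events behind the monitoring controls just described (additions to privileged groups, Kerberoasting, DCSync) and reduces them to the few rows an analyst should look at. It is meant to run on a domain controller, or on a collector holding forwarded DC Security logs, with log-read rights. The event IDs and field names are Microsoft's; the watched-group list, the lookback window and the roasting threshold are assumptions for illustration.

```powershell
# Added example (not the article's or Cloudskope's code): triage the Security-log
# events that correspond to the AD monitoring controls described above.
# Assumptions: run where the DC Security log is readable; the group list,
# lookback window and RoastThreshold below are illustrative choices.
param([int]$Hours = 24, [int]$RoastThreshold = 5)

$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's EventData into a hashtable keyed by field name.
function Get-EventFields {
    param($Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SecurityEvents {
    param([int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

# 1. Additions to high-value groups: 4728 (global), 4756 (universal) and
#    4732 (domain local / built-in) "member added" events.
$watchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Administrators', 'Account Operators', 'Backup Operators')
$groupAdds = foreach ($e in Get-SecurityEvents -Id 4728, 4732, 4756) {
    $f = Get-EventFields $e
    if ($watchedGroups -contains $f['TargetUserName']) {
        [pscustomobject]@{ Time = $e.TimeCreated; Group = $f['TargetUserName']
                           Member = $f['MemberName']; By = $f['SubjectUserName'] }
    }
}

# 2. Kerberoasting indicator: 4769 service-ticket requests with RC4-HMAC
#    (TicketEncryptionType 0x17) for user service accounts. Domain-joined
#    Windows clients negotiate AES (0x11/0x12) by default, so one account
#    pulling RC4 tickets for many distinct SPNs in a short window is the
#    classic roasting signature. Computer accounts (name ends in $) and
#    krbtgt are skipped because those tickets are not worth cracking.
$rc4Tgs = foreach ($e in Get-SecurityEvents -Id 4769) {
    $f = Get-EventFields $e
    if ($f['TicketEncryptionType'] -eq '0x17' -and
        $f['ServiceName'] -notlike '*$' -and $f['ServiceName'] -ne 'krbtgt') {
        [pscustomobject]@{ Time = $e.TimeCreated; Requester = $f['TargetUserName']
                           Service = $f['ServiceName']; ClientIp = $f['IpAddress'] }
    }
}
$roastSuspects = $rc4Tgs | Group-Object Requester |
    Where-Object { @($_.Group.Service | Sort-Object -Unique).Count -ge $RoastThreshold } |
    Select-Object @{ n = 'Requester'; e = { $_.Name } },
                  @{ n = 'DistinctSPNs'; e = { @($_.Group.Service | Sort-Object -Unique).Count } }

# 3. DCSync indicator: 4662 carrying the replication control-access rights.
#    These are only logged if the domain object has a SACL auditing them.
#    A non-DC principal (name not ending in $) exercising them is pulling
#    password hashes over the replication protocol.
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)
$dcSync = foreach ($e in Get-SecurityEvents -Id 4662) {
    $f = Get-EventFields $e
    $props = [string]$f['Properties']
    $hit = @($replGuids | Where-Object { $props -match $_ })
    if ($hit.Count -gt 0 -and $f['SubjectUserName'] -notlike '*$') {
        [pscustomobject]@{ Time = $e.TimeCreated; Who = $f['SubjectUserName']
                           Object = $f['ObjectName']; Rights = ($hit -join ',') }
    }
}

[pscustomobject]@{
    PrivilegedGroupAdds = $groupAdds
    KerberoastSuspects  = $roastSuspects
    DCSyncSuspects      = $dcSync
}
```

The 4769 filter is the one that needs tuning in practice: legacy applications and non-Windows clients still request RC4 tickets, so a per-requester count of distinct services over a short window is a far better signal than any single event. The 4662 check returns nothing at all until the domain object's SACL audits the replication rights, which is worth verifying before relying on it.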

Certain AD configurations show up in almost every penetration test and breach investigation: user accounts with service principal names, which let any authenticated user request a service ticket and crack the account's password offline (Kerberoasting); accounts with 'Do Not Require Kerberos Preauthentication' enabled, which hand crackable material to unauthenticated requesters (AS-REP roasting); bloated membership in privileged groups, often through nesting that nobody reviews; unconstrained delegation on member servers, which caches the Kerberos tickets of everyone who authenticates to them and so lets the host impersonate those users; and tampering with the AdminSDHolder object, whose ACL the SDProp process copies to every protected account and group, so that an attacker-added ACE is silently reapplied even after administrators remove it from the individual objects.
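The checks below are an added example written for this page, not code from the original article or from Cloudskope. They enumerate each of the configurations just listed with the RSAT ActiveDirectory module, using only a domain-joined account that can read the directory, which is the point: an attacker holding any domain user can issue the equivalent LDAP queries. The protected-group list and the $report field names are assumptions made for this example.

```powershell
# Added example (not the article's or Cloudskope's code): enumerate the AD
# misconfigurations described above with the RSAT ActiveDirectory module.
# Assumptions: module installed, any authenticated domain account; the group
# list and the $report field names are choices made for this example.
Import-Module ActiveDirectory

$report = [ordered]@{}

# 1. Kerberoastable: user accounts (not computers) with a servicePrincipalName.
#    Any authenticated user can request a service ticket encrypted with the
#    account's password hash and crack it offline. Privileged accounts with old
#    passwords are listed first.
$report.Kerberoastable = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, Enabled, PasswordLastSet, AdminCount,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Sort-Object -Property @{ Expression = 'AdminCount'; Descending = $true }, PasswordLastSet

# 2. AS-REP roastable: DONT_REQ_PREAUTH (userAccountControl bit 0x400000). The
#    KDC returns data encrypted with the user's key to anyone who asks, so no
#    credential at all is needed to attack these.
$report.AsRepRoastable = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
        -Properties DoesNotRequirePreAuth, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet

# 3. Unconstrained delegation: TRUSTED_FOR_DELEGATION (bit 0x80000) on anything
#    other than a domain controller. Such a host keeps the TGT of every
#    principal that authenticates to it, so compromising the host (or coercing
#    a DC to authenticate to it) yields domain-level credentials.
$dcNames = (Get-ADDomainController -Filter *).Name
$report.UnconstrainedDelegation = @(
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
        Where-Object { $dcNames -notcontains $_.Name }
    Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation
) | Select-Object SamAccountName, ObjectClass

# 4. Membership of the AdminSDHolder-protected groups, resolved recursively so
#    nested groups and accounts buried several levels deep are visible.
#    Enterprise/Schema Admins exist only in the forest root; errors are ignored.
$protectedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                     'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')
$report.PrivilegedMembers = foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass } }
}

# 5. AdminSDHolder residue: adminCount=1 on accounts no longer in any protected
#    group. SDProp sets the flag but never clears it, so these accounts keep the
#    locked-down ACL, stop inheriting OU permissions, and are easy to overlook
#    in a least-privilege review. Administrator and krbtgt are protected
#    directly and so are excluded. The AdminSDHolder object's own ACL should be
#    reviewed separately: every ACE on it is pushed to all protected objects.
$protectedMembers = @($report.PrivilegedMembers.Member) + @('Administrator', 'krbtgt') |
    Sort-Object -Unique
$report.OrphanedAdminCount = Get-ADObject -Filter 'adminCount -eq 1' -Properties adminCount, sAMAccountName |
    Where-Object { $_.ObjectClass -eq 'user' -and $protectedMembers -notcontains $_.sAMAccountName } |
    Select-Object sAMAccountName, DistinguishedName

$report
```

Run it from an ordinary domain account first: anything it returns was visible to every authenticated user, which is the exposure an attacker with a single phished credential starts from. Each section maps to one of the findings in the paragraph above, so the output doubles as a prioritized worklist: rotate or vault the Kerberoastable service account passwords (group Managed Service Accounts remove the problem entirely), clear the preauthentication flag, move delegation to constrained or resource-based forms, prune the privileged groups, and reset the orphaned adminCount objects and re-enable inheritance on them.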

Real-World Example: The NotPetya Active Directory Propagation

NotPetya's extraordinary speed of propagation (it took down Maersk's global network in hours) came largely from its abuse of Active Directory credentials. Alongside its SMB exploit, NotPetya carried a modified build of the Mimikatz credential-extraction tool and used it to harvest passwords and hashes from the memory of each compromised system. It then used a bundled copy of PsExec and the built-in WMIC to authenticate to other hosts with those credentials and launch its destructive payload there, a route that worked even against fully patched machines. In environments where privileged credentials were used on standard workstations, an extremely common practice, NotPetya quickly obtained credentials with domain-level access and used them to reach every system those accounts could log on to. Network segmentation that kept domain credentials from being usable across zones was the control that most effectively slowed it.

95% of Fortune 1000 companies use Active Directory. Nearly every significant breach of a Windows environment involves AD compromise as either a target or a pathway. Securing AD is securing the environment.

How Cloudskope Can Help

Cloudskope's Active Directory security assessments evaluate your AD configuration for the most critical attack paths — Kerberoasting targets, delegation misconfigurations, privileged group membership, password policy adequacy, and domain controller security. Our assessments deliver a prioritized remediation roadmap calibrated to your actual threat exposure, not a generic list of AD hardening recommendations.