Active Directory remains the backbone of enterprise identity management for the vast majority of organisations we assess. After twelve years of auditing AD environments, the persistence of certain attack primitives is both unsurprising and alarming. Kerberoasting, AS-REP roasting, and pass-the-hash are not relics — they are constants. What has changed dramatically is the hybrid layer: Azure AD Connect, Entra ID, and the PRT ecosystem have opened attack surfaces that did not exist three years ago.

The Classics Still Work

In our last 40 enterprise engagements, Kerberoasting yielded crackable service account hashes in 34 of them. Organisations have improved password complexity for human accounts considerably, but service accounts — used by applications, scheduled tasks, and legacy integrations — consistently lag behind. Weak passwords on accounts with SPN attributes set remain one of the highest-ROI attack paths available to any threat actor.

AS-REP roasting targets accounts where pre-authentication is disabled, a setting that still persists in environments that never cleaned up legacy compatibility flags. During a recent red team engagement in the financial sector, we obtained domain admin within four hours using this vector alone against an organisation that had passed its most recent Cyber Essentials audit the previous month.

The Hybrid Shift Changes Everything

Azure AD Connect has been a consistent source of critical findings. Misconfigured sync accounts, over-privileged on-premises service accounts used by the connector, and the MSOL_ account with replication rights create a bridge between on-prem and cloud that attackers can traverse in both directions. Primary Refresh Token theft has emerged as particularly dangerous — PRTs are long-lived session tokens that bypass MFA entirely.

An attacker who compromises a device and extracts its PRT can impersonate the device user against any Azure AD-protected resource without triggering any additional authentication challenge. We have reproduced this in 11 of 14 hybrid engagements conducted since January 2025.

What Defenders Should Prioritise

  • Audit all accounts with SPNs set and enforce 25+ character randomly generated passwords via a PAM solution
  • Enable Entra ID Conditional Access policies with compliant device requirements to limit PRT blast radius
  • Review Azure AD Connect service account privileges and apply Microsoft's tiered administration model
  • Deploy Microsoft Defender for Identity to detect Kerberoasting and lateral movement in near-real-time
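The SPN audit in the first recommendation, together with the pre-authentication check behind the AS-REP roasting finding above, as an added example that is not part of the original post. It assumes the directory export has already been converted into Python records with `pwdLastSet` as a datetime (for instance from `Get-ADUser` or an LDAP query); the sample records are constructed.

```python
# Added example, not from the original post: flag accounts that fit the two
# roasting conditions described in the article. Assumption: each record holds
# the LDAP attributes sAMAccountName, servicePrincipalName, userAccountControl
# and pwdLastSet (already converted to a datetime); the sample is constructed.
from datetime import datetime, timedelta, timezone

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: Kerberos pre-auth not required
ACCOUNTDISABLE = 0x2         # userAccountControl bit: account disabled
MAX_PASSWORD_AGE = timedelta(days=365)


def audit_roastable(records, now, max_age=MAX_PASSWORD_AGE):
    """Return (account, reason) findings for enabled accounts that are
    Kerberoastable (SPN set), have a stale password on an SPN account, or are
    AS-REP roastable (DONT_REQ_PREAUTH set). krbtgt is skipped: its SPN is
    expected and it is disabled by default."""
    findings = []
    for r in records:
        uac = r["userAccountControl"]
        name = r["sAMAccountName"]
        if uac & ACCOUNTDISABLE or name.lower() == "krbtgt":
            continue
        if r.get("servicePrincipalName"):
            findings.append((name, "kerberoastable: SPN set"))
            if now - r["pwdLastSet"] > max_age:
                findings.append((name, "stale password on SPN account"))
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "AS-REP roastable: pre-authentication disabled"))
    return findings


# Constructed sample export, not real directory data.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "userAccountControl": 0x10200, "pwdLastSet": NOW - timedelta(days=900)},
    {"sAMAccountName": "legacy_app", "servicePrincipalName": [],
     "userAccountControl": 0x410200, "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "old_svc", "servicePrincipalName": ["HTTP/old.corp.example"],
     "userAccountControl": 0x10202, "pwdLastSet": NOW - timedelta(days=2000)},
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x202, "pwdLastSet": NOW - timedelta(days=3000)},
    {"sAMAccountName": "jsmith", "servicePrincipalName": [],
     "userAccountControl": 0x10200, "pwdLastSet": NOW - timedelta(days=40)},
]

if __name__ == "__main__":
    for account, reason in audit_roastable(SAMPLE, NOW):
        print(f"{account}: {reason}")
```

Disabled accounts are skipped because neither attack can obtain a ticket for them, but they are still worth cleaning up before someone re-enables them.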

AD security in 2025 is a hybrid problem requiring hybrid thinking. The organisations that treat their on-premises and cloud identity planes as a single, unified attack surface are the ones building genuinely resilient architectures.