Active Directory remains the backbone of enterprise identity management for the vast majority of organisations we assess across the UK and USA. After twelve years of auditing AD environments, the persistence of certain attack primitives is both unsurprising and alarming. Kerberoasting, AS-REP roasting, and pass-the-hash are not relics — they are constants. What has changed dramatically is the hybrid layer: Azure AD Connect, Entra ID, and the PRT ecosystem have opened attack surfaces that did not exist three years ago.
The Classics Still Work
In our last 40 enterprise engagements, Kerberoasting yielded crackable service account hashes in 34 of them. Organisations have improved password complexity for human accounts considerably, but service accounts — used by applications, scheduled tasks, and legacy integrations — consistently lag behind. Weak passwords on accounts with SPN attributes set remains one of the highest-ROI attack paths available to any threat actor.
AS-REP roasting targets accounts where pre-authentication is disabled, a setting that still persists in environments that never cleaned up legacy compatibility flags. During a recent red team engagement in the financial sector, we obtained domain admin within four hours using this vector alone against an organisation that had passed its most recent Cyber Essentials audit the previous month.
Pass-the-hash and pass-the-ticket attacks against NTLM and Kerberos remain effective, particularly where organisations have not disabled NTLM on internal networks or enforced Protected Users security group membership for privileged accounts.
The Hybrid Shift Changes Everything
Azure AD Connect has been a consistent source of critical findings. Misconfigured sync accounts, over-privileged on-premises service accounts used by the connector, and the MSOL_ account with replication rights create a bridge between on-prem and cloud that attackers can traverse in both directions.
DCSync via Azure AD Connect is particularly dangerous. The MSOL_ account provisioned by AAD Connect holds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain. If this account's credentials are compromised, an attacker can perform a full DCSync — extracting every password hash in the domain — from any machine, without domain admin privileges.
Primary Refresh Token theft has emerged as another critical vector. PRTs are long-lived session tokens tied to a device that bypass MFA entirely. An attacker who compromises a device and extracts its PRT can impersonate the device user against any Azure AD-protected resource without triggering any additional authentication challenge. We have reproduced this in 11 of 14 hybrid engagements conducted since January 2026.
Practical DCSync via AAD Connect — What We See
In a typical attack chain, we:
- Enumerate the AAD Connect service account using BloodHound or manual LDAP queries
- Extract credentials from the AAD Connect server's encrypted configuration (requires local admin on the AAD Connect host)
- Execute DCSync remotely using mimikatz or impacket's
secretsdump.py
The entire chain takes under 90 minutes from initial foothold to domain-wide credential compromise.
Lateral Movement Patterns in 2026
Beyond the initial compromise vectors, lateral movement has also evolved. The most common patterns we observe:
- ADCS abuse — Active Directory Certificate Services misconfigurations (ESC1 through ESC13) allow privilege escalation and persistence via certificate-based authentication. Still underestimated by most blue teams.
- LAPS bypass — Local Administrator Password Solution provides per-machine rotating passwords, but read access to LAPS attributes is frequently over-granted. Any account with read rights to
ms-Mcs-AdmPwdon a target machine has local admin. - GPO abuse — Accounts with write access to Group Policy Objects can deploy malicious scripts or disable security tooling domain-wide. BloodHound surfaces these edges but many organisations don't act on them.
What Defenders Should Prioritise
- Audit all accounts with SPNs set and enforce 25+ character randomly generated passwords via a PAM solution
- Enable Entra ID Conditional Access policies with compliant device requirements to limit PRT blast radius
- Review Azure AD Connect service account privileges and apply Microsoft's tiered administration model
- Enumerate and remediate ADCS misconfigurations using
CertifyorCertipy— run them on your own environment before an attacker does - Deploy Microsoft Defender for Identity to detect Kerberoasting and lateral movement in near-real-time
- Restrict
DS-Replication-Get-Changes-Allrights to only the AAD Connect account and monitor for DCSync attempts
AD security in 2026 is a hybrid problem requiring hybrid thinking. The organisations that treat their on-premises and cloud identity planes as a single, unified attack surface are the ones building genuinely resilient architectures.
How to Detect and Mitigate Kerberoasting in Active Directory
Audit service principal names (SPNs)
Use Get-ADUser to enumerate all accounts with SPNs set. Document each account, its purpose, and password age.
Identify weak service account passwords
Run Rubeus or Impacket's GetUserSPNs.py against your own environment from a non-privileged account. Anything that cracks in under 24 hours of effort is a critical finding.
Rotate to 25+ character random passwords
Use a Privileged Access Management solution to enforce randomly generated 25+ character passwords on all SPN accounts.
Migrate to Group Managed Service Accounts (gMSA)
Where applications support it, replace traditional service accounts with gMSAs which rotate passwords automatically every 30 days.
Deploy Defender for Identity
Enable Microsoft Defender for Identity (or equivalent) and configure alerting on Kerberoasting detection rules.
References
Frequently Asked Questions
Is Kerberoasting still a viable attack in 2026?
Yes. In our last 40 enterprise engagements, Kerberoasting yielded crackable service account hashes in 34 of them. Service accounts with SPNs set and weak passwords remain one of the highest-ROI attack paths available.
What is PRT token theft and why is it dangerous?
Primary Refresh Token (PRT) theft allows an attacker who compromises a device to impersonate the device user against any Azure AD-protected resource — bypassing MFA entirely. We reproduced this in 11 of 14 hybrid engagements since January 2026.
How should organisations prioritise Active Directory hardening?
Start with enforcing 25+ character randomly generated passwords on all SPN accounts via a PAM solution, enable Conditional Access with compliant device requirements, and deploy Microsoft Defender for Identity to detect Kerberoasting in near-real-time.
What is DCSync via Azure AD Connect?
The MSOL_ account provisioned by Azure AD Connect holds DS-Replication-Get-Changes rights on the domain. If compromised, an attacker can extract every password hash in the domain via DCSync from any machine, without domain admin privileges. We see this attack chain succeed in roughly 80% of hybrid environment audits.
Does Cyber Essentials or Cyber Essentials Plus protect against these attacks?
No. Cyber Essentials covers baseline hygiene (patching, firewall, secure config) but does not assess Active Directory architecture, privileged identity, or hybrid trust relationships. We have obtained domain admin against multiple organisations who passed their Cyber Essentials Plus audit the same quarter.
How long does an Active Directory penetration test typically take?
A focused AD assessment typically runs 5–10 working days for scoping, active testing, and reporting. Hybrid environments with Azure AD Connect, ADCS, and multiple forests add days to the engagement. We provide a fixed-price quote after a one-hour scoping call.
Should we use BloodHound on our own environment?
Yes — running BloodHound or BloodHound Community Edition against your own environment is one of the highest-value defensive exercises available. It surfaces the same attack paths attackers will identify. We recommend running it quarterly and treating high-edge findings as remediation priorities.