Active Directory remains the backbone of enterprise identity management for the vast majority of organisations we assess across the UK and USA. After twelve years of auditing AD environments, the persistence of certain attack primitives is both unsurprising and alarming. Kerberoasting, AS-REP roasting, and pass-the-hash are not relics — they are constants. What has changed dramatically is the hybrid layer: Azure AD Connect, Entra ID, and the PRT ecosystem have opened attack surfaces that did not exist three years ago.

The Classics Still Work

In our last 40 enterprise engagements, Kerberoasting yielded crackable service account hashes in 34 of them. Organisations have improved password complexity for human accounts considerably, but service accounts — used by applications, scheduled tasks, and legacy integrations — consistently lag behind. Weak passwords on accounts with SPN attributes set remains one of the highest-ROI attack paths available to any threat actor.

AS-REP roasting targets accounts where pre-authentication is disabled, a setting that still persists in environments that never cleaned up legacy compatibility flags. During a recent red team engagement in the financial sector, we obtained domain admin within four hours using this vector alone against an organisation that had passed its most recent Cyber Essentials audit the previous month.

Pass-the-hash and pass-the-ticket attacks against NTLM and Kerberos remain effective, particularly where organisations have not disabled NTLM on internal networks or enforced Protected Users security group membership for privileged accounts.

The Hybrid Shift Changes Everything

Azure AD Connect has been a consistent source of critical findings. Misconfigured sync accounts, over-privileged on-premises service accounts used by the connector, and the MSOL_ account with replication rights create a bridge between on-prem and cloud that attackers can traverse in both directions.

DCSync via Azure AD Connect is particularly dangerous. The MSOL_ account provisioned by AAD Connect holds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain. If this account's credentials are compromised, an attacker can perform a full DCSync — extracting every password hash in the domain — from any machine, without domain admin privileges.

Primary Refresh Token theft has emerged as another critical vector. PRTs are long-lived session tokens tied to a device that bypass MFA entirely. An attacker who compromises a device and extracts its PRT can impersonate the device user against any Azure AD-protected resource without triggering any additional authentication challenge. We have reproduced this in 11 of 14 hybrid engagements conducted since January 2026.

Practical DCSync via AAD Connect — What We See

In a typical attack chain, we:

  1. Enumerate the AAD Connect service account using BloodHound or manual LDAP queries
  2. Extract credentials from the AAD Connect server's encrypted configuration (requires local admin on the AAD Connect host)
  3. Execute DCSync remotely using mimikatz or impacket's secretsdump.py

The entire chain takes under 90 minutes from initial foothold to domain-wide credential compromise.

Lateral Movement Patterns in 2026

Beyond the initial compromise vectors, lateral movement has also evolved. The most common patterns we observe:

  • ADCS abuse — Active Directory Certificate Services misconfigurations (ESC1 through ESC13) allow privilege escalation and persistence via certificate-based authentication. Still underestimated by most blue teams.
  • LAPS bypass — Local Administrator Password Solution provides per-machine rotating passwords, but read access to LAPS attributes is frequently over-granted. Any account with read rights to ms-Mcs-AdmPwd on a target machine has local admin.
  • GPO abuse — Accounts with write access to Group Policy Objects can deploy malicious scripts or disable security tooling domain-wide. BloodHound surfaces these edges but many organisations don't act on them.

What Defenders Should Prioritise

  • Audit all accounts with SPNs set and enforce 25+ character randomly generated passwords via a PAM solution
  • Enable Entra ID Conditional Access policies with compliant device requirements to limit PRT blast radius
  • Review Azure AD Connect service account privileges and apply Microsoft's tiered administration model
  • Enumerate and remediate ADCS misconfigurations using Certify or Certipy — run them on your own environment before an attacker does
  • Deploy Microsoft Defender for Identity to detect Kerberoasting and lateral movement in near-real-time
  • Restrict DS-Replication-Get-Changes-All rights to only the AAD Connect account and monitor for DCSync attempts

AD security in 2026 is a hybrid problem requiring hybrid thinking. The organisations that treat their on-premises and cloud identity planes as a single, unified attack surface are the ones building genuinely resilient architectures.