5 Active Directory Misconfigurations That Still Lead to Domain Compromise in 2026

Despite the rise of cloud identity providers and Zero Trust initiatives, Active Directory remains present in the vast majority of enterprise environments. As a result, it continues to be one of the most attractive targets for attackers seeking privilege escalation and domain dominance. In nearly every red team engagement, the path to full domain compromise runs straight through AD misconfigurations that have existed for years — undetected.

Here are the five most common ones penetration testers find today.

1. Kerberoasting — Service Accounts with Weak Passwords

Kerberoasting is one of the most well-known Active Directory attacks, and it still works in 2026. Any domain user can request a Kerberos service ticket for any account with a Service Principal Name (SPN). That ticket is encrypted with the service account’s password hash — and can be cracked offline, with no alerts triggered.

Fix: Service accounts should use strong, randomized passwords (25+ characters) or be replaced with Group Managed Service Accounts (gMSA), which rotate passwords automatically.

Detection: Monitor Event ID 4769 for unusual volumes of TGS requests, especially from a single user requesting tickets for multiple services in a short time window.
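The audit side of this fix, as an added example that is not part of the original article: it lists every user object that carries an SPN (the set a Kerberoasting request can target), and ranks each one by the properties that decide how fast the ticket cracks and how bad a crack would be. It assumes the RSAT ActiveDirectory module on a domain-joined host; the password-age threshold is an assumed value.

```powershell
# Added example, not code from the original article. Assumes the RSAT
# ActiveDirectory module; MaxPasswordAgeDays is an assumed threshold.
Import-Module ActiveDirectory

function Get-KerberoastableAccount {
    [CmdletBinding()]
    param([int]$MaxPasswordAgeDays = 365)   # assumed threshold, tune to your policy

    # Any user object with an SPN can have a service ticket requested for it.
    # gMSAs are a separate object class and are not returned by Get-ADUser, so
    # what remains is the human-managed service accounts the fix is about.
    $users = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, AdminCount, Enabled,
                    'msDS-SupportedEncryptionTypes' |
        Where-Object { $_.SamAccountName -ne 'krbtgt' }

    foreach ($u in $users) {
        # msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256.
        # Unset, or with RC4 still allowed, means the DC can hand out an RC4
        # ticket, which is the cheapest one to crack offline.
        $etypes  = [int]($u.'msDS-SupportedEncryptionTypes')
        $aesOnly = (($etypes -band 0x18) -ne 0) -and (($etypes -band 0x4) -eq 0)
        $ageDays = if ($u.PasswordLastSet) {
            [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays
        } else { $null }
        # Old password, RC4-capable, or a protected (AdminCount=1) account: High
        $high = (-not $aesOnly) -or ($ageDays -gt $MaxPasswordAgeDays) -or ($u.AdminCount -eq 1)

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            AdminCount      = $u.AdminCount
            PasswordAgeDays = $ageDays
            AESOnly         = $aesOnly
            SPNs            = ($u.ServicePrincipalName -join '; ')
            Risk            = if ($high) { 'High' } else { 'Review' }
        }
    }
}

# Highest-risk accounts first: candidates for gMSA migration or a 25+ character rotation.
Get-KerberoastableAccount |
    Sort-Object @{Expression = 'Risk'}, @{Expression = 'PasswordAgeDays'; Descending = $true} |
    Format-Table -AutoSize
```

Accounts flagged High with an old password and AdminCount set are the ones to migrate to gMSA first; the AESOnly column is worth fixing even where migration is not possible, because it removes the RC4 fallback.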

2. AS-REP Roasting — Accounts Without Pre-Authentication

When Kerberos pre-authentication is disabled on an account, any unauthenticated attacker can request an AS-REP response for that user. The response contains data encrypted with the user’s password hash — crackable offline, no credentials needed.

Fix: Audit your AD for accounts with `DONT_REQUIRE_PREAUTH` set and enable pre-authentication everywhere. There are very few legitimate reasons to disable it.

Detection: Monitor Event ID 4768 for AS-REP requests from unexpected sources or for accounts that should not be authenticating externally.
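The audit in the fix above, as an added example that is not part of the original article: it finds every account with `DONT_REQUIRE_PREAUTH` set by querying the userAccountControl bit directly with the LDAP bitwise-AND matching rule, and re-enables pre-authentication with a WhatIf dry run first. It assumes the RSAT ActiveDirectory module; the function names are my own.

```powershell
# Added example, not code from the original article. Assumes the RSAT
# ActiveDirectory module; function names are hypothetical.
Import-Module ActiveDirectory

# userAccountControl bit UF_DONT_REQUIRE_PREAUTH
$DONT_REQUIRE_PREAUTH = 0x400000

function Get-PreAuthDisabledAccount {
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule: match objects whose
    # userAccountControl has the flag set, regardless of its other bits.
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQUIRE_PREAUTH)" `
        -Properties userAccountControl, PasswordLastSet, LastLogonDate, Description |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate, Description
}

function Enable-KerberosPreAuth {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$DryRun
    )
    foreach ($name in $SamAccountName) {
        # Set-ADAccountControl flips only this flag and leaves the other UAC bits alone
        Set-ADAccountControl -Identity $name -DoesNotRequirePreAuth $false -WhatIf:$DryRun
    }
}

# 1. Report, so the few legitimate exceptions can be documented.
$exposed = Get-PreAuthDisabledAccount
$exposed | Format-Table -AutoSize

# 2. Dry run, then the real change once the list has been reviewed.
Enable-KerberosPreAuth -SamAccountName $exposed.SamAccountName -DryRun
# Enable-KerberosPreAuth -SamAccountName $exposed.SamAccountName
```

Keeping the report step separate matters because a pre-auth-disabled account is sometimes a deliberate accommodation for a legacy client; the description and last-logon columns give you what you need to decide whether that accommodation is still in use.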

3. Excessive Privileges and ACL Abuse

Active Directory permissions are inherited, accumulated, and rarely cleaned up. Over time, low-privileged users and service accounts accumulate rights they should never have — such as `GenericAll`, `WriteDACL`, or `ForceChangePassword` on sensitive accounts or groups.

These ACL misconfigurations are the gift that keeps on giving for attackers. Tools like BloodHound make it trivial to visualize attack paths through these relationships and find routes to Domain Admin that no one realized existed.

Fix: Run BloodHound CE regularly and audit ACLs on privileged objects. Apply the principle of least privilege and remove any permissions that cannot be justified.

Detection: Monitor for unexpected ACL modifications via Event ID 5136 (Directory Service Object Modified).
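A targeted ACL audit of the objects that matter most, as an added example that is not part of the original article: it walks the DACL of Domain Admins, AdminSDHolder and the domain head, and flags any Allow ACE that grants a takeover right (`GenericAll`, `WriteDacl`, `WriteOwner`, `GenericWrite`) or the User-Force-Change-Password extended right to a principal outside an expected list. It assumes the RSAT ActiveDirectory module (the `AD:` drive comes with it); the expected-principal list is an assumed starting point to extend for your forest.

```powershell
# Added example, not code from the original article. Assumes the RSAT
# ActiveDirectory module. ExpectedPrincipal is an assumed allowlist.
Import-Module ActiveDirectory

# Rights that let the holder take over the object outright
$TakeoverRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'
# Schema GUID of the User-Force-Change-Password extended right
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-RiskyAce {
    param(
        [Parameter(Mandatory)][string[]]$DistinguishedName,
        [string[]]$ExpectedPrincipal = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'Domain Admins', 'Enterprise Admins'
        )
    )
    foreach ($dn in $DistinguishedName) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            # Skip principals that are expected to hold powerful rights here
            if ($ExpectedPrincipal | Where-Object { $who -like "*$_" }) { continue }

            $rights     = $ace.ActiveDirectoryRights.ToString()
            $isTakeover = ($TakeoverRights | Where-Object { $rights -match $_ }).Count -gt 0
            $isExtended = $rights -match 'ExtendedRight'
            # ObjectType identifies which extended right; an empty GUID means all of them
            $isForcePw  = $isExtended -and ($ace.ObjectType -eq $ForceChangePasswordGuid)
            $isAllExt   = $isExtended -and ($ace.ObjectType -eq [guid]::Empty)

            if ($isTakeover -or $isForcePw -or $isAllExt) {
                [pscustomobject]@{
                    Object     = $dn
                    Principal  = $who
                    Rights     = $rights
                    ObjectType = $ace.ObjectType
                    Inherited  = $ace.IsInherited
                }
            }
        }
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @(
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    "CN=AdminSDHolder,CN=System,$domainDn",   # template stamped onto protected accounts
    $domainDn                                  # domain head: replication rights live here
)
Get-RiskyAce -DistinguishedName $targets | Format-Table -AutoSize
```

The `Inherited` column tells you where to fix the problem: a non-inherited ACE is removed on the object itself, while an inherited one has to be traced up to the OU or domain where it was granted, which is exactly the kind of accumulated permission the section describes.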

4. Unconstrained Delegation

When a computer or service account is configured for unconstrained delegation, any user who authenticates to that service hands over their Kerberos Ticket Granting Ticket (TGT). If an attacker compromises a machine with unconstrained delegation, they can capture TGTs and impersonate any user who authenticated — including Domain Admins.

Fix: Replace unconstrained delegation with constrained delegation or Resource-Based Constrained Delegation (RBCD) wherever possible.

Detection: Audit delegation settings regularly. Flag any new accounts granted unconstrained delegation and monitor for unusual TGT activity.
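The delegation audit and the two replacement configurations, as an added example that is not part of the original article: it lists computer and user accounts flagged for unconstrained delegation (domain controllers excluded, since they carry the flag legitimately), then shows how the same account is moved to constrained delegation or to RBCD. It assumes the RSAT ActiveDirectory module; the host names in the usage lines are hypothetical.

```powershell
# Added example, not code from the original article. Assumes the RSAT
# ActiveDirectory module; host names in the usage lines are hypothetical.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationAccount {
    # Domain controllers legitimately carry the flag; everything else is a finding.
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

    # TrustedForDelegation maps to userAccountControl bit 0x80000
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, OperatingSystem, LastLogonDate |
        Where-Object { $dcDns -notcontains $_.DistinguishedName } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Computer'; Name = $_.SamAccountName
                               Detail = $_.OperatingSystem; LastLogon = $_.LastLogonDate }
        }

    # Service (user) accounts with the flag receive a caller's TGT just the same
    Get-ADUser -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, ServicePrincipalName, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{ Type = 'User'; Name = $_.SamAccountName
                               Detail = ($_.ServicePrincipalName -join '; '); LastLogon = $_.LastLogonDate }
        }
}

function Convert-ToConstrainedDelegation {
    # Clear the unconstrained flag and allow delegation only to the named SPNs
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$AllowedServiceSpn
    )
    Set-ADComputer -Identity $ComputerName -TrustedForDelegation $false
    Set-ADComputer -Identity $ComputerName -Add @{ 'msDS-AllowedToDelegateTo' = $AllowedServiceSpn }
}

function Set-ResourceBasedDelegation {
    # RBCD: the back-end resource decides which front-end hosts may delegate to it
    param(
        [Parameter(Mandatory)][string]$BackendComputer,
        [Parameter(Mandatory)][string[]]$FrontendComputer
    )
    $principals = $FrontendComputer | ForEach-Object { Get-ADComputer -Identity $_ }
    Set-ADComputer -Identity $BackendComputer -PrincipalsAllowedToDelegateToAccount $principals
}

Get-UnconstrainedDelegationAccount | Format-Table -AutoSize
# Remediation, hypothetical hosts: a web tier that must reach one SQL instance
# Convert-ToConstrainedDelegation -ComputerName 'WEB01' -AllowedServiceSpn 'MSSQLSvc/sql01.corp.example:1433'
# Set-ResourceBasedDelegation -BackendComputer 'SQL01' -FrontendComputer 'WEB01'
```

Run the first function on a schedule and diff its output against the previous run; a new row is the "new account granted unconstrained delegation" condition the detection note asks you to flag.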

5. DPAPI Credential Exposure

The Windows Data Protection API (DPAPI) is used to encrypt stored credentials — browser passwords, Wi-Fi keys, RDP credentials, and more. DPAPI abuse deserves an article of its own because of the impact it can have during post-exploitation activities in Active Directory environments — master the art of DPAPI exploitation by reading this comprehensive technical guide.

In a domain environment, DPAPI master keys are backed up to the Domain Controller. With the right privileges, an attacker can decrypt credentials from any machine in the domain — silently and without triggering most security tools.

Fix: Restrict access to DPAPI backup keys and audit which accounts have DPAPI-related privileges on Domain Controllers.

Detection: Monitor for unusual access to `lsass.exe` and DPAPI-related registry keys. Correlate with lateral movement indicators.

How Defenders Can Detect These Attacks — Key Event IDs

Event ID  Description
4768      Kerberos AS-REQ (monitor for pre-auth disabled accounts) — not enabled by default
4769      Kerberos TGS-REQ (monitor for Kerberoasting patterns) — not enabled by default
5136      Directory Service Object Modified (ACL changes)
4742      Computer Account Changed (delegation changes)
4662      Operation performed on AD object (monitor for DPAPI master key access)

Run BloodHound CE on a continuous basis — not just during incident response. Treat it as a permanent visibility tool, not a one-time audit.
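A detection sweep over the event IDs in the table, as an added example that is not part of the original article. It reads the Security log on a domain controller, parses the event XML, and raises the two patterns the Kerberoasting and AS-REP sections describe (4768 with no pre-authentication, and a single account requesting tickets for many distinct services or RC4 tickets in 4769), then tallies the directory-change events (5136, 4742, 4662) for review. The time window and the service-count threshold are assumed tuning values; run it as an account that can read the Security log.

```powershell
# Added example, not code from the original article. Run on a DC with rights
# to read the Security log; Hours and ServiceThreshold are assumed tuning values.

function Get-EventData {
    # Flatten the EventData section of an event into a Name -> value hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Find-SuspiciousKerberosActivity {
    param([int]$Hours = 24, [int]$ServiceThreshold = 10)
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # account -> set of distinct service names it requested tickets for
    $tgsByAccount = @{}

    foreach ($e in $events) {
        $d = Get-EventData -Event $e
        switch ($e.Id) {
            4768 {
                # PreAuthType 0 = AS-REQ accepted without pre-authentication
                if ($d.PreAuthType -eq '0') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Finding = 'AS-REQ without pre-auth'
                                       Account = $d.TargetUserName; Source = $d.IpAddress; Detail = '' }
                }
            }
            4769 {
                $acct = $d.TargetUserName
                if (-not $tgsByAccount.ContainsKey($acct)) {
                    $tgsByAccount[$acct] = [System.Collections.Generic.HashSet[string]]::new()
                }
                [void]$tgsByAccount[$acct].Add($d.ServiceName)
                # 0x17 = RC4-HMAC: the cheapest ticket to crack offline
                if ($d.TicketEncryptionType -eq '0x17') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Finding = 'RC4 service ticket'
                                       Account = $acct; Source = $d.IpAddress; Detail = $d.ServiceName }
                }
            }
        }
    }

    # One account sweeping many services in the window is the Kerberoasting shape
    foreach ($acct in $tgsByAccount.Keys) {
        $n = $tgsByAccount[$acct].Count
        if ($n -ge $ServiceThreshold) {
            [pscustomobject]@{ Time = $null; Finding = 'Possible Kerberoasting sweep'
                               Account = $acct; Source = ''; Detail = "$n distinct services" }
        }
    }
}

function Get-DirectoryChangeSummary {
    # Volume per ID for the ACL, delegation and object-access events in the table
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136, 4742, 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

Find-SuspiciousKerberosActivity | Sort-Object Finding, Account | Format-Table -AutoSize
Get-DirectoryChangeSummary | Format-Table -AutoSize
```

The sweep detector groups by requesting account rather than by source address on purpose: a single valid domain account pulling tickets for ten or more services in a day is a strong signal on its own, and it survives an attacker rotating source hosts.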

Conclusion

Attackers don’t need zero-days to compromise an enterprise. They need a valid domain user account and a few hours with BloodHound. The misconfigurations described in this article are not theoretical — they are found in real environments, in real engagements, every single day.

The good news is that most of them are fixable. The bad news is that most organizations don’t know they have them.
