Attack Paths

How Attackers Become Domain Admin

Understand the common attack chains from initial access to domain compromise: privilege escalation, lateral movement, and credential theft.

14 min read
Updated January 19, 2025


Understanding how attackers actually move through an environment is what lets you stop them before it turns into a full domain compromise.

Initial Access

Most attacks don’t start with anything fancy. It’s usually one of the following:

  • Phishing emails with a malicious link or attachment
  • Exposed services like VPN, RDP, or web apps
  • Reused or leaked credentials
  • Third-party or supply chain access

From there, the goal becomes taking a regular user and turning their access into Domain Admin.

Common Attack Paths

1. Credential Theft and Reuse

This is still the most reliable path to domain compromise, and we see it constantly.

Attackers look for ways to pull credentials or crack them offline, then reuse them across the environment. That can look like:

  • Kerberoasting service accounts with weak passwords
  • AS-REP roasting accounts without preauth
  • Password spraying across large user sets
  • Dumping LSASS to grab credentials from memory
  • Reusing local admin or service account passwords across systems

If any of those credentials have elevated rights, escalation is usually quick.

Remediation: Use strong, unique passwords (especially for service accounts). Enforce MFA where possible. Deploy LAPS or equivalent. Lock down high-value accounts with Protected Users and remove unnecessary privilege.
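The following PowerShell script is an added example, not code from the original post: it inventories the account conditions this section describes (Kerberoastable accounts with old passwords or RC4 allowed, AS-REP roastable accounts, and privileged accounts left out of Protected Users). It assumes a domain-joined host with the RSAT ActiveDirectory module and a user with ordinary directory read access; the group name 'Protected Users' and the userAccountControl bit values are the standard ones.

```powershell
# Added example, not from the original post: inventory the account conditions this
# section describes with the RSAT ActiveDirectory module. Assumes a domain-joined host
# and a user with ordinary read access to the directory; no admin rights are needed.
Import-Module ActiveDirectory

$enabledOnly = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'   # bit 0x2 = ACCOUNTDISABLE

# Kerberoastable: enabled users with an SPN. Old passwords and RC4 make offline cracking
# cheap. A null/0 msDS-SupportedEncryptionTypes means DC defaults, which usually include RC4.
$kerberoastable = Get-ADUser -LDAPFilter "(&(servicePrincipalName=*)$enabledOnly)" `
    -Properties servicePrincipalName, PasswordLastSet, msDS-SupportedEncryptionTypes, adminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName,
        @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { [int](New-TimeSpan -Start $_.PasswordLastSet).TotalDays } else { -1 } } },
        @{ n = 'AllowsRC4';       e = { $enc = $_.'msDS-SupportedEncryptionTypes'; (-not $enc) -or (($enc -band 0x4) -ne 0) } },
        @{ n = 'Privileged';      e = { $_.adminCount -eq 1 } },
        @{ n = 'SPNs';            e = { $_.servicePrincipalName -join ';' } }

# AS-REP roastable: enabled users with "Do not require Kerberos preauthentication" set
# (userAccountControl bit 0x400000 = 4194304).
$asrepRoastable = Get-ADUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)$enabledOnly)" |
    Select-Object SamAccountName, DistinguishedName

# Accounts marked privileged by AdminSDHolder (adminCount=1) that are not in Protected Users.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty distinguishedName)
$unprotectedAdmins = Get-ADUser -LDAPFilter "(&(adminCount=1)$enabledOnly)" |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and $protected -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName

'=== Kerberoastable accounts (privileged and old passwords first) ==='
$kerberoastable | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize
'=== AS-REP roastable accounts (re-enable pre-authentication) ==='
$asrepRoastable | Format-Table -AutoSize
'=== adminCount=1 accounts outside Protected Users ==='
$unprotectedAdmins | Format-Table -AutoSize
```

Treat every row as a remediation ticket: rotate the Kerberoastable service account passwords to long random values (or move them to group Managed Service Accounts), set AES-only encryption types, re-enable pre-authentication on the AS-REP list, and add the remaining human admin accounts to Protected Users after confirming they do not depend on NTLM or RC4.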


2. Network Traffic Response Spoofing & NTLM Relaying

If attackers can sit on the network, they don’t always need passwords. They can trick systems into authenticating to them and relay that authentication elsewhere.

Common paths include:

  • LLMNR/NBT-NS spoofing to capture hashes
  • NTLM relay to SMB, LDAP, or AD CS endpoints
  • Relaying authentication to gain code execution or modify directory objects

This turns normal network behavior into an escalation path.

Remediation: Disable LLMNR/NBT-NS. Enforce SMB and LDAP signing, along with LDAP Channel Binding. Restrict NTLM where possible. Segment the network to limit where authentication can be relayed.
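As an added example (not part of the original post), the script below compares a host's relay-relevant settings against the hardened values this section recommends. It reads the documented Windows policy registry locations; the NTDS values apply only on domain controllers, and the NTLM restriction value is the outbound client-side one, so adjust the target list for your tiering. Run it elevated on the host you want to check.

```powershell
# Added example, not from the original post: compare this host's relay-relevant settings
# against the hardened values the section recommends. Run elevated; the NTDS (LDAP)
# checks are only meaningful on a domain controller.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$checks = @(
    @{ Name = 'LLMNR disabled';              Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                 Value = 'EnableMulticast';           Want = 0 }
    @{ Name = 'SMB server signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature';  Want = 1 }
    @{ Name = 'SMB client signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature';  Want = 1 }
    @{ Name = 'LDAP signing required (DC)';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Value = 'LDAPServerIntegrity';       Want = 2 }
    @{ Name = 'LDAP channel binding (DC)';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Value = 'LdapEnforceChannelBinding'; Want = 2 }
    @{ Name = 'Outgoing NTLM denied';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                    Value = 'RestrictSendingNTLMTraffic'; Want = 2 }  # 1 = audit only, a sensible first step
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check  = $c.Name
        Actual = if ($null -eq $actual) { 'not set (OS default)' } else { $actual }
        Wanted = $c.Want
        Status = if ($actual -eq $c.Want) { 'OK' } else { 'FIX' }
    }
}
$results | Format-Table -AutoSize

# NBT-NS is configured per adapter: TcpipNetbiosOptions 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description,
        @{ n = 'NetBIOS'; e = { switch ($_.TcpipNetbiosOptions) { 0 { 'DHCP default' } 1 { 'Enabled' } 2 { 'Disabled' } } } } |
    Format-Table -AutoSize
```

"Not set" rows are not automatically safe: the OS default differs by role and version (domain controllers require SMB signing by default, member servers do not), so confirm the effective value through Group Policy and set it explicitly rather than relying on the default.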


3. ACL Abuse

Misconfigured permissions in Active Directory are one of the most overlooked issues, and one of the most powerful.

If an attacker can write to the right object, they don’t need an exploit. They can:

  • Reset passwords on privileged accounts
  • Add themselves to high-privilege groups
  • Modify delegation settings
  • Grant themselves rights that lead to further escalation

This is often how low-privileged users turn into domain admins without needing any type of exploit.

Remediation: Audit ACLs regularly. Remove inherited or overly broad permissions. Follow least privilege and keep control of who can modify users, groups, and key AD objects.
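The script below is an added example, not from the original post, showing one way to run the ACL audit this section calls for. It walks the ACEs on a small set of high-value objects (the domain head, AdminSDHolder, Domain Admins), skips principals expected to hold control, and reports any remaining grant of a right that allows object takeover. It assumes the RSAT ActiveDirectory module, which provides the `AD:` drive, and directory read access; the list of expected principals and target objects is a starting point you should extend for your own Tier-0 set.

```powershell
# Added example, not from the original post: list ACEs on high-value AD objects that grant
# takeover rights to principals outside the expected set. Requires the RSAT ActiveDirectory
# module (it provides the AD: drive) and directory read access.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# Objects whose ACLs matter most. Extend with your Tier-0 users, groups, OUs and GPOs.
# Enterprise/Schema Admins live in the forest root; add them there.
$targets = @(
    $dn,                                   # domain head: replication (DCSync) rights are granted here
    "CN=AdminSDHolder,CN=System,$dn",      # template ACL copied onto every protected account
    (Get-ADGroup 'Domain Admins').DistinguishedName
)

# Principals that legitimately hold control; everything else becomes a finding to review.
$nb       = $domain.NetBIOSName
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins",
            "$nb\Enterprise Admins", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'

# Rights that let the holder take over the object or its subtree.
$dangerous = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'
# Extended rights worth flagging, by well-known controlAccessRight GUID.
$extRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$allGuid = '00000000-0000-0000-0000-000000000000'

$findings = foreach ($t in $targets) {
    $acl = Get-Acl -Path "AD:\$t"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit    = @($rights | Where-Object { $dangerous -contains $_ })
        if ($hit.Count -eq 0) { continue }
        $guid = $ace.ObjectType.ToString()
        # ExtendedRight scoped to a GUID we do not track (e.g. Send-As) is noise for this review.
        if ($hit -contains 'ExtendedRight' -and $hit.Count -eq 1 -and -not $extRights.ContainsKey($guid)) { continue }
        [pscustomobject]@{
            Object    = $t
            Principal = $ace.IdentityReference.Value
            Rights    = $hit -join ','
            Scope     = if ($extRights.ContainsKey($guid)) { $extRights[$guid] } elseif ($guid -ne $allGuid) { "attribute/class $guid" } else { 'whole object' }
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

A `WriteProperty` row scoped to a single attribute is often benign (for example a self-service or provisioning product writing one field), while `GenericAll`, `WriteDacl`, `WriteOwner`, or replication rights held by anything other than the expected set should be removed. Re-run the script on a schedule so new grants show up as a diff rather than as a surprise.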


4. Group Membership & Excessive Privileges

Over time, environments accumulate privilege, including extra group memberships, legacy roles, and “temporary” access that never gets removed.

Attackers take advantage of that by:

  • Identifying nested group memberships that lead to privilege
  • Abusing over-privileged service accounts
  • Leveraging accounts with rights on many systems
  • Chaining smaller privileges into full domain control

Remediation: Regularly review group membership and effective permissions. Remove standing privilege where possible and move toward just-in-time or role-based access.
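To make the membership review concrete, here is an added example (not from the original post) that expands the built-in privileged groups recursively, records the nesting path through which each member gets its rights, and enriches user members with the signals that usually identify stale or "temporary" access. It assumes the RSAT ActiveDirectory module and directory read access; the 90-day and 365-day thresholds are assumptions to tune for your environment.

```powershell
# Added example, not from the original post: expand privileged groups recursively, record
# the nesting path behind each member, and flag stale accounts. Assumes the RSAT
# ActiveDirectory module and directory read access.
Import-Module ActiveDirectory

# Groups that confer Tier-0 or near-Tier-0 control; extend with your own custom admin groups.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators', 'DnsAdmins'

function Expand-GroupPath {
    param([string]$GroupDn, [string]$Path, [hashtable]$Seen)
    if ($Seen.ContainsKey($GroupDn)) { return }      # guard against circular nesting
    $Seen[$GroupDn] = $true
    # Foreign security principals from other domains can make this call fail; treat as empty.
    $members = try { Get-ADGroupMember -Identity $GroupDn -ErrorAction Stop } catch { @() }
    foreach ($m in $members) {
        if ($m.objectClass -eq 'group') {
            Expand-GroupPath -GroupDn $m.distinguishedName -Path "$Path -> $($m.name)" -Seen $Seen
        } else {
            [pscustomobject]@{ Member = $m.SamAccountName; Type = $m.objectClass; Dn = $m.distinguishedName; Via = $Path }
        }
    }
}

$paths = foreach ($g in $privilegedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'"
    if (-not $grp) { continue }        # Enterprise/Schema Admins exist only in the forest root domain
    Expand-GroupPath -GroupDn $grp.DistinguishedName -Path $g -Seen @{}
}

# Enrich user members with the attributes that matter during a review.
$report = foreach ($p in $paths) {
    $u = if ($p.Type -eq 'user') { Get-ADUser -Identity $p.Dn -Properties PasswordLastSet, LastLogonDate -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        Member          = $p.Member
        Type            = $p.Type
        Via             = $p.Via
        Nested          = $p.Via -like '* -> *'
        Enabled         = if ($u) { $u.Enabled } else { $null }
        PasswordAgeDays = if ($u -and $u.PasswordLastSet) { [int](New-TimeSpan -Start $u.PasswordLastSet).TotalDays } else { $null }
        LastLogonDate   = if ($u) { $u.LastLogonDate } else { $null }
    }
}

'=== Privileged members reached through nested groups (the paths people forget) ==='
$report | Where-Object Nested | Sort-Object Member | Format-Table Member, Via -AutoSize
'=== Non-user objects in privileged groups (computers, service principals, FSPs) ==='
$report | Where-Object { $_.Type -ne 'user' } | Format-Table Member, Type, Via -AutoSize
'=== Users with no logon in 90 days or a password older than 365 days ==='
$report | Where-Object { $_.Type -eq 'user' -and ((-not $_.LastLogonDate) -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) -or $_.PasswordAgeDays -gt 365) } |
    Sort-Object Member -Unique | Format-Table Member, Enabled, PasswordAgeDays, LastLogonDate -AutoSize
```

Each nested path is a candidate for removal: if the intermediate group exists only to hand out admin rights, replace it with direct, time-bound membership (PAM/just-in-time) so the effective privilege is visible in one place. Computer accounts and service principals in these groups are almost always a legacy artefact and should be moved to delegated, scoped rights instead.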


5. Active Directory Certificate Services (AD CS) Abuse

AD CS is meant to strengthen authentication, but misconfigurations can turn it into a direct path to domain compromise.

Attackers can:

  • Request certificates as other users (including admins)
  • Relay authentication to enrollment endpoints (ESC8)
  • Abuse template permissions to issue themselves valid credentials

Once a certificate is issued, it can be used to authenticate as that user without needing their password.

Remediation: Audit certificate templates and enrollment permissions. Lock down who can request and enroll certificates. Disable or secure web enrollment endpoints. Regularly review AD CS configuration for known abuse paths.
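As an added example (not from the original post), the following script performs the template audit this section recommends. It reads every certificate template from the Configuration partition and reports the combination that makes "request certificates as other users" possible: the requester supplies the subject, the template carries a logon-capable EKU (or none, which means any purpose), no manager approval or authorized signature is required, and a broad group holds enrollment rights. It also marks whether the template is published on an enterprise CA, since unpublished templates cannot be requested. It assumes the RSAT ActiveDirectory module and directory read access; the flag constants, EKU OIDs and enrollment-right GUIDs are the documented Windows values.

```powershell
# Added example, not from the original post: audit certificate templates for the
# combination that lets a low-privileged enroller obtain a logon certificate for a
# name of their choosing. Reads the Configuration partition with the RSAT
# ActiveDirectory module; directory read access is enough.
Import-Module ActiveDirectory
$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiServices = "CN=Public Key Services,CN=Services,$configNC"

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag (CA manager approval)
# EKUs usable for domain logon: Client Authentication, Smart Card Logon, PKINIT Client Auth, Any Purpose.
$logonEkus       = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'
# Control-access rights that permit enrollment: Certificate-Enrollment, Certificate-AutoEnrollment, all extended rights.
$enrollGuids     = '0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-11d2-91a1-00c04f79dc55', '00000000-0000-0000-0000-000000000000'
$broadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'

# Only templates published on an enterprise CA can actually be requested.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiServices" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Select-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiServices" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, nTSecurityDescriptor

$findings = foreach ($t in $templates) {
    $ekus = @($t.pKIExtendedKeyUsage)
    # Who can enroll: Allow ACEs granting GenericAll or an enrollment extended right to a broad principal.
    $broadEnrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights   = $ace.ActiveDirectoryRights.ToString()
        $isEnroll = ($rights -match 'GenericAll') -or
                    (($rights -match 'ExtendedRight') -and ($enrollGuids -contains $ace.ObjectType.ToString()))
        $name     = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($isEnroll -and ($broadPrincipals -contains $name)) { $ace.IdentityReference.Value }
    }
    [pscustomobject]@{
        Template        = $t.Name
        Published       = $published -contains $t.Name
        SuppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        LogonEku        = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $logonEkus -contains $_ })  # no EKU = any purpose
        ManagerApproval = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        SignaturesReq   = [int]$t.'msPKI-RA-Signature'
        BroadEnrollers  = ($broadEnrollers | Select-Object -Unique) -join ', '
    }
}

'=== Fix first: published, subject chosen by requester, logon-capable, no approval or signature, broadly enrollable ==='
$findings | Where-Object { $_.Published -and $_.SuppliesSubject -and $_.LogonEku -and -not $_.ManagerApproval -and $_.SignaturesReq -eq 0 -and $_.BroadEnrollers } |
    Format-Table Template, BroadEnrollers -AutoSize
'=== Full template inventory ==='
$findings | Sort-Object Published, Template -Descending | Format-Table -AutoSize
```

For each template in the first list, the least disruptive fix is usually to clear the "supply in request" option so the subject is built from the requester's AD object, or to require CA manager approval; removing the broad enrollment grant is the right answer for templates that only a small group should ever use. The web enrollment (ESC8) exposure is a CA-host setting rather than a template attribute, so check it separately on the CA: if the enrollment web interfaces are not needed, remove them, and otherwise require HTTPS with Extended Protection for Authentication and disable NTLM on them.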


Breaking the Chain

Stopping domain compromise isn’t about any one fix, but rather removing the paths attackers rely on.

  • Reduce initial access: patch external services, enforce MFA
  • Protect credentials: eliminate weak passwords and reuse
  • Remove escalation paths: fix ACLs, delegation, and AD CS issues
  • Control privilege: clean up group membership and excessive rights
  • Validate regularly: test the environment the same way an attacker would

Attackers don’t always need zero-days; they just need a path. Your job is to make sure there isn’t one.

Tags: attack paths, privilege escalation, domain admin

Need this validated in your environment?

Our Active Directory security assessment identifies these issues and provides prioritized remediation guidance.
