Every Indian enterprise running Microsoft Active Directory is sitting on the most valuable target an attacker can find inside a corporate network. Active Directory (AD) is the keys to the kingdom — it controls who gets access to what, across every server, workstation, and application. When an attacker owns AD, they own the business. And in 2026, threat actors know exactly how to go after it.
At PJ Networks, our 24/7 SOC teams respond to dozens of Active Directory-related incidents every year across Indian enterprises spanning banking, manufacturing, pharma, IT services, and logistics. The pattern is almost always the same: initial access via a phishing email or an exposed RDP service, lateral movement through credential theft, and finally full domain compromise — often within 48 to 72 hours of the first foothold. The attackers are methodical, patient, and increasingly automated.
This guide breaks down the most dangerous AD attack techniques in use today, the specific indicators your SOC should be hunting, and the hardening steps every Indian enterprise should implement before the next breach attempt.
Active Directory was designed in an era when corporate networks were bounded and trusted. Today, with hybrid cloud environments, remote workforces, and interconnected supply chains, the threat model has fundamentally changed — but many Indian enterprises are still running AD configurations that look the same as they did in 2015.
The numbers tell a stark story. According to Microsoft’s own security intelligence reports, over 95 percent of Fortune 500 companies use Active Directory. In India, AD penetration among mid-to-large enterprises is similarly high. Nearly every major ransomware incident in recent years — including attacks on Indian manufacturing plants, logistics companies, and financial institutions — involved Active Directory compromise as a key pivot point.
Here is why AD is so attractive to attackers:
Pass-the-Hash is one of the oldest credential theft techniques and remains devastatingly effective. When an attacker gains local administrator access to a workstation, they can extract NTLM password hashes from memory using tools like Mimikatz. These hashes can then be used to authenticate to other systems on the network without ever knowing the actual plaintext password.
The key insight: if your domain admin account has ever logged into a workstation — say, to perform maintenance — that hash may be cached in memory and harvestable by any process running with local admin rights. This is exactly why the Principle of Least Privilege is non-negotiable, and why you should never use domain admin credentials on standard workstations.
Kerberoasting exploits a fundamental feature of the Kerberos authentication protocol. Any domain user can request a service ticket (TGS) for any service principal name (SPN) registered in AD. Service tickets are encrypted using the service account’s password hash. Once the attacker has the ticket, they can take it offline and brute-force the encryption to recover the plaintext password, with no further contact with the domain.
Service accounts associated with SQL Server, IIS, backup software, and other enterprise applications frequently have SPNs registered — and they are often configured with weak passwords and excessive AD privileges. Kerberoasting generates no failed-authentication noise because requesting a service ticket is legitimate behaviour: the request is logged like every other ticket request and blends in with them. Without dedicated detection logic, most SOC teams never see it coming.
DCSync is a credential dumping technique that impersonates a Domain Controller to request password data for any account in the domain — including the highly sensitive KRBTGT account — using the Directory Replication Service (DRS) protocol. An attacker who has obtained domain replication rights (typically by compromising a domain admin or a DC, or by abusing AD delegation) can silently extract every password hash in the domain.
With the KRBTGT hash in hand, an attacker can forge Golden Tickets — Kerberos tickets that are valid for any service in the domain, with any privileges, for up to 10 years. Golden Ticket attacks survive password resets of individual accounts. The only remediation is resetting the KRBTGT account password twice, which causes temporary disruption across the domain.
Similar to Kerberoasting, AS-REP Roasting targets accounts where Kerberos pre-authentication has been disabled — a setting found more often than you would expect, particularly on service accounts and legacy application accounts. Without pre-authentication, an attacker can request an authentication ticket for any such account and crack the encrypted portion offline.
When a server is configured for unconstrained delegation, any user who authenticates to it forwards a copy of their Kerberos ticket-granting ticket (TGT) to that server. If an attacker compromises a server with unconstrained delegation enabled — say, a file server or print server — they can capture Kerberos tickets for every privileged account that connects to it, including Domain Controllers. This is a particularly dangerous misconfiguration found in a surprisingly large number of Indian enterprise networks that have never been formally audited.
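The three Kerberos weaknesses described above (user accounts carrying SPNs, accounts with pre-authentication disabled, and non-DC hosts trusted for unconstrained delegation) are all visible in attributes any domain user can read, so they belong in a periodic audit. The Python below is an added example, not PJ Networks' code; it runs the checks against a constructed sample export, and the account names are invented.

```python
# Added example (not PJ Networks' code): audit an exported list of AD
# accounts for the Kerberos weaknesses described above. The records below
# are constructed sample data; in practice they come from an LDAP query of
# userAccountControl and servicePrincipalName.

# userAccountControl bit flags, as documented by Microsoft for the attribute.
WORKSTATION_TRUST_ACCOUNT = 0x1000   # member computer account
SERVER_TRUST_ACCOUNT = 0x2000        # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000          # Kerberos pre-authentication disabled

SAMPLE_ACCOUNTS = [  # constructed sample export
    {"sam": "svc_sql", "uac": 0x10200, "spns": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sam": "svc_legacy", "uac": 0x410200, "spns": []},
    {"sam": "FILE01$", "uac": 0x81000, "spns": ["HOST/file01.corp.example"]},
    {"sam": "DC01$", "uac": 0x82000, "spns": ["HOST/dc01.corp.example"]},
    {"sam": "jdoe", "uac": 0x200, "spns": []},
]


def is_computer(uac):
    """True for workstation/member-server and domain-controller accounts."""
    return bool(uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))


def audit_accounts(accounts):
    """Return {finding: [sAMAccountNames]} for the three misconfigurations."""
    findings = {"kerberoastable": [], "asrep_roastable": [], "unconstrained_delegation": []}
    for acct in accounts:
        sam, uac, spns = acct["sam"], acct["uac"], acct["spns"]
        # Any user (non-computer) account with an SPN can be Kerberoasted.
        # Computer accounts have long random passwords and are not a practical target.
        if spns and not is_computer(uac):
            findings["kerberoastable"].append(sam)
        # Pre-authentication disabled: the AS-REP for this account is crackable offline.
        if uac & DONT_REQ_PREAUTH:
            findings["asrep_roastable"].append(sam)
        # Unconstrained delegation on anything that is not a DC is a misconfiguration;
        # DCs legitimately carry TRUSTED_FOR_DELEGATION.
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            findings["unconstrained_delegation"].append(sam)
    return findings
```

Accounts in the first list should have their SPNs moved to group managed service accounts or their passwords lengthened; the second list should have pre-authentication re-enabled; the third should be moved to constrained or resource-based delegation.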
AdminSDHolder is an often-overlooked AD object that serves as a template for Access Control Lists on privileged groups. Attackers with Domain Admin access can modify AdminSDHolder’s ACL to grant themselves or a low-privileged account elevated permissions that persist even after their access is revoked. This backdoor is subtle, survives most remediation attempts, and is rarely checked during incident response.
Based on PJ Networks incident response engagements, the typical domain compromise in an Indian enterprise follows a recognisable kill chain:
The uncomfortable truth: in most of the Indian enterprise breaches PJ Networks has responded to, the attacker had full domain admin access for 24 to 48 hours before anyone noticed. Without adequate AD telemetry and 24/7 SOC monitoring, detection simply does not happen in time.
Hardening Active Directory is not a one-time project. It is an ongoing programme. Here is where to start:
Hardening reduces attack surface, but detection is what catches the attacks that get through. Your SIEM and SOC must be ingesting and alerting on:
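As an added example (not from the original article), here is the detection logic a SOC would wire into its SIEM for two of the techniques described earlier, Kerberoasting and DCSync, written in Python and run over constructed sample Security-log events. The account names, the threshold, and the set of known DC accounts are assumptions; the event IDs, field names, encryption-type code and replication-right GUIDs are the standard Windows values.

```python
# Added example (not PJ Networks' code): two detections run here over
# constructed Security-log events. Field names follow Windows EventID 4769
# (Kerberos service ticket requested) and 4662 (operation on an AD object).
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets are 0x11/0x12

# Control-access rights the directory replication (DRS) protocol requires.
# Their GUIDs in a 4662 Properties field mean a replication request was made.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
DCSYNC_GUIDS = {GET_CHANGES, GET_CHANGES_ALL}
REPL_PROPS = "{" + GET_CHANGES + "} {" + GET_CHANGES_ALL + "}"


def tgs(user, service, etype):  # builds a constructed 4769 record
    return {"EventID": 4769, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype}


SAMPLE_EVENTS = [  # constructed sample data
    tgs("jdoe@CORP", "svc_sql", "0x17"),
    tgs("jdoe@CORP", "svc_backup", "0x17"),
    tgs("jdoe@CORP", "svc_iis", "0x17"),
    tgs("asmith@CORP", "FILE01$", "0x12"),  # ordinary AES host ticket
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": REPL_PROPS},  # real DC replicating
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": REPL_PROPS},   # user replicating: DCSync
]


def detect_kerberoasting(events, threshold=3):
    """Accounts that requested RC4 tickets for >= threshold distinct user SPNs."""
    per_user = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Computer accounts and krbtgt are not practical cracking targets; skip them.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].add(svc)
    return sorted(u for u, s in per_user.items() if len(s) >= threshold)


def detect_dcsync(events, dc_accounts):
    """Replication requests (4662) from any principal that is not a known DC."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        if any(g in props for g in DCSYNC_GUIDS) and e["SubjectUserName"] not in dc_accounts:
            hits.append(e["SubjectUserName"])
    return hits
```

Both detections depend on audit settings that are off by default on many domains: 4769 requires "Audit Kerberos Service Ticket Operations" and 4662 requires "Audit Directory Service Access" plus a SACL on the domain head, so confirm the events are actually arriving before trusting the absence of alerts.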
Active Directory hardening must be complemented with a Zero Trust architecture. The traditional “trust but verify” model — where anything inside the network perimeter is implicitly trusted — is precisely what makes AD attacks so devastating. Once an attacker gets past the perimeter, AD’s internal trust relationships do the rest of the work for them.
Zero Trust Network Access (ZTNA) principles change this calculus:
FortiGate NGFW combined with Fortinet’s ZTNA solution provides Indian enterprises with the network-level enforcement layer needed to contain the blast radius of any AD compromise. Even if an attacker achieves credential theft, micro-segmentation prevents them from reaching the high-value targets — Domain Controllers, backup servers, financial systems — that make domain compromise catastrophic.
Indian enterprises have specific regulatory obligations when Active Directory compromise leads to a data breach. Under the CERT-In Directions of 2022, organisations must report any cybersecurity incident — including unauthorised access to IT systems and data breaches — within 6 hours of detection. Under the Digital Personal Data Protection (DPDP) Act, breaches involving personal data must be reported to the Data Protection Board of India.
A full AD compromise almost certainly triggers both obligations, since AD contains personal data (employee records, email addresses, HR system credentials) and the attack typically results in access to multiple downstream systems holding customer and employee data.
Having an incident response playbook specifically for AD compromise — including clear detection-to-report timelines — is no longer optional for Indian enterprises under regulatory scrutiny.
PJ Networks’ managed security practice combines proactive AD hardening, continuous monitoring, and rapid incident response to give Indian enterprises the protection that in-house teams — stretched thin across daily operations — simply cannot sustain alone.
The threat to Active Directory is not theoretical. It is the backbone of nearly every major ransomware and data breach incident PJ Networks has responded to over the past three years. The techniques are well-documented, the tools are freely available, and the attackers are systematic.
Indian enterprises that treat AD security as a checkbox — running a single hardening exercise and moving on — will find themselves responding to a breach rather than preventing one. Sustained AD security requires continuous hardening, detection tuned to the specific attack patterns, and 24/7 monitoring by a team that knows what to look for.
If you have not audited your Active Directory environment in the last six months, the question is not whether your AD is vulnerable — it is how many attack paths an adversary could already map through it.
Speak to PJ Networks about our Active Directory Security Assessment and 24/7 Managed SOC services. We will map the attack paths in your environment and close them — before an attacker does. Contact us at pjnetworks.com/contact to schedule a consultation.