By Lyrie.ai Senior Cyber Researcher·5/7/2026

Breaking the Kill Chain: The 2026 Defender's Playbook for Stopping Active Directory Lateral Movement

TL;DR

Active Directory remains the single most targeted attack surface in enterprise environments. In 2025, 74% of all enterprise breaches involved compromised identities — the overwhelming majority pivoting through AD. The attacker playbook is well-understood: compromise one endpoint, dump credentials from LSASS, pass a hash or ticket, reach a domain controller, and game over. Yet organizations continue to fail at the same chokepoints. This playbook covers the full kill chain from initial compromise to domain takeover, maps every technique to a concrete defensive control, and gives defenders the detection queries and configuration directives they need to shut it down. Microsoft's April 2026 predictive shielding model, the ongoing NTLM phase-out, and the emergence of AI-driven lateral movement detection make this the right moment to revisit your AD hardening stack from first principles.


Background: Why AD Lateral Movement Keeps Working in 2026

Active Directory has been the enterprise identity backbone for over twenty-five years. That longevity is also its curse. Most organizations are running AD environments built on architectural assumptions from the early 2000s — flat domains, implicit trust between subnets, service accounts with excessive permissions, and NTLM authentication that was never truly deprecated despite decades of known weaknesses.

The Verizon 2025 DBIR reported that 74% of breaches involve compromised identities. Of those, a significant proportion follow the same script: an attacker obtains initial access through phishing or a vulnerable edge service, harvests cached credentials, and then quietly walks through the internal network using those credentials as keys. The AD environment, which was designed to grant access frictionlessly, becomes the attacker's private highway.

What's changed in 2026:

  • Microsoft's NTLM deprecation is moving from policy to enforcement. Windows Server 2025 introduced formal tooling to audit and progressively disable NTLM authentication. Organizations that still rely on NTLM for file shares, legacy applications, or third-party integrations are now operating on borrowed time.
  • Predictive shielding has emerged as a viable containment layer. Microsoft's April 2026 case study documented a real incident where Defender for Identity's behavioral modeling detected a domain compromise in-flight, automatically applied containment to compromised identities, and broke the lateral movement chain before a domain controller was reached.
  • Ransomware groups have operationalized AD attack playbooks. Affiliates such as Scattered Spider, BlackByte and Akira ship tooling that automates Kerberoasting, DCSync and ACL abuse, so the path from a foothold to Domain Admins no longer depends on deep AD expertise and often completes in minutes.

Technical Analysis: The AD Lateral Movement Kill Chain

Phase 1: Initial Access and Foothold

Attackers enter through phishing, exploitation of internet-facing services (VPN appliances, Exchange, OWA), or supply chain compromise. Once they have a shell on a domain-joined endpoint, the real work begins.

Attacker objective: Identify the domain, enumerate AD objects, and locate a path to domain admin.

Tools observed in the wild: BloodHound/SharpHound (automated path discovery), PowerView, ldapsearch, the Impacket suite.

Phase 2: Credential Harvesting

Pass-the-Hash (PtH): NTLM is a challenge-response protocol keyed by the NT hash of the password, so whoever holds the hash holds the credential. The attacker reads NT hashes from LSASS memory (Mimikatz sekurlsa::logonpasswords, or ProcDump against lsass.exe followed by offline parsing) and uses them directly to authenticate to remote services. No password cracking required.

Pass-the-Ticket (PtT): Kerberos tickets (TGT and TGS) cached in memory are extracted and replayed. If an attacker can obtain a TGT for a privileged account, they can impersonate that user until the ticket expires (typically 10 hours for a TGT). This attack bypasses NTLM entirely and works even in environments that have disabled NTLM.

LSASS Dump Path:

1. Attacker gains local admin on workstation
2. Task Manager / ProcDump / comsvcs.dll MiniDump → lsass.dmp
3. Offline analysis with Mimikatz sekurlsa::minidump
4. Extracts: NT hashes, Kerberos tickets and keys, DPAPI master keys, and cleartext passwords only where WDigest caching is enabled (UseLogonCredential = 1; off by default since Windows 8.1 / Server 2012 R2)

Phase 3: Privilege Escalation via Kerberos Abuse

Kerberoasting: Any authenticated domain user can request a service ticket (TGS) for any account that has an SPN (Service Principal Name) registered. The ticket's encrypted part is protected with a key derived from the service account's password; for RC4-HMAC that key is the NT hash itself, which is why attackers ask for RC4 tickets wherever the account still permits them. They target high-value SPNs (SQL servers, Exchange, custom applications) and crack the tickets offline. Service accounts with human-chosen passwords that have never been rotated fall in minutes; only a long random secret, ideally a gMSA with AES-only Kerberos, makes the ticket worthless to crack.

AS-REP Roasting: Accounts with "Do not require Kerberos preauthentication" enabled return their AS-REP response encrypted with their password hash — no authentication required to start the crack. Frequently found on legacy service accounts and migration artifacts.

Golden Ticket: Once the KRBTGT account's NTLM hash is compromised (typically via DCSync), an attacker can forge arbitrary Kerberos tickets for any user, with any group membership, valid for any time period. This is the AD equivalent of game over. Recovery requires resetting KRBTGT twice (with a gap between resets) and auditing every session that may have been established with forged tickets.

Silver Ticket: Similar but scoped: the attacker forges a service ticket for one service using that service account's key and never contacts the KDC. Harder to detect because the domain controller logs no 4769 for it; only the target host records the resulting 4624, so detection has to come from the endpoint.

DCSync: With the right AD permissions (specifically Replicating Directory Changes and Replicating Directory Changes All), an attacker can impersonate a domain controller and request password hashes for any or all accounts using the DRSUAPI protocol. This is how ransomware groups exfiltrate the entire credential database without touching a DC's disk.

Phase 4: ACL Abuse and Persistence

Modern attackers rarely need to brute-force their way to Domain Admin. BloodHound analysis frequently reveals "misconfiguration highways" — chains of ACL permissions that allow privilege escalation without triggering obvious alarms:

  • GenericAll / WriteDacl / WriteOwner on a privileged group: take ownership or rewrite the DACL, then add the attacker's account as a member (WriteProperty on the member attribute alone is enough to add members)
  • GenericWrite on a user object: write an SPN onto the account to make it Kerberoastable on demand, or point its logon script at attacker-controlled content
  • ForceChangePassword: reset a privileged user's password without knowing the current one
  • AllExtendedRights: on a user object this includes ForceChangePassword; on the domain head it includes the two replication rights that enable DCSync
  • Write access to AdminSDHolder: SDProp copies its DACL onto every protected account and group every 60 minutes, so one ACE there becomes a persistent backdoor on all of them

These ACL misconfigurations typically originate from lazy delegation during initial AD deployment, legacy system migrations, or "emergency access" grants that were never revoked.
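The following is an added example, not code from the original article: it enumerates ACEs on the Tier 0 objects named above (the domain head, AdminSDHolder, Domain Admins, Administrators, krbtgt) that grant an abusable right to any principal outside an expected administrative set. It needs the RSAT ActiveDirectory module, which provides the AD: drive. The $Expected allowlist and the set of objects checked are this example's assumptions and should be extended for your forest.

```powershell
# Added example (not from the article): find abusable ACEs and unexpected owners on Tier 0 objects.
# Assumes the RSAT ActiveDirectory module; $Expected and $targets are assumptions to adapt.
Import-Module ActiveDirectory

# Well-known schema GUIDs: the "member" attribute and the User-Force-Change-Password extended right
$MemberAttribute     = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$ForceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-AbusableRight {
    # Returns a label for an Allow ACE that can be used for privilege escalation, or $null.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $null }
    $rights = $Ace.ActiveDirectoryRights
    $ADR    = [System.DirectoryServices.ActiveDirectoryRights]
    if ($rights.HasFlag($ADR::GenericAll))   { return 'GenericAll' }
    if ($rights.HasFlag($ADR::WriteDacl))    { return 'WriteDacl' }
    if ($rights.HasFlag($ADR::WriteOwner))   { return 'WriteOwner' }
    if ($rights.HasFlag($ADR::GenericWrite)) { return 'GenericWrite' }
    if ($rights.HasFlag($ADR::WriteProperty)) {
        if ($Ace.ObjectType -eq [guid]::Empty)    { return 'WriteProperty(all attributes)' }
        if ($Ace.ObjectType -eq $MemberAttribute) { return 'AddMember' }
    }
    if ($rights.HasFlag($ADR::ExtendedRight)) {
        if ($Ace.ObjectType -eq [guid]::Empty)        { return 'AllExtendedRights' }
        if ($Ace.ObjectType -eq $ForceChangePassword) { return 'ForceChangePassword' }
    }
    return $null
}

function Find-AbusableAces {
    param([string[]]$ObjectDNs, [string[]]$Expected)
    foreach ($dn in $ObjectDNs) {
        $acl = Get-Acl -Path "AD:\$dn"
        if ($Expected -notcontains $acl.Owner) {      # ownership alone allows a DACL rewrite
            [pscustomobject]@{ Object = $dn; Principal = $acl.Owner; Right = 'Owner'; Inherited = $false }
        }
        foreach ($ace in $acl.Access) {
            $label = Get-AbusableRight $ace
            if ($label -and $Expected -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{ Object = $dn; Principal = $ace.IdentityReference.Value; Right = $label; Inherited = $ace.IsInherited }
            }
        }
    }
}

$domain   = Get-ADDomain
$nb       = $domain.NetBIOSName
$forestNb = (Get-ADDomain -Identity (Get-ADForest).RootDomain).NetBIOSName
$Expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', "$nb\Domain Admins",
              "$nb\Domain Controllers", "$forestNb\Enterprise Admins")
$targets = @(
    $domain.DistinguishedName,                                   # domain head: replication rights, AllExtendedRights
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",   # template SDProp stamps onto protected objects hourly
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    (Get-ADGroup 'Administrators').DistinguishedName,
    (Get-ADUser  'krbtgt').DistinguishedName
)
Find-AbusableAces -ObjectDNs $targets -Expected $Expected | Format-Table -AutoSize
```

Every row in the output is either a documented delegation or an attack path; default entries such as Account Operators on groups are worth understanding rather than silently allowlisting. Re-run it after any delegation change, since the rights that matter are exactly the ones nobody remembers granting.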


The Microsoft Predictive Shielding Case Study (April 2026)

Microsoft's Security Blog documented an April 2026 incident that demonstrates what modern detection can achieve when it is properly deployed. A threat actor gained initial access through a phishing campaign, established persistence on a domain-joined workstation, and began enumerating AD via LDAP queries consistent with BloodHound reconnaissance.

Microsoft Defender for Identity detected:

1. Anomalous LDAP query volume from a non-admin workstation

2. Kerberos ticket requests for multiple SPNs within a 4-minute window (Kerberoasting signature)

3. A lateral movement event to a second workstation using a harvested credential

Rather than simply alerting, Defender for Identity's predictive shielding applied automatic identity containment — blocking the compromised accounts from authenticating beyond their current position, restricting new session establishment, and isolating the affected hosts' inbound Kerberos traffic. The attack was stopped before any domain controller was approached.

This represents a meaningful shift: from "detect and alert" to "detect and contain." The key enabler is behavioral baselining across the entire AD environment — knowing what normal Kerberos traffic, LDAP query patterns, and lateral movement paths look like for each identity and host, then acting automatically when that baseline is violated.


IOCs and Detection Signatures

Event Log Indicators

| Event ID | Source | Significance |
|----------|--------|--------------|
| 4624 / Logon Type 3 | Security | Network logon; check for anomalous source hosts and for NTLM where Kerberos is expected |
| 4625 | Security | Failed logon; high volume indicates password spray or brute force |
| 4648 | Security | Logon with explicit credentials; together with 4624 Logon Type 9 (NewCredentials, logon process seclogo) on the source host it is the overpass-the-hash / runas /netonly pattern |
| 4768 / 4769 | Security | Kerberos TGT / service ticket requests; 4769 bursts for many service accounts with RC4 (0x17) are Kerberoasting, and 4768 with Pre-Authentication Type 0 marks an account without preauth (an AS-REP roasting target) |
| 4771 | Security | Kerberos pre-auth failure; bursts with result 0x18 across many accounts are Kerberos password spraying |
| 4776 | Security | NTLM credential validation on the DC; should trend to zero as NTLM is restricted |
| 5136 | Security (DS Access: Directory Service Changes) | AD object modified; watch ACL and membership changes on Tier 0 objects |
| 4662 | Security (DS Access: Directory Service Access) | Operation on an AD object; Access Mask 0x100 with the DS-Replication-Get-Changes GUIDs is DCSync |

Splunk Detection Queries

Kerberoasting Detection (one requester, many distinct service accounts, RC4 tickets):

index=windows EventCode=4769 Ticket_Encryption_Type=0x17 Failure_Code=0x0 Service_Name!="krbtgt" Service_Name!="*$"
| bin _time span=10m
| stats dc(Service_Name) AS distinct_services values(Service_Name) AS services BY _time, src_ip, Account_Name
| where distinct_services > 5
| search NOT [| inputlookup service_accounts_whitelist.csv | fields Account_Name]

Pass-the-Hash / overpass-the-hash, source-host view (sekurlsa::pth and runas /netonly create a NewCredentials logon):

index=windows EventCode=4624 Logon_Type=9 Logon_Process=seclogo Authentication_Package=Negotiate
| table _time, host, Account_Name, Process_Name

Pass-the-Hash, target-host view (NTLM network logon with the commonly cited PtH field pattern; baseline before alerting):

index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Key_Length=0 Account_Name!="ANONYMOUS LOGON" Account_Name!="*$"
| stats count dc(host) AS target_hosts values(host) AS targets BY src_ip, Account_Name
| where target_hosts > 3

DCSync Detection (replication extended rights requested by anything other than a DC or a known replication consumer):

index=windows EventCode=4662 Access_Mask=0x100 (Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR Properties="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*")
| search NOT [| inputlookup replication_accounts_allowlist.csv | fields Account_Name]
| table _time, host, Account_Name, Properties
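The Kerberoasting and DCSync logic of the searches above, written as PowerShell that runs straight against a domain controller's Security log when no SIEM is in reach. This is an added example, not the article's or Microsoft's code. Field names are those of the 4769 and 4662 EventData schema; the thresholds, the allowlist of expected replication principals and the sample events at the bottom are constructed for this example.

```powershell
# Added example (not from the article): Kerberoasting and DCSync detection over Security events.
# Thresholds, the $expected allowlist and the sample events are assumptions made for this example.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into one object whose properties are the EventData fields.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $fields = @{ Id = $Record.Id; Time = $Record.TimeCreated }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

function Find-Kerberoasting {
    # One requester pulling RC4 (0x17) service tickets for many distinct service accounts in a short window.
    param([object[]]$Events, [int]$MinDistinctServices = 5, [int]$WindowMinutes = 10)
    $tickets = $Events | Where-Object {
        $_.Id -eq 4769 -and $_.Status -eq '0x0' -and $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -ne 'krbtgt' -and $_.ServiceName -notlike '*$'    # skip TGTs and computer accounts
    }
    foreach ($group in ($tickets | Group-Object TargetUserName, IpAddress)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $start.AddMinutes($WindowMinutes) })
            $services = @($inWindow.ServiceName | Sort-Object -Unique)
            if ($services.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Rule = 'Kerberoasting'; Account = $sorted[$i].TargetUserName; Source = $sorted[$i].IpAddress
                    DistinctServices = $services.Count; WindowStart = $start
                }
                break   # one alert per requester/source pair
            }
        }
    }
}

function Find-DCSync {
    # 4662 with a replication extended right (Access Mask 0x100 = Control Access) from a principal that is
    # not a domain controller or a known replication consumer (for example the Entra Connect AD DS account).
    param([object[]]$Events, [string[]]$ExpectedPrincipals)
    $replRights = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    $Events | Where-Object {
        $_.Id -eq 4662 -and $_.AccessMask -eq '0x100' -and
        ($_.Properties -like "*$($replRights[0])*" -or $_.Properties -like "*$($replRights[1])*") -and
        $ExpectedPrincipals -notcontains $_.SubjectUserName
    } | ForEach-Object {
        [pscustomobject]@{ Rule = 'DCSync'; Account = "$($_.SubjectDomainName)\$($_.SubjectUserName)"; Time = $_.Time; Properties = $_.Properties }
    }
}

# Constructed sample events (a live run replaces these with Get-WinEvent output, see the last lines).
$t0 = [datetime]'2026-05-07T09:00:00'
$sample = [System.Collections.Generic.List[object]]::new()
$serviceAccounts = 'svc_sql01', 'svc_web', 'svc_sql02', 'svc_app', 'svc_backup', 'svc_intranet'
for ($i = 0; $i -lt $serviceAccounts.Count; $i++) {                 # jdoe: six RC4 tickets in 100 seconds
    $sample.Add([pscustomobject]@{ Id = 4769; Time = $t0.AddSeconds(20 * $i); TargetUserName = 'jdoe@CORP.EXAMPLE'
        IpAddress = '::ffff:10.1.2.3'; ServiceName = $serviceAccounts[$i]; TicketEncryptionType = '0x17'; Status = '0x0' })
}
$sample.Add([pscustomobject]@{ Id = 4769; Time = $t0; TargetUserName = 'svc_monitor@CORP.EXAMPLE'; IpAddress = '::ffff:10.1.5.9'
    ServiceName = 'svc_sql01'; TicketEncryptionType = '0x12'; Status = '0x0' })              # AES ticket: normal
$sample.Add([pscustomobject]@{ Id = 4662; Time = $t0.AddMinutes(5); SubjectUserName = 'DC02$'; SubjectDomainName = 'CORP'
    AccessMask = '0x100'; Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' })         # DC replicating: expected
$sample.Add([pscustomobject]@{ Id = 4662; Time = $t0.AddMinutes(6); SubjectUserName = 'jdoe'; SubjectDomainName = 'CORP'
    AccessMask = '0x100'; Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' })         # user pulling Get-Changes-All: alert

$expected = 'DC01$', 'DC02$', 'MSOL_a1b2c3d4e5f6'   # DC computer accounts and the Entra Connect account (assumed names)
Find-Kerberoasting -Events $sample.ToArray()
Find-DCSync -Events $sample.ToArray() -ExpectedPrincipals $expected

# On a domain controller the same functions run over live events:
# $live = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769, 4662; StartTime = (Get-Date).AddHours(-1) } | ConvertFrom-SecurityEvent)
# Find-Kerberoasting -Events $live; Find-DCSync -Events $live -ExpectedPrincipals $expected
```

With the sample data the first function reports jdoe from 10.1.2.3 with six distinct services and the second reports CORP\jdoe; the DC's own replication and the AES ticket produce nothing. Note what the allowlist hides: a compromised DC or connector account can DCSync unseen, so those principals belong under separate monitoring rather than in a longer allowlist.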

Network-Level IOCs

  • LDAP enumeration: >500 LDAP queries per minute from a non-server asset
  • LSASS access: Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe and GrantedAccess values such as 0x1010 or 0x1FFFFF from anything other than known security tooling; a MiniDump through comsvcs.dll shows as rundll32.exe with "MiniDump" on the command line (Sysmon Event ID 1)
  • Impacket secretsdump / Mimikatz DCSync: an MS-DRSR (DRSUAPI, interface UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2) RPC bind from a non-DC source, reached through the endpoint mapper (TCP 135) and a dynamic high port
  • BloodHound collection: LDAP queries for (objectClass=groupPolicyContainer), (sAMAccountType=805306368) in rapid succession

Lyrie Take

The core problem with AD security in 2026 is that most enterprises are defending a 2005-era architecture with 2020-era tools and hoping that's enough. It isn't.

Every major ransomware engagement we've analyzed follows the same structural pattern: the attackers don't find a zero-day — they find an NTLM hash on a workstation that hasn't been patched since 2022, a service account with a five-year-old password and DCSync rights granted for a project that no longer exists, and a BloodHound-visible path from that service account to Domain Admins that took our red team twelve minutes to traverse.

The predictive shielding model Microsoft demonstrated is promising, but it requires feeding accurate behavioral baselines — which means you must first enumerate your AD environment completely, understand what "normal" looks like for every identity, and have Defender for Identity deployed on every domain controller. Many organizations have none of that.

The NTLM deprecation arc is critically important and badly misunderstood. Disabling NTLM is not a configuration change — it is an infrastructure project. You must audit every application, service, and integration that uses NTLM (often embedded in file share automations, legacy apps, and monitoring tools), migrate each to Kerberos or certificate-based authentication, and enforce sequentially. Organizations that try to flip the switch wholesale will break production. Those that never start will remain vulnerable to pass-the-hash indefinitely.

Lyrie's autonomous scanning engine maps these AD attack paths continuously — not as a point-in-time BloodHound snapshot, but as a live graph that updates as permissions change, service accounts are created, and trust relationships are modified. The moment a new Kerberoastable service account appears or an ACL mutation creates a new path to Domain Admins, the graph flags it. Defenders should be closing these paths faster than attackers can walk them.


Defender Playbook: 14 Controls That Break the AD Kill Chain

Tier 0: Eliminate Credential Exposure

1. Deploy and enforce Windows Credential Guard

Credential Guard runs the secret-holding part of LSASS (LsaIso) inside a virtualization-based security enclave, so an attacker with SYSTEM on the box cannot read NT hashes or Kerberos keys out of lsass.exe memory; sekurlsa::logonpasswords returns nothing useful. Requirements: a 64-bit CPU with virtualization extensions and UEFI with Secure Boot; a TPM 2.0 is recommended to protect the keys but not required. Windows 11 22H2 and later Enterprise and Education devices that meet the requirements turn it on by default. Enable it via GPO: Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security, with Credential Guard Configuration set to Enabled with UEFI lock so it cannot be switched off remotely. Caveats: it protects stored secrets, not their entry (keyloggers, token theft from a live session and credentials typed into a phishing page are out of scope), and it is not supported on domain controllers.

2. Enable Protected Users Security Group

Add human privileged accounts (members of Domain Admins, Enterprise Admins, Schema Admins, Administrators) to the Protected Users group. Members cannot authenticate with NTLM or with DES/RC4 Kerberos, cannot be delegated (constrained or unconstrained), get a 4-hour non-renewable TGT, and are never cached for offline logon, so a dumped workstation yields no reusable secret for them. Do not add service or computer accounts (Microsoft explicitly advises against it; use gMSAs and AES-only Kerberos for those), and expect anything that still speaks NTLM to break. Requires Windows Server 2012 R2 or later domain controllers; test one account before bulk-adding.

3. Enforce NTLM Restriction Progressively

  • Phase 1: Audit. On domain controllers set Network security: Restrict NTLM: Audit NTLM authentication in this domain to Enable all; on member servers and clients set Audit incoming NTLM traffic to Enable auditing for all accounts and Outgoing NTLM traffic to remote servers to Audit all. Mine the Microsoft-Windows-NTLM/Operational log (events 8001 to 8004) for every application still on NTLM.
  • Phase 2: Deny at the domain controllers. Set NTLM authentication in this domain to Deny all, using Add server exceptions in this domain for the servers still being migrated; on member servers set Incoming NTLM traffic to Deny all accounts.
  • Phase 3: Deny at the clients once every exception is closed: set Outgoing NTLM traffic to remote servers to Deny all and empty Add remote server exceptions for NTLM authentication as the last legacy targets move to Kerberos or certificate-based authentication.

4. Deploy LAPS (Local Administrator Password Solution)

Every domain-joined machine should have a unique, automatically rotated local administrator password, stored in AD (or Entra ID) by Windows LAPS, which has shipped in supported Windows 10/11 and Server 2019+ builds since the April 2023 updates and replaces the legacy LAPS MSI. Without it, one dumped local admin hash opens every machine that shares the image's password, the classic "spray the hash" pattern. Pair it with password expiry and the post-authentication reset action so a password that has been used does not stay valid.
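The following is an added example, not code from the original article: a read-only posture check for the four Tier 0 controls above, run on a domain-joined host. The WMI class and the registry value names are Microsoft's documented ones; the pass criteria are this example's assumptions and should follow your own baseline. The Protected Users check queries the domain and needs the RSAT ActiveDirectory module; it is skipped with a finding when the module is absent.

```powershell
# Added example (not from the article): Tier 0 posture check for Credential Guard, LSA/WDigest,
# NTLM restriction and LAPS on this host, plus Protected Users coverage of Domain Admins.
# Pass/fail criteria are this example's assumptions.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Tier0Posture {
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Control, $Pass, $Detail) $findings.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail }) }

    # 1. Credential Guard: Win32_DeviceGuard lists 1 (Credential Guard) in SecurityServicesRunning when it is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    & $add 'Credential Guard running' ($dg -and $dg.SecurityServicesRunning -contains 1) "VBS status=$($dg.VirtualizationBasedSecurityStatus) (2 = running); running services=$($dg.SecurityServicesRunning -join ',')"
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ppl = Get-RegValue $lsa RunAsPPL
    & $add 'LSA protection (RunAsPPL)' ($ppl -in 1, 2) "RunAsPPL=$ppl (1 = enabled, 2 = enabled with UEFI lock)"
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' UseLogonCredential
    & $add 'WDigest cleartext caching off' (-not $wd) "UseLogonCredential=$wd (absent or 0 = off)"

    # 2. NTLM restriction on this host: NTLMv2 only, plus the "Restrict NTLM" policy values under MSV1_0.
    $lm = Get-RegValue $lsa LmCompatibilityLevel
    & $add 'NTLMv2 only (LmCompatibilityLevel 5)' ($lm -eq 5) "LmCompatibilityLevel=$lm"
    $msv = "$lsa\MSV1_0"
    $auditIn = Get-RegValue $msv AuditReceivingNTLMTraffic
    $denyIn  = Get-RegValue $msv RestrictReceivingNTLMTraffic
    & $add 'Incoming NTLM audited or denied' (($auditIn -ge 1) -or ($denyIn -ge 1)) "AuditReceivingNTLMTraffic=$auditIn (2 = all accounts); RestrictReceivingNTLMTraffic=$denyIn (1 = deny domain accounts, 2 = deny all)"

    # 3. LAPS: Windows LAPS policy (BackupDirectory 1 = Entra ID, 2 = AD) or legacy LAPS (AdmPwdEnabled).
    $lapsDir = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' BackupDirectory
    $legacy  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' AdmPwdEnabled
    & $add 'LAPS policy applied' (($lapsDir -in 1, 2) -or ($legacy -eq 1)) "Windows LAPS BackupDirectory=$lapsDir; legacy AdmPwdEnabled=$legacy"

    # 4. Protected Users: every human member of Domain Admins should also be in Protected Users.
    #    Only user objects are checked, since service and computer accounts must not be added.
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $protected = @(Get-ADGroupMember 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName)
        $missing = @(Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected })
        & $add 'Domain Admins in Protected Users' ($missing.Count -eq 0) ('Not protected: ' + (($missing | ForEach-Object SamAccountName) -join ', '))
    } catch { & $add 'Domain Admins in Protected Users' $false "Check skipped: $($_.Exception.Message)" }
    return $findings
}

Test-Tier0Posture | Format-Table -AutoSize
```

Run it under a scheduled task and ship the table to your SIEM: a host that passed last week and fails today has either been re-imaged without the baseline or tampered with, and both are worth a ticket.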

Tier 1: Restrict Privilege Scope

5. Implement the AD Tiering Model

  • Tier 0: Domain Controllers, Entra Connect (formerly Azure AD Connect) servers, PKI/AD CS, AD FS, privileged identity management tools. Tier 0 admin accounts NEVER log into Tier 1 or Tier 2 systems.
  • Tier 1: Servers (application, database, file, print). Tier 1 admin accounts are distinct from Tier 0.
  • Tier 2: Workstations and user endpoints. User accounts live here.
  • The tier boundary is enforced by GPO logon restrictions (Deny log on locally / Deny log on through Remote Desktop Services) and PAW (Privileged Access Workstation) policy.

6. Privileged Access Workstations (PAWs)

Dedicated, hardened workstations used exclusively for Tier 0 and Tier 1 administration. No email. No web browsing. No user applications. PAWs eliminate the attacker's most common path: compromising an admin's workstation and extracting privileged session tokens.

7. Audit and Remediate Kerberoastable SPNs

Run quarterly, with the ActiveDirectory module loaded: Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet | Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-180) }. Flag any SPN account with a password older than 180 days or with RC4 still enabled in msDS-SupportedEncryptionTypes. Move service accounts to Group Managed Service Accounts (gMSA): the password is a 240-byte random value, rotated by AD every 30 days by default, retrievable only by the computers listed in PrincipalsAllowedToRetrieveManagedPassword, and never known to a human.
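A fuller version of that audit, added here as an example and not taken from the article: it lists every enabled user account with an SPN (gMSAs are a different object class and are not returned by Get-ADUser, which is the point), with its password age, whether RC4 tickets can still be issued for it, and whether it is privileged. It needs the RSAT ActiveDirectory module; the 180-day threshold is the article's, the risk labels and the account names in the remediation comments are this example's assumptions.

```powershell
# Added example (not from the article): Kerberoast exposure audit with RC4 and privilege context.
# Risk labels and the names in the remediation comments are assumptions made for this example.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 180)
    $AES  = 0x8 -bor 0x10      # msDS-SupportedEncryptionTypes bits: 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256
    $rank = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }
    Get-ADUser -Filter "ServicePrincipalName -like '*' -and Enabled -eq 'True' -and SamAccountName -ne 'krbtgt'" `
               -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    ForEach-Object {
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'             # $null (attribute unset) becomes 0
        $rc4Allowed = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)    # unset = AES not advertised, so RC4 tickets are issued
        $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        $stale = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
        $privileged = ($_.AdminCount -eq 1)
        $risk = if ($privileged -and $rc4Allowed) { 'Critical' }
                elseif ($rc4Allowed -and $stale)  { 'High' }
                elseif ($rc4Allowed -or $stale)   { 'Medium' }
                else                              { 'Low' }
        [pscustomobject]@{
            Account = $_.SamAccountName; Risk = $risk; PasswordAgeDays = $ageDays
            Rc4Allowed = $rc4Allowed; AesOnly = (-not $rc4Allowed) -and (($enc -band $AES) -ne 0)
            Privileged = $privileged; SPNs = ($_.ServicePrincipalName -join ' ')
        }
    } | Sort-Object @{ Expression = { $rank[$_.Risk] } }, @{ Expression = 'PasswordAgeDays'; Descending = $true }
}

Get-KerberoastExposure | Format-Table -AutoSize

# Remediation path for a flagged account (assumed names). A gMSA needs a KDS root key in the forest first
# (Add-KdsRootKey); its password is then generated and rotated by AD and is never typed by anyone.
# New-ADServiceAccount -Name gmsa_sql01 -DNSHostName gmsa_sql01.corp.example -PrincipalsAllowedToRetrieveManagedPassword 'SQL01$'
# For what cannot move yet, at least stop issuing RC4 tickets after a password reset to a long random value:
# Set-ADUser svc_legacy -KerberosEncryptionType AES128, AES256
```

Critical rows are accounts an attacker can roast with one 4769 and then use as Domain Admin; they go first. Note that switching an account to AES only takes effect for tickets issued after its next password change, so the reset and the encryption change belong in the same maintenance window.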

8. Audit DCSync Permission Holders

By default the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain head are held by BUILTIN\Administrators, Domain Controllers and Enterprise Domain Controllers (read-only DCs get only the first), plus the Entra Connect AD DS connector account if you synchronise to Entra ID. Run, with the RSAT ActiveDirectory module loaded:

$replRights = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Get-Changes, Get-Changes-All
(Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ObjectType.ToString() -in $replRights -or ($_.ObjectType -eq [guid]::Empty -and $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')) } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited

Any other principal in that output can DCSync, and so can anyone with AllExtendedRights or GenericAll on the domain head (the second branch of the filter). Remove the ACE unless it is documented, and treat the connector account as Tier 0: it is a DCSync-capable identity by design.

Tier 2: Segment and Detect

9. Network Segmentation with AD-Aware Firewall Rules

Workstations should not be able to reach each other on SMB (TCP 445), RPC/WMI (TCP 135 plus the 49152-65535 dynamic range), WinRM (TCP 5985/5986) or RDP (TCP 3389). East-west traffic on those ports from one workstation to another is rarely legitimate and is the signature of lateral movement. Implement a Windows Firewall baseline via GPO: block those inbound ports on all workstations and permit them only from designated management subnets and PAWs, and log the drops so the first blocked attempt is itself an alert.

10. Deploy Defender for Identity on All Domain Controllers

MDI provides behavioral baselining and detections for Kerberoasting, AS-REP roasting, DCSync, pass-the-hash and pass-the-ticket, and it feeds Microsoft Sentinel and Defender XDR for cross-signal correlation. Deploy the sensor on every domain controller and also on the AD FS, AD CS and Entra Connect servers it supports; an unmonitored DC is a blind spot an attacker can simply choose to authenticate against.

11. Enable Advanced Audit Policies

Default Windows audit policy is insufficient for AD security. Enable via GPO, under Advanced Audit Policy Configuration with the "Force audit policy subcategory settings" option so it overrides legacy policy: Account Logon (Success/Failure, which covers 4768/4769/4771/4776), Account Management (Success), DS Access (Success/Failure, which covers 4662 and 5136), Logon/Logoff (Success/Failure), Privilege Use (Success), Detailed Tracking (Success). DS Access events are only generated for objects whose SACL audits the operation, so verify that the SACL on the domain head still covers the replication extended rights before relying on 4662 for DCSync detection.

12. Monitor KRBTGT Account

Alert on any password reset of the KRBTGT account (Security events 4724 and 4738 with Target Account Name krbtgt, and 5136 changes to its object) that did not come through your approved process: a scheduled rotation, at most every 180 days, done twice with a gap of at least the 10-hour maximum TGT lifetime between the resets. An unexpected reset is an incident either way: someone with Tier 0 rights is operating outside the process, and finding out who and why is the point of the alert.

Tier 3: Contain and Respond

13. Automated Identity Containment Runbook

Pre-define a containment runbook triggered when Defender for Identity (MDI), Defender for Endpoint, or Sentinel flags a suspected domain compromise, and rehearse it in dry-run mode before an incident:

1. Automatically disable suspected compromised accounts

2. Force password reset on all accounts that logged into the affected host within 24 hours

3. Isolate affected hosts from the domain (network quarantine via NAC or firewall ACL)

4. Rotate KRBTGT (twice, 10-hour gap between rotations)

5. Audit all privileged sessions from the past 72 hours against the MDI timeline
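The five steps as one PowerShell function, added here as an example and not taken from the article or any vendor runbook. It supports -WhatIf so the runbook can be rehearsed without touching the domain, needs the RSAT ActiveDirectory module and remote event-log read access on the affected hosts, and leaves host isolation as a hook because that depends on your NAC or EDR. The account and host names on the last line are placeholders.

```powershell
# Added example (not from the article): identity containment runbook with -WhatIf rehearsal.
# The isolation hook, the window sizes and the placeholder names are assumptions of this example.

function New-RandomPassword {
    # 32 random bytes, base64-encoded, as a SecureString for Set-ADAccountPassword.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-IdentityContainment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$CompromisedAccounts,
        [Parameter(Mandatory)][string[]]$AffectedHosts,
        [scriptblock]$IsolateHost = { param($h) Write-Warning "No isolation hook configured for $h (wire this to your NAC or EDR)" },
        [int]$LookbackHours = 24,
        [string]$Server = (Get-ADDomainController -Discover -Writable).HostName
    )
    $nb = (Get-ADDomain -Server $Server).NetBIOSName

    # 1. Disable the accounts known to be compromised.
    foreach ($a in $CompromisedAccounts) {
        if ($PSCmdlet.ShouldProcess($a, 'Disable account')) { Disable-ADAccount -Identity $a -Server $Server }
    }

    # 2. Every domain user that logged on to an affected host in the window (4624, logon types 2/3/7/10/11)
    #    had a credential exposed there; reset those passwords. Local and computer accounts are skipped.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $exposed = foreach ($h in $AffectedHosts) {
        Get-WinEvent -ComputerName $h -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = @{}; foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            if ($f.LogonType -in '2', '3', '7', '10', '11' -and $f.TargetDomainName -eq $nb -and $f.TargetUserName -notlike '*$') { $f.TargetUserName }
        }
    }
    foreach ($u in @($exposed | Sort-Object -Unique)) {
        if ($PSCmdlet.ShouldProcess($u, 'Reset password, require change at next logon')) {
            Set-ADAccountPassword -Identity $u -Reset -NewPassword (New-RandomPassword) -Server $Server
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true -Server $Server
        }
    }

    # 3. Quarantine the hosts through the environment-specific hook.
    foreach ($h in $AffectedHosts) {
        if ($PSCmdlet.ShouldProcess($h, 'Isolate host')) { & $IsolateHost $h }
    }

    # 4. krbtgt: reset now, and again only after the 10-hour maximum TGT lifetime has passed,
    #    so outstanding legitimate tickets expire before the old key stops being accepted.
    $krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet -Server $Server
    $hoursSince = ((Get-Date) - $krbtgt.PasswordLastSet).TotalHours
    if ($hoursSince -lt 10) {
        Write-Warning ("krbtgt was reset {0:N1} hours ago; run the second reset once the 10-hour gap has passed" -f $hoursSince)
    } elseif ($PSCmdlet.ShouldProcess('krbtgt', 'Reset password (first or second of two)')) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword) -Server $Server
    }

    # 5. Hand the responder the last 72 hours of privileged logons (4672) on this DC to reconcile with the MDI timeline.
    Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-72) } -ErrorAction SilentlyContinue |
        ForEach-Object { $x = ([xml]$_.ToXml()).Event.EventData.Data; [pscustomobject]@{ Time = $_.TimeCreated; Account = ($x | Where-Object Name -eq 'SubjectUserName').'#text' } } |
        Group-Object Account | Select-Object Name, Count, @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
}

# Rehearsal with placeholder names: nothing is changed while -WhatIf is present.
Invoke-IdentityContainment -CompromisedAccounts 'jdoe' -AffectedHosts 'WS-0042' -WhatIf
```

Two design points: the krbtgt step refuses to run twice inside the lifetime window, because a second reset inside 10 hours is what breaks production rather than what evicts the attacker, and the password resets force a change at next logon so helpdesk does not end up distributing the new values over the phone. Run the function with -WhatIf at every purple-team exercise; a runbook that has never been executed against the real domain is a document, not a control.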

14. Purple Team Your AD Quarterly

Use BloodHound Community Edition + custom attack simulations to validate that your tiering boundaries hold, your detection rules fire, and your containment runbook executes correctly. Document findings, close paths, re-test. Treat AD attack path reduction as a continuous process, not a one-time project.


Sources

1. Microsoft Security Blog — "Containing a domain compromise: How predictive shielding shut down lateral movement" (April 17, 2026) — https://www.microsoft.com/en-us/security/blog/2026/04/17/domain-compromise-predictive-shielding-shut-down-lateral-movement/

2. Qualys Threat Research — "Active Directory Attacks Demystified: Pass-the-Hash (PtH), Pass-the-Ticket (PtT), and Beyond" (March 4, 2026) — https://blog.qualys.com/product-tech/2026/02/11/qualys-etm-detect-pass-the-hash-pass-the-ticket-attacks

3. Elisity — "9 Lateral Movement Techniques Attackers Use (and How to Stop Them)" (February 28, 2026) — https://www.elisity.com/blog/lateral-movement-techniques

4. Microsoft Learn — "PAM environment tier model" — https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges

5. SentinelOne — "What is a Golden Ticket Attack?" (January 23, 2026) — https://www.sentinelone.com/cybersecurity-101/cybersecurity/golden-ticket-attack/

6. Verizon 2025 Data Breach Investigations Report — Credential compromise statistics


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.