The AD Trenches: Lessons from a Six-Month Hardening Sprint
I recently wrapped up a half-year project restructuring a 12-year-old legacy Active Directory (AD) environment. It was, quite frankly, a buffet for lateral movement.
Like most corporate setups, it had grown wild for over a decade, leaving behind a mess of over-privileged service accounts and stale NTLM hashes. My mission was to move beyond basic antivirus. I needed a defense strategy that specifically neutralized the three big players: Pass-the-Hash, Kerberoasting, and the devastating Golden Ticket.
Navigating this mess required visibility before I could even touch a configuration file. I also needed reliable, lightweight utilities for network planning. For example, when isolating my Privileged Admin Workstations (PAWs), I used the subnet calculator at https://toolcraft.app/en/tools/developer/ip-subnet-calculator. It handles the CIDR math client-side, which fits the privacy-first workflow I demand when handling core infrastructure details.
Defining the Enemy
Defense starts with understanding the exploit. Pass-the-Hash (PtH) abuses how Windows handles NTLM; an attacker doesn’t need your password, just the hash sitting in the LSASS memory space.
Kerberoasting targets service accounts: the attacker requests a service ticket (TGS) for an account with an SPN and cracks the part of it that is encrypted with the service account's password-derived key offline, a favorite for attackers because the request itself looks like ordinary Kerberos traffic and is nearly silent. Finally, a Golden Ticket attack happens if an adversary steals the KRBTGT account hash. That's game over; they can forge tickets and grant themselves domain admin rights at will.
Installation: Mapping the Attack Surface
Visibility is everything. If you can’t see the path, you can’t block it. I chose BloodHound, an open-source tool that uses graph theory to expose hidden relationship paths. Under the hood, it runs on a Neo4j database with a React UI, fed by the SharpHound ingestor.
Spinning Up BloodHound on Linux
I run the BloodHound interface on a dedicated security workstation. Using Docker is the most reliable way to keep the database and app in sync without dependency hell:
# Pull and prepare the BloodHound environment
git clone https://github.com/BloodHoundAD/BloodHound.git
# Run compose from the directory that holds docker-compose.yml, not Collectors/
# (that folder only ships the SharpHound ingestors)
cd BloodHound
# Launch the stack using Docker Compose
docker-compose up -d
With the containers live, the dashboard sits at localhost:8080. To feed it data, I ran SharpHound.exe from a standard, non-privileged user account. This is where the audit data finally tells a story, mapping out group memberships and active sessions across the entire domain.
# Executing the collector from a standard PowerShell prompt
# (SharpHound.exe ships in the repo's Collectors/ folder; copy it to the domain-joined host first)
.\SharpHound.exe -c All --zipfilename MyDomainAudit.zip
Configuration: Closing the Windows
The first audit was a wake-up call. I discovered that a single compromised helpdesk intern’s account could leapfrog to Domain Admin in exactly three hops. I implemented a multi-layered lockdown to kill those paths.
1. Killing Pass-the-Hash with LSA Protection
The best way to stop PtH is to ensure credentials aren't cached where tools like Mimikatz can find them. I forced LSA Protection and Credential Guard via Group Policy. LSA Protection runs LSASS as a Protected Process Light (PPL), so ordinary processes cannot open it for memory reads even with admin rights, and Credential Guard moves the secrets themselves into a virtualization-based isolated process that the normal OS cannot reach.
Open your GPO Editor and head to:
Computer Configuration > Administrative Templates > System > Local Security Authority
Set Configure LSA to run as a PPL to Enabled.
2. Starving Kerberoasters
Kerberoasting thrives on weak passwords. I identified every account with a Service Principal Name (SPN) and initiated a forced rotation. For these, I generate 32-character strings using toolcraft.app/en/tools/security/password-generator. Since it runs entirely in the browser, no sensitive strings ever touch the wire. High entropy is the only real defense here.
# Find every user account vulnerable to Kerberoasting (any user with an SPN set)
# Computer accounts are excluded on purpose: their passwords are random and not crackable
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object Name, PasswordLastSet, ServicePrincipalName
3. Safeguarding the Keys to the Kingdom
The only way to truly neutralize a Golden Ticket is to guard the KRBTGT account. I wrote a script to rotate the KRBTGT password twice every 180 days, with the second reset run only after the first has replicated to every domain controller. The KRBTGT account keeps its previous key in the password history and still accepts tickets signed with it, so the double reset is what flushes the old key and kills any forged tickets in the wild. I also moved all Domain Admins into the Protected Users group. This simple move disables NTLM for those accounts and mandates AES encryption for Kerberos.
Monitoring: Turning on the Lights
Hardening secures the present, but monitoring guards the future. To catch what GPOs might miss, I deployed Sysmon domain-wide. It provides the granular detail that standard Windows logs ignore.
Catching Credential Access in Real Time
I use an XPath filter over the Sysmon channel (it works as an Event Viewer custom view or with Get-WinEvent -FilterXml) to watch for Event ID 10 (ProcessAccess) specifically targeting lsass.exe. This is the smoking gun for hash dumping attempts.
<!-- XPath filter over the Sysmon channel to detect LSASS tampering -->
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID=10)]] and *[EventData[Data[@Name='TargetImage']='C:\Windows\system32\lsass.exe']]
    </Select>
  </Query>
</QueryList>
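The raw filter above fires on every handle to lsass.exe, including routine ones, so here is an added example (not code from the original post) of the triage I would run on those Event ID 10 records once a SIEM hands them over: keep only opens that carry memory-read rights and come from an image outside a baseline allowlist, and rank drops in user-writable paths highest. The sample events, the allowlist entry and every path in it are constructed for illustration.

```python
# Constructed Sysmon Event ID 10 records, field names as in the Sysmon schema;
# the images, users and access masks are made up for this example.
SAMPLE_EVENT10 = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Program Files\EDR\sensor.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\intern01\Downloads\notes.exe", "User": "CORP\\intern01",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\intern01\AppData\Local\Temp\x.exe", "User": "CORP\\intern01",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "User": "CORP\\alice",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\intern01\Downloads\notes.exe", "User": "CORP\\intern01",
     "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

LSASS = r"c:\windows\system32\lsass.exe"
PROCESS_VM_READ = 0x0010  # winnt.h process right required to read another process's memory

# Assumed baseline of images that legitimately read LSASS on this estate (here a made-up
# EDR sensor path); build it from your own Sysmon data, not from a generic vendor list.
ALLOWLIST = {r"c:\program files\edr\sensor.exe"}

def reads_memory(granted_access):
    """GrantedAccess is a hex mask; only handles carrying PROCESS_VM_READ can dump credentials."""
    return (int(granted_access, 16) & PROCESS_VM_READ) != 0

def severity(event):
    """Binaries launched from user-writable locations rank above OS binaries run interactively."""
    src = event["SourceImage"].lower()
    return "high" if "\\users\\" in src or "\\temp\\" in src else "review"

def triage_lsass_access(events, allowlist=ALLOWLIST):
    """Return (severity, event) pairs for LSASS opens with memory-read rights from images
    outside the allowlist. Query-only handles such as 0x1400 are dropped as routine OS noise."""
    hits = []
    for event in events:
        if event["TargetImage"].lower() != LSASS:
            continue
        if not reads_memory(event["GrantedAccess"]):
            continue
        if event["SourceImage"].lower() in allowlist:
            continue
        hits.append((severity(event), event))
    return hits
```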
For Kerberoasting, watch for Event ID 4769. If the failure code is 0x0 and the encryption type is 0x17 (RC4), someone is likely trying to crack your service tickets. Modern environments should be using AES (0x12), so RC4 is a massive red flag.
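As an added example that is not part of the original post, this applies the 4769 rule above to a constructed batch of events: it keeps successful (0x0) RC4 (0x17) requests, drops krbtgt and machine-account services, and alerts only when one account pulls tickets for several distinct services inside a short window, which is the pattern a bulk roast leaves and a single legacy RC4 client does not. Field names follow the Windows 4769 schema; the accounts, SPNs and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, user, svc, etype="0x17", status="0x0"):
    """Build one 4769 record with the field names the Security log uses."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": status}

# Constructed batch of 4769 events; every account and SPN here is made up.
SAMPLE_4769 = [
    ev("2024-05-01T09:00:01", "intern01@CORP.LOCAL", "svc_sql"),
    ev("2024-05-01T09:00:02", "intern01@CORP.LOCAL", "svc_web"),
    ev("2024-05-01T09:00:03", "intern01@CORP.LOCAL", "svc_backup"),
    ev("2024-05-01T09:00:04", "intern01@CORP.LOCAL", "krbtgt"),
    ev("2024-05-01T09:05:00", "alice@CORP.LOCAL", "svc_sql", etype="0x12"),
    ev("2024-05-01T09:06:00", "WS01$@CORP.LOCAL", "FS01$"),
    ev("2024-05-01T09:07:00", "bob@CORP.LOCAL", "svc_web", status="0x1b"),
    ev("2024-05-01T10:30:00", "bob@CORP.LOCAL", "svc_sql"),
]

RC4_HMAC, SUCCESS = "0x17", "0x0"

def is_roast_candidate(event):
    """Successful RC4 service-ticket request for an SPN whose key is crackable offline."""
    if event["Status"] != SUCCESS or event["TicketEncryptionType"].lower() != RC4_HMAC:
        return False
    svc = event["ServiceName"]
    # krbtgt rows are TGT traffic and machine accounts ($) have long random passwords,
    # so neither is a realistic offline-cracking target; they only add noise.
    return svc.lower() != "krbtgt" and not svc.endswith("$")

def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Map requesting user -> distinct services for users that pulled RC4 tickets for
    at least `min_services` different SPNs inside one sliding `window`."""
    per_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_roast_candidate(event):
            per_user[event["TargetUserName"]].append(
                (datetime.fromisoformat(event["TimeCreated"]), event["ServiceName"]))
    alerts = {}
    for user, requests in per_user.items():
        for i, (start, _) in enumerate(requests):
            seen = {svc for ts, svc in requests[i:] if ts - start <= window}
            if len(seen) >= min_services:
                alerts[user] = sorted(seen)
                break
    return alerts
```

Tune `window` and `min_services` against your own baseline; a single legacy application that still negotiates RC4 will show up under `min_services=1` and should be fixed, not silenced.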
When triaging these logs, I often need to verify if a hash matches a known-bad sample. I keep the hash generator at https://toolcraft.app/en/tools/developer/hash-generator open to quickly check checksums. It’s faster than spinning up a CLI utility on a production server.
The Bottom Line
Six months later, our BloodHound graphs are clean. Those easy “short paths” to Domain Admin are gone. Active Directory security isn’t a “set and forget” task; it’s about shrinking the attack surface until lateral movement becomes too noisy to survive. If your KRBTGT password is more than six months old, you know what your first task for tomorrow is.