Active Directory & Identity Domination Attack Chain

How threat actors compromise on-prem AD, hybrid identity, and cloud Entra ID by exploiting protocol-level invariants that haven't changed since Kerberos was designed.

Last updated: 2026-04-14

The Chokepoint Convergence Principle

Every actor in the matrix below passes through the same sequence of stages. They must, because each stage is an unavoidable prerequisite for the next. Their tools, loaders, and C2 infrastructure change constantly; the underlying chokepoints do not. Detect the prerequisite and you catch every actor.

TTP Overlap Across Groups

Each entry below is a MITRE ATT&CK technique, grouped by tactic, that two or more of the tracked groups use. A subset of them is used by every tracked actor; those are the universal chokepoints.

Initial Access
  • Valid Accounts (T1078)
  • Cloud Accounts (T1078.004)
  • Trusted Relationship (T1199)
  • Phishing (T1566)

Execution
  • Command and Scripting Interpreter (T1059)

Credential Access
  • Password Guessing (T1110.001)
  • Password Spraying (T1110.003)
  • Steal Application Access Token (T1528)
  • Steal Web Session Cookie (T1539)
  • MFA Request Generation (T1621)

Lateral Movement
  • Remote Desktop Protocol (T1021.001)
  • SMB/Windows Admin Shares (T1021.002)
  • Application Access Token (T1550.001)
  • Lateral Tool Transfer (T1570)

Discovery
  • Permission Groups Discovery (T1069)
  • System Information Discovery (T1082)
  • Account Discovery (T1087)
  • Domain Trust Discovery (T1482)

Collection
  • Email Collection (T1114)

Exfiltration
  • Exfiltration Over C2 Channel (T1041)
  • Exfiltration Over Alternative Protocol (T1048)
  • Exfiltration Over Web Service (T1567)

Impact
  • Inhibit System Recovery (T1490)

Chokepoint Opportunities by Stage

Each stage below states the invariant prerequisite an attacker must satisfy at that point in the chain, followed by the top detection signals for it.

1. Initial Access

Chokepoint: a valid credential presented to an authentication endpoint (AD, Entra ID, or a federated IdP).

Detection Signals
  • Sign-in with valid credentials from an unfamiliar ASN, hosting provider, or anonymizing service
  • MFA fatigue: a burst of push prompts that are denied or time out, followed by an approval and a sign-in from a new device
  • Device code flow authentication from an unexpected IP or user agent, especially for a user who has never used it before
  • Delegated admin access from a partner tenant reaching sensitive resources
2. Credential Access

Chokepoint: a DRSUAPI replication call (DCSync), an elevated process reading LSASS memory, or a token grant from an OAuth endpoint.

Detection Signals
  • LSASS memory access from an unexpected source image (Sysmon EID 10 with TargetImage lsass.exe and a dumper-style GrantedAccess such as 0x1010 or 0x1410, after allow-listing EDR/AV)
  • Directory replication requested by an account that is not a domain controller computer account or the Entra Connect sync account (Event 4662 whose Properties carry the DS-Replication-Get-Changes-All control access right; DCSync)
  • Spike in Kerberos service ticket requests (Event 4769) for SPN-bearing service accounts with RC4 encryption (type 0x17) from a single requester (Kerberoasting)
  • OAuth token exchange from an unfamiliar device fingerprint or user agent
  • Service principal credential added outside the normal provisioning workflow
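The three on-prem signals above are mechanical enough to write down. The following is an added example (not code from this page or from any of the vendors it cites) that runs the DCSync, Kerberoasting and LSASS checks over a handful of constructed events. Field names follow the Windows Security log (4662, 4769) and Sysmon (EID 10); the DC names, the sync account name, the Defender path in the allow-list, the hosts and the events themselves are assumptions made for the demonstration.

```python
"""Stage 2 detectors (DCSync, Kerberoasting, LSASS access) over constructed sample events.

Added example; not code from the page or from any cited vendor. Field names follow
the Windows Security log (4662, 4769) and Sysmon (EID 10). The events, hostnames,
account names and allow-lists are constructed and would be replaced by the real
log feed and the real DC / EDR inventory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Control access rights that appear in the 4662 'Properties' field during replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Identities that replicate legitimately: DC machine accounts and the Entra Connect
# sync account (assumed names; build this from the real DC list and sync config).
REPLICATION_ALLOWLIST = {"DC01$", "DC02$", "MSOL_a1b2c3d4e5f6"}

# Processes expected to open LSASS (assumed EDR/AV path) and the access masks
# credential dumpers typically request (PROCESS_VM_READ combined with query rights).
LSASS_READER_ALLOWLIST = {r"C:\Program Files\Windows Defender\MsMpEng.exe"}
SUSPICIOUS_LSASS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}

RC4_HMAC = "0x17"                            # TicketEncryptionType of an RC4 service ticket
KERBEROAST_THRESHOLD = 5                     # distinct SPN accounts requested with RC4 ...
KERBEROAST_WINDOW = timedelta(minutes=10)    # ... by one requester inside this window


def detect_dcsync(events):
    """4662 carrying a replication right, requested by anything other than a DC or the sync account."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        if DS_REPLICATION_GET_CHANGES_ALL in props or DS_REPLICATION_GET_CHANGES in props:
            if e["SubjectUserName"] not in REPLICATION_ALLOWLIST:
                hits.append(e["SubjectUserName"])
    return hits


def detect_kerberoasting(events):
    """Too many distinct RC4 service tickets for one requester inside KERBEROAST_WINDOW."""
    per_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Machine accounts carry long random passwords and krbtgt is the KDC itself:
        # neither is an offline-cracking target, so they only add noise.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[(e["TargetUserName"], e["IpAddress"])].append((e["time"], svc))
    hits = []
    for (user, ip), reqs in per_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            distinct = {svc for t, svc in reqs[i:] if t - t0 <= KERBEROAST_WINDOW}
            if len(distinct) >= KERBEROAST_THRESHOLD:
                hits.append((user, ip, len(distinct)))
                break
    return hits


def detect_lsass_access(events):
    """Sysmon EID 10 on lsass.exe with a dumper-style access mask from a non-allow-listed image."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["SourceImage"] in LSASS_READER_ALLOWLIST:
            continue
        if e["GrantedAccess"].lower() in SUSPICIOUS_LSASS_ACCESS:
            hits.append((e["SourceImage"], e["GrantedAccess"]))
    return hits


T0 = datetime(2026, 4, 14, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed
    # Routine DC-to-DC replication, then a replication request from a user account.
    {"EventID": 4662, "time": T0, "SubjectUserName": "DC02$",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES_ALL + "}"},
    {"EventID": 4662, "time": T0 + timedelta(minutes=3), "SubjectUserName": "jdoe",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES_ALL + "} {" + DS_REPLICATION_GET_CHANGES + "}"},
    # Six RC4 service ticket requests from one client in under a minute (one is a machine account).
    *[{"EventID": 4769, "time": T0 + timedelta(seconds=10 * i), "TargetUserName": "jdoe@CORP.LOCAL",
       "IpAddress": "10.0.5.23", "ServiceName": svc, "TicketEncryptionType": "0x17"}
      for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_exch", "FILESRV01$"])],
    # One AES ticket request: normal traffic.
    {"EventID": 4769, "time": T0, "TargetUserName": "asmith@CORP.LOCAL", "IpAddress": "10.0.5.40",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    # Defender opens LSASS (allow-listed); an unknown binary in %TEMP% opens it with a dumper mask.
    {"EventID": 10, "time": T0, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "time": T0, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS))
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("LSASS access:", detect_lsass_access(SAMPLE_EVENTS))
```

The allow-lists are the whole tuning problem: 4662 replication events from DCs and the sync account are constant background, and the LSASS check only stays quiet if every legitimate reader (EDR, AV, backup agents) is enumerated. Note that 4662 carries no client IP, so the DCSync check keys on the requesting account rather than on a "non-DC source IP".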
3. Privilege Escalation

Chokepoint: a forged Kerberos TGT or a modified GPO, or an OAuth app consent that grants admin-level permissions.

Detection Signals
  • Service ticket requests (Event 4769) for an account that does not exist in AD, with no preceding TGT request (Event 4768) for that account, or with a ticket lifetime beyond the domain's MaxTicketAge (Golden Ticket)
  • Group Policy Object modified (Event 5136 on a groupPolicyContainer object) outside the change management window
  • OAuth application consent granted for Mail.Read, Files.ReadWrite, or Directory.ReadWrite.All, particularly tenant-wide admin consent
  • Admin role assigned to a recently created or newly compromised account
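Two of these signals are correlation problems rather than single-event matches: a Golden Ticket shows up as service ticket traffic with no TGT request behind it, and a risky consent is a scope list that needs to be checked against a policy. The block below is an added example (not code from this page or from any cited report) that does both over constructed data. The Kerberos events use the 4768/4769 field names; the consent entries are a flattened stand-in for the Entra audit log's "Consent to application" record, whose real shape nests the scopes inside modifiedProperties; the account snapshot, the app names and the timestamps are assumptions.

```python
"""Stage 3 detectors: Golden Ticket use on-prem and risky OAuth consent in Entra ID.

Added example, not code from the page or from any cited vendor. Kerberos events use
the 4768 / 4769 field names; consent entries are a flattened stand-in for the Entra
audit log 'Consent to application' record (assumed shape). Accounts, apps and
timestamps are constructed.
"""
from datetime import datetime, timedelta

# Default Kerberos policy MaxTicketAge. A legitimate 4769 must be preceded by a 4768
# for the same account inside this window; a forged TGT never produces a 4768 because
# the KDC was never asked for one.
MAX_TICKET_AGE = timedelta(hours=10)

# Snapshot of sAMAccountNames in the directory (constructed). Golden Tickets are often
# minted for accounts that do not exist, since the KDC trusts the PAC in the forged TGT.
KNOWN_ACCOUNTS = {"jdoe", "asmith", "administrator"}

# Graph permissions the page singles out; extend from your own consent policy.
HIGH_RISK_SCOPES = {"Mail.Read", "Files.ReadWrite", "Directory.ReadWrite.All"}


def detect_golden_ticket(events):
    """Flag 4769 for an unknown account, or with no 4768 for that account within MAX_TICKET_AGE.

    Assumes 4768/4769 from every DC are collected together and that TGT renewals
    (4770) are fed in too; otherwise a user whose TGT came from another DC is a
    false positive.
    """
    last_tgt = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        user = e["TargetUserName"].split("@")[0].lower()   # 4768 logs 'jdoe', 4769 logs 'jdoe@REALM'
        key = (user, e["IpAddress"])
        if e["EventID"] in (4768, 4770) and e.get("Status", "0x0") == "0x0":
            last_tgt[key] = e["time"]
        elif e["EventID"] == 4769:
            if user not in KNOWN_ACCOUNTS:
                hits.append((user, e["IpAddress"], "account does not exist in AD"))
            elif key not in last_tgt or e["time"] - last_tgt[key] > MAX_TICKET_AGE:
                hits.append((user, e["IpAddress"], "no TGT request within MaxTicketAge"))
    return hits


def detect_risky_consent(entries):
    """Flag consent grants carrying a high-risk scope, or any tenant-wide (AllPrincipals) grant."""
    hits = []
    for a in entries:
        if a["activityDisplayName"] != "Consent to application":
            continue
        risky = sorted(set(a["scope"].split()) & HIGH_RISK_SCOPES)
        if risky or a["consentType"] == "AllPrincipals":   # AllPrincipals = admin consent for everyone
            hits.append((a["appDisplayName"], a["consentType"], risky))
    return hits


T0 = datetime(2026, 4, 14, 9, 0, 0)
SAMPLE_KERBEROS = [  # constructed
    {"EventID": 4768, "time": T0, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "Status": "0x0"},
    {"EventID": 4769, "time": T0 + timedelta(hours=1), "TargetUserName": "jdoe@CORP.LOCAL",
     "IpAddress": "10.0.5.23", "ServiceName": "cifs/FILESRV01"},
    # Forged TGT presented straight to the TGS: no 4768 ever happened for this account/host.
    {"EventID": 4769, "time": T0 + timedelta(hours=2), "TargetUserName": "administrator@CORP.LOCAL",
     "IpAddress": "10.0.9.77", "ServiceName": "cifs/DC01"},
    # Forged TGT for a user that does not exist.
    {"EventID": 4769, "time": T0 + timedelta(hours=2, minutes=30), "TargetUserName": "svc_ghost@CORP.LOCAL",
     "IpAddress": "10.0.9.77", "ServiceName": "ldap/DC01"},
]
SAMPLE_CONSENT = [  # constructed
    {"activityDisplayName": "Consent to application", "appDisplayName": "Team Lunch Poll",
     "consentType": "Principal", "scope": "User.Read openid profile"},
    {"activityDisplayName": "Consent to application", "appDisplayName": "Mail Sync Helper",
     "consentType": "Principal", "scope": "Mail.Read Files.ReadWrite offline_access"},
    {"activityDisplayName": "Consent to application", "appDisplayName": "Directory Tool",
     "consentType": "AllPrincipals", "scope": "Directory.ReadWrite.All"},
]

if __name__ == "__main__":
    print("Golden Ticket:", detect_golden_ticket(SAMPLE_KERBEROS))
    print("Risky consent:", detect_risky_consent(SAMPLE_CONSENT))
```

The "no TGT within MaxTicketAge" rule is the noisy half: it is only safe when the 4768 stream is complete across all DCs and renewals are accounted for. The "account does not exist" rule is close to free, which is why it is the first Golden Ticket check most teams deploy.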
4. Lateral Movement

Chokepoint: an authenticated session established to a remote host over SMB, RDP, or WinRM, or a cross-tenant token used.

Detection Signals
  • Network logons (Event 4624, logon type 3) followed by service installation (Event 7045) on multiple hosts within a short window (PsExec-style execution)
  • Entra Connect (AD Connect) sync account authenticating to Entra ID from anywhere other than the sync server
  • Cross-tenant access from a partner account to sensitive SharePoint or OneDrive content
  • A single admin account authenticating to five or more hosts within 30 minutes
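The first and last signals above are the same data viewed two ways: per account (how many hosts did it reach, how fast) and per host (what got installed right after the logon). The following added example (not code from this page or from any cited report) implements both as a sliding window over constructed 4624 and 7045 events; the hostnames, account names, thresholds and timestamps are assumptions.

```python
"""Stage 4 detectors: admin fan-out over network logons and PsExec-style service installs.

Added example, not code from the page or from any cited report. Events use the 4624
(LogonType, TargetUserName, Computer) and 7045 (ServiceName, Computer) field names;
hosts, accounts and timestamps are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAN_OUT_WINDOW = timedelta(minutes=30)        # the page's "5+ hosts within 30 minutes"
FAN_OUT_HOSTS = 5
SERVICE_INSTALL_LAG = timedelta(minutes=2)    # 7045 this soon after a type-3 logon looks like PsExec


def _network_logons(events):
    """Type-3 logons by human accounts; machine accounts ($) log on everywhere and are noise here."""
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3 and not e["TargetUserName"].endswith("$"):
            yield e


def detect_admin_fan_out(events):
    """One account reaching FAN_OUT_HOSTS distinct hosts inside a sliding FAN_OUT_WINDOW."""
    per_account = defaultdict(list)
    for e in _network_logons(events):
        per_account[e["TargetUserName"].lower()].append((e["time"], e["Computer"]))
    hits = []
    for user, logons in per_account.items():
        logons.sort()
        window = deque()
        for t, host in logons:
            window.append((t, host))
            while t - window[0][0] > FAN_OUT_WINDOW:   # drop logons that fell out of the window
                window.popleft()
            distinct = {h for _, h in window}
            if len(distinct) >= FAN_OUT_HOSTS:
                hits.append((user, len(distinct), window[0][0], t))
                break
    return hits


def detect_remote_service_install(events):
    """7045 on a host within SERVICE_INSTALL_LAG after a type-3 logon to that host."""
    logons = defaultdict(list)
    for e in _network_logons(events):
        logons[e["Computer"]].append((e["time"], e["TargetUserName"]))
    hits = []
    for e in events:
        if e["EventID"] != 7045:
            continue
        for t, user in logons[e["Computer"]]:
            if timedelta(0) <= e["time"] - t <= SERVICE_INSTALL_LAG:
                hits.append((e["Computer"], user, e["ServiceName"]))
                break
    return hits


T0 = datetime(2026, 4, 14, 22, 0, 0)


def _logon(minutes, user, host):
    return {"EventID": 4624, "time": T0 + timedelta(minutes=minutes), "LogonType": 3,
            "TargetUserName": user, "Computer": host}


SAMPLE_EVENTS = [  # constructed
    # One admin account touches five workstations in twenty minutes (WS03 at +10 min).
    *[_logon(5 * i, "admin_ops", f"WS0{i + 1}") for i in range(5)],
    # A normal user hitting two file servers over the same period.
    _logon(2, "jdoe", "FILESRV01"), _logon(40, "jdoe", "FILESRV02"),
    # Machine account traffic that must not count.
    _logon(3, "WS01$", "DC01"),
    # PSEXESVC installed on WS03 thirty seconds after the admin logon there.
    {"EventID": 7045, "time": T0 + timedelta(minutes=10, seconds=30), "Computer": "WS03",
     "ServiceName": "PSEXESVC"},
    # A service installed on a host with no recent network logon: ignored.
    {"EventID": 7045, "time": T0 + timedelta(minutes=15), "Computer": "FILESRV02", "ServiceName": "Backup"},
]

if __name__ == "__main__":
    print("Fan-out:", detect_admin_fan_out(SAMPLE_EVENTS))
    print("Remote service install:", detect_remote_service_install(SAMPLE_EVENTS))
```

The fan-out rule needs an exception list for accounts that are supposed to touch many hosts (vulnerability scanners, backup and patching agents); the 7045 correlation does not, because a legitimate deployment tool installs a predictable service name that can be allow-listed directly.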
5. Persistence

Chokepoint: a service principal credential added, an inbox rule created, or a device registered to Entra ID.

Detection Signals
  • New OAuth application registered with broad Graph API permissions
  • New device registered to Entra ID from an unfamiliar IP shortly after a stolen token is used
  • Inbox rule created to forward or delete mail matching keywords such as invoice, payment, or wire (Exchange audit operations New-InboxRule / Set-InboxRule)
  • Service principal credential (client secret or certificate) added outside the normal workflow ("Add service principal credentials" in the Entra audit log)
  • New federated domain or trust relationship added to the tenant
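The inbox rule and service principal signals are worth a concrete check because both are recorded with enough parameters to decide automatically. The block below is an added example (not code from this page or from any cited report). The inbox rule records mirror the Exchange Online audit record shape (an Operation, the UserId, and a Parameters list of Name/Value pairs named after the New-InboxRule / Set-InboxRule cmdlet parameters); the service principal entries are a flattened stand-in for the Entra audit log's "Add service principal credentials" activity (assumed shape). The internal domain, the provisioning identity, the hiding-folder list and the records are assumptions.

```python
"""Stage 5 detectors: BEC-style inbox rules and out-of-workflow service principal credentials.

Added example, not code from the page or from any cited report. Inbox rule records
mirror the Exchange Online audit log shape (Operation, UserId, Parameters as
Name/Value pairs named after New-InboxRule / Set-InboxRule parameters); service
principal entries are a flattened stand-in for the Entra audit log 'Add service
principal credentials' activity (assumed shape). All names and records are constructed.
"""
import re

INTERNAL_DOMAINS = {"corp.example"}                                  # assumed
BEC_KEYWORDS = re.compile(r"\b(invoice|payment|wire|remittance)\b", re.IGNORECASE)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
# Folders attackers use to bury mail the victim would otherwise notice (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history", "junk email"}
# Identity that adds SP credentials as part of the sanctioned provisioning pipeline (assumed).
PROVISIONING_IDENTITIES = {"svc-app-provisioning@corp.example"}


def _params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external_addresses(value):
    addrs = [a.strip() for a in re.split(r"[;,\s]+", value) if "@" in a]
    return [a for a in addrs if a.split("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def detect_suspicious_inbox_rules(records):
    """Forwarding/redirecting outside the org, or a BEC keyword filter paired with delete/hide."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(r)
        reasons = []
        for name in sorted(FORWARD_PARAMS & p.keys()):
            ext = _external_addresses(p[name])
            if ext:
                reasons.append(f"{name} external: {', '.join(ext)}")
        keyword = any(BEC_KEYWORDS.search(p[name]) for name in KEYWORD_PARAMS & p.keys())
        folder = p.get("MoveToFolder", "").strip(":\\").lower()   # audit log writes ':\Folder'
        hides = p.get("DeleteMessage", "").lower() == "true" or folder in HIDING_FOLDERS
        if keyword and hides:
            reasons.append("BEC keyword filter with delete/hide action")
        if reasons:
            hits.append((r["UserId"], r["Operation"], reasons))
    return hits


def detect_sp_credential_adds(entries):
    """'Add service principal credentials' by anyone other than the provisioning identity."""
    hits = []
    for a in entries:
        if a["activityDisplayName"] != "Add service principal credentials":
            continue
        if a["initiatedBy"].lower() not in PROVISIONING_IDENTITIES:
            hits.append((a["initiatedBy"], a["targetServicePrincipal"]))
    return hits


SAMPLE_RULES = [  # constructed
    # Classic BEC rule: single-character name, finance keywords, silently deleted.
    {"Operation": "New-InboxRule", "UserId": "cfo@corp.example", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectContainsWords", "Value": "invoice;wire transfer"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    # Existing rule edited to forward vendor mail out of the tenant.
    {"Operation": "Set-InboxRule", "UserId": "ap-clerk@corp.example", "Parameters": [
        {"Name": "Identity", "Value": "Vendors"},
        {"Name": "ForwardAsAttachmentTo", "Value": "billing.update@evil.example"}]},
    # Benign housekeeping rule.
    {"Operation": "New-InboxRule", "UserId": "jdoe@corp.example", "Parameters": [
        {"Name": "Name", "Value": "Project mail"},
        {"Name": "SubjectContainsWords", "Value": "status report"},
        {"Name": "MoveToFolder", "Value": ":\\Projects"}]},
]
SAMPLE_SP_AUDIT = [  # constructed
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-app-provisioning@corp.example", "targetServicePrincipal": "hr-sync-app"},
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": "jdoe@corp.example", "targetServicePrincipal": "Mail Sync Helper"},
    {"activityDisplayName": "Update service principal",
     "initiatedBy": "jdoe@corp.example", "targetServicePrincipal": "Mail Sync Helper"},
]

if __name__ == "__main__":
    print("Inbox rules:", detect_suspicious_inbox_rules(SAMPLE_RULES))
    print("SP credentials:", detect_sp_credential_adds(SAMPLE_SP_AUDIT))
```

Keyword-only rules are deliberately not flagged: users genuinely file invoices into folders. The combination that matters is the filter plus an action that keeps the victim from seeing the message, or any forwarding address outside the organisation.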
6. Impact / Objectives

Chokepoint: mass file encryption via GPO deployment, or bulk email/cloud data exfiltration via the Graph API.

Detection Signals
  • GPO-deployed scheduled task or startup script linked to multiple OUs (ransomware deployment)
  • Mass email forwarding to an external address (BEC exfiltration)
  • Large download from SharePoint or OneDrive by a service principal or compromised account
  • Shadow copies deleted and boot recovery disabled before encryption (vssadmin delete shadows /all /quiet; bcdedit /set {default} recoveryenabled No)

Actor Convergence Matrix (5 actors tracked)

Different tools. Different operators. Same chokepoints. The final entry states the invariant prerequisite condition your detections must cover at each stage, regardless of which actor you're facing.

APT29 / Midnight Blizzard (espionage)
  • Initial Access: Spearphishing + partner trust abuse (StellarParticle, SolarWinds supply chain)
  • Credential Access: DCSync via DSInternals Get-ADReplAccount + Chrome cookie theft via the Cookie Editor extension
  • Privilege Escalation: Service principal hijack (Microsoft StaffHub) + ApplicationImpersonation role abuse
  • Lateral Movement: Cross-tenant delegated admin access + credential hopping (different credentials per hop)
  • Persistence: Rogue OAuth apps with Mail.Read/Files.ReadWrite + federated domain trust manipulation
  • Impact / Objectives: Long-term espionage: email collection, cloud storage exfiltration, source code theft

Storm-0501 (active)
  • Initial Access: Exploited public-facing apps + IAB-purchased access + weak credentials
  • Credential Access: Credential dumping with Impacket secretsdump + DCSync across the domain
  • Privilege Escalation: Entra Connect (AD Connect) sync account abuse to pivot from on-prem to cloud
  • Lateral Movement: On-prem to Azure pivot via the compromised Entra Connect sync account + RDP
  • Persistence: Cloud session hijacking of an on-prem user holding a cloud admin role (MFA disabled)
  • Impact / Objectives: Embargo ransomware deployment across the hybrid environment

Storm-2372 (active)
  • Initial Access: Device code phishing via email, with an IT helpdesk or Teams invite pretext
  • Credential Access: OAuth refresh token obtained via the device authorization grant
  • Privilege Escalation: Token used for persistent API-level access to M365 Graph endpoints
  • Lateral Movement: Internal spearphishing from the compromised account to additional targets
  • Persistence: App registration with delegated permissions + device registration in Entra ID
  • Impact / Objectives: Email collection via the Graph API + lateral expansion via internal phishing

Scattered Spider (active)
  • Initial Access: Social engineering of the helpdesk into an Okta/Entra password reset + MFA fatigue bombing
  • Credential Access: AD credential theft from compromised endpoints + MFA bypass tokens + session cookies
  • Privilege Escalation: Okta admin escalation + Entra ID role assignment
  • Lateral Movement: RDP/SSH from the management network + cross-IdP pivot (Okta, Azure, AWS)
  • Persistence: SSH key persistence + OAuth app consent + Entra device registration
  • Impact / Objectives: Data exfiltration + ransomware deployment (Alphv/BlackCat affiliate)

Ransomware Operators (active)
  • Initial Access: IAB-purchased credentials / VPN exploit / phishing leading to Cobalt Strike
  • Credential Access: LSASS dump + DCSync + Kerberoasting. Universal across all tracked families.
  • Privilege Escalation: Golden Ticket / GPO modification for domain-wide deployment
  • Lateral Movement: PsExec + WMI + RDP. The same techniques are documented across every DFIR Report intrusion.
  • Persistence: Minimal. Ransomware operators prioritize speed over stealth.
  • Impact / Objectives: GPO-deployed ransomware + vssadmin shadow copy deletion + bcdedit recovery disable

The Chokepoint (invariant at each stage)
  • Initial Access: Valid credential presented to an authentication endpoint (AD, Entra ID, or federated IdP)
  • Credential Access: DRSUAPI replication call (DCSync) OR elevated process reading LSASS memory OR token grant from an OAuth endpoint
  • Privilege Escalation: Kerberos TGT forged or GPO modified OR OAuth app consent with admin-level permissions
  • Lateral Movement: Authenticated session established to a remote host via SMB/RDP/WinRM OR cross-tenant token used
  • Persistence: Service principal credential added OR inbox rule created OR device registered to Entra ID
  • Impact / Objectives: Mass file encryption via GPO deployment OR bulk email/cloud data exfiltration via the Graph API

The Protocol Invariant

Unlike other attack chains, where convergence stems from OS-level constraints, identity domination converges because of protocol-level invariants. Kerberos (with NTLM surviving as its legacy fallback), LDAP, SAML, OAuth 2.0, and OpenID Connect are the authentication and authorization protocols an enterprise identity estate exposes. Every actor, from nation-state espionage to commodity ransomware, must speak one of them to authenticate, escalate, and move laterally. The protocol is the chokepoint.

On-prem AD: must call DRSUAPI (IDL_DRSGetNCChanges) to replicate credentials (DCSync). Must request a service ticket for an SPN to attack any Kerberized service account (Kerberoasting). Must modify a GPO to deploy domain-wide (ransomware).

Hybrid identity: the pivot from on-prem to cloud runs through the Entra Connect (AD Connect) sync account, whose credentials live on the sync server and which holds directory write rights in the tenant. The sync account is the bridge, and the chokepoint.

Cloud Entra ID: must obtain a valid OAuth token to access any resource. Must add a credential to a servicePrincipal for credential-based persistence. Must register a device or an app for long-term persistence.

Research Methodology

Procedure-level data in this attack chain was extracted and corroborated using Kitsune, an AI-driven threat intelligence pipeline. 12 vendor and government reports were analyzed across 5 actors covering on-prem AD, hybrid identity, and cloud Entra ID attack paths. Reports were sourced from ORKL and direct vendor publications including Microsoft Threat Intelligence, CrowdStrike, Mandiant / Google Threat Intelligence, CISA, ReliaQuest, and The DFIR Report. Only techniques observed in two or more actors appear in the TTP diagram above. Actor-specific procedures are recorded in the source data but filtered from the convergence view.

Related Attack Chains

  • Ransomware: ransomware operators rely on AD credential access and GPO abuse for domain-wide deployment
  • AiTM / Phishing Kits: AiTM-stolen session tokens feed directly into the identity domination chain at the credential access stage
  • Infostealers: infostealer-harvested credentials sold through IABs provide initial access for identity-based attacks
  • Hypervisor Compromise: cloning a domain controller VM for offline NTDS.dit extraction bridges the hypervisor and AD chains