Joint guidance on detecting and mitigating Active Directory compromises

The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) and the following international partners in releasing cyber security guidance on mitigating Microsoft Active Directory compromises:

  • Cybersecurity and Infrastructure Security Agency (CISA)
  • National Security Agency (NSA)
  • New Zealand's National Cyber Security Centre (NCSC-NZ)
  • United Kingdom Government Communications Headquarters (GCHQ)

Microsoft’s Active Directory is an authentication and authorization solution widely used in enterprise information technology networks globally. It is a valuable target for threat actors: if it is compromised, they can gain privileged access to all of the systems and users that Active Directory manages. Responding to Active Directory attacks can be time-consuming, costly and disruptive.

This guidance provides prevention, detection and mitigation strategies for prevalent Active Directory compromises, including:

  • Kerberoasting
  • AS-REP roasting
  • Password spray
  • MachineAccountQuota
  • Unconstrained delegation
  • Password in Group Policy Preferences
  • Active Directory certificate services
  • Golden certificate
  • DCSync
  • Dumping ntds.dit
  • Golden ticket
  • Silver ticket
  • Golden SAML
  • Microsoft Entra Connect
  • One-way domain trust bypass
  • SID history
  • Skeleton key

By implementing this guidance, organizations can take the steps necessary to secure their enterprise directory services.

Read the joint guidance on mitigating Active Directory attacks.
