Lesson 1: AD Authentication Protocols - Technical Deep Dive
Visual Starter: The Keys to the Kingdom
[VISUAL PLACEHOLDER: Interactive diagram showing a castle with multiple gates representing different authentication paths. The main gate shows "On-Premises AD" with Kerberos/NTLM guards, a cloud gate showing "Azure AD/Entra ID" with OAuth/SAML tokens, and a bridge connecting them labeled "Hybrid Identity". Around the castle, red arrows show 9 out of 10 attack attempts targeting these gates, with a prominent breach showing 192.7M records stolen through an unsecured gate (representing Change Healthcare). Include statistics overlay: "90% of attacks target AD" and "Average breach cost: $1.2M"]
Think of authentication as the gates to your organization's castle. Some gates use protocols designed in the 1990s, while others leverage modern cloud-based verification. Attackers know exactly which gates to target, and industry data puts Active Directory in the path of 9 out of 10 attacks.
February 2024: When the Gates Failed
Picture this: One of America's largest healthcare payment processors, Change Healthcare, processes roughly 15 billion medical claims annually, about 40% of all claims in the United States. In February 2024, an affiliate of the BlackCat (ALPHV) ransomware group got into the network using compromised credentials for a Citrix remote access portal that had no multi-factor authentication. Once inside, they spent nine days moving through the network before deploying ransomware.
Here's where understanding Active Directory authentication becomes critical. After gaining initial access, the attackers escalated their privileges and compromised Change Healthcare's "crown jewels": its Microsoft Active Directory. With control over AD, they could reach the entire kingdom. The result? 192.7 million individuals, roughly one-third of all Americans, had medical records, Social Security numbers and other personal data stolen, and the breach cost exceeded $1.5 billion.
This wasn't a sophisticated zero-day exploit. It was a fundamental authentication failure that you, as a SOC analyst, need to prevent.
Understanding On-Premises Active Directory: The Original Gatekeeper
When Microsoft introduced Active Directory in 2000, it revolutionized how organizations managed identity and access. Think of on-premises AD as a hierarchical security database that controls who gets through which gates.
[VISUAL PLACEHOLDER: Hierarchical tree diagram showing Forest at top, branching into Domains, then Domain Controllers, and finally Organizational Units (OUs) with user/computer objects at the bottom]
The architecture consists of domains (administrative and replication boundaries that group users, computers and other objects), forests (one or more domains that share a schema and configuration and are linked by automatic two-way transitive trusts; the forest, not the domain, is the real security boundary), domain controllers (the servers that hold a writable copy of the directory and actually authenticate users), and organizational units (containers that organize users and computers, mainly for Group Policy and delegated administration). When you log into your work computer each morning, a domain controller verifies your identity using either the Kerberos or the NTLM protocol.
According to Semperis' 2024 Ransomware Risk Report, Active Directory is targeted in 9 out of 10 attacks. Why? Because compromising AD means controlling access to everything: files, applications, databases, and other systems. It's the ultimate prize for attackers.
Azure AD (Microsoft Entra ID): The Cloud Evolution
While on-premises AD manages your local network, Azure AD—now called Microsoft Entra ID—handles authentication for cloud services like Office 365, Azure resources, and thousands of SaaS applications. This isn't just "AD in the cloud." It's a fundamentally different beast.
Azure AD uses modern authentication protocols: OAuth 2.0 for authorization, OpenID Connect for authentication, and SAML for single sign-on. Instead of Kerberos tickets, you're dealing with OAuth access and refresh tokens (JSON Web Tokens, JWTs) and, on Entra-joined or hybrid-joined Windows devices, Primary Refresh Tokens (PRTs), the cloud equivalent of a TGT. Industry research from 2024 puts 78% of Active Directory attacks in hybrid environments where on-premises and cloud systems connect, which is exactly the setup most organizations run today.
Hybrid Identity: Where Two Worlds Collide
Here's where things get interesting for you as a SOC analyst. Most organizations run hybrid environments: on-premises AD synchronized with Azure AD through Azure AD Connect (now Microsoft Entra Connect). Users authenticate against on-premises domain controllers for internal resources but use Azure AD for cloud services. This creates what security professionals call "identity sprawl", meaning several authentication paths to the same identity, any of which an attacker can exploit.
[VISUAL PLACEHOLDER: Side-by-side comparison showing Authentication Flow diagrams. Left side: On-Premises flow (User → Domain Controller → Kerberos TGT → Service Access). Right side: Azure AD flow (User → Azure AD → OAuth Token → Cloud Service Access). Center: Hybrid sync arrow showing Azure AD Connect bridging both sides]
Synchronization happens through Azure AD Connect (Microsoft Entra Connect), which replicates user accounts and group memberships to the cloud and, when password hash synchronization is enabled, a salted, re-hashed derivative of each user's NT hash (the alternatives are pass-through authentication, which proxies sign-ins back to on-premises domain controllers, and federation through AD FS). But here's the catch: the Connect server is itself a crown jewel. It stores credentials for an on-premises account with directory replication rights (the same DCSync capability attackers use to dump every password hash) and for a privileged Entra ID synchronization account, so whoever owns that server has a foothold on both sides. Attackers who compromise on-premises AD can pivot to cloud resources through the sync accounts, stolen PRTs or federation signing keys, and a compromised tenant can reach back into on-premises systems through hybrid-joined devices and cloud management tooling.
Kerberos vs. NTLM: The Protocol Battle
When you authenticate to on-premises resources, two protocols dominate: Kerberos (introduced in Windows 2000) and the older NTLM. Understanding their differences is crucial for detecting attacks.
Kerberos uses a ticket-based system. When you log in, the Key Distribution Center (KDC) on a domain controller authenticates you (AS-REQ/AS-REP) and issues a Ticket Granting Ticket (TGT), encrypted with the key of the domain's krbtgt account. Want to access a file server? You present the TGT to the Ticket Granting Service (TGS-REQ) and receive a service ticket for that server's service principal name (SPN), encrypted with the service account's key. Tickets carry your identity, your group memberships (in the Privilege Attribute Certificate, or PAC), a session key and a validity period. Modern domains use AES-256 (encryption type 0x12), but where an account still accepts RC4 (0x17) the ticket is encrypted with a key that is literally the account's unsalted NT hash. That is why attackers request RC4 service tickets for user accounts that have SPNs and crack them offline: Kerberoasting. A 4769 event showing RC4 encryption for a non-machine service account is the signal to watch.
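To make that signal concrete, here is an added example (written for this lesson, not part of the original page or of any Microsoft tooling) that scans Windows Security event 4769 records for RC4 service tickets and flags a requester that pulls tickets for several distinct service accounts within a short window. The event dictionaries are constructed samples carrying the fields a SIEM normalizes from 4769 (TargetUserName, ServiceName, TicketEncryptionType, Status); the field names, the 60-second window and the three-service threshold are my assumptions and should be tuned against your own baseline.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 records.

Added example for the lesson; the events below are constructed, not
captured from a real domain, and the field names are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption types as they appear in the TicketEncryptionType field of 4769.
ENC_TYPES = {
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
}
WEAK_ENC_TYPES = {"0x17", "0x18"}

# Constructed sample 4769 ("A Kerberos service ticket was requested") events.
EVENTS = [
    {"time": "2024-02-12T02:03:11", "user": "jdoe@CORP.LOCAL", "service": "FS01$", "enc": "0x12", "status": "0x0"},
    {"time": "2024-02-12T02:03:15", "user": "jdoe@CORP.LOCAL", "service": "krbtgt", "enc": "0x12", "status": "0x0"},
    {"time": "2024-02-12T02:14:02", "user": "svc-backup@CORP.LOCAL", "service": "SQL01$", "enc": "0x12", "status": "0x0"},
    # One low-privilege user bursting RC4 tickets for several user service accounts.
    {"time": "2024-02-12T02:20:01", "user": "intern7@CORP.LOCAL", "service": "svc-sql", "enc": "0x17", "status": "0x0"},
    {"time": "2024-02-12T02:20:02", "user": "intern7@CORP.LOCAL", "service": "svc-web", "enc": "0x17", "status": "0x0"},
    {"time": "2024-02-12T02:20:02", "user": "intern7@CORP.LOCAL", "service": "svc-backup", "enc": "0x17", "status": "0x0"},
    {"time": "2024-02-12T02:20:03", "user": "intern7@CORP.LOCAL", "service": "svc-sccm", "enc": "0x17", "status": "0x0"},
    # A legacy application that always uses RC4 to one service: noisy, not a burst.
    {"time": "2024-02-12T02:30:00", "user": "legacyapp@CORP.LOCAL", "service": "svc-erp", "enc": "0x17", "status": "0x0"},
]


def is_weak_service_ticket(ev):
    """True for a successful RC4 ticket to a user (non-machine) service account.

    Machine accounts (name ends in $) negotiate AES by default, and krbtgt
    tickets are TGT operations, so both are excluded to cut noise.
    """
    svc = ev["service"].strip()
    return (ev["enc"] in WEAK_ENC_TYPES and ev["status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def kerberoast_suspects(events, window_seconds=60, min_services=3):
    """Return {user: sorted services} for every user that obtained weak tickets
    for at least `min_services` distinct services inside any `window_seconds`."""
    per_user = defaultdict(list)
    for ev in events:
        if is_weak_service_ticket(ev):
            per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))

    window = timedelta(seconds=window_seconds)
    suspects = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # Sliding window anchored at each request; reqs is time-sorted.
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                suspects[user] = sorted(services)
                break
    return suspects


if __name__ == "__main__":
    for ev in EVENTS:
        if is_weak_service_ticket(ev):
            print(f"weak ticket: {ev['user']} -> {ev['service']} ({ENC_TYPES[ev['enc']]})")
    for user, services in kerberoast_suspects(EVENTS).items():
        print(f"Kerberoasting suspect: {user} requested {len(services)} RC4 service tickets: {services}")
```

Two caveats before you deploy something like this. Event 4769 is only written when "Audit Kerberos Service Ticket Operations" is enabled, and on a busy DC it is voluminous. And encryption type alone is not sufficient: tooling can request AES tickets where the target supports them, so the burst of distinct SPNs from one principal is the stronger signal, with the RC4 downgrade as a multiplier.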
NTLM, conversely, uses a challenge-response mechanism. The server sends a random 8-byte challenge, your computer answers with an HMAC-MD5 (NTLMv2) keyed by a value derived from your NT hash, and the server forwards challenge and response to a domain controller, which recomputes the answer from the hash it has stored. Three consequences matter for detection. The response is computed from the hash alone, so anyone holding the hash can authenticate without ever knowing the password (pass-the-hash). Nothing in the response identifies which server issued the challenge, so an attacker who can coax a client into authenticating to them can forward the challenge and the answer to a different server (NTLM relay) unless signing or channel binding is enforced there. And the client never verifies the server, so there is no mutual authentication. Microsoft formally deprecated all versions of NTLM in 2024 and intends to remove it from future Windows releases, but it persists wherever legacy applications, non-domain-joined hosts or access by IP address force a fallback from Kerberos.
The Modern Threat Landscape
According to Semperis, 83% of organizations were targeted by ransomware in the past 12 months, and 74% of those were attacked multiple times. Authentication systems are the primary target. When attackers compromise authentication, they don't need to break into individual systems—they simply walk through the front door with valid credentials.
The Change Healthcare breach exemplifies this perfectly. No sophisticated exploit. No zero-day vulnerability. Just compromised credentials and missing multi-factor authentication on a critical access point. Industry reports show it takes attackers only about 16 hours to breach Active Directory once they gain initial access. That's less than one business day.
Why This Matters to You
As a SOC analyst, understanding authentication protocols isn't academic—it's survival. When you're reviewing logs at 2 AM investigating a potential breach, you need to instantly recognize normal Kerberos TGT requests versus suspicious service ticket requests with RC4 encryption downgrade. You need to spot the difference between legitimate Azure AD sign-ins and compromised Primary Refresh Tokens being replayed.
Only 27% of organizations maintain dedicated Active Directory-specific backups, yet AD manages access to nearly all users, groups, applications, and resources. You're often the last line of defense before an attacker escalates from a compromised user account to complete domain dominance. Understanding these authentication architectures, protocols, and their weaknesses gives you the foundation to detect attacks before they become breaches.
In the next lesson, we'll dive deeper into trust relationships and how attackers abuse them to move between domains—both on-premises and in the cloud.