Active Directory Defense and Monitoring: Tiering, LAPS, and Detection Engineering

Tools & Defense

Disclaimer: This article is for education and authorized testing only. Run the attacker-side commands solely against systems you own or are explicitly permitted to assess in writing. Unauthorized access to computer systems is illegal in virtually every jurisdiction.

Introduction / Overview

Most Active Directory compromises do not rely on a single exotic exploit. They chain ordinary misconfigurations: a Tier-0 admin logging into a workstation, identical local administrator passwords across the fleet, an over-permissioned certificate template, and logging that nobody reads. In this article we flip the usual offensive lens and build the defensive program: an administrative tiering model, LAPS for local password randomization, honeypot accounts for high-fidelity alerting, ADCS hardening, and the Windows Event IDs you need to catch the attack chains described in posts like Kerberoasting and DCSync.

By the end you will have concrete commands, registry keys, and Sigma-style detection logic you can deploy in a lab.

How it Works / Background

Active Directory trust is transitive and credential-centric. When a privileged credential lands in memory on a low-trust host, an attacker who controls that host can harvest it (Mimikatz, sekurlsa::logonpasswords) and reuse it. The defensive answer is clean source / tiering: you never expose a higher-privilege credential to a lower-trust system.

Microsoft's tier model defines three planes:

  • Tier 0 — Domain Controllers, AD CS, ADFS, anything that can control identity.
  • Tier 1 — Servers and applications.
  • Tier 2 — User workstations.

The cardinal rule: a Tier-0 credential is only ever typed into, or cached on, a Tier-0 asset, and the same holds one level down (Tier-1 admins never log on to Tier-2 workstations). Enforcement is done with authentication policy silos, the Protected Users group, logon-rights GPOs (Deny log on locally / Deny log on through Remote Desktop Services / Deny access to this computer from the network), and dedicated Privileged Access Workstations (PAWs). Silos and Protected Users both need a Windows Server 2012 R2 or later domain functional level.

Prerequisites / Lab Setup

  • A Windows Server 2019/2022 Domain Controller and at least one member server and workstation.
  • Windows LAPS (shipped in the April 2023 cumulative updates for Windows 10 20H2 and later, Windows 11, Windows Server 2019 and 2022; Server 2016 and older only support the legacy Microsoft LAPS MSI).
  • An OU structure separating Tier 0 / Tier 1 / Tier 2 objects.
  • A SIEM or at least wevtutil access and Sysmon for endpoint telemetry.

Defensive Walkthrough / PoC

1. Deploy Windows LAPS

Legacy "Microsoft LAPS" is superseded by Windows LAPS. Extend the schema and configure via GPO or directly:

# Extend the AD schema for Windows LAPS (run as Schema Admin)
Update-LapsADSchema

# Grant the managed device the right to update its own password
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=corp,DC=local"

# Verify and read a stored password (requires delegated read rights)
Get-LapsADPassword -Identity "WKSTN01" -AsPlainText
PowerShell

Configure rotation policy through registry / GPO under HKLM\Software\Microsoft\Policies\LAPS:

PasswordLength            = 24
PasswordComplexity        = 4
PasswordAgeDays           = 30
BackupDirectory           = 2   # 2 = Active Directory, 1 = Entra ID
PostAuthenticationActions = 3   # reset password + terminate sessions
Plaintext

LAPS blunts lateral movement via Pass-the-Hash of the built-in local administrator because every host gets a unique, rotating password; it does nothing for domain credentials cached on the host, which is what tiering addresses. Restrict read access to the msLAPS-Password and msLAPS-EncryptedPassword attributes to a single Tier-0 group, and set ADPasswordEncryptionEnabled so the value is stored encrypted rather than as cleartext protected only by the ACL (this needs a 2016 domain functional level).
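The delegation and audit steps that finish the rollout, as an added example (not code from the original post): reads are delegated to one Tier-0 group, every other holder of extended rights on the OU is flagged, and the SACL that produces the 4662 reads used later in the detection section is switched on. It assumes the LAPS and ActiveDirectory modules on a Domain Admin's PAW; the OU, group and host names (Tier0-LAPS-Readers, DC01, WKSTN01) are hypothetical.

```powershell
# Added example (not from the original post): finish the Windows LAPS rollout by
# delegating reads to one Tier-0 group, hunting for unintended readers, and turning on
# the audit trail the detection section relies on. Assumes the LAPS and ActiveDirectory
# modules on a Domain Admin's PAW; OU, group and host names are hypothetical.
Import-Module LAPS
Import-Module ActiveDirectory

$tier2OU  = 'OU=Workstations,DC=corp,DC=local'
$readers  = 'CORP\Tier0-LAPS-Readers'                                    # assumed Tier-0 group
$expected = @($readers, 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins')     # holders you accept

# 1. Only the Tier-0 group may read or force-expire the managed password.
#    These cmdlets ADD ACEs; they do not strip readers that were granted earlier.
Set-LapsADReadPasswordPermission  -Identity $tier2OU -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $tier2OU -AllowedPrincipals $readers

# 2. "All extended rights" on an OU implicitly grants LAPS password reads;
#    list every holder and warn about the ones you did not plan for
Find-LapsADExtendedRights -Identity $tier2OU | ForEach-Object {
    $dn = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        if ($holder -notin $expected) { Write-Warning "Unexpected LAPS reader on ${dn}: $holder" }
    }
}

# 3. SACL on the OU so every successful password read logs event 4662 on the DCs,
#    plus the audit subcategory that actually emits those events (run on each DC)
Set-LapsADAuditing -Identity $tier2OU -AuditedPrincipals 'Everyone' -AuditType Success
Invoke-Command -ComputerName DC01 -ScriptBlock {
    auditpol /set /subcategory:"Directory Service Access" /success:enable
}

# 4. Push policy on one client and confirm a password with a future expiry is stored
Invoke-Command -ComputerName WKSTN01 -ScriptBlock { Invoke-LapsPolicyProcessing }
Get-LapsADPassword -Identity 'WKSTN01' -AsPlainText |
    Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp
```

Step 2 is the one people skip: Set-LapsADReadPasswordPermission only adds ACEs, so a helpdesk group that was given "All extended rights" on the workstation OU years ago still reads every LAPS password until you remove it with the ACL editor or dsacls.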

2. Enforce Tiering with Authentication Policies

Create an authentication policy and a silo so Tier-0 accounts are issued TGTs only when they authenticate from approved hosts (the PAWs and DCs that are members of the same silo). Prerequisites: a 2012 R2 domain functional level, the "KDC support for claims, compound authentication and Kerberos armoring" policy enabled on the DCs, and the matching client-side "Kerberos client support for claims" setting on the PAWs:

# Policy: 4-hour TGTs, and users may only authenticate from devices that are silo members
New-ADAuthenticationPolicy -Name "Tier0-Policy" -Enforce `
  -UserTGTLifetimeMins 240 `
  -UserAllowedToAuthenticateFrom 'O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0-Silo"))'

# Silo: binds the policy to its member user and computer accounts
New-ADAuthenticationPolicySilo -Name "Tier0-Silo" -Enforce `
  -UserAuthenticationPolicy "Tier0-Policy" `
  -ComputerAuthenticationPolicy "Tier0-Policy"

# Both the admin and the PAW must be granted access to the silo AND assigned to it
Grant-ADAuthenticationPolicySiloAccess -Identity "Tier0-Silo" -Account "DA-alice"
Grant-ADAuthenticationPolicySiloAccess -Identity "Tier0-Silo" -Account "PAW01$"
Set-ADUser     -Identity "DA-alice" -AuthenticationPolicySilo "Tier0-Silo"
Set-ADComputer -Identity "PAW01"    -AuthenticationPolicySilo "Tier0-Silo"

# Add Tier-0 admins to Protected Users (no NTLM, no DES/RC4, no delegation, no cached creds, 4h TGT)
Add-ADGroupMember -Identity "Protected Users" -Members "DA-alice"
PowerShell

Then block downward logons with GPOs: on the Tier-2 OUs, assign the Tier-0 and Tier-1 admin groups to SeDenyInteractiveLogonRight, SeDenyRemoteInteractiveLogonRight, SeDenyNetworkLogonRight, SeDenyBatchLogonRight and SeDenyServiceLogonRight; on the Tier-1 OUs, do the same for the Tier-0 groups only. Denying just the interactive logon right leaves RDP, PsExec-style network logons and scheduled tasks open, which is exactly where credentials leak.
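The five deny rights applied to a single lab Tier-2 host as a local security template, as an added example (not from the original post). It is the per-machine equivalent of the GPO you would link to the Tier-2 OU, useful for testing the effect before rolling it out; the group names (Tier0-Admins) are hypothetical and the script assumes it runs elevated on the target workstation.

```powershell
# Added example (not from the original post): apply the "deny downward logon" rights
# on one Tier-2 host as a local security template, i.e. what a GPO linked to the
# Tier-2 OU would enforce. Group names are hypothetical; run elevated on the workstation.
$tier0Groups = @('CORP\Tier0-Admins', 'CORP\Domain Admins')   # assumed Tier-0 group names

# User-rights assignments in a security template are keyed by SID, each prefixed with "*"
$sids = $tier0Groups | ForEach-Object {
    '*' + (New-Object System.Security.Principal.NTAccount($_)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value
}
$sidList = $sids -join ','

# Deny every logon type, not only interactive: RDP, network (SMB/WinRM/PsExec), batch, service
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $sidList
SeDenyRemoteInteractiveLogonRight = $sidList
SeDenyNetworkLogonRight = $sidList
SeDenyBatchLogonRight = $sidList
SeDenyServiceLogonRight = $sidList
"@

$inf = Join-Path $env:TEMP 'tier2-deny.inf'
$template | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\tier2-deny.sdb" /cfg $inf /areas USER_RIGHTS /quiet

# Verify: export the effective local policy and show the deny rights now in force
$out = Join-Path $env:TEMP 'effective.inf'
secedit /export /cfg $out /areas USER_RIGHTS /quiet
Select-String -Path $out -Pattern '^SeDeny\w+LogonRight'
```

After this runs, a Domain Admin can no longer open an RDP session, map a share, or run a scheduled task on that workstation, which is the point: Tier-2 is managed by Tier-2 (or Tier-1) accounts only. Never apply the same template to DCs or PAWs, and in production carry the settings in the GPO so they are re-applied at every refresh.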

3. Plant a Honeypot Account

A honeypot (decoy) account is a non-privileged user that should never be touched, so any authentication attempt against it is a high-fidelity signal. Make it attractive to Kerberoasting and AS-REP roasting, but still give it a long random password: with pre-authentication disabled its AS-REP is crackable offline, and a cracked decoy turns into a real foothold the day someone grants it a right.

New-ADUser -Name "svc-sql-backup" -SamAccountName "svc-sql-backup" `
  -Description "SQL backup service - legacy" -Enabled $true `
  -AccountPassword (ConvertTo-SecureString "D3coyP@ss!verylong" -AsPlainText -Force)

# Make it Kerberoastable by setting an SPN
Set-ADUser "svc-sql-backup" -ServicePrincipalNames @{Add="MSSQLSvc/decoy.corp.local:1433"}

# Optionally make it AS-REP roastable
Set-ADAccountControl "svc-sql-backup" -DoesNotRequirePreAuth $true
PowerShell

Now enable the "Audit Kerberos Service Ticket Operations" subcategory on every DC so each service-ticket request for this account (event 4769 with ServiceName = svc-sql-backup) fires an alert; with "Audit Kerberos Authentication Service" enabled, an AS-REP roast shows up as event 4768 for the account with Pre-Authentication Type 0. Because no legitimate process requests this SPN, the false-positive rate is near zero once you exclude your own vulnerability scanners.

4. Harden AD CS (Certipy-resistant)

ESC1 through ESC8 (and the later ESC classes Certipy also checks) abuse template, CA and enrollment-endpoint misconfigurations. Audit your templates:

# From an attacker/auditor box, enumerate vulnerable templates
certipy find -u auditor@corp.local -p 'Password123' -dc-ip 10.0.0.10 -vulnerable -stdout
Bash

Remediate the common findings:

  • ESC1 — Clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT on any template whose EKU permits authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all), or require Manager Approval / an authorized signature, and remove Enroll rights from Domain Users, Domain Computers and Authenticated Users.
  • ESC6 — Disable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA:
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
Restart-Service certsvc
PowerShell
  • ESC8 — The attack relays NTLM to the CA's HTTP endpoints, so the fix is on the CA, not the attacker's traffic: require HTTPS with Extended Protection for Authentication (EPA) on Web Enrollment and CES, or disable NTLM on those endpoints (Kerberos only), and uninstall the web enrollment roles if nothing uses them.
  • Apply the CVE-2022-26923 (Certifried) patch and enforce strong certificate mapping per KB5014754: set StrongCertificateBindingEnforcement = 2 on the DCs (Full Enforcement became the default with the February 2025 updates) and reissue any certificate that the compatibility-mode warnings show mapping weakly.
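A read-only ESC1 audit using only the ActiveDirectory module, as an added example (not the post's code, and not a Certipy replacement) for hosts where running an offensive tool is not an option. It replicates the core ESC1 conditions from the bullet above: enrollee supplies the subject, an authentication EKU, no manager approval or authorized signature, and Enroll granted to a low-privilege principal. The OIDs, flag bits and the Certificate-Enrollment extended-right GUID are the documented Microsoft values; the forest it runs against is assumed to be the lab domain.

```powershell
# Added example (not from the original post): enumerate ESC1-prone templates from the
# configuration partition. Requires the ActiveDirectory module and read access to
# CN=Public Key Services, which every domain user has by default.
Import-Module ActiveDirectory

$cfg   = (Get-ADRootDSE).configurationNamingContext
$pkiDN = "CN=Public Key Services,CN=Services,$cfg"

# Templates actually published on at least one enterprise CA
$published = @(Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDN" `
                 -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
               ForEach-Object { $_.certificateTemplates })

$authEkus = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
              '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
              '2.5.29.37.0')              # Any Purpose
$domSid     = (Get-ADDomain).DomainSID.Value
$lowPriv    = @('S-1-5-11', 'S-1-1-0', "$domSid-513", "$domSid-515")  # Authenticated Users, Everyone, Domain Users, Domain Computers
$enrollGuid = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'           # Certificate-Enrollment extended right
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiDN" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
                'pKIExtendedKeyUsage', 'nTSecurityDescriptor' |
ForEach-Object {
    $t = $_
    $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ([int]$t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
    $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0
    $ekus    = @($t.pKIExtendedKeyUsage)
    $authEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $_ -in $authEkus })   # no EKU = any purpose

    # Principals holding Enroll (or all extended rights / GenericAll) on the template, as SIDs
    $enrollers = @($t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights.HasFlag($extRight) -and $_.ObjectType -in @($enrollGuid, [guid]::Empty)) -or
            $_.ActiveDirectoryRights.HasFlag($genericAll))
    } | ForEach-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
    })
    $lowPrivEnroll = @($enrollers | Where-Object { $_ -in $lowPriv })

    if ($suppliesSubject -and $authEku -and -not $managerApproval -and -not $needsSignature -and $lowPrivEnroll.Count -gt 0) {
        [pscustomobject]@{
            Template  = $t.Name
            Published = ($t.Name -in $published)
            EnrollBy  = ($lowPrivEnroll -join ',')
        }
    }
}
```

Treat an unpublished hit as a latent finding: the template becomes exploitable the moment someone publishes it on a CA. The script deliberately does not check the CA-level EDITF_ATTRIBUTESUBJECTALTNAME2 flag (ESC6); read that with certutil -getreg policy\EditFlags on the CA itself.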

Mermaid Diagram


The diagram shows how each defensive control (LAPS, honeypot, ADCS hardening) severs a distinct link in the workstation-to-Domain-Admin kill chain.

Detection & Defense (Blue Team)

Defense without telemetry is wishful thinking. Map controls to detection logic:

Key Event IDs to collect (Security log on the DCs unless noted):

  Event ID      Meaning                                        Detection use
  4768          Kerberos TGT requested (AS-REQ)                AS-REP roasting (Pre-Authentication Type 0), anomalous source
  4769          Kerberos service ticket (TGS-REQ)              Kerberoasting, honeypot hits, RC4 (0x17) tickets
  4624 / 4625   Logon success / failure                        Tier violations (Tier-0 account on a Tier-2 host), password spraying
  4662          Operation on a directory object                DCSync (replication right GUIDs 1131f6aa-... / 1131f6ad-...), LAPS password reads
  4670 / 4738   Permissions / account change                   Persistence, ACL backdoors
  5136          Directory object modified                      GPO/ACL tampering
  4886 / 4887   Certificate requested / issued (on the CA)     ADCS abuse, ESC1 enrollment

Detect Kerberoasting / honeypot abuse — alert on any 4769 for the decoy account, and on a burst of 4769 events with Ticket Encryption Type = 0x17 (RC4) for many distinct service accounts from one source. Exclude machine accounts (ServiceName ending in $) and krbtgt, and baseline first: a service account that only has RC4 keys yields 0x17 on every legitimate request.

EventID=4769 AND NOT ServiceName ENDSWITH "$" AND ServiceName != "krbtgt"
AND ( ServiceName="svc-sql-backup"
      OR ( TicketEncryptionType="0x17" AND distinct_count(ServiceName) BY IpAddress >= 5 WITHIN 5m ) )
Plaintext

Detect DCSync — alert on Event 4662 with Access Mask 0x100 (Control Access) whose Properties field contains a replication extended-right GUID (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 DS-Replication-Get-Changes, 1131f6ad-... DS-Replication-Get-Changes-All, or 89e95b76-444d-4c62-991a-0facbeda640c DS-Replication-Get-Changes-In-Filtered-Set) from a SubjectUserName that is not a Domain Controller computer account or a known replication service such as Entra Connect.

Detect LAPS bypass attempts — put a SACL on the workstation OUs (Set-LapsADAuditing) and monitor 4662 reads of the msLAPS-Password and msLAPS-EncryptedPassword attributes (and the legacy ms-Mcs-AdmPwd attribute) via Directory Service Access auditing; alert on any reader outside the delegated Tier-0 group.

Detect ADCS abuse — enable "Audit Certification Services" on the CA and correlate 4886 (request received) / 4887 (certificate issued) with the issued certificate in the CA database (certutil -view -restrict "RequestID=<n>"), alerting when the Requester does not match the certificate's Subject or Subject Alternative Name (the ESC1/ESC6 signature). On the DCs, KB5014754's Kerberos-Key-Distribution-Center events 39 (no strong mapping) and 41 (embedded SID does not match the account) in the System log flag certificates that should not be trusted for logon.
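The honeypot, Kerberoast and DCSync rules above expressed as PowerShell functions and run over a constructed batch of events, as an added example (not part of the original post). The field names follow the Security-log EventData names (ServiceName, TicketEncryptionType, IpAddress, SubjectUserName, Properties) so the same functions accept the output of the Get-SecurityEvents helper at the bottom; the sample rows, hosts, accounts and the DC names in the allow-list are fabricated, and the RC4 threshold is a starting value you tune against your own baseline.

```powershell
# Added example (not from the original post): the honeypot, Kerberoast and DCSync
# rules as functions over flattened Security-log events. All sample data is constructed.
$decoys       = @('svc-sql-backup')                       # honeypot accounts
$replicators  = @('DC01$', 'DC02$')                       # assumed DC accounts allowed to replicate
$replGuids    = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes
                  '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes-All
                  '89e95b76-444d-4c62-991a-0facbeda640c') # DS-Replication-Get-Changes-In-Filtered-Set
$rc4Threshold = 5                                         # distinct service accounts per source (tune to baseline)

function Test-Honeypot4769 { param($Events)
    $Events | Where-Object { $_.Id -eq 4769 -and $_.ServiceName -in $decoys } |
        ForEach-Object { "[HONEYPOT] $($_.TargetUserName) from $($_.IpAddress) requested a ticket for $($_.ServiceName)" }
}

function Test-Kerberoast4769 { param($Events)
    # Many RC4 (0x17) service tickets for distinct user SPN accounts from one source;
    # machine accounts and krbtgt are excluded because they are not roastable targets
    $Events | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and
                             $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object IpAddress | ForEach-Object {
            $spns = @($_.Group.ServiceName | Sort-Object -Unique)
            if ($spns.Count -ge $rc4Threshold) {
                "[KERBEROAST] $($_.Name) pulled RC4 tickets for $($spns.Count) accounts: $($spns -join ',')"
            }
        }
}

function Test-DCSync4662 { param($Events)
    foreach ($e in $Events) {
        if ($e.Id -ne 4662 -or $e.SubjectUserName -in $replicators) { continue }
        $hit = @($replGuids | Where-Object { $e.Properties -match $_ })
        if ($hit.Count -gt 0) { "[DCSYNC] $($e.SubjectUserName) exercised $($hit -join ',') on $($e.ObjectName)" }
    }
}

# Live equivalent: pull events from a DC and flatten EventData into the same shape
function Get-SecurityEvents { param([string]$Dc, [int[]]$Ids = @(4769, 4662), [int]$Hours = 24)
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $o = [ordered]@{ Id = $_.Id }
            foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
            [pscustomobject]$o
        }
}

# Constructed sample batch (not real telemetry)
$sample = @(
    [pscustomobject]@{ Id = 4769; TargetUserName = 'jdoe@CORP.LOCAL'; ServiceName = 'svc-sql-backup'; TicketEncryptionType = '0x12'; IpAddress = '::ffff:10.0.2.15' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'bob@CORP.LOCAL';  ServiceName = 'FS01$';          TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.2.20' }
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'jdoe';  ObjectName = 'DC=corp,DC=local'; Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'DC02$'; ObjectName = 'DC=corp,DC=local'; Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' }
)
$sample += 1..6 | ForEach-Object {   # one source sweeping six user SPN accounts with RC4
    [pscustomobject]@{ Id = 4769; TargetUserName = 'jdoe@CORP.LOCAL'; ServiceName = "svc-app$_"; TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.2.15' }
}

Test-Honeypot4769   $sample
Test-Kerberoast4662 2>$null   # (no-op guard so the three calls below read as the unit of work)
Test-Kerberoast4769 $sample
Test-DCSync4662     $sample
```

The batch is built so each rule has one true positive and one benign look-alike: an AES ticket for the decoy still counts as a honeypot hit, the single RC4 ticket for the FS01$ machine account is ignored, and DC02$ replicating is allowed while jdoe exercising the same rights is not. Against live data, replace $sample with Get-SecurityEvents -Dc DC01 and bucket the Kerberoast rule by time window in your SIEM rather than over a whole day.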

Hardening summary:

  • Tiering + Protected Users + authentication policy silos.
  • Windows LAPS with PostAuthenticationActions = 3.
  • Disable RC4 in Kerberos where feasible; prefer AES.
  • Patch CVE-2022-26923, CVE-2021-42287/42278 (sAMAccountName spoofing / noPac), and enable KB5014754 enforcement.
  • Run BloodHound/PingCastle quarterly to map attack paths; honeypot every tier.

Use the Microsoft baseline GPOs from the Security Compliance Toolkit and ship all of the above logs to a SIEM with at least 90 days of retention.

Conclusion

Each control here is cheap individually but devastating in combination: LAPS kills credential reuse, tiering kills credential exposure, honeypots give you a free tripwire, and ADCS hardening closes a path to Domain Admin that bypasses every password policy you have. Pair them with the Event IDs above and you convert a silent breach into a noisy, contained incident. For the offensive counterparts of these defenses, see DCSync and DCShadow and ADCS ESC1 Exploitation.
