The 2026 AD threat landscape
Active Directory remains the central nervous system of nearly every Malaysian bank, insurer and DFI. It is also the single most reliable lateral-movement and privilege-escalation surface for adversaries. Mandiant's 2024 M-Trends report continues to identify identity compromise — particularly via on-premises Active Directory and the federated path into Entra ID — as the dominant route from initial access to full domain compromise across financial services engagements globally. The pattern repeats across every intelligence-led penetration test we run on Malaysian FIs.
The good news: nearly every successful AD attack path in 2026 exploits the same handful of misconfigurations. The hardening checklist is short, well-known, and within reach of any well-staffed AD operations team. The bad news: the misconfigurations are the operational defaults, and removing them requires careful, coordinated change management across IT, identity, security and application teams.
The top 10 attack paths
Below are the ten attack paths we exploit most reliably in Malaysian FI engagements. Ranked by frequency-of-success in our 2025-2026 caseload.
1. Kerberoasting
Any authenticated user can request a Kerberos service ticket for any service principal name. Tickets encrypted with a service account's password hash are extractable from memory, then offline-cracked. Service accounts with weak passwords (still common — historic vendor installs, default-policy gaps) hand over plaintext credentials. The fix: rotate all service-account passwords to 25+ character random secrets, prefer Group Managed Service Accounts (gMSAs), monitor for unusual SPN ticket request patterns.
2. AS-REP Roasting
Accounts with the “Do not require Kerberos pre-authentication” flag set return AS-REP messages to anyone who asks — including attackers. The AS-REP is encrypted with the user's password hash and cracks offline. The flag is rarely needed; an audit usually finds it set on a handful of legacy accounts whose owners no longer exist. Fix: identify and remove the flag from every account that does not have a documented operational requirement.
3. DCSync
Accounts holding the Replicating Directory Changes permission can request the password hash of any AD account — including KRBTGT — by impersonating a domain controller. That permission is sometimes granted to service accounts that no longer need it, or to legacy migration tooling that was never decommissioned. Fix: enumerate every principal with DS-Replication-Get-Changes-All and remove any that are not a tier-0 sync mechanism. Monitor DCSync events as a high-fidelity SOC alert.
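The enumeration step above, as an added PowerShell example that is not code from the article: it reads the ACL of the domain naming context and reports every principal holding a replication extended right (or GenericAll, which implies it), marking anything outside an assumed tier-0 allow-list. It assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the original article: list every principal that can
# DCSync the domain, i.e. holds replication extended rights (or GenericAll) on
# the domain naming context. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Schema-defined GUIDs of the replication extended rights
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Assumed tier-0 allow-list; anything outside it is a finding. Add a verified
# Entra ID Connect sync account (MSOL_*) here only after you have confirmed it.
$ExpectedHolders = 'Domain Controllers','Enterprise Domain Controllers','Enterprise Read-only Domain Controllers','Administrators','Domain Admins','Enterprise Admins'

function Get-DcSyncPrincipals {
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString().ToLower()
        $right  = $null
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $right = 'GenericAll'                      # full control implies DCSync
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($ReplicationRights.ContainsKey($guid)) { $right = $ReplicationRights[$guid] }
            elseif ($ace.ObjectType -eq [guid]::Empty)  { $right = 'All extended rights' }
        }
        if ($right) {
            $name = $ace.IdentityReference.Value.Split('\')[-1]
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
                Expected  = $ExpectedHolders -contains $name
            }
        }
    }
}

# Unexpected holders sort first: these are the candidates for removal
Get-DcSyncPrincipals | Sort-Object Expected, Principal | Format-Table -AutoSize
```

A principal needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All to replicate secrets, so review the pair per principal rather than each row in isolation.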
4. Golden Ticket
Attackers with the KRBTGT password hash can forge unlimited domain admin tickets, valid for the lifetime of the KRBTGT password. Mitigation requires rotating KRBTGT twice (back-to-back, with replication settle in between) on a periodic cadence — annually at minimum, and immediately on any suspected compromise. Most Malaysian banks we test have not rotated KRBTGT in over three years.
5. AD CS ESC1-8 (certificate template abuse)
Active Directory Certificate Services is the highest-impact, lowest-awareness AD attack surface in 2026. The Certified Pre-Owned research from SpecterOps (ESC1-ESC8 — and now ESC9-15) catalogues template misconfigurations that allow any authenticated user to mint a certificate authenticating as Domain Admin. ESC1 in particular (templates allowing Subject Alternative Name supply by the requester) remains widespread. Fix: audit every certificate template against the Certified Pre-Owned methodology, restrict enrolment, clear the ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag on every template that does not need it, and monitor for certificate enrolment spikes.
6. Unconstrained Kerberos delegation
Any computer or service account configured with unconstrained delegation can capture TGTs for users who authenticate to it — including a domain admin. Servers with unconstrained delegation should not exist in 2026; constrained delegation or resource-based constrained delegation (RBCD) is the modern replacement. Fix: identify every account with the TRUSTED_FOR_DELEGATION flag and migrate or remove.
7. Excessive ACLs on tier-0 objects
Every modification right (WriteDACL, WriteOwner, GenericAll, ForceChangePassword) on a tier-0 object is a path to domain admin. Operational sprawl over the years grants these to help-desk groups, automation accounts, decommissioned application service accounts, and former employees. BloodHound visualises the resulting graph in seconds. Fix: enumerate, ratify the minimal set of principals that need elevated rights, and aggressively prune.
8. Weak machine account passwords
Machine account passwords are randomly generated by default and rotated automatically. But a machine joined with a pre-set or reused password, or one whose rotation has been disabled, can have a guessable machine secret, and machine accounts are full computer-class principals with their own attack surface. Fix: validate that the machine password rotation policy is enforced and monitor for any account with a machine password older than 30-60 days.
9. SMB signing not enforced and NTLM relay
SMB signing not enforced + IPv6 unmanaged + LLMNR/NBT-NS unfiltered = NTLM relay paradise. An attacker on the LAN poisons name resolution, captures NTLMv2 hashes, and relays them to any unsigned SMB server (or LDAP, if signing is also off there) for code execution. Fix: enforce SMB signing globally, disable LLMNR and NBT-NS via group policy, and enable LDAP signing and channel binding on domain controllers.
10. Print Spooler and PetitPotam-class coercion
The Print Spooler service, the EFS RPC interface (PetitPotam) and several other RPC interfaces can be coerced into authenticating outbound to an attacker-controlled host. Combined with NTLM relay or AD CS ESC8, that authentication gives the attacker domain control. Fix: disable Print Spooler on domain controllers, patch known coercion CVEs, restrict outbound connections from DCs and apply Extended Protection for Authentication on AD CS web endpoints.
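An added PowerShell audit, not code from the article, that flags the account-level conditions behind paths 1, 2, 4, 6 and 8 above in one pass. It assumes the RSAT ActiveDirectory module; the age thresholds are assumptions matched to the cadences stated in those sections.

```powershell
# Added example, not from the original article: enumerate the account-level
# misconfigurations behind attack paths 1, 2, 4, 6 and 8. Requires the RSAT
# ActiveDirectory module; the age thresholds are assumptions, tune to policy.
Import-Module ActiveDirectory

# userAccountControl bits (schema-defined constants)
$DONT_REQ_PREAUTH       = 0x400000   # AS-REP roastable
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$BitMatch = '1.2.840.113556.1.4.803' # LDAP bitwise-AND matching rule

$ServicePwdMaxAge = (Get-Date).AddYears(-1)  # SPN accounts: rotated within a year
$MachinePwdMaxAge = (Get-Date).AddDays(-60)  # machine accounts: 30-60 day window
$KrbtgtMaxAge     = (Get-Date).AddYears(-1)  # KRBTGT: annual-minimum cadence

function Get-PwdDate($obj) { [datetime]::FromFileTime($obj.pwdLastSet) }
function New-Finding($category, $obj, $detail) {
    [pscustomobject]@{ Category = $category; Account = $obj.SamAccountName; Detail = $detail }
}

function Get-AdAccountFindings {
    # 2. AS-REP roasting: pre-authentication disabled
    Get-ADUser -LDAPFilter "(userAccountControl:$($BitMatch):=$DONT_REQ_PREAUTH)" |
        ForEach-Object { New-Finding 'AS-REP roastable' $_ 'DONT_REQ_PREAUTH set' }
    # 1. Kerberoasting: user accounts carrying an SPN whose password is stale
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' -Properties pwdLastSet |
        Where-Object { (Get-PwdDate $_) -lt $ServicePwdMaxAge } |
        ForEach-Object { New-Finding 'Kerberoastable, stale password' $_ "pwdLastSet $(Get-PwdDate $_)" }
    # 6. Unconstrained delegation on any account (DCs appear here by design)
    Get-ADObject -LDAPFilter "(userAccountControl:$($BitMatch):=$TRUSTED_FOR_DELEGATION)" -Properties samAccountName |
        ForEach-Object { New-Finding 'Unconstrained delegation' $_ $_.ObjectClass }
    # 8. Machine account password not rotated
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties pwdLastSet |
        Where-Object { (Get-PwdDate $_) -lt $MachinePwdMaxAge } |
        ForEach-Object { New-Finding 'Stale machine password' $_ "pwdLastSet $(Get-PwdDate $_)" }
    # 4. Golden Ticket exposure: KRBTGT outside the rotation cadence
    $krbtgt = Get-ADUser krbtgt -Properties pwdLastSet
    if ((Get-PwdDate $krbtgt) -lt $KrbtgtMaxAge) {
        New-Finding 'KRBTGT rotation overdue' $krbtgt "pwdLastSet $(Get-PwdDate $krbtgt)"
    }
}

Get-AdAccountFindings | Sort-Object Category, Account | Format-Table -AutoSize
```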
A real Mandiant 2024 finding
Mandiant's public M-Trends 2024 report reports that the median dwell time for financial services intrusions remains in the days-to-weeks band, with identity compromise (Active Directory and federated identity) as the dominant lateral movement and privilege escalation vector. The financial services case studies in the report repeatedly show the same pattern — initial access through phishing or vendor compromise, followed within days by AD reconnaissance, Kerberoasting, ACL abuse and DCSync. The exact statistics and case studies are best read directly in the published M-Trends report rather than summarised here.
A BloodHound walkthrough
BloodHound is the AD attack-path graph visualiser. Defenders should run it on their own AD as a routine assessment — what BloodHound shows you, attackers will see within hours of initial access. The standard workflow:
- Run SharpHound (the collector) from a domain-joined host with a least-privilege user — produces JSON files
- Import into BloodHound (the GUI), let it ingest
- Run the built-in analytics queries — Shortest Paths to Domain Admin, Shortest Paths to High Value Targets, Kerberoastable Users
- Document each path, identify the minimum set of edge removals that breaks the most paths
- Re-run after remediation to validate path closure
For most Malaysian banks the first BloodHound run reveals 5-15 distinct shortest paths to Domain Admin. Closing the top 3 typically eliminates 60-80% of the graph.
Hardening priority list
In execution order — earliest items deliver the biggest blast-radius reduction per unit of effort.
- Audit and rotate every service-account password to 25+ character random secrets; migrate to gMSAs where supported
- Enumerate and prune DCSync rights — only Tier-0 sync mechanisms keep them
- Audit AD CS templates against Certified Pre-Owned methodology; remediate any ESC-class finding
- Rotate KRBTGT twice (annual minimum) and document the cadence as policy
- Identify and remove unconstrained delegation; migrate to constrained or RBCD
- Run BloodHound; pick the top 5 shortest paths and break each by ACL pruning
- Enforce SMB signing, LDAP signing, LDAP channel binding; disable LLMNR and NBT-NS
- Disable Print Spooler on DCs; patch all known coercion CVEs
- Remove the “do not require Kerberos pre-authentication” flag from every account that does not need it
- Implement a tiered admin model (Tier-0/1/2) — domain admins only log in to Tier-0 jump hosts
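An added PowerShell verification for the relay-hardening and Print Spooler items in the list above, not code from the article. It is meant to run elevated on a domain controller and assumes the documented "require" registry values (LDAPServerIntegrity=2, LdapEnforceChannelBinding=2, EnableMulticast=0, NetbiosOptions=2) as the expected state.

```powershell
# Added example, not from the original article: check the relay-hardening
# settings from the priority list on the DC it runs on. Expected values are
# the documented "require/disable" settings for each control.
function Get-RegDword($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $null } else { $item.$name }
}

function Test-RelayHardening {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dnsc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $checks = @(
        @{ Name = 'SMB server signing required';                    Actual = (Get-SmbServerConfiguration).RequireSecuritySignature; Expected = $true }
        @{ Name = 'SMB client signing required';                    Actual = (Get-SmbClientConfiguration).RequireSecuritySignature; Expected = $true }
        @{ Name = 'LDAP signing required (LDAPServerIntegrity=2)';  Actual = Get-RegDword $ntds 'LDAPServerIntegrity';       Expected = 2 }
        @{ Name = 'LDAP channel binding always (LdapEnforceChannelBinding=2)'; Actual = Get-RegDword $ntds 'LdapEnforceChannelBinding'; Expected = 2 }
        @{ Name = 'LLMNR disabled (EnableMulticast=0)';             Actual = Get-RegDword $dnsc 'EnableMulticast';            Expected = 0 }
        @{ Name = 'Print Spooler disabled';                         Actual = (Get-Service Spooler).StartType;                 Expected = 'Disabled' }
    )
    # NBT-NS is configured per interface: every interface must have NetbiosOptions = 2
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions }
    $nbtBad = @($nbt | Where-Object { $_ -ne 2 }).Count
    $checks += @{ Name = 'NBT-NS disabled on all interfaces (NetbiosOptions=2)'; Actual = "$nbtBad interface(s) still enabled"; Expected = '0 interface(s) still enabled' }

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $c.Actual) { 'not set' } else { "$($c.Actual)" }
            Expected = "$($c.Expected)"
            Pass     = ("$($c.Actual)" -eq "$($c.Expected)")
        }
    }
}

Test-RelayHardening | Format-Table -AutoSize
```

A value reported as "not set" means the control is at its default (not enforced), which fails the check just as an explicit weak value does.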
AD CS gotchas (read this twice)
AD CS is currently the highest-leverage AD attack surface and is rarely well-administered. Two specific gotchas trip up Malaysian banks repeatedly:
- Templates with EDITF_ATTRIBUTESUBJECTALTNAME2 set on the CA itself — every template is then exploitable. Disable this flag.
- NTLM Relay to AD CS HTTP enrolment endpoints (ESC8) — enable Extended Protection for Authentication and require channel binding.
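The template audit and the CA-level flag check from the two gotchas above, as an added PowerShell example that is not code from the article. It reads the templates and enrolment services from the Configuration partition, reports published templates meeting the ESC1 conditions, and queries each CA's EditFlags through certutil. It assumes the RSAT ActiveDirectory module and certutil; the list of broad groups is an assumption to extend per environment.

```powershell
# Added example, not from the original article: report published templates that
# meet the ESC1 conditions, and CAs with EDITF_ATTRIBUTESUBJECTALTNAME2 set.
# Requires the RSAT ActiveDirectory module and certutil; the broad-group list
# is an assumption, extend it for your environment.
Import-Module ActiveDirectory
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag bit (manager approval)
$EnrollRight = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AuthEkus    = '1.3.6.1.5.5.7.3.2','1.3.6.1.4.1.311.20.2.2','1.3.6.1.5.2.3.4','2.5.29.37.0'
$BroadGroups = 'Domain Users','Domain Computers','Authenticated Users','Everyone','Users'
$PkiDn = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

function Get-EnrollmentServices {
    Get-ADObject -SearchBase "CN=Enrollment Services,$PkiDn" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates,dNSHostName
}

function Get-Esc1Templates {
    $published = Get-EnrollmentServices | ForEach-Object { $_.certificateTemplates }  # only published templates are enrollable
    $props = 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage','nTSecurityDescriptor'
    foreach ($t in Get-ADObject -SearchBase "CN=Certificate Templates,$PkiDn" -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props) {
        if ($published -notcontains $t.Name) { continue }
        $suppliesSan  = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $noApproval   = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
        $noSignature  = -not $t.'msPKI-RA-Signature'
        $ekus = @($t.pKIExtendedKeyUsage)
        $authEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })  # empty EKU = any purpose
        $broadEnroll = @($t.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType.ToString() -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty) -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($BroadGroups -contains $_.IdentityReference.Value.Split('\')[-1])
        })
        if ($suppliesSan -and $noApproval -and $noSignature -and $authEku -and $broadEnroll.Count -gt 0) {
            [pscustomobject]@{ Template = $t.Name; EnrollableBy = ($broadEnroll.IdentityReference.Value -join ', ') }
        }
    }
}

function Get-CaSanFlag {
    Get-EnrollmentServices | ForEach-Object {
        $out = certutil -config "$($_.dNSHostName)\$($_.Name)" -getreg policy\EditFlags 2>&1 | Out-String
        [pscustomobject]@{ CA = $_.Name; SanFlagSet = ($out -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') }
    }
}

Get-Esc1Templates | Format-Table -AutoSize
Get-CaSanFlag     | Format-Table -AutoSize
```

A CA row with SanFlagSet true makes every template it publishes an ESC6 path regardless of the template result, so treat it as the first item to fix.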
Azure AD (Entra ID) hybrid risks
On-premises AD and Entra ID share more than the casual reader expects. Synchronisation accounts (MSOL_*), seamless SSO computer accounts (AZUREADSSOACC), and Pass-Through Authentication agents are all federation-critical principals. A compromise of any of them collapses the boundary between the on-premises and cloud directory.
Hardening the federation interface is its own programme — enforce phishing-resistant MFA on all Entra ID Global Admins, restrict the on-premises sync account permissions, and monitor for token theft and primary refresh token abuse using Entra ID risk signals plus Microsoft Defender for Identity.
For execution: see our Active Directory security assessment service, intelligence-led penetration testing, and our RMiT compliance practice.