Threat groups tracked by CrowdStrike that actively target Active Directory infrastructure.
APT29 · Midnight Blizzard · The Dukes · Nobelium
Russian SVR intelligence group known for stealthy, long-term espionage operations. Pioneered Golden SAML attacks during SolarWinds and leverages AD FS token-signing certificate theft for persistent cloud access.
8 techniques
APT28 · Sofacy · Forest Blizzard · Strontium
Russian GRU military intelligence unit targeting government, military, and critical infrastructure. Known for credential harvesting via NTLM relay, Pass-the-Hash campaigns, and brute-force attacks against AD and Entra ID.
7 techniques
Sandworm · IRIDIUM · Seashell Blizzard · TeleBots
Russian GRU Unit 74455 responsible for the most destructive cyber attacks in history. Uses EternalBlue, GPO-based payload deployment, and AD credential dumping for domain-wide destruction.
8 techniques
Turla · Snake · Secret Blizzard · Uroburos
Russian FSB group conducting highly sophisticated espionage with advanced AD persistence techniques including custom backdoors.
5 techniques
APT41 · Brass Typhoon · Winnti · Double Dragon
Chinese dual-purpose group conducting both state-sponsored espionage and financially motivated operations. Uses Kerberoasting, shadow admin account creation, and supply chain access for persistent AD compromise.
8 techniques
Bronze President · Earth Preta · Twill Typhoon · RedDelta
Chinese espionage group targeting government and NGO organizations with credential theft and AD enumeration for lateral movement.
4 techniques
APT3 · UPS · Buckeye · TG-0110
Chinese MSS-affiliated group known for exploiting Windows and AD vulnerabilities for credential harvesting and lateral movement.
5 techniques
APT34 · OilRig · Hazel Sandstorm · EUROPIUM
Iranian threat group targeting Middle Eastern organizations with AD credential theft, Kerberoasting, and domain enumeration.
5 techniques
Fox Kitten · Parisite · UNC757
Iranian group specializing in VPN exploitation for initial access, followed by AD credential harvesting and lateral movement.
5 techniques
Lazarus Group · Diamond Sleet · ZINC · Hidden Cobra
North Korean state group known for financially motivated attacks and espionage. Uses credential dumping, lateral movement via SMB, and AD exploitation to deploy ransomware and exfiltrate data from compromised domains.
7 techniques
Gold Blackburn · ITG23 · FIN12 · Trickbot Group
Prolific eCrime group behind Conti, Ryuk, and TrickBot. Pioneered BloodHound-based AD reconnaissance at scale, combining Kerberoasting, DCSync, and GPO-based ransomware deployment for domain-wide encryption.
8 techniques
Evil Corp · Gold Drake · Manatee Tempest
Sanctioned Russian cybercrime group (Evil Corp) behind Dridex and WastedLocker, using AD compromise for domain-wide ransomware deployment.
5 techniques
FIN7 · Gold Niagara · Sangria Tempest
Sophisticated eCrime group combining financial fraud with ransomware. Uses Kerberoasting, AD enumeration, and PowerShell-based attack tooling for privilege escalation and lateral movement across enterprise AD environments.
7 techniques
Octo Tempest · Star Fraud · 0ktapus · UNC3944
Young, English-speaking group known for social engineering, SIM swapping, MFA fatigue attacks, and aggressive AD/Entra ID compromise. Targets Okta and Entra ID federated with on-prem AD for maximum impact.
7 techniques
BlackCat · ALPHV · Noberus
Ransomware-as-a-Service operation with sophisticated AD attack playbook. Uses GPO-based ransomware deployment, Kerberoasting, DCSync, and cross-platform Rust-based payloads for domain-wide encryption.
7 techniques
LAPSUS$ · Strawberry Tempest
Notorious data extortion group known for MFA fatigue attacks, SIM swapping, and targeting Okta/Entra ID to compromise federated AD environments. Focused on data theft and public embarrassment over ransomware.
6 techniques