Prompt Details
Model
(claude-4-6-sonnet)
Token size
408
Example input
Account type [e.g. Domain Admin, Service Account, Database Admin, Cloud Root Account, CI/CD Pipeline Account]: Domain Admin
Environment [e.g. on-premise Active Directory, AWS, Azure, hybrid, Kubernetes]: On-premise Active Directory
Classification [CRITICAL]: Critical
Example output
CASE 01
Domain Admin — On-Premise AD
CRITICAL
account:
Domain Admin
environment:
On-premise Active Directory
Risk Profile
Domain Admin accounts represent the highest-value target in any on-premise environment. Full control over all domain objects, GPOs, and trust relationships makes compromise equivalent to total organizational takeover.
Pass-the-Hash
DCSync Attack
Golden Ticket
Lateral Movement
Top Vulnerabilities
Permanent membership in Domain Admins group — no JIT access enforced
LIKELIHOOD: HIGH
IMPACT: CRITICAL
[CRITICAL]
No session recording — privileged actions unauditable post-incident
LIKELIHOOD: HIGH
IMPACT: CRITICAL
[CRITICAL]
Credentials reused across multiple admin accounts — one compromised password (or its NTLM hash) unlocks every account that shares it
LIKELIHOOD: MEDIUM
IMPACT: CRITICAL
[CRITICAL]
No tiered admin model — DA used for routine administrative tasks
LIKELIHOOD: HIGH
IMPACT: HIGH
Interactive logon to non-privileged workstations — credential exposure risk
LIKELIHOOD: MEDIUM
IMPACT: HIGH
Compliance Gaps
NIST 800-53
AC-6, AC-17 likely non-compliant
▲ JIT not implemented
CIS Controls
Control 5 — Admin privileges gap
▲ No tiered model
ISO 27001
A.12.4.3 (2013 numbering; A.8.15 Logging in the 2022 edition) — administrator and operator logs missing
▲ No session logs
Hardening Controls
01
Implement JIT access via CyberArk — DA rights expire after 1 hour
02
Enable PSM session recording for all privileged sessions
03
Enforce MFA on all DA accounts — FIDO2 hardware key required
04
Deploy tiered admin model — Tier 0/1/2 separation
05
Rotate DA credentials every 24h via automated vault rotation
Detection & Response
🔴
DCSync replication requests from non-DC sources (Event ID 4662 with the DS-Replication-Get-Changes / -Get-Changes-All control access rights, SubjectUserName not a DC computer account)
THRESHOLD: Any occurrence → immediate alert
🟠
DA logon outside PAM vault or approved PAW
THRESHOLD: 1 occurrence → P1 incident
🟡
After-hours GPO modifications by DA account (Event ID 5136 on a groupPolicyContainer object)
THRESHOLD: Any → SOC review within 15 min
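The three detection use cases above, written out as runnable rules. This is an added example, not part of the prompt's output: toy Python detections run over constructed Windows Security events (4662 object access, 4624 logon, 5136 directory object modified). The DC names, PAW names, proxy IP, admin account names and business hours are assumed values; the event IDs and the replication-right GUIDs are the real Active Directory ones. The allowlist entry shows the usual false positive for the DCSync rule: an Azure AD Connect sync account legitimately holds replication rights.

```python
"""Toy SIEM rules for the three Detection & Response cases above.

Events are dicts carrying the named fields of Windows Security events
4662 (object access), 4624 (logon) and 5136 (directory object modified).
Every host, IP, account name and sample event below is constructed.
"""
from datetime import datetime, time

# Environment facts: hypothetical values assumed for this example.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}          # computer accounts of the real DCs
REPLICATION_ALLOWLIST = {"MSOL_1a2b3c4d"}        # e.g. an Azure AD Connect sync account
DOMAIN_ADMINS = {"da-jsmith", "da-mlee"}
APPROVED_PAWS = {"PAW01", "PAW02"}               # WorkstationName of approved PAWs
PAM_PROXY_IPS = {"10.0.9.5"}                     # source IP of the vault's session proxy
BUSINESS_HOURS = (time(8, 0), time(18, 0))       # Monday to Friday
INTERACTIVE_LOGON_TYPES = {"2", "7", "10", "11"}  # console, unlock, RDP, cached

# Control-access-right GUIDs that appear in the Properties field of a 4662
# event when directory replication (what DCSync abuses) is requested.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

def is_after_hours(ts):
    """True on weekends or outside BUSINESS_HOURS; accepts an ISO string or a datetime."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)

def detect_dcsync(events):
    """Red: replication rights used by anything but a DC or an allowlisted sync account."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        actor = e["SubjectUserName"]
        if actor in DOMAIN_CONTROLLERS or actor in REPLICATION_ALLOWLIST:
            continue
        if any(guid in props for guid in REPLICATION_RIGHTS):
            alerts.append({"severity": "CRITICAL", "rule": "dcsync-from-non-dc",
                           "account": actor, "time": e["TimeCreated"]})
    return alerts

def detect_da_logon(events):
    """Orange: interactive DA logon from neither an approved PAW nor the PAM proxy.
    Network logons (type 3) are deliberately left out; they need their own tuning."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
            continue
        user, host, ip = e["TargetUserName"], e.get("WorkstationName"), e.get("IpAddress")
        if user in DOMAIN_ADMINS and host not in APPROVED_PAWS and ip not in PAM_PROXY_IPS:
            alerts.append({"severity": "P1", "rule": "da-logon-outside-paw-or-pam",
                           "account": user, "source": host or ip, "time": e["TimeCreated"]})
    return alerts

def detect_afterhours_gpo(events):
    """Yellow: a GPO container modified by a DA outside business hours."""
    alerts = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("ObjectClass") != "groupPolicyContainer":
            continue
        actor = e["SubjectUserName"]
        if actor in DOMAIN_ADMINS and is_after_hours(e["TimeCreated"]):
            alerts.append({"severity": "SOC-REVIEW", "rule": "afterhours-gpo-change",
                           "account": actor, "object": e["ObjectDN"], "time": e["TimeCreated"]})
    return alerts

def run_rules(events):
    return detect_dcsync(events) + detect_da_logon(events) + detect_afterhours_gpo(events)

# Constructed sample log. 2024-03-11 is a Monday, 2024-03-09 a Saturday.
REPL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
GPO = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-03-11T02:15:00", "SubjectUserName": "DC02$", "Properties": REPL},
    {"EventID": 4662, "TimeCreated": "2024-03-11T02:15:05", "SubjectUserName": "MSOL_1a2b3c4d", "Properties": REPL},
    {"EventID": 4662, "TimeCreated": "2024-03-11T02:16:30", "SubjectUserName": "svc-backup", "Properties": REPL},
    {"EventID": 4624, "TimeCreated": "2024-03-11T09:05:00", "TargetUserName": "da-jsmith",
     "WorkstationName": "PAW01", "IpAddress": "10.0.5.21", "LogonType": "10"},
    {"EventID": 4624, "TimeCreated": "2024-03-11T09:10:00", "TargetUserName": "da-mlee",
     "WorkstationName": "", "IpAddress": "10.0.9.5", "LogonType": "10"},
    {"EventID": 4624, "TimeCreated": "2024-03-11T09:30:00", "TargetUserName": "da-jsmith",
     "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.0.7.44", "LogonType": "10"},
    {"EventID": 4624, "TimeCreated": "2024-03-11T09:31:00", "TargetUserName": "jdoe",
     "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.0.7.44", "LogonType": "2"},
    {"EventID": 4624, "TimeCreated": "2024-03-11T09:32:00", "TargetUserName": "da-jsmith",
     "WorkstationName": "FS01", "IpAddress": "10.0.5.21", "LogonType": "3"},
    {"EventID": 5136, "TimeCreated": "2024-03-11T14:00:00", "SubjectUserName": "da-jsmith",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO},
    {"EventID": 5136, "TimeCreated": "2024-03-11T23:40:00", "SubjectUserName": "da-jsmith",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO},
    {"EventID": 5136, "TimeCreated": "2024-03-09T10:00:00", "SubjectUserName": "da-mlee",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO},
]
```

Against the constructed log, `run_rules(SAMPLE_EVENTS)` raises four alerts: one CRITICAL for `svc-backup` pulling replication data (the DC-to-DC and allowlisted sync-account requests are silent), one P1 for `da-jsmith` logging on to an ordinary finance workstation rather than a PAW or through the PAM proxy, and two SOC-review items for GPO edits at 23:40 on a weekday and at 10:00 on a Saturday. The type-3 network logon from the DA is intentionally not flagged; in a real deployment that needs a separate rule with its own baseline, or it drowns the PAW rule in share-mapping noise.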
Generate a complete privileged account risk assessment for any account type and environment. Covers risk profiling, vulnerability analysis, compliance gaps, hardening controls, and SIEM detection use cases — ready to present to your CISO or audit team.
Added 3 days ago
