How Attackers Can Achieve a DoS Attack in Microsoft Active Directory

In this blog, we explore how attackers can exploit a limitation in Active Directory (AD) Security Identifiers (SIDs) to lock users out of the domain without requiring administrative privileges. By overloading a user’s access token with group memberships, attackers can target any user—including Domain Admins—resulting in a Denial of Service (DoS) event.

Purpose:

To demonstrate how attackers can leverage an existing security issue to initiate a DoS attack on users within a Microsoft Domain Active Directory environment.

Summary

This vulnerability impacts Microsoft Active Directory users. While reported responsibly, Microsoft declined to patch it, categorizing it as less than “critical” or “severe,” and argued that it is more of a policy issue—since domain administrators control group creation—than a technical flaw.

Pentera is releasing this information to the broader security community due to our concern that Microsoft’s assessment underestimates the risk. This issue contradicts the principle of least privilege: a user with minimal permissions to create groups should not be able to impact domain-wide access. Even when Domain Admins grant a user the ability to create groups, there is an expectation of sufficient restrictions to prevent such an attack.

We believe this is fundamentally a technical issue, as the software should enforce restrictions that prevent users from performing actions beyond their intended permissions.

What is the attack?

Upon login, the Domain Controller generates an access token that includes all Security Identifiers (SIDs) for the groups a user belongs to. If this SID count exceeds a certain limit (usually 1,024), the login will fail.

The identified vulnerability allows an attacker to assign a user to enough groups to exceed this SID limit. When the user next attempts to log in, the system fails to generate the access token, resulting in a login failure. This effectively locks out users—including Domain Admins—causing significant downtime and disruption.

In all Microsoft AD environments, the “Domain Users” group is a default group. By targeting this group, an attacker can add “Domain Users” to enough security groups to exceed the SID threshold, leading to a DoS for the entire domain and locking out every user.

This vulnerability is particularly impactful for enterprises with large domains, as they may have shadow admin accounts that can be exploited for this attack.

Does it apply to my organization?

This vulnerability is most relevant for enterprises with large numbers of domain users or shadow admins.

Who should read this article?

This article is especially pertinent to CISOs and blue team members.

Conclusion

Read the full article to understand the attack in detail, along with suggested mitigation steps and scripts for effective prevention.