The UK’s National Cyber Security Centre (NCSC) defines Tier 0 as “the root of trust all other administration relies upon.” For Active Directory, this includes privileged accounts (such as Domain Admins) and domain controllers (DCs). A medieval Tier 0 analogy is that of a kingdom’s castle keep, where the king and his trusted advisors safely reside. If a threat actor gains control of a Tier 0 asset, they have control of Active Directory (or potentially the kingdom). But Tier 0 in AD encompasses more than just Domain Admins and DCs. What about the ability to change permissions on the AD containers that hold privileged accounts or DCs? What about control of Group Policy Objects (GPOs) that are linked, or can be linked, to a privileged object or container? What about the Azure AD Connect server and the service account it uses to sync users to Azure AD, which holds directory replication rights equivalent to a DC? These are all potential AD attack paths, and there are more.
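The three control points raised above (permissions on the containers that hold DCs and privileged accounts, GPOs linked to those containers, and the Azure AD Connect sync account) can be enumerated from any domain-joined machine with RSAT installed. The script below is an added example, not code from the original post or from the NCSC; it assumes the ActiveDirectory and GroupPolicy PowerShell modules are available, that the hypothetical `$expected` list reflects the principals your organisation allows to hold write rights on Tier 0 objects, and that the Azure AD Connect account follows the default `MSOL_<hex>` naming convention.

```powershell
# Added example (not from the original post): list non-default principals with
# write, owner or DACL rights on Tier 0 containers and DC-linked GPOs, then
# locate the Azure AD Connect sync account. Read-only; safe to run as a domain user.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain        = Get-ADDomain
$dcOu          = $domain.DomainControllersContainer
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Assumption: these are the only principals expected to hold write rights on
# Tier 0 objects in this forest. Adjust to your own delegation model.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)

# Rights that let a principal take over the object or rewrite its ACL.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

function Get-UnexpectedWriteAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The AD: drive is created by Import-Module ActiveDirectory.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

# 1. Who can change permissions on the containers that hold DCs and privileged
#    accounts? AdminSDHolder is the ACL template re-applied to protected groups.
Write-Host "== Unexpected write ACEs on Tier 0 containers =="
Get-UnexpectedWriteAce -DistinguishedName $dcOu
Get-UnexpectedWriteAce -DistinguishedName $adminSdHolder

# 2. Which GPOs reach the DCs (including links inherited from the domain root),
#    and who can edit them? Editing a DC-linked GPO is equivalent to DC control.
Write-Host "== GPOs applied to the Domain Controllers OU =="
foreach ($link in (Get-GPInheritance -Target $dcOu).InheritedGpoLinks) {
    $gpo   = Get-GPO -Guid $link.GpoId
    $gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"
    Get-UnexpectedWriteAce -DistinguishedName $gpoDn |
        Select-Object @{ n = 'GPO'; e = { $gpo.DisplayName } }, Principal, Rights, Inherited
}

# 3. The Azure AD Connect sync account. Assumption: default MSOL_<hex> naming;
#    a renamed account must be found via its DS-Replication-Get-Changes rights.
Write-Host "== Azure AD Connect sync accounts =="
Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties Description |
    Select-Object SamAccountName, Enabled, Description
```

Anything the script prints under the first two headings is a principal outside the Tier 0 administrative set that can rewrite a Tier 0 object or its ACL, and therefore a candidate attack path to review. The MSOL_ query only covers the default account name; if the sync account was renamed, enumerate principals holding replication rights on the domain head instead.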