
Active Directory Attack Assessment

Single and multi-forest Active Directory penetration testing using real attacker TTPs — Kerberoasting, BloodHound path analysis, DCSync, delegation abuse, and full Entra ID hybrid identity exploitation. CREST-certified, OSCP/OSEP, CRTE/CRTP. Toronto, Canada.

Why Active Directory Security Matters

Active Directory Is the Target. Your Defences Should Know It.

Over 90% of Fortune 1000 enterprises rely on Active Directory for identity and access management. Attackers know it intimately. In every red team engagement we run, the path from a standard domain user account to Domain Admin passes through at least one exploitable AD misconfiguration — often within hours. Our Active Directory penetration testing methodology treats your environment the way a real threat actor would: systematically mapping trust relationships, enumerating permissions, and chaining weaknesses to full domain compromise.

15+: Years of offensive security experience
100%: Principal-led — no junior staff handoffs
CRTE / CRTP: Specialist Active Directory attack certifications held
CREST: Internationally recognised penetration testing standard

Arturs Stay, principal consultant at Cyber Security Pentesting Inc., holds the CRTE (Certified Red Team Expert) and CRTP (Certified Red Team Professional) credentials alongside CREST certification and OSCP/OSEP — a combination purpose-built for complex AD environments. Every assessment is delivered by the principal, not delegated to a junior analyst.

Attack Techniques We Test

The Full Active Directory Attack Surface

We test every technique a motivated adversary would use — mapped to MITRE ATT&CK for Enterprise so your blue team can correlate findings against your detection coverage.

Kerberoasting & AS-REP Roasting
We enumerate service accounts with SPNs and request their Kerberos service tickets for offline cracking. AS-REP roasting targets accounts without pre-authentication required. Both techniques extract crackable hashes without elevated privileges — often the first step toward lateral movement in AD environments with weak password policies.
T1558.003 / T1558.004
DCSync Attacks
By abusing Directory Replication Service privileges, we simulate a rogue domain controller to pull password hashes — including KRBTGT — for any account in the domain. DCSync requires no malware on the DC itself, making it difficult to detect without proper audit logging. We verify whether your SIEM alerts on this replication abuse.
T1003.006
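The Kerberoasting and DCSync sections above both end with the question of whether the technique is detected. The following is an added example of the corresponding detection logic, not tooling from Cyber Security Pentesting Inc.: Kerberoasting is surfaced from Event ID 4769 records with RC4 ticket encryption, DCSync from Event ID 4662 records carrying a directory-replication control-access right. The event field names follow the Windows Security log, and the events, account names and sync-account name are constructed samples.

```python
"""Added example: detection logic for two techniques above, Kerberoasting (Event ID
4769, RC4 service tickets) and DCSync (Event ID 4662, replication rights).
All events below are constructed samples, not real logs."""

# Control-access right GUIDs that grant directory replication (well-known values)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC / RC4-HMAC-EXP ticket encryption types

def dcsync_suspects(events, dc_accounts, sync_accounts):
    """Accounts exercising a replication right in 4662 that are neither a DC nor a known sync account."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props, user = e.get("Properties", "").lower(), e.get("SubjectUserName", "")
        if any(g in props for g in REPLICATION_GUIDS) and user not in dc_accounts and user not in sync_accounts:
            hits.append(user)
    return hits

def kerberoast_suspects(events, threshold=3):
    """Users pulling RC4 service tickets for >= threshold distinct service accounts.
    Machine accounts and krbtgt are skipped as a noise-reduction heuristic."""
    per_user = {}
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") not in RC4_ETYPES:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user.setdefault(e.get("TargetUserName", ""), set()).add(svc)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}

# Constructed sample events; "DC01$" is the DC and "MSOL_1a2b3c4d" a hypothetical sync account
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_1a2b3c4d", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "adoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    print(dcsync_suspects(SAMPLE_EVENTS, {"DC01$"}, {"MSOL_1a2b3c4d"}))  # ['jsmith']
    print(kerberoast_suspects(SAMPLE_EVENTS))  # {'jsmith@CORP.LOCAL': ['svc_backup', 'svc_sql', 'svc_web']}
```

Both rules depend on the relevant auditing being enabled: 4662 requires an audit SACL on the domain object for directory service access, and 4769 requires Kerberos service ticket operation auditing on the domain controllers.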
BloodHound Attack Path Analysis
We deploy SharpHound collectors to map every permission relationship in your AD environment and visualise the shortest paths to Domain Admin. BloodHound analysis reveals attack chains that are invisible to manual review — delegated rights, group memberships, session data, and ACL edges that connect a low-privileged user to your crown jewels.
T1069.002 / T1087.002
DACL / ACL Abuse
Discretionary ACL misconfigurations are among the most common and underappreciated AD vulnerabilities. We identify accounts with WriteDACL, GenericAll, GenericWrite, or ForceChangePassword rights over high-value targets — and demonstrate how an attacker can exploit these to take ownership of administrative accounts, OUs, or GPOs without triggering standard alerts.
T1222.001 / T1098
GPO Manipulation
Group Policy Objects applied to OUs containing privileged accounts or systems represent a lateral movement and persistence vector that many organisations overlook. We test whether non-admin accounts can modify, create, or link GPOs to sensitive OUs — and whether such modifications would deploy malicious scripts, disable security controls, or establish persistent backdoors at scale.
T1484.001
Delegation Abuse (Constrained, Unconstrained, RBCD)
Unconstrained delegation allows any service to impersonate any user to any service — a dangerous configuration frequently found on older servers. We test constrained delegation for protocol transition abuse, resource-based constrained delegation (RBCD) for machine account takeover, and S4U2Self/S4U2Proxy chains that enable privilege escalation without user interaction.
T1134.001 / T1558.001
Inter-Forest Trust Attacks
Multi-forest environments create complex trust relationships that attackers actively exploit. We test SID history injection across forest trusts, abuse of bidirectional and transitive trust configurations, and escalation from a child domain to the forest root. Where Selective Authentication is misconfigured, we demonstrate cross-forest resource access that violates intended security boundaries.
T1482 / T1134.005
Golden & Silver Ticket Attacks
With the KRBTGT hash obtained via DCSync, we forge Golden Tickets to authenticate as any user to any service in the domain — independently of actual account states, making them nearly impossible to detect without specific monitoring. Silver Tickets target individual services without touching the KDC, flying under the radar of many detection tools. We validate your ability to detect both.
T1558.001 / T1558.002
Password Spraying & Credential Stuffing
We conduct carefully throttled password spraying campaigns against domain accounts using seasonally relevant and organisation-specific password patterns — without triggering lockout policies. Credential stuffing tests whether corporate accounts reuse passwords exposed in public breaches. Both techniques frequently yield valid domain credentials and validate whether your lockout policy and monitoring are adequate.
T1110.003 / T1110.004
Entra ID (Azure AD) Testing

Hybrid Identity Is a New Attack Surface

Most enterprises run a hybrid Active Directory and Entra ID (formerly Azure AD) environment — and the synchronisation boundary between on-premises and cloud is where attackers increasingly focus. Our Entra ID testing covers the full hybrid attack chain, from on-prem compromise that pivots to cloud administrator, to cloud-native attacks that push back into your internal network.

Hybrid Identity Exploitation
We test the Azure AD Connect server as an attack target — extracting the MSOL account credentials or the ADSync service account to gain Global Administrator privileges in your Entra ID tenant from an on-premises foothold. We also validate the reverse: can cloud compromise pivot back into your on-prem domain through writeback configurations and privileged sync accounts?
PRT Abuse (Primary Refresh Token)
Primary Refresh Tokens are long-lived session tokens issued to Entra ID-joined or hybrid-joined devices. We demonstrate how an attacker with local admin access can extract PRTs from Windows devices using tools such as ROADtoken and use them to authenticate as the device owner — bypassing MFA requirements and gaining access to cloud resources without knowing the user's password.
Conditional Access Policy Bypass
Conditional Access is Entra ID's primary defence against unauthorised access. We test for policy gaps — overly broad named location exclusions, legacy authentication protocol allowances, device compliance bypasses, and authentication strength gaps. Even well-designed Conditional Access policies often contain exceptions that an attacker can route around with the right token or device claim.
Application Consent Attacks
Illicit consent grants allow attackers to register malicious OAuth applications and trick users into granting them access to Microsoft 365 data — including email, files, and contacts. We test your tenant's application registration permissions, admin consent workflow configuration, and user consent policies. We also enumerate existing over-privileged enterprise applications that represent a persistent access risk.
Tooling

Attacker-Grade Tooling, Responsibly Applied

We use the same tools real adversaries use — because a simulation with sanitised tooling does not reflect your actual exposure. Every tool is operated carefully within agreed scope, with full operational logging to support engagement deconfliction.

Impacket
CrackMapExec / NetExec
BloodHound / SharpHound
Rubeus
Certipy (AD CS Attacks)
Mimikatz / pypykatz
ROADtools (Entra ID)
Custom Tooling & Scripts

AD CS (Active Directory Certificate Services) vulnerabilities — including ESC1 through ESC8 and beyond — are tested where certificate services are deployed. Certipy enables us to identify misconfigured certificate templates, vulnerable CA permissions, and relay attack opportunities that can yield domain compromise via crafted certificate requests. This attack surface is frequently overlooked in traditional AD assessments.

Deliverables

What You Receive After the Assessment

Every Active Directory security assessment produces a structured report designed to drive remediation — not just fill a compliance checkbox.

Executive Summary
Board-ready narrative covering business risk, key findings, and strategic recommendations — written without jargon for CISO and executive audiences.
Technical Findings Report
Every vulnerability documented with proof-of-concept evidence, CVSS scoring, MITRE ATT&CK mapping, and step-by-step reproduction instructions.
Prioritised Remediation Roadmap
Findings sequenced by exploitability and business impact, with fix guidance your IT and security teams can act on immediately.
BloodHound Attack Path Maps
Visualised attack paths from unprivileged entry points to domain compromise — shared as queryable BloodHound data and annotated diagrams for your remediation team.
Detection Guidance
For each technique exercised, we include recommended Sigma rules, Windows Event ID references, and SIEM query suggestions to improve your detection coverage.
Debrief Session
A structured walkthrough of findings with your technical and leadership teams — including Q&A — to ensure every finding is understood and remediation ownership is clear.
References & Standards

Assessment Framework & Authoritative Sources

Our Active Directory security assessment methodology is grounded in the most authoritative public research and industry frameworks available.

[1] MITRE ATT&CK for Enterprise
The definitive framework for adversary tactics, techniques, and procedures. Every finding in our AD assessments is mapped to the relevant ATT&CK technique ID — enabling your blue team to validate detection coverage against the specific attack paths we exercised.
attack.mitre.org
[2] AD Security Blog — Sean Metcalf (adsecurity.org)
Sean Metcalf's adsecurity.org is the most comprehensive public resource on Active Directory attack and defence techniques. His research on Golden Tickets, DCSync, Kerberoasting, and delegation abuse has directly shaped how the security industry understands AD as an attack surface.
adsecurity.org
[3] SpecterOps BloodHound Documentation
The authoritative reference for BloodHound attack path analysis — covering graph traversal methodology, supported edge types, and how to interpret and act on attack path data. SpecterOps, the creators of BloodHound, continue to expand the tool's coverage of AD and Entra ID attack paths.
bloodhound.readthedocs.io
[4] Microsoft Security Documentation — Active Directory and Entra ID
Microsoft's official security guidance for Active Directory hardening, Entra ID Conditional Access design, Privileged Identity Management, and hybrid identity architecture. We reference this documentation to validate remediation guidance and ensure our recommendations align with Microsoft's supported configuration options.
learn.microsoft.com/en-us/security/
Related Services

Extend Your Security Coverage

Active Directory sits at the centre of your identity infrastructure — but attackers rarely stay within a single attack surface. These related services complement your AD assessment.

Get Started
Request an AD Security Assessment

Tell us about your Active Directory environment — forest count, trust relationships, Entra ID integration, and your primary concerns. We will scope an assessment designed to answer the questions that matter most to your organisation.
