Active Directory Penetration Testing & Hardening

Active Directory wasn't designed for the modern threat model — it was designed for trust. Two decades of accumulated ACLs, nested group memberships, service accounts with SPNs and weak passwords, and ADCS templates with subtle permission grants all add up to attack paths nobody documented. The assessment makes those paths visible.

What we test: Kerberoasting against service accounts with SPNs (T1558.003), AS-REP roasting against accounts with pre-auth disabled (T1558.004), ACL abuse via WriteOwner / WriteDACL / GenericAll on tier-zero objects, GPO weaponization where a low-privilege user can modify a policy applied to higher-tier systems, ADCS exploitation across the documented ESC1-ESC16 patterns, unconstrained / constrained / RBCD delegation abuse, BloodHound path analysis to identify every route from low-privilege user to Domain Admin, and DCSync / DCShadow capability validation for accounts that have replication rights.

The headline deliverable is a path-to-Domain-Admin write-up: the actual narrative of how a starting low-privilege user became Domain Admin in your environment, with screenshots and command logs at each step. Even if there is more than one path (there usually is), we document the cleanest two or three so your team can prioritize remediation.

Paired with the attack narrative is a prioritized hardening roadmap: specific registry keys to change, GPOs to deploy, ACLs to revoke, ADCS templates to remove or restrict, service account password policies, tier-zero isolation patterns (the Microsoft tier model adapted to your environment), and Kerberos hardening (AES-only, no RC4, FAST). Every recommendation maps to the finding that motivated it, and every finding maps to a MITRE ATT&CK technique ID so your SOC / EDR team can write detections in parallel.

AD pentests touch the tactics that matter most to defenders: initial access (T1078 valid accounts, T1133 external remote services), credential access (T1558 Kerberos abuse, T1003 OS credential dumping), privilege escalation (T1548, T1134), defense evasion (T1550 alternate auth), persistence (T1098 account manipulation, T1078 valid accounts), and lateral movement (T1021 remote services). The report is structured around the ATT&CK tactic chain so your detection team can validate each tactic in their SIEM. For broader ATT&CK validation, see MITRE ATT&CK assessments.

See our Active Directory pentest case study for the full path-to-DA narrative — Kerberoasting, ADCS ESC1 abuse, lateral movement via SMB, and the hardening roadmap that closed the chain. This is the depth of reporting and analysis you should expect on every engagement.

AD assessments served from Macon, GA, with clients across Atlanta, Savannah, and nationwide. For the broader pentest program, see our penetration testing services.