Written by: Mahidhar Adarsh, IT security team, ManageEngine Updated on July 2025
What is AD pentesting
AD pentesting methodology
Common AD vulnerabilities
Security risks of unresolved findings
Monitoring with ADAudit Plus
FAQ
What is Active Directory pentesting
Active Directory pentesting is an authorized simulation of real attacks against your AD infrastructure. You're trying to find exploitable weaknesses before adversaries do, chaining vulnerabilities together into full attack paths that show how an attacker moves from initial foothold to domain admin.
A typical AD pentest covers domain controllers, user accounts, service accounts, Group Policy Objects, trust relationships, delegation settings, and credential hygiene across the environment. The difference between this and a vulnerability scan is worth understanding clearly. A scanner identifies individual weaknesses in isolation. A pentester chains them together.
A scanner might flag a weak service account password. A pentester cracks that password, uses it to move laterally, escalates privileges through misconfigured delegation, and compromises the entire domain. Same weakness, vastly different story.
Organizations pentest AD because it remains the most targeted identity system in enterprise breaches. Compliance requirements reinforce this: PCI-DSS Requirement 11.3 requires periodic penetration testing of the cardholder data environment, and ISO 27001 control A.12.6 calls for technical vulnerability management including testing.
AD pentesting methodology
A structured AD pentest progresses through four phases. Each phase builds on information or access gained in the previous one.
Phase 1: Reconnaissance and enumeration
Reconnaissance begins before the pentester has any credentials. The goal is to map the AD environment, identify naming conventions, discover accounts, and understand trust relationships.
Passive reconnaissance involves gathering information without directly interacting with the target domain: OSINT, DNS record enumeration, and LinkedIn employee discovery for username pattern identification.
Active reconnaissance involves direct interaction: network scanning with Nmap, LDAP enumeration, SMB enumeration, and SPN discovery. Tools like Kerbrute validate usernames against the domain without triggering account lockouts. BloodHound and SharpHound map attack paths by ingesting AD relationship data and visualizing the shortest path from any compromised user to Domain Admin.
Phase 2: Initial access
With enumeration complete, the pentester attempts to gain initial credentials or a foothold.
LLMNR/NBT-NS poisoning. When a Windows host cannot resolve a name via DNS, it broadcasts the request on the local network using Link-Local Multicast Name Resolution or NetBIOS Name Service. A pentester running Responder intercepts these broadcasts, poses as the intended server, and captures the requesting user's NTLMv2 hash.
SMB relay attacks. If SMB signing is not enforced, the pentester relays captured NTLM authentication to another host, gaining code execution without ever cracking the hash.
Password spraying. The pentester tries one or two common passwords against every discovered account, staying below the lockout threshold. This works more often than it should because even a single weak password among hundreds of accounts gives a foothold.
AS-REP roasting. Accounts configured without Kerberos pre-authentication can have their authentication responses requested by anyone. The pentester captures the encrypted AS-REP and cracks it offline.
Phase 3: Privilege escalation
Once the pentester holds valid credentials for a low-privilege account, the next goal is escalating to higher-privilege access.
Kerberoasting is one of the most reliable escalation techniques. The pentester requests Kerberos service tickets for accounts with registered SPNs. These tickets are encrypted with the service account's password hash, and the pentester cracks them offline.
If the service account's password is weak, the pentester gets its plaintext credentials. This entire process happens without generating a single failed logon event.
Unconstrained and constrained delegation abuse allows the pentester to impersonate any user who connects to a compromised delegation host. With unconstrained delegation, every connecting user's TGT is cached on the host.
ACL abuse exploits overly permissive Access Control Lists. Permissions like GenericAll, WriteDACL, and ForceChangePassword on sensitive objects give a low-privilege user the ability to reset passwords, modify group memberships, or grant themselves additional rights.
Active Directory Certificate Services (ADCS) abuse exploits misconfigured certificate templates (ESC1 through ESC8). A vulnerable template can allow any authenticated user to request a certificate that grants domain admin access.
Phase 4: Lateral movement and domain dominance
With elevated privileges, the pentester moves toward full domain compromise.
Pass-the-hash uses a stolen NTLM hash to authenticate to other systems without knowing the plaintext password. Pass-the-ticket does the same with a stolen Kerberos ticket.
DCSync is a technique where the pentester, using an account with directory replication rights, requests credential replication from a domain controller. The DC responds with the password hashes of every account in the domain, including the krbtgt account.
Golden Ticket attacks use the compromised krbtgt hash to forge Ticket Granting Tickets for any user. A Golden Ticket grants unrestricted access to every resource in the domain, and because the krbtgt password rarely changes, the persistence lasts until it is rotated twice.
Silver Ticket attacks forge service tickets for individual services rather than domain-wide access. DCShadow registers a rogue domain controller to inject malicious changes directly into the AD replication stream. Skeleton Key installs a master password on a domain controller, allowing the attacker to authenticate as any user while legitimate passwords continue to work normally.
Common AD vulnerabilities exploited in pentests
The following table summarizes the weaknesses pentesters find most frequently and the impact each has on the engagement.
| Vulnerability | Why it is exploitable | Pentest impact |
|---|---|---|
| Weak service account passwords | SPNs with crackable passwords enable Kerberoasting | Lateral movement, privilege escalation |
| LLMNR/NBT-NS enabled | Broadcasts allow hash interception on the local network | Credential theft |
| Overprivileged groups | Users in Domain Admins or with DCSync rights unnecessarily | Direct domain compromise |
| No SMB signing | Allows relay attacks against unauthenticated SMB sessions | Credential relay, code execution |
| Unconstrained delegation | Compromising a delegation host reveals all connecting users' TGTs | Privilege escalation |
| Stale accounts with active credentials | Dormant service or user accounts with unchanged passwords | Persistence, undetected access |
| Misconfigured ADCS templates | Certificate templates allowing domain escalation (ESC1 through ESC8) | Domain admin via certificate forgery |
| Lack of LAPS | Shared local admin passwords across workstations | Lateral movement |
| No tiered administration | Admin accounts used across all tiers (workstations, servers, DCs) | Single-hop to domain admin from workstation |
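As an added illustration (not part of the original article and not ManageEngine code), the following Python script checks an exported set of AD account attributes for several of the weaknesses in the table: service accounts whose SPN is paired with an old or privileged password (Kerberoasting exposure), accounts without Kerberos pre-authentication (AS-REP roasting exposure), unconstrained delegation on anything that is not a domain controller, and enabled accounts that have not logged on in months. The userAccountControl bit values are Microsoft's documented constants; the sample accounts, the privileged group list and the thresholds (90 days dormant, 365 days password age) are assumptions constructed for the example.

```python
"""Offline hygiene check for common AD weaknesses, run against exported account attributes.
Added example, not ManageEngine code; the account records below are constructed."""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Microsoft values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000         # set on domain controller computer accounts
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000      # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000           # Kerberos pre-authentication disabled

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed list
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)   # fixed reference time so output is reproducible
STALE_DAYS = 90                                     # assumed policy thresholds
MAX_SERVICE_PASSWORD_AGE = 365

def audit_account(acct, now=NOW):
    """Return the list of findings for one account (an empty list means clean)."""
    uac = acct["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return []                                   # disabled accounts are out of scope here
    findings = []
    spns = acct.get("servicePrincipalName", [])
    groups = set(acct.get("memberOf", []))
    pwd_age = (now - acct["pwdLastSet"]).days
    if spns and pwd_age > MAX_SERVICE_PASSWORD_AGE:
        findings.append(f"Kerberoastable: SPN registered and password {pwd_age} days old")
    if spns and groups & PRIVILEGED_GROUPS:
        findings.append("privileged service account: SPN registered on a member of "
                        + ", ".join(sorted(groups & PRIVILEGED_GROUPS)))
    if uac & DONT_REQ_PREAUTH:
        findings.append("AS-REP roastable: Kerberos pre-authentication not required")
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        findings.append("unconstrained delegation enabled on a non-DC principal")
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD set: account may have an empty password")
    if uac & DONT_EXPIRE_PASSWORD and not spns and pwd_age > MAX_SERVICE_PASSWORD_AGE:
        findings.append(f"non-expiring password is {pwd_age} days old")
    last_logon = acct.get("lastLogonTimestamp")
    if last_logon is None or (now - last_logon).days > STALE_DAYS:
        findings.append(f"stale: enabled but no logon in the last {STALE_DAYS} days")
    return findings

def audit_directory(accounts, now=NOW):
    """Map sAMAccountName -> findings for every account that has at least one."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report

def days_ago(n):
    return NOW - timedelta(days=n)

# Constructed sample export (not real directory data)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"], "memberOf": ["Domain Admins"],
     "pwdLastSet": days_ago(1100), "lastLogonTimestamp": days_ago(1)},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "pwdLastSet": days_ago(30), "lastLogonTimestamp": days_ago(2)},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "pwdLastSet": days_ago(20), "lastLogonTimestamp": days_ago(1)},
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "pwdLastSet": days_ago(20), "lastLogonTimestamp": days_ago(1)},       # expected on a DC
    {"sAMAccountName": "contractor_old", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": days_ago(400), "lastLogonTimestamp": days_ago(200)},
    {"sAMAccountName": "retired", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH,
     "pwdLastSet": days_ago(900), "lastLogonTimestamp": days_ago(900)},
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": days_ago(30), "lastLogonTimestamp": days_ago(1)},
]

if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLE_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The checks are deliberately attribute-only so they can run against an LDAP export without touching the domain; the same rules translate directly into an LDAP filter (for example a bitwise match on userAccountControl) if you want to run them live.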
Security risks when pentest findings go unresolved
Pentest reports that sit unresolved in a shared drive become a roadmap for attackers who find the same weaknesses independently. The techniques pentesters use are identical to those used in real breaches, so unpatched findings are just open doors with a map taped to them.
Kerberoasting in production environments
Kerberoasting remains one of the most exploited AD attack techniques because it requires only a single valid domain account and produces no failed logon events. The attack is entirely offline after the service ticket is requested, which makes it invisible to threshold-based detection. In environments where service accounts hold domain admin privileges and use weak passwords, a successful Kerberoasting attack jumps from low-privilege access to full domain compromise in minutes.
Pass-the-hash in ransomware campaigns
Ransomware operators routinely use pass-the-hash for lateral movement after gaining initial access. Once a single workstation is compromised and a local admin hash is extracted from memory, the attacker replays that hash across every machine sharing the same local admin password. Without LAPS deployed, a single compromised workstation can give an attacker access to hundreds of machines within the same network segment.
DCSync as a precursor to full domain compromise
DCSync requires an account with directory replication permissions, which pentesters often obtain through ACL abuse or by compromising an overprivileged service account. In real breaches, DCSync is the step between "elevated access" and "complete domain ownership." Once an attacker replicates the krbtgt hash, they can forge Golden Tickets and maintain persistence indefinitely, surviving password resets for every other account in the domain.
ADCS exploitation
Misconfigured certificate templates are one of the highest-impact findings in modern AD pentests. Exploiting a vulnerable template (ESC1, for example) allows any authenticated user to request a certificate as a domain admin, then use that certificate to authenticate. Unlike credential-based attacks, certificate-based persistence survives password resets because the certificate itself grants access independently of the account's current password.
ADAudit Plus detects these attack techniques through its Attack Surface Analyzer, which identifies Kerberoasting, Golden Ticket, DCSync, pass-the-hash, and pass-the-ticket activity in real time using event correlation and behavioral analysis.
Detecting pentest-like activity with native tools
Windows generates specific Event IDs for every pentest technique. The challenge is not the absence of data; it is finding signals in the noise.
| Technique | Event ID generated | What to look for |
|---|---|---|
| Kerberoasting | 4769 | Service ticket requests using RC4 encryption (encryption type 0x17) for accounts with SPNs |
| Pass-the-hash | 4624 | Logon Type 3 (network) with NTLM authentication where the source machine does not match expected patterns |
| DCSync | 4662 | Access to directory replication rights (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All) by a non-DC account |
| Golden Ticket | 4768 | TGT requests with anomalous lifetimes, or TGTs issued for accounts that did not recently authenticate |
| Brute-force / password spray | 4625 | Multiple failed logons across many accounts within a short time window from the same source |
| Privilege escalation via group change | 4728, 4756 | Member added to a privileged security group outside of change windows |
Why native Windows auditing falls short
Native auditing has several practical limitations that make it difficult to act on pentest findings in any sustained way.
No centralized view. Security event logs reside on individual domain controllers. You have to check each DC separately or deploy Windows Event Forwarding infrastructure before any correlation is possible.
No behavioral baselining. Native tools cannot tell the difference between a pentester requesting 50 service tickets in one minute and normal Kerberos activity. There is no per-user or per-host baseline to compare against.
No cross-event correlation. Linking a spike in Event ID 4769 (Kerberoasting) to a subsequent Event ID 4624 (lateral movement logon) requires manual log review across multiple DCs.
Limited log retention. Security logs have fixed size limits. In busy environments, logs overwrite within hours. Once the data is gone, forensic investigation becomes impossible.
No real-time alerting on attack patterns. Windows Task Scheduler can trigger on individual Event IDs, but it cannot evaluate patterns like "more than 20 service ticket requests from the same account within 60 seconds."
No automated response. When native tools detect suspicious activity, they cannot disable the offending account, terminate the session, or create a ticket for the security team.
No MITRE ATT&CK® technique mapping. Event Viewer displays raw events without any classification. Determining whether a cluster of 4769 events constitutes Kerberoasting requires the analyst to know the technique definition and manually evaluate the evidence.
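To make the Event ID table and the pattern-evaluation gap described above concrete, here is an added Python example (not ADAudit Plus code and not from the original article) that applies four of the table's rules to normalized Security events: a sliding-window count of RC4 service-ticket requests per account (the "more than 20 in 60 seconds" pattern the Task Scheduler limitation mentions), a per-source count of distinct accounts hit by 4625 failures, 4662 events exercising replication rights from a non-DC account, and 4728/4756 additions to privileged groups. The RC4 encryption type 0x17 and the two replication-right GUIDs are documented Microsoft values; the event records, the DC account names, the privileged group list and the spray threshold (10 accounts in 5 minutes) are constructed assumptions.

```python
"""Rule-based detection over normalized Windows Security events, following the Event ID
table above. Added example, not ManageEngine code; the events below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # ticket encryption type 0x17, the RC4 requests the table calls out
# Extended-right GUIDs for DS-Replication-Get-Changes and -All (documented Microsoft values)
REPLICATION_RIGHTS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                      "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}                                  # assumed DC accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed list

T0 = datetime(2025, 7, 1, 10, 0, 0)

def ev(secs, eid, user, **fields):
    """Build one normalized event record `secs` seconds after T0 (constructed, not a real log)."""
    return {"time": T0 + timedelta(seconds=secs), "id": eid, "user": user, **fields}

def _max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any interval of length `window`."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best

def detect_kerberoasting(events, threshold=20, window=timedelta(seconds=60)):
    """Accounts making more than `threshold` RC4 service-ticket requests (4769) within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("ticket_encryption") == RC4_HMAC:
            per_user[e["user"]].append(e["time"])
    return sorted(u for u, ts in per_user.items()
                  if _max_in_window(sorted(ts), window) > threshold)

def detect_password_spray(events, min_accounts=10, window=timedelta(minutes=5)):
    """Sources whose 4625 failures hit at least `min_accounts` distinct accounts within `window`."""
    per_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            per_source[e["source_ip"]].append((e["time"], e["user"]))
    hits = []
    for src, items in per_source.items():
        items.sort()
        in_window, j = Counter(), 0
        for t, user in items:
            in_window[user] += 1
            while items[j][0] < t - window:           # drop failures that aged out of the window
                in_window[items[j][1]] -= 1
                if in_window[items[j][1]] == 0:
                    del in_window[items[j][1]]
                j += 1
            if len(in_window) >= min_accounts:
                hits.append(src)
                break
    return sorted(hits)

def detect_dcsync(events):
    """Accounts (other than DCs) whose 4662 events exercise directory replication rights."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4662 and e.get("properties", set()) & REPLICATION_RIGHTS
                   and e["user"] not in DOMAIN_CONTROLLERS})

def detect_privileged_group_change(events):
    """(actor, member, group) for every 4728/4756 addition to a privileged group."""
    return [(e["user"], e["member"], e["group"]) for e in events
            if e["id"] in (4728, 4756) and e["group"] in PRIVILEGED_GROUPS]

# Constructed sample: one Kerberoast burst, one spray, one DCSync, one group change, plus benign noise.
SAMPLE_EVENTS = (
    [ev(i, 4769, "jdoe", ticket_encryption=RC4_HMAC, service="MSSQLSvc/sql%02d" % i) for i in range(25)]
    + [ev(i * 30, 4769, "alice", ticket_encryption=0x12) for i in range(5)]          # AES, normal use
    + [ev(120 + i * 5, 4625, "user%02d" % i, source_ip="10.0.0.5") for i in range(12)]
    + [ev(300 + i, 4625, "alice", source_ip="10.0.1.20") for i in range(3)]           # mistyped password
    + [ev(400, 4662, "backup_svc", properties=REPLICATION_RIGHTS)]
    + [ev(401, 4662, "DC02$", properties=REPLICATION_RIGHTS)]                          # normal DC replication
    + [ev(500, 4728, "jdoe", member="jdoe", group="Domain Admins")]
)

def run_all(events=SAMPLE_EVENTS):
    return {"kerberoasting": detect_kerberoasting(events),
            "password_spray": detect_password_spray(events),
            "dcsync": detect_dcsync(events),
            "privileged_group_change": detect_privileged_group_change(events)}

if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

Each rule is a count or a set membership over a time window, which is exactly what a single Event ID trigger cannot express; feeding it events from more than one DC is what turns it into the centralized correlation the list above says native auditing lacks.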
The Attack Surface Analyzer has named detection rules for the AD attacks pentesters use most frequently: Kerberoasting, Golden Ticket attack, Silver Ticket attack, pass-the-hash attack, pass-the-ticket attack, DCSync attack, DCShadow attack, Skeleton Key attack, brute force attacks, and AD password spray attacks.
Real-time alerts deliver notifications through email and SMS the moment an attack pattern is detected. Each alert includes drill-down forensics: who performed the action, from which machine, at what time, and what they did before and after the detected event.
Mapping pentest findings to ADAudit Plus reports
| Pentest finding | Event ID(s) generated | ADAudit Plus report or feature |
|---|---|---|
| Kerberoasting successful | 4769 (RC4 encryption requested) | Attack Surface Analyzer: Kerberoasting detection |
| Pass-the-hash lateral movement | 4624 (Logon Type 3) | Attack Surface Analyzer: pass-the-hash detection; UBA: First Time Host Accessed by User |
| Brute-force or password spray | 4625 (multiple) | Attack Surface Analyzer: brute force / AD password spray; UBA: Unusual Volume of Logon Failure |
| DCSync replication | 4662 (replication rights) | Attack Surface Analyzer: DCSync detection |
| Golden Ticket forged | 4768 (anomalous TGT) | Attack Surface Analyzer: Golden Ticket detection |
| LLMNR poisoning credential theft | 4624 from unexpected source | UBA: First Time Host Accessed by User; Logon Activity based on IP Address |
| Privilege escalation via group change | 4728/4756 (member added to privileged group) | Recently Added Members to Security Groups; alert profile: Modified Admin Groups |
| Stale account exploitation | 4624 on dormant account | UBA: Unusual Logon Activity Time; Logon Attempts by Locked out users |
Native tools versus ADAudit Plus for pentest finding remediation
| Capability | Native Windows auditing | ADAudit Plus |
|---|---|---|
| Centralized event collection across all DCs | Requires Windows Event Forwarding setup | Automatic, all DCs in a single console |
| Behavioral baselining per user | Not available | Machine learning baseline per user and host |
| Named attack detection (Kerberoasting, DCSync, etc.) | Manual event correlation required | Attack Surface Analyzer with named detection rules |
| Real-time alerting on attack patterns | Task Scheduler limited alerts | Pre-configured alert profiles with email and SMS |
| Automated response on trigger | Not available | Disable account, terminate session, create ticket |
| MITRE ATT&CK® technique mapping | Not available | Attack Surface Analyzer aligned with MITRE ATT&CK® |
FAQ
A vulnerability scan identifies individual weaknesses in isolation: accounts without password expiry, systems missing patches, that sort of thing. An AD pentest chains those weaknesses together into full attack paths, showing how an attacker moves from a single compromised account to domain admin. Scans tell you what is weak. Pentests show you what is exploitable.
Most compliance frameworks require annual penetration testing at minimum. PCI-DSS Requirement 11.3 mandates testing at least once per year and after any significant infrastructure change.
Organizations with high-risk environments or rapid change rates benefit from semi-annual testing. Between pentests, continuous monitoring with ADAudit Plus catches new vulnerabilities as they appear rather than waiting for the next assessment cycle.
Common tools include BloodHound and SharpHound for attack path mapping, Mimikatz for credential extraction, Impacket for remote execution and protocol abuse, CrackMapExec (NetExec) for lateral movement automation, Kerbrute for username enumeration, Responder for LLMNR/NBT-NS poisoning, and Certipy for ADCS exploitation.
Yes. Every pentest technique generates specific Windows Security Event IDs. The hard part is separating those signals from normal activity.
ADAudit Plus addresses this through user behavior analytics that establishes per-user baselines. When a pentester (or attacker) deviates from established patterns, such as requesting an unusual volume of service tickets or accessing hosts for the first time, the system flags the anomaly immediately.
Prioritize findings by exploitability and business impact, not just severity rating. Fix credential-based findings first (weak passwords, excessive privileges, lack of LAPS) because these enable the fastest attack paths.
Then map each finding to a continuous detection rule so that if the vulnerability reappears, or an attacker exploits it before remediation is complete, your monitoring catches it. ADAudit Plus lets you create alert profiles mapped directly to the attack techniques identified in the pentest report.