Active Directory & Identity Security Testing
From Standard User to Domain Administrator. Every Step Documented.
Active Directory is the identity backbone of your enterprise — and the primary target of every advanced persistent threat actor operating today. A single misconfigured service account, an overpermissioned group, or an exploitable certificate template is all it takes to move from a compromised workstation to full domain compromise.
Evaluris executes the same techniques used by real-world APT groups against your Active Directory environment — mapping every exploitable path from initial access to domain administrator, identifying every misconfiguration that enables that path, and producing a remediation roadmap that closes them permanently.
Why Active Directory Is the Highest-Value Target in Your Environment
Domain Administrator access means access to everything. Email. File servers. Backup systems. Security tooling. Every endpoint. Every account. Every credential stored anywhere on the network.
The reason Active Directory attacks are so effective is not that AD is fundamentally broken — it is that most enterprise AD environments accumulate years of misconfigurations, legacy permission grants, over-privileged service accounts, and deprecated settings that were never cleaned up. Attackers know this. Most security teams do not have a complete picture of what their AD environment actually looks like from an attacker's perspective.
This engagement builds that picture — and closes the gaps before an adversary exploits them.
The majority of ransomware operations that result in full enterprise encryption achieve domain administrator access through Active Directory attacks — not zero-day exploits.
Methodology
AD Enumeration
BloodHound and SharpHound-based domain enumeration producing a complete attack graph of users, groups, GPOs, ACLs, trust relationships, and delegation configurations. Full domain topology mapped before exploitation begins.
Kerberos Attack Paths
Kerberoasting (SPN-linked service account hash extraction), AS-REP roasting (accounts without pre-authentication), Kerberos delegation abuse (unconstrained, constrained, and resource-based constrained delegation), and Silver/Golden Ticket scenarios.
ACL & Permission Abuse
GenericAll, GenericWrite, WriteOwner, WriteDACL, and ForceChangePassword ACE exploitation. Shadow credential attacks. AdminSDHolder misconfiguration. Analysis of privileged accounts that are missing from the Protected Users group.
Active Directory Certificate Services (AD CS)
ESC1–ESC8 testing covering certificate template, enrollment agent, and enrollment endpoint misconfigurations. Certificate template misconfiguration exploitation. NTLM relay to AD CS HTTP endpoints (PetitPotam chains). Rogue CA assessment.
Group Policy & Privilege Escalation
GPO misconfiguration, script path hijacking, and logon script abuse. Local admin path analysis. LAPS deployment gaps. Restricted Groups misconfiguration.
Trust Relationship & Forest Attacks
Cross-domain and cross-forest trust exploitation. SID history abuse. ExtraSIDs attacks. Selective authentication bypass.
Azure AD / Entra ID Hybrid Assessment
Azure AD Connect misconfiguration, Password Hash Sync abuse, Pass-Through Authentication agent exploitation, and hybrid identity attack paths between on-premises AD and Entra ID.
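Several of the misconfigurations the methodology above targets (accounts without Kerberos pre-authentication, Kerberoastable service accounts, unconstrained delegation, privileged accounts outside Protected Users, and LAPS coverage gaps) can be surfaced by defenders with a read-only directory query before any engagement starts. The script below is an added example written for this page; it is not Evaluris tooling. It assumes the RSAT `ActiveDirectory` PowerShell module, a domain-joined account with read access to the directory, and a 365-day password-age threshold for service accounts, which is an arbitrary choice you should tune to your own policy.

```powershell
# Added example (not Evaluris code): read-only audit of common AD attack-path enablers.
# Assumes the RSAT ActiveDirectory module and directory read access.
Import-Module ActiveDirectory

$staleServicePasswordDays = 365   # assumption: tune to your service-account password policy
$cutoff = (Get-Date).AddDays(-$staleServicePasswordDays)

# 1. AS-REP roasting: user accounts that do not require Kerberos pre-authentication.
$asrep = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth |
    Select-Object SamAccountName, Enabled

# 2. Kerberoasting: user accounts carrying an SPN. Flag stale passwords, RC4 still permitted
#    (msDS-SupportedEncryptionTypes unset or bit 0x4 set), and accounts that are privileged.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount
$kerberoast = foreach ($u in $spnUsers) {
    if ($u.SamAccountName -eq 'krbtgt') { continue }
    $enc = $u.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        StalePassword  = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $cutoff)
        Rc4Allowed     = ($null -eq $enc) -or (($enc -band 0x4) -ne 0)
        IsPrivileged   = ($u.AdminCount -eq 1)
    }
}

# 3. Unconstrained delegation on anything that is not a domain controller (primary group 516).
$unconstrained = @(Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -ne 516 }) +
    @(Get-ADUser -Filter 'TrustedForDelegation -eq $true')

# 4. Protected Users coverage: Domain Admins members that are not in Protected Users.
$protected = Get-ADGroupMember 'Protected Users' -Recursive | Select-Object -ExpandProperty DistinguishedName
$unprotectedAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.DistinguishedName }

# 5. LAPS coverage. The expiration attributes only exist once the schema has been extended,
#    so check the schema first; querying an undefined attribute would throw.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = foreach ($name in 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime') {
    if (Get-ADObject -SearchBase $schemaNC -Filter "ldapDisplayName -eq '$name'") { $name }
}
if ($lapsAttrs) {
    $noLaps = Get-ADComputer -Filter 'Enabled -eq $true' -Properties (@('PrimaryGroupID') + $lapsAttrs) |
        Where-Object {
            $c = $_
            $c.PrimaryGroupID -ne 516 -and -not ($lapsAttrs | Where-Object { $null -ne $c.$_ })
        }
} else {
    $noLaps = $null
    Write-Warning 'Neither Windows LAPS nor legacy LAPS schema found: no local admin password rotation in this domain.'
}

# Summary. Each non-zero count corresponds to a finding class a tester would pursue.
[pscustomobject]@{
    AsRepRoastable            = @($asrep).Count
    KerberoastableTotal       = @($kerberoast).Count
    KerberoastableHighRisk    = @($kerberoast | Where-Object { $_.StalePassword -or $_.Rc4Allowed -or $_.IsPrivileged }).Count
    UnconstrainedDelegation   = @($unconstrained).Count
    DomainAdminsNotProtected  = @($unprotectedAdmins).Count
    ComputersWithoutLaps      = @($noLaps).Count
} | Format-List

# Detail tables for remediation owners.
$asrep | Format-Table -AutoSize
$kerberoast | Sort-Object IsPrivileged, StalePassword -Descending | Format-Table -AutoSize
$unconstrained | Select-Object Name, DistinguishedName | Format-Table -AutoSize
$unprotectedAdmins | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
$noLaps | Select-Object Name, DistinguishedName | Format-Table -AutoSize
```

Run it from a management host with the RSAT tools installed; every query is a read, so it is safe against production. The summary counts map directly onto the Kerberos, ACL, and Group Policy items of the methodology, and the detail tables give remediation owners the exact objects to fix (set pre-authentication, rotate and lengthen service account passwords and remove RC4, clear unconstrained delegation, add administrators to Protected Users, and extend LAPS coverage).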
What We Test
- On-premises Active Directory environments (all Windows Server versions)
- Azure AD / Microsoft Entra ID
- Hybrid identity configurations (AD Connect, PTA, ADFS)
- Active Directory Certificate Services (AD CS)
- Group Policy Objects and deployment
- Service account security and privileged access model
- Tier model / PAW implementation effectiveness
- Legacy protocol and weak authentication exposure (NTLMv1, missing LDAP signing, SMBv1)
Compliance Alignment
| Framework | Requirement |
|---|---|
| DORA Art. 25 | ICT infrastructure testing including identity systems |
| ISO 27001:2022 | A.5.15 — access control; A.8.2 — privileged access rights |
| PCI DSS v4.0.1 | Req. 7 & 8 — access control and identity management testing |
| SAMA | Identity and access management security included in VAPT scope |
| NIS2 Art. 21 | Access control and identity management security obligations |
| CIS Controls v8 | Control 5 — account management; Control 6 — access control management |
Deliverables
- BloodHound Attack Graph Export — interactive attack path visualization for your AD environment
- Privilege Escalation Chain Documentation — every exploited path from standard user to domain administrator, step by step
- AD CS Vulnerability Report — complete certificate services assessment findings
- Remediation Roadmap — prioritized by exploitability and blast radius, with AD-specific fix guidance
- Executive Summary — board-ready narrative of identity security posture
- Technical Report — full evidence, MITRE ATT&CK mapping, and fix recommendations
- Retest Window — post-remediation verification
Ready to scope this engagement?
Tell us about your environment, regulatory drivers, and timeline. We will align methodology, scope, and evidence requirements before testing begins.