Active Directory Security Assessment

BloodHound attack path mapping, Kerberoasting and DCSync exposure, AD CS certificate template review (ESC1-8), and Azure AD/Entra ID hybrid assessment — identifying the privilege escalation routes attackers use to achieve domain dominance from a standard user account.

BloodHound Attack Paths
Domain Admin Route Mapping
On-Prem · Entra ID (formerly Azure AD)
Hybrid Environment Coverage
Kerberoasting · DCSync · AS-REP
Credential Attack Surface
AD CS · ESC1–ESC8
Certificate Services Misconfigs
Assessment Scope

On-Prem AD · Azure AD · Credential Attacks · AD CS

Three assessment dimensions covering on-premises Active Directory attack paths, Azure AD and hybrid identity security, and the credential attack surface including AD CS certificate abuse vulnerabilities.

Domain Dominance Risk

On-Premises AD & Attack Path Analysis

BloodHound-based attack path analysis of your on-premises Active Directory — mapping every privilege escalation route from standard domain user to Domain Admin, identifying the shortest exploit chain, and quantifying how many steps an attacker needs to achieve domain dominance from an initial foothold. Goes beyond checking obvious misconfigurations — we find the non-obvious paths your defenders are not watching.

  • BloodHound attack path mapping — all routes to Domain Admin
  • Tier 0 asset identification and exposure analysis
  • Privileged group membership review (Domain Admins, Enterprise Admins, Schema Admins)
  • AdminSDHolder and ACL abuse path identification
  • Forest and domain trust relationship review
  • Group Policy security configuration assessment

Hybrid Identity Assessment

Azure AD / Entra ID & Hybrid Security

Security review of your Azure AD (Entra ID) tenant and hybrid synchronisation between on-premises AD and the cloud — identifying conditional access policy gaps, application permission abuse paths, service principal over-privilege, Azure AD Connect configuration security, and attack paths allowing on-premises compromise to lead to full Azure AD tenant takeover.

  • Azure AD Conditional Access policy gap review
  • Application registration permission audit (OAuth consent abuse)
  • Service principal and managed identity privilege review
  • Azure AD Connect configuration security assessment
  • Hybrid join security review (PRT abuse, device trust exploitation)
  • Emergency Access (Break Glass) account configuration review

Lateral Movement & Persistence

Credential Attacks & AD CS Review

Targeted assessment of the credential attack surface within Active Directory — Kerberoasting exposure, AS-REP Roasting, DCSync privilege identification, Shadow Credentials paths, and a full Active Directory Certificate Services (AD CS) review covering ESC1 through ESC8: the template misconfigurations (ESC1–ESC4) and the PKI object and CA-level weaknesses (ESC5–ESC8, including NTLM relay to web enrollment) that allow domain compromise through certificate abuse.

  • Kerberoasting exposure — SPN account audit and password strength assessment
  • AS-REP Roasting — pre-authentication disabled account identification
  • DCSync privilege audit — who can replicate domain secrets
  • Shadow Credentials attack path identification
  • AD CS review (ESC1–ESC8: template misconfigurations and CA-level weaknesses)
  • Golden Ticket and Silver Ticket risk assessment and KRBTGT hygiene

The AD Attack Surface

Active Directory Is in 95% of Breaches. Is Yours Next?

Active Directory is the identity backbone of virtually every corporate network — and present in investigations of more than 95% of all significant corporate network compromises. The reason is simple: whoever controls Active Directory controls every system, every user, every server, and every file share in the enterprise. Domain Admin access, achieved through any of dozens of documented attack paths, means game over.

The most dangerous aspect of AD security is that the attack paths leading to Domain Admin are often invisible to traditional security tools. BloodHound attack path mapping reveals the non-obvious, multi-hop privilege relationships — an account that can modify a group that has GenericAll rights over a computer that has unconstrained delegation — that attackers specifically look for because defenders are not watching them.
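The chain in the paragraph above, reproduced as an added example (not BloodHound's or Adayptus's code) over a constructed edge list, with plain breadth-first search standing in for the Cypher shortestPath query BloodHound runs against Neo4j. Principal names are hypothetical; the edge types follow BloodHound's names except UnconstrainedDelegation, which is an assumed shorthand edge for the coerce-and-capture step. The example also counts which intermediate nodes sit on the most shortest paths, one way to rank intermediate nodes for remediation.

```python
"""Shortest attack path and choke-point analysis over a BloodHound-style edge list."""
from collections import Counter, deque

# Tier 0 targets: the Domain Admins group, a domain controller, and the domain
# head itself (reaching it with replication rights means DCSync).
TIER0 = {"DOMAIN ADMINS@CORP.LOCAL", "DC01.CORP.LOCAL", "CORP.LOCAL"}

# Constructed sample edges (source, edge type, target); all principal names are
# hypothetical. UnconstrainedDelegation is an assumed shorthand edge for
# "coerce the DC to authenticate to this host and capture its TGT".
EDGES = [
    # Route 1, the chain from the text: user -> group -> GenericAll on a
    # computer -> unconstrained delegation -> DC -> DCSync (5 hops)
    ("JDOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AddMember", "SRV-OPERATORS@CORP.LOCAL"),
    ("SRV-OPERATORS@CORP.LOCAL", "GenericAll", "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "UnconstrainedDelegation", "DC01.CORP.LOCAL"),
    ("DC01.CORP.LOCAL", "DCSync", "CORP.LOCAL"),
    # Route 2: local admin on a workstation holding a Domain Admin session (3 hops)
    ("JDOE@CORP.LOCAL", "AdminTo", "WS07.CORP.LOCAL"),
    ("ASMITH@CORP.LOCAL", "MemberOf", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "AdminTo", "WS07.CORP.LOCAL"),
    ("WS07.CORP.LOCAL", "HasSession", "BJONES@CORP.LOCAL"),
    ("BJONES@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    # Dead end: no route to Tier 0
    ("CWHITE@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge type, target), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, targets):
    """Breadth-first search from start to the nearest node in targets.
    Returns the hops as [(src, edge type, dst), ...], [] if start is already
    Tier 0, or None when no path exists."""
    if start in targets:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt in targets:
                path, cur = [], nxt
                while parent[cur] is not None:
                    prev, via = parent[cur]
                    path.append((prev, via, cur))
                    cur = prev
                return path[::-1]
            queue.append(nxt)
    return None


def hops_to_tier0(graph, start, targets=TIER0):
    path = shortest_path(graph, start, targets)
    return None if path is None else len(path)


def choke_points(graph, starts, targets=TIER0):
    """Count how many starting principals' shortest paths pass through each
    intermediate node; the top entries are the fixes that cut the most paths."""
    counts = Counter()
    for start in starts:
        path = shortest_path(graph, start, targets) or []
        for _, _, dst in path[:-1]:  # drop the Tier 0 endpoint itself
            counts[dst] += 1
    return counts


if __name__ == "__main__":
    graph = build_graph(EDGES)
    starts = ["JDOE@CORP.LOCAL", "ASMITH@CORP.LOCAL", "CWHITE@CORP.LOCAL"]
    for start in starts:
        path = shortest_path(graph, start, TIER0)
        if path is None:
            print(f"{start}: no path to Tier 0")
            continue
        print(f"{start}: {len(path)} hops")
        for src, rel, dst in path:
            print(f"    {src} -[{rel}]-> {dst}")
    print("Choke points:", choke_points(graph, starts).most_common(3))
```

Note what the search surfaces: JDOE's five-hop delegation chain is real, but the three-hop route through WS07 (local admin rights plus a Domain Admin session) is what an attacker would take first, and WS07 and BJONES appear on every principal's shortest path, so removing the Domain Admin session from a Tier 1 workstation closes more routes than fixing any single ACL.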

Active Directory credential-based attacks were present in 86% of all investigated data breaches in 2024 (Verizon DBIR 2024)
Average time from initial foothold to Domain Admin access in tested environments: 3.7 hours using BloodHound-identified privilege paths
AD CS ESC vulnerabilities are present in over 90% of enterprise environments with AD CS deployed (SpecterOps 2024)

3.7 Hours to Domain Admin

Average time from initial foothold to Domain Admin using BloodHound-identified paths in tested environments

AD CS ESC Vulnerabilities

Present in 90%+ of enterprise environments with AD CS — most organisations have never been assessed for these

Hybrid Attack Paths

Azure AD Connect misconfiguration can turn on-prem compromise into full cloud tenant takeover

Attack Path Visualisation

BloodHound screenshots showing exact privilege escalation chains — not theoretical risk descriptions

Our Process

5-Phase Active Directory Assessment Methodology

From BloodHound data collection and attack path analysis through credential attack surface assessment, hybrid review, and visualised findings with a prioritised hardening roadmap.

01

Enumeration & Data Collection

BloodHound data collection from within the domain using SharpHound, gathering the users, computers, groups, GPOs, ACLs, sessions and trust relationships required for complete attack path analysis. Collection is read-only: nothing in the directory is modified. It is not silent, though. Beyond the bulk LDAP queries, session and local-group collection opens SMB/RPC connections to every reachable host, which identity-focused detection such as Microsoft Defender for Identity flags as reconnaissance, so the collection window should be agreed with your defenders in advance. For hybrid environments, Entra ID data is collected with AzureHound.

02

Attack Path Analysis & Tier 0 Mapping

Analysing BloodHound graph data to identify all paths to Tier 0 assets (Domain Controllers, Domain Admin accounts, AD CS servers) from low-privileged starting positions — finding shortest paths, most dangerous intermediate nodes, and the configuration findings creating each attack path. Tier 0 blast radius quantified.

03

Credential Attack Surface Assessment

Targeted assessment of Kerberos-based credential attack exposure: Kerberoastable SPN accounts enumerated and assessed for password strength and ticket encryption type, AS-REP Roastable accounts identified, DCSync-capable principals inventoried from the domain head's DACL, AD CS templates and CA configuration reviewed for ESC1-8, and the KRBTGT password age (pwdLastSet) verified.

04

Azure AD & Hybrid Trust Assessment

Review of Azure AD security configuration, conditional access policies, application registrations and OAuth permissions, service principal privileges, and Azure AD Connect synchronisation security — with specific focus on hybrid attack paths allowing on-premises compromise to cross into the Azure tenant.

05

Findings Report & Remediation Roadmap

Comprehensive report with BloodHound attack path visualisations for all critical findings, a Tier 0 blast radius heatmap, specific remediation guidance for each identified attack path, a prioritised hardening action plan, and a tiered administration architecture recommendation where appropriate.

Coverage

End-to-End AD Security Coverage

From BloodHound attack paths through Kerberoasting, AD CS vulnerabilities, Azure AD conditional access, ACL abuse, and tiered administration hardening.

BloodHound Attack Path Mapping

Complete BloodHound-based attack path analysis mapping all privilege escalation routes from standard domain user to Domain Admin — identifying shortest paths, most dangerous intermediate nodes, and the specific configuration findings creating each path.

Kerberoasting & AS-REP Exposure

Enumeration of all Kerberoastable service accounts (SPNs) and AS-REP Roastable accounts — assessing password strength indicators, the ticket encryption type (RC4 tickets crack orders of magnitude faster than AES) and the realistic cracking timeframe for each exposed ticket, prioritised by risk of successful offline cracking.

AD CS Certificate Template Review

Full review of Active Directory Certificate Services for ESC1 through ESC8: certificate templates that let standard domain users request certificates usable for Domain Admin impersonation, persistence or credential theft (ESC1–ESC4), and PKI object and CA configuration weaknesses, including the EDITF_ATTRIBUTESUBJECTALTNAME2 flag and NTLM relay to web enrollment (ESC5–ESC8).
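
The decision logic behind the ESC1 check, as an added example that is not Adayptus's or Certipy's code (Certipy's find command runs the same kind of evaluation end to end against a live forest). The templates are constructed to mirror the LDAP attributes of pKICertificateTemplate objects under the Public Key Services container, the enrollment ACEs are pre-decoded to (trustee SID, right GUID), and the published set stands in for the certificateTemplates attribute of the CA's pKIEnrollmentService object; the domain SID and template names are hypothetical.

```python
"""ESC1 evaluation over certificate-template LDAP attributes."""

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for certificate-manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# EKUs that let the issued certificate authenticate to AD (PKINIT or Schannel)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Control-access right GUIDs on the template object
CERTIFICATE_ENROLLMENT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
CERTIFICATE_AUTOENROLLMENT = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
LOW_PRIV_SIDS = {
    "S-1-1-0",            # Everyone
    "S-1-5-11",           # Authenticated Users
    DOMAIN_SID + "-513",  # Domain Users
    DOMAIN_SID + "-515",  # Domain Computers
}


def allows_authentication(ekus):
    """Empty pKIExtendedKeyUsage means no EKU restriction, i.e. any purpose."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def low_priv_enrollers(aces):
    return sorted({a["trustee"] for a in aces
                   if a["type"] == "ALLOW"
                   and a["objectType"] in (CERTIFICATE_ENROLLMENT, CERTIFICATE_AUTOENROLLMENT)
                   and a["trustee"] in LOW_PRIV_SIDS})


def esc1_enrollers(template, published):
    """Low-privileged SIDs able to abuse the template for ESC1, or [] when any
    precondition fails. Each early return doubles as the matching hardening fix."""
    if template["cn"] not in published:
        return []  # no CA offers it, so nobody can request it
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []  # identity comes from the requester's own AD object
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []  # manager approval stops unattended issuance
    if template.get("msPKI-RA-Signature", 0) > 0:
        return []  # an authorized signature is required on the request
    if not allows_authentication(template.get("pKIExtendedKeyUsage", [])):
        return []  # the certificate cannot be used to log on
    return low_priv_enrollers(template["aces"])


def find_esc1(templates, published):
    findings = {}
    for template in templates:
        who = esc1_enrollers(template, published)
        if who:
            findings[template["cn"]] = who
    return findings


def _allow(trustee, right):
    return {"type": "ALLOW", "trustee": trustee, "objectType": right}


# Constructed templates; only VPN-Users meets every ESC1 precondition.
TEMPLATES = [
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "aces": [_allow(DOMAIN_SID + "-513", CERTIFICATE_ENROLLMENT)]},          # subject from AD
    {"cn": "VPN-Users", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "aces": [_allow(DOMAIN_SID + "-513", CERTIFICATE_ENROLLMENT),
              _allow(DOMAIN_SID + "-512", CERTIFICATE_ENROLLMENT)]},          # ESC1
    {"cn": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "aces": [_allow(DOMAIN_SID + "-515", CERTIFICATE_ENROLLMENT)]},          # server auth only
    {"cn": "Admin-Smartcard", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2"],
     "aces": [_allow("S-1-5-11", CERTIFICATE_ENROLLMENT)]},                   # manager approval
    {"cn": "Lab-Test", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": [],
     "aces": [_allow("S-1-1-0", CERTIFICATE_ENROLLMENT)]},                    # not published
]
PUBLISHED = {"User", "VPN-Users", "WebServer", "Admin-Smartcard"}

if __name__ == "__main__":
    for cn, who in find_esc1(TEMPLATES, PUBLISHED).items():
        print(f"ESC1: {cn} enrollable by {', '.join(who)}")
```

The Lab-Test template is worth noting: with no EKU at all and Everyone allowed to enroll it is fully ESC1-capable, and the only thing protecting the domain is that no CA publishes it. Publishing it later, or an attacker with ManageCA rights publishing it (ESC7), turns a latent finding into an immediate one, so unpublished templates belong in the report as well.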

Azure AD & Conditional Access

Azure AD (Entra ID) security review covering conditional access policy gaps, MFA bypass paths, application registration OAuth permission abuse, service principal over-privilege, and Privileged Identity Management (PIM) configuration assessment.

ACL & AdminSDHolder Abuse

Targeted review of Access Control List misconfigurations across AD objects — identifying GenericAll, WriteDACL, WriteOwner, and other dangerous ACEs that create non-obvious privilege escalation paths invisible without BloodHound-style graph analysis, including ACEs on AdminSDHolder itself, which SDProp copies onto every protected account (by default every 60 minutes).

AD Hardening & Tiered Model

Remediation guidance and architectural recommendations for a tiered administration model — Tier 0/1/2 separation, PAW implementation, legacy protocol hardening (NTLM reduction and NTLMv1 disablement, SMBv1 removal, SMB signing enforcement), and KRBTGT account hygiene.

Why Adayptus

See Your AD Through an Attacker's Eyes

We use the same tools and methodology attackers use — giving your defenders the visibility into AD attack paths that adversaries have, and that traditional security tooling cannot provide.

BloodHound-Native Methodology

BloodHound attack path analysis reveals the non-obvious multi-hop privilege relationships that manual review and traditional scanners miss: attackers chain these relationships together, while automated tools assess each misconfiguration in isolation.

Attack Path Visualisation

Every critical finding is delivered with a BloodHound attack path screenshot — showing the exact node chain from unprivileged user to Domain Admin. An actual visualised route your remediation team can understand and act on immediately.

AD CS Depth

AD CS is among the most impactful and least assessed attack surfaces in modern enterprise environments. We review all ESC1-8 classes, template misconfigurations and CA-level weaknesses alike — findings most other assessments miss entirely because they require specialist knowledge outside standard AD tooling.

Hybrid & Entra ID Coverage

On-premises AD and Azure AD are increasingly inseparable. Azure AD Connect synchronisation can allow on-prem compromise to become cloud tenant takeover. We assess both environments together — including the hybrid trust relationships bridging them.

Tools & Frameworks We Use

BloodHound / SharpHound
AzureHound
Impacket
CrackMapExec
Rubeus
Certipy (AD CS)
PingCastle
Microsoft Entra ID Tools

Get Started

Find Your Path to Domain Admin Before an Attacker Does

BloodHound attack path analysis reveals the privilege escalation routes in your Active Directory that attackers actively look for — and that your defenders are not watching. Schedule a scoping call to define your AD assessment scope.

Get in Touch

Ready to secure your future? Reach out to us for a consultation.