Active Directory Testing
Targeted assessment of on-premises Active Directory environments — mapping every privilege path and demonstrating realistic domain compromise chains from a single user account.
Active Directory remains the crown jewel of most enterprise environments — and the most targeted. A compromised domain is a compromised organisation. Our AD assessments are conducted by operators who specialise in Microsoft identity attack paths, using the same tooling and techniques as real adversaries.
We focus exclusively on on-premises Active Directory — enumerating every attack path from a standard domain user account through to Domain Admin and beyond. Our approach treats AD as an attacker would: as a graph of privilege relationships to be traversed, not a checklist to be ticked.
Our assessments are structured to provide both a technical attack narrative and a clear picture of the organisational risk — what an attacker could do once they have a foothold, and how far they could progress from a single compromised user account.
Domain Enumeration
Comprehensive enumeration of users, groups, computers, GPOs, ACLs, trusts, and SPNs using BloodHound, ldapdomaindump, and custom tooling. We map all privilege paths and high-value targets before any exploitation begins.
Kerberos Attack Paths
Kerberoasting of service accounts, AS-REP roasting, unconstrained and constrained delegation abuse, resource-based constrained delegation, and S4U2Self/S4U2Proxy abuse. We identify and exploit every Kerberos attack path in scope.
ACL & Privilege Abuse
Analysis of Active Directory ACLs for over-permissive write access — GenericAll, WriteDACL, ForceChangePassword, GenericWrite, and AddMember rights on high-value groups and accounts. These misconfigurations routinely provide a path to Domain Admin.
Credential Attacks
NTLM relay via ntlmrelayx, Pass-the-Hash, Pass-the-Ticket, and password spraying against Kerberos and exposed services. DPAPI secret recovery from accessible hosts and LSASS credential extraction where permitted by rules of engagement.
ADCS Abuse
Enumeration and exploitation of Active Directory Certificate Services misconfigurations — ESC1 through ESC15 attack paths including certificate template abuse, CA misconfiguration, and relay to ADCS endpoints to obtain domain user and machine certificates.
Domain Compromise & Reporting
Where vulnerabilities permit, full demonstration of domain compromise via DCSync, Golden Ticket, or ADCS abuse — with the complete attack chain documented and mapped to MITRE ATT&CK. Technical and executive reporting with prioritised remediation.
We use the same tooling and techniques as real threat actors — BloodHound, Impacket, Rubeus, and custom scripts — and we think in attack graphs, not checklists. Every engagement produces a clear narrative of the path from low-privileged user to domain compromise.
Our operators specialise in on-premises Active Directory and have performed AD assessments across organisations ranging from SMEs to large enterprises. We consistently find privilege escalation paths that internal teams and automated scanners miss.