Active Directory Attack Simulation
Comprehensive AD attack simulation including Kerberoasting, Pass-the-Hash, and privilege escalation.
Active Directory (AD) is the backbone of identity and access management in over 90% of enterprise environments — and it is the primary target of every sophisticated attacker who gains a foothold on your network. From ransomware groups to nation-state actors, the path to domain dominance consistently runs through misconfigurations, over-privileged accounts, weak Kerberos settings, and legacy authentication protocols that have been present in AD environments for years. Intelliroot's AD attack simulation exposes every viable path to domain compromise using the same tools and techniques employed by real threat actors: BloodHound graph analysis, Impacket, Rubeus, CrackMapExec, and custom tooling developed by our red team operators.
Assessments cover both on-premises Active Directory and hybrid/cloud environments — including Azure Active Directory (Entra ID), Azure AD Connect exploitation, and federated identity attacks. Intelliroot's operators map every attack path to MITRE ATT&CK, quantify the business risk of each privilege escalation route, and provide a prioritised hardening roadmap that addresses the root causes — not just the symptoms. For organisations undergoing AD consolidation, forest migration, or cloud adoption, this assessment provides an authoritative security baseline before architectural changes are finalised.
BloodHound Attack Path Analysis: Intelliroot's AD simulation includes full BloodHound graph database analysis of your domain — visualising every privilege escalation path from any standard user account to Domain Admin. This produces an unambiguous picture of your AD attack surface that no manual review or configuration scan can match, and drives a precise prioritisation of the 20% of fixes that eliminate 80% of viable attack paths.
Why AD Is Every Attacker's Primary Target
AD Controls Everything
Domain Admin in Active Directory means unrestricted access to every server, workstation, file share, and application in your environment. Every significant breach ultimately targets AD — it is the master key to your entire enterprise.
Attack Paths Are Invisible Without Testing
BloodHound path analysis regularly reveals 5-7 hop attack chains from a standard user account to Domain Admin that no configuration review, audit, or scanner would discover — paths that have existed, undetected, for years.
Ransomware Relies on AD Compromise
Every major ransomware group — LockBit, BlackCat, Cl0P — uses AD compromise as the prerequisite for mass deployment. Without domain dominance, attackers cannot encrypt the thousands of endpoints required for a viable ransom demand.
Hybrid AD Massively Expands the Attack Surface
Azure AD Connect misconfiguration, pass-through authentication abuse, and Entra ID privilege escalation paths create entirely new attack surfaces that traditional AD assessments miss — requiring operators with dedicated hybrid identity expertise.
Attack Techniques We Simulate
Credential & Kerberos Attacks
- Kerberoasting of service accounts with weak passwords
- AS-REP Roasting of accounts with pre-auth disabled
- Pass-the-Hash using NTLM credential material
- Pass-the-Ticket and Overpass-the-Hash with Kerberos tickets
- Golden Ticket and Silver Ticket forging using KRBTGT hash
Enumeration & Lateral Movement
- LDAP enumeration of users, groups, GPOs, and ACLs
- BloodHound attack path mapping from standard user to DA
- SMB relay and LLMNR/NBT-NS poisoning attacks
- DCSync simulation to extract domain credential material
- LSASS credential dumping and DPAPI secret extraction
Privilege Escalation & Persistence
- ACL/ACE abuse (WriteDACL, GenericAll, GenericWrite, AddMember)
- GPO abuse for privilege escalation and backdoor deployment
- AdminSDHolder and SDProp manipulation
- Forest trust abuse and cross-forest privilege escalation
- SID History injection for persistent privileged access
Azure AD & Hybrid Identity
- Azure AD Connect account compromise and password writeback abuse
- PRT (Primary Refresh Token) theft and session hijacking
- Entra ID privilege escalation via role assignments and app permissions
- Conditional Access policy bypass and MFA evasion techniques
- Service principal and managed identity abuse for cloud privilege escalation
Assessment Approach
Scoping & Access Provisioning
Define assessment scope (on-prem AD, Azure AD, hybrid), agree on starting position (unauthenticated, standard domain user, or specific role), and provision required network access. Agree on out-of-bounds targets (e.g., production systems that must not be disrupted) and notification protocols for the white cell team.
Domain Enumeration & Attack Path Mapping
Conduct comprehensive LDAP enumeration of the domain, collecting user accounts, group memberships, GPO configurations, ACL entries, and Kerberos delegation settings. Ingest data into BloodHound to generate a complete attack path graph — identifying every viable route to Domain Admin and highlighting the highest-risk escalation chains by hop count and exploitability.
Credential Attack Simulation
Execute Kerberoasting, AS-REP Roasting, and LLMNR/NBT-NS poisoning to harvest and crack credential material. Assess password spray viability, NTLM relay opportunities, and lateral movement paths using harvested credentials. All credential material is handled under strict data handling protocols and destroyed after engagement completion.
Privilege Escalation & Domain Dominance
Exploit identified attack paths — ACL abuse, GPO manipulation, forest trust traversal, DCSync, or Golden/Silver Ticket attacks — to achieve the highest feasible privilege level within scope. Demonstrate domain dominance by accessing agreed crown-jewel assets as proof of impact, without performing any destructive actions on production infrastructure.
Hardening Roadmap Delivery & Technical Debrief
Deliver a prioritised hardening roadmap that addresses root causes: tiered administration model gaps, legacy protocol disablement, ACL remediation, GPO hardening, Kerberos delegation cleanup, and Azure AD security baseline. Present findings to your AD and identity team with hands-on technical Q&A to ensure each remediation action is clearly understood and actionable.
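The credential-attack stage above names Kerberoasting and AS-REP Roasting as techniques the assessment exercises; a defender running such an assessment usually wants to know whether their own telemetry would have caught them. The following is an added example written for this page, not Intelliroot tooling or part of the original text. It applies two common detection heuristics to Windows Security events: Kerberoasting as one account requesting many distinct RC4 (etype 0x17) service tickets in a short window (event 4769), and AS-REP roasting exposure as TGT requests served without pre-authentication (event 4768, PreAuthType 0). Field names follow the Windows event XML; the event records, account names, SPNs, addresses and thresholds are all constructed for illustration.

```python
"""Detection heuristics for Kerberoasting (4769) and AS-REP roasting (4768).

Added example, not part of the original page or of any vendor tooling.
Events are constructed inline in the shape of Windows Security event data;
field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType,
IpAddress, TimeCreated) follow the real event XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"           # TicketEncryptionType for RC4-HMAC, the roasting-friendly etype
PREAUTH_NONE = "0"          # PreAuthType 0: TGT issued without pre-authentication
KERBEROAST_THRESHOLD = 5    # distinct RC4 service tickets by one account within WINDOW
WINDOW = timedelta(minutes=10)


def _ts(s):
    return datetime.fromisoformat(s)


def _tgs(time, account, service, etype, ip):
    """Constructed 4769 (service ticket request) record."""
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": account,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}


def _as(time, account, etype, preauth, ip):
    """Constructed 4768 (TGT request) record."""
    return {"EventID": 4768, "TimeCreated": time, "TargetUserName": account,
            "TicketEncryptionType": etype, "PreAuthType": preauth, "IpAddress": ip}


# Constructed sample telemetry (hypothetical CORP.LOCAL domain, not real data).
SAMPLE_EVENTS = [
    # jdoe: six distinct service accounts, all RC4, inside two minutes -> roast pattern
    _tgs("2024-05-01T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.0.0.5"),
    _tgs("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "svc_http", RC4_HMAC, "10.0.0.5"),
    _tgs("2024-05-01T09:00:03", "jdoe@CORP.LOCAL", "svc_backup", RC4_HMAC, "10.0.0.5"),
    _tgs("2024-05-01T09:00:04", "jdoe@CORP.LOCAL", "svc_sccm", RC4_HMAC, "10.0.0.5"),
    _tgs("2024-05-01T09:00:05", "jdoe@CORP.LOCAL", "svc_iis", RC4_HMAC, "10.0.0.5"),
    _tgs("2024-05-01T09:01:30", "jdoe@CORP.LOCAL", "svc_exch", RC4_HMAC, "10.0.0.5"),
    _tgs("2024-05-01T09:01:31", "jdoe@CORP.LOCAL", "WS01$", RC4_HMAC, "10.0.0.5"),  # computer account, ignored
    # alice: many services but AES-256 (0x12) -> ordinary activity
    *[_tgs(f"2024-05-01T09:0{i}:00", "alice@CORP.LOCAL", f"svc_{i}", "0x12", "10.0.0.9") for i in range(7)],
    # svc_backup: two RC4 requests, below the threshold
    _tgs("2024-05-01T10:00:00", "svc_backup@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.0.0.20"),
    _tgs("2024-05-01T10:00:05", "svc_backup@CORP.LOCAL", "svc_http", RC4_HMAC, "10.0.0.20"),
    # TGT requests: svc_legacy has pre-auth disabled; bob is a normal logon
    _as("2024-05-01T09:02:00", "svc_legacy@CORP.LOCAL", RC4_HMAC, PREAUTH_NONE, "10.0.0.5"),
    _as("2024-05-01T09:03:00", "bob@CORP.LOCAL", "0x12", "2", "10.0.0.31"),
]


def detect_kerberoasting(events, threshold=KERBEROAST_THRESHOLD, window=WINDOW):
    """Return {requesting account: sorted distinct RC4 service names} for every
    account that requested >= threshold distinct RC4 service tickets within window."""
    per_account = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Computer accounts and krbtgt are not Kerberoasting targets; drop them to cut noise.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[e["TargetUserName"]].append((_ts(e["TimeCreated"]), svc))

    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        hits = set()
        for i, (start, _) in enumerate(reqs):
            # Distinct services requested in the window opening at this event.
            in_window = {s for t, s in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                hits |= in_window
        if hits:
            flagged[account] = sorted(hits)
    return flagged


def detect_asrep_roasting(events):
    """Return 4768 requests served without pre-authentication. Such accounts are
    AS-REP roastable whoever sent the request; RC4 on the same event is the usual
    offline-cracking pattern, so it is reported alongside."""
    return [
        {"account": e["TargetUserName"], "ip": e["IpAddress"],
         "rc4": e["TicketEncryptionType"] == RC4_HMAC}
        for e in events
        if e["EventID"] == 4768 and e["PreAuthType"] == PREAUTH_NONE
    ]


if __name__ == "__main__":
    for acct, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(services)}")
    for hit in detect_asrep_roasting(SAMPLE_EVENTS):
        print(f"no pre-auth TGT for {hit['account']} from {hit['ip']} (rc4={hit['rc4']})")
```

The two heuristics map directly onto the remediation items listed in the roadmap: the AS-REP findings identify accounts on which the "do not require pre-authentication" flag should be cleared, and RC4 service-ticket volume drops away once service accounts are moved to AES-only encryption types and long, managed passwords (gMSA), which is what closes the Kerberoasting path rather than the detection alone.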
Deliverables
BloodHound Attack Path Report
Exported BloodHound graph data with annotated attack path diagrams showing every viable escalation route to Domain Admin, ranked by hop count, exploitability, and business impact.
Executive Risk Summary
Board-ready narrative covering the simulated attacker's path to domain dominance, the business consequence of a real compromise, and strategic investment priorities for AD security hardening.
Technical Findings Report
Comprehensive documentation of every vulnerability, misconfiguration, and attack technique exploited — with ATT&CK mapping, CVSS risk ratings, proof-of-concept evidence, and detailed remediation guidance for each finding.
AD Hardening Roadmap
Prioritised 30/60/90-day remediation plan covering tiered administration model implementation, legacy protocol disablement, ACL remediation, Kerberos delegation cleanup, and GPO hardening — with effort estimates and quick-win identification.
Azure AD / Entra ID Security Baseline Report
Dedicated findings and recommendations for hybrid identity and cloud AD exposures — including Conditional Access gaps, service principal risks, PIM misconfiguration, and Azure AD Connect security posture.
CERT-In Compliant Audit Certificate
Signed assessment certificate from a CERT-In empanelled organisation, accepted for regulatory compliance submissions and internal audit requirements.
Request a Security Assessment
Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.