Window from vulnerability discovery to exploitation has gone from weeks to hours.
Active Directory security audit: the chain to Domain Admin.
Kerberoasting, AS-REP roasting, ADCS ESC1-8, LAPS ACL abuse, NTLM relay through mitm6, unconstrained delegation, GPO ownership. We chain six low-severity findings into one proof-of-exploit at Domain Admin. CREST-conducted with a free re-test.
Research-driven testing. Audit-ready reports.
Full attack surface coverage
Authentication, business logic, API endpoints, session management, not just OWASP Top 10.
Working proof-of-exploit
Every finding includes a reproducible PoC and video, developer-ready, not just a CVSS score.
Re-test included
We verify your fixes at no extra cost. One engagement, closed-loop, not a revolving invoice.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Scope.
Every AD bug class we test.
Eight surfaces picked per your forest, not a generic checklist.
Kerberos abuse
Kerberoast, AS-REP roast, ticket replay, RC4 hash to offline crack via hashcat, golden and silver ticket forgery.
NTLM relay paths
Responder for NTLMv2 capture, mitm6 IPv6/WPAD, PetitPotam coerce, relay to LDAPS, SMB signing audit, NTLM downgrade through SPN spoof.
ADCS ESC1 to ESC8
Misconfigured templates, EDITF_ATTRIBUTESUBJECTALTNAME2, ENROLLEE_SUPPLIES_SUBJECT, web enrollment endpoint, every ESC path tested.
LAPS and ACL abuse
ms-Mcs-AdmPwd ACL leakage across tier-2, GenericAll over OUs, WriteDACL on object, DCSync rights, dangerous ACEs.
GPO and group nesting
Editable GPOs, nested AdminSDHolder bypass, Authenticated Users with elevated rights, Group Policy Preferences password recovery.
Delegation flaws
Unconstrained delegation with print spooler coerce, constrained delegation S4U2Proxy, resource-based constrained delegation abuse.
Trusts and forest
Cross-domain trust enumeration, SID history abuse, parent and child trust transitive paths, foreign-trust account exploitation.
Hybrid identity
Entra Connect sync account compromise, Pass-through-auth agent attack, PHS abuse, on-prem-to-cloud token theft via PRT.
Accreditations.
AD ATTACK SURFACE.
Eight named bug classes that close the chain to Domain Admin in real engagements.
- 01 Kerberoast to admin
SPN ticket request, RC4 hash extraction, offline crack via hashcat, reuse against linked SQL.
- 02 NTLM relay to ADCS
PetitPotam coerce, relay NTLM to ADCS web enrollment, ESC8 web-enrollment for domain admin certificate.
- 03 ADCS template abuse
ESC1 to ESC8 templates with EDITF or ENROLLEE_SUPPLIES_SUBJECT, certificate impersonation across tiers.
- 04 LAPS ACL traversal
Misconfigured ms-Mcs-AdmPwd ACL, read plaintext local admin password across the tier-2 fleet.
- 05 Unconstrained delegation
Print spooler coerce against a host with unconstrained delegation, capture TGT, escalate to DA.
- 06 GPO ownership
Editable GPO discovery, immediate scheduled-task push to every Authenticated User.
- 07 Hybrid identity bridge
Entra Connect sync account compromise, Pass-through-auth agent attack, on-prem to cloud admin via PRT theft.
Bug-class depth.
What a scanner sees, and what we exploit.
Every AD engagement we run lands at Domain Admin through one of six chain classes. The diagram below shows what the engagement actually exploits, named primitive by named primitive, so your AD team knows what to expect and what to fix. BugDazz Autonomous keeps watching the same surface between engagements, flagging ACL drift, new ADCS templates, and SPN exposure as they ship.
AD AUDIT METHODOLOGY.
Eight phases. Every finding verified closed-loop.
Scoped to your forest, not a generic checklist.
Forest enumeration
Domain controllers, sites, trusts, GPO inventory, OU hierarchy. AD module + LDAP queries, no auth required.
Credential access
Responder for NTLMv2, mitm6 for IPv6 takeover, AS-REP roast on pre-auth-disabled accounts, Kerberoast on SPN-bound services.
ADCS audit
Every ESC1 to ESC8 template tested. Web enrollment endpoint probed for PetitPotam-to-cert chain. EDITF flag review.
ACL and LAPS
BloodHound + custom queries for GenericAll, WriteDACL, ms-Mcs-AdmPwd read paths. LAPS plaintext extraction across tier-2.
Delegation paths
Unconstrained, constrained, RBCD enumerated. Print spooler coerce, S4U2Proxy, cross-tier abuse simulated.
Trust and hybrid
Cross-domain trust transitivity, SID history abuse, Entra Connect sync account audit, hybrid identity bridge.
Chained findings
Combine low-severity findings into one proof-of-exploit at Domain Admin. Documented step-by-step.
Re-test and closure
Free re-test after fixes. Written attestation per finding, regulator-ready PDF for SOC 2 / ISO 27001 / CERT-In auditors.
BugDazz Autonomous.
Continuous AD posture between engagements.
When the audit closes, BugDazz keeps watching the forest. New ADCS templates, new SPN exposure, ACL drift, GPO ownership changes, all flagged the day they ship.
ADCS template drift
Every new template surfaced and ESC-tested on creation.
ACL changes
WriteDACL, GenericAll, LAPS ACL drift caught at deploy.
SPN exposure
New service-account SPNs surfaced for Kerberoast review.
Re-test on demand
One click to re-verify a finding after your fix lands.
Deliverables.
A report your auditor accepts. Your AD team can act on.
Working step-by-step chain per finding, code-level and config-level remediation, a re-test to confirm the patch. CREST-aligned, accepted by SOC 2, ISO 27001, PCI DSS, HIPAA, and FedRAMP auditors.
CREST-accredited report. Accepted by:

- FedRAMP
Reproducible PoC + Video
Every finding ships with a working exploit and screen recording. Your developers see exactly what an attacker sees, no guesswork, no chasing us for clarification.
Code-Level Fix Guidance
Remediation written for engineers, not auditors. Specific code changes, library recommendations, and config fixes, not a list of CWEs to Google.
Re-test Included
Every finding is re-tested once your team ships the fix, at no extra cost. One engagement, closed loop. You get written confirmation, not just a closed ticket.
Compliance-Ready Report
CREST-accredited report accepted by SOC 2, ISO 27001, PCI DSS, and HIPAA auditors out of the box. No re-scoping, no addenda, no extra calls with your audit team.
Insights.
Recent AD research from the SL7 lab.
Published advisories, methodology updates, and write-ups from AD engagements.
Meet our expert
John Dill
vCISO at SecureLayer7
15+
Years in offensive security
150+
Engagements led to date
99.99%
On-time engagement delivery
John scopes AD audits from the buyer's threat model, then carries findings through to detection-engineering handoff. He has led CREST-conducted AD operations against banking, healthcare, government, and enterprise SaaS forests.
- Leads CREST-conducted AD audits from scoping to re-test.
- Translates ADCS, Kerberos, and ACL findings into board-level risk decisions.
- Owns post-engagement handoff to your AD admin and detection team.

Ready to scope an AD audit? Book a 30-minute call with John.
Common procurement questions.
What buyers ask before a first AD audit.
Have a procurement question we did not answer?
For startups.
Need this before your next SOC 2 audit.
Five-day AD audit with re-test, CREST-aligned attestation, and a flat startup price. Built for teams that have to close a Series A audit or an enterprise procurement deal next quarter.
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
FinTech
Domain-trust paths, ADCS ESC, and Tier-0 escalation in regulated banking environments.
HealthTech
AD identity perimeters fronting EHR, HIP/HIU exchanges, and ABDM endpoints.
Tech SaaS
Hybrid AD + Entra ID tenant boundaries for multi-tenant SaaS shipping into enterprise.
Sample engagement report.
Request a sample AD audit report.
A senior consultant will share a redacted sample after a quick scoping intake. Sent within one business day.