What users see is not always what attackers find
Active Directory is at the heart of many corporate networks - and a preferred target for attacks. Our AD penetration test simulates attacks from the inside, uncovers incorrect assignment of rights, configuration deficiencies and undiscovered attack paths in your domain structure.
When a standard user becomes a danger - Active Directory targeted protection
An internal user with standard rights, no administrator access and no special knowledge. And yet: in one of our tests, precisely this initial situation was enough to gain complete control over the Windows domain within a few hours through incorrect authorizations, unsecured protocols and a lack of segmentation.
Without malware. Without exploits. Only with the possibilities that real attackers use every day.
Active Directory is at the heart of many corporate networks and a popular target. This is precisely why a targeted AD penetration test is crucial.
What is an AD penetration test?
An Active Directory penetration test is a targeted security check of your Windows domain structure, as is typically used in corporate networks.
We simulate the path of an internal attacker, for example via a compromised employee device, and analyze how far they could move through the Active Directory. The aim is to uncover vulnerabilities in authorizations, user structures, group policies, network services and internal communication before they are exploited in reality.
Active Directory forms the backbone of user management and rights assignment in almost every company, and yet it is often neglected.
In many cases, the AD structure grows over the years. New users, old groups and temporary authorizations accumulate. Much of this remains in place, even if it is no longer needed. This is precisely what creates attack paths that are not visible in any diagram, but can be exploited in practice.
An AD penetration test helps you to uncover outdated structures, correct misconfigurations and permanently secure your domain structure before small weaknesses become major security vulnerabilities.
We analyze, among other things:
- User & group permissions: Weak passwords, privileged groups, role abuse
- Attack graphs: Calculating attack paths to privileged accounts (BloodHound)
- GPO vulnerabilities: Insecure group policies or scripts
- Pass-the-Hash & Credential Reuse: Reused or storable credentials
- Kerberos abuse: Kerberoasting, AS-REP Roasting, Overpass-the-Hash
- Network shares & vulnerabilities: Uncontrolled access to internal resources
- Protocol analysis: Insecure protocols such as SMBv1, NTLMv1, LDAP without TLS
In hardly any other environment are authorizations, group policies and roles as closely intertwined as in an Active Directory. This is precisely why it is not enough to just check individual systems. A structured approach is required that takes relationships, side effects and potential attack paths into account holistically.
Our approach is targeted, comprehensible and secure:
Scoping & preparation
- Clear demarcation of the test environment
- Joint definition of user roles & visibility
Initial access & enumeration
- Use of a standard user account
- Collection of information: Users, groups, systems, policies
Identify attack paths
- Calculation of possible paths to higher rights (with BloodHound)
- Identification of weak configurations and access rights
Exploitation (controlled)
- Traceable attack simulation for vulnerabilities (e.g. privilege escalation, pass-the-hash)
- No damage: no changes to the system state
Report & Conclusion
- Executive summary
- Technical report incl. risk classification (CVSS)
- Recommendations for immediate measures & sustainable improvements
- On request: Joint final discussion & retest to confirm closed gaps