SEKurity GmbH

ACTIVE DIRECTORY TESTS

Kerberos, ACLs, ADCS and what's behind it.

Active Directory remains the central nervous system of most enterprise networks and therefore the primary target of any serious attacker. Our AD tests are dedicated, BloodHound-driven and follow the established attack paths against Kerberos, ACLs, ADCS and delegation.

01 · KERBEROS

AS-REP, Kerberoasting, delegation.

We check for AS-REP roastable accounts, kerberoastable service accounts with weak passwords, unconstrained delegation on non-DC hosts, constrained delegation with protocol transition and resource-based constrained delegation as the current abuse path. Using concrete BloodHound graphs we show the shortest path from a standard user to Tier-0.

02 · ADCS

ESC1 through ESC15, end to end.

Active Directory Certificate Services is the most underestimated part of every AD environment. We review all known ESC misconfigurations from ESC1 (template misissuance) to ESC11 (relay to HTTP enrollment) and newer variants. Often a single poorly configured certificate template allows direct domain takeover by any authenticated user.

03 · TIER-0

GPOs, ACLs, LAPS, gMSA.

We evaluate adherence to the tier model: who can administer Tier-0 objects? Which GPOs link to domain controllers? Which ACL paths lead from Tier-2 into Tier-0? Is LAPS rolled out everywhere? Is gMSA used correctly? We also analyse DCSync rights, AdminSDHolder anomalies and shadow admins that are not members of the well-known privileged groups.

READY

Find an AD path before someone else does.

Our work is BloodHound-based and reproducible, and it comes with clear recommendations for a containment strategy. No Kerberoast dump without context.