Entra ID & Active Directory
Hardening & Attack Path Analysis

Deep technical assessment of your identity infrastructure using BloodHound, manual analysis and adversary tradecraft — identifying the privilege escalation paths that lead to domain compromise.

Entra ID and Active Directory Attack Path Analysis

Active Directory Attack Path Analysis

Active Directory remains the backbone of enterprise authentication — and the primary target for threat actors seeking domain dominance. A single misconfigured delegation, an over-privileged service account or a stale nested group membership can create an unbroken attack path from standard user to Domain Admin.

We use BloodHound — the industry-standard graph-based attack path mapping tool — combined with manual exploitation techniques to enumerate every relationship in your directory and surface the paths that matter. Our assessments go beyond automated scans to validate real-world exploitability.

Assessment Scope

  • BloodHound Attack Path Mapping
  • Kerberos Security (AS-REP, Kerberoasting)
  • AD Delegation & ACL Abuse
  • Entra ID Conditional Access Review
  • Tier Model & Privilege Isolation
  • GPO Security Assessment

Visualising Attack Paths in Your Directory

BloodHound ingests Active Directory and Entra ID data to build a graph of every user, group, computer, GPO and trust relationship. Our analysts then query this graph to identify the shortest and most dangerous paths to your highest-value targets.

Attack Path: Standard User → Domain Admin via Nested Group Membership
BloodHound attack path showing privilege escalation from standard user to domain admin through nested group memberships

A common finding: a standard user account holds membership in a group that is nested three levels deep into Domain Admins. The user — and often the IT team — has no visibility of this inherited privilege. BloodHound surfaces these hidden relationships instantly.

Kerberoasting: Service Account Credential Extraction via SPN
BloodHound Kerberoasting attack path showing SPN-based credential extraction

Kerberoasting targets service accounts with registered Service Principal Names (SPNs). Any authenticated domain user can request a Kerberos service ticket for these accounts; the ticket is encrypted with a key derived from the service account's password, so it can be cracked offline to recover that password. When the service account has Domain Admin privileges — a depressingly common misconfiguration — the entire domain falls.

Lateral Movement: Workstation Hopping to Domain Controller via DCSync
BloodHound lateral movement map showing path from compromised workstation to domain controller

Lateral movement chains are the bread and butter of post-compromise operations. An attacker compromises a single workstation, harvests cached credentials, moves to the next machine, and repeats — until they reach an account with Replicating Directory Changes rights, enabling a DCSync attack that extracts every password hash in the domain.

Kerberos Hardening

Identifying and remediating AS-REP Roastable accounts, Kerberoastable SPNs, unconstrained delegation and golden/silver ticket attack surfaces across your domain.

Tier Model Implementation

Designing and validating AD administrative tier models (Tier 0/1/2) to prevent credential theft cascading from workstations to domain controllers. Includes PAW guidance and LAPS deployment review.

Entra ID & Conditional Access

Reviewing Entra ID (Azure AD) Conditional Access policies, PIM role assignments, app registrations, consent grants and hybrid join trust boundaries for misconfigurations that bypass MFA or grant excessive privilege.

Common Findings

Across hundreds of AD assessments, we consistently find the same critical misconfigurations that enable domain compromise. These are not theoretical risks — they are the exact paths ransomware groups and APT actors exploit in the wild:

  • Service accounts with Domain Admin privileges and weak passwords
  • Unconstrained delegation on member servers
  • Stale admin accounts with passwords unchanged for years
  • GPO permissions allowing unprivileged modification
  • Missing LAPS deployment on workstations
  • Conditional Access policies with device-trust gaps
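The first four findings in the list above can be checked from the directory itself before an assessment. The script below is an added example, not the assessment team's own tooling; it assumes the RSAT ActiveDirectory module, a read-only domain account, and a 365-day staleness threshold, all of which are assumptions for illustration.

```powershell
# Added audit example (not the assessment team's code). Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the directory.
Import-Module ActiveDirectory

$staleDays = 365                                  # assumed threshold
$cutoff    = (Get-Date).AddDays(-$staleDays)
$findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Finding, [string]$Account, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Finding = $Finding; Account = $Account; Detail = $Detail })
}

# Effective Domain Admins, expanded through nested groups (the hidden
# membership BloodHound surfaces as a path to a Tier 0 target).
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' | ForEach-Object SamAccountName

# Finding 1: user objects with an SPN are Kerberoastable; flag those that are
# also effective Domain Admins, because that combination loses the domain.
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties PasswordLastSet | ForEach-Object {
    $label = if ($domainAdmins -contains $_.SamAccountName) { 'SPN account is an effective Domain Admin' }
             else { 'SPN account (Kerberoastable)' }
    Add-Finding $label $_.SamAccountName "PasswordLastSet=$($_.PasswordLastSet)"
}

# AS-REP roastable: DONT_REQUIRE_PREAUTH (0x400000) set on the user object.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' | ForEach-Object {
    Add-Finding 'Pre-authentication not required (AS-REP roastable)' $_.SamAccountName ''
}

# Finding 2: unconstrained delegation (TRUSTED_FOR_DELEGATION, 0x80000) on any
# computer that is not a domain controller (primary group 516) or RODC (521).
Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -notin 516, 521 } | ForEach-Object {
        Add-Finding 'Unconstrained delegation on member server' $_.Name ''
    }

# Finding 3: effective Domain Admins whose password has not changed in $staleDays
# days (a never-set PasswordLastSet is treated as stale).
foreach ($sam in $domainAdmins) {
    $u = Get-ADUser -Identity $sam -Properties PasswordLastSet
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) {
        Add-Finding 'Stale Domain Admin password' $sam "PasswordLastSet=$($u.PasswordLastSet)"
    }
}

$findings | Sort-Object Finding, Account | Format-Table -AutoSize
```

The GPO-permission and LAPS findings need ACL and per-computer attribute checks that this script does not cover; treat its output as a starting point for the manual review described above, not as a substitute for it.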

Our Toolkit

  • BloodHound CE & SharpHound
  • Impacket Suite
  • Rubeus & Certify
  • Mimikatz
  • PingCastle
  • Purple Knight

Harden Your Identity Infrastructure

Book an AD & Entra ID security assessment with our identity security specialists.