Every internal pentest we run, the same five or six findings show up. Different industries, different sizes, different IT teams. The same AD problems keep surfacing.
A recent engagement: domain with about 450 user accounts. Inside two hours we had three Kerberoastable service accounts (one cracked to a weak password in minutes), AS-REP roastable accounts on two legacy service identities, an ADCS template that any authenticated user could enrol in with Client Authentication extended key usage enabled, and a BloodHound path to Domain Admin that went through an ACL misconfiguration on a helpdesk group.
The domain had passed its most recent external audit.
This is not unusual. A proper Active Directory security assessment looks at the identity plane the way an attacker does, and finds the paths that do not show up in whatever baseline scan the IT team is already running.
Why AD is the target
Active Directory is where business logic meets operating-system trust. Accounts, groups, policies, DNS, Kerberos tickets, certificate templates, computer objects, delegation rules. If an attacker owns AD, they own the enterprise.
Ransomware groups know this. Mandiant’s M-Trends 2026 reporting on 2025 incident data shows that while attacker dwell time in compromised environments still measures in days, the handoff from initial access to the operator who will exfiltrate or encrypt has collapsed from hours in 2022 to seconds now. That handoff is almost always the moment the attacker starts doing AD reconnaissance, because AD is the shortest path to the data they want to encrypt or exfiltrate.
The defender side is harder. Microsoft’s own hardening work has been accelerating (see the 2026 deprecation clock below), but most of what we find on assessments is not zero-day vulnerabilities. It is configuration drift in an identity system that has been running since 2014, inherited by three generations of sysadmins, and never had a thorough security review.
The attacks we find on nearly every assessment
Six techniques that show up on almost every internal engagement. All are MITRE ATT&CK-catalogued. All are still front-line in 2026.
Kerberoasting (T1558.003)
Any domain user can request a Kerberos TGS ticket for any service with a registered SPN. The ticket is encrypted with the service account’s password hash. Crack the hash offline, you have the service account password. If that service account is a member of Domain Admins (which you see more often than you should), you have the domain.
What we look for: service accounts with weak passwords, service accounts in privileged groups, and service accounts still using RC4 encryption (etype 23) which cracks fastest. Microsoft is deprecating RC4 through 2026 but it remains widely enabled for backward compatibility.
AS-REP Roasting (T1558.004)
Accounts with “Do not require Kerberos preauthentication” set can be targeted without authenticating first. Request an AS-REP, get a portion encrypted with the account’s password hash, crack offline. Same process as Kerberoasting but against regular user accounts rather than service accounts.
We see this on old service identities and on user accounts where someone unchecked the preauth requirement a decade ago to make a legacy app work. Nobody remembered to set it back.
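The triage behind both roasting findings, as an added example that is not the engagement tooling described above. It runs over a constructed user export (the account names, groups and dates are invented) using the LDAP attribute names, and ranks exposed accounts by what a cracked password would buy. On a real assessment the input is an LDAP query for accounts with servicePrincipalName set or the DONT_REQ_PREAUTH bit in userAccountControl.

```python
"""Triage an AD user export for Kerberoasting and AS-REP roasting exposure.

Added example with constructed data: the accounts, groups and dates below are
invented, not a real export. Attribute names follow LDAP.
"""
from datetime import datetime, timezone

# userAccountControl bits (well-known values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

# Membership in any of these turns a roastable account into a domain-compromise finding.
PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=local",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=local",
    "CN=Administrators,CN=Builtin,DC=corp,DC=local",
}

# Fixed "today" so the sample output is reproducible.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)

SAMPLE_USERS = [  # constructed
    {"sAMAccountName": "svc_sql",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "userAccountControl": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"],
     "pwdLastSet": datetime(2018, 3, 9, tzinfo=timezone.utc)},
    {"sAMAccountName": "svc_legacyapp",
     "servicePrincipalName": [],
     "userAccountControl": 0x410200,  # ... | DONT_REQ_PREAUTH
     "memberOf": [],
     "pwdLastSet": datetime(2016, 7, 1, tzinfo=timezone.utc)},
    {"sAMAccountName": "svc_web",
     "servicePrincipalName": ["HTTP/intranet.corp.local"],
     "userAccountControl": 0x10200,
     "memberOf": [],
     "pwdLastSet": datetime(2026, 1, 15, tzinfo=timezone.utc)},
    {"sAMAccountName": "svc_old",
     "servicePrincipalName": ["HTTP/old.corp.local"],
     "userAccountControl": 0x10202,  # ... | ACCOUNTDISABLE
     "memberOf": [],
     "pwdLastSet": datetime(2015, 1, 1, tzinfo=timezone.utc)},
    {"sAMAccountName": "jsmith",
     "servicePrincipalName": [],
     "userAccountControl": 0x200,
     "memberOf": [],
     "pwdLastSet": datetime(2026, 3, 2, tzinfo=timezone.utc)},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def triage(users, now=NOW, max_age_days=365):
    """Return roasting findings, most severe first.

    An account is exposed when it has an SPN (Kerberoastable) or has
    pre-authentication disabled (AS-REP roastable). Severity follows what
    the cracked password buys: privileged membership is critical, an old
    password (long crack window, probably set under a weaker policy) is high.
    """
    findings = []
    for u in users:
        uac = u["userAccountControl"]
        if uac & UAC_ACCOUNTDISABLE:
            continue  # no ticket is issued for a disabled account
        reasons = []
        if u["servicePrincipalName"]:
            reasons.append("Kerberoastable (SPN set)")
        if uac & UAC_DONT_REQ_PREAUTH:
            reasons.append("AS-REP roastable (pre-authentication not required)")
        if not reasons:
            continue
        privileged = [g for g in u["memberOf"] if g in PRIVILEGED_GROUPS]
        age_days = (now - u["pwdLastSet"]).days
        if privileged:
            reasons.append("member of privileged group: " + ", ".join(privileged))
        if age_days > max_age_days:
            reasons.append(f"password last set {age_days} days ago")
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            reasons.append("password never expires")
        if privileged:
            severity = "critical"
        elif age_days > max_age_days:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"account": u["sAMAccountName"], "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_USERS):
        print(f"[{f['severity']}] {f['account']}: " + "; ".join(f["reasons"]))
```

The disabled account is skipped deliberately: it cannot be roasted, so it belongs in the hygiene list rather than the exposure list.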
DCSync (T1003.006)
DCSync impersonates a domain controller and requests password hashes via the directory replication service (DRS) protocol. Remote. No code execution on the DC. Any principal with Replicating Directory Changes and Replicating Directory Changes All rights can perform it: Domain Admins, Enterprise Admins, built-in Administrators, the DCs themselves, and anyone those groups have delegated rights to.
Microsoft has not changed this default-enabled behaviour. DCSync remains the standard credential-extraction path once initial AD foothold is established. The assessment question is who else has those rights, beyond the expected groups. The answer is usually more people than the blue team realised.
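Answering the "who else has those rights" question, as an added example rather than the assessment team's own script. It walks a constructed ACE list standing in for the domain head's DACL (the trustees svc_backup, svc_adconnect, helpdesk-l2 and contractor-old are invented), resolves the two replication control-access rights plus GenericAll, and reports every holder outside the expected set.

```python
"""List principals that can DCSync, from the domain head's DACL.

Added example over a constructed ACE list (the non-default trustee names are
invented). The shape mirrors a security-descriptor read of DC=corp,DC=local:
trustee, allow/deny, access mask, object-type GUID.
"""
# Control-access-right GUIDs for directory replication
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPL_RIGHTS = {
    GET_CHANGES: "Replicating Directory Changes",
    GET_CHANGES_ALL: "Replicating Directory Changes All",
    GET_CHANGES_FILTERED: "Replicating Directory Changes In Filtered Set",
}

# Access-mask bits that matter here
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # the extended right named by object_type
ADS_RIGHT_GENERIC_ALL = 0x10000000    # implies every extended right

# Principals that legitimately hold replication rights on a healthy domain head
EXPECTED = {
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
    "CORP\\Domain Controllers", "CORP\\Enterprise Domain Controllers",
    "CORP\\Enterprise Read-only Domain Controllers",
    "CORP\\Domain Admins", "CORP\\Enterprise Admins",
}


def ace(trustee, mask, object_type=None, kind="allow"):
    return {"trustee": trustee, "type": kind, "mask": mask, "object_type": object_type}


SAMPLE_ACES = [  # constructed
    ace("NT AUTHORITY\\SYSTEM", ADS_RIGHT_GENERIC_ALL),
    ace("BUILTIN\\Administrators", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("BUILTIN\\Administrators", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("CORP\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("CORP\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("CORP\\Enterprise Read-only Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_FILTERED),
    ace("CORP\\svc_backup", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("CORP\\svc_backup", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("CORP\\svc_adconnect", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("CORP\\svc_adconnect", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("CORP\\helpdesk-l2", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("CORP\\contractor-old", ADS_RIGHT_GENERIC_ALL),
    ace("CORP\\contractor-old", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL, kind="deny"),
]


def replication_rights(aces):
    """Map trustee -> replication rights still allowed after denies.

    Simplification: a deny for a trustee removes that right regardless of ACE
    order or inheritance, and trustees are taken as listed. Real evaluation
    also expands group membership, so feed this the group-resolved set.
    """
    allowed, denied = {}, {}
    for a in aces:
        if a["mask"] & ADS_RIGHT_GENERIC_ALL:
            rights = set(REPL_RIGHTS)
        elif a["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS:
            if a["object_type"] is None:          # no GUID = all extended rights
                rights = set(REPL_RIGHTS)
            elif a["object_type"] in REPL_RIGHTS:
                rights = {a["object_type"]}
            else:
                continue                          # some other extended right
        else:
            continue
        bucket = denied if a["type"] == "deny" else allowed
        bucket.setdefault(a["trustee"], set()).update(rights)
    effective = {}
    for trustee, rights in allowed.items():
        remaining = rights - denied.get(trustee, set())
        if remaining:
            effective[trustee] = remaining
    return effective


def dcsync_findings(aces, expected=EXPECTED):
    """Return (trustee, note) for every unexpected holder of replication rights."""
    out = []
    for trustee, rights in sorted(replication_rights(aces).items()):
        if trustee in expected:
            continue
        if {GET_CHANGES, GET_CHANGES_ALL} <= rights:
            out.append((trustee, "can DCSync: holds both Get-Changes and Get-Changes-All"))
        else:
            names = ", ".join(sorted(REPL_RIGHTS[r] for r in rights))
            out.append((trustee, "partial replication rights: " + names))
    return out


if __name__ == "__main__":
    for trustee, note in dcsync_findings(SAMPLE_ACES):
        print(f"{trustee}: {note}")
```

Partial holders are reported too: Get-Changes on its own does not allow DCSync, but it is rarely granted on purpose and is usually half of a mistake.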
NTLM Relay (T1557.001)
LLMNR, NBT-NS and mDNS are name-resolution protocols that fall back when DNS fails. A machine on the same broadcast domain can respond to those queries and harvest the victim’s NTLM credentials, then relay them to another system to authenticate as the victim.
NTLM relay had a revival in 2025 with CVE-2025-54918, an NTLM-over-LDAP authentication bypass that defeats the channel binding and LDAP signing protections. CrowdStrike published technical analysis. Channel binding and LDAP signing were the last defensive lines Microsoft recommended. They are not sufficient on their own.
Pass-the-Hash and Pass-the-Ticket (T1550.002, T1550.003)
If you have the NTLM hash of an account, you can authenticate as that account without knowing the password. If you have a Kerberos TGT or TGS, you can use it directly. Credential Guard and LSA protection mitigate some of this on Windows 11 and Server 2022 onwards, but older domain-joined systems (Windows 10 still widely deployed, Server 2016/2019 still in production at most SA mid-market firms) remain exposed.
ACL abuse
The forgotten attack surface. BloodHound’s primary value is enumerating the graph of who has write access to what across the entire domain. Every GenericAll, WriteDACL, AddMember, ForceChangePassword, WriteOwner and AllExtendedRights relationship is a potential privilege-escalation edge.
Helpdesk groups with ACL rights they did not need. Service accounts with AddMember rights on privileged groups they should not control. Users who were promoted a decade ago, demoted later, but never had their ACL grants reverted. We find all of this on every engagement.
ADCS: the quiet escalation path
Active Directory Certificate Services (ADCS) is often the fastest path to domain compromise, and often the least-well-understood by internal teams.
The SpecterOps “Certified Pre-Owned” catalogue, first published in 2021, now spans ESC1 through ESC16 misconfigurations. Additions since 2021 include:
- ESC14 (SpecterOps, February 2024): explicit certificate mapping abuse via altSecurityIdentities
- ESC15 / CVE-2024-49019 “EKUwu”: V1 certificate template Application Policies override, patched by Microsoft late 2024
- ESC16: CA-side misconfiguration where the SID security extension (szOID_NTDS_CA_SECURITY_EXT) is not embedded in issued certificates, breaking the authentication strong-mapping enforcement added after CVE-2022-26923
Microsoft shipped strong certificate mapping changes after CVE-2022-26923, with domain controllers moved to full enforcement in February 2025. Those changes closed some escalation paths. Most of the ESC1-ESC13 catalogue remains customer-side misconfiguration that still needs manual review. A real AD assessment enumerates every certificate template and every CA configuration setting against the full ESC catalogue.
The tool of choice in 2026 is Certipy (ly4k) for cross-platform enumeration. SpecterOps released Certify 2.0 in August 2025 with updated parsing for ESC11, ESC15 and ESC16 for Windows-native use.
One finding we keep seeing: a certificate template called something like “SmartcardLogon” that was enabled during a pilot project, never used in production, and left with Client Authentication EKU, low-privileged Enroll rights, and EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA. Any authenticated user can enrol as Domain Admin.
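The template review that catches the finding above, as an added example (not Certipy or Certify, and not the firm's own checker). It evaluates constructed template records against the ESC1 conditions (enrollee supplies subject, logon-capable EKU, low-privileged Enroll, no manager approval or authorised signature) and, when the CA carries EDITF_ATTRIBUTESUBJECTALTNAME2, flags every low-privileged authentication template under ESC6. Template names and enroll rights are invented; the flag bits and EKU OIDs are the published values.

```python
"""Flag certificate templates enrollable by low-privileged principals for a
logon-capable certificate (ESC1), and every authentication template exposed
when the CA accepts caller-supplied SANs (ESC6).

Added example over constructed template and CA records.
"""
# msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag bits
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # CA manager approval required
# CA policy-module EditFlags bit
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

# EKUs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def template(name, ekus, name_flag, enroll, enabled=True, enrollment_flag=0, ra_sig=0):
    return {"name": name, "pKIExtendedKeyUsage": ekus, "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enrollment_flag, "msPKI-RA-Signature": ra_sig,
            "enroll": enroll, "enabled": enabled}


SAMPLE_TEMPLATES = [  # constructed
    template("SmartcardLogon", ["1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.5.7.3.2"],
             CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["Domain Users"]),
    template("User", ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"], 0, ["Domain Users"]),  # subject from AD
    template("WebServer", ["1.3.6.1.5.5.7.3.1"], CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["Domain Computers"]),
    template("LegacyVPN", ["1.3.6.1.5.5.7.3.2"], CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["Domain Users"],
             enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS),
    template("AdminSigning", ["1.3.6.1.5.5.7.3.2"], CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["Domain Admins"]),
    template("PilotLogon", ["1.3.6.1.5.5.7.3.2"], CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["Domain Users"],
             enabled=False),
]
SAMPLE_CA = {"name": "CORP-CA", "EditFlags": EDITF_ATTRIBUTESUBJECTALTNAME2}  # constructed


def allows_authentication(t):
    ekus = t["pKIExtendedKeyUsage"]
    return not ekus or any(e in AUTH_EKUS for e in ekus)   # empty EKU list = unrestricted


def low_priv_enrollable(t):
    return bool(LOW_PRIV & set(t["enroll"]))


def check_template(t, ca):
    """Return the ESC findings for one published template on the given CA."""
    issues = []
    if not t["enabled"] or not allows_authentication(t) or not low_priv_enrollable(t):
        return issues
    no_approval = not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    no_signature = t["msPKI-RA-Signature"] == 0
    if (t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) and no_approval and no_signature:
        issues.append("ESC1: enrollee supplies subject, auth EKU, low-priv enroll, no approval or signature")
    if (ca["EditFlags"] & EDITF_ATTRIBUTESUBJECTALTNAME2) and no_approval:
        issues.append(f"ESC6: CA {ca['name']} honours caller-supplied SAN for this auth template")
    return issues


def assess(templates, ca):
    """Map template name -> findings for every template with at least one."""
    result = {}
    for t in templates:
        issues = check_template(t, ca)
        if issues:
            result[t["name"]] = issues
    return result


if __name__ == "__main__":
    for name, issues in assess(SAMPLE_TEMPLATES, SAMPLE_CA).items():
        print(name, "->", "; ".join(issues))
```

Note what does not fire: manager approval on LegacyVPN and an admin-only Enroll on AdminSigning each break the chain, which is exactly the remediation choice for a template that has to stay published.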
What BloodHound shows
BloodHound converts AD permissions and trust relationships into a graph and lets you ask questions like “shortest path from any Domain User to Domain Admin.” We run BloodHound Community Edition (current release v8.9, April 2026) on every engagement. BloodHound 8.0 introduced OpenGraph on 29 July 2025 which extends the graph to Entra, GitHub, Okta, Snowflake and other non-AD platforms. That matters once you start assessing hybrid environments.
The value is not the tool. It is the pattern. On internal engagements we consistently find multiple viable paths to Domain Admin from a standard user account. The best-case paths involve multiple hops and specific conditions. The worst-case paths are two edges: a service account cracked from Kerberoasting and a group membership that should not exist. The assessment job is to find every path, prioritise them, and give the remediation team enough context to kill the critical ones without breaking production access.
The 2026 deprecation clock
Microsoft has been shipping meaningful AD hardening. Most SA enterprises are not on top of the timeline.
NTLM
Three-phase deprecation. Phase 1 (now) is auditing in Windows Server 2025 and Windows 11 24H2. Phase 2 (H2 2026) introduces IAKerb and Local KDC as Kerberos alternatives for scenarios that previously required NTLM. Phase 3 disables network NTLM by default in the next major Windows Server release after 2025. NTLMv1 is already removed in Server 2025 and Windows 11 24H2. In October 2026 the BlockNTLMv1SSO default flips to Enforce.
If you have applications that still need NTLM, now is the time to inventory them. Next year is too late.
RC4 Kerberos encryption
Microsoft’s “Beyond RC4 for Windows authentication” guidance (December 2025) set the RC4 deprecation schedule. January 2026: audit phase. April 2026: enforcement phase, domain controllers begin blocking implicit RC4 via assumed encryption types, DefaultDomainSupportedEncTypes defaults to AES-SHA1. July 2026: the RC4DefaultDisablementPhase registry workaround is removed. Associated advisory: CVE-2026-20833.
DES encryption is fully removed in Server 2025 and Windows 11 24H2. RC4 is heavily restricted but not yet fully gone.
Kerberoastable service accounts still using RC4 become audit failures first, and broken authentications second, as the 2026 enforcement phases roll out. Assessment should identify every account with msds-supportedencryptiontypes not set to AES-only.
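The encryption-type check that last sentence calls for, as an added example over constructed account records (not the firm's own script; names and values are invented, the bit values are the documented ones for msDS-SupportedEncryptionTypes). It decodes the bitmask, buckets each account for the deprecation timeline, drops AES-only accounts, and puts Kerberoastable accounts first because they fail the audit first and authentication second.

```python
"""Audit msDS-SupportedEncryptionTypes ahead of the 2026 RC4 enforcement phases.

Added example over constructed account records (names and values invented).
"""
ETYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
DES_BITS, RC4_BIT, AES_BITS = 0x03, 0x04, 0x38

SAMPLE_ACCOUNTS = [  # constructed
    {"sAMAccountName": "svc_sql", "hasSPN": True, "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "svc_legacy", "hasSPN": True, "msDS-SupportedEncryptionTypes": 0x4},
    {"sAMAccountName": "svc_old", "hasSPN": True, "msDS-SupportedEncryptionTypes": 0x7},
    {"sAMAccountName": "svc_unset", "hasSPN": True, "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_modern", "hasSPN": True, "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "jsmith", "hasSPN": False, "msDS-SupportedEncryptionTypes": None},
]


def decode(value):
    """Human-readable list of the encryption types enabled by a bitmask."""
    if not value:
        return []
    return [name for bit, name in ETYPES.items() if value & bit]


def classify(value):
    """Bucket a value by what the deprecation phases do to it."""
    if not value:
        return "unset"         # follows the DC's DefaultDomainSupportedEncTypes; not explicitly AES-only
    if value & DES_BITS:
        return "des-enabled"   # already removed on Server 2025 / 24H2
    if value & RC4_BIT:
        return "rc4-enabled"   # audit failure now, blocked as enforcement rolls out
    if value & AES_BITS:
        return "aes-only"
    return "unknown"           # bits outside the documented set


def audit(accounts):
    """Every account that is not AES-only, Kerberoastable ones first."""
    rows = []
    for a in accounts:
        value = a["msDS-SupportedEncryptionTypes"]
        status = classify(value)
        if status == "aes-only":
            continue
        rows.append({"account": a["sAMAccountName"], "status": status,
                     "enabled": decode(value), "kerberoastable": a["hasSPN"]})
    return sorted(rows, key=lambda r: (not r["kerberoastable"], r["account"]))


if __name__ == "__main__":
    for r in audit(SAMPLE_ACCOUNTS):
        flag = "SPN" if r["kerberoastable"] else "   "
        print(f"{flag} {r['account']:<12} {r['status']:<12} {', '.join(r['enabled']) or '-'}")
```

An account like svc_sql, with RC4 and AES both set, is the common case: AES is negotiated today, but the RC4 bit still lets a requester ask for the weaker ticket, which is why it stays on the list.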
LDAP hardening
Windows Server 2025 enables LDAP signing and channel binding by default for new AD deployments, killing naive LDAP and LDAPS relay scenarios. Combined with channel binding enforcement from the 2024 LdapEnforceChannelBinding changes, and CVE-2025-54918 fixes, the surface for LDAP credential-relay attacks is narrower than it was. Still not zero.
Windows LAPS
The native Windows LAPS (released April 2023) replaces the legacy Microsoft LAPS MSI. The legacy MSI is now blocked from installing on Windows 11 23H2 and later. Windows Server 2025 supports Windows LAPS natively. If your environment is still on legacy LAPS, migration is overdue.
Machine Account Quota
ms-DS-MachineAccountQuota still defaults to 10 in 2026. Microsoft has not changed this. Any authenticated domain user can add up to 10 computer objects to the domain, which feeds Resource-Based Constrained Delegation and Shadow Credentials attack chains. Recommended setting is 0.
Hybrid Entra ID considerations
Most SA mid-market enterprises run hybrid AD, synchronising on-prem AD to Entra ID (formerly Azure AD) via Entra Connect or Cloud Sync. This creates risks that a pure on-prem assessment misses.
The hard deadline worth noting: Entra Connect Sync versions older than v2.5.79.0 stop syncing after 30 September 2026. Azure AD Connect V1 was fully cut off October 2023. Running older versions means syncing stops, accounts get stale, and things break in ways that are difficult to diagnose.
The risks we look at on hybrid assessments:
- On-prem AD compromise pivoting to Entra. If the AD Connect or Cloud Sync server is compromised, the attacker can extract the service credentials used to write to Entra. BeyondTrust demonstrated this end-to-end at SO-CON 2025.
- AD Connect server tiering. The sync server should be treated as Tier 0 (Control Plane in the current Enterprise Access Model). Most of the time it sits in Tier 1 or Tier 2 with standard backup and helpdesk access.
- Seamless SSO computer account (AZUREADSSOACC$). The NTLM hash of this account, if extracted, lets an attacker forge Silver Tickets for Entra. The recommended mitigation is to rotate this account’s password every 30 days. Most organisations have not touched it since initial deployment.
- Federation trust abuse. The Solorigate pattern (2020) demonstrated that a compromised on-prem AD FS server can forge SAML tokens for any Entra user. Microsoft now actively discourages AD FS in favour of Password Hash Sync plus Seamless SSO, or Pass-Through Authentication. If you are still on AD FS, it is the highest-priority item to migrate.
What a real assessment delivers
A finding report is necessary but not sufficient. What we deliver:
- The full finding set with severity, exploitability context, and reproduction steps
- A BloodHound export (legally and reasonably scoped, not shared beyond the engagement)
- A prioritised remediation roadmap that accounts for operational impact. Removing a Domain Admin group membership during business hours is not a remediation, it is an outage.
- Detection rules for the blue team. If we used a technique to escalate, there should be a Sigma rule, a KQL query, or an alert that fires next time. Half the value of an assessment is giving the defender-side the detection coverage they were missing.
- A tier-model alignment assessment against Microsoft’s current Enterprise Access Model (Control Plane / Management Plane / Data Plane / User Access Plane). EAM replaced the classic Tier 0/1/2 model as Microsoft’s canonical privileged access guidance.
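What the detection deliverable for the Kerberoasting technique looks like in practice, as an added example (not the firm's rule set, and not a captured log). Two detections run over constructed Windows Security event 4769 records: a successful RC4 ticket issued for a user-account SPN, and one requester collecting tickets for many distinct services in a short window regardless of encryption type. The same logic translates directly into a Sigma rule or a KQL query over SecurityEvent.

```python
"""Two Kerberoasting detections over Windows Security event 4769 records.

Added example; the events are constructed, not captured logs. Field names are
the 4769 EventData names: TargetUserName is the requester, ServiceName the
account behind the SPN, TicketEncryptionType the etype (0x17 = RC4-HMAC).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, service, etype, status="0x0", ip="10.0.0.50"):
    return {"EventID": 4769, "TimeCreated": datetime.fromisoformat(ts), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}


SAMPLE_EVENTS = [  # constructed
    ev("2026-05-01T09:00:00", "alice@CORP.LOCAL", "SRV01$", "0x12"),
    ev("2026-05-01T09:00:05", "bob@CORP.LOCAL", "svc_sql", "0x17"),
    ev("2026-05-01T09:00:07", "alice@CORP.LOCAL", "svc_web", "0x12"),
    ev("2026-05-01T09:00:10", "carol@CORP.LOCAL", "krbtgt", "0x17"),
    ev("2026-05-01T09:00:20", "dave@CORP.LOCAL", "svc_old", "0x17", status="0x1b"),  # failed request
] + [
    # a burst of AES tickets for twelve different service accounts within twelve seconds
    ev(f"2026-05-01T09:01:{i:02d}", "jsmith@CORP.LOCAL", f"svc{i:02d}", "0x12") for i in range(12)
]


def is_user_spn_ticket(e):
    """Successful TGS for a user account's SPN: machine accounts ($) and krbtgt excluded.

    Machine-account passwords are long random values, so RC4 tickets for them
    are noise rather than crackable material; krbtgt is not a roasting target.
    """
    svc = e["ServiceName"]
    return (e["EventID"] == 4769 and e["Status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def rc4_user_spn_alerts(events):
    """Rule 1: RC4 (0x17) ticket issued for a user-account SPN."""
    return [{"requester": e["TargetUserName"], "service": e["ServiceName"],
             "ip": e["IpAddress"], "time": e["TimeCreated"]}
            for e in events
            if is_user_spn_ticket(e) and e["TicketEncryptionType"].lower() == "0x17"]


def spn_burst_alerts(events, threshold=10, window=timedelta(seconds=60)):
    """Rule 2: one requester, many distinct user-SPN tickets inside the window.

    Catches tooling that requests AES tickets and so evades rule 1.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_user_spn_ticket(e):
            by_user[e["TargetUserName"]].append((e["TimeCreated"], e["ServiceName"]))
    alerts = []
    for user, reqs in by_user.items():
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:   # slide the window forward
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"requester": user, "distinct_services": len(distinct),
                               "from": reqs[start][0], "to": reqs[end][0]})
                break   # one alert per requester is enough for triage
    return alerts


if __name__ == "__main__":
    for a in rc4_user_spn_alerts(SAMPLE_EVENTS):
        print("RC4 user-SPN ticket:", a)
    for a in spn_burst_alerts(SAMPLE_EVENTS):
        print("SPN request burst:", a)
```

Tune the burst threshold against a baseline first: monitoring and backup agents that legitimately touch many services will show up until they are allow-listed by requester.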
Compliance mapping
POPIA (South Africa)
AD access controls map to Condition 7 (Security Safeguards), sections 19 to 22 of the Act. Section 19 requires appropriate, reasonable technical and organisational measures against loss, damage, unauthorised destruction, unlawful access or unauthorised processing. Privileged access and credential management sit squarely inside this. The maximum administrative fine is ZAR 10 million. The Information Regulator launched its mandatory eServices Portal for reporting security compromises on 7 April 2025. A domain compromise that exposes personal information is a reportable breach.
PCI DSS 4.0.1
Requirement 8 (Identify Users and Authenticate Access) is the AD-relevant family:
- 8.2 Account lifecycle and management
- 8.3 Strong authentication (12-character minimum, rotation requirements)
- 8.4 MFA for non-console access into the cardholder data environment
- 8.5 MFA configuration requirements
- 8.6 Application and system accounts
Requirement 7 (Restrict Access by Business Need-to-Know) covers least-privilege. Requirement 10 covers audit logging on authentication and privileged commands. Logging retention is 12 months, with at least three months immediately available.
ISO 27001:2022
Annex A was reduced from 114 to 93 controls across four themes (Organisational, People, Physical, Technological). The AD-relevant controls:
- A.5.15 Access control (master)
- A.5.16 Identity management
- A.5.17 Authentication information
- A.5.18 Access rights
- A.8.2 Privileged access rights (central to any AD assessment)
- A.8.3 Information access restriction
- A.8.5 Secure authentication
If your last ISO 27001 audit used the 2013 mapping, your Statement of Applicability is out of date.
NIST SP 800-63 Revision 4
Revision 4 is final (August 2025), superseding Revision 3. Introduces the Digital Identity Risk Management framework, formal support for phishing-resistant authentication (including passkeys), and refined assurance levels (IAL, AAL, FAL). Federal-adjacent and financial-services clients should cite 800-63-4 directly. South African enterprises targeting US or EU business should align.
Blind spots we see in SA environments
A few patterns that show up specifically in SA mid-market assessments:
- Hybrid AD deployed quickly in 2020, never reviewed since. Cloud Sync or Connect server sitting in the corporate OU with no tier isolation.
- Service accounts with never-expire passwords last rotated in 2018. Cracked in minutes.
- ADCS deployed for a single use case (often internal web services TLS) with default templates left enabled. ESC1 and ESC4 waiting.
- Inherited AD from acquisitions. Company B’s domain trust still exists, still has SID history enabled, nobody remembers why.
- Legacy Windows 2012 R2 domain controllers still running in production. Support ended October 2023. Extended Security Updates expired October 2026.
- Outsourced IT or MSP partners with persistent privileged access from years ago. Often the MSP’s own admin accounts sit in Domain Admins with no MFA, no password rotation, and no monitoring on their logins.
- Backup platforms (Veeam, Commvault, Rubrik) running service accounts with full domain privileges. A compromised backup platform means a compromised domain, and backup servers are chronically under-monitored.
If you saw yourself in more than one of these patterns, that is the gap between your last audit and what an attacker would find today.
If you want this done properly
$ ironsky audit --ad yourdomain.local
Most domains fall on the first day.
We run real internal AD assessments. BloodHound path analysis, Kerberoasting, ADCS enumeration, hybrid Entra ID review, tier-model alignment, and a remediation plan that will not break production. Scope it with us.