AD Assessments Need a Map, Not a Tool Dump
Active Directory penetration testing spans initial access, privilege escalation, lateral movement, and domain dominance. Without a methodology, teams chase shiny exploits while missing the one misconfigured ACL that actually reaches Domain Admin.
Phase 1: Identity and Attack Path Discovery
- Enumerate users, groups, computers, and trusts (BloodHound, ldapsearch, NetExec)
- Identify Kerberoastable and AS-REP roastable accounts
- Map shortest paths to high-value groups (Enterprise Admins, Domain Admins, Backup Operators)
- Document every hop with timestamps and evidence before exploitation
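The "map" this phase produces is a graph: principals as nodes, collected relationships as edges, and the shortest route from any foothold into a high-value group. The block below is an added example (not HackFast's or BloodHound's code) that runs a breadth-first search over a constructed edge list, then goes one step further than a plain path listing and finds the choke points, the edges whose removal leaves no route at all, which is where remediation effort pays off most. The domain, principal names, relationship labels and the `path_map` / `choke_points` helpers are assumptions for illustration, not real data or a real tool's API.

```python
"""Shortest attack paths and choke points over a directory graph.

Added example; not code from HackFast or BloodHound. Nodes are principals
(users, groups, computers). Directed edges carry the relationship type a
collector would record (MemberOf, GenericAll, AdminTo, HasSession, ...).
The edge list below is constructed sample data, not a real domain.
"""
from collections import deque

# Constructed sample edges: (source, relationship, target)
SAMPLE_EDGES = [
    ("svc_backup@CORP.LOCAL", "MemberOf", "BACKUP OPERATORS@CORP.LOCAL"),
    ("jdoe@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("jdoe@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "CanRDP", "WS07.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "svc_sql@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "SQL01.CORP.LOCAL"),
    ("svc_sql@CORP.LOCAL", "AdminTo", "SQL01.CORP.LOCAL"),
    ("SQL01.CORP.LOCAL", "HasSession", "da_admin@CORP.LOCAL"),
    ("da_admin@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
]

# Groups whose membership means domain dominance (the page's own list).
HIGH_VALUE = {
    "ENTERPRISE ADMINS@CORP.LOCAL",
    "DOMAIN ADMINS@CORP.LOCAL",
    "BACKUP OPERATORS@CORP.LOCAL",
}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, targets):
    """BFS from `start`; returns the hops [(src, rel, dst), ...] of the
    shortest path into any node in `targets`, or None if none exists."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def choke_points(edges, start, targets):
    """Edges on the shortest path whose removal leaves no path at all.
    These are the findings to fix first: one change cuts every route."""
    path = shortest_path(build_graph(edges), start, targets)
    if path is None:
        return []
    cuts = []
    for hop in path:
        remaining = [e for e in edges if e != hop]
        if shortest_path(build_graph(remaining), start, targets) is None:
            cuts.append(hop)
    return cuts


def path_map(edges, targets):
    """Hop count to a high-value group for every node that has a path:
    the map of where each principal can reach if compromised."""
    graph = build_graph(edges)
    result = {}
    for node in graph:
        if node in targets:
            continue
        path = shortest_path(graph, node, targets)
        if path is not None:
            result[node] = len(path)
    return result


if __name__ == "__main__":
    for hop in shortest_path(build_graph(SAMPLE_EDGES), "jdoe@CORP.LOCAL", HIGH_VALUE):
        print("{} --{}--> {}".format(*hop))
    print("choke points:", choke_points(SAMPLE_EDGES, "jdoe@CORP.LOCAL", HIGH_VALUE))
    print("map:", path_map(SAMPLE_EDGES, HIGH_VALUE))
```

On the constructed data, the helpdesk group has two ways onto SQL01 (directly, and through control of svc_sql), so neither of those edges is a choke point; the Domain Admin session on a tier-1 server is, and breaking it (tiered administration) severs every route from jdoe. The same BFS run over real collector output gives the hop counts that decide which findings go at the top of the report.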
Phase 2: Exploitation and Lateral Movement
Prioritize low-noise wins: password spraying with lockout awareness, relay attacks where SMB signing is off, delegation misconfigurations, and GPO abuse. Chain steps in Attack Chain Builder so handoffs between testers do not lose context.
Phase 3: Reporting Domain Impact
Clients care about blast radius: which accounts were compromised, which tiers were reachable, and which controls failed. Map findings to MITRE ATT&CK techniques and tie each step to proof — hashes cracked, tickets used, shells obtained.
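The blast-radius view depends on the discipline from Phase 1: every hop needs a timestamp and an evidence artefact, or it cannot be tied to proof later. The block below is an added example (not HackFast's Attack Chain Builder or its reporting code) that takes chain steps in that shape, refuses to summarise a chain with missing evidence or out-of-order timestamps, and produces the three things the page says clients ask about: accounts and hosts compromised, tiers reached, and controls that failed, with each step labelled by its MITRE ATT&CK technique. The step records, artefact names, failed-control text and the 0/1/2 tier numbering are constructed assumptions; the technique IDs and names are as listed in ATT&CK Enterprise.

```python
"""Blast-radius summary from documented chain steps.

Added example; not HackFast's Attack Chain Builder or report code. Each
step carries what Phase 1 requires: a timestamp, the ATT&CK technique,
the principal reached, its tier, the evidence artefact, and the control
that failed. Steps missing evidence, or out of time order, are rejected
instead of quietly making it into the report. Tier numbers follow the
common 0/1/2 model (0 = domain control, 1 = servers, 2 = workstations).
All sample steps and artefact names are constructed.
"""
from collections import Counter
from datetime import datetime

# Technique IDs and names as listed in MITRE ATT&CK (Enterprise); the
# tactic shown is the primary one for each technique.
ATTACK = {
    "T1110.003": ("Credential Access", "Password Spraying"),
    "T1558.003": ("Credential Access", "Kerberoasting"),
    "T1558.004": ("Credential Access", "AS-REP Roasting"),
    "T1557.001": ("Credential Access", "LLMNR/NBT-NS Poisoning and SMB Relay"),
    "T1021.002": ("Lateral Movement", "SMB/Windows Admin Shares"),
    "T1484.001": ("Privilege Escalation", "Group Policy Modification"),
}

REQUIRED = ("ts", "technique", "principal", "tier", "evidence", "control_failed")

# Constructed sample chain. Convention used here: principals containing "@"
# are accounts, anything else is a host.
SAMPLE_STEPS = [
    {"ts": "2024-05-02T09:14:00Z", "technique": "T1110.003",
     "principal": "jdoe@CORP.LOCAL", "tier": 2,
     "evidence": "spray-results-001.txt",
     "control_failed": "password policy accepts Season+Year patterns"},
    {"ts": "2024-05-02T10:02:00Z", "technique": "T1558.003",
     "principal": "svc_sql@CORP.LOCAL", "tier": 1,
     "evidence": "cracked-ticket-svc_sql.txt",
     "control_failed": "service account with SPN and crackable password"},
    {"ts": "2024-05-02T11:30:00Z", "technique": "T1021.002",
     "principal": "SQL01.CORP.LOCAL", "tier": 1,
     "evidence": "shell-SQL01-whoami.png",
     "control_failed": "service account is local admin on SQL01"},
    {"ts": "2024-05-02T12:05:00Z", "technique": "T1021.002",
     "principal": "da_admin@CORP.LOCAL", "tier": 0,
     "evidence": "session-list-SQL01.txt",
     "control_failed": "tier-0 admin logged on to a tier-1 server"},
]


def validate_steps(steps):
    """Return a list of problems; an empty list means the chain is reportable."""
    problems = []
    last = None
    for i, step in enumerate(steps, 1):
        for key in REQUIRED:
            if step.get(key) in (None, ""):
                problems.append(f"step {i}: missing {key}")
        if step.get("technique") not in ATTACK:
            problems.append(f"step {i}: unknown technique {step.get('technique')}")
        try:
            ts = datetime.strptime(step["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (KeyError, TypeError, ValueError):
            problems.append(f"step {i}: bad timestamp")
            continue
        if last is not None and ts < last:
            problems.append(f"step {i}: out of order")
        last = ts
    return problems


def blast_radius(steps):
    """Summary for the report: who/what was reached, how deep, and why."""
    problems = validate_steps(steps)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "accounts_compromised": sorted({s["principal"] for s in steps if "@" in s["principal"]}),
        "hosts_compromised": sorted({s["principal"] for s in steps if "@" not in s["principal"]}),
        "tiers_reached": sorted({s["tier"] for s in steps}),
        "deepest_tier": min(s["tier"] for s in steps),
        "controls_failed": [s["control_failed"] for s in steps],
        "techniques": dict(Counter(s["technique"] for s in steps)),
        # One line per hop: timestamp, technique, ATT&CK name, principal, proof.
        "timeline": [(s["ts"], s["technique"], ATTACK[s["technique"]][1],
                      s["principal"], s["evidence"]) for s in steps],
    }


if __name__ == "__main__":
    for key, value in blast_radius(SAMPLE_STEPS).items():
        print(f"{key}: {value}")
```

Validation raises rather than warns so that a hop without an artefact cannot appear in a client deliverable, and the timestamp ordering check catches the common hand-off failure where a second tester appends a step they performed earlier than the one before it.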
Plan your AD test: Use HackFast Attack Chains to keep BloodHound paths and execution steps in one workspace.