
Active Directory Penetration Testing for Businesses

NeoBit team, Jun 15, 2026, 8 min read

Active Directory penetration testing is a controlled attack on your domain environment in which an ethical hacker attempts to move from an ordinary user account to full control over the domain, exactly the way a real attacker would. The goal is not to break the system but to find the path: where ACLs are misconfigured, which service accounts can be Kerberoasted, where privilege escalation is possible and how an attacker moves laterally across the network. In companies across the region, Active Directory is almost always the central target because it holds the keys to everything: logins, shared folders, email, ERP. If the domain falls, the entire infrastructure falls with it.

Our solution

Penetration testing - we uncover vulnerabilities before hackers do. You do not have to handle it alone; we take care of it for your company. Request a free assessment.

Most of the breaches we read about do not begin with some exotic zero-day attack. They begin with phishing or a stolen password, and then the attacker exploits what already exists in the domain: forgotten service accounts, passwords left unchanged for far too long, administrators who are at the same time ordinary users, and ACLs that no one has reviewed for years. Active Directory penetration testing exists precisely to break that chain before someone with malicious intent exploits it.

Why Active Directory is the prime target for attackers

Active Directory is designed to simplify the management of users and resources, and that same flexibility is what makes it attractive to attack. A single compromised account in an average company has access to dozens of systems. When an attacker gets in, they are not just looking for data - they are looking for a path to the Domain Admins group, because whoever controls the domain controls everything.

The problem is that AD environments accumulate over the years. Old servers are never shut down, former employees remain in groups, test accounts with strong privileges are left forgotten, and delegated permissions are added ad hoc and never removed. Each of those leftovers is a potential step in the attack chain. This is where Active Directory penetration testing adds value: it connects those seemingly harmless details into a real attack path and shows you just how short it is.

A typical attacker path through the domain

  • Initial access: phishing, a weak password exposed on the internet, a vulnerable service or a VPN without multi-factor authentication.
  • Reconnaissance: mapping the domain with tools such as BloodHound, which visually reveals the shortest path to the Domain Admins group.
  • Privilege escalation: exploiting weak ACLs, vulnerable GPOs, ADCS certificate templates or local admin passwords that are identical everywhere.
  • Lateral movement: moving from machine to machine using stolen hashes (pass-the-hash), Kerberos tickets or legitimate remote access tools.
  • Domain dominance: extracting the NTDS database (ntds.dit), creating a Golden Ticket and gaining persistent access that is almost impossible to detect without detailed monitoring.

What Active Directory penetration testing specifically tests

A quality AD test is not a vulnerability scan and a 300-page report that no one reads. It is a targeted search for concrete, exploitable weaknesses. Here are the ones we find most often in practice.

Kerberoasting

Kerberoasting is an attack on service accounts. Any authenticated user in the domain can request a Kerberos service ticket for any account that has an SPN set, and part of that ticket is encrypted with a key derived from that account's password. The attacker extracts the ticket and tries to crack the password offline, without a single failed login that would trigger an alarm. Service accounts often have old, manually set passwords and high privileges, which makes them an ideal target. The fix is long, random passwords or gMSA (group Managed Service Accounts), but someone has to verify that this is actually in place.

Weak ACLs and delegations

Access Control Lists determine who is allowed to do what to which object in the domain. Over the years, dangerous combinations pile up: an ordinary group allowed to reset an administrator's password, a user who can change membership in a privileged group, or a GenericAll permission over an account that effectively means full control. Such flaws are invisible to the naked eye, but tools that analyze the relationship graph find them in a matter of minutes and turn them into an escalation chain.

Privilege escalation and lateral movement

We check whether an ordinary account can reach local admin privileges, whether local admin passwords are the same on every machine (a common problem solved with LAPS), and how easily an attacker moves between systems once inside. We also test for Active Directory Certificate Services misconfigurations (ESC1-ESC8), which in recent years have become one of the most common and most dangerous paths to domain dominance.

Account hygiene and least privilege

The biggest gain is often not some sophisticated vulnerability but basic hygiene. How many accounts have a password that never expires? How many are in the Domain Admins group that should not be? Are there administrators who read email and browse the internet with their daily account? The principle of least privilege means that every account has exactly as much access as it needs and not an ounce more. It is thankless work, but it is the most effective way to protect the domain.
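An added read-only audit script, not NeoBit's tooling and not code from the page, that a defender can run before or after a test to check the four weaknesses described above: Kerberoastable service accounts, passwords that never expire, Domain Admins membership, and dangerous ACEs on the Domain Admins group object. It assumes the RSAT ActiveDirectory module, a domain account with default read permissions, and a 365-day password-age threshold that is an assumed value.

```powershell
# Added example (assumes RSAT ActiveDirectory module; read-only, changes nothing).
Import-Module ActiveDirectory

# 1. Kerberoasting exposure: enabled user accounts with an SPN. gMSAs are a
#    separate object class and are not returned by Get-ADUser, so anything
#    listed here relies on a manually set password.
$maxPasswordAgeDays = 365   # assumed threshold; adjust to your policy
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq "True"' `
    -Properties ServicePrincipalName, PasswordLastSet, MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }
foreach ($u in $spnAccounts) {
    # A password that was never set counts as maximally old.
    $age = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).Days } else { [int]::MaxValue }
    $privileged = [bool]($u.MemberOf -match 'CN=(Domain Admins|Enterprise Admins|Administrators),')
    if ($age -gt $maxPasswordAgeDays -or $privileged) {
        Write-Output ("KERBEROAST-RISK {0}: password age {1} days, privileged={2}" -f `
            $u.SamAccountName, $age, $privileged)
    }
}

# 2. Password hygiene: enabled accounts whose password never expires.
Get-ADUser -Filter 'PasswordNeverExpires -eq "True" -and Enabled -eq "True"' -Properties PasswordLastSet |
    ForEach-Object { Write-Output ("NEVER-EXPIRES {0}: last set {1}" -f $_.SamAccountName, $_.PasswordLastSet) }

# 3. Least privilege: effective Domain Admins membership, including nested groups.
$da = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
Write-Output ("DOMAIN-ADMINS: {0} effective members" -f $da.Count)
$da | ForEach-Object { Write-Output ("  " + $_.SamAccountName) }

# 4. Weak ACLs: principals outside the expected admin set holding rights on the
#    Domain Admins group that allow taking it over (GenericAll, WriteDacl,
#    WriteOwner) or changing its membership (WriteProperty).
$daDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
$acl = Get-Acl -Path ("AD:\" + $daDn)
$dangerousRights = 'GenericAll|WriteDacl|WriteOwner|WriteProperty'
$expectedHolders = 'Domain Admins|Enterprise Admins|BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM'
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match $dangerousRights } |
    Where-Object { $_.IdentityReference -notmatch $expectedHolders } |
    ForEach-Object {
        Write-Output ("ACL-REVIEW {0} holds {1} on Domain Admins" -f $_.IdentityReference, $_.ActiveDirectoryRights)
    }
```

Every line this prints is a review item, not automatically a finding; built-in groups such as Account Operators will appear under ACL-REVIEW and still deserve a conscious decision.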

The most common AD weaknesses and their impact

Weakness | How an attacker exploits it | Recommended measure
Kerberoasting on service accounts | Offline password cracking from the ticket, quiet and without alarms | gMSA or long random passwords (25+ characters)
Weak ACLs and delegations | Escalation chain to privileged groups | Regular permission reviews, removal of excess rights
Identical local admin passwords | Pass-the-hash and lateral movement to all machines | Microsoft LAPS (unique passwords per device)
Misconfigured ADCS templates (ESC1-ESC8) | Issuing certificates for someone else's identity, domain dominance | Review and lock down certificate templates
Too many members in the Domain Admins group | A single compromised account means the fall of the entire domain | Least privilege, tiered model, separate admin accounts
Passwords that never expire | Old, forgotten accounts remain a permanent entry point | Password policy, disabling inactive accounts

How NeoBit tests your Active Directory

At NeoBit, we approach an AD penetration test as a real attack, but under full control and in agreement with you. We do not run random scans; instead, we follow a methodology that mimics real attackers while remaining safe for your production environment.

  • Scope and rules of engagement: we define what is tested, when, to what depth and which systems are out of scope. Everything is documented and signed before anything begins.
  • Internal access (assumed breach): we most often start from the position of an ordinary employee or a compromised machine, because that is what most real attacks look like. This shows how much damage an attacker can do after the initial entry.
  • Mapping and analysis: we use the same tools as attackers (BloodHound, PowerView and similar) to find the shortest paths to domain dominance.
  • Controlled exploitation: we prove that the path is real, but without crashing the system and without touching your data.
  • A clear report: you receive concrete findings ranked by priority, with technical details for your IT team and a summary for management, along with clear remediation steps.
  • Retest: once you fix the findings, we verify whether the gaps have actually been closed.

Our goal is not to scare you with a thick report but to give you a realistic picture of your domain's resilience and a concrete plan for strengthening it. We work with companies in Bosnia and Herzegovina, Croatia and Serbia that want to know whether their domain can be brought down by a single phishing email, before they find out the hard way.

If you want to check how resilient your Active Directory really is, contact NeoBit for a free introductory assessment. We will agree on a test scope tailored to your environment and show you where the real weaknesses are, not the theoretical ones.

Frequently asked questions

Will penetration testing crash our production environment?

No. The test is performed according to pre-agreed rules and scope, with careful selection of techniques that do not jeopardize system availability. The goal is to prove the existence of vulnerabilities, not to cause damage. All potentially risky activities are agreed with your team before they are carried out.

How long does Active Directory penetration testing take?

It depends on the size of the domain and the number of systems, but a typical test takes one to two weeks, including execution, report writing and presentation of the findings. Smaller environments can be covered faster, while large domains with multiple forests and trusts require more time.

What do we get after the test?

You receive a detailed report with concrete findings ranked by priority, a technical description of each vulnerability, proof of exploitability and clear remediation steps. It also includes a summary for management and, if needed, a retest after you fix the identified flaws.

Do we need an internal security team for the test to make sense?

You do not. Many companies in the region do not have a dedicated security team, and it is precisely they who benefit the most from the test, because it reveals weaknesses that otherwise remain invisible. NeoBit explains the findings in language that both your IT and your management understand, and assists with remediation if needed.
