{"id":46225,"date":"2026-07-06T17:24:29","date_gmt":"2026-07-06T15:24:29","guid":{"rendered":"https:\/\/www.pentestfactory.de\/securing-active-directory-attack-vectors-hardening-penetration-testing-2026\/"},"modified":"2026-07-08T16:35:13","modified_gmt":"2026-07-08T14:35:13","slug":"securing-active-directory-attack-vectors-hardening-penetration-testing-2026","status":"publish","type":"post","link":"https:\/\/www.pentestfactory.de\/en\/securing-active-directory-attack-vectors-hardening-penetration-testing-2026\/","title":{"rendered":"Securing Active Directory: Attack Vectors, Hardening &#038; Penetration Testing 2026"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"46225\" class=\"elementor elementor-46225 elementor-46154\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-2a95081a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"15889\" data-id=\"2a95081a\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-234f26b5\" data-eae-slider=\"46658\" data-id=\"234f26b5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-427cffb4 elementor-widget elementor-widget-text-editor\" data-id=\"427cffb4\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A single user account. No admin privileges, no special rights\u2014obtained through a phishing email sent to the accounting department. In many of our internal penetration tests, this is the starting point\u2014and in an alarmingly high percentage of environments, it\u2019s enough to become a domain administrator within a few hours. Not through a spectacular zero-day vulnerability, but through configurations that have remained unchanged in the directory for years.   <\/p><p>Active Directory (AD) is the world&#8217;s leading directory service for managing Windows networks. Adoption figures vary depending on the source: <em>Frost &#038; Sullivan<\/em> estimates that approximately 90 percent of Global Fortune 1000 companies use AD as their primary means of authentication and authorization; older figures from Microsoft put the number even higher, at 93 to 95 percent. The exact current number of installations is difficult to determine\u2014however, industry observers assume that the percentage has not decreased significantly since then. AD is also the de facto standard in the DACH region: Some industry sources estimate that around 80 percent of German companies with more than 50 employees rely on Windows Server systems, and that a large proportion of SMEs use AD or its cloud counterpart, Microsoft Entra ID\u2014however, no reliable primary statistics specifically for Germany are available on this topic.   <\/p><p>In practice, this widespread use means that AD manages identities, authenticates users and services, and determines who is allowed to access which resources. It is precisely this central role that makes it the most valuable target. Whoever controls the domain controls practically everything.  <\/p><p>This article shows, from an attacker\u2019s perspective, what a typical path from a standard user to <em>a domain admin<\/em> looks like, which techniques will actually work in 2025 and 2026\u2014including the very latest ones like <strong>BadSuccessor<\/strong> \u2014and what hardening measures you can use to close these paths. Finally, we\u2019ll assess what a professional <strong>Active Directory penetration test<\/strong> can achieve and where its limitations lie. <\/p><h2 class=\"wp-block-heading\">Why Active Directory Is the Main Target<\/h2><p>In September 2024, the <em>Five Eyes<\/em> agencies\u2014including the U.S. CISA, the NSA, and the U.K.\u2019s NCSC\u2014published a joint guideline titled <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/detecting-and-mitigating-active-directory-compromises\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">\u201cDetecting and Mitigating Active Directory Compromises,\u201d<\/a> which describes 17 of the most commonly observed attack techniques targeting AD. Their key message: Active Directory is the most widely used authentication solution in corporate networks worldwide\u2014and is routinely targeted by attackers to escalate privileges and take over the most valuable accounts. <\/p><p>The <a href=\"https:\/\/www.sophos.com\/en-us\/blog\/2026-sophos-active-adversary-report\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Sophos Active Adversary Report 2026<\/a>, which analyzes 661 incident response and MDR cases from 70 countries, highlights just how central Active Directory is to real-world attacks. In about two-thirds of the incidents examined (67 percent), the cause was related to identity\u2014compromised credentials, brute-force attacks, and phishing. And attackers are moving faster: The median time from initial access to reaching Active Directory was most recently just <strong>3.4 hours<\/strong> \u2014about 70 percent shorter than a year earlier. The trend is clear: Attackers who want to move laterally and ultimately encrypt data almost always use Active Directory as their pathway.   <\/p><p>There are two fundamentally different reasons for this. The first is historical baggage: AD has grown over two decades in many organizations and carries a corresponding amount of baggage\u2014generous default settings, legacy protocols that are still supported for compatibility reasons, and permission chains that have developed over the years that no one can fully understand anymore. These weaknesses are the result of configuration and historical circumstances and can, in principle, be resolved.  <\/p><p>The second reason is inherent in the design, which is precisely why it is so sensitive: AD concentrates the most valuable secrets in one place. Through multimaster replication, every writable domain controller maintains a complete replica of the central database <code>ntds.dit<\/code> \u2014including the password hashes for all accounts. Anyone who compromises a single one of these domain controllers potentially gains access to the login credentials for the entire domain. The BSI addresses this specific security requirement in its IT-Grundschutz module <a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Grundschutz\/IT-GS-Kompendium_Einzel_PDFs_2023\/06_APP_Anwendungen\/APP_2_2_Active_Directory_Domain_Services_Edition_2023.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">APP.2.2 Active Directory Domain Services<\/a>, which consistently classifies domain controllers and the AD infrastructure as requiring a high level of protection.   <\/p><h2 class=\"wp-block-heading\">An Overview of the Typical Attack Path<\/h2><p>An internal attack on AD almost always follows the same pattern. The individual stages are interlinked, and at several points, a single misconfiguration is enough to bypass a stage: <\/p><ol><li><strong>Reconnaissance<\/strong> \u2013 The directory is scanned: users, groups, service accounts, permissions, and trusts.<\/li><li><strong>Credential Access<\/strong> \u2013 Initial credentials or password hashes are compromised, for example, through kerberoasting or password spraying.<\/li><li><strong>Privilege Escalation<\/strong> \u2013 An unprivileged account is elevated to a privileged one, often due to misconfigurations in certificate services or permissions.<\/li><li><strong>Lateral Movement<\/strong> \u2013 The attacker moves sideways across the net, from one side to the other.<\/li><li><strong>Domain Dominance<\/strong> \u2013 Complete control over the domain, usually achieved by extracting all password hashes.<\/li><li><strong>Persistence<\/strong> \u2013 Long-term, stealthy access that is not eliminated even by a password change.<\/li><\/ol><p>The following sections walk through the most important techniques along this path\u2014each with <em>an explanation of how it works<\/em>, <em>its prerequisites<\/em>, <em>its effects<\/em>, and <em>countermeasures<\/em>.<\/p><p><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter wp-image-46209 size-large\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/angriffspfad-779x1024.png\" alt=\"\" width=\"779\" height=\"1024\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/angriffspfad-779x1024.png 779w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/angriffspfad-228x300.png 228w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/angriffspfad-768x1010.png 768w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/angriffspfad.png 1080w\" sizes=\"(max-width: 779px) 100vw, 779px\" \/><\/p><h2 class=\"wp-block-heading\">Reconnaissance: Reading the Directory Like an Attacker<\/h2><p>Before an attacker takes action, they assess the situation. Tools like <strong>BloodHound<\/strong>, using the <em>SharpHound<\/em> collector, query LDAP information and represent Active Directory as a graph: users, groups, computers, and permissions become nodes, and the relationships between them become edges. From this graph, privilege escalation appears to be a simple pathfinding problem\u2014the shortest path from a compromised account to the <em>Domain Admins<\/em> becomes visible, even if it involves over a dozen intermediate steps and nested group memberships.  <\/p><p><em>Prerequisite:<\/em> In the default configuration, any valid domain account is sufficient to read large portions of the directory. <em>Impact:<\/em> The attacker often knows the attack surface better than the internal IT team. <em>Countermeasure:<\/em> Restrict anonymous and unnecessary read access, regularly audit permissions\u2014and use the same tools defensively. BloodHound, <strong>PingCastle<\/strong>, and <strong>Purple Knight<\/strong> are excellent tools for identifying risky paths before an attacker does. <\/p><p>However, it\u2019s nearly impossible to prevent simple read access\u2014every authenticated account is allowed to read large portions of the directory. The focus therefore shifts to <em>detection<\/em>, and this is precisely where XDR (Extended Detection and Response) solutions come in. They correlate telemetry from endpoints, identities, and the network, and detect enumeration based on behavior rather than individual signatures. Tools like SharpHound leave a characteristic footprint: high-volume, widely distributed LDAP queries, massive SAMR enumeration, and unusual access patterns to the domain controllers. An identity-focused XDR component\u2014such as <em>Microsoft Defender for Identity<\/em> as part of Defender XDR\u2014reports such activities via detections like <em>Security Principal Reconnaissance (LDAP)<\/em> or <em>User and Group Membership Reconnaissance (SAMR)<\/em>.    <\/p><p>This can be effectively supplemented by deception: deliberately placed decoy or honeypot accounts\u2014such as dummy accounts with \u201cAdmin\u201d in their names\u2014trigger an alert as soon as they are queried, because regular operations never access them. However, detection is not a panacea. Attackers find ways around it, for example by shifting data collection from LDAP to Active Directory Web Services (ADWS) to blend in with normal web traffic. Therefore, only a combination of restricted read access, behavior-based monitoring, and deception can provide robust protection.   <\/p><h2 class=\"wp-block-heading\">Credential Access: Kerberoasting and AS-REP Roasting<\/h2><p><strong>Kerberoasting<\/strong> is one of the most reliable techniques out there because it exploits a legitimate Kerberos mechanism. Any account with a <em>Service Principal Name<\/em> (SPN)\u2014typically service accounts for databases, web servers, or applications\u2014can be requested by any authenticated user. The domain controller issues a service ticket encrypted with the service account\u2019s password hash. The attacker takes this ticket and cracks it <em>offline<\/em>, leaving no further traces on the network. If the service account has a weak password\u2014and this is usually the case with service accounts that have been in use for years\u2014it can be compromised in minutes.    <\/p><p><strong>AS-REP Roasting<\/strong> works in a similar way, but targets accounts where <em>Kerberos pre-authentication<\/em> is disabled. For such accounts, an encrypted server response can be requested and also cracked offline\u2014in this case, not even a password is required. <\/p><p><em>Impact:<\/em> At first, both techniques only yield a crackable hash, not a complete password. Only successful offline cracking can turn it into a plaintext password, and that works only with weak passwords. If a service account cracked in this way is also part of a privileged group, the attacker can gain direct access to the target. A sufficiently long, random password, on the other hand, renders the attack ineffective. <em>Countermeasure:<\/em> The most effective defense is strong, random passwords\u2014ideally <em>(group\/delegated) Managed Service Accounts<\/em> with automatic key management. This includes avoiding privileged service accounts and maintaining good SPN hygiene, i.e., removing unnecessary SPNs. Enforcing AES instead of RC4 significantly reduces the likelihood of a successful attack but does not eliminate Kerberoasting: The service ticket remains protected by the account\u2019s long-term key and can still be attacked offline. Enabling pre-authentication also helps protect against AS-REP Roasting. When it comes to monitoring, Event 4769 is not a reliable alarm indicator, as service ticket requests are part of normal operation and RC4 is not inherently malicious in legacy environments. The signal only becomes meaningful in context\u2014for example, when a single account requests tickets for many different SPNs within a short period of time. A targeted <a href=\"https:\/\/www.pentestfactory.de\/en\/password-audit\/\">password audit<\/a> reveals precisely those weak service accounts that make Kerberoasting worthwhile.         <\/p><h2 class=\"wp-block-heading\">Password Spraying: One Password, Many Accounts<\/h2><p>Instead of attacking an account with many passwords and triggering account locks, <strong>password spraying<\/strong> tries a few likely passwords against many accounts\u2014such as the current quarter plus the year. The <em>Five Eyes guidelines<\/em> recommend, among other things, locking an account after a maximum of five failed login attempts, as well as actively scanning the web at least once a month for login credentials stored in plain text. Effective protection also includes multi-factor authentication and the use of blacklists for obviously weak passwords.  <\/p><h2 class=\"wp-block-heading\">Privilege Escalation via Certificate Services (ADCS \/ ESC)<\/h2><p><em>Active Directory Certificate Services<\/em> (ADCS) are used in many companies\u2014and are often misconfigured. In 2021, SpecterOps described the first eight escalation classes (ESC1 through ESC8) in its research paper <a href=\"https:\/\/posts.specterops.io\/certified-pre-owned-d95910965cd2\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">\u201cCertified Pre-Owned\u201d<\/a>; the <em>Certipy<\/em> tool automates their detection and exploitation and now covers the entire known range from ESC1 to ESC17. The classes beyond ESC8 were identified by other researchers and were added by 2025.  <\/p><p>Two classic examples illustrate the problem:<\/p><ul><li><strong>ESC1<\/strong>: If a certificate template allows a regular user to specify the applicant (<em>Enrollee Supplies Subject<\/em>) and issues the certificate for client authentication, then an unprivileged user can have a certificate issued in the name of a domain administrator. Privilege escalation in just a few minutes, without an exploit. <\/li><li><strong>ESC8<\/strong>: Here, a forced authentication of a domain controller via NTLM is<em>relayed<\/em> to the CA&#8217;s Web Enrollment Interface. The attacker obtains a machine certificate for the DC, uses it to authenticate, and can then read the entire domain. This chain does not require any domain privileges at the outset.  <\/li><\/ul><p><em>Countermeasure:<\/em> Systematically review and clean up templates; remove the \u201cEnrollee Supplies Subject\u201d right; set enrollment permissions restrictively; secure web enrollment (HTTPS with <em>Extended Protection for Authentication<\/em>) or disable it if it is not needed. Events <strong>4886<\/strong> and <strong>4887<\/strong> are relevant for monitoring. The BSI also classifies the CA as part of the Tier 0 environment\u2014its security is inextricably linked to that of Active Directory.  <\/p><h2 class=\"wp-block-heading\">NTLM Relay and Coercion: They&#8217;re Not Dead Yet<\/h2><p>Microsoft has signaled the end of NTLM, but in practice, the protocol remains a reliable attack vector. Using so-called <em>coercion techniques<\/em>\u2014known by names such as <em>PetitPotam<\/em> or <em>PrinterBug<\/em> \u2014a domain controller can be tricked into actively authenticating itself to a system controlled by the attacker. This authentication is then forwarded to a valuable target, such as LDAP or the ADCS Web Enrollment interface (see ESC8).  <\/p><p>The vulnerability demonstrated in 2025 showed that this is not just a theoretical residual risk <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-24054\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><strong>CVE-2025-24054<\/strong><\/a>: An NTLM hash disclosure that, <a href=\"https:\/\/research.checkpoint.com\/2025\/cve-2025-24054-ntlm-exploit-in-the-wild\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">according to security research<\/a>, was actively exploited in attack campaigns against government agencies within days of the patch being released\u2014triggered simply by viewing a specially crafted directory. Although Windows Server 2025 introduced useful default hardening measures, it shifted the attack surface rather than eliminating it. <\/p><p><em>Countermeasures:<\/em> Enforce SMB signing, enable LDAP signing along with <em>channel binding<\/em>, and gradually reduce and disable NTLM on Web Enrollment endpoints. In <em>APP.2.2<\/em>, the BSI explicitly requires signed SMB traffic, the deactivation of LM and NTLMv1, and signed LDAP sessions with channel binding tokens. <\/p><h2 class=\"wp-block-heading\">Domain Dominance: DCSync<\/h2><p>If an account with the <em>DS-Replication-Get-Changes<\/em> and <em>\u2026-All<\/em> replication rights is accessible, <strong>DCSync<\/strong> is used. Instead of logging on to a domain controller, the attacker sends a standard replication request via the DRS protocol\u2014just as domain controllers do among themselves. The DC willingly responds with the requested data, including all password hashes and the particularly valuable ` <code>krbtgt<\/code>` key. The result: all login credentials for the domain, extracted remotely without ever having directly accessed a DC.   <\/p><p>Important to understand: DCSync exploits legitimate replication permissions; it does not exploit a software vulnerability. A patch alone, therefore, does not prevent this technique. <a href=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Microsoft\u2019s own AD Threat Guidance from December 2025<\/a> lists DCSync as one of the most frequently observed techniques following a compromise. <em>Countermeasure:<\/em> Grant replication permissions strictly according to the least-privilege principle and audit them quarterly; consistently implement tiering. In monitoring, event <strong>4662<\/strong> with the replication GUID is the key indicator.  <\/p><h2 class=\"wp-block-heading\">Persistence: Gold and Silver Tickets<\/h2><p>Anyone who possesses the &#8221; <code>krbtgt<\/code>&#8221; hash can issue themselves a <strong>&#8220;Golden Ticket<\/strong> &#8220;\u2014a self-generated Ticket-Granting Ticket that allows the attacker to impersonate any identity, including a domain administrator. A <strong>Silver Ticket<\/strong> is more limited in scope and forges a service ticket for a specific service. Both are persistence techniques: even after compromised user passwords have been reset, access remains intact.  <\/p><p><em>Countermeasure:<\/em> Protect the <code>krbtgt<\/code> password and rotate it regularly\u2014 <em>twice<\/em>, with sufficient time between rotations so that the old keys become completely invalid. An unscheduled rotation should be performed whenever an employee with Tier 0 access leaves the company. A useful rule of thumb from real-world experience: If you don\u2019t know when the <code>krbtgt<\/code> password was last changed, you should assume that an attacker knows it.  <\/p><h2 class=\"wp-block-heading\">New and Relevant: BadSuccessor and dMSA Abuse<\/h2><p>With Windows Server 2025, Microsoft introduced <em>Delegated Managed Service Accounts<\/em> (dMSA)\u2014a new account type designed to simplify the migration of legacy service accounts. In May 2025, Akamai researcher <em>Yuval Gordon<\/em> demonstrated, under the name <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/abusing-dmsa-for-privilege-escalation-in-active-directory\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><strong>BadSuccessor<\/strong><\/a>, how this migration mechanism could be exploited. <\/p><p>The crux of the problem: An attacker with the right to create objects (<em>CreateChild<\/em>) in any organizational unit (OU) can create a dMSA and, using two attributes\u2014 <code>msDS-ManagedAccountPrecededByLink<\/code> and <code>msDS-DelegatedMSAState<\/code> \u2014 <em>simulate<\/em> a migration from any account. The Key Distribution Center then treats the dMSA as the legitimate successor and transfers the privileges and keys of the target account to it\u2014including those of a domain administrator. What\u2019s particularly concerning: By default, the attack works as long as there is even a single Windows Server 2025 domain controller in the forest, even if dMSAs are not used at all. Akamai found the necessary permissions in <em>91 percent<\/em> of the environments examined for accounts other than domain administrators.   <\/p><p>Microsoft initially classified the vulnerability as <em>moderate<\/em> and did not release an immediate patch\u2014an assessment that Akamai publicly disputed. On August 12, 2025, a patch was finally released under the identifier <strong>CVE-2025-53779<\/strong>. Important to note: While the patch closes the direct escalation path, the BadSuccessor <em>technique<\/em> remains relevant\u2014for example, as a means of obtaining credentials if an attacker already controls a dMSA and a target object.  <\/p><p><em>Countermeasure:<\/em> Patch Windows Server 2025 DCs, check permissions on OUs and containers, strictly limit the creation and modification of dMSAs to Tier 0, and monitor write access to the specified attributes (events <strong>5136\/5137<\/strong> with SACLs set accordingly). The simple principle: Treat dMSA creation with the same care as other highly sensitive operations. <\/p><h2 class=\"wp-block-heading\">Why Standard Hardening Isn&#8217;t Enough<\/h2><p>Most AD environments are stable\u2014but stability does not equal security. Over the years, configurations that were acceptable ten years ago have accumulated and now represent an open door: RC4 enabled, <code>krbtgt<\/code> passwords that have never been rotated, lack of tier separation, and overprivileged accounts. In many environments, the number of privileged accounts is many times higher than the necessary minimum\u2014and every unnecessary privileged account is a potential point of entry.  <\/p><p>The tricky thing about the techniques described is that none of them exploits a \u201cvulnerability\u201d in the traditional sense. Kerberoasting, DCSync, and ADCS abuse all use legitimate mechanisms. A standard vulnerability scan that looks for missing patches will therefore not detect them. What is needed is a systematic review of permissions, configurations, and attack vectors.   <\/p><h2 class=\"wp-block-heading\">Resilience: The Five Pillars of Resilient AD Security<\/h2><p>The Microsoft Tier Model, which the BSI also adopts as a recommendation in its IT-Grundschutz framework, forms the foundation. It separates administrative identities based on security requirements: <strong>Tier 0<\/strong> includes domain controllers and the AD infrastructure; <strong>Tier 1<\/strong> includes critical servers and applications; and <strong>Tier 2<\/strong> includes workstations and end users. The ironclad rule is: A Tier 0 account must never log in to a Tier 1 or Tier 2 system. Any domain administrator who opens their email inbox is handing over the highest privilege to the very first phishing link.   <\/p><p><img decoding=\"async\" class=\"aligncenter wp-image-46208 size-large\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/tier-modell-1024x777.png\" alt=\"\" width=\"1024\" height=\"777\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/tier-modell-1024x777.png 1024w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/tier-modell-300x228.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/tier-modell-768x583.png 768w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/tier-modell.png 1080w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p><p>Five practical pillars rest on this foundation:<\/p><ol><li><strong>Segregation of Accounts and PAW.<\/strong>  Dedicated administrator accounts for each tier; block cross-tier logins via Group Policy; secure the built-in administrator. Privileged administration is performed exclusively via <em>Privileged Access Workstations<\/em> \u2014dedicated devices without email, a browser, or Office. <\/li><li><strong>Harden Kerberos.<\/strong> Enforce AES instead of RC4, rotate the <code>krbtgt<\/code> password twice, and schedule this rotation on a quarterly basis. Do not use SPNs on privileged accounts to prevent Kerberoasting. <\/li><li><strong>Phase out legacy protocols.<\/strong> Reduce and disable NTLM, sign SMB, disable SMBv1, enable LDAP signing with channel binding, and disable LM and NTLMv1\u2014in accordance with BSI <em>APP.2.2.A8<\/em>.<\/li><li><strong>Protect credentials.<\/strong> Use LAPS for local administrator accounts, the <em>Protected Users<\/em> group for critical accounts, <em>Credential Guard<\/em>, and <em>LSA Protection<\/em> on all current Windows systems to prevent credentials from being read from memory. For Tier 0 and Tier 1 accounts, use phishing-resistant multi-factor authentication such as FIDO2, smart cards, or <em>Windows Hello for Business<\/em>. <\/li><li><strong>Continuous monitoring.<\/strong>  Hardening without monitoring is like a lock without an alarm system. In addition to the events already mentioned (4769, 4662, 4886\/4887, 5136\/5137), 4672 and changes to privileged groups (4728\/4756) deserve special attention. A regular BloodHound or PingCastle scan will reveal whether new risky paths have emerged.  <\/li><\/ol><p><img decoding=\"async\" class=\"aligncenter wp-image-46214 size-large\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/haertung-saeulen-1024x624.png\" alt=\"\" width=\"1024\" height=\"624\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/haertung-saeulen-1024x624.png 1024w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/haertung-saeulen-300x183.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/haertung-saeulen-768x468.png 768w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/haertung-saeulen.png 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p><h2 class=\"wp-block-heading\">Compliance Requirements: NIS-2, ISO 27001, and BSI Basic Protection<\/h2><p>Since December 6, 2025, the German <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Regulierte-Wirtschaft\/NIS-2-regulierte-Unternehmen\/nis-2-regulierte-unternehmen_node.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><strong>NIS-2 Implementation Act<\/strong><\/a> has been in effect and has significantly expanded the group of companies subject to its requirements. Several of the core measures required by \u00a7 30 BSIG\u2014access control, cryptography, multi-factor authentication, and secure authentication\u2014can be directly mapped to the AD hardening described here. When it comes to the obligation to provide evidence, precision is key: Section 39 of the BSIG applies only to operators of critical infrastructure, who must provide evidence of implementation to the BSI for the first time no earlier than three years after classification and every three years thereafter. Facilities classified as \u201cparticularly important\u201d and \u201cimportant\u201d are subject to the risk management obligations under the BSIG but are not automatically covered by \u00a7 39 solely based on this classification; the BSI may order audits of these facilities on a case-by-case basis (\u00a7 61, \u00a7 62 BSIG). Which regime applies depends on the sector, size, and classification and must be assessed on a case-by-case basis.    <\/p><p>The advantage from a compliance perspective: AD hardening can be <em>documented<\/em>. The Tier model, LAPS, NTLM restrictions, Kerberos-AES, and LDAP and SMB hardening are measures whose implementation status can be verified and documented\u2014both to a BSI auditor and as part of an ISO 27001certification, which addresses, among other things, privileged access and secure authentication. The BSI module <em>APP.2.2<\/em> provides the specific requirements framework for this. A penetration test, in turn, provides proof of effectiveness: It demonstrates not only <em>that<\/em> measures are in place, but also <em>whether<\/em> they can withstand a real-world attack.   <\/p><h2 class=\"wp-block-heading\">How an Active Directory Penetration Test Is Conducted<\/h2><p>The most meaningful <strong>scenario<\/strong> for Active Directory is an <strong>\u201cassumed breach\u201d scenario<\/strong> in a gray-box variant: The tester starts with a standard domain user account\u2014exactly the situation that actually exists after a successful phishing email or a compromised endpoint. This is significantly more realistic and efficient than first having an attacker laboriously breach the perimeter, and it reveals exactly the internal paths that are relevant here. <\/p><p>The process follows the attack path outlined above: After the scoping phase, the tester enumerates the directory, identifies attack paths, demonstrates their exploitability in a controlled manner, and documents where the chain leads to domain takeover. The result is not a generic PDF, but a prioritized report with concrete, actionable recommendations. Such an <a href=\"https:\/\/www.pentestfactory.de\/en\/active-directory-assessment\/\">Active Directory penetration test<\/a> is typically part of an audit of the <a href=\"https:\/\/www.pentestfactory.de\/en\/internal-it-infrastructure\/\">internal IT infrastructure<\/a>.  <\/p><p>This should be distinguished from <a href=\"https:\/\/www.pentestfactory.de\/en\/red-teaming\/\">red teaming<\/a>: While a penetration test identifies and documents vulnerabilities as comprehensively as possible within a fixed time frame, a red team operation pursues a specific goal under realistic conditions and places particular emphasis on remaining undetected. Both use the same penetration testing techniques; the difference lies in the mission and approach. <\/p><p>A word on the significance of qualifications: Certifications such as <em>OSCP<\/em> for testers or <em>ISO 27001 certification<\/em> for the service provider are useful minimum indicators of quality and a structured approach\u2014but they are not an end in themselves and do not replace either experience or a sound methodology. Ultimately, what matters is whether a test identifies the actual attack vectors and presents them in a clear and understandable way. An automated <a href=\"https:\/\/www.pentestfactory.de\/en\/automated-vulnerability-scan\/\">vulnerability scan<\/a> is a useful supplement to this, but not a substitute: it does not detect the misconfigurations described here.  <\/p><h2 class=\"wp-block-heading\">Conclusion<\/h2><p>In many environments, the path from standard user to domain administrator is shorter than those in charge would like\u2014and it rarely involves spectacular vulnerabilities, but rather configurations that have accumulated over the years. The good news: Nearly all of the paths described can be closed using known, documentable measures. Tiering, Kerberos hardening, phasing out NTLM, protecting credentials, and consistent monitoring form the framework. A regular Active Directory penetration test ensures that this framework isn\u2019t just on paper.   <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-558cacd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"64717\" data-id=\"558cacd\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-04ab2cc\" data-eae-slider=\"6914\" data-id=\"04ab2cc\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8ce26a4 elementor-widget elementor-widget-heading\" data-id=\"8ce26a4\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Frequent questions regarding penetration tests (FAQ)<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-1d3cb20 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"18869\" data-id=\"1d3cb20\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6220b49\" data-eae-slider=\"65005\" data-id=\"6220b49\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-851f782 elementor-widget elementor-widget-elementskit-faq\" data-id=\"851f782\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"elementskit-faq.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"ekit-wid-con\" >\n                <div class=\"elementskit-single-faq elementor-repeater-item-7d35538\">\n            <div class=\"elementskit-faq-header\">\n                <h2 class=\"elementskit-faq-title\">Was bedeutet \u201eActive Directory absichern&quot; konkret?<\/h2>\n            <\/div>\n            <div class=\"elementskit-faq-body\">\n                Es umfasst die systematische H\u00e4rtung des Verzeichnisdienstes: die Trennung administrativer Identit\u00e4ten nach dem Tier-Modell, die H\u00e4rtung von Kerberos, das Zur\u00fcckdr\u00e4ngen veralteter Protokolle wie NTLM, den Schutz von Anmeldeinformationen sowie eine kontinuierliche \u00dcberwachung. Ziel ist es, die typischen Angriffspfade vom unprivilegierten Konto zum Dom\u00e4nenadministrator zu unterbrechen.            <\/div>\n        <\/div>\n                <div class=\"elementskit-single-faq elementor-repeater-item-db969f7\">\n            <div class=\"elementskit-faq-header\">\n                <h2 class=\"elementskit-faq-title\">Wie lange dauert ein Active-Directory-Pentest?<\/h2>\n            <\/div>\n            <div class=\"elementskit-faq-body\">\n                Das h\u00e4ngt von der Gr\u00f6\u00dfe und Komplexit\u00e4t der Umgebung ab \u2013 von der Anzahl der Dom\u00e4nen und Dom\u00e4nencontroller bis zur Zahl der Konten und Systeme. Eine belastbare Aussage ergibt sich erst nach dem Scoping. Als Anhaltspunkt bewegen sich interne AD-Pr\u00fcfungen h\u00e4ufig im Bereich weniger Tage; gro\u00dfe, verschachtelte Gesamtstrukturen entsprechend l\u00e4nger.            <\/div>\n        <\/div>\n                <div class=\"elementskit-single-faq elementor-repeater-item-14e196a\">\n            <div class=\"elementskit-faq-header\">\n                <h2 class=\"elementskit-faq-title\">Reicht ein Schwachstellenscan nicht aus?<\/h2>\n            <\/div>\n            <div class=\"elementskit-faq-body\">\n                Nein. Ein Schwachstellenscan sucht prim\u00e4r nach fehlenden Patches und bekannten Schwachstellen. Techniken wie Kerberoasting, DCSync oder ADCS-Missbrauch nutzen jedoch *legitime* Mechanismen und Fehlkonfigurationen, die ein Scanner nicht als Verwundbarkeit erkennt. F\u00fcr diese Pfade ist eine manuelle, methodische Pr\u00fcfung n\u00f6tig.            <\/div>\n        <\/div>\n                <div class=\"elementskit-single-faq elementor-repeater-item-78d2ff8\">\n            <div class=\"elementskit-faq-header\">\n                <h2 class=\"elementskit-faq-title\">Ist unser Active Directory durch NIS-2 betroffen?<\/h2>\n            <\/div>\n            <div class=\"elementskit-faq-body\">\n                Wenn Ihr Unternehmen in den Anwendungsbereich des NIS-2-Umsetzungsgesetzes f\u00e4llt, betreffen mehrere der in \u00a7 30 BSIG geforderten Ma\u00dfnahmen unmittelbar Active Directory \u2013 etwa Zugriffskontrolle, Kryptografie und Authentifizierung. Ob Ihr Unternehmen betroffen ist, richtet sich nach Sektor, Gr\u00f6\u00dfe und Umsatz; die Pr\u00fcfung muss jedes Unternehmen selbst vornehmen.            <\/div>\n        <\/div>\n                <div class=\"elementskit-single-faq elementor-repeater-item-ef38084\">\n            <div class=\"elementskit-faq-header\">\n                <h2 class=\"elementskit-faq-title\">Was ist der Unterschied zwischen einem Pentest und Red Teaming?<\/h2>\n            <\/div>\n            <div class=\"elementskit-faq-body\">\n                Ein Pentest deckt in einem definierten Zeitfenster m\u00f6glichst umfassend Schwachstellen auf und dokumentiert sie. Red Teaming simuliert einen realen Angriff mit einem konkreten Ziel und legt besonderen Wert darauf, unentdeckt zu bleiben. F\u00fcr eine grundlegende Bestandsaufnahme der AD-Sicherheit ist der Pentest meist der passende Einstieg.            <\/div>\n        <\/div>\n                <div class=\"elementskit-single-faq elementor-repeater-item-8d55e3f\">\n            <div class=\"elementskit-faq-header\">\n                <h2 class=\"elementskit-faq-title\">Wie oft sollte Active Directory gepr\u00fcft werden?<\/h2>\n            <\/div>\n            <div class=\"elementskit-faq-body\">\n                Sinnvoll ist eine Pr\u00fcfung nach gr\u00f6\u00dferen \u00c4nderungen an der AD-Struktur, nach der Einf\u00fchrung neuer Dom\u00e4nencontroller \u2013 etwa unter Windows Server 2025 \u2013 sowie in regelm\u00e4\u00dfigen Abst\u00e4nden, da sich Berechtigungsketten im laufenden Betrieb st\u00e4ndig ver\u00e4ndern. Erg\u00e4nzend liefern regelm\u00e4\u00dfige, auch automatisierte Analysen mit Werkzeugen wie PingCastle oder BloodHound einen laufenden \u00dcberblick.            <\/div>\n        <\/div>\n                                <script type=\"application\/ld+json\">{\"@context\":\"https:\/\/schema.org\",\"@type\":\"FAQPage\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"Was bedeutet \u201eActive Directory absichern&quot; konkret?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Es umfasst die systematische H\u00e4rtung des Verzeichnisdienstes: die Trennung administrativer Identit\u00e4ten nach dem Tier-Modell, die H\u00e4rtung von Kerberos, das Zur\u00fcckdr\u00e4ngen veralteter Protokolle wie NTLM, den Schutz von Anmeldeinformationen sowie eine kontinuierliche \u00dcberwachung. Ziel ist es, die typischen Angriffspfade vom unprivilegierten Konto zum Dom\u00e4nenadministrator zu unterbrechen.\"}},{\"@type\":\"Question\",\"name\":\"Wie lange dauert ein Active-Directory-Pentest?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Das h\u00e4ngt von der Gr\u00f6\u00dfe und Komplexit\u00e4t der Umgebung ab \u2013 von der Anzahl der Dom\u00e4nen und Dom\u00e4nencontroller bis zur Zahl der Konten und Systeme. Eine belastbare Aussage ergibt sich erst nach dem Scoping. Als Anhaltspunkt bewegen sich interne AD-Pr\u00fcfungen h\u00e4ufig im Bereich weniger Tage; gro\u00dfe, verschachtelte Gesamtstrukturen entsprechend l\u00e4nger.\"}},{\"@type\":\"Question\",\"name\":\"Reicht ein Schwachstellenscan nicht aus?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Nein. Ein Schwachstellenscan sucht prim\u00e4r nach fehlenden Patches und bekannten Schwachstellen. Techniken wie Kerberoasting, DCSync oder ADCS-Missbrauch nutzen jedoch *legitime* Mechanismen und Fehlkonfigurationen, die ein Scanner nicht als Verwundbarkeit erkennt. F\u00fcr diese Pfade ist eine manuelle, methodische Pr\u00fcfung n\u00f6tig.\"}},{\"@type\":\"Question\",\"name\":\"Ist unser Active Directory durch NIS-2 betroffen?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Wenn Ihr Unternehmen in den Anwendungsbereich des NIS-2-Umsetzungsgesetzes f\u00e4llt, betreffen mehrere der in \u00a7 30 BSIG geforderten Ma\u00dfnahmen unmittelbar Active Directory \u2013 etwa Zugriffskontrolle, Kryptografie und Authentifizierung. Ob Ihr Unternehmen betroffen ist, richtet sich nach Sektor, Gr\u00f6\u00dfe und Umsatz; die Pr\u00fcfung muss jedes Unternehmen selbst vornehmen.\"}},{\"@type\":\"Question\",\"name\":\"Was ist der Unterschied zwischen einem Pentest und Red Teaming?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Ein Pentest deckt in einem definierten Zeitfenster m\u00f6glichst umfassend Schwachstellen auf und dokumentiert sie. Red Teaming simuliert einen realen Angriff mit einem konkreten Ziel und legt besonderen Wert darauf, unentdeckt zu bleiben. F\u00fcr eine grundlegende Bestandsaufnahme der AD-Sicherheit ist der Pentest meist der passende Einstieg.\"}},{\"@type\":\"Question\",\"name\":\"Wie oft sollte Active Directory gepr\u00fcft werden?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Sinnvoll ist eine Pr\u00fcfung nach gr\u00f6\u00dferen \u00c4nderungen an der AD-Struktur, nach der Einf\u00fchrung neuer Dom\u00e4nencontroller \u2013 etwa unter Windows Server 2025 \u2013 sowie in regelm\u00e4\u00dfigen Abst\u00e4nden, da sich Berechtigungsketten im laufenden Betrieb st\u00e4ndig ver\u00e4ndern. Erg\u00e4nzend liefern regelm\u00e4\u00dfige, auch automatisierte Analysen mit Werkzeugen wie PingCastle oder BloodHound einen laufenden \u00dcberblick.\"}}]}<\/script>\n                \n    <\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>How Attackers Become Domain Administrators in Active Directory\u2014and How to Prevent It. An Overview of Attack Vectors, BSI-Compliant Hardening, and the AD Penetration Test. <\/p>\n","protected":false},"author":4,"featured_media":46224,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[22],"tags":[138,140,139,137],"class_list":["post-46225","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-specialist-article","tag-active-directory-penetration-test","tag-active-directory-security","tag-hardening-active-directory","tag-securing-active-directory"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/posts\/46225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/comments?post=46225"}],"version-history":[{"count":1,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/posts\/46225\/revisions"}],"predecessor-version":[{"id":46227,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/posts\/46225\/revisions\/46227"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/media\/46224"}],"wp:attachment":[{"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/media?parent=46225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/categories?post=46225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/tags?post=46225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}