AD Tier-0 · BloodHound · PingCastle

Active Directory Security Assessment Malaysia — Tier-0 Hardening

Specialist on-prem AD and Entra ID assessment by CRT-led consultants. Kerberoasting, AD CS ESC1-13, BloodHound graph analysis, hybrid identity attack paths — and a Tier-0 hardening roadmap your IR team can actually execute.

Get a Scope Talk to an Expert

Why Active Directory is the #1 ransomware pivot

Mandiant's M-Trends 2024 reporting consistently names Active Directory as the most-abused identity layer in human-operated ransomware intrusions. The pattern is well-documented: initial access via phishing, valid account, or exposed RDP; rapid privilege escalation through a Kerberoasted service account; lateral movement via legitimate admin protocols; objective achieved through Domain Admin, then ransomware deployment via GPO or PsExec across thousands of endpoints in hours.

The reason AD is so productive for adversaries is structural: it is old, it is complex, it accumulates ACL debt over decades of operation, and it is rarely subjected to specialist review. Most enterprises run a network pentest annually that touches AD for a day; almost none subject AD to the multi-week, focused review that the asset deserves.

This engagement closes that gap. It dedicates 2-4 weeks of CRT-led consultant time exclusively to identity — on-prem AD, Entra ID, and the hybrid surface between them.

What we test

Kerberos & credential attacks

Kerberoasting, AS-REP roasting, Silver Ticket, Golden Ticket simulation, Pass-the-Hash and Pass-the-Ticket validation, DCSync permission audit, NTLM relay exposure.

AD Certificate Services

ESC1 through ESC13 — vulnerable certificate templates, EDITF_ATTRIBUTESUBJECTALTNAME2 misconfig, NTLM relay to ADCS HTTP enrolment, certificate-based domain takeover paths. Often the fastest path to Domain Admin in modern environments.

Delegation abuse

Unconstrained delegation enumeration, constrained delegation S4U abuse, resource-based constrained delegation (RBCD) attack paths, printer bug exposure for forced authentication.

ACL & trust analysis

Full BloodHound graph collection and analysis. Shortest-path-to-Domain-Admin enumeration. AdminSDHolder integrity. GPO permission review. Cross-forest and cross-domain trust security.

Tier-0 sprawl

Inventory of every account and system with effective Tier-0 reach. Often reveals 10-50x more privileged access than the customer realised. Roadmap for collapsing sprawl into governed Tier-0 boundary.

Entra ID / Azure AD

Conditional Access policy gap analysis, Privileged Identity Management (PIM) hygiene, app-registration permission abuse, Primary Refresh Token (PRT) theft surface, Pass-the-PRT, AAD Connect / Entra Connect server compromise paths.

Tooling

We combine commercial and open-source tools chosen for evidence quality and minimal production impact:

BloodHound CE / Enterprise — ACL graph analysis & shortest-path enumeration

PingCastle — health scoring and historical baseline diff

Purple Knight (Semperis) — second-opinion AD security assessment

ADRecon — comprehensive AD object enumeration

Locksmith — AD CS misconfiguration discovery (ESC1-13)

Certify — manual AD CS exploitation validation

Rubeus — Kerberos abuse demonstration in controlled scope

ROADtools / AADInternals — Entra ID enumeration and analysis

Methodology — 5 phases

Scope & baseline

Joint scoping with the identity team. Inventory of forests, domains, trust relationships, AD CS deployment, Entra ID tenancy, AAD Connect topology. Read-only PingCastle baseline established.

Authenticated recon

BloodHound collection from a low-privilege user. ADRecon full object enumeration. Locksmith AD CS template audit. Hybrid identity surface mapping with ROADtools.

Exploitation simulation

Controlled-window validation of Kerberoasting, AS-REP roasting, AD CS ESC paths, delegation abuse. Destructive techniques replicated in lab; production validated read-only via permission inspection.

AD CS & hybrid audit

Deep-dive ESC1-13 review. Entra Conditional Access gap analysis. PIM hygiene. App registration permission audit. AAD Connect / Entra Connect server posture.

Hardening roadmap

Prioritised findings with effort/impact scoring. IR runbook updates for AD-specific scenarios. Quarterly AD baseline diff schedule. Board-ready summary mapped to RMiT, ISO 27001 Annex A.5.15-A.5.18.

Engagement size & outcomes

Typical engagements run 2-4 weeks of consultant time. Smaller single-domain on-prem environments land at 2 weeks; large multi-forest hybrid environments with mature AD CS deployments and complex Entra tenancies run 4 weeks plus a 1-week hardening-validation re-test.

Outcomes delivered:

• Prioritised findings register, severity-rated, with reproduction evidence and remediation guidance
• Tier-0 sprawl inventory and collapse roadmap
• AD CS template hardening playbook
• IR runbook updates: Kerberoasting, Golden Ticket, AD CS abuse, AAD Connect compromise, ransomware-via-GPO
• Quarterly baseline-diff schedule so regression is caught early
• Board summary mapped to RMiT, ISO 27001, NIST CSF

Frequently asked questions

How is this different from a full network penetration test?

A network pentest casts a wide net across many systems and services with finite hours per asset. An AD-focused assessment dedicates the entire engagement budget to Active Directory and Entra ID — domain controller hygiene, Kerberos misconfigurations, AD Certificate Services, ACL graph analysis, Tier-0 boundary integrity, hybrid identity attack paths. The depth on AD is roughly 5-10x what a generalist pentest reaches in the same week. Both are valuable; if AD is your crown jewel (and for ransomware-targeted orgs it is), this assessment is mandatory.

Tier-0 — what counts?

Tier-0 is everything that, if compromised, gives an attacker the keys to the entire forest. That includes: Domain Admins, Enterprise Admins, Schema Admins; the domain controllers themselves; AD CS Certificate Authorities; AAD Connect / Entra Connect servers; Tier-0 jump hosts and PAW workstations; backup infrastructure with restore rights to DCs; the credential vault servicing privileged accounts. Tier-0 sprawl — accounts or systems that effectively have Tier-0 reach but aren't governed as such — is the single most common finding we report.

Kerberoasting — does that really still work in 2026?

Yes. The technique requires only an authenticated user account and works against any service principal name (SPN) registered to a user account with a weak password. We see it succeed on the majority of Malaysian AD environments we assess, frequently yielding service accounts with effective Tier-0 reach. AS-REP roasting (against accounts with pre-authentication disabled) is rarer but still found. Mitigations are well-known — Group Managed Service Accounts, password length policies for service accounts, monitoring for TGS-REQ anomalies — but adoption lags badly.

Will testing crash AD?

No. The assessment uses authenticated, low-impact reconnaissance and offline analysis. BloodHound collection runs as an authenticated user (no privileged actions). PingCastle and Purple Knight are read-only health checks. Exploitation simulation is performed in a controlled manner with pre-agreed change windows and rollback plans, and we never execute destructive techniques (DCSync against production is replicated in a lab, then validated read-only via permission inspection). Production AD remains untouched in operation.

Does this assessment satisfy BNM RMiT pentest requirements?

It complements but does not replace the broader RMiT 10.49 intelligence-led pentest obligation, which expects scope across initial access through objectives. Many of our FSI customers run an AD assessment as a precursor 4-8 weeks before the intelligence-led exercise — so the obvious AD wins are remediated first and the intel-led test can spend its hours on detection-and-response validation rather than easy AD escalation paths.

Ready to harden the crown jewel?

Scoping calls take 30 minutes. Most engagements deliver the Tier-0 sprawl inventory in week one — the finding most CISOs want on day one.

Get a Scope