name: performing-active-directory-vulnerability-assessment
description: Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations,
privilege escalation paths, and attack vectors.
domain: cybersecurity
subdomain: vulnerability-management
tags:
- active-directory
- pingcastle
- bloodhound
- purple-knight
- ad-security
- privilege-escalation
- ldap
- kerberos
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Restore Object
- Network Traffic Policy Mapping
- Restore Configuration
- Access Modeling
- Operational Activity Mapping
nist_csf:
- ID.RA-01
- ID.RA-02
- ID.IM-02
- ID.RA-06
Performing Active Directory Vulnerability Assessment
Overview
Active Directory (AD) is the primary identity and access management system in most enterprise environments, making it a critical attack target. This skill covers comprehensive AD security assessment using PingCastle for health checks, BloodHound for attack path analysis, and Purple Knight for security posture scoring. These tools identify misconfigurations, excessive privileges, Kerberos weaknesses, and lateral movement opportunities.
When to Use
- When conducting security assessments that involve performing active directory vulnerability assessment
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Domain-joined workstation or domain admin access for scanning
- PingCastle (https://github.com/netwrix/pingcastle)
- BloodHound Community Edition with SharpHound collector
- Purple Knight from Semperis (free community tool)
- Python 3.9+ for analysis scripts
- .NET Framework 4.7+ for PingCastle on Windows
Tool 1: PingCastle Health Check
| Tool |
Purpose |
| Platform-specific tools |
See the workflow steps for recommended tools |
| Standard utilities |
sha256sum, grep, awk for data processing |
Installation and Execution
# Download PingCastle
Invoke-WebRequest -Uri "https://github.com/netwrix/pingcastle/releases/latest/download/PingCastle.zip" `
-OutFile "PingCastle.zip"
Expand-Archive PingCastle.zip -DestinationPath C:\Tools\PingCastle
# Run health check against current domain
cd C:\Tools\PingCastle
.\PingCastle.exe --healthcheck
# Run health check against specific domain
.\PingCastle.exe --healthcheck --server dc01.corp.local --user CORP\scanner_account --password P@ssw0rd
# Run in scanner mode for multiple domains
.\PingCastle.exe --scanner --scannerlp
# Generate consolidated report
.\PingCastle.exe --healthcheck --level Full
PingCastle Scoring Categories
| Category |
Description |
Risk Areas |
| Stale Objects |
Inactive accounts, old passwords, obsolete OS |
Ghost accounts, expired credentials |
| Privileged Accounts |
Excessive admin rights, nested groups |
Domain Admin sprawl, SID history |
| Trusts |
Forest and domain trust configurations |
Transitive trust abuse, SID filtering |
| Anomalies |
Security setting deviations |
GPO misconfigurations, schema issues |
Key PingCastle Checks
# Critical items to review in PingCastle report:
- Accounts with "Password Never Expires" flag
- Accounts with Kerberos pre-authentication disabled (AS-REP roastable)
- Accounts with Kerberos delegation (unconstrained/constrained)
- Domain Controllers running unsupported OS versions
- AdminSDHolder permission modifications
- Accounts in privileged groups (Domain Admins, Enterprise Admins, Schema Admins)
- Trust relationships with SID filtering disabled
- GPO vulnerabilities allowing privilege escalation
Tool 2: BloodHound Attack Path Analysis
| Tool |
Purpose |
| Platform-specific tools |
See the workflow steps for recommended tools |
| Standard utilities |
sha256sum, grep, awk for data processing |
SharpHound Data Collection
# Download SharpHound collector
# https://github.com/SpecterOps/BloodHound/tree/main/packages/csharp/SharpHound
# Run SharpHound collection (all methods)
.\SharpHound.exe --collectionmethods All --domain corp.local --zipfilename bloodhound_data.zip
# Stealthy collection (minimal noise)
.\SharpHound.exe --collectionmethods Session,LoggedOn --domain corp.local --stealth
# Collection with specific domain controller
.\SharpHound.exe --collectionmethods All --domain corp.local --domaincontroller dc01.corp.local
# Run via PowerShell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain corp.local -OutputDirectory C:\BH_Data
BloodHound CE Setup
# Deploy BloodHound Community Edition with Docker
curl -L https://ghst.ly/getbhce -o docker-compose.yml
docker compose up -d
# Access BloodHound CE at http://localhost:8080
# Default credentials shown in docker compose logs
# Upload SharpHound data through web UI or API
curl -X POST "http://localhost:8080/api/v2/file-upload/start" \
-H "Authorization: Bearer $BH_TOKEN" \
-H "Content-Type: application/json" \
-d '{"fileName": "bloodhound_data.zip"}'
Critical BloodHound Queries
# Find shortest path to Domain Admin
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}))
WHERE u.name <> "ADMINISTRATOR@CORP.LOCAL"
RETURN p
# Find Kerberoastable accounts with admin privileges
MATCH (u:User {hasspn:true})-[:MemberOf*1..]->(g:Group)
WHERE g.name CONTAINS "ADMIN"
RETURN u.name, u.serviceprincipalnames
# Find computers where Domain Admins are logged in
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})
RETURN c.name, u.name
# Find AS-REP roastable accounts
MATCH (u:User {dontreqpreauth:true})
RETURN u.name, u.description
# Find unconstrained delegation hosts
MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name CONTAINS "DC"
RETURN c.name
# Find GPO abuse paths
MATCH p=(u:User)-[:GenericAll|GenericWrite|WriteOwner|WriteDacl]->(g:GPO)
RETURN p
Tool 3: Purple Knight Assessment
# Download Purple Knight from https://www.purple-knight.com/
# Run as domain admin or with appropriate read permissions
.\PurpleKnight.exe
# Purple Knight checks 130+ security indicators across:
# - Account Security (password policies, privileged accounts)
# - AD Infrastructure (replication, DNS, LDAP signing)
# - Group Policy (GPO permissions, security settings)
# - Kerberos Security (delegation, encryption types, SPN)
# - AD Delegation (AdminSDHolder, OU permissions)
Purple Knight Score Categories
| Score Range |
Rating |
Action Required |
| 90-100 |
Excellent |
Maintain current posture |
| 75-89 |
Good |
Address high-risk findings |
| 60-74 |
Fair |
Prioritize remediation plan |
| 40-59 |
Poor |
Immediate remediation required |
| 0-39 |
Critical |
Emergency response needed |
Common AD Vulnerabilities
This section covers common ad vulnerabilities for performing active directory vulnerability assessment.
- Ensure all prerequisites are met before proceeding
- Follow the documented workflow steps in sequence
- Record results and any anomalies encountered during this phase
1. Kerberoasting Exposure
# Find SPNs assigned to user accounts (Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
Select-Object Name, ServicePrincipalName, PasswordLastSet, Enabled
2. AS-REP Roasting Exposure
# Find accounts with pre-auth disabled
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
Select-Object Name, DoesNotRequirePreAuth, Enabled
3. LLMNR/NBT-NS Poisoning Risk
# Check if LLMNR is disabled via GPO
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -ErrorAction SilentlyContinue
4. Excessive Privileged Group Membership
# Count members in critical groups
$groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators", "Backup Operators")
foreach ($group in $groups) {
$count = (Get-ADGroupMember -Identity $group -Recursive).Count
Write-Output "$group : $count members"
}
Remediation Priorities
| Finding |
Risk |
Remediation |
| Kerberoastable admin accounts |
Critical |
Remove SPNs or use MSA/gMSA |
| Unconstrained delegation on non-DCs |
Critical |
Switch to constrained/RBCD |
| Password Never Expires on admins |
High |
Enable password rotation policy |
| AS-REP roastable accounts |
High |
Enable Kerberos pre-authentication |
| AdminSDHolder modification |
High |
Audit and restore default ACLs |
| Stale computer accounts (90+ days) |
Medium |
Disable and move to quarantine OU |
| LDAP signing not enforced |
Medium |
Enable via GPO on all DCs |
When NOT to Use
- You don't have explicit written authorization to test
- Task is about defense/detection, not offense (use detection skills)
- You need to implement security controls (use implementing-* skills)
- Task requires compliance auditing (use auditing-* skills)
- You're investigating an incident (use incident response skills)
- Target is out of scope for your engagement
- Task is about vulnerability scanning only (use scanning tools)
Red Flags
- Performing actions without explicit written authorization from the asset owner
- Testing against production systems without a defined scope and rules of engagement
- Sharing sensitive findings or credentials in unencrypted communications
- Failing to properly scope and contain the assessment before starting
Verification
- All steps executed successfully against a test environment before production use
- Output documented with screenshots or logs demonstrating expected behavior
- Results validated against known-good baselines or reference implementations
- Documentation complete enough for another analyst to reproduce findings
References
Process
- Analyze the task requirements
- Apply domain expertise
- Verify output quality
Anti-Rationalization
| Rationalization |
Reality |
| "We are too small to be targeted" |
Automated attacks target everyone. Size does not matter. |
| "Security slows us down" |
A breach slows you down 100x more. Build security in from the start. |
| "We will fix it after launch" |
Vulnerabilities in production are exploited within hours. Fix before deploy. |
By