Active Directory Attack Paths Your Annual Pentest Misses
Most internal pentest engagements at mid-to-large enterprises follow an annual cadence. That cadence creates a structural gap: the active directory attack path annual pentest cycle leaves a 12-month window during which new service accounts, certificate templates, and GPO changes accumulate, opening fresh routes to domain admin that never appear in last year’s report. CTDefense engineers find the same four misconfiguration classes in nearly every engagement that follows a 12-month gap, and they map cleanly to techniques already documented in ATT&CK and reproduced in the wild by named threat actors.
The framing matters for CISOs and IT directors who are heading into an ISO 27001 or NIS2 audit. An annual pentest satisfies the compliance line. It does not close the drift window between tests.
Why AD Configuration Drifts Between Tests
Active Directory configuration drift is not a single event. It is the steady accumulation of small operational changes, each individually defensible, that together create new attack chains. A new business unit gets a service account with broad permissions because that was the fastest way to ship. A certificate template gets edited to support a new application. A group policy is loosened to unblock a project. None of these changes trigger an alert in the SIEM, because none of them are an attack. They are just configuration.
The 2026 Verizon DBIR (published May 2026), summarised in SpyCloud’s coverage, reports that “stolen credentials appear in 39% of all breaches and remain the primary method attackers use to move laterally, escalate privileges, and monetize access.” Credentials, in practice, mostly means Active Directory. And the routes attackers use to get from a single foothold to domain admin are well-documented; they just need a misconfiguration to land on.
A useful test for the buyer side: ask when the last AD configuration audit was completed, then ask when the last service account was created. If the second date is more recent than the first, drift is already in the environment.
Kerberoastable Service Accounts: The Silent Accumulator
The first class of drift CTDefense finds is service accounts that allow Kerberoasting. A service principal name (SPN) is registered against a user account; that account becomes Kerberoastable, meaning any authenticated user can request a service ticket and crack it offline against the account’s password. MITRE ATT&CK technique T1558.003 describes the outcome plainly: “Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.”
The drift dynamic is operational. SPNs are added when new services are deployed. If the password policy for service accounts is weaker than for human users (a common compromise, because rotating service account passwords breaks applications), each new SPN registered after the last pentest is a new offline cracking opportunity. Kerberoasting detection at the SIEM layer helps, but it does not change the underlying exposure; the service ticket request itself is a routine event in any AD environment.
What an internal pentest catches that a vulnerability scanner cannot: the chain from “this SPN exists” to “this SPN’s password cracks in under six hours on a single GPU” to “this account is a member of a group that has write access to a sensitive OU.” That chain requires authenticated enumeration and offline cracking, and it is the work that defines an internal network security assessment.
ADCS Certificate Template Drift and ESC1 Exposure
The second class is Active Directory Certificate Services. ESC1 through ESC8 are a family of certificate template misconfigurations that allow an attacker to request a certificate impersonating a higher-privileged user, then authenticate as that user. ESC1 in particular, where a template allows the requester to supply an arbitrary Subject Alternative Name, is found often enough that experienced internal pentest leads check for it within the first hour of an engagement.
Semperis documents named threat-actor activity behind this technique: “The following threat actors have been executing ESC1 attacks in the wild: UNC5330.” This is not a theoretical CVE. It is a misconfiguration class that real adversaries exploit when they reach a foothold in an enterprise network.
ADCS misconfiguration is a particularly clean example of drift, because certificate templates are usually owned by the PKI team rather than the AD team. Edits made to support a new application, often weeks or months after a pentest, can introduce ESC1 exposure without anyone in the security team being aware of the change. The fix is straightforward once the template is identified; the problem is identification cadence.
Stale BloodHound Paths and Membership Creep
The third class is the slow accumulation of new attack paths visible only through graph analysis. BloodHound, the canonical AD attack-path tool from SpecterOps, has, according to the SpecterOps team, “been downloaded over 1.5M times and is used in over 95% of pen tests.” Every internal pentest produces a graph of who can compromise whom; the value of that graph decays as soon as memberships in AD change.
A single newly added security principal nested into Domain Admins via a routine change request can open dozens of new shortest paths to domain admin. Routine help-desk ticket fulfilment (adding a user to a group that turns out to be transitively privileged) can reset the entire attack surface. None of these are individual security incidents; they are operational changes. They show up only when the next graph is built.
This is also where AD attack paths sit outside the field of view of endpoint detection. CTDefense covered this in why EDR alone misses credential-based lateral movement: the request for a service ticket, the LDAP query, the certificate enrolment, all look like legitimate AD traffic. Identity-aware detection helps; an updated graph helps more.
NTLM Relay Opportunities From New Service Deployments
The fourth class is NTLM relay. New services deployed into the network, particularly print servers, internal web applications, and file shares, often default to NTLM authentication and to settings that allow relay attacks. Combined with LLMNR or mDNS poisoning on the same broadcast segment, a tester (or attacker) can capture and relay authentication to a higher-privileged endpoint and execute commands as the relayed user.
This is the class that ties most directly to perimeter posture. Attackers who land an internal foothold through what attackers find on your perimeter, an exposed VPN appliance, a forgotten subdomain, a public RDP, then pivot into the AD environment using exactly these relay techniques. The internal pentest is the engagement that demonstrates whether that pivot succeeds in practice.
The compliance overlay is real here as well. A NIS2 ISO 27001 internal audit increasingly expects evidence that the AD environment has been tested for relay exposure, not just that NTLM has been “configured securely” on paper. Auditors are getting more specific about cadence.
Closing the Drift Window: Cadence and Continuous Validation
The practical question for the buyer is not whether to run an internal pentest. It is how often. Most compliance frameworks (NIS2, ISO 27001, PCI DSS) require at least annual testing, but AD environments accumulate exploitable misconfigurations within weeks of any infrastructure change, making quarterly cadence the practical floor for environments with active AD operations. The 12-month cycle satisfies auditors; the 12-month cycle does not satisfy attackers.
A common follow-up question is whether automated tooling can replace the engagement. The honest answer: automated assessment platforms that run the full AD enumeration and exploitation chain can surface new ESC misconfigs and Kerberoastable accounts within days of a configuration change, rather than at the next scheduled engagement. They are not a substitute for a senior tester chasing a novel business-logic attack path; they are the right tool for catching drift in the well-known misconfiguration classes. A vulnerability scanner flags known CVEs against patch levels; an internal pentest exercises AD attack chains, Kerberoasting, certificate abuse, BloodHound path chaining, that scanners cannot reach because they require authenticated enumeration and chained exploitation logic.
The pattern CTDefense recommends to mid-market and enterprise organisations: a deep human-led internal network penetration testing engagement once a year for depth, then continuous automated validation between engagements to catch the four drift classes above. For organisations whose internal team or MSSP partner runs the continuous side, an autonomous AI pentest platform like PentX closes the cadence gap without adding headcount, which is the economic constraint that drives most annual-only schedules in the first place.
Similar organisations in finance, manufacturing, healthcare, and technology are encouraged to map their last AD configuration change against their last pentest date. If there has been a service account, certificate template, or privileged-group change since the last engagement, the report on the shelf is already incomplete.