Most organizations wait for a penetration test to find out how exposed their domain controllers are. Annual or biannual testing creates a 300-plus-day window during which new misconfigurations accumulate, group memberships drift, and GPOs get exceptions that never get cleaned up. The gap between tests is where attackers operate.
The tools in this guide are designed for exactly this problem: they let your internal team run an attacker's-eye-view of your domain — consistently, without specialized offensive security expertise, and at no licensing cost. This isn't a replacement for a professional red team assessment, but it's a disciplined baseline that catches the majority of what we find in those assessments. For understanding the underlying attack techniques these tools surface, see our AD misconfigurations guide. This article focuses entirely on the assessment tooling.
Tool 1: PingCastle — Risk Scoring and Prioritization
PingCastle is the fastest way to get a scored, prioritized view of your AD security posture. It runs without administrative privileges (uses LDAP queries), generates an HTML report in under 10 minutes for most domains, and scores your environment across four risk categories: Stale Objects, Privileged Accounts, Trusts, and Anomalies. Each category scores 0–100, with the overall domain risk level being the maximum of the four.
Running PingCastle
# Download from https://www.pingcastle.com/download/
# Run as a domain-joined user (no admin required for basic scan):
.\PingCastle.exe --healthcheck --server yourdomain.com
# For a full interactive menu:
.\PingCastle.exe
# Scan all domains in a forest:
.\PingCastle.exe --healthcheck --server forest-root.com --recurse
# Export to specific output directory:
.\PingCastle.exe --healthcheck --server yourdomain.com --out C:\Reports\PingCastle\
Interpreting PingCastle Results
The output HTML report color-codes findings by severity. Focus your remediation on findings flagged in the Privileged Accounts and Anomalies categories first — these directly map to attacker-exploitable conditions. Key findings to prioritize:
- AdminCount = 1 on unexpected accounts: Indicates accounts historically in privileged groups, now potentially orphaned
- Golden Ticket indicators: KRBTGT password not rotated in 180+ days
- DCSync-capable accounts: Non-DC accounts with replication rights
- Kerberoastable accounts with weak encryption: Service accounts using RC4 rather than AES
- Old trust protocols: Trusts that allow SID history without filtering
PingCastle produces a score of 0 (clean) to 100 (maximum risk). A score above 25 in any category warrants attention. Run it weekly — the tool's maturity model recommends weekly scans to catch new trust relationships and configuration drift quickly.
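To make the weekly cadence scriptable, here is an added Python example (not PingCastle's own code) that reads two PingCastle XML reports, derives the overall level as the maximum of the four category scores, lists the categories over the 25-point line, and diffs the risk rules so that findings new since last week stand out. It assumes that PingCastle's ad_hc_<domain>.xml sits beside the HTML report and that the element names used here (HealthcheckData, the four *Score elements, RiskRules/HealthcheckRiskRule with RiskId, Points, Category and Rationale) match that file; check them against your own report before relying on them. The two reports embedded below are constructed samples, not real output.

```python
"""Weekly PingCastle trend check: risk level, categories over threshold, new rules.
Added example; element names are assumed from ad_hc_<domain>.xml and the two
reports are constructed samples."""
import xml.etree.ElementTree as ET

# Article categories mapped to the assumed score element names.
CATEGORY_ELEMENTS = {
    "Stale Objects": "StaleObjectsScore",
    "Privileged Accounts": "PrivilegiedGroupScore",  # spelling as assumed in the XML
    "Trusts": "TrustScore",
    "Anomalies": "AnomalyScore",
}
ATTENTION_THRESHOLD = 25  # the "warrants attention" line used in this article


def parse_report(xml_text):
    """Return {'scores': {category: int}, 'rules': {rule_id: {...}}}."""
    root = ET.fromstring(xml_text)
    scores = {}
    for label, element in CATEGORY_ELEMENTS.items():
        text = root.findtext(element)
        scores[label] = int(text) if text else 0
    rules = {}
    for rule in root.iterfind("RiskRules/HealthcheckRiskRule"):
        rules[rule.findtext("RiskId", default="")] = {
            "points": int(rule.findtext("Points", default="0")),
            "category": rule.findtext("Category", default=""),
            "rationale": rule.findtext("Rationale", default=""),
        }
    return {"scores": scores, "rules": rules}


def domain_risk_level(scores):
    """The overall level is the maximum of the four category scores."""
    return max(scores.values())


def categories_needing_attention(scores, threshold=ATTENTION_THRESHOLD):
    return sorted(c for c, s in scores.items() if s > threshold)


def new_findings(previous, current):
    """Risk rule IDs present now that were absent in the previous run."""
    return sorted(set(current["rules"]) - set(previous["rules"]))


def score_deltas(previous, current):
    """Per-category change between runs; positive means risk went up."""
    return {c: current["scores"][c] - previous["scores"][c] for c in CATEGORY_ELEMENTS}


def weekly_check(previous_xml, current_xml):
    """Everything a weekly job would alert on, as one dict."""
    prev, cur = parse_report(previous_xml), parse_report(current_xml)
    return {
        "risk_level": domain_risk_level(cur["scores"]),
        "attention": categories_needing_attention(cur["scores"]),
        "new_findings": new_findings(prev, cur),
        "deltas": score_deltas(prev, cur),
    }


# Constructed sample reports for two consecutive weeks (rule IDs are placeholders).
WEEK1_XML = """<HealthcheckData>
  <StaleObjectsScore>10</StaleObjectsScore>
  <PrivilegiedGroupScore>30</PrivilegiedGroupScore>
  <TrustScore>0</TrustScore>
  <AnomalyScore>20</AnomalyScore>
  <RiskRules>
    <HealthcheckRiskRule><Points>30</Points><Category>PrivilegedAccounts</Category>
      <RiskId>P-SAMPLE-ADMINCOUNT</RiskId><Rationale>constructed sample</Rationale></HealthcheckRiskRule>
  </RiskRules>
</HealthcheckData>"""

WEEK2_XML = """<HealthcheckData>
  <StaleObjectsScore>10</StaleObjectsScore>
  <PrivilegiedGroupScore>30</PrivilegiedGroupScore>
  <TrustScore>35</TrustScore>
  <AnomalyScore>45</AnomalyScore>
  <RiskRules>
    <HealthcheckRiskRule><Points>30</Points><Category>PrivilegedAccounts</Category>
      <RiskId>P-SAMPLE-ADMINCOUNT</RiskId><Rationale>constructed sample</Rationale></HealthcheckRiskRule>
    <HealthcheckRiskRule><Points>35</Points><Category>Trusts</Category>
      <RiskId>T-SAMPLE-SIDHISTORY</RiskId><Rationale>constructed sample</Rationale></HealthcheckRiskRule>
    <HealthcheckRiskRule><Points>45</Points><Category>Anomalies</Category>
      <RiskId>A-SAMPLE-KRBTGT</RiskId><Rationale>constructed sample</Rationale></HealthcheckRiskRule>
  </RiskRules>
</HealthcheckData>"""

if __name__ == "__main__":
    print(weekly_check(WEEK1_XML, WEEK2_XML))
```

In production, replace the embedded strings with the two most recent ad_hc_*.xml files and alert on a non-empty new_findings list or on any positive delta in the Trusts or Privileged Accounts categories; the rule diff is what catches a new trust or a new replication-capable account between scans.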
Tool 2: Purple Knight — Indicators of Compromise and Exposure
Purple Knight from Semperis goes beyond configuration scoring. It scans for both Indicators of Exposure (IoEs — risky configurations an attacker could exploit) and Indicators of Compromise (IoCs — evidence that an attack may already be in progress). It covers AD, Entra ID, and Okta in a single run, making it particularly valuable for hybrid environments.
Running Purple Knight
# Download from https://www.purple-knight.com/ (free, requires registration)
# Run as a domain admin or with delegated read permissions:
.\PurpleKnight.exe
# The tool launches a GUI — select your assessment scope:
# - Active Directory
# - Azure AD / Entra ID (requires additional permissions)
# - Okta (requires API key)
# For AD-only assessment, domain read access is sufficient
# For Entra ID assessment, you need Global Reader or Security Reader role
What Purple Knight Looks For
Purple Knight checks over 185 security indicators. In our experience, the highest-value findings include:
- Admin accounts with passwords unchanged for 90+ days: Common in service accounts and break-glass accounts
- Enabled but inactive admin accounts: Accounts in privileged groups that haven't logged in recently — prime targets for credential reuse
- Unconstrained delegation configured on non-DC accounts: Any computer or user with unconstrained Kerberos delegation is effectively a DC impersonation vector
- LAPS not deployed on workstations: Without LAPS, local admin passwords are frequently shared across machines, enabling lateral movement
- Protected Users security group under-utilization: Privileged accounts not enrolled in the Protected Users group lack critical Kerberos hardening
Purple Knight generates a report card with scores across five security categories. The remediation guidance is specific and actionable — each finding includes the exact attribute or permission to change. Unlike PingCastle, which is almost entirely LDAP-based, Purple Knight also performs some behavioral analysis and cross-references findings against MITRE ATT&CK techniques.
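To show what several of the indicators above amount to in attribute terms, here is an added Python example (not Purple Knight's logic) that evaluates them against an account export: unconstrained delegation on non-DC accounts from userAccountControl bits, privileged accounts with passwords older than 90 days, enabled-but-inactive privileged accounts, and privileged accounts missing from Protected Users. The input shape (sAMAccountName, userAccountControl, pwdLastSet, lastLogonTimestamp, memberOf) mimics an LDAP export; the sample records and the fixed reference date are constructed. The 90-day password age is the article's number; the 90-day inactivity window and the set of groups treated as privileged are assumptions.

```python
"""Indicator-of-exposure checks over an AD account export.  Added example;
sample accounts and NOW are constructed, the inactivity window is assumed."""
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bit values.
ACCOUNTDISABLE = 0x2
SERVER_TRUST_ACCOUNT = 0x2000        # set on domain controller computer accounts
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained Kerberos delegation

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumption
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """Windows FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_enabled(acct):
    return not acct["userAccountControl"] & ACCOUNTDISABLE


def is_domain_controller(acct):
    return bool(acct["userAccountControl"] & SERVER_TRUST_ACCOUNT)


def is_privileged(acct):
    return any(g in PRIVILEGED_GROUPS for g in acct.get("memberOf", ()))


def age_days(filetime, now):
    """Days since a FILETIME; 0 means 'never' and is treated as infinitely old."""
    if filetime == 0:
        return float("inf")
    return (now - filetime_to_datetime(filetime)).days


def unconstrained_delegation_on_non_dcs(accounts):
    """DCs legitimately carry the bit; anything else with it is a finding."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & TRUSTED_FOR_DELEGATION
                  and not is_domain_controller(a))


def stale_admin_passwords(accounts, now, max_age_days=90):
    return sorted(a["sAMAccountName"] for a in accounts
                  if is_privileged(a) and is_enabled(a)
                  and age_days(a["pwdLastSet"], now) > max_age_days)


def inactive_enabled_admins(accounts, now, max_idle_days=90):
    return sorted(a["sAMAccountName"] for a in accounts
                  if is_privileged(a) and is_enabled(a)
                  and age_days(a["lastLogonTimestamp"], now) > max_idle_days)


def admins_outside_protected_users(accounts):
    return sorted(a["sAMAccountName"] for a in accounts
                  if is_privileged(a) and is_enabled(a)
                  and "Protected Users" not in a.get("memberOf", ()))


def run_checks(accounts, now):
    return {
        "unconstrained_non_dc": unconstrained_delegation_on_non_dcs(accounts),
        "stale_admin_passwords": stale_admin_passwords(accounts, now),
        "inactive_enabled_admins": inactive_enabled_admins(accounts, now),
        "admins_not_protected": admins_outside_protected_users(accounts),
    }


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed so results are reproducible


def _days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))


# Constructed sample export; none of these accounts exist in a real domain.
ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,  # DC with delegation (expected)
     "pwdLastSet": _days_ago(10), "lastLogonTimestamp": _days_ago(1), "memberOf": []},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000,  # member server, unconstrained
     "pwdLastSet": _days_ago(10), "lastLogonTimestamp": _days_ago(1), "memberOf": []},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,  # password never expires
     "pwdLastSet": _days_ago(400), "lastLogonTimestamp": _days_ago(2), "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "jdoe-adm", "userAccountControl": 0x200,
     "pwdLastSet": _days_ago(20), "lastLogonTimestamp": _days_ago(120),
     "memberOf": ["Domain Admins", "Protected Users"]},
    {"sAMAccountName": "old-adm", "userAccountControl": 0x202,  # disabled: hygiene, not exposure
     "pwdLastSet": _days_ago(500), "lastLogonTimestamp": 0, "memberOf": ["Domain Admins"]},
]

if __name__ == "__main__":
    for name, hits in run_checks(ACCOUNTS, NOW).items():
        print(f"{name}: {hits}")
```

The DC is deliberately included so the delegation check shows the exclusion that matters: the SERVER_TRUST_ACCOUNT bit is what separates a legitimate DC from a member host carrying the same delegation flag.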
Tool 3: BloodHound Community Edition — Attack Path Visualization
BloodHound CE is the most powerful of the five tools and the one that most closely mirrors what an attacker actually does in your environment. It ingests domain data and builds a graph database of all relationships — group memberships, delegation rights, ACL permissions, session data — then lets you query attack paths between any two nodes.
Setting Up BloodHound CE
# BloodHound CE requires Docker for the server component:
# https://github.com/SpecterOps/BloodHound
# Quick start with Docker Compose:
curl -L https://ghst.ly/getbhce | docker compose -f - up
# BloodHound CE runs at http://localhost:8080 by default
# Default credentials are printed to the console on first run
# Data collection with SharpHound (run on a domain-joined machine):
# Download SharpHound from the BloodHound CE releases page
.\SharpHound.exe -c All --zipfilename domain-collection.zip
# Collection flags:
# -c All — collect all available data types
# --stealth — slower but generates fewer logs
# --excludedcs — exclude domain controllers from host-based collection (session and local group enumeration), which reduces noise on the DCs
# --outputdirectory — specify output path for ZIP file
Key Queries to Run After Ingestion
After importing the SharpHound ZIP into BloodHound CE, run these pre-built queries immediately:
- Shortest Paths to Domain Admins: Shows every attack path from any node to Domain Admins. This is the single most important query.
- Find All Domain Admin Sessions: Identifies machines where Domain Admin credentials are currently or recently cached — the lateral movement starting points
- Principals with DCSync Rights: Surfaces every account with replication permissions — cross-reference this with your PingCastle output
- Find Computers with Unsupported Operating Systems: Outdated DCs or members that can't be hardened with modern controls
- Kerberoastable Accounts in High-Value Groups: Service accounts with SPNs that are members of privileged groups
# BloodHound CE also supports custom Cypher queries:
# Find all users with GenericAll on any group:
MATCH p=(u:User)-[:GenericAll]->(g:Group) RETURN p
# Find attack paths from Domain Users to Domain Admins:
MATCH p=shortestPath((n:Group {name:"DOMAIN USERS@YOURDOMAIN.COM"})-[*1..]->(m:Group {name:"DOMAIN ADMINS@YOURDOMAIN.COM"})) RETURN p
# Find computers where Domain Admins have sessions:
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group)
WHERE g.name =~ "(?i)domain admins.*" RETURN c.name, u.name
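To make concrete what the shortest-path query computes and how the hop count feeds triage, here is an added Python example (not BloodHound's code) that runs a breadth-first search over a BloodHound-style edge list, reports the path from Domain Users to Domain Admins with its hop count, lists the principals holding DCSync over the domain, and re-runs the search with one edge removed to confirm that a fix actually breaks the path. The graph is constructed; node names follow the NAME@DOMAIN convention SharpHound uses, and the five-hop threshold is the one this article uses for its Critical tier.

```python
"""Attack-path search over a constructed BloodHound-style graph.  Added example,
not BloodHound's implementation; every node below is fictional."""
from collections import deque

# Constructed edges: (source, relationship, target).
EDGES = [
    ("DOMAIN USERS@CORP.LOCAL", "GenericAll", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "JDOE-ADM@CORP.LOCAL"),
    ("JDOE-ADM@CORP.LOCAL", "MemberOf", "TIER1-ADMINS@CORP.LOCAL"),
    ("TIER1-ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC-SQL@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
]
DOMAIN_USERS = "DOMAIN USERS@CORP.LOCAL"
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """BFS; returns the list of (src, rel, dst) steps, or None if unreachable."""
    if start == goal:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == goal:
                steps, cur = [], goal
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    steps.append((prev, r, cur))
                    cur = prev
                return list(reversed(steps))
            queue.append(nxt)
    return None


def hop_count(path):
    return len(path) if path is not None else None


def is_critical_path(path, max_hops=5):
    """This article's rule: a Domain Users -> Domain Admins path of five hops or fewer."""
    return path is not None and len(path) <= max_hops


def principals_with(graph, relationship, target):
    """Mirrors 'Principals with DCSync Rights' when called as ("DCSync", domain)."""
    return sorted(src for src, out in graph.items()
                  for rel, dst in out if rel == relationship and dst == target)


def path_after_removing(edges, edge, start, goal):
    """Re-run the search without one edge: the check to make after remediation."""
    remaining = [e for e in edges if e != edge]
    return shortest_path(build_graph(remaining), start, goal)


if __name__ == "__main__":
    g = build_graph(EDGES)
    path = shortest_path(g, DOMAIN_USERS, DOMAIN_ADMINS)
    for src, rel, dst in path:
        print(f"{src} -[{rel}]-> {dst}")
    print("hops:", hop_count(path), "critical:", is_critical_path(path))
    print("DCSync principals:", principals_with(g, "DCSync", "CORP.LOCAL"))
```

The sample path is exactly the shape the article warns about: an over-permissive ACL on a group, local admin on a workstation, a cached privileged session, and nested group membership. Removing the GenericAll edge in path_after_removing leaves no route, which is the verification step to run after a fix rather than trusting the change ticket.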
Tool 4: Testimo — Domain Controller Health Checks
Testimo is a PowerShell module by Evotec IT that automates a broad set of AD health and security checks across your entire forest, all domains, and every domain controller simultaneously. It is particularly useful for operational health validation — catching DCs that are out of sync, have disabled services, or have drifted from expected configurations.
# Install Testimo from the PowerShell Gallery:
Install-Module -Name Testimo -Force
# Run a full assessment (outputs HTML report):
Import-Module Testimo
Invoke-Testimo -ShowReport
# Run specific security-relevant sources only:
Invoke-Testimo -Sources `
'DCServicePrintSpooler', # Verifies Print Spooler is disabled on all DCs
'DCSMBProtocols', # Checks SMBv1 is disabled
'DCRDPSecurity', # Verifies NLA is enforced on all DCs
'DCWindowsUpdates', # Checks patch currency
'DomainPasswordComplexity', # Validates password policy settings
'ForestOrphanedAdmins', # Finds orphaned admin accounts
'DomainGroupPolicyMissingPermissions' `
-ShowReport
Testimo is particularly useful for catching DC-specific issues that PingCastle and BloodHound don't surface — things like a DC that hasn't synced time correctly, has a disk that's 90% full, or has SMBv1 still enabled. Run it monthly as a health baseline and after any change windows that touch DC configurations.
Tool 5: AD ACL Scanner — Permission Archaeology
AD ACL Scanner, written by Robin Granberg (canix1 on GitHub), is a PowerShell GUI tool that generates detailed reports of all DACLs and SACLs across your Active Directory hierarchy. It's the right tool for the question: "Who has what permissions, on what objects, across the entire domain?"
# Download from https://github.com/canix1/ADACLScanner
# Run as a domain admin for complete coverage:
.\ADACLScan.ps1
# Command-line mode (for scripted/scheduled runs):
.\ADACLScan.ps1 -Base (Get-ADDomain).DistinguishedName `
-Scope subtree `
-Output HTML `
-HTMLFile C:\Reports\ACLReport.html
# Filter for critical permission types:
.\ADACLScan.ps1 -Base (Get-ADDomain).DistinguishedName `
-Scope subtree `
-Filter "GenericAll,WriteDACL,WriteOwner,GenericWrite" `
-Output CSV `
-CSVFile C:\Reports\CriticalACLs.csv
The most dangerous permissions to hunt for are GenericAll, WriteDACL, WriteOwner, and GenericWrite on high-value objects: Domain root, AdminSDHolder, Domain Controllers OU, and privileged group objects. AD ACL Scanner also flags GPO permissions — a vector where an attacker who can write a GPO linked to the Domain Controllers OU can effectively execute code on every DC.
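To turn the permission hunt above and the semi-annual baseline comparison into a repeatable check, here is an added Python example (not AD ACL Scanner's code) that reads a flattened ACE export, flags GenericAll, WriteDACL, WriteOwner and GenericWrite on the high-value objects named above (domain root, AdminSDHolder, the Domain Controllers OU, privileged groups, plus individual GPO objects), ignores trustees expected to hold those rights, and diffs against a previous export to surface permission creep. The CSV layout (Object, Trustee, Right, one right per row), the sample ACEs, the domain DN and the set of expected trustees are all constructed assumptions for the example.

```python
"""Dangerous-ACE hunt and baseline diff over a flattened ACL export.  Added
example; the CSV shape, domain, trustees and ACEs are constructed."""
import csv
import io

DOMAIN_DN = "DC=corp,DC=local"  # constructed sample domain
# Rights are compared case-insensitively: exports spell WriteDACL/WriteDacl differently.
DANGEROUS_RIGHTS = {"genericall", "writedacl", "writeowner", "genericwrite"}
EXPECTED_TRUSTEES = {  # assumption: trustees that legitimately hold these rights
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
    "CORP\\Domain Admins", "CORP\\Enterprise Admins",
}


def high_value_objects(domain_dn):
    return {
        domain_dn,
        f"CN=AdminSDHolder,CN=System,{domain_dn}",
        f"OU=Domain Controllers,{domain_dn}",
        f"CN=Domain Admins,CN=Users,{domain_dn}",
        f"CN=Enterprise Admins,CN=Users,{domain_dn}",
        f"CN=Administrators,CN=Builtin,{domain_dn}",
    }


def is_high_value(object_dn, domain_dn):
    if object_dn in high_value_objects(domain_dn):
        return True
    # Individual GPOs live under CN=Policies,CN=System; write access to one linked
    # to the Domain Controllers OU is the code-execution-on-every-DC vector.
    return object_dn.endswith(f",CN=Policies,CN=System,{domain_dn}")


def parse_ace_csv(text):
    """Rows: Object,Trustee,Right (one right per row) -> set of tuples."""
    return {(r["Object"], r["Trustee"], r["Right"])
            for r in csv.DictReader(io.StringIO(text))}


def dangerous_aces(aces, domain_dn, expected=EXPECTED_TRUSTEES):
    return sorted((dn, trustee, right) for dn, trustee, right in aces
                  if right.lower() in DANGEROUS_RIGHTS
                  and is_high_value(dn, domain_dn)
                  and trustee not in expected)


def permission_creep(baseline, current, domain_dn):
    """Dangerous ACEs present now that the previous baseline did not contain."""
    return sorted(set(dangerous_aces(current, domain_dn))
                  - set(dangerous_aces(baseline, domain_dn)))


# Constructed exports; the GPO GUID is a placeholder, not a real policy.
BASELINE_CSV = '''Object,Trustee,Right
"DC=corp,DC=local","CORP\\Domain Admins",GenericAll
"OU=Workstations,DC=corp,DC=local","CORP\\Helpdesk",GenericAll
"CN=AdminSDHolder,CN=System,DC=corp,DC=local","NT AUTHORITY\\SYSTEM",GenericAll
'''
CURRENT_CSV = BASELINE_CSV + '''"OU=Domain Controllers,DC=corp,DC=local","CORP\\Helpdesk",WriteDacl
"CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local","CORP\\svc-gpo",GenericWrite
"OU=Workstations,DC=corp,DC=local","CORP\\Desktop-Support",WriteOwner
'''

if __name__ == "__main__":
    base, cur = parse_ace_csv(BASELINE_CSV), parse_ace_csv(CURRENT_CSV)
    for dn, trustee, right in permission_creep(base, cur, DOMAIN_DN):
        print(f"NEW: {trustee} has {right} on {dn}")
```

The Helpdesk GenericAll on the Workstations OU is deliberately left unflagged: it may be a finding for a later pass, but the point of the high-value filter is to keep the semi-annual review focused on the objects whose compromise is domain compromise.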
A Quarterly Assessment Cadence
Running these tools once produces a point-in-time snapshot. Running them on a schedule produces a security trend that catches drift before attackers find it. Here's a cadence that works for most enterprise environments:
- Weekly: PingCastle automated scan — track score trends, alert on new findings (particularly new trusts and new DCSync-capable accounts)
- Monthly: Testimo health check across all DCs — validate patch status, service states, and configuration drift
- Quarterly: Full BloodHound CE collection and attack path review — re-run after any major changes to group memberships or service accounts. Also run Purple Knight for IoC detection.
- Semi-annually: AD ACL Scanner full permission report — compare against previous baseline to identify permission creep
Prioritizing Findings Across All Tools
When all five tools generate findings simultaneously, use this prioritization framework:
- Critical: Any BloodHound attack path from Domain Users to Domain Admins in five hops or fewer; any DCSync-capable non-DC account; unconstrained delegation on non-DCs
- High: PingCastle anomaly score above 50; Purple Knight IoC findings (evidence of active compromise); KRBTGT password not rotated in 180+ days
- Medium: Kerberoastable service accounts with RC4 encryption; AD ACL Scanner findings of GenericAll on non-critical OUs; Testimo findings of SMBv1 enabled on member servers
- Low: Stale accounts, inactive computers, password policy deviations — important hygiene but not immediately exploitable
The goal is not a perfect score on every tool — it's eliminating the paths that lead directly to domain compromise. BloodHound's attack path visualization is the clearest way to see exactly which misconfigurations enable complete domain takeover. Start there, fix the paths, then work your way through the scoring tools.
Want a professional AD security assessment?
Our team goes beyond automated tooling — we perform full purple team assessments that combine tool-based discovery with manual attack path validation, adversary simulation, and a prioritized remediation roadmap. The automated tools are a start. A practitioner-led assessment catches what they miss.