A red team operator drops a foothold on a domain-joined workstation Monday morning. By Monday afternoon they hold a Domain Admin certificate signed by the target’s own CA. No zero-day, no public exploit code beyond what’s been on GitHub for three years. Just BloodHound mapping the relationship graph, Coercer triggering an authentication, and ntlmrelayx forwarding it to an HTTP enrollment endpoint that nobody remembered was still listening.
This pattern hasn’t changed in five years. What has changed is the surface: BloodHound Community Edition shipped v8.9 this month with OpenGraph extensions reaching into GitHub, Jamf, Okta, and Snowflake. Certipy now covers ESC1 through ESC16. Microsoft’s October 2026 NTLM enforcement deadline is six months out, and CVE-2025-33073 — an NTLM reflection bug — is still producing fresh exploitation primitives in 2026 research. This guide walks the modern AD pentest end-to-end: enumeration, graph analysis, coercion, relay, certificate abuse, and the controls that actually break the chain.
What the 2026 AD Attack Surface Actually Looks Like
Active Directory hasn’t gotten less central — it’s gotten more entangled. The same domain that authenticates desktop logons now backs Entra ID Connect, federates SaaS, brokers tokens to Snowflake, and links GitHub Enterprise via SSO. SpecterOps shipped BloodHound CE 8.0 and OpenGraph in mid-2025 specifically because attack paths now traverse identity systems rather than living entirely inside one forest. A GenericWrite ACE on an on-prem service account can become a path through Entra ID into a GitHub maintainer role and back down into a misconfigured MS SQL Server with xp_cmdshell enabled.
The classic on-prem chain still works because the protocols haven’t changed. NTLM is being deprecated, not removed: Microsoft’s three-phase plan automatically blocks NTLMv1 SSO in October 2026, but NTLMv2 is only “deprecated,” and Windows Server 2025’s hardening — EPA on by default for ADCS, channel binding for LDAP — only protects new installs of one server SKU. The existing fleet remains exposed. CVE-2025-24054, an NTLM hash-disclosure bug triggered by navigating to a folder containing a malicious .library-ms file, was added to CISA’s KEV catalog in March 2025 after Check Point Research observed exploitation against Polish and Romanian government targets eight days after the patch. CVE-2025-54918 followed in September 2025: a coercion-plus-relay primitive that bypasses LDAP signing and channel binding by tampering with NTLM message fields. CVE-2026-32202, disclosed by Akamai in April 2026, is a zero-click coercion via auto-parsed LNK files — an incomplete patch of an APT28 zero-day from earlier in the year.
The pentest workflow tracks this. Enumerate the graph, find a privileged identity within reach, get a hash or a coerced authentication, relay it somewhere useful, escalate via certificates or DCSync.
How BloodHound CE 8 Maps the Domain
BloodHound treats AD privilege escalation as a graph traversal problem. Every user, computer, group, GPO, and OU becomes a node. Every group membership, ACL grant, session, and trust becomes a directed edge. The question “can this low-privileged user reach Domain Admin?” stops being a manual ACL audit and becomes a Cypher query.
SpecterOps deprecated BloodHound Legacy in 2025. The current product is BloodHound Community Edition — a multi-container deployment with the BloodHound application server, PostgreSQL for configuration, and Neo4j as the graph database. The recommended install path is bloodhound-cli, a wrapper around Docker Compose. Kali Linux 2025.3 (released August 2025) was the first Kali release to package CE rather than the three-year-old Legacy v4. According to SpecterOps’ own April 2026 audit, four out of five training courses they reviewed were still teaching BloodHound Legacy, which is a useful tell when evaluating any AD pentesting course or certification.
The collector is SharpHound, a compiled C# binary that runs on a domain-joined Windows host, queries AD over LDAP, optionally enumerates active sessions on remote computers via SAMR or RPC, and emits a ZIP file you upload to BloodHound. From a low-privileged shell, the typical invocation is SharpHound.exe -c All for full collection, or SharpHound.exe -c DCOnly if you want to stay quieter and skip session enumeration. Stealth-conscious operators use --Stealth and --ExcludeDCs to dodge endpoint detection that watches for SharpHound-style LDAP query patterns.
The 2026 step-change is OpenGraph. BloodHound CE 8.0 added the ability to ingest identity data from GitHub, Snowflake, 1Password, Jamf, Microsoft SQL Server, and AWS, weaving them into the same graph as AD. A maintainer account in a GitHub org with deploy keys to production now sits in the same graph as the Tier 0 domain admin, with edges showing how one becomes the other. This is the model defenders should be planning around: assume attack paths cross identity silos, not just OUs.
The Cypher Queries That Actually Matter
The first thing to do after ingestion isn’t to click around. It’s to run the saved Cypher queries on the Cypher tab — Find Shortest Paths to Domain Admins, Find AS-REP Roastable Users (DontReqPreAuth), Find Kerberoastable Users with Most Privileges, Find Computers with Unconstrained Delegation. These four answer the most common “where do I go next?” questions in seconds.
The path you want, almost always, is from your owned principal to the Domain Admins group or the domain node itself. Mark your foothold as Owned (right-click the node), pathfind to a Tier 0 group, and read the edges. MemberOf is structural. GenericAll, GenericWrite, WriteDACL, and WriteOwner are direct ACE abuse paths. AddSelf lets you join a group. ForceChangePassword lets you reset a target user. AllowedToDelegate and AllowedToAct are constrained and resource-based delegation primitives. HasSession is a session edge — a credential is sitting on that machine right now.
Where BloodHound is misleading is on edges that depend on protocol-level state. A CanRDP edge means an ACL grant exists; whether the firewall allows TCP/3389 is an entirely separate question. The graph also shows static structure — it doesn’t tell you that the domain admin who logged into a workstation last Tuesday left a Kerberos TGT in lsass that’s now expired. Treat BloodHound as the map, not the terrain.
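The graph model above can be made concrete without a Neo4j instance. The following Python is an added example, not code from the article or from SpecterOps: it builds a small constructed graph in BloodHound's node/edge shape, runs the same breadth-first shortest-path search that the "Find Shortest Paths to Domain Admins" query performs, and separates the structural MemberOf hops from the ACE, delegation and session edges that a defender would actually remove. All principal names, the edge list, and the edge-type buckets are assumptions made for the example.

```python
from collections import deque

# Edge-type buckets as the article describes them. MemberOf is structure; the rest are
# the primitives an attacker abuses and a defender can break. (Assumed grouping.)
STRUCTURAL = {"MemberOf"}
ACE_ABUSE = {"GenericAll", "GenericWrite", "WriteDACL", "WriteOwner", "AddSelf", "ForceChangePassword"}
DELEGATION = {"AllowedToDelegate", "AllowedToAct"}
SESSION = {"HasSession", "AdminTo", "CanRDP"}

# Constructed sample graph (not real SharpHound output). Edges are (source, type, target)
# in the direction BloodHound draws them: Computer -[HasSession]-> User, etc.
SAMPLE_EDGES = [
    ("jdoe@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "asmith@corp.local"),
    ("asmith@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    ("HELPDESK@corp.local", "GenericWrite", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "WriteDACL", "DOMAIN ADMINS@corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge_type, neighbour), ...]."""
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, target):
    """BFS over directed edges; returns [(src, edge_type, dst), ...] or None.
    Equivalent to Cypher's shortestPath() with all edge types allowed."""
    if start not in adj:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    if target not in prev:
        return None
    path, cur = [], target
    while prev[cur] is not None:
        node, kind = prev[cur]
        path.append((node, kind, cur))
        cur = node
    path.reverse()
    return path


def remediation_edges(path):
    """The non-structural hops on a path: each is a concrete ACE, delegation setting
    or logged-on session that, if removed, breaks the path."""
    return [e for e in path if e[1] not in STRUCTURAL]


def inbound_non_structural(edges, target):
    """Every edge into a Tier 0 node that is not plain group membership: the
    defender's audit list for that node."""
    return [e for e in edges if e[2] == target and e[1] not in STRUCTURAL]


def cypher_for(start, target):
    """The Cypher a practitioner would paste into the BloodHound Cypher tab for the
    same question (names are the sample's own)."""
    return (f'MATCH p=shortestPath((s {{name:"{start}"}})-[*1..]->(t {{name:"{target}"}})) '
            "RETURN p")


if __name__ == "__main__":
    adj = build_graph(SAMPLE_EDGES)
    path = shortest_path(adj, "jdoe@corp.local", "DOMAIN ADMINS@corp.local")
    for src, kind, dst in path:
        print(f"{src} -[{kind}]-> {dst}")
    print("remove/review:", [(e[0], e[1]) for e in remediation_edges(path)])
    print(cypher_for("jdoe@corp.local", "DOMAIN ADMINS@corp.local"))
```

On the sample data the search prefers the three-hop ACE path (MemberOf, GenericWrite, WriteDACL) over the four-hop session path through WS01, which is also the practical lesson: the session path disappears when asmith logs off, while the two ACEs persist until someone removes them.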
How Coercion and Relay Still Win in 2026
The graph tells you who you want to become. Coercion and relay are how you get there when no direct ACL path exists. The pattern: trick a privileged machine — usually a domain controller, sometimes any server — into authenticating to your attacker host, then forward that authentication to a service that doesn’t enforce signing or channel binding.
The classic coercion vectors remain live. PrinterBug (MS-RPRN, the print spooler RPC interface) was disclosed by Lee Christensen in 2018 and still works on any DC running the spooler. PetitPotam abuses MS-EFSRPC and triggers authentication with no credentials at all on unpatched hosts (CVE-2021-36942) or with low-priv credentials elsewhere. Coercer by p0dalirius bundles 17+ coercion methods across multiple RPC interfaces — when one is patched, another usually isn’t. WebDAV-based coercion, where a searchConnector or .library-ms file forces authentication over HTTP via the WebClient service, sidesteps SMB signing entirely.
The relay tool of choice is ntlmrelayx.py from Impacket. The interesting targets are LDAP (for granting yourself rights, dumping the domain, or writing a Shadow Credentials msDS-KeyCredentialLink entry), MSSQL (for xp_cmdshell execution), SMB (where signing isn’t enforced), and most reliably the ADCS HTTP web enrollment endpoint at /certsrv/. That last one is the ESC8 chain.
CVE-2025-33073, the NTLM reflection vulnerability disclosed by Synacktiv in mid-2025, sharpened the primitive further. The original advisory described it as SMB-to-SMB privilege escalation. By January 2026, Depth Security published a fork of Impacket that strips NTLMSSP SIGN and SEAL flags while preserving the MIC, extending reflection to LDAP/LDAPS and partially to RPC services like the task scheduler. The takeaway: relay attacks aren’t a 2010s problem with a 2025 fix. They’re an ongoing research area producing new primitives every quarter.
The ADCS ESC8 Chain Step by Step
Active Directory Certificate Services is what SpecterOps researchers have called “privilege escalation as a service.” Their 2021 Certified Pre-Owned paper introduced the ESC1–ESC8 taxonomy. Certipy v5, maintained by Oliver Lyak (ly4k), now covers ESC1 through ESC16. The two most commonly found in real engagements are ESC1 (template misconfiguration with EnrolleeSuppliesSubject plus a Client Authentication EKU, exploitable by any Domain User) and ESC8 (HTTP web enrollment with NTLM, exploitable by anyone who can coerce a privileged authentication).
ESC8 is the canonical relay payoff. Run certipy find -u user@domain -p pass -dc-ip <DC> -vulnerable -stdout to enumerate the AD CS infrastructure and flag misconfigured templates and CAs. If web enrollment is exposed at http://ca-server/certsrv/ and EPA isn’t enabled — the default on anything older than Windows Server 2025 — relay PetitPotam-coerced DC authentication to that endpoint with ntlmrelayx.py -t http://ca-server/certsrv/certfnsh.asp -smb2support --adcs --template DomainController. The relay yields a PFX certificate issued to the DC’s machine account. Feed it to certipy auth -pfx dc.pfx to retrieve a Kerberos TGT and the NT hash via UnPAC-the-hash. With the DC’s machine hash, run secretsdump.py -hashes <hash> -just-dc domain/dc\$@dc-ip for a full DCSync.
End to end, this is under five minutes in a vulnerable environment, and most environments are vulnerable.
AD Pentesting Command Reference
Where the 2026 Defenses Actually Bite
Patching is the easy part of the conversation. The harder part is that AD’s exposure is mostly configuration, and the configurations that matter rarely show up on a vulnerability scan. CVE-2025-24054 is a CVSS 6.5 hash-disclosure bug that became a CISA KEV entry inside ten days because the underlying NTLM-over-UNC behavior is a feature, not a bug. CVE-2025-54918 in September 2025 demonstrated that even LDAP signing and channel binding — the controls Microsoft has been telling everyone to enable for half a decade — can be bypassed by tampering with NTLM authentication packet fields.
The controls that actually break the chains in this article: enable EPA on ADCS web enrollment in IIS Manager (the default in Windows Server 2025; it can be enabled manually on 2019/2022), enforce LDAP signing and channel binding via Group Policy on all DCs, disable the print spooler on every DC and Tier 0 server, block outbound SMB and WebDAV from DCs to non-DCs, and audit every certificate template with certipy find -vulnerable on a recurring basis. For NTLM specifically, configure Network security: Restrict NTLM in audit mode first, identify the legacy callers, and migrate them before October 2026’s automatic NTLMv1 SSO block flips on.
On the detection side, the events that matter for this kill chain are Event IDs 4886 and 4887 (ADCS certificate request received and issued — without these enabled, ESC8 relay is invisible), 4769 (Kerberos TGS requests, useful for spotting Kerberoasting sweeps and PKINIT abuse), and 4624 type-3 logons with the NTLM authentication package, which is how a relayed authentication shows up on the relay target. Most SOC pipelines collect 4624 and 4625 by default and ignore the rest.
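The two detections described above can be expressed as a few rules over parsed event records. The Python below is an added example, not part of the article or of any vendor's content: it runs over constructed Windows event records (flattened to dicts with the real field names from 4624, 4769, 4886 and 4887) and flags the ESC8 relay signature (a DC machine account authenticating over NTLM from a non-DC address to the CA, followed within a short window by a 4887 issuing a DomainController-template certificate to that account) and a Kerberoasting sweep (many RC4 TGS requests for distinct SPNs from one source). The DC address and account lists, the host names, the time window and the threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment facts (placeholders, not from the article): the DCs' addresses
# and machine-account names. A real pipeline would load these from an asset inventory.
DC_ADDRESSES = {"10.0.0.10", "10.0.0.11"}
DC_ACCOUNTS = {"DC01$", "DC02$"}


def _t(s):
    return datetime.fromisoformat(s)


def _account(name):
    # "CORP\DC01$" (4887 Requester) -> "DC01$"; 4624 TargetUserName is already bare
    return name.split("\\")[-1].upper()


def relayed_dc_logons(events):
    """4624 network logons (LogonType 3) over NTLM for a DC machine account coming
    from a non-DC address. A DC has no reason to authenticate to a member server over
    NTLM from a workstation IP; this is the relay half of an ESC8 chain."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == "3"
            and e["AuthenticationPackageName"] == "NTLM"
            and _account(e["TargetUserName"]) in DC_ACCOUNTS
            and e["IpAddress"] not in DC_ADDRESSES]


def esc8_correlations(events, window=timedelta(minutes=2)):
    """Pair each relayed DC logon with a 4887 on the same CA host, for the same
    machine account, using the DomainController template, inside the window."""
    issued = [e for e in events if e["EventID"] == 4887]
    pairs = []
    for logon in relayed_dc_logons(events):
        for cert in issued:
            delta = _t(cert["Time"]) - _t(logon["Time"])
            if (cert["Computer"] == logon["Computer"]
                    and _account(cert["Requester"]) == _account(logon["TargetUserName"])
                    and "CertificateTemplate:DomainController" in cert["Attributes"]
                    and timedelta(0) <= delta <= window):
                pairs.append((logon, cert))
    return pairs


def kerberoast_sweeps(events, window=timedelta(minutes=5), threshold=5):
    """Source IPs that requested RC4 (0x17) service tickets for at least `threshold`
    distinct SPNs inside the window: the footprint of a Kerberoasting sweep.
    Returns {ip: distinct_spn_count} for offenders only."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17":
            by_ip[e["IpAddress"]].append((_t(e["Time"]), e["ServiceName"]))
    sweeps = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            names = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(names) >= threshold:
                sweeps[ip] = len(names)
                break
    return sweeps


# Constructed sample records (flattened from the Windows event XML; not real logs).
def _logon(time, user, pkg, ip, computer="CA01.corp.local"):
    return {"EventID": 4624, "Time": time, "Computer": computer, "TargetUserName": user,
            "LogonType": "3", "AuthenticationPackageName": pkg, "IpAddress": ip}


def _tgs(time, ip, svc, etype="0x17"):
    return {"EventID": 4769, "Time": time, "IpAddress": ip, "ServiceName": svc,
            "TicketEncryptionType": etype, "TargetUserName": "jdoe@CORP.LOCAL"}


SAMPLE_EVENTS = [
    _logon("2026-04-06T09:01:10", "DC01$", "NTLM", "10.0.0.50"),   # DC account, NTLM, workstation IP
    {"EventID": 4886, "Time": "2026-04-06T09:01:11", "Computer": "CA01.corp.local",
     "Requester": "CORP\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
    {"EventID": 4887, "Time": "2026-04-06T09:01:12", "Computer": "CA01.corp.local",
     "Requester": "CORP\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
    _logon("2026-04-06T09:05:00", "DC02$", "Kerberos", "10.0.0.11"),  # normal DC-to-CA logon
    _logon("2026-04-06T09:06:00", "jdoe", "NTLM", "10.0.0.50"),       # ordinary user, not a DC account
    _tgs("2026-04-06T09:10:30", "10.0.0.80", "MSSQLSvc/sql01", etype="0x12"),  # AES, single SPN
] + [_tgs(f"2026-04-06T09:10:{i:02d}", "10.0.0.77", svc) for i, svc in enumerate(
    ["MSSQLSvc/sql01", "http/web01", "cifs/files01", "ldap/app01", "MSSQLSvc/sql02", "http/web02"])]

if __name__ == "__main__":
    for logon, cert in esc8_correlations(SAMPLE_EVENTS):
        print(f"ESC8 indicator: {logon['TargetUserName']} via NTLM from {logon['IpAddress']} "
              f"on {logon['Computer']}, then 4887 at {cert['Time']}")
    print("Kerberoast sweeps:", kerberoast_sweeps(SAMPLE_EVENTS))
```

Both rules depend on data most pipelines drop: the 4887 correlation needs Certificate Services auditing switched on at the CA, and the sweep rule needs 4769 from every DC, not just 4624/4625.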
Pitfalls and Common Mistakes
The most common pentest failure on AD engagements isn’t a technical block — it’s stale tooling. As of April 2026, BloodHound v8.9 is current; if your distribution is shipping v4.x (Legacy), your Cypher queries, edge types, and analysis model are three years out of date and will miss attack paths the modern engine surfaces. The same applies to Certipy v5: if you’re still running v4, you don’t have ESC9–ESC16 detection. Pin your tooling to a known-current version per engagement.
The second most common failure is ignoring the EDR. SharpHound, Mimikatz, and Rubeus all have Defender and CrowdStrike signatures from years of red team usage. Modern engagements run BloodHound-Python (bloodhound.py) from Linux against the DC over LDAP rather than dropping a binary on a Windows host. Coercion tools like Coercer trip network-side detections. Plan for noise; assume the SOC is watching, even when they’re not.
The third trap is treating relay as a guaranteed win. Microsoft’s Windows Server 2025 default-on EPA for ADCS and channel binding for LDAP genuinely close the ESC8 chain on fresh installs. CVE-2025-54918 reopened part of that surface, but well-hardened environments will bounce the relay. Have a backup plan — Kerberoasting still works against weak service account passwords, AS-REP roasting still works against accounts with DontReqPreauth, and unconstrained delegation is still a thing.
FAQ
Is BloodHound legal to run on a network I don’t own? No. SpecterOps’ own documentation is explicit: BloodHound is for systems you own or have explicit written permission to audit. Using it against networks without authorization is unauthorized access under most computer-misuse statutes, including the U.S. CFAA. Get a signed scope before you collect.
Will Microsoft’s October 2026 NTLM enforcement kill these attacks? Not all of them. The October 2026 milestone automatically enforces blocking of NTLMv1 SSO. NTLMv2 is deprecated but not blocked. Kerberos relay attacks — including the ones Elad Shamir documented and the ongoing CVE-2025-33073 follow-on research — operate independently of NTLM status. Plan for an 18–22 month migration window minimum, and assume relay-class attacks persist after the deadline.
Is Certipy’s BloodHound integration still useful with OpenGraph? Yes. certipy find -bloodhound still emits a ZIP that ingests directly into BloodHound CE, adding ADCS-specific edges (Enroll, AutoEnroll, WriteOwner on templates) to the graph. OpenGraph extends the graph outward; Certipy fills in the AD CS layer specifically. Both run in the same engagement.
What’s the minimum lab to practice this safely? GOAD (Game of Active Directory) and GOAD-Mini by Orange Cyberdefense ship a vulnerable multi-domain AD lab with ADCS, Kerberos delegation, and ACL paths preconfigured. HackTheBox’s Pro Labs (Dante, Offshore, Cybernetics) offer larger commercial environments. For solo practice, GOAD-Mini on a single host with 16GB RAM is the standard starting point.
What This Looks Like Going Forward
Microsoft’s posture is clear: NTLM is being deprecated, EPA is becoming default, and the ADCS templates that have been “low-hanging fruit” for half a decade will eventually be tightened in default installs. None of that retires the techniques in this article. The protocols underneath — Kerberos delegation, certificate-based authentication, ACL inheritance, RPC interfaces with optional signing — remain the structural attack surface, and BloodHound’s OpenGraph expansion shows where the next wave of paths lives: across identity systems rather than within one forest.
For pentesters, the practical move is to keep tooling current to within one minor version, follow SpecterOps and Synacktiv research as it ships, and treat every engagement as graph-first. For defenders, the move is to stop treating NTLM deprecation as a fix and start treating it as a deadline. The chain in this article was working in 2019 and works in 2026. It will work in 2027 unless something concrete changes between now and then.