At a Glance
- Industry: Manufacturing
- Engagement type: Active Directory Security Audit
- Tech stack: Single forest with 3 child domains, ~1,800 user accounts, 600 computer objects, hybrid Azure AD Connect to M365 E3, Veeam backup integration
- Outcome: All critical and high-severity findings remediated and re-tested with no critical issues remaining at close.
- Delivered by: ISO/IEC 27001:2022 certified consultants with OSCP, OSEP, CISA, CISM credentials.
Client Overview
Industry: Manufacturing
Product: Multi-plant Windows enterprise with OT/IT convergence
Tech stack: Single forest with 3 child domains, ~1,800 user accounts, 600 computer objects, hybrid Azure AD Connect to M365 E3, Veeam backup integration
The client is a mid-size Indian manufacturer operating 4 plants across India with corporate HQ in Pune. Their Active Directory forest had been in operation for 12 years with no formal security audit since 2018.
Challenge
Three factors drove the urgency of this engagement:
- Ransomware risk awareness. Recent ransomware attacks on peer Indian manufacturers had elevated AD security as a board-level concern
- OT/IT convergence. Plant SCADA systems were increasingly integrated with corporate AD, creating attack paths between domains
- Legacy delegation. 12 years of Active Directory operation had accumulated legacy permissions, delegations and group memberships with unclear ownership
Our Approach
Codesecure delivered a structured engagement combining automated coverage with deep manual testing focused on the specific risk areas for this client.
Scope of Testing
The engagement covered the following primary areas:
- BloodHound enumeration mapping every attack path from low-privilege accounts to Domain Admin
- Kerberos abuse testing (Kerberoasting, AS-REP roasting, golden/silver ticket prerequisites)
- NTLM relay and Pass-the-Hash testing across the domain controllers and member servers
- ACL abuse analysis: DACL review of protected objects and of the AdminSDHolder container whose permissions SDProp stamps onto them
- GPO security review covering Restricted Groups, scheduled tasks and GPP cpassword
- Delegation analysis (unconstrained, constrained, resource-based constrained delegation)
- Tier-0 separation review and admin workstation enforcement evaluation
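The following PowerShell script is an added example, not the tooling used in this engagement, that performs the read-only enumeration side of the scope above with the RSAT ActiveDirectory module: Kerberoastable and AS-REP-roastable accounts, unconstrained and protocol-transition delegation, stale passwords and dormant privileged accounts, non-default ACEs on AdminSDHolder, and GPP cpassword values left in SYSVOL. The staleness thresholds, the AdminSDHolder trustee baseline and the assumption that it runs as an ordinary domain user on a domain-joined host with RSAT installed are illustrative; BloodHound is still what turns these raw lists into attack paths.

```powershell
# Added example (not the engagement's own tooling): read-only AD weakness sweep.
# Assumes RSAT ActiveDirectory module and a domain-joined host; thresholds are assumptions.
Import-Module ActiveDirectory

$StaleDays   = 365 * 5       # assumption: the "5+ years" password age from the findings
$DormantDays = 18 * 30       # assumption: the "18+ months" admin inactivity window
$Now         = Get-Date
$Domain      = Get-ADDomain
$Report      = [ordered]@{}

# 1. Kerberoastable: user objects with an SPN (krbtgt excluded). Any domain user can
#    request a TGS for these and crack it offline, so password age and privilege matter.
$Report.Kerberoastable = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, MemberOf |
  Where-Object { $_.SamAccountName -ne 'krbtgt' } |
  Select-Object SamAccountName, PasswordLastSet,
    @{n='SPNs';       e={ $_.ServicePrincipalName -join ';' }},
    @{n='Privileged'; e={ @($_.MemberOf | Where-Object { $_ -match 'Domain Admins|Enterprise Admins|CN=Administrators' }).Count -gt 0 }}

# 2. AS-REP roastable: Kerberos pre-authentication disabled on the account.
$Report.AsRepRoastable = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
  Select-Object SamAccountName, Enabled

# 3. Unconstrained delegation. Domain controllers have it by design; any other host
#    (the backup server in this case study) stores the TGT of everyone who authenticates to it.
$Report.UnconstrainedDelegation = @(
  Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties OperatingSystem |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    Select-Object Name, OperatingSystem
  Get-ADUser -Filter 'TrustedForDelegation -eq $true' | Select-Object SamAccountName
)

# 4. Constrained delegation, flagging protocol transition (UAC bit 0x1000000), which lets
#    the service impersonate any user to the listed target SPNs without that user logging on.
$Report.ConstrainedDelegation = Get-ADObject `
    -LDAPFilter '(|(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=16777216))' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl |
  Select-Object Name,
    @{n='ProtocolTransition'; e={ ($_.userAccountControl -band 0x1000000) -ne 0 }},
    @{n='Targets';            e={ $_.'msDS-AllowedToDelegateTo' -join ';' }}

# 5. Stale passwords on enabled accounts, and Domain Admins with no recent logon.
$Report.StalePasswords = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
  Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $Now.AddDays(-$StaleDays) } |
  Select-Object SamAccountName, PasswordLastSet

$Report.DormantAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
  Where-Object { $_.objectClass -eq 'user' } |
  Get-ADUser -Properties LastLogonDate |
  Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Now.AddDays(-$DormantDays) } |
  Select-Object SamAccountName, LastLogonDate

# 6. AdminSDHolder DACL. SDProp (every 60 minutes by default) copies this DACL onto every
#    protected account, so a stray ACE here is write access to all of them.
#    The trustee baseline below is an assumption; compare against a known-good forest.
$BaselineTrustees = 'SYSTEM|Domain Admins|Enterprise Admins|Administrators|Authenticated Users|Everyone|SELF|Pre-Windows 2000|Windows Authorization Access Group|Terminal Server License Servers|ENTERPRISE DOMAIN CONTROLLERS|Cert Publishers'
$AdminSdHolder = "AD:\CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"
$Report.AdminSdHolderAces = (Get-Acl $AdminSdHolder).Access |
  Where-Object { $_.IdentityReference -notmatch $BaselineTrustees } |
  Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 7. GPP cpassword in SYSVOL. The AES key is published by Microsoft, so these are plaintext.
$Report.GppCpassword = Get-ChildItem "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies" -Recurse `
    -Include Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml, Printers.xml `
    -ErrorAction SilentlyContinue |
  Select-String -Pattern 'cpassword="([^"]+)"' |
  Select-Object Path, @{n='cpassword'; e={ $_.Matches[0].Groups[1].Value }}

foreach ($Section in $Report.GetEnumerator()) {
  "`n== $($Section.Key) ($(@($Section.Value).Count)) =="
  $Section.Value | Format-Table -AutoSize | Out-String
}
```

Run it from a tier-1 or lower host as a plain domain user: every query above is readable by Authenticated Users by default, which is exactly why an attacker with a phished workstation can collect the same data. A non-empty `UnconstrainedDelegation`, `AdminSdHolderAces` or `GppCpassword` section is a critical finding on its own; the other sections rank by the `Privileged` column and password age.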
Reporting & Walkthrough
Executive summary delivered alongside a technical report containing reproducible PoC steps, CVSS v3.1 severity scoring and administrator-actionable remediation guidance. A live walkthrough with the client team covered every critical finding, with reproduction and the recommended fix path.
Need a Similar Engagement?
Our ISO/IEC 27001:2022 certified consultants deliver fixed-price, named-consultant engagements with executive-ready outcomes. Free 30-minute scoping call, instant response, no delay.
Book a Free Scoping Call
Results
Critical Findings
- Path to Domain Admin in 1 hour 47 minutes from a standard user account, via Kerberoasting of a service account with a registered SPN whose password was cracked offline
- Unconstrained delegation on a backup server, allowing theft of the TGT of any principal that authenticated to it; a single privileged logon to that host would have yielded full domain compromise
- AdminSDHolder ACL abuse path: a misconfigured ACE on the AdminSDHolder container, which SDProp propagates to every protected account (Domain Admins, Enterprise Admins and the other protected groups) on its hourly run, allowing modification of all of them
High & Medium Severity
- GPP cpassword in SYSVOL exposing local administrator credentials
- NTLMv1 still enabled domain-wide
- 23 user accounts with passwords not changed in 5+ years
- Domain password policy: 8-character minimum, no complexity requirement
- 47 service accounts with SPNs and weak passwords
- 12 computers with unconstrained delegation
- Dormant admin accounts not used in 18+ months
Before vs. After
Before Engagement
- Domain Admin reachable in <2 hours
- Unconstrained delegation on backup server
- GPP cpassword in SYSVOL
- NTLMv1 enabled domain-wide
- No tier-0 separation
- 23 accounts with stale passwords (5+ years)
After Remediation
- Tiered admin model with PAW workstations
- Constrained delegation only, with allowlist
- SYSVOL cleaned, GPP migrated
- NTLM disabled, Kerberos-only authentication
- Tier-0 PAWs deployed for all DAs
- Quarterly stale-account review automated
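As an added example (not the client's or Codesecure's remediation script), the following PowerShell applies four of the "After Remediation" items above with the RSAT ActiveDirectory module: moving the backup server from unconstrained to constrained delegation with an explicit target-SPN allowlist, marking every Domain Admin as non-delegatable and placing it in Protected Users, refusing NTLMv1 via LmCompatibilityLevel, and the stale-account disable pass that a quarterly task would run. The host name BACKUP01, the SPN list, the break-glass account name and the 90-day inactivity cutoff are assumptions; the script stays in -WhatIf mode until the flag at the top is flipped.

```powershell
# Added example (not the engagement's remediation script). Run as a tier-0 admin from a PAW.
# Assumes RSAT ActiveDirectory module; names, SPNs and cutoffs below are assumptions.
Import-Module ActiveDirectory

$WhatIfPreference = $true          # dry run; set to $false only after reviewing the output
$BackupServer     = 'BACKUP01'                                              # assumption
$AllowedSpns      = @('cifs/FS01.corp.example', 'cifs/FS02.corp.example')   # assumption: explicit allowlist
$BreakGlass       = 'bg-admin'                                              # assumption: kept out of Protected Users

# 1. Unconstrained -> constrained delegation. Clear the TRUSTED_FOR_DELEGATION flag, then set
#    msDS-AllowedToDelegateTo to the allowlist only. TrustedToAuthForDelegation stays off, so
#    the server gets Kerberos-only constrained delegation with no protocol transition.
Set-ADComputer -Identity $BackupServer -TrustedForDelegation $false
Set-ADAccountControl -Identity "$BackupServer`$" -TrustedToAuthForDelegation $false
Set-ADComputer -Identity $BackupServer -Replace @{ 'msDS-AllowedToDelegateTo' = $AllowedSpns }

# Verify the end state: both flags false, and only the allowlisted SPNs present.
Get-ADComputer $BackupServer -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
  Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
    @{n='AllowedTo'; e={ $_.'msDS-AllowedToDelegateTo' -join ';' }}

# 2. Tier-0 accounts: "Account is sensitive and cannot be delegated" plus Protected Users, so a
#    TGT captured by any remaining delegating host is unusable. Protected Users also forbids
#    NTLM, DES and RC4 for these accounts and caps TGT lifetime at 4 hours, hence the
#    break-glass exclusion and the need to test service dependencies first.
Get-ADGroupMember 'Domain Admins' -Recursive |
  Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne $BreakGlass } |
  ForEach-Object {
    Set-ADAccountControl -Identity $_.DistinguishedName -AccountNotDelegated $true
    Add-ADGroupMember -Identity 'Protected Users' -Members $_.DistinguishedName
  }

# 3. NTLMv1 off. LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
#    Deploy domain-wide through the Default Domain Controllers GPO ("Network security: LAN
#    Manager authentication level"); the registry writes below are the per-DC equivalent.
#    Audit incoming NTLM first (event 8004 in Microsoft-Windows-NTLM/Operational) to find
#    the OT/SCADA clients that will break before enforcing.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
  -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
  -Name LmCompatibilityLevel -Value 5 -Type DWord

# 4. Stale-account review: disable enabled user accounts inactive for 90 days (assumption)
#    and list them. Schedule this quarterly as a task running under a tier-0 gMSA.
$Cutoff = (Get-Date).AddDays(-90)
Search-ADAccount -AccountInactive -DateTime $Cutoff -UsersOnly |
  Where-Object { $_.Enabled } |
  Disable-ADAccount -PassThru |
  Select-Object SamAccountName, DistinguishedName
```

The order matters: step 2 is what makes step 1 safe to get wrong, because an admin account that cannot be delegated yields nothing even if a server is later re-enabled for unconstrained delegation. Step 3 is the one most likely to break something on a plant floor, which is why the audit setting goes in first and the enforcement only after the 8004 events have been reviewed.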
"BloodHound showed us a path from any factory floor PC to Domain Admin in under 2 hours. We had no idea unconstrained delegation was even configured on that backup server. The remediation roadmap was specific enough that our IT team executed it without external help."
Anonymous, IT Manager, mid-size Indian manufacturer
Key Lessons
What Other Teams Can Take Away
- BloodHound is the AD attacker's friend. Every Indian enterprise should run BloodHound on their own AD periodically; if you don't, attackers will.
- Kerberoasting works in most AD environments. Service accounts with SPNs and weak passwords remain the easiest path to Domain Admin.
- Unconstrained delegation is a backdoor. Constrained or RBCD delegation only, with explicit allowlists. Audit annually.
- Tier-0 separation contains ransomware. Domain Admin credentials live only on dedicated workstations, never on user laptops; a phished laptop then yields one user session, not the domain.
Conclusion
Active Directory compromise is the ransomware path. Real ransomware attacks against Indian manufacturers consistently show: phished workstation, AD enumeration, Domain Admin within 24-72 hours, full encryption. The window to detect and respond is the time between initial foothold and AD compromise. Hardening AD shrinks that window dramatically.
For Indian manufacturers, banks, healthcare providers and any enterprise running Windows-heavy infrastructure, AD audit is a baseline expectation. Codesecure delivers OSCP/OSEP/CRTP-certified AD security testing with attack-path documentation and tier-0 protection recommendations.
Want Outcomes Like These?
Codesecure is an ISO/IEC 27001:2022 certified cybersecurity firm. We deliver fixed-price engagements with named consultants and executive-ready outcomes across India, UAE, Saudi Arabia, Australia, Singapore and Maldives.
Get a Free Consultation
Explore Our Services
