Home
/Checklists
/Active Directory Security Checklist

Infrastructure28 items

Active Directory Security Checklist

A targeted penetration testing checklist for Microsoft Active Directory environments. Covers domain enumeration, Kerberos attacks, ACL abuse, Group Policy exploitation, lateral movement, and domain dominance techniques used by real-world threat actors.

MITRE ATT&CKNIST SP 800-115CIS BenchmarksPTES

Progress: 0 of 28 items

Obtain domain-joined workstation or VPN access for testinginfo

Secure a testing position within the domain network with standard user credentials.

Identify domain controllers, forests, and trust relationships in scope

Document all AD domains, forests, and trust configurations included in the assessment.

Agree on testing boundaries for domain admin compromise attempts

Clarify whether achieving Domain Admin and demonstrating impact is in scope.

Confirm monitoring and detection capabilities are operational

Optionally coordinate with the SOC to evaluate detection of AD attack techniques.

Set up testing tools (BloodHound, Rubeus, Impacket, PowerView)

Prepare the AD attack toolkit and verify operational security for testing.

Collect domain topology using BloodHound/SharpHoundinfo

Run SharpHound collectors to map users, groups, computers, ACLs, and sessions.

Enumerate privileged groups (Domain Admins, Enterprise Admins, Schema Admins)high

Identify all members of high-privilege groups and nested group memberships.

Identify service accounts and their SPN registrationshigh

Enumerate accounts with ServicePrincipalNames set for Kerberoasting targets.

Map Group Policy Objects and identify security-relevant settingsmedium

Review GPOs for password policies, user rights assignments, and script deployments.

Enumerate LAPS deployment and password retrieval permissionshigh

Check which accounts can read Local Administrator passwords managed by LAPS.

Identify computers with unconstrained delegation configuredcritical

Find systems with unconstrained or constrained delegation that could be abused for escalation.

Perform Kerberoasting against discovered service accountscritical

Request TGS tickets for SPNs and crack them offline to recover service account passwords.

Attempt AS-REP Roasting on accounts without pre-authenticationhigh

Identify and exploit accounts with DONT_REQUIRE_PREAUTH flag set.

Test for Pass-the-Hash and Pass-the-Ticket attackscritical

Use harvested NTLM hashes and Kerberos tickets to authenticate to other systems.

Check for password spraying opportunities against domain accountshigh

Test common passwords against all domain accounts while respecting lockout policies.

Test for NTLM relay and coercion attacks (PetitPotam, PrinterBug)critical

Coerce authentication from domain controllers and relay to AD CS or LDAP services.

Assess LSASS credential protection (Credential Guard, PPL)high

Determine if credentials can be dumped from memory using Mimikatz or similar tools.

Exploit ACL misconfigurations for privilege escalationcritical

Abuse GenericAll, WriteDacl, WriteOwner, and other dangerous ACEs identified by BloodHound.

Test for AD Certificate Services (AD CS) abuse pathscritical

Check for vulnerable certificate templates (ESC1-ESC8) using Certify or Certipy.

Attempt to extract NTDS.dit for offline credential analysiscritical

Use DCSync, Volume Shadow Copy, or ntdsutil to extract the AD database.

Test for cross-domain and cross-forest trust abusecritical

Exploit trust relationships using SID history injection or foreign group memberships.

Verify Golden Ticket and Silver Ticket attack feasibilitycritical

Assess whether KRBTGT hash extraction would allow forged Kerberos ticket creation.

Test GPO abuse for code execution on domain-joined systemshigh

Check for GPO creation rights or modification permissions that could push malicious policies.

Create BloodHound attack path visualizations for stakeholders

Generate clear attack path graphs showing the chain from initial user to Domain Admin.

Document all credential exposure and password quality findings

Report on cracked passwords, password reuse, and policy compliance statistics.

Provide AD hardening recommendations with implementation priority

Recommend tiered administration, credential protection, and ACL remediation steps.

Map attack techniques to MITRE ATT&CK framework

Reference specific ATT&CK technique IDs for each attack used during the assessment.

Remove all persistence mechanisms and reset compromised credentials

Ensure all forged tickets, implants, and test accounts are removed and passwords are reset.

Related Vulnerabilities

Broken Access Control

critical

Identification and Authentication Failures

high

Security Misconfiguration

medium

Cryptographic Failures

high

Industries Using This Checklist

Financial Services & Banking

Government & Public Sector

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Vulnsy

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Contact

luke@vulnsy.com

Active Directory Security Checklist

Pre-Engagement

Domain Enumeration

Kerberos & Credential Attacks

Privilege Escalation & Domain Dominance

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy