Ok you need to do some AD Security Auditing or Security Testing/Exploitation, great. Let’s look at some of the common misconfigurations and some tools to help you, a list of things will obviously not be the answer, you will need a method and process to go through from recon/enumeration through to exploitation and impact (effects), but that’s what google is for (and CTFs/Labs)! This post is just me jotting down some notes, hopefully they help defenders think about improving their posture.

Common Misconfigurations

  1. NULL bind to LDAP
  2. Weak passwords
  3. Passwords in scripts
  4. Users have local administrator access.
  5. Standard Users can join machines to the domain.
  6. Password in Group Policy
  7. Insecure Group Policy Permissions
  8. Vulnerable to Kerberoasting
  9. Vulnerable to AESRepRoast
  10. Lateral movement via RDP/WINRM/SMB
  11. Domain Joined Backup Servers
  12. Unpatched domain controllers
  13. Unpatched servers
  14. Printer Nightmare
  15. Unpatched Exchange Servers
  16. Overly permissions accounts
  17. Lack of dedicated admin workstation/PAWS
  18. LLMNR/MDNS not disabled.
  19. Overly permissive firewalls
  20. Lack of AV on Domain Controllers
  21. Lack of Proactive Security monitoring
  22. Credentials in SMB Shares
  23. Credentials in SharePoint
  24. Insecure Backups/AD backups in SMB Shares
  25. LAPS is not deployed
  26. Local administrator passwords are the same on servers/workstations to PTH attacks work


There’s a shed load of tools, I’m not going to list them all, but here are some useful ones.

  • Adalanche
  • Pingcastle
  • Bloodhound
  • Mimikatz
  • Printer Nightmare
  • Eternal Blue (MS17-010)
  • Bluekeep (realistically this is a very low likelihood method to use)
  • SysInernals
    • ADExplorer
  • Responder/Inveigh
  • Impacket
  • CrackMapExec
  • LDAPSearch
  • ADfind
  • PowerShell AD Modules/Exchange Modules

Member Servers

  • Cached Credentials
  • Insecure Credential Storage
  • Lack of Least Privilege Access
  • Unpatched Software Vulnerabilities
  • Insecure applications

Active Directory Certificate Services



This is a huge subject so I’m going to just touch on some common areas I find in the field:

  • Overly permissive egress (e.g., egress via NAT on any port to the internet)
  • Lack of DNS Monitoring
  • Lack of segmentation
  • Management interfaces accessible on device networks
  • Lack of Centralised Logging/Security Monitoring
  • Weak DMZ ACLs
  • Unpatched Known Software Vulnerabilities
  • Insecurely Stored Configuration Backups
  • Insecure Protocols (e.g. TELNET)


This is just a few notes, there’s loads of materials out there including a nice new blog from MS DART