AD Security Audit

AD Security Audit is a comprehensive auditing platform that performs deep security analysis of your Active Directory environment. It identifies privilege escalation paths, Kerberos delegation issues, ADCS vulnerabilities, and infrastructure misconfigurations.

Key Capabilities

Privilege Analysis

Detect DA equivalence, DCSync rights, Shadow Credentials, and SID History abuse.

ADCS Vulnerabilities

Full ESC1-8 coverage including certificate template abuse detection.

Kerberos Delegation

Analyze unconstrained, constrained, and resource-based constrained delegation.

Risk Scoring

Domain and user risk scores with compliance reporting.

Security Audits

The tool performs eight categories of security analysis:

Audit Category	What It Checks
DA Equivalence	DCSync rights, Shadow Credentials, SID History, AdminSDHolder
ADCS Vulnerabilities	ESC1-8, certificate template misconfigurations
Kerberos Delegation	Unconstrained, constrained, RBCD misconfigurations
Privileged Accounts	Tier 0/1/2 classification, stale admin accounts
Domain Trusts	SID filtering, selective authentication, trust abuse
GPO Security	Dangerous permissions, unlinked GPOs, GPO abuse paths
Permissions/ACLs	AdminSDHolder bypass, dangerous delegations, WriteDACL
Infrastructure	LDAP/SMB signing, NTLM restrictions, DCShadow detection

Attack Detection

The platform identifies common attack vectors: Credential Theft

DCSync attack paths
LAPS password exposure
gMSA password access
AS-REP roastable accounts

Privilege Escalation

WriteSPN (Kerberoasting setup)
Shadow Credentials abuse
RBCD write access
Certificate template abuse

Persistence & Lateral Movement

SID History injection paths
Delegation abuse opportunities
Trust relationship weaknesses

Risk Scoring

Domain Risk Score

The tool calculates a 0-100 aggregate risk score for your domain:

Score Range	Risk Level	Action Required
0-20	Low	Maintain current controls
21-40	Medium	Address findings in normal cycle
41-70	High	Prioritize remediation
71-100	Critical	Immediate action required

Severity Weights

Severity	Point Range	Examples
Critical	25-50	DCSync rights, unconstrained delegation on DCs
High	15-25	ADCS ESC1, RBCD on privileged systems
Medium	8-15	Kerberoastable service accounts
Low	3-8	Missing LDAP signing

Installation

Prerequisites

Rust 1.78 or later
Node.js 18 or later
Windows SDK (for GSSAPI/SSPI support)
Domain-joined machine (optional, for Kerberos authentication)

Build from Source

git clone https://github.com/AlchemicalChef/ADSecurityAudit-Rust.git
cd ADSecurityAudit-Rust
npm install
npm run tauri:build

The compiled binary appears in src-tauri/target/release/.

Development Mode

npm run tauri:dev

Authentication

The tool supports multiple authentication methods:

GSSAPI/Kerberos (Recommended)

Uses Windows integrated authentication via SSPI. No password storage required.

GSSAPI is the most secure option as credentials are handled by Windows and never stored by the application.

Simple Bind

Username and password authentication. Requires LDAPS (port 636) for secure transmission.

Server: ldaps://dc01.domain.com:636
Username: auditor@domain.com
Password: ********

Auto Mode

Automatically selects the best available authentication method based on your environment.

Required Permissions

The service account needs read-only access to:

User, computer, and group objects
userAccountControl attribute
servicePrincipalName attribute
msDS-KeyCredentialLink attribute
nTSecurityDescriptor (for ACL analysis)
Certificate Templates (for ADCS audit)
Group Policy Objects

No write permissions are required. The tool performs read-only analysis.

Compliance Reporting

Generate reports mapped to compliance frameworks:

SOX - Segregation of duties, privileged access controls
HIPAA - Access controls, audit logging requirements
PCI-DSS - Privileged account management, access restrictions
NIST - Identity and access management controls

Export Formats

JSON - Full findings data for integration with other tools
PDF - Executive summaries for management reporting
CSV - Spreadsheet-compatible for detailed analysis

Security Considerations

The tool implements several security measures:

Credentials stored with zeroized memory protection
GSSAPI eliminates password storage entirely
LDAPS (TLS 1.2+) recommended for Simple Bind
All operations logged with timestamps and principals
No plaintext credential storage or logging

Getting started

Active Directory

Tabletop Exercises

Key Capabilities

Privilege Analysis

ADCS Vulnerabilities

Kerberos Delegation

Risk Scoring

Security Audits

Attack Detection

Risk Scoring

Domain Risk Score

Severity Weights

Installation

Prerequisites

Build from Source

Development Mode

Authentication

GSSAPI/Kerberos (Recommended)

Simple Bind

Auto Mode

Required Permissions

Compliance Reporting

Export Formats

Security Considerations

Getting started

Active Directory

Tabletop Exercises

​Key Capabilities

Privilege Analysis

ADCS Vulnerabilities

Kerberos Delegation

Risk Scoring

​Security Audits

​Attack Detection

​Risk Scoring

​Domain Risk Score

​Severity Weights

​Installation

​Prerequisites

​Build from Source

​Development Mode

​Authentication

​GSSAPI/Kerberos (Recommended)

​Simple Bind

​Auto Mode

​Required Permissions

​Compliance Reporting

​Export Formats

​Security Considerations

Key Capabilities

Security Audits

Attack Detection

Risk Scoring

Domain Risk Score

Severity Weights

Installation

Prerequisites

Build from Source

Development Mode

Authentication

GSSAPI/Kerberos (Recommended)

Simple Bind

Auto Mode

Required Permissions

Compliance Reporting

Export Formats

Security Considerations