> ## Documentation Index
> Fetch the complete documentation index at: https://docs.alchemicalchef.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AD Security Audit

> Comprehensive Active Directory security auditing for privilege escalation, Kerberos, ADCS, and misconfigurations

AD Security Audit is a comprehensive auditing platform that performs deep security analysis of your Active Directory environment. It identifies privilege escalation paths, Kerberos delegation issues, ADCS vulnerabilities, and infrastructure misconfigurations.

## Key Capabilities

<CardGroup cols={2}>
  <Card title="Privilege Analysis" icon="user-shield">
    Detect DA equivalence, DCSync rights, Shadow Credentials, and SID History abuse.
  </Card>

  <Card title="ADCS Vulnerabilities" icon="certificate">
    Full ESC1-8 coverage including certificate template abuse detection.
  </Card>

  <Card title="Kerberos Delegation" icon="ticket">
    Analyze unconstrained, constrained, and resource-based constrained delegation.
  </Card>

  <Card title="Risk Scoring" icon="gauge-high">
    Domain and user risk scores with compliance reporting.
  </Card>
</CardGroup>

## Security Audits

The tool performs eight categories of security analysis:

| Audit Category           | What It Checks                                                |
| ------------------------ | ------------------------------------------------------------- |
| **DA Equivalence**       | DCSync rights, Shadow Credentials, SID History, AdminSDHolder |
| **ADCS Vulnerabilities** | ESC1-8, certificate template misconfigurations                |
| **Kerberos Delegation**  | Unconstrained, constrained, RBCD misconfigurations            |
| **Privileged Accounts**  | Tier 0/1/2 classification, stale admin accounts               |
| **Domain Trusts**        | SID filtering, selective authentication, trust abuse          |
| **GPO Security**         | Dangerous permissions, unlinked GPOs, GPO abuse paths         |
| **Permissions/ACLs**     | AdminSDHolder bypass, dangerous delegations, WriteDACL        |
| **Infrastructure**       | LDAP/SMB signing, NTLM restrictions, DCShadow detection       |

## Attack Detection

The platform identifies common attack vectors:

**Credential Theft**

* DCSync attack paths
* LAPS password exposure
* gMSA password access
* AS-REP roastable accounts

**Privilege Escalation**

* WriteSPN (Kerberoasting setup)
* Shadow Credentials abuse
* RBCD write access
* Certificate template abuse

**Persistence & Lateral Movement**

* SID History injection paths
* Delegation abuse opportunities
* Trust relationship weaknesses

## Risk Scoring

### Domain Risk Score

The tool calculates a 0-100 aggregate risk score for your domain:

| Score Range | Risk Level | Action Required                  |
| ----------- | ---------- | -------------------------------- |
| 0-20        | Low        | Maintain current controls        |
| 21-40       | Medium     | Address findings in normal cycle |
| 41-70       | High       | Prioritize remediation           |
| 71-100      | Critical   | Immediate action required        |

### Severity Weights

| Severity | Point Range | Examples                                       |
| -------- | ----------- | ---------------------------------------------- |
| Critical | 25-50       | DCSync rights, unconstrained delegation on DCs |
| High     | 15-25       | ADCS ESC1, RBCD on privileged systems          |
| Medium   | 8-15        | Kerberoastable service accounts                |
| Low      | 3-8         | Missing LDAP signing                           |

## Installation

### Prerequisites

* Rust 1.78 or later
* Node.js 18 or later
* Windows SDK (for GSSAPI/SSPI support)
* Domain-joined machine (optional, for Kerberos authentication)

### Build from Source

```bash theme={null}
git clone https://github.com/AlchemicalChef/ADSecurityAudit-Rust.git
cd ADSecurityAudit-Rust
npm install
npm run tauri:build
```

The compiled binary appears in `src-tauri/target/release/`.

### Development Mode

```bash theme={null}
npm run tauri:dev
```

## Authentication

The tool supports multiple authentication methods:

### GSSAPI/Kerberos (Recommended)

Uses Windows integrated authentication via SSPI. No password storage required.

<Tip>
  GSSAPI is the most secure option as credentials are handled by Windows and never stored by the application.
</Tip>

### Simple Bind

Username and password authentication. Requires LDAPS (port 636) for secure transmission.

```text theme={null}
Server: ldaps://dc01.domain.com:636
Username: auditor@domain.com
Password: ********
```

### Auto Mode

Automatically selects the best available authentication method based on your environment.

## Required Permissions

The service account needs read-only access to:

* User, computer, and group objects
* `userAccountControl` attribute
* `servicePrincipalName` attribute
* `msDS-KeyCredentialLink` attribute
* `nTSecurityDescriptor` (for ACL analysis)
* Certificate Templates (for ADCS audit)
* Group Policy Objects

<Info>
  No write permissions are required. The tool performs read-only analysis.
</Info>

## Compliance Reporting

Generate reports mapped to compliance frameworks:

* **SOX** - Segregation of duties, privileged access controls
* **HIPAA** - Access controls, audit logging requirements
* **PCI-DSS** - Privileged account management, access restrictions
* **NIST** - Identity and access management controls

## Export Formats

* **JSON** - Full findings data for integration with other tools
* **PDF** - Executive summaries for management reporting
* **CSV** - Spreadsheet-compatible for detailed analysis

## Security Considerations

The tool implements several security measures:

* Credentials stored with zeroized memory protection
* GSSAPI eliminates password storage entirely
* LDAPS (TLS 1.2+) recommended for Simple Bind
* All operations logged with timestamps and principals
* No plaintext credential storage or logging
