If you’re an IT admin, I know you’re busy and you likely have negative time for this security stuff, but hear me out real quick.
These are 3 AD security checks you can do in 10 minutes that could be the difference between a threat actor compromising your internal environment or not…
If I had 10 minutes inside your environment this is where I’d start.
Ethical Threat Insight: 3 AD Security Checks in 10 Minutes
Step 1) Check if unsafe groups have unsafe permissions
Use ADeleg for this. Trust me.
How to run it (my method):
Open ADeleg. Click view → index view by trustees.
Then, on the left side, look for these “unsafe groups”:
Domain Users, Domain Computers, Everyone and Authenticated Users
What you’re looking for:
Where any of those unsafe groups have rights like…
GenericAll, GenericWrite, or WriteProperty on sensitive attributes
Reset password (the User-Force-Change-Password extended right)
WriteDACL / WriteOwner (the trustee can grant itself anything else afterwards)
Add/Remove members on privileged groups (WriteProperty on the member attribute)
Or have any other delegations on:
Domain root
OUs that contain servers, admin accounts, service accounts
Tier 0 areas (Domain Controllers OU, privileged admin OUs)
Note: ADeleginator (a tool I made) is the easy button for finding these insecure permissions.
How to fix:
Take a screenshot before you make any changes.
Then remove the unnecessary privileges (Active Directory Users and Computers → Properties → Security → Advanced, or dsacls from the command line). Check whether the ACE is inherited; if it is, remove it at the container where it was defined rather than on every child object.
If it’s not required for operations, remove it. If it is required, tighten scope: smaller group + smaller OU + least rights.
Then run ADeleg again to verify those dangerous permissions are gone.
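If you would rather script the Step 1 check than click through a GUI, here is an added example (mine, not from the original post and not part of ADeleg or ADeleginator) that lists Allow ACEs on Tier 0 containers held by the broad groups above and carrying rights an attacker can turn into account takeover. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a domain account that can read ACLs; the "OU=Admin" container name is an assumption you should replace with your own privileged OUs.

```powershell
# Added example, not from the original post and not part of ADeleg or ADeleginator:
# list Allow ACEs on Tier 0 containers held by the "unsafe groups" from Step 1
# that carry rights an attacker can turn into account takeover or persistence.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) and a domain account that can read ACLs.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$nb       = $domain.NetBIOSName

# The broad trustees from Step 1, written the way IdentityReference reports them.
$unsafeTrustees = @(
    "$nb\Domain Users",
    "$nb\Domain Computers",
    "Everyone",
    "NT AUTHORITY\Authenticated Users"
)

# Rights worth flagging. ExtendedRight / WriteProperty are only dangerous for particular
# control rights or attributes, so the ObjectType GUID is resolved to a label where known.
$dangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'
$knownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'ALL'                        # every attribute / every right
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password' # password reset
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'                     # group membership attribute
}

# Tier 0 scope from the post: domain root, Domain Controllers OU, privileged admin OUs.
# "OU=Admin" is an assumed name; substitute the OUs that hold your admin and service accounts.
$targets = @(
    $domainDN,
    "OU=Domain Controllers,$domainDN",
    "OU=Admin,$domainDN"
) | Where-Object { [adsi]::Exists("LDAP://$_") }

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($unsafeTrustees -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.ActiveDirectoryRights -notmatch $dangerousRights) { continue }
        $guid    = $ace.ObjectType.ToString()
        $applies = if ($knownGuids.ContainsKey($guid)) { $knownGuids[$guid] } else { $guid }
        [pscustomobject]@{
            Object    = $dn
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            AppliesTo = $applies
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Object, Trustee | Format-Table -AutoSize
```

Expect a few default entries: a stock domain grants Authenticated Users some ExtendedRight ACEs on the domain and OUs (for example the Resultant Set of Policy rights), so rows showing an unfamiliar GUID need a lookup before you act. Rows labelled ALL, User-Force-Change-Password or member for one of these trustees are the ones to remove or scope down.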
Step 2) Check for Kerberoastable accounts
If an account has an SPN, any authenticated domain user can request a service ticket for it and take that ticket offline to crack, because part of the ticket is encrypted with the account’s password hash. If that account has a weak password (or still allows RC4 tickets, which crack far faster than AES ones), it’s a quick and easy path to privilege escalation in your domain.
Here’s a quick and easy one-liner in PowerShell to check for these accounts (it skips krbtgt and disabled accounts):
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" `
-Properties servicePrincipalName, distinguishedName, SamAccountName |
Select-Object SamAccountName, distinguishedName, @{n="SPNs";e={$_.servicePrincipalName -join "; "}} |
Sort-Object SamAccountName
How to fix:
Remove SPNs that aren’t needed anymore
Use long (25+ characters), random, unique passwords, and rotate them
Better yet, migrate to (group) Managed Service Accounts, whose passwords are long, random, and rotated automatically
Quick tip:
Check the service account’s SPNs and screenshot them before making changes. Use this command from cmd or PowerShell (the account name is an example):
setspn -L svc-legacyapp
Then, to remove a specific SPN, use this command:
setspn -D HTTP/legacyapp.contoso.com svc-legacyapp
Removing an SPN means clients can no longer get Kerberos tickets for that service name, so confirm nothing still authenticates to it before you delete it.
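The one-liner tells you which accounts are Kerberoastable, not which one to fix first. The following is an added example (mine, not from the original post) that triages the same accounts by whether they are privileged, whether they still allow RC4 tickets, and how stale the password is, then shows the remediation commands for one account. It assumes the RSAT ActiveDirectory module; the account, host and gMSA names are placeholders built on the post’s svc-legacyapp example.

```powershell
# Added example, not from the original post: triage the Kerberoastable accounts the one-liner
# returns so the worst ones get fixed first, and show remediation commands for one of them.
# Assumes the RSAT ActiveDirectory module; account, host and gMSA names are placeholders.
Import-Module ActiveDirectory

$filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
          '(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$props = 'servicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires',
         'AdminCount', 'MemberOf', 'msDS-SupportedEncryptionTypes'

$privilegedGroups = '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators|Backup Operators|Schema Admins|Server Operators),'

$report = Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
    # msDS-SupportedEncryptionTypes bits: 0x1 DES-CRC, 0x2 DES-MD5, 0x4 RC4, 0x8 AES128, 0x10 AES256.
    # Unset (0) means the KDC issues RC4 service tickets, which crack far faster than AES.
    $etypes  = [int]$_.'msDS-SupportedEncryptionTypes'
    $aesOnly = (($etypes -band 0x18) -ne 0) -and (($etypes -band 0x7) -eq 0)
    $pwdAge  = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
    $isPriv  = [bool](($_.AdminCount -eq 1) -or (@($_.MemberOf) -match $privilegedGroups))

    # A cracked ticket for a privileged, RC4-capable account with a stale password is the jackpot.
    $score = 0
    if ($isPriv)                                        { $score += 5 }
    if (-not $aesOnly)                                  { $score += 3 }
    if ($_.PasswordNeverExpires -or ($pwdAge -gt 365))  { $score += 2 }

    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        Privileged      = $isPriv
        AESOnly         = $aesOnly
        PasswordAgeDays = $pwdAge
        NeverExpires    = $_.PasswordNeverExpires
        SPNs            = ($_.servicePrincipalName -join '; ')
        RiskScore       = $score
    }
}

$report | Sort-Object RiskScore -Descending | Format-Table -AutoSize

# Remediation for one account (placeholder names; confirm what uses the SPN first):
# 1) Stop RC4 tickets for the account so a captured ticket has to be cracked at AES speed:
#    Set-ADUser svc-legacyapp -KerberosEncryptionType 'AES128,AES256'
# 2) Rotate to a long random password that no human needs to type:
#    $pw = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
#    Set-ADAccountPassword svc-legacyapp -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
# 3) Better: move the SPN to a gMSA (needs a KDS root key, see Get-KdsRootKey; remove the SPN from the
#    old account first, because a duplicate SPN breaks Kerberos for that service):
#    New-ADServiceAccount -Name gmsa-legacyapp -DNSHostName legacyapp.contoso.com `
#        -PrincipalsAllowedToRetrieveManagedPassword 'LEGACYAPP01$' `
#        -ServicePrincipalNames 'HTTP/legacyapp.contoso.com'
```

The scoring is deliberately crude; the point is the ordering. An account that scores 10 (privileged, RC4 allowed, old password) is what an attacker will roast first, so it is what you should fix first, and a service that cannot take a gMSA should at least get the AES-only setting plus a long random password.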
Step 3) Check certificate templates for ESC1 & ESC4
These can be super dangerous because, in the worst case, they let any user in Active Directory obtain a certificate for any other user, even a Domain Admin, and log on as that user.
Here’s what you do:
Install and run Locksmith using mode 2 to save a CSV output file, for easier review.
Here’s a powershell snippet for that.
Install-Module Locksmith -Scope CurrentUser -Force
Invoke-Locksmith -Mode 2
What you’re looking for (high level):
ESC1: templates that let the requester supply the subject (the ENROLLEE_SUPPLIES_SUBJECT flag), include an EKU that allows authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication, or Any Purpose), need no manager approval, and are enrollable by low-privileged users.
This is thanks to being able to supply a Subject Alternative Name (SAN): the requester puts another user’s UPN into the certificate and then authenticates as that user, even a Domain Admin.
ESC4: templates where the template object’s permissions let the wrong people modify its settings (WriteDACL, WriteOwner, GenericWrite, or similar). Attackers rewrite the template into an ESC1 template, then abuse it.
While these are the two biggest issues, they are not the only ones. So I’d encourage you to study the resulting CSV to understand what other ADCS misconfigurations you may have.
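To see what the ESC1 and ESC4 rows in that CSV are actually made of, here is an added example (mine, not from the original post and not Locksmith’s own logic) that applies the two conditions described above directly to the template objects in the Configuration partition. It assumes the RSAT ActiveDirectory module; which trustees count as "low-privileged" is an assumption you can widen.

```powershell
# Added example, not from the original post and not Locksmith's own code: a minimal ESC1 / ESC4
# triage over the published certificate templates, for cross-checking the Locksmith CSV.
# Assumes the RSAT ActiveDirectory module; the "low-privileged" trustee list is an assumption.
Import-Module ActiveDirectory

$pkiDN      = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$templateDN = "CN=Certificate Templates,$pkiDN"

# A template can only be requested if some CA publishes it.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDN" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates }

$ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester chooses subject / SAN
$PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval required
$authEkus = '1.3.6.1.5.5.7.3.2',      # Client Authentication
            '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
            '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
            '2.5.29.37.0'             # Any Purpose
$allGuid     = [guid]'00000000-0000-0000-0000-000000000000'
$enrollGuids = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55',  # Certificate-Enrollment
               [guid]'a05b8cc2-17bc-11d2-b40c-00c04f79dc55',  # Certificate-AutoEnrollment
               $allGuid                                        # all extended rights
$lowPriv = 'Authenticated Users', 'Everyone', 'Domain Users', 'Domain Computers'   # matched as a suffix

$templates = Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage

$results = foreach ($t in $templates) {
    if ($published -notcontains $t.Name) { continue }
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"

    $lowPrivAces = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($lowPriv | Where-Object { $id -like "*$_" }) { $ace }
    }
    $canEnroll = $lowPrivAces | Where-Object {
        ($_.ActiveDirectoryRights -match 'GenericAll') -or
        (($_.ActiveDirectoryRights -match 'ExtendedRight') -and ($enrollGuids -contains $_.ObjectType))
    }
    # ESC4: low-privileged principals can rewrite the template object itself.
    $canEdit = $lowPrivAces | Where-Object {
        ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') -or
        (($_.ActiveDirectoryRights -match 'WriteProperty') -and ($_.ObjectType -eq $allGuid))
    }

    # ESC1: requester supplies the subject, no approval or RA signature, authentication EKU, low-priv can enroll.
    $ekus    = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $authEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $authEkus -contains $_ })
    $esc1 = (([int]$t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0) -and
            (([int]$t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -eq 0) -and
            ([int]$t.'msPKI-RA-Signature' -eq 0) -and
            $authEku -and [bool]$canEnroll

    if ($esc1 -or $canEdit) {
        [pscustomobject]@{
            Template = $t.Name
            ESC1     = [bool]$esc1
            ESC4     = [bool]$canEdit
            Trustees = (@($lowPrivAces | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join '; ')
        }
    }
}

$results | Format-Table -AutoSize
```

This covers only the template-level conditions. It does not look at CA-level settings (for example the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which is ESC6) or at CA enrollment permissions, so use it to understand a Locksmith finding, not to replace the CSV.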
What to do next
Set aside 10 minutes sometime in the next week or two and run through each of these checks.
I promise you this should not take long.
Identify and prioritize remediations of the most serious issues and start knocking these out one by one.
Your environment will be much harder to attack after eliminating this low hanging fruit.
Have you run ADeleg in your environment before? Did it provide you any value? Reply and let me know.
All the best
Spencer Alessi
by the way - I’m speaking in Denver on Saturday at ILTA EVOLVE. It’s a legal tech conference. I’m giving a 1-hour workshop covering many of the tools of the trade I use for pentesting that IT admins can use themselves to secure their environment. I don’t think it will be recorded, but if this topic interests you, reply and let me know and maybe I can do a webinar on it.
