External Remote Services
Support
ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain.
46 catalog-backed entries across 8 ATT&CK tactics. 27 of them generate findings in the technical report; the rest are shown in the kill-chain heatmap and the coverage matrix when observed.
The User-Force-Change-Password extended right in Active Directory allows a principal to reset another user's password without knowing the current password.
NoPac chains two Active Directory vulnerabilities to achieve domain compromise from any standard domain user account.
If the Domain Controller authenticates back using NTLMv1 during a coerced callback, the environment still permits a legacy NTLM mode with materially weaker cryptographic protections.
Domain Administrator sessions were discovered on workstations, member servers, or other non-Tier 0 hosts.
The DCSync attack exploits Active Directory's directory replication protocol (MS-DRSR) to simulate the behavior of a Domain Controller requesting credential replication.
One or more domain-joined hosts do not have a managed local administrator password solution deployed.
Resource-Based Constrained Delegation (RBCD) is a Kerberos mechanism configured via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects that controls which principals may impersonate users to that computer.
WebDAV (Web Distributed Authoring and Versioning) support is enabled on detected hosts via the Windows WebClient service.
Zerologon (CVE-2020-1472, CVSS 10.0) is a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC) that allows an unauthenticated attacker to forge a valid Netlogon session with a Domain Controller.
Files accessible over SMB shares were found to contain sensitive data such as plaintext credentials, API keys, private keys, or configuration artifacts that include authentication material.
Group Policy Preferences (GPP) support autologin configurations that store credentials in XML policy files under the SYSVOL share on Domain Controllers.
The Local Administrator Password Solution (LAPS) stores per-machine local administrator credentials in the ms-Mcs-AdmPwd attribute of computer objects in Active Directory.
When Domain Controllers do not require LDAP signing or do not enforce channel binding, attackers can relay coerced or captured NTLM authentication to LDAP and perform directory operations in the victim context.
The KRBTGT account is the built-in service account used by the Kerberos Distribution Center (KDC) to encrypt and sign all Kerberos Ticket-Granting Tickets (TGTs) issued in the domain.
In an Active Directory (AD) environment, Service Principal Names (SPNs) are used to uniquely identify instances of a Windows service.
Preauthentication offers protection against offline password cracking.
One or more Active Directory objects have existing msDS-KeyCredentialLink attribute values.
ADCS ESC1 occurs when a certificate template is configured to allow requesters to specify a Subject Alternative Name (SAN) in their certificate request, combined with an authentication-capable Extended Key Usage (EKU) such as Client Authentication, Smart Card Logon, or PKINIT.
Lightweight Directory Access Protocol (LDAP) supports anonymous bind operations, which permit unauthenticated clients to connect and query directory information from a Domain Controller without presenting any credentials.
Credential material (passwords, tokens, or similar secrets) was detected in cleartext LDAP attributes such as description, info, unixUserPassword, or userPassword.
The krbtgt account password has not been changed in more than 180 days.
The ms-DS-MachineAccountQuota attribute is set to a value greater than 0.
One or more domain-joined systems appear to be running obsolete Windows versions identified through LDAP inventory.
One or more accounts do not have AES encryption types configured (msDS-SupportedEncryptionTypes bits 2-4 are all zero).
One or more hosts accepted SMB guest session authentication and exposed accessible shares.
Download the Coverage Matrix and the AD Hardening Playbook (preview). Each technique is cross-referenced with ENS Alto, NIS2, DORA and ISO 27001:2022. Ready for procurement, with no email gate.