Beyond the Perimeter: Auditing Active Directory Security with ADPulse’s 35-Point Automated Scan


How ADPulse’s 35-point automated scan turns hours of manual AD auditing into minutes — and what those checks actually find inside your domain.

vmorecloud.com · March 2026 · 12 min read · Active Directory · Security · Open Source
35 automated checks · read-only · LDAP-based

WHAT IS ADPULSE?

An open-source Python tool that connects to your domain controller via LDAP(S), runs a comprehensive battery of security checks, and delivers actionable findings — all without touching a single AD object.

Active Directory is the crown jewel of virtually every enterprise Windows environment. It controls authentication, authorization, group policies, DNS, and certificate services. Yet AD is also one of the most historically misconfigured components in corporate infrastructure — making it the #1 lateral movement target in modern ransomware and APT campaigns.

ADPulse was created to close the gap between “we have AD” and “we know our AD is secure.” Designed by security researcher Joe Helle (dievus), it is a read-only, open-source Python tool that binds to a domain controller over LDAP/LDAPS, executes 35 carefully designed security checks, scores the overall posture, and produces Console, JSON, and HTML reports.

The tool is targeted at IT administrators, penetration testers, and blue teams who need a fast point-in-time snapshot of their AD attack surface without running a full pentest.

Read-Only by Design

ADPulse never modifies any AD object, group membership, GPO, or ACL. Every operation is purely observational — ideal for scheduled audits or pre-pentest reconnaissance.

At a glance: 35 security checks · 100 starting score · 4 severity levels · 3 report formats · LDAPS port 636 (primary) · 0 AD objects modified

HOW IT WORKS

ADPulse follows a clean four-stage pipeline from connection to final report.

1. Connect: LDAPS on port 636, falling back to LDAP on port 389; NTLM and SIMPLE bind.
2. Scan: 35 LDAP queries, plus SMB probes on port 445 and SYSVOL traversal.
3. Score: point deductions per finding from CRITICAL down to INFO; score = max(0, 100 − Σ deductions).
4. Report: console output, JSON export, HTML dark report.

What Attackers Actually Target in AD

The typical attack chain runs: Phishing (initial access) → Domain User (low-privilege foothold) → Kerberoast (SPN attack) → Service Account (cracked hash) → Domain Admin (full compromise) → DCSync / Golden Ticket (persistence).

ADPulse checks for weak points at every stage of this attack chain.

ALL 35 SECURITY CHECKS

Each check targets a specific attack vector or misconfiguration. Checks are listed by potential impact: Critical, High, Medium, and Low / Hygiene.
#3 Kerberos Attack Surface [Critical]
Kerberoastable accounts (SPN on users), AS-REP roastable accounts, DES-only encryption, and high-value targets combining adminCount=1 + SPN + PasswordNeverExpires.

#25 GPP / cpassword (MS14-025) [Critical]
Walks SYSVOL for Group Policy Preferences XML files containing cpassword attributes and decrypts them using Microsoft’s publicly known AES key.

#27 SID History Injection [Critical]
Detects accounts with sIDHistory populated; escalates to CRITICAL if any injected SID maps to a privileged group — a classic persistence technique after domain compromise.

#35 RBCD on Domain Object / DCs [Critical]
Checks msDS-AllowedToActOnBehalfOfOtherIdentity on the domain NC head and all DCs — either configuration grants effective Domain Admin to permitted principals via S4U2Proxy.

#6 ADCS / PKI Vulnerabilities [Critical]
Checks ESC1, ESC2, ESC3, ESC6, ESC8, ESC9, ESC10, ESC11, ESC13, ESC15, weak key sizes, and enrollee ACL enumeration across all certificate templates.

#15 ACL / DCSync Rights [Critical]
ESC4, ESC5, ESC7, DCSync rights on non-privileged principals, Protected Users group membership, and delegation ACLs. A misconfigured ACL is a direct path to domain takeover.

#4 Unconstrained Delegation [High]
Non-DC computers and user accounts trusted for unconstrained Kerberos delegation — attackers can force DC authentication to these systems and extract TGTs.

#5 Constrained Delegation [High]
Accounts with protocol transition (S4U2Self) and standard constrained delegation targets — especially dangerous when combined with sensitive service classes.

#26 AdminSDHolder ACL Abuse [High]
Reads the binary DACL on CN=AdminSDHolder. Non-privileged principals with write access here auto-propagate to ALL protected accounts every 60 minutes via SDProp.

#28 Shadow Credentials [High]
Flags unexpected msDS-KeyCredentialLink entries, enabling certificate-based authentication without knowing the account password — a post-compromise persistence technique.

#32 Dangerous Delegation Targets [High]
Flags accounts delegating to high-value service classes (ldap/, cifs/, host/, gc/, krbtgt/) on Domain Controllers — these are prime escalation paths.

#22 Exchange Privilege Escalation [High]
Exchange Windows Permissions group (PrivExchange / CVE-2019-0686) and Exchange Trusted Subsystem — both have historically allowed NTLM relay to AD for DCSync.

#2 Privileged Account Hygiene [High]
Domain Admins, Enterprise Admins, Schema Admins membership; stale members, non-expiring passwords, passwords in descriptions, built-in Administrator status, and krbtgt age.

#30 Foreign Security Principals [High]
Flags any FSP from a trusted domain that is a member of a sensitive local group — a subtle but effective cross-domain privilege path attackers exploit in trust relationships.

#1 Password Policy [Medium]
Minimum length, history, complexity, lockout threshold, reversible encryption, and fine-grained PSOs across the domain.

#7 Domain Trusts [Medium]
Bidirectional trusts without SID filtering, forest trusts, and external trusts — each type has unique escalation implications that are often overlooked.

#9 Protocol Security [Medium]
LDAP signing/channel binding status, DC OS versions, domain/forest functional level, and NTLMv1/WDigest guidance for reducing relay attack exposure.

#21 Legacy Protocol Detection [Medium]
Live SMBv1 detection, SMB signing enforcement checks, and null session acceptance probes via actual network connections to discovered domain members.

#29 RC4 / Legacy Kerberos Encryption [Medium]
Checks msDS-SupportedEncryptionTypes to find accounts still permitting RC4-HMAC — the weak enctype attackers specifically request in Kerberoasting for faster offline cracking.

#11 LAPS Deployment [Medium]
Legacy LAPS and Windows LAPS schema detection; identifies computers without LAPS-managed passwords — leaving local admin accounts at risk of lateral movement via pass-the-hash.

#12 LAPS Coverage Percentage [Medium]
Percentage-based coverage metric across all non-DC computers — gives an at-a-glance view of how much of the estate is protected by automated local admin password rotation.

#31 Pre-Windows 2000 Compatible Access [Medium]
Checks whether Everyone or Anonymous Logon are members of this group, enabling unauthenticated SAMR/LSARPC enumeration from anywhere on the network.

#24 Passwords in Descriptions [Medium]
Keyword-based detection of credentials stored in the Description field of users, admins, and computers — a surprisingly common finding in real environments.

#23 Protected Admin Users (adminCount=1) [Medium]
Inventories orphaned, ghost (disabled), and stale adminCount=1 accounts — these bypass standard OU-level ACLs and are easy to miss in day-to-day administration.

#8 Account Hygiene [Low]
Stale users/computers, never-logged-in accounts, PASSWD_NOTREQD flag, reversible encryption per-account, old passwords, and duplicate SPNs.

#10 Group Policy Objects [Low]
Disabled, orphaned, unlinked, and empty GPOs; excessive GPO count — bloated GPO environments create blind spots and increase attack surface.

#13 DNS & Infrastructure [Low]
Wildcard DNS records and LLMNR/NetBIOS-NS poisoning guidance — classic vectors for credential interception via Responder-style attacks on the local network.

#14 Domain Controllers [Low]
Single-DC detection, legacy OS on DCs, FSMO roles inventory, and RODC password replication policy review.

#16 Optional Features [Low]
AD Recycle Bin and Privileged Access Management (PAM) enablement checks — often overlooked capabilities that improve recovery options and security posture.

#17 Replication Health [Low]
Site count, site link replication intervals, and nTDSDSA objects — replication issues can mask security events and lead to inconsistent policy application.

#18 Service Accounts [Low]
gMSA adoption rate, regular user accounts used as service accounts, and service accounts with adminCount=1 — a leading source of Kerberoasting targets.

#19 Miscellaneous Hardening [Low]
Machine account quota (ms-DS-MachineAccountQuota), tombstone lifetime, Schema/Enterprise Admin membership, Guest account status, and audit policy guidance.

#20 Deprecated Operating Systems [Low]
Enabled computer accounts reporting end-of-life Windows versions — unpatched legacy systems are magnets for lateral movement and local privilege escalation.

#33 Orphaned AD Subnets [Low]
Finds subnets with no siteObject assignment, causing clients to receive a random DC and potentially routing authentication traffic across WAN links.

#34 Legacy FRS SYSVOL Replication [Low]
Detects whether SYSVOL is still replicating via the deprecated File Replication Service instead of DFSR, and flags stalled mid-migration states.
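As an added example (not ADPulse's own code), here is the account classification logic that checks #3 and #29 describe, run over constructed LDAP-style user entries. The bit values are Microsoft's documented userAccountControl and msDS-SupportedEncryptionTypes flags; the severity labels and the treatment of an unset encryption-types attribute are my assumptions, not the tool's.

```python
# userAccountControl bit flags (documented Microsoft values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
USE_DES_KEY_ONLY = 0x200000
DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 1, 2, 4
DES_ONLY = DES_CBC_CRC | DES_CBC_MD5

def classify_user(entry):
    """Return (check, severity, account, issue) findings for one user entry."""
    name = entry["sAMAccountName"]
    uac = int(entry.get("userAccountControl", 0))
    spns = entry.get("servicePrincipalName", [])
    enc = int(entry.get("msDS-SupportedEncryptionTypes", 0))
    findings = []
    if uac & ACCOUNTDISABLE:
        return findings  # a disabled account cannot obtain tickets, so nothing to roast
    if spns and name.lower() != "krbtgt":  # krbtgt always carries an SPN
        findings.append(("#3", "High", name, "Kerberoastable: SPN on a user account"))
        if int(entry.get("adminCount", 0)) == 1 and uac & DONT_EXPIRE_PASSWORD:
            findings.append(("#3", "Critical", name, "high-value: adminCount=1 + SPN + password never expires"))
    if uac & DONT_REQ_PREAUTH:
        findings.append(("#3", "High", name, "AS-REP roastable: Kerberos pre-authentication disabled"))
    if uac & USE_DES_KEY_ONLY or (enc and not enc & ~DES_ONLY):
        findings.append(("#3", "Critical", name, "DES-only Kerberos encryption"))
    if enc & RC4_HMAC:
        findings.append(("#29", "Medium", name, "RC4-HMAC explicitly permitted in msDS-SupportedEncryptionTypes"))
    elif enc == 0 and spns:
        # Assumption: an unset attribute leaves the DC default in force, which has
        # historically included RC4, so SPN accounts are reported at the same level.
        findings.append(("#29", "Medium", name, "msDS-SupportedEncryptionTypes unset; DC default (may include RC4) applies"))
    return findings

def audit_users(entries):
    """Flatten the findings for a whole directory export."""
    return [f for e in entries for f in classify_user(e)]

# Constructed sample export (not real accounts); values mirror LDAP attribute names
SAMPLE_USERS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 66048, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"], "msDS-SupportedEncryptionTypes": 4},
    {"sAMAccountName": "legacy_app", "userAccountControl": 4194816},
    {"sAMAccountName": "old_des", "userAccountControl": 2097664, "msDS-SupportedEncryptionTypes": 3},
    {"sAMAccountName": "svc_retired", "userAccountControl": 514, "servicePrincipalName": ["HTTP/old.corp.local"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 512},
]

if __name__ == "__main__":
    for check, sev, acct, issue in audit_users(SAMPLE_USERS):
        print(f"[{sev:<8}] {check} {acct}: {issue}")
```

In a real audit the entries come from a read-only LDAP search over user objects; the remediation for each finding is the usual one (remove unneeded SPNs or move the service to a gMSA, re-enable pre-authentication, and restrict the account to AES enctypes).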

THE SCORING SYSTEM

ADPulse starts every scan at 100. Each finding deducts points based on severity. The final score categorizes your domain’s overall security posture.

80–100: LOW. Good posture, minor issues only.
60–79: MEDIUM. Notable weaknesses to address.
40–59: HIGH. Significant vulnerabilities present.
0–39: CRITICAL. Severe, remediate immediately.

COVERAGE BY ATTACK CATEGORY

Kerberos Attacks: checks #3, #5, #29, #32
ADCS / PKI (ESC): checks #6, #15
Privileged Access: checks #2, #18, #23, #30
Delegation Abuse: checks #4, #5, #32, #35
Persistence: checks #26, #27, #28
Protocol / Network: checks #9, #13, #21, #31
Policy & Hygiene: checks #1, #8, #10, #19
Infra & Legacy: checks #14, #20, #34, #33
Credentials: checks #24, #25, #11, #12

INSTALLATION & USAGE

ADPulse requires Python 3.8+, network access to a Domain Controller, and a standard read-only domain account.

bash — Installation
# Clone the repository
$ git clone https://github.com/dievus/ADPulse.git
$ cd ADPulse

# Create a virtual environment (recommended)
$ python -m venv venv
$ source venv/bin/activate

# Install dependencies
$ pip install -r requirements.txt

bash — Running a Scan
# Basic scan — auto-resolves DC via DNS
$ python ADPulse.py --domain corp.local --user jsmith --password 'P@ssw0rd!'

# Specify DC IP explicitly
$ python ADPulse.py --domain corp.local --user jsmith --password 'P@ssw0rd!' --dc-ip 10.0.0.1

# HTML report only, custom output dir
$ python ADPulse.py --domain corp.local --user jsmith --password 'P@ssw0rd!' --report html --output-dir /tmp/scans

# Pass-the-hash (NTLM hash instead of password)
$ python ADPulse.py --domain corp.local --user jsmith --hash aad3b435b51404eeaad3b435b51404ee:NTLMHASH

Arguments:
--domain (required): Target AD domain (e.g. corp.local)
--user (required): Domain username (no admin rights needed)
--password (required unless --hash is given): Domain password
--hash (alternative to --password): NTLM hash for pass-the-hash auth
--dc-ip (optional, default: auto-resolved): Domain Controller IP address
--report (optional, default: all): console | json | html | all
--output-dir (optional, default: . (current dir)): Parent directory for the Reports/ folder
--no-color (optional, default: false): Disable colored console output

THREE REPORT FORMATS

Every scan produces all three formats by default, giving you flexibility for human review, automation, and management reporting.

Console

Colour-coded terminal output with at-a-glance critical findings, key metrics, and real-time progress as each check completes. Perfect for interactive scans and quick triage.

JSON

Machine-readable export of all findings, severities, and metadata. Ideal for integration with SIEMs, ticketing systems (Jira, ServiceNow), or custom dashboards like Grafana.

HTML

Self-contained dark-themed report with collapsible sections, severity badges, stat cards, scoring legend, and a full ADCS template inventory. Share with management or the security team without installing anything.

Sensitive Data Warning

HTML and JSON reports may contain account names, group memberships, SPN details, and decrypted GPP passwords. Treat all report formats as confidential, store securely, and share only over encrypted channels.

LIMITATIONS & BEST PRACTICES

Known Limitations

Registry-only settings: NTLMv1, WDigest, LDAP signing and channel binding cannot be read via LDAP — flagged as manual verification items.
SMB probes: Firewalls or host-based rules may block port 445, causing false negatives for SMBv1/signing/null session checks.
SYSVOL access: Check #25 requires filesystem access to SYSVOL. On Linux/macOS the share must be mounted via Samba.
Size limits: LDAP queries are capped at 10,000 results per search — very large domains may require increased server-side limits.
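The SYSVOL access limitation above applies to check #25. As an added example (not ADPulse's code), this is the read-only part of that check: walk a mounted SYSVOL tree and report Group Policy Preferences files that still carry a cpassword attribute, without decrypting anything. The SYSVOL layout, policy GUIDs and cpassword values are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(sysvol_root):
    """Return (path relative to SYSVOL, element tag, account) per cpassword found."""
    hits = []
    for dirpath, _, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            full = os.path.join(dirpath, fname)
            try:
                root = ET.parse(full).getroot()
            except ET.ParseError:
                continue  # malformed GPP XML is a separate hygiene issue
            for elem in root.iter():
                # A cleared preference leaves cpassword="" behind; only a value counts
                if elem.get("cpassword"):
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
                    hits.append((os.path.relpath(full, sysvol_root), elem.tag, account))
    return hits

def build_sample_sysvol():
    """Write a constructed SYSVOL layout into a temp dir (placeholder values only)."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    fake = "CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_CPASSWORD"
    samples = {
        "corp.local/Policies/{GUID-1}/Machine/Preferences/Groups/Groups.xml":
            f'<Groups><User name="localadmin"><Properties action="U" userName="localadmin" cpassword="{fake}"/></User></Groups>',
        "corp.local/Policies/{GUID-2}/Machine/Preferences/Services/Services.xml":
            f'<NTServices><NTService name="backup"><Properties accountName="CORP\\svc_backup" cpassword="{fake}"/></NTService></NTServices>',
        "corp.local/Policies/{GUID-3}/Machine/Preferences/Groups/Groups.xml":
            '<Groups><User name="helpdesk"><Properties action="U" userName="helpdesk" cpassword=""/></User></Groups>',
    }
    for rel, xml_text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(xml_text)
    return root

if __name__ == "__main__":
    for rel, tag, account in find_cpasswords(build_sample_sysvol()):
        print(f"cpassword present: {rel} <{tag}> account={account}")
```

Point find_cpasswords at a real mount (for example the Samba mount of \\dc\SYSVOL) to use it on a domain; every hit is a preference that should be deleted and its account's password rotated.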

Best Practices

Get written authorization: Always obtain explicit written permission before scanning. ADPulse performs network probes — treat it like a pentest engagement.
Run from a trusted workstation: Execute ADPulse from a hardened, trusted host on the target network — not a compromised machine.
Secure credentials: Use a dedicated read-only audit account. Never hardcode credentials in scripts or commit them to version control.
Schedule regular scans: AD security posture degrades over time. Automate quarterly or monthly ADPulse runs and track score trends.

THE BOTTOM LINE

Active Directory is where most modern attacks end up — whether through Kerberoasting, ADCS exploitation, delegation abuse, or ACL misconfigurations. ADPulse gives you a fast, automated, read-only snapshot of exactly how exposed your domain is across 35 of the most exploited attack vectors.

It won’t replace a full red team engagement, but it’s the ideal first step — run it before every internal pentest, after major AD changes, and on a scheduled basis as part of your security hygiene program. A score above 80 means you’ve done the basics right. Anything below 60 means there are paths to your Domain Controller that need closing today.

Disclaimer

ADPulse is provided for authorized security assessments only. Always obtain written permission before scanning any Active Directory environment you do not own. This post is for educational purposes only.

Written by Khurram · Active Directory Security & Cloud Infrastructure

ADPulse on GitHub · MIT Licensed · Open Source
