EtcSec (Beta)
Active Directory Security Audit

Find Active Directory attack paths before an adversary does

EtcSec runs 340 named detections across 14 Active Directory categories. The coverage is built around the control failures that repeatedly show up in real compromise chains: Kerberos abuse, stale Tier 0 accounts, ACL takeover paths, unsafe GPO settings, trust exposure, and ADCS certificate escalation.

Collection stays read-only. ETC Collector queries LDAP or LDAPS, reads SYSVOL over SMB for GPO analysis, and can add opt-in network probes for DNS, HTTP and TLS posture. No agents are installed on domain controllers and no directory object is modified.

AD detections: 340
Audit categories: 14
Typical first report: <15 sec
Coverage backed by named detections
From the detector catalogue
Password and Kerberos issues are not reduced to a single score

The audit names the concrete findings behind the risk: PASSWORD_NOT_REQUIRED, REVERSIBLE_ENCRYPTION, PASSWORD_NEVER_EXPIRES, ADMIN_ASREP_ROASTABLE, KERBEROASTING_RISK, GOLDEN_TICKET_RISK, WEAK_ENCRYPTION_DES, and delegation findings on both users and computers.

Tier 0 drift is broken down into accounts, groups, and service identities

Instead of one privileged-accounts bucket, the platform separates stale admins, orphaned adminCount flags, service accounts in sensitive groups, foreign security principals, operator groups, DCSync-capable principals, and Protected Users gaps.

Directory permissions are audited at object level

ACL_GENERICALL, ACL_WRITEDACL, ACL_WRITEOWNER, ACL_SELF_MEMBERSHIP, WRITESPN_ABUSE, ForceChangePassword, and related ACE patterns are surfaced as individual findings so operators can see which object, which trustee, and why the permission matters.

Pro coverage extends into ADCS, attack paths, and compliance

The Pro tier adds ESC1 through ESC11 certificate abuse checks, three graph-based attack path detectors, and compliance mappings for CIS, NIST SP 800-53, ANSSI, and DISA STIG. Those additions matter when your audit must explain escalation routes and not just hygiene issues.

Audit scope

The 14 categories map directly to how AD environments are actually compromised

The detector catalogue is broad, but it is not random. Each category closes a specific blind spot in the attack chain, from weak passwords and Kerberos configuration through to certificate infrastructure and monitoring gaps.

Privileged accounts and Tier 0

33 detections covering stale admins, service accounts in privileged groups, SID history abuse, shadow credentials, Protected Users gaps, and foreign security principals.

Kerberos and delegation

14 detections covering AS-REP roasting, Kerberoasting, unconstrained and constrained delegation, krbtgt age, RC4 and DES downgrade conditions, and unknown delegation targets.

Passwords and authentication

10 detections for cleartext storage, reversible encryption, password age, dictionary attack risk, and accounts where users cannot rotate their own passwords.

GPO and workstation hardening

33 detections covering SYSVOL passwords, WDigest, Zerologon enforcement, PrintNightmare, UNC hardening, LSA protection, Firewall, Defender ASR, RDP, and privilege rights abuse.

ADCS certificate escalation

11 detections covering the ESC1-ESC11 taxonomy: template abuse, CA ACL issues, SAN configuration, mapping weakness, and HTTP or RPC relay surfaces.

Permissions, trusts, monitoring, network, and compliance

ACL analysis, trust boundaries, audit policy coverage, LDAP or SMB signing, DNS zone issues, and framework-aligned findings are all part of the same output rather than separate tools.

Why security teams use EtcSec for recurring AD reviews

Most AD audit tools still optimize for a one-off HTML report. EtcSec is built for repeated execution, concrete remediation lists, and a collection model that security teams can defend operationally.

Read-only collection

ETC Collector authenticates with a read-only directory account and SMB read access for SYSVOL. It does not change users, groups, GPOs, or PKI objects.

Fast enough for operational cadence

The documented side-by-side domain with 546 users, 100 computers, and 154 groups completed in 6.58 seconds with network probes enabled. Small and medium domains can be re-audited after role changes or maintenance windows instead of quarterly only.

Named findings instead of one opaque number

Operators receive concrete findings with severity and object context. That matters when the next step is to assign work to identity, messaging, workstation, or PKI owners.

One workflow for standalone and SaaS use

The same collector can be run locally in standalone server mode or enrolled as a daemon that reports into EtcSec for dashboards, trending, and multi-site follow-up.

Deep Dive

What a complete Active Directory audit should explain to operators

A landing page about AD security only becomes useful when it explains how the data is collected, which categories matter, and how the findings connect to remediation and governance. The sections below use the published detector catalogue and the collector documentation as the source of truth.

Methodology

Collection model, evidence sources, and runtime expectations

Protocols: LDAP or LDAPS, SMB for SYSVOL, optional network probes
Directory changes: None. Read-only collection model.
Core data sources: Users, groups, computers, GPOs, trusts, ACLs, ADCS, password and Kerberos policy
Observed benchmark: 6.58 seconds on the published 546-user / 100-computer domain with probes enabled

The Active Directory audit starts with parallel LDAP collection of users, groups, computers, OUs, domain settings, trust relationships, and security descriptors. GPO analysis reads SYSVOL over SMB so the engine can parse registry.pol, GptTmpl.inf, and script references. If Azure or Entra data is configured, that remains separate and does not alter the AD collection path.

The key operational point is that the collector does not need to install anything on a domain controller. The workflow is collection, parsing, analysis, graph construction, and response. That makes the evidence path explainable during internal reviews: you can point to which protocol was used, which object class was queried, and why a finding was emitted.

Network probes are opt-in, not implicit. That matters for change control because DNS, HTTP and TLS posture checks are useful, but they should remain explicit choices in sensitive environments.
Category Map

The 14 categories and what each one proves

Published category breakdown from the AD vulnerability catalogue
Category (checks): what it tells the operator

Password (10): Whether account-level password settings already expose cleartext, reversible, stale, or weakly managed credentials.
Kerberos (14): Whether ticketing, pre-auth, delegation, encryption, or krbtgt hygiene enable roasting, downgrade, or impersonation paths.
Accounts (33): Whether privileged and service accounts drifted into states that increase persistence or takeover risk.
Groups (15): Whether dangerous built-in or privileged group memberships create hidden power concentration.
Computers (31): Whether workstation and server posture leaves lateral movement or delegated impersonation surfaces open.
Advanced (50): Whether LDAP or SMB signing, DCSync rights, quota abuse, AdminSDHolder, or metadata-level issues enable deeper compromise.
Permissions (21): Whether ACLs grant enough control to reset passwords, modify SPNs, rewrite DACLs, or take ownership of sensitive objects.
ADCS (11): Whether certificate infrastructure enables ESC-style abuse and certificate-based privilege escalation.
GPO (33): Whether domain-wide policy distribution is leaking passwords or disabling core Windows hardening controls.
Trusts (7): Whether trust boundaries lack SID filtering, selective authentication, or modern Kerberos protections.
Attack Paths (3): Whether graph analysis can show explicit escalation routes into Domain Admin or equivalent privilege.
Monitoring (9): Whether audit policy is strong enough to support detection and incident response.
Compliance (23): Whether the same findings can be reused as evidence across CIS, NIST, ANSSI, and DISA programs.
Network (15): Whether LDAP, SMB, DNS, and related infrastructure settings still expose relay or weak transport surfaces.
Counts come from the published catalogue in `/docs/vulnerabilities/active-directory/VULNERABILITY_CATALOG.md`.
Named Detections

Detection families that repeatedly drive remediation work

Credential exposure and weak password handling

The password category names the issues the helpdesk and IAM teams must actually clean up: PASSWORD_NOT_REQUIRED, REVERSIBLE_ENCRYPTION, PASSWORD_CLEARTEXT_STORAGE, UNIX_USER_PASSWORD, PASSWORD_IN_DESCRIPTION, and PASSWORD_VERY_OLD.

  • Separates account configuration from policy-level weakness.
  • Flags risky descriptions and Unix attributes instead of only UAC flags.
  • Gives object-level lists for action, not just category scores.

Kerberos abuse paths

ADMIN_ASREP_ROASTABLE, ASREP_ROASTING_RISK, GOLDEN_TICKET_RISK, UNCONSTRAINED_DELEGATION, KERBEROASTING_RISK, KERBEROS_AES_DISABLED, and DELEGATION_UNKNOWN_TARGET explain why the environment is vulnerable, not just that Kerberos is “weak”.

  • Highlights privileged AS-REP cases separately from general user exposure.
  • Covers both encryption downgrade and delegation targeting mistakes.
  • Makes krbtgt hygiene visible as a named persistence risk.
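Most of the password and Kerberos findings named above, and in the catalogue summary earlier on this page, follow from a few userAccountControl bits, the msDS-SupportedEncryptionTypes attribute, the presence of an SPN, and the age of the krbtgt key. The block below is an added example, not the EtcSec collector's code: it walks constructed LDAP-style account records and emits the page's finding names. The record layout, the isComputer and isDomainController markers, the adminCount test for the "admin" variant, and the 180-day krbtgt threshold are assumptions made for the example; the bit values are the documented Windows ones.

```python
"""Account-level password and Kerberos checks derived from documented
userAccountControl / msDS-SupportedEncryptionTypes semantics.
Example code, not the EtcSec collector; record format, helper markers and
the krbtgt threshold are assumptions."""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented Windows values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000
USE_DES_KEY_ONLY = 0x200000
DONT_REQ_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ETYPE_DES = 0x1 | 0x2          # DES-CBC-CRC, DES-CBC-MD5
ETYPE_RC4 = 0x4
ETYPE_AES = 0x8 | 0x10         # AES128-CTS, AES256-CTS

KRBTGT_MAX_AGE = timedelta(days=180)   # assumed threshold, not the catalogue's


def evaluate_account(acct, now):
    """Return the finding names raised by one LDAP-style account record."""
    uac = acct.get("userAccountControl", 0)
    etypes = acct.get("msDS-SupportedEncryptionTypes", 0)
    enabled = not uac & ACCOUNTDISABLE
    findings = []

    # Password handling: account-level settings, distinct from domain policy.
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWORD_NOT_REQUIRED")
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append("REVERSIBLE_ENCRYPTION")
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("PASSWORD_NEVER_EXPIRES")

    # Pre-authentication disabled: the KDC returns an AS-REP encrypted with the
    # account's key without the requester proving knowledge of the password.
    if enabled and uac & DONT_REQ_PREAUTH:
        privileged = acct.get("adminCount", 0) == 1
        findings.append("ADMIN_ASREP_ROASTABLE" if privileged else "ASREP_ROASTING_RISK")

    # Encryption downgrade conditions. An unset attribute (0) is left to the
    # DC defaults and is not judged here.
    if uac & USE_DES_KEY_ONLY or (etypes and not etypes & ~ETYPE_DES):
        findings.append("WEAK_ENCRYPTION_DES")
    if etypes and not etypes & ETYPE_AES:
        findings.append("KERBEROS_AES_DISABLED")

    # A user (not computer) account with an SPN receives service tickets
    # encrypted under its own long-term key, exposing that key to offline
    # guessing; RC4-only keys and never-rotated passwords make it worse.
    if enabled and acct.get("servicePrincipalName") and not acct.get("isComputer", False):
        findings.append("KERBEROASTING_RISK")

    # Unconstrained delegation on anything but a domain controller lets that
    # host accumulate forwarded TGTs of everyone who authenticates to it.
    if uac & TRUSTED_FOR_DELEGATION and not acct.get("isDomainController", False):
        findings.append("UNCONSTRAINED_DELEGATION")

    # krbtgt key age: tickets forged with an old krbtgt key remain valid until
    # the key has been rotated twice, so age is a persistence indicator.
    if acct.get("sAMAccountName") == "krbtgt" and now - acct["pwdLastSet"] > KRBTGT_MAX_AGE:
        findings.append("GOLDEN_TICKET_RISK")
    return findings


def audit(accounts, now):
    """Map sAMAccountName -> findings, omitting accounts with none."""
    result = {}
    for acct in accounts:
        hits = evaluate_account(acct, now)
        if hits:
            result[acct["sAMAccountName"]] = hits
    return result


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed clock

# Constructed sample records, shaped like the attributes an LDAP search returns.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x0202,
     "pwdLastSet": datetime(2019, 1, 10, tzinfo=timezone.utc)},
    {"sAMAccountName": "da-legacy", "userAccountControl": 0x0200 | DONT_REQ_PREAUTH,
     "adminCount": 1, "pwdLastSet": NOW},
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x0200 | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": ETYPE_RC4, "pwdLastSet": NOW},
    {"sAMAccountName": "old-kiosk", "pwdLastSet": NOW,
     "userAccountControl": 0x0200 | PASSWD_NOTREQD | ACCOUNTDISABLE | DONT_REQ_PREAUTH},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x0200,
     "msDS-SupportedEncryptionTypes": ETYPE_RC4 | ETYPE_AES, "pwdLastSet": NOW},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {', '.join(hits)}")
```

The disabled kiosk account still gets its password-configuration finding but no AS-REP finding, because a disabled principal cannot obtain a ticket; that split is what keeps the roasting findings actionable rather than noisy.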

Tier 0 account and service-account drift

Privileged exposure is spread across multiple findings such as SERVICE_ACCOUNT_PRIVILEGED, SERVICE_ACCOUNT_INTERACTIVE, ADMIN_COUNT_ORPHANED, PRIVILEGED_ACCOUNT_STALE, NOT_IN_PROTECTED_USERS, and FOREIGN_SECURITY_PRINCIPALS.

  • Useful when ownership is split between IAM, messaging, and application teams.
  • Supports cleanup of stale or residual privilege, not just detection.
  • Makes operator groups and overlooked built-ins visible.

ACL takeover and DCSync conditions

Permissions findings surface GenericAll, WriteDACL, WriteOwner, self-membership, ForceChangePassword, and replication rights outside normal DC accounts, with the object and trustee that create the risk.

  • The output is designed for remediation, not just graph generation.
  • DCSync-capable identities are highlighted directly.
  • WriteSPN and password-reset rights are separated because their abuse paths differ.
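The object-and-trustee view described above comes from walking each security descriptor's ACEs and matching access-mask bits against the object type the ACE applies to. Here is an added example of that evaluation, written for this page and not taken from the EtcSec permissions engine: it runs over constructed ACE records, skips deny and inherit-only entries, ignores trustees expected to hold the right, and requires both replication control-access rights on the domain head before reporting a DCSync-capable principal. The ACE record layout, the expected-trustee list and the name DCSYNC_CAPABLE are assumptions of the example; the mask bits and rights GUIDs are the documented AD values.

```python
"""Object-level ACE evaluation for AD security descriptors.
Example code, not the EtcSec permissions engine: ACE records and the
expected-trustee list are constructed for a demo domain."""
from collections import defaultdict

# Access mask bits (ADS_RIGHTS_ENUM)
DS_SELF = 0x00000008            # validated write
DS_WRITE_PROP = 0x00000020
DS_CONTROL_ACCESS = 0x00000100  # extended rights
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
GENERIC_ALL = 0x10000000

# Rights / attribute GUIDs behind the findings
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"       # member attribute
SERVICE_PRINCIPAL_NAME = "f3a64788-5306-11d1-a9c5-0000f80367c1"
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

INHERIT_ONLY_ACE = 0x08   # ACE flag: applies to children only, not this object

# Principals expected to hold powerful rights in the demo domain (assumption).
EXPECTED_TRUSTEES = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
                     "CORP\\Domain Admins", "CORP\\Enterprise Admins",
                     "CORP\\Domain Controllers",
                     "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"}


def _grants(ace, bit, guid):
    """True if the ACE carries `bit` for `guid`, or for all object types (None)."""
    return bool(ace["mask"] & bit) and ace.get("object_type") in (None, guid)


def evaluate_aces(aces):
    """Return (object, trustee, finding) tuples for risky, non-default ACEs."""
    findings = []
    replication = defaultdict(set)   # (object, trustee) -> replication GUIDs held
    for ace in aces:
        if ace["type"] != "ALLOW" or ace.get("flags", 0) & INHERIT_ONLY_ACE:
            continue   # denies and inherit-only entries do not grant on this object
        if ace["trustee"] in EXPECTED_TRUSTEES:
            continue
        obj, who, mask, cls = ace["object"], ace["trustee"], ace["mask"], ace["class"]
        if mask & GENERIC_ALL:
            findings.append((obj, who, "ACL_GENERICALL"))
            continue   # full control already implies every right below
        if mask & WRITE_DAC:
            findings.append((obj, who, "ACL_WRITEDACL"))
        if mask & WRITE_OWNER:
            findings.append((obj, who, "ACL_WRITEOWNER"))
        if cls == "user" and _grants(ace, DS_CONTROL_ACCESS, FORCE_CHANGE_PASSWORD):
            findings.append((obj, who, "ForceChangePassword"))
        if cls == "user" and (_grants(ace, DS_WRITE_PROP, SERVICE_PRINCIPAL_NAME)
                              or _grants(ace, DS_SELF, SERVICE_PRINCIPAL_NAME)):
            findings.append((obj, who, "WRITESPN_ABUSE"))
        if cls == "group" and _grants(ace, DS_SELF, SELF_MEMBERSHIP):
            findings.append((obj, who, "ACL_SELF_MEMBERSHIP"))
        if cls == "domainDNS":
            for guid in (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL):
                if _grants(ace, DS_CONTROL_ACCESS, guid):
                    replication[(obj, who)].add(guid)
    # Directory replication needs both rights on the domain head; a trustee
    # holding both outside the expected set is what the audit should surface.
    for (obj, who), guids in replication.items():
        if guids == {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}:
            findings.append((obj, who, "DCSYNC_CAPABLE"))   # example finding name
    return findings


DOMAIN = "DC=corp,DC=example"   # constructed domain

# Constructed ACEs as a collector might flatten them from nTSecurityDescriptor.
SAMPLE_ACES = [
    {"object": DOMAIN, "class": "domainDNS", "trustee": "CORP\\Domain Controllers",
     "type": "ALLOW", "mask": DS_CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"object": DOMAIN, "class": "domainDNS", "trustee": "CORP\\svc-backup",
     "type": "ALLOW", "mask": DS_CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES},
    {"object": DOMAIN, "class": "domainDNS", "trustee": "CORP\\svc-backup",
     "type": "ALLOW", "mask": DS_CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"object": "CN=Helpdesk,OU=Groups," + DOMAIN, "class": "group", "trustee": "CORP\\Interns",
     "type": "ALLOW", "mask": DS_SELF, "object_type": SELF_MEMBERSHIP},
    {"object": "CN=svc-sql,OU=Service," + DOMAIN, "class": "user", "trustee": "CORP\\Helpdesk",
     "type": "ALLOW", "mask": DS_CONTROL_ACCESS, "object_type": FORCE_CHANGE_PASSWORD},
    {"object": "CN=svc-sql,OU=Service," + DOMAIN, "class": "user", "trustee": "CORP\\App Owners",
     "type": "ALLOW", "mask": DS_WRITE_PROP, "object_type": SERVICE_PRINCIPAL_NAME},
    # Inherit-only: grants on the OU's children, which carry their own inherited
    # ACE and are evaluated there, not on the OU object itself.
    {"object": "OU=Tier0," + DOMAIN, "class": "organizationalUnit", "trustee": "CORP\\Interns",
     "type": "ALLOW", "mask": GENERIC_ALL, "object_type": None, "flags": INHERIT_ONLY_ACE},
    {"object": "OU=Tier0," + DOMAIN, "class": "organizationalUnit", "trustee": "CORP\\Legacy Ops",
     "type": "DENY", "mask": WRITE_DAC, "object_type": None},
    {"object": "CN=AdminSDHolder,CN=System," + DOMAIN, "class": "container", "trustee": "CORP\\Legacy Ops",
     "type": "ALLOW", "mask": WRITE_DAC | WRITE_OWNER, "object_type": None},
]

if __name__ == "__main__":
    for obj, who, finding in evaluate_aces(SAMPLE_ACES):
        print(f"{finding:22} {who:20} on {obj}")
```

Each tuple carries the object and trustee, so a finding can be handed to the owner of that object rather than to whoever owns "permissions" in general, which is the assignability point made in the severity section further down.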

GPO and workstation hardening failures

GPO_PASSWORD_IN_SYSVOL, HARDENED_UNC_PATHS_WEAK, WDIGEST_ENABLED, LSA_PROTECTION_DISABLED, ZEROLOGON_PATCH_ENFORCEMENT, PRINTNIGHTMARE_VULNERABLE, and privilege-right abuse findings bridge identity security with Windows hardening.

  • Important when AD risk lives in policy, not only in identity objects.
  • Covers both credential theft and domain-wide remote execution surfaces.
  • Maps naturally to workstation or server engineering owners.
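The GPO findings above come out of the SYSVOL parsing the methodology section describes, in particular the GptTmpl.inf security template under each policy's MACHINE\Microsoft\Windows NT\SecEdit folder. The block below is an added example, not the EtcSec GPO engine: it decodes a constructed UTF-16 template, reads the [Registry Values] entries for WDigest and RunAsPPL, and checks [Privilege Rights] holders against an allow-list. The sample template, the allow-list of SIDs and the finding name PRIVILEGE_RIGHTS_ABUSE are assumptions of the example; WDIGEST_ENABLED and LSA_PROTECTION_DISABLED are the page's own names.

```python
"""Checks over one GPO's GptTmpl.inf (SecEdit template read from SYSVOL).
Example code, not the EtcSec GPO engine; the template and the SID allow-list
are constructed for the demo."""
import configparser

# [Registry Values] entries are written as path=type,data (type 4 = REG_DWORD)
WDIGEST_KEY = r"MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
RUNASPPL_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\RunAsPPL"

# Privilege rights whose holders can read LSASS, load kernel code, or
# otherwise step outside their tier.
SENSITIVE_RIGHTS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
                    "SeEnableDelegationPrivilege", "SeImpersonatePrivilege"}
# Holders accepted without a finding: BUILTIN\Administrators, SERVICE, LOCAL
# SERVICE, NETWORK SERVICE, Backup Operators (assumption for the demo domain).
EXPECTED_HOLDERS = {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20", "S-1-5-32-551"}


def decode_inf(raw):
    """GptTmpl.inf is normally UTF-16LE with a BOM; fall back to UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("utf-8-sig")


def parse_gpttmpl(raw):
    """Return a ConfigParser over the INI-style template, keys case-preserved."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cfg.optionxform = str   # keep registry paths and right names as written
    cfg.read_string(decode_inf(raw))
    return cfg


def registry_dword(cfg, key):
    """Return the REG_DWORD value for `key`, or None if absent or not type 4."""
    if not cfg.has_option("Registry Values", key):
        return None
    reg_type, _, data = cfg.get("Registry Values", key).partition(",")
    return int(data) if reg_type.strip() == "4" else None


def evaluate_gpttmpl(raw, gpo_name):
    """Return (gpo, finding, detail) tuples for one template."""
    cfg = parse_gpttmpl(raw)
    findings = []
    # UseLogonCredential=1 makes LSASS keep cleartext credentials for WDigest.
    if registry_dword(cfg, WDIGEST_KEY) == 1:
        findings.append((gpo_name, "WDIGEST_ENABLED", WDIGEST_KEY))
    # RunAsPPL explicitly 0 turns LSA protection off. An absent value is left
    # to other GPOs or the host default and is not judged from this file alone.
    if registry_dword(cfg, RUNASPPL_KEY) == 0:
        findings.append((gpo_name, "LSA_PROTECTION_DISABLED", RUNASPPL_KEY))
    if cfg.has_section("Privilege Rights"):
        for right, holders in cfg.items("Privilege Rights"):
            if right not in SENSITIVE_RIGHTS:
                continue
            # Holders are listed as *SID,*SID; strip the marker before comparing.
            for sid in (h.strip().lstrip("*") for h in holders.split(",") if h.strip()):
                if sid not in EXPECTED_HOLDERS:
                    findings.append((gpo_name, "PRIVILEGE_RIGHTS_ABUSE",   # example name
                                     f"{right} -> {sid}"))
    return findings


# Constructed template. The S-1-5-21-... SID is a placeholder domain group.
SAMPLE_LINES = [
    "[Unicode]", "Unicode=yes",
    "[Version]", 'signature="$CHICAGO$"', "Revision=1",
    "[Registry Values]",
    WDIGEST_KEY + "=4,1",
    RUNASPPL_KEY + "=4,0",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5",
    "[Privilege Rights]",
    "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105",
    "SeEnableDelegationPrivilege = *S-1-5-32-544",
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551",
    "SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551",
]
SAMPLE_GPTTMPL = b"\xff\xfe" + "\r\n".join(SAMPLE_LINES).encode("utf-16-le")

if __name__ == "__main__":
    for gpo, finding, detail in evaluate_gpttmpl(SAMPLE_GPTTMPL, "{constructed-gpo-guid}"):
        print(f"{gpo}: {finding} ({detail})")
```

Evaluating templates one GPO at a time is deliberate: the detail column then names the policy that has to change, which is what lets a finding be routed to the workstation or server engineering owner rather than to the directory team.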

Certificate escalation and graph analysis

ADCS findings such as ESC1_VULNERABLE_TEMPLATE, ESC4_VULNERABLE_TEMPLATE_ACL, ESC8_HTTP_ENROLLMENT, and ESC10_WEAK_CERTIFICATE_MAPPING complement the three attack-path findings that model privilege escalation through graph relationships.

  • Useful for environments that already know PKI is business-critical.
  • Shows where certificate infrastructure creates privilege, not just issuance hygiene.
  • Pairs raw findings with path-level explanation.
Severity and Triage

Severity distribution matters because remediation is usually cross-functional

Critical: 42
High: 105
Medium: 110
Low: 16

The catalogue weights critical findings at 10, high at 3, medium at 1, and low at 0.2. That scoring model is useful internally, but the more important operator outcome is the severity distribution: a handful of critical issues often deserve immediate containment, while the larger high and medium layers define the hardening backlog that can be scheduled.

In practice, remediation rarely sits with one team. Identity owners handle privileged groups and password policy, Windows engineering owns GPO hardening and workstation settings, PKI owners take the ADCS backlog, and governance or compliance functions care about the framework mapping. A useful AD audit therefore has to separate the findings in a way that is assignable.

  • Use critical findings to define immediate containment or emergency hardening.
  • Group high findings by owner: IAM, Windows, PKI, or infrastructure.
  • Use medium findings to build recurring hygiene work and evidence for quarterly review.
  • Keep low findings visible, but do not let them hide higher-impact privilege paths.
Collector Workflow

Where the open-source collector stops and where EtcSec adds more

The collector is the evidence engine. It handles collection, parsing, detection, optional graph analysis, and JSON output. In standalone server mode, everything can stay on your infrastructure with a local GUI and REST API on port 8443. In daemon mode, the same binary can enroll into the SaaS platform and poll for commands every 30 seconds while still keeping directory collection local.

EtcSec builds on that collection layer by adding dashboards, historical trending, multi-site orchestration, and remediation workflow. That distinction is important for SEO as well as for procurement: the landing page is not promising a mysterious black box, but a specific collection engine plus an optional SaaS operating layer.

Frequently asked questions

What does an Active Directory security audit with EtcSec include?

The published catalogue currently lists 340 detections across 14 categories: Password (11), Kerberos (14), Accounts (34), Groups (17), Computers (33), Advanced (50), Permissions (21), ADCS (11), GPO (34), Trusts (7), Attack Paths (3), Monitoring (9), Compliance (81), and Network (15).

That mix matters because it spans both identity objects and the surrounding Windows controls that make identity compromise practical.

Does the audit require privileged credentials or an agent on domain controllers?

No. The documented collection model is read-only LDAP or LDAPS plus SMB read access for SYSVOL. No agent is installed on a domain controller and the collector does not modify the directory.

How quickly can the audit produce a usable report?

The published benchmark domain with 546 users, 100 computers, and 154 groups completed in 6.58 seconds with network probes enabled. Smaller and medium-sized environments are fast enough to support recurring review after change windows instead of only annual or quarterly assessment.

How does EtcSec compare to PingCastle for AD-focused reviews?

The side-by-side documentation shows ETC Collector covering 59 of 61 PingCastle rules and 876 of 896 risk points on the published test domain, while also adding ADCS ESC analysis, attack-path modelling, Entra ID coverage, and compliance mappings that PingCastle does not include.

Read-only assessment

Start your Active Directory security audit

Deploy the collector, run the audit with read-only credentials, and get a finding set that identity, Windows, PKI, and governance teams can actually action.