Below is a checklist to go through when conducting a pentest. Order is irrelevant, and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?"; a mindmap is in the works for the latter.
- PrivExchange patches are applied, protecting Exchange servers from authentication coercion attacks relying on the PushSubscription API, and from ACE abuse attacks relying on the `Exchange Windows Permissions` group having `WriteDacl` permissions against the domain object (which allows granting DCSync rights).
- The latest security patches are applied (e.g. for ProxyLogon and ProxyShell on Exchange servers, PrintNightmare on hosts running the Print Spooler, ...).
- Local administrators have a unique, random, complex and rotating password on every server/workstation (e.g. use of LAPS). This can be checked by dumping a local admin password or hash on one host and attempting credential stuffing (i.e. trying to log in on other resources with that password/hash): a successful login elsewhere means the password is shared.
- Strong password and lockout policies exist and are applied (complexity enabled, at least 12 chars, 16 for admins, must change every 6 months; the stricter admin requirements are typically enforced with a fine-grained password policy), and users know not to use simple and guessable passwords (e.g. password == username), limiting credential bruteforcing, guessing, stuffing and cracking attacks.
- The Tier Model is applied (administrative personnel have multiple accounts, one for each tier, with different passwords and security requirements for each one) and a least-privilege policy is followed (i.e. service accounts don't have domain admin (or equivalent) privileges, ACEs are carefully set), limiting lateral movement and privilege escalation when a single account or host is compromised.
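As an added example (not code from the original page), the following PowerShell script performs read-only checks for three of the items above from a domain-joined host with the RSAT `ActiveDirectory` module: LAPS coverage, the domain password/lockout policy against the thresholds the checklist states, and service accounts (users with an SPN) that are members of high-privilege groups. The function names and the 12-character / 180-day thresholds are assumptions chosen for this example; adjust them to the policy being audited.

```powershell
# Added example, not part of the original checklist. Requires the RSAT ActiveDirectory
# module and an account able to read the attributes below (ms-Mcs-AdmPwdExpirationTime
# is readable by all authenticated users by default; the password itself is not).
Import-Module ActiveDirectory

# 1. LAPS coverage: a computer managed by LAPS has ms-Mcs-AdmPwdExpirationTime populated.
#    If the query fails because the attribute is not in the schema, LAPS was never deployed.
function Get-LapsCoverage {
    try {
        $computers = Get-ADComputer -Filter 'Enabled -eq $true' `
            -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ms-Mcs-AdmPwdExpirationTime: LAPS schema extension missing? ($_)"
        return
    }
    foreach ($c in $computers) {
        [pscustomobject]@{
            Name        = $c.Name
            OS          = $c.OperatingSystem
            LapsManaged = [bool]$c.'ms-Mcs-AdmPwdExpirationTime'
        }
    }
}

# 2. Password and lockout policy: default domain policy plus any fine-grained policies (PSOs),
#    since a PSO overrides the default for the principals it applies to (e.g. 16 chars for admins).
function Test-PasswordPolicy {
    param([int]$MinLength = 12, [int]$MaxAgeDays = 180)   # assumed thresholds, from the checklist
    $policies = @(Get-ADDefaultDomainPasswordPolicy |
        Select-Object @{n='Scope'; e={'Default domain policy'}}, ComplexityEnabled,
            MinPasswordLength, MaxPasswordAge, LockoutThreshold)
    $policies += Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object @{n='Scope'; e={"PSO: $($_.Name) -> $($_.AppliesTo -join ', ')"}},
            ComplexityEnabled, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    foreach ($p in $policies) {
        $ageDays = $p.MaxPasswordAge.TotalDays   # 0 means "never expires", which also fails the check
        [pscustomobject]@{
            Scope              = $p.Scope
            ComplexityEnabled  = $p.ComplexityEnabled
            MinPasswordLength  = $p.MinPasswordLength
            MaxPasswordAgeDays = $ageDays
            LockoutThreshold   = $p.LockoutThreshold   # 0 means no lockout at all
            Compliant          = ($p.ComplexityEnabled -and
                                  $p.MinPasswordLength -ge $MinLength -and
                                  $ageDays -gt 0 -and $ageDays -le $MaxAgeDays -and
                                  $p.LockoutThreshold -gt 0)
        }
    }
}

# 3. Service accounts (users carrying an SPN, hence Kerberoastable) that end up, directly or
#    through nesting, in high-privilege groups. Groups are resolved by well-known SID so the
#    check does not depend on localized or renamed group names.
function Get-PrivilegedServiceAccounts {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $privilegedGroupSids = @(
        "$domainSid-512", "$domainSid-518", "$domainSid-519",   # Domain/Schema/Enterprise Admins
        'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-551'  # Administrators, Account/Server/Backup Operators
    )
    $members = foreach ($sid in $privilegedGroupSids) {
        # Schema/Enterprise Admins exist only in the forest root; the catch skips them elsewhere.
        try { Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop } catch {}
    }
    $memberNames = $members | Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName -Unique
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
        Where-Object { $memberNames -contains $_.SamAccountName } |
        Select-Object SamAccountName, PasswordLastSet, @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }}
}

# Usage: list unmanaged hosts, non-compliant policies and over-privileged service accounts.
Get-LapsCoverage | Where-Object { -not $_.LapsManaged } | Format-Table -AutoSize
Test-PasswordPolicy | Where-Object { -not $_.Compliant } | Format-List
Get-PrivilegedServiceAccounts | Format-Table -AutoSize
```

Each finding maps back to a checklist item: hosts without `ms-Mcs-AdmPwdExpirationTime` are candidates for the shared-local-admin credential-stuffing test, a non-compliant policy scope shows which principals can be bruteforced or have stale passwords, and any SPN-bearing account in the privileged set means a single Kerberoast and offline crack yields domain-admin-equivalent access.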