# Movement

{% hint style="danger" %}
**This is a work-in-progress**
{% endhint %}

Below is a checklist to go through when conducting a pentest. Order is irrelevant and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?". A mindmap is in the works for that matter :wink:.

### NTLM configuration

* [ ] Obsolete versions of this protocol (LM, LMv2 and NTLM(v1)) are disabled, and NTLM (all versions) is disabled when possible. This protects against [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0), [NTLM capture](/ad/movement/ntlm/capture.md) and [cracking](/ad/movement/credentials/cracking.md#tips-and-tricks), and [pass-the-hash](broken://pages/6MHzmbXpK7Ge11Xc9oZf) attacks.

### Kerberos configuration

* [ ] `krbtgt`'s password has been changed in the last 6 months to prevent [Golden Ticket](/ad/persistence/kerberos/forged-tickets.md) persistence attacks. From UNIX-like systems, this can be checked with [Impacket](https://github.com/SecureAuthCorp/impacket/)'s [GetADUsers.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetADUsers.py) script.
* [ ] The RC4 `etype` is disabled for Kerberos, to prevent [overpass-the-hash](/ad/movement/kerberos/opth.md) attacks, as well as [NTLMv1 capture](/ad/movement/ntlm/capture.md) and [cracking](/ad/movement/credentials/cracking.md#tips-and-tricks) leading to [Silver Ticket](/ad/persistence/kerberos/forged-tickets.md) attacks. This can be checked by attempting to obtain a TGT with an NT hash.
* [ ] No account is configured with `Do not require Kerberos Pre-Authentication`, which would allow [ASREProast](broken://pages/aMCfYwIroVqgnglotzZr) attacks, or those accounts have strong passwords resistant to [cracking](/ad/movement/credentials/cracking.md).
* [ ] User accounts that have at least one `ServicePrincipalName`, and are hence vulnerable to [Kerberoast](broken://pages/RWjMvoWZjJMlHX6oZQpX), have a strong password resistant to [cracking](/ad/movement/credentials/cracking.md).

### Patch management

* [ ] Domain Controllers are patched against [ZeroLogon](broken://pages/hDwWgXi9NqIJn2vCBz7Z).
* [ ] Domain Controllers are patched against [Kerberos sAMAccountName spoofing](broken://pages/XM7QjeewHFzfHv1QmCdH).
* [ ] [MS14-068](/ad/movement/kerberos/forged-tickets.md#ms-14-068-cve-2014-6324) is patched, preventing forging of powerful Kerberos tickets.
* [ ] [PrivExchange](/ad/movement/exchange-services/privexchange.md) patches are applied, protecting Exchange servers from [authentication coercion attacks relying on the PushSubscription API](/ad/movement/mitm-and-coerced-authentications/pushsubscription-abuse.md), and from [ACE abuse](broken://pages/4BIFRCf5fXqahfOIAeGb) attacks relying on the `Exchange Windows Permissions` group having `WriteDacl` permissions on the domain object, which allows for [DCSync](/redteam/credentials/os-credentials/windows-and-active-directory/dcsync.md).
* [ ] Patches for NTLM tampering vulnerabilities (e.g. CVE-2019-1040, CVE-2019-1019, CVE-2019-1166) are applied to limit [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0) attacks.
* [ ] The latest security patches are applied (e.g. for ProxyLogon, ProxyShell, PrintNightmare, ...).

### Access Management (IAM/PAM)

* [ ] Local administrators have a unique, random, complex and rotating password on every server/workstation (e.g. use of LAPS). This can be checked by dumping a local admin password or hash and attempting [credential stuffing](/ad/movement/credentials/bruteforcing/stuffing.md) (i.e. trying to log in on other resources with that password/hash).
* [ ] Strong [password and lockout policies](broken://pages/bQSuZvmYAABvEBXFB2HB) exist and are applied (complexity enabled, at least 12 chars, 16 for admins, must change every 6 months) and users know not to use simple and guessable passwords (e.g. password == username) limiting credential [bruteforcing](/ad/movement/credentials/bruteforcing.md), [guessing](broken://pages/p6xZMBBcrVRj97LgWIFM), [stuffing](/ad/movement/credentials/bruteforcing/stuffing.md) and [cracking](/ad/movement/credentials/cracking.md) attacks.
* [ ] The Tier Model is applied (administrative personnel have multiple accounts, one per tier, with different passwords and security requirements for each) and a "least privilege" policy is followed (i.e. service accounts don't have domain admin (or equivalent) privileges, ACEs are carefully set), limiting credential [bruteforcing](/ad/movement/credentials/bruteforcing.md), [guessing](broken://pages/p6xZMBBcrVRj97LgWIFM), [stuffing](/ad/movement/credentials/bruteforcing/stuffing.md) and [cracking](/ad/movement/credentials/cracking.md) attacks.
* [ ] Sensitive network shares are not readable by all users. A "need to know" policy is followed, preventing data leak and other [credential-based attacks](/ad/movement/credentials.md).
* [ ] No account is configured with [Kerberos Unconstrained Delegation](/ad/movement/kerberos/delegations.md#unconstrained-delegations) capabilities.
* [ ] No computer account has admin privileges over another one. This limits [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0) attacks.

### Credentials Management

* [ ] Caching of domain users is limited on workstations and avoided on servers to prevent [credential dumping](/ad/movement/credentials/dumping.md) of LSA secrets from registry.
* [ ] [Group Policy Preferences Passwords](/redteam/credentials/os-credentials/windows-and-active-directory/group-policies-preferences.md) are not used.
* [ ] LSA Protection is enabled to prevent [LSASS dumping](broken://pages/wAjDzPwV8LLtm6RWJbLf).
* [ ] Network shares readable by all domain users don't contain sensitive data like passwords or certificates limiting [credential dumping](/redteam/credentials/unsecured-credentials/network-shares.md).

### Domain-level configuration and best-practices

* [ ] The [Machine Account Quota](broken://pages/jXE6Ld8my9DXlAqJGjJn) domain-level attribute is set to 0, preventing domain users from creating domain-joined computer accounts.
* [ ] Default [special groups](broken://pages/KBCrHromBogYiIquu36M) are empty, limiting, among other things, out-of-box ACE abuses.
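
The following is an added example, not part of the original page: an offline audit over an LDAP export of account attributes (constructed sample data below) that covers the Kerberos configuration items (`krbtgt` password age, RC4 etype, pre-authentication, SPNs on user accounts), the unconstrained delegation item under Access Management and the Machine Account Quota item above. The 6-month threshold is an assumption, and the RC4 check reads `msDS-SupportedEncryptionTypes` statically rather than requesting a TGT with an NT hash.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (ADS_USER_FLAG_ENUM) and the msDS-SupportedEncryptionTypes RC4 bit
UF_ACCOUNTDISABLE = 0x2
UF_TRUSTED_FOR_DELEGATION = 0x80000   # Kerberos unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000    # "Do not require Kerberos Pre-Authentication"
ETYPE_RC4_HMAC = 0x4
FILETIME_EPOCH_DELTA = 116444736000000000  # 100ns ticks from 1601-01-01 to 1970-01-01

def filetime_to_datetime(ft):
    """pwdLastSet is a Windows FILETIME: 100ns ticks since 1601-01-01 UTC."""
    return datetime.fromtimestamp((ft - FILETIME_EPOCH_DELTA) / 10_000_000, tz=timezone.utc)

def audit(users, domain, now):
    """Return (object, issue) pairs for the checklist items a static LDAP export can answer."""
    findings = []
    for u in users:
        name, uac = u["sAMAccountName"], u.get("userAccountControl", 0)
        if name.lower() == "krbtgt":  # krbtgt is disabled by design: test it before the skip below
            if now - filetime_to_datetime(u["pwdLastSet"]) > timedelta(days=180):  # assumed "6 months"
                findings.append((name, "password not rotated in the last 6 months (Golden Ticket)"))
            continue
        if uac & UF_ACCOUNTDISABLE:
            continue  # disabled accounts cannot be roasted or abused for delegation
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "pre-authentication not required (ASREProast)"))
        if u.get("servicePrincipalName"):
            findings.append((name, "user account with SPN (Kerberoast)"))
        if uac & UF_TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation"))
        # An absent msDS-SupportedEncryptionTypes has historically meant "RC4 accepted"
        etypes = u.get("msDS-SupportedEncryptionTypes")
        if etypes is None or etypes & ETYPE_RC4_HMAC:
            findings.append((name, "RC4 etype still accepted"))
    if domain.get("ms-DS-MachineAccountQuota", 10) > 0:  # the AD default is 10
        findings.append(("domain", "ms-DS-MachineAccountQuota is not 0"))
    return findings

# Constructed sample export (not real data); run audit(SAMPLE_USERS, SAMPLE_DOMAIN, NOW)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "pwdLastSet": 133170048000000000},  # 2023-01-01
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": 0x1C,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "j.doe", "userAccountControl": 0x400200, "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "old.admin", "userAccountControl": 0x80202},  # disabled, ignored
    {"sAMAccountName": "webapp", "userAccountControl": 0x80200, "msDS-SupportedEncryptionTypes": 0x18},
]
SAMPLE_DOMAIN = {"ms-DS-MachineAccountQuota": 10}
```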

### Networking, protocols and services

* [ ] SMB signing is required when possible, especially on sensitive servers, preventing [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0) attacks.
* [ ] LDAP signing is required on Domain Controllers, preventing [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0) attacks.
* [ ] Extended Protection for Authentication (EPA) is required, especially for Domain Controllers supporting LDAPS, preventing [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0) attacks.
* [ ] IPv6 is either fully configured and used or disabled, preventing [DHCPv6 spoofing with DNS poisoning](/ad/movement/mitm-and-coerced-authentications/dhcpv6-spoofing.md) attacks.
* [ ] [LLMNR, NBT-NS and mDNS](/ad/movement/mitm-and-coerced-authentications/llmnr-nbtns-mdns-spoofing.md) are disabled, preventing MITM attacks relying on those multicast/broadcast domain name resolution protocols.
* [ ] WPAD is disabled, preventing [WPAD spoofing](/ad/movement/mitm-and-coerced-authentications/wpad-spoofing.md).
* [ ] A record exists in ADIDNS for the `*` (wildcard) name, preventing powerful [ADIDNS poisoning](/ad/movement/mitm-and-coerced-authentications/adidns-spoofing.md#wildcard-records) attacks. Preferably, this is a `TXT` record.
* [ ] The print spooler is disabled on Domain Controllers and sensitive servers to prevent the [PrinterBug](/ad/movement/print-spooler-service/printerbug.md) authentication coercion attack.
* [ ] The WSUS server (if any) is configured with HTTPS, to prevent ARP poisoning with [WSUS spoofing](/ad/movement/mitm-and-coerced-authentications/wsus-spoofing.md) attacks.
* [ ] Set up packet filtering and inspection, and enable port security on network switches, to prevent [ARP poisoning](/ad/movement/mitm-and-coerced-authentications/arp-poisoning.md) attacks and [network secrets dumping](/redteam/credentials/unsecured-credentials/network-protocols.md).
* [ ] Set up VLANs, 802.1X or other [NAC (Network Access Control)](https://github.com/v4resk/red-book/blob/main/physical/networking/network-access-control.md) controls to limit an attacker's progress within the network.
* [ ] Plaintext protocols are avoided when using credentials (HTTP, FTP, ...), in order to minimize the risks of the [capture of credentials transiting on the network](/redteam/credentials/unsecured-credentials/network-protocols.md).

### Active Directory Certificate Services

* [ ] The CA is configured correctly (the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is not set). This prevents [the corresponding domain escalation attack](broken://pages/WkprGmwzsAWJY02uYQ0K).
* [ ] There are no certificate templates that are badly configured. This prevents [the corresponding domain escalation attack](/ad/movement/ad-cs/certificate-templates.md).
* [ ] AD-CS web endpoints are secured against [AD-CS NTLM relay attacks](/ad/movement/ad-cs/unsigned-endpoints.md) (HTTPS and EPA (Extended Protection for Authentication) enforced).
