adPEAS v2 Episode 4: Security Checks - All Modules at a Glance
Complete overview of adPEAS v2 security check modules: Domain, Accounts, Delegation, Rights, Creds, ADCS, Computer, GPO, and Application checks for Active Directory.
Introduction
The connection is up, authentication is done - now the real work begins. The previous episodes covered how adPEAS connects to Active Directory and which authentication methods are available. This post is all about the core: the security checks.
When you manually analyze an Active Directory, you can easily spend several hours on LDAP filters, ACL parsing, and GPO analysis. adPEAS automates that - but not as a black box. Every check has a clear purpose, and understanding what is being checked helps you better contextualize the results and know where it’s worth digging deeper.
adPEAS organizes the checks into ten modules. Each module covers a specific attack vector or configuration area. You can run all modules at once, or selectively pick individual ones - depending on what the scope of the assessment calls for.
One important detail: adPEAS classifies results by severity. Not every finding is equally critical. Disabled LDAP Signing is a different ballgame than a Kerberoastable service account. The severity levels (Finding, Hint, Note, Secure) help separate the wheat from the chaff and focus on the things that matter most.
Module Overview
adPEAS organizes the security checks into modules. Each module contains multiple individual checks:
+-----------------------------------------------------------------------------+
| adPEAS CHECK MODULES |
+-------------+---------------------------------------------------------------+
| Domain | Password Policy, Trusts, LDAP Configuration, SMB Signing |
+-------------+---------------------------------------------------------------+
| Accounts | Tier-0 Groups, Inactive Admins, Protected Users, SID History |
+-------------+---------------------------------------------------------------+
| Delegation | Unconstrained, Constrained, RBCD |
+-------------+---------------------------------------------------------------+
| Rights | Dangerous ACLs/OUs, Password Reset, Add Computer, LAPS |
+-------------+---------------------------------------------------------------+
| Creds | Kerberoasting, AS-REP Roasting, Credential Exposure, LAPS |
+-------------+---------------------------------------------------------------+
| Computer | Outdated OS, LAPS Configuration, Infrastructure, Owners |
+-------------+---------------------------------------------------------------+
| GPO | GPO Permissions, Local Groups, Scheduled Tasks, Scripts |
+-------------+---------------------------------------------------------------+
| ADCS | Certificate Templates (ESC1-5, ESC8-9, ESC13, ESC15) |
+-------------+---------------------------------------------------------------+
| Application | Exchange, SCCM, SCOM Infrastructure |
+-------------+---------------------------------------------------------------+
| Bloodhound | Data Collection for BloodHound CE |
+-------------+---------------------------------------------------------------+Running Modules
# All modules
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth
# Individual modules
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Module Domain
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Module Domain,Accounts,ADCS
# OPSEC mode
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -OPSECDomain Module
The Domain module is the starting point of every analysis. Before diving into accounts and ACLs, you need to know: How is the domain fundamentally configured? Weak password policies, missing LDAP Signing, or disabled SID Filtering are findings that affect the entire scope of an assessment.
| Check | What is checked |
|---|---|
| Domain Information | DCs, FSMO Roles, Kerberos Policy |
| Password Policy | Min. Length, Complexity, Lockout, History |
| Domain Trusts | Trust Types, SID Filtering |
| LDAP Configuration | LDAP Signing, Channel Binding, Anonymous Access |
| SMB Signing | Signing on all systems |
Accounts Module
Privileged accounts are the primary target of every attacker. This module checks not only who is in the Tier-0 groups, but also whether those accounts are properly configured. A Domain Admin with PasswordNeverExpires and no Protected Users membership - those are the findings that show up in every other assessment.
| Check | What is checked |
|---|---|
| Privileged Groups | Members of Domain Admins, Enterprise Admins, etc. |
| Inactive Admins | Last Logon > 90 days |
| Protected Users | Membership in Protected Users |
| Password Never Expires | Admin accounts with PasswordNeverExpires |
| Reversible Encryption | Admin accounts with Reversible Encryption |
| Managed Service Accounts | gMSA/sMSA Security |
| SID History | Hidden privileges |
| Non-Default Owners | Owners of user objects |
| Password Not Required | PASSWD_NOTREQD Flag |
Delegation Module
Kerberos Delegation is one of the most commonly overlooked attack surfaces in AD. Unconstrained Delegation on a web server? Then a compromised web server is simultaneously a ticket harvester for every admin who connects.
| Check | What is checked |
|---|---|
| Unconstrained | TrustedForDelegation Flag |
| Constrained | msDS-AllowedToDelegateTo |
| RBCD | msDS-AllowedToActOnBehalfOfOtherIdentity |
Rights Module
ACLs are the silent risk in Active Directory. From the outside everything looks clean - but under the hood maybe an IT helpdesk has GenericAll on the Domain Admins group. This module uncovers exactly these kinds of hidden permission issues.
| Check | What is checked |
|---|---|
| Dangerous ACLs | GenericAll, WriteDACL, WriteOwner, DCSync |
| Dangerous OU Permissions | ACLs on OUs (GenericAll, WriteDACL, etc.) |
| Password Reset Rights | ForceChangePassword Extended Right |
| Add Computer Rights | MachineAccountQuota, Create-Child Computer |
| LAPS Permissions | Who can read ms-Mcs-AdmPwd/msLAPS-Password |
Creds Module
Finding credentials in AD is often easier than you’d think. GPP passwords in SYSVOL, cleartext passwords in description fields, Kerberoastable service accounts with weak passwords - this module systematically searches for everything an attacker could use for initial access or privilege escalation.
| Check | What is checked |
|---|---|
| Kerberoasting | Accounts with SPNs |
| AS-REP Roasting | Accounts without Pre-Auth |
| Credential Exposure | SYSVOL Scripts, GPP cpassword, Cleartext |
| Unix Passwords | UnixUserPassword/UserPassword Attributes |
| LAPS Credential Access | Readable ms-Mcs-AdmPwd / msLAPS-Password |
| Passwords in Description | Description/Info Attribute Scan |
ADCS Module
Since the SpecterOps research on “Certified Pre-Owned” (2021), ADCS vulnerabilities have been one of the most reliable paths to privilege escalation. A misconfigured certificate template can make the difference between “Domain User” and “Domain Admin” - with a single certificate request.
| ESC | Problem | Impact |
|---|---|---|
| ESC1 | User can specify SAN themselves | Domain Admin with a single certificate |
| ESC2 | Any Purpose EKU | Certificate usable for Client Auth |
| ESC3 | Enrollment Agent | Request certificates on behalf of others |
| ESC4 | Template ACL | Modify template to ESC1 |
| ESC5 | PKI Container ACL | Manipulate entire PKI infrastructure |
| ESC8 | HTTP Web Enrollment | NTLM Relay to Cert Request (Detection only) |
| ESC9 | No Security Extension + Client Auth | Certificate Mapping Bypass |
| ESC13 | Issuance Policy mapped to AD Group | Certificate inherits group membership |
| ESC15 | Schema v1 + Enrollee-supplied Subject | CVE-2024-49019 |
ESC5 Details: Checks for dangerous permissions (GenericAll, WriteDacl, WriteOwner) on PKI container objects:
CN=Public Key Services(Root PKI Container)CN=Certificate Templates(Template creation/modification)CN=Enrollment Services(Enrollment control)CN=NTAuthCertificates(Trusted CAs for Kerberos)CN=OID(Issuance Policies, ESC13-related)
If unprivileged users have these rights, they can create new vulnerable templates, make existing templates insecure, grant themselves enrollment rights, or manipulate the NTAuth store.
Computer Module
Computer objects reveal a lot about the state of an environment. Outdated operating systems, missing LAPS coverage, non-default owners on server objects - all indicators of potential weaknesses in the infrastructure.
| Check | What is checked |
|---|---|
| Outdated OS | Windows Version |
| LAPS Configuration | LAPS Deployment and GPO Configuration |
| Infrastructure Servers | DCs, Exchange, SQL, SCCM |
| Non-Default Owners | Owners of computer objects |
GPO Module
Group Policies are a double-edged sword: they are the backbone of security configuration, but also an attack vector. If you can edit a GPO that applies to Domain Controllers, you effectively have Domain Admin rights - just through a detour.
| Check | What is checked |
|---|---|
| GPO Permissions | Who can edit GPOs, GPO links |
| Local Group Membership | Restricted Groups/Preferences |
| Scheduled Tasks | GPO-defined Scheduled Tasks |
| Script Paths | Logon/Logoff/Startup/Shutdown Scripts |
Application Module
Enterprise applications like Exchange, SCCM, and SCOM are often highly privileged systems with a direct path to Domain Admin. SCCM in particular is frequently overlooked - a compromised Management Point can execute software on every client in scope.
| Check | What is checked |
|---|---|
| Exchange | Servers, Groups, Permissions |
| SCCM/MECM | Sites, Management Points, Hierarchy, Clients, PXE/WDS, Service Accounts |
| SCOM | Management Server, RunAs Accounts |
Individual Check Functions
After Connect-adPEAS, checks can also be called individually:
# Establish session
Connect-adPEAS -Domain "contoso.com" -UseWindowsAuth
# Individual checks
Get-KerberoastableAccounts # Kerberoastable Service Accounts
Get-ASREPRoastableAccounts # AS-REP Roastable Accounts
Get-UnconstrainedDelegation # Unconstrained Delegation
Get-ConstrainedDelegation # Constrained Delegation
Get-DomainTrusts # Domain Trusts
Get-PrivilegedGroupMembers # Members of privileged groups
Get-DangerousACLs # Dangerous ACLs on domain root
Get-ADCSVulnerabilities # ADCS ESC vulnerabilities
# End session
Disconnect-adPEASUnderstanding Findings
adPEAS uses color-coded symbols in the console output:
| Symbol | Color | Meaning |
|---|---|---|
[!] | Red | Finding - Security issue |
[+] | Yellow | Hint - Interesting, worth investigating |
[*] | Green | Note - Informational |
[#] | Red on Yellow | Secure - Good configuration |
Quick Reference: What to Check?
Standard Scan:
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuthFocused:
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Module ADCS,Domain,Creds← Episode 3: Authentication | Episode 5: Output & Reports — coming soon
About the Author
Related Articles
adPEAS v2 Blog Series: Active Directory Security Analysis with adPEAS
Introducing adPEAS v2 — a complete rewrite of the PowerShell-based Active Directory analysis tool with native Kerberos support, zero dependencies, and over 40 security checks.
adPEAS v2 Episode 2: Under the Hood - Anatomy of a Scan
What happens when adPEAS scans an Active Directory? From authentication and LDAP queries to context-dependent severity ratings and caching -- a look under the hood.
adPEAS v2 Episode 3: Authentication Deep-Dive - From Password to Certificate
Deep dive into adPEAS v2 authentication: Kerberos internals, Pass-the-Hash, Pass-the-Key, PKINIT with certificates, Shadow Credentials, and Pass-the-Cert via Schannel.