How to configure Attack Surface Analyzer for Active Directory

In this article:

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective

This article provides a step-by-step guide to configure the Attack Surface Analyzer for Active Directory environments. It helps security administrators identify and assess changes in the system's attack surface, detect potential vulnerabilities, and ensure the AD configuration aligns with security best practices.

Prerequisites

  • ADAudit Plus build 8000 or later for Azure.

Steps to follow

  1. Open your browser and log in to the ADAudit Plus web console using an account with administrative or delegated access.

  2. Go to the Active Directory tab on the top navigation bar.

  3. Click on Attack Surface Analyzer in the left pane.

  4. All Active Directory domains that are already configured and audited in ADAudit Plus will be automatically added to the Attack Surface Analyzer.

  5. No additional setup is required for domain inclusion.

  6. The Attack Surface Analyzer includes 25+ security-centric reports designed to detect common and advanced AD attack vectors, including:

    • Pass the ticket

    • Pass the hash

    • DCShadow

    • DCSync

    • AdminSDHolder ACL tampering

    • RID hijacking

    • AS-REP roasting

    • Kerberoasting

    • Recent use of default admin

    • Shadow admin

    • Primary Group ID

    • Golden Ticket

    • Silver Ticket

    • Security log killer

    • PowerShell script block logging

    • Constrained delegation

    • Unconstrained delegation

    • Password extraction

    • Password spray

    • Reversible password encryption

    • Plaintext password in GPO

    • Brute-force password detection

    • Brute-force username detection

    • DSRM password change

    • DNS admin escalation

    • Suspicious process

    • Remote thread

    • Ransomware attack


Validation and confirmation

  • Navigate to Admin > Domain Settings and verify that all relevant domain controllers are added and collecting logs in real time.

  • On the Attack Surface Analyzer page, review the last updated timestamp to confirm the data is up to date.

  • Simulate controlled scenarios in a lab environment, such as adding a Shadow Admin or using unconstrained delegation, to validate detection.
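When validating the analyzer in a lab, it helps to have an independent, read-only view of the directory to compare its reports against. The following PowerShell script is an added example and is not part of the ADAudit Plus product or this article: it queries a domain for objects matching several of the conditions listed above (unconstrained and constrained delegation, AS-REP roasting exposure, reversible password encryption, Kerberoastable user accounts, non-default primary group IDs, and the last logon of the built-in Administrator) so that counts can be cross-checked against the corresponding analyzer reports. It assumes the RSAT ActiveDirectory module is installed and the session runs as an account with read access to the domain; the domain name is a placeholder.

```powershell
# Added example (not ADAudit Plus code): read-only AD audit for cross-checking
# Attack Surface Analyzer reports in a lab. Assumes the RSAT ActiveDirectory
# module; $Server is a placeholder domain name to replace.
Import-Module ActiveDirectory

function Get-AdAttackSurfaceSummary {
    param([string]$Server = 'lab.example')   # placeholder domain

    $findings = [ordered]@{}

    # Unconstrained delegation: TrustedForDelegation on users and computers.
    # Domain controllers (primaryGroupID 516, RODCs 521) legitimately have it, so skip them.
    $findings['Unconstrained delegation'] = @(
        Get-ADUser -Server $Server -Filter 'TrustedForDelegation -eq $true'
        Get-ADComputer -Server $Server -Filter 'TrustedForDelegation -eq $true' -Properties primaryGroupID |
            Where-Object { $_.primaryGroupID -notin 516, 521 }
    )

    # Constrained delegation: any object with msDS-AllowedToDelegateTo populated.
    $findings['Constrained delegation'] = @(
        Get-ADObject -Server $Server -Filter 'msDS-AllowedToDelegateTo -like "*"' -Properties sAMAccountName |
            Select-Object @{ n = 'SamAccountName'; e = { $_.sAMAccountName } }
    )

    # AS-REP roasting exposure: accounts that do not require Kerberos pre-authentication.
    $findings['AS-REP roasting (no pre-auth)'] = @(
        Get-ADUser -Server $Server -Filter 'DoesNotRequirePreAuth -eq $true'
    )

    # Reversible password encryption enabled on the account.
    $findings['Reversible password encryption'] = @(
        Get-ADUser -Server $Server -Filter 'AllowReversiblePasswordEncryption -eq $true'
    )

    # Kerberoasting exposure: user accounts carrying an SPN (krbtgt is expected and excluded).
    $findings['Kerberoastable users (SPN set)'] = @(
        Get-ADUser -Server $Server -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
            Where-Object { $_.SamAccountName -ne 'krbtgt' }
    )

    # Primary Group ID: users whose primary group is not Domain Users (513).
    # Domain Guests (514) on the Guest account is normal; anything else deserves a look.
    $findings['Non-default primary group ID'] = @(
        Get-ADUser -Server $Server -Filter 'primaryGroupID -ne 513' -Properties primaryGroupID |
            Where-Object { $_.primaryGroupID -ne 514 }
    )

    # One row per check, with the count and up to five sample account names.
    foreach ($check in $findings.Keys) {
        $items = @($findings[$check])
        [pscustomobject]@{
            Check  = $check
            Count  = $items.Count
            Sample = ($items | Select-Object -First 5 -ExpandProperty SamAccountName) -join ', '
        }
    }

    # Recent use of default admin: last logon of the built-in Administrator (RID 500).
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    $admin = Get-ADUser -Server $Server -Identity "$domainSid-500" -Properties LastLogonDate
    [pscustomobject]@{
        Check  = 'Built-in Administrator last logon'
        Count  = 1
        Sample = "$($admin.SamAccountName) : $($admin.LastLogonDate)"
    }
}

Get-AdAttackSurfaceSummary -Server 'lab.example' | Format-Table -AutoSize
```

The script only reads directory attributes and makes no changes, so it is safe to run against production as well as a lab; differences between its counts and the analyzer's reports usually point at a domain controller that is not yet sending logs or a report that has not refreshed since the last change, which is what the validation steps above are meant to surface.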

Tips

  • Focus on high-risk detections like Golden Ticket, DCSync, Kerberoasting, and Password Spray.

  • Regularly review analyzer reports (e.g., weekly or monthly) as part of your internal security audits.

  • Link alerts from the analyzer to your ticketing system or SIEM to ensure quick response to threats.

  • Ensure you're running build 8500 or above, as older builds may not support all attack detections.


Related topics and articles

  • How to configure Attack Surface Analyzer for Azure
