Every check ADscan runs, mapped to MITRE ATT&CK.
No marketing-only claims. Each entry below is catalog-backed and grouped by ATT&CK tactic, so a procurement reviewer can cross-walk it to a control without taking a single line on faith.
Entries marked "Reported" produce a written finding in the technical report. The rest are surfaced in the kill-chain heatmap and coverage matrix when observed in the target domain.
Initial Access
2 checks

| Check | ATT&CK technique | Severity |
|---|---|---|
| External Remote Services. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1133 External Remote Services | Supporting |
| Exploit Public-Facing Application. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1190 Exploit Public-Facing Application | Supporting |

Persistence
2 checks

| Check | ATT&CK technique | Severity |
|---|---|---|
| Force Change Password Rights Assigned [Reported, Permissions]. The User-Force-Change-Password extended right in Active Directory allows a principal to reset another user's password without knowing the current password. | T1098 Account Manipulation | Core |
| Create Account. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1136 Create Account | Supporting |

Privilege Escalation
3 checks

| Check | ATT&CK technique | Severity |
|---|---|---|
| noPac/sAMAccountName Spoofing (CVE-2021-42278 + CVE-2021-42287) [Reported, CVE]. NoPac chains two Active Directory vulnerabilities to achieve domain compromise from any standard domain user account. | T1068 Exploitation for Privilege Escalation | Critical |
| Domain Controller Accepts NTLMv1 Authentication [Reported, Authentication]. If the Domain Controller authenticates back using NTLMv1 during a coerced callback, the environment still permits a legacy NTLM mode with materially weaker cryptographic protections. | T1078 Valid Accounts | High |
| Domain Admin Sessions on Non-Privileged Hosts [Reported, Privilege]. Domain Administrator sessions were discovered on workstations, member servers, or other non-Tier 0 hosts. | T1078.002 Domain Accounts | High |

Defense Evasion
3 checks

| Check | ATT&CK technique | Severity |
|---|---|---|
| Obfuscated Files or Information. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1027 Obfuscated Files or Information | Supporting |
| Indicator Removal. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1070 Indicator Removal | Supporting |
| Hybrid Identity. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1556.007 Hybrid Identity | Supporting |

Credential Access
20 checks

| Check | ATT&CK technique | Severity |
|---|---|---|
| OS Credential Dumping. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1003 OS Credential Dumping | Supporting |
| LSASS Memory. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1003.001 LSASS Memory | Supporting |
| DCSync Privilege Abuse [Reported, Active Directory]. The DCSync attack exploits Active Directory's directory replication protocol (MS-DRSR) to simulate the behavior of a Domain Controller requesting credential replication. | T1003.006 DCSync | Critical |
| LAPS Not Deployed on Domain Hosts (Posture) [Reported, Posture/Hygiene]. One or more domain-joined hosts do not have a managed local administrator password solution deployed. | T1078.003 Valid Accounts: Local Accounts | Core |
| Password Guessing. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1110.001 Password Guessing | Supporting |
| Password Spraying. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1110.003 Password Spraying | Supporting |
| Resource-Based Constrained Delegation Misconfiguration [Reported, Delegation]. Resource-Based Constrained Delegation (RBCD) is a Kerberos mechanism configured via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects that controls which principals may impersonate users to that computer. | T1134.001 Access Token Manipulation: Token Impersonation/Theft | High |
| WebDAV Coercion Attack Surface Detected [Reported, CVE]. WebDAV (Web Distributed Authoring and Versioning) support is enabled on detected hosts via the Windows WebClient service. | T1187 Forced Authentication | Core |
| ZeroLogon (CVE-2020-1472) [Reported, CVE]. Zerologon (CVE-2020-1472, CVSS 10.0) is a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC) that allows an unauthenticated attacker to forge a valid Netlogon session with a Domain Controller. | T1210 Exploitation of Remote Services | Critical |
| Sensitive Data Found in SMB Shares [Reported, SMB]. Files accessible over SMB shares were found to contain sensitive data such as plaintext credentials, API keys, private keys, or configuration artifacts that include authentication material. | T1552.001 Credentials in Files | High |
| GPP Autologin Credentials Exposed [Reported, GPP]. Group Policy Preferences (GPP) support autologin configurations that store credentials in XML policy files under the SYSVOL share on Domain Controllers. | T1552.006 Group Policy Preferences | High |
| LAPS Password Readable by Non-Admins [Reported, LAPS]. The Local Administrator Password Solution (LAPS) stores per-machine local administrator credentials in the ms-Mcs-AdmPwd attribute of computer objects in Active Directory. | T1555 Credentials from Password Stores | High |
| LDAP Signing / Channel Binding Not Hardened [Reported, LDAP]. When Domain Controllers do not require LDAP signing or do not enforce channel binding, attackers can relay coerced or captured NTLM authentication to LDAP and perform directory operations in the victim context. | T1557 Adversary-in-the-Middle | High |
| LDAP Signing / Channel Binding Not Hardened [Reported, LDAP]. When Domain Controllers do not require LDAP signing or do not enforce channel binding, attackers can relay coerced or captured NTLM authentication to LDAP and perform directory operations in the victim context. | T1557.001 LLMNR/NBT-NS Poisoning + SMB Relay | High |
| noPac/sAMAccountName Spoofing (CVE-2021-42278 + CVE-2021-42287) [Reported, CVE]. NoPac chains two Active Directory vulnerabilities to achieve domain compromise from any standard domain user account. | T1558 Steal or Forge Kerberos Tickets | Critical |
| KRBTGT Password Exposure Detected [Reported, Privilege]. The KRBTGT account is the built-in service account used by the Kerberos Distribution Center (KDC) to encrypt and sign all Kerberos Ticket-Granting Tickets (TGTs) issued in the domain. | T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket | Critical |
| Kerberoasting [Reported, Kerberos]. In an Active Directory (AD) environment, Service Principal Names (SPNs) are used to uniquely identify instances of a Windows service. | T1558.003 Kerberoasting | Core |
| AS-REP Roasting [Reported, Kerberos]. Preauthentication offers protection against offline Password Cracking. | T1558.004 AS-REP Roasting | Core |
| Shadow Credentials (msDS-KeyCredentialLink) Present [Reported, Credential Access]. One or more Active Directory objects have existing msDS-KeyCredentialLink attribute values. | T1606.002 Forge Web Credentials: SAML Tokens | High |
| ADCS ESC1 - Misconfigured Certificate Template [Reported, ADCS]. ADCS ESC1 occurs when a certificate template is configured to allow requesters to specify a Subject Alternative Name (SAN) in their certificate request, combined with an authentication-capable Extended Key Usage (EKU) such as Client Authentication, Smart Card Logon, or PKINIT. | T1649 Steal or Forge Authentication Certificates | Critical |

Discovery
10 checks

| Check | ATT&CK technique | Severity |
|---|---|---|
| Remote System Discovery. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1018 Remote System Discovery | Supporting |
| Permission Groups Discovery. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1069 Permission Groups Discovery | Supporting |
| Account Discovery. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1087 Account Discovery | Supporting |
| LDAP Anonymous Bind Enabled [Reported, LDAP]. Lightweight Directory Access Protocol (LDAP) supports anonymous bind operations, which permit unauthenticated clients to connect and query directory information from a Domain Controller without presenting any credentials. | T1087.002 Account Discovery: Domain Account | Core |
| Domain Trust Discovery. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1482 Domain Trust Discovery | Supporting |
| Credentials Found in LDAP Attributes [Reported, Credential Exposure]. Credential material (passwords, tokens, or similar secrets) was detected in cleartext LDAP attributes such as description, info, unixUserPassword, or userPassword. | | High |
| krbtgt Account Password Not Rotated [Reported, Kerberos Security]. The krbtgt account password has not been changed in more than 180 days. | | High |
| Machine Account Quota Allows Domain Join [Reported, Domain Configuration]. The ms-DS-MachineAccountQuota attribute is set to a value greater than 0. | | Core |
| Obsolete Operating Systems [Reported, Asset Hygiene]. One or more domain-joined systems appear to be running obsolete Windows versions identified through LDAP inventory. | | High |
| RC4-Only Kerberos Accounts (No AES Support) [Reported, Kerberos Security]. One or more accounts do not have AES encryption types configured (msDS-SupportedEncryptionTypes bits 2-4 are all zero). | | Core |

Lateral Movement
5 checks

| Check | ATT&CK technique | Severity |
|---|---|---|
| Remote Services: RDP. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1021.001 Remote Services: RDP | Supporting |
| SMB Guest Session Share Access [Reported, SMB]. One or more hosts accepted SMB guest session authentication and exposed accessible shares. | T1021.002 Remote Services: SMB/Windows Admin Shares | High |
| Pass the Hash. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1550.002 Pass the Hash | Supporting |
| Pass the Ticket. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1550.003 Pass the Ticket | Supporting |
| Lateral Tool Transfer. ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. | T1570 Lateral Tool Transfer | Supporting |

Emits a finding in the technical report. Surfaced in the kill-chain heatmap and coverage matrix when observed. Generated 2026-05-02.
Want this cross-walked to your compliance framework?
Every finding mapped to ENS Alto, NIS2, ISO 27001, DORA and PCI DSS. Board-ready, no email gate. Or see it run on your own Active Directory, free, delivered the same day.