Todos los checks que ejecuta ADscan, mapeados a MITRE ATT&CK.
Sin afirmaciones de marketing. Cada entrada está respaldada por catálogo y agrupada por táctica ATT&CK, para que un revisor de compras la cruce con un control sin dar por buena ni una sola línea.
entradas respaldadas por catálogo
tácticas ATT&CK cubiertas
Generan hallazgos en el informe
Estas entradas producen un hallazgo escrito en el informe técnico. El resto se muestran en el mapa de calor kill-chain y en la matriz de cobertura cuando se observan en el dominio objetivo.
Initial Access
2 checks| Check | Técnica ATT&CK | Severidad |
|---|---|---|
External Remote Services ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1133 External Remote Services | T1133External Remote Services | Soporte |
Exploit Public-Facing Application ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1190 Exploit Public-Facing Application | T1190Exploit Public-Facing Application | Soporte |
Persistence
2 checks| Check | Técnica ATT&CK | Severidad |
|---|---|---|
Force Change Password Rights AssignedEn informe Permissions The User-Force-Change-Password extended right in Active Directory allows a principal to reset another user's password without knowing the current password. T1098 Account Manipulation | T1098Account Manipulation | Core |
Create Account ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1136 Create Account | T1136Create Account | Soporte |
Privilege Escalation
3 checks| Check | Técnica ATT&CK | Severidad |
|---|---|---|
noPac/sAMAccountName Spoofing (CVE-2021-42278 + CVE-2021-42287)En informe CVE NoPac chains two Active Directory vulnerabilities to achieve domain compromise from any standard domain user account. T1068 Exploitation for Privilege Escalation | T1068Exploitation for Privilege Escalation | Crítico |
Domain Controller Accepts NTLMv1 AuthenticationEn informe Authentication If the Domain Controller authenticates back using NTLMv1 during a coerced callback, the environment still permits a legacy NTLM mode with materially weaker cryptographic protections. T1078 Valid Accounts | T1078Valid Accounts | Alto |
Domain Admin Sessions on Non-Privileged HostsEn informe Privilege Domain Administrator sessions were discovered on workstations, member servers, or other non-Tier 0 hosts. T1078.002 Domain Accounts | T1078.002Domain Accounts | Alto |
Defense Evasion
3 checks| Check | Técnica ATT&CK | Severidad |
|---|---|---|
Obfuscated Files or Information ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1027 Obfuscated Files or Information | T1027Obfuscated Files or Information | Soporte |
Indicator Removal ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1070 Indicator Removal | T1070Indicator Removal | Soporte |
Hybrid Identity ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1556.007 Hybrid Identity | T1556.007Hybrid Identity | Soporte |
Credential Access
20 checks| Check | Técnica ATT&CK | Severidad |
|---|---|---|
OS Credential Dumping ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1003 OS Credential Dumping | T1003OS Credential Dumping | Soporte |
LSASS Memory ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1003.001 LSASS Memory | T1003.001LSASS Memory | Soporte |
DCSync Privilege AbuseEn informe Active Directory The DCSync attack exploits Active Directory's directory replication protocol (MS-DRSR) to simulate the behavior of a Domain Controller requesting credential replication. T1003.006 DCSync | T1003.006DCSync | Crítico |
LAPS Not Deployed on Domain Hosts (Posture)En informe Posture/Hygiene One or more domain-joined hosts do not have a managed local administrator password solution deployed. T1078.003 Valid Accounts: Local Accounts | T1078.003Valid Accounts: Local Accounts | Core |
Password Guessing ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1110.001 Password Guessing | T1110.001Password Guessing | Soporte |
Password Spraying ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1110.003 Password Spraying | T1110.003Password Spraying | Soporte |
Resource-Based Constrained Delegation MisconfigurationEn informe Delegation Resource-Based Constrained Delegation (RBCD) is a Kerberos mechanism configured via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects that controls which principals may impersonate users to that computer. T1134.001 Access Token Manipulation: Token Impersonation/Theft | T1134.001Access Token Manipulation: Token Impersonation/Theft | Alto |
WebDAV Coercion Attack Surface DetectedEn informe CVE WebDAV (Web Distributed Authoring and Versioning) support is enabled on detected hosts via the Windows WebClient service. T1187 Forced Authentication | T1187Forced Authentication | Core |
ZeroLogon (CVE-2020-1472)En informe CVE Zerologon (CVE-2020-1472, CVSS 10.0) is a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC) that allows an unauthenticated attacker to forge a valid Netlogon session with a Domain Controller. T1210 Exploitation of Remote Services | T1210Exploitation of Remote Services | Crítico |
Sensitive Data Found in SMB SharesEn informe SMB Files accessible over SMB shares were found to contain sensitive data such as plaintext credentials, API keys, private keys, or configuration artifacts that include authentication material. T1552.001 Credentials in Files | T1552.001Credentials in Files | Alto |
GPP Autologin Credentials ExposedEn informe GPP Group Policy Preferences (GPP) support autologin configurations that store credentials in XML policy files under the SYSVOL share on Domain Controllers. T1552.006 Group Policy Preferences | T1552.006Group Policy Preferences | Alto |
LAPS Password Readable by Non-AdminsEn informe LAPS The Local Administrator Password Solution (LAPS) stores per-machine local administrator credentials in the ms-Mcs-AdmPwd attribute of computer objects in Active Directory. T1555 Credentials from Password Stores | T1555Credentials from Password Stores | Alto |
LDAP Signing / Channel Binding Not HardenedEn informe LDAP When Domain Controllers do not require LDAP signing or do not enforce channel binding, attackers can relay coerced or captured NTLM authentication to LDAP and perform directory operations in the victim context. T1557 Adversary-in-the-Middle | T1557Adversary-in-the-Middle | Alto |
LDAP Signing / Channel Binding Not HardenedEn informe LDAP When Domain Controllers do not require LDAP signing or do not enforce channel binding, attackers can relay coerced or captured NTLM authentication to LDAP and perform directory operations in the victim context. T1557.001 LLMNR/NBT-NS Poisoning + SMB Relay | T1557.001LLMNR/NBT-NS Poisoning + SMB Relay | Alto |
noPac/sAMAccountName Spoofing (CVE-2021-42278 + CVE-2021-42287)En informe CVE NoPac chains two Active Directory vulnerabilities to achieve domain compromise from any standard domain user account. T1558 Steal or Forge Kerberos Tickets | T1558Steal or Forge Kerberos Tickets | Crítico |
KRBTGT Password Exposure DetectedEn informe Privilege The KRBTGT account is the built-in service account used by the Kerberos Distribution Center (KDC) to encrypt and sign all Kerberos Ticket-Granting Tickets (TGTs) issued in the domain. T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001Steal or Forge Kerberos Tickets: Golden Ticket | Crítico |
KerberoastingEn informe Kerberos In an Active Directory (AD) environment, Service Principal Names (SPNs) are used to uniquely identify instances of a Windows service. T1558.003 Kerberoasting | T1558.003Kerberoasting | Core |
AS-REP RoastingEn informe Kerberos Preauthentication offers protection against offline Password Cracking. T1558.004 AS-REP Roasting | T1558.004AS-REP Roasting | Core |
Shadow Credentials (msDS-KeyCredentialLink) PresentEn informe Credential Access One or more Active Directory objects have existing msDS-KeyCredentialLink attribute values. T1606.002 Forge Web Credentials: SAML Tokens | T1606.002Forge Web Credentials: SAML Tokens | Alto |
ADCS ESC1 - Misconfigured Certificate TemplateEn informe ADCS ADCS ESC1 occurs when a certificate template is configured to allow requesters to specify a Subject Alternative Name (SAN) in their certificate request, combined with an authentication-capable Extended Key Usage (EKU) such as Client Authentication, Smart Card Logon, or PKINIT. T1649 Steal or Forge Authentication Certificates | T1649Steal or Forge Authentication Certificates | Crítico |
Discovery
10 checks| Check | Técnica ATT&CK | Severidad |
|---|---|---|
Remote System Discovery ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1018 Remote System Discovery | T1018Remote System Discovery | Soporte |
Permission Groups Discovery ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1069 Permission Groups Discovery | T1069Permission Groups Discovery | Soporte |
Account Discovery ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1087 Account Discovery | T1087Account Discovery | Soporte |
LDAP Anonymous Bind EnabledEn informe LDAP Lightweight Directory Access Protocol (LDAP) supports anonymous bind operations, which permit unauthenticated clients to connect and query directory information from a Domain Controller without presenting any credentials. T1087.002 Account Discovery: Domain Account | T1087.002Account Discovery: Domain Account | Core |
Domain Trust Discovery ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1482 Domain Trust Discovery | T1482Domain Trust Discovery | Soporte |
Credentials Found in LDAP AttributesEn informe Credential Exposure Credential material (passwords, tokens, or similar secrets) was detected in cleartext LDAP attributes such as description, info, unixUserPassword, or userPassword. | Alto | |
krbtgt Account Password Not RotatedEn informe Kerberos Security The krbtgt account password has not been changed in more than 180 days. | Alto | |
Machine Account Quota Allows Domain JoinEn informe Domain Configuration The ms-DS-MachineAccountQuota attribute is set to a value greater than 0. | Core | |
Obsolete Operating SystemsEn informe Asset Hygiene One or more domain-joined systems appear to be running obsolete Windows versions identified through LDAP inventory. | Alto | |
RC4-Only Kerberos Accounts (No AES Support)En informe Kerberos Security One or more accounts do not have AES encryption types configured (msDS-SupportedEncryptionTypes bits 2-4 are all zero). | Core |
Lateral Movement
5 checks| Check | Técnica ATT&CK | Severidad |
|---|---|---|
Remote Services: RDP ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1021.001 Remote Services: RDP | T1021.001Remote Services: RDP | Soporte |
SMB Guest Session Share AccessEn informe SMB One or more hosts accepted SMB guest session authentication and exposed accessible shares. T1021.002 Remote Services: SMB/Windows Admin Shares | T1021.002Remote Services: SMB/Windows Admin Shares | Alto |
Pass the Hash ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1550.002 Pass the Hash | T1550.002Pass the Hash | Soporte |
Pass the Ticket ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1550.003 Pass the Ticket | T1550.003Pass the Ticket | Soporte |
Lateral Tool Transfer ATT&CK technique surfaced by ADscan in the kill-chain heatmap and coverage matrix when observed in the target domain. T1570 Lateral Tool Transfer | T1570Lateral Tool Transfer | Soporte |
Genera un hallazgo en el informe técnico. Se muestra en el mapa de calor kill-chain y la matriz de cobertura cuando se observa. Generado 2026-05-02.
¿Quieres esto cruzado con tu marco de cumplimiento?
Cada hallazgo mapeado a ENS Alto, NIS2, ISO 27001, DORA y PCI DSS. Listo para el consejo, sin barrera de correo. O míralo ejecutarse sobre tu propio Active Directory, gratis, entregado el mismo día.