# Active Directory Credential Posture Auditor

A 100% defensive security auditing tool that audits the credential management posture in Active Directory, including password policies, credential hygiene, and compliance with the CIS, ANSSI, and NIST frameworks.
DISCLAIMER: For authorized security auditing only. This tool performs READ-ONLY LDAP queries and does NOT extract, crack, or exploit any credentials. Unauthorized use is strictly prohibited.
CredentialAudit-AD is a 100% defensive security auditing tool that evaluates the credential management posture in Active Directory.

## Features
- Password Policy: domain password policy audit (length, complexity, history, age, lockout)
- Fine-Grained Password Policies: PSO detection and evaluation
- LAPS: LAPS deployment verification by OU/machine
- gMSA: Group Managed Service Account usage audit
- Credential Hygiene:
  - Shared account detection
  - Kerberoastable accounts (SPNs with weak passwords)
  - AS-REP Roastable accounts (no pre-authentication)
  - Admin accounts without MFA
  - Protected Users group membership
  - Unconstrained Kerberos delegation
  - Credential Guard readiness
- Compliance:
  - CIS Benchmark v3 (sections 1.1, 1.2)
  - ANSSI - AD password recommendations
  - NIST 800-63B - Password guidelines
  - Global scoring by framework
- Reports: HTML, JSON, Markdown, CSV with dashboard and scoring
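To make the hygiene checks concrete, here is an added example (my code, not part of CredentialAudit-AD) that classifies account records by the same conditions the feature list names, using only the `userAccountControl` bits, `servicePrincipalName`, `adminCount`, `memberOf` and `pwdLastSet` attributes. The records are constructed inline in the attribute-name-to-value shape ldap3 returns for AD objects, so the code runs offline; the check identifiers and the 365-day staleness threshold are this example's own choices, not the project's.

```python
"""Credential-hygiene classification over LDAP-style account records.

Added example, not code from CredentialAudit-AD. Records are constructed
to mimic ldap3 attribute dicts; check ids are this example's own.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as defined by Active Directory.
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return int((dt - _FILETIME_EPOCH).total_seconds()) * 10_000_000


def check_account(rec, now, stale_days=365):
    """Return the hygiene check ids that fire for one account record."""
    uac = rec.get("userAccountControl", 0)
    if uac & UF_ACCOUNTDISABLE:
        return []  # disabled accounts are out of scope for these checks
    is_computer = bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))
    is_dc = "OU=Domain Controllers" in rec.get("distinguishedName", "")
    member_of = rec.get("memberOf", [])
    findings = []
    # AS-REP roasting requires DONT_REQUIRE_PREAUTH on the account.
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("asrep_roastable")
    # A user (not machine) account carrying an SPN has service tickets
    # protected by a human-chosen password: the Kerberoasting condition.
    if rec.get("servicePrincipalName") and not is_computer:
        findings.append("kerberoastable_user_spn")
    # Unconstrained delegation is expected on DCs, a risk anywhere else.
    if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append("unconstrained_delegation")
    # Privileged accounts (adminCount=1) should sit in Protected Users.
    if rec.get("adminCount") == 1 and not any(
        dn.startswith("CN=Protected Users,") for dn in member_of
    ):
        findings.append("admin_not_in_protected_users")
    if not is_computer:
        if uac & UF_DONT_EXPIRE_PASSWD:
            findings.append("password_never_expires")
        # pwdLastSet of 0 means "must change at next logon", not stale.
        pwd_last_set = rec.get("pwdLastSet", 0)
        if pwd_last_set and now - filetime_to_datetime(pwd_last_set) > timedelta(days=stale_days):
            findings.append("stale_password")
    return findings


def run_hygiene(records, now):
    """Map sAMAccountName -> findings, keeping only accounts with findings."""
    results = {}
    for rec in records:
        hits = check_account(rec, now)
        if hits:
            results[rec["sAMAccountName"]] = hits
    return results


# Constructed sample data with a fixed clock so results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_RECENT = datetime_to_filetime(NOW - timedelta(days=30))
_OLD = datetime_to_filetime(NOW - timedelta(days=800))
BASE = "DC=corp,DC=local"
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "distinguishedName": f"CN=svc_sql,OU=Service,{BASE}",
     "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "memberOf": [f"CN=Domain Admins,CN=Users,{BASE}"], "pwdLastSet": _OLD},
    {"sAMAccountName": "legacy_app", "distinguishedName": f"CN=legacy_app,OU=Apps,{BASE}",
     "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH, "pwdLastSet": _RECENT},
    {"sAMAccountName": "alice", "distinguishedName": f"CN=alice,OU=Admins,{BASE}",
     "userAccountControl": 0x200, "adminCount": 1, "pwdLastSet": _RECENT,
     "memberOf": [f"CN=Domain Admins,CN=Users,{BASE}", f"CN=Protected Users,CN=Users,{BASE}"]},
    {"sAMAccountName": "DC01$", "distinguishedName": f"CN=DC01,OU=Domain Controllers,{BASE}",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/dc01.corp.local"]},
    {"sAMAccountName": "WEB01$", "distinguishedName": f"CN=WEB01,OU=Servers,{BASE}",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/web01.corp.local"]},
    {"sAMAccountName": "old_contractor", "distinguishedName": f"CN=old_contractor,OU=Users,{BASE}",
     "userAccountControl": 0x200 | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH, "pwdLastSet": _OLD},
]

if __name__ == "__main__":
    for name, hits in run_hygiene(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {', '.join(hits)}")
```

Two design points matter in practice: disabled accounts are skipped rather than reported, so that stale disabled objects do not drown the findings for live ones, and the delegation check exempts objects under the Domain Controllers OU because a DC legitimately carries `TRUSTED_FOR_DELEGATION`. Feeding real data means running an LDAP search for these attributes with a read-only account and passing each entry's attribute dict to `check_account`.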
## Usage

```bash
# Full audit
credentialaudit-ad audit -s dc01.corp.local -d corp.local -u CORP\\admin -p password
# Hygiene checks only
credentialaudit-ad hygiene -s dc01.corp.local -d corp.local -u CORP\\admin -p password
# Compliance verification
credentialaudit-ad compliance -s dc01.corp.local -d corp.local -u CORP\\admin -p password --framework all
# HTML report generation
credentialaudit-ad report -s dc01.corp.local -d corp.local -u CORP\\admin -p password --format html
```

Run these with a dedicated, least-privilege account that only needs read access to the directory; a password passed with `-p` is visible in shell history and process listings, so protect the audit account's credentials accordingly.

## Installation

```bash
git clone https://github.com/ayinedjimi/CredentialAudit-AD.git
cd CredentialAudit-AD
pip install -e .
```

## Requirements

- Python 3.8+
- ldap3
- rich
- pandas
- openai
## Project Structure

```text
CredentialAudit-AD/
├── src/credentialaudit_ad/
│   ├── __init__.py              # Package initialization
│   ├── models.py                # Data models
│   ├── policy_auditor.py        # Password policy auditor
│   ├── hygiene_checker.py       # Credential hygiene checker
│   ├── compliance.py            # CIS/ANSSI/NIST compliance
│   ├── reporter.py              # Report generation
│   └── cli.py                   # Command-line interface
├── tests/
│   ├── test_policy_auditor.py   # Policy auditor tests
│   ├── test_hygiene_checker.py  # Hygiene checker tests
│   └── test_compliance.py       # Compliance tests
├── setup.py
├── requirements.txt
├── LICENSE
└── README.md
```
## MITRE ATT&CK Coverage

| Technique | ID | Detection |
|---|---|---|
| Kerberoasting | T1558.003 | Identifies Kerberoastable accounts |
| AS-REP Roasting | T1558.004 | Identifies AS-REP roastable accounts |
| Credential Dumping | T1003 | Checks Protected Users & Credential Guard |
| Brute Force | T1110 | Evaluates lockout policy effectiveness |
## Standards

- CIS Benchmark v3 for Windows Server - Sections 1.1, 1.2
- ANSSI Recommendations for AD Security - R37, R39, R68, R69, R70
- NIST 800-63B Digital Identity Guidelines
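The CIS section 1.1 (password) and 1.2 (lockout) controls are the ones that can be read straight from the domain root object's LDAP attributes, which makes them a compact scoring example. The code below is an added example, not the project's compliance module: it converts the negative 100-nanosecond intervals AD uses for `maxPwdAge`, `minPwdAge`, `lockoutDuration` and `lockOutObservationWindow` into days and minutes, tests them against the CIS Windows Server benchmark thresholds as I know them, and scores each section. The two policy dicts are constructed (the stock defaults of a new domain and a hardened variant), and the control names and percentage scoring are this example's own, not CredentialAudit-AD's.

```python
"""Score a domain password/lockout policy against CIS sections 1.1 and 1.2.

Added example, not code from CredentialAudit-AD. Policy dicts are
constructed in the attribute shape ldap3 returns for the domain object;
thresholds are CIS Windows Server benchmark values as I know them.
"""

DOMAIN_PASSWORD_COMPLEX = 0x1          # pwdProperties bit for complexity
TICKS_PER_DAY = 864_000_000_000        # 100-ns ticks in one day
TICKS_PER_MINUTE = 600_000_000         # 100-ns ticks in one minute
NEVER = -0x8000000000000000            # "never expires" / "until admin unlocks"


def interval_to_days(value):
    """AD durations are negative tick counts; NEVER maps to None."""
    return None if value == NEVER else -value / TICKS_PER_DAY


def interval_to_minutes(value):
    return None if value == NEVER else -value / TICKS_PER_MINUTE


def cis_checks(policy):
    """Evaluate the 1.1/1.2 controls readable from LDAP.

    Each entry is (section, control, passed, observed value).
    """
    max_age = interval_to_days(policy["maxPwdAge"])
    min_age = interval_to_days(policy["minPwdAge"])
    lock_dur = interval_to_minutes(policy["lockoutDuration"])
    lock_win = interval_to_minutes(policy["lockOutObservationWindow"])
    complex_on = bool(policy["pwdProperties"] & DOMAIN_PASSWORD_COMPLEX)
    return [
        ("1.1", "Enforce password history >= 24", policy["pwdHistoryLength"] >= 24, policy["pwdHistoryLength"]),
        ("1.1", "Maximum password age 1..365 days", max_age is not None and 0 < max_age <= 365, max_age),
        ("1.1", "Minimum password age >= 1 day", min_age is not None and min_age >= 1, min_age),
        ("1.1", "Minimum password length >= 14", policy["minPwdLength"] >= 14, policy["minPwdLength"]),
        ("1.1", "Complexity requirements enabled", complex_on, complex_on),
        # "Until an administrator unlocks" (NEVER) is treated as passing here.
        ("1.2", "Account lockout duration >= 15 min", lock_dur is None or lock_dur >= 15, lock_dur),
        ("1.2", "Account lockout threshold 1..5", 1 <= policy["lockoutThreshold"] <= 5, policy["lockoutThreshold"]),
        ("1.2", "Reset lockout counter after >= 15 min", lock_win is not None and lock_win >= 15, lock_win),
    ]


def score(checks):
    """Percentage of passing controls per section and overall, plus the failures."""
    out = {}
    for section in sorted({c[0] for c in checks}):
        mine = [c for c in checks if c[0] == section]
        out[section] = round(100 * sum(c[2] for c in mine) / len(mine), 1)
    out["overall"] = round(100 * sum(c[2] for c in checks) / len(checks), 1)
    out["failed"] = [(c[1], c[3]) for c in checks if not c[2]]
    return out


# Constructed sample: the stock defaults of a freshly created domain.
DEFAULT_POLICY = {
    "minPwdLength": 7, "pwdHistoryLength": 24, "pwdProperties": 1,
    "maxPwdAge": -42 * TICKS_PER_DAY, "minPwdAge": -1 * TICKS_PER_DAY,
    "lockoutThreshold": 0, "lockoutDuration": -30 * TICKS_PER_MINUTE,
    "lockOutObservationWindow": -30 * TICKS_PER_MINUTE,
}
# Constructed hardened variant of the same policy.
HARDENED_POLICY = dict(DEFAULT_POLICY, minPwdLength=14, lockoutThreshold=5,
                       maxPwdAge=-365 * TICKS_PER_DAY)

if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, score(cis_checks(pol)))
```

The interval conversion is the part that bites in practice: a 42-day `maxPwdAge` is stored as -36288000000000, and the special value NEVER is not a large negative number that divides cleanly but the most negative 64-bit integer, so it needs its own branch. The example also shows why the page's per-framework scoring is worthwhile: the CIS maximum-age control above fails a policy with no expiry, while NIST SP 800-63B advises against forcing periodic password changes, so the same `maxPwdAge` value can legitimately score differently under the two frameworks.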
## Tests

```bash
pip install pytest pytest-cov
pytest tests/ -v --cov=credentialaudit_ad
```

## Author

Ayi NEDJIMI — contact@ayinedjimi-consultants.fr

## License

This project is licensed under the MIT License - see the LICENSE file for details.

## Disclaimer

DISCLAIMER: This tool is intended for authorized security auditing only. It performs read-only analysis and does NOT extract, crack, or exploit any credentials. Always obtain proper authorization before auditing any system. Unauthorized use is strictly prohibited and may violate applicable laws.