Welcome to the new definition of Active Directory security

Introducing Alsid for Active Directory, the comprehensive security solution that provides instant peace of mind for your Active Directory teams. Built by and for security professionals, Alsid’s solution is ‘plug and play in a day.’ No agents, no privileges, no nonsense. Just harden, detect, and respond. Discover Alsid’s solutions now.

  • Find existing weaknesses

    Immediately discover, map, and score existing weaknesses. Follow our step-by-step remediation tactics and prevent attacks.


  • Uncover attack pathways

    Instantly identify new vulnerabilities and misconfigurations. Break attack pathways and keep your threat exposure in check.


  • Investigate incidents

    Drill down into the most comprehensive security tracker for AD. Search and correlate AD changes at object and attribute levels.


  • Detect attacks in real time

    Get real-time alerts and actionable remediation plans on AD attacks. Visualize notifications and trigger responses in your SIEM / SOAR / SOC.


  • Find and fix existing weaknesses

    • Uncover and fix existing weaknesses with 45 Indicators of Exposure, each composed of 100+ security checkers.
    • Identify quick-wins and inform your remediation plans with dynamic threat scoring, complexity rating, and recommended course of action.
    • Track security progress using a baseline score or a custom-made scoring framework.
  • Continuously uncover new attack pathways

    • Keep your security exposure in check by closing new security gaps before they get exploited.
    • Detect new attack pathways in real-time thanks to thousands of security triggers.
    • Spot and fix dangerous ACEs for your Active Directory objects.
    • Go deeper with comprehensive vulnerability details, research links, and embedded remediation tactics.
  • Detect ongoing attacks in real time

    • Spot attacks across all domains and forests in real time and prevent attackers’ lateral movements.
    • Leverage our AD-native hypergraph engine to catch attacks that bypass logs such as DCSync and DCShadow.
    • Beat the best threat actors’ breakout time (~17 minutes) with the only true real-time technology on the market.
    • Augment your existing security ecosystem with AD-centric notifications in your SIEM and playbooks for your SOAR.
  • Investigate incidents and hunt for threats

    • Search and correlate AD-native data to uncover suspicious activities and find patient zero.
    • Develop queries and customized rules at object and attribute levels.
    • Focus only on meaningful security information with our false-positive-proof hypergraph engine.
    • Dissect Active Directory and SYSLOG replication data for breach entry and lateral movement discovery.
    • Forward investigation findings to your SIEM & SOAR for event correlation and automated response.


The Simplest Possible Architecture

Enjoy a solution that does more than any other, without the need for any painful agent deployments or nonsensical privileges over your AD. Log in to your dedicated cloud platform, set up your VPN, and immediately start reducing your attack surface.

    • Your Alsid dedicated instance lives in the cloud of your choice
    • Benefit from transparent scaling as our platform adapts to meet your needs
    • We’ll take care of pushing security and feature upgrades continuously
    • Roll out our on-prem platform in your air-gapped infrastructures
    • Simply summon a VPN link to get our hypergraph engine started
    • Your Alsid instance will connect to only 1 Domain Controller per monitored domain
    • Alsid only uses standard protocols to operate, such as LDAP, KERBEROS, DNS, NETBIOS DSRU RPC, etc.
    • Get the value without the pain, with no agent to deploy, and no risk for your operations
    • Our solution does not need any form of privilege over your AD, so your infrastructure is safe with us
    • Our API-based monitoring can handle hundreds of domains and forests without any perceivable footprint on your servers and network


Understanding Alsid’s IoE

Our Indicators of Exposure are constantly run against your AD’s hypergraph to uncover weaknesses and attacks.

Privilege attack vectors

These IoE ensure that monitored Active Directory infrastructures cannot be exploited by attackers to gain admin privileges.

Backdooring techniques

These IoE confirm there are no backdoors into your Active Directory environment and ensure the efficiency of deployed security strategies.

Dangerous security models

These IoE ensure that monitored Active Directory infrastructures are implementing recommended security strategies that reinforce information systems against cyberattacks.

| Classif. icon + name of IoE | Explanation | Known offensive tools | MITRE ATT&CK Matrix™ |
|---|---|---|---|
| (C) Privileged accounts running Kerberos services | Highly privileged accounts using a brute-forceable Kerberos Service Principal Name | Kerberom | Privilege escalation, Lateral movement, Persistence |
| (C) Dangerous Kerberos delegation | Check that no dangerous delegation (unconstrained, protocol transition, etc.) is authorized | Nishang | Lateral movement, Persistence, Privilege escalation |
| (C) Use of weak cryptography algorithms into Active Directory PKI | Root certificates deployed on internal Active Directory PKI must not use weak cryptographic algorithms | ANSSI-ADCP | Persistence, Privilege escalation, Lateral movement |
| (C) Dangerous access rights delegation on critical objects | Some access rights allowing illegitimate users to control critical objects have been found | BloodHound | Exfiltration, Lateral movement, Command and control, Credential access, Privilege escalation |
| (U) (M) Multiple issues in the password policy | On some specific accounts, the current password policies are insufficient to ensure robust credentials protection | Patator | Defense evasion, Lateral movement, Credential access, Privilege escalation |
| (C) Dangerous RODC management accounts | The administrative groups in charge of Read-Only Domain Controllers contain abnormal accounts | Impacket | Credential access, Defense evasion, Privilege escalation |
| (C) Sensitive GPO linked to critical objects | Some GPOs managed by non-administrative accounts are linked to sensitive Active Directory objects (e.g. the KDC account, Domain Controllers, administrative groups, etc.) | ANSSI-ADCP | Command and control, Credential access, Persistence, Privilege escalation |
| (U) Administrative accounts allowed to connect to other systems than the Domain Controllers | The security policies deployed on the monitored infrastructure do not prevent administrative accounts from connecting to resources other than DCs, leading to sensitive credentials exposure | CrackMapExec | Defense evasion, Credential access |
| (C) Dangerous trust relationship | Misconfigured trust relationship attributes decrease the security of a directory infrastructure | Kekeo | Lateral movement, Credential access, Privilege escalation, Defense evasion |
| (C) Reversible passwords in GPO | Verify that no GPO contains passwords stored in a reversible format | SMB Password crawler | Credential access, Privilege escalation |
| (M) Computers running an obsolete OS | Obsolete systems are no longer supported by the vendor and greatly increase the infrastructure vulnerability | Metasploit | Lateral movement, Command and control |
| (U) (M) Accounts using a pre-Windows 2000 compatible access control | Accounts that are members of the Pre-Windows 2000 Compatible Access group can bypass specific security measures | Impacket | Lateral movement, Defense evasion |
| (U) Local administrative account management | Ensure local administrative accounts are managed centrally and securely using LAPS | CrackMapExec | Defense evasion, Credential access, Lateral movement |
| (U) Dangerous anonymous users configuration | Anonymous access is activated on the monitored Active Directory infrastructure, leading to sensitive information leaks | Impacket | Exfiltration |
| (C) Abnormal RODC filtered attributes | The filtering policies applied on some Read-Only Domain Controllers can lead to sensitive information caching, allowing privilege escalations | Mimikatz (DCShadow) | Privilege escalation, Defense evasion |
| (U) Lacking restriction on lateral movements attack scenario | Lateral movement restriction has not been activated on the monitored Active Directory infrastructure, allowing attackers to bounce from machine to machine with the same level of privileges | CrackMapExec | Lateral movement |
| (M) Clear-text password stored in DC shares | Some files on DC shares, accessible by any authenticated user, are likely to contain clear-text passwords, allowing privilege escalation | SMBSpider | Credential access, Privilege escalation, Persistence |
| (C) Dangerous access control rights on logon scripts | Some scripts, run during a computer or a user logon, have dangerous access rights, leading to privilege escalation | Metasploit | Lateral movement, Privilege escalation, Persistence |
| (C) Dangerous parameters are used in GPO | Some dangerous parameters (e.g. restricted groups, LM hash computation, NTLM authentication level, sensitive parameters, etc.) are set by GPO, creating security breaches | Responder | Discovery, Credential access, Execution, Persistence, Privilege escalation, Defense evasion |
| (U) Dangerous parameters defined in the User Account Control configuration | The User Account Control attribute of some user accounts defines dangerous parameters (e.g. PASSWD_NOTREQD or PARTIAL_SECRETS_ACCOUNT), which endanger the security of said account | Mimikatz (LSADump) | Persistence, Privilege escalation, Defense evasion |
| (M) Lacking application of security patches | Some servers registered in Active Directory have not recently applied security updates | Metasploit | Command and control, Privilege escalation, Defense evasion |
| (U) Brute force attempt on user accounts | Some user accounts have been targeted by a brute force attempt | Patator | Credential access |
| (U) Kerberos configuration on user account | Some accounts are using weak Kerberos configuration | Mimikatz (Silver Ticket) | Credential access, Privilege escalation |
| (M) Abnormal share or file stored on the DC | Some domain controllers are used to host non-necessary files or network shares | SMBSpider | Discovery, Exfiltration |

Classif. icons:

User (U)

Machine (M)

Security Component (C)

| Classif. icon + name of IoE | Explanation | Known offensive tools | MITRE ATT&CK Matrix™ |
|---|---|---|---|
| (C) Ensure SDProp consistency | Check that the adminSDHolder object is in a clean state | Mimikatz (Golden Ticket) | Privilege escalation, Persistence |
| (U) (M) User primary group ID | Verify that users’ primary group has not been changed | BloodHound | Privilege escalation, Persistence |
| (C) Verify root domain object permissions | Ensure the permissions set on the root domain object are sane | BloodHound | Privilege escalation, Persistence |
| (C) Verify sensitive GPO objects and files permissions | Ensure that permissions set on the GPO objects and files linked to sensitive containers (like the Domain Controllers OU) are sane | BloodHound | Execution, Privilege escalation |
| (C) Dangerous access rights on RODC KDC account | The KDC account used on some Read-Only Domain Controllers can be controlled by an illegitimate user account, leading to credential leaks | Mimikatz (DCSync) | Privilege escalation, Persistence |
| (U) (M) Sensitive certificates mapped to user accounts | Some X509 certificates are stored in the altSecurityIdentities user account attribute, allowing the certificate’s private key owner to authenticate as this user | Not implemented (yet) | Command and control, Credential access, Privilege escalation, Persistence |
| (U) Rogue Krbtgt SPN set on regular account | The Service Principal Name of the KDC is present on some regular user accounts, leading to Kerberos ticket forgery | Mimikatz (Golden Ticket) | Privilege escalation, Persistence |
| (C) KDC password last change | The KDC account password must be changed regularly | Mimikatz (Golden Ticket) | Credential access, Privilege escalation, Persistence |
| (U) (M) Accounts having a dangerous SID History attribute | Check user or computer accounts using a privileged SID in the SID history attribute | DeathStar | Privilege escalation, Persistence |
| (M) Rogue domain controllers | Ensure only legitimate Domain Controller servers are registered in the Active Directory infrastructure | Mimikatz (DCShadow) | Execution, Defense evasion, Privilege escalation, Persistence |
| (C) Illegitimate Bitlocker key access control | Some Bitlocker recovery keys stored in Active Directory can be accessed by people other than administrators and linked computers | ANSSI-ADCP | Credential access, Privilege escalation, Persistence |
| (C) Abnormal entries in the Schema security descriptor | The Active Directory Schema has been modified, leading to new standard access rights or objects that can endanger the monitored infrastructure | BloodHound | Privilege escalation, Persistence |
| (U) DSRM account activated | The Active Directory recovery account has been activated, exposing it to credential theft | Mimikatz (LSADump) | Credential access, Execution, Defense evasion, Privilege escalation, Persistence |
| (C) Dangerous caching policy on RODC | The caching policy configured on some Read-Only Domain Controllers allows global administrative accounts to have their credentials cached and retrieved by RODC management accounts | Mimikatz (DCSync) | Privilege escalation, Persistence |
| (C) Certificate deployed by GPO applied on DC | Some GPOs are used to deploy certificates on Domain Controllers, allowing the certificate’s private key owner to compromise these servers | BloodHound | Privilege escalation, Persistence |
| (U) Authentication hash not renewed when using smartcard | Some user accounts using smartcard authentication do not renew their credentials hash frequently enough | Mimikatz (LSADump) | Persistence |
| (U) Reversible passwords for User accounts | Verify that no parameter causes passwords to be stored in a reversible format | Mimikatz (DCSync) | Credential access |
| (C) Use of explicit denied access on containers | Some Active Directory containers or OUs define explicit denied access, leading to potential backdoor concealment | BloodHound | Defense evasion, Persistence |


| Classif. icon + name of IoE | Explanation | Known offensive tools | MITRE ATT&CK Matrix™ |
|---|---|---|---|
| (U) (M) Native administrative group members | Abnormal accounts in the native administrative groups of Active Directory | Impacket | Persistence, Execution, Privilege escalation, Defense evasion |
| (U) Accounts with never expiring passwords | Accounts with the DONT_EXPIRE property are not affected by password renewal policy | Impacket | Persistence |
| (U) Recent use of the default administrator account | The built-in administrator account has been used recently | Mimikatz (Token Impersonate) | Command and control |
| (C) Protected Users group not created or not used | Verify the Protected Users group has been created on the Active Directory forest and is used | Mimikatz (Silver Ticket) | Credential access |
| (C) Presence of blocking OU | Some organizational units are blocking the application of security policies deployed by GPO | Responder | Persistence |
| (M) Inappropriate number of Domain Controllers | Compared to the monitored Active Directory infrastructures, the number of Domain Controllers seems inappropriate | Metasploit | Discovery |
| (C) Unlinked, disabled or orphan GPO | Having unlinked, disabled or orphan GPOs can lead to administrative errors | GPOInjection | Defense evasion |
| (U) (M) Sleeping accounts | Unused sleeping accounts are still activated | Mimikatz (Token Impersonate) | Persistence |
| (U) (M) AdminCount attribute set on standard users | Some decommissioned administrative accounts are not globally manageable | CrackMapExec | Persistence, Privilege escalation |
| (U) (M) Disabled accounts in privileged groups | Accounts that are not used anymore should not stay in privileged groups | Mimikatz (Silver Ticket) | Persistence |
| (C) Domains have an outdated functional level | A low functional level prevents the use of advanced functionalities or improvements | Patator | Defense evasion |
| (C) Domain using a dangerous backward-compatibility configuration | The dSHeuristics attribute can modify AD behavior and have security impacts | Enum | Credential access, Privilege escalation, Defense evasion |
| (U) Lacking the use of Managed Service Accounts | Some compatible service accounts are not using the Active Directory Managed Service Accounts feature to automatically renew their password | Patator | Defense evasion |
| (C) Lacking the use of Advanced Audit Policy | The modern Active Directory event logging feature is not used, leading to inappropriate security event monitoring | Mimikatz (LSADump) | Defense evasion |
| (C) Lack of Active Directory backups | The monitored AD infrastructure does not seem to make regular backups | Impacket | Defense evasion |
| (U) (M) Regular users can add new computers into AD domain | Regular users are allowed to add new computers in the monitored Active Directory domains without the administrative teams’ approval | Mimikatz (DCShadow) | Persistence, Privilege escalation |
| (C) Active Directory event logs not centralized | Active Directory event logs do not appear to be centralized and harvested to ensure efficient incident response | Metasploit | Defense evasion |
| (U) (M) Account naming convention not fully respected | Some accounts do not follow the naming convention defined for the monitored infrastructure | Responder | Defense evasion |
| (C) Use of non-canonical ACE | Some access control policies set on Active Directory objects use non-canonical ACEs, which could lead to misleading information | Empire | Persistence |
