
How do I prioritize my Active Directory findings?

This article explains how to prioritize and triage findings from Active Directory (AD) assessments. It covers the recommended triage order and which findings to escalate even when their assigned severity appears lower than expected.

Process findings top-down
Work through findings in the order below. Clear each tier before moving to the next.

Tier 1: Critical & high

Review every finding in this tier. These map to attack techniques actively used in the wild, including:

  • Kerberos delegation abuse
  • Group Policy Preferences plaintext password (cpassword) exposure
  • DCSync rights obtained through the Exchange Windows Permissions group's WriteDACL on the domain object
  • ADCS ESC1 and ESC4 certificate template abuse
  • AdminSDHolder persistence
  • Lateral movement via end-of-life operating systems

Each finding in this tier should be assigned an owner and a remediation deadline before moving on.

Tier 2: Tier 0 exposure

Tier 0 refers to your most critical Active Directory assets: Domain Controllers, krbtgt, AdminSDHolder, and the Domain, Enterprise, and Schema Admins groups. A Medium-severity finding that affects any of these assets outweighs a High-severity finding elsewhere in your environment.

The following findings warrant escalation despite a Medium classification:

Finding ID         Description
HID-2-1-5320757    DC objects owned by non-administrative principals
HID-2-1-5320752    Domain Admin interactive logon on a DC
HID-2-1-5320876    Kerberoastable Domain Admin account
HID-2-1-5320891    Active Schema Admins membership

Tier 3: Identity-plane weaknesses

These findings are typically low-cost to remediate and yield a substantial reduction in blast radius, because each one removes a weak authentication path (legacy hashes, weak Kerberos encryption, roastable accounts, or anonymous enumeration) that an attacker uses to get a first foothold or to escalate. Address them after Tier 0 exposure has been resolved. Before disabling NTLMv1 or DES, check authentication logs for legacy clients that still depend on them; those two settings are the ones in this tier most likely to break something when switched off.

Finding ID         Description
HID-2-1-5320837    NTLMv1 permitted
HID-2-1-5320716    LM hash storage enabled
HID-2-1-5320813    DES Kerberos encryption in use
HID-2-1-5320826    Kerberos pre-authentication disabled on privileged accounts
HID-2-1-5320732    Anonymous Logon in the Pre-Windows 2000 Compatible Access group
HID-2-1-5320733    Authenticated Users in the Pre-Windows 2000 Compatible Access group
HID-2-1-5320707    Anonymous LDAP enabled via dsHeuristics

Tier 4: Operational drift

Findings in this tier represent genuine risk but are typically addressed through scheduled cleanup work rather than emergency response. This includes:

  • Stale or inactive accounts
  • Missing Local Administrator Password Solution (LAPS) deployment
  • Missing or incomplete audit policies

Tier 5: Trust hygiene

Findings that reference trusts or SID history may require coordination with the owner of the corresponding domain or forest. Allow time for cross-team planning before scheduling remediation.
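The five tiers above are one ordering rule, and it is easy to apply mechanically to an exported findings list. The script below is an added example, not tooling from the assessment product or this knowledge base: it encodes the tier rules (severity first, then the Tier 0 override for Medium findings, then the identity-plane finding IDs listed above, then trust versus cleanup keywords) and sorts a findings export accordingly. The export format (one record per finding with an ID, a severity, a description, and the assets it affects) is assumed, the keyword lists for Tiers 4 and 5 are assumptions, and the sample findings are constructed for the example; the HID identifiers are the ones quoted in the tables above.

```python
"""Order AD assessment findings by the five-tier triage scheme described above.

Added example. The finding record layout, the Tier 4/5 keyword lists and the
SAMPLE-* findings are assumptions constructed for illustration; only the
HID-2-1-* identifiers come from the article's tables.
"""
from dataclasses import dataclass

# Tier 0 assets named in the article (compared case-insensitively).
TIER0_ASSETS = {
    "domain controllers", "krbtgt", "adminsdholder",
    "domain admins", "enterprise admins", "schema admins",
}

# Medium findings the article says to escalate (Tier 2).
TIER0_EXPOSURE_IDS = {
    "HID-2-1-5320757", "HID-2-1-5320752", "HID-2-1-5320876", "HID-2-1-5320891",
}

# Identity-plane weaknesses (Tier 3).
IDENTITY_PLANE_IDS = {
    "HID-2-1-5320837", "HID-2-1-5320716", "HID-2-1-5320813", "HID-2-1-5320826",
    "HID-2-1-5320732", "HID-2-1-5320733", "HID-2-1-5320707",
}

# Assumed keywords for Tier 5 (trust hygiene); checked before the Tier 4 default
# so a trust finding is never scheduled as routine cleanup.
TRUST_KEYWORDS = ("trust", "sid history", "sidhistory")

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    description: str
    affects: tuple[str, ...] = ()  # asset names the finding touches


def tier(f: Finding) -> int:
    """Return the triage tier (1 = work first, 5 = work last)."""
    if f.severity.lower() in ("critical", "high"):
        return 1  # Tier 1: every Critical/High, regardless of asset
    touched = {a.lower() for a in f.affects}
    if f.id in TIER0_EXPOSURE_IDS or touched & TIER0_ASSETS:
        return 2  # Tier 2: Medium finding on a Tier 0 asset outranks the rest
    if f.id in IDENTITY_PLANE_IDS:
        return 3  # Tier 3: identity-plane weaknesses
    if any(k in f.description.lower() for k in TRUST_KEYWORDS):
        return 5  # Tier 5: needs cross-domain/forest coordination
    return 4      # Tier 4: everything else is scheduled cleanup


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Sort by tier, then by severity within the tier, then by ID for stability."""
    return sorted(
        findings,
        key=lambda f: (tier(f), SEVERITY_RANK.get(f.severity.lower(), 5), f.id),
    )


def group_by_tier(findings: list[Finding]) -> dict[int, list[str]]:
    """Map each tier number to the finding IDs that fall into it, in triage order."""
    grouped: dict[int, list[str]] = {}
    for f in prioritize(findings):
        grouped.setdefault(tier(f), []).append(f.id)
    return grouped


# Constructed sample export (SAMPLE-* IDs are made up for this example).
SAMPLE_FINDINGS = [
    Finding("SAMPLE-1", "High", "Unconstrained Kerberos delegation on a member server"),
    Finding("SAMPLE-2", "Medium", "Stale computer accounts with no logon in 90 days"),
    Finding("HID-2-1-5320876", "Medium", "Kerberoastable Domain Admin account",
            affects=("Domain Admins",)),
    Finding("SAMPLE-3", "Medium", "SID history present on accounts in a trusted domain"),
    Finding("HID-2-1-5320707", "Low", "Anonymous LDAP enabled via dsHeuristics"),
    Finding("SAMPLE-4", "Medium", "Non-default ACE granting write access on krbtgt",
            affects=("krbtgt",)),
    Finding("SAMPLE-5", "Critical", "DCSync rights via Exchange WriteDACL on the domain object"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"Tier {tier(f)}  {f.severity:<8} {f.id:<18} {f.description}")
```

The Tier 2 rule is applied in two ways on purpose: by the escalation IDs the article lists, and by any affected asset in the Tier 0 set, so a Medium finding the list does not name still surfaces if its record says it touches a DC or krbtgt. Anything unrecognised lands in Tier 4 rather than being dropped, which is the safe default for a scheduled-cleanup queue.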

Related articles
For help reading your results:
How do I read my Active Directory assessment results?

For validating false positives and resolving findings:
How do I validate and resolve AD findings?