Every Obexum release runs against our own AD lab before shipping. The numbers below come from the latest end-to-end engagement: a freshly-promoted Server 2022 forest with synthetic adversary fixtures (vulnerable cert templates, Kerberoastable accounts, ACL backdoors) and a full inject → detect → remediate → re-detect clean round-trip.
Out of the box, a Server 2022 promoted with the default options exposes a large attack surface. The numbers below are typical — we see them on practically every fresh forest that has not been hardened against the CIS Server 2022 baseline.
Each finding ships with a remediation playbook. Click any rule_id to see its detail in the docs.
| Rule ID | Title | Severity | Playbook | Reboot? |
|---|---|---|---|---|
| AUD-WIN-ADCS-001 | ESC1: SAN-supply template enrollable by low-priv | CRITICAL | pb-adcs-001 | — |
| AUD-WIN-ADCS-002 | ESC2: Any-Purpose EKU template | CRITICAL | pb-adcs-002 | — |
| AUD-WIN-ADCS-006 | ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 set on CA | CRITICAL | pb-adcs-006 | — |
| AUD-WIN-ADCS-008 | ESC8: web enrollment without HTTPS+EPA | CRITICAL | pb-adcs-008 | — |
| AUD-WIN-ADCS-015 | ESC15 / EKUwu (CVE-2024-49019) v1+SAN template | CRITICAL | pb-adcs-015 | — |
| AUD-WIN-DCH-001 | Print Spooler running on DC (PrintNightmare) | CRITICAL | pb-dch-001 | — |
| AUD-WIN-DCH-010 | WDigest UseLogonCredential = 1 (cleartext in LSASS) | CRITICAL | pb-dch-010 | — |
| AUD-WIN-ACL-001 | DCSync extended right granted to non-Tier0 | CRITICAL | pb-acl-001 | — |
| AUD-WIN-ACL-009 | Shadow Credentials write granted to non-Tier0 | CRITICAL | pb-acl-009 | — |
| AUD-WIN-DC-001 | LDAPServerIntegrity ≠ Required (CVE-2017-8563) | HIGH | pb-dc-001 | — |
| AUD-WIN-DC-002 | LdapEnforceChannelBinding ≠ Always | HIGH | pb-dc-002 | — |
| AUD-WIN-PRIV-009 | RunAsPPL not enabled (LSASS dump exposure) | HIGH | pb-priv-009 | yes |
| AUD-WIN-FH-007 | dSHeuristics anonymous LDAP bind bit set | HIGH | pb-fh-007 | — |
| AUD-WIN-PG-006 | Pre-Win2k Compat Access has Authenticated Users | CRITICAL | pb-pg-006 | — |
Want the complete list? Open the live HTML report — all 161 findings are filterable with searchable evidence.
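For the host-level items in the table, here is an added read-only spot-check in PowerShell. It is not Obexum's check engine; it assumes the standard Windows registry locations and the dSHeuristics attribute for each setting, takes its rule ids from the table above, and expects to run elevated on the DC (and on the CA host for the ADCS item) with the ActiveDirectory module installed.

```powershell
# Added example, not Obexum's engine. Run elevated on the DC; the ADCS item
# is only evaluated when the machine also hosts the CA.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdig = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-RegDword($Path, $Name) {
    # $null when the value is absent; the OS default then applies (see comments).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @(
    # Absent = 1 (None); only 2 = Required satisfies the rule.
    @{ Id='AUD-WIN-DC-001';   Actual=(Get-RegDword $ntds 'LDAPServerIntegrity');      Pass={ $args[0] -eq 2 } }
    # Absent = not enforced; only 2 = Always satisfies the rule.
    @{ Id='AUD-WIN-DC-002';   Actual=(Get-RegDword $ntds 'LdapEnforceChannelBinding'); Pass={ $args[0] -eq 2 } }
    # 1 = PPL on, 2 = PPL with UEFI lock; absent = LSASS not protected.
    @{ Id='AUD-WIN-PRIV-009'; Actual=(Get-RegDword $lsa  'RunAsPPL');                  Pass={ $args[0] -in 1,2 } }
    # Absent = disabled on Server 2012 R2 and later; 1 = cleartext creds in LSASS.
    @{ Id='AUD-WIN-DCH-010';  Actual=(Get-RegDword $wdig 'UseLogonCredential');        Pass={ $args[0] -ne 1 } }
    # The Spooler service must not run on a DC.
    @{ Id='AUD-WIN-DCH-001';  Actual=(Get-Service Spooler -ErrorAction SilentlyContinue).Status; Pass={ $args[0] -ne 'Running' } }
)

# AUD-WIN-FH-007: 7th character of dSHeuristics set to '2' allows anonymous LDAP operations.
Import-Module ActiveDirectory -ErrorAction Stop
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$dsh   = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties dSHeuristics).dSHeuristics
$anon  = if ($dsh -and $dsh.Length -ge 7) { [string]$dsh[6] } else { '0' }
$checks += @{ Id='AUD-WIN-FH-007'; Actual=$anon; Pass={ $args[0] -ne '2' } }

# AUD-WIN-ADCS-006: EditFlags bit 0x40000 = EDITF_ATTRIBUTESUBJECTALTNAME2 (CA host only).
$caCfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $caCfg) {
    $caName = (Get-ItemProperty -Path $caCfg).Active
    $flags  = [int](Get-RegDword "$caCfg\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy" 'EditFlags')
    $checks += @{ Id='AUD-WIN-ADCS-006'; Actual=$flags; Pass={ -not ($args[0] -band 0x40000) } }
}

foreach ($c in $checks) {
    $status = if (& $c.Pass $c.Actual) { 'PASS' } else { 'FAIL' }
    '{0,-18} {1}  actual={2}' -f $c.Id, $status, $c.Actual
}
```

A FAIL here is a reason to open the matching playbook, not a substitute for the full check, which also evaluates template ACLs and enrollment rights that this script does not read.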
Every check follows the same forensic-grade round-trip before it ships:

1. Our internal lab harness creates the exact misconfiguration the check is built to detect. ESC1-15 templates, Kerberoastable accounts, ACL backdoors, RBCD configs — every primitive materialised on a controlled DC.
2. We run the new check. It must fire 1:1 with the injection (no extra findings, no missed ones). We capture full probe output as evidence.
3. We remove the injection and re-run the check. It must return PASS. If it still fires, the probe has a false positive and goes back to the bench.
4. We re-apply the injection and re-run. The check must fire again, identically. This catches checks that pass on accidental state cleanup rather than on actual remediation.
569 / 569 checks have completed this round-trip on the lab DC. Every shipping commit references the lab evidence trail. No false positives means we can put a forensic-grade signature on the report.
Every finding shown above was produced by Obexum's deterministic check engine on a controlled lab DC running Windows Server 2022. The methodology is documented and reproducible — under license agreement we share the lab harness so customers can validate Obexum against their own staging environment before signing off.
Windows Server 2022 promoted to a fresh domain (obxlab.local) with default policies, no manual hardening. Same baseline a typical SMB-deployed DC starts from.
Every check was validated under our R1 round-trip protocol: inject the misconfig → detect it → remediate → confirm the detection clears. No baseline-only assumptions.
The same Obexum build that produced these findings is shipped to customers with a SHA-256 manifest. Identical inputs → identical findings.json. Auditors can cross-check.
Customers under enterprise contract receive the lab harness scripts and a step-by-step replication guide as part of the onboarding package — we believe in transparency, but not at the cost of handing detection logic to the threat actors we audit against. Talk to us for the full methodology whitepaper.