Unconstrained Kerberos delegation is one of the most dangerous misconfigurations in Active Directory — and one of the most common. Any server with this flag set is silently caching TGTs for every privileged user who connects to it. Here's how to find every account configured for unconstrained delegation in your environment and fix it with PowerShell.

DCSync doesn't require a foothold on a domain controller, just one account with the right to replicate directory data. Here's how to find who has those rights in your environment, remove what doesn't belong, and detect if someone is already using this technique against you.

AS-REP Roasting requires no domain credentials and leaves most environments completely exposed. Any attacker with network access to a Domain Controller can request an encrypted hash for any account with Kerberos pre-authentication disabled and crack it offline at their leisure. Here's how to find every vulnerable account in your environment, fix the ones that matter most, and detect if someone is already taking advantage.