Remote Execution Attack Surface Audit Tool for Active Directory
A 100% defensive Blue Team tool for auditing remote execution capabilities in AD environments. Reduces attack surface by identifying exposed services and security misconfigurations.
- Attack Surface Scanner: Detects open services (SMB, WMI, WinRM, RDP, SSH, MSSQL), checks configurations (SMB signing, TrustedHosts, PS CLM, JEA, NLA, LAPS)
- GPO Analysis: Audits remote execution policies, detects dangerous configurations, compares against CIS/ANSSI baselines
- Per-Machine Scoring: Risk evaluation, exposed machine identification, criticality-based prioritization
- Reports: Service heat map, risk table, HTML/JSON/CSV
```bash
git clone https://github.com/nemusic/RemoteExec-Auditor.git
cd RemoteExec-Auditor
pip install -e ".[dev]"
```

```bash
# Scan hosts
remoteexec-auditor scan --hosts hosts.json --dc-hosts DC01,DC02 -o reports/

# Analyze GPOs
remoteexec-auditor analyze-gpo --gpos gpos.json --anssi --remediation

# Full risk assessment
remoteexec-auditor assess --hosts hosts.json --gpos gpos.json -o reports/
```

| Service | Checks | References |
|---|---|---|
| SMB (445) | Signing, SMBv1, Admin Shares | CIS 2.3.9.2, ANSSI R29-R30 |
| WMI (135) | Service exposure | T1047 |
| WinRM (5985/5986) | TrustedHosts, Encryption, JEA | ANSSI R31 |
| RDP (3389) | NLA, Encryption level | CIS 18.9.65, ANSSI R32 |
| LAPS | Deployment, Password age | CIS 18.2.1, ANSSI R33 |
| PowerShell | CLM, Script logging | ANSSI R34 |
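To show how the checks in the table above feed the per-machine scoring and the service heat map described in the feature list, here is an added Python example. It is not RemoteExec-Auditor's own code: the check names, their weights, the criticality thresholds, the record layout passed to `score_host()` and the sample hosts are all assumptions constructed for the example; only the services, ports and CIS/ANSSI references come from the README.

```python
"""Added example, not the RemoteExec-Auditor project's own code: scores hosts
from constructed scan findings against the checks in the README's table."""
from dataclasses import dataclass, field

# Hardened expectation, weight and reference for each check. Check names,
# weights and the criticality thresholds are this example's own assumptions;
# the references are the ones the README table gives.
CHECKS = {
    "smb_signing_required": (True, 3, "CIS 2.3.9.2 / ANSSI R29"),
    "smbv1_enabled": (False, 3, "ANSSI R30"),
    "winrm_trustedhosts_empty": (True, 2, "ANSSI R31"),
    "winrm_https_only": (True, 2, "ANSSI R31"),
    "jea_configured": (True, 1, "ANSSI R31"),
    "rdp_nla_enabled": (True, 3, "CIS 18.9.65 / ANSSI R32"),
    "laps_deployed": (True, 2, "CIS 18.2.1 / ANSSI R33"),
    "ps_constrained_language": (True, 2, "ANSSI R34"),
    "ps_script_block_logging": (True, 1, "ANSSI R34"),
}

# Remote-execution service ports from the README; each open one adds 1 point.
SERVICE_PORTS = {445: "SMB", 135: "WMI", 5985: "WinRM", 5986: "WinRM",
                 3389: "RDP", 22: "SSH", 1433: "MSSQL"}


@dataclass
class HostResult:
    host: str
    score: int = 0
    exposed_services: set = field(default_factory=set)
    findings: list = field(default_factory=list)  # (check, reference, weight)

    @property
    def criticality(self) -> str:
        # Thresholds are an assumption for the example.
        return "HIGH" if self.score >= 10 else "MEDIUM" if self.score >= 4 else "LOW"


def score_host(entry: dict) -> HostResult:
    """Score one record {"host": str, "open_ports": [...], "checks": {...}}.
    Checks absent from the record count as not assessed and add no points."""
    result = HostResult(host=entry["host"])
    for port in entry.get("open_ports", []):
        service = SERVICE_PORTS.get(port)
        if service:
            result.exposed_services.add(service)
            result.score += 1
    for name, (expected, weight, ref) in CHECKS.items():
        observed = entry.get("checks", {}).get(name)
        if observed is not None and observed != expected:
            result.findings.append((name, ref, weight))
            result.score += weight
    return result


def assess(hosts: list) -> list:
    """Score every host and return them most exposed first (prioritization)."""
    return sorted((score_host(h) for h in hosts), key=lambda r: r.score, reverse=True)


def service_heat_map(results: list) -> dict:
    """Count how many hosts expose each service (the README's heat map)."""
    heat = {}
    for r in results:
        for service in r.exposed_services:
            heat[service] = heat.get(service, 0) + 1
    return heat


# Constructed sample findings in the shape score_host() expects (an assumed
# layout; the real hosts.json format is not documented on this page).
SAMPLE_HOSTS = [
    {"host": "DC01", "open_ports": [445, 135, 5985, 3389],
     "checks": {"smb_signing_required": True, "smbv1_enabled": False,
                "winrm_trustedhosts_empty": True, "winrm_https_only": False,
                "jea_configured": False, "rdp_nla_enabled": True,
                "laps_deployed": True, "ps_constrained_language": True,
                "ps_script_block_logging": True}},
    {"host": "WS01", "open_ports": [445, 3389],
     "checks": {"smb_signing_required": False, "smbv1_enabled": True,
                "rdp_nla_enabled": False, "laps_deployed": False,
                "ps_constrained_language": False, "ps_script_block_logging": False}},
    {"host": "SRV01", "open_ports": [445, 1433, 22],
     "checks": {"smb_signing_required": True, "smbv1_enabled": False,
                "rdp_nla_enabled": True, "laps_deployed": False,
                "ps_constrained_language": True, "ps_script_block_logging": True}},
]

if __name__ == "__main__":
    results = assess(SAMPLE_HOSTS)
    for r in results:
        print(f"{r.host:6} score={r.score:2} {r.criticality:6} "
              f"services={sorted(r.exposed_services)}")
        for name, ref, weight in r.findings:
            print(f"       - {name} (+{weight}) -> {ref}")
    print("heat map:", service_heat_map(results))
```

Run as a script it lists WS01 first (SMB signing off, SMBv1 on, no NLA, no LAPS, full-language PowerShell) ahead of DC01 and SRV01, and the heat map shows SMB on all three hosts. Checks a scanner could not evaluate are deliberately left out of the score rather than counted as passes, so an incomplete scan never lowers a host's risk.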
```bash
pytest tests/ -v
```

Ayi NEDJIMI - contact@ayinedjimi-consultants.fr

MIT License - see LICENSE