The following table describes the vulnerabilities identified in the pre-defined Active Directory Discovery for Persistence.
NOTE: Persistence techniques are used by adversaries to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Vulnerability Template | Vulnerability | Risk | What to find
---|---|---|---
Foreign Security Principals Tier Zero group membership status | Name: Foreign Security Principals are members of a Tier Zero group. Default scope: All Foreign Security Principals | A Foreign Security Principal (FSP) is an object created by the system to represent a security principal in a trusted external forest. FSPs can also represent special identities, such as Authenticated Users, Anonymous Logon, and Enterprise Domain Controllers; the FSP for a special identity is created when that identity is added to a group. Foreign Security Principals can be added to Tier Zero groups in the local domain, but because they do not carry the adminCount attribute, their origin can be difficult to audit. Adversaries can therefore abuse this relationship to proceed without being detected. Remediation: Investigate Foreign Security Principals that are members of the protected groups and remove the membership if appropriate. | Foreign Security Principals in scope that are members of a Tier Zero group
Group Policy contains Scheduled Task status | Name: Non-Tier Zero Group Policy contains a scheduled task. Default scope: All non-Tier Zero Group Policies | While there are legitimate uses for defining a scheduled task in a Group Policy, adversaries may abuse task scheduling registered in a Group Policy to facilitate initial or recurring execution of malicious code. Remediation: In Group Policy Management, review the settings of the defined scheduled task to confirm it is valid and configured correctly. Settings to pay special attention to are Author (if applicable), the user account running the task, and the process configured in the Run field or on the Actions tab. | Group Policy objects in scope with a Scheduled Task configured
Group Policy contains Scheduled Task status | Name: Tier Zero Group Policy contains a scheduled task. Default scope: All Tier Zero Group Policies | While there are legitimate uses for defining a scheduled task in a Group Policy, adversaries may use task scheduling registered in a Group Policy to facilitate initial or recurring execution of malicious code. Scheduled tasks defined in Tier Zero Group Policies should be strictly monitored. Remediation: In Group Policy Management, review the settings of the defined scheduled task to confirm it is valid and configured correctly. Settings to pay special attention to are Author (if applicable), the user account running the task, and the process configured in the Run field or on the Actions tab. | Group Policy objects in scope with a Scheduled Task configured
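The following PowerShell script is an added example, not part of the product or its documentation, showing how the two findings in the table can be enumerated by hand with the RSAT ActiveDirectory and GroupPolicy modules. It assumes that "Tier Zero groups" are approximated by groups with adminCount=1 (the AdminSDHolder-protected groups) and that "Tier Zero Group Policies" are approximated by GPOs linked to the domain root or the Domain Controllers OU; adjust both definitions to your own tiering model.

```powershell
# Added example (not the product's own code). Assumptions: Tier Zero groups = adminCount=1
# groups; Tier Zero GPOs = GPOs linked to the domain root or Domain Controllers OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-FspInTierZeroGroups {
    $tierZeroDns = (Get-ADGroup -LDAPFilter '(adminCount=1)').DistinguishedName
    # FSPs carry no adminCount, so membership is checked from their memberOf attribute.
    $fsps = Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf, objectSid
    foreach ($fsp in $fsps) {
        foreach ($groupDn in @($fsp.memberOf)) {
            if ($tierZeroDns -notcontains $groupDn) { continue }
            try {   # resolve the SID to a name (trusted-forest account or special identity)
                $name = $fsp.objectSid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved SID>' }
            [pscustomobject]@{ FSP = $fsp.Name; ResolvedName = $name; TierZeroGroup = $groupDn }
        }
    }
}

function Get-GpoScheduledTasks {
    $domain = Get-ADDomain
    $tierZeroLinks = foreach ($t in $domain.DistinguishedName, $domain.DomainControllersContainer) {
        (Get-GPInheritance -Target $t).GpoLinks | ForEach-Object { $_.GpoId }
    }
    foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
        $policyDir = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
        foreach ($side in 'Machine', 'User') {
            # Group Policy Preferences store tasks in ScheduledTasks.xml under SYSVOL
            $xmlPath = Join-Path $policyDir "$side\Preferences\ScheduledTasks\ScheduledTasks.xml"
            if (-not (Test-Path $xmlPath)) { continue }
            [xml]$doc = Get-Content -Path $xmlPath -Raw
            foreach ($task in ($doc.ScheduledTasks.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
                $p = $task.Properties
                # TaskV2/ImmediateTaskV2 keep the command under Task/Actions/Exec; legacy Task uses appName
                $command = if ($p.Task) { $p.Task.Actions.Exec.Command } else { $p.GetAttribute('appName') }
                [pscustomobject]@{
                    GPO = $gpo.DisplayName; TierZero = ($tierZeroLinks -contains $gpo.Id); Scope = $side
                    TaskType = $task.LocalName; TaskName = $task.GetAttribute('name')
                    RunAs = $p.GetAttribute('runAs'); Command = $command
                }
            }
        }
    }
}

Get-FspInTierZeroGroups | Format-Table -AutoSize
Get-GpoScheduledTasks | Sort-Object TierZero -Descending | Format-Table -AutoSize
```

Review each returned row against the Remediation guidance in the table: the RunAs and Command columns correspond to the user account and the Run/Actions settings the text says to inspect.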