| |
Name:
Computer accounts with non-default Primary Group IDs Default scope: All computers |
Computer accounts whose Primary Group IDs have been modified may have elevated privileges which are difficult to see and therefore easier to exploit within detection.
Remediation:
-
The Primary Group ID should be reset to its default value. The default primary group for computer accounts is:
-
"Domain Computers" (515)
-
for domain controller accounts, "Domain Controllers" (516)
-
for read-only domain controllers, "Read-only Domain Controllers" (521). |
Accounts in scope that have a “Primary Group” that is not Domain Computers or Domain Controllers or Read-Only Domain Controllers |
| Users Service Principal Name status |
Name:
Tier Zero user accounts with Service Principal Names
Default scope:
Tier Zero users |
Tier Zero user accounts with Service Principal Names (SPNs) defined are exposed to Kerberos-based authentication attacks, enabling an adversary to escalate their privileges within the directory.
Remediation:
To resolve vulnerability, remove the Service Principal Name from the user object, if possible. If the Service Principal Name cannot be removed, enforce a very strong password on the user object which contains 32 characters with upper case, lower case, numeral, and special characters. |
User accounts in scope that have “Service Principal Name” not empty |
| Number of Tier Zero user accounts |
Name:
Abnormally large number of Tier Zero user accounts in the domain
Default scope:
N/A |
The number of Tier Zero accounts in a domain should be limited and closely monitored. An abnormally high number of Tier Zero accounts could indicate loose permissioning or group nesting which should be addressed. Tier Zero user accounts are being evaluated for this vulnerability.
Remediation:
To resolve vulnerability, identify accounts that should not have Tier Zero user credentials and remove those credentials. Resolve any group nesting issues. |
Total number of Tier Zero user accounts within a domain is more than 20 |
| Account SID History status |
Name: Tier Zero user accounts with SID History populated
Default scope: Tier Zero users |
If a user account's sIDHistory attribute is populated, then the account has all the privileges that belong to the SID History as well. Tier Zero user accounts with SID History are particularly concerning as they may have more privilege than is visible and likely indicates an adversary has compromised the account and established a backdoor for persistence.
Remediation:
To resolve vulnerability, remove the references in SID History if the user no longer requires the permissions assigned to the security groups listed. If the permissions are required, add the permission or group membership directly to the user object. |
Accounts in scope that have SID History not empty |
|
Name:
Tier Zero groups with SID History populated
Default scope: Tier Zero groups |
If a group's sIDHistory attribute is populated, the group members have the privileges that belong to the SID History as well. Tier Zero groups with SID History are particularly concerning as they may have more privilege than is visible and likely indicates an adversary has compromised the account and established a backdoor for persistence.
Remediation:
To resolve vulnerability, remove the references in sIDHistory if the group no longer requires the permissions assigned to the security groups listed. If the permissions are required, add the permission or group membership directly to the group object. |
| Account SID History local SID status |
Name:
User accounts with SID from local domain in their SID History
Default scope:
All users |
If a user account's sIDHistory attribute is populated, the account has all the privileges that belong to the SID History as well. While user accounts that were previously migrated may have a SID History from an external domain, the presence of a SID from the same domain is an indication an adversary has compromised the account and granted themselves more privilege than is immediately visible.
Remediation:
To resolve vulnerability, immediately remove the local SID from the compromised user's sIDHistory attribute and investigate who modified the attribute and when. |
Accounts in scope that have SID from local domain in their SID History |
|
Name:
Groups with SID from local domain in their SID History
Default scope:
All groups |
If a group account's sIDHistory attribute is populated, the group members have all the privileges that belong to the SID History as well. While group accounts that were previously migrated may have a SID History from an external domain, the presence of a SID History from the same domain is an indication an adversary has compromised the account and granted themselves more privilege than is immediately visible.
Remediation:
To resolve vulnerability, immediately remove the local SID from the compromised group's sIDHistory attribute and investigate who modified the attribute and when. |
| User account status |
Name:
Tier Zero user account is disabled
Default scope:
Tier Zero users
|
The number of Tier Zero accounts in a domain should be limited and closely monitored. A Tier Zero account that is disabled but still contains privileges through Tier Zero group membership can be compromised by an adversary and used to elevate privileges.
Remediation:
Remove Tier Zero group membership from user accounts that are disabled. |
Users in scope that are disabled |
| Group Members Count |
Name:
Default Active Directory groups which should not be in use contain members
Default scope:
Account Operators
Backup Operators
Cryptographic Operators
Hyper-V Administrators
Network Configuration Operators
Print Operators
Remote Desktop Users
Replicator
Server Operators |
Default Active Directory groups have elevated privileges and indirect control over vital aspects of Active Directory. These groups should typically have no members, so the presence of any memberships is a possible sign of an adversary using the group to elevate their privileges.
Remediation:
Remove the members within default Active Directory groups:
-
Account Operators
(S-1-5-32-548)
-
Backup Operators
(S-1-5-32-551)
-
Cryptographic Operators
(S-1-5-32-569)
-
Hyper-V Administrators*
(S-1-5-32-578)
-
Network Configuration Operators
(S-1-5-32-556)
-
Print Operators
(S-1-5-32-550)
-
Remote Desktop Users
(S-1-5-32-555)
-
Replicator
(S-1-5-32-552)
-
Server Operators
(S-1-5-32-549)
* NOTE: The Hyper-V Administrators group may have members If a Hyper-V environment is used. |
Groups in scope that have more than 0 members
NOTE: The operator and number of days are editable. |
| Schema Admins Group Member Count |
Name:
Schema Admins group contains members
Default scope:
N/A |
Schema Admins group has elevated privileges and indirect control over vital aspects of Active Directory. This group should typically have no members, so the presence of any memberships is a possible sign of an adversary using the group to elevate their privileges.
Remediation:
Remove the members within Schema Admins. |
Schema Admins group has more than 0 members
NOTE: The operator and number of days are editable. |
| Non-members of protected groups adminCount attribute value |
Name:
Ordinary user accounts with hidden privileges (SDProp)
Default scope:
All users |
Microsoft uses the adminCount attribute to indicate an object has had its ACL modified by the system to be more secure as it was a member of one of the administrative groups. An adversary who has breached the directory may try to remain undetected by removing accounts they leveraged to escalate their privileges, and the admincount attribute is evidence of that cover-up. Protected groups include:
- Account Operators
(S-1-5-32-548)
- Administrators
(S-1-5-32-544)
- Backup Operators
(S-1-5-32-551)
- Cert Publishers
(S-1-5-21-<domain>-517)
- Domain Admins
(S-1-5-21-<domain>-512 )
- Domain Controllers
(S-1-5-21-<domain>-516 )
- Enterprise Admins
(S-1-5-21-<root_domain>-519)
- Read-only Domain Controllers
(only since Windows Server 2008)
(S-1-5-21-<domain>-521)
- Replicator
(S-1-5-32-552)
- Schema Admins
(S-1-5-21-<root_domain>-518 )
- Server Operators
(S-1-5-32-549)
Remediation:
Investigate accounts that are not members of the protected groups whose adminCount attribute is set to 1 to determine if the user account was recently removed from a protected group and that action was expected. The adminCount attribute should then be manually set back to 0 in the Attribute Editor tab of the user object. |
User objects in scope that are not members of protected groups and have adminCount attribute set to 1 |
| Verify group membership of DnsAdmins group |
Name:
DnsAdmins group contains members
Default scope:
All users |
DNS is an appealing target for adversaries as it can be used to redirect domain queries or launch a denial of service. Members of the DnsAdmins group which are not highly Tier Zero Active Directory administrators are suspicious and increase the attack surface.
Remediation:
Review the members of the DnsAdmins group, determine if any members are not highly Tier Zero Active Directory administrators, and remove them if appropriate. |
DnsAdmins group has more than 0 members |
| Anonymous Logon and Everyone groups are members of Pre-Windows 2000 Compatible Access group |
Name:
Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group
Default scope:
N/A |
The default permissions on many AD objects are set to allow access to the Pre-Windows 2000 Compatible Access group. If wide-open groups such as Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) are members of the Pre-Windows 2000 Compatible Access group, it creates exposure for an adversary to escalate their privileges.
Remediation:
Remove wide open groups Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) from the Pre-Windows 2000 Compatible Access group (S-1-5-32-554).
|
Pre-Windows 2000 Compatible Access group contains Anonymous Logon and Everyone groups |
| Tier Zero user account ownership |
Name:
Tier Zero users owned by non-Tier Zero accounts
Default scope: N/A |
The owner of an object can take control over the object and have all of its permissions. A non-Tier Zero user having ownership over a Tier Zero account can be evidence of tampering and represents an abusable attack path for an adversary.
Remediation:
Remove the non-Tier Zero user ownership on the Tier Zero user account and investigate who modified the owner and when. |
Tier Zero user accounts that are owned by a non-Tier Zero account |
| Tier Zero computer account ownership |
Name:
Tier Zero computer is owned by a non-Tier Zero account
Default scope:
N/A
|
Remediation:
Update the owner of the Domain Controller to the Domain Admins group or update other Tier Zero computers to Tier Zero owners. |
Tier Zero computer accounts that are owned by a non-Tier Zero account |
| Account password last changed |
Name:
Tier Zero computer accounts that have not cycled their password recently
Default scope:
Tier Zero computers |
Tier Zero computers such as domain controllers will change their computer account password periodically (30 days by default). Domain controllers that have older password could be offline and susceptible to having password hashes stolen or used to introduce nefarious changes to the directory.
Remediation:
The reason that prevents servers from changing their password should be investigated. Verify if the computer is offline. If online, check the values of the following registry entries:
If these values are incorrect, they should be reset to the default values and ensure that they are not set by a GPO. |
Accounts in scope that have not updated its password within last 30 days.
NOTE: The number of days is editable. |
| Group Policy "Recovery console: Allow automatic administrative logon" setting |
Name:
Tier Zero Group Policy allows Recovery mode to be not password-protected
Default scope:
Tier Zero Group Policies |
An unprotected Recovery Mode allows an adversary with physical access to a domain controller the ability to gain access to the Active Directory database.
Remediation:
Configure the "Recovery console: Allow automatic administrative logon" setting located in “Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options” section of the Group Policy to “disabled” |
Group Policy objects in scope "Recovery console: Allow automatic administrative logon" is enabled |
| Tier Zero computer Group Policy "Allow log on” settings |
Name:
Non-Tier Zero accounts are able to log onto Tier Zero computers
Default scope: All except Tier Zero users, groups and computers |
If a non-Tier Zero user is able to log onto a Tier Zero computer, such as a Domain Controller, locally or by remote session, they can execute code or obtain a copy of all password hashes.
Remediation:
Prevent non-Tier Zero users from logging into Tier Zero computers by removing the "Allow log on locally" and "Allow log on through Remote Desktop Services" rights for any non-Tier Zero group. These settings are located in Computer configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment. |
Accounts in scope added to Allow log on locally or Allow log on through Remote Desktop Services in Tier Zero Group Policy |
| Non-Tier Zero Group Policy "Deny log on” for Domain Admin status |
Name:
Domain Admins can log into computers with non-Tier Zero Group Policy
Default scope:
All except Tier Zero Group Policies |
When a Tier Zero account logs into a non-Tier Zero computer, their password hash remains in memory and can be harvested by an adversary. If Group Policies do not prevent Domain Admin logons to lower tiers, Tier Zero credentials could be exposed.
Remediation:
Restrict logons to all non-Tier Zero computers for Domain Admins by configuring the "Deny log on locally" and "Deny logon through Remote Desktop Services" in the Group Policy. These settings are located in Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment. |
Group Policies in scope that do not have Domain Admins group added to the Deny log on locally or Deny log on through Remote Desktop Services setting |
|
DNS zone dynamic updates status
|
|
NOTE: For vulnerabilities that use this template, the hybrid agent service account must be a member of the Domain Admins group. | |
Name:
DNS zone configuration allows anonymous record updates
Default scope:
N/A |
Dynamic DNS records are created by DNS clients or systems on behalf of DNS clients (Example: DHCP servers). On Microsoft DNS servers, there are three possible configurations for dynamic updates: "None", "Nonsecure and secure", "Secure only". The "Nonsecure and secure" setting allows dynamic updates to be accepted without checking if the source of updates is trusted or not. DNS zones configured to allow anonymous record updates can be exploited by adversaries to receive incoming queries and harvest credentials.
Remediation:
If enabling dynamic updates is required for an organization, it is highly recommended to use “Secure only” dynamic updates option which ensures dynamic updates are accepted only from trusted sources. This option is available only if your primary DNS zone is hosted on a domain controller and is an AD-integrated DNS zone. |
DNS zone dynamic updates set to Nonsecure and secure |
| Computer Resource-Based Constrained Delegation status |
Name:
Tier Zero computer can be compromised through Resource-Based Constrained Delegation
Default scope:
Tier Zero computers |
If Kerberos Resource-Based Constrained Delegation (RBCD) is enabled on a Tier Zero computer such as a domain controller, an adversary can leverage this to elevate from a system under their control to a Tier Zero computer and take effective control over the entire domain.
Remediation:
To resolve vulnerability, in the impacted computer’s Delegation tab, select “Do not trust this computer for delegation”.
The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the impacted computer account (Note: The “Identity” portion of the command will need to be updated to reflect the display name of the computer account being checked):
Get-ADComputer -Identity <computer>
-Properties PrincipalsAllowedToDelegateToAccount |
Computer accounts in scope that have Resource-Based Constrained Delegation configured |
|
Name:
Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation
Default scope:
All except Tier Zero computers |
If Kerberos Resource-Based Constrained Delegation (RBCD) is enabled on a computer, an adversary can leverage this to elevate from a system under their control to another system it has delegation.
Remediation:
To resolve vulnerability, in the impacted computer’s Delegation tab, select “Do not trust this computer for delegation”.
The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the impacted computer account (Note: The “Identity <computer>” portion of the command will need to be updated to reflect the display name of the computer account being checked):
Get-ADComputer -Identity <computer> -Properties PrincipalsAllowedToDelegateToAccount |
| Domain Write Group Policy Object link delegation |
Name:
Non-Tier Zero accounts can link GPOs to the domain
Default scope:
All except Tier Zero users and groups
|
Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) at the domain level they can effectively take over the entire domain.
Remediation:
These delegations should be removed for any non-Tier Zero account unless there is a compelling reason for their existence. |
Domain has the “Write gPLink” set to Allow for any accounts in scope |
| Domain promote a computer to a domain controller delegation |
Name:
Non-Tier Zero accounts that can promote a computer to a domain controller
Default scope:
All except Tier Zero users and groups
|
The "Add/remove replica in domain" permission on the domain coupled with the SERVER_TRUST_ACCOUNT attribute in userAccountControl can allow an adversary to promote any computer they reach to a domain controller. This would allow them to move laterally across the directory and take advantage of DC-based attacks to harvest credentials.
Remediation:
The "Add/remove replica in domain" delegation should be removed from any non-Tier Zero account unless there is a compelling reason for its existence. |
Domain has “Add/remove replica in domain” set to Allow for any account in scope |
| Active Directory Site Write gPLink delegation |
Name:
Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site
Default scope:
All except Tier Zero users and groups
|
Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) to an Active Directory site, they can directly control all objects it contains.
Remediation:
These delegations should be removed unless there is a compelling reason for their existence. |
Active Directory Site has “Write gPLink” set to Allow for any accounts in scope |
| Domain Controller OU Write gPLink delegation |
Name:
Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU
Default scope:
All except Tier Zero users and groups
|
Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) to the Domain Controller OU they can directly control the domain controllers.
Remediation:
These delegations should be removed unless there is a compelling reason for their existence. |
Domain Controllers OU has “Write gPLink” set to Allow for any accounts in scope |
| Computer account group membership status |
Name:
Tier Zero groups that have computer accounts as members
Default scope:
Tier Zero groups
|
If a computer account is a member of a Tier Zero group, an adversary who compromises the computer will also elevate their privileges to the Tier Zero group the computer belongs to.
Vulnerable objects will not be returned when any computer is a member of Cert Publishers or when a DC or RODC is a member of Domain Controllers, Enterprise Domain Controllers, Read-only Domain Controllers, or Enterprise Read-only Domain Controllers.
Remediation:
Review computer account Tier Zero group membership to determine if the computer should be a member of the Tier Zero group. If not required, remove the account from the group.
|
Groups in scope that have computer accounts as members |
| KRBTGT account resource-based constrained delegation status |
Name:
KRBTGT accounts with Resource-Based Constrained Delegation
Default scope:
N/A |
Any delegations against the KRBTGT accounts are highly suspicious. If an adversary gains control over the KRBTGT account, they can use this to take control over the entire directory.
Remediation:
To resolve vulnerability, in the KRBTGT account’s Account tab, check “Account is sensitive and cannot be delegated.” The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the KRBTGT account (Note: The “Identity KRBTGT” portion of the command will need to be updated to reflect the name of the KRBTGT account being checked): Get-ADuser -Identity KRBTGT -Properties PrincipalsAllowedToDelegateToAccount |
KRBTGT accounts that have Resource-Based Constrained Delegation configured |
| Domain trust configured insecure status |
Name:
Domain trust configured insecurely
Default scope:
Dependent on the domain(s) selected when an Assessment is created. If a selected domain does not have a trust relationship, it will not be assessed for the vulnerability. |
Trusts that have insecure settings are exposed to Kerberos-based authentication vulnerabilities or reduced protection against imposter identities.
Remediation:
|
Domain trust in scope has EnableTgtDelegation or EnablePIMTrust configured in the trustAttribute |
| Active Directory group existence in domain |
Name:
Suspicious ESX Admins group detected in domain
Default scope:
ESX Admins |
Microsoft has identified vulnerability CVE-2024-37085 where ESXi hypervisors can be exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors. A threat actor can create a group named “ESX Admins” in the domain and add users to it, which will grant full administrative access on the ESXi hypervisor. “ESX Admins” group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that the group exists when the server is joined to a domain but considers any members of a group with this name as having full administrative access, even if the group did not originally exist. The membership in the group is determined by group name and not by security identifier (SID).
Remediation
Ensure the latest security updates released by VMware are installed on all domain-joined ESXi hypervisors. If installing software updates is not possible, perform the following to reduce the risk:
Validate the group “ESX Admins” exists in the domain and is hardened.
Manually deny access by this group by changing settings in the ESXi hypervisor. If full admin access for the Active Directory ESX admins group is not desired, disable this behavior using the advanced host setting: ‘Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd’.
Change the admin group to a different group in the ESXi hypervisor. |
Active Directory group in scope is detected |
| Account ability to specify a certificate subjectAltName (SAN) in a certificate request |
Name:
Non-Tier Zero account can use a misconfigured certificate template to impersonate any user
Default scope:
All except Tier Zero users and groups
|
Certificate template settings determine the characteristics for the derived certificates and the parameters required for a certificate request. A certificate template is considered “misconfigured” if the combination of settings defined can expose an organization to an attacker. A certificate template that meets the following criteria will allow a non-Tier Zero attacker to request a certificate that can be used to authenticate to the domain as a Tier Zero user: Subject Name set to “Supply in the request”, “CA certificate manager approval” is not required, “Authorized signatures” is not required, Extended Key Usage (EKU) facilitates authentication, non-Tier Zero account can enroll (or can grant themselves permission to enroll) in a certificate.
Remediation:
Configure the certificate template Subject Name setting to “Build from this Active Directory information” and set the Issuance Requirements to require “CA certificate manager approval”. In addition, ensure non-Tier Zero accounts do not have Enroll or Full Control permissions granted on the certificate template. It is also recommended that the certificates issued by the certificate authority be reviewed to confirm if the identified non-Tier zero account requested a certificate using the misconfigured certificate template and what Subject Name is used in the request. |
Accounts in scope can request a certificate that allows the subjectAltName (SAN) to be specified |
| Account ability to request an overly permissive certificate with privileged EKU |
Name:
Non-Tier Zero account can request an overly permissive certificate with privileged EKU (ESC2)
Default scope:
All except Tier Zero users and groups |
Certificate template settings determine the characteristics for the derived certificates and the parameters required for a certificate request. A certificate template is considered “overly permissive” if the combination of settings defined can expose an organization to an attacker. A certificate template that has either no Extended Key Usage (EKU) defined or has the EKU “Any Purpose” is considered privileged.
Remediation:
Ensure non-Tier Zero accounts do not have Enroll or Full Control permissions granted on the certificate template. It is also recommended to enforce extra security such as like adding Manager approval and signing requirements, if possible. |
Accounts in scope can request a certificate that has either no EKU defined or has the “Any Purpose” EKU |
