| Indicator | Category | Severity | Source |
|---|---|---|---|
| Possible Golden Ticket Kerberos exploit | Detected Anomaly | Critical | On Demand Audit |
| Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Detected TTP | Critical | On Demand Audit |
| Groups with SID from local domain in their SID History | Hygiene | Critical | Assessments |
| User accounts with SID from local domain in their SID History | Hygiene | Critical | Assessments |
| Groups with well-known SIDs in their SID History | Hygiene | Critical | Assessments |
| User accounts with well-known SIDs in their SID History | Hygiene | Critical | Assessments |
| Potential sIDHistory injection detected | Detected Anomaly | Critical | On Demand Audit |
| File changes with suspicious file extensions | Detected Anomaly | Critical | On Demand Audit |
| Irregular domain controller registration detected (DCShadow) | Detected Anomaly | Critical | On Demand Audit |
| Irregular Active Directory replication activity detected (DCSync) | Detected Anomaly | Critical | On Demand Audit |
| AD Database (NTDS.dit) file modification attempt detected | Detected Anomaly | Critical | On Demand Audit |
| Inheritance is enabled on the AdminSDHolder container | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts that can promote a computer to a domain controller | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts can steal password hashes (DCSync) | Hygiene | Critical | Assessments |
| Tier Zero users owned by non-Tier Zero accounts | Hygiene | Critical | Assessments |
| Tier Zero computer is owned by a non-Tier Zero account | Hygiene | Critical | Assessments |
| User accounts with non-default Primary Group IDs | Hygiene | Critical | Assessments |
| Computer accounts with non-default Primary Group IDs | Hygiene | Critical | Assessments |
| User accounts without readable Primary Group ID | Hygiene | Critical | Assessments |
| Computer accounts without readable Primary Group ID | Hygiene | Critical | Assessments |
| Managed and Group Managed Service accounts that have not cycled their password recently | Hygiene | Critical | Assessments |
| Non-Tier Zero users with access to gMSA password | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts can access the gMSA root key | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts have access to write properties on certificate templates | Hygiene | Critical | Assessments |
| Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account | Hygiene | Critical | Assessments |
| Active Directory Operator groups that are not protected by AdminSDHolder | Hygiene | Critical | Assessments |
| Ordinary user accounts with hidden privileges (SDProp) | Hygiene | Critical | Assessments |
| User accounts in protected groups that are not protected by AdminSDHolder (SDProp) | Hygiene | Critical | Assessments |
| KRBTGT accounts with Resource-Based Constrained Delegation | Hygiene | Critical | Assessments |
| Built-in Administrator account that has been used | Hygiene | Critical | Assessments |
| Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group | Hygiene | Critical | Assessments |
| Built-in Guest account is enabled | Hygiene | Critical | Assessments |
| Schema Admins group contains members | Hygiene | Critical | Assessments |
| Default Active Directory groups which should not be in use contain members | Hygiene | Critical | Assessments |
| DnsAdmins group contains members | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts with Reanimate tombstones permission delegation | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts with Migrate SID history permission delegation | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts with Unexpire password permission delegation | Hygiene | Critical | Assessments |
| Tier Zero Group Policy allows Recovery Mode that is not password-protected | Hygiene | Critical | Assessments |
| Tier Zero groups with SID History populated | Hygiene | Critical | Assessments |
| Tier Zero group policy object changes | Detected TTP | Critical | On Demand Audit |
| Domain-level group policy link changes detected | Detected TTP | Critical | On Demand Audit |
| Non-Tier Zero accounts can link GPOs to the domain | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts can link Group Policy Objects to the Domain Controllers OU | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site | Hygiene | Critical | Assessments |
| Security changes to Tier Zero group policy objects | Detected TTP | Critical | On Demand Audit |
| Tier Zero user accounts with Service Principal Names | Hygiene | Critical | Assessments |
| User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Detected TTP | Critical | On Demand Audit |
| Non-Tier Zero user accounts with Service Principal Names | Hygiene | Critical | Assessments |
| Tier Zero group changes | Detected TTP | Critical | On Demand Audit |
| Unusual increase in failed AD changes | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in permission changes to AD objects | Detected Anomaly | Critical | On Demand Audit |
| Security changes to Tier Zero group objects | Detected TTP | Critical | On Demand Audit |
| Security changes to Tier Zero user objects | Detected TTP | Critical | On Demand Audit |
| Administrative privilege elevation detected (adminCount attribute) | Detected TTP | Critical | On Demand Audit |
| Non-Tier Zero accounts are able to log onto Tier Zero computers | Hygiene | Critical | Assessments |
| Tier Zero user logons to computers that are not Tier Zero | Detected TTP | Critical | On Demand Audit |
| Domain Admins can log into computers with non-Tier Zero group policy | Hygiene | Critical | Assessments |
| Unusual increase in failed AD Federation Services sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in failed on-premises sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in tenant sign-in failures | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in AD account lockouts | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in file renames | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in share access permission changes | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in file deletes | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in successful AD Federation Services sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in successful on-premises sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in successful tenant sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Tier Zero domain and forest configuration changes | Detected TTP | Critical | On Demand Audit |
| Security changes to Tier Zero domain objects | Detected TTP | Critical | On Demand Audit |
| AD schema configuration changes | Detected TTP | Critical | On Demand Audit |
| Entra ID Conditional Access policy configured to disable Continuous Access Evaluation for users | Hygiene | Critical | Assessments |
| Entra ID Privileged risk events | Detected TTP | High | On Demand Audit |
| New Tier Zero Domain detected | Tier Zero | High | Security Guardian |
| Non-Tier Zero account can use a misconfigured certificate template to impersonate any user | Hygiene | High | Assessments |
| Non-Tier Zero account can request an overly permissive certificate with privileged EKU (ESC2) | Hygiene | High | Assessments |
| Domain trust configured insecurely | Hygiene | High | Assessments |
| Domain trust without Kerberos AES encryption enabled | Hygiene | High | Assessments |
| Tier Zero computer accounts that have not cycled their password recently | Hygiene | High | Assessments |
| Tier Zero computers that have not recently authenticated to the domain | Hygiene | High | Assessments |
| Protected group credentials exposed on read-only domain controllers | Hygiene | High | Assessments |
| Tier Zero account token can be stolen from a read-only domain controller | Hygiene | High | Assessments |
| User accounts do not require a password | Hygiene | High | Assessments |
| Group Policy allows reversible passwords | Hygiene | High | Assessments |
| User accounts have a reversible password | Hygiene | High | Assessments |
| Computer accounts with reversible password | Hygiene | High | Assessments |
| Tier Zero account can be delegated | Hygiene | High | Assessments |
| User accounts with Kerberos pre-authentication disabled | Hygiene | High | Assessments |
| User accounts with unconstrained delegation | Hygiene | High | Assessments |
| Computer accounts with unconstrained delegation | Hygiene | High | Assessments |
| User accounts using DES encryption to log in | Hygiene | High | Assessments |
| Entra ID privileged role members whose passwords have not changed recently | Hygiene | Medium | Assessments |
| Tier Zero user accounts whose passwords have not changed recently | Hygiene | High | Assessments |
| Tier Zero user accounts configured for Password Never Expires | Hygiene | High | Assessments |
| Non-Tier Zero user accounts configured for Password Never Expires | Hygiene | High | Assessments |
| Non-default configuration of the Microsoft Local Administrator Password | Hygiene | High | Assessments |
| Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access | Detected TTP | High | Assessments |
| Group Policy scheduled task section modified | Detected TTP | High | On Demand Audit |
| Suspicious ESX Admins group detected in domain | Hygiene | High | Assessments |
| Suspicious group ESX Admins created or member added | Detected TTP | High | On Demand Audit |
| Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High | Assessments |
| Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account | Hygiene | High | Assessments |
| Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High | Assessments |
| Accounts that allow Kerberos protocol transition delegation | Hygiene | High | Assessments |
| DNS zone configuration allows anonymous record updates | Hygiene | High | Assessments |
| Security changes to Tier Zero computer objects | Detected TTP | High | On Demand Audit |
| Tier Zero user changes | Detected TTP | High | On Demand Audit |
| Foreign Security Principals are members of a Tier Zero group | Hygiene | High | Assessments |
| Guest accounts assigned to the Global Administrator role | Hygiene | High | Assessments |
| Domain Controller is running SMBv1 protocol | Hygiene | High | Assessments |
| All domain users can create computer accounts | Hygiene | High | Assessments |
| Protected Users group is not being used | Hygiene | High | Assessments |
| Abnormally large number of Tier Zero user accounts in the domain | Hygiene | High | Assessments |
| Enabled Tier Zero user accounts that are inactive | Hygiene | High | Assessments |
| Tier Zero groups that have computer accounts as members | Hygiene | High | Assessments |
| Anonymous access to Active Directory is enabled | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not protect all users from high user risk | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not protect all users from risky sign-ins | Hygiene | High | Assessments |
| Entra ID Privileged accounts that are not secured by multi-factor authentication (MFA) | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not protect all privileged users with multi-factor authentication (MFA) | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not protect all non-privileged users with multi-factor authentication (MFA) | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not block legacy authentication for all users | Hygiene | High | Assessments |
| Entra ID Privileged principal logons | Detected TTP | Medium | On Demand Audit |
| Synchronized Active Directory user is assigned an Entra ID privileged role | Hygiene | Medium | Assessments |
| Active Directory Tier Zero object synchronized to Entra ID | Hygiene | Medium | Assessments |
| Attempt to access protected Active Directory database detected | Detected TTP | Medium | On Demand Audit |
| Attempt to access protected Windows file or folder detected | Detected TTP | Medium | On Demand Audit |
| Attempt to edit protected group policy object detected | Detected TTP | Medium | On Demand Audit |
| Attempt to modify protected Active Directory object detected | Detected TTP | Medium | On Demand Audit |
| Entra ID Privileged service principal changes | Detected TTP | Medium | On Demand Audit |
| More than recommended number of Global Administrators in the organization | Hygiene | Medium | Assessments |
| More than recommended number of privileged role assignments | Hygiene | Medium | Assessments |
| Kerberos KRBTGT account password has not changed recently | Hygiene | Medium | Assessments |
| Entra ID users are allowed to consent for all applications | Hygiene | Medium | Assessments |
| Entra ID Privileged tenant level and directory activity | Detected TTP | Medium | On Demand Audit |
| Password hash synchronization with on-premises Active Directory is not enabled | Hygiene | Medium | Assessments |
| Administrators are not enabled for self-service password recovery | Hygiene | Medium | Assessments |
| Entra ID Privileged role changes | Detected TTP | Medium | On Demand Audit |
| New Privileged Entra ID Role Detected | Tier Zero | Medium | Security Guardian |
| Security defaults are enabled | Hygiene | Medium | Assessments |
| Group Policy does not enforce built-in Administrator account lockout on all computers | Hygiene | Medium | Assessments |
| New Tier Zero GPO detected | Tier Zero | Medium | Security Guardian |
| Tier Zero Group Policy allows Authenticated Users to add computers to the domain | Hygiene | Medium | Assessments |
| New Privileged Entra ID Service Principal Detected | Tier Zero | Medium | Security Guardian |
| Entra ID Privileged group changes | Detected TTP | Medium | On Demand Audit |
| New Tier Zero Group detected | Tier Zero | Medium | Security Guardian |
| New Privileged Entra ID Group detected | Tier Zero | Medium | Security Guardian |
| New Tier Zero Computer detected | Tier Zero | Medium | Security Guardian |
| Entra ID Privileged user changes | Detected TTP | Medium | On Demand Audit |
| New Tier Zero User detected | Tier Zero | Medium | Security Guardian |
| New Privileged Entra ID User Detected | Tier Zero | Medium | Security Guardian |
| Entra ID guest user accounts that are inactive | Hygiene | Medium | Assessments |
| Entra ID Microsoft Authenticator policy does not require geographic location and application name contexts for all users | Hygiene | Medium | Assessments |
| Password hash synchronization with on-premises Active Directory is delayed | Hygiene | Medium | Assessments |
| Synchronization with on-premises Active Directory is delayed | Hygiene | Medium | Assessments |
| Unprotected Tier Zero Domain | Tier Zero | Medium | Protection |
| Entra ID cloud applications that are not included in a conditional access policy | Hygiene | Medium | Assessments |
| Entra ID Conditional Access policies do not protect all users with strictly enforced location for Continuous Access Evaluation | Hygiene | Medium | Assessments |
| Entra ID Conditional Access policies do not require token protection for sign-in sessions for users | Hygiene | Medium | Assessments |
| Unprotected Tier Zero Group Policy | Tier Zero | Medium | Protection |
| Unprotected Tier Zero Group | Tier Zero | Medium | Protection |
| Unprotected Tier Zero Computer | Tier Zero | Medium | Protection |
| Unprotected Tier Zero User | Tier Zero | Medium | Protection |
| Print Spooler service is enabled on a domain controller | Hygiene | Medium | Assessments |
| Tier Zero user account is disabled | Hygiene | Medium | Assessments |
| Domain with obsolete domain functional level | Hygiene | Medium | Assessments |
| NTLM version 1 authentications | Detected TTP | Medium | On Demand Audit |