The following table describes the vulnerabilities identified in the pre-defined Active Directory Discovery for Lateral Movement.

Vulnerability Template Vulnerability Risk What to find
Account Trusted for Delegation attribute status

Name:

User accounts with unconstrained delegation

Default scope: All users

The Kerberos TGT ticket can be captured when unconstrained delegation is enabled and then used to elevate the adversary's privileges to any service the TGT ticket has access to.

Remediation:

To resolve vulnerability, remove the TRUSTED_FOR_DELEGATION flag in userAccountControl attribute. This can be performed in the account's Delegation tab - Account options. Make sure “Trust this user for delegation to any service (Kerberos only)” is not selected. If a Kerberos delegation is required, use one that is constrained.

Accounts in scope that have Trusted for Delegation enabled

Name:

Computer accounts with unconstrained delegation

Default scope:

All computers except domain controllers

The Kerberos TGT ticket can be captured when unconstrained delegation is enabled and then used to elevate the adversary's privileges to any service the TGT ticket has access to.

Remediation:

Remove unconstrained delegation on the computer object from the computer’s Properties - Delegation tab by ensuring “Trust this computer for delegation to any service (Kerberos only)” is not selected. If required, constrained delegation can be used by selecting the "Trust this computer for delegation to specified services only" option.

Accounts in scope that have Trusted for Delegation enabled
Users Password Not Required attribute status

Name:

User accounts do not require a password

Default scope:

All users

An adversary can easily compromise a user account that does not require a password and find an attack path from that account to escalate their privileges.

Remediation:

To resolve vulnerability, in the account’s Attribute Editor tab, select userAccountControl and remove the PASSWD_NOTREQD value.

User accounts in scope that have “Password not required” enabled
Domain Add computers to domain value

Name:

All domain users can create computer accounts

Default scope:

N/A

Without hardening, all domain users have the ability to create computer accounts in the domain. Improperly configured computer accounts are exposed to Kerberos authentication attacks. Only administrators should be able to add new computer accounts.

Remediation:

In Active Directory Users and Computers Attribute Editor tab for the domain object, change the value of the ms-DS-MachineAccountQuota attribute (which is 10 by default) to a value of 0. This will prevent non-administrative users from being able to register new computer accounts within the domain.

Domain has the “ms-DS-MachineAccountQuota” attribute set to more than 0

NOTE: The operator and quota attribute value are editable.

Account "Use any authentication protocol" status

Name:

Accounts that allow Kerberos protocol transition delegation

Default scope:

All users and computers

A service configured to allow Kerberos protocol transition will allow a delegated service to use any available authentication protocol. This can result in reduced authentication security and increase the chance of services being compromised by an adversary.

Remediation:

In the account Properties -Delegation tab, ensure configured delegation is not set to “Use any authentication protocol.”

Accounts in scope which have “Use any authentication protocol” enabled in delegation
Domain Unexpire Password permission delegation

Name:

Non-Tier Zero accounts with Unexpire password permission delegation

Default scope: All except Tier Zero users and groups

If the “Unexpire password” permission is delegated an adversary could use it to restore the password of a Tier Zero principal.

 

This vulnerability will not generate a Finding in Security Guardian.

 

Remediation:

Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence.

Domain has “Unexpire password” set to Allow for any accounts in scope
Domain Migrate SID history permission delegation

Name:

Non-Tier Zero accounts with Migrate SID history permission

delegation

Default scope:

All except Tier Zero users and groups

If the “Migrate SID history” permission is delegated an adversary can use it to elevate their privileges by adding a Tier Zero account to their sIDHistory attribute and obscuring the exploit.

Remediation:

Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence.

Domain has “Migrate SID history” set to Allow for any accounts in scope
Domain Reanimate tombstones permission delegation

Name:

Non-Tier Zero accounts with Reanimate tombstones permission delegation

Default scope:

All except Tier Zero users and groups

If the “Reanimate tombstones” control access right is delegated an adversary could use it to restore and take control of a Tier Zero object.

Remediation:

Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence.

Domain has “Reanimate tombstones” set to Allow for any accounts in scope
Group Policy "Add workstations to domain" setting Authenticated User status

Name:

Tier Zero Group Policy allows Authenticated Users to add computers to the domain

Default scope:

All Tier Zero Group Policies

Without hardening, any authenticated user has permissions to create up to 10 computer accounts in the domain. Improperly configured computer accounts are exposed to Kerberos authentication attacks. Only administrators or other authorized users should have the ability to add new computer accounts.

Remediation:

There are two methods to address this vulnerability.

The first method is, in the Active Directory Users and Computers Attribute Editor tab for the domain object, change the value of the ms-DS-MachineAccountQuota attribute (which is 10 by default) to a value of 0. This will prevent non-administrative users from being able to register new computer accounts within the domain.

The second method is to edit the "Add workstations to domain" setting located in "Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment" section of the Group Policy and remove “Authenticated Users”.

Group Policy objects in scope with Authenticated Users configured in "Add workstations to domain" setting