Security Guardian Current

The following table lists all Security Guardian indicators Guardian, from most to least severe.

Indicator	Indicator Type	Severity	Source
Possible Golden Ticket Kerberos exploit	Detected TTP	Critical	On Demand Audit
Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting)	Detected TTP	Critical	On Demand Audit
Groups with SID from local domain in their SID History	Hygiene	Critical	Assessments
User accounts with SID from local domain in their SID History	Hygiene	Critical	Assessments
Groups with well-known SIDs in their SID History	Hygiene	Critical	Assessments
User accounts with well-known SIDs in their SID History	Hygiene	Critical	Assessments
Potential sIDHistory injection detected	Detected TTP	Critical	On Demand Audit
File changes with suspicious file extensions	Detected TTP	Critical	On Demand Audit
Irregular domain controller registration detected (DCShadow)	Detected TTP	Critical	On Demand Audit
Irregular Active Directory replication activity detected (DCSync)	Detected TTP	Critical	On Demand Audit
AD Database (NTDS.dit) file modification attempt detected	Detected TTP	Critical	On Demand Audit
Active Directory Database (NTDS.dit) access attempt detected	Detected TTP	Critical	On Demand Audit
Inheritance is enabled on the AdminSDHolder container	Hygiene	Critical	Assessments
Non-Tier Zero accounts that can promote a computer to a domain controller	Hygiene	Critical	Assessments
Non-Tier Zero accounts can steal password hashes (DCSync)	Hygiene	Critical	Assessments
Tier Zero users owned by non-Tier Zero accounts	Hygiene	Critical	Assessments
Tier Zero computer is owned by a non-Tier Zero account	Hygiene	Critical	Assessments
User accounts with non-default Primary Group IDs	Hygiene	Critical	Assessments
Computer accounts with non-default Primary Group IDs	Hygiene	Critical	Assessments
User accounts without readable Primary Group ID	Hygiene	Critical	Assessments
Computer accounts without readable Primary Group ID	Hygiene	Critical	Assessments
Managed and Group Managed Service accounts that have not cycled their password recently	Hygiene	Critical	Assessments
Non-Tier Zero users with access to gMSA password	Hygiene	Critical	Assessments
Non-Tier Zero accounts can access the gMSA root key	Hygiene	Critical	Assessments
Non-Tier Zero accounts have access to write properties on certificate templates	Hygiene	Critical	Assessments
Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account	Hygiene	Critical	Assessments
Active Directory Operator groups that are not protected by AdminSDHolder	Hygiene	Critical	Assessments
Ordinary user accounts with hidden privileges (SDProp)	Hygiene	Critical	Assessments
User accounts in protected groups that are not protected by AdminSDHolder (SDProp)	Hygiene	Critical	Assessments
KRBTGT accounts with Resource-Based Constrained Delegation	Hygiene	Critical	Assessments
Built-in Administrator account that has been used	Hygiene	Critical	Assessments
Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group	Hygiene	Critical	Assessments
Built-in Guest account is enabled	Hygiene	Critical	Assessments
Schema Admins group contains members	Hygiene	Critical	Assessments
Default Active Directory groups which should not be in use contain members	Hygiene	Critical	Assessments
DNSAdmin group contains members	Hygiene	Critical	Assessments
Non-Tier Zero accounts with Reanimate tombstones permission delegation	Hygiene	Critical	Assessments
Non-Tier Zero accounts with Migrate SID history permission delegation	Hygiene	Critical	Assessments
Tier Zero Group Policy allows Recovery Mode to be not password-protected	Hygiene	Critical	Assessments
Tier Zero groups with SID History populated	Hygiene	Critical	Assessments
Tier Zero user accounts with SID History populated	Hygiene	Critical	Assessments
Tier Zero group policy object changes	Detected TTP	Critical	On Demand Audit
Domain level group policy linked changes detected	Detected TTP	Critical	On Demand Audit
Non-Tier Zero accounts can link GPOs to the domain	Hygiene	Critical	Assessments
Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU	Hygiene	Critical	Assessments
Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site	Hygiene	Critical	Assessments
Security changes to Tier Zero group policy objects	Detected TTP	Critical	On Demand Audit
Tier Zero user accounts with Service Principal Names	Hygiene	Critical	Assessments
User ServicePrincipalName attribute changed (vulnerable to Kerberoasting)	Detected TTP	Critical	On Demand Audit
Non-Tier Zero user accounts with Service Principal Names	Hygiene	Critical	Assessments
Tier Zero group changes	Detected TTP	Critical	On Demand Audit
Unusual increase in failed AD changes	Detected Anomaly	Critical	On Demand Audit
Unusual increase in permission changes to AD objects	Detected Anomaly	Critical	On Demand Audit
Security changes to Tier Zero group objects	Detected TTP	Critical	On Demand Audit
Security changes to Tier Zero user objects	Detected TTP	Critical	On Demand Audit
Administrative privilege elevation detected (adminCount attribute)	Detected TTP	Critical	On Demand Audit
Non-Tier Zero accounts are able to log onto Tier Zero computers	Hygiene	Critical	Assessments
Tier Zero user logons to computers that are not Tier Zero	Detected TTP	Critical	On Demand Audit
Domain Admins can log into computers with non-Tier Zero Group Policy	Hygiene	Critical	Assessments
Unusual increase in failed AD Federation Services sign-ins	Detected Anomaly	Critical	On Demand Audit
Unusual increase in failed on-premises sign-ins	Detected Anomaly	Critical	On Demand Audit
Unusual increase in AD account lockouts	Detected Anomaly	Critical	On Demand Audit
Unusual increase in file renames	Detected Anomaly	Critical	On Demand Audit
Unusual increase in share access permission changes	Detected Anomaly	Critical	On Demand Audit
Unusual increase in file deletes	Detected Anomaly	Critical	On Demand Audit
Unusual increase in successful AD Federation Services sign-in	Detected Anomaly	Critical	On Demand Audit
Unusual increase in successful on-premises sign-ins	Detected Anomaly	Critical	On Demand Audit
Tier Zero domain and forest configuration changes	Detected TTP	Critical	On Demand Audit
Security changes to Tier Zero domain objects	Detected TTP	Critical	On Demand Audit
AD schema configuration changes	Detected TTP	Critical	On Demand Audit
New Tier Zero Domain detected	Tier Zero	High	Security Guardian
Domain trust configured insecurely	Hygiene	High	Assessments
Domain trust without Kerberos AES encryption enabled	Hygiene	High	Assessments
Tier Zero computer accounts that have not cycled their password recently	Hygiene	High	Assessments
Tier Zero computers that have not recently authenticated to the domain	Hygiene	High	Assessments
Protected group credentials exposed on read-only domain controllers	Hygiene	High	Assessments
Tier Zero account token can be stolen from a read-only domain controller	Hygiene	High	Assessments
User accounts do not require a password	Hygiene	High	Assessments
Group Policy allows reversible passwords	Hygiene	High	Assessments
User accounts have a reversible password	Hygiene	High	Assessments
Administrator account can be delegated	Hygiene	High	Assessments
Computer accounts with reversible password	Hygiene	High	Assessments
User accounts with Kerberos pre-authentication disabled	Hygiene	High	Assessments
User accounts with unconstrained delegation	Hygiene	High	Assessments
Computer accounts with unconstrained delegation	Hygiene	High	Assessments
User accounts using DES encryption to log in	Hygiene	High	Assessments
Tier Zero user accounts whose passwords have not changed recently	Hygiene	High	Assessments
Tier Zero user accounts configured for Password Never Expires	Hygiene	High	Assessments
Non-Tier Zero user accounts configured for Password Never Expires	Hygiene	High	Assessments
Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access	Hygiene	High	Assessments
Suspicious ESX Admins group found in domain	Hygiene	High	Assessments
Suspicious group ESX Admins created or member added	Detected TTP	High	On Demand Audit
Tier Zero computer can be compromised through Resource-Based Constrained Delegation	Hygiene	High	Assessments
Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account	Hygiene	High	Assessments
Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation	Hygiene	High	Assessments
Accounts that allow Kerberos protocol transition delegation	Hygiene	High	Assessments
DNS zone configuration allows anonymous record updates	Hygiene	High	Assessments
Tier Zero computer changes	Detected TTP	High	On Demand Audit
Security changes to Tier Zero computer objects	Detected TTP	High	On Demand Audit
Tier Zero user changes	Detected TTP	High	On Demand Audit
Foreign Security Principals are members of a Tier Zero group	Hygiene	High	Assessments
Domain Controller is running SMBv1 protocol	Hygiene	High	Assessments
Non-Tier Zero users can create computer accounts	Hygiene	High	Assessments
Protected Users group is not being used	Hygiene	High	Assessments
Abnormally large number of Tier Zero user accounts in the domain	Hygiene	High	Assessments
Enabled Tier Zero user accounts that are inactive	Hygiene	High	Assessments
Tier Zero groups that have computer accounts as members	Hygiene	High	Assessments
Anonymous access to Active Directory is enabled	Hygiene	High	Assessments
Kerberos KRBTGT account password has not changed recently	Hygiene	Medium	Assessments
New Tier Zero GPO detected	Tier Zero	Medium	Security Guardian
New Tier Zero Group detected	Tier Zero	Medium	Security Guardian
New Tier Zero Computer detected	Tier Zero	Medium	Security Guardian
New Tier Zero User detected	Tier Zero	Medium	Security Guardian
Unprotected Tier Zero Domain	Tier Zero	Medium	Protection
Unprotected Active Directory database	Tier Zero	Medium	Protection
Unprotected Tier Zero Group Policy	Tier Zero	Medium	Protection
Unprotected Tier Zero Group	Tier Zero	Medium	Protection
Unprotected Tier Zero Computer	Tier Zero	Medium	Protection
Unprotected Tier Zero User	Tier Zero	Medium	Protection
Printer Spooler service is enabled on a domain controller	Hygiene	Medium	Assessments
Tier Zero user account is disabled	Hygiene	Medium	Assessments
Domain with obsolete domain functional level	Hygiene	Medium	Assessments
Non-Tier Zero account can use a misconfigured certificate template to impersonate any user	Hygiene	Medium	Assessments
NTLM version 1 authentications	Detected TTP	Medium	On Demand Audit

Security Guardian Current - Release Notes

Indicators by Severity

Veuillez sélectionner votre produit

Afin de mieux répondre à vos besoins, précisez l'objet du tchat:

Solutions recommandées pour votre problème

Security Guardian Current - Release Notes

Indicators by Severity