This appendix provides details of all indicators in Security Guardian, listed both by severity and by source.

NOTE: For the general criteria Security Guardian uses to determine severity levels, refer to the topic Managing Indicators.
The following table lists all Security Guardian indicators, from most to least severe.
| Indicator | Type | Severity | Source |
|---|---|---|---|
| Possible Golden Ticket Kerberos exploit | Detected Anomaly | Critical | On Demand Audit |
| Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Detected TTP | Critical | On Demand Audit |
| Groups with SID from local domain in their SID History | Hygiene | Critical | Assessments |
| User accounts with SID from local domain in their SID History | Hygiene | Critical | Assessments |
| Groups with well-known SIDs in their SID History | Hygiene | Critical | Assessments |
| User accounts with well-known SIDs in their SID History | Hygiene | Critical | Assessments |
| Potential sIDHistory injection detected | Detected Anomaly | Critical | On Demand Audit |
| File changes with suspicious file extensions | Detected Anomaly | Critical | On Demand Audit |
| Irregular domain controller registration detected (DCShadow) | Detected Anomaly | Critical | On Demand Audit |
| Irregular Active Directory replication activity detected (DCSync) | Detected Anomaly | Critical | On Demand Audit |
| AD Database (NTDS.dit) file modification attempt detected | Detected Anomaly | Critical | On Demand Audit |
| Inheritance is enabled on the AdminSDHolder container | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts that can promote a computer to a domain controller | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts can steal password hashes (DCSync) | Hygiene | Critical | Assessments |
| Tier Zero users owned by non-Tier Zero accounts | Hygiene | Critical | Assessments |
| Tier Zero computer is owned by a non-Tier Zero account | Hygiene | Critical | Assessments |
| User accounts with non-default Primary Group IDs | Hygiene | Critical | Assessments |
| Computer accounts with non-default Primary Group IDs | Hygiene | Critical | Assessments |
| User accounts without readable Primary Group ID | Hygiene | Critical | Assessments |
| Computer accounts without readable Primary Group ID | Hygiene | Critical | Assessments |
| Delegated Managed Service Account (dMSA) with a suspicious configuration (BadSuccessor) | Hygiene | Critical | Assessments |
| Managed and Group Managed Service accounts that have not cycled their password recently | Hygiene | Critical | Assessments |
| Non-Tier Zero users with access to gMSA password | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts can access the gMSA root key | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts have access to write properties on certificate templates | Hygiene | Critical | Assessments |
| Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account | Hygiene | Critical | Assessments |
| Active Directory Operator groups that are not protected by AdminSDHolder | Hygiene | Critical | Assessments |
| Ordinary user accounts with hidden privileges (SDProp) | Hygiene | Critical | Assessments |
| User accounts in protected groups that are not protected by AdminSDHolder (SDProp) | Hygiene | Critical | Assessments |
| KRBTGT accounts with Resource-Based Constrained Delegation | Hygiene | Critical | Assessments |
| Built-in Administrator account that has been used | Hygiene | Critical | Assessments |
| Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group | Hygiene | Critical | Assessments |
| Built-in Guest account is enabled | Hygiene | Critical | Assessments |
| Schema Admins group contains members | Hygiene | Critical | Assessments |
| Default Active Directory groups which should not be in use contain members | Hygiene | Critical | Assessments |
| DnsAdmins group contains members | Hygiene | Critical | Assessments |
| Non Tier-Zero accounts with Reanimate tombstones permission delegation | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts with Migrate SID history permission delegation | Hygiene | Critical | Assessments |
| Non Tier-Zero accounts with Unexpire password permission delegation | Hygiene | Critical | Assessments |
| Tier Zero Group Policy allows Recovery Mode to be not password-protected | Hygiene | Critical | Assessments |
| Tier Zero groups with SID History populated | Hygiene | Critical | Assessments |
| Tier Zero group policy object changes | Detected TTP | Critical | On Demand Audit |
| Domain level group policy linked changes detected | Detected TTP | Critical | On Demand Audit |
| Non-Tier Zero accounts can link GPOs to the domain | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU | Hygiene | Critical | Assessments |
| Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site | Hygiene | Critical | Assessments |
| Security changes to Tier Zero group policy objects | Detected TTP | Critical | On Demand Audit |
| Tier Zero user accounts with Service Principal Names | Hygiene | Critical | Assessments |
| User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Detected TTP | Critical | On Demand Audit |
| Non-Tier Zero user accounts with Service Principal Names | Hygiene | Critical | Assessments |
| Tier Zero group changes | Detected TTP | Critical | On Demand Audit |
| Unusual increase in failed AD changes | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in permission changes to AD objects | Detected Anomaly | Critical | On Demand Audit |
| Security changes to Tier Zero group objects | Detected TTP | Critical | On Demand Audit |
| Security changes to Tier Zero user objects | Detected TTP | Critical | On Demand Audit |
| Administrative privilege elevation detected (adminCount attribute) | Detected TTP | Critical | On Demand Audit |
| Non-Tier Zero accounts are able to log onto Tier Zero computers | Hygiene | Critical | Assessments |
| Tier Zero user logons to computers that are not Tier Zero | Detected TTP | Critical | On Demand Audit |
| Group Policy does not prevent Domain Admins from logging onto non-Tier Zero computer | Hygiene | Critical | Assessments |
| Unusual increase in failed AD Federation Services sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in failed on-premises sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in tenant sign-in failures | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in AD account lockouts | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in file renames | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in share access permission changes | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in file deletes | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in successful AD Federation Services sign-in | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in successful on-premises sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Unusual increase in successful tenant sign-ins | Detected Anomaly | Critical | On Demand Audit |
| Tier Zero domain and forest configuration changes | Detected TTP | Critical | On Demand Audit |
| Security changes to Tier Zero domain objects | Detected TTP | Critical | On Demand Audit |
| AD schema configuration changes | Detected TTP | Critical | On Demand Audit |
| Entra ID Conditional Access policy configured to disable Continuous Access Evaluation for users | Hygiene | Critical | Assessments |
| Entra ID Privileged risk events | Detected TTP | High | On Demand Audit |
| Replicating Directory Changes All domain permission granted | Detected TTP | High | On Demand Audit |
| New Tier Zero Domain detected | Tier Zero | High | Security Guardian |
| Non-Tier Zero account can use a misconfigured certificate template to impersonate any user | Hygiene | High | Assessments |
| Non-Tier Zero account can request an overly permissive certificate with privileged EKU (ESC2) | Hygiene | High | Assessments |
| Domain trust configured insecurely | Hygiene | High | Assessments |
| Domain trust without Kerberos AES encryption enabled | Hygiene | High | Assessments |
| Tier Zero computer accounts that have not cycled their password recently | Hygiene | High | Assessments |
| Tier Zero computers that have not recently authenticated to the domain | Hygiene | High | Assessments |
| Protected group credentials exposed on read-only domain controllers | Hygiene | High | Assessments |
| Tier Zero account token can be stolen from a read-only domain controller | Hygiene | High | Assessments |
| User accounts do not require a password | Hygiene | High | Assessments |
| Group Policy allows reversible passwords | Hygiene | High | Assessments |
| User accounts have a reversible password | Hygiene | High | Assessments |
| Computer accounts with reversible password | Hygiene | High | Assessments |
| Tier Zero account can be delegated | Hygiene | High | Assessments |
| User accounts with Kerberos pre-authentication disabled | Hygiene | High | Assessments |
| User accounts with unconstrained delegation | Hygiene | High | Assessments |
| Computer accounts with unconstrained delegation | Hygiene | High | Assessments |
| User accounts using DES encryption to log in | Hygiene | High | Assessments |
| Entra ID privileged role members whose passwords have not changed recently | Hygiene | Medium | Assessments |
| Tier Zero user accounts whose passwords have not changed recently | Hygiene | High | Assessments |
| Tier Zero user accounts configured for Password Never Expires | Hygiene | High | Assessments |
| Non-Tier Zero user accounts configured for Password Never Expires | Hygiene | High | Assessments |
| Non-default configuration of the Microsoft Local Administrator Password | Hygiene | High | Assessments |
| Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access | Detected TTP | High | Assessments |
| Group Policy scheduled task section modified | Detected TTP | High | On Demand Audit |
| Suspicious ESX Admins group detected in domain | Hygiene | High | Assessments |
| Suspicious group ESX Admins created or member added | Detected TTP | High | On Demand Audit |
| Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High | Assessments |
| Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account | Hygiene | High | Assessments |
| Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High | Assessments |
| Tier Zero object migrated to a Delegated Managed Service Account (dMSA) | Hygiene | High | Assessments |
| Accounts that allow Kerberos protocol transition delegation | Hygiene | High | Assessments |
| DNS zone configuration allows anonymous record updates | Hygiene | High | Assessments |
| Non-Tier Zero account with write or extended permission on Tier Zero object | Hygiene | High | Assessments |
| Security changes to Tier Zero computer objects | Detected TTP | High | On Demand Audit |
| Tier Zero user changes | Detected TTP | High | On Demand Audit |
| Foreign Security Principals are members of a Tier Zero group | Hygiene | High | Assessments |
| Guest accounts assigned to the Global Administrator role | Hygiene | High | Assessments |
| Domain Controller is running SMBv1 protocol | Hygiene | High | Assessments |
| Non-Tier Zero account can create Delegated Managed Service Accounts (dMSA) in an OU or container | Hygiene | High | Assessments |
| All domain users can create computer accounts | Hygiene | High | Assessments |
| Protected Users group is not being used | Hygiene | High | Assessments |
| Abnormally large number of Tier Zero user accounts in the domain | Hygiene | High | Assessments |
| Enabled Tier Zero user accounts that are inactive | Hygiene | High | Assessments |
| Tier Zero groups that have computer accounts as members | Hygiene | High | Assessments |
| Anonymous access to Active Directory is enabled | Hygiene | High | Assessments |
| Tier Zero Group Policy contains a scheduled task | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not protect all users from high user risk | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not protect all users from risky sign-ins | Hygiene | High | Assessments |
| Entra ID Privileged accounts that are not secured by multi-factor authentication (MFA) | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not protect all privileged users with multi-factor authentication (MFA) | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not protect all non-privileged users with multi-factor authentication (MFA) | Hygiene | High | Assessments |
| Entra ID Conditional Access policies do not block legacy authentication for all users | Hygiene | High | Assessments |
| Entra ID Privileged principal logons | Detected TTP | Medium | On Demand Audit |
| Synchronized Active Directory user is assigned an Entra ID privileged role | Hygiene | Medium | Assessments |
| Active Directory Tier Zero object synchronized to Entra ID | Hygiene | Medium | Assessments |
| Attempt to access protected Active Directory database detected | Detected TTP | Medium | On Demand Audit |
| Attempt to access protected Windows file or folder detected | Detected TTP | Medium | On Demand Audit |
| Attempt to edit protected group policy object detected | Detected TTP | Medium | On Demand Audit |
| Attempt to modify protected Active Directory object detected | Detected TTP | Medium | On Demand Audit |
| Entra ID Privileged service principal changes | Detected TTP | Medium | On Demand Audit |
| More than recommended number of Global Administrators in the organization | Hygiene | Medium | Assessments |
| More than recommended number of privileged role assignments | Hygiene | Medium | Assessments |
| Non-Tier Zero Group policy contains a scheduled task | Hygiene | Medium | Assessments |
| Microsoft Entra seamless single sign-on (AzureADSSOACC) account password has not changed recently | Hygiene | Medium | Assessments |
| Kerberos KRBTGT account password has not changed recently | Hygiene | Medium | Assessments |
| Entra ID users are allowed to consent for all applications | Hygiene | Medium | Assessments |
| Entra ID Privileged tenant level and directory activity | Detected TTP | Medium | On Demand Audit |
| Password hash synchronization with on-premises Active Directory is not enabled | Hygiene | Medium | Assessments |
| Administrators are not enabled for self service password recovery | Hygiene | Medium | Assessments |
| Entra ID Privileged role changes | Detected TTP | Medium | On Demand Audit |
| New Privileged Entra ID Role Detected | Tier Zero | Medium | Security Guardian |
| Security defaults are enabled | Hygiene | Medium | Assessments |
| Group Policy does not enforce built-in Administrator account lockout on all computers | Hygiene | Medium | Assessments |
| New Tier Zero GPO detected | Tier Zero | Medium | Security Guardian |
| Tier Zero Group Policy allows Authenticated Users to add computers to the domain | Hygiene | Medium | Assessments |
| New Privileged Entra ID Service Principal Detected | Tier Zero | Medium | Security Guardian |
| Entra ID Privileged group changes | Detected TTP | Medium | On Demand Audit |
| New Tier Zero Group detected | Tier Zero | Medium | Security Guardian |
| New Privileged Entra ID Group detected | Tier Zero | Medium | Security Guardian |
| New Tier Zero Computer detected | Tier Zero | Medium | Security Guardian |
| Entra ID Privileged user changes | Detected TTP | Medium | On Demand Audit |
| New Tier Zero User detected | Tier Zero | Medium | Security Guardian |
| Enabled privileged Entra ID user accounts that are inactive | Hygiene | Medium | Assessments |
| New Privileged Entra ID User Detected | Tier Zero | Medium | Security Guardian |
| Entra ID guest user accounts that are inactive | Hygiene | Medium | Assessments |
| Enabled non-privileged Entra ID user accounts that are inactive | Hygiene | Medium | Assessments |
| Entra ID Microsoft Authenticator policy does not require geographic location and application name contexts for all users | Hygiene | Medium | Assessments |
| Password hash synchronization with on-premises Active Directory is delayed | Hygiene | Medium | Assessments |
| Synchronization with on-premises Active Directory is delayed | Hygiene | Medium | Assessments |
| Unprotected Tier Zero Domain | Tier Zero | Medium | Protection |
| Entra ID cloud applications that are not included in a conditional access policy | Hygiene | Medium | Assessments |
| Entra ID Conditional Access policies do not protect all users with strictly enforce location for Continuous Access Evaluation | Hygiene | Medium | Assessments |
| Entra ID Conditional Access policies do not require token protection for sign-in sessions for users | Hygiene | Medium | Assessments |
| Unprotected Tier Zero Group Policy | Tier Zero | Medium | Protection |
| Unprotected Tier Zero Group | Tier Zero | Medium | Protection |
| Unprotected Tier Zero Computer | Tier Zero | Medium | Protection |
| Unprotected Tier Zero User | Tier Zero | Medium | Protection |
| Printer Spooler service is enabled on a domain controller | Hygiene | Medium | Assessments |
| Tier Zero user account is disabled | Hygiene | Medium | Assessments |
| Domain with obsolete domain functional level | Hygiene | Medium | Assessments |
| NTLM version 1 authentications | Detected TTP | Medium | On Demand Audit |
Security Guardian Indicators originate from the following sources:
The following table contains an alphabetical list of all indicators that originate from On Demand Audit.
| Indicator | Indicator Type | Severity |
|---|---|---|
| Active Directory Database (NTDS.dit) access attempt detected | Detected TTP | Critical |
| AD Database (NTDS.dit) file modification attempt detected | Detected TTP | Critical |
| AD schema configuration changes | Detected TTP | Critical |
| Administrative privilege elevation detected (adminCount attribute) | Detected TTP | Critical |
| Attempt to access protected Active Directory database detected | Detected TTP | Medium |
| Attempt to access protected Windows file or folder detected | Detected TTP | Medium |
| Attempt to edit protected group policy object detected | Detected TTP | Medium |
| Attempt to modify protected Active Directory object detected | Detected TTP | Medium |
| Domain level group policy linked changes detected | Detected TTP | Critical |
| Entra ID Privileged group changes | Detected TTP | Medium |
| Entra ID Privileged principal logons | Detected TTP | Medium |
| Entra ID Privileged risk events | Detected TTP | High |
| Entra ID Privileged role changes | Detected TTP | Medium |
| Entra ID Privileged service principal changes | Detected TTP | Medium |
| Entra ID Privileged tenant level and directory activity | Detected TTP | Medium |
| Entra ID Privileged user changes | Detected TTP | Medium |
| File changes with suspicious file extensions | Detected TTP | Critical |
| Group Policy scheduled task section modified | Detected TTP | High |
| Irregular Active Directory replication activity detected (DCSync) | Detected TTP | Critical |
| Irregular domain controller registration detected (DCShadow) | Detected TTP | Critical |
| NTLM version 1 authentications | Detected TTP | Medium |
| Possible Golden Ticket Kerberos exploit | Detected TTP | Critical |
| Potential sIDHistory injection detected | Detected TTP | Critical |
| Replicating Directory Changes All domain permission granted | Detected TTP | High |
| Security changes to Tier Zero computer objects | Detected TTP | High |
| Security changes to Tier Zero domain objects | Detected TTP | Critical |
| Security changes to Tier Zero group objects | Detected TTP | Critical |
| Security changes to Tier Zero group policy objects | Detected TTP | Critical |
| Security changes to Tier Zero user objects | Detected TTP | Critical |
| Suspicious group ESX Admins created or member added | Detected TTP | High |
| Tier Zero computer changes | Detected TTP | High |
| Tier Zero domain and forest configuration changes | Detected TTP | Critical |
| Tier Zero group changes | Detected TTP | Critical |
| Tier Zero group policy object changes | Detected TTP | Critical |
| Tier Zero user changes | Detected TTP | High |
| Tier Zero user logons to computers that are not Tier Zero | Detected TTP | Critical |
| Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Detected TTP | Critical |
| Unusual increase in AD account lockouts | Detected Anomaly | Critical |
| Unusual increase in failed AD changes | Detected Anomaly | Critical |
| Unusual increase in failed AD Federation Services sign-ins | Detected Anomaly | Critical |
| Unusual increase in failed on-premises sign-ins | Detected Anomaly | Critical |
| Unusual increase in file deletes | Detected Anomaly | Critical |
| Unusual increase in file renames | Detected Anomaly | Critical |
| Unusual increase in permission changes to AD objects | Detected Anomaly | Critical |
| Unusual increase in share access permission changes | Detected Anomaly | Critical |
| Unusual increase in successful AD Federation Services sign-in | Detected Anomaly | Critical |
| Unusual increase in successful on-premises sign-ins | Detected Anomaly | Critical |
| Unusual increase in successful tenant sign-ins | Detected Anomaly | Critical |
| Unusual increase in tenant sign-in failures | Detected Anomaly | Critical |
| User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Detected TTP | Critical |