Security Guardian Current

The following table contains an alphabetical list of all indicators that originate from On Demand Audit.

Indicator	Indicator Type	Severity
Active Directory Database (NTDS.dit) access attempt detected	Detected TTP	Critical
AD Database (NTDS.dit) file modification attempt detected	Detected TTP	Critical
AD schema configuration changes	Detected TTP	Critical
Administrative privilege elevation detected (adminCount attribute)	Detected TTP	Critical
Attempt to access protected Active Directory database detected	Detected TTP	Medium
Attempt to access protected Windows file or folder detected	Detected TTP	Medium
Attempt to edit protected group policy object detected	Detected TTP	Medium
Attempt to modify protected Active Directory object detected	Detected TTP	Medium
Domain level group policy linked changes detected	Detected TTP	Critical
Entra ID Privileged group changes	Detected TTP	Medium
Entra ID Privileged principal logons	Detected TTP	Medium
Entra ID Privileged risk events	Detected TTP	High
Entra ID Privileged role changes	Detected TTP	Medium
Entra ID Privileged service principal changes	Detected TTP	Medium
Entra ID Privileged tenant level and directory activity	Detected TTP	Medium
Entra ID Privileged user changes	Detected TTP	Medium
File changes with suspicious file extensions	Detected TTP	Critical
Group Policy scheduled task section modified	Detected TTP	High
Irregular Active Directory replication activity detected (DCSync)	Detected TTP	Critical
Irregular domain controller registration detected (DCShadow)	Detected TTP	Critical
NTLM version 1 authentications	Detected TTP	Medium
Possible Golden Ticket Kerberos exploit	Detected TTP	Critical
Potential sIDHistory injection detected	Detected TTP	Critical
Replicating Directory Changes All domain permission granted	Detected TTP	High
Security changes to Tier Zero computer objects	Detected TTP	High
Security changes to Tier Zero domain objects	Detected TTP	Critical
Security changes to Tier Zero group objects	Detected TTP	Critical
Security changes to Tier Zero group policy objects	Detected TTP	Critical
Security changes to Tier Zero user objects	Detected TTP	Critical
Suspicious group ESX Admins created or member added	Detected TTP	High
Tier Zero computer changes	Detected TTP	High
Tier Zero domain and forest configuration changes	Detected TTP	Critical
Tier Zero group changes	Detected TTP	Critical
Tier Zero group policy object changes	Detected TTP	Critical
Tier Zero user changes	Detected TTP	High
Tier Zero user logons to computers that are not Tier Zero	Detected TTP	Critical
Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting)	Detected TTP	Critical
Unusual increase in AD account lockouts	Detected Anomaly	Critical
Unusual increase in failed AD changes	Detected Anomaly	Critical
Unusual increase in failed AD Federation Services sign-ins	Detected Anomaly	Critical
Unusual increase in failed on-premises sign-ins	Detected Anomaly	Critical
Unusual increase in file deletes	Detected Anomaly	Critical
Unusual increase in file renames	Detected Anomaly	Critical
Unusual increase in permission changes to AD objects	Detected Anomaly	Critical
Unusual increase in share access permission changes	Detected Anomaly	Critical
Unusual increase in successful AD Federation Services sign-in	Detected Anomaly	Critical
Unusual increase in successful on-premises sign-ins	Detected Anomaly	Critical
Unusual increase in successful tenant sign-ins	Detected Anomaly	Critical
Unusual increase in tenant sign-in failures	Detected Anomaly	Critical
User ServicePrincipalName attribute changed (vulnerable to Kerberoasting)	Detected TTP	Critical

The following table contains an alphabetical list of all indicators that originate from Security Guardian Assessments,

Indicator	Type	Severity
Abnormally large number of Tier Zero user accounts in the domain	Hygiene	High
Accounts that allow Kerberos protocol transition delegation	Hygiene	High
Active Directory Tier Zero object synchronized to Entra ID	Hygiene	Medium
Active Directory Operator groups that are not protected by AdminSDHolder	Hygiene	Critical
Administrators are not enabled for self service password recovery	Hygiene	Medium
All domain users can create computer accounts	Hygiene	High
Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group	Hygiene	Critical
Anonymous access to Active Directory is enabled	Hygiene	High
Built-in Guest account is enabled	Hygiene	Critical
Built-in Administrator account that has been used	Hygiene	Critical
Computer accounts with non-default Primary Group IDs	Hygiene	Critical
Computer accounts with reversible password	Hygiene	High
Computer accounts with unconstrained delegation	Hygiene	High
Computer accounts without readable Primary Group ID	Hygiene	Critical
Default Active Directory groups which should not be in use contain members	Hygiene	Critical
Delegated Managed Service Account (dMSA) with a suspicious configuration (BadSuccessor)	Hygiene	Critical
DnsAdmins group contains members	Hygiene	Critical
DNS zone configuration allows anonymous record updates	Hygiene	High
Domain trust configured insecurely	Hygiene	High
Domain trust without Kerberos AES encryption enabled	Hygiene	High
Domain with obsolete domain functional level	Hygiene	Medium
Domain Controller is running SMBv1 protocol	Hygiene	High
Enabled privileged Entra ID user accounts that are inactive	Hygiene	Medium
Enabled non-privileged Entra ID user accounts that are inactive	Hygiene	Medium
Enabled Tier Zero user accounts that are inactive	Hygiene	High
Entra ID cloud applications that are not included in a conditional access policy	Hygiene	Medium
Entra ID Conditional Access policies do not block legacy authentication for all users	Hygiene	High
Entra ID Conditional Access policies do not protect all non-privileged users with multi-factor authentication (MFA)	Hygiene	High
Entra ID Conditional Access policies do not protect all privileged users with multi-factor authentication (MFA)	Hygiene	High
Entra ID Conditional Access policies do not protect all users from high user risk	Hygiene	High
Entra ID Conditional Access policies do not protect all users from risky sign-ins	Hygiene	High
Entra ID Conditional Access policies do not protect all users with strictly enforce location for Continuous Access Evaluation	Hygiene	High
Entra ID Conditional Access policies do not require token protection for sign-in sessions for users	Hygiene	Medium
Entra ID Conditional Access policy configured to disable Continuous Access Evaluation for users	Hygiene	Critical
Entra ID guest user accounts that are inactive	Hygiene	Medium
Entra ID Microsoft Authenticator policy does not require geographic location and application name contexts for all users	Hygiene	Medium
Entra ID Privileged accounts that are not secured by multi-factor authentication (MFA)	Hygiene	High
Entra ID privileged role members whose passwords have not changed recently	Hygiene	Medium
Entra ID users are allowed to consent for all applications	Hygiene	Medium
Foreign Security Principals are members of a Tier Zero group	Hygiene	High
Group Policy does not enforce built-in Administrator account lockout on all computers	Hygiene	Medium
Group Policy does not prevent Domain Admins from logging onto non-Tier Zero computer	Hygiene	Critical
Group Policy allows reversible passwords	Hygiene	High
Groups with SID from local domain in their SID History	Hygiene	Critical
Groups with well-known SIDs in their SID History	Hygiene	Critical
Guest accounts assigned to the Global Administrator role	Hygiene	High
Inheritance is enabled on the AdminSDHolder container	Hygiene	Critical
Kerberos KRBTGT account password that has not changed recently	Hygiene	Medium
KRBTGT accounts with Resource-Based Constrained Delegation	Hygiene	Critical
Managed and Group Managed Service accounts that have not cycled their password recently	Hygiene	Critical
Microsoft Entra seamless single sign-on (AzureADSSOACC) account password has not changed recently	Hygiene	Medium
More than recommended number of Global Administrators in the organization	Hygiene	Medium
More than recommended number of privileged role assignments	Hygiene	Medium
Non-default configuration of the Microsoft Local Administrator Password	Hygiene	High
Non-privileged accounts are able to log onto privileged computers	Hygiene	Critical
Non-Tier Zero accounts are able to log onto Tier Zero computers	Hygiene	Critical
Non-Tier Zero accounts can link GPOs to the domain	Hygiene	Critical
Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site	Hygiene	Critical
Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU	Hygiene	Critical
Non-Tier Zero accounts have access to write properties on certificate templates	Hygiene	Critical
Non-Tier Zero accounts that can promote a computer to a domain controller	Hygiene	Critical
Non-Tier Zero account with write or extended permission on Tier Zero object	Hygiene	High
Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation	Hygiene	High
Non-Tier Zero user accounts configured for Password Never Expires	Hygiene	High
Non-Tier Zero user accounts with Service Principal Names	Hygiene	Critical
Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account	Hygiene	Critical
Non-Tier Zero users with access to gMSA password	Hygiene	Critical
Non-Tier Zero account can request an overly permissive certificate with privileged EKU (ESC2)	Hygiene	High
Non-Tier Zero accounts can access the gMSA root key	Hygiene	Critical
Non-Tier Zero account can create Delegated Managed Service Accounts (dMSA) in an OU or container	Hygiene	High
Non-Tier Zero accounts can steal password hashes (DCSync)	Hygiene	Critical
Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access	Hygiene	High
Non-Tier Zero accounts with Reanimate tombstones permission delegation	Hygiene	Critical
Non-Tier Zero Group policy contains a scheduled task	Hygiene	Medium
Non-Tier Zero account can use a misconfigured certificate template to impersonate any user	Hygiene	High
Non Tier-Zero accounts with Unexpire password permission delegation	Hygiene	Critical
Non Tier-Zero accounts with Migrate SID history permission delegation	Hygiene	Critical
Ordinary user accounts with hidden privileges (SDProp)	Hygiene	Critical
Password hash synchronization with on-premises Active Directory is delayed	Hygiene	Medium
Password hash synchronization with on-premises Active Directory is not enabled	Hygiene	Medium
Printer Spooler service is enabled on a domain controller	Hygiene	Medium
Protected group credentials exposed on read-only domain controllers	Hygiene	High
Protected Users group is not being used	Hygiene	High
Schema Admins group contains members	Hygiene	Critical
Security defaults are enabled	Hygiene	Medium
Suspicious ESX Admins group detected in domain	Hygiene	High
Synchronization with on-premises Active Directory is delayed	Hygiene	Medium
Synchronized Active Directory user is assigned an Entra ID privileged role	Hygiene	Medium
Tier Zero account token can be stolen from a read-only domain controller	Hygiene	High
Tier Zero computer accounts that have not cycled their password recently	Hygiene	High
Tier Zero computer can be compromised through Resource-Based Constrained Delegation	Hygiene	High
Tier Zero computer is owned by a non-Tier Zero account	Hygiene	Critical
Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account	Hygiene	High
Tier Zero computers that have not recently authenticated to the domain	Hygiene	High
Tier Zero Group Policy allows Recovery Mode to be not password-protected	Hygiene	Critical
Tier Zero groups that have computer accounts as members	Hygiene	High
Tier Zero groups with SID History populated	Hygiene	Critical
Tier Zero object migrated to a Delegated Managed Service Account (dMSA)	Hygiene	High
Tier Zero user account is disabled	Hygiene	Medium
Tier Zero user accounts configured for Password Never Expires	Hygiene	High
Tier Zero user accounts whose passwords have not changed recently	Hygiene	High
Tier Zero user accounts with Service Principal Names	Hygiene	Critical
Tier Zero user accounts with SID History populated	Hygiene	Critical
Tier Zero users owned by non-Tier Zero accounts	Hygiene	Critical
Tier Zero account can be delegated	Hygiene	High
Tier Zero Group Policy allows Authenticated Users to add computers to the domain	Hygiene	Medium
Tier Zero Group Policy contains a scheduled task	Hygiene	High
User accounts with Kerberos pre-authentication disabled	Hygiene	High
User accounts do not require a password	Hygiene	High
User accounts have a reversible password	Hygiene	High
User accounts in protected groups that are not protected by AdminSDHolder (SDProp)	Hygiene	Critical
User accounts using DES encryption to log in	Hygiene	High
User accounts with non-default Primary Group IDs	Hygiene	Critical
User accounts with SID from local domain in their SID History	Hygiene	Critical
User accounts with unconstrained delegation	Hygiene	High
User accounts with well-known SIDs in their SID History	Hygiene	Critical
User accounts without readable Primary Group ID	Hygiene	Critical

Security Guardian Current - User Guide

Indicators from On Demand Audit

Indicators from Security Guardian Assessments

Indicators from Security Guardian and Protection for Tier Zero Objects

Appendix - Data Collection Details

Indicator	Indicator Type	Severity	Source
New Privileged Entra ID Group Detected	Tier Zero	High	Security Guardian
New Privileged Entra ID Role Detected	Tier Zero	Medium	Security Guardian
New Privileged Entra ID Service Principal Detected	Tier Zero	Medium	Security Guardian
New Privileged Entra ID Tenant Detected	Tier Zero	Medium	Security Guardian
New Privileged Entra ID User Detected	Tier Zero	Medium	Security Guardian
New Tier Zero Domain detected	Tier Zero	High	Security Guardian
New Tier Zero GPO detected	Tier Zero	Medium	Security Guardian
New Tier Zero Group detected	Tier Zero	Medium	Security Guardian
New Tier Zero Computer detected	Tier Zero	Medium	Security Guardian
New Tier Zero User detected	Tier Zero	Medium	Security Guardian
Unprotected Tier Zero Domain	Tier Zero	Medium	Protection
Unprotected Active Directory Database	Tier Zero	Medium	Protection
Unprotected Tier Zero Computer	Tier Zero	Medium	Protection
Unprotected Tier Zero Group	Tier Zero	Medium	Protection
Unprotected Tier Zero Group Policy	Tier Zero	Medium	Protection
Unprotected Tier Zero User	Tier Zero	Medium	Protection

Seleziona il prodotto:

Per una maggiore efficacia, compilare l'Obiettivo della chat:

Soluzioni consigliate per il problema

Security Guardian Current - User Guide

Indicators from On Demand Audit

Indicators from Security Guardian Assessments

Indicators from Security Guardian and Protection for Tier Zero Objects

Appendix - Data Collection Details