Vulnerability Template Vulnerability Risk What to find
 

Name:

Computer accounts with non-default Primary Group IDs Default scope: All computers

Computer accounts whose Primary Group IDs have been modified may have elevated privileges which are difficult to see and therefore easier to exploit within detection.

Remediation:

  • The Primary Group ID should be reset to its default value. The default primary group for computer accounts is:

  • "Domain Computers" (515)

  • for domain controller accounts, "Domain Controllers" (516)

  • for read-only domain controllers, "Read-only Domain Controllers" (521).

Accounts in scope that have a “Primary Group” that is not Domain Computers or Domain Controllers or Read-Only Domain Controllers
Users Service Principal Name status

Name:

Tier Zero user accounts with Service Principal Names

Default scope:

Tier Zero users

Tier Zero user accounts with Service Principal Names (SPNs) defined are exposed to Kerberos-based authentication attacks, enabling an adversary to escalate their privileges within the directory.

Remediation:

To resolve vulnerability, remove the Service Principal Name from the user object, if possible. If the Service Principal Name cannot be removed, enforce a very strong password on the user object which contains 32 characters with upper case, lower case, numeral, and special characters.

User accounts in scope that have “Service Principal Name” not empty
Number of Tier Zero user accounts

Name:

Abnormally large number of Tier Zero user accounts in the domain

Default scope:

N/A

The number of Tier Zero accounts in a domain should be limited and closely monitored. An abnormally high number of Tier Zero accounts could indicate loose permissioning or group nesting which should be addressed. Tier Zero user accounts are being evaluated for this vulnerability.

Remediation:

To resolve vulnerability, identify accounts that should not have Tier Zero user credentials and remove those credentials. Resolve any group nesting issues.

Total number of Tier Zero user accounts within a domain is more than 20
Account SID History status

Name: Tier Zero user accounts with SID History populated

Default scope: Tier Zero users

If a user account's sIDHistory attribute is populated, then the account has all the privileges that belong to the SID History as well. Tier Zero user accounts with SID History are particularly concerning as they may have more privilege than is visible and likely indicates an adversary has compromised the account and established a backdoor for persistence.

Remediation:

To resolve vulnerability, remove the references in SID History if the user no longer requires the permissions assigned to the security groups listed. If the permissions are required, add the permission or group membership directly to the user object.

Accounts in scope that have SID History not empty

Name:

Tier Zero groups with SID History populated

Default scope: Tier Zero groups

If a group's sIDHistory attribute is populated, the group members have the privileges that belong to the SID History as well. Tier Zero groups with SID History are particularly concerning as they may have more privilege than is visible and likely indicates an adversary has compromised the account and established a backdoor for persistence.

Remediation:

To resolve vulnerability, remove the references in sIDHistory if the group no longer requires the permissions assigned to the security groups listed. If the permissions are required, add the permission or group membership directly to the group object.

Account SID History local SID status

Name:

User accounts with SID from local domain in their SID History

Default scope:

All users

If a user account's sIDHistory attribute is populated, the account has all the privileges that belong to the SID History as well. While user accounts that were previously migrated may have a SID History from an external domain, the presence of a SID from the same domain is an indication an adversary has compromised the account and granted themselves more privilege than is immediately visible.

Remediation:

To resolve vulnerability, immediately remove the local SID from the compromised user's sIDHistory attribute and investigate who modified the attribute and when.

Accounts in scope that have SID from local domain in their SID History

Name:

Groups with SID from local domain in their SID History

Default scope:

All groups

If a group account's sIDHistory attribute is populated, the group members have all the privileges that belong to the SID History as well. While group accounts that were previously migrated may have a SID History from an external domain, the presence of a SID History from the same domain is an indication an adversary has compromised the account and granted themselves more privilege than is immediately visible.

Remediation:

To resolve vulnerability, immediately remove the local SID from the compromised group's sIDHistory attribute and investigate who modified the attribute and when.

User account status

Name:

Tier Zero user account is disabled

Default scope:

Tier Zero users

 

The number of Tier Zero accounts in a domain should be limited and closely monitored. A Tier Zero account that is disabled but still contains privileges through Tier Zero group membership can be compromised by an adversary and used to elevate privileges.

Remediation:

Remove Tier Zero group membership from user accounts that are disabled.

Users in scope that are disabled
Group Members Count

Name:

Default Active Directory groups which should not be in use contain members

Default scope:

Account Operators

Backup Operators

Cryptographic Operators

Hyper-V Administrators

Network Configuration Operators

Print Operators

Remote Desktop Users

Replicator

Server Operators

Default Active Directory groups have elevated privileges and indirect control over vital aspects of Active Directory. These groups should typically have no members, so the presence of any memberships is a possible sign of an adversary using the group to elevate their privileges.

Remediation:

Remove the members within default Active Directory groups:

  • Account Operators
    (S-1-5-32-548)

  • Backup Operators
    (S-1-5-32-551)

  • Cryptographic Operators
    (S-1-5-32-569)

  • Hyper-V Administrators*
    (S-1-5-32-578)

  • Network Configuration Operators
    (S-1-5-32-556)

  • Print Operators
    (S-1-5-32-550)

  • Remote Desktop Users
    (S-1-5-32-555)

  • Replicator
    (S-1-5-32-552)

  • Server Operators
    (S-1-5-32-549)

* NOTE: The Hyper-V Administrators group may have members If a Hyper-V environment is used.

Groups in scope that have more than 0 members

NOTE: The operator and number of days are editable.

Schema Admins Group Member Count

Name:

Schema Admins group contains members

Default scope:

N/A

Schema Admins group has elevated privileges and indirect control over vital aspects of Active Directory. This group should typically have no members, so the presence of any memberships is a possible sign of an adversary using the group to elevate their privileges.

Remediation:

Remove the members within Schema Admins.

Schema Admins group has more than 0 members

 

NOTE: The operator and number of days are editable.

Non-members of protected groups adminCount attribute value

Name:

Ordinary user accounts with hidden privileges (SDProp)

Default scope:

All users

Microsoft uses the adminCount attribute to indicate an object has had its ACL modified by the system to be more secure as it was a member of one of the administrative groups. An adversary who has breached the directory may try to remain undetected by removing accounts they leveraged to escalate their privileges, and the admincount attribute is evidence of that cover-up. Protected groups include:

  • Account Operators
    (S-1-5-32-548)
  • Administrators
    (S-1-5-32-544)
  • Backup Operators
    (S-1-5-32-551)
  • Cert Publishers
    (S-1-5-21-<domain>-517)
  • Domain Admins
    (S-1-5-21-<domain>-512 )
  • Domain Controllers
    (S-1-5-21-<domain>-516 )
  • Enterprise Admins
    (S-1-5-21-<root_domain>-519)
  • Read-only Domain Controllers
    (only since Windows Server 2008)
    (S-1-5-21-<domain>-521)
  • Replicator
    (S-1-5-32-552)
  • Schema Admins
    (S-1-5-21-<root_domain>-518 )
  • Server Operators
    (S-1-5-32-549)

Remediation:

Investigate accounts that are not members of the protected groups whose adminCount attribute is set to 1 to determine if the user account was recently removed from a protected group and that action was expected. The adminCount attribute should then be manually set back to 0 in the Attribute Editor tab of the user object.

User objects in scope that are not members of protected groups and have adminCount attribute set to 1
Verify group membership of DnsAdmins group

Name:

DnsAdmins group contains members

Default scope:

All users

DNS is an appealing target for adversaries as it can be used to redirect domain queries or launch a denial of service. Members of the DnsAdmins group which are not highly Tier Zero Active Directory administrators are suspicious and increase the attack surface.

Remediation:

Review the members of the DnsAdmins group, determine if any members are not highly Tier Zero Active Directory administrators, and remove them if appropriate.

DnsAdmins group has more than 0 members
Anonymous Logon and Everyone groups are members of Pre-Windows 2000 Compatible Access group

Name:

Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group

Default scope:

N/A

The default permissions on many AD objects are set to allow access to the Pre-Windows 2000 Compatible Access group. If wide-open groups such as Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) are members of the Pre-Windows 2000 Compatible Access group, it creates exposure for an adversary to escalate their privileges.

Remediation:

Remove wide open groups Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) from the Pre-Windows 2000 Compatible Access group (S-1-5-32-554).

 

Pre-Windows 2000 Compatible Access group contains Anonymous Logon and Everyone groups
Tier Zero user account ownership

Name:

Tier Zero users owned by non-Tier Zero accounts

Default scope: N/A

The owner of an object can take control over the object and have all of its permissions. A non-Tier Zero user having ownership over a Tier Zero account can be evidence of tampering and represents an abusable attack path for an adversary.

Remediation:

Remove the non-Tier Zero user ownership on the Tier Zero user account and investigate who modified the owner and when.

Tier Zero user accounts that are owned by a non-Tier Zero account
Tier Zero computer account ownership

Name:

Tier Zero computer is owned by a non-Tier Zero account

Default scope:

N/A

 

Remediation:

Update the owner of the Domain Controller to the Domain Admins group or update other Tier Zero computers to Tier Zero owners.

Tier Zero computer accounts that are owned by a non-Tier Zero account
Account password last changed

Name:

Tier Zero computer accounts that have not cycled their password recently

Default scope:

Tier Zero computers

Tier Zero computers such as domain controllers will change their computer account password periodically (30 days by default). Domain controllers that have older password could be offline and susceptible to having password hashes stolen or used to introduce nefarious changes to the directory.

Remediation:

The reason that prevents servers from changing their password should be investigated. Verify if the computer is offline. If online, check the values of the following registry entries:

  • HKLM\System\CurrentControlSet\
    Services\Netlogon\Parameters\
    DisablePasswordChange must be 0 or not exist

  • HKLM\System\CurrentControlSet
    \Services\Netlogon\Parameters
    \MaximumPasswordAge should be 30

If these values are incorrect, they should be reset to the default values and ensure that they are not set by a GPO.

Accounts in scope that have not updated its password within last 30 days.

 

NOTE: The number of days is editable.

Group Policy "Recovery console: Allow automatic administrative logon" setting

Name:

Tier Zero Group Policy allows Recovery mode to be not password-protected

Default scope:

Tier Zero Group Policies

An unprotected Recovery Mode allows an adversary with physical access to a domain controller the ability to gain access to the Active Directory database.

Remediation:

Configure the "Recovery console: Allow automatic administrative logon" setting located in “Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options” section of the Group Policy to “disabled”

Group Policy objects in scope "Recovery console: Allow automatic administrative logon" is enabled
Tier Zero computer Group Policy "Allow log on” settings

Name:

Non-Tier Zero accounts are able to log onto Tier Zero computers

Default scope: All except Tier Zero users, groups and computers

If a non-Tier Zero user is able to log onto a Tier Zero computer, such as a Domain Controller, locally or by remote session, they can execute code or obtain a copy of all password hashes.

Remediation:

Prevent non-Tier Zero users from logging into Tier Zero computers by removing the "Allow log on locally" and "Allow log on through Remote Desktop Services" rights for any non-Tier Zero group. These settings are located in Computer configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment.

Accounts in scope added to Allow log on locally or Allow log on through Remote Desktop Services in Tier Zero Group Policy
Non-Tier Zero Group Policy "Deny log on” for Domain Admin status

Name:

Domain Admins can log into computers with non-Tier Zero Group Policy

Default scope:

All except Tier Zero Group Policies

When a Tier Zero account logs into a non-Tier Zero computer, their password hash remains in memory and can be harvested by an adversary. If Group Policies do not prevent Domain Admin logons to lower tiers, Tier Zero credentials could be exposed.

Remediation:

Restrict logons to all non-Tier Zero computers for Domain Admins by configuring the "Deny log on locally" and "Deny logon through Remote Desktop Services" in the Group Policy. These settings are located in Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment.

Group Policies in scope that do not have Domain Admins group added to the Deny log on locally or Deny log on through Remote Desktop Services setting

DNS zone dynamic updates status

NOTE: For vulnerabilities that use this template, the hybrid agent service account must be a member of the Domain Admins group.

Name:

DNS zone configuration allows anonymous record updates

Default scope:

N/A

Dynamic DNS records are created by DNS clients or systems on behalf of DNS clients (Example: DHCP servers). On Microsoft DNS servers, there are three possible configurations for dynamic updates: "None", "Nonsecure and secure", "Secure only". The "Nonsecure and secure" setting allows dynamic updates to be accepted without checking if the source of updates is trusted or not. DNS zones configured to allow anonymous record updates can be exploited by adversaries to receive incoming queries and harvest credentials.

Remediation:

If enabling dynamic updates is required for an organization, it is highly recommended to use “Secure only” dynamic updates option which ensures dynamic updates are accepted only from trusted sources. This option is available only if your primary DNS zone is hosted on a domain controller and is an AD-integrated DNS zone.

DNS zone dynamic updates set to Nonsecure and secure
Computer Resource-Based Constrained Delegation status

Name:

Tier Zero computer can be compromised through Resource-Based Constrained Delegation

Default scope:

Tier Zero computers

If Kerberos Resource-Based Constrained Delegation (RBCD) is enabled on a Tier Zero computer such as a domain controller, an adversary can leverage this to elevate from a system under their control to a Tier Zero computer and take effective control over the entire domain.

Remediation:

To resolve vulnerability, in the impacted computer’s Delegation tab, select “Do not trust this computer for delegation”.

The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the impacted computer account (Note: The “Identity” portion of the command will need to be updated to reflect the display name of the computer account being checked):

Get-ADComputer -Identity <computer>
-Properties PrincipalsAllowedToDelegateToAccount

Computer accounts in scope that have Resource-Based Constrained Delegation configured

Name:

Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation

Default scope:

All except Tier Zero computers

If Kerberos Resource-Based Constrained Delegation (RBCD) is enabled on a computer, an adversary can leverage this to elevate from a system under their control to another system it has delegation.

Remediation:

To resolve vulnerability, in the impacted computer’s Delegation tab, select “Do not trust this computer for delegation”.

The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the impacted computer account (Note: The “Identity <computer>” portion of the command will need to be updated to reflect the display name of the computer account being checked):

Get-ADComputer -Identity <computer> -Properties PrincipalsAllowedToDelegateToAccount

Domain Write Group Policy Object link delegation

Name:

Non-Tier Zero accounts can link GPOs to the domain

Default scope:

All except Tier Zero users and groups

 

 

Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) at the domain level they can effectively take over the entire domain.

Remediation:

These delegations should be removed for any non-Tier Zero account unless there is a compelling reason for their existence.

Domain has the “Write gPLink” set to Allow for any accounts in scope
Domain promote a computer to a domain controller delegation

Name:

Non-Tier Zero accounts that can promote a computer to a domain controller

Default scope:

All except Tier Zero users and groups

 

The "Add/remove replica in domain" permission on the domain coupled with the SERVER_TRUST_ACCOUNT attribute in userAccountControl can allow an adversary to promote any computer they reach to a domain controller. This would allow them to move laterally across the directory and take advantage of DC-based attacks to harvest credentials.

Remediation:

The "Add/remove replica in domain" delegation should be removed from any non-Tier Zero account unless there is a compelling reason for its existence.

Domain has “Add/remove replica in domain” set to Allow for any account in scope
Active Directory Site Write gPLink delegation

Name:

Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site

Default scope:

All except Tier Zero users and groups

 

Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) to an Active Directory site, they can directly control all objects it contains.

Remediation:

These delegations should be removed unless there is a compelling reason for their existence.

Active Directory Site has “Write gPLink” set to Allow for any accounts in scope
Domain Controller OU Write gPLink delegation

Name:

Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU

Default scope:

All except Tier Zero users and groups

 

 

Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) to the Domain Controller OU they can directly control the domain controllers.

Remediation:

These delegations should be removed unless there is a compelling reason for their existence.

Domain Controllers OU has “Write gPLink” set to Allow for any accounts in scope
Computer account group membership status

Name:

Tier Zero groups that have computer accounts as members

Default scope:

Tier Zero groups

 

If a computer account is a member of a Tier Zero group, an adversary who compromises the computer will also elevate their privileges to the Tier Zero group the computer belongs to.

Vulnerable objects will not be returned when any computer is a member of Cert Publishers or when a DC or RODC is a member of Domain Controllers, Enterprise Domain Controllers, Read-only Domain Controllers, or Enterprise Read-only Domain Controllers.

Remediation:

Review computer account Tier Zero group membership to determine if the computer should be a member of the Tier Zero group. If not required, remove the account from the group.

 

 

Groups in scope that have computer accounts as members
KRBTGT account resource-based constrained delegation status

Name:

KRBTGT accounts with Resource-Based Constrained Delegation

Default scope:

N/A

Any delegations against the KRBTGT accounts are highly suspicious. If an adversary gains control over the KRBTGT account, they can use this to take control over the entire directory.

Remediation:

To resolve vulnerability, in the KRBTGT account’s Account tab, check “Account is sensitive and cannot be delegated.” The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the KRBTGT account (Note: The “Identity KRBTGT” portion of the command will need to be updated to reflect the name of the KRBTGT account being checked): Get-ADuser -Identity KRBTGT -Properties PrincipalsAllowedToDelegateToAccount

KRBTGT accounts that have Resource-Based Constrained Delegation configured
Domain trust configured insecure status

Name:

Domain trust configured insecurely

Default scope:

Dependent on the domain(s) selected when an Assessment is created. If a selected domain does not have a trust relationship, it will not be assessed for the vulnerability.

Trusts that have insecure settings are exposed to Kerberos-based authentication vulnerabilities or reduced protection against imposter identities.

  • A domain trust is considered insecure if it has the trustAttribute TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_
    TGT_DELEGATION (0x00000800) bit enabled.

  • A domain trust is considered insecure if it has the trustAttribute TRUST_ATTRIBUTE_PIM_TRUST (0x00000400) bit set.

Remediation:

  • Evaluate if EnableTgtDelegation is required and, if not, disable it on your domain trust.

  • Evaluate if EnablePIMTrust is required and, if not, disable it on your domain PAM trust.

Domain trust in scope has EnableTgtDelegation or EnablePIMTrust configured in the trustAttribute
Active Directory group existence in domain Name:

Suspicious ESX Admins group detected in domain

Default scope:

ESX Admins

Microsoft has identified vulnerability CVE-2024-37085 where ESXi hypervisors can be exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors. A threat actor can create a group named “ESX Admins” in the domain and add users to it, which will grant full administrative access on the ESXi hypervisor. “ESX Admins” group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that the group exists when the server is joined to a domain but considers any members of a group with this name as having full administrative access, even if the group did not originally exist. The membership in the group is determined by group name and not by security identifier (SID).

Remediation

Ensure the latest security updates released by VMware are installed on all domain-joined ESXi hypervisors. If installing software updates is not possible, perform the following to reduce the risk:

Validate the group “ESX Admins” exists in the domain and is hardened.

Manually deny access by this group by changing settings in the ESXi hypervisor. If full admin access for the Active Directory ESX admins group is not desired, disable this behavior using the advanced host setting: ‘Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd’.

Change the admin group to a different group in the ESXi hypervisor.

Active Directory group in scope is detected
Account ability to specify a certificate subjectAltName (SAN) in a certificate request

Name:

Non-Tier Zero account can use a misconfigured certificate template to impersonate any user

Default scope:

All except Tier Zero users and groups

 

Certificate template settings determine the characteristics for the derived certificates and the parameters required for a certificate request. A certificate template is considered “misconfigured” if the combination of settings defined can expose an organization to an attacker. A certificate template that meets the following criteria will allow a non-Tier Zero attacker to request a certificate that can be used to authenticate to the domain as a Tier Zero user: Subject Name set to “Supply in the request”, “CA certificate manager approval” is not required, “Authorized signatures” is not required, Extended Key Usage (EKU) facilitates authentication, non-Tier Zero account can enroll (or can grant themselves permission to enroll) in a certificate.

Remediation:

Configure the certificate template Subject Name setting to “Build from this Active Directory information” and set the Issuance Requirements to require “CA certificate manager approval”. In addition, ensure non-Tier Zero accounts do not have Enroll or Full Control permissions granted on the certificate template. It is also recommended that the certificates issued by the certificate authority be reviewed to confirm if the identified non-Tier zero account requested a certificate using the misconfigured certificate template and what Subject Name is used in the request.

Accounts in scope can request a certificate that allows the subjectAltName (SAN) to be specified
Account ability to request an overly permissive certificate with privileged EKU

Name:

Non-Tier Zero account can request an overly permissive certificate with privileged EKU (ESC2)

Default scope:

All except Tier Zero users and groups

Certificate template settings determine the characteristics for the derived certificates and the parameters required for a certificate request. A certificate template is considered “overly permissive” if the combination of settings defined can expose an organization to an attacker. A certificate template that has either no Extended Key Usage (EKU) defined or has the EKU “Any Purpose” is considered privileged.

Remediation:

Ensure non-Tier Zero accounts do not have Enroll or Full Control permissions granted on the certificate template. It is also recommended to enforce extra security such as like adding Manager approval and signing requirements, if possible.

Accounts in scope can request a certificate that has either no EKU defined or has the “Any Purpose” EKU