Account Primary Group ID |
Name:
User accounts with non-default Primary Group IDs
Default scope:
All users |
User accounts whose Primary Group IDs have been modified may have elevated privileges which are difficult to see and therefore easier to exploit within detection.
Remediation:
To resolve vulnerability, in the account's Attribute Editor tab, select primaryGroupID and change the value to either 513 (Domain Users) or 514 (Domain Guest). |
Accounts in scope that have a “Primary Group” that is not Domain Users or Domain Guests |
Name:
Computer accounts with non-default Primary Group IDs Default scope: All computers |
Computer accounts whose Primary Group IDs have been modified may have elevated privileges which are difficult to see and therefore easier to exploit within detection.
Remediation:
-
The Primary Group ID should be reset to its default value. The default primary group for computer accounts is:
-
"Domain Computers" (515)
-
for domain controller accounts, "Domain Controllers" (516)
-
for read-only domain controllers, "Read-only Domain Controllers" (521). |
Accounts in scope that have a “Primary Group” that is not Domain Computers or Domain Controllers or Read-Only Domain Controllers |
Users Service Principal Name status |
Name:
Privileged user accounts with Service Principal Names
Default scope:
Tier Zero users |
Privileged user accounts with Service Principal Names (SPNs) defined are exposed to Kerberos-based authentication attacks, enabling an adversary to escalate their privileges within the directory.
Remediation:
To resolve vulnerability, remove the Service Principal Name from the user object, if possible. If the Service Principal Name cannot be removed, enforce a very strong password on the user object which contains 32 characters with upper case, lower case, numeral, and special characters. Principal Name from the user object, if possible. If the Service Principal Name cannot be removed, enforce a very strong password on the user object which contains 32 characters with upper case, lower case, numeral, and special characters. |
User accounts in scope that have “Service Principal Name” not empty |
Number of privileged user accounts |
Name:
Abnormally large number of privileged user accounts in the domain
Default scope:
N/A |
The number of privileged accounts in a domain should be limited and closely monitored. An abnormally high number of privileged accounts could indicate loose permissioning or group nesting which should be addressed. Tier Zero user accounts are being evaluated for this vulnerability.
Remediation:
To resolve vulnerability, identify accounts that should not have privileged user credentials and remove those credentials. Resolve any group nesting issues. |
Total number of privileged user accounts within a domain is more than 20 |
Account SID History status |
Name: Privileged user accounts with SID History populated
Default scope: Tier Zero users |
If a user account's sIDHistory attribute is populated, then the account has all the privileges that belong to the SID History as well. Privileged user accounts with SID History are particularly concerning as they may have more privilege than is visible and likely indicates an adversary has compromised the account and established a backdoor for persistence.
Remediation:
To resolve vulnerability, remove the references in SID History if the user no longer requires the permissions assigned to the security groups listed. If the permissions are required, add the permission or group membership directly to the user object. |
Accounts in scope that have SID History not empty |
Name:
Privileged groups with SID History populated
Default scope: Tier Zero groups |
If a group's sIDHistory attribute is populated, the group members have the privileges that belong to the SID History as well. Privileged groups with SID History are particularly concerning as they may have more privilege than is visible and likely indicates an adversary has compromised the account and established a backdoor for persistence.
Remediation:
To resolve vulnerability, remove the references in sIDHistory if the group no longer requires the permissions assigned to the security groups listed. If the permissions are required, add the permission or group membership directly to the group object. |
Account SID History local SID status |
Name:
User accounts with SID from local domain in their SID History
Default scope:
All users |
If a user account's sIDHistory attribute is populated, the account has all the privileges that belong to the SID History as well. While user accounts that were previously migrated may have a SID History from an external domain, the presence of a SID from the same domain is an indication an adversary has compromised the account and granted themselves more privilege than is immediately visible.
Remediation:
To resolve vulnerability, immediately remove the local SID from the compromised user's sIDHistory attribute and investigate who modified the attribute and when. |
Accounts in scope that have SID from local domain in their SID History |
Name:
Groups with SID from local domain in their SID History
Default scope:
All groups |
If a group account's sIDHistory attribute is populated, the group members have all the privileges that belong to the SID History as well. While group accounts that were previously migrated may have a SID History from an external domain, the presence of a SID History from the same domain is an indication an adversary has compromised the account and granted themselves more privilege than is immediately visible.
Remediation:
To resolve vulnerability, immediately remove the local SID from the compromised group's sIDHistory attribute and investigate who modified the attribute and when. |
User account status |
Name:
Privileged user account is disabled
Default scope:
Tier Zero users
|
The number of privileged accounts in a domain should be limited and closely monitored. A privileged account that is disabled but still contains privileges through privileged group membership can be compromised by an adversary and used to elevate privileges.
Remediation:
Remove privileged group membership from user accounts that are disabled. |
Users in scope that are disabled |
Group Members Count |
Name:
Privileged groups which should not be in use contain members
Default scope:
Account Operators
Backup Operators Cryptographic Operators
Hyper-V Administrators
Network Configuration Operators
Print Operators
Remote Desktop Users
Replicator
Server Operators |
Privileged groups have elevated privileges and indirect control over vital aspects of Active Directory. These groups should typically have no members, so the presence of any memberships is a possible sign of an adversary using the group to elevate their privileges.
Remediation:
Remove the members within privileged groups:
-
Account Operators (S-1-5-32-548)
-
Backup Operators (S-1-5-32-551)
-
Cryptographic Operators (S-1-5-32-569)
-
Hyper-V Administrators (S-1-5-32-578)
-
Network Configuration Operators (S-1-5-32-556)
-
Print Operators (S-1-5-32-550)
-
Remote Desktop Users (S-1-5-32-555)
-
Replicator (S-1-5-32-552)
-
Server Operators (S-1-5-32-549)
NOTE: The Hyper-V Administrators group may have members If a Hyper-V environment is used. |
Groups in scope that have more than 0 members
NOTE: The operator and number of days are editable. |
Schema Admins Group Member Count |
Name:
Schema Admins group contains members
Default scope:
N/A |
Schema Admins group has elevated privileges and indirect control over vital aspects of Active Directory. This group should typically have no members, so the presence of any memberships is a possible sign of an adversary using the group to elevate their privileges.
Remediation:
Remove the members within Schema Admins. |
Schema Admins group has more than 0 members
NOTE: The operator and number of days are editable. |
Non-members of protected groups adminCount attribute value |
Name:
Ordinary user accounts with hidden privileges (SDProp)
Default scope:
All users |
Microsoft uses the adminCount attribute to indicate an object has had its ACL modified by the system to be more secure as it was a member of one of the administrative groups. An adversary who has breached the directory may try to remain undetected by removing accounts they leveraged to escalate their privileges, and the admincount attribute is evidence of that cover-up. Protected groups include:
- Account Operators
(S-1-5-32-548)
- Administrators
(S-1-5-32-544)
- Backup Operators
(S-1-5-32-551)
- Cert Publishers
(S-1-5-21-<domain>-517)
- Domain Admins
(S-1-5-21-<domain>-512 )
- Domain Controllers
(S-1-5-21-<domain>-516 )
- Enterprise Admins
(S-1-5-21-<root_domain>-519)
- Read-only Domain Controllers
(only since Windows Server 2008) (S-1-5-21-<domain>-521)
- Replicator
(S-1-5-32-552)
- Schema Admins
(S-1-5-21-<root_domain>-518 )
- Server Operators
(S-1-5-32-549)
Remediation:
Investigate accounts that are not members of the protected groups whose adminCount attribute is set to 1 to determine if the user account was recently removed from a protected group and that action was expected. The adminCount attribute should then be manually set back to 0 in the Attribute Editor tab of the user object. |
User objects in scope that are not members of protected groups and have adminCount attribute set to 1 |
Verify group membership of DnsAdmins group |
Name:
DnsAdmins group contains members
Default scope:
All users |
DNS is an appealing target for adversaries as it can be used to redirect domain queries or launch a denial of service. Members of the DnsAdmins group which are not highly privileged Active Directory administrators are suspicious and increase the attack surface.
Remediation:
Review the members of the DnsAdmins group, determine if any members are not highly privileged Active Directory administrators, and remove them if appropriate. |
DnsAdmins group has more than 0 members |
Anonymous Logon and Everyone groups are members of Pre-Windows 2000 Compatible Access group |
Name:
Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group
Default scope:
N/A |
The default permissions on many AD objects are set to allow access to the Pre-Windows 2000 Compatible Access group. If wide-open groups such as Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) are members of the Pre-Windows 2000 Compatible Access group, it creates exposure for an adversary to escalate their privileges.
Remediation:
Remove wide open groups Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) from the Pre-Windows 2000 Compatible Access group (S-1-5-32-554).
|
Pre-Windows 2000 Compatible Access group contains Anonymous Logon and Everyone groups |
Privileged user account ownership |
Name:
Privileged users owned by non-privileged accounts
Default scope: N/A |
The owner of an object can take control over the object and have all of its permissions. A non-privileged user having ownership over a privileged account can be evidence of tampering and represents an abusable attack path for an adversary.
Remediation:
Remove the non-privileged user ownership on the privileged user account and investigate who modified the owner and when. |
Privileged user accounts that are owned by a non-privileged account |
Privileged computer account ownership |
Name:
Privileged computer is owned by a non-privileged account
Default scope:
N/A
|
The owner of an object can take control over the object and therefore has all of its permissions. In cases where a Domain Controller was promoted after the Windows Server was provisioned, it is possible that a group belonging to the server infrastructure team still owns the computer. If a Domain Controller account is not under the ownership of either the Enterprise Admins, Domain Admins or Administrator account then it is exposed to being compromised and its password hashes stolen.
Remediation:
Update the owner of the Domain Controller to the Domain Admins group or update other Tier Zero computers to Tier Zero owners. |
Privileged computer accounts that are owned by a non-privileged account |
Account password last changed |
Name:
Privileged computer accounts that have not cycled their password recently
Default scope:
Tier Zero computers |
Privileged computers such as domain controllers will change their computer account password periodically (30 days by default). Domain controllers that have older password could be offline and susceptible to having password hashes stolen or used to introduce nefarious changes to the directory.
Remediation:
The reason that prevents servers from changing their password should be investigated. Verify if the computer is offline. If online, check the values of the following registry entries:
If these values are incorrect, they should be reset to the default values and ensure that they are not set by a GPO. |
Accounts in scope that have not updated its password within last 30 days.
NOTE: The number of days is editable. |
Group Policy "Recovery console: Allow automatic administrative logon" setting |
Name:
Privileged Group Policy allows Recovery mode to be not password-protected
Default scope:
Tier Zero Group Policies |
An unprotected Recovery Mode allows an adversary with physical access to a domain controller the ability to gain access to the Active Directory database.
Remediation:
Configure the "Recovery console: Allow automatic administrative logon" setting located in “Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options” section of the Group Policy to “disabled” |
Group Policy objects in scope "Recovery console: Allow automatic administrative logon" is enabled |
Privileged computer Group Policy "Allow log on” settings |
Name:
Non-privileged accounts are able to log onto privileged computers
Default scope: All except Tier Zero users, groups and computers |
If a non-privileged user is able to log onto a privileged computer, such as a Domain Controller, locally or by remote session, they can execute code or obtain a copy of all password hashes.
Remediation:
Prevent non-privileged users from logging into privileged computers by removing the "Allow log on locally" and "Allow log on through Remote Desktop Services" rights for any non-privileged group. These settings are located in Computer configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment. |
Accounts in scope added to Allow log on locally or Allow log on through Remote Desktop Services in privileged Group Policy |
Non-privileged Group Policy "Deny log on” for Domain Admin status |
Name:
Domain Admins can log into computers with non-privileged Group Policy
Default scope:
All except Tier Zero Group Policies |
When a privileged account logs into a non-privileged computer, their password hash remains in memory and can be harvested by an adversary. If Group Policies do not prevent Domain Admin logons to lower tiers, privileged credentials could be exposed.
Remediation:
Restrict logons to all non-privileged computers for Domain Admins by configuring the "Deny log on locally" and "Deny logon through Remote Desktop Services" in the Group Policy. These settings are located in Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment. |
Group Policies in scope that do not have Domain Admins group added to the Deny log on locally or Deny log on through Remote Desktop Services setting |
DNS zone dynamic updates status
|
NOTE: For vulnerabilities that use this template, the hybrid agent service account must be a member of the Domain Admins group. | |
Name:
DNS zone configuration allows anonymous record updates
Default scope:
N/A |
Dynamic DNS records are created by DNS clients or systems on behalf of DNS clients (Example: DHCP servers). On Microsoft DNS servers, there are three possible configurations for dynamic updates: "None", "Nonsecure and secure", "Secure only". The "Nonsecure and secure" setting allows dynamic updates to be accepted without checking if the source of updates is trusted or not. DNS zones configured to allow anonymous record updates can be exploited by adversaries to receive incoming queries and harvest credentials.
Remediation:
If enabling dynamic updates is required for an organization, it is highly recommended to use “Secure only” dynamic updates option which ensures dynamic updates are accepted only from trusted sources. This option is available only if your primary DNS zone is hosted on a domain controller and is an AD-integrated DNS zone. |
DNS zone dynamic updates set to Nonsecure and secure |
Computer Resource-Based Constrained Delegation status |
Name:
Privileged computer can be compromised through Resource-Based Constrained Delegation
Default scope:
Tier Zero computers |
If Kerberos Resource-Based Constrained Delegation (RBCD) is enabled on a privileged computer such as a domain controller, an adversary can leverage this to elevate from a system under their control to a privileged computer and take effective control over the entire domain.
Remediation:
To resolve vulnerability, in the impacted computer’s Delegation tab, select “Do not trust this computer for delegation”.
The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the impacted computer account (Note: The “Identity <computer>” portion of the command will need to be updated to reflect the display name of the computer account being checked):
Get-ADComputer -Identity <computer> -Properties PrincipalsAllowedToDelegateToAccount |
Computer accounts in scope for which Resource-Based Constrained Delegation has values |
Name:
Non-privileged computer can be compromised through Resource-Based Constrained Delegation
Default scope:
All except Tier Zero computers |
If Kerberos Resource-Based Constrained Delegation (RBCD) is enabled on a computer, an adversary can leverage this to elevate from a system under their control to another system it has delegation.
Remediation:
To resolve vulnerability, in the impacted computer’s Delegation tab, select “Do not trust this computer for delegation”.
The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the impacted computer account (Note: The “Identity <computer>” portion of the command will need to be updated to reflect the display name of the computer account being checked):
Get-ADComputer -Identity <computer> -Properties PrincipalsAllowedToDelegateToAccount |
Domain Write Group Policy Object link delegation |
Name:
Non-privileged accounts can link GPOs to the domain
Default scope:
All except Tier Zero users and groups
|
Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) at the domain level they can effectively take over the entire domain.
Remediation:
These delegations should be removed for any non-privileged unless there is a compelling reason for their existence. |
Domain has the “Write gPLink” set to Allow for any accounts in scope |
Domain promote a computer to a domain controller delegation |
Name:
Non-privileged accounts that can promote a computer to a domain controller
Default scope:
All except Tier Zero users and groups
|
The "Add/remove replica in domain" permission on the domain coupled with the SERVER_TRUST_ACCOUNT attribute in userAccountControl can allow an adversary to promote any computer they reach to a domain controller. This would allow them to move laterally across the directory and take advantage of DC-based attacks to harvest credentials.
Remediation:
The "Add/remove replica in domain" delegation should be removed from any non-privileged account unless there is a compelling reason for its existence. |
Domain has “Add/remove replica in domain” set to Allow for any account in scope |
Active Directory Site Write gPLink delegation |
Name:
Non-privileged accounts can link Group Policy Objects to an Active Directory site
Default scope:
All except Tier Zero users and groups
|
Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) to an Active Directory site, they can directly control all objects it contains.
Remediation:
These delegations should be removed unless there is a compelling reason for their existence. |
Active Directory Site has “Write gPLink” set to Allow for any accounts in scope |
Domain Controller OU Write gPLink delegation |
Name:
Non-privileged accounts can link Group Policy Objects to Domain Controller OU
Default scope:
All except Tier Zero users and groups
|
Group Policies are an effective attack path as they can be used to weaken directory-wide security or deploy payloads. If an adversary gains the ability to link a Group Policy Object (GPO) to the Domain Controller OU they can directly control the domain controllers.
Remediation:
These delegations should be removed unless there is a compelling reason for their existence. |
Domain Controllers OU has “Write gPLink” set to Allow for any accounts in scope |
Computer account group membership status |
Name:
Privileged groups that have computer accounts as members
Default scope:
Tier Zero groups
|
If a computer account is a member of a privileged group, an adversary who compromises the computer will also elevate their privileges to the privileged group the computer belongs to. Vulnerable objects will not be returned when any computer is a member of Cert Publishers or when a DC\RODC is a member of Domain Controllers, Enterprise Domain Controllers, Read-only Domain Controllers, or Enterprise Read-only Domain Controllers.
Remediation:
Review computer account privileged group membership to determine if the computer should be a member of the privileged group. If not required, remove the account from the group.
|
Groups in scope that have computer accounts as members |
KRBTGT account resource-based constrained delegation status |
Name:
KRBTGT accounts with Resource-Based Constrained Delegation
Default scope:
N/A |
Any delegations against the KRBTGT accounts are highly suspicious. If an adversary gains control over the KRBTGT account, they can use this to take control over the entire directory.
Remediation:
To resolve vulnerability, in the KRBTGT account’s Account tab, check “Account is sensitive and cannot be delegated.” The following PowerShell command can be used to verify the account that has Resource-Based Constrained Delegation against the KRBTGT account (Note: The “Identity KRBTGT” portion of the command will need to be updated to reflect the name of the KRBTGT account being checked): Get-ADuser -Identity KRBTGT -Properties PrincipalsAllowedToDelegateToAccount |
KRBTGT accounts that have Resource-Based Constrained Delegation configured |
Domain trust configured insecure status |
Name:
Domain trust configured insecurely
Default scope:
Dependent on the domain(s) selected when an Assessment is created. If a selected domain does not have a trust, it will not be assessed for the vulnerability. |
Trusts that have insecure settings are exposed to Kerberos-based authentication vulnerabilities or reduced protection against imposter identities.
Remediation:
|
Domain trust in scope has EnableTgtDelegation or EnablePIMTrust configured in the trustAttribute |