This appendix provides details of all indicators in Security Guardian, listed both by severity and by source.
NOTE: For the general criteria Security Guardian uses to determine severity levels, refer to the topic Managing Indicators.
The following table lists all Security Guardian indicators, from most to least severe.
Indicator | Indicator Type | Severity | Source |
---|---|---|---|
Possible Golden Ticket Kerberos exploit | Compromise | Critical | On Demand Audit |
Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Exposure | Critical | On Demand Audit |
Groups with SID from local domain in their SID History | Compromise | Critical | Assessments |
User accounts with SID from local domain in their SID History | Compromise | Critical | Assessments |
Groups with well-known SIDs in their SID History | Compromise | Critical | Assessments |
User accounts with well-known SIDs in their SID History | Compromise | Critical | Assessments |
Potential sIDHistory injection detected | Compromise | Critical | On Demand Audit |
File changes with suspicious file extensions | Compromise | Critical | On Demand Audit |
Irregular domain controller registration detected (DCShadow) | Compromise | Critical | On Demand Audit |
Irregular Active Directory replication activity detected (DCSync) | Compromise | Critical | On Demand Audit |
AD Database (NTDS.dit) file modification attempt detected | Compromise | Critical | On Demand Audit |
Active Directory Database (NTDS.dit) access attempt detected | Compromise | Critical | On Demand Audit |
Inheritance is enabled on the AdminSDHolder container | Compromise | Critical | Assessments |
Non-privileged accounts that can promote a computer to a domain controller | Exposure | Critical | Assessments |
Non-privileged accounts can steal password hashes (DCSync) | Exposure | Critical | Assessments |
Privileged users owned by non-privileged accounts | Compromise | Critical | Assessments |
Privileged computer is owned by a non-privileged account | Compromise | Critical | Assessments |
User accounts with non-default Primary Group IDs | Compromise | Critical | Assessments |
Computer accounts with non-default Primary Group IDs | Compromise | Critical | Assessments |
User accounts without readable Primary Group ID | Compromise | Critical | Assessments |
Computer accounts without readable Primary Group ID | Compromise | Critical | Assessments |
Managed and Group Managed Service accounts that have not cycled their password recently | Compromise | Critical | Assessments |
Non-privileged users with access to gMSA password | Exposure | Critical | Assessments |
Non-privileged accounts can access the gMSA root key | Exposure | Critical | Assessments |
Non-privileged accounts have access to write properties on certificate templates | Exposure | Critical | Assessments |
Non-privileged user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account | Exposure | Critical | Assessments |
Active Directory Operator groups that are not protected by AdminSDHolder | Exposure | Critical | Assessments |
Ordinary user accounts with hidden privileges (SDProp) | Compromise | Critical | Assessments |
User accounts in protected groups that are not protected by AdminSDHolder (SDProp) | Compromise | Critical | Assessments |
KRBTGT accounts with Resource-Based Constrained Delegation | Exposure | Critical | Assessments |
Built-in Administrator account that has been used | Compromise | Critical | Assessments |
Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group | Exposure | Critical | Assessments |
Built-in Guest account is enabled | Exposure | Critical | Assessments |
Schema Admins group contains members | Exposure | Critical | Assessments |
Privileged groups which should not be in use contain members | Exposure | Critical | Assessments |
DNSAdmin group contains members | Exposure | Critical | Assessments |
Non-privileged accounts with Reanimate tombstones permission delegation | Exposure | Critical | Assessments |
Non-privileged accounts with Migrate SID history permission delegation | Exposure | Critical | Assessments |
Non-privileged accounts with Unexpire password permission delegation | Exposure | Critical | Assessments |
Privileged Group Policy allows Recovery Mode to be not password-protected | Exposure | Critical | Assessments |
Privileged groups with SID History populated | Compromise | Critical | Assessments |
Privileged user accounts with SID History populated | Compromise | Critical | Assessments |
Tier Zero group policy object changes | Exposure | Critical | On Demand Audit |
Domain level group policy linked changes detected | Compromise | Critical | On Demand Audit |
Non-privileged accounts can link GPOs to the domain | Exposure | Critical | Assessments |
Non-privileged accounts can link Group Policy Objects to Domain Controller OU | Exposure | Critical | Assessments |
Non-privileged accounts can link Group Policy Objects to an Active Directory site | Exposure | Critical | Assessments |
Security changes to Tier Zero group policy objects | Exposure | Critical | On Demand Audit |
Privileged user accounts with Service Principal Names | Exposure | Critical | Assessments |
User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Exposure | Critical | On Demand Audit |
Non-privileged user accounts with Service Principal Names | Exposure | Critical | Assessments |
Tier Zero group changes | Exposure | Critical | On Demand Audit |
Unusual increase in failed AD changes | Compromise | Critical | On Demand Audit |
Unusual increase in permission changes to AD objects | Compromise | Critical | On Demand Audit |
Security changes to Tier Zero group objects | Exposure | Critical | On Demand Audit |
Security changes to Tier Zero user objects | Exposure | Critical | On Demand Audit |
Administrative privilege elevation detected (adminCount attribute) | Exposure | Critical | On Demand Audit |
Non-privileged accounts are able to log onto privileged computers | Exposure | Critical | Assessments |
Tier Zero user logons to computers that are not Tier Zero | Exposure | Critical | On Demand Audit |
Domain Admins can log into computers with non-privileged Group Policy | Exposure | Critical | Assessments |
Unusual increase in failed AD Federation Services sign-ins | Compromise | Critical | On Demand Audit |
Unusual increase in failed on-premises sign-ins | Compromise | Critical | On Demand Audit |
Unusual increase in AD account lockouts | Compromise | Critical | On Demand Audit |
Unusual increase in file renames | Compromise | Critical | On Demand Audit |
Unusual increase in share access permission changes | Compromise | Critical | On Demand Audit |
Unusual increase in file deletes | Compromise | Critical | On Demand Audit |
Unusual increase in successful AD Federation Services sign-in | Compromise | Critical | On Demand Audit |
Unusual increase in successful on-premises sign-ins | Compromise | Critical | On Demand Audit |
Tier Zero domain and forest configuration changes | Exposure | Critical | On Demand Audit |
Security changes to Tier Zero domain objects | Exposure | Critical | On Demand Audit |
AD schema configuration changes | Exposure | Critical | On Demand Audit |
New Tier Zero Domain detected | Tier Zero | High | Security Guardian |
Domain trust configured insecurely | Exposure | High | Assessments |
Privileged computer accounts that have not cycled their password recently | Exposure | High | Assessments |
Privileged computers that have not recently authenticated to the domain | Exposure | High | Assessments |
Protected group credentials exposed on read-only domain controllers | Exposure | High | Assessments |
Privileged account token can be stolen from a read-only domain controller | Exposure | High | Assessments |
User accounts do not require a password | Exposure | High | Assessments |
Group Policy allows reversible passwords | Exposure | High | Assessments |
User accounts have a reversible password | Exposure | High | Assessments |
Administrator account can be delegated | Exposure | High | Assessments |
Computer accounts with reversible password | Exposure | High | Assessments |
User accounts with Kerberos pre-authentication disabled | Exposure | High | Assessments |
User accounts with unconstrained delegation | Exposure | High | Assessments |
Computer accounts with unconstrained delegation | Exposure | High | Assessments |
User accounts using DES encryption to log in | Exposure | High | Assessments |
Privileged user accounts whose passwords have not changed recently | Exposure | High | Assessments |
Privileged user accounts configured for Password Never Expires | Exposure | High | Assessments |
Non-privileged user accounts configured for Password Never Expires | Exposure | High | Assessments |
Non-privileged accounts with Microsoft Local Administrator Password Solution (LAPS) access | Exposure | High | Assessments |
Privileged computer can be compromised through Resource-Based Constrained Delegation | Exposure | High | Assessments |
Privileged computer that has write permissions on Resource-Based Constrained Delegation granted to a non-privileged account | Exposure | High | Assessments |
Non-privileged computer can be compromised through Resource-Based Constrained Delegation | Exposure | High | Assessments |
Accounts that allow Kerberos protocol transition delegation | Exposure | High | Assessments |
DNS zone configuration allows anonymous record updates | Exposure | High | Assessments |
Tier Zero computer changes | Exposure | High | On Demand Audit |
Security changes to Tier Zero computer objects | Exposure | High | On Demand Audit |
Tier Zero user changes | Exposure | High | On Demand Audit |
Foreign Security Principals are members of a privileged group | Exposure | High | Assessments |
Domain Controller is running SMBv1 protocol | Exposure | High | Assessments |
Non-privileged users can create computer accounts | Exposure | High | Assessments |
Protected Users group is not being used | Exposure | High | Assessments |
Abnormally large number of privileged user accounts in the domain | Exposure | High | Assessments |
Enabled privileged user accounts that are inactive | Exposure | High | Assessments |
Privileged groups that have computer accounts as members | Exposure | High | Assessments |
Anonymous access to Active Directory is enabled | Exposure | High | Assessments |
New Tier Zero GPO detected | Tier Zero | Medium | Security Guardian |
New Tier Zero Group detected | Tier Zero | Medium | Security Guardian |
New Tier Zero Computer detected | Tier Zero | Medium | Security Guardian |
New Tier Zero User detected | Tier Zero | Medium | Security Guardian |
Unprotected Tier Zero Domain | Exposure | Medium | Protection |
Unprotected Active Directory database | Exposure | Medium | Protection |
Unprotected Tier Zero Group Policy | Exposure | Medium | Protection |
Unprotected Tier Zero Group | Exposure | Medium | Protection |
Unprotected Tier Zero Computer | Exposure | Medium | Protection |
Unprotected Tier Zero User | Exposure | Medium | Protection |
Printer Spooler service is enabled on a domain controller | Exposure | Medium | Assessments |
Privileged user account is disabled | Exposure | Medium | Assessments |
Domain with obsolete domain functional level | Exposure | Medium | Assessments |
NTLM version 1 authentications | Exposure | Medium | On Demand Audit |
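Several of the Critical Assessments indicators in the table above are pure object-attribute checks that can be reproduced offline: SID History entries that belong to the local domain or to well-known SIDs (for users, computers and groups), and Primary Group IDs that are non-default or cannot be read. The Python below is an added example written for this appendix; it is not Quest's code and not the logic Security Guardian itself uses. The records, the domain SIDs and the rule that RIDs below 1000 count as well-known are constructed assumptions for illustration, and read-only domain controllers (primary group 521) are deliberately not modelled.

```python
"""Offline evaluation of six of the Critical 'Assessments' indicators listed above:
SID History entries from the local domain or from well-known SIDs, and non-default or
unreadable Primary Group IDs.  Added example, not Quest's code; it runs over constructed
records shaped like LDAP attribute bags (objectClass, sIDHistory, primaryGroupID,
userAccountControl) rather than querying a live directory."""
import re

# Assumption: the local domain SID and the records below are constructed for this example.
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
FOREIGN_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # a migrated-from domain

SERVER_TRUST_ACCOUNT = 0x2000          # userAccountControl flag set on writable domain controllers
ACCOUNT_SID_RE = re.compile(r"(S-1-5-21(?:-\d+){3})-(\d+)")
LABEL = {"user": "User accounts", "computer": "Computer accounts", "group": "Groups"}


def split_account_sid(sid):
    """Return (domain SID, RID) for an S-1-5-21-... account SID, else (None, None)."""
    m = ACCOUNT_SID_RE.fullmatch(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def is_well_known(sid):
    """Well-known here means: not an ordinary account SID of any domain.
    Universal SIDs (Everyone S-1-1-0, BUILTIN\\Administrators S-1-5-32-544, ...) have no
    S-1-5-21 domain part; within a domain, RIDs below 1000 are reserved for built-in
    principals (Administrator 500, krbtgt 502, Domain Admins 512, Enterprise Admins 519)."""
    domain, rid = split_account_sid(sid)
    return domain is None or rid < 1000


def default_primary_group_rids(obj):
    """Expected primaryGroupID: Domain Users (513) for users; Domain Computers (515) for
    member computers, Domain Controllers (516) for writable DCs.  Caveat: read-only DCs
    legitimately use 521 and would need msDS-isRODC to be handled; not modelled here."""
    if obj["objectClass"] == "user":
        return {513}
    return {516} if obj.get("userAccountControl", 0) & SERVER_TRUST_ACCOUNT else {515}


def evaluate(obj, local_domain_sid):
    """Return the sorted list of indicator names that fire for one object."""
    label = LABEL[obj["objectClass"]]
    findings = set()
    for sid in obj.get("sIDHistory", []):
        if sid.startswith(local_domain_sid + "-"):
            findings.add(f"{label} with SID from local domain in their SID History")
        if is_well_known(sid):
            findings.add(f"{label} with well-known SIDs in their SID History")
    if obj["objectClass"] != "group":            # groups carry no primaryGroupID
        if obj.get("primaryGroupID") is None:    # attribute absent: reader denied or value missing
            findings.add(f"{label} without readable Primary Group ID")
        elif obj["primaryGroupID"] not in default_primary_group_rids(obj):
            findings.add(f"{label} with non-default Primary Group IDs")
    return sorted(findings)


def run_assessment(objects, local_domain_sid):
    """Map sAMAccountName -> list of fired indicators for every object."""
    return {o["sAMAccountName"]: evaluate(o, local_domain_sid) for o in objects}


# Constructed sample directory: a clean migrated user, a user with an injected Domain
# Admins SID, a workstation claiming the Domain Controllers primary group, a user whose
# primaryGroupID could not be read, a writable DC, and a clean migrated group.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "jdoe", "objectClass": "user", "primaryGroupID": 513,
     "sIDHistory": [FOREIGN_DOMAIN_SID + "-1105"]},
    {"sAMAccountName": "svc-backup", "objectClass": "user", "primaryGroupID": 513,
     "sIDHistory": [LOCAL_DOMAIN_SID + "-512"]},
    {"sAMAccountName": "WS01$", "objectClass": "computer", "primaryGroupID": 516,
     "userAccountControl": 0x1000},
    {"sAMAccountName": "helpdesk", "objectClass": "user",
     "sIDHistory": ["S-1-5-32-544"]},
    {"sAMAccountName": "DC01$", "objectClass": "computer", "primaryGroupID": 516,
     "userAccountControl": SERVER_TRUST_ACCOUNT},
    {"sAMAccountName": "Finance-RO", "objectClass": "group",
     "sIDHistory": [FOREIGN_DOMAIN_SID + "-1201"]},
]

if __name__ == "__main__":
    for name, fired in run_assessment(SAMPLE_OBJECTS, LOCAL_DOMAIN_SID).items():
        print(f"{name:12} {fired or 'clean'}")
```

The local-domain check is the one that matters most: a SID from another domain in sIDHistory is the normal result of a migration, whereas a SID from the domain the object already lives in has no legitimate origin and is the signature of sIDHistory injection. The same records would be obtained on a live domain by reading sIDHistory, primaryGroupID and userAccountControl for every user, computer and group.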
Security Guardian indicators originate from the sources shown in the Source column above: Assessments, On Demand Audit, Protection, and Security Guardian itself (the New Tier Zero object indicators).
The following table contains an alphabetical list of all indicators that originate from On Demand Audit.
Indicator | Indicator Type | Severity |
---|---|---|
Active Directory Database (NTDS.dit) access attempt detected | Compromise | Critical |
AD Database (NTDS.dit) file modification attempt detected | Compromise | Critical |
AD schema configuration changes | Exposure | Critical |
Administrative privilege elevation detected (adminCount attribute) | Exposure | Critical |
Domain level group policy linked changes detected | Compromise | Critical |
File changes with suspicious file extensions | Compromise | Critical |
Irregular Active Directory replication activity detected (DCSync) | Compromise | Critical |
Irregular domain controller registration detected (DCShadow) | Compromise | Critical |
NTLM version 1 authentications | Exposure | Medium |
Possible Golden Ticket Kerberos exploit | Compromise | Critical |
Potential sIDHistory injection detected | Compromise | Critical |
Security changes to Tier Zero computer objects | Exposure | High |
Security changes to Tier Zero domain objects | Exposure | Critical |
Security changes to Tier Zero group objects | Exposure | Critical |
Security changes to Tier Zero group policy objects | Exposure | Critical |
Security changes to Tier Zero user objects | Exposure | Critical |
Tier Zero computer changes | Exposure | High |
Tier Zero domain and forest configuration changes | Exposure | Critical |
Tier Zero group changes | Exposure | Critical |
Tier Zero group policy object changes | Exposure | Critical |
Tier Zero user changes | Exposure | High |
Tier Zero user logons to computers that are not Tier Zero | Exposure | Critical |
Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Exposure | Critical |
Unusual increase in AD account lockouts | Compromise | Critical |
Unusual increase in failed AD changes | Compromise | Critical |
Unusual increase in failed AD Federation Services sign-ins | Compromise | Critical |
Unusual increase in failed on-premises sign-ins | Compromise | Critical |
Unusual increase in file deletes | Compromise | Critical |
Unusual increase in file renames | Compromise | Critical |
Unusual increase in permission changes to AD objects | Compromise | Critical |
Unusual increase in share access permission changes | Compromise | Critical |
Unusual increase in successful AD Federation Services sign-in | Compromise | Critical |
Unusual increase in successful on-premises sign-ins | Compromise | Critical |
User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Exposure | Critical |
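Most On Demand Audit indicators above are event-driven. As an added example of the detection behind one of them, "Irregular Active Directory replication activity detected (DCSync)", the Python below evaluates Windows Security event 4662 records for replication rights exercised by a principal that is not a domain controller. It is written for this appendix, is not Quest's code, and is not how On Demand Audit itself implements the indicator. The events, the domain name and the list of domain controller accounts are constructed; the GUIDs are the real control-access-right and schema identifiers.

```python
"""Detection logic for the 'Irregular Active Directory replication activity detected
(DCSync)' indicator, run over constructed Windows Security events.  Added example, not
Quest's code and not how On Demand Audit itself implements the indicator.  Assumes
events are already parsed into dicts keyed by the 4662 field names, and that the caller
supplies the accounts allowed to replicate (the domain controllers)."""
import re

# Extended rights on the domain object that DCSync (and genuine replication) requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def replication_rights_in(properties):
    """Names of replication rights whose GUIDs appear in a 4662 Properties field."""
    found = {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
             if g.lower() in REPLICATION_RIGHTS}
    return sorted(found)


def detect_dcsync(events, legit_replicators):
    """Return one alert per 4662 event in which a non-DC principal exercised a
    replication right.  legit_replicators holds the SubjectUserName values (DC computer
    accounts such as 'DC01$') that are expected to replicate."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue                                 # some other control-access right
        if ev["SubjectUserName"] in legit_replicators:
            continue                                 # DC-to-DC replication is expected
        alerts.append({
            "time": ev.get("TimeCreated", ""),
            "subject": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            "object": ev.get("ObjectName", ""),
            "rights": rights,
        })
    return alerts


DC_ACCOUNTS = {"DC01$", "DC02$"}                     # constructed allowlist of DC accounts
DOMAIN_DN = "DC=corp,DC=example,DC=com"              # constructed domain
DOMAIN_DNS_TYPE = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # ObjectType of the domain object

# Constructed events: routine inter-DC replication, a user account pulling the whole
# directory (DCSync), the same user exercising an unrelated right, and a logon event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-05-02T08:00:01Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "DC02$", "ObjectType": DOMAIN_DNS_TYPE, "ObjectName": DOMAIN_DN,
     "Properties": "Control Access\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2024-05-02T08:13:42Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ObjectType": DOMAIN_DNS_TYPE, "ObjectName": DOMAIN_DN,
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2024-05-02T08:14:10Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "ObjectName": "CN=jdoe,OU=Staff," + DOMAIN_DN,
     "Properties": "Control Access\n\t\t{ab721a53-1e2f-11d0-9819-00aa0040529b}"},  # User-Change-Password
    {"EventID": 4624, "TimeCreated": "2024-05-02T08:15:00Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"{a['time']} {a['subject']} exercised {', '.join(a['rights'])} on {a['object']}")
```

Two caveats apply when running this against real logs. Event 4662 is only written if the domain object's SACL audits Control Access (Audit Directory Service Access), so the absence of alerts proves nothing until that audit policy is confirmed. And some non-DC principals legitimately hold replication rights, for example the Azure AD Connect synchronization account; those should be added to the allowlist only after their rights have been reviewed, since the companion Assessments indicator "Non-privileged accounts can steal password hashes (DCSync)" exists precisely because the right is often granted more widely than intended.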
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.