The following table describes the vulnerabilities identified in the pre-defined Active Directory Discovery for Persistence.

Vulnerability Template:

Foreign Security Principals Tier Zero group membership status

Vulnerability:

Name:

Foreign Security Principals are members of a Tier Zero group

Default scope:

All Foreign Security Principals

Risk:

A Foreign Security Principal (FSP) is an object created by the system to represent a security principal in a trusted external forest. FSPs can also represent special identities, such as Authenticated Users, Anonymous Logon, and Enterprise Domain Controllers. The FSP for a special identity is created when the special identity is added to a group.

Foreign Security Principals can be added to Tier Zero groups in the local domain, but because they do not have the adminCount attribute, their origin can be difficult to audit. As a result, adversaries can abuse this relationship to proceed without being detected.

Remediation:

Investigate Foreign Security Principals that are members of the protected groups and remove the membership if appropriate.

What to find:

Foreign Security Principals in scope that are members of a Tier Zero group
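
One way to run the same check by hand, as an added example that is not part of the product or its documentation: the script lists Foreign Security Principals that are direct members of a set of privileged groups and tries to resolve each SID to a name. It assumes the ActiveDirectory PowerShell module (RSAT) is available, and the group list is an assumed stand-in for your own Tier Zero definition.

```powershell
# Added example: audit FSP membership in Tier Zero groups (direct members only).
Import-Module ActiveDirectory

# Assumption: replace this list with your organization's Tier Zero groups.
$tierZeroGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

# FSP objects live in the domain's ForeignSecurityPrincipals container.
$fspContainer = (Get-ADDomain).ForeignSecurityPrincipalsContainer

$findings = foreach ($name in $tierZeroGroups) {
    # -Filter returns nothing (no error) when a group is absent from this domain.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'" -Properties member
    if (-not $group) { continue }

    foreach ($dn in $group.member) {
        # Keep only members whose DN sits under the FSP container.
        $isFsp = $dn.EndsWith(",$fspContainer", [System.StringComparison]::OrdinalIgnoreCase)
        if (-not $isFsp) { continue }

        $fsp = Get-ADObject -Identity $dn -Properties objectSid, whenCreated, whenChanged

        # Resolution fails when the trust is unreachable or the principal is gone;
        # an unresolved SID in a Tier Zero group is itself worth investigating.
        try {
            $ntAccount = [System.Security.Principal.NTAccount]
            $resolved  = $fsp.objectSid.Translate($ntAccount).Value
        } catch {
            $resolved = '<unresolved>'
        }

        [pscustomobject]@{
            Group       = $group.Name
            Sid         = $fsp.objectSid.Value
            ResolvedAs  = $resolved
            WhenCreated = $fsp.whenCreated
            WhenChanged = $fsp.whenChanged
        }
    }
}

$findings | Sort-Object Group, Sid | Format-Table -AutoSize
```

FSPs that reach a Tier Zero group through a nested group are not reported by this script; walk nested groups separately if your environment uses them.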