The following table describes the vulnerabilities identified in the pre-defined Active Directory Discovery for Defense Evasion.

Vulnerability Template | Vulnerability | Risk | What to find
Built-in Administrator account last used

Name:

Built-in Administrator account that has been used

Default scope:

N/A

The Built-in Administrator should never be used because it cannot be tied back to an individual. Any use of the account likely indicates it has been compromised.

Remediation:

To resolve the vulnerability, make sure that the Built-in Administrator account (if it has been renamed, the account whose SID is S-1-5-21-domain-500) has not been used within the last 30 days.

Built-in Administrator account was last used less than 30 days ago

NOTE: The number of days is editable.

Members of protected groups adminCount attribute value

Name:

User accounts in protected groups that are not protected by AdminSDHolder (SDProp)

Default scope:

All users

Microsoft uses the adminCount attribute to indicate that the system has modified an object's ACL to make it more secure because the object was a member of one of the administrative groups. Accounts that are members of the protected groups but whose adminCount attribute is not set to 1 could be evidence of an adversary who has breached the directory and is trying to remain undetected. Protected groups include:

  • Account Operators (S-1-5-32-548)
  • Administrators (S-1-5-32-544)
  • Backup Operators (S-1-5-32-551)
  • Cert Publishers (S-1-5-domain-517)
  • Domain Admins (S-1-5-domain-512)
  • Domain Controllers (S-1-5-domain-516)
  • Enterprise Admins (S-1-5-root_domain-519)
  • Read-only Domain Controllers (only since Windows Server 2008) (S-1-5-domain-521)
  • Replicator (S-1-5-32-552)
  • Schema Admins (S-1-5-root_domain-518)
  • Server Operators (S-1-5-32-549)

Remediation:

Investigate accounts that are members of the protected groups whose adminCount attribute is not set to 1 to determine why the attribute is not set by Active Directory.

User objects in scope that are members of protected groups and have adminCount attribute set to 0 or not set.

Account Primary Group ID permissions

Name:

User accounts without readable Primary Group ID

Default scope:

All users

Inability to read the Primary Group ID can indicate that read permissions have been removed by an adversary trying to cover their tracks as they elevate their permissions in an environment.

Remediation:

To resolve the vulnerability, review the User object and remove any Deny Read permissions which would prevent the Primary Group ID from being read.

Accounts in scope that have Deny Read set for the “Primary Group ID” attribute

Name:

Computer accounts without readable Primary Group ID

Default scope:

All computers

Inability to read the Primary Group ID can indicate that read permissions have been removed by an adversary trying to cover their tracks as they elevate their permissions in an environment.

Remediation:

To resolve the vulnerability, review the computer object and remove any Deny Read permissions which would prevent the Primary Group ID attribute from being read.

Active Directory Operator group AdminSDHolder protection status

Name:

Active Directory Operator groups that are not protected by AdminSDHolder

Default scope:

N/A

The AdminSDHolder object maintains a template of permissions that are automatically applied to Tier Zero groups to ensure their security. A change to the AdminSDHolder behavior could indicate that an adversary has compromised the directory and is covering their tracks. The dwAdminSDExMask bit in the dsHeuristics attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com can be configured so that the following Active Directory Operator groups (and their nested members) are no longer protected:

  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators

Remediation:

Set the 16th character (dwAdminSDExMask bit) of the dsHeuristics attribute to 0 to ensure that no Operator groups are excluded from AdminSDHolder protection. The dsHeuristics attribute is located on the Directory Service object in CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com.

The dsHeuristics attribute on the Directory Service object indicates some Operator groups are excluded from AdminSDHolder protection
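
The check in the last row can be reproduced by decoding the 16th character of a dsHeuristics value that has already been read from the Directory Service object. The following is an added example, not code from the product described here. The function names are hypothetical, the sample values are constructed, and the bit-to-group mapping is assumed from Microsoft's documented dwAdminSDExMask layout.

```python
# Added example: decode the dwAdminSDExMask character of a dsHeuristics value.
# Assumption: the bit-to-group mapping below follows Microsoft's documented
# dwAdminSDExMask layout; it is not taken from the table above.
EXCLUDABLE_GROUPS = {
    0x1: "Account Operators",
    0x2: "Server Operators",
    0x4: "Print Operators",
    0x8: "Backup Operators",
}
MASK_POSITION = 16  # 1-based position of dwAdminSDExMask in dsHeuristics


def excluded_operator_groups(ds_heuristics):
    """Return the Operator groups excluded from AdminSDHolder protection.

    ds_heuristics is the attribute value as a string, or None when unset.
    A missing value, or one shorter than 16 characters, leaves the mask at
    its default of 0, so every Operator group is still protected.
    """
    if not ds_heuristics or len(ds_heuristics) < MASK_POSITION:
        return []
    mask_char = ds_heuristics[MASK_POSITION - 1]
    try:
        mask = int(mask_char, 16)  # the character is a single hex digit
    except ValueError:
        raise ValueError(f"character 16 is not a hex digit: {mask_char!r}") from None
    return [name for bit, name in EXCLUDABLE_GROUPS.items() if mask & bit]


def is_finding(ds_heuristics):
    """True when the value matches the 'What to find' condition of this row."""
    return bool(excluded_operator_groups(ds_heuristics))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    samples = [None, "0000002", "000000000100000f",
               "0000000001000005", "0000000001000000"]
    for value in samples:
        groups = excluded_operator_groups(value)
        print(repr(value), "->", groups or "all Operator groups protected")
```

A value that is unset or shorter than 16 characters is reported as clean, which matches the remediation target of 0 in the 16th character.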