
Security Guardian Current - User Guide


Indicators from On Demand Audit

The following table contains an alphabetical list of all indicators that originate from On Demand Audit.

| Indicator | Indicator Type | Severity |
|---|---|---|
| Active Directory Database (NTDS.dit) access attempt detected | Detected TTP | Critical |
| AD Database (NTDS.dit) file modification attempt detected | Detected TTP | Critical |
| AD schema configuration changes | Detected TTP | Critical |
| Administrative privilege elevation detected (adminCount attribute) | Detected TTP | Critical |
| Domain level group policy linked changes detected | Detected TTP | Critical |
| File changes with suspicious file extensions | Detected TTP | Critical |
| Irregular Active Directory replication activity detected (DCSync) | Detected TTP | Critical |
| Irregular domain controller registration detected (DCShadow) | Detected TTP | Critical |
| NTLM version 1 authentications | Detected TTP | Medium |
| Possible Golden Ticket Kerberos exploit | Detected TTP | Critical |
| Potential sIDHistory injection detected | Detected TTP | Critical |
| Security changes to Tier Zero computer objects | Detected TTP | High |
| Security changes to Tier Zero domain objects | Detected TTP | Critical |
| Security changes to Tier Zero group objects | Detected TTP | Critical |
| Security changes to Tier Zero group policy objects | Detected TTP | Critical |
| Security changes to Tier Zero user objects | Detected TTP | Critical |
| Tier Zero computer changes | Detected TTP | High |
| Tier Zero domain and forest configuration changes | Detected TTP | Critical |
| Tier Zero group changes | Detected TTP | Critical |
| Tier Zero group policy object changes | Detected TTP | Critical |
| Tier Zero user changes | Detected TTP | High |
| Tier Zero user logons to computers that are not Tier Zero | Detected TTP | Critical |
| Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Detected TTP | Critical |
| Unusual increase in AD account lockouts | Detected Anomaly | Critical |
| Unusual increase in failed AD changes | Detected Anomaly | Critical |
| Unusual increase in failed AD Federation Services sign-ins | Detected Anomaly | Critical |
| Unusual increase in failed on-premises sign-ins | Detected Anomaly | Critical |
| Unusual increase in file deletes | Detected Anomaly | Critical |
| Unusual increase in file renames | Detected Anomaly | Critical |
| Unusual increase in permission changes to AD objects | Detected Anomaly | Critical |
| Unusual increase in share access permission changes | Detected Anomaly | Critical |
| Unusual increase in successful AD Federation Services sign-in | Detected Anomaly | Critical |
| Unusual increase in successful on-premises sign-ins | Detected Anomaly | Critical |
| User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Detected TTP | Critical |

Indicators from Security Guardian Assessments

The following table contains an alphabetical list of all indicators that originate from Security Guardian Assessments.

| Indicator | Indicator Type | Severity |
|---|---|---|
| Abnormally large number of Tier Zero user accounts in the domain | Hygiene | High |
| Accounts that allow Kerberos protocol transition delegation | Hygiene | High |
| Active Directory Operator groups that are not protected by AdminSDHolder | Hygiene | Critical |
| Anonymous access to Active Directory is enabled | Hygiene | High |
| Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group | Hygiene | Critical |
| Built-in Administrator account that has been used | Hygiene | Critical |
| Built-in Guest account is enabled | Hygiene | Critical |
| Computer accounts with non-default Primary Group IDs | Hygiene | Critical |
| Computer accounts with reversible password | Hygiene | High |
| Computer accounts with unconstrained delegation | Hygiene | High |
| Computer accounts without readable Primary Group ID | Hygiene | Critical |
| Default Active Directory groups which should not be in use contain members | Hygiene | Critical |
| DNS zone configuration allows anonymous record updates | Hygiene | High |
| Domain Admins can log into computers with non-Tier Zero Group Policy | Hygiene | Critical |
| Domain Controller is running SMBv1 protocol | Hygiene | High |
| Domain trust configured insecurely | Hygiene | High |
| Domain with obsolete domain functional level | Hygiene | Medium |
| Enabled Tier Zero user accounts that are inactive | Hygiene | High |
| Foreign Security Principals are members of a Tier Zero group | Hygiene | High |
| Group Policy allows reversible passwords | Hygiene | High |
| Groups with SID from local domain in their SID History | Hygiene | Critical |
| Groups with well-known SIDs in their SID History | Hygiene | Critical |
| Inheritance is enabled on the AdminSDHolder container | Hygiene | Critical |
| Kerberos KRBTGT account password has not changed recently | Hygiene | Medium |
| KRBTGT accounts with Resource-Based Constrained Delegation | Hygiene | Critical |
| Managed and Group Managed Service accounts that have not cycled their password recently | Hygiene | Critical |
| Non-Tier Zero accounts are able to log onto Tier Zero computers | Hygiene | Critical |
| Non-Tier Zero accounts are members of DnsAdmins group | Hygiene | Critical |
| Non-Tier Zero accounts can access the gMSA root key | Hygiene | Critical |
| Non-Tier Zero accounts can link GPOs to the domain | Hygiene | Critical |
| Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site | Hygiene | Critical |
| Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU | Hygiene | Critical |
| Non-Tier Zero accounts can perform a DCSync attack | Hygiene | Critical |
| Non-Tier Zero accounts have access to write properties on certificate templates | Hygiene | Critical |
| Non-Tier Zero accounts that can promote a computer to a domain controller | Hygiene | Critical |
| Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access | Hygiene | High |
| Non-Tier Zero accounts with Migrate SID history permission delegation | Hygiene | Critical |
| Non-Tier Zero accounts with Reanimate tombstones permission delegation | Hygiene | Critical |
| Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High |
| Non-Tier Zero user accounts configured for Password Never Expires | Hygiene | High |
| Non-Tier Zero user accounts with Service Principal Names | Hygiene | Critical |
| Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account | Hygiene | Critical |
| Non-Tier Zero users can create computer accounts | Hygiene | High |
| Non-Tier Zero users with access to gMSA password | Hygiene | Critical |
| Ordinary user accounts with hidden privileges (SDProp) | Hygiene | Critical |
| Printer Spooler service is enabled on a domain controller | Hygiene | Medium |
| Tier Zero account can be delegated | Hygiene | High |
| Tier Zero account token can be stolen from a read-only domain controller | Hygiene | High |
| Tier Zero computer accounts that have not cycled their password recently | Hygiene | High |
| Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High |
| Tier Zero computer is owned by a non-Tier Zero account | Hygiene | Critical |
| Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account | Hygiene | High |
| Tier Zero computers that have not recently authenticated to the domain | Hygiene | High |
| Tier Zero Group Policy allows Recovery Mode to be not password-protected | Hygiene | Critical |
| Tier Zero groups that have computer accounts as members | Hygiene | High |
| Tier Zero groups with SID History populated | Hygiene | Critical |
| Tier Zero user account is disabled | Hygiene | Medium |
| Tier Zero user accounts configured for Password Never Expires | Hygiene | High |
| Tier Zero user accounts whose passwords have not changed recently | Hygiene | High |
| Tier Zero user accounts with Service Principal Names | Hygiene | Critical |
| Tier Zero user accounts with SID History populated | Hygiene | Critical |
| Tier Zero users owned by non-Tier Zero accounts | Hygiene | Critical |
| Protected group credentials exposed on read-only domain controllers | Hygiene | High |
| Protected Users group is not being used | Hygiene | High |
| Schema Admins group contains members | Hygiene | Critical |
| User accounts do not require a password | Hygiene | High |
| User accounts have a reversible password | Hygiene | High |
| User accounts in protected groups that are not protected by AdminSDHolder (SDProp) | Hygiene | Critical |
| User accounts using DES encryption to log in | Hygiene | High |
| User accounts with Kerberos pre-authentication disabled | Hygiene | High |
| User accounts with non-default Primary Group IDs | Hygiene | Critical |
| User accounts with SID from local domain in their SID History | Hygiene | Critical |
| User accounts with unconstrained delegation | Hygiene | High |
| User accounts with well-known SIDs in their SID History | Hygiene | Critical |
| User accounts without readable Primary Group ID | Hygiene | Critical |

Indicators from Security Guardian and Protection for Tier Zero Objects

The following table contains an alphabetical list of all indicators that originate from Security Guardian Tier Zero discovery and from Protection for Tier Zero objects. The Source column shows which of the two raised the indicator.

| Indicator | Indicator Type | Severity | Source |
|---|---|---|---|
| New Tier Zero Domain detected | Tier Zero | High | Security Guardian |
| New Tier Zero GPO detected | Tier Zero | Medium | Security Guardian |
| New Tier Zero Group detected | Tier Zero | Medium | Security Guardian |
| New Tier Zero Computer detected | Tier Zero | Medium | Security Guardian |
| New Tier Zero User detected | Tier Zero | Medium | Security Guardian |
| Unprotected Tier Zero Domain | Tier Zero | Medium | Protection |
| Unprotected Active Directory Database | Tier Zero | Medium | Protection |
| Unprotected Tier Zero Computer | Tier Zero | Medium | Protection |
| Unprotected Tier Zero Group | Tier Zero | Medium | Protection |
| Unprotected Tier Zero Group Policy | Tier Zero | Medium | Protection |
| Unprotected Tier Zero User | Tier Zero | Medium | Protection |