<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><title>Indicators of Exposure<!-- --> | Tenable®</title><meta name="description" content="Tenable Identity Exposure measures the security maturity of your AD infrastructures through Indicators of Exposure (IoEs) and assigns severity levels to the flow of events that it monitors and analyzes. Tenable Identity Exposure triggers alerts when it detects security regressions."/><meta property="og:title" content="Indicators of Exposure"/><meta property="og:description" content="Tenable Identity Exposure measures the security maturity of your AD infrastructures through Indicators of Exposure (IoEs) and assigns severity levels to the flow of events that it monitors and analyzes. Tenable Identity Exposure triggers alerts when it detects security regressions."/><meta name="twitter:title" content="Indicators of Exposure"/><meta name="twitter:description" content="Tenable Identity Exposure measures the security maturity of your AD infrastructures through Indicators of Exposure (IoEs) and assigns severity levels to the flow of events that it monitors and analyzes. 
Tenable Identity Exposure triggers alerts when it detects security regressions."/><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="apple-touch-icon" sizes="180x180" href="https://www.tenable.com/themes/custom/tenable/images-new/favicons/apple-touch-icon-180x180.png"/><link rel="manifest" href="https://www.tenable.com/themes/custom/tenable/images-new/favicons/manifest.json"/><link rel="icon" href="https://www.tenable.com/themes/custom/tenable/images-new/favicons/favicon.ico" sizes="any"/><link rel="icon" href="https://www.tenable.com/themes/custom/tenable/images-new/favicons/tenable-favicon.svg" type="image/svg+xml"/><meta name="msapplication-config" content="https://www.tenable.com/themes/custom/tenable/images-new/favicons/browserconfig.xml"/><meta name="theme-color" content="#ffffff"/><link rel="canonical" href="https://www.tenable.com/indicators/ioe"/><link rel="alternate" hrefLang="x-default" href="https://www.tenable.com/indicators/ioe"/><link rel="alternate" hrefLang="en" href="https://www.tenable.com/indicators/ioe"/><meta name="next-head-count" content="18"/><script type="text/javascript">/* New Relic Browser (RUM) bootstrap. The three statements below populate window.NREUM.info, .init and .loader_config; the minified agent loader that follows in this same script element reads them at start-up and then fetches the full agent (nr-rum-1.282.0.min.js) from js-agent.newrelic.com. NOTE(review): this inline script element carries no nonce attribute, unlike the Next.js link/script tags later in head; under a nonce-based CSP it can only run via a hash source or 'unsafe-inline', so confirm against the served Content-Security-Policy header. */window.NREUM||(NREUM={});/* info: beacon hosts the agent reports to, plus per-page timing values. NOTE(review): licenseKey and applicationID are delivered to every visitor's browser, so treat them as public identifiers rather than secrets, and confirm that nothing server-side accepts them as credentials. */NREUM.info = {"agent":"","beacon":"bam.nr-data.net","errorBeacon":"bam.nr-data.net","licenseKey":"5febff3e0e","applicationID":"96358297","agentToken":null,"applicationTime":77.670625,"transactionName":"MVBabEEHChVXU0IIXggab11RIBYHW1VBDkMNYEpRHCgBHkJaRU52I2EXF1oIAA9VUUIOQxUaUVdW","queueTime":0,"ttGuid":"8b21301ef8d70cf8"}; /* init: agent configuration. ajax.deny_list stops the agent from instrumenting requests to its own beacon host; the loader also appends info.beacon/errorBeacon itself while ajax.block_internal stays at its default of true. */(window.NREUM||(NREUM={})).init={ajax:{deny_list:["bam.nr-data.net"]}};/* loader_config: the same key and application id duplicated for the loader. */(window.NREUM||(NREUM={})).loader_config={licenseKey:"5febff3e0e",applicationID:"96358297"};;/*! 
For license information please see nr-loader-rum-1.282.0.min.js.LICENSE.txt */ (()=>{var e,t,r={8122:(e,t,r)=>{"use strict";r.d(t,{a:()=>i});var n=r(944);function i(e,t){try{if(!e||"object"!=typeof e)return(0,n.R)(3);if(!t||"object"!=typeof t)return(0,n.R)(4);const r=Object.create(Object.getPrototypeOf(t),Object.getOwnPropertyDescriptors(t)),o=0===Object.keys(r).length?e:r;for(let a in o)if(void 0!==e[a])try{if(null===e[a]){r[a]=null;continue}Array.isArray(e[a])&&Array.isArray(t[a])?r[a]=Array.from(new Set([...e[a],...t[a]])):"object"==typeof e[a]&&"object"==typeof t[a]?r[a]=i(e[a],t[a]):r[a]=e[a]}catch(e){(0,n.R)(1,e)}return r}catch(e){(0,n.R)(2,e)}}},2555:(e,t,r)=>{"use strict";r.d(t,{Vp:()=>c,fn:()=>s,x1:()=>u});var n=r(384),i=r(8122);const o={beacon:n.NT.beacon,errorBeacon:n.NT.errorBeacon,licenseKey:void 0,applicationID:void 0,sa:void 0,queueTime:void 0,applicationTime:void 0,ttGuid:void 0,user:void 0,account:void 0,product:void 0,extra:void 0,jsAttributes:{},userAttributes:void 0,atts:void 0,transactionName:void 0,tNamePlain:void 0},a={};function s(e){try{const t=c(e);return!!t.licenseKey&&!!t.errorBeacon&&!!t.applicationID}catch(e){return!1}}function c(e){if(!e)throw new Error("All info objects require an agent identifier!");if(!a[e])throw new Error("Info for ".concat(e," was never set"));return a[e]}function u(e,t){if(!e)throw new Error("All info objects require an agent identifier!");a[e]=(0,i.a)(t,o);const r=(0,n.nY)(e);r&&(r.info=a[e])}},5217:(e,t,r)=>{"use strict";r.d(t,{D0:()=>m,gD:()=>b,xN:()=>v});r(860).K7.genericEvents;const n="experimental.marks",i="experimental.measures",o="experimental.resources";var a=r(993);const s=e=>{if(!e||"string"!=typeof e)return!1;try{document.createDocumentFragment().querySelector(e)}catch{return!1}return!0};var c=r(2614),u=r(944),l=r(384),d=r(8122);const f="[data-nr-mask]",g=()=>{const 
e={feature_flags:[],experimental:{marks:!1,measures:!1,resources:!1},mask_selector:"*",block_selector:"[data-nr-block]",mask_input_options:{color:!1,date:!1,"datetime-local":!1,email:!1,month:!1,number:!1,range:!1,search:!1,tel:!1,text:!1,time:!1,url:!1,week:!1,textarea:!1,select:!1,password:!0}};return{ajax:{deny_list:void 0,block_internal:!0,enabled:!0,autoStart:!0},distributed_tracing:{enabled:void 0,exclude_newrelic_header:void 0,cors_use_newrelic_header:void 0,cors_use_tracecontext_headers:void 0,allowed_origins:void 0},get feature_flags(){return e.feature_flags},set feature_flags(t){e.feature_flags=t},generic_events:{enabled:!0,autoStart:!0},harvest:{interval:30},jserrors:{enabled:!0,autoStart:!0},logging:{enabled:!0,autoStart:!0,level:a.p_.INFO},metrics:{enabled:!0,autoStart:!0},obfuscate:void 0,page_action:{enabled:!0},page_view_event:{enabled:!0,autoStart:!0},page_view_timing:{enabled:!0,autoStart:!0},performance:{get capture_marks(){return e.feature_flags.includes(n)||e.experimental.marks},set capture_marks(t){e.experimental.marks=t},get capture_measures(){return e.feature_flags.includes(i)||e.experimental.measures},set capture_measures(t){e.experimental.measures=t},capture_detail:!0,resources:{get enabled(){return e.feature_flags.includes(o)||e.experimental.resources},set enabled(t){e.experimental.resources=t},asset_types:[],first_party_domains:[],ignore_newrelic:!0}},privacy:{cookies_enabled:!0},proxy:{assets:void 0,beacon:void 0},session:{expiresMs:c.wk,inactiveMs:c.BB},session_replay:{autoStart:!0,enabled:!1,preload:!1,sampling_rate:10,error_sampling_rate:100,collect_fonts:!1,inline_images:!1,fix_stylesheets:!0,mask_all_inputs:!0,get mask_text_selector(){return e.mask_selector},set mask_text_selector(t){s(t)?e.mask_selector="".concat(t,",").concat(f):""===t||null===t?e.mask_selector=f:(0,u.R)(5,t)},get block_class(){return"nr-block"},get ignore_class(){return"nr-ignore"},get mask_text_class(){return"nr-mask"},get block_selector(){return 
e.block_selector},set block_selector(t){s(t)?e.block_selector+=",".concat(t):""!==t&&(0,u.R)(6,t)},get mask_input_options(){return e.mask_input_options},set mask_input_options(t){t&&"object"==typeof t?e.mask_input_options={...t,password:!0}:(0,u.R)(7,t)}},session_trace:{enabled:!0,autoStart:!0},soft_navigations:{enabled:!0,autoStart:!0},spa:{enabled:!0,autoStart:!0},ssl:void 0,user_actions:{enabled:!0,elementAttributes:["id","className","tagName","type"]}}},p={},h="All configuration objects require an agent identifier!";function m(e){if(!e)throw new Error(h);if(!p[e])throw new Error("Configuration for ".concat(e," was never set"));return p[e]}function v(e,t){if(!e)throw new Error(h);p[e]=(0,d.a)(t,g());const r=(0,l.nY)(e);r&&(r.init=p[e])}function b(e,t){if(!e)throw new Error(h);var r=m(e);if(r){for(var n=t.split("."),i=0;i<n.length-1;i++)if("object"!=typeof(r=r[n[i]]))return;r=r[n[n.length-1]]}return r}},3371:(e,t,r)=>{"use strict";r.d(t,{V:()=>f,f:()=>d});var n=r(8122),i=r(384),o=r(6154),a=r(9324);let s=0;const c={buildEnv:a.F3,distMethod:a.Xs,version:a.xv,originTime:o.WN},u={customTransaction:void 0,disabled:!1,isolatedBacklog:!1,loaderType:void 0,maxBytes:3e4,onerror:void 0,ptid:void 0,releaseIds:{},appMetadata:{},session:void 0,denyList:void 0,timeKeeper:void 0,obfuscator:void 0,harvester:void 0},l={};function d(e){if(!e)throw new Error("All runtime objects require an agent identifier!");if(!l[e])throw new Error("Runtime for ".concat(e," was never set"));return l[e]}function f(e,t){if(!e)throw new Error("All runtime objects require an agent identifier!");l[e]={...(0,n.a)(t,u),...c},Object.hasOwnProperty.call(l[e],"harvestCount")||Object.defineProperty(l[e],"harvestCount",{get:()=>++s});const r=(0,i.nY)(e);r&&(r.runtime=l[e])}},9324:(e,t,r)=>{"use strict";r.d(t,{F3:()=>i,Xs:()=>o,xv:()=>n});const n="1.282.0",i="PROD",o="CDN"},6154:(e,t,r)=>{"use strict";r.d(t,{OF:()=>c,RI:()=>i,WN:()=>l,bv:()=>o,gm:()=>a,mw:()=>s,sb:()=>u});var n=r(1863);const 
i="undefined"!=typeof window&&!!window.document,o="undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self.navigator instanceof WorkerNavigator||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis.navigator instanceof WorkerNavigator),a=i?window:"undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis),s=Boolean("hidden"===a?.document?.visibilityState),c=/iPad|iPhone|iPod/.test(a.navigator?.userAgent),u=c&&"undefined"==typeof SharedWorker,l=((()=>{const e=a.navigator?.userAgent?.match(/Firefox[/\s](\d+\.\d+)/);Array.isArray(e)&&e.length>=2&&e[1]})(),Date.now()-(0,n.t)())},1687:(e,t,r)=>{"use strict";r.d(t,{Ak:()=>c,Ze:()=>d,x3:()=>u});var n=r(7836),i=r(3606),o=r(860),a=r(2646);const s={};function c(e,t){const r={staged:!1,priority:o.P3[t]||0};l(e),s[e].get(t)||s[e].set(t,r)}function u(e,t){e&&s[e]&&(s[e].get(t)&&s[e].delete(t),g(e,t,!1),s[e].size&&f(e))}function l(e){if(!e)throw new Error("agentIdentifier required");s[e]||(s[e]=new Map)}function d(e="",t="feature",r=!1){if(l(e),!e||!s[e].get(t)||r)return g(e,t);s[e].get(t).staged=!0,f(e)}function f(e){const t=Array.from(s[e]);t.every((([e,t])=>t.staged))&&(t.sort(((e,t)=>e[1].priority-t[1].priority)),t.forEach((([t])=>{s[e].delete(t),g(e,t)})))}function g(e,t,r=!0){const o=e?n.ee.get(e):n.ee,s=i.i.handlers;if(!o.aborted&&o.backlog&&s){if(r){const e=o.backlog[t],r=s[t];if(r){for(let t=0;e&&t<e.length;++t)p(e[t],r);Object.entries(r).forEach((([e,t])=>{Object.values(t||{}).forEach((t=>{t[0]?.on&&t[0]?.context()instanceof a.y&&t[0].on(e,t[1])}))}))}}o.isolatedBacklog||delete s[t],o.backlog[t]=null,o.emit("drain-"+t,[])}}function p(e,t){var r=e[1];Object.values(t[r]||{}).forEach((t=>{var r=e[0];if(t[0]===r){var n=t[1],i=e[3],o=e[2];n.apply(i,o)}}))}},7836:(e,t,r)=>{"use strict";r.d(t,{P:()=>c,ee:()=>u});var 
n=r(384),i=r(8990),o=r(3371),a=r(2646),s=r(5607);const c="nr@context:".concat(s.W),u=function e(t,r){var n={},s={},l={},d=!1;try{d=16===r.length&&(0,o.f)(r).isolatedBacklog}catch(e){}var f={on:p,addEventListener:p,removeEventListener:function(e,t){var r=n[e];if(!r)return;for(var i=0;i<r.length;i++)r[i]===t&&r.splice(i,1)},emit:function(e,r,n,i,o){!1!==o&&(o=!0);if(u.aborted&&!i)return;t&&o&&t.emit(e,r,n);for(var a=g(n),c=h(e),l=c.length,d=0;d<l;d++)c[d].apply(a,r);var p=v()[s[e]];p&&p.push([f,e,r,a]);return a},get:m,listeners:h,context:g,buffer:function(e,t){const r=v();if(t=t||"feature",f.aborted)return;Object.entries(e||{}).forEach((([e,n])=>{s[n]=t,t in r||(r[t]=[])}))},abort:function(){f._aborted=!0,Object.keys(f.backlog).forEach((e=>{delete f.backlog[e]}))},isBuffering:function(e){return!!v()[s[e]]},debugId:r,backlog:d?{}:t&&"object"==typeof t.backlog?t.backlog:{},isolatedBacklog:d};return Object.defineProperty(f,"aborted",{get:()=>{let e=f._aborted||!1;return e||(t&&(e=t.aborted),e)}}),f;function g(e){return e&&e instanceof a.y?e:e?(0,i.I)(e,c,(()=>new a.y(c))):new a.y(c)}function p(e,t){n[e]=h(e).concat(t)}function h(e){return n[e]||[]}function m(t){return l[t]=l[t]||e(f,t)}function v(){return f.backlog}}(void 0,"globalEE"),l=(0,n.Zm)();l.ee||(l.ee=u)},2646:(e,t,r)=>{"use strict";r.d(t,{y:()=>n});class n{constructor(e){this.contextId=e}}},9908:(e,t,r)=>{"use strict";r.d(t,{d:()=>n,p:()=>i});var n=r(7836).ee.get("handle");function i(e,t,r,i,o){o?(o.buffer([e],i),o.emit(e,t,r)):(n.buffer([e],i),n.emit(e,t,r))}},3606:(e,t,r)=>{"use strict";r.d(t,{i:()=>o});var n=r(9908);o.on=a;var i=o.handlers={};function o(e,t,r,o){a(o||n.d,i,e,t,r)}function a(e,t,r,i,o){o||(o="feature"),e||(e=n.d);var a=t[o]=t[o]||{};(a[r]=a[r]||[]).push([e,i])}},3878:(e,t,r)=>{"use strict";function n(e,t){return{capture:e,passive:!1,signal:t}}function i(e,t,r=!1,i){window.addEventListener(e,t,n(r,i))}function 
o(e,t,r=!1,i){document.addEventListener(e,t,n(r,i))}r.d(t,{DD:()=>o,jT:()=>n,sp:()=>i})},5607:(e,t,r)=>{"use strict";r.d(t,{W:()=>n});const n=(0,r(9566).bz)()},/* 9566: id generators. bz() builds a v4-style UUID string and LA(n) an n-hex-character id; both draw nibbles from crypto.getRandomValues when it exists and otherwise from Math.random(). NOTE(review): in this bundle they feed agent and context identifiers used for telemetry correlation; because of the Math.random() fallback they must not be relied on as security tokens. */9566:(e,t,r)=>{"use strict";r.d(t,{LA:()=>s,bz:()=>a});var n=r(6154);const i="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx";/* one hex nibble: low 4 bits of random byte t when a buffer was supplied, else Math.random() */function o(e,t){return e?15&e[t]:16*Math.random()|0}/* bz: 30 random bytes for the 30 'x' positions; the variant nibble ('y') calls o() without the buffer, so it always comes from Math.random() even when crypto is available. */function a(){const e=n.gm?.crypto||n.gm?.msCrypto;let t,r=0;return e&&e.getRandomValues&&(t=e.getRandomValues(new Uint8Array(30))),i.split("").map((e=>"x"===e?o(t,r++).toString(16):"y"===e?(3&o()|8).toString(16):e)).join("")}/* LA: e random bytes, one hex character (4 bits) taken from each */function s(e){const t=n.gm?.crypto||n.gm?.msCrypto;let r,i=0;t&&t.getRandomValues&&(r=t.getRandomValues(new Uint8Array(e)));const a=[];for(var s=0;s<e;s++)a.push(o(r,i++).toString(16));return a.join("")}},2614:(e,t,r)=>{"use strict";r.d(t,{BB:()=>a,H3:()=>n,g:()=>u,iL:()=>c,tS:()=>s,uh:()=>i,wk:()=>o});const n="NRBA",i="SESSION",o=144e5,a=18e5,s={STARTED:"session-started",PAUSE:"session-pause",RESET:"session-reset",RESUME:"session-resume",UPDATE:"session-update"},c={SAME_TAB:"same-tab",CROSS_TAB:"cross-tab"},u={OFF:0,FULL:1,ERROR:2}},1863:(e,t,r)=>{"use strict";function n(){return Math.floor(performance.now())}r.d(t,{t:()=>n})},944:(e,t,r)=>{"use strict";function n(e,t){"function"==typeof console.debug&&console.debug("New Relic Warning: https://github.com/newrelic/newrelic-browser-agent/blob/main/docs/warning-codes.md#".concat(e),t)}r.d(t,{R:()=>n})},5284:(e,t,r)=>{"use strict";r.d(t,{t:()=>c,B:()=>s});var n=r(7836),i=r(6154);const o="newrelic";const a=new Set,s={};function c(e,t){const r=n.ee.get(t);s[t]??={},e&&"object"==typeof e&&(a.has(t)||(r.emit("rumresp",[e]),s[t]=e,a.add(t),function(e={}){try{i.gm.dispatchEvent(new CustomEvent(o,{detail:e}))}catch(e){}}({loaded:!0})))}},8990:(e,t,r)=>{"use strict";r.d(t,{I:()=>i});var n=Object.prototype.hasOwnProperty;function i(e,t,r){if(n.call(e,t))return e[t];var i=r();if(Object.defineProperty&&Object.keys)try{return 
Object.defineProperty(e,t,{value:i,writable:!0,enumerable:!1}),i}catch(e){}return e[t]=i,i}},6389:(e,t,r)=>{"use strict";function n(e,t=500,r={}){const n=r?.leading||!1;let i;return(...r)=>{n&&void 0===i&&(e.apply(this,r),i=setTimeout((()=>{i=clearTimeout(i)}),t)),n||(clearTimeout(i),i=setTimeout((()=>{e.apply(this,r)}),t))}}function i(e){let t=!1;return(...r)=>{t||(t=!0,e.apply(this,r))}}r.d(t,{J:()=>i,s:()=>n})},5289:(e,t,r)=>{"use strict";r.d(t,{GG:()=>o,We:()=>i,sB:()=>a});var n=r(3878);function i(){return"undefined"==typeof document||"complete"===document.readyState}function o(e,t){if(i())return e();(0,n.sp)("load",e,t)}function a(e){if(i())return e();(0,n.DD)("DOMContentLoaded",e)}},384:(e,t,r)=>{"use strict";r.d(t,{NT:()=>o,US:()=>l,Zm:()=>a,bQ:()=>c,dV:()=>s,nY:()=>u,pV:()=>d});var n=r(6154),i=r(1863);const o={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net"};function a(){return n.gm.NREUM||(n.gm.NREUM={}),void 0===n.gm.newrelic&&(n.gm.newrelic=n.gm.NREUM),n.gm.NREUM}function s(){let e=a();return e.o||(e.o={ST:n.gm.setTimeout,SI:n.gm.setImmediate,CT:n.gm.clearTimeout,XHR:n.gm.XMLHttpRequest,REQ:n.gm.Request,EV:n.gm.Event,PR:n.gm.Promise,MO:n.gm.MutationObserver,FETCH:n.gm.fetch,WS:n.gm.WebSocket}),e}function c(e,t){let r=a();r.initializedAgents??={},t.initializedAt={ms:(0,i.t)(),date:new Date},r.initializedAgents[e]=t}function u(e){let t=a();return t.initializedAgents?.[e]}function l(e,t){a()[e]=t}function d(){return function(){let e=a();const t=e.info||{};e.info={beacon:o.beacon,errorBeacon:o.errorBeacon,...t}}(),function(){let e=a();const t=e.init||{};e.init={...t}}(),s(),function(){let e=a();const t=e.loader_config||{};e.loader_config={...t}}(),a()}},2843:(e,t,r)=>{"use strict";r.d(t,{u:()=>i});var n=r(3878);function i(e,t=!1,r,i){(0,n.DD)("visibilitychange",(function(){if(t)return void("hidden"===document.visibilityState&&e());e(document.visibilityState)}),r,i)}},3434:(e,t,r)=>{"use strict";r.d(t,{Jt:()=>o,YM:()=>c});var n=r(7836),i=r(5607);const 
o="nr@original:".concat(i.W);var a=Object.prototype.hasOwnProperty,s=!1;function c(e,t){return e||(e=n.ee),r.inPlace=function(e,t,n,i,o){n||(n="");const a="-"===n.charAt(0);for(let s=0;s<t.length;s++){const c=t[s],u=e[c];l(u)||(e[c]=r(u,a?c+n:n,i,c,o))}},r.flag=o,r;function r(t,r,n,s,c){return l(t)?t:(r||(r=""),nrWrapper[o]=t,function(e,t,r){if(Object.defineProperty&&Object.keys)try{return Object.keys(e).forEach((function(r){Object.defineProperty(t,r,{get:function(){return e[r]},set:function(t){return e[r]=t,t}})})),t}catch(e){u([e],r)}for(var n in e)a.call(e,n)&&(t[n]=e[n])}(t,nrWrapper,e),nrWrapper);function nrWrapper(){var o,a,l,d;try{a=this,o=[...arguments],l="function"==typeof n?n(o,a):n||{}}catch(t){u([t,"",[o,a,s],l],e)}i(r+"start",[o,a,s],l,c);try{return d=t.apply(a,o)}catch(e){throw i(r+"err",[o,a,e],l,c),e}finally{i(r+"end",[o,a,d],l,c)}}}function i(r,n,i,o){if(!s||t){var a=s;s=!0;try{e.emit(r,n,i,t,o)}catch(t){u([t,r,n,i],e)}s=a}}}function u(e,t){t||(t=n.ee);try{t.emit("internal-error",e)}catch(e){}}function l(e){return!(e&&"function"==typeof e&&e.apply&&!e[o])}},9559:(e,t,r)=>{"use strict";r.d(t,{A5:()=>d,NF:()=>c,tV:()=>u});var n=r(6154),i=r(1863),o=r(5289),a=r(9566),s=r(384);const c="websocket-",u="addEventListener",l={};function d(e){if(l[e.debugId]++)return e;if(!(0,s.dV)().o.WS)return e;class t extends WebSocket{static name="WebSocket";constructor(...t){super(...t);const r=(0,a.LA)(6);this.report=function(t){const r=(0,i.t)();return function(n,...a){const s=a[0]?.timeStamp||(0,i.t)(),u=(0,o.We)();e.emit(c+n,[s,s-r,u,t,...a])}}(r),this.report("new");["message","error","open","close"].forEach((e=>{this.addEventListener(e,(function(t){this.report(u,{eventType:e,event:t})}))}))}send(...e){this.report("send",...e);try{return super.send(...e)}catch(t){throw this.report("send-err",...e),t}}}return n.gm.WebSocket=t,e}},993:(e,t,r)=>{"use strict";r.d(t,{ET:()=>o,p_:()=>i});var n=r(860);const 
i={ERROR:"ERROR",WARN:"WARN",INFO:"INFO",DEBUG:"DEBUG",TRACE:"TRACE"},o="log";n.K7.logging},3969:(e,t,r)=>{"use strict";r.d(t,{Pj:()=>u,TZ:()=>i,XG:()=>c,rs:()=>o,xV:()=>s,z_:()=>a});var n=r(9559);const i=r(860).K7.metrics,o="sm",a="cm",s="storeSupportabilityMetrics",c="storeEventMetrics",u=["new","send","close",n.tV]},6630:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewEvent},782:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewTiming},6344:(e,t,r)=>{"use strict";r.d(t,{G4:()=>i});var n=r(2614);r(860).K7.sessionReplay;const i={RECORD:"recordReplay",PAUSE:"pauseReplay",REPLAY_RUNNING:"replayRunning",ERROR_DURING_REPLAY:"errorDuringReplay"};n.g.ERROR,n.g.FULL,n.g.OFF},4234:(e,t,r)=>{"use strict";r.d(t,{W:()=>o});var n=r(7836),i=r(1687);class o{constructor(e,t){this.agentIdentifier=e,this.ee=n.ee.get(e),this.featureName=t,this.blocked=!1}deregisterDrain(){(0,i.x3)(this.agentIdentifier,this.featureName)}}},7603:(e,t,r)=>{"use strict";r.d(t,{j:()=>K});var n=r(860),i=r(2555),o=r(3371),a=r(9908),s=r(7836),c=r(1687),u=r(5289),l=r(6154),d=r(944),f=r(3969),g=r(384),p=r(6344);const h=["setErrorHandler","finished","addToTrace","addRelease","recordCustomEvent","addPageAction","setCurrentRouteName","setPageViewName","setCustomAttribute","interaction","noticeError","setUserId","setApplicationVersion","start",p.G4.RECORD,p.G4.PAUSE,"log","wrapLogger"],m=["setErrorHandler","finished","addToTrace","addRelease"];var v=r(1863),b=r(2614),y=r(993);var w=r(2646),A=r(3434);const E=new Map;function R(e,t,r,n){if("object"!=typeof t||!t||"string"!=typeof r||!r||"function"!=typeof t[r])return(0,d.R)(29);const i=function(e){return(e||s.ee).get("logger")}(e),o=(0,A.YM)(i),a=new w.y(s.P);a.level=n.level,a.customAttributes=n.customAttributes;const c=t[r]?.[A.Jt]||t[r];return E.set(c,a),o.inPlace(t,[r],"wrap-logger-",(()=>E.get(c))),i}function _(){const e=(0,g.pV)();h.forEach((t=>{e[t]=(...r)=>function(t,...r){let n=[];return 
Object.values(e.initializedAgents).forEach((e=>{e&&e.api?e.exposed&&e.api[t]&&n.push(e.api[t](...r)):(0,d.R)(38,t)})),n.length>1?n:n[0]}(t,...r)}))}const x={};function N(e,t,g=!1){t||(0,c.Ak)(e,"api");const h={};var w=s.ee.get(e),A=w.get("tracer");x[e]=b.g.OFF,w.on(p.G4.REPLAY_RUNNING,(t=>{x[e]=t}));var E="api-",_=E+"ixn-";function N(t,r,n,o){const a=(0,i.Vp)(e);return null===r?delete a.jsAttributes[t]:(0,i.x1)(e,{...a,jsAttributes:{...a.jsAttributes,[t]:r}}),T(E,n,!0,o||null===r?"session":void 0)(t,r)}function k(){}h.log=function(e,{customAttributes:t={},level:r=y.p_.INFO}={}){(0,a.p)(f.xV,["API/log/called"],void 0,n.K7.metrics,w),function(e,t,r={},i=y.p_.INFO){(0,a.p)(f.xV,["API/logging/".concat(i.toLowerCase(),"/called")],void 0,n.K7.metrics,e),(0,a.p)(y.ET,[(0,v.t)(),t,r,i],void 0,n.K7.logging,e)}(w,e,t,r)},h.wrapLogger=(e,t,{customAttributes:r={},level:i=y.p_.INFO}={})=>{(0,a.p)(f.xV,["API/wrapLogger/called"],void 0,n.K7.metrics,w),R(w,e,t,{customAttributes:r,level:i})},m.forEach((e=>{h[e]=T(E,e,!0,"api")})),h.addPageAction=T(E,"addPageAction",!0,n.K7.genericEvents),h.recordCustomEvent=T(E,"recordCustomEvent",!0,n.K7.genericEvents),h.setPageViewName=function(t,r){if("string"==typeof t)return"/"!==t.charAt(0)&&(t="/"+t),(0,o.f)(e).customTransaction=(r||"http://custom.transaction")+t,T(E,"setPageViewName",!0)()},h.setCustomAttribute=function(e,t,r=!1){if("string"==typeof e){if(["string","number","boolean"].includes(typeof t)||null===t)return N(e,t,"setCustomAttribute",r);(0,d.R)(40,typeof t)}else(0,d.R)(39,typeof e)},h.setUserId=function(e){if("string"==typeof e||null===e)return N("enduser.id",e,"setUserId",!0);(0,d.R)(41,typeof e)},h.setApplicationVersion=function(e){if("string"==typeof e||null===e)return N("application.version",e,"setApplicationVersion",!1);(0,d.R)(42,typeof e)},h.start=()=>{try{(0,a.p)(f.xV,["API/start/called"],void 
0,n.K7.metrics,w),w.emit("manual-start-all")}catch(e){(0,d.R)(23,e)}},h[p.G4.RECORD]=function(){(0,a.p)(f.xV,["API/recordReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.RECORD,[],void 0,n.K7.sessionReplay,w)},h[p.G4.PAUSE]=function(){(0,a.p)(f.xV,["API/pauseReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.PAUSE,[],void 0,n.K7.sessionReplay,w)},h.interaction=function(e){return(new k).get("object"==typeof e?e:{})};const S=k.prototype={createTracer:function(e,t){var r={},i=this,o="function"==typeof t;return(0,a.p)(f.xV,["API/createTracer/called"],void 0,n.K7.metrics,w),g||(0,a.p)(_+"tracer",[(0,v.t)(),e,r],i,n.K7.spa,w),function(){if(A.emit((o?"":"no-")+"fn-start",[(0,v.t)(),i,o],r),o)try{return t.apply(this,arguments)}catch(e){const t="string"==typeof e?new Error(e):e;throw A.emit("fn-err",[arguments,this,t],r),t}finally{A.emit("fn-end",[(0,v.t)()],r)}}}};function T(e,t,r,i){return function(){return(0,a.p)(f.xV,["API/"+t+"/called"],void 0,n.K7.metrics,w),i&&(0,a.p)(e+t,[r?(0,v.t)():performance.now(),...arguments],r?null:this,i,w),r?void 0:this}}function j(){r.e(296).then(r.bind(r,8778)).then((({setAPI:t})=>{t(e),(0,c.Ze)(e,"api")})).catch((e=>{(0,d.R)(27,e),w.abort()}))}return["actionText","setName","setAttribute","save","ignore","onEnd","getContext","end","get"].forEach((e=>{S[e]=T(_,e,void 0,g?n.K7.softNav:n.K7.spa)})),h.setCurrentRouteName=g?T(_,"routeName",void 0,n.K7.softNav):T(E,"routeName",!0,n.K7.spa),h.noticeError=function(t,r){"string"==typeof t&&(t=new Error(t)),(0,a.p)(f.xV,["API/noticeError/called"],void 0,n.K7.metrics,w),(0,a.p)("err",[t,(0,v.t)(),!1,r,!!x[e]],void 0,n.K7.jserrors,w)},l.RI?(0,u.GG)((()=>j()),!0):j(),h}var k=r(5217),S=r(8122);const T={accountID:void 0,trustKey:void 0,agentID:void 0,licenseKey:void 0,applicationID:void 0,xpid:void 0},j={};var I=r(5284);const O=e=>{const t=e.startsWith("http");e+="/",r.p=t?e:"https://"+e};let P=!1;function 
K(e,t={},r,n){let{init:a,info:c,loader_config:u,runtime:d={},exposed:f=!0}=t;d.loaderType=r;const p=(0,g.pV)();c||(a=p.init,c=p.info,u=p.loader_config),(0,k.xN)(e.agentIdentifier,a||{}),function(e,t){if(!e)throw new Error("All loader-config objects require an agent identifier!");j[e]=(0,S.a)(t,T);const r=(0,g.nY)(e);r&&(r.loader_config=j[e])}(e.agentIdentifier,u||{}),c.jsAttributes??={},l.bv&&(c.jsAttributes.isWorker=!0),(0,i.x1)(e.agentIdentifier,c);const h=(0,k.D0)(e.agentIdentifier),m=[c.beacon,c.errorBeacon];P||(h.proxy.assets&&(O(h.proxy.assets),m.push(h.proxy.assets)),h.proxy.beacon&&m.push(h.proxy.beacon),_(),(0,g.US)("activatedFeatures",I.B),e.runSoftNavOverSpa&&=!0===h.soft_navigations.enabled&&h.feature_flags.includes("soft_nav")),d.denyList=[...h.ajax.deny_list||[],...h.ajax.block_internal?m:[]],d.ptid=e.agentIdentifier,(0,o.V)(e.agentIdentifier,d),e.ee=s.ee.get(e.agentIdentifier),void 0===e.api&&(e.api=N(e.agentIdentifier,n,e.runSoftNavOverSpa)),void 0===e.exposed&&(e.exposed=f),P=!0}},8374:(e,t,r)=>{r.nc=(()=>{try{return document?.currentScript?.nonce}catch(e){}return""})()},860:(e,t,r)=>{"use strict";r.d(t,{$J:()=>u,K7:()=>s,P3:()=>c,XX:()=>i,qY:()=>n,v4:()=>a});const n="events",i="jserrors",o="browser/blobs",a="rum",s={ajax:"ajax",genericEvents:"generic_events",jserrors:i,logging:"logging",metrics:"metrics",pageAction:"page_action",pageViewEvent:"page_view_event",pageViewTiming:"page_view_timing",sessionReplay:"session_replay",sessionTrace:"session_trace",softNav:"soft_navigations",spa:"spa"},c={[s.pageViewEvent]:1,[s.pageViewTiming]:2,[s.metrics]:3,[s.jserrors]:4,[s.spa]:5,[s.ajax]:6,[s.sessionTrace]:7,[s.softNav]:8,[s.sessionReplay]:9,[s.logging]:10,[s.genericEvents]:11},u={[s.pageViewEvent]:a,[s.pageViewTiming]:n,[s.ajax]:n,[s.spa]:n,[s.softNav]:n,[s.metrics]:i,[s.jserrors]:i,[s.sessionTrace]:o,[s.sessionReplay]:o,[s.logging]:"browser/logs",[s.genericEvents]:"ins"}}},n={};function i(e){var t=n[e];if(void 0!==t)return t.exports;var 
o=n[e]={exports:{}};return r[e](o,o.exports,i),o.exports}i.m=r,i.d=(e,t)=>{for(var r in t)i.o(t,r)&&!i.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},i.f={},i.e=e=>Promise.all(Object.keys(i.f).reduce(((t,r)=>(i.f[r](e,t),t)),[])),i.u=e=>"nr-rum-1.282.0.min.js",i.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),e={},t="NRBA-1.282.0.PROD:",/* i.l: injects a script tag for a lazily loaded chunk, reusing an existing tag with the same src or data-webpack marker. The nonce is copied from i.nc, which module 8374 earlier in this bundle reads from document.currentScript.nonce. NOTE(review): the enclosing inline script element has no nonce attribute, so i.nc is expected to be empty on this page and the injected tag relies on whatever the CSP allows for js-agent.newrelic.com; confirm. crossOrigin="anonymous" is set only for an off-origin src, and chunk 296 is pinned by the sha512 SRI digest in f, so a modified agent file is rejected by the browser instead of executed. */i.l=(r,n,o,a)=>{if(e[r])e[r].push(n);else{var s,c;if(void 0!==o)for(var u=document.getElementsByTagName("script"),l=0;l<u.length;l++){var d=u[l];if(d.getAttribute("src")==r||d.getAttribute("data-webpack")==t+o){s=d;break}}if(!s){c=!0;/* SRI digests keyed by chunk id; applied below via s.integrity */var f={296:"sha512-l47U0Uoe1hZBr59ploFpMvlKF+8qyXRcrIz3FyX0RjKPtbVX/XVLlM33rGSBPUp0xtj5pGZfY8WGANUrr9Zq4A=="};(s=document.createElement("script")).charset="utf-8",s.timeout=120,i.nc&&s.setAttribute("nonce",i.nc),s.setAttribute("data-webpack",t+o),s.src=r,0!==s.src.indexOf(window.location.origin+"/")&&(s.crossOrigin="anonymous"),f[a]&&(s.integrity=f[a])}e[r]=[n];var g=(t,n)=>{s.onerror=s.onload=null,clearTimeout(p);var i=e[r];if(delete e[r],s.parentNode&&s.parentNode.removeChild(s),i&&i.forEach((e=>e(n))),t)return t(n)},p=setTimeout(g.bind(null,void 0,{type:"timeout",target:s}),12e4);s.onerror=g.bind(null,s.onerror),s.onload=g.bind(null,s.onload),c&&document.head.appendChild(s)}},i.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},/* i.p: public path; chunk URLs are i.p + i.u(id), i.e. the agent is fetched from New Relic's CDN and is a third-party script dependency of this page. */i.p="https://js-agent.newrelic.com/",(()=>{var e={374:0,840:0};i.f.j=(t,r)=>{var n=i.o(e,t)?e[t]:void 0;if(0!==n)if(n)r.push(n[2]);else{var o=new Promise(((r,i)=>n=e[t]=[r,i]));r.push(n[2]=o);var a=i.p+i.u(t),s=new Error;i.l(a,(r=>{if(i.o(e,t)&&(0!==(n=e[t])&&(e[t]=void 0),n)){var o=r&&("load"===r.type?"missing":r.type),a=r&&r.target&&r.target.src;s.message="Loading chunk "+t+" failed.\n("+o+": "+a+")",s.name="ChunkLoadError",s.type=o,s.request=a,n[1](s)}}),"chunk-"+t,t)}};var t=(t,r)=>{var n,o,[a,s,c]=r,u=0;if(a.some((t=>0!==e[t]))){for(n in 
s)i.o(s,n)&&(i.m[n]=s[n]);if(c)c(i)}for(t&&t(r);u<a.length;u++)o=a[u],i.o(e,o)&&e[o]&&e[o][0](),e[o]=0},r=self["webpackChunk:NRBA-1.282.0.PROD"]=self["webpackChunk:NRBA-1.282.0.PROD"]||[];r.forEach(t.bind(null,0)),r.push=t.bind(null,r.push.bind(r))})(),(()=>{"use strict";i(8374);var e=i(944),t=i(6344),r=i(9566);class n{agentIdentifier;constructor(){this.agentIdentifier=(0,r.LA)(16)}#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}addPageAction(e,t){return this.#e("addPageAction",e,t)}recordCustomEvent(e,t){return this.#e("recordCustomEvent",e,t)}setPageViewName(e,t){return this.#e("setPageViewName",e,t)}setCustomAttribute(e,t,r){return this.#e("setCustomAttribute",e,t,r)}noticeError(e,t){return this.#e("noticeError",e,t)}setUserId(e){return this.#e("setUserId",e)}setApplicationVersion(e){return this.#e("setApplicationVersion",e)}setErrorHandler(e){return this.#e("setErrorHandler",e)}addRelease(e,t){return this.#e("addRelease",e,t)}log(e,t){return this.#e("log",e,t)}}class o extends n{#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}start(){return this.#e("start")}finished(e){return this.#e("finished",e)}recordReplay(){return this.#e(t.G4.RECORD)}pauseReplay(){return this.#e(t.G4.PAUSE)}addToTrace(e){return this.#e("addToTrace",e)}setCurrentRouteName(e){return this.#e("setCurrentRouteName",e)}interaction(){return this.#e("interaction")}wrapLogger(e,t,r){return this.#e("wrapLogger",e,t,r)}}var a=i(860),s=i(5217);const c=Object.values(a.K7);function u(e){const t={};return c.forEach((r=>{t[r]=function(e,t){return!0===(0,s.gD)(t,"".concat(e,".enabled"))}(r,e)})),t}var l=i(7603);var d=i(1687),f=i(4234),g=i(5289),p=i(6154),h=i(384);const m=e=>p.RI&&!0===(0,s.gD)(e,"privacy.cookies_enabled");function v(e){return!!(0,h.dV)().o.MO&&m(e)&&!0===(0,s.gD)(e,"session_trace.enabled")}var b=i(6389);class y extends f.W{constructor(e,t,r=!0){super(e.agentIdentifier,t),this.auto=r,this.abortHandler=void 
0,this.featAggregate=void 0,this.onAggregateImported=void 0,!1===e.init[this.featureName].autoStart&&(this.auto=!1),this.auto?(0,d.Ak)(e.agentIdentifier,t):this.ee.on("manual-start-all",(0,b.J)((()=>{(0,d.Ak)(e.agentIdentifier,this.featureName),this.auto=!0,this.importAggregator(e)})))}importAggregator(t,r={}){if(this.featAggregate||!this.auto)return;let n;this.onAggregateImported=new Promise((e=>{n=e}));const o=async()=>{let o;try{if(m(this.agentIdentifier)){const{setupAgentSession:e}=await i.e(296).then(i.bind(i,3861));o=e(t)}}catch(t){(0,e.R)(20,t),this.ee.emit("internal-error",[t]),this.featureName===a.K7.sessionReplay&&this.abortHandler?.()}try{if(!this.#t(this.featureName,o))return(0,d.Ze)(this.agentIdentifier,this.featureName),void n(!1);const{lazyFeatureLoader:e}=await i.e(296).then(i.bind(i,6103)),{Aggregate:a}=await e(this.featureName,"aggregate");this.featAggregate=new a(t,r),t.runtime.harvester.initializedAggregates.push(this.featAggregate),n(!0)}catch(t){(0,e.R)(34,t),this.abortHandler?.(),(0,d.Ze)(this.agentIdentifier,this.featureName,!0),n(!1),this.ee&&this.ee.abort()}};p.RI?(0,g.GG)((()=>o()),!0):o()}#t(e,t){switch(e){case a.K7.sessionReplay:return v(this.agentIdentifier)&&!!t;case a.K7.sessionTrace:return!!t;default:return!0}}}var w=i(6630);class A extends y{static featureName=w.T;constructor(e,t=!0){super(e,w.T,t),this.importAggregator(e)}}var E=i(9908),R=i(2843),_=i(3878),x=i(782),N=i(1863);class k extends y{static featureName=x.T;constructor(e,t=!0){super(e,x.T,t),p.RI&&((0,R.u)((()=>(0,E.p)("docHidden",[(0,N.t)()],void 0,x.T,this.ee)),!0),(0,_.sp)("pagehide",(()=>(0,E.p)("winPagehide",[(0,N.t)()],void 0,x.T,this.ee))),this.importAggregator(e))}}var S=i(9559),T=i(3969);class j extends y{static featureName=T.TZ;constructor(e,t=!0){super(e,T.TZ,t),(0,S.A5)(this.ee),T.Pj.forEach((e=>{this.ee.on(S.NF+e,((...t)=>{(0,E.p)("buffered-"+S.NF+e,[...t],void 0,this.featureName,this.ee)}))})),this.importAggregator(e)}}new class extends 
o{constructor(t){super(),p.gm?(this.features={},(0,h.bQ)(this.agentIdentifier,this),this.desiredFeatures=new Set(t.features||[]),this.desiredFeatures.add(A),this.runSoftNavOverSpa=[...this.desiredFeatures].some((e=>e.featureName===a.K7.softNav)),(0,l.j)(this,t,t.loaderType||"agent"),this.run()):(0,e.R)(21)}get config(){return{info:this.info,init:this.init,loader_config:this.loader_config,runtime:this.runtime}}run(){try{const t=u(this.agentIdentifier),r=[...this.desiredFeatures];r.sort(((e,t)=>a.P3[e.featureName]-a.P3[t.featureName])),r.forEach((r=>{if(!t[r.featureName]&&r.featureName!==a.K7.pageViewEvent)return;if(this.runSoftNavOverSpa&&r.featureName===a.K7.spa)return;if(!this.runSoftNavOverSpa&&r.featureName===a.K7.softNav)return;const n=function(e){switch(e){case a.K7.ajax:return[a.K7.jserrors];case a.K7.sessionTrace:return[a.K7.ajax,a.K7.pageViewEvent];case a.K7.sessionReplay:return[a.K7.sessionTrace];case a.K7.pageViewTiming:return[a.K7.pageViewEvent];default:return[]}}(r.featureName).filter((e=>!(e in this.features)));n.length>0&&(0,e.R)(36,{targetFeature:r.featureName,missingDependencies:n}),this.features[r.featureName]=new r(this)}))}catch(t){(0,e.R)(22,t);for(const e in this.features)this.features[e].abortHandler?.();const r=(0,h.Zm)();delete r.initializedAgents[this.agentIdentifier]?.api,delete r.initializedAgents[this.agentIdentifier]?.features,delete this.sharedAggregator;return r.ee.get(this.agentIdentifier).abort(),!1}}}({features:[A,k,j],loaderType:"lite"})})()})();</script><link data-next-font="size-adjust" rel="preconnect" href="/" crossorigin="anonymous"/><link nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" rel="preload" href="/_next/static/css/92f230208c8f5fec.css" as="style"/><link nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" rel="stylesheet" href="/_next/static/css/92f230208c8f5fec.css" data-n-g=""/><noscript data-n-css="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2"></noscript><script defer="" 
nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" nomodule="" src="/_next/static/chunks/polyfills-42372ed130431b0a.js"></script><script src="/_next/static/chunks/webpack-a707e99c69361791.js" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" defer=""></script><script src="/_next/static/chunks/framework-945b357d4a851f4b.js" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" defer=""></script><script src="/_next/static/chunks/main-61b32c80755bad6c.js" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" defer=""></script><script src="/_next/static/chunks/pages/_app-62aa0bf74fd1756c.js" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" defer=""></script><script src="/_next/static/chunks/178-1500985f9b087e1a.js" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" defer=""></script><script src="/_next/static/chunks/pages/indicators/ioe-84467d2b30dee036.js" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" defer=""></script><script src="/_next/static/TgpC0GgDQiX0eP8wJ615X/_buildManifest.js" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" defer=""></script><script src="/_next/static/TgpC0GgDQiX0eP8wJ615X/_ssgManifest.js" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2" defer=""></script></head><body data-base-url="https://www.tenable.com" data-ga4-tracking-id=""><div id="__next"><div class="app__wrapper"><header class="banner"><div class="nav-wrapper"><ul class="list-inline nav-brand"><li class="list-inline-item"><a href="https://www.tenable.com"><img class="logo" src="https://www.tenable.com/themes/custom/tenable/img/logo.png" alt="Tenable"/></a></li><li class="list-inline-item"><a class="app-name" href="https://www.tenable.com/indicators">Indicators</a></li></ul><ul class="nav-dropdown nav"><li class="d-none d-md-block dropdown nav-item"><a aria-haspopup="true" href="#" class="dropdown-toggle nav-link" aria-expanded="false">Settings</a><div tabindex="-1" 
role="menu" aria-hidden="true" class="dropdown-menu dropdown-menu-right"><h6 tabindex="-1" class="dropdown-header">Links</h6><a href="https://cloud.tenable.com" role="menuitem" class="dropdown-item">Tenable Cloud<!-- --> <i class="fas fa-external-link-alt external-link"></i></a><a href="https://community.tenable.com/login" role="menuitem" class="dropdown-item">Tenable Community &amp; Support<!-- --> <i class="fas fa-external-link-alt external-link"></i></a><a href="https://university.tenable.com/lms/index.php?r=site/sso&amp;sso_type=saml" role="menuitem" class="dropdown-item">Tenable University<!-- --> <i class="fas fa-external-link-alt external-link"></i></a><div tabindex="-1" class="dropdown-divider"></div><span tabindex="-1" class="dropdown-item-text"><div class="d-flex justify-content-between toggle-btn-group flex-row"><div class="label">Theme</div><div role="group" class="ml-3 btn-group-sm btn-group"><button type="button" class="toggle-btn btn btn-outline-primary active">Light</button><button type="button" class="toggle-btn btn btn-outline-primary">Dark</button><button type="button" class="toggle-btn btn btn-outline-primary">Auto</button></div></div></span><div tabindex="-1" class="dropdown-divider"></div><button type="button" tabindex="0" role="menuitem" class="dropdown-item-link dropdown-item">Help</button></div></li></ul><div class="d-block d-md-none"><button type="button" aria-label="Toggle Overlay" class="btn btn-link nav-toggle"><i class="fas fa-bars fa-2x"></i></button></div></div></header><div class="mobile-nav closed"><ul class="flex-column nav"><li class="mobile-header nav-item"><a href="https://www.tenable.com" class="float-left nav-link"><img class="logo" src="https://www.tenable.com/themes/custom/tenable/img/logo-teal.png" alt="Tenable"/></a><a class="float-right mr-2 nav-link"><i class="fas fa-times fa-lg"></i></a></li><li class="nav-item"><a class="nav-link">Plugins<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div 
class="collapse"><div class="mobile-collapse"><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins">Overview</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/pipeline">Plugins Pipeline</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/newest">Newest</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/updated">Updated</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/search">Search</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/nessus/families?type=nessus">Nessus Families</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/was/families?type=was">WAS Families</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/nnm/families?type=nnm">NNM Families</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/lce/families?type=lce">LCE Families</a></li><li class="no-capitalize nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/ot/families?type=ot">Tenable OT Security Families</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/families/about">About Plugin Families</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/plugins/release-notes">Release Notes</a></li></div></div><li class="nav-item"><a class="nav-link">Audits<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="collapse"><div class="mobile-collapse"><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/audits">Overview</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/audits/newest">Newest</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/audits/updated">Updated</a></li><li class="nav-item"><a class="nav-link " 
href="https://www.tenable.com/audits/search">Search Audit Files</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/audits/items/search">Search Items</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/audits/references">References</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/audits/authorities">Authorities</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/audits/documentation">Documentation</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/downloads/download-all-compliance-audit-files">Download All Audit Files</a></li></div></div><li class="nav-item"><a class="nav-link">Indicators<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="collapse"><div class="mobile-collapse"><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/indicators">Overview</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/indicators/search">Search</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/indicators/ioa">Indicators of Attack</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/indicators/ioe">Indicators of Exposure</a></li></div></div><li class="nav-item"><a class="nav-link">CVEs<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="collapse"><div class="mobile-collapse"><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/cve">Overview</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/cve/newest">Newest</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/cve/updated">Updated</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/cve/search">Search</a></li></div></div><li class="nav-item"><a class="nav-link">Attack Path Techniques<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div 
class="collapse"><div class="mobile-collapse"><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/attack-path-techniques">Overview</a></li><li class="nav-item"><a class="nav-link " href="https://www.tenable.com/attack-path-techniques/search">Search</a></li></div></div><ul id="links-nav" class="flex-column mt-5 nav"><li class="nav-item"><a class="nav-link">Links<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="collapse"><div class="mobile-collapse"><li class="nav-item"><a href="https://cloud.tenable.com" class="nav-link">Tenable Cloud</a></li><li class="nav-item"><a href="https://community.tenable.com/login" class="nav-link">Tenable Community &amp; Support</a></li><li class="nav-item"><a href="https://university.tenable.com/lms/index.php?r=site/sso&amp;sso_type=saml" class="nav-link">Tenable University</a></li></div></div><li class="nav-item"><a class="nav-link">Settings<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="collapse"><div class="mobile-collapse py-3"><li class="nav-item"><div class="d-flex justify-content-between toggle-btn-group flex-row"><div class="label">Theme</div><div role="group" class="ml-3 btn-group-sm btn-group"><button type="button" class="toggle-btn btn btn-outline-primary active">Light</button><button type="button" class="toggle-btn btn btn-outline-primary">Dark</button><button type="button" class="toggle-btn btn btn-outline-primary">Auto</button></div></div></li></div></div></ul></ul></div><div class="app__container"><div class="app__content"><div class="card callout callout-alert callout-bg-danger mb-4"><div class="card-body"><h5 class="mb-2 text-white">Your browser is no longer supported</h5><p class="text-white">Please update or use another browser for this application to function correctly.</p></div></div><div class="row"><div class="col-3 col-xl-2 d-none d-md-block"><h6 class="side-nav-heading">Detections</h6><ul class="side-nav bg-white sticky-top nav flex-column"><li 
class="nav-item"><a type="button" class="nav-link">Plugins<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="side-nav-collapse collapse"><li class="false nav-item"><a href="/plugins" class="nav-link"><span>Overview</span></a></li><li class="false nav-item"><a href="/plugins/pipeline" class="nav-link"><span>Plugins Pipeline</span></a></li><li class="false nav-item"><a href="/plugins/release-notes" class="nav-link"><span>Release Notes</span></a></li><li class="false nav-item"><a href="/plugins/newest" class="nav-link"><span>Newest</span></a></li><li class="false nav-item"><a href="/plugins/updated" class="nav-link"><span>Updated</span></a></li><li class="false nav-item"><a href="/plugins/search" class="nav-link"><span>Search</span></a></li><li class="false nav-item"><a href="/plugins/nessus/families" class="nav-link"><span>Nessus Families</span></a></li><li class="false nav-item"><a href="/plugins/was/families" class="nav-link"><span>WAS Families</span></a></li><li class="false nav-item"><a href="/plugins/nnm/families" class="nav-link"><span>NNM Families</span></a></li><li class="false nav-item"><a href="/plugins/lce/families" class="nav-link"><span>LCE Families</span></a></li><li class="false nav-item"><a href="/plugins/ot/families" class="nav-link"><span>Tenable OT Security Families</span></a></li><li class="false nav-item"><a href="/plugins/families/about" class="nav-link"><span>About Plugin Families</span></a></li></div><li class="nav-item"><a type="button" class="nav-link">Audits<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="side-nav-collapse collapse"><li class="false nav-item"><a href="/audits" class="nav-link"><span>Overview</span></a></li><li class="false nav-item"><a href="/audits/newest" class="nav-link"><span>Newest</span></a></li><li class="false nav-item"><a href="/audits/updated" class="nav-link"><span>Updated</span></a></li><li class="false nav-item"><a href="/audits/search" 
class="nav-link"><span>Search Audit Files</span></a></li><li class="false nav-item"><a href="/audits/items/search" class="nav-link"><span>Search Items</span></a></li><li class="false nav-item"><a href="/audits/references" class="nav-link"><span>References</span></a></li><li class="false nav-item"><a href="/audits/authorities" class="nav-link"><span>Authorities</span></a></li><li class="false nav-item"><a href="/audits/documentation" class="nav-link"><span>Documentation</span></a></li><li class="nav-item"><a class="nav-link" href="https://www.tenable.com/downloads/download-all-compliance-audit-files">Download All Audit Files</a></li></div><li class="nav-item"><a type="button" class="nav-link">Indicators<i class="float-right mt-1 fas fa-chevron-down"></i></a></li><div class="side-nav-collapse collapse show"><li class="false nav-item"><a href="/indicators" class="nav-link"><span>Overview</span></a></li><li class="false nav-item"><a href="/indicators/search" class="nav-link"><span>Search</span></a></li><li class="false nav-item"><a href="/indicators/ioa" class="nav-link"><span>Indicators of Attack</span></a></li><li class="active nav-item"><a href="/indicators/ioe" class="nav-link"><span>Indicators of Exposure</span></a></li></div></ul><h6 class="side-nav-heading">Analytics</h6><ul class="side-nav bg-white sticky-top nav flex-column"><li class="nav-item"><a type="button" class="nav-link">CVEs<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="side-nav-collapse collapse"><li class="false nav-item"><a href="/cve" class="nav-link"><span>Overview</span></a></li><li class="false nav-item"><a href="/cve/newest" class="nav-link"><span>Newest</span></a></li><li class="false nav-item"><a href="/cve/updated" class="nav-link"><span>Updated</span></a></li><li class="false nav-item"><a href="/cve/search" class="nav-link"><span>Search</span></a></li></div><li class="nav-item"><a type="button" class="nav-link">Attack Path Techniques<i class="float-right mt-1 fas 
fa-chevron-right"></i></a></li><div class="side-nav-collapse collapse"><li class="false nav-item"><a href="/attack-path-techniques" class="nav-link"><span>Overview</span></a></li><li class="false nav-item"><a href="/attack-path-techniques/search" class="nav-link"><span>Search</span></a></li></div></ul></div><div class="col-12 col-md-9 col-xl-10"><nav class="d-none d-md-block" aria-label="breadcrumb"><ol class="breadcrumb"><li class="breadcrumb-item"><a href="https://www.tenable.com/indicators">Indicators</a></li><li class="active breadcrumb-item" aria-current="page">Indicators of Exposure</li></ol></nav><nav class="d-md-none" aria-label="breadcrumb"><ol class="breadcrumb"><li class="breadcrumb-item"><a href="https://www.tenable.com/indicators"><i class="fas fa-chevron-left"></i> <!-- -->Indicators</a></li></ol></nav><h1 class="mb-3 h2">Indicators of Exposure</h1><div class="card"><div class="p-3 card-body"><nav class="" aria-label="pagination"><ul class="justify-content-between pagination pagination"><li class="page-item disabled"><a class="page-link page-previous" href="https://www.tenable.com/indicators/ioe?page=0">‹‹ <!-- -->Previous<span class="sr-only"> <!-- -->Previous</span></a></li><li class="page-item disabled"><a class="page-link page-text">Page 1 of 3<!-- --> <span class="d-none d-sm-inline">• <!-- -->105 Total</span></a></li><li class="page-item"><a class="page-link page-next" href="https://www.tenable.com/indicators/ioe?page=2"><span class="sr-only">Next</span>Next<!-- --> ››</a></li></ul></nav><div class="table-responsive"><table class="results-table table"><thead><tr><th>Name</th><th>Description</th><th>Severity</th></tr></thead><tbody><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-CONFLICTED-OBJECTS">Conflicting Security Principals</a></td><td><p>Checks that there are no duplicated (conflicting) users, computers, or groups.</p> </td><td><h6 class="m-1"><span class="badge badge-low">low</span></h6></td></tr><tr><td><a 
href="https://www.tenable.com/indicators/ioe/ad/C-SHADOW-CREDENTIALS">Shadow Credentials</a></td><td><p>Detects Shadow Credentials backdoors and misconfigurations in the "Windows Hello for Business" feature and its associated key credentials.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-GUEST-ACCOUNT">Enabled Guest Account</a></td><td><p>Checks that the built-in guest account is disabled.</p> </td><td><h6 class="m-1"><span class="badge badge-low">low</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-MSA-COMPLIANCE">Managed Service Accounts Dangerous Misconfigurations</a></td><td><p>Ensures Managed Service Accounts (MSAs) are deployed and well configured.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-AAD-PRIV-SYNC">Privileged AD User Accounts Synchronized to Microsoft Entra ID</a></td><td><p>Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-AUTH-SILO">Privileged Authentication Silo Configuration</a></td><td><p>A step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-DYNAMIC-UPDATES">Unsecure Dynamic DNS Zone Updates Allowed</a></td><td><p>Checks that the DNS server configuration disallows unsecure dynamic DNS zone updates.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-WSUS-HARDENING">WSUS Dangerous Misconfigurations</a></td><td><p>Lists the misconfigured 
parameters related to Windows Server Update Services (WSUS).</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PROP-SET-SANITY">Property Sets Integrity</a></td><td><p>Checks the integrity of property sets and validates permissions.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-DFS-MISCONFIG">Dangerous SYSVOL Replication Configuration</a></td><td><p>Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS).</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PASSWORD-HASHES-ANALYSIS">Detection of Password Weaknesses</a></td><td><p>Checks for weaknesses in passwords that may heighten the vulnerability of Active Directory accounts.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-RANSOMWARE-HARDENING">Insufficient Hardening Against Ransomware</a></td><td><p>Ensures that the domain implemented hardening measures to protect against ransomware.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PKI-DANG-ACCESS">ADCS Dangerous Misconfigurations</a></td><td><p>Lists dangerous permissions and misconfigured parameters related to the Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI).</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-GPO-EXEC-SANITY">GPO Execution Sanity</a></td><td><p>Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane.</p> </td><td><h6 
class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-ADMIN-RESTRICT-AUTH">Logon Restrictions for Privileged Users</a></td><td><p>Checks for privileged users who can connect to less privileged machines, leading to a risk of credential theft.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-NETLOGON-SECURITY">Unsecured Configuration of Netlogon Protocol</a></td><td><p>CVE-2020-1472 ("Zerologon") affects the Netlogon protocol and allows elevation of privilege.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-CREDENTIAL-ROAMING">Vulnerable Credential Roaming Related Attributes</a></td><td><p>Credential roaming attributes are vulnerable, making the related user's protected secrets readable by an attacker.</p> </td><td><h6 class="m-1"><span class="badge badge-low">low</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-CLEARTEXT-PASSWORD">Potential Clear-Text Password</a></td><td><p>Checks for objects containing potential clear-text passwords in attributes readable by domain users.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-DANGEROUS-SENSITIVE-PRIVILEGES">Dangerous Sensitive Privileges</a></td><td><p>Identifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-SENSITIVE-CERTIFICATES-ON-USER">Mapped Certificates on Accounts</a></td><td><p>Ensures that privileged objects do not have any mapped certificate assigned to them.</p> </td><td><h6 class="m-1"><span class="badge 
badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-GPO-HARDENING">Domain Without Computer-Hardening GPOs</a></td><td><p>Checks that hardening GPOs have been deployed on the domain.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PROTECTED-USERS-GROUP-UNUSED">Protected Users Group Not Used</a></td><td><p>Checks for privileged users who are not members of the Protected Users group.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PASSWORD-NOT-REQUIRED">Account with Possible Empty Password</a></td><td><p>Identifies user accounts that allow empty passwords.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-USERS-CAN-JOIN-COMPUTERS">Users Allowed to Join Computers to the Domain</a></td><td><p>Verifies that regular users cannot join external computers to the domain.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-AAD-SSO-PASSWORD">Last Change of the Microsoft Entra SSO Account Password</a></td><td><p>Ensures regular changes to the Microsoft Entra SSO account password.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-ABNORMAL-ENTRIES-IN-SCHEMA">Dangerous Rights in the AD Schema</a></td><td><p>Lists schema entries considered anomalous that could potentially offer a means of persistence.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-USER-PASSWORD">User Account Using Old Password</a></td><td><p>Checks for regular updates of all active 
account passwords in Active Directory to reduce credential theft risk.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-AAD-CONNECT">Verify Permissions Related to Microsoft Entra Connect Accounts</a></td><td><p>Ensures that the permissions set on Microsoft Entra Connect accounts are sane.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-DC-ACCESS-CONSISTENCY">Domain Controllers Managed by Illegitimate Users</a></td><td><p>Some domain controllers can be managed by non-administrative users due to dangerous access rights.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PASSWORD-POLICY">Application of Weak Password Policies on Users</a></td><td><p>Some password policies applied on specific user accounts are not strong enough and can lead to credential theft.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-GPO-SD-CONSISTENCY">Verify Sensitive GPO Objects and Files Permissions</a></td><td><p>Ensures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the domain controllers or OU, are appropriate and secure.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-DSHEURISTICS">Domain with Unsafe Backward-Compatibility Configuration</a></td><td><p>The dsHeuristics attribute can modify AD behavior, but some fields are security-sensitive and pose a security risk.</p> </td><td><h6 class="m-1"><span class="badge badge-low">low</span></h6></td></tr><tr><td><a 
href="https://www.tenable.com/indicators/ioe/ad/C-DOMAIN-FUNCTIONAL-LEVEL">Domains with an Outdated Functional Level</a></td><td><p>Checks for the correct functional level of a domain or forest which determines the availability of advanced features and security options.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-LAPS-UNSECURE-CONFIG">Local Administrative Account Management</a></td><td><p>Ensures the secure and central management of local administrative accounts using LAPS.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-KERBEROS-CONFIG-ACCOUNT">Kerberos Configuration on User Account</a></td><td><p>Detects accounts that use weak Kerberos configuration.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-ROOTOBJECTS-SD-CONSISTENCY">Root Objects Permissions Allowing DCSync-Like Attacks</a></td><td><p>Checks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PRE-WIN2000-ACCESS-MEMBERS">Accounts Using a Pre-Windows 2000 Compatible Access Control</a></td><td><p>Checks for account members of the Pre-Windows 2000 Compatible Access group which can bypass security measures.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-DISABLED-ACCOUNTS-PRIV-GROUPS">Disabled Accounts in Privileged Groups</a></td><td><p>Accounts that are not used anymore should not stay in privileged groups.</p> </td><td><h6 class="m-1"><span class="badge 
badge-low">low</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-OBSOLETE-SYSTEMS">Computers Running an Obsolete OS</a></td><td><p>Identifies obsolete systems that Microsoft no longer supports and which increase the infrastructure's vulnerability.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-ACCOUNTS-DANG-SID-HISTORY">Accounts With a Dangerous SID History Attribute</a></td><td><p>Checks for user or computer accounts using a privileged SID in the SID history attribute.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PKI-WEAK-CRYPTO">Use of Weak Cryptography Algorithms in Active Directory PKI</a></td><td><p>Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-ADM-ACC-USAGE">Recent Use of the Default Administrator Account</a></td><td><p>Checks for recent uses of the built-in administrator account.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-DANG-PRIMGROUPID">User Primary Group</a></td><td><p>Verifies that users' Primary Group has not been changed.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-UNCONST-DELEG">Dangerous Kerberos Delegation</a></td><td><p>Checks for unauthorized Kerberos delegation, and ensures protection for privileged users against it.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-USERS-REVER-PWDS">Reversible 
Passwords</a></td><td><p>Verifies that the option to store passwords in a reversible format is not enabled.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-REVER-PWD-GPO">Reversible Passwords in GPO</a></td><td><p>Checks that GPO preferences do not allow passwords in a reversible format.</p> </td><td><h6 class="m-1"><span class="badge badge-medium">medium</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-SDPROP-CONSISTENCY">Ensure SDProp Consistency</a></td><td><p>Checks that the AdminSDHolder object is in a clean state.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-KRBTGT-PASSWORD">Last Password Change on KRBTGT account</a></td><td><p>Checks for KRBTGT accounts that have not changed their passwords for more than the recommended interval.</p> </td><td><h6 class="m-1"><span class="badge badge-high">high</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-NATIVE-ADM-GROUP-MEMBERS">Native Administrative Group Members</a></td><td><p>Lists abnormal accounts in the native administrative groups of Active Directory.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr><tr><td><a href="https://www.tenable.com/indicators/ioe/ad/C-PRIV-ACCOUNTS-SPN">Privileged Accounts Running Kerberos Services</a></td><td><p>Detects highly privileged accounts with the Service Principal Name (SPN) attribute, which affects their security.</p> </td><td><h6 class="m-1"><span class="badge badge-critical">critical</span></h6></td></tr></tbody></table></div><nav class="" aria-label="pagination"><ul class="justify-content-between pagination pagination"><li class="page-item disabled"><a class="page-link page-previous" href="https://www.tenable.com/indicators/ioe?page=0">‹‹ <!-- 
-->Previous<span class="sr-only"> <!-- -->Previous</span></a></li><li class="page-item disabled"><a class="page-link page-text">Page 1 of 3<!-- --> <span class="d-none d-sm-inline">• <!-- -->105 Total</span></a></li><li class="page-item"><a class="page-link page-next" href="https://www.tenable.com/indicators/ioe?page=2"><span class="sr-only">Next</span>Next<!-- --> ››</a></li></ul></nav></div></div></div></div></div></div><footer class="footer"><div class="container"><ul class="footer-nav"><li class="footer-nav-item"><a href="https://www.tenable.com/">Tenable.com</a></li><li class="footer-nav-item"><a href="https://community.tenable.com">Community &amp; Support</a></li><li class="footer-nav-item"><a href="https://docs.tenable.com">Documentation</a></li><li class="footer-nav-item"><a href="https://university.tenable.com">Education</a></li></ul><ul class="footer-nav footer-nav-secondary"><li class="footer-nav-item">© <!-- -->2025<!-- --> <!-- -->Tenable®, Inc. All Rights Reserved</li><li class="footer-nav-item"><a href="https://www.tenable.com/privacy-policy">Privacy Policy</a></li><li class="footer-nav-item"><a href="https://www.tenable.com/legal">Legal</a></li><li class="footer-nav-item"><a href="https://www.tenable.com/section-508-voluntary-product-accessibility">508 Compliance</a></li></ul></div></footer><div class="Toastify"></div></div></div><script id="__NEXT_DATA__" type="application/json" nonce="nonce-ZDQzYTAzMDUtOTc4MS00OWEyLTg3Y2UtMGI3YWIwM2I5ZDA2">{"props":{"pageProps":{"indicators":[{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-CONFLICTED-OBJECTS","_score":null,"_source":{"language_code":"en_US","codename":"C-CONFLICTED-OBJECTS","name":"Conflicting Security Principals","id":60,"description":"\u003cp\u003eChecks that there are no duplicated (conflicting) users, computers, or groups.\u003c/p\u003e\n","criticity":"low","exec_summary":"\u003cp\u003eThe multi-master replication system of Active Directory generally works well, but 
conflicts can arise for various reasons and require manual resolution.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eActive Directory uses multi-master replication to avoid a single point of failure. While this process usually works well, conflicts can sometimes occur, leading to duplicated objects. A conflict may affect an attribute when it changes simultaneously on two distinct domain controllers with different values. This issue can also apply to an entire object, such as during its creation:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDC-1 creates a new object \"object-A\" in \"container-A\".\u003c/li\u003e\n\u003cli\u003eAt the same time, DC-2 creates a new object with the same name at the same location.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eDuplicated objects, especially users and computers, can cause confusion. Ideally, you should keep only one identity and remove the others. If you're unsure or want the safest approach, delete all the conflicting objects instead of choosing one to save. Clean everything to ensure clarity.\nA high number of conflicting objects could indicate an issue with the replication process and may require further investigation.\n\u003cbr\u003eThis Indicator of Exposure (IoE) checks for the following elements:\u003c/p\u003e\n\u003ch4\u003eDuplicate Relative Distinguished Names (RDN) in the same Organizational Unit (OU) or container.\u003c/h4\u003e\n\u003cp\u003eChecks whether at least two Security Principals (SP) are in the same OU or container and use the same Relative Distinguished Name (\u003ca href=\"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_22198321-b40b-4c24-b8a2-29e44d9d92b9\"\u003eRDN\u003c/a\u003e) or CN.\u003c/p\u003e\n\u003ch4\u003eDuplicate sAMAccountName\u003c/h4\u003e\n\u003cp\u003eChecks whether at least two SPs have the same sAMAccountName at creation time. 
After an authentication or a new creation attempt, only one sAMAccountName may retain the correct value, while the others (or all of them) get renamed to \"$DUPLICATE-xxx,\" where \"xxx\" is the RID of the object in hexadecimal.\u003c/p\u003e\n\u003ch4\u003eSame sAMAccountName\u003c/h4\u003e\n\u003cp\u003eChecks whether at least two SPs have the same sAMAccountName. After an authentication or a new creation attempt, only one sAMAccountName may retain the original value, and the others (or all of them) get renamed (see the \"Duplicate sAMAccountName\" reason).\n\u003cbr\u003eNotes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe \"\u003cem\u003eUnlinked, Disabled or Orphan GPO\u003c/em\u003e\" IoE reports on conflicting GPOs, whereas this IoE reports on conflicts between security principals (users, computers, and groups).\u003c/li\u003e\n\u003cli\u003eEven if an account is disabled, someone can still attempt to authenticate with it, and such an attempt can trigger the renaming described above. Disabling a duplicate is therefore not a substitute for removing it.\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Remove Duplicated Security Principals","description":"To enhance infrastructure consistency and prevent identity confusion, remove duplicated security principals.","exec_summary":"\u003cp\u003eTo enhance infrastructure consistency and prevent identity confusion, remove duplicated security principals.\u003c/p\u003e\n","detail":"\u003cp\u003eTenable does not recommend having duplicated objects because they indicate low data integrity and potentially unsolvable replication issues. This is particularly problematic with users and computers as it could prevent users or services from authenticating. 
When you encounter this situation, remove the conflicting objects.\n\u003cbr\u003eThis IoE assesses the following reasons and Tenable recommends this approach:\u003c/p\u003e\n\u003cp\u003eNote: the commands below pipe the results to \u003ccode\u003eRemove-ADUser\u003c/code\u003e, which only accepts user objects. For conflicting computer or group objects, pipe to \u003ccode\u003eRemove-ADObject\u003c/code\u003e instead. Because the filters use wildcards, run the \u003ccode\u003eGet-ADObject\u003c/code\u003e part on its own first and review the returned distinguished names before deleting anything.\u003c/p\u003e\n\u003ch4\u003eDuplicate RDN in the same OU or container\u003c/h4\u003e\n\u003cp\u003eDelete objects with \"CNF\" in the CN/DN attributes by executing the following PowerShell command and replacing the placeholder \u003ccode\u003e\u0026lt;Replace by the impacted CN\u0026gt;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e$domainDN = (Get-ADDomain).DistinguishedName\n\n(Get-ADObject -LDAPFilter \"(cn=\u0026lt;Replace by the impacted CN\u0026gt;\\0ACNF:*)\" -SearchBase $domainDN -Properties DistinguishedName, Cn, SamAccountName).DistinguishedName | Remove-ADUser -Confirm:$True\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eDuplicate sAMAccountName\u003c/h4\u003e\n\u003cp\u003eDelete objects with \"$DUPLICATE-xxx\" in the sAMAccountName by executing the following PowerShell command and replacing the placeholder \u003ccode\u003e\u0026lt;$DUPLICATE-xxx\u0026gt;\u003c/code\u003e or using \u003ccode\u003e$DUPLICATE-*\u003c/code\u003e to delete all such objects:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e$domainDN = (Get-ADDomain).DistinguishedName\n\n(Get-ADObject -LDAPFilter \"(samaccountname=\u0026lt;`$DUPLICATE`-xxx\u0026gt;)\" -SearchBase $domainDN -Properties DistinguishedName, Cn, SamAccountName).DistinguishedName | Remove-ADUser -Confirm:$True\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eSame sAMAccountName\u003c/h4\u003e\n\u003cp\u003eIdentify the deviant object (the one in the wrong location) and delete it by executing the following PowerShell command and replacing the placeholder \u003ccode\u003e\u0026lt;Replace by the impacted CN\u0026gt;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e$domainDN = (Get-ADDomain).DistinguishedName\n\n(Get-ADObject -LDAPFilter \"(cn=\u0026lt;Replace by the impacted CN\u0026gt;*)\" -SearchBase $domainDN -Properties 
DistinguishedName, Cn, SamAccountName).DistinguishedName | Remove-ADUser -Confirm:$True\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003eA high number of conflicting objects may indicate a replication issue and warrant further investigation.\u003c/p\u003e\n","resources":[{"name":"Active Directory: Duplicate Object Name Resolution","url":"https://learn.microsoft.com/en-us/archive/technet-wiki/15435.active-directory-duplicate-object-name-resolution","type":"hyperlink"},{"name":"Troubleshooting Directory Data Problems","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727059(v=technet.10)","type":"hyperlink"}]},"resources":[{"name":"Active Directory: Duplicate Object Name Resolution","url":"https://learn.microsoft.com/en-us/archive/technet-wiki/15435.active-directory-duplicate-object-name-resolution","type":"hyperlink"},{"name":"sAMAccountName is always unique in a Windows domain… or is it?","url":"https://blog.joeware.net/2012/01/04/2357/","type":"hyperlink"},{"name":"Using conflicting objects in Active Directory to gain privileges","url":"https://medium.com/tenable-techblog/using-conflicting-objects-in-active-directory-to-gain-privileges-243ef6a27928","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_user"],"attacker_known_tools":[],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1136 - Create Account"]},{"tactic":"TA0005 - Defense Evasion","techniques":["T1036 - Masquerading"]},{"tactic":"TA0040 - Impact","techniques":["T1489 - Service Stop"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["ja_JP","zh_CN","zh_TW","de_DE","fr_FR","ko_KR","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-CONFLICTED-OBJECTS","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"low","type":"ioe","subType":"ad","availableLocales":["ja","zh-CN","zh-TW","de","fr","ko","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1136","name":"Create Account","url":"https://attack.mitre.org/techniques/T1136/"}]},{"tactic":{"id":"TA0005","name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005/"},"techniques":[{"id":"T1036","name":"Masquerading","url":"https://attack.mitre.org/techniques/T1036/"}]},{"tactic":{"id":"TA0040","name":"Impact","url":"https://attack.mitre.org/tactics/TA0040/"},"techniques":[{"id":"T1489","name":"Service Stop","url":"https://attack.mitre.org/techniques/T1489/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[60]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-SHADOW-CREDENTIALS","_score":null,"_source":{"language_code":"en_US","codename":"C-SHADOW-CREDENTIALS","name":"Shadow Credentials","id":59,"description":"\u003cp\u003eDetects Shadow Credentials backdoors and misconfigurations in the \"Windows Hello for Business\" feature and its associated key credentials.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eThe Shadow Credentials backdoor technique exploits the legitimate Microsoft \"Windows Hello for Business\" feature. If the Active Directory does not use this feature, it is easy to detect this persistence mechanism. 
If it does use this feature, misconfigurations could indicate compromise or poor management practices.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eMicrosoft's \"Windows Hello for Business\" (WHfB) feature addresses the growing demand for passwordless authentication solutions. As Multi-Factor Authentication (MFA) gains popularity over traditional password-based authentication, WHfB provides a Microsoft-native solution for MFA sign-in on Windows 10 and later devices.\u003c/p\u003e\n\u003cp\u003eMFA solutions from third-party vendors have traditionally required substantial effort to deploy and configure, often involving smartcards. Microsoft's \"Windows Hello for Business\" (WHfB) offers a streamlined, native MFA solution tightly integrated with Active Directory and Entra ID, making it an appealing option for enhancing security, especially for privileged domain user accounts, without the overhead of external MFA products.\n\u003cbr\u003eEntra ID supports three types of passwordless authentication:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eWindows Hello for Business\u003c/strong\u003e, which this Indicator of Exposure checks\u003c/li\u003e\n\u003cli\u003eMicrosoft Authenticator application\u003c/li\u003e\n\u003cli\u003eFIDO2 security keys\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eUnlike the standalone \"Windows Hello\" feature available on Windows workstations, WHfB only uses key-based or certificate-based authentication methods, that can be protected by a Trusted Platform Module (TPM).\u003c/p\u003e\n\u003cp\u003eWHfB satisfies the \"Smartcard is required for interactive logon\" option for user accounts and the \"Interactive logon: Require smart card\" Group Policy setting for computers, enabling seamless integration with existing smart card configurations.\u003c/p\u003e\n\u003cp\u003eWhile offering enhanced security capabilities, the WHfB feature introduces new potential risks and 
possibilities for misconfiguration that organizations must know about and mitigate appropriately.\u003c/p\u003e\n\u003ch2\u003eDeployment methods of WHfB\u003c/h2\u003e\n\u003cp\u003eDuring the WHfB enrollment process, the computer's TPM chip generates a public/private key pair for the user account and stores the private key exclusively within the TPM. If a TPM is unavailable, it encrypts the private key with DPAPI-NG and stores it locally on the disk. The usage of this key pair varies based on the selected deployment method.\n\u003cbr\u003eThe following deployment methods are available for WHfB:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e(Hybrid) Certificate Trust\u003cul\u003e\n\u003cli\u003eTraditionally, a Public Key Infrastructure (PKI) allows the KDC and a client to exchange public keys using Digital Certificates signed by a trusted Certificate Authority (CA). Smartcard deployments use the same infrastructure as Certificate Trust, but the storage location of the generated private key differs. In Certificate Trust, the TPM protects the private key, whereas in smartcard deployments, a physical card with a silicon chip stores the key.\u003c/li\u003e\n\u003cli\u003eDuring the enrollment process for Certificate Trust, the client uses the keys generated by the TPM to issue a certificate request and obtain a trusted certificate from the CA.\u003c/li\u003e\n\u003cli\u003eIn this model, a PKI (such as an AD CS server) generates certificates, and an AD FS server translates those certificates into a format that Entra ID can understand, such as OAuth or OpenID Connect.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e(Hybrid) Key Trust\u003cul\u003e\n\u003cli\u003eThis approach is useful for environments lacking the prerequisites for deploying Certificate Trust, such as a PKI (AD CS) and an AD FS server. 
However, in exchange for this simplicity and flexibility, it relies on Entra ID for various kinds of orchestration and requires Windows Server 2016 or later domain controllers.\u003c/li\u003e\n\u003cli\u003eUnder this model, PKINIT authentication, an extension of the Kerberos protocol, uses raw key data rather than a certificate.\u003c/li\u003e\n\u003cli\u003eDuring the Key Trust enrollment process, the TPM generates the key pair, and the public key is stored directly within a new \"Key Credential\" object in the \"msDS-KeyCredentialLink\" attribute of the account.\u003c/li\u003e\n\u003cli\u003eIn this model, unlike Certificate Trust, Entra ID manages the keys, so AD must retrieve them from Entra ID. Microsoft Entra Connect then synchronizes this information from Entra ID to the on-premises AD.\u003c/li\u003e\n\u003cli\u003eConsequently, the primary drawback of this deployment lies in provisioning keys to the on-premises environment, which is time-consuming due to synchronization delays with Microsoft Entra Connect and replication delays between DCs.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eCloud Kerberos Trust\u003cul\u003e\n\u003cli\u003eThis represents the latest and most advanced deployment method available. It combines the strengths of the previous two methods, offering instant provisioning (eliminating delays from multiple synchronizations), hybrid authentication, and requiring no additional infrastructure deployment (such as PKI or AD FS servers).\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAfter enrollment, when a client seeks authentication, Windows tries Kerberos PKINIT using the private key. In \"Key Trust,\" the DC verifies the signature on the PKINIT pre-authentication data using the raw public key stored in the \"msDS-KeyCredentialLink\" attribute. 
In \"Certificate Trust,\" the DC validates the trust chain of the certificate provided by the client.\n\u003cbr\u003eThe IoE primarily focuses on the \"Key Trust\" method, which attackers abuse through an attack known as \"Shadow Credentials.\"\u003c/p\u003e\n\u003ch2\u003eHow does WHfB (Key Trust) work in AD?\u003c/h2\u003e\n\u003cp\u003eIn Active Directory, WHfB uses a dedicated attribute on user and computer accounts called \"msDS-KeyCredentialLink\". This attribute can accommodate multiple values known as \"Key Credentials,\" each holding a raw public key (cryptographic material only, not a complete X.509 certificate). It facilitates authentication via Kerberos PKINIT, enabling key-based authentication in AD without the need for a certificate.\u003c/p\u003e\n\u003cp\u003eThis attribute can store multiple key credentials for user and computer accounts, typically corresponding to distinct linked devices, with each device requiring its own entry.\u003c/p\u003e\n\u003ch4\u003eMisconfigurations of WHfB\u003c/h4\u003e\n\u003cp\u003eMultiple misconfigurations, particularly concerning cryptographic materials, can occur with the \"msDS-KeyCredentialLink\" attribute.\u003c/p\u003e\n\u003cp\u003eSuch misconfigurations can also indicate suspicious entries such as the \"Shadow Credentials\" backdoor.\u003c/p\u003e\n\u003ch2\u003eROCA and RSA key length\u003c/h2\u003e\n\u003cp\u003eEach key credential is a specific structure that ultimately holds key cryptographic materials, such as an RSA public key.\u003c/p\u003e\n\u003cp\u003eIf the RSA key size is shorter than the minimum recommended 2048-bit length, factoring the modulus, and thereby recovering the private key from the public key, may become feasible with ample computational power.\u003c/p\u003e\n\u003cp\u003eThe ROCA vulnerability (CVE-2017-15361), discovered in 2017, is another factor to consider when validating keys. 
Known as the \"Return of Coppersmith's Attack,\" this weakness enables the recovery of the private key from the public key when the key was generated by a device affected by this vulnerability.\u003c/p\u003e\n\u003ch2\u003eOrphan key\u003c/h2\u003e\n\u003cp\u003eSince the credentials in the \"msDS-KeyCredentialLink\" attribute must link to a specific device (one entry per device), you can verify their validity. Device registration is mandatory for WHfB implementation, so if you deploy WHfB with \"Key Trust,\" you must enable the \"device writeback\" feature in Microsoft Entra Connect.\u003c/p\u003e\n\u003cp\u003eThis detail is significant because, by default, most attack tools set the GUID representing a device (referred to as a \"Device ID\" in Entra ID and in the binary structure) to a random value.\u003c/p\u003e\n\u003cp\u003eAn orphan key references a device ID that is not registered in AD. It could belong to a previously removed device (note that Microsoft does not perform automatic cleanup) or be a backdoor left by a \"Shadow Credentials\" attack. In both cases, it is best to remove these entries from the list of installed credentials.\u003c/p\u003e\n\u003ch2\u003eShadow Credentials attack\u003c/h2\u003e\n\u003cp\u003eThe Shadow Credentials attack exploits control over the \"msDS-KeyCredentialLink\" attribute of a user or computer account. If an attacker can modify this attribute, they can add alternative credentials for Kerberos authentication. This allows the attacker to authenticate with a self-signed certificate whose private key they hold, alongside the regular account password (which they do not need to know), and obtain a valid Kerberos TGT for the account. 
From this TGT, the attacker can also retrieve the LM and NTLM hashes of the compromised account using the \"UnPAC-the-hash\" attack.\n\u003cbr\u003eIn practice, during the exploitation phase of this attack, an attacker creates a self-signed certificate with a private/public key pair and then sets the public key inside of the \"msDS-KeyCredentialLink\" attribute.\u003c/p\u003e\n\u003cp\u003eThis attribute can hold multiple values, with each entry called a \"Key Credential.\" A single account can have both legitimate entries and backdoors simultaneously.\u003c/p\u003e\n\u003cp\u003eThis authentication method is separate from the password, so the backdoor remains even if the account password changes.\n\u003cbr\u003eIn addition to validating the content of the \"msDS-KeyCredentialLink\" attribute, this IoE ensures that no permission authorizes a non-privileged account to modify this attribute. By default, only members of \"Key Admins\" and \"Enterprise Key Admins\" have this permission. Also, each machine can change its attribute through the \"Validated Write\" right on this attribute.\u003c/p\u003e\n\u003ch2\u003eUnexpected sources\u003c/h2\u003e\n\u003cp\u003eFor a computer account, the content structure of a key credential differs from that of a user account.\n\u003cbr\u003eFor user accounts in the \"Key Trust\" model, Entra ID serves as the data source since Microsoft Entra Connect populates the \"msDS-KeyCredentialLink\" attribute. However, for computer accounts, the computer itself performs the enrollment process. As such, to detect a rogue key credential added on a computer account, if the source is set to Entra ID for this key credential, this is not a valid entry.\n\u003cbr\u003eMoreover, most existing attack tools typically generate a random GUID by default for the associated \"DeviceID\" in new rogue key credentials. 
This provides another detection mechanism for invalid entries, specifically for user accounts (unlike the previous method for computer accounts). This validation occurs through \"Orphan key\" tests, ensuring that a legitimate device links to the key credential.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Analyze and Remediate Risks in Windows Hello for Business Key Credentials Configuration","description":"To mitigate the risks of potential privilege escalation or the installation of backdoors (such as Shadow Credentials) by attackers, it is essential to assess thoroughly and correct the configuration of key credentials in Windows Hello for Business.\n","exec_summary":"\u003cp\u003eMisconfigurations of key credentials in the Windows Hello for Business feature can have a significant impact on Active Directory security, potentially introducing alternative authentication methods. Therefore, it is imperative to give them thorough attention and supervision.\u003c/p\u003e\n","detail":"\u003cp\u003eWhen deployed with the \"Key Trust\" model, the \"Windows Hello for Business\" feature can introduce various misconfigurations even in legitimate usage scenarios. 
Furthermore, even if not actively deployed in your environment, attackers might exploit the underlying technical features to establish authentication-related backdoors.\u003c/p\u003e\n\u003ch4\u003eMisconfigurations of key credentials\u003c/h4\u003e\n\u003cp\u003eBy addressing the single \"msDS-KeyCredentialLink\" attribute, you can fix most misconfigurations flagged in this Indicator of Exposure:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eOrphan Key Credential\u003c/li\u003e\n\u003cli\u003eKey Credential vulnerable to ROCA\u003c/li\u003e\n\u003cli\u003eKey Credential with short RSA key\u003c/li\u003e\n\u003cli\u003eUnexpected value in Key Credential's source field\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIt's worth noting that Microsoft lacks an official built-in tool to remove individual problematic \"Key Credentials\" within this attribute, which can store multiple entries at once.\u003c/p\u003e\n\u003cp\u003eHowever, Microsoft provides a methodology along with the \u003ca href=\"https://support.microsoft.com/en-us/topic/using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hello-for-business-keys-779d1f3f-bb2d-c495-0f6b-9aeb940eeafb\"\u003eWHfBTools\u003c/a\u003e external tool. (Please note that this tool had security issues upon its initial release, so review its code before execution.)\n\u003cbr\u003eIf feasible, we recommend removing all \"Key Credentials\" associated with an account. However, this requires re-enrollment of the account, which can be challenging and time-consuming. 
Nevertheless, if you are certain that your environment does not use WHfB, this procedure is the safest and most efficient option.\n\u003cbr\u003eTo remove all \"Key Credentials\" associated with an account, apply the following procedure: (\u003cstrong\u003eNote: Adapt it to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; Set-ADUser -Identity user-to-fix -Clear 'msDS-KeyCredentialLink' # For a user account\nPS\u0026gt; Set-ADComputer -Identity computer-to-fix$ -Clear 'msDS-KeyCredentialLink' # For a computer account\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNote: If \"Key Credential vulnerable to ROCA\" deviances reappear after clearing the \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute, it may indicate that the TPM on the affected devices remains susceptible to the ROCA vulnerability (CVE-2017-15361). Microsoft \u003ca href=\"https://support.microsoft.com/en-us/topic/using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hello-for-business-keys-779d1f3f-bb2d-c495-0f6b-9aeb940eeafb\"\u003econfirms this\u003c/a\u003e and advises following the steps outlined in \u003ca href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012\"\u003eADV170012\u003c/a\u003e as a priority. Without updating the vulnerable firmware, any new Windows Hello for Business (WHfB) keys generated on these devices will remain exposed to CVE-2017-15361 (ROCA). 
Consequently, Tenable Identity Exposure will continue to flag these vulnerabilities.\u003c/p\u003e\n\u003ch4\u003eCorrect dangerous permissions set on accounts\u003c/h4\u003e\n\u003cp\u003eYou can make permission modifications using the GUI (ADSI Edit) or PowerShell commands.\n\u003cbr\u003eTo reset the \u003cstrong\u003eowner\u003c/strong\u003e of an account, apply the following procedure: (\u003cstrong\u003eNote: Adapt it to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $accountPath = \"AD:CN=user-to-fix,CN=Users,DC=DOMAIN,DC=CORP\"\nPS\u0026gt; $securityPrincipalAccount = \"DOMAIN\\Domain Admins\"\nPS\u0026gt; $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)\nPS\u0026gt; $aclAccount = Get-Acl -Path $accountPath\nPS\u0026gt; $aclAccount.SetOwner($securityPrincipalObject)\nPS\u0026gt; $aclAccount | Set-Acl -Path $accountPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo remove a problematic \u003cstrong\u003eACE\u003c/strong\u003e from an account, apply the following procedure: (\u003cstrong\u003eNote: Adapt it to your environment.\u003c/strong\u003e). If the filter below matches several ACEs for the same identity, call \u003ccode\u003eRemoveAccessRule\u003c/code\u003e once per ACE (for example in a \u003ccode\u003eforeach\u003c/code\u003e loop) rather than passing the whole array; an ACE that is inherited from a parent OU or container cannot be removed on the account itself and must be fixed on the object it is inherited from.\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $accountPath = \"AD:CN=user-to-fix,CN=Users,DC=DOMAIN,DC=CORP\"\nPS\u0026gt; $aclAccount = Get-Acl -Path $accountPath\nPS\u0026gt; $aceToRemove = $aclAccount.Access | ? 
{ $_.IdentityReference -eq 'DOMAIN\\unpriv' }\nPS\u0026gt; $aclAccount.RemoveAccessRule($aceToRemove)\nPS\u0026gt; $aclAccount | Set-Acl -Path $accountPath\n\u003c/code\u003e\u003c/pre\u003e\n","resources":[{"name":"Using WHfBTools PowerShell module for cleaning up orphaned Windows Hello for Business Keys","url":"https://support.microsoft.com/en-us/topic/using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hello-for-business-keys-779d1f3f-bb2d-c495-0f6b-9aeb940eeafb","type":"hyperlink"},{"name":"Windows Hello for Business","url":"https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/","type":"hyperlink"},{"name":"Windows Hello Cloud Trust","url":"https://syfuhs.net/windows-hello-cloud-trust","type":"hyperlink"},{"name":"Detecting shadow credentials","url":"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/","type":"hyperlink"}]},"resources":[{"name":"Black Hat Europe 2019 - Exploiting Windows Hello for Business","url":"https://www.dsinternals.com/assets/documents/eu-19-Grafnetter-Exploiting-Windows-Hello-for-Business.pdf","type":"hyperlink"},{"name":"Shadow Credentials Abusing Key Trust Account Mapping for Account Takeover","url":"https://eladshamir.com/2021/06/21/Shadow-Credentials.html","type":"hyperlink"},{"name":"Shadow Credentials","url":"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials","type":"hyperlink"},{"name":"Parsing the msDS-KeyCredentialLink value for ShadowCredentials attack","url":"https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/","type":"hyperlink"},{"name":"WHfB and Entra ID - Say hello to your new cache 
flow","url":"https://www.synacktiv.com/publications/whfb-and-entra-id-say-hello-to-your-new-cache-flow.html","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"DSInternals","url":"https://github.com/MichaelGrafnetter/DSInternals","author":"Michael Grafnetter"},{"name":"Whisker","url":"https://github.com/eladshamir/Whisker","author":"Elad Shamir"},{"name":"pywhisker","url":"https://github.com/ShutdownRepo/pywhisker","author":"Charlie Bromberg"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]},{"tactic":"TA0006 - Credential Access","techniques":["T1556 - Modify Authentication Process"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["es_001","zh_TW","fr_FR","ko_KR","de_DE","ja_JP","zh_CN","en_US"],"tvdb_export_source":{"file_name":"diff-202501250200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-SHADOW-CREDENTIALS","created_at":"2025-01-25T02:06:45","updated_at":"2025-01-25T02:06:45"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["es","zh-TW","fr","ko","de","ja","zh-CN","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1556","name":"Modify Authentication Process","url":"https://attack.mitre.org/techniques/T1556/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[59]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-GUEST-ACCOUNT","_score":null,"_source":{"language_code":"en_US","codename":"C-GUEST-ACCOUNT","name":"Enabled Guest Account","id":58,"description":"\u003cp\u003eChecks that the built-in guest account is 
disabled.\u003c/p\u003e\n","criticity":"low","exec_summary":"\u003cp\u003eBy default, the guest account is disabled in Active Directory. Enabling this account introduces security risks by allowing anonymous access to the domain, which threat actors might use to conduct reconnaissance and potentially compromise network integrity by accessing sensitive data and enumerating accounts.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eAs \u003ca href=\"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts#guest-account\"\u003estated by Microsoft\u003c/a\u003e, the guest account is a default account that has limited access to computers of the domain (or locally) and is disabled by default. By default, the guest account password is left blank, which allows this account to be accessed without requiring the user to enter a password.\nEnabling the guest account exposes the network to unauthorized access, granting individuals access to its resources. This can facilitate reconnaissance, which is often the initial phase of an attack.\nAlso, disabling the guest account enhances traceability. 
If individuals use this account, it can obscure their actions, complicating the tracking and understanding of user activity.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Disable the guest account","description":"Do not enable the guest account.","exec_summary":"\u003cp\u003eDisable the guest account to avoid anonymous logins.\u003c/p\u003e\n","detail":"\u003cp\u003eTenable recommends keeping the guest account disabled to prevent anonymous access to the domain, thus aiding in reducing the attack surface.\nYou can disable the guest account in the following ways:\u003c/p\u003e\n\u003ch4\u003eGUI\u003c/h4\u003e\n\u003cp\u003eUsing a graphical user interface (GUI):\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen Active Directory Users and Computers.\u003c/li\u003e\n\u003cli\u003eNavigate to the default location \u003ccode\u003eCN=Users,DC=DOMAIN,DC=CORP\u003c/code\u003e. If you moved it, navigate to the new location.\u003c/li\u003e\n\u003cli\u003eRight-click on the \u003ccode\u003eGuest\u003c/code\u003e account. If you renamed it, right-click on the new name.\u003c/li\u003e\n\u003cli\u003eClick on \"Disable account\".\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003ePowerShell\u003c/h4\u003e\n\u003cp\u003eRun the following \u003ca href=\"https://learn.microsoft.com/en-us/powershell/module/activedirectory/disable-adaccount\"\u003ePowerShell\u003c/a\u003e command. 
If you renamed the account, replace \u003ccode\u003eGuest\u003c/code\u003e with its new name:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-powershell\"\u003eDisable-ADAccount -Identity Guest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNote: If the guest account re-enables itself automatically, check for a Group Policy Object (GPO) with the security policy setting \u003ca href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-guest-account-status\"\u003eAccounts: Guest account status\u003c/a\u003e.\nIf this GPO exists, set it to \u003ccode\u003eDisable\u003c/code\u003e. This Indicator of Exposure checks only for the account status and not the GPO parameter.\u003c/p\u003e\n","resources":[{"name":"Accounts: Guest account status - security policy setting","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-guest-account-status","type":"hyperlink"}]},"resources":[{"name":"Active Directory Security Assessment Checklist - Guest account enabled","url":"https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html#vuln_guest","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1078.001 - Default Accounts"]},{"tactic":"TA0043 - Reconnaissance","techniques":["T1590 - Gather Victim Network Information"]},{"tactic":"TA0043 - Reconnaissance","techniques":["T1595 - Active Scanning"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["fr_FR","de_DE","zh_TW","ja_JP","es_001","ko_KR","zh_CN","en_US"],"tvdb_export_source":{"file_name":"diff-202502071400.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-GUEST-ACCOUNT","created_at":"2025-02-07T14:08:40","updated_at":"2025-02-07T14:08:40"},"severity":"low","type":"ioe","subType":"ad","availableLocales":["fr","de","zh-TW","ja","es","ko","zh-CN","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001/"},"techniques":[{"id":"T1078.001","name":"Default Accounts","url":"https://attack.mitre.org/techniques/T1078/001/"}]},{"tactic":{"id":"TA0043","name":"Reconnaissance","url":"https://attack.mitre.org/tactics/TA0043/"},"techniques":[{"id":"T1590","name":"Gather Victim Network Information","url":"https://attack.mitre.org/techniques/T1590/"}]},{"tactic":{"id":"TA0043","name":"Reconnaissance","url":"https://attack.mitre.org/tactics/TA0043/"},"techniques":[{"id":"T1595","name":"Active Scanning","url":"https://attack.mitre.org/techniques/T1595/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[58]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-MSA-COMPLIANCE","_score":null,"_source":{"language_code":"en_US","codename":"C-MSA-COMPLIANCE","name":"Managed Service Accounts Dangerous Misconfigurations","id":57,"description":"\u003cp\u003eEnsures Managed Service Accounts (MSAs) are deployed and well configured.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eMSAs (Managed Service Accounts) provide a secure way to manage Active Directory service accounts. A MSA has its own complex password which is maintained automatically, as computer accounts do. This feature should be deployed and correctly configured so that no illegitimate user account can compromise them (e.g. 
through \"Kerberoasting\" attacks)\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eA service account, according to Microsoft's definition, is a user account that is created explicitly to provide a security context for services running on Windows operating systems. The security context determines the service's ability to access local and network resources.\u003c/p\u003e\n\u003cp\u003eService accounts, if they are classic domain users, are prone to a well-known attack named Kerberoasting, because service account passwords may be weak and guessed offline by an attacker. The Managed Service Accounts feature addresses this issue, by providing service accounts that are automatically managed and with a strong password.\nDepending on the privileges of a service account, compromising it can lead directly to an Active Directory compromise. Note that service accounts should use the least privileged model and be granted only the rights and permissions they require to run their services, whether it is a classic service account or through a Managed Service Account.\n\u003cbr\u003eIt is also worth noting that Managed Service Accounts have to be correctly configured so that no illegitimate user can elevate their privileges by compromising one of these accounts.\u003c/p\u003e\n\u003cp\u003eIndeed, even if MSAs add an abstraction layer in terms of administrative tasks and enhance service account security, Active Directory administrators have to take care that MSAs are properly configured and that no permissive rights could create an attack path to those accounts.\n\u003cbr\u003eThere are two types of MSAs, standalone (sMSA) and group (gMSA):\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003esMSA (Standalone Managed Service Accounts) are tied to only one computer; they cannot be reused across multiple servers. 
sMSAs provide automatic password management, simplified service principal name (SPN) management and the ability to delegate management to other administrators. The password is managed and renewed by the computer itself and then communicated to a domain controller.\u003c/li\u003e\n\u003cli\u003egMSA (Group Managed Service Accounts) provide the same functionality within the domain as sMSA but also extend that functionality over multiple servers. For a gMSA, the password is computed (and renewed) by a domain controller and requested by computers hosting the gMSA.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eGoals of the IoE\u003c/h4\u003e\n\u003cp\u003eIn this IoE, multiple checks are made to ensure that:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrerequisites are met to install MSAs and use them\u003c/li\u003e\n\u003cli\u003eMSAs exist and are well configured\u003c/li\u003e\n\u003cli\u003eNo control path exists which could lead to a MSA compromise\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth types (sMSA \u0026amp; gMSA) of Managed Service Accounts are supported by this IoE.\u003c/p\u003e\n\u003ch4\u003eAttacks on Group Managed Service Accounts\u003c/h4\u003e\n\u003cp\u003eBecause for gMSAs the password is generated by a domain controller, there is a specific attribute that exists on gMSA objects to store this password (on top of the NTLM and LM hash attributes): the \u003ccode\u003emsDS-ManagedPassword\u003c/code\u003e attribute. Being able to read this attribute (after some decoding) means that it is possible to authenticate as this service account to the resources it has access to. Having the rights to do so is a persistence mechanism in Active Directory.\u003c/p\u003e\n\u003cp\u003eFor normal objects and attributes, a security descriptor is used to determine the ACLs that are configured on an object. 
This specific attribute does not work like other typical attributes and relies upon a dedicated attribute instead: the \u003ccode\u003emsDS-GroupMSAMembership\u003c/code\u003e attribute, which is also formatted as a security descriptor, but specialized. If an attacker is able to write a value inside of this attribute, it is possible to add an entry in the permissions list to allow an account to read the gMSA password. As such, this last attribute is monitored for potential misconfigurations or backdoors.\nThe content of this attribute needs to be validated, as do its permissions, to ensure that no unprivileged account can modify it.\n\u003cbr\u003eAnother attack related to gMSA accounts is \u003ccode\u003eGolden GMSA\u003c/code\u003e. This attack addresses some technical limitations of the previous attack, by being able to directly generate the password of a gMSA, completely offline. It relies on the control of the KDS root key that was used to generate the password of the gMSA.\nThe \u003ccode\u003emsKds-RootKeyData\u003c/code\u003e attribute of a KDS root key contains the cryptographic material that attackers use to generate passwords and is monitored as well.\n\u003cbr\u003eRemark: Regarding this KDS root key check, it can only be done if the T.IE account used to crawl and monitor the Active Directory has access to this attribute. By default, no unprivileged account has the right to read KDS root key attributes, which means that most of the time, this check cannot be executed by the product. Setting permissions to allow the product to have access to this data can be dangerous, because it could allow an elevation of privileges, and is not recommended. 
But if the service account that is used is already a highly privileged account, this check will be performed.\nAs such, KDS root key checks are executed as best-effort, when the necessary information is available.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Deploy and Correct Errors for Managed Service Accounts","description":"The Managed Service Account (MSA) feature is a good security practice when service accounts are required.\n","exec_summary":"\u003cp\u003eService accounts should be configured as Managed Service Accounts (MSAs) and secured properly, to avoid potential elevation of privileges and persistence mechanisms.\u003c/p\u003e\n","detail":"\u003ch4\u003eBenefits of using Managed Service Accounts\u003c/h4\u003e\n\u003cp\u003eOne of the most interesting features that Windows Server 2008R2 introduced is Managed Service Accounts (initially standalone MSAs). This feature allows you to create an account in Active Directory that is tied to a specific set of computers (one or more). That account has its own complex password which is maintained automatically (either by the computer itself or by domain controllers).\nThis means that a MSA can run services on a computer in a secure and easy to maintain manner, while maintaining the capability to connect to network resources in the domain as a specific user principal. MSAs should therefore be preferred when service accounts are required, in particular because having a strong password makes Kerberoasting attacks impractical.\n\u003cbr\u003eHowever MSAs do not protect secrets if the computer hosting the MSA has been compromised. 
Indeed, in order to ensure a proper authentication for service accounts, their passwords are stored locally, in the registry (using a reversible format).\nIf a host is identified as compromised, every account running a service on it (whether classic service account or MSA) should be considered compromised as well, disabled and re-created from scratch.\u003c/p\u003e\n\u003ch4\u003eNo DC having the required OS version for gMSA\u003c/h4\u003e\n\u003cp\u003eTo support both sMSA and gMSA, at least one domain controller of the domain should be updated to Windows Server 2012 or above. There is no specific requirement for the domain functional level and forest functional level.\u003c/p\u003e\n\u003ch4\u003eNo MSA configured for the domain\u003c/h4\u003e\n\u003cp\u003eWhen there is a product that requires a domain service account to run a service on a Windows computer, MSAs should be preferred. In some situations, this is not supported by the product. For this situation, this service account needs to be carefully managed manually. It should have a complex password set, that should be changed regularly. Documentation should exist to reference all those service accounts and what needs to be done for them and when.\u003c/p\u003e\n\u003ch4\u003eMSA with high privileges\u003c/h4\u003e\n\u003cp\u003eMSAs can be installed on all types of domain computers. If a MSA is identified as privileged, it should be validated that the computers using this account are also on the same privileged level. For example, having a MSA that is a member of a privileged group like \"Domain Admins\" does not increase the risks if the targeted computer is a domain controller. 
But if this account is used for other types of servers that are from a lower tier, this becomes a high security risk for the AD environment.\nBe careful about service accounts used for backups or for monitoring computers: they usually have more rights on the domain than they require locally on each computer.\u003c/p\u003e\n\u003cp\u003eThe least amount of privileges should be given to MSAs and there should be as few of them as possible in the privileged groups of the domain. Remove those MSAs from the members of those groups if they are not strictly required.\u003c/p\u003e\n\u003ch4\u003eMSA (with privileges) without AES support\u003c/h4\u003e\n\u003cp\u003eIt is good practice to support the AES encryption algorithm for MSAs. AES support is enabled by default, so if it is missing, this configuration has probably been changed.\nUse PowerShell to revert it to the default correct value. For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject -Identity \"CN=gMSA,CN=Managed Service Accounts,DC=DOMAIN,DC=CORP\" -Replace @{'msDS-SupportedEncryptionTypes'=\"28\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eAccounts able to read the (privileged) gMSA password\u003c/h4\u003e\n\u003cp\u003eThe only accounts that should be able to read a gMSA password are the computers that are using it.\nIf the accounts specified here are legitimate (they cannot be if they are user accounts and not computer accounts), this means that the configuration is not completed and that the \"msDS-HostServiceAccount\" attribute is not set on those computer accounts.\u003c/p\u003e\n\u003cp\u003eUse PowerShell to reset the computers that are able to read this password. You should include all computer names that will use this gMSA, not only the new ones to allow. 
For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADServiceAccount -Identity \"gMSA\" -PrincipalsAllowedToRetrieveManagedPassword \"WIN10$\",\"WIN11$\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor legitimate computer accounts, to complete the configuration on those computers, use the \"Add-ADComputerServiceAccount\" cmdlet for each of them. For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Add-ADComputerServiceAccount -Identity \"WIN10$\" -ServiceAccount \"gMSA\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eUnsafe permissions on MSA account \u0026amp; Unsafe owner for MSA account\u003c/h4\u003e\n\u003cp\u003eYou can make permission modifications through the GUI (ADSI Edit) or by using PowerShell commands.\u003c/p\u003e\n\u003cp\u003eIf you need to reset the \u003cstrong\u003eowner\u003c/strong\u003e of a MSA, the procedure is as follows (\u003cstrong\u003eNote: Adapt this to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $securityPrincipalAccount = \"DOMAIN\\Domain Admins\"\nPS\u0026gt; $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)\nPS\u0026gt; $msaPath = \"AD:CN=gMSA,CN=Managed Service Accounts,DC=DOMAIN,DC=CORP\"\nPS\u0026gt; $msa = Get-Acl -Path $msaPath\nPS\u0026gt; $msa.SetOwner($securityPrincipalObject)\nPS\u0026gt; $msa | Set-Acl -Path $msaPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf you need to remove a problematic \u003cstrong\u003eACE\u003c/strong\u003e from a property set, you can follow the procedure below (\u003cstrong\u003eNote: Adapt this to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $msaPath = \"AD:CN=gMSA,CN=Managed Service Accounts,DC=DOMAIN,DC=CORP\"\nPS\u0026gt; $msa = Get-Acl -Path $msaPath\nPS\u0026gt; $aceToRemove = $msa.Access | ? 
{ $_.ActiveDirectoryRights -eq 'WriteProperty' -and $_.IdentityReference -eq 'DOMAIN\\unpriv' }\nPS\u0026gt; $msa.RemoveAccessRule($aceToRemove)\nPS\u0026gt; $msa | Set-Acl -Path $msaPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eUnsafe permissions on KDS root key \u0026amp; Unsafe owner for KDS root key\u003c/h4\u003e\n\u003cp\u003eUse similar commands as the previous example to change the owner of a KDS root key back to the default one, which is \"Enterprise Admins\", and to remove dangerous ACEs.\u003c/p\u003e\n","resources":[{"name":"Secure group managed service accounts","url":"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-group-managed","type":"hyperlink"},{"name":"How to recover from a Golden gMSA attack","url":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/recover-from-golden-gmsa-attack","type":"hyperlink"}]},"resources":[{"name":"Group Managed Service Accounts Overview","url":"https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview","type":"hyperlink"},{"name":"gMSA Active Directory Attacks","url":"https://www.semperis.com/blog/golden-gmsa-attack/","type":"hyperlink"},{"name":"Retrieving Cleartext GMSA Passwords from Active Directory","url":"https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/","type":"hyperlink"},{"name":"Step-by-Step - How to work with Group Managed Service Accounts (gMSA)","url":"https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-how-to-work-with-group-managed-service-accounts/ba-p/329864","type":"hyperlink"},{"name":"Windows Server 2012 - Group Managed Service 
Accounts","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-server-2012-group-managed-service-accounts/ba-p/255910","type":"hyperlink"}],"applicable_resource_types":["ad_domain_dns","ad_msds_group_managed_service_account","ad_msds_managed_service_account","ad_ms_kds_prov_root_key"],"attacker_known_tools":[{"name":"GoldenGMSA","url":"https://github.com/Semperis/GoldenGMSA","author":"Yuval Gordon"},{"name":"DSInternals","url":"https://github.com/MichaelGrafnetter/DSInternals","author":"Michael Grafnetter"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["zh_TW","fr_FR","es_001","zh_CN","ko_KR","ja_JP","de_DE","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-MSA-COMPLIANCE","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["zh-TW","fr","es","zh-CN","ko","ja","de","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[57]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-AAD-PRIV-SYNC","_score":null,"_source":{"language_code":"en_US","codename":"C-AAD-PRIV-SYNC","name":"Privileged AD User Accounts Synchronized to Microsoft Entra ID","id":56,"description":"\u003cp\u003eChecks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eSynchronizing privileged Active Directory accounts to Microsoft Entra ID poses a risk, enabling attackers to 
pivot from a compromised Entra ID tenant to on-premises Active Directory, facilitating their migration from the cloud.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eActive Directory domain users can be synchronized to an Entra ID tenant, achieving a \"hybrid\" status using either or both of the following tools (\u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync#comparison-between-azure-ad-connect-and-cloud-sync\"\u003ecomparison\u003c/a\u003e):\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-ad-connect-v2\"\u003eMicrosoft Entra Connect Sync\u003c/a\u003e (formerly \"Azure AD Connect\").\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync\"\u003eMicrosoft Entra Cloud Sync\u003c/a\u003e (formerly \"Azure AD Connect Cloud Sync\").\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cbr\u003eBased on \u003ca href=\"https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices#centralize-identity-management\"\u003eMicrosoft identity security best practices\u003c/a\u003e:\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003eDon't synchronize accounts to Microsoft Entra ID that have high privileges in your existing Active Directory instance.\nDon't change the default Microsoft Entra Connect configuration that filters out these accounts. 
This configuration mitigates the risk of attackers pivoting from cloud to on-premises assets (which could create a major incident).\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e\u003cbr\u003eThis vulnerability could allow an attacker to exploit a hybrid account with privileges in AD using techniques such as:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePhishing to steal the Entra ID password, which is identical to the AD password.\u003c/li\u003e\n\u003cli\u003eForcing a password change in Entra ID, triggering synchronization to AD through \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback\"\u003epassword writeback\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe IoE check operates on a \u003cstrong\u003ebest-effort\u003c/strong\u003e basis, relying solely on information available from Active Directory and not from Entra ID. The algorithm is outlined below.\n\u003cbr\u003eMicrosoft Entra Connect uses a \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-design-concepts#sourceanchor\"\u003esourceAnchor\u003c/a\u003e attribute to uniquely identify an object as being the same object in AD and in Entra ID. The attribute is also called \u003ccode\u003eimmutableId\u003c/code\u003e.\n\u003cbr\u003eIn default settings, earlier versions of Microsoft Entra Connect (version 1.1.486.0 from April 2017 and earlier) used \u003ccode\u003eobjectGUID\u003c/code\u003e as the \u003ccode\u003esourceAnchor\u003c/code\u003e attribute. Conversely, newer versions (version 1.1.524.0 from May 2017 and later) default to using \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e as the \u003ccode\u003esourceAnchor\u003c/code\u003e attribute whenever feasible.\n\u003cbr\u003eThis IoE \u003cstrong\u003edetects hybrid accounts by inspecting the populated \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute\u003c/strong\u003e. 
If an alternative attribute acts as the source anchor or encounters permission issues that prevent population, the IoE may overlook hybrid accounts, leading to false negatives. Typically, Entra Connect version 1.1.524.0 from May 2017 and later prefers the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute, but you can specify another attribute during installation. If a third-party tool already uses \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e, the Microsoft Entra Connect wizard defaults to \u003ccode\u003eobjectGUID\u003c/code\u003e as the \u003ccode\u003esourceAnchor\u003c/code\u003e attribute.\nMoreover, Microsoft retired and no longer supports Azure AD Connect V1 on August 31, 2022. Azure AD Connect V2 succeeded it, and later, Microsoft Entra Connect V2 took its place after the Entra ID renaming.\n\u003cbr\u003e\u003cstrong\u003eNote:\u003c/strong\u003e The population of the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute is unlikely for hybrid users with AD privileges. This is because, by default, the Entra Connect / Cloud Sync AD service account lacks the \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-design-concepts#permission-required\"\u003epermission\u003c/a\u003e to write on AD user accounts protected by the AdminSDHolder mechanism (indicated by \u003ccode\u003eadminCount=1\u003c/code\u003e and where inheritance is disabled). Unfortunately, this prevents the IoE from flagging these as deviants, leading to false negatives. 
You can detect this issue by checking for \"\u003ca href=\"https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/troubleshoot-permission-issue-sync-service-manager\"\u003epermission-issue\u003c/a\u003e\" errors in the Entra Connect \"Synchronization Service Manager\" logs.\nThis is not an issue if you \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account#configure-ms-ds-consistency-guid-permissions\"\u003egive more permissions to the service account\u003c/a\u003e by using \u003ccode\u003eSet-ADSyncMsDsConsistencyGuidPermissions\u003c/code\u003e with \u003ccode\u003e-IncludeAdminSdHolders\u003c/code\u003e. However, Tenable does not recommend doing this in any case since these privileged AD user accounts must not be hybrid.\n\u003cbr\u003eAlthough the \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/plan-cloud-sync-topologies#things-to-remember-about-all-scenarios-and-topologies\"\u003eMicrosoft Entra Cloud Sync supported topologies and scenarios\u003c/a\u003e guide states:\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003eThe source anchor for objects is chosen automatically. It uses \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e if present, otherwise ObjectGUID is used.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eTenable did not observe that Entra Cloud Sync populated automatically the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute. This could lead to incomplete results if Entra Cloud Sync is the sole method used to synchronize users to Entra ID. 
In this case, you can safely disable this IoE.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Avoid hybrid synchronization of privileged Active Directory accounts with Entra ID.","description":"Do not synchronize highly privileged Active Directory accounts to Microsoft Entra ID.","exec_summary":"\u003cp\u003eConfigure filtering in Entra Connect / Cloud Sync to exclude privileged Active Directory accounts from synchronization.\u003c/p\u003e\n","detail":"\u003cp\u003eConfigure filtering in either Entra Connect or Entra Cloud Sync as applicable to exclude privileged Active Directory user accounts from synchronization.\nDefault rules automatically ignore certain accounts like \u003ccode\u003ekrbtgt\u003c/code\u003e, \u003ccode\u003eGuest\u003c/code\u003e, \u003ccode\u003eMSOL_...\u003c/code\u003e, and the built-in \u003ccode\u003eAdministrator\u003c/code\u003e. However, other privileged users such as Domain Admins members do not get excluded by default, which poses a security risk when they synchronize to Entra ID. Configure the filtering manually to address this.\n\u003cbr\u003eFollowing best practices, store privileged users in a dedicated Tier-0 Organization Unit (OU). 
Use \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering#organizational-unitbased-filtering\"\u003eorganizational unit-based filtering\u003c/a\u003e in Entra Connect or the \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure#scope-provisioning-to-specific-users-and-groups\"\u003escope provisioning to specific users and groups\u003c/a\u003e method for Entra Cloud Sync to exclude this Tier-0 OU from synchronization.\n\u003cbr\u003eAfter configuring the filtering and removing privileged users from synchronization, clear the value of the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute (indicated in the vulnerability details) to clean the AD object. This ensures that the IoE no longer considers user accounts as hybrid and resolves the deviance(s). Use the following PowerShell command to reset the value of the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute and replace the \"user-to-clean-CN\" with the CN of the applicable user:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Get-ADUser -Filter 'CN -like \"user-to-clean-CN\"' -Properties CN,mS-DS-ConsistencyGuid | Set-ADUser -Clear mS-DS-ConsistencyGuid\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003e\u003cstrong\u003eNote\u003c/strong\u003e: If a privileged user has synchronized at least once, even a long time ago, and if you did not clean the attribute, the IoE generates a deviance because the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute indicates ongoing synchronization.\u003c/p\u003e\n","resources":[{"name":"Azure Identity Management and access control security best practices","url":"https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices#centralize-identity-management","type":"hyperlink"}]},"resources":[{"name":"Azure Identity Management and access control security best 
practices","url":"https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices#centralize-identity-management","type":"hyperlink"},{"name":"Démos d'attaques par rebond en environnement hybride Active Directory-Azure AD (French)","url":"https://www.slideshare.net/IdentityDays/dmos-dattaques-par-rebond-en-environnement-hybride-active-directoryazure-ad","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0006 - Credential Access","techniques":["T1556 - Modify Authentication Process"]},{"tactic":"TA0008 - Lateral Movement","techniques":["T1021 - Remote Services: Cloud Services"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ja_JP","ko_KR","zh_TW","de_DE","zh_CN","es_001","fr_FR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-AAD-PRIV-SYNC","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["ja","ko","zh-TW","de","zh-CN","es","fr","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1556","name":"Modify Authentication Process","url":"https://attack.mitre.org/techniques/T1556/"}]},{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008/"},"techniques":[{"id":"T1021","name":"Remote Services: Cloud 
Services","url":"https://attack.mitre.org/techniques/T1021/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[56]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-AUTH-SILO","_score":null,"_source":{"language_code":"en_US","codename":"C-AUTH-SILO","name":"Privileged Authentication Silo Configuration","id":55,"description":"\u003cp\u003eA step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eProper management of privileged accounts (users and computers) is important for security to limit the risks of a full Active Directory (AD) environment compromise. In the most recent versions of Windows (Windows Server 2012R2+), Microsoft provides features and a technical design to protect adequately such accounts using authentication silos and policies.\nThis Indicator of Exposure aims to assist AD administrators in the implementation of a model designed to protect those highly privileged (i.e. \"Tier-0\") accounts.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eEffective privileged user and computer management is crucial for mitigating risks associated with credential theft. Microsoft introduced an authentication model based on silos a few years ago to confine authentication to a specific set of computers within the same scope as their users. The Tier-0 silo, the most critical one, should exclusively include the highest-privileged accounts in the environment, such as \"Domain Admins\" user members and \"Domain Controllers\" computers in particular.\u003c/p\u003e\n\u003ch4\u003eAuthentication silos and policies\u003c/h4\u003e\n\u003cp\u003eAuthentication silos, as outlined in the \"Logon Restrictions for Privileged Users\" IoE, share the goal of limiting Tier-0 privileged accounts from exposing their credentials on lower-privileged systems (e.g. 
standard servers or workstations). This feature focuses on safeguarding users rather than computers, replacing the older concepts in the \"Logon Restrictions for Privileged Users\" IoE with a more contemporary approach to configuring user authentication restrictions.\n\u003cbr\u003eAuthentication silos leverage various foundational elements, including the Kerberos protocol, claims, authentication policies, conditional ACEs, and Kerberos Armoring. The use of these features requires that domain controllers run version 2012 R2 or later.\n\u003cbr\u003eThe silo implementation aims to offer AD administrators a simpler and more robust solution compared to previous authentication restrictions. The objective is to group Tier-0 users and computers within a shared security context, called a \"silo.\" This ensures that these users can only connect to computers within the same silo, whether through Remote Desktop or traditional interactive sessions.\n\u003cbr\u003eAn additional risk of credential theft involves delegating authentication to a computer outside the designated silo. \nTo address the challenges of securing NTLM authentication fully, it is advisable to opt for the Kerberos protocol. To safeguard Tier-0 administrators against both risks, it is recommended to include them in the \"Protected Users\" group.\n\u003cbr\u003eThe interconnected features essential for this IoE are linked as follows:\nAuthentication silo → (requires) → Authentication policy → (requires) → Claims → (requires) → Kerberos Armoring\n\u003cbr\u003eDelving into the intricacies of these concepts exceeds the scope of this IoE. In summary:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAn authentication silo consists of a collection of computer and user accounts sharing the same security concerns - specifically, privileged objects in our context.\u003c/li\u003e\n\u003cli\u003eAn authentication policy is a set of rules designed to limit authentication in various scenarios. 
Its purpose is to ensure that users within a silo can authenticate exclusively to silo-designated computers.\u003c/li\u003e\n\u003cli\u003eClaims serve as the foundational components that allow silos and authentication policies to work. Simply put, they act like tags on objects, with these tags specified in the authentication policy configuration.\u003c/li\u003e\n\u003cli\u003eKerberos Armoring enhances the Kerberos protocol for improved security by guarding against potential brute-force attacks on user credentials through network traffic access. It also introduces support for claims, enabling their storage in the user's security token.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote: Kerberos Armoring requires configuration on both clients and servers to support silos.\u003c/p\u003e\n\u003ch4\u003ePrerequisite for a Tier-0 authentication silo installation\u003c/h4\u003e\n\u003cp\u003eTo maintain control over the silo and minimize the risk, it's crucial to keep the number of user and computer accounts at a minimum. Before including privileged users in the silo, it's essential to restrict their number by first using the \"Native Administrative Group Members\" IoE.\u003c/p\u003e\n\u003ch4\u003eIoE Objective\u003c/h4\u003e\n\u003cp\u003eThis IoE aims to assist AD administrators in installing and setting up an authentication silo for Tier-0 accounts. Proper configuration is essential to prevent vulnerabilities or gaps in the implementation.\n\u003cbr\u003eThis IoE will address the following questions to ensure that a proper configuration gets implemented:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAre all Tier-0 users in the \"Protected Users\" group? (This prevents NTLM protocol usage, relying solely on Kerberos authentication.)\u003c/li\u003e\n\u003cli\u003eDo all domain controllers have the minimum required OS version to support authentication silos and policies? 
(2012R2 and above)\u003cul\u003e\n\u003cli\u003eNote: Silos on the client side require workstations running Windows 8+ and servers running Windows Server 2012+. Lack of compliance won't pose a security risk but will prevent Tier-0 user authentication. This IoE does not check for this non-compliance, but you should consider compatibility during configuration.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eIs Kerberos Armoring correctly configured on clients and servers? (This confirmation goes through GPO parameter checks.)\u003c/li\u003e\n\u003cli\u003eIs there a configured authentication silo?\u003c/li\u003e\n\u003cli\u003eIs this authentication silo appropriately configured for Tier-0 accounts, as defined by the product?\u003cul\u003e\n\u003cli\u003eTier-0 users within the silo\u003cul\u003e\n\u003cli\u003eAre all domain privileged users in this list? (Tier-0 users should include members of natively privileged AD groups. Those are provided in the deviance details.)\u003c/li\u003e\n\u003cli\u003eAre there any non-validated or unprivileged users present?\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eTier-0 computers within the silo\u003cul\u003e\n\u003cli\u003eAre all domain privileged computers in this list? (By default, the IoE considers only domain controllers as privileged computers. However, various IoE options are available to specify and help identify additional servers that should be considered, such as ADCS, WSUS, Exchange, AD backup servers, etc.)\u003c/li\u003e\n\u003cli\u003eAre there any non-validated or unprivileged computers present?\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eIs the silo's authentication policy configured as intended?\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAs indicated, this IoE follows a step-by-step approach, displaying deviances only for the relevant information needed to proceed with the installation of an authentication silo for Tier-0 accounts. 
\nNew deviances will appear as the IoE completes and validates each step, resolving previous deviances in the process. Upon clearing all deviances, the configuration of the authentication silo for Tier-0 accounts is complete and deemed secure.\u003c/p\u003e\n\u003ch4\u003eImportant security reminder\u003c/h4\u003e\n\u003cp\u003eThis IoE cannot analyze an important security aspect: it can only assess data from AD (LDAP/SYSVOL) and cannot query the local configuration of Tier-0 computers. Thus, manual verification is necessary for a crucial configuration aspect on all Tier-0 silo computers: no other administrators, including Helpdesk teams, should have privileges on these machines. This precaution applies to both Tier-0 workstations and computers created using a master file with a generic local Administrator account. This prevents unauthorized access and potential credential theft of Tier-0 users.\u003c/p\u003e\n\u003ch4\u003eSpecial case for the Administrator account\u003c/h4\u003e\n\u003cp\u003eTreat the built-in \"Administrator\" account (RID = 500) as a break glass account, as Microsoft recommends (verify its usage with the \"Recent Use of the Default Administrator Account\" IoE). Only use it as a last resort when other options fail, and you cannot use other domain administrators, like when there is a lockout due to misconfiguration of an authentication silo. In standard situations, store its password securely, whether in a virtual or physical safe to ensure protection.\n\u003cbr\u003eThis implies that, when placed within a silo, this account won't have the same restrictions as other accounts (i.e., it won't function as expected, and won't prevent authentication on non-Tier-0 computers). As such, it's not necessary to include it within the Tier-0 silo. 
It can serve as a backup mechanism if you lock yourself out of your domain controllers.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Implement a Tier-0 Authentication Silo and Policy","description":"Define the tier model, specifying which systems and users belong to the highest tier. Subsequently, validate the necessary steps for implementing this model practically in Active Directory.\n","exec_summary":"\u003cp\u003eTo enhance security against attackers and malware attempting to steal privileged identities, privileged users should exclusively connect to trusted machines. Employing a \"tier model\" design, particularly focusing on the highest tier (referred to as \"Tier-0\"), implement authentication silos and policies. This ensures that the credentials of privileged users are inaccessible on standard workstations and servers.\u003c/p\u003e\n","detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eAs detailed in this IoE's \"Vulnerability details\" section, the initial step in implementing a Tier-0 authentication silo involves documenting the accounts (users and computers) that need protection within this specific security context.\n\u003cbr\u003eThis IoE assists you by highlighting users inadvertently omitted from the silo. For computers requiring inclusion in the silo, recommendations depend solely on the provided IoE options. 
Various similar \"named\" options offer insights into server types traditionally deemed highly privileged in an AD environment, such as the following:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eADCS servers could be compromised to generate insecure certificates used for authentication to domain controllers (refer to \"ADCS Dangerous Misconfigurations\" IoE).\u003c/li\u003e\n\u003cli\u003eWSUS servers applying updates to domain controllers could be compromised to deploy fake Windows updates (refer to \"WSUS Dangerous Misconfigurations\" IoE).\u003c/li\u003e\n\u003cli\u003eExchange servers lacking AD schema hardening may possess risky permissions at the domain root (refer to \"Root Objects Permissions Allowing DCSync-Like Attacks\" IoE).\u003c/li\u003e\n\u003cli\u003eetc.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAllocate time to identify Tier-0 servers carefully. Insufficient system specifications could expose AD to attack paths, while excessive inclusion in the silo might compromise security and visibility. It's advisable to begin conservatively, including only evident privileged servers, and gradually add more servers when there's a pivot path that could compromise the AD or existing silo servers.\n\u003cbr\u003e\u003cbr\u003eThe following sections detail the sequence of deviances that this IoE triggers, offering a step-by-step guide for Tier-0 authentication silo installation. Administrators familiar with configuring authentication silos and policies may opt out of following this procedure. \nNote that the product GUI will present sequentially the interdependent steps, while a deviance will indicate actions that can take place concurrently.\u003c/p\u003e\n\u003ch4\u003e1. Unprotected Tier-0 user account\u003c/h4\u003e\n\u003cp\u003ePrivileged users within a Tier-0 silo should exclusively use the Kerberos protocol, avoiding the NTLM protocol. 
Additionally, be cautious of potential risks associated with the delegation of authentication for these accounts.\nTo mitigate both potential issues, it's advisable to include these users in the \"Protected Users\" group. Refer to the dedicated IoE \"Protected Users Group Not Used\" for more information on this group and the implications of adding members to it.\n\u003cbr\u003eNote: If necessary, you can disable this check using an option if it does not apply to your situation.\n\u003cbr\u003eFor example, use the following command in PowerShell to add a specific user to the \"Protected Users\" group:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Add-ADGroupMember -Identity \"Protected Users\" -Members \"adm-t0\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003e2. DCs not up-to-date\u003c/h4\u003e\n\u003cp\u003eTo support authentication silos and their technical dependencies, domain controllers must be \"Windows Server 2012R2\" or later (the required version on the server side). Ensure that you update all domain controllers before configuration.\u003c/p\u003e\n\u003ch4\u003e3a. Client-side misconfiguration\u003c/h4\u003e\n\u003cp\u003eOn the client side, configure a GPO to enable support for claims, compound authentication, and Kerberos armoring. Link this GPO to the containers of servers and workstations in the Tier-0 silo to ensure Tier-0 users can authenticate to them. While it's not a security risk if the GPO is not linked and applied, it may cause authentication issues after creating the silo.\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Create or use an existing GPO and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\Kerberos\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eKerberos client support for claims, compound authentication and Kerberos armoring\u003c/em\u003e and select \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNote: Remember to link this GPO also to Tier-0 workstations and domain controllers.\u003c/p\u003e\n\u003ch4\u003e3b. Unenforced Kerberos Armoring\u003c/h4\u003e\n\u003cp\u003eThe existing client-side GPO configuration is sufficient for meeting requirements. However, for enhanced security, consider enforcing, rather than requesting, Kerberos armoring. This minimizes the risk of attackers intercepting network traffic and retrieving credentials.\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Create or use the previously created client-side GPO and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\Kerberos\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eFail authentication requests when Kerberos armoring is not available\u003c/em\u003e and select \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eWith these two parameters set, Tier-0 users can authenticate to those computers after the GPO goes into effect (this may take some time and might require a reboot).\u003c/p\u003e\n\u003ch4\u003e3c. 
Server-side misconfiguration\u003c/h4\u003e\n\u003cp\u003eOn the server side, you must configure domain controllers to support the prerequisites of the authentication silo.\nTo do this, link a GPO to the default domain controllers container (or other organizational units if DCs have moved).\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Create or use an existing GPO (not the previously created client-side one) and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\KDC\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eKDC support for claims, compound authentication and Kerberos armoring\u003c/em\u003e, select \u003cem\u003eEnabled\u003c/em\u003e, and set the option \u003cem\u003eClaims, compound authentication for Dynamic Access Control and Kerberos armoring options:\u003c/em\u003e to \u003cem\u003eSupported\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eOnce a domain controller applies this GPO, it makes a change to the \"krbtgt\" account. The IoE validates these changes on the account, and resolution occurs upon detection.\u003c/p\u003e\n\u003ch4\u003e4. Authentication silo misconfiguration\u003c/h4\u003e\n\u003cp\u003eThe silo configuration comprises multiple small steps indicated by checkboxes in the deviance. 
These changes can occur in any order, and Microsoft's documentation, detailed in the links below the \"Documents\" section, provides exhaustive information on the implementation details.\n\u003cbr\u003eThe \"Active Directory Administrative Center\" is a convenient tool for creating the authentication silo and its associated policy.\nAccess the configuration through the left panel, under the \"Authentication\" category within the \"Authentication Policies\" and \"Authentication Policy Silos\" sub-categories.\n\u003cbr\u003eBegin by creating the Tier-0 authentication policy first, enabling direct referencing inside the Tier-0 silo. Initially, configure both as \"Only audit policy restrictions\" and \"Only audit silo policies\" to create an initial version of the Tier-0 silo. This setting allows you to view Windows event logs to understand the impact before enforcing the configuration.\nOnce you're ready, the reasons below will provide additional assistance to ensure the correct computers and users get included in the silo. Those further checks can only be executed after every step described here has been completed.\u003c/p\u003e\n\u003ch4\u003e5a. Unreferenced privileged user\u003c/h4\u003e\n\u003cp\u003eThe following reasons offer context on which user and computer accounts to include in the Tier-0 silo and also indicate which accounts to exclude.\n\u003cbr\u003eThis initial topic concerns the importance of having a comprehensive list of user accounts within the Tier-0 silo. Every user account identified as privileged (as explained in detail in the \"Native Administrative Group Members\" IoE) should go inside the silo.\nIf the check returns a list of users that is too extensive, it indicates the need to reduce the number of privileged users beforehand.\n\u003cbr\u003eThe resolution for this reason can only occur after you add every privileged user account to the silo (in the \"Permitted Accounts\" section of the silo configuration). 
This may require creating new administrative user accounts for managing non-sensitive resources.\u003c/p\u003e\n\u003ch4\u003e5b. Unassigned privileged user\u003c/h4\u003e\n\u003cp\u003eThe second necessary step to include a user in the silo is to assign the user to it. The first step is to \"reference,\" and the second step is to \"assign.\"\n\u003cbr\u003eDo this individually for each user by double-clicking on each account, navigating to the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section, selecting the \u003cem\u003eAssign Authentication Policy Silo\u003c/em\u003e checkbox, and choosing the Tier-0 silo by its name in the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section.\u003c/p\u003e\n\u003ch4\u003e5c. Unprivileged user referenced\u003c/h4\u003e\n\u003cp\u003eTo maintain the Tier-0 silo as restricted and minimal as possible, include only the essential privileged user accounts. Remove non-privileged user accounts that should not be part of this silo. If validated and necessary, you can exempt them through the dedicated IoE option.\u003c/p\u003e\n\u003ch4\u003e5d. Unreferenced privileged computer\u003c/h4\u003e\n\u003cp\u003eLike user accounts, include computer accounts in the Tier-0 silo. Unlike for user accounts, the IoE cannot automatically calculate and suggest privileged computers to facilitate configuration. However, use multiple options to identify servers and workstations to include in this Tier-0 silo.\u003c/p\u003e\n\u003ch4\u003e5e. Unassigned privileged computer\u003c/h4\u003e\n\u003cp\u003eAfter referencing computer accounts, you must also assign them within the Tier-0 silo.\nTo do this, double-click on each computer and navigate to the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section. Select the \u003cem\u003eAssign Authentication Policy Silo\u003c/em\u003e checkbox and choose the Tier-0 silo by its name in the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section.\u003c/p\u003e\n\u003ch4\u003e5f. 
Unprivileged computer referenced\u003c/h4\u003e\n\u003cp\u003eLike the user configuration, the Tier-0 silo should only contain privileged computers.\nIf these are not validated, remove them from the \"Permitted Accounts\" section. If accepted, add their organizational units through the dedicated options.\u003c/p\u003e\n\u003ch4\u003e6. Authentication policy misconfiguration\u003c/h4\u003e\n\u003cp\u003eConfigure the authentication policy associated with the Tier-0 silo with a condition that restricts user accounts to authenticating only to computers within the silo. Without this restriction, users' credentials are unprotected and can get compromised on lower-tier computers if administrators authenticate there.\n\u003cbr\u003eTo do this, go to the authentication policy configuration and navigate to the \u003cem\u003eUser Sign On\u003c/em\u003e section. Under \u003cem\u003eClick Edit to define conditions\u003c/em\u003e, create the following condition: \u003cem\u003e(User.AuthenticationSilo Equals \"T0-Silo\")\u003c/em\u003e (adapt the name of the Tier-0 silo accordingly).\u003c/p\u003e\n\u003ch4\u003e7. 
Multiple uses of the authentication policy\u003c/h4\u003e\n\u003cp\u003eMicrosoft provides two methods for specifying an authentication policy for an account:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBy being a member of a silo.\u003c/li\u003e\n\u003cli\u003eAlternatively, by manually assigning an authentication policy to the account, outside of a silo.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAssigning an authentication policy directly to an account (outside of the silo configuration) is not a recommended practice as it complicates the management of both the silo and its policy.\n\u003cbr\u003eTo manually remove an account associated with the authentication policy of a Tier-0 silo, go to the authentication policy configuration and remove every account specified in the \u003cem\u003eAccounts\u003c/em\u003e section.\u003c/p\u003e\n","resources":[{"name":"Authentication Policies and Authentication Silos - Restricting Domain Controller Access","url":"https://social.technet.microsoft.com/wiki/contents/articles/26945.authentication-policies-and-authentication-silos-restricting-domain-controller-access.aspx","type":"hyperlink"},{"name":"Protecting Domain Administrative Credentials","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/protecting-domain-administrative-credentials/ba-p/259210","type":"hyperlink"}]},"resources":[{"name":"Authentication Policies and Authentication Policy Silos","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)","type":"hyperlink"},{"name":"L'administration en silo (french reference whitepaper)","url":"https://www.sstic.org/2017/presentation/administration_en_silo/","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_user","ad_sysvol_pol","ad_domain_dns","ad_msds_auth_n_policy_silo"],"attacker_known_tools":[],"category_id":1,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid 
Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ko_KR","es_001","zh_CN","de_DE","ja_JP","fr_FR","zh_TW","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-AUTH-SILO","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["ko","es","zh-CN","de","ja","fr","zh-TW","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[55]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DYNAMIC-UPDATES","_score":null,"_source":{"language_code":"en_US","codename":"C-DYNAMIC-UPDATES","name":"Unsecure Dynamic DNS Zone Updates Allowed","id":54,"description":"\u003cp\u003eChecks that the DNS server configuration disallows unsecure dynamic DNS zone updates.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eConfiguring a dynamic DNS zone with unsecure updates can lead to unauthenticated editing of DNS records, making them vulnerable to rogue DNS records.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe Domain Name System (DNS) functions as a hierarchical and distributed naming system actively mapping a hostname to one or multiple IP addresses. Reciprocally, it can perform reverse lookup, converting an IP address to its corresponding hostname. 
Domain controllers typically host the DNS role, with DNS records configured to be replicated across them.\nIn addition to the traditional DNS service, DNS information is stored in Active Directory, known as AD Integrated DNS (ADIDNS), and is accessible through the LDAP protocol.\nDynamic DNS (DDNS) operates as a real-time service, automatically updating DNS records. This functionality facilitates accessibility to devices with dynamic IP addresses by maintaining a consistent hostname. DDNS clients, running on devices (typically Windows OS), actively update DNS records in response to changes in their IP addresses. This seamless process allows users to reach their devices consistently through a fixed hostname, thereby enhancing remote connectivity.\n\u003cbr\u003eThis Indicator of Exposure identifies unsecure configuration of dynamic DNS zone updates.\u003c/p\u003e\n\u003ch4\u003eUnsecure dynamic DNS zone updates setting\u003c/h4\u003e\n\u003cp\u003eBy default, Active Directory is optimally configured, permitting dynamic DNS zone updates securely through the designated setting: \"Secure only\". Nevertheless, it is possible to modify this configuration to either \"None\" or \"Nonsecure and secure\".\nDisabling this feature entirely poses no inherent risk. By default, certain zones related to Active Directory do not have the dynamic mode enabled, but this is not a problem (e.g., DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=tenable,DC=com). However, if the setting changes to \"Nonsecure and secure\", it means that the addition, editing, or deletion of DNS records can occur without requiring authentication. The consequences of such an unsecured configuration for an attacker include:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDeleting an existing record and blocking the business.\u003c/li\u003e\n\u003cli\u003eUpdating an existing record to allow impersonating a machine as another one. 
If the network uses IP filters, an attacker might abuse them in this situation.\u003c/li\u003e\n\u003cli\u003eCreating new records and flooding the DNS server.\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Set Dynamic DNS Zone Updates Setting to \"Secure only\", or Disable Dynamic Mode","description":"Set dynamic DNS zone updates setting to \"Secure only\", or disable dynamic mode.","exec_summary":"\u003cp\u003eMisconfiguration of dynamic DNS zone updates can significantly impact the security of the Active Directory. Hence, it is crucial either to use dynamic updates in a secure manner, or not use them at all.\u003c/p\u003e\n","detail":"\u003ch4\u003eSet dynamic DNS zone updates setting to \"Secure only\", or disable dynamic mode\u003c/h4\u003e\n\u003cp\u003eBy using the secure mode only, devices must be authenticated to add and/or update records. If you are using \"Nonsecure and secure\" mode, perhaps some devices are doing updates without being authenticated. This should be evaluated before doing the change.\nYou can perform this remediation graphically with the DNS RSAT tool, or in console with the \u003ccode\u003ednscmd\u003c/code\u003e utility.\u003c/p\u003e\n\u003ch2\u003eDNS RSAT (GUI)\u003c/h2\u003e\n\u003cp\u003eOpen the \"Server Manager\" and proceed as follows:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOn the top menu bar, click \"Tools\", then \"DNS\".\u003c/li\u003e\n\u003cli\u003eNavigate through the DNS server to \"Forward Lookup Zones\", which shows a zone with the domain name.\u003c/li\u003e\n\u003cli\u003eRight-click the domain name and select \"Properties\".\u003c/li\u003e\n\u003cli\u003eIn the \"General Tab\", under \"Dynamic updates\", change the value from \"Nonsecure and secure\" to \"Secure only\" to resolve the deviance. 
Note: The value \"None\" means that dynamic DNS updates are disabled, and does not cause concern.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2\u003ednscmd\u003c/h2\u003e\n\u003cp\u003eExecute the following command to reconfigure DNS zones to allow only secure updates:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ednscmd \u0026lt;servername\u0026gt; /Config \u0026lt;zone\u0026gt; /AllowUpdate 2\n#### example: dnscmd 127.0.0.1 /Config ad.tenable.com /AllowUpdate 2\n\u003c/code\u003e\u003c/pre\u003e\n","resources":[{"name":"Dnscmd","url":"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd","type":"hyperlink"}]},"resources":[{"name":"Active Directory Security Assessment Checklist - Misconfigured DNS zones","url":"https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html#vuln_dnszone_bad_prop","type":"hyperlink"},{"name":"[MS-DNSP]: Domain Name Service (DNS) Server Management Protocol","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/f97756c9-3783-428b-9451-b376f877319a","type":"hyperlink"},{"name":"Active Directory-Integrated DNS Zones","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones","type":"hyperlink"},{"name":"Dynamic update","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784052(v=ws.10)","type":"hyperlink"},{"name":"Understanding Dynamic Update","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771255(v=ws.11)","type":"hyperlink"},{"name":"Dynamic Update and Secure Dynamic Update","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959275(v=technet.10)","type":"hyperlink"},{"name":"Beyond LLMNR/NBNS Spoofing - Exploiting Active Directory-Integrated DNS","url":"https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/","type":"hyperlink"},{"name":"ADIDNS Revisited - 
WPAD, GQBL, and More","url":"https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/","type":"hyperlink"}],"applicable_resource_types":["ad_dns_zone"],"attacker_known_tools":[{"name":"Powermad","url":"https://github.com/Kevin-Robertson/Powermad#adidns-functions","author":"Kevin Robertson"}],"category_id":4,"mitre_attacks":[{"tactic":"TA0006 - Credential Access","techniques":["T1557 - Adversary-in-the-Middle"]},{"tactic":"TA0042 - Resource Development","techniques":["T1584 - Compromise Infrastructure"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["es_001","fr_FR","zh_TW","de_DE","zh_CN","ko_KR","ja_JP","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DYNAMIC-UPDATES","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["es","fr","zh-TW","de","zh-CN","ko","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1557","name":"Adversary-in-the-Middle","url":"https://attack.mitre.org/techniques/T1557/"}]},{"tactic":{"id":"TA0042","name":"Resource Development","url":"https://attack.mitre.org/tactics/TA0042/"},"techniques":[{"id":"T1584","name":"Compromise Infrastructure","url":"https://attack.mitre.org/techniques/T1584/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[54]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-WSUS-HARDENING","_score":null,"_source":{"language_code":"en_US","codename":"C-WSUS-HARDENING","name":"WSUS Dangerous Misconfigurations","id":53,"description":"\u003cp\u003eLists the misconfigured parameters related to Windows Server Update Services (WSUS).\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eWindows Server Update Services (WSUS) is the 
Microsoft product that deploys Windows updates to workstations and servers.\nMisconfigurations of WSUS settings can lead to an elevation to administrator privileges from a standard account.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eWSUS enables IT administrators to deploy the latest Microsoft product updates, which they download from Microsoft's update servers and store locally on the WSUS server. At this point, administrators can approve the updates for deployment to their internal clients. Windows clients (workstations and servers) can check the local WSUS server for approved updates to download and install, and then report back to the WSUS server with successful update installations. This allows administrators to ensure that the necessary updates are in place. Given that WSUS is designed to install software and patches on a large number of operating systems, it is clear that a misuse of its intended functionality could pose a serious threat to network security.\n\u003cbr\u003eCorporations often choose multiple types of network architectures, and they usually have multiple WSUS servers that replicate changes from a single upstream server connected to the Microsoft public WSUS server.\nNetwork isolation is crucial for security, as attackers can use the attack methods described below. Choosing the wrong scope for WSUS server updates deployment, such as using the same reference WSUS server for isolated forests, can provide attackers with a means to spread to another environment entirely separate from the one they already compromised.\n\u003cbr\u003eThe paradox of a WSUS server, intended for protection through security updates, can, in reality, lead to escalate privileges due to its centralized role, and potentially undermine network silos. 
As a result, administrators should treat WSUS servers as a Tier 0 asset (equivalent in sensitivity to a Domain Controller) and ensure that only privileged accounts can authenticate to them.\n\u003cbr\u003eCompromising a WSUS server enables an attacker to propagate a malicious patch that runs as the built-in identity SYSTEM on WSUS clients. In a WSUS exploitation, two main scenarios exist:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eMan-in-the-Middle (MitM) attack between a WSUS server and a client\u003c/li\u003e\n\u003cli\u003eDirect compromise of a WSUS server\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cbr\u003eIn the Man-in-the-Middle case, an attacker uses a MitM approach to inject a malicious update into the network connection between a client and a server. To do this, the attacker must intercept HTTP traffic between these two entities, using common methods like Web Proxy Auto-Discovery (WPAD) protocol usage or Address Resolution Protocol (ARP) poisoning when the attacker is on the same network segment. Before Windows 10 version 1607, a non-privileged user could configure a user proxy as a fallback to the system proxy, allowing an attacker to reroute machine traffic. At present, platforms only use the system proxy if configured during update scanning, but it's possible to disable this setting via a GPO.\n\u003cbr\u003eTherefore, it's important to prevent such attacks by enforcing HTTPS and certificate pinning when communicating with the WSUS server. The system applies WSUS store certificates by default to counter HTTPS-intercepting proxy attacks, but a GPO can disable this pinning mechanism.\n\u003cbr\u003eThe second attack, a direct compromise, involves infiltrating a WSUS server (via CVE or an attack path). 
Such infiltration would enable an attacker to insert a malicious payload into the underlying database and distribute it to the clients.\n\u003cbr\u003eIn conclusion, to minimize risks, this Indicator of Exposure checks the following settings for potential misconfigurations:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eEnsuring the user proxy, used as a fallback for update detection, remains disabled.\u003c/li\u003e\n\u003cli\u003eVerifying the use of an encrypted protocol (HTTPS) rather than HTTP for both the main and alternate WSUS servers.\u003c/li\u003e\n\u003cli\u003eConfirming that certificate pinning remains enabled.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBy default, these settings apply correct configurations and do not require modification unless they use wrong values.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Correct Errors in WSUS Configuration","description":"To limit the risks of full AD compromise, you should address and rectify WSUS misconfigurations.\n","exec_summary":"\u003cp\u003eCertain Microsoft WSUS parameters can have a significant security impact on the entire Active Directory and therefore require careful configuration.\u003c/p\u003e\n","detail":"\u003cp\u003eTo minimize the risk of tampering with WSUS updates, you must configure properly certain settings for WSUS servers.\n\u003cbr\u003eStart by ensuring that the WSUS application uses SSL to encrypt traffic. This prevents any potential attackers on the network from executing commands on remote systems that request updates. Microsoft offers a comprehensive guide on generating a dedicated certificate and installing it on the WSUS server. 
You can also use a PKI like ADCS to generate certificates for multiple WSUS servers.\nOnce you've created and installed the certificate, update the GPO that specifies the WSUS server for update retrieval to apply the HTTPS protocol instead of HTTP.\n\u003cbr\u003eTo change the value with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eLaunch the Group Policy Management Console. Right-click the GPO that contains the setting you want to change and select \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder, and navigate to \u003cem\u003eAdministrative Templates\\Windows Components\\Windows Update\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eSpecify intranet Microsoft update service location\u003c/em\u003e and input the URL of WSUS using the HTTPS protocol in the box below the labels \u003cem\u003eSet the intranet update service for detecting updates\u003c/em\u003e and \u003cem\u003eSet the alternate download server\u003c/em\u003e (if appropriate).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAlso, if certificate pinning was disabled explicitly, re-enable it to harden the SSL tunnel.\nIn the same category as above, ensure that the checkbox next to \u003cem\u003eDo not enforce TLS certificate pinning for Windows Update client for detecting updates\u003c/em\u003e remains unchecked.\n\u003cbr\u003eFinally, the user proxy must not be an available option, even as a fallback mechanism, to download updates from WSUS.\nIn the same category as above, under \u003cem\u003eSelect the proxy behavior for Windows Update client for detecting updates\u003c/em\u003e, select the option \u003cem\u003eOnly use system proxy for detecting updates (default)\u003c/em\u003e.\u003c/p\u003e\n","resources":[{"name":"Configure a software update point to use TLS/SSL with a PKI 
certificate","url":"https://learn.microsoft.com/en-us/mem/configmgr/sum/get-started/software-update-point-ssl","type":"hyperlink"},{"name":"Manage additional Windows Update settings","url":"https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings","type":"hyperlink"},{"name":"Scan changes and certificates add security for Windows devices using WSUS for updates","url":"https://techcommunity.microsoft.com/t5/windows-it-pro-blog/scan-changes-and-certificates-add-security-for-windows-devices/ba-p/2053668","type":"hyperlink"},{"name":"WSUSpendu - Recommendations (p29)","url":"https://www.blackhat.com/docs/us-17/wednesday/us-17-Coltel-WSUSpendu-Use-WSUS-To-Hang-Its-Clients-wp.pdf","type":"hyperlink"}]},"resources":[{"name":"Introducing SharpWSUS","url":"https://labs.nettitude.com/blog/introducing-sharpwsus/","type":"hyperlink"},{"name":"WSUSpendu - Injecting a new update (p17)","url":"https://www.blackhat.com/docs/us-17/wednesday/us-17-Coltel-WSUSpendu-Use-WSUS-To-Hang-Its-Clients-wp.pdf","type":"hyperlink"}],"applicable_resource_types":["ad_sysvol_pol"],"attacker_known_tools":[{"name":"WSUSpect Proxy","url":"https://github.com/ctxis/wsuspect-proxy","author":"Paul Stone, Alex Chapman"},{"name":"WSUSpendu","url":"https://github.com/tenable/WSUSpendu","author":"Romain Coltel, Yves Le Provost"}],"category_id":1,"mitre_attacks":[{"tactic":"TA0006 - Credential Access","techniques":["T1557 - Adversary-in-the-Middle"]},{"tactic":"TA0008 - Lateral Movement","techniques":["T1072 - Software Deployment Tools"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["zh_TW","ja_JP","fr_FR","zh_CN","de_DE","es_001","ko_KR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-WSUS-HARDENING","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["zh-TW","ja","fr","zh-CN","de","es","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1557","name":"Adversary-in-the-Middle","url":"https://attack.mitre.org/techniques/T1557/"}]},{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008/"},"techniques":[{"id":"T1072","name":"Software Deployment Tools","url":"https://attack.mitre.org/techniques/T1072/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[53]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PROP-SET-SANITY","_score":null,"_source":{"language_code":"en_US","codename":"C-PROP-SET-SANITY","name":"Property Sets Integrity","id":52,"description":"\u003cp\u003eChecks for the integrity of property sets and validates permissions\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003e\"Property Set\" is a Microsoft Active Directory (AD) feature that facilitates the creation of permissions (Access Control List - ACL) for AD objects and enhances system performance. 
It serves as a mechanism for consolidating multiple attributes within an AD entity, which allows the system to reference them collectively within ACLs, rather than having to reference individual attributes separately.\n\u003cbr\u003eThis Indicator of Exposure aims to ensure that there are no misconfigurations or backdoors from malicious actors present in this type of object and the attributes within the AD schema.\nCurrently, there are no known public attack vectors associated with the use of property sets. Therefore, you should focus primarily on addressing misconfigurations or peculiarities stemming from third-party products that use this feature.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eMicrosoft's AD introduced the property sets concept to simplify Access Control Lists (ACL) management. This approach allows the declaration of a single Access Control Entry (ACE) for a property set instead of multiple entries for its underlying attributes.\u003c/p\u003e\n\u003cp\u003eA property set is related to one or multiple attributes, although technically, it is each attribute that can be associated to a single property set.\n\u003cbr\u003eThere are two locations for information related to property sets: the configuration partition (in the \"CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" container) and the schema partition.\n\u003cbr\u003eObjects from the \"controlAccessRight\" class in the configuration partition represent property sets. This class serves multiple purposes, encompassing \"Validated Writes\", \"Property Sets\" and \"Extended Rights\". Although this IoE focuses primarily on property sets, it conducts comprehensive integrity checks to provide more extensive information.\nIn defining the \"blueprints\" of AD objects, the schema partition plays a vital role. It specifies various classes and attributes objects that AD encompasses. 
Notably, the storage of information concerning the property set to which an attribute belongs is not within the property set attributes but rather in the \"attributeSchema\" object itself.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eThis IoE performs multiple checks related to property sets, as follows:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eVerification of the installation of the latest AD schema before examining data integrity. This initial step is crucial because Microsoft updates the schema when it encounters design issues within this AD schema, such as the critical topic of sane default ACLs.\u003c/li\u003e\n\u003cli\u003eValidation of the integrity of default property sets by cross-checking the \"appliesTo\" and \"rightsGuid\" attributes, and comparing their current values with those configured in the latest default AD schema.\u003cul\u003e\n\u003cli\u003eThe \"rightsGuid\" attribute serves as a reference for the property set in ACLs and by an AD attribute.\u003c/li\u003e\n\u003cli\u003eThe \"appliesTo\" attribute designates the object types eligible for the application of a property set. An empty value impacts all objects having this attribute. 
For an exploitation scenario, this usually requires the modification of the \"rightsGuid\" attribute as well.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eValidation of the integrity of default AD schema attributes by comparing the current values of the attributes \"attributeSecurityGUID\" and \"schemaIDGUID\" with those configured in the latest default AD schema.\u003cul\u003e\n\u003cli\u003eThe \"attributeSecurityGUID\" attribute indicates the property set to which an attribute belongs; an empty value implies it doesn't belong to any property set.\u003c/li\u003e\n\u003cli\u003eThe \"schemaIDGUID\" attribute is the GUID that security descriptors (ACLs) can reference.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eValidation of permissions on both property sets and AD schema attribute objects to ensure that no unprivileged account can modify or access these objects. It also thoroughly validates their specific attributes described before.\u003c/li\u003e\n\u003cli\u003eChecking if there is a custom property set defined and validating its legitimacy, which may result from a schema extension implemented by a third-party product.\u003c/li\u003e\n\u003cli\u003eChecking and validating that a custom property set is defined and that there is no sensitive attribute configured within it. Misconfigurations here could potentially lead to an indirect elevation of privileges on the AD, even if this is difficult to carry out.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cbr\u003eIt's essential to highlight that, by default, Microsoft does not introduce design flaws on an updated Active Directory schema, either in existing permissions or in the initial configuration of property sets. 
Consequently, some deviances from this IOE can result from third-party product installations or custom configurations, such as those implemented by an attacker.\u003c/p\u003e\n\u003cp\u003eThis means that attackers seeking to exploit property sets to introduce backdoors into AD must not only include a dangerous or sensitive attribute within a property set, but they also must strategically apply explicit ACLs to AD objects.\n\u003cbr\u003eTo reduce the likelihood of encountering deviances for known products and their custom property sets, the IoE includes the latest versions of Microsoft products that perform schema extensions, notably:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWindows -new- LAPS (introduced in 2023)\u003c/li\u003e\n\u003cli\u003eMicrosoft -legacy- LAPS\u003c/li\u003e\n\u003cli\u003eExchange\u003c/li\u003e\n\u003cli\u003eSkype for Business\u003c/li\u003e\n\u003cli\u003eSystem Center (no property set was added)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe IoE provides a dedicated option to specify the presence of a custom property set in the environment. However, you still must validate that any modifications from a third-party product align with security best practices, including member attributes, permissions settings, and more.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Analyze and Remediate Risks in Property Sets Configuration","description":"To mitigate the risks associated with potential privilege escalation or backdoor installation by attackers, you should thoroughly assess and correct the configuration of property sets.\n","exec_summary":"\u003cp\u003eMisconfigurations of property sets can significantly impact the security of the Active Directory. 
Hence, it is crucial to provide them with attention and supervision.\u003c/p\u003e\n","detail":"\u003cp\u003e\u003cstrong\u003e⚠️IMPORTANT NOTE (DISCLAIMER)⚠️\u003c/strong\u003e\n\u003cbr\u003e\u003cstrong\u003eThe issues addressed in this IoE pertain to a complex topic that can have significant implications for the Active Directory (AD) if mishandled. It is advisable not to attempt fixes unless you are comfortable making manual changes to the AD schema. If you lack confidence in this regard, it is best to seek assistance from a partner with a recognized AD expertise to validate your proposed changes.\nPlease note that the commands provided below are without any guarantee by Tenable, and are merely illustrative examples that you must customize to suit your specific requirements. Additionally, it is of utmost importance to ensure flawless replication between domain controllers before proceeding with schema alterations. Lastly, it is advisable to conduct prior thorough testing in a non-production environment.\u003c/strong\u003e\u003c/p\u003e\n\u003ch4\u003eUpdate the AD schema with the latest version\u003c/h4\u003e\n\u003cp\u003eTo enable full IoE analysis, ensure that you applied the latest AD schema updates. If needed, follow Microsoft's documentation and a community best-practices guide (cf. resources section), using the adprep tool from a recent Windows Server ISO. 
Exercise care when executing these commands, as with any AD schema modifications.\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eadprep.exe /forestprep\nadprep.exe /domainprep\nadprep.exe /domainprep /gpprep\nadprep.exe /rodcprep\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003eBefore implementing any changes in your production environment, it's advisable to conduct testing within your test environment.\u003c/p\u003e\n\u003ch4\u003eValidate then reset sensitive attributes in a default property set\u003c/h4\u003e\n\u003cp\u003eUse PowerShell to fix an incorrect attribute set for a property set (\"appliesTo\" or \"rightsGuid\" attributes). For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject -Identity \"CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" -Replace @{'rightsGuid'=\"E45795B3-9455-11d1-AEBD-0000F80367C1\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYou should first verify the \"expected value\" provided in the deviance details for the modified attribute to avoid potential issues with existing references to this property set.\u003c/p\u003e\n\u003ch4\u003eValidate then reset sensitive attributes in a default AD schema attribute\u003c/h4\u003e\n\u003cp\u003eUse PowerShell to fix an incorrect attribute set for an AD schema attribute (\"attributeSecurityGUID\" or \"schemaIDGUID\" attributes). For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject -Identity \"CN=WWW-Page-Other,CN=Schema,CN=Configuration,DC=DOMAIN,DC=CORP\" -Replace @{'attributeSecurityGUID'=\"e45795b3-9455-11d1-aebd-0000f80367c1\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIn the deviance details for the modified attribute, you should first verify the \"expected value\" to prevent potential issues (such as losing its association with the property set or existing ACL references). 
If you accept this change, you should then add this schema attribute to the allow list in the dedicated option. In the case of the PowerShell example, it would be \"WWW-Page-Other\".\u003c/p\u003e\n\u003ch4\u003eFix dangerous permissions set on property sets and schema attributes\u003c/h4\u003e\n\u003cp\u003eYou can make permission modifications through the GUI (ADSI Edit) or by using PowerShell commands.\u003c/p\u003e\n\u003cp\u003eIf you need to reset the \u003cstrong\u003eowner\u003c/strong\u003e of a property set, the procedure is as follows (\u003cstrong\u003eNote: Adapt this to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $securityPrincipalAccount = \"DOMAIN\\Enterprise Admins\"\nPS\u0026gt; $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)\nPS\u0026gt; $propSetPath = \"AD:CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" \n#### $propSetPath can be replaced by $attributSchemaPath, the commands are similar for these two objects\nPS\u0026gt; $aclPropSet = Get-Acl -Path $propSetPath\nPS\u0026gt; $aclPropSet.SetOwner($securityPrincipalObject)\nPS\u0026gt; $aclPropSet | Set-Acl -Path $propSetPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf you need to remove a problematic \u003cstrong\u003eACE\u003c/strong\u003e from a property set, you can follow the procedure below (\u003cstrong\u003eNote: Adapt this to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $propSetPath = \"AD:CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" \n#### $propSetPath can be replaced by $attributSchemaPath, the commands are similar for these two objects\nPS\u0026gt; $aclPropSet = Get-Acl -Path $propSetPath\nPS\u0026gt; $aceToRemove = $aclPropSet.Access | ? 
{ $_.ActiveDirectoryRights -eq 'WriteProperty' -and $_.IdentityReference -eq 'DOMAIN\\unpriv' }\nPS\u0026gt; $aclPropSet.RemoveAccessRule($aceToRemove)\nPS\u0026gt; $aclPropSet | Set-Acl -Path $propSetPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eValidate legitimacy of a custom property set\u003c/h4\u003e\n\u003cp\u003eThird-party products can introduce a custom property set through a schema extension procedure.\nIf this product is no longer present in your environment or if you have confirmation that this property set is malicious or poses a risk, you can remove it using the following PowerShell command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Remove-ADObject -Identity \"CN=Z-Custom-PropSet,CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" -Confirm:$false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAn option is available if the property set is legitimate.\u003c/p\u003e\n\u003ch4\u003eValidate then fix sensitive attributes belonging to a custom property set\u003c/h4\u003e\n\u003cp\u003eIt is not advisable to set a sensitive attribute within a custom property set, unless you have a specific requirement to do so. 
This practice can conceal potential backdoors that attackers create on AD objects and is also susceptible to errors, like unintentionally granting access to a security-sensitive attribute to basic users, which they could exploit to elevate privileges within the AD.\n\u003cbr\u003eUse the following PowerShell command to reset the reference of the property set to the correct value:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; $originalGuid = [System.Guid]::Parse(\"4c164200-20c0-11d0-a768-00aa006e0529\")\nPS\u0026gt; Set-ADObject -Identity \"CN=ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity,CN=Schema,CN=Configuration,DC=DOMAIN,DC=CORP\" -Replace @{'attributeSecurityGUID'=$originalGuid}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNote that the deviance related to this issue would also show up in the integrity check results (although the risk is higher for a deviance on a sensitive attribute).\u003c/p\u003e\n","resources":[{"name":"Upgrading AD DS Schema to Windows Server 2016","url":"https://samilamppu.com/2016/11/06/upgrading-ad-ds-schema-to-windows-server-2016/","type":"hyperlink"},{"name":"Best Practices for Implementing Schema Updates","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/best-practices-for-implementing-schema-updates/ba-p/255611","type":"hyperlink"},{"name":"Active Directory schema changes in Exchange Server","url":"https://learn.microsoft.com/en-us/exchange/plan-and-deploy/active-directory/ad-schema-changes?view=exchserver-2019","type":"hyperlink"}]},"resources":[{"name":"Control Access Rights (AD DS)","url":"https://learn.microsoft.com/en-us/windows/win32/ad/control-access-rights","type":"hyperlink"},{"name":"Property Sets (AD Schema)","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/property-sets","type":"hyperlink"},{"name":"Creating a Control Access Right","url":"https://learn.microsoft.com/en-us/windows/win32/ad/creating-a-control-access-right","type":"hyperlink"},{"name":"Windows 
Server Active Directory schema updates","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/schema-updates","type":"hyperlink"},{"name":"Abusing forgotten permissions on computer objects in Active Directory","url":"https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/","type":"hyperlink"}],"applicable_resource_types":["ad_dmd","ad_control_access_right","ad_attribute_schema"],"attacker_known_tools":[],"category_id":4,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","es_001","zh_CN","fr_FR","ja_JP","zh_TW","ko_KR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PROP-SET-SANITY","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["de","es","zh-CN","fr","ja","zh-TW","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[52]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DFS-MISCONFIG","_score":null,"_source":{"language_code":"en_US","codename":"C-DFS-MISCONFIG","name":"Dangerous SYSVOL Replication Configuration","id":51,"description":"\u003cp\u003eChecks that the \"Distributed File System Replication\" (DFS-R) mechanism 
replaced the \"File Replication Service\" (FRS).\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003e\"File Replication Service\" (FRS) is deprecated since Windows Server 2008 R2. Tenable highly recommends migrating the SYSVOL share replication from FRS to \"Distributed File System Replication\" (DFS-R) for better robustness, scalability, and replication performance.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eFiles located in a shared SYSVOL folder store the settings and configurations of group policies, which replicate across all domain controllers to ensure that the content of the SYSVOL folder remains identical on each controller.\n\u003cbr\u003eEarly Windows 2000 and 2003 versions used FRS (File Replication Service), occasionally referred to as NTFRS / NT-FRS (not to confuse with NTFS) for SYSVOL replication. With Windows Server 2008, Microsoft introduced DFS-R (Distributed File System Replication), also known as DFS or DFSR or DFS-R, for better reliability and efficiency.\n\u003cbr\u003eAccording to \u003ca href=\"https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-case-for-migrating-sysvol-to-dfsr/ba-p/397642\"\u003eMicrosoft\u003c/a\u003e, the main advantages of using DFS-R instead of FRS include:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAbility to run an upgraded OS on domain controllers (DCs): Starting from Windows Server 2016 (including Windows Server 2019, 2022, 2025, and eventual later versions), it is not possible to promote a server as a DC for a domain if the SYSVOL replication uses FRS. 
Consequently, this would cause the Active Directory infrastructure to remain static and prevent it from receiving security updates with upgraded OS versions.\u003c/li\u003e\n\u003cli\u003eA supported protocol: Microsoft currently maintains DFS-R which receives regular security updates, contrary to FRS which it deprecated in Windows Server 2008 R2.\u003c/li\u003e\n\u003cli\u003eBetter compatibility with Read-Only Domain Controllers (RODCs): FRS does not fully support RODCs SYSVOL replicas and allows data to become unsynchronized without offering automatic resynchronization.\u003c/li\u003e\n\u003cli\u003eBetter reliability and performance: DFS-R uses a more powerful algorithm than FRS that significantly reduces bandwidth consumption and speeds up the replication process. The main algorithm improvements include:\u003cul\u003e\n\u003cli\u003eUse of Remote Differential Compression (RDC) replication to replicate partial file changes rather than entire files.\u003c/li\u003e\n\u003cli\u003eMore efficient file compression on staged files.\u003c/li\u003e\n\u003cli\u003eBetter and faster inter-site replication compared to FRS SYSVOL replication: While FRS initiates replication between intersite members every 15 minutes, DFS offers immediate replication and allows customization to reduce bandwidth use.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis Indicator of Exposure identifies whether your domain still uses FRS for replication. Additionally, it checks for attribute changes related to DFS-R, as the modification of these attributes could exclude GPOs from the replication process, thus enabling them to act as a potential backdoor or persistence mechanism.\n\u003cbr\u003eThe IoE checks for the following elements:\u003c/p\u003e\n\u003ch4\u003eDomain Functional Level (DFL) is at least equal to 2008 or above\u003c/h4\u003e\n\u003cp\u003eThis is a prerequisite for using DFS-R. 
Otherwise, the IoE does not check other elements.\nIf the DFL is not sufficient to allow the migration from FRS to DFS-R, the IoE raises a deviance with a reason indicating the current DFL.\u003c/p\u003e\n\u003ch4\u003eDFS-R enablement\u003c/h4\u003e\n\u003cp\u003eThe IoE can check this element only if the Active Directory infrastructure meets the DFL prerequisite.\nThe migration from FRS to DFS-R is not automatic and requires a manual procedure. Consequently, even if domain controllers receive regular patches and updates, older domains may still use FRS for SYSVOL replication, which is not a recommended practice as previously explained.\nIf the migration has not started or is not yet completed, the IoE raises a deviance with a reason indicating the current status of the migration.\n\u003cbr\u003eNote that the migration process from FRS to DFS-R requires planning and careful execution to avoid any disruption of the Active Directory environment. For guidelines, see the \"Recommendation\" tab.\u003c/p\u003e\n\u003ch4\u003eDFS-R integrity checks\u003c/h4\u003e\n\u003cp\u003eThe IoE can check this element only if DFS-R performs the SYSVOL replication.\nThe integrity of the msDFSR-FileFilter and msDFSR-DirectoryFilter attributes of the object of class msDFSR-ContentSet located in CN=SYSVOL Share,CN=Content,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=ad,DC=tenable,DC=com is checked against their default values as follows:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003emsDFSR-FileFilter: [\"~*\", \"*.TMP\", \"*.BAK\"]\u003c/li\u003e\n\u003cli\u003emsDFSR-DirectoryFilter: [\"DO_NOT_REMOVE_NtFrs_PreInstall_Directory\", \"NtFrs_PreExisting___See_EventLog\"]\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTo remediate the issue of \"\u003ca href=\"https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/directory-is-not-empty\"\u003eImporting a GPO using GPMC fails with \"The Directory is not empty\"\u003c/a\u003e\", Microsoft 
recommends excluding the following temporary directories from the replication, which the IoE considers legitimate:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eMachineOld\u003c/li\u003e\n\u003cli\u003eUserOld\u003c/li\u003e\n\u003cli\u003eMachineStaging\u003c/li\u003e\n\u003cli\u003eUserStaging\u003c/li\u003e\n\u003cli\u003eAdmOld\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIncorrect modifications to these attributes could pose a security risk, potentially leading to issues such as denial of service or reduced domain security, so it is crucial that administrators thoroughly analyze and assess these modifications.\nIf one of the default values is deleted or a value not recommended by Microsoft is added, the IoE raises a deviance to indicate that the integrity of the corresponding attribute has been altered.\n\u003cstrong\u003eException: if one of the folders recommended by Microsoft as a solution to the aforementioned problem is present in the option (default value) but not in the attribute value, no deviance is generated, since the absence of these directories does not represent a security risk.\u003c/strong\u003e\nIf administrators approve a new value, you can add it to the dedicated option of the IoE.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Use DFS for SYSVOL Replication and not FRS","description":"For better performance and security, \"Distributed File System Replication\" (DFS-R) must replace \"File Replication Service\" (FRS) which is an old and obsolete protocol.","exec_summary":"\u003cp\u003eMicrosoft recommends using the recent and supported DFS-R protocol for SYSVOL replication. 
You must migrate SYSVOL shares still using \"File Replication Service\" (FRS) to \"Distributed File System Replication\" (DFS-R) manually following the procedure from Microsoft.\u003c/p\u003e\n","detail":"\u003ch4\u003eUse a Domain Functional Level (DFL) at least equal to or above 2008\u003c/h4\u003e\n\u003cp\u003eTo increase the DFL, see the recommendation tab of the IoE \"Domains with an Outdated Functional Level\".\u003c/p\u003e\n\u003ch4\u003eMigrate from FRS to DFS-R\u003c/h4\u003e\n\u003cp\u003eThe migration from FRS to DFS-R is not automatic and requires a manual procedure.\nConsequently, even if domain controllers receive regular patches and updates, older domains may still use FRS for SYSVOL replication, which is not a recommended practice as previously explained.\nSee the full guide from Microsoft: \"\u003ca href=\"https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr#procedures\"\u003eMigrate SYSVOL replication to DFS Replication\u003c/a\u003e\".\n\u003cbr\u003e\u003cstrong\u003eYou must follow strictly the detailed procedure from Microsoft as linked \u003ca href=\"https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr#procedures\"\u003ehere\u003c/a\u003e.\u003c/strong\u003e The following is only a summary of that procedure.\n\u003cbr\u003ePrerequisites for migration:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe domain controller should run a minimum of Windows Server 2008 R2, but preferably a more recent version such as 2022 or 2025.\u003c/li\u003e\n\u003cli\u003eDFL must be at least equal to 2008.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eStep 1\u003c/strong\u003e\nOn the Primary Domain Controller (PDCE), run the dfsrmig.exe tool and set the migration global state to '\u003cstrong\u003ePREPARED\u003c/strong\u003e' state (State 1). 
To do this, open a PowerShell and execute:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003edfsrmig /setglobalstate 1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEnsure that all domain controllers have completed this step before proceeding. To monitor the migration progress and ensure that all domain controllers successfully migrated to the '\u003cstrong\u003ePREPARED\u003c/strong\u003e' state, execute the command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003edfsrmig /getMigrationState\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf any domain controller is not yet ready, the output displays:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eThe following Domain Controllers are not in sync with Global state \u0026lt;'Prepared'\u0026gt;:\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOnce all domain controllers are ready, the output displays:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eAll Domain Controllers have migrated successfuly to Global state \u0026lt;'Prepared'\u0026gt;.\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003e\u003cstrong\u003eStep 2\u003c/strong\u003e\nAfter all domain controllers successfully migrated to the '\u003cstrong\u003ePREPARED\u003c/strong\u003e' state, proceed as follows: on the PDCE, run the dfsrmig.exe tool and set the migration global state to '\u003cstrong\u003eREDIRECTED\u003c/strong\u003e' state (State 2). To do this, open a PowerShell and execute this command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003edfsrmig /setglobalstate 2\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEnsure that all domain controllers complete this step before proceeding. 
To monitor the migration progress and ensure that all domain controllers successfully migrated to the '\u003cstrong\u003eREDIRECTED\u003c/strong\u003e' state, execute this command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003edfsrmig /getMigrationState\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf any domain controller is not ready yet, the output displays:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eThe following Domain Controllers are not in sync with Global state \u0026lt;'Redirected'\u0026gt;:\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOnce all domain controllers are ready, the output displays:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eAll Domain Controllers have migrated successfuly to Global state \u0026lt;'Redirected'\u0026gt;.\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003e\u003cstrong\u003eStep 3\u003c/strong\u003e\nRemember that you cannot revert the migration process once it reaches the '\u003cstrong\u003eELIMINATED\u003c/strong\u003e' state, under any circumstance. Therefore, ensure that SYSVOL replication using the DFS Replication service functions correctly before proceeding with the finalization of the migration process.\n\u003cbr\u003eOnce all domain controllers successfully migrated to the '\u003cstrong\u003eREDIRECTED\u003c/strong\u003e' state, proceed as follows: on the PDCE, run the dfsrmig.exe tool and set the migration global state to '\u003cstrong\u003eELIMINATED\u003c/strong\u003e' state (State 3). To do this, open a PowerShell and execute this command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003edfsrmig /setglobalstate 3\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis step can take some time. 
Monitor the migration progress and ensure that all domain controllers successfully migrated to the '\u003cstrong\u003eELIMINATED\u003c/strong\u003e' state by executing this command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003edfsrmig /getMigrationState\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf any domain controller is not yet ready, the output displays:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eThe following Domain Controllers are not in sync with Global state \u0026lt;'Eliminated'\u0026gt;:\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOnce all domain controllers are ready, the output displays:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eAll Domain Controllers have migrated successfuly to Global state \u0026lt;'Eliminated'\u0026gt;.\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003eTo verify that the SYSVOL shared folder is properly shared by each domain controller in the domain and that it corresponds to the SYSVOL_DFSR folder that DFS-R replicated, open a command prompt window on each domain controller and type:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003enet share\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe result should look like the following:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eShare name Resource Remark\n\n--------------------------------------------------------------------------------\n[…]\nNETLOGON C:\\Windows\\SYSVOL_DFSR\\sysvol\\ad.tenable.com\\SCRIPTS\n Logon server share\nSYSVOL C:\\Windows\\SYSVOL_DFSR\\sysvol Logon server share\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis output confirms that the SYSVOL shared folder is correctly shared and mapped to the SYSVOL_DFSR folder, which DFS-R replicated.\u003c/p\u003e\n\u003ch4\u003eDFS-R integrity checks\u003c/h4\u003e\n\u003cp\u003eTwo attributes, msDFSR-FileFilter and msDFSR-DirectoryFilter, belonging to the object of class msDFSR-ContentSet, located in CN=SYSVOL Share,CN=Content,CN=Domain System 
Volume,CN=DFSR-GlobalSettings,CN=System,DC=ad,DC=tenable,DC=com, may interest attackers because they can use them to exclude files or folders from the replication.\nAs stated in the IoE's \"Vulnerability Details\" tab, Microsoft advises adding specific directories to the exclusion list in certain scenarios. By doing so, the IoE does not report these directories as deviant as long as they are present in the option value.\n\u003cbr\u003eVerify the legitimacy of any remaining non-default filter value(s) and confirm with Active Directory administrators. Once confirmed, add them as options for the IoE to prevent it from flagging them as deviant.\u003c/p\u003e\n","resources":[{"name":"Migrate SYSVOL replication to DFS Replication","url":"https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr","type":"hyperlink"},{"name":"Replicate SYSVOL using DFS Replication","url":"https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/migrate-sysvol-to-dfs-replication","type":"hyperlink"}]},"resources":[{"name":"Active Directory Security Assessment Checklist - SYSVOL replication through NTFRS","url":"https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html#vuln_sysvol_ntfrs","type":"hyperlink"},{"name":"Windows Server version 1709 no longer supports FRS","url":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/windows-server-version-1709-no-longer-supports-frs","type":"hyperlink"},{"name":"FRS Technical Reference","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759297(v=ws.10)","type":"hyperlink"},{"name":"DFS Replication FAQ","url":"https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/dfsr-faq","type":"hyperlink"},{"name":"The Case for Migrating SYSVOL to DFSR","url":"https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-case-for-migrating-sysvol-to-dfsr/ba-p/397642","type":"hyperlink"},{"name":"Importing a GPO 
using GPMC fails with \"The Directory is not empty\"","url":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/directory-is-not-empty","type":"hyperlink"}],"applicable_resource_types":["ad_cross_ref","ad_msdfsr_content_set","ad_msdfsr_global_settings"],"attacker_known_tools":[],"category_id":4,"mitre_attacks":[{"tactic":"TA0005 - Defense Evasion","techniques":["T1484.001 - Domain Policy Modification - Group Policy Modification"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["fr_FR","es_001","zh_CN","de_DE","zh_TW","en_US"],"tvdb_export_source":{"file_name":"diff-202501311400.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DFS-MISCONFIG","created_at":"2025-01-31T14:09:34","updated_at":"2025-01-31T14:09:34"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["fr","es","zh-CN","de","zh-TW","en"],"mitre_attack_information":[{"tactic":{"id":"TA0005","name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005/"},"techniques":[{"id":"T1484.001","name":"Domain Policy Modification - Group Policy Modification","url":"https://attack.mitre.org/techniques/T1484/001/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[51]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PASSWORD-HASHES-ANALYSIS","_score":null,"_source":{"language_code":"en_US","codename":"C-PASSWORD-HASHES-ANALYSIS","name":"Detection of Password Weaknesses","id":50,"description":"\u003cp\u003eVerifies for weaknesses in passwords that may heighten the vulnerability of Active Directory accounts.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eMultiple problems can arise with Active Directory account passwords (insufficient complexity, obsolete cryptography, blank, reused, leaked...), leading to a decrease in Active Directory security by allowing \"brute-force\", \"password spraying\" and \"lateral movement\" 
attacks.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe importance of an account's password in ensuring authentication within the Active Directory is paramount. However, several factors can categorize a password as weak, including:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eInsufficient complexity: The password consists of a weak string of characters or, in some cases, remains completely blank\u003c/li\u003e\n\u003cli\u003eObsolete password hashing algorithm: The use of outdated hashing algorithms, such as the LM (LAN Manager) hash, which are prone to easy offline brute-forcing\u003c/li\u003e\n\u003cli\u003eShared passwords: Instances where the same password applies across multiple accounts, such as default or common passwords\u003c/li\u003e\n\u003cli\u003eName used as a password: The password is equal to the \u003ccode\u003esamAccountName\u003c/code\u003e or \u003ccode\u003edisplayName\u003c/code\u003e attribute value\u003c/li\u003e\n\u003cli\u003ePasswords found in leaked databases: The password can be discovered by referencing leaked databases\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAttackers actively exploit these weaknesses to spoof an account, enabling them to move laterally within the Active Directory.\nThis risk becomes even more elevated when dealing with privileged accounts.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eA password must meet a robust password policy and must be unique for each account in the Active Directory domain.\nA blank password is also critical because it allows an attacker to authenticate without providing a password.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eAn account can have a blank password based on the following conditions:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe domain password policy has the setting \"Minimum password length\" set to 0 and \"Password must meet complexity requirements\" set to False.\u003c/li\u003e\n\u003cli\u003eThe userAccountControl attribute has the PASSWD_NOTREQD flag set 
to True.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eNote\u003c/strong\u003e: Identifying a domain controller with a blank password is crucial because it corresponds to the exploitation vector of the critical vulnerability known as ZeroLogon. This indicates that an attacker may have already exploited this vulnerability to target the domain. In light of this, Tenable strongly advises initiating an Incident Response process to investigate thoroughly this potential attack.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eThis Indicator of Exposure checks for all these aspects, and also ensures that a password is not identical to another belonging to a compromised and leaked database.\nCharacteristics of leaked passwords include the following traits:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWeakness due to successful offline brute force attack: The hashed version of the password has been subjected to a successful offline brute force attack, leading to the recovery of the password in clear text\u003c/li\u003e\n\u003cli\u003eSusceptibility to dictionary-based brute force attacks: Attackers can include a leaked password in their dictionary and use it to launch brute force attacks against Active Directory secrets\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eUsing a leaked password significantly increases the risk of compromise and you should avoid it.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003e\u003cstrong\u003eKEY CONSIDERATIONS\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eTo prioritize security, the analysis of this IoE takes place on the \"Secure Relay\" to ensure the protection of sensitive information. 
No raw secrets get stored or shared with any external entities\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eThe analysis focuses on the passwords of the following entities: enabled user accounts and domain controllers.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eAccounts using an LM hash are rare and get flagged with a dedicated reason and will not undergo further analysis, including comparisons between the account's name and password.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eMachine accounts are not susceptible to password weaknesses as robust password generation and automatic renewal mechanisms effectively address these concerns.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Apply security best practices to Active Directory passwords","description":"It is imperative to implement password hardening and adhere to good password administration practices.\n","exec_summary":"\u003cp\u003eGood administrative practices for domain user passwords involve using strong and unique passwords, avoiding unchanged default values that relate to domain-authenticated accounts, and securely storing passwords with robust algorithms.\u003c/p\u003e\n","detail":"\u003cp\u003eRecommendations concerning identified issues to consider:\u003c/p\u003e\n\u003ch4\u003eWeak Passwords\u003c/h4\u003e\n\u003cp\u003eTo ensure password strength, a password should consist of 12 or more alphanumeric characters, including lowercase letters, uppercase letters, numbers, and special characters.\nIt is advisable to establish a robust password policy either through the GPO associated with the default domain policy (\"Default Domain Policy\") or by defining it within a \"Password Settings Object\".\u003c/p\u003e\n\u003cp\u003eYou must change any password set during user account creation or when resetting an existing account's password upon the first authentication attempt.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eReview other Indicators of Exposure (\"Account with Empty 
Password\" and \"Application of Weak Password Policies on Users\") related to the password policy for further evaluation.\u003c/p\u003e\n\u003ch4\u003eLM hashes\u003c/h4\u003e\n\u003cp\u003eFrom Windows Server 2008 onwards, the system actively uses NT hashes for password storage, while keeping LM hashes empty.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eTo deactivate the storage of LM hashes for user passwords, confirm that you have the following GPO setting configured for domain controllers:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eIn Group Policy, navigate to Computer Configuration \u0026gt; Windows Settings \u0026gt; Security Settings \u0026gt; Local Policies, and then select Security Options.\u003c/li\u003e\n\u003cli\u003eIn the list of available policies, double-click \"Network security: Do not store LAN Manager hash value on next password change\".\u003c/li\u003e\n\u003cli\u003eChoose Enabled, and click OK.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003e\u003cem\u003eTo remove the LM hash from an account, you must change its password after applying the GPO.\u003c/em\u003e\u003c/p\u003e\n\u003ch4\u003ePasswords Shared Across Accounts\u003c/h4\u003e\n\u003cp\u003eTenable highly recommends that you maintain unique passwords for accounts within an Active Directory forest.\nIf an account's secret becomes compromised, it expands the attacker's knowledge and enables them to compromise additional accounts, facilitating lateral movement.\u003c/p\u003e\n\u003cp\u003eThis risk becomes particularly critical when one of the newly compromised accounts holds privileged access within the domain, potentially leading to privilege escalation\u003c/p\u003e\n\u003ch4\u003ePasswords belonging to leaked databases\u003c/h4\u003e\n\u003cp\u003eThe knowledge of leaked database secrets allows us to assess the additional risks associated with a password.\nIn the context of this IoE, if a password is identified as appearing in a data leak, it signifies the 
following:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe password is weak because its cleartext version was previously subjected to successful brute force attacks\u003c/li\u003e\n\u003cli\u003eAn attacker can download compromised databases and conduct targeted searches for organization-specific keywords, including plaintext passwords and potential personal data\u003c/li\u003e\n\u003cli\u003eAn attacker can exploit the password for password spraying attacks against Active Directory accounts\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIt is important to note that even a strong password should be unique and never shared between applications. To facilitate this, you can use a password manager such as KeePass.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eCurrently, this IoE incorporates a subset of breached passwords provided by the service HaveIBeenPwned.\u003c/p\u003e\n","resources":[{"name":"Recommandations relatives à l'authentification multifacteur et aux mots de passe","url":"https://www.ssi.gouv.fr/uploads/2021/10/anssi-guide-authentification_multifacteur_et_mots_de_passe.pdf\n","type":"hyperlink"},{"name":"NIST Digital Identity Guidelines","url":"https://pages.nist.gov/800-63-3/sp800-63b.html\n","type":"hyperlink"},{"name":"The only secure password is the one you can't remember","url":"https://www.troyhunt.com/only-secure-password-is-one-you-cant/\n","type":"hyperlink"},{"name":"Hundreds of millions of real world passwords previously exposed in data breaches","url":"https://haveibeenpwned.com/\n","type":"hyperlink"},{"name":"Password must meet complexity requirements","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements\n","type":"hyperlink"},{"name":"How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM 
databases","url":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password\n","type":"hyperlink"},{"name":"Keepass Password Safe","url":"https://keepass.info/\n","type":"hyperlink"}]},"resources":[{"name":"The 773 Million Record \"Collection #1\" Data Breach\n","url":"https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/\n","type":"hyperlink"},{"name":"The Default Password Threat","url":"https://www.giac.org/paper/gsec/317/default-password-threat/100889\n","type":"hyperlink"},{"name":"How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases","url":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password\n","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"Kerbrute - A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication","url":"https://github.com/ropnop/kerbrute","author":"ropnop"},{"name":"John the Ripper - A fast password cracker","url":"https://github.com/openwall/john","author":"OpenWall"},{"name":"hashcat - advanced password recovery tool","url":"https://hashcat.net/hashcat/","author":"Jens Steube, Gabriele Gristina"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0006 - Credential Access","techniques":["T1110 - Brute Force"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["es_001","de_DE","zh_TW","fr_FR","zh_CN","ko_KR","ja_JP","en_US"],"tvdb_export_source":{"file_name":"diff-202501311400.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PASSWORD-HASHES-ANALYSIS","created_at":"2025-01-31T14:09:34","updated_at":"2025-01-31T14:09:34"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["es","de","zh-TW","fr","zh-CN","ko","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1110","name":"Brute Force","url":"https://attack.mitre.org/techniques/T1110/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[50]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-RANSOMWARE-HARDENING","_score":null,"_source":{"language_code":"en_US","codename":"C-RANSOMWARE-HARDENING","name":"Insufficient Hardening Against Ransomware","id":49,"description":"\u003cp\u003eEnsures that the domain implemented hardening measures to protect against ransomware.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eRansomware is the most disruptive global cyberthreat we face today. 
This threat affects virtually every industry and stems from a variety of root causes, which security teams must consider in their defender strategies.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eRansomware groups are now using Active Directory (AD), a technology already present in many organizations, instead of their custom spreader code as a more effective way to propagate attacks.\nA \u003cstrong\u003ecompromised privileged user\u003c/strong\u003e account is the \u003cstrong\u003eeasiest way\u003c/strong\u003e for attackers to deploy ransomware through the AD. To \u003cstrong\u003eprevent ransomware attacks\u003c/strong\u003e, it is important \u003cstrong\u003eto fix the most critical vulnerabilities (IoEs) that could lead to a direct compromise\u003c/strong\u003e.\nRansomware attacks often use similar methods such as phishing, malicious Office files, and scripts to infect a system.\n\u003cbr\u003eThis Indicator of Exposure performs the following subchecks to block or slow down an attack:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eEnables \u003cstrong\u003eAppLocker\u003c/strong\u003e rule enforcement for scripts and executables.\u003c/li\u003e\n\u003cli\u003eChanges \u003cstrong\u003edefault file association\u003c/strong\u003e for dangerous file types.\u003c/li\u003e\n\u003cli\u003eEnforces a strong \u003cstrong\u003ePowerShell Execution Policy\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eDisables Windows Script Host (\u003cstrong\u003eWSH\u003c/strong\u003e).\u003c/li\u003e\n\u003cli\u003eDisables \u003cstrong\u003emacros\u003c/strong\u003e for all Office applications (the safest approach, if not always feasible).\u003c/li\u003e\n\u003cli\u003eEnsures that \u003cstrong\u003eMacros\u003c/strong\u003e contained in Office documents \u003cstrong\u003edo not bypass\u003c/strong\u003e the registered Antimalware Scan Interface (\u003cstrong\u003eAMSI\u003c/strong\u003e) 
engine.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cbr\u003e\u003cstrong\u003eKEY POINT 1\u003c/strong\u003e\nThis IoE offers a \u003cstrong\u003evariety of options\u003c/strong\u003e that allow you to customize the security check based on specific needs. For instance, \u003cstrong\u003eyou can disable each subcheck for parts of the environment that are not fully mature for a full check\u003c/strong\u003e. This still enhances the security of the system by analyzing other parts that are ready for the check.\nVarious other options are available to further customize the security check, as shown in the next section.\n\u003cbr\u003e\u003cstrong\u003eKEY POINT 2\u003c/strong\u003e\nThis IoE uses the following logic to ensure domain security:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eChecks \u003cstrong\u003eif there is at least one GPO that defines the expected setting\u003c/strong\u003e for each domain. If found, performs a fine-grained analysis of all objects. If not found, reports a global \"No GPO defining [...]\" deviance for the check.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eChecks the value of the setting\u003c/strong\u003e and reports a deviance \"The GPO sets the policy [...]\" with the current and expected values. Also, \u003cstrong\u003echecks that all security objects (computers and users) related to the setting benefit from the policy\u003c/strong\u003e. If not, reports the impacted containers with a deviance \"No GPO defining [...]\".\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003e\u003cbr\u003eOptions exist for all checks at each level. 
For instance, you can whitelist a GPO that defines a wrong value and exclude an OU from the analysis.\u003c/p\u003e\n\u003ch4\u003eAppLocker rule enforcements for scripts and executables\u003c/h4\u003e\n\u003cp\u003eThis setup prevents the execution of scripts and executables from locations that ransomware is likely to target.\u003c/p\u003e\n\u003cp\u003eEnable \u003cstrong\u003eAppLocker script rule enforcement\u003c/strong\u003e and apply this setting to the following file formats:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e.ps1\u003c/li\u003e\n\u003cli\u003e.bat\u003c/li\u003e\n\u003cli\u003e.cmd\u003c/li\u003e\n\u003cli\u003e.vbs\u003c/li\u003e\n\u003cli\u003e.js\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eEnabling this setting will activate \u003cstrong\u003eConstrained Language Mode\u003c/strong\u003e (\u003cstrong\u003eCLM\u003c/strong\u003e) for PowerShell, which restricts access to sensitive language elements that may act to invoke arbitrary Windows APIs.\nTo enable CLM, set the \u003ccode\u003e__PSLockdownPolicy\u003c/code\u003e environment variable in a debugging and unit testing environment. However, note that Microsoft does not recommend using this enforcement mechanism since an attacker can easily change the environment variable to remove the restrictions. For more information about CLM, see the dedicated resource in the IoE's \"Recommendations\" tab.\n\u003cbr\u003eEnable \u003cstrong\u003eAppLocker executable rule enforcement\u003c/strong\u003e and apply this setting to the following file formats:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e.exe\u003c/li\u003e\n\u003cli\u003e.com\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eChange default file association for dangerous file types\u003c/h4\u003e\n\u003cp\u003eThis setting \u003cstrong\u003eblocks users from inadvertently executing malicious code by double-clicking\u003c/strong\u003e on files with dangerous extensions. 
These extensions are defined as customizable options, and the default values are: js, jse, hta, wsc, ws, wsh, wsf, vbs, vbe, ps1, and psm1.\nThe recommended associated program for opening these files is Notepad, which is also defined as a customizable option.\u003c/p\u003e\n\u003ch4\u003eEnforce a strong PowerShell Execution Policy\u003c/h4\u003e\n\u003cp\u003eAttackers often use PowerShell to deploy or exploit their malicious code. A \u003cstrong\u003estrong PowerShell Execution Policy\u003c/strong\u003e can make it \u003cstrong\u003eharder for attackers to run malicious PowerShell payloads on devices\u003c/strong\u003e. Although there are methods to bypass this, a strong policy can still block automated tools and slow down attackers. The default value is \u003ccode\u003eRestricted\u003c/code\u003e and modifiable with a customizable option.\u003c/p\u003e\n\u003ch4\u003eDisable Windows Script Host (WSH)\u003c/h4\u003e\n\u003cp\u003eWindows Script Host enables users to execute scripts in various languages to perform tasks using different object models. However, \u003cstrong\u003eit can also serve to download or deploy malicious code on devices\u003c/strong\u003e. If Windows Script Host is not required for the domain, you should disable it.\u003c/p\u003e\n\u003ch4\u003eDisable macros for all Office applications (the safest approach if not always feasible)\u003c/h4\u003e\n\u003cp\u003eWhile macros are a powerful tool for automating tasks in Office, \u003cstrong\u003emalware also exploits them to infect the infrastructure\u003c/strong\u003e. 
If domain users do not require macros, \u003cstrong\u003eit is best to disable them using GPO for improved security\u003c/strong\u003e.\u003c/p\u003e\n\u003ch4\u003ePrevent macros contained in Office documents from bypassing the registered Antimalware Scan Interface (AMSI) engine\u003c/h4\u003e\n\u003cp\u003eThis security measure is a recent addition, so \u003cstrong\u003ethe check will not mandate that the domain enable it\u003c/strong\u003e. However, if the measure exists but is disabled, \u003cstrong\u003eit poses a risk to the infrastructure and the IoE reports it as a deviance\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eNB Office settings apply to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eV15 (Office 2013).\u003c/li\u003e\n\u003cli\u003eV16 (Office 2016, Microsoft Office 365 ProPlus, Office 2019).\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Deploy Hardening Measures Against Ransomware","description":"Security measures against ransomware should be deployed by GPO.\n","exec_summary":"\u003cp\u003eThis security measure is a recent addition, so the check will not mandate that the domain enable it. However, if the measure exists but is disabled, it poses a risk to the infrastructure and the IoE reports it as a deviance.\u003c/p\u003e\n","detail":"\u003cp\u003eOffice-related settings require additional ADMX (Group Policy administrative templates) deployment on the domain. To do this, follow the procedure below:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cp\u003eCreate a Central Repository on your DC:\n a. If the domain does not already have a \u003cstrong\u003eCentral Store for Group Policy Administrative Templates\u003c/strong\u003e, go to this \u003ca href=\"https://learn.microsoft.com/en-US/troubleshoot/windows-client/group-policy/create-and-manage-central-store\"\u003epage\u003c/a\u003e to learn how to create and manage one. 
Example: Go to the \"Links to download the Administrative Templates files based on the operating system version\" section and click on the corresponding OS of domain member workstations.\n b. Download the MSI and install it on the DC.\n c. Copy the extracted \u003cstrong\u003ePolicyDefinitions\u003c/strong\u003e folder to the appropriate path in the \u003cstrong\u003eSysvol\u003c/strong\u003e. For example, if the MSI is related to Windows11-2021-10, such as \u003ccode\u003eC:\\Program Files (x86)\\Microsoft Group Policy\\Windows 11 October 2021 Update (21H2)\\PolicyDefinitions\u003c/code\u003e, copy it to the following path: \u003ccode\u003e\\\\contoso.com\\SYSVOL\\contoso.com\\policies\\PolicyDefinitions\u003c/code\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003eDeploy the Office-related ADMX:\n a. Go to this \u003ca href=\"https://www.microsoft.com/en-us/download/details.aspx?id=49030\"\u003epage\u003c/a\u003e and download an EXE file containing ADMX for Office 2016/2019/365.\n b. Run the downloaded EXE and specify the folder to extract the ADMX files to.\n c. Copy the ADMX files to the Central Repository. \u003cstrong\u003eRemember to copy the language folders, including at least en-us, or else it won't function properly\u003c/strong\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe following section explains how to resolve deviances, and the \"Vulnerability Details\" tab provides information on the checks. 
\u003cstrong\u003eKeep in mind that this IoE offers various options, such as disabling sub-checks, whitelisting objects, and modifying expected values\u003c/strong\u003e.\u003c/p\u003e\n\u003ch4\u003eEnable AppLocker rule enforcements for scripts and executables\u003c/h4\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console.\u003c/li\u003e\n\u003cli\u003eRight-click the GPO (or create a new one) that defines the settings, and click \u003cstrong\u003eEdit\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cstrong\u003eComputer Configuration\u003c/strong\u003e, expand the \u003cstrong\u003ePolicies\u003c/strong\u003e folder until you reach the folder \u003cstrong\u003eWindows Settings\\Security Settings\\Application Control Policies\\AppLocker\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eClick on \u003cstrong\u003eConfigure rule enforcement\u003c/strong\u003e and select \u003cstrong\u003eConfigured\u003c/strong\u003e and \"Enforce rules\" for both \u003cstrong\u003eExecutable rules\u003c/strong\u003e and \u003cstrong\u003eScript rules\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eTo create default rules, right-click \u003cstrong\u003eWindows Settings\\Security Settings\\Application Control Policies\\AppLocker\\Executable Rules\u003c/strong\u003e and \u003cstrong\u003eWindows Settings\\Security Settings\\Application Control Policies\\AppLocker\\Script Rules\u003c/strong\u003e, and select \u003cstrong\u003eCreate Default Rules\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eAdd as many rules as the domain requires.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eChange the default file association for dangerous file types\u003c/h4\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the GPO (or create a new one) that defines the settings, and click \u003cstrong\u003eEdit\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cstrong\u003eComputer Configuration\u003c/strong\u003e, expand the \u003cstrong\u003ePreferences\u003c/strong\u003e folder until you reach the \u003cstrong\u003eControl Panel Settings\u003c/strong\u003e folder.\u003c/li\u003e\n\u003cli\u003eRight-click the \u003cstrong\u003eFolder Option\u003c/strong\u003e node, and select \u003cstrong\u003eNew\u003c/strong\u003e \u0026gt; \u003cstrong\u003eOpen With\u003c/strong\u003e. In the \u003cstrong\u003eNew Open With Properties\u003c/strong\u003e dialog box, select the following options (for example an HTA extension):\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eAction\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eUpdate\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFile Extension\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003ehta\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eAssociated Program\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e%windir%\\system32\\notepad.exe\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSet as default\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e\n\u003cp\u003eThe \u003cstrong\u003eUpdate\u003c/strong\u003e action is the safest option as it creates the property if it's not present, or updates it with new settings if the property already exists.\u003c/p\u003e\n\u003ch4\u003eEnforce a strong PowerShell Execution Policy\u003c/h4\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the GPO (or create a new one) that defines the settings, and click \u003cstrong\u003eEdit\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cstrong\u003eComputer Configuration\u003c/strong\u003e, expand the \u003cstrong\u003ePolicies\u003c/strong\u003e folder until you reach \u003cstrong\u003eAdministrative Templates: Policy definitions (ADMX files) retrieved from the central store\\Windows Components\\Windows PowerShell\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cstrong\u003eTurn on script execution\u003c/strong\u003e and set the value to \u003ccode\u003eDisabled\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eDisable Windows Script Host (WSH)\u003c/h4\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Right-click the GPO (or create a new one) that defines the settings, and click \u003cstrong\u003eEdit\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cstrong\u003eComputer Configuration\u003c/strong\u003e, expand the \u003cstrong\u003ePreferences\u003c/strong\u003e folder until you reach the \u003cstrong\u003eWindows Settings\u003c/strong\u003e folder.\u003c/li\u003e\n\u003cli\u003eRight-click the \u003cstrong\u003eRegistry node\u003c/strong\u003e, select \u003cstrong\u003eNew\u003c/strong\u003e \u0026gt; \u003cstrong\u003eRegistry Item\u003c/strong\u003e. 
In the \u003cstrong\u003eNew Registry Properties\u003c/strong\u003e dialog box, select the following options:\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eAction\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eUpdate\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eRegistry subkey\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eValue\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEnabled\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eData type\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eREG_DWORD\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eData\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e0\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eReboot required\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e\n\u003cp\u003eThe \u003cstrong\u003eUpdate\u003c/strong\u003e action is the safest option as it creates the property if it's not present, or updates it with new settings if the property already exists.\u003c/p\u003e\n\u003ch4\u003eDisable macros for all Office applications (the safest approach if not always feasible)\u003c/h4\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the GPO (or create a new one) that defines the settings, and click \u003cstrong\u003eEdit\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cstrong\u003eComputer Configuration\u003c/strong\u003e, expand the \u003cstrong\u003ePolicies\u003c/strong\u003e folder until you reach the folder \u003cstrong\u003eAdministrative Templates: Policy definitions (ADMX files) retrieved from the central store\\Microsoft Office 2016 (Machine)\\Security Settings\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cstrong\u003eDisable VBA for Office applications\u003c/strong\u003e and set the value to \u003ccode\u003eEnable\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf this setting is too restrictive for the domain, you have an option to disable it.\u003c/p\u003e\n\u003ch4\u003ePrevent macros contained in Office documents from bypassing the registered Antimalware Scan Interface (AMSI) engine\u003c/h4\u003e\n\u003cp\u003eIf there is no Group Policy Object (GPO) that defines this setting, the IoE does not raise a deviance.\nHowever, if the setting is defined and set to \u003ccode\u003eDisabled\u003c/code\u003e (under \u003cstrong\u003eUser Configuration\u003c/strong\u003e, navigate through the \u003cstrong\u003ePolicies\u003c/strong\u003e folder until you reach \u003cstrong\u003eAdministrative Templates: Policy definitions (ADMX files) retrieved from the central store\\Microsoft Office 2016\\Security Settings for macro Runtime Scan Scope\u003c/strong\u003e), the IoE raises a deviance.\u003c/p\u003e\n","resources":[{"name":"Script rules in AppLocker","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker\n","type":"hyperlink"},{"name":"Executable rules in 
AppLocker","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker\n","type":"hyperlink"},{"name":"PowerShell Constrained Language Mode","url":"https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/\n","type":"hyperlink"},{"name":"Macro malware","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/macro-malware?view=o365-worldwide\n","type":"hyperlink"},{"name":"Enable or disable macros in Office files","url":"https://support.microsoft.com/en-us/office/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6\n","type":"hyperlink"},{"name":"Plan security settings for VBA macros in Office 2016","url":"https://learn.microsoft.com/en-us/DeployOffice/security/plan-security-settings-for-vba-macros-in-office\n","type":"hyperlink"},{"name":"Antimalware Scan Interface (AMSI)","url":"https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\n","type":"hyperlink"},{"name":"about_Execution_Policies","url":"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2\n","type":"hyperlink"}]},"resources":[{"name":"Active Directory is Now in the Ransomware Crosshairs","url":"https://www.tenable.com/blog/active-directory-is-now-in-the-ransomware-crosshairs\n","type":"hyperlink"},{"name":"Anatomy of a modern ransomware attack","url":"https://lookbook.tenable.com/ransomware-2021/anatomy-ransomware-e\n","type":"hyperlink"},{"name":"Which Protective Measures Will Help You Really Disrupt Ransomware Attacks?","url":"https://lookbook.tenable.com/webinar-replay-protective-measures-prevent-ransomware-attacks/od-webinar-which-protective-measures-will-help-you-really-disrupt-ransomware-attacks\n","type":"hyperlink"},{"name":"Secure Active Directory and Stop the Spread of 
Ransomware","url":"https://lookbook.tenable.com/webinar-replay-protective-measures-prevent-ransomware-attacks/datasheet-tenable-ad-stop-the-spread-of-ransomware\n","type":"hyperlink"},{"name":"5 Ways to Strengthen Active Directory Security and Prevent Ransomware Attacks","url":"https://lookbook.tenable.com/5-ways-to-strengthen-active-directory-security-and-prevent-ransomware-attacks/od-webinar-5-ways-to-strengthen-ad-and-prevent-ransomware\n","type":"hyperlink"},{"name":"How to Protect Active Directory Against Ransomware Attacks","url":"https://lookbook.tenable.com/ransomware-2021/how-to-protect-ad-ransomware\n","type":"hyperlink"}],"applicable_resource_types":["ad_container","ad_gpo_preferences","ad_ou","ad_root_domain","ad_sysvol_pol"],"attacker_known_tools":[{"name":"WannaCry","url":"https://en.wikipedia.org/wiki/WannaCry_ransomware_attack","author":"Unknown"},{"name":"Ryuk","url":"https://en.wikipedia.org/wiki/Ryuk_(ransomware)","author":"Unknown"},{"name":"DarkSide (hacking group)","url":"https://en.wikipedia.org/wiki/DarkSide_(hacking_group)","author":"Unknown"}],"category_id":2,"mitre_attacks":[],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["es_001","fr_FR","de_DE","zh_CN","ko_KR","ja_JP","zh_TW","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-RANSOMWARE-HARDENING","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["es","fr","de","zh-CN","ko","ja","zh-TW","en"],"mitre_attack_information":[],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[49]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PKI-DANG-ACCESS","_score":null,"_source":{"language_code":"en_US","codename":"C-PKI-DANG-ACCESS","name":"ADCS Dangerous Misconfigurations","id":48,"description":"\u003cp\u003eList dangerous permissions and misconfigured 
parameters related to the Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI).\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eMisconfigurations of Active Directory Certificate Services (AD CS) PKI objects in Active Directory can lead to an elevation to administrator privileges from a standard account, but also persistence (using the \"Golden Certificate\" technique).\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eMicrosoft offers a dedicated PKI implementation using the ADCS server role, which is available in Windows Server. When configuring the Certification Authority server for the first time (a building block of Windows PKI), you have the option to integrate the PKI with Active Directory or keep it as a standalone system.\n\u003cbr\u003eThis Indicator of Exposure focuses only on Active Directory-integrated PKIs.\n\u003cbr\u003eA PKI generates trusted certificates for multiple purposes, with authentication being the primary one linked to Active Directory. Microsoft enabled certificate-based authentication through PKINIT, an extension of Kerberos protocol.\n\u003cbr\u003eIn 2021, the security community extensively researched ADCS, specifically focused on certificate templates. These templates are pre-configured blueprints for specific use cases such as SSL/TLS encryption, code signing, smartcard authentication, etc. When an AD account requires a certificate, it must enroll in a specific template through a dedicated ADCS enrollment service. Not all templates are registered in every service, and enrollment is restricted to a dedicated population for security reasons. They have many parameters that can allow privilege escalation and persistence in the AD/Windows environment.\n\u003cbr\u003ePKI implementation complexity and required skills may lead to vulnerabilities, including full Active Directory compromise via improperly configured authentication certificates generated with ADCS. 
Microsoft offers a graphical interface to configure the AD CS PKI, which makes it look easy, but misconfigurations with security impacts are just as easy to make.\u003c/p\u003e\n\u003ch4\u003eUnsafe owner or permission\u003c/h4\u003e\n\u003cp\u003eThe goal is to identify hazardous permissions on ADCS-related objects and containers, with the \"Unsafe owner...\" and \"Unsafe permissions...\" reasons on the following objects:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eADCS server computer objects\u003c/li\u003e\n\u003cli\u003eCertificate Templates objects\u003c/li\u003e\n\u003cli\u003ePKI Enrollment Services objects\u003c/li\u003e\n\u003cli\u003eCertification Authorities objects\u003c/li\u003e\n\u003cli\u003eCertificate Templates container\u003c/li\u003e\n\u003cli\u003eEnrollment Services container\u003c/li\u003e\n\u003cli\u003eCertification Authorities container (root and intermediate CAs)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eMisconfigured certificate template\u003c/h4\u003e\n\u003cp\u003eThe goal is to prevent unprivileged accounts from enrolling as administrators by assessing and modifying configuration parameters and permissions. \"Misconfigured\" certificate templates refer to those with multiple parameters leading to security risks, which require context-specific modifications.\u003c/p\u003e\n\u003ch4\u003eOID linked to a group\u003c/h4\u003e\n\u003cp\u003eThe goal is to identify issuance policies (enterprise OIDs) that allow principals to become members of AD groups implicitly (i.e. without being explicit members of the group, hence not visible in AD administration tools).\u003c/p\u003e\n\u003ch2\u003eMapping with reference paper\u003c/h2\u003e\n\u003cp\u003eNote that this IoE includes most of the privilege escalation (ESC) techniques mentioned in the \"Certified Pre-Owned\" research paper by SpecterOps, with some modifications for ease of use. 
The mapping between their technique IDs and Tenable Identity Exposure reasons is as follows:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eESC1: reason \"Unsafe certificate template configuration\"\u003c/li\u003e\n\u003cli\u003eESC2: not implemented since there was no concrete proof of its exploitability\u003c/li\u003e\n\u003cli\u003eESC3: not implemented since it requires local access to all ADCS servers to check registry values, which is not feasible in Tenable Identity Exposure\u003c/li\u003e\n\u003cli\u003eESC4: reason \"Unsafe certificate template configuration\"\u003c/li\u003e\n\u003cli\u003eESC5 with these reasons:\u003cul\u003e\n\u003cli\u003e\"Unsafe permissions on an AD CS server\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe owner on an AD CS server\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe permissions on a CA object\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe owner on a CA object\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe permissions on a CA container\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe owner on a CA container\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe permissions on a certificate template\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe owner on a certificate template\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe permissions on a certificate template container\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe owner on a certificate template container\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe permissions on an enrollment service\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe owner on an enrollment service\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe permissions on an enrollment service container\"\u003c/li\u003e\n\u003cli\u003e\"Unsafe owner on an enrollment service container\"\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eESC6: reason \"Unsafe certificate template configuration\", but partially since it requires local access to systems to verify a local Access Control List (ACL), so it was included as the \"Local configuration for SAN\" option only to remind you to check local 
configurations for this security issue.\u003c/li\u003e\n\u003cli\u003eESC7: not implemented since it requires local access to all ADCS servers to check a local ACL, which is not feasible in Tenable Identity Exposure\u003c/li\u003e\n\u003cli\u003eESC8: not implemented since it requires local access to all ADCS servers to check registry values, which is not feasible in Tenable Identity Exposure\u003c/li\u003e\n\u003cli\u003eESC13 (published later in February 2024): reason \"OID linked to a group\"\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Fix Mistakes in ADCS Configuration","description":"In order to limit the risks of full AD compromise, ADCS misconfigurations should be fixed.\n","exec_summary":"\u003cp\u003eCertain ADCS PKI parameters can significantly affect the security of the entire Active Directory and therefore require careful configuration.\u003c/p\u003e\n","detail":"\u003cp\u003eConfiguring a Public Key Infrastructure (PKI) can be challenging due to the number of parameters involved, which can lead to security issues. Tenable Identity Exposure provides results on sensitive parameters that need fixing.\n\u003cbr\u003eAddressing the identified issues requires defining a more restrictive configuration, therefore ensure to collaborate between the AD and security teams, and with the IT teams in charge of servers/workstations/applications that rely on these certificates (templates) to avoid any regression or undesired side-effects.\u003c/p\u003e\n\u003ch4\u003eUnsafe owner\u003c/h4\u003e\n\u003cp\u003eAssign a safe owner depending on your PKI administration policy, or by default, a built-in privileged AD group such as \"Enterprise Admins\". 
If impossible and the identified owner is legitimate: you can ignore it using the \"Permitted object owner\" option, but keep in mind that this user will maintain control over the object, which is a potential attack path.\u003c/p\u003e\n\u003cp\u003eNote that if the identified owner seems suspicious (e.g. a normal user, or one unknown to the administrators), it could indicate that the environment was compromised or backdoored, in which case you should initiate further research and potentially a forensics analysis.\u003c/p\u003e\n\u003ch4\u003eUnsafe permissions\u003c/h4\u003e\n\u003cp\u003eRemove the identified permissions if possible, or reduce their power (e.g. from a \"write\" to a \"read\"). If impossible and if they are legitimate: you can ignore them using the \"Permitted trustees list\" option, but keep in mind that these permissions will remain a potential attack path.\u003c/p\u003e\n\u003cp\u003eNote that if the identified permissions seem suspicious (e.g. granted to a normal user, or overly permissive), it could indicate that the environment was compromised or backdoored, in which case you should initiate further research and potentially a forensics analysis.\u003c/p\u003e\n\u003ch4\u003eUnsafe certificate template configuration\u003c/h4\u003e\n\u003cp\u003eRefer to the reason for the exact misconfiguration of the certificate template. 
Fix it as instructed, or if impossible, ignore it using the \"Certificate templates to whitelist\" option.\u003c/p\u003e\n\u003cp\u003eNote that if the misconfigurations seem suspicious, it could indicate that the environment was compromised or backdoored, in which case you should initiate further research and potentially a forensics analysis.\u003c/p\u003e\n\u003ch4\u003eOID linked to a group\u003c/h4\u003e\n\u003cp\u003eThis setting is a legitimate feature, therefore if you recognize it and rely on it, you can ignore it using the \"Enterprise OIDs to whitelist\" option.\u003c/p\u003e\n\u003cp\u003eNote that otherwise, the usage of this feature is suspicious and could indicate that the environment was backdoored to allow the principal to be a stealth member of the group, in which case you should initiate further research and potentially a forensics analysis.\u003c/p\u003e\n","resources":[{"name":"How to Request a Certificate With a Custom Subject Alternative Name","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff625722(v=ws.10)","type":"hyperlink"},{"name":"Securing Public Key Infrastructure (PKI)","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786443(v=ws.11)","type":"hyperlink"},{"name":"Extended Protection for Authentication","url":"https://msrc-blog.microsoft.com/2009/12/08/extended-protection-for-authentication/","type":"hyperlink"},{"name":"GitHub - Invoke-Leghorn","url":"https://github.com/RemiEscourrou/Invoke-Leghorn","type":"hyperlink"},{"name":"GitHub - PSPKIAudit","url":"https://github.com/GhostPack/PSPKIAudit","type":"hyperlink"}]},"resources":[{"name":"Microsoft ADCS - Abusing PKI in Active Directory Environment","url":"https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/","type":"hyperlink"},{"name":"Certified 
Pre-Owned","url":"https://posts.specterops.io/certified-pre-owned-d95910965cd2","type":"hyperlink"}],"applicable_resource_types":["ad_certification_authority","ad_container","ad_pki_certificate_template","ad_pki_enrollment_service","ad_user","ad_ms_pki_enterprise_oid"],"attacker_known_tools":[{"name":"Certify","url":"https://github.com/GhostPack/Certify","author":null},{"name":"Certipy","url":"https://github.com/ly4k/Certipy","author":null},{"name":"ForgeCert","url":"https://github.com/GhostPack/ForgeCert","author":null}],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":[]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","ja_JP","es_001","ko_KR","zh_CN","zh_TW","fr_FR","en_US"],"tvdb_export_source":{"file_name":"diff-202501110200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PKI-DANG-ACCESS","created_at":"2025-01-11T02:08:17","updated_at":"2025-01-11T02:08:17"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["de","ja","es","ko","zh-CN","zh-TW","fr","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[48]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-GPO-EXEC-SANITY","_score":null,"_source":{"language_code":"en_US","codename":"C-GPO-EXEC-SANITY","name":"GPO Execution Sanity","id":47,"description":"\u003cp\u003eVerifies that the Group Policy Objects (GPOs) applied to domain computers are sane.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eCSEs are 
components that are generally executed with very high privileges on a domain machine during the GPO application. Hence, it is essential to ensure that every \u003cstrong\u003eClient-Side Extension (CSE) contained in a GPO is sane and has been certified by a trusted party\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eIt is also crucial that \u003cstrong\u003eall GPO files retrieved by domain computers originate from a safe place\u003c/strong\u003e, before anything is applied.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eReminders about Group Policy Objects (GPO)\u003c/h4\u003e\n\u003cp\u003eThe compromise of a GPO can lead to the takeover of the targeted users and computers where this GPO is applied.\n\u003cbr\u003eA GPO consists of two parts, the Group Policy Container (GPC) and the files containing configurations and scripts:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe GPC, containing \u003cstrong\u003eGPO-related metadata and attributes\u003c/strong\u003e, is stored in the \u003cstrong\u003eLDAP directory\u003c/strong\u003e at \u003ccode\u003eCN={GPO's GUID},CN=Policies,CN=System,DC=DomainName\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe files containing \u003cstrong\u003econfigurations and scripts\u003c/strong\u003e are stored in the SYSVOL share directory of a distributed file system. 
To ensure security, it's crucial to apply only verified and valid scripts and configurations retrieved from a secure location on domain computers.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eWhen a user has the modification rights on a GPO, they have the ability to change all attributes contained in the GPC object.\n\u003cbr\u003eMonitor the following main \u003cstrong\u003eattributes of the GPC object to ensure the sanity of GPO execution\u003c/strong\u003e, as follows:\u003c/p\u003e\n\u003ch4\u003eGpcMachineExtensionNames and GpcUserExtensionNames attributes - Responsible for the deviances with \"Unknown CSE\" reasons\u003c/h4\u003e\n\u003cp\u003eThe Extension List of a GPC consists of two attributes: GpcMachineExtensionNames and GpcUserExtensionNames. Each attribute is a list of pairs (GUID, GUID) consisting of a GUID that corresponds to a CSE and another GUID.\n\u003cbr\u003eThe \u003cstrong\u003eCSE, identified by a GUID, is a component that domain computers\u003c/strong\u003e execute to apply policies in a GPO from a domain controller. It consists of a \u003cstrong\u003eregistry key paired with a Dynamic Link Library (DLL)\u003c/strong\u003e and executes on the domain computer after retrieving GPO information and files from a domain controller.\n\u003cbr\u003eCSEs in GpcMachineExtensionNames apply \u003cstrong\u003emachine policies using system privileges\u003c/strong\u003e, while CSEs in GpcUserExtensionNames apply \u003cstrong\u003euser policies using a targeted user's privileges\u003c/strong\u003e.\nModifying the Extension List allows adding or removing extensions that execute with high privileges on a machine. An attacker with modification rights on a GPO could add their own CSE to the Extension List and run arbitrary code on a domain computer, even without prior specific privileges. 
They can also use this method to set a backdoor.\n\u003cbr\u003eTenable Identity Exposure authorizes all CSE GUIDs certified by a trusted party such as Microsoft as well as other known GUIDs. \u003cstrong\u003eIt raises a deviance for any unrecognized CSE GUID that may be dangerous and requires examination\u003c/strong\u003e. You can whitelist known and harmless CSEs in the IoE options.\u003c/p\u003e\n\u003ch4\u003eGpcFileSysPath attribute - Responsible for the deviances with \"Dangerous SYSVOL Path\" reasons\u003c/h4\u003e\n\u003cp\u003eThe GpcFileSysPath attribute indicates the \u003cstrong\u003eSYSVOL\u003c/strong\u003e path where GPO files are stored, usually following the format \u003ccode\u003e\\\\[DCName or DomainName]\\SYSVOL\\[DomainName]\\Policies\\[GpoGuid]\u003c/code\u003e. All domain controllers in the domain share this SYSVOL directory.\n\u003cbr\u003eIf the GpcFileSysPath attribute does not follow the expected format, it indicates that the GPO files may be stored in an unsafe share and this \u003cstrong\u003etriggers a deviance\u003c/strong\u003e. To guard against the MS15-011 vulnerability, Microsoft introduced the \"hardened UNC path\" or \"UNC Hardened Access\" feature, which offers additional protection for shares named SYSVOL or NETLOGON. 
Using a custom share with a different name will prevent this feature's automatic protection of domain computers by default.\n\u003cbr\u003eAn attacker with modification rights on a GPO could also change this attribute to point towards their own network share, where they store \u003cstrong\u003emalicious scripts and configuration files that they can execute with potentially high privileges on the targeted domain computer\u003c/strong\u003e.\n\u003cbr\u003eIf the path is confirmed as safe, you can manually whitelist it in the IoE options.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Verify CSEs and the Execution Path","description":"Only verified and secured CSEs should be applied on a domain computer. The GpcFileSysPath should point towards a safe location.","exec_summary":"\u003cp\u003eYou should remove unknown CSEs that are considered dangerous or add them to the whitelist if you accept the risk.\nThe GpcFileSysPath attribute should point towards a safe location such as the SYSVOL share.\u003c/p\u003e\n","detail":"\u003ch4\u003eThe \"Unknown CSE\" reason\u003c/h4\u003e\n\u003cul\u003e\n\u003cli\u003eWhen Tenable Identity Exposure raises a deviance for an \u003ccode\u003eUnknown CSE\u003c/code\u003e reason, you should verify the Client-Side Extensions of the targeted GPO to ensure that they are harmless. If you find a dangerous CSE, remove it promptly and investigate the context for its presence.\u003c/li\u003e\n\u003cli\u003eHowever, if a harmless CSE triggers a deviance, you can manually whitelist its GUID.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eThe \"Dangerous SYSVOL share path\" reason\u003c/h4\u003e\n\u003cul\u003e\n\u003cli\u003eWhen Tenable Identity Exposure raises a deviance for a \u003ccode\u003eDangerous SYSVOL share path\u003c/code\u003e reason, verify the path for the \u003ccode\u003eGpcFileSysPath\u003c/code\u003e attribute of the corresponding GPO. 
This path should point to a known trusted and safe location.\u003c/li\u003e\n\u003cli\u003eIf this path is dangerous, modify it to point towards:\u003cul\u003e\n\u003cli\u003ethe \u003ccode\u003e\\\\[DomainName]\\SYSVOL\\[DomainName]\\Policies\\[GpoGuid]\u003c/code\u003e path, which is by default \u003cstrong\u003ethe most secure path leading to the SYSVOL share\u003c/strong\u003e (see the resources for more information on this format).\u003c/li\u003e\n\u003cli\u003eanother \u003cstrong\u003esecure and controlled\u003c/strong\u003e location.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eYou can whitelist trusted paths in the IoE options.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eAdditional precautions\u003c/h4\u003e\n\u003cp\u003eRegularly verify the modification rights on each GPO. Remove these rights from users who do not need them.\u003c/p\u003e\n","resources":[{"name":"This page describes the different types of valid GUIDs, with more information on the B format","url":"https://learn.microsoft.com/en-us/dotnet/api/system.guid.tryparse?view=net-5.0","type":"hyperlink"},{"name":"GPO audit (in French)","url":"https://www.sstic.org/media/SSTIC2019/SSTIC-actes/audit-gpo/SSTIC2019-Article-audit-gpo-bordes.pdf","type":"hyperlink"}]},"resources":[{"name":"Microsoft Open Specification on Group Policy Object","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpod/b724bd91-e224-4524-b752-5f810a0cc071","type":"hyperlink"},{"name":"Microsoft Open Specification on Client-Side Extension","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpod/896f59a5-5b72-4fb5-b1d4-8d007fdd6cb3","type":"hyperlink"},{"name":"Additional explanations about GPOs and their dangers","url":"https://adsecurity.org/?p=2716","type":"hyperlink"},{"name":"MS15-011 bulletin regarding \"UNC Hardened 
Access\"","url":"https://support.microsoft.com/en-us/topic/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10-2015-91b4bda2-945d-455b-ebbb-01d1ec191328","type":"hyperlink"},{"name":"GPOddity: exploiting Active Directory GPOs through NTLM relaying, and more!","url":"https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more","type":"hyperlink"},{"name":"Sending GPOs Down the Wrong Track-Redirecting the GPT","url":"https://sdmsoftware.com/security-related/sending-gpos-down-the-wrong-track-redirecting-the-gpt/","type":"hyperlink"},{"name":"Exploiting AD gpLink for Good or Evil","url":"https://markgamache.blogspot.com/2020/07/exploiting-ad-gplink-for-good-or-evil.html","type":"hyperlink"}],"applicable_resource_types":["ad_gpc"],"attacker_known_tools":[{"name":"GPOddity","url":"https://github.com/synacktiv/GPOddity","author":"Synacktiv"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":[]},{"tactic":"TA0008 - Lateral Movement","techniques":[]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","zh_CN","ko_KR","fr_FR","es_001","zh_TW","ja_JP","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-GPO-EXEC-SANITY","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["de","zh-CN","ko","fr","es","zh-TW","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]},{"tactic":{"id":"TA0008","name":"Lateral 
Movement","url":"https://attack.mitre.org/tactics/TA0008/"},"techniques":[]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[47]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-ADMIN-RESTRICT-AUTH","_score":null,"_source":{"language_code":"en_US","codename":"C-ADMIN-RESTRICT-AUTH","name":"Logon Restrictions for Privileged Users","id":46,"description":"\u003cp\u003eChecks for privileged users who can connect to less privileged machines leading to a risk of credential theft.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eCredentials of a user logging onto a machine are often exposed in-memory, allowing malware to steal them and impersonate the user. \u003cstrong\u003ePrivileged users\u003c/strong\u003e with access to sensitive business data \u003cstrong\u003eshould only connect to secure, trusted machines\u003c/strong\u003e to minimize identity theft risk. \u003cstrong\u003eTechnical measures\u003c/strong\u003e exist to enforce this rule, and this Indicator of Exposure verifies their implementation.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eWhen a user authenticates to a Windows machine using a non-network logon (logon type other than 3, typically used with remote MMC console), their credentials, including password, NTLM hash, or Kerberos TGT ticket, are transferred and stored in the LSASS process memory. This allows for Single Sign-On on Windows and easy connections to other machines without re-entering the password. However, if an attacker or malware compromises the machine, they can use hacking tools like \u003cem\u003emimikatz\u003c/em\u003e to \u003cstrong\u003esteal the credentials\u003c/strong\u003e and \u003cstrong\u003eimpersonate the user to gain their privileges\u003c/strong\u003e. 
\u003cem\u003eBloodHound\u003c/em\u003e is another tool that massively identifies machines where privileged users have sessions, making them targets for credential theft.\n\u003cbr\u003e\"OS Credential Dumping (T1003)\" and \"Steal or Forge Kerberos Tickets (T1558)\", from MITRE ATT\u0026amp;CK knowledge base, are common credential theft techniques, observed in \u003cstrong\u003ehuman-operated ransomware attacks\u003c/strong\u003e and \u003cstrong\u003emalware like \u003cem\u003eNotPetya\u003c/em\u003e\u003c/strong\u003e. These techniques allow attackers to move laterally through systems, using stolen identities to reach their goals of compromising Active Directory, deploying ransomware, leaking sensitive data, or disrupting business processes. Unfortunately, there is \u003cstrong\u003eno perfect solution to mitigate credential theft\u003c/strong\u003e, as you can no longer trust compromised machines even with added security measures such as OS hardening or antivirus/EDR.\n\u003cbr\u003eTo counter this risk, organizations should use a 3-tier model to organize assets, which are machines, users, and software. Tiers are also known as \"layers\" or \"zones\", a distinct concept from the three-tier architecture used for Web applications:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cem\u003eTier 0\u003c/em\u003e (or \"red zone\") is the most critical tier with assets that can have a significant technical impact on the information system. Seizing control of just one of these assets can compromise the entire organization. It includes AD domain controllers and domain administrators (including their workstations). Tier 0 also includes other AD administrators in built-in groups (e.g. \"Server Operators\", etc.) 
with indirect rights similar to domain administrators, and Microsoft Exchange servers with full domain control (except in rare cases that use the \"split permissions\" model).\u003c/li\u003e\n\u003cli\u003e\u003cem\u003eTier 1\u003c/em\u003e (or \"yellow zone\"): This tier typically holds normal servers, applications, and business data. Their compromise poses a risk to one part of the organization (business data), but not everything.\u003c/li\u003e\n\u003cli\u003e\u003cem\u003eTier 2\u003c/em\u003e (or \"green zone\"): This tier typically contains workstations and end-user devices with a limited impact if compromised.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAfter defining the model, assign privileged/admin accounts to each tier, and restrict them to only logging on to devices in their respective tiers. Explicitly prohibit lower-tier logons. For instance, Domain Admins, who are typically Tier 0, must only connect to domain controllers or their Privileged Access Workstations (PAWs), and not to application servers or normal workstations. This approach ensures that they do not expose their credentials to lower-trust machines.\n\u003cbr\u003eTo enforce rules in day-to-day operations, \u003cstrong\u003erestrict logons (even accidental) to prevent lower tier access\u003c/strong\u003e. This IoE implements three methods and verifies that at least one restricts authentication for each privileged user to each non-privileged machine. This IoE considers as privileged the same users as other IoEs. It checks all non-Tier 0 machines (all machines except domain controllers). 
Use the IoE customization options to whitelist other legitimate Tier 0 machines such as Privileged Access Workstations / PAWs.\n\u003cbr\u003eHere are \u003cstrong\u003ethree different ways to deny authentication\u003c/strong\u003e to a machine that this IoE checks.\u003c/p\u003e\n\u003ch2\u003eUser-Workstations\u003c/h2\u003e\n\u003cp\u003eThe UserWorkstations User object attribute corresponds to the values set for the \"Log On To...\" button under the \"Account\" tab for that user's properties in the \"Active Directory Users and Computers\" tool. The default \"All computers\" option has no restrictions, while the option \"The following computers\" with a list of NETBIOS or DNS names allows the user to connect only to those machines. However, Microsoft strongly advises against using this attribute due to its unreliability and limited support only up to Windows 10 20H2 and Windows Server 2019. As a result, this IoE identifies the privileged users who still use it.\u003c/p\u003e\n\u003ch2\u003eUser rights assignment\u003c/h2\u003e\n\u003cp\u003eWindows has various user rights for managing authentication, including batch, service, local/interactive, remote/interactive (RDP), and network logons:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBatch logon: Scheduled task with explicit credentials\u003c/li\u003e\n\u003cli\u003eService logon: Windows service with explicit credentials\u003c/li\u003e\n\u003cli\u003eLocal logon or Interactive logon: Classic Windows session opening from the local machine's logon screen\u003c/li\u003e\n\u003cli\u003eRemote (interactive) logon or RDP logon: Windows session opening on a remote machine using Remote Desktop Protocol or Remote Desktop Services\u003c/li\u003e\n\u003cli\u003eNetwork logon: Mounting a network share and usage of Remote Procedure Calls (RPC).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eEach type of logon has rights to \"allow\" (default for some users or groups) and \"deny\" (empty by default), but the deny rights take 
priority when both are defined. This IOE focuses only on deny rights.\u003c/p\u003e\n\u003cp\u003eDeny privileged users all logon types since each type poses a risk. \u003cstrong\u003eThe IoE monitors for any remaining allowed logon types and raises a deviance if it detects any\u003c/strong\u003e. Tenable Identity Exposure cannot collect deny rights defined in the machines' local security policy, so the IoE relies only on user rights assignments defined using GPOs, and recommends using GPOs to ensure a reliable and consistent application of security parameters. The IoE checks if there is a GPO (for each domain) denying at least one of the five user rights assignments to the \"Domain Admins\" group (directly and not through indirect group membership), enabled and linked to at least one location. If such a GPO does not exist, the IoE raises a single \"Lack of GPO for restricting the authentication of privileged users on lower tier machines\" deviance for the domain, and it does not perform a precise analysis of which privileged users can connect to which computers.\u003c/p\u003e\n\u003ch2\u003eSelective authentication\u003c/h2\u003e\n\u003cp\u003eTrusted domain users can connect to machines in the trusting domain by default since \"Authenticated Users\" group has this right. Even when crossing a trust, remote users are still part of this group. This puts privileged users in the trusted domain at risk of exposing their credentials to attackers in the trusting domains.\n\u003cbr\u003eFor inter-forest trusts (\"forest\" and \"external\" trust types, but not \"parent-child\" which are intra-forest trusts), applying the \"selective authentication\" flag on the side of the trusting domain can disable the default behavior of allowing trusted domain users to connect to machines in the trusting domain. This removes the \"Authenticated Users\" group and assigns the OTHER_ORGANIZATION (S-1-5-1000) group instead of THIS_ORGANIZATION (S-1-5-15) in their access tokens. 
Specific users/groups from the trusted domain must then have the \u003ccode\u003eAllowed to authenticate\u003c/code\u003e extended right to connect to particular machines in the trusting domain on a per-machine basis.\n\u003cbr\u003eThis IoE verifies whether selective authentication is enabled on a trust, and if so, it verifies on each machine to see if there is an extended right that would return access to each privileged user.\u003c/p\u003e\n\u003ch4\u003eHow this IoE works\u003c/h4\u003e\n\u003cp\u003eThe IoE checks if there is a GPO (for each domain) denying at least one of the five user rights assignments to the \"Domain Admins\" group (directly and not through indirect group membership), enabled and linked to at least one location. If found, it proceeds to analyze all computers and privileged users; otherwise, it reports a global \"Lack of GPO for restricting the authentication of privileged users on lower tier machines\" deviance.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Implement Logon Restrictions for Privileged Users","description":"Define the tier model, then implement technical controls to ensure logon restrictions for privileged users are enforced.","exec_summary":"\u003cp\u003eTo increase the difficulty for attackers and malware to steal privileged identities and their associated permissions, privileged users should only connect to trusted machines. After determining privileged users and trusted machines using a \"tier model,\" implement technical measures to enforce logon restrictions for privileged users during day-to-day operations, even in the event of a mistake.\u003c/p\u003e\n","detail":"\u003ch4\u003eDefine a secure administration model\u003c/h4\u003e\n\u003cp\u003eTo establish a secure administration model, start by designing an organizational-level \u003cstrong\u003etier model\u003c/strong\u003e, as Microsoft called it previously when it was focused on Active Directory and on-premises resources. 
Microsoft's new \"\u003cstrong\u003esecuring privileged access\u003c/strong\u003e\" guidance, released in 2020, includes the Cloud (identity providers such as Microsoft Entra ID or services such as Azure) and may appear complex. However, the fundamental principles still apply: prevent privileged accounts from logging in to non-privileged systems to limit exposure of privileged credentials.\n\u003cbr\u003eAdministrators of privileged resources must use dedicated, hardened workstations known as \"privileged access workstations\" (PAWs).\n\u003cbr\u003eImplementing this model for all IT operations can be challenging and time-consuming, but it does not necessitate significant technical resources. While it may require investment in time and money, the \u003cstrong\u003ebenefits are worthwhile\u003c/strong\u003e and include \u003cstrong\u003eprevention of ransomware attacks\u003c/strong\u003e, corporate espionage, and business disruptions. Microsoft, national (cyber)security agencies, and IT auditors highly recommend this approach.\u003c/p\u003e\n\u003ch4\u003eEnforce the model by implementing logon restrictions\u003c/h4\u003e\n\u003cp\u003eAfter your organization defines and widely accepts the model, \u003cstrong\u003eenforce it with technical measures\u003c/strong\u003e to get the return on investment. For instance, allow Tier 0 administrators to log on only to Tier 0 servers, such as domain controllers and their Privileged Access Workstation, and deny them access to Tier 1 or Tier 2 machines.\n\u003cbr\u003eAvoid using the deprecated \"User-Workstations\" attribute per Microsoft's recommendation. 
If \"selective authentication\" is not already enabled, Tenable does not advise enabling it solely for this purpose.\n\u003cbr\u003eInstead, \u003cstrong\u003euse deny user rights assignments\u003c/strong\u003e via GPO:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDeny log on as a batch job\u003c/li\u003e\n\u003cli\u003eDeny log on as a service\u003c/li\u003e\n\u003cli\u003eDeny log on locally\u003c/li\u003e\n\u003cli\u003eDeny log on through Remote Desktop Services\u003c/li\u003e\n\u003cli\u003eDeny access to this computer from the network\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eExample: To protect Domain Administrators who are Tier 0, follow Microsoft's recommendation by \u003cstrong\u003ecreating a GPO to deny all rights\u003c/strong\u003e (found in \u003ccode\u003eComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignments\u003c/code\u003e) for the \u003ccode\u003eDomain Admins\u003c/code\u003e groups of all domains, and link it to Organizational Units containing all Tier 1 and Tier 2 machines. Be careful not to link it to OUs containing Tier 0 machines to avoid losing access. Additionally, you can set this security GPO as Enforced to prevent other GPOs defined at lower OU levels from overwriting the deny rights.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eCreating this GPO triggers the IoE's precise analysis mode for the relevant domain\u003c/em\u003e for better visibility on the optimal locations to implement access restrictions.\n\u003cbr\u003eTo ensure that this GPO only applies to non-Tier 0 machines, use the following methods:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eReorganize the AD hierarchy by introducing three top-level Organizational Units: \"Tier 0\", \"Tier 1\" and \"Tier 2\", and move objects (devices, users, groups, etc.) below the corresponding tier. 
Note that moving objects in AD may have side-effects.\u003c/li\u003e\n\u003cli\u003eFocus on securing Tier 0 initially by creating a single \"Tier 0\" Organizational Unit, which reduces the number of assets to move.\u003c/li\u003e\n\u003cli\u003eTo avoid moving AD objects or changing the AD hierarchy, create and link denial GPOs at the root level and use GPO security filtering to avoid applying some GPOs to non-relevant machines. Create AD groups for each level of assets and keep them updated.\n For instance, you have the option to establish a GPO that restricts the five rights for \"Tier0-Users\" and link it at the highest root level. However, it is essential to employ security filtering before linking the GPO to ensure that the GPO and its settings do not apply to \"Tier0-Computers.\" Failure to do so would prevent Domain Admins from logging on to domain controllers.\n When initially focusing the security efforts on Tier 0, you can create and update the \"Tier0-Users\" and \"Tier0-Computers\" groups exclusively. For detailed information, consult the linked resource \"Initially Isolate Tier 0 Assets with Group Policy to Start Administrative Tiering\".\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote: Computers in the default \"Computers\" container at the root of the domain cannot have a GPO linked to it because it is a Container and not an Organizational Unit. 
As a result, it is best practice to move them to a proper Organizational Unit.\n\u003cbr\u003eMature organizations can consider \"Authentication Silos\" and \"Authentication Policies\" introduced with Windows 2012 R2, which centrally declare isolation tiers (called \"silos\").\u003c/p\u003e\n\u003ch4\u003eTroubleshooting\u003c/h4\u003e\n\u003cul\u003e\n\u003cli\u003eWhat to do if the IoE reports several deviances regarding a \"Privileged user can log on to lower tier machines (across a trust)\"?\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e Create a denial GPO that applies to all computers in the containers shown in the deviance, blocking all five user rights either directly or through group membership. Ensure the GPO is enabled and linked at a high-level in the hierarchy without any Organizational Units blocking GPO inheritance. If there are any blocking Organizational Units, explicitly link the GPO to them or set it as Enforced.\n \u003cbr\u003e Note: Computers in the default \"Computers\" container at the root of the domain cannot have a GPO linked to it because it is a Container and not an Organizational Unit. 
As a result, it is best practice to move them to a proper Organizational Unit.\u003c/p\u003e\n","resources":[{"name":"Securing privileged access model","url":"https://learn.microsoft.com/en-us/security/compass/overview","type":"hyperlink"},{"name":"Securing privileged access model (evolution from the legacy AD Tier model)","url":"https://learn.microsoft.com/en-us/security/compass/privileged-access-access-model#evolution-from-the-legacy-ad-tier-model","type":"hyperlink"},{"name":"Mitigating Pass The Hash attacks \"Architect a credential theft defense\"","url":"https://download.microsoft.com/download/7/7/a/77abc5bd-8320-41af-863c-6ecfb10cb4b9/mitigating-pass-the-hash-attacks-and-other-credential-theft-version-2.pdf#page=14","type":"hyperlink"},{"name":"Securing Domain Admins Groups in Active Directory","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory#appendix-f-securing-domain-admins-groups-in-active-directory-1","type":"hyperlink"},{"name":"Initially Isolate Tier 0 Assets with Group Policy to Start Administrative Tiering","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/initially-isolate-tier-0-assets-with-group-policy-to-start/ba-p/1184934","type":"hyperlink"},{"name":"Secure system administration","url":"https://www.ncsc.gov.uk/collection/secure-system-administration/risk-manage-administration-using-tiers","type":"hyperlink"},{"name":"L'administration en silo [French only]","url":"https://www.sstic.org/2017/presentation/administration_en_silo/","type":"hyperlink"},{"name":"User right: Deny log on as a batch job (SeDenyBatchLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job","type":"hyperlink"},{"name":"User right: Deny log on as a service 
(SeDenyServiceLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service","type":"hyperlink"},{"name":"User right: Deny log on locally (SeDenyInteractiveLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally","type":"hyperlink"},{"name":"User right: Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services","type":"hyperlink"},{"name":"User right: Deny access to this computer from the network (SeDenyNetworkLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network","type":"hyperlink"},{"name":"Authentication Policies and Authentication Policy Silos","url":"https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos","type":"hyperlink"}]},"resources":[{"name":"User-Workstations deprecation notice","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/a-userworkstations","type":"hyperlink"},{"name":"User right: Deny log on as a batch job (SeDenyBatchLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job","type":"hyperlink"},{"name":"User right: Deny log on as a service (SeDenyServiceLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service","type":"hyperlink"},{"name":"User right: Deny log on locally (SeDenyInteractiveLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally","type":"hyperlink"},{"name":"User 
right: Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services","type":"hyperlink"},{"name":"User right: Deny access to this computer from the network (SeDenyNetworkLogonRight)","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network","type":"hyperlink"},{"name":"Description of Selective Authentication (introduced by Windows 2003)","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)#selective-authentication","type":"hyperlink"},{"name":"How selective authentication affects domain controller behavior","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)#how-selective-authentication-affects-domain-controller-behavior","type":"hyperlink"},{"name":"Allowed-To-Authenticate extended right","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/r-allowed-to-authenticate","type":"hyperlink"}],"applicable_resource_types":["ad_container","ad_ou","ad_root_domain","ad_user"],"attacker_known_tools":[{"name":"Mimikatz","url":"https://github.com/gentilkiwi/mimikatz","author":"Benjamin Delpy"},{"name":"BloodHound","url":"https://github.com/BloodHoundAD/BloodHound/","author":"Andrew Robbins (@_wald0), Rohan Vazarkar (@CptJesus), Will Schroeder (@harmj0y)"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["de_DE","zh_CN","ja_JP","es_001","zh_TW","fr_FR","ko_KR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-ADMIN-RESTRICT-AUTH","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["de","zh-CN","ja","es","zh-TW","fr","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[46]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-NETLOGON-SECURITY","_score":null,"_source":{"language_code":"en_US","codename":"C-NETLOGON-SECURITY","name":"Unsecured Configuration of Netlogon Protocol","id":45,"description":"\u003cp\u003eCVE-2020-1472 (\"Zerologon\") affects Netlogon protocol and allows elevation of privilege\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eThe vulnerability described by CVE-2020-1472 (\"Zerologon\") allows an unauthenticated attacker to connect to a domain controller to obtain domain administrator access.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe Netlogon Remote Protocol is a \u003cem\u003eRemote Procedure Call\u003c/em\u003e (RPC) interface used for user and machine authentication in domain-based networks. It discovers and manages relationships between domain members and the domain controller (DC), among DCs in a domain, and between DCs across domains.\n\u003cbr\u003eCVE-2020-1472, also known as \"Zerologon\", revealed that it was possible for an unauthenticated attacker to abuse the non-secure authentication method of the Netlogon protocol.\nAs a consequence, this could result in the takeover of a domain controller by an attacker. 
This security issue was resolved in two phases by Microsoft:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e[\u003cstrong\u003eInitial Deployment Phase\u003c/strong\u003e] Updates released on 08/11/2020 (MM/DD/YYYY format)\u003c/li\u003e\n\u003cli\u003e[\u003cstrong\u003eEnforcement Phase\u003c/strong\u003e] Updates released on 02/09/2021\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe first updates of 08/11/2020 bring changes to the Netlogon protocol to protect Windows devices by default:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eEnforces secure RPC usage for machine accounts on Windows based devices.\u003c/li\u003e\n\u003cli\u003eEnforces secure RPC usage for trust accounts.\u003c/li\u003e\n\u003cli\u003eEnforces secure RPC usage for all Windows and non-Windows DCs.\u003c/li\u003e\n\u003cli\u003eIncludes a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection.\u003c/li\u003e\n\u003cli\u003eFullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts (enforcement phase will update DCs to DC enforcement mode).\u003c/li\u003e\n\u003cli\u003eIncludes new events when accounts are denied or would be denied in the DC enforcement mode (and will continue in the Enforcement phase).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eEnforce the use of secure RPCs immediately after the 08/11/2020 updates deployment (obsolete nowadays)\u003c/h4\u003e\n\u003cp\u003eSecure RPC usage can be enforced between DCs and devices that are \u003cstrong\u003enot running Windows\u003c/strong\u003e by adding the following registry key on all 
DCs:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eRegistry subkey\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eValue\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eFullSecureChannelProtection\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eData type\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eREG_DWORD\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eData\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e1\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eReboot required?\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e\n\u003cp\u003eNB: This parameter has been \u003cstrong\u003edefinitively\u003c/strong\u003e enabled since the 02/09/2021 updates, even if this registry key does not exist.\n\u003cbr\u003eThis IOE can check if the registry key is set by GPO with a dedicated option. It doesn't check it by default and considers that the 02/09/2021 updates have been applied.\u003c/p\u003e\n\u003ch4\u003eMachine accounts allowed to use \u003cstrong\u003eunsecure\u003c/strong\u003e RPC\u003c/h4\u003e\n\u003cp\u003eThis IOE checks that no groups have been added as an exception. However, this check can be relaxed with an IOE's option to indicate which groups are legitimate.\u003c/p\u003e\n\u003ch4\u003eApply the registry key only on DCs\u003c/h4\u003e\n\u003cp\u003eThis IOE checks that registry key is defined in a GPO that applies to all DCs. 
The domain might be vulnerable if one of the DCs allows vulnerable connections.\u003c/p\u003e\n\u003ch4\u003eApply the registry key to all the domains in the forest\u003c/h4\u003e\n\u003cp\u003eThis IOE checks that the registry key is positioned within all domains belonging to the same forest. The forest remains vulnerable if one of its domains allows vulnerable connections.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Deploy the registry key","description":"Secure RPC should be mandatory within the forest","exec_summary":"\u003cp\u003eThe registry key that forces secure RPC calls for Netlogon protocol should be applied on all DCs in the forest.\u003c/p\u003e\n","detail":"\u003cp\u003eThe protection measures added by the 08/11/2020 (MM/DD/YYYY format) updates must be applied so that no DC in the same forest allows vulnerable Netlogon connections. The procedure is described below:\u003c/p\u003e\n\u003ch4\u003eDeploy the 08/11/2020 updates\u003c/h4\u003e\n\u003cp\u003eThose updates need to be deployed on all the DCs to provide AD forest protection. This includes read-only domain controllers (RODCs). After these updates, domain controllers can:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eEnforce secure RPC usage for machine accounts on Windows based devices, trust accounts, and all Windows and non-Windows DCs.\u003c/li\u003e\n\u003cli\u003eUse new event IDs 5827 and 5828 in the system event log, if connections are denied.\u003c/li\u003e\n\u003cli\u003eUse new event IDs 5830 and 5831 in the system event log, if connections are allowed by \u003cem\u003eDomain controller: Allow vulnerable Netlogon secure channel connections\u003c/em\u003e group policy.\u003c/li\u003e\n\u003cli\u003eUse new event ID 5829 in the system event log whenever a vulnerable Netlogon secure channel connection is allowed. 
\u003cstrong\u003eThese events should be addressed before the DC enforcement mode is configured (set the registry key) or before the enforcement phase starts on February 9, 2021.\u003c/strong\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eDetecting non-compliant devices using event ID 5829\u003c/h4\u003e\n\u003cp\u003eAfter the 08/11/2020 updates, event ID 5829 can be collected from the DCs' logs to determine which devices are using vulnerable Netlogon secure channel connections as mentioned in the CVE-2020-1472 (\"Zerologon\").\nThe events will include relevant information for identifying the non-compliant devices. Microsoft has published a script to monitor them (see resources at the bottom of the page).\u003c/p\u003e\n\u003ch4\u003eAddressing event IDs 5827 and 5828\u003c/h4\u003e\n\u003cp\u003eThose events should not refer to a device running a supported version of Windows. If one of these events is logged in the system event log for a Windows device, please check two points:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eEnsure the device is fully updated.\u003c/li\u003e\n\u003cli\u003eCheck to ensure that GPO \u003cstrong\u003eDomain member: Digitally encrypt or sign secure channel data (always)\u003c/strong\u003e is set to Enabled.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor non-Windows devices acting as a DC:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eIf the non-compliant DC supports secure RPC with Netlogon secure channel, then enable secure RPC on the DC.\u003c/li\u003e\n\u003cli\u003eIf the non-compliant DC \u003cstrong\u003edoes not\u003c/strong\u003e currently support secure RPC, work with the device manufacturer (OEM) or software vendor to get an update that supports secure RPC with Netlogon secure channel.\u003c/li\u003e\n\u003cli\u003eRetire the non-compliant DC.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf this non-compliant DC cannot be retired, add the DC machine account to a dedicated group. 
This group could be added to a whitelist in the \u003cem\u003eDomain controller: Allow vulnerable Netlogon secure channel connections\u003c/em\u003e group policy.\n\u003cstrong\u003eWarning, allowing DCs to use vulnerable connections by the group policy will make the forest vulnerable to attack.\u003c/strong\u003e The end goal should be to address and remove all accounts from this group policy.\u003c/p\u003e\n\u003ch4\u003eAddressing event 5829\u003c/h4\u003e\n\u003cp\u003eThis event ID can be found on DCs system event log when a vulnerable connection is allowed during the \u003cstrong\u003einitial deployment phase\u003c/strong\u003e (after the 08/11/2020 updates). These connections will be denied when DCs are in enforcement mode (after the 02/09/2021 updates or after setting the registry key in advance).\n\u003cbr\u003eFollow the steps below to fix the issue:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eIf the non-compliant device supports secure RPC with Netlogon secure channel, then enable secure RPC on the device.\u003c/li\u003e\n\u003cli\u003eIf the non-compliant device \u003cstrong\u003edoes not\u003c/strong\u003e currently support secure RPC with Netlogon secure channel, work with the device manufacturer or software vendor to get an update that allows secure RPC with Netlogon secure channel to be enabled.\u003c/li\u003e\n\u003cli\u003eRetire the non-compliant device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf this non-compliant device cannot be retired, add the machine account to a dedicated group. 
This group could be added to a whitelist in the \"Domain controller: Allow vulnerable Netlogon secure channel connections\" group policy.\n\u003cstrong\u003eWarning, allowing device accounts to use vulnerable connections by the group policy will make the forest vulnerable to attack.\u003c/strong\u003e The end goal should be to address and remove all accounts from this group policy.\u003c/p\u003e\n\u003ch4\u003eSetting up exceptions\u003c/h4\u003e\n\u003cp\u003eAll machines that cannot immediately use secure RPC calls with Netlogon must be a member of a group that lists those machine accounts. Here is the procedure:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCreate one or more security groups for the accounts that will be allowed to use a vulnerable Netlogon secure channel.\u003c/li\u003e\n\u003cli\u003eIn Group Policy, go to Computer Configuration \u0026gt; Windows Settings \u0026gt; Security Settings \u0026gt; Local Policies \u0026gt; Security Options\u003c/li\u003e\n\u003cli\u003eSearch for \u003cem\u003eDomain controller: Allow vulnerable Netlogon secure channel connections\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eAdd the group created in the first step and tick the \"Allow\" permission.\u003c/li\u003e\n\u003cli\u003eOnce the group is added, the group policy must replicate to every DC.\u003c/li\u003e\n\u003cli\u003ePeriodically, monitor event IDs 5827, 5828 and 5829 to determine which accounts are using vulnerable secure channel connections.\u003c/li\u003e\n\u003cli\u003eAdd those machine accounts to the security group as needed (cf. 
first step).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eMoving to enforcement mode if 02/09/2021 updates have not been deployed (obsolete nowadays)\u003c/h4\u003e\n\u003cp\u003eAfter all non-compliant devices have been addressed, it is recommended to apply security changes brought by the 08/11/2020 updates to the Netlogon protocol to protect the forest:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCreate a new GPO or use one which is linked to the \u003cem\u003eDomain Controllers\u003c/em\u003e OU.\u003c/li\u003e\n\u003cli\u003eDeploy the registry key.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eAction\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eUpdate\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eRegistry subkey\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eValue\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eFullSecureChannelProtection\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eData type\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eREG_DWORD\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eData\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e1\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e\n\u003cp\u003eIf this key is deployed, it must be deployed for all DCs of the forest.\u003c/p\u003e\n\u003ch4\u003eDeploy the 02/09/2021 updates\u003c/h4\u003e\n\u003cp\u003eAfter this update, DCs will be in enforcement mode. 
DC enforcement mode is similar to deploy the \u003cem\u003eFullSecureChannelProtection\u003c/em\u003e registry key before this update.\nThis means DCs will deny vulnerable connections from all non-compliant devices, unless they have been added to the whitelist as described in the \u003cstrong\u003eSetting up exceptions\u003c/strong\u003e section.\n\u003cbr\u003eAt this time, the FullSecureChannelProtection registry key is no longer needed and will no longer be supported.\nIf this key is no longer deployed on the DCs, please configure the IOE option to confirm the right updates have been applied on all the DCs.\u003c/p\u003e\n","resources":[{"name":"CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability","url":"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472","type":"hyperlink"},{"name":"How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472","url":"https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e","type":"hyperlink"},{"name":"Script to help in monitoring event IDs related to changes in Netlogon secure channel connections associated with CVE-2020-1472","url":"https://support.microsoft.com/en-us/topic/script-to-help-in-monitoring-event-ids-related-to-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-26434ae1-f9b9-90a0-cd0a-cfae9c5b2494","type":"hyperlink"}]},"resources":[{"name":"CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability","url":"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472","type":"hyperlink"},{"name":"How to manage the changes in Netlogon secure channel connections associated with 
CVE-2020-1472","url":"https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e","type":"hyperlink"},{"name":"[MS-NRPC]: Netlogon Remote Protocol","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f","type":"hyperlink"},{"name":"[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)","url":"https://www.secura.com/blog/zero-logon","type":"hyperlink"}],"applicable_resource_types":["ad_gpo_preferences","ad_gpt_tmpl"],"attacker_known_tools":[{"name":"CVE-2020-1472 POC","url":"https://github.com/dirkjanm/CVE-2020-1472","author":"Dirk-jan Mollema"},{"name":"Mimikatz - LsaDump Zerologon","url":"https://github.com/gentilkiwi/mimikatz","author":"Benjamin Delpy"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0008 - Lateral Movement","techniques":["T1210 - Exploitation of Remote Services"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ja_JP","fr_FR","zh_CN","de_DE","ko_KR","zh_TW","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-NETLOGON-SECURITY","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["ja","fr","zh-CN","de","ko","zh-TW","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008/"},"techniques":[{"id":"T1210","name":"Exploitation of Remote 
Services","url":"https://attack.mitre.org/techniques/T1210/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[45]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-CREDENTIAL-ROAMING","_score":null,"_source":{"language_code":"en_US","codename":"C-CREDENTIAL-ROAMING","name":"Vulnerable Credential Roaming Related Attributes","id":44,"description":"\u003cp\u003eCredential roaming attributes are vulnerable, making the related user protected secrets readable by an attacker.\u003c/p\u003e\n","criticity":"low","exec_summary":"\u003cp\u003e\"Credential roaming\" is the mechanism that allows a user to access their secrets across computers on the domain. The Active Directory stores the credentials and protects them using a key derived from the user's password and a key stored in the ms-PKI-DPAPIMasterKeys attribute, which is encrypted with a secret backup key. However, if an unprivileged user controls these credentials and the backup key, the user's secrets become vulnerable.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eA specific set of cryptographic materials, such as certificates or secret keys, is often necessary for cryptographic operations. Although users can create these secrets in their profiles when connecting to a new computer, deleting the profile can result in loss of access to the protected data. 
To solve this issue, the credential roaming mechanism moves the cryptographic material along with the user, and the Active Directory database stores the secrets to enable this process.\n\u003cbr\u003eTo maintain the system's security, it is crucial to safeguard specific attributes, including:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ems-PKI-AccountCredentials\u003c/li\u003e\n\u003cli\u003ems-PKI-DPAPIMasterKeys\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe ms-PKI-AccountCredentials stores the cryptographic material, which is encrypted with a key derived from the user's password.\n\u003cbr\u003eThe ms-PKI-DPAPIMasterKeys attribute encrypts another copy of this material and applies when the user changes their password.\n\u003cbr\u003eIf an attacker can read both attributes and retrieve the Active Directory backup key, they can potentially decrypt sensitive data. In addition, write access would allow the attacker to deny the victim access to their data. If the attacker takes ownership of this object, they can grant themselves rights to those attributes and gain control over the data.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Proper Access Rights on the credential roaming Attributes.","description":"Credential roaming attributes should not be controllable to unprivileged users.","exec_summary":"\u003cp\u003eAn attacker who gains control over credential roaming attributes can decrypt and access potentially confidential information, or delete them to cause denial of service issues.\u003c/p\u003e\n","detail":"\u003cp\u003eIf you do not properly protect credential roaming attributes, it may result in the leak or loss of access to sensitive data.\n\u003cbr\u003eTo ensure security, grant read and write permissions on these attributes only to the following entities:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain 
Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNT AUTHORITY\\System\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eYou should also check the ownership of the user in question, as it could enable an attacker to grant themselves illegitimate access rights.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"cqureacademy - Extracting roamed private keys","url":"https://cqureacademy.com/blog/extracting-roamed-private-keys","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"DSinternals","url":"https://github.com/MichaelGrafnetter/DSInternals","author":"Michael Grafnetter"},{"name":"Mimikatz - DCShadow 
module","url":"https://github.com/gentilkiwi/mimikatz","author":"Benjamin Delpy"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","fr_FR","ko_KR","es_001","zh_TW","zh_CN","ja_JP","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-CREDENTIAL-ROAMING","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"low","type":"ioe","subType":"ad","availableLocales":["de","fr","ko","es","zh-TW","zh-CN","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[44]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-CLEARTEXT-PASSWORD","_score":null,"_source":{"language_code":"en_US","codename":"C-CLEARTEXT-PASSWORD","name":"Potential Clear-Text Password","id":42,"description":"\u003cp\u003eChecks for objects containing potential clear-text passwords in attributes readable by domain users.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eAdmins may store sensitive information on AD object attributes to ease their work. However, since any domain user can read these attributes, storing passwords or secret keys could risk credentials theft and harm the infrastructure.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe object owner, the object identity, or any domain administrator can write certain Active Directory attributes. However, any domain user can read these attributes via an LDAP client. 
If these attributes contain sensitive information such as passwords or secret keys, attackers can easily access and use them for privilege escalation. Some commonly used attributes that may contain sensitive information are:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003edescription\u003c/li\u003e\n\u003cli\u003einfo\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAttackers may also find plaintext passwords in attributes used by Linux or old Windows systems to store account credentials. Unlike Active Directory's attributes, any domain user can read these attributes. If the attribute has a value, it's the current or former password of the impacted account. If compromised, the attacker can take over the resource. The following attributes may be vulnerable:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003euserPassword\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eunicodePwd\u003c/li\u003e\n\u003cli\u003eunixUserPassword\u003c/li\u003e\n\u003cli\u003emsSFU30Name\u003c/li\u003e\n\u003cli\u003emsSFU30Password\u003c/li\u003e\n\u003cli\u003eos400-password\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThese attributes only exist on \u003ccode\u003euser\u003c/code\u003e objects (and their child objects such as \u003ccode\u003ecomputers\u003c/code\u003e).\n\u003cbr\u003eLastly, the Sysvol share is where administrators deploy applications and scripts and gather domain resource information, and it is also a common place where they can mistakenly write passwords. This can expose sensitive information, such as a secret that's readable by default to every domain user. 
Tenable Identity Exposure focuses on analyzing the following files for secrets:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003escripts.ini\u003c/li\u003e\n\u003cli\u003eany scripts (PowerShell, Batch, VBScripts, etc.)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote: Tenable Identity Exposure ignores miscellaneous files such as executables or multimedia files.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Remove Clear-text Password from Readable Attributes","description":"Passwords should be removed from all the attributes readable by unprivileged users.","exec_summary":"\u003cp\u003eAny user within the organization can read attributes in most AD objects. IT administrators may use certain attributes to store sensitive information such as passwords, keys, and other credentials. To prevent potential exposure of valid credentials, they must avoid storing such sensitive information in object attributes.\u003c/p\u003e\n","detail":"\u003cp\u003eAvoid using AD attributes to store IT information as it constitutes bad administrative practice, and adopt suitable organizational measures instead.\n\u003cbr\u003eIt is important to clear any existing information stored on these AD attributes and set up an automated process to prevent administrators who may be unaware of this security practice from mistakenly setting these attributes. 
To clear a specific AD object, you can use the following PowerShell command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject -Identity 'CN=Alice,OU=DummyOU,DC=ad,DC=tenable,DC=com' -Clear description\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eReplace the value CN=Alice,OU=DummyOU,DC=ad,DC=tenable,DC=com with the distinguished name of the object to clear.\nReplace the value description with the name of the attribute containing the value to clear.\n\u003cbr\u003eWhen clearing the attributes used by Linux or very old Windows systems, note that simply clearing them may not be sufficient to prevent authentication issues. This is because these systems could potentially set the attribute again during the next password renewal. To avoid such issues, Tenable recommends upgrading these systems to a more recent version of their operating system to provide a better way to store sensitive information and ensure better security measures.\n\u003cbr\u003eRegarding Sysvol files that contain secrets, it is important to have an appropriate administrative policy in place to prevent administrators from storing secrets in GPO files. 
Then, track the files stored on the Sysvol to ensure that secrets do not get inadvertently stored.\u003c/p\u003e\n","resources":[{"name":"Cmdlet Set-ADUser to clear an attribute","url":"https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-aduser?view=windowsserver2025-ps","type":"hyperlink"}]},"resources":[{"name":"BlackHills InfoSec - Gathering secrets with AD Explorer","url":"https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/","type":"hyperlink"},{"name":"Microsoft - Active Directory User class","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/c-user","type":"hyperlink"},{"name":"Microsoft - Active Directory Top class","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/c-top","type":"hyperlink"}],"applicable_resource_types":["ad_ldap_object","ad_sysvol_object"],"attacker_known_tools":[{"name":"AD Explorer","url":"https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","author":"SysInternal"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0008 - Lateral Movement","techniques":[]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0006 - Credential Access","techniques":["T1552 - Unsecured Credentials"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["es_001","zh_CN","ja_JP","fr_FR","de_DE","zh_TW","ko_KR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-CLEARTEXT-PASSWORD","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["es","zh-CN","ja","fr","de","zh-TW","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008/"},"techniques":[]},{"tactic":{"id":"TA0004","name":"Privilege 
Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1552","name":"Unsecured Credentials","url":"https://attack.mitre.org/techniques/T1552/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[42]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DANGEROUS-SENSITIVE-PRIVILEGES","_score":null,"_source":{"language_code":"en_US","codename":"C-DANGEROUS-SENSITIVE-PRIVILEGES","name":"Dangerous Sensitive Privileges","id":41,"description":"\u003cp\u003eIdentifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eWindows has two methods for granting account privileges to access resources: permissions and user rights. User rights, provided by Microsoft, simplify administration tasks like system shutdown, driver loading, or security log management. They are similar to permissions but are not user-specific and can apply globally to anyone with the right to perform the task.\u003c/p\u003e\n\u003cp\u003eSensitive user rights can sometimes allow users to gain elevated privileges on a system. For instance, a user who can install a driver for a device, such as a keyboard, could potentially install a malicious driver and gain administrative rights on the system. This introduces a security risk as an attacker could exploit this misconfiguration to compromise the system locally.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eWindows 10 has 34 system privilege rights, which, if set improperly (along with other requirements explained below), can lead to a complete system compromise. 
Microsoft's online documentation provides comprehensive information on this topic.\n\u003cbr\u003ePublic tools can easily exploit some privileges to achieve elevation of privileges (see specific examples).\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eDebug programs -\u003c/strong\u003e \u003cstrong\u003eSeDebugPrivilege\u003c/strong\u003e (Mimikatz) allows opening a process or thread and modifying its behavior by injecting and running malicious code, which attackers use to retrieve credentials from LSASS process memory. Only developers debugging Windows system components require this privilege.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eImpersonate a client after authentication -\u003c/strong\u003e \u003cstrong\u003eSeImpersonatePrivilege\u003c/strong\u003e (Rotten Potato NG) enables impersonation of any user connecting to a crafted service, typically via social engineering attacks. It allows any user with this privilege to impersonate any token for which they can get a handle, but doesn't permit creating new tokens. Rotten Potato can also retrieve an access token from the highly privileged LocalSystem account, enabling local privilege escalation without any social engineering.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eReplace a process level token -\u003c/strong\u003e \u003cstrong\u003eSeAssignPrimaryTokenPrivilege\u003c/strong\u003e (Rotten Potato NG) permits starting a process as another user (primary token) with their credentials. It is vulnerable to the same attack as SeImpersonatePrivilege (Rotten Potato). Microsoft acknowledges legitimate use by \"Local Service\" and \"Network Service\" accounts, but considers it a security risk. 
The Tenable Identity Exposure security profiles have an option to whitelist this type of behavior by default.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eCreate a token object -\u003c/strong\u003e \u003cstrong\u003eSeCreateTokenPrivilege\u003c/strong\u003e (Poptoke) enables the creation of any access token using NtCreateToken(), allowing user impersonation or modifying account access levels, such as adding privileged groups to the token.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eLoad and unload device drivers -\u003c/strong\u003e \u003cstrong\u003eSeLoadDriverPrivilege\u003c/strong\u003e (Poptoke) grants the highest privilege on the operating system to device drivers as they run code in the same context as the Windows Kernel.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eBack up files and directories -\u003c/strong\u003e \u003cstrong\u003eSeBackupPrivilege\u003c/strong\u003e (Poptoke) allows any user to bypass file and registry permissions when using backup functions such as RegSaveKey() or RegSaveKeyEx(). This can expose secrets such as password hashes and restricted files.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eRestore files and directories -\u003c/strong\u003e \u003cstrong\u003eSeRestorePrivilege\u003c/strong\u003e (Poptoke) allows replacing existing data with new data. 
Attackers can use this privilege to replace privileged binaries with modified malicious versions.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eTake ownership of files or other objects -\u003c/strong\u003e \u003cstrong\u003eSeTakeOwnershipPrivilege\u003c/strong\u003e (Poptoke) allows setting an arbitrary owner for any system object, granting this owner full control over the object and the ability to change its permissions.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eAct as part of the operating system -\u003c/strong\u003e \u003cstrong\u003eSeTcbPrivilege\u003c/strong\u003e (Poptoke) allows for the addition of extra groups to a token during its creation through Windows LogonUserExEx() and LsaLogonUser() functions. These groups can include privileged groups.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eMicrosoft considers some other privileges as dangerous, which you should also protect:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eEnable computer and user accounts to be trusted for delegation - SeEnableDelegationPrivilege\u003c/strong\u003e specifies which users can enable the \"Trusted for Delegation\" setting on a user or computer object. Typically, only highly privileged groups such as Domain and Enterprise admins are authorized to do this. 
Since this setting only concerns domain controllers, it is not usually configured.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003ePerform volume maintenance tasks - SeManageVolumePrivilege\u003c/strong\u003e allows exploration and modification of disks, including sensitive files, creating potential risk for malicious code injection into legitimate privileged account executables.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eSynchronize directory service data - SeSyncAgentPrivilege\u003c/strong\u003e enables synchronization of all Active Directory objects and attributes regardless of their permissions. Grant this privilege only to domain controllers since they are the only entities responsible for replicating changes between them.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eAccess Credential Manager as a trusted caller - SeTrustedCredManAccessPrivilege\u003c/strong\u003e provides access to secrets such as saved credentials within the Windows Credential Manager, which holds login information for websites, applications, and networks.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThese privileges can be dangerous when User Account Control (UAC) is absent. UAC was introduced by Microsoft in Windows Vista, so systems like Windows XP or Windows Server 2003 are at risk by default. While these systems are obsolete and should no longer be in use, misconfiguring UAC on newer systems can also reintroduce this security vulnerability. 
Specifically, if the value \"EnableLUA\" from the registry key \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" is set to 0, then it can lead to an elevation of privileges using sensitive rights.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Remove Sensitive Privileges from Unprivileged Accounts and Groups","description":"In order to limit the risk of elevation of privileges on the AD, only privileged users should have sensitive privileges.","exec_summary":"\u003cp\u003eAvoid assigning sensitive privileges to non-administrative users and groups to prevent security risks in Active Directory. Do not disable User Account Control (UAC) feature in Windows.\u003c/p\u003e\n","detail":"\u003cp\u003eAvoid the following sensitive privileges for unprivileged Active Directory accounts. They provide a false sense of security by only checking resource access permissions.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eSeAssignPrimaryTokenPrivilege\u003c/li\u003e\n\u003cli\u003eSeBackupPrivilege\u003c/li\u003e\n\u003cli\u003eSeCreateTokenPrivilege\u003c/li\u003e\n\u003cli\u003eSeDebugPrivilege\u003c/li\u003e\n\u003cli\u003eSeEnableDelegationPrivilege\u003c/li\u003e\n\u003cli\u003eSeImpersonatePrivilege\u003c/li\u003e\n\u003cli\u003eSeLoadDriverPrivilege\u003c/li\u003e\n\u003cli\u003eSeManageVolumePrivilege\u003c/li\u003e\n\u003cli\u003eSeRestorePrivilege\u003c/li\u003e\n\u003cli\u003eSeSyncAgentPrivilege\u003c/li\u003e\n\u003cli\u003eSeTakeOwnershipPrivilege\u003c/li\u003e\n\u003cli\u003eSeTcbPrivilege\u003c/li\u003e\n\u003cli\u003eSeTrustedCredManAccessPrivilege\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAdditionally, it's worth noting that on recent Windows systems, the sensitive privileges mentioned earlier will not function properly without disabling the User Account Control (UAC) feature. 
However, disabling UAC can also pose security risks, so it is important to configure it properly rather than disabling it entirely.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"User Rights Assignment","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment","type":"hyperlink"},{"name":"EnableLUA","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/958053ae-5397-4f96-977f-b7700ee461ec","type":"hyperlink"},{"name":"Abusing Token Privileges For Windows Local Privilege Escalation","url":"https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/","type":"hyperlink"},{"name":"Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM","url":"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/","type":"hyperlink"},{"name":"Abusing Token Privileges For LPE (part 3.1)","url":"https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt","type":"hyperlink"},{"name":"PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019","url":"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/","type":"hyperlink"},{"name":"s(4)u for Windows (in french)","url":"https://static.sstic.org/rumps2015/SSTIC_2015-06-04_P12_RUMPS_11_su4windows.pdf","type":"hyperlink"}],"applicable_resource_types":["ad_gpt_tmpl"],"attacker_known_tools":[{"name":"Mimikatz","url":"https://github.com/gentilkiwi/mimikatz","author":null},{"name":"Rotten Potato NG","url":"https://github.com/breenmachine/RottenPotatoNG","author":null},{"name":"Poptoke","url":"https://github.com/hatRiot/token-priv","author":null}],"category_id":3,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["de_DE","zh_TW","fr_FR","es_001","zh_CN","ko_KR","ja_JP","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DANGEROUS-SENSITIVE-PRIVILEGES","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["de","zh-TW","fr","es","zh-CN","ko","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[41]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-SENSITIVE-CERTIFICATES-ON-USER","_score":null,"_source":{"language_code":"en_US","codename":"C-SENSITIVE-CERTIFICATES-ON-USER","name":"Mapped Certificates on Accounts","id":40,"description":"\u003cp\u003eEnsures that privileged objects do not have any mapped certificate assigned to them.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eMicrosoft provides a feature called security identity mapping, which attaches a certificate to an account or a group. This can serve as alternate credentials for authentication on resources in certain scenarios.\n\u003cbr\u003eHowever, having a certificate set on a privileged account can be dangerous in case the associated certificate is not protected as well as this sensitive account. It can also indicate a persistence mechanism that an attacker may have previously set.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe name mappings functionality allows X.509 certificates to serve as an alternate authentication method for accounts or groups with appropriate permissions. 
This feature commonly works with the IIS Web Server to provide access to specific resources on behalf of the user visiting a web page, using a transparent pass-through of the client certificate.\n\u003cbr\u003eThe default groups that have permission to add an alternate security identity are \"Account Operators\", \"Domain Admins\" and \"Enterprise Admins.\" When using this feature with a certificate, it extracts only two fields from it, the issuer and the subject. It does not store the entire public certificate. You can set one or both fields depending on the goal. Using the issuer field allows accepting more certificates, while using the subject field only authorizes the associated client certificate.\n\u003cbr\u003eAn attacker can exploit this feature in two phases:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIn the discovery phase, after compromising some accounts, the attacker searches for accounts and groups with the altSecurityIdentities attribute set. If the attacker gains access to the associated Public Key Infrastructure (PKI) that generated the certificate or to the issuer/subject configured during the intrusion, they can use it to steal the account identity, which is particularly dangerous if the target is a privileged account, leading to an elevation of privileges.\u003c/li\u003e\n\u003cli\u003eAfter the AD domain compromise with the aim of persistence, the attacker can set a specific certificate on a privileged user to which they have access, likely associated with a standard user, to maintain hidden access on the domain.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth situations pose a risk to the domain and require evaluation.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Remove Dangerous Mapped Certificates on Accounts","description":"Certificates set on privileged objects should be controlled.","exec_summary":"\u003cp\u003eWhenever there is an alternate security identity set on a privileged Active 
Directory account, you should evaluate it to decide whether or not to accept the risk of elevation of privileges. When in doubt, you can safely remove it.\n\u003cbr\u003eNote: This feature does not relate to the use of smart cards, which remains a strong security option for authentication with proper configuration.\u003c/p\u003e\n","detail":"\u003cp\u003eUsing mapped certificates on accounts and groups can lead to high security risks, especially when all certificates come from a single issuer. An attacker who compromises that single issuer thereby gains access to every account using the alternate security identities feature.\nIt is a bad practice to use this feature with privileged users because of the risk of elevation of privileges on the domain. Evaluate alternative solutions for these sensitive accounts.\n\u003cbr\u003eAlso, if you cannot find any information regarding a configuration, this could indicate a compromised domain due to a persistence mechanism that the attacker had set. 
It is advisable to carry out a threat-hunting phase before a full remediation.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Map a certificate to a user account","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc736781%28v%3dws.10%29\n","type":"hyperlink"},{"name":"Mapping certificates to user accounts","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779393%28v%3dws.10%29\n","type":"hyperlink"},{"name":"Mapping a client certificate to an AD domain account using clientCertificateMappingAuthentication","url":"https://learn.microsoft.com/en-us/archive/blogs/napegadie_kones_msft_blog/mapping-a-client-certificate-to-an-ad-domain-account-using-clientcertificatemappingauthentication\n","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_user"],"attacker_known_tools":[{"name":"Kekeo","url":"https://github.com/gentilkiwi/kekeo/releases","author":"Gentil Kiwi"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","ja_JP","ko_KR","fr_FR","es_001","zh_TW","zh_CN","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-SENSITIVE-CERTIFICATES-ON-USER","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["de","ja","ko","fr","es","zh-TW","zh-CN","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account 
Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[40]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-GPO-HARDENING","_score":null,"_source":{"language_code":"en_US","codename":"C-GPO-HARDENING","name":"Domain Without Computer-Hardening GPOs","id":39,"description":"\u003cp\u003eChecks hardening GPOs have been deployed on the domain.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eMicrosoft places emphasis on maintaining backward compatibility in Active Directory infrastructure, which means that it cannot enable all hardening features.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThis Indicator of Exposure validates GPO hardening configurations to minimize potential attack vectors.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe NTLMv1 logon protocol\u003c/li\u003e\n\u003cli\u003eThe SMBv1 network share stack protocol\u003c/li\u003e\n\u003cli\u003eThe print spooler service status on domain controllers\u003c/li\u003e\n\u003cli\u003eNULL sessions registry keys for all domain computers\u003c/li\u003e\n\u003cli\u003eSMB signing for all domain computers\u003c/li\u003e\n\u003cli\u003eUNC hardening for domain controllers' shares\u003c/li\u003e\n\u003cli\u003eLDAP channel binding and session signing\u003c/li\u003e\n\u003cli\u003ePoint and Print hardening\u003c/li\u003e\n\u003cli\u003eCredential Guard\u003c/li\u003e\n\u003cli\u003eNTLM blocking over SMB\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eNTLMv1\u003c/h4\u003e\n\u003cp\u003eThe first version of the NTLM protocol, which has been the preferred authentication protocol since Windows 2000, uses cyclic redundancy check (CRC) or message digest algorithms for integrity and RC4 for encryption, which are not considered secure.\n\u003cbr\u003eNTLM is vulnerable to attacks such as Pass-the-Hash, NTLM Reflection, and NTLM Relay.\n\u003cbr\u003eNTLMv1 has now given way to the more robust 
NTLMv2. However, Windows does not even use NTLMv2 as the default authentication protocol when authenticating on Active Directory-joined servers, preferring instead to use Kerberos by default.\u003c/p\u003e\n\u003ch4\u003eSMBv1\u003c/h4\u003e\n\u003cp\u003eThe SMB protocol was initially designed in the 1980s and revised in the early 1990s, long before Active Directory was created. It combines multiple protocols (such as NTLM for authentication) and includes features like symbolic and hard links and support for large files.\n\u003cbr\u003eDue to its complexity and network inefficiency, Microsoft introduced a newer version of SMB in Windows Vista. In spring 2017, SMBv1 gained notoriety due to the \u003cem\u003eWannaCry\u003c/em\u003e ransomware, which exploited the \u003cem\u003eEternalBlue\u003c/em\u003e vulnerability fixed in security bulletin MS17-010.\n\u003cbr\u003eSMBv1 has now given way to the more modern and secure SMBv2 and SMBv3 protocols that use modern integrity and encryption algorithms. As of Windows Server 2016, SMBv1 is not installed by default.\u003c/p\u003e\n\u003ch4\u003eSpooler service\u003c/h4\u003e\n\u003cp\u003eMultiple vulnerabilities have affected the print spooler service of domain controllers in the past (ex: \"Printer Bug\", \"PrintNightmare\", etc.), leading to security issues on the Active Directory itself.\nA domain controller should only have the necessary and required features installed and enabled. 
This service should be deployed on another type of server and disabled on domain controllers, to avoid future security issues targeting this service.\u003c/p\u003e\n\u003ch4\u003eNULL sessions parameters\u003c/h4\u003e\n\u003cp\u003eNULL sessions are unauthenticated Server Message Block (SMB) sessions (no login or password is required) used by attackers during the reconnaissance phase to anonymously call RPC functions on a remote system.\u003c/p\u003e\n\u003cp\u003eIt allows an attacker to request RPC interface functions, like those from SAMR and LSARPC, in order to enumerate various computer information that is useful from an attacker's perspective:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWindows services\u003c/li\u003e\n\u003cli\u003eUsernames and groups\u003c/li\u003e\n\u003cli\u003eSMB shares\u003c/li\u003e\n\u003cli\u003eDomain information\u003c/li\u003e\n\u003cli\u003eetc.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis topic is related to the \"Accounts Using a Pre-Windows 2000 Compatible Access Control\" IoE and both share the same risks.\u003c/p\u003e\n\u003ch4\u003eSMB signing\u003c/h4\u003e\n\u003cp\u003eServer Message Block (SMB) is the most commonly used file transfer protocol in Windows (also used for RPC calls through the special IPC$ administrative share). SMB signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their source point and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and \"Man-in-the-Middle\" attacks.\u003c/p\u003e\n\u003cp\u003eAfter you have properly disabled SMBv1 in your environment, you should focus your efforts on enforcing SMB signing on all domain computers.\u003c/p\u003e\n\u003ch4\u003eUNC hardening\u003c/h4\u003e\n\u003cp\u003eIn order to prevent domain computers from running code (logon scripts, executables, etc.) 
and downloading policy configuration files from untrusted sources, Microsoft introduced UNC hardening. When a user is trying to access a share matching a path configured in the \"Hardened UNC Paths\", the security settings set for this share will be applied.\n\u003cbr\u003eReported in the MS15-011 and MS15-014 vulnerabilities, an attacker performing a \"Man-in-the-Middle\" attack between two computers was able to tamper data accessed through the SMB protocol.\nThis is even more critical when this data deals with domain policies retrieved from SYSVOL and NETLOGON domain controllers shares. In this situation, an attacker could then install programs, view/modify/delete GPO file configurations, create new local accounts with full administrative rights, etc.\nAn attacker who successfully exploited this vulnerability on the network could take complete control of a targeted system.\u003c/p\u003e\n\u003ch4\u003eLDAP channel binding and session signing\u003c/h4\u003e\n\u003cp\u003eLDAP channel binding (EPA - [Extended Protection for Authentication] / CBT - [Channel Binding Token]) and LDAP session signing are not fully enforced by default on domain controllers. The lack of signing with LDAP exchanges can lead to \"Man-in-the-Middle\" and replay attacks, allowing privilege escalation on the domain. As such, hardening the LDAP configuration on domain controllers and their clients is an important aspect to consider.\u003c/p\u003e\n\u003ch4\u003ePoint and Print hardening\u003c/h4\u003e\n\u003cp\u003eThe risks of incorrect configuration regarding the Windows Print Spooler service on domain workstations are significant and can lead to serious security vulnerabilities.\n\u003cbr\u003e\u003ca href=\"https://learn.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print\"\u003ePoint and Print\u003c/a\u003e is a Windows feature designed to simplify printer installation for users. 
Instead of manually installing drivers from disks or media, Point and Print allows users to connect to a network printer and automatically download and install the necessary drivers directly from a print server. This feature promotes a \"plug-and-play\" experience, especially beneficial in enterprise environments where multiple users need access to shared printers.\n\u003cbr\u003eThe Print Spooler service has presented multiple security vulnerabilities on its Point and Print feature, primarily due to its reliance on trust between the client and print server. The most notable vulnerability is known as \"PrintNightmare\" (related to \u003ca href=\"https://www.tenable.com/cve/CVE-2021-1675\"\u003eCVE-2021-1675\u003c/a\u003e, \u003ca href=\"https://www.tenable.com/cve/CVE-2021-34527\"\u003eCVE-2021-34527\u003c/a\u003e and \u003ca href=\"https://www.tenable.com/cve/CVE-2021-34481\"\u003eCVE-2021-34481\u003c/a\u003e), which allows attackers to exploit the driver installation process to gain unauthorized system access.\nThis vulnerability can affect organizations even today, primarily due to confusing group policies and settings.\n\u003cbr\u003eWhile simplifying the installation and update process, Point and Print comes with security risks:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUnrestricted driver installation: If the \"Limits print driver installation to Administrators\" policy is disabled, non-administrative users can install printer drivers.\u003c/li\u003e\n\u003cli\u003eSecurity prompts bypass: Disabling security prompts for driver installation can make a system vulnerable to the original \"PrintNightmare\" exploit.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eCredential Guard\u003c/h4\u003e\n\u003cp\u003eWindows Defender Credential Guard is built on Virtualization-Based Security (VBS), which uses hardware virtualization to improve system security. 
Its primary purpose is to prevent unauthorized access to and theft of various types of credentials.\n\u003cbr\u003eCredential Guard is designed to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrevent unauthorized access to credential information stored in the Windows operating system (such as NTLM password hashes, Kerberos Ticket Granting Tickets, and other domain credentials).\u003c/li\u003e\n\u003cli\u003eProtect against techniques that malicious actors can use to extract credentials from Windows memory.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBy isolating credential information, Credential Guard reduces the attack surface available to potential attackers.\u003c/p\u003e\n\u003cp\u003eIt also containerizes the Local Security Authority Subsystem Service (LSASS) authentication process, protecting credentials from malicious tools that might gain SYSTEM-level access.\u003c/p\u003e\n\u003cp\u003eEven if an attacker obtains administrative privileges, they cannot easily access these protected credentials. Credential Guard limits the effectiveness of attacker tools, like Mimikatz, which are often used to retrieve credentials stored in memory.\u003c/p\u003e\n\u003ch4\u003eNTLM blocking over SMB\u003c/h4\u003e\n\u003cp\u003eNTLM is an outdated protocol vulnerable to attacks such as Pass-the-Hash, NTLM Reflection, and NTLM Relay. To address these vulnerabilities, \u003ca href=\"https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848\"\u003eMicrosoft is pushing for its removal\u003c/a\u003e. In late 2023, they \u003ca href=\"https://www.youtube.com/watch?v=SEtARCtGP0Y\"\u003eannounced\u003c/a\u003e a long-term strategy to disable and eventually remove NTLM. 
With the release of Windows Server 2025 and updates to Windows 11, administrators can use a new Group Policy Object (GPO) setting, \"\u003ca href=\"https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-ntlm-blocking?tabs=group-policy\"\u003eBlock NTLM (LM, NTLM, NTLMv2)\u003c/a\u003e,\" to facilitate this transition.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Enable Hardening GPOs","description":"Hardening GPOs are to be enabled, at least for privileged users\n","exec_summary":"\u003cp\u003eEnable hardening GPOs to protect at least privileged users, specifically by disabling obsolete protocols to prevent attackers from exploiting them to elevate their privileges on the Active Directory.\u003c/p\u003e\n","detail":"\u003ch4\u003eContext\u003c/h4\u003e\n\u003cp\u003eTo enhance security, use hardening GPOs to avoid outdated protocols that may contain vulnerabilities. These protocols lack modern security standards and were developed before the 2000s. Updating protocols configuration can improve the network's robustness against attacks. Promptly install Microsoft security updates, such as Microsoft-KB4012598, which fixed the \u003cem\u003eWannaCry\u003c/em\u003e attack. A single compromised machine can compromise the entire infrastructure through its connection to the corporate network.\n\u003cbr\u003eA potential scenario can unfold as follows:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker connects on a regular computer with a standard account.\u003c/li\u003e\n\u003cli\u003eThey detect obsolete protocols in use:\n a. They intercept a secret on the network and exploit the protocol weaknesses.\n b. 
They exploit a protocol vulnerability to perform privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe infrastructure becomes exposed to the threat agent.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eTo prevent breaches, secure machines with dangerous configurations (with default value or unsafe GPO) by removing them from Active Directory or moving them to a dedicated OU on a restricted network. Change any shared credentials or services. In a worst-case scenario, eliminate potential vulnerabilities, like unsecured shared credentials, to prevent attackers from extending their damage.\n\u003cbr\u003eIf you cannot change certain obsolete protocols due to operational needs, take appropriate organization-dependent actions to protect directory infrastructures against threats from these protocols.\u003c/p\u003e\n\u003ch4\u003eNTLM\u003c/h4\u003e\n\u003cp\u003eNTLM is an outdated authentication protocol vulnerable to various attacks, including Pass-the-Hash, NTLM Reflection, and NTLM Relay. However, disabling NTLMv1 can render some older computers and applications unable to authenticate, making them unusable. Note that NTLM exists in different versions, and you can locate the current configuration on a machine in the following registry path: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel. See the external resources for more details.\n\u003cbr\u003eTo change the value with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the GPO that contains the new preference item, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder, and expand until you reach \u003cem\u003eWindows Settings\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Settings\u003c/em\u003e \u0026gt; \u003cem\u003eLocal Policies\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Options\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eNetwork security: LAN Manager Authentication Level\u003c/em\u003e and set value to Send NTLMv2 response only. Refuse LM \u0026amp; NTLM.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eSMBv1\u003c/h4\u003e\n\u003cp\u003eUsing SMBv1 without the latest patch makes the system vulnerable to \u003ccode\u003eEternalBlue\u003c/code\u003e (MS17-010). SMBv2 was released with Windows Vista in 2006, so the impact of disabling SMBv1 should be minimal. However, the impact may vary depending on the system's architecture and heritage, such as a critical application that requires SMBv1.\n\u003cbr\u003eYou can check if a local machine has SMBv1 enabled using the following PowerShell command: Get-SmbServerConfiguration | Select EnableSMB1Protocol.\n\u003cbr\u003eTo disable SMBv1 Server with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that contains the new preference item, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePreferences\u003c/em\u003e folder, and expand the \u003cem\u003eWindows Settings\u003c/em\u003e folder.\u003c/li\u003e\n\u003cli\u003eRight-click the \u003cem\u003eRegistry\u003c/em\u003e node, and go to \u003cem\u003eNew\u003c/em\u003e and select \u003cem\u003eRegistry Item\u003c/em\u003e. In the \u003cem\u003eNew Registry Properties\u003c/em\u003e dialog box, select the following:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cul\u003e\n\u003cli\u003eAction: Create\u003c/li\u003e\n\u003cli\u003eHive: HKEY_LOCAL_MACHINE\u003c/li\u003e\n\u003cli\u003eKey Path: SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u003c/li\u003e\n\u003cli\u003eValue name: SMB1\u003c/li\u003e\n\u003cli\u003eValue type: REG_DWORD\u003c/li\u003e\n\u003cli\u003eValue data: 0\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eSpooler service\u003c/h4\u003e\n\u003cp\u003eOn domain controllers, you should disable the spooler service. To configure this service with Group Policy, create or select an existing GPO linked to domain controllers (ex: \"Default Domain Controllers Policy\") and configure the following:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eWindows Settings\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Settings\u003c/em\u003e \u0026gt; \u003cem\u003eSystem Services\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on the service name \u003cem\u003ePrint Spooler\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSet the checkbox \u003cem\u003eDefine this policy setting\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003ccode\u003eDisabled\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eNULL sessions parameters\u003c/h4\u003e\n\u003cp\u003eIn order to forbid SAMR and LSARPC interfaces calls to anonymous logons, the following security settings should be enabled:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\"Network access: Do not allow anonymous enumeration of SAM accounts and shares\" (RestrictAnonymous).\u003c/li\u003e\n\u003cli\u003e\"Network access: Do not allow anonymous enumeration of SAM accounts\" (RestrictAnonymousSAM).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThese security settings can be enforced with Group Policy. Create or select an existing GPO linked to all domain computers (do not forget domain controllers, which are the most important for this configuration) and configure the following:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eWindows Settings\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Settings\u003c/em\u003e \u0026gt; \u003cem\u003eLocal Policies\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Options\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the policy named \u003cem\u003eNetwork access: Do not allow anonymous enumeration of SAM accounts\u003c/em\u003e:\n a. Set the checkbox \u003cem\u003eDefine this policy setting\u003c/em\u003e.\n b. Configure it to \u003ccode\u003eEnabled\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the policy named \u003cem\u003eNetwork access: Do not allow anonymous enumeration of SAM accounts and shares\u003c/em\u003e:\n a. Set the checkbox \u003cem\u003eDefine this policy setting\u003c/em\u003e.\n b. Configure it to \u003ccode\u003eEnabled\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eSMB signing\u003c/h4\u003e\n\u003cp\u003eSMB signing needs to be enforced on domain controllers and other computers from the domain. By default, this is already the case through the builtin GPO \"Default Domain Controllers Policy\" for domain controllers, but needs to be fixed if a deviance is triggered, indicating that it was modified.\n\u003cbr\u003eThe configuration is made in Group Policy, following those steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eWindows Settings\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Settings\u003c/em\u003e \u0026gt; \u003cem\u003eLocal Policies\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Options\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the policy named \u003cem\u003eMicrosoft Network Server: Digitally Sign Communications (Always)\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSet the checkbox \u003cem\u003eDefine this policy setting\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003ccode\u003eEnabled\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eUNC hardening\u003c/h4\u003e\n\u003cp\u003eThe default behavior for UNC hardening, starting from Windows 10 and Windows Server 2016, is to enforce mutual authentication and integrity.\nBut to apply this configuration broadly and to other OS versions, it should be enforced through Group Policy. Exceptions can be made as required but the default should be to enable mutual authentication and integrity on the NETLOGON and SYSVOL shares of all domain controllers.\n\u003cbr\u003eThe configuration is made in Group Policy, following those steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eAdministrative Templates\u003c/em\u003e \u0026gt; \u003cem\u003eNetwork\u003c/em\u003e \u0026gt; \u003cem\u003eNetwork Provider\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the \u003cem\u003eHardened UNC Paths\u003c/em\u003e setting.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003cem\u003eEnabled\u003c/em\u003e, then click on \u003cem\u003eShow...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eCreate the following two lines:\n a. For the value name, set \u003ccode\u003e\\\\*\\SYSVOL\u003c/code\u003e and for the associated value, set \u003ccode\u003eRequireMutualAuthentication=1,RequireIntegrity=1\u003c/code\u003e.\n b. For the value name, set \u003ccode\u003e\\\\*\\NETLOGON\u003c/code\u003e and for the associated value, set \u003ccode\u003eRequireMutualAuthentication=1,RequireIntegrity=1\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eLDAP channel binding and session signing\u003c/h4\u003e\n\u003cp\u003eFrom March 2020, Microsoft has introduced hardening parameters for LDAP signing and channel binding, to improve security against \"Man-in-the-Middle\" attacks. These updates require that all Windows clients and servers implement LDAP signing and channel binding, to ensure that authentication requests are secure and cannot be intercepted.\n\u003cbr\u003eBefore enforcing those settings, administrators should conduct thorough audits to ensure that all connected applications and services can support it. 
This involves checking Windows event logs and making the necessary changes to the application configurations beforehand.\n\u003cbr\u003eThe final configuration of LDAP signing is made in Group Policy, following those steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eWindows Settings\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Settings\u003c/em\u003e \u0026gt; \u003cem\u003eLocal Policies\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Options\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the policy named \u003cem\u003eDomain controller: LDAP server signing requirements\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003ccode\u003eRequire signing\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAnd for the configuration of LDAP channel binding in Group Policy, follow those steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eWindows Settings\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Settings\u003c/em\u003e \u0026gt; \u003cem\u003eLocal Policies\u003c/em\u003e \u0026gt; \u003cem\u003eSecurity Options\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the policy named \u003cem\u003eDomain controller: LDAP server channel binding token requirements\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003ccode\u003eAlways\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003ePoint and Print hardening\u003c/h4\u003e\n\u003cp\u003eImproper configuration of the Print Spooler service and related policies can expose systems to severe security risks, including privilege escalation. It's crucial to carefully manage these settings and keep systems updated.\n\u003cbr\u003eThe most secure approach is to allow only administrators to install printer drivers. While it prioritizes security, it may impact usability for non-administrative users. This can be achieved through Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree, expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eAdministrative Templates\u003c/em\u003e \u0026gt; \u003cem\u003ePrinter\u003c/em\u003e \u0026gt; \u003cem\u003eLimits print driver installation to Administrators\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003ccode\u003eEnabled\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf this method cannot be used in your environment and you want to let users install print drivers, two specific configurations need to be put in place, one for \"package-aware\" and one for \"non-package-aware\" drivers.\n\u003cbr\u003eFirst, for \"package-aware\" drivers, a list of allowed print servers needs to be created and populated in Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree, expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eAdministrative Templates\u003c/em\u003e \u0026gt; \u003cem\u003ePrinter\u003c/em\u003e \u0026gt; \u003cem\u003ePackage Point and print - Approved servers\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003cem\u003eEnabled\u003c/em\u003e, then click on \u003cem\u003eShow...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eAdd each of your print servers here to create the allow list.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThen, if \"non-package-aware\" drivers are not used in your environment, their support can be disabled (recommended):\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree, expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eAdministrative Templates\u003c/em\u003e \u0026gt; \u003cem\u003ePrinter\u003c/em\u003e \u0026gt; \u003cem\u003eOnly use Package Point and print\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003ccode\u003eEnabled\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf those \"non-package-aware\" drivers are required, their security prompts need to be properly configured:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eAdministrative Templates\u003c/em\u003e \u0026gt; \u003cem\u003ePrinter\u003c/em\u003e \u0026gt; \u003cem\u003ePoint and Print Restrictions\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eThen set the \u003cem\u003eWhen installing drivers for a new connection\u003c/em\u003e parameter to \u003ccode\u003eShow warning and elevation prompt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFinally, set the \u003cem\u003eWhen updating drivers for an existing connection\u003c/em\u003e parameter to \u003ccode\u003eShow warning and elevation prompt\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eCredential Guard\u003c/h4\u003e\n\u003cp\u003eAlthough Windows Defender Credential Guard has its limitations and can be bypassed by certain types of attacks, it remains an effective solution for protecting credentials stored in memory.\n\u003cbr\u003eHowever, proper implementation can be challenging due to multiple technical requirements and \u003ca href=\"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues\"\u003eknown compatibility issues\u003c/a\u003e. 
Therefore, a \u003cstrong\u003estep-by-step approach is essential to prevent production issues\u003c/strong\u003e.\n\u003cbr\u003eMicrosoft's documentation outlines the necessary \u003ca href=\"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/#system-requirements\"\u003esystem requirements\u003c/a\u003e and \u003ca href=\"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/#application-requirements\"\u003eapplication requirements\u003c/a\u003e, which should be reviewed before beginning this project.\nIt is important to note that \u003cstrong\u003eCredential Guard is not supported on domain controllers\u003c/strong\u003e, so the configuration GPO should exclude these machines.\n\u003cbr\u003eThe configuration of Credential Guard is made in Group Policy, following those steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Right-click the \u003cem\u003eGroup Policy object (GPO)\u003c/em\u003e that will contain this configuration, and click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree expand the following folders \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eAdministrative Templates\u003c/em\u003e \u0026gt; \u003cem\u003eSystem\u003c/em\u003e \u0026gt; \u003cem\u003eDevice Guard\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the \u003cem\u003eTurn On Virtualization Based Security\u003c/em\u003e setting.\u003c/li\u003e\n\u003cli\u003eConfigure it to \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eThen set the \u003cem\u003eCredential Guard Configuration\u003c/em\u003e parameter to \u003ccode\u003eEnabled without lock\u003c/code\u003e (the \u003ccode\u003eEnabled with UEFI lock\u003c/code\u003e configuration is ideal, but can break production if not dealt with 
correctly!).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eNTLM blocking over SMB\u003c/h4\u003e\n\u003cp\u003eWith the release of Windows Server 2025 and Windows 11 version 24H2, administrators can configure SMB to block NTLM by using the Group Policy setting: \u003ca href=\"https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-ntlm-blocking?tabs=group-policy\"\u003eBlock NTLM connections on SMB\u003c/a\u003e:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eIn the Group Policy Management Console, right-click the \u003cem\u003eGroup Policy Object (GPO)\u003c/em\u003e where you want to apply this configuration and select \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand the following folders in the console tree: \u003cem\u003eComputer Configuration\u003c/em\u003e \u0026gt; \u003cem\u003ePolicies\u003c/em\u003e \u0026gt; \u003cem\u003eAdministrative Templates\u003c/em\u003e \u0026gt; \u003cem\u003eNetwork\u003c/em\u003e \u0026gt; \u003cem\u003eLanman Workstation\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSet the \u003cem\u003eBlock NTLM connections on SMB\u003c/em\u003e setting to \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAnother policy, \u003ca href=\"https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-ntlm-blocking?tabs=group-policy#enable-exceptions-to-ntlm-blocking\"\u003e\"Block NTLM Server Exception List\"\u003c/a\u003e, allows you to configure exceptions to NTLM blocking. 
If certain devices still require NTLM, you can enable the main NTLM blocking policy and list all exceptions in this additional policy.\u003c/p\u003e\n","resources":[{"name":"Network security: LAN Manager authentication level","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852207(v=ws.11)","type":"hyperlink"},{"name":"Purging Old NT Security Protocols","url":"https://learn.microsoft.com/en-us/archive/blogs/askds/purging-old-nt-security-protocols","type":"hyperlink"},{"name":"SMB1 - Audit Active Usage using Message Analyzer","url":"https://learn.microsoft.com/en-us/archive/blogs/ralphkyttle/smb1-audit-active-usage-using-message-analyzer","type":"hyperlink"},{"name":"How to disable SMBv1","url":"https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3","type":"hyperlink"},{"name":"SMBv1 security update","url":"https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598","type":"hyperlink"},{"name":"How to Disable Print Spooler on Domain Controller","url":"https://www.alitajran.com/disable-print-spooler-domain-controller/","type":"hyperlink"},{"name":"The Basics of SMB Signing (covering both SMB1 and SMB2)","url":"https://learn.microsoft.com/fr-fr/archive/blogs/josebda/the-basics-of-smb-signing-covering-both-smb1-and-smb2","type":"hyperlink"},{"name":"Active Directory Hardening Series - Part 3 - Enforcing LDAP Signing","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/active-directory-hardening-series-part-3-enforcing-ldap-signing/ba-p/4066233","type":"hyperlink"},{"name":"LDAP channel binding and LDAP signing requirements for Windows (KB4520412)","url":"https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a","type":"hyperlink"},{"name":"KB5005652 - Manage new Point and Print default driver 
installation behavior (CVE-2021-34481)","url":"https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872","type":"hyperlink"},{"name":"KB5005010 - Restricting installation of new printer drivers after applying the July 6, 2021 updates","url":"https://support.microsoft.com/en-gb/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7","type":"hyperlink"},{"name":"Configure Credential Guard","url":"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=gpo","type":"hyperlink"},{"name":"Considerations and known issues when using Credential Guard","url":"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues","type":"hyperlink"},{"name":"Block NTLM connections on SMB","url":"https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-ntlm-blocking?tabs=group-policy","type":"hyperlink"}]},"resources":[{"name":"[MS-NLMP] Session Security Details\n","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/d1c86e81-eb66-47fd-8a6f-970050121347","type":"hyperlink"},{"name":"MS09-001: Vulnerabilities in SMB could allow remote code execution","url":"https://support.microsoft.com/en-us/topic/ms09-001-vulnerabilities-in-smb-could-allow-remote-code-execution-165636e8-2d15-c801-b6d9-ccc60c4ad693","type":"hyperlink"},{"name":"Stop using SMB1","url":"https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858","type":"hyperlink"},{"name":"A new look at null sessions and user enumeration","url":"https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/","type":"hyperlink"},{"name":"MS15-011 - Microsoft Windows Group Policy real exploitation via a SMB MiTM 
attack","url":"https://www.coresecurity.com/core-labs/articles/ms15-011-microsoft-windows-group-policy-real-exploitation-via-a-smb-mitm-attack","type":"hyperlink"},{"name":"A Practical Guide to PrintNightmare in 2024","url":"https://itm4n.github.io/printnightmare-exploitation/","type":"hyperlink"},{"name":"Credential Guard overview","url":"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/","type":"hyperlink"},{"name":"SMB NTLM blocking now supported in Windows Insider","url":"https://techcommunity.microsoft.com/blog/filecab/smb-ntlm-blocking-now-supported-in-windows-insider/3916206","type":"hyperlink"},{"name":"The evolution of Windows authentication","url":"https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848","type":"hyperlink"}],"applicable_resource_types":["ad_gpt_tmpl","ad_gpo_preferences"],"attacker_known_tools":[{"name":"WannaCry","url":"https://en.wikipedia.org/wiki/WannaCry_ransomware_attack","author":"Unknown"},{"name":"mimikatz","url":"https://github.com/gentilkiwi/mimikatz/releases","author":"Gentil Kiwi"}],"category_id":3,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":[]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ko_KR","zh_CN","de_DE","zh_TW","es_001","fr_FR","ja_JP","en_US"],"tvdb_export_source":{"file_name":"diff-202501311400.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-GPO-HARDENING","created_at":"2025-01-31T14:09:34","updated_at":"2025-01-31T14:09:34"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["ko","zh-CN","de","zh-TW","es","fr","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial 
Access","url":"https://attack.mitre.org/tactics/TA0001/"},"techniques":[]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[39]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PROTECTED-USERS-GROUP-UNUSED","_score":null,"_source":{"language_code":"en_US","codename":"C-PROTECTED-USERS-GROUP-UNUSED","name":"Protected Users Group Not Used","id":38,"description":"\u003cp\u003eVerifies for privileged users who are not members of the Protected Users group.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eUsers not in the Protected Users group risk credential exposure during authentication-related processes. To protect the maximum number of sensitive and privileged accounts (such as domain administrators) from password theft on compromised hosts, add these accounts to this group.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eTo prevent attacks that use stolen credentials from sensitive accounts to gain access to restricted resources in Active Directory, it's crucial to protect the credentials of privileged users. The Protected Users group, available since Windows Server 2012 R2, can safeguard credentials during their use and storage. 
Although using this group restricts some features, it is a recommended security measure for sensitive accounts, particularly those belonging to privileged domain groups.\n\u003cbr\u003eThe Protected Users group has the following restrictions:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eCredSSP and WDigest no longer cache clear-text passwords in memory (even if you enable \u003ccode\u003eAllow delegating default credentials\u003c/code\u003e), preventing delegation of authentication to connect to other systems transparently via internal Windows SSO.\u003c/li\u003e\n\u003cli\u003eNTLM no longer caches the password hash of authenticated accounts in memory.\u003c/li\u003e\n\u003cli\u003eNo longer allows constrained or unconstrained delegation of authentication for accounts.\u003c/li\u003e\n\u003cli\u003eLimits Kerberos pre-authentication to strong encryption algorithms such as AES, and disables DES and RC4 support.\u003c/li\u003e\n\u003cli\u003eReduces the default Kerberos ticket lifetime (TGT only) from 10h to 4h without automatic renewal.\u003c/li\u003e\n\u003cli\u003eDisables the domain's local cache feature. If domain controllers are unavailable, accounts can't log into computers.\u003c/li\u003e\n\u003cli\u003eAllows Kerberos as the only authentication protocol, and not NTLM.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTools like Mimikatz can access authentication information in LSASS memory. An attacker who compromises a computer can recover passwords/hashes from users who authenticated on it and access their accounts. 
The Protected Users group makes it harder for attackers to access member credentials.\n\u003cbr\u003eThis IoE checks the following criteria:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDomain Functional Level (DFL) must be at least Windows Server 2012 R2.\u003c/li\u003e\n\u003cli\u003eThe Protected Users group must be in use, i.e. have at least one member.\u003c/li\u003e\n\u003cli\u003eAll privileged users must be added to this group.\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Add Sensitive Accounts to the Protected Users Group","description":"Protect the credentials of the privileged accounts.\n","exec_summary":"\u003cp\u003eThe Protected Users group boosts security by safeguarding member credentials and preventing attackers from accessing Active Directory privileges. To enhance security, it's advisable to include users with privileged rights in this group.\u003c/p\u003e\n","detail":"\u003cp\u003eMicrosoft's Protected Users group enforces strict policies to safeguard user credentials, making it crucial to add privileged accounts to this group. However, take into account certain considerations before adding any account to this group:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe Protected Users group feature requires a domain functional level of 2012 R2 or higher. However, Microsoft has also made it available in previous versions of Windows (Windows 7, Windows Server 2008 R2, and Windows Server 2012) through its advisory 2871997; so even with a lower functional level, you can still use the feature by following the guidelines in the advisory.\u003c/li\u003e\n\u003cli\u003ePlace only user accounts, not service or computer accounts, in the Protected Users group. Even if an attacker gains administrative access to a computer, they can still extract specific credentials from service accounts and computer accounts (except for gMSA) in the Protected Users group. 
This is why Microsoft warns against adding service and computer accounts to the group, as it provides incomplete protection since the password or certificate is always available on the host. \u003cem\u003eAuthentication will fail for any service or computer in the Protected Users group with the error \"The user name or password is incorrect\"\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eAdding user accounts to the Protected Users group can block certain features, so it's important to verify the impact on the account. For instance, services that use impersonation to act as a specific user won't work on any member of the Protected Users group.\u003c/li\u003e\n\u003cli\u003eUser re-authentication is required to update the authentication token with this group.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eYou can manually set some security configurations in the Protected Users group on single users or groups, so it's not always necessary to add all privileged users to the group if they're protected. However, the group offers great protection against vulnerabilities exposing user credentials and is a quick way to secure critical accounts.\n\u003cbr\u003eWhen setting up the Protected Users group for the first time, it might be a good idea to enable the corresponding logs in order to get a better overview on the use of the group and detect possible blocking.\nTo do so, enable the ProtectedUser-Client,ProtectedUserFailures-DomainController and ProtectedUserSuccesses-DomainController logs available in the Windows event viewer: Applications and Services Logs \u0026gt; Microsoft \u0026gt; Windows \u0026gt; Authentication.\n\u003cbr\u003eWhen setting up the Protected Users group, enable corresponding logs to detect possible blocking. Enable the ProtectedUser-Client,ProtectedUserFailures-DomainController and ProtectedUserSuccesses-DomainController logs in Windows Event Viewer (Applications and Services Logs \u0026gt; Microsoft \u0026gt; Windows \u0026gt; Authentication). 
These logs provide detailed feedback on authentication attempts by group members, allowing validation of unblocked features for recently added accounts.\u003c/p\u003e\n","resources":[{"name":"How to Configure Protected Accounts","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts\n","type":"hyperlink"}]},"resources":[{"name":"Protected users security group","url":"https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group\n","type":"hyperlink"},{"name":"How to Configure Protected Accounts","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts\n","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_root_domain"],"attacker_known_tools":[{"name":"mimikatz - Silver tickets","url":"https://github.com/gentilkiwi/mimikatz/releases","author":"Gentil Kiwi"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0006 - Credential Access","techniques":["T1003.001 - OS Credential Dumping - LSASS Memory","T1003.005 - OS Credential Dumping - Cached Domain Credentials"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["es_001","fr_FR","zh_TW","ja_JP","ko_KR","de_DE","zh_CN","en_US"],"tvdb_export_source":{"file_name":"diff-202501110200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PROTECTED-USERS-GROUP-UNUSED","created_at":"2025-01-11T02:08:17","updated_at":"2025-01-11T02:08:17"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["es","fr","zh-TW","ja","ko","de","zh-CN","en"],"mitre_attack_information":[{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1003.001","name":"OS Credential Dumping - LSASS Memory","url":"https://attack.mitre.org/techniques/T1003/001/"},{"id":"T1003.005","name":"OS Credential Dumping - Cached Domain 
Credentials","url":"https://attack.mitre.org/techniques/T1003/005/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[38]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PASSWORD-NOT-REQUIRED","_score":null,"_source":{"language_code":"en_US","codename":"C-PASSWORD-NOT-REQUIRED","name":"Account with Possible Empty Password","id":37,"description":"\u003cp\u003eIdentifies user accounts that allow empty passwords.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eConfiguring an account with an optional password during account creation or password reset allows the account to have an empty password (i.e. no required password to log in), and exposes it to compromise.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eAt its creation or password reset, an account can have an empty password with PASSWD_NOTREQD option set via userAccountControl attribute. However, a user-set password cannot be blank. The \u003ccode\u003eUser must change password at next logon\u003c/code\u003e option is unaffected to ensure that the password is not empty when the user connects and changes the password. Accounts without a password are highly vulnerable and malicious users can take over their rights and gain access to all their resources.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Remove All Possibilities to Have an Empty Password on the Accounts","description":"No account should have the PASSWD_NOTREQD option set.","exec_summary":"\u003cp\u003eCheck that you configured all Active Directory accounts properly to disallow the use of blank passwords, especially for privileged accounts.\u003c/p\u003e\n","detail":"\u003cp\u003eDo not set the PASSWD_NOTREQD property flag in the userAccountControl attribute of AD accounts. 
This is a security weakness that malicious users can easily exploit, and there are no valid reasons to have an account with an empty password.\n\u003cbr\u003eTo disable the ability to set an empty password, remove the PASSWD_NOTREQD property flag in the userAccountControl attribute. An administrator might add this option mistakenly during account creation or change it later for convenience, but they should never do so from a security perspective.\n\u003cbr\u003eNote that in recent Windows versions (starting from Windows Server 2008 R2), this option is disabled by default during the creation of the account. It is the case for all of the regular administrative ways to create an account, whether through the Microsoft Management Console GUI (Active Directory Users and Computers snap-in), with PowerShell command inputs or cmd (\u003ccode\u003enet user\u003c/code\u003e).\nNote that in recent Windows versions (from Windows Server 2008 R2), this option is disabled by default when creating an account, including through regular administrative methods such as the Microsoft Management Console GUI (Active Directory Users and Computers snap-in), PowerShell command inputs, or cmd (\u003ccode\u003enet user\u003c/code\u003e).\n\u003cbr\u003eTo remove this option from a specific account, proceed as follows:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUse the following PowerShell command and replace \u003ccode\u003e{user name}\u003c/code\u003e with the user's name: \u003ccode\u003eGet-ADUser -Identity {user name} | Set-ADUser -PasswordNotRequired $false\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eIf the operation fails, it indicates that the account has a blank password and you must reset the password field before proceeding. 
The new password must comply with the domain policy, or the option to modify it will not be available:\u003cul\u003e\n\u003cli\u003eEnsure beforehand that the account is not currently in use or needed in the near future.\u003c/li\u003e\n\u003cli\u003eReset the password according to the account's domain password policy.\u003c/li\u003e\n\u003cli\u003eTry again to remove the PASSWD_NOTREQD property flag in the userAccountControl attribute using the previous PowerShell command.\u003c/li\u003e\n\u003cli\u003eIf it still fails, verify that the password change was successful and that the account you used to make the changes has the necessary permissions.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf you discover that a privileged account has an empty password, the situation is critical. The entire Active Directory infrastructure may be at risk, and there is a possibility that it has already been compromised, along with all its resources.\n\u003cbr\u003eTo mitigate the risk, you should first neutralize the account by disabling it, setting a complex password, and moving it to a dedicated organizational unit. Then, create a new account to replace it. 
Beforehand, conduct an audit of the account's role to prevent potential functional failures in the environment.\u003c/p\u003e\n","resources":[{"name":"Understanding and Remediating \"PASSWD_NOTREQD\"","url":"https://learn.microsoft.com/en-us/archive/blogs/russellt/passwd_notreqd","type":"hyperlink"}]},"resources":[{"name":"How to use the UserAccountControl flags to manipulate user account properties","url":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["zh_TW","de_DE","ja_JP","ko_KR","zh_CN","fr_FR","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PASSWORD-NOT-REQUIRED","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["zh-TW","de","ja","ko","zh-CN","fr","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid 
Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[37]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-USERS-CAN-JOIN-COMPUTERS","_score":null,"_source":{"language_code":"en_US","codename":"C-USERS-CAN-JOIN-COMPUTERS","name":"Users Allowed to Join Computers to the Domain","id":36,"description":"\u003cp\u003eVerify that regular users cannot join external computers to the domain.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eBy default, any privileged or unprivileged user can add a computer to the domain, creating a new computer account in the Active Directory. If this computer holds sensitive information, it could become a security risk, and the user who added it may still hold privileges on it, creating backdoors. This feature can also simplify exploitation of vulnerabilities (CVE-2021-42278 / CVE-2021-42287). It's recommended to disable this feature and verify existing computers added using this feature.\n\u003cbr\u003eThe \u003cstrong\u003esAMAccountName impersonation\u003c/strong\u003e Indicator of Attack can detect attacks but does not replace fixing the issue.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eTo join a new workstation to an Active Directory domain, Windows employs various strategies until it successfully acquires a computer account in the Active Directory or exhausts all possible options. 
These strategies include:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eSearching for a disabled computer account with the same name in the domain and assigning it to the external computer.\u003c/li\u003e\n\u003cli\u003eUsing the current user's rights to create a new account in the default computer container, which requires the user to have the necessary privileges.\u003c/li\u003e\n\u003cli\u003eUsing the \u003ccode\u003eAdd a workstation to the domain\u003c/code\u003e security setting, which is set on domain controllers, to create a corresponding account. This setting is available to all authenticated users by default, regardless of their user account rights. As a result, a regular domain user can perform this action.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eYou should ban this last strategy involving the use of the \"Add a workstation to the domain\" security setting. Allowing a regular user to join an external computer to the domain makes the user the creator of the computer account in the directory, which is a risky setup. 
This gives the user certain rights over the account, including:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAbility to change the values on these attributes: description, displayName, sAMAccountName, servicePrincipalName (provided that they adhere to the \"validated write\" constraints) and ms-DS-Key-Credential-Link (also the \"validated write\" constraints).\u003c/li\u003e\n\u003cli\u003eAbility to change all of the following attributes of the \u003ccode\u003eproperty sets\u003c/code\u003e:\u003cul\u003e\n\u003cli\u003eLogon Information: badPwdCount, homeDirectory, homeDrive, lastLogoff, lastLogon, lastLogonTimestamp, logonCount, logonHours, logonWorkstation, profilePath, scriptPath, userWorkstations attributes\u003c/li\u003e\n\u003cli\u003eAccount Restrictions: accountExpires, msDS-AllowedToActOnBehalfOfOtherIdentity, msDS-User-Account-Control-Computed, msDS-UserPasswordExpiryTimeComputed, pwdLastSet, userAccountControl, userParameters attributes\u003c/li\u003e\n\u003cli\u003eDNS Host Name Attributes (\"validated write\"): dNSHostName and msDS-AdditionalDnsHostName attributes\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eCreation of a child object\u003c/li\u003e\n\u003cli\u003eAbility to acquire the following extended rights on the computer object: change the computer account's password (Change Password), reset the password (Reset Password), send and receive emails from a mailbox (Send As, Receive As), delegate authentication (Allowed to Authenticate).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSome of these rights are highly sensitive and could potentially lead to the immediate compromise of the computer, providing a constant backdoor to the Active Directory. 
Furthermore, as the user has also set up the operating system, they may retain their local administrative access in the future, creating a system backdoor.\n\u003cbr\u003eA typical user would then possess privileges on a computer that could become sensitive for the enterprise because it contains critical information or has elevated privileges, such as becoming an administrator's workstation or a server that upgraded to a domain controller.\n\u003cbr\u003eTo be able to add a computer to the domain, a user account must fulfill two conditions: it must be included in the security option \u003ccode\u003eAdd a workstation to the domain\u003c/code\u003e (either directly by the account or as part of a group), and it must not have exceeded the maximum number of computers it can join to the domain.\n\u003cbr\u003eBy default, every newly created user in the domain gets added to the \u003ccode\u003eAuthenticated Users\u003c/code\u003e group, which grants them the ability to add a computer.\n\u003cbr\u003eTo determine if the user has exceeded their quota, you can calculate the difference between the maximum quota set on the domain and the number of computers that the user added. The attribute ms-DS-MachineAccountQuota on the domain contains the maximum value. Additionally, each workstation that the user added will have the mS-DS-CreatorSID attribute completed with the security identifier (SID) of the user who added the computer.\n\u003cbr\u003eIf the user can create a computer account as a member of a privileged group or through delegation, they are not subject to the domain's maximum quota. Furthermore, they do not need to be included in the list of the \u003ccode\u003eAdd a workstation to the domain\u003c/code\u003e security setting.\n\u003cbr\u003eThis misconfiguration also poses a risk of exploitation in certain circumstances. 
In November 2021, Microsoft addressed a set of vulnerabilities (CVE-2021-42278 and CVE-2021-42287) on domain controllers that allowed for an elevation of privileges on the domain. While this misconfiguration is not a prerequisite for exploiting those security issues, it can certainly facilitate the process, especially for fully automated attack tools. Therefore, it is important to fix this issue as soon as possible, even if the \u003cstrong\u003esAMAccountName impersonation\u003c/strong\u003e Indicator of Attack can alert you in case of an attack.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Prevent Regular Users from Joining Computers","description":"Verify that the quota defined to add workstation to the domain is set to 0.","exec_summary":"\u003cp\u003eEnsure that not everyone can join computers to the Active Directory domain by modifying the default value of the infamous ms-DS-MachineAccountQuota attribute (also known as \"MachineAccountQuota\") in order to authorize only designated administrators. Additionally, some existing computers may have been added to the domain through unauthorized means. In such cases, it may be necessary to reinstall those computers and apply the organization's Windows master file. Although this can be a costly undertaking, it is important to consider the potential risks posed by these computers, which may lack proper security hardening or contain hidden backdoors that could leave the domain vulnerable to attack.\u003c/p\u003e\n","detail":"\u003cp\u003ePermitting all domain users to add workstations to the domain is not a best practice. When a user creates a computer account, they gain privileged rights over it, and may even have local administrator access to all of its resources.\n\u003cbr\u003eAllow only privileged users to create computer accounts when setting up new workstations and servers. 
Enforcing this security measure blocks regular users from creating computer accounts and adding workstations to the domain, as it can lead to easy exploitation of privileges.\n\u003cbr\u003eBy default, the \"Add workstations to domain\" security setting is available to all users, and regular users can join new workstations to the domain according to the maximum quota set on the domain.\n\u003cbr\u003eGive the permission to the privileged users who will be in charge of adding new computers:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOn the container (organizational unit) where computer accounts are created, select Delegate Control.\u003c/li\u003e\n\u003cli\u003eChoose the user or group that will receive the permission.\u003c/li\u003e\n\u003cli\u003eCustomize the delegation of the \u003ccode\u003ecreate a custom task to delegate\u003c/code\u003e option to select the computer objects.\u003c/li\u003e\n\u003cli\u003eMake sure to give the creation right under the selection of the object.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIn addition to granting permission to create computer accounts, it may also be beneficial to allow the user responsible for this administrative task to delete computer accounts as well. Note that once you grant this right, the ms-DS-MachineAccountQuota no longer limits the number of added computer accounts.\n\u003cbr\u003eTo remove the permission from regular users:\n As privileged users are not subject to the maximum quota of the domain, it is unnecessary to set a value higher than 0 for that attribute. 
To set the value to 0, use the following PowerShell command: \u003ccode\u003eSet-ADDomain (Get-ADDomain).distinguishedname -Replace @{\"ms-ds-MachineAccountQuota\"=\"0\"}\u003c/code\u003e.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Who can add workstation to the domain","url":"https://learn.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain","type":"hyperlink"},{"name":"Default limit to number of workstations a user can join to the domain","url":"https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain","type":"hyperlink"}],"applicable_resource_types":["ad_root_domain","ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0002 - Execution","techniques":[]},{"tactic":"TA0042 - Resource Development","techniques":["T1585 - Establish Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["zh_CN","ko_KR","de_DE","es_001","fr_FR","zh_TW","ja_JP","en_US"],"tvdb_export_source":{"file_name":"diff-202501311400.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-USERS-CAN-JOIN-COMPUTERS","created_at":"2025-01-31T14:09:34","updated_at":"2025-01-31T14:09:34"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["zh-CN","ko","de","es","fr","zh-TW","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0002","name":"Execution","url":"https://attack.mitre.org/tactics/TA0002/"},"techniques":[]},{"tactic":{"id":"TA0042","name":"Resource Development","url":"https://attack.mitre.org/tactics/TA0042/"},"techniques":[{"id":"T1585","name":"Establish Accounts","url":"https://attack.mitre.org/techniques/T1585/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[36]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-AAD-SSO-PASSWORD","_score":null,"_source":{"language_code":"en_US","codename":"C-AAD-SSO-PASSWORD","name":"Last Change of the Microsoft 
Entra SSO Account Password","id":35,"description":"\u003cp\u003eEnsures regular changes to the Microsoft Entra SSO account password.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eEvery Active Directory that uses the SSO feature of Microsoft Entra ID includes a special computer account, AZUREADSSOACC.\nThis account holds the master secret used to authenticate users from the local domain to Microsoft Azure, and it is essential that you protect it at all costs.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eEnabling the \"Microsoft Entra Seamless Single Sign-On\" feature in Microsoft Entra Connect provides a simple way to operate between an on-premises AD and Microsoft Entra ID.\nFor this purpose, the initial setup creates a specific account (AZUREADSSOACC). This account is sensitive because it has the ability to generate Kerberos tickets for any user in its AD domain, providing access to any Azure application as any user.\nEven though this AZUREADSSOACC account is a computer account, its credentials do not renew automatically and its password never expires. 
For this reason, Microsoft provides a script for you to run periodically to change the account's Kerberos decryption key.\n\u003cbr\u003eThis Indicator of Exposure alerts if the Kerberos key hasn't changed recently as recommended by Microsoft (monthly).\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Change the Kerberos Decryption Key of the AZUREADSSOACC Account","description":"The special account AZUREADSSOACC should be protected by periodically rotating its credentials.\n","exec_summary":"\u003cp\u003eChanging the AZUREADSSOACC account key is a special operation that requires the use of a Microsoft script.\u003c/p\u003e\n","detail":"\u003cp\u003eMicrosoft provides an \u003ca href=\"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-\"\u003eofficial procedure\u003c/a\u003e to generate a strong random password for this account that uses 256 alphanumerical characters. A Domain Administrator must perform this process manually and preferably only once (i.e. not twice in a row) for best results.\n\u003cbr\u003ePerform the following procedure every 30 days:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cp\u003eGet list of AD forests that have \u003ccode\u003eSeamless SSO\u003c/code\u003e enabled:\n a. Download and install Azure AD PowerShell.\n b. Navigate to the %programfiles%\\Microsoft Azure Active Directory Connect folder.\n c. Import the Seamless SSO PowerShell module using this command: Import-Module .\\AzureADSSO.psd1.\n d. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext. This command opens a popup to enter your tenant's Global Administrator credentials.\n e. Call Get-AzureADSSOStatus | ConvertFrom-Json. 
This command provides the list of AD forests (see the \"Domains\" list) that have this feature enabled.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003eUpdate the Kerberos decryption key on each AD forest where it was set up:\n a. Call $creds = Get-Credential. At the prompt, enter the Domain Administrator credentials for the target AD forest.\n b. Call Update-AzureADSSOForest -OnPremCredentials $creds. This command updates the Kerberos decryption key for the AZUREADSSOACC computer account in this specific AD forest and updates it in Microsoft Entra ID.\n c. Repeat the previous steps for each AD forest that has this feature enabled.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ol\u003e\n","resources":[]},"resources":[{"name":"Introduction to Azure Active Directory Seamless Single Sign-On","url":"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start","type":"hyperlink"},{"name":"Changing the Kerberos decryption key of the AZUREADSSOACC computer account","url":"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-","type":"hyperlink"},{"name":"Internals of Azure AD Seamless SSO","url":"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-how-it-works","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0003 - Persistence","techniques":[]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["de_DE","fr_FR","zh_TW","ko_KR","ja_JP","es_001","zh_CN","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-AAD-SSO-PASSWORD","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["de","fr","zh-TW","ko","ja","es","zh-CN","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[35]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-ABNORMAL-ENTRIES-IN-SCHEMA","_score":null,"_source":{"language_code":"en_US","codename":"C-ABNORMAL-ENTRIES-IN-SCHEMA","name":"Dangerous Rights in the AD Schema","id":34,"description":"\u003cp\u003eLists schema entries considered anomalous that could potentially offer a means of persistence.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eThe Active Directory schema is the basis for creating objects and attributes, and you must approach any schema modifications with caution.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eSome third-party software may modify the schema to function properly. For example, Microsoft Exchange creates new objects and attributes for data related to messaging services and mailboxes. It's crucial to ensure these modifications don't create security vulnerabilities in the Active Directory, such as granting dangerous rights to unprivileged accounts that could lead to privilege escalation in the domain.\n\u003cbr\u003eMicrosoft regularly updates the Active Directory schema. 
New releases of Windows Server introduce new features, which add new objects and attributes to the schema. For instance, upgrading from Windows Server 2012 R2 to 2016 would introduce new classSchema objects (e.g. ms-DS-Device-MDMStatus) and modify some existing ones (e.g. the ms-DS-Device class gains a new attribute systemMayContain).\n\u003cbr\u003eThe Active Directory schema can be a stealthy location to place a backdoor. Since it is not an obvious target, attackers may use it for persistence after breaching the system. However, highly privileged rights are necessary for modification. Using the attribute defaultSecurityDescriptor is an optimal way to install a backdoor, as it applies security ACLs to any object created of that class.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Verify the defaultSecurityDescriptor Attribute","description":"Verify that the defaultSecurityDescriptor attribute of the object does not allow too much access rights.","exec_summary":"\u003cp\u003eTo assess the potential risk and true intention of a configuration change, investigate a classSchema object with a hazardous defaultSecurityDescriptor attribute.\u003c/p\u003e\n","detail":"\u003cp\u003eA defaultSecurityDescriptor on a classSchema object that gives too many access rights to unprivileged users can lead to a serious security breach and you should avoid it.\n\u003cbr\u003eTo follow the principle of least privileges, analyze and fix the deviant class object using Microsoft Management Console's Schema snap-in. Then check and fix every object instance of the class with wrong ACE. If a third-party tool requires modifying the defaultSecurityDescriptor, consider the ACL trustees as privileged and protect them. 
Before removing permissions, assess the modifications carefully as it can impact applications or users relying on them.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"About the Active Directory Schema","url":"https://learn.microsoft.com/en-us/windows/win32/ad/about-the-active-directory-schema","type":"hyperlink"},{"name":"Default Security Descriptor","url":"https://learn.microsoft.com/en-us/windows/win32/ad/default-security-descriptor","type":"hyperlink"}],"applicable_resource_types":["ad_class_schema"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["es_001","zh_TW","ja_JP","ko_KR","zh_CN","de_DE","fr_FR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-ABNORMAL-ENTRIES-IN-SCHEMA","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["es","zh-TW","ja","ko","zh-CN","de","fr","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[34]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-USER-PASSWORD","_score":null,"_source":{"language_code":"en_US","codename":"C-USER-PASSWORD","name":"User Account Using Old Password","id":33,"description":"\u003cp\u003eChecks for regular updates of all active account passwords in Active Directory to reduce credential theft risk.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eTo mitigate the risk of credential theft, it is advisable to update regularly the passwords of all active accounts in Active 
Directory. However, if users must change their password too frequently, this may lead to the selection of predictable passwords or the storage of passwords in unsafe locations, increasing the likelihood of credential theft.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe longer a password exists, the greater the risk of compromise by attackers, due to the complexity of the Microsoft Single-Sign-On mechanism and a wide range of cyberattack techniques. \u003cem\u003ePassword spraying\u003c/em\u003e, \u003cem\u003ebrute-force\u003c/em\u003e attacks, and \u003cem\u003ecredential theft\u003c/em\u003e are common ways attackers can gain access to clear-text passwords.\n\u003cbr\u003eHaving a user account with an old password is a security risk because attackers can use a compromised password for as long as the user has authorized access. Furthermore, if an attacker obtains an Active Directory account password hash (NT hash), they can use it to connect to multiple services without having to crack the hash until the password changes.\n\u003cbr\u003eWith today's computing capabilities, attackers can crack even strong passwords in a few weeks. Frequent password changes can reduce the opportunity for an attacker to use a cracked password, but setting the change interval too low may increase the number of help desk support calls due to users forgetting their current password.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Renew the Password of Sensitive Accounts at an Appropriate Frequency","description":"The password of Active Directory accounts managing sensitive access must be changed at an appropriate frequency.\n","exec_summary":"\u003cp\u003eTenable recommends implementing a password renewal policy for accounts with sensitive access rights in the information system. 
Configure this policy to prevent users from changing their password too frequently, which could increase the likelihood of predictable password use.\u003c/p\u003e\n","detail":"\u003cp\u003eTo prevent attackers from exploiting stolen credentials during a login session, you can implement a password policy that regularly updates user passwords. However, it is important to select carefully the frequency of password updates and which user accounts are subject to this policy.\n\u003cbr\u003eIn 2017, the NIST has changed its stance on regular password changes (cf. link in the resources), citing the tendency for users to select easily remembered, predictable passwords or to modify incrementally their current password each time they must change it. Enforcing frequent password changes can lead to the use of weaker passwords across an organization.\n\u003cbr\u003eTherefore, Tenable recommends creating customized password policies based on the level of access granted to different user groups in Active Directory. There are three groups of AD users:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eTier 0 accounts\u003c/strong\u003e: These accounts have complete access to the Active Directory and other sensitive company applications. Users with these privileges must be aware of the criticality of their access rights and must adhere to a strict password policy that enforces long and complex passwords. Tenable recommends changing their password \u003cstrong\u003eevery six months\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTier 1 accounts\u003c/strong\u003e: These accounts are service accounts or have administrative access to business servers. They can be subject to a more flexible password policy and may \u003cstrong\u003erenew their password only once a year\u003c/strong\u003e. 
A documented procedure should describe how to renew service accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTier 2 accounts\u003c/strong\u003e: These accounts belong to regular users for their day-to-day activities and do not hold sensitive access to the company. Tenable recommends renewing passwords once every three years or when you detect a security incident on the information system.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eHow to set a password renewal policy using Group Policy\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eRun the \u003cem\u003eGroup Policy\u003c/em\u003e tool, either from the MMC snap-in or from the server manager tools.\u003c/li\u003e\n\u003cli\u003eEdit an existing GPO or create and link a new GPO on the container where you want to apply the new policy.\u003c/li\u003e\n\u003cli\u003eSelect \u003cem\u003eComputer Configuration\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003ePolicies\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eWindows Settings\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eSecurity Settings\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eAccount Policies\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect \u003cem\u003ePassword Policy\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble click on \u003cem\u003eMaximum password age\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eVerify that the checkbox \u003cem\u003eDefine this policy setting\u003c/em\u003e is checked.\u003c/li\u003e\n\u003cli\u003eEnter the number of days before requiring a user to change their password. 
Do not enter 0 to avoid disabling the password renewal policy.\u003c/li\u003e\n\u003cli\u003eClick on \u003cem\u003eOK\u003c/em\u003e to validate.\u003c/li\u003e\n\u003c/ol\u003e\n","resources":[]},"resources":[{"name":"NIST - Digital Identity Guidelines Authentication and Lifecycle Management","url":"https://pages.nist.gov/800-63-3/sp800-63b.html\n","type":"hyperlink"},{"name":"Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903","url":"https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903","type":"hyperlink"},{"name":"NCSC - Password administration for system owners","url":"https://www.ncsc.gov.uk/collection/passwords","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"THC-Hydra","url":"https://github.com/vanhauser-thc/thc-hydra","author":"van Hauser / THC"},{"name":"John the Ripper","url":"https://www.openwall.com/john/","author":"Solar Designer"},{"name":"Hashcat","url":"https://hashcat.net/hashcat/","author":"Jens Steube"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["es_001","zh_TW","de_DE","fr_FR","ko_KR","ja_JP","zh_CN","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-USER-PASSWORD","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["es","zh-TW","de","fr","ko","ja","zh-CN","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1078","name":"Valid 
Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[33]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-AAD-CONNECT","_score":null,"_source":{"language_code":"en_US","codename":"C-AAD-CONNECT","name":"Verify Permissions Related to Microsoft Entra Connect Accounts","id":32,"description":"\u003cp\u003eEnsure the permissions set on Microsoft Entra Connect accounts are sane\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003ePermissions for Microsoft Entra Connect accounts (MSOL) must be sane due to their impact on the entire Active Directory domain.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe installation of Microsoft Entra Connect (formerly Azure AD Connect) requires the setup of multiple accounts to enable synchronization between the on-prem Active Directory (AD) and Microsoft Entra ID. As such, AD accounts and computers related to this synchronization require appropriate protection.\n\u003cbr\u003eIn particular, an attacker who controls the AD account used for synchronizing AD and Microsoft Entra ID (MSOL_* when installing Microsoft Entra Connect in the \"Express\" mode) can compromise the entire domain by replicating all user password hashes using a tool such as Mimikatz DCSync.\n\u003cbr\u003eAll the ways of accessing this account give the attacker the same rights. 
Hence, certain other components also require protection:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe server where Microsoft Entra Connect runs (a domain controller or a dedicated domain server)\u003c/li\u003e\n\u003cli\u003eThe server hosting the database (the same server running Microsoft Entra Connect or a dedicated one)\u003c/li\u003e\n\u003cli\u003eThe service account for the database (domain/local account, gMSA, VSA, etc.);\u003c/li\u003e\n\u003cli\u003eThe ADSyncAdmins group with access to the database which contains the MSOL_* credentials.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIn addition, if you enable the feature \"Seamless Single Sign-On\" for Microsoft Entra ID, you must also protect the computer account named AZUREADSSOACC.\n\u003cbr\u003eAn attacker might exploit a permissions misconfiguration to gain access to those accounts and ultimately to the directory.\n\u003cbr\u003eThe following entities (built-in groups and accounts) are whitelisted because they have legitimate permissions on those accounts:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key 
Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eNT AUTHORITY\\System\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eApart from verifying permissions, it is important to validate members of the ADSyncAdmins group. Access to the database would provide control over the synchronization account by stealing its password hash. As such, all members of this group should already be privileged in the domain.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Fix permissions on Microsoft Entra Connect accounts","description":"Dangerous permissions applied on Microsoft Entra Connect accounts should be removed","exec_summary":"\u003cp\u003eA security assessment of the permissions applied on Microsoft Entra Connect accounts can identify those that you can safely remove.\u003c/p\u003e\n","detail":"\u003cp\u003eThe permissions applied on Microsoft Entra Connect accounts indirectly impact nearly all the objects of the domain. 
Examine each of them carefully, and consider removing those that pose a security risk.\n\u003cbr\u003eBy default, only built-in privileged entities (see the full list in the \u003cem\u003eVulnerability detail\u003c/em\u003e tab) should have important permissions on those objects:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eADDS Connector user accounts (MSOL_* by default or dedicated ones)\u003c/li\u003e\n\u003cli\u003eService accounts used for Microsoft Entra Connect databases\u003c/li\u003e\n\u003cli\u003eComputer accounts of servers where Microsoft Entra Connect runs\u003c/li\u003e\n\u003cli\u003eComputer accounts of Microsoft Entra Connect servers that host the database\u003c/li\u003e\n\u003cli\u003eComputer accounts related to the SSO feature (AZUREADSSOACC)\u003c/li\u003e\n\u003cli\u003eADSyncAdmins groups\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAlso, members of ADSyncAdmins groups should only be privileged ones.\nCarry out a precise assessment before you remove permissions, as this can have an impact on applications or users needing those.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Microsoft Entra Connect - Accounts and permissions","url":"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions\n","type":"hyperlink"}],"applicable_resource_types":["ad_computer","ad_group","ad_user"],"attacker_known_tools":[{"name":"adconnectdump","url":"https://github.com/fox-it/adconnectdump","author":"Fox-IT"},{"name":"mimikatz","url":"https://github.com/gentilkiwi/mimikatz/releases","author":"Gentil Kiwi"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["es_001","ja_JP","zh_TW","de_DE","fr_FR","zh_CN","ko_KR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-AAD-CONNECT","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["es","ja","zh-TW","de","fr","zh-CN","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[32]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DC-ACCESS-CONSISTENCY","_score":null,"_source":{"language_code":"en_US","codename":"C-DC-ACCESS-CONSISTENCY","name":"Domain Controllers Managed by Illegitimate Users","id":30,"description":"\u003cp\u003eSome domain controllers can be managed by non-administrative users due to dangerous access rights.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eDespite the number of Active Directory assets, the Domain Controllers are the most sensitive as they store all of these assets data (including authentication secrets like the users' passwords).\n\u003cbr\u003eOnly legitimate administrative accounts should be able to manage them.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eDomain Controllers (DCs) store all Active Directory secrets and have a potentially large attack surface, making them primary targets for attackers. 
Here are some examples:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAbuse of access rights to reset the password of the computer object hosting the domain controller to replicate password\u003c/li\u003e\n\u003cli\u003eExploitation of a misconfigured GPO to execute arbitrary code or inhibit security policy by overriding security parameters\u003c/li\u003e\n\u003cli\u003eCompromise of a vulnerable application on the host operating system to access the Active Directory database\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe purpose of this Indicator of Exposure is to ensure that every DC object is safe against such attack techniques. It also ensures DCs can only be managed by regular administrators. In particular, the following three scenarios are monitored.\u003c/p\u003e\n\u003ch4\u003eDomain controllers stored outside the \"Domain Controllers\" organizational unit (OU)\u003c/h4\u003e\n\u003cp\u003eAs any computer object, Domain controllers can be moved to any Active Directory container (such as organizational units). However, moving them into another container could be extremely dangerous. In fact, the Domain Controllers OU has a special GPO (called \"Default Domain Controller Policy\") applied that is designed to implement the whole security policy for the AD (like the password complexity, the authentication protocols used, the logging policy, etc.).\n\u003cbr\u003eWhen a DC is moved out of the Domain Controllers OU, the GPO won't apply (unless someone updated the GPO link, which is not done by default). This is why Microsoft refuses to provide support in such a configuration. In addition, some services and applications may only search the Domain Controllers OU for DCs (by examining the GUID_DOMAIN_CONTROLLERS_CONTAINER_W value) and setting a search base of 1. 
DCs in other OUs wouldn't be found, causing side effect for the service.\u003c/p\u003e\n\u003ch4\u003eIllegitimate users manipulate domain controllers objects\u003c/h4\u003e\n\u003cp\u003eEach DC is stored in the Active Directory database through two different objects:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe computer object that depicts the configuration and access rights of the Windows operating system hosting the AD database.\u003c/li\u003e\n\u003cli\u003eThe nTDSDSA object that represents the service running Active Directory components (such as LDAP, the Group Policy engine, the replication process, etc.).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth objects can be vulnerable to permissive access rights that allow an illegitimate party to gain control of the DC. This attack scenario also applies on the parent containers which must have the same security parameters.\n\u003cbr\u003eTo reinforce a strong protection level, ensure that the access control list (ACL) for all DC objects and files contains only legitimate administrators. Any other permission added to one of these elements could allow an attacker to compromise the DC.\n\u003cbr\u003eBy default, the Indicator of Exposure analyzes every DC-related objects and highlights any dangerous ACL on:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe root domain partition object (e.g. DC=ad,DC=tenable,DC=com)\u003c/li\u003e\n\u003cli\u003eThe Domain Controllers container\u003c/li\u003e\n\u003cli\u003eThe computer objects\u003c/li\u003e\n\u003cli\u003eThe nTDSDSA objects\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eIllegitimate users manage Domain controllers' configuration enforced by GPOs\u003c/h4\u003e\n\u003cp\u003eIn an Active Directory, GPOs manage DC configurations through settings that define the behavior of a system. This Indicator of Exposure ensures that only regular administrators can manipulate GPOs linked to DCs. 
To reinforce a strong protection level, ensure that the ACL for all DC objects and files contains only legitimate administrators. Any other permission added to one of these elements could allow an attacker to compromise the DCs.\n\u003cbr\u003eBy default, the Indicator of Exposure analyzes every GPO linked to any DC and its parent containers including:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe root domain partition object (e.g. DC=ad,DC=tenable,DC=com)\u003c/li\u003e\n\u003cli\u003eThe Domain Controllers container\u003c/li\u003e\n\u003cli\u003eThe computer objects\u003c/li\u003e\n\u003cli\u003eThe nTDSDSA objects\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFor more details about GPOs security, see the Indicator of Exposure \"Verify Sensitive GPO Objects and Files Permissions\".\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Enforce strict access control on Domain Controllers","description":"Only administrative accounts should be able to manage Domain Controllers objects\n","exec_summary":"\u003cp\u003eThe Domain Controllers (DCs) require strict access rights. Allow only highly privileged user accounts to manage DC objects or link new group policies.\u003c/p\u003e\n","detail":"\u003cp\u003eIn terms of security, DCs are the most critical assets to protect in an Active Directory. 
See the \u003cstrong\u003eVulnerability Details\u003c/strong\u003e section for more information.\n\u003cbr\u003eEach DC is stored in the Active Directory database through two different objects that require protection from illegitimate access:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe computer object that depicts the configuration and access rights of the Windows operating system hosting the AD database.\u003c/li\u003e\n\u003cli\u003eThe nTDSDSA object that represents the service running AD components such as LDAP, the Group Policy engine, the replication process, etc.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTo do so, enforce the following several security measures.\u003c/p\u003e\n\u003ch4\u003eMove domain controllers to the appropriate organizational unit\u003c/h4\u003e\n\u003cp\u003eStore all domain controller objects in their default container called \"Domain Controllers\". Hosting DC objects on another container than the default is not supported by Microsoft and could create major security breaches that could impact the DC itself, its users or every computer in the AD infrastructure.\n\u003cbr\u003eTenable recommends that you reset the location of each DC by moving it to the appropriate \"Domain Controllers\" OU.\u003c/p\u003e\n\u003ch2\u003eProceedings using PowerShell\u003c/h2\u003e\n\u003cp\u003eTo move every domain controller to their default container:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $defaultNamingContext = (Get-ADRootDSE).defaultNamingContext\nPS\u0026gt; Get-ADDomainController -Filter * | % { Get-ADObject $_.ComputerObjectDN } | Move-ADObject -TargetPath \"OU=Domain Controllers,$defaultNamingContext\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2\u003eProceedings using Microsoft Administrative tools\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eRun the \u003cem\u003eADSI Edit\u003c/em\u003e tool, either from the MMC snap-in or from the server manager 
tools.\u003c/li\u003e\n\u003cli\u003eIn the \u003cem\u003eSelect a well-known Naming Context\u003c/em\u003e drop-down box, select \u003cem\u003eDefault naming context\u003c/em\u003e, and then click \u003cem\u003eOK\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eLocate the domain controller objects stored in an illegitimate location.\u003c/li\u003e\n\u003cli\u003eRight-click on the DC object, and then click \u003cem\u003eMove\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the organizational unit 'OU=Domain Controllers,[YOUR ACTIVE DIRECTORY NAMING CONTEXT]'.\u003c/li\u003e\n\u003cli\u003eClick \u003cem\u003eOK\u003c/em\u003e to validate the modification.\u003c/li\u003e\n\u003cli\u003eRepeat the last three steps for every DC object.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eRemove dangerous access right on computer and nTDSDSA objects or any parent container.\u003c/h4\u003e\n\u003cp\u003ePermissions on computer object hosting DC services and on nTDSDSA object should only be granted to the following entities:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\"Domain Admins\" group\u003c/li\u003e\n\u003cli\u003e\"Enterprise Admins\" group\u003c/li\u003e\n\u003cli\u003e\"Enterprise Domain Controllers\" group\u003c/li\u003e\n\u003cli\u003e\"Domain Controllers\" group\u003c/li\u003e\n\u003cli\u003e\"Group Policy Creator Owners\" group\u003c/li\u003e\n\u003cli\u003eBuilt-in \"Administrators\" group\u003c/li\u003e\n\u003cli\u003eBuilt-in \"Creator Owner\" group\u003c/li\u003e\n\u003cli\u003eBuilt-in \"System\" account\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe same principle also applies to the containers encompassing computers and nTDSDSA objects as they inherently control their child items.\n\u003cbr\u003eAny other entity having important permissions set on the container should be carefully audited. In particular, no unprivileged account or group should have more than the \"read\" permission. 
To prevent risk, Tenable recommends that you reset the permissions of these objects to their default value.\u003c/p\u003e\n\u003ch2\u003eProceedings using PowerShell\u003c/h2\u003e\n\u003cp\u003eReset the permissions of an nTDSDSA object based on another nTDSDSA object considered as legitimate by Tenable Identity Exposure:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $computerObjectName = \"\u0026lt;NAME OF THE COMPUTER OBJECT HOSTING A DC HAVING A SAFE ACCESS CONTROL POLICY\u0026gt;\"\nPS\u0026gt; $site = \"\u0026lt;NAME OF THE ACTIVE DIRECTORY SITE HOSTING A DC HAVING A SAFE ACCESS CONTROL POLICY\u0026gt;\"\nPS\u0026gt; $deviantComputerObjectName = \"\u0026lt;NAME OF THE COMPUTER OBJECT HOSTING A DC HAVING A DANGEROUS ACCESS CONTROL POLICY\u0026gt;\"\nPS\u0026gt; $deviantSite = \"\u0026lt;NAME OF THE ACTIVE DIRECTORY SITE HOSTING A DC HAVING A DANGEROUS ACCESS CONTROL POLICY\u0026gt;\"\nPS\u0026gt; $defaultNamingContext = (Get-ADRootDSE).defaultNamingContext\nPS\u0026gt; $standardAcl = Get-Acl \"AD:CN=$computerObjectName,CN=Servers,CN=$site,CN=Sites,CN=Configuration,$defaultNamingContext\"\nPS\u0026gt; Set-Acl \"AD:CN=$deviantComputerObjectName,CN=Servers,CN=$deviantSite,CN=Sites,CN=Configuration,$defaultNamingContext\" -AclObject $standardAcl\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe same strategy must be applied for every deviant computer object encompassing containers.\u003c/p\u003e\n\u003ch4\u003eRemove dangerous access rights on GPOs linked to domain controllers.\u003c/h4\u003e\n\u003cp\u003eIn Active Directory, the Group Policy Objects (GPOs) are a collection of settings that defines the workings of a system and how it behaves for a defined group of users. 
For more information, see the \u003cstrong\u003eVulnerability Details\u003c/strong\u003e section.\n\u003cbr\u003eGrant edit permissions or ownership on sensitive GPOs linked to domain controllers, only to the following entities:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\"Domain Admins\" group\u003c/li\u003e\n\u003cli\u003e\"Enterprise Admins\" group\u003c/li\u003e\n\u003cli\u003e\"Group Policy Creator Owners\" group\u003c/li\u003e\n\u003cli\u003eBuilt-in \"Administrators\" group\u003c/li\u003e\n\u003cli\u003eBuilt-in \"Creator Owner\" group\u003c/li\u003e\n\u003cli\u003eBuilt-in \"System\" account\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAudit any other entity with important permissions/ownership set on the GPO, both its Group Policy Container (GPC) object in LDAP, and its related Group Policy Template (GPT) folders and files in SYSVOL. No unprivileged account or group should have more than the \"read\" permission, or be the owner, on any of these.\u003c/p\u003e\n\u003ch2\u003eProceedings using Group Policy Management Console\u003c/h2\u003e\n\u003cp\u003eOpen the \u003cem\u003eGroup Policy Management Console\u003c/em\u003e and select the deviant GPO.\u003c/p\u003e\n\u003cp\u003eIn the \"Delegation\" tab, remove or edit any excessive edit permission granted to unprivileged user/group.\u003c/p\u003e\n\u003cp\u003eTo fix a deviant owner, still in the \"Delegation\" tab, click \"Advanced...\" then \"Advanced\" again in the popup. The current \"Owner\" is displayed at the top and you can click \"Change\". Select a safe owner such as the \"Domain Admins\" group or the built-in \"Administrators\" group.\u003c/p\u003e\n\u003cp\u003eUsing the Group Policy Management Console should fix both the Group Policy Container (GPC) object in LDAP, and its related Group Policy Template (GPT) folders and files in SYSVOL. 
However, sometimes this tool fails to fix exhaustively the issues, in that case you must use \u003cem\u003eADSI Edit\u003c/em\u003e to edit permissions/ownership on the GPC, or the Windows file explorer for the GPT part in SYSVOL.\u003c/p\u003e\n\u003ch2\u003eProceedings using DCGpoFix.exe\u003c/h2\u003e\n\u003cp\u003eIt is often difficult to reset the original access control policy when you have illegitimate access rights set on the \"Default Domain Controller Policy\". For this reason, Microsoft provides a utility called DCGpoFix.exe on each DC, which can reset the default access right on the \"Default Domain Controller Policy\" GPO.\n\u003cbr\u003eAfter you connect to the DC in interactive or RDP, open a command line interface and type the following commands:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eDCGPOFIX /target:DC\n\u003c/code\u003e\u003c/pre\u003e\n","resources":[{"name":"Administration of Default Containers and OUs","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc728418(v=ws.10)#domain-controller-ou\n","type":"hyperlink"},{"name":"Restore Default Permissions on OU","url":"https://social.technet.microsoft.com/wiki/contents/articles/18726.active-directory-restore-default-permissions-on-organizational-units-ou.aspx\n","type":"hyperlink"},{"name":"DCGpoFix technical reference","url":"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dcgpofix\n","type":"hyperlink"}]},"resources":[{"name":"Securing Active Directory Administrative Groups and Accounts","url":"https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc700835(v=technet.10)","type":"hyperlink"},{"name":"Technical description of an nTDSDSA 
Object","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srpl/4c62c74a-b55c-47d1-b575-33395a727d97","type":"hyperlink"}],"applicable_resource_types":["ad_configuration","ad_gpc","ad_ntdsdsa","ad_ou","ad_root_domain","ad_site","ad_sysvol_object","ad_user"],"attacker_known_tools":[],"category_id":5,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ja_JP","es_001","zh_TW","zh_CN","fr_FR","de_DE","ko_KR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DC-ACCESS-CONSISTENCY","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["ja","es","zh-TW","zh-CN","fr","de","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[30]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PASSWORD-POLICY","_score":null,"_source":{"language_code":"en_US","codename":"C-PASSWORD-POLICY","name":"Application of Weak Password Policies on Users","id":29,"description":"\u003cp\u003eSome password policies applied on specific user accounts are not strong enough and can lead to credentials theft.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eWeak password policies increase the risk of users 
creating weak passwords that attackers could easily steal through generic techniques such as brute force attacks, authentication challenge theft, etc.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eSome privileged users, Windows machines or Domain Controllers do not enforce the use of a password policy when an account tries to change its password.\u003c/p\u003e\n\u003ch4\u003eFine-Grained Password Policy in Active Directory\u003c/h4\u003e\n\u003cp\u003eIntroduced in Windows Server 2008 R2 and Windows Server 2008, Windows supports \u003cem\u003efine-grained password policies\u003c/em\u003e. This feature provides organizations with a way to define different password and account lockout policies for different sets of users or groups in a domain.\nIn previous Windows Server versions, you could create only one password policy per domain using the Default Domain Policy GPO.\nWhen using \u003cem\u003eFine-Grained Password Policy\u003c/em\u003e, you must link all privileged accounts to at least one password policy to avoid the usage of weak passwords on those accounts.\u003c/p\u003e\n\u003ch4\u003eLimitations of password policy settings set by GPO\u003c/h4\u003e\n\u003ch2\u003eLack of password policy on a Domain Controller\u003c/h2\u003e\n\u003cp\u003eWhen DCs apply a dangerous password policy, they allow every user, computer, or service account to choose weak passwords, which could expose them to online or offline brute-force attacks.\u003c/p\u003e\n\u003ch2\u003eLack of password policy on a standard workstation\u003c/h2\u003e\n\u003cp\u003eThis is not as dangerous as it is on DCs, but these accounts can allow attackers to make lateral movements between Windows workstations which are more difficult to detect using standard security techniques.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Enforce strong password policy","description":"A strong and homogeneous password policy should be applied on every user 
account\n","exec_summary":"\u003cp\u003ePassword policies for user accounts should enforce strong passwords using more than 7 characters and symbols.\u003c/p\u003e\n","detail":"\u003cp\u003eReview the password policy of your supervised Active Directory domains to impose complex passwords for various groups of users.\n\u003cbr\u003eStarting with Windows Server 2008, you can create and assign Password Settings Objects (PSO) objects to users or groups of users to allow for a more refined password policy than for previous Windows versions. Tenable recommends that you use PSO objects instead of the old Default Domain Policy GPO to manage password policies.\n\u003cbr\u003eTo apply these PSO objects it is necessary to raise the level of functionality of the forest to Windows Server 2008 if it is not already done.\u003c/p\u003e\n\u003ch4\u003eTo define and assign a PSO object to a group of users, follow the procedures below:\u003c/h4\u003e\n\u003col\u003e\n\u003cli\u003eRun the \u003cem\u003eADSI Edit\u003c/em\u003e tool (either from the MMC snap-in or from the server manager tools) with administrative rights.\u003c/li\u003e\n\u003cli\u003eIn the \u003cem\u003eSelect a well-known Naming Context\u003c/em\u003e drop-down box, select \u003cem\u003eDefault Naming Context\u003c/em\u003e, and then click \u003cem\u003eOK\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eAdsiedit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eDefault Naming Context\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand the distinguished name of your domain, e.g. \u003cem\u003eDC=contoso,DC=com\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand the System container, e.g. 
\u003cem\u003eCN=System,DC=contoso,DC=com\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eRight-click \u003cem\u003ePassword Settings Container\u003c/em\u003e, and Select \u003cem\u003eNew\u003c/em\u003e then \u003cem\u003eObject...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the \u003cem\u003eCreate Object Editor\u003c/em\u003e tab, select the \u003cem\u003emsDS-PasswordSettings\u003c/em\u003e attribute, and then click \u003cem\u003eNext\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003eCommon-Name\u003c/em\u003e input box with the chosen name of the PSO object: password policy for administrators.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003ePassword Settings Precedence\u003c/em\u003e input box with the application priority of the PSO object, in the case of multiple objects applying to the same group. The lowest value (or the lowest GUID if two PSOs have the same precedence value) being the highest priority. The lowest value starts with 1.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003ePassword reversible encryption status for user accounts\u003c/em\u003e input box with the value \u003ccode\u003eFalse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003ePassword History Length for user accounts\u003c/em\u003e input box with the value 5.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003ePassword complexity status for user accounts\u003c/em\u003e input box with the value \u003ccode\u003eTrue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003eMinimum Password Length for user accounts\u003c/em\u003e input box with the value 12.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003eMinimum Password Age for user accounts\u003c/em\u003e input box with the minimum time (in days) before a user can change its password.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003eMaximum Password Age for user accounts\u003c/em\u003e input box with the maximum time (in days) after which the user will have to 
change his password.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003eLockout threshold for lockout of user accounts\u003c/em\u003e input box with the threshold for locking user accounts. It is recommended to enter a value between 3 and 5.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003eObservation Window for lockout of user accounts\u003c/em\u003e input box with the minimum time (in minutes) before the identification test counter is reset.\u003c/li\u003e\n\u003cli\u003eFill the \u003cem\u003eLockout duration for locked out user accounts\u003c/em\u003e input box with the minimum time (in minutes) before a user who has blocked their account can try to log in again.\u003c/li\u003e\n\u003cli\u003eClick on \u003cem\u003eFinished\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAt this point a PSO object is created.\nTo assign the PSO object with a user or group of users using the graphical user interface:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eRun the \u003cem\u003eADSI Edit\u003c/em\u003e tool (either from the MMC snap-in or from the server manager tools) with administrative rights.\u003c/li\u003e\n\u003cli\u003eIn the \u003cem\u003eSelect a well known Naming Context\u003c/em\u003e drop-down box, select \u003cem\u003eDefault Naming Context\u003c/em\u003e, and then click \u003cem\u003eOK\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eAdsiedit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eDefault Naming Context\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand the distinguished name of your domain, e.g. \u003cem\u003eDC=contoso,DC=com\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand the System container, e.g. \u003cem\u003eCN=System,DC=contoso,DC=com\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand the Password Settings container, e.g. 
\u003cem\u003eCN=Password Settings Container,CN=System,DC=contoso,DC=com\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eRight-click on the PSO you want to assign, and then click \u003cem\u003eProperties\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the \u003cem\u003eAttribute Editor\u003c/em\u003e, select the \u003cem\u003emsDS-PSOAppliesTo\u003c/em\u003e attribute, and then click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the \u003cem\u003eMulti-valued DN with Security Principal Editor\u003c/em\u003e, click \u003cem\u003eAdd Windows Account\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSearch for the user account or group to which you want to apply the PSO.\u003c/li\u003e\n\u003cli\u003eClick \u003cem\u003eOK\u003c/em\u003e three times to close every editor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eTo define and assign a PSO object to a group of users using PowerShell\u003c/h4\u003e\n\u003cp\u003eStarting with Windows Server 2008 R2, which introduced the ActiveDirectory PowerShell module, Microsoft provides dedicated cmdlets to manage PSOs.\n\u003cbr\u003eTo retrieve the configuration of an existing PSO, the following command can be used (where \u003cem\u003eMyPSO\u003c/em\u003e is the common name of an existing PSO):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; $pso = Get-ADFineGrainedPasswordPolicy MyPSO -Properties *\nPS\u0026gt; $pso\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe following command can be used to define a new PSO (time format is \u003ccode\u003eday:hour:minute:second\u003c/code\u003e). Note that this example sets no lockout threshold, password history length or password age, so those settings keep the cmdlet defaults: add them to match the values chosen above, and replace \u003cem\u003eDomain Users\u003c/em\u003e with the group the policy is actually meant for (a policy for administrators should be applied to the administrative group, not to every domain user):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; New-ADFineGrainedPasswordPolicy -Name MyPSO -Precedence 100 -LockoutDuration '0:00:30:00' -LockoutObservationWindow '0:00:29:00' -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MinPasswordLength 12 -OtherAttributes @{'msDS-PSOAppliesTo'='CN=Domain Users,CN=Users,DC=contoso,DC=com'}\n\u003c/code\u003e\u003c/pre\u003e\n","resources":[{"name":"Define a good password 
policy","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy\n","type":"hyperlink"},{"name":"Retrieve a PSO Object","url":"https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adfinegrainedpasswordpolicy?view=windowsserver2025-ps\n","type":"hyperlink"},{"name":"Define a new PSO Object","url":"https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adfinegrainedpasswordpolicy?view=windowsserver2025-ps\n","type":"hyperlink"},{"name":"Modify a PSO Object","url":"https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adfinegrainedpasswordpolicy?view=windowsserver2025-ps\n","type":"hyperlink"}]},"resources":[{"name":"AD DS: Fine-Grained Password Policies","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770394(v=ws.10)","type":"hyperlink"},{"name":"Configuring Password Policies","url":"https://learn.microsoft.com/en-us/previous-versions/tn-archive/dd277399(v=technet.10)","type":"hyperlink"}],"applicable_resource_types":["ad_gpt_tmpl","ad_group","ad_msds_password_settings","ad_root_domain","ad_ou"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0006 - Credential Access","techniques":["T1110 - Brute Force"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["ko_KR","zh_CN","ja_JP","de_DE","fr_FR","zh_TW","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PASSWORD-POLICY","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["ko","zh-CN","ja","de","fr","zh-TW","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1110","name":"Brute Force","url":"https://attack.mitre.org/techniques/T1110/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[29]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-GPO-SD-CONSISTENCY","_score":null,"_source":{"language_code":"en_US","codename":"C-GPO-SD-CONSISTENCY","name":"Verify Sensitive GPO Objects and Files Permissions","id":28,"description":"\u003cp\u003eEnsures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the domain controllers or OU, are appropriate and secure.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eGroup Policy Objects (GPOs) configure Windows systems and perform tasks at a high level of privileges. 
However, only legitimate administrative accounts should manage GPOs linked to sensitive containers, such as the ones containing administrators or domain controllers.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eIn Active Directory, Group Policy Objects (GPOs) are a collection of settings that defines the workings of a system and how it behaves for a defined group of users.\n\u003cbr\u003eWhen associated with selected Active Directory containers - such as sites, domains, or organizational units (OUs) - the GPO becomes \"linked\" to its containers.\n\u003cbr\u003eFrom a security perspective, this makes it a sensitive component because the GPO applies its parameters with the highest level of privilege on the linked computer or user session. An attacker who can configure a GPO can execute any arbitrary command on the system that the GPO controls.\n\u003cbr\u003eThis Indicator of Exposure ensures that only regular administrators can manipulate every GPO linked to sensitive containers.\n\u003cbr\u003eTechnically, the GPO works using two components with their own access control mechanism:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe GPOs Object stored in the Active Directory database and accessible through the LDAP protocol. This component stores the GPO's metadata.\u003c/li\u003e\n\u003cli\u003eThe GPOs files stored in a DFS path accessible through the SYSVOL share hosted on every domain controller.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThese files contain the parameters applied to the linked system. To ensure a high security level for every sensitive GPO, the access control list (ACL) of each GPO object and file must contain only legitimate administrators. 
Any other permission added to one of these elements could allow an attacker to compromise the resources linked to the GPO, such as a domain controller or an administrative workstation.\n\u003cbr\u003eBy default, this Indicator of Exposure analyzes every GPO linked to the following sensitive containers and highlights any dangerous ACL:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe root domain partition object (e.g. DC=ad,DC=tenable,DC=com)\u003c/li\u003e\n\u003cli\u003eSensitive \u003ccode\u003eOrganizational Units\u003c/code\u003e (Domain Controllers, privileged organizational units, etc.)\u003c/li\u003e\n\u003cli\u003eThe Configuration container\u003c/li\u003e\n\u003cli\u003eThe Sites container\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Improve the Permission of Sensitive GPO Objects","description":"Sensitive GPO objects and files should only be controlled by legitimate\nadministrators\n","exec_summary":"\u003cp\u003ePermissions on sensitive GPO files or objects should only grant control access to legitimate administrative accounts.\u003c/p\u003e\n","detail":"\u003cp\u003eOnly the following entities should have control permissions on sensitive GPO objects and files:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDomain Administrators group\u003c/li\u003e\n\u003cli\u003eEnterprise Administrators group\u003c/li\u003e\n\u003cli\u003eGroup Policy Creator Owners group\u003c/li\u003e\n\u003cli\u003eBuilt-in Administrators group\u003c/li\u003e\n\u003cli\u003eBuilt-in Creator Owners group\u003c/li\u003e\n\u003cli\u003eBuilt-in system account\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote that the \u003cem\u003eCreator Owner\u003c/em\u003e entry resolves to whichever account created the GPO, so also confirm that the actual creator of each sensitive GPO is still a legitimate administrator. The \"read\" and \"Apply Group Policy\" permissions granted to the principals the GPO targets (typically Authenticated Users) are expected and should not be removed, otherwise the policy no longer applies. Audit any other entity with important permissions set on the container. 
No unprivileged account or group should have more than the \"read\" permission.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Group Policy Object reference","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960596(v=technet.10)","type":"hyperlink"}],"applicable_resource_types":["ad_configuration","ad_ou","ad_root_domain","ad_site"],"attacker_known_tools":[],"category_id":3,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":[]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ko_KR","de_DE","es_001","ja_JP","zh_CN","fr_FR","zh_TW","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-GPO-SD-CONSISTENCY","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["ko","de","es","ja","zh-CN","fr","zh-TW","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[28]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DSHEURISTICS","_score":null,"_source":{"language_code":"en_US","codename":"C-DSHEURISTICS","name":"Domain with Unsafe Backward-Compatibility Configuration","id":26,"description":"\u003cp\u003eThe dsHeuristics attribute can modify AD behavior, but some fields are security-sensitive and pose a security risk.\u003c/p\u003e\n","criticity":"low","exec_summary":"\u003cp\u003eIt is possible to customize Active Directory behavior by adjusting fundamental attributes, but some of these modifications can potentially compromise security.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe dsHeuristics attribute is responsible for configuring the fundamental behavior of the NTDS service. 
However, certain fields within this attribute are considered security-sensitive and may pose a risk of a security breach.\u003c/p\u003e\n\u003ch4\u003eAllow anonymous\u003c/h4\u003e\n\u003cp\u003eBy default, it is only possible to query the rootDSE in LDAP without authentication in Active Directory. For all other operations, the user needs to authenticate by binding to LDAP. The dsHeuristics attribute contains the fLDAPBlockAnonOps field, which can change this default setting and allow anonymous users to perform operations that normally require a bind. However, ACL checks still apply to anonymous users (who are denied by default), and this Indicator of Exposure does not verify those ACLs.\n\u003cbr\u003eAn attacker could exploit this configuration by plugging a laptop into a wall network socket (for example in a conference or waiting room) and querying LDAP without binding. But in most phishing scenarios, the attacker already has an AD account and can bind to LDAP. Thus, blocking anonymous operations with the fLDAPBlockAnonOps field does not mitigate such risks.\u003c/p\u003e\n\u003ch4\u003eAllow password operations over unsecure connection\u003c/h4\u003e\n\u003cp\u003eBy default, the modification of a password over an LDAP connection must take place over a secure SSL/TLS-encrypted or SASL-encrypted channel to ensure secure communication. 
However, in an Active Directory Lightweight Directory Services (AD LDS) installation, it is possible to change this behavior by modifying the fAllowPasswordOperationsOverNonSecureConnection field of the dsHeuristics attribute, which allows password modification over an unencrypted clear-text channel.\n\u003cbr\u003eThis creates a potential vulnerability: an attacker in a man-in-the-middle position can capture the new password from a clear-text password modification, or degrade the connection so that clients send their password operations without encryption.\n\u003cbr\u003eNote that regardless of the value in the fAllowPasswordOperationsOverNonSecureConnection field, an LDAP search never returns the user password.\u003c/p\u003e\n\u003ch4\u003eExclude objects from SD protection\u003c/h4\u003e\n\u003cp\u003eThe security descriptor (SD) protection mechanism, known as AdminSDHolder/SDProp, periodically re-applies a protected ACL to privileged accounts and groups so that rights added to them do not persist. By default, this protection applies to certain groups, including: \u003ccode\u003eAccount Operators\u003c/code\u003e, \u003ccode\u003eServer Operators\u003c/code\u003e, \u003ccode\u003ePrint Operators\u003c/code\u003e, and \u003ccode\u003eBackup Operators\u003c/code\u003e.\n\u003cbr\u003eHowever, it is possible to remove these groups from the list of protected objects by using the dwAdminSDExMask field of the dsHeuristics attribute.\n\u003cbr\u003eIf an attacker can add control rights to one of these excluded groups, the SD protection mechanism will not overwrite those rights, potentially allowing the attacker to create a backdoor for further exploitation.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Reset dsHeuristics Security-sensitive Fields","description":"Some fields in the dsHeuristics attribute are security-sensitive and can lead to breaches.\n","exec_summary":"\u003cp\u003eRemediate the security-sensitive fields of the Active Directory attribute dSHeuristics.\u003c/p\u003e\n","detail":"\u003cp\u003eThe dSHeuristics attribute of the NTDS (NT Directory Service) allows for customization of the Active Directory behavior. 
However, certain fields within this attribute are security-sensitive and can potentially result in security breaches.\u003c/p\u003e\n\u003ch2\u003ePowerShell procedures\u003c/h2\u003e\n\u003cp\u003eTo retrieve the value of the dSHeuristics attribute of the NTDS Service, use the following command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; $obj = Get-ADObject -LDAPFilter \"(objectClass=nTDSService)\" -SearchBase \"CN=Configuration,DC=contoso,DC=com\" -Properties dSHeuristics\nPS\u0026gt; $obj.dSHeuristics\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo clear the dSHeuristics attribute, which resets every heuristic (not only the security-sensitive ones) to its default, use the following command. Record the current value first so that any intentionally configured heuristic can be restored:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject $obj -Remove @{ dsheuristics = $obj.dsheuristics }\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo replace the current value with a new one (preserving the characters you do not intend to change, as explained in the constraints below), use the following command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject $obj -Replace @{ dsheuristics = \"new value\" }\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2\u003eMicrosoft Administrative tools procedures\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eRun the \u003cem\u003eADSI Edit\u003c/em\u003e tool, either from the MMC snap-in or from the server manager tools.\u003c/li\u003e\n\u003cli\u003eIn the \u003cem\u003eSelect a well known Naming Context\u003c/em\u003e drop-down box, select \u003cem\u003eConfiguration\u003c/em\u003e, and then click OK.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eAdsiedit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eConfiguration\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eExpand \u003cem\u003eCN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eRight-click \u003cem\u003eDirectory Service\u003c/em\u003e, and then click \u003cem\u003eProperties\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the \u003cem\u003eAttribute Editor\u003c/em\u003e tab, select the 
\u003cem\u003edSHeuristics\u003c/em\u003e attribute, and then click \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eClick \u003cem\u003eClear\u003c/em\u003e to remove the value, which restores the default behavior of every heuristic, or type a new value in the input field, and click \u003cem\u003eOK\u003c/em\u003e to validate the modification.\u003c/p\u003e\n\u003ch4\u003eWhat is the meaning of the value of the dsHeuristics attribute in AD?\u003c/h4\u003e\n\u003cp\u003eThe dSHeuristics attribute in Active Directory is a string consisting of multiple characters, each representing a heuristic that determines the behavior of Active Directory. However, there are constraints that apply to the dSHeuristics string:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe order of the characters in the string is fixed. You can only omit characters by truncating the string.\u003c/li\u003e\n\u003cli\u003eBy default, the dSHeuristics attribute does not exist and, unless otherwise specified, the default value of each character in the dSHeuristics string is \"0\".\u003c/li\u003e\n\u003cli\u003eWhen modifying an existing dSHeuristics string in Active Directory, preserve the values of all existing characters that you are not modifying. The numbering of characters in the string starts from 1.\u003c/li\u003e\n\u003cli\u003eEvery tenth character (positions 10, 20, 30, and so on) is reserved and must contain the digit of its position (\"1\", \"2\", \"3\", and so on). A string long enough to reach the 13th or 16th character must therefore carry a \"1\" in position 10, otherwise the modification may be rejected.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eAllow anonymous LDAP operations\u003c/h2\u003e\n\u003cp\u003eThe 7th character represents the heuristic called fLDAPBlockAnonOps. If this character is \"2\", then the heuristic is false; otherwise, the heuristic is true. If this character is not present in the string, it defaults to \"2\" when the domain controller functional level is less than DS_BEHAVIOR_WIN2003, and to \"0\" otherwise.\n\u003cbr\u003eWhen this heuristic is true, anonymous (unauthenticated) users are limited to performing rootDSE searches and binds. 
If fLDAPBlockAnonOps is false, anonymous users can perform any LDAP operation, subject to the access checks using the Active Directory ACLs. By default, no ACE grants access to anonymous users even if this heuristic is false.\n\u003cbr\u003eTo block anonymous LDAP operations, set this 7th character to \"0\".\u003c/p\u003e\n\u003ch2\u003eAllow password operations over unsecured connection\u003c/h2\u003e\n\u003cp\u003eThe 13th character represents the heuristic called fAllowPasswordOperationsOverNonSecureConnection. This heuristic is false if this character has a value of \"0\", and true if it has any other value. This heuristic only applies to Active Directory Lightweight Directory Services (AD LDS).\n\u003cbr\u003eStarting from Windows Server 2008, if the heuristic is true and the directory is operating as an AD LDS instance, then that instance will allow changes to the unicodePwd attribute over a connection that is not encrypted using SSL/TLS or SASL. However, note that an LDAP search never returns the unicodePwd attribute.\n\u003cbr\u003eTo prevent password operations over an insecure connection, set this 13th character to \"0\".\u003c/p\u003e\n\u003ch2\u003eExclude objects from SD protection\u003c/h2\u003e\n\u003cp\u003eThe 16th character represents a heuristic called dwAdminSDExMask. 
Its value specifies a bit-field used to exclude some groups from the SD protection mechanism.\n\u003cbr\u003eBeginning from the least-significant bit, the list of potentially excluded groups includes:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor instance, when this value is set at \"3\", it means that both the \u003ccode\u003eAccount Operators\u003c/code\u003e and the \u003ccode\u003eServer Operators\u003c/code\u003e groups are excluded from the protection mechanism. The value \"3\" is actually the combination of two values, 0x2 and 0x1.\n\u003cbr\u003eTo ensure that you don't exclude any group from the protection mechanism, set the 16th character to \"0\".\u003c/p\u003e\n","resources":[{"name":"dSHeuristics attribute reference","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5","type":"hyperlink"},{"name":"Disabling the fLDAPBlockAnonOps field","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/4e11a7e6-e18c-46e4-a781-3ca2b4de6f30","type":"hyperlink"},{"name":"Enabling the fAllowPasswordOperationsOverNonSecureConnection field (AD LDS only)","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2","type":"hyperlink"},{"name":"Changing the value of dwAdminSDExMask","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/50097362-ede5-40fa-973e-8d65e782e384","type":"hyperlink"}]},"resources":[{"name":"dSHeuristics attribute 
reference","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5","type":"hyperlink"},{"name":"Disabling the fLDAPBlockAnonOps field","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/4e11a7e6-e18c-46e4-a781-3ca2b4de6f30","type":"hyperlink"},{"name":"Enabling the fAllowPasswordOperationsOverNonSecureConnection field (AD LDS only)","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2","type":"hyperlink"},{"name":"Changing the value of dwAdminSDExMask","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/50097362-ede5-40fa-973e-8d65e782e384","type":"hyperlink"}],"applicable_resource_types":["ad_ntds_service"],"attacker_known_tools":[],"category_id":4,"mitre_attacks":[{"tactic":"TA0043 - Reconnaissance","techniques":["T1592 - Gather Victim Host Information","T1589 - Gather Victim Identity Information","T1590 - Gather Victim Network Information"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["zh_TW","ja_JP","es_001","ko_KR","zh_CN","fr_FR","de_DE","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DSHEURISTICS","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"low","type":"ioe","subType":"ad","availableLocales":["zh-TW","ja","es","ko","zh-CN","fr","de","en"],"mitre_attack_information":[{"tactic":{"id":"TA0043","name":"Reconnaissance","url":"https://attack.mitre.org/tactics/TA0043/"},"techniques":[{"id":"T1592","name":"Gather Victim Host Information","url":"https://attack.mitre.org/techniques/T1592/"},{"id":"T1589","name":"Gather Victim Identity Information","url":"https://attack.mitre.org/techniques/T1589/"},{"id":"T1590","name":"Gather Victim Network 
Information","url":"https://attack.mitre.org/techniques/T1590/"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[26]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DOMAIN-FUNCTIONAL-LEVEL","_score":null,"_source":{"language_code":"en_US","codename":"C-DOMAIN-FUNCTIONAL-LEVEL","name":"Domains with an Outdated Functional Level","id":24,"description":"\u003cp\u003eChecks for the correct functional level of a domain or forest which determines the availability of advanced features and security options.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eThe functional level of a domain or forest determines the advanced features that are accessible within that domain or forest. By increasing the functional level, new features become available that may provide additional security options.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eDifferent versions of Windows Server in an architecture determine the maximum functional level of a domain or forest. The functional level of a domain allows usage of advanced features that a previous level does not have.\n\u003cbr\u003eBy default, these features are not enabled even if all domain controllers are operating on the same version of the Windows Server operating system. Increasing the functional level requires manual intervention from an administrator. 
AD DS validates and verifies the consistency of all Windows Server versions within the domain or forest to ensure homogeneity.\n\u003cbr\u003eWhen domain controllers running earlier versions of Windows Server are included with domain controllers running later versions, it limits advanced Active Directory features.\n\u003cbr\u003eTo comply with best practices, organizations should run the latest version of the operating system on all domain controllers to use all the latest features.\n\u003cbr\u003eAlthough there may be rare exceptions, in most cases, it is impossible to roll back or lower the functional level once it is raised to a certain value.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Increase the Domain Functional Level","description":"It is recommended to increase the domain functional level (DFL) and forest functional level (FFL).\n","exec_summary":"\u003cp\u003eThe Domain Functional Level (DFL) should be compliant with the oldest Windows Server version of the domain.\u003c/p\u003e\n","detail":"\u003cp\u003eAfter installing Active Directory Domain Services (AD DS), an administrator can choose to activate certain features within AD DS. The number of available features increases with each new version of Windows Server. The availability of these features is dependent on the DFL, which is determined by the versions of domain controllers in use.\n\u003cbr\u003eWith each new version of Windows Server, new features become available when you increase the corresponding DFL. 
The following list highlights some major improvements with recent new releases:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWindows 2008: Password Settings Object (PSO, i.e. fine-grained password policies), Read-Only Domain Controller (RODC)\u003c/li\u003e\n\u003cli\u003eWindows 2008R2: Managed Service Accounts (MSA)\u003c/li\u003e\n\u003cli\u003eWindows 2012: Kerberos security improvements, Group Managed Service Accounts (gMSA)\u003c/li\u003e\n\u003cli\u003eWindows 2016: Privileged Access Management (PAM)\u003c/li\u003e\n\u003cli\u003e(Windows 2019 and 2022 did not introduce a new functional level)\u003c/li\u003e\n\u003cli\u003eWindows 2025: Delegated Managed Service Accounts (dMSA)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTo use certain features, such as managed service accounts, the domain and forest levels must be at a certain level. For example, a forest consists of a single domain that includes three Domain Controllers (DCs), and the administrator wants to enable the managed service accounts feature. All three DCs are running on Windows Server 2012R2, but the domain and forest levels are set to Windows Server 2003. 
As a consequence, it is not possible to enable the managed service accounts feature without raising the domain/forest functional levels from 2003 to at least 2008R2.\u003c/p\u003e\n\u003cp\u003eDFL can be increased in the GUI or with PowerShell:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGUI:\u003col\u003e\n\u003cli\u003eOpen \"Active Directory Domains and Trusts\".\u003c/li\u003e\n\u003cli\u003eIn the console tree, right-click the domain for which you want to raise functionality, and then click \"Raise Domain Functional Level\".\u003c/li\u003e\n\u003cli\u003eIn \"Select an available domain functional level\", select the most recent level supported by every domain controller of the domain (Windows Server 2025 at the latest), and then click \"Raise\".\u003c/li\u003e\n\u003c/ol\u003e\n\u003c/li\u003e\n\u003cli\u003ePowerShell: use the cmdlet \u003ccode\u003eSet-ADDomainMode\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFFL can be increased in the GUI or with PowerShell (every domain of the forest must first be at the target domain functional level):\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGUI:\u003col\u003e\n\u003cli\u003eOpen \"Active Directory Domains and Trusts\".\u003c/li\u003e\n\u003cli\u003eIn the console tree, right-click the \"Active Directory Domains and Trusts\" node, and then click \"Raise Forest Functional Level\".\u003c/li\u003e\n\u003cli\u003eIn \"Select an available forest functional level\", select the most recent level supported by every domain of the forest (Windows Server 2025 at the latest), and then click \"Raise\".\u003c/li\u003e\n\u003c/ol\u003e\n\u003c/li\u003e\n\u003cli\u003ePowerShell: use the cmdlet \u003ccode\u003eSet-ADForestMode\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eImportant note from \u003ca href=\"https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/raise-active-directory-domain-forest-functional-levels\"\u003eMicrosoft website\u003c/a\u003e: \"Do not raise the functional level if the domain has or will have a domain controller that is of an earlier version than the version that is cited for that level. 
For example, a Windows Server 2008 functional level requires that all domain controllers have Windows Server 2008 or a later operating system installed in the domain or in the forest. After the domain functional level is raised to a higher level, it can only be changed back to an older level by using a forest recovery. This restriction exists because the features often change the communication between the domain controllers, or because the features change the storage of the Active Directory data in the database.\"\u003c/p\u003e\n","resources":[{"name":"Raise the Forest Functional Level","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730985(v=ws.11)","type":"hyperlink"},{"name":"How to raise Active Directory domain and forest functional levels","url":"https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/raise-active-directory-domain-forest-functional-levels\n","type":"hyperlink"},{"name":"Set-ADDomainMode PowerShell Cmdlet","url":"https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-addomainmode?view=windowsserver2025-ps\n","type":"hyperlink"},{"name":"Set-ADForestMode PowerShell Cmdlet","url":"https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adforestmode?view=windowsserver2025-ps\n","type":"hyperlink"}]},"resources":[{"name":"Forest and Domain Functional Levels","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels\n","type":"hyperlink"},{"name":"Understanding Active Directory Domain Services (AD DS) Functional Level","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels\n","type":"hyperlink"},{"name":"What's new in Windows Server 
2025","url":"https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025#active-directory-domain-services","type":"hyperlink"}],"applicable_resource_types":["ad_cross_ref","ad_cross_ref_container","ad_ntdsdsa"],"attacker_known_tools":[],"category_id":4,"mitre_attacks":[],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ko_KR","zh_CN","ja_JP","zh_TW","es_001","de_DE","fr_FR","en_US"],"tvdb_export_source":{"file_name":"diff-202501311400.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DOMAIN-FUNCTIONAL-LEVEL","created_at":"2025-01-31T14:09:34","updated_at":"2025-01-31T14:09:34"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["ko","zh-CN","ja","zh-TW","es","de","fr","en"],"mitre_attack_information":[],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[24]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-LAPS-UNSECURE-CONFIG","_score":null,"_source":{"language_code":"en_US","codename":"C-LAPS-UNSECURE-CONFIG","name":"Local Administrative Account Management","id":23,"description":"\u003cp\u003eEnsures the secure and central management of local administrative accounts using LAPS.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eLocal Administrator Password Solution (LAPS) is a password management tool for privileged local accounts that requires proper deployment and configuration to ensure that no unauthorized users can gain elevated privileges.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eLAPS is a powerful system that requires proper configuration to be effective. This Indicator of Exposure validates that its deployment is safe and correct. 
Both legacy and the new Windows LAPS are supported.\u003c/p\u003e\n\u003ch4\u003eLAPS activation\u003c/h4\u003e\n\u003cp\u003eThe first basic check verifies for LAPS activation on the monitored perimeter.\u003c/p\u003e\n\u003ch4\u003eConfidential attribute access rights\u003c/h4\u003e\n\u003cp\u003eLAPS stores passwords in Active Directory's confidential attribute (ms-mcs-AdmPwd) and not locally. Authorized users can access this attribute, allowing administrators to log onto a machine using a local account. Only the \u003ccode\u003eDomain Admins\u003c/code\u003e group can read or modify this attribute by default. To allow access, you must set up manual delegation, which can lead to errors.\nThis IoE ensures that only the following privileged groups can access the ms-mcs-AdmPwd attribute.\n\u003cbr\u003eThese groups are:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint 
Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003ePassword policy\u003c/h4\u003e\n\u003cp\u003eLAPS configures local passwords automatically using a predefined password policy. By default, it uses the following policy:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eMaximum password complexity\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e12 characters\u003c/strong\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis IoE ensures that the currently defined policy is \u003cstrong\u003eat least as strong\u003c/strong\u003e as the default policy.\u003c/p\u003e\n\u003ch4\u003ePassword renewal\u003c/h4\u003e\n\u003cp\u003eLAPS automatically renews the passwords that it manages. The default renewal period is \u003cstrong\u003e30 days\u003c/strong\u003e.\nThis IoE ensures that the password renewal period is \u003cstrong\u003eat least as short\u003c/strong\u003e as the default period.\u003c/p\u003e\n\u003ch4\u003eNew Windows LAPS\u003c/h4\u003e\n\u003cp\u003eIn april 2023, Microsoft introduced a new component for local administrator automatic password renewal (called in this IoE the \"new Windows LAPS\"). With this Windows update, this was added directly into the OS for Windows 10+ and Windows Server 2019+. It was designed to replace the previous \"legacy\" LAPS component, by providing an easier management and installation, and introducing new features that customers were interested about.\u003c/p\u003e\n\u003cp\u003eBoth versions of LAPS can be present in your environment at the same time. 
This IoE provides an option to indicate to the product which version of LAPS is installed and should be validated.\nPlease note that this IoE cannot query the configuration of the new Windows LAPS if it is configured through Intune instead of a GPO. Also, if passwords are not stored in Active Directory but in Entra ID instead, the password attribute checked above is not required to be present in the AD schema.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Deploy LAPS Component","description":"Local administrative accounts should be managed by LAPS.","exec_summary":"\u003cp\u003eUse Microsoft Local Administrator Password Solution (LAPS) to manage local privileged accounts.\u003c/p\u003e\n","detail":"\u003ch4\u003eLegacy LAPS\u003c/h4\u003e\n\u003cp\u003eFor systems that are not compatible with the new Windows LAPS, deploy the legacy LAPS to generate random local administrator passwords and change them regularly. The complete documentation on LAPS installation is available on \u003ca href=\"https://www.microsoft.com/en-us/download/details.aspx?id=46899\"\u003eMicrosoft's website\u003c/a\u003e.\n\u003cbr\u003ePerform this procedure:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eExtend the Active Directory schema to add the two new attributes: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.\u003c/li\u003e\n\u003cli\u003eSet up the proper rights delegation, to allow computers to update their own LAPS password and only legitimate privileged groups to read the confidential attribute.\u003c/li\u003e\n\u003cli\u003eInstall the client side extension on computers (included in the package downloaded on \u003ca href=\"https://www.microsoft.com/en-us/download/details.aspx?id=46899\"\u003eMicrosoft's website\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eEnable LAPS by GPO.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eNew Windows LAPS\u003c/h4\u003e\n\u003cp\u003eIf computers in your domain are all recent and compatible with the new Windows LAPS (Windows 10+ on the client 
side and Windows Server 2019+ on the server side), you should focus your efforts on this LAPS version. Keep in mind that you should first install the specific \"April 11 2023\" \u003ca href=\"https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-microsoft-entra-laps-preview-status\"\u003eupdate\u003c/a\u003e on your systems.\nMicrosoft provides an \u003ca href=\"https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-deployment-migration\"\u003einstallation procedure\u003c/a\u003e, that you can follow:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe AD schema needs to be updated\u003c/li\u003e\n\u003cli\u003eThe permissions for computers that should renew their local administrators' password need to be set\u003c/li\u003e\n\u003cli\u003eA GPO holding the configuration needs to be created and linked to your computers\u003c/li\u003e\n\u003c/ul\u003e\n","resources":[{"name":"Get started with Windows LAPS and Windows Server Active Directory","url":"https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory","type":"hyperlink"},{"name":"Windows LAPS schema extensions reference","url":"https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference","type":"hyperlink"},{"name":"Configure policy settings for Windows LAPS","url":"https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings","type":"hyperlink"}]},"resources":[{"name":"Microsoft LAPS Security \u0026 Active Directory LAPS Configuration Recon","url":"https://adsecurity.org/?p=3164","type":"hyperlink"},{"name":"Local Admin Password Solution (LAPS)","url":"https://learn.microsoft.com/en-us/archive/blogs/arnaud/local-admin-password-solution-laps\n","type":"hyperlink"},{"name":"Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary (including mini threat 
model)","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/local-administrator-password-solution-laps-implementation-hints/ba-p/258296\n","type":"hyperlink"},{"name":"Local Administrator Password Solution","url":"https://learn.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)","type":"hyperlink"},{"name":"Microsoft Security Advisory 3062591: Local Administrator Password Solution (LAPS) Now Available","url":"https://support.microsoft.com/en-us/topic/microsoft-security-advisory-local-administrator-password-solution-laps-now-available-may-1-2015-404369c3-ea1e-80ff-1e14-5caafb832f53","type":"hyperlink"}],"applicable_resource_types":["ad_dmd","ad_sysvol_pol","ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0008 - Lateral Movement","techniques":["T1021 - Remote Services"]},{"tactic":"TA0003 - Persistence","techniques":[]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ko_KR","zh_CN","ja_JP","fr_FR","es_001","zh_TW","de_DE","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-LAPS-UNSECURE-CONFIG","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["ko","zh-CN","ja","fr","es","zh-TW","de","en"],"mitre_attack_information":[{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008/"},"techniques":[{"id":"T1021","name":"Remote 
Services","url":"https://attack.mitre.org/techniques/T1021/"}]},{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[23]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-KERBEROS-CONFIG-ACCOUNT","_score":null,"_source":{"language_code":"en_US","codename":"C-KERBEROS-CONFIG-ACCOUNT","name":"Kerberos Configuration on User Account","id":22,"description":"\u003cp\u003eDetects accounts that use weak Kerberos configuration.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eActive Directory relies on Kerberos for authentication. It is an older protocol that has since received various security hardening measures. For this reason, it's necessary to disable some legacy options (e.g. the obsolete \"DES\" encryption or \"Do not require Kerberos preauthentication\") to ensure proper security such as avoiding \"AS-REP Roasting\" attacks.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe Kerberos protocol has a wide range of configuration options, some of which pose a significant security risk. This Indicator of Exposure reports on user and computer accounts that utilize a weak Kerberos configuration, as defined below:\u003c/p\u003e\n\u003ch4\u003eData Encryption Standard (DES) keys\u003c/h4\u003e\n\u003cp\u003eKerberos 5 protocol (\u003ca href=\"https://tools.ietf.org/html/rfc1510\"\u003eRFC 1510\u003c/a\u003e) initially only used DES encryption, which is now considered unsafe due to its small key size. Even though Active Directory still allows the DES algorithm, it's recommended to disable it as it can be easily broken.\u003c/p\u003e\n\u003ch4\u003ePre-authentication\u003c/h4\u003e\n\u003cp\u003eThe AS-REP Roasting attack is a way for an attacker to guess a user's password. 
To do this, the attacker first looks for accounts on which the \u003ccode\u003eDo not require Kerberos preauthentication\u003c/code\u003e option (the DONT_REQ_PREAUTH flag of the userAccountControl attribute) is enabled. These accounts are vulnerable because the KDC will answer an authentication request (AS-REQ) for them without requiring pre-authentication, so the attacker does not need to know the password to obtain the reply.\n\u003cbr\u003eThe KDC sends back an authentication server response (AS-REP) containing a Ticket-Granting Ticket (TGT) together with an encrypted part holding the session key; that encrypted part is encrypted with a key derived from the user's password. This gives the attacker material to brute-force the user's password offline, which is much faster than online guessing and is neither rate-limited nor subject to account lockout.\n\u003cbr\u003ePre-authentication is a security feature that requires the client to prove knowledge of the password (by encrypting a timestamp with the password-derived key) before the KDC will send the AS-REP. Without pre-authentication, an attacker can carry out an AS-REP Roasting attack to guess the user's password.\n\u003cbr\u003eThis attack relies on the fact that passwords are being used for authentication and that they are weak enough to be discovered through brute-force. 
But if smartcard (certificate) authentication is used instead, this attack cannot work, because the user no longer authenticates with a guessable password: the secret that would have to be recovered is the certificate's private key, which is far harder to obtain.\nAs such, this IoE will not raise deviances related to missing Kerberos pre-authentication for users that are configured with the option \"Smartcard is required for interactive logon\".\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Securely Configure Kerberos","description":"Kerberos should be configured to use secure parameters and algorithms.","exec_summary":"\u003cp\u003eTo ensure the highest level of security, configure the Active Directory's authentication protocol to use the latest security parameters and protocols.\u003c/p\u003e\n","detail":"\u003cp\u003eConfigure the Kerberos protocol to use pre-authentication and avoid the use of the DES algorithm. Although this is the default setting now, some legacy accounts may not use it and you should update them.\u003c/p\u003e\n\u003ch4\u003eConfigure an account to use Kerberos preauthentication\u003c/h4\u003e\n\u003ch2\u003eProcedure using Microsoft Administrative tools\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eRun the \u003cem\u003eActive Directory Users and Computers\u003c/em\u003e tool, either from the MMC snap-in or from the \u003cem\u003eServer manager\u003c/em\u003e tools.\u003c/li\u003e\n\u003cli\u003eRight-click on the legacy account and click on \u003cem\u003eProperties\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the \u003cem\u003eAccount\u003c/em\u003e tab.\u003c/li\u003e\n\u003cli\u003eClear the \u003ccode\u003eDo not require Kerberos preauthentication\u003c/code\u003e check box if it is selected.\u003c/li\u003e\n\u003cli\u003eClick \u003cem\u003eOK\u003c/em\u003e to validate the modification.\u003c/li\u003e\n\u003cli\u003eRepeat the last three steps for each legacy 
account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2\u003eProcedure using PowerShell\u003c/h2\u003e\n\u003cp\u003eRun this command on a domain controller to enable Kerberos preauthentication on every affected user. Run the Get-ADUser part on its own first and review the accounts it returns, since a legacy application may still depend on this setting:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eGet-ADUser -Filter 'useraccountcontrol -band 0x400000' -Properties UserAccountControl | % { Set-ADUser -Identity $_ -Replace @{ UserAccountControl = $_.UserAccountControl -band (-bnot 0x400000) } }\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe Get-ADUser part fetches every user having the \u003ccode\u003eDo not require Kerberos preauthentication\u003c/code\u003e option selected (flag 0x400000 in userAccountControl), while the Set-ADUser part clears that flag.\u003c/p\u003e\n\u003ch4\u003eDisable the use of the weak DES algorithm\u003c/h4\u003e\n\u003ch2\u003eProcedure using Microsoft Administrative tools\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eRun the \u003cem\u003eActive Directory Users and Computers\u003c/em\u003e tool, either from the MMC snap-in or from the \u003cem\u003eServer manager\u003c/em\u003e tools.\u003c/li\u003e\n\u003cli\u003eRight-click on the legacy account and click on \u003cem\u003eProperties\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eSelect the \u003cem\u003eAccount\u003c/em\u003e tab.\u003c/li\u003e\n\u003cli\u003eClear the \u003ccode\u003eUse only Kerberos DES encryption types for this account\u003c/code\u003e check box if it is selected.\u003c/li\u003e\n\u003cli\u003eClick \u003cem\u003eOK\u003c/em\u003e to validate the modification.\u003c/li\u003e\n\u003cli\u003eRepeat the last three steps for each legacy account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2\u003eProcedure using PowerShell\u003c/h2\u003e\n\u003cp\u003eRun this command on a domain controller to disable the DES algorithm on every affected user, again after reviewing the accounts returned by the Get-ADUser part:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eGet-ADUser -Filter 'useraccountcontrol -band 0x200000' -Properties UserAccountControl | % { Set-ADUser -Identity $_ -Replace @{ UserAccountControl = 
$_.UserAccountControl -band (-bnot 0x200000) } }\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe Get-ADUser part fetches every user having the \u003ccode\u003eUse only Kerberos DES encryption types for this account\u003c/code\u003e, while the Set-ADUser removes this setting.\u003c/p\u003e\n","resources":[{"name":"MITRE ATT\u0026CK - Steal or Forge Kerberos Tickets: AS-REP Roasting","url":"https://attack.mitre.org/techniques/T1558/004/","type":"hyperlink"}]},"resources":[{"name":"What Is Kerberos Authentication?","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780469(v=ws.10)","type":"hyperlink"},{"name":"Kerberos RFC 4120","url":"https://www.rfc-editor.org/rfc/rfc4120","type":"hyperlink"},{"name":"Authentication secrets part II - Kerberos strikes-back","url":"https://www.sstic.org/media/SSTIC2014/SSTIC-actes/secrets_dauthentification_pisode_ii__kerberos_cont/SSTIC2014-Article-secrets_dauthentification_pisode_ii__kerberos_contre-attaque-bordes_2.pdf\n","type":"hyperlink"},{"name":"Kerberos Protocol Tutorial","url":"https://www.kerberos.org/software/tutorial.html","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"Rubeus","url":"https://github.com/GhostPack/Rubeus","author":"HarmJ0y, Elad Shamir"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["zh_TW","ko_KR","zh_CN","fr_FR","de_DE","ja_JP","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-KERBEROS-CONFIG-ACCOUNT","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["zh-TW","ko","zh-CN","fr","de","ja","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[22]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-ROOTOBJECTS-SD-CONSISTENCY","_score":null,"_source":{"language_code":"en_US","codename":"C-ROOTOBJECTS-SD-CONSISTENCY","name":"Root Objects Permissions Allowing DCSync-Like Attacks","id":21,"description":"\u003cp\u003eChecks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eSane permissions assigned to the root partitions (such as domain root, configuration partition, and schema) have an impact on the entire Active Directory domain. If set incorrectly, they can pose a threat to the AD environment and its objects by allowing DCSync (and related) attacks. 
Furthermore, dangerous permissions could serve as a means for an attacker to maintain persistence after an attack.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eActive Directory stores objects in a hierarchical tree structure, with the domain root having an LDAP name such as DC=domainA,DC=local. Permissions set on the domain root apply to all objects beneath it, unless inheritance is blocked. It's crucial to ensure that dangerous permissions are not set on the domain root to protect the entire infrastructure.\u003c/p\u003e\n\u003ch1\u003e\u003c/h1\u003e\n\u003cp\u003eThis Indicator of Exposure analyzes multiple AD partitions, including the domain root, configuration partition, and schema, to verify that no non-privileged user account has control over these objects due to dangerous permissions (ACEs in the DACL) or the resource owner's ability to add any permission.\u003c/p\u003e\n\u003ch1\u003e\u003c/h1\u003e\n\u003cp\u003eTenable Identity Exposure defines as privileged the following list of groups (also known as Tier-0 groups) and their subgroups which have special permissions on sensitive entities:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key 
Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003c/h1\u003e\n\u003cp\u003eHaving control over an object means having permissions that allow an account (the trustee in an ACE) to perform dangerous actions on that resource or the objects it contains. For instance, \"Replicating Directory Changes\" and \"Replicating Directory Changes All\" are rights that the DCSync attack requires to allow attackers to extract password hashes and secrets from all users in the domain. This attack exploits the AD replication mechanism created for domain controllers to synchronize changes. The Indicator of Attack \"DCSync\" detects these attacks and represents it in the Attack Path graph.\nIf any standard account has these permissions, they can remotely extract password hashes and potentially elevate their privileges on the domain to become a domain administrator.\u003c/p\u003e\n\u003ch1\u003e\u003c/h1\u003e\n\u003cp\u003eThis IoE does not only focus on the DCSync attack, which is a highly sensitive topic. 
Many other permissions can give a standard account access to privileged resources, such as the ability to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAdd an account to a sensitive group (e.g \"Domain Admins\").\u003c/li\u003e\n\u003cli\u003eLink a new GPO on the root of the domain to execute a dangerous script on all computers (this technique could be used during a ransomware attack).\u003c/li\u003e\n\u003cli\u003eDowngrade security by unlinking a GPO related to security configurations (e.g to remove Windows firewall rules to access administrators' workstations).\u003c/li\u003e\n\u003cli\u003eDelete objects in Active Directory to destroy parts of the environment.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003c/h1\u003e\n\u003cp\u003eIt is highly dangerous to have \"Full Control\" access on an object because it grants all possible permissions, including those required for the DCSync attack and the other examples given. Other generic and standard rights provided by Microsoft are also supported.\u003c/p\u003e\n\u003ch1\u003e\u003c/h1\u003e\n\u003cp\u003eNote: Permissions on some partitions may be configured with a different privileged group than the default, but if they do not increase the risk to the environment, they are not considered dangerous and do not require remediation.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Fix Permissions on Domain Root Objects","description":"Dangerous permissions applied on domain root objects should be removed.","exec_summary":"\u003cp\u003ePerform a security assessment on the permissions applied to domain root objects to identify the ones that you can safely remove or adapt. 
Only authorize a dangerous permission if the Active Directory environment already considers the configured account or group as privileged.\u003c/p\u003e\n","detail":"\u003cp\u003eWhen assessing the permissions applied to a domain root object, you should carefully examine nearly all the objects of interest in the domain, and consider removing those that may pose a security risk. Before you remove permissions, conduct a precise assessment of the impact on applications or users that rely on them. It is recommended to conduct tests in pre-production first.\u003c/p\u003e\n\u003ch4\u003eHow to assess vulnerabilities\u003c/h4\u003e\n\u003cp\u003eTo determine if the provided results are legitimate or need remediation, you need to answer the following questions:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIs the referenced user/computer account or group considered as highly privileged in the environment? If yes, does it have the same security hardening as all Tier-0 accounts? (complex password policy, dedicated workstation, specifically supervised by the SOC (Security Operations Center), etc.)\u003c/li\u003e\n\u003cli\u003eAre those privileged rights really related to Active Directory administration role, or instead, to a different administration role? For example, network, application or virtualization administrators do not usually need domain administration rights.\u003c/li\u003e\n\u003cli\u003eIs this dangerous permission really necessary for this account? What is the reason behind this setup and is it fully described in some document? Is it related to a third-party product not following security good practices?\u003c/li\u003e\n\u003cli\u003eAre the permissions configured using only necessary and sufficient rights or is it broader for simplicity?\u003c/li\u003e\n\u003cli\u003eIs it possible to replace the security principal with a appropriate account? 
(such as a dedicated privileged group, for example)\u003c/li\u003e\n\u003cli\u003eDo you accept this security issue and take it into account in the risk analysis?\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003c/h1\u003e\n\u003cp\u003eBy default, only built-in privileged entities (full list is provided in \u003cem\u003eVulnerability detail\u003c/em\u003e tab) should have important permissions on root objects.\u003c/p\u003e\n\u003ch4\u003eCommon issues found in production\u003c/h4\u003e\n\u003cp\u003eProduction often involves two situations:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eConfiguring Microsoft Entra Connect in Active Directory creates MSOL accounts that require sensitive domain root permissions, as indicated in Microsoft's documentation. By default, these accounts are ignored to avoid common false positives. However, it's impossible to identify if these accounts are legitimate using only AD data, leaving the possibility of an attacker creating a similar named account and installing a backdoor. If you are worried by this risk, we recommend turning on the IOE option to keep MSOL accounts instead and to reference and validate each MSOL_* account. This can be done by analyzing the configuration of each Microsoft Entra Connect instance.\u003c/li\u003e\n\u003cli\u003eCertain Exchange groups may have dangerous permissions configured due to a bug in the permissions set for \"Exchange Trusted Subsystem\" and \"Exchange Windows Permissions\" groups in previous Exchange installations. Attackers could exploit this bug to elevate privileges on the domain. 
Microsoft provides a solution for this in their online documentation (referenced in the resources).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eHow to correct wrong permissions using Microsoft tools\u003c/h4\u003e\n\u003cp\u003eTo remove or modify unwanted permissions using the \"ADSI Edit\" snap-in, follow this procedure:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eLaunch the \"mmc.exe\" program.\u003c/li\u003e\n\u003cli\u003eClick on \"File \u0026gt; Add/Remove Snap-in...\" and select \"ADSI Edit\" to load the proper snap-in.\u003c/li\u003e\n\u003cli\u003eOnce loaded, right-click on \"ADSI Edit\" and choose \"Connect to...\".\u003c/li\u003e\n\u003cli\u003eIn \"Connection Point \u0026gt; Select a well known Naming Context\", select one of the following partitions (as indicated in the deviance):\na. Configuration\nb. Default naming context (this is the root of the domain, e.g. DC=domainA,DC=local; do not use \"RootDSE\", which is not the domain root object)\nc. Schema\u003c/li\u003e\n\u003cli\u003eOnce connected, right-click on the partition's top-level object and choose \"Properties\".\u003c/li\u003e\n\u003cli\u003eIn the \"Security\" tab, select the \"Advanced\" view to access the \"Permissions\". Review the \"Owner\" shown there as well, since the owner of the object can grant itself any permission.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAll permission entries will be displayed, and you can adapt or remove them as needed. Record the existing entries before changing them so that they can be restored if a legitimate application or account turns out to depend on them.\u003c/p\u003e\n","resources":[{"name":"Microsoft Entra Connect Accounts and permissions","url":"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions","type":"hyperlink"},{"name":"Exchange permissions: Domain object DACL privilege escalation","url":"https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/DomainObject.md","type":"hyperlink"},{"name":"Reducing permissions required to run Exchange Server when you use the Shared Permissions Model","url":"https://support.microsoft.com/en-us/topic/reducing-permissions-required-to-run-exchange-server-when-you-use-the-shared-permissions-model-e1972d47-d714-fd76-1fd5-7cdcb85408ed","type":"hyperlink"}]},"resources":[{"name":"Privileged Accounts and 
Groups in Active Directory","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory\n","type":"hyperlink"},{"name":"Mimikatz DCSync Usage, Exploitation, and Detection","url":"https://adsecurity.org/?p=1729\n","type":"hyperlink"}],"applicable_resource_types":["ad_configuration","ad_dmd","ad_root_domain"],"attacker_known_tools":[{"name":"Mimikatz DCSync","url":"https://github.com/gentilkiwi/mimikatz","author":"gentilkiwi"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":[]},{"tactic":"TA0006 - Credential Access","techniques":["T1003.006 - OS Credential Dumping - DCSync"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","ja_JP","ko_KR","zh_TW","zh_CN","fr_FR","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-ROOTOBJECTS-SD-CONSISTENCY","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["de","ja","ko","zh-TW","zh-CN","fr","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1003.006","name":"OS Credential Dumping - DCSync","url":"https://attack.mitre.org/techniques/T1003/006/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[21]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PRE-WIN2000-ACCESS-MEMBERS","_score":null,"_source":{"language_code":"en_US","codename":"C-PRE-WIN2000-ACCESS-MEMBERS","name":"Accounts Using a Pre-Windows 2000 Compatible Access Control","id":20,"description":"\u003cp\u003eChecks for account members of the Pre-Windows 2000 
Compatible Access group which can bypass security measures.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eCompatibility with legacy systems can decrease the security level of the whole Active Directory.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eWhen Microsoft released the first version of Active Directory, it added a \u003ccode\u003ePre-Windows 2000 Compatible Access\u003c/code\u003e group with read permissions on most domain objects and configuration data to facilitate compatibility with older systems.\n\u003cbr\u003eChoosing compatibility with legacy systems populates the group with the \u003ccode\u003eEveryone\u003c/code\u003e identity, including the \u003ccode\u003eAnonymous\u003c/code\u003e user, which grants unauthenticated users access to read all configuration data in the domain. Attackers can exploit this to discover targets or launch brute-force attacks.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Clean Members of the Pre-Windows 2000 Compatible Access Group","description":"Some members of the Pre-Windows 2000 Compatible Access group should be removed.","exec_summary":"\u003cp\u003eRemove some members of the Pre-Windows 2000 Compatible Access group.\u003c/p\u003e\n","detail":"\u003cp\u003eRemove the following members of the Pre-Windows 2000 compatible access group:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eANONYMOUS LOGON, with SID S-1-5-7\u003c/li\u003e\n\u003cli\u003eEVERYONE, with SID S-1-1-0\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBy default, Windows Server 2000 and 2003 allow null or unauthenticated sessions. 
This allows unauthenticated users to enumerate potentially sensitive information from the directory, such as usernames and clear-text passwords found in the descriptions.\n\u003cbr\u003eWindows Server 2008 no longer allows null sessions on new installations, but domains upgraded in place from earlier versions keep the legacy AD compatibility settings.\n\u003cbr\u003eTo disable SMB/NETBIOS NULL Session on domain controllers using a group policy, follow these steps: (To access these group policy settings, edit the GPO and navigate to Computer configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options.)\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eEnable the following group policy settings in the GPO applied to your domain controllers (which is typically the Default Domain Controllers Policy):\u003c/li\u003e\n\u003c/ol\u003e\n\u003cul\u003e\n\u003cli\u003eNetwork access: Restrict Anonymous access to Named Pipes and Shares\u003c/li\u003e\n\u003cli\u003eNetwork access: Do not allow anonymous enumeration of SAM accounts\u003c/li\u003e\n\u003cli\u003eNetwork access: Do not allow anonymous enumeration of SAM accounts and shares\u003c/li\u003e\n\u003c/ul\u003e\n\u003col start=\"2\"\u003e\n\u003cli\u003eDisable the following group policy settings:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cul\u003e\n\u003cli\u003eNetwork access: Let Everyone permissions apply to anonymous users\u003c/li\u003e\n\u003cli\u003eNetwork access: Allow anonymous SID/Name translation\u003c/li\u003e\n\u003c/ul\u003e\n\u003col start=\"3\"\u003e\n\u003cli\u003eReview the following group policy setting and remove every share that does not strictly require anonymous access:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cul\u003e\n\u003cli\u003eNetwork access: Shares that can be accessed anonymously\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe Authenticated Users group is typically a member of the \u003ccode\u003ePre-Windows 2000 Compatible Access\u003c/code\u003e group, which does not pose a security risk. 
It is not recommended to remove this group as it can negatively impact software solutions and visibility over Active Directory attributes, including Tenable Identity Exposure.\n\u003cbr\u003eRemove other potential members and remove them if necessary, bearing in mind that some legacy applications and devices (such as printers) may lose functionality that relies on this legacy feature.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Pre-Windows 2000 Compatible Access","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#prewindows-2000-compatible-access\n","type":"hyperlink"},{"name":"Pre-Windows 2000 Compatible Access Group Object","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7a76a403-ed8d-4c39-adb7-a3255cab82c5","type":"hyperlink"},{"name":"Security Identifiers from Windows Server 2003","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780850(v=ws.10)","type":"hyperlink"}],"applicable_resource_types":["ad_group"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0043 - Reconnaissance","techniques":["T1592 - Gather Victim Host Information","T1589 - Gather Victim Identity Information","T1590 - Gather Victim Network Information"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","ko_KR","fr_FR","zh_TW","ja_JP","zh_CN","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PRE-WIN2000-ACCESS-MEMBERS","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["de","ko","fr","zh-TW","ja","zh-CN","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0043","name":"Reconnaissance","url":"https://attack.mitre.org/tactics/TA0043/"},"techniques":[{"id":"T1592","name":"Gather Victim Host 
Information","url":"https://attack.mitre.org/techniques/T1592/"},{"id":"T1589","name":"Gather Victim Identity Information","url":"https://attack.mitre.org/techniques/T1589/"},{"id":"T1590","name":"Gather Victim Network Information","url":"https://attack.mitre.org/techniques/T1590/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[20]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DISABLED-ACCOUNTS-PRIV-GROUPS","_score":null,"_source":{"language_code":"en_US","codename":"C-DISABLED-ACCOUNTS-PRIV-GROUPS","name":"Disabled Accounts in Privileged Groups","id":19,"description":"\u003cp\u003eAccounts that are not used anymore should not stay in privileged groups.\u003c/p\u003e\n","criticity":"low","exec_summary":"\u003cp\u003eHaving a sane account management process requires monitoring membership in privileged groups.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eWhen an administrator or power user leaves or changes jobs, promptly remove their privileges. Start by disabling the account, then remove it from privileged groups to prevent accidental reactivation and to ensure that only authorized accounts retain privileged access. 
This also allows other administrators to verify quickly that only legitimate accounts are present in privileged groups.\n\u003cbr\u003eThis Indicator of Exposure considers the following built-in privileged entities:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Remove Disabled Accounts from Privileged Groups","description":"Unused accounts should be removed from privileged groups.","exec_summary":"\u003cp\u003eWhen an administrator leaves, remove their account from privileged groups to avoid accidental 
reactivation and simplify user management.\u003c/p\u003e\n","detail":"\u003cp\u003eWhen decommissioning a privileged service or when an administrator leaves their position, follow this procedure:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDeactivate the corresponding user or service account.\u003c/li\u003e\n\u003cli\u003eRemove the account from all privileged groups.\u003c/li\u003e\n\u003cli\u003eMove the account into a special Organizational Unit for archival purposes.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eExcluding disabled accounts from privileged groups prevents accidental reactivation and simplifies user management by reducing the number of members in these critical groups.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Understanding User Accounts","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc755130(v=ws.11)","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["zh_CN","ja_JP","ko_KR","fr_FR","de_DE","zh_TW","es_001","en_US"],"tvdb_export_source":{"file_name":"diff-202501110200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DISABLED-ACCOUNTS-PRIV-GROUPS","created_at":"2025-01-11T02:08:17","updated_at":"2025-01-11T02:08:17"},"severity":"low","type":"ioe","subType":"ad","availableLocales":["zh-CN","ja","ko","fr","de","zh-TW","es","en"],"mitre_attack_information":[],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[19]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-OBSOLETE-SYSTEMS","_score":null,"_source":{"language_code":"en_US","codename":"C-OBSOLETE-SYSTEMS","name":"Computers Running an Obsolete OS","id":18,"description":"\u003cp\u003eIdentifies obsolete systems that Microsoft no longer support and which increase the infrastructure 
vulnerability.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eOS vendors like Microsoft only offer a limited support period, after which they cease security updates on operating systems.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eSoftware vulnerabilities are frequent but vendors quickly mitigate their impact with regular updates. Keeping software up to date narrows the window during which attackers can exploit a known flaw.\n\u003cbr\u003eVendors frequently patch software vulnerabilities, but do not correct newly discovered flaws in unsupported software. Attackers can exploit publicly known flaws to take over systems quickly, posing a serious threat to the infrastructure.\n\u003cbr\u003eThis Indicator of Exposure reports only obsolete Microsoft operating systems, classified into 4 distinct cases so that filters can be used in the interface to help prioritize:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eActive obsolete OS\u003c/li\u003e\n\u003cli\u003eInactive obsolete OS\u003c/li\u003e\n\u003cli\u003ePrivileged computer with Active obsolete OS\u003c/li\u003e\n\u003cli\u003ePrivileged computer with Inactive obsolete OS\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNotes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eA computer is considered inactive if the interval between now and its \u003ccode\u003elastLogonTimestamp\u003c/code\u003e is longer than 2 years (by default, this can be changed with an IoE option).\u003c/li\u003e\n\u003cli\u003eA disabled computer is immediately identified as inactive.\u003c/li\u003e\n\u003cli\u003eThe expiry date used is that corresponding to the end of the following lifecycle phases, as announced by Microsoft:\u003cul\u003e\n\u003cli\u003efor Windows Server versions: Extended Support (thus, not \"Extended Security Updates\")\u003c/li\u003e\n\u003cli\u003efor Windows desktop versions:\u003cul\u003e\n\u003cli\u003ebefore Windows 10: Extended Support\u003c/li\u003e\n\u003cli\u003efrom Windows 10: normal support, for 
the Education and Enterprise editions (which have a longer support period than Home and Pro)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Isolate Obsolete Windows Systems","description":"It is recommended to isolate vulnerable systems to protect other directory resources.\n","exec_summary":"\u003cp\u003eWithout vendor support, obsolete systems are vulnerable and impossible to secure as new flaws emerge without patches to correct them. If replacement/upgrades are not possible, isolating these systems is the only way to limit exposure.\u003c/p\u003e\n","detail":"\u003cp\u003eSome obsolete operating systems cannot be migrated due to operational needs. In that case, some actions should be taken to protect directory infrastructures against threats coming from those systems.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eEstablish a precise network flow matrix to filter non-mandatory traffic with a firewall.\u003c/li\u003e\n\u003cli\u003eRemove the machine from Active Directory and rotate any credentials or service accounts it shares with other systems, so that a compromise of the obsolete host cannot be leveraged further.\u003c/li\u003e\n\u003cli\u003eSet up extended event log monitoring to quickly detect compromise markers and respond swiftly.\u003c/li\u003e\n\u003c/ul\u003e\n","resources":[]},"resources":[{"name":"The Most Common Active Directory Security Issues and What You Can Do to Fix Them","url":"https://adsecurity.org/?p=1684","type":"hyperlink"},{"name":"Windows 7 support will end on January 14, 2020","url":"https://support.microsoft.com/en-us/windows/windows-7-support-ended-on-january-14-2020-b75d4580-2cc7-895a-2c9c-1466d9a53962","type":"hyperlink"},{"name":"End of support for Windows Server 2008 and Windows Server 2008 R2","url":"https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-server-eos-faq/end-of-support-windows-server-2008-2008r2","type":"hyperlink"},{"name":"End of support for 
Windows 10","url":"https://learn.microsoft.com/en-us/lifecycle/products/windows-10-enterprise-and-education","type":"hyperlink"},{"name":"End of support for Windows 11","url":"https://learn.microsoft.com/en-us/lifecycle/products/windows-11-enterprise-and-education","type":"hyperlink"},{"name":"End of support for Windows Server 2016+","url":"https://learn.microsoft.com/en-us/windows-server/get-started/windows-server-release-info","type":"hyperlink"},{"name":"Fixed Lifecycle Policy - Extended Support","url":"https://learn.microsoft.com/en-us/lifecycle/policies/fixed#extended-support","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":4,"mitre_attacks":[{"tactic":"TA0002 - Execution","techniques":["T1203 - Exploitation for Client Execution"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["zh_TW","ko_KR","de_DE","zh_CN","es_001","ja_JP","fr_FR","en_US"],"tvdb_export_source":{"file_name":"diff-202501311400.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-OBSOLETE-SYSTEMS","created_at":"2025-01-31T14:09:34","updated_at":"2025-01-31T14:09:34"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["zh-TW","ko","de","zh-CN","es","ja","fr","en"],"mitre_attack_information":[{"tactic":{"id":"TA0002","name":"Execution","url":"https://attack.mitre.org/tactics/TA0002/"},"techniques":[{"id":"T1203","name":"Exploitation for Client Execution","url":"https://attack.mitre.org/techniques/T1203/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[18]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-ACCOUNTS-DANG-SID-HISTORY","_score":null,"_source":{"language_code":"en_US","codename":"C-ACCOUNTS-DANG-SID-HISTORY","name":"Accounts With a Dangerous SID History Attribute","id":17,"description":"\u003cp\u003eChecks user or computer accounts using a privileged SID in SID history 
attribute.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eIn migration scenarios, administrators use the SID History mechanism, but attackers can exploit it to escalate their privileges.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eAttackers having escalated their privileges can use this feature to discreetly add SID privileges in their own SID History. It will give them the same increased privileges but it will be much more difficult to detect.\n\u003cbr\u003eThis Indicator of Exposure considers the following built-in entities as privileged:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain 
Controllers\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIt only reports on active accounts (users and computers) and groups.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Clean the SID history","description":"Remove privileged SID from the SID history.","exec_summary":"\u003cp\u003eYou should remove dangerous values stored for migration purposes.\u003c/p\u003e\n","detail":"\u003cp\u003eYou should clean up privileged SIDs stored in the sIDHistory attribute. Remove the following elements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWell-known SIDs of privileged groups: These provide high privileges to users without requiring group membership. If you detect malicious activity, you should perform a forensic examination of the entire Active Directory forest because attackers need domain administrator or equivalent high privileges to modify the SID History maliciously.\u003c/li\u003e\n\u003cli\u003eSIDs from the current domain: You should grant privileges only through group membership for the current domain, not through sIDHistory.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eCheck all remaining SIDs. Even if added for migration ease, old domain SIDs create logs that are hard to read (the SID may not have a corresponding valid distinguished name.) Modify access rights in all services (SMB shares, Exchange, etc.) to use new SIDs. It's a best practice for housekeeping, but identifying and fixing all ACLs is challenging.\n\u003cbr\u003eA user who has the rights to edit the sIDHistory attribute on the object itself can remove it. Unlike creation, it does not require domain administrator rights.\n\u003cbr\u003eGraphical tools, such as Active Directory Users and Computers, will fail to remove the sIDHistory attribute for unknown reasons. 
You must use PowerShell, for example (\u003ccode\u003eSet-ADComputer\u003c/code\u003e and \u003ccode\u003eSet-ADGroup\u003c/code\u003e accept the same \u003ccode\u003e-Remove\u003c/code\u003e syntax for computer and group objects):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-powershell\"\u003eSet-ADUser -Identity \u0026lt;user\u0026gt; -Remove @{sidhistory=\"S-1-...\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCaution: Removing a sIDHistory value is simple, but undoing this operation is complicated as it requires you to recreate it, which in turn requires the presence of a potentially decommissioned domain. Hence, Microsoft advises preparing with snapshots/backups.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"How to remove SID History with PowerShell","url":"https://learn.microsoft.com/en-us/archive/blogs/ashleymcglone/how-to-remove-sid-history-with-powershell\n","type":"hyperlink"},{"name":"Security Considerations for Trusts","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_user"],"attacker_known_tools":[],"category_id":5,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1199 - Trusted Relationship"]},{"tactic":"TA0008 - Lateral Movement","techniques":["T1550 - Use Alternate Authentication Material"]},{"tactic":"TA0003 - Persistence","techniques":[]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1134.005 - Access Token Manipulation - SID-History Injection"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["fr_FR","zh_CN","es_001","ko_KR","zh_TW","ja_JP","de_DE","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-ACCOUNTS-DANG-SID-HISTORY","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["fr","zh-CN","es","ko","zh-TW","ja","de","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial 
Access","url":"https://attack.mitre.org/tactics/TA0001/"},"techniques":[{"id":"T1199","name":"Trusted Relationship","url":"https://attack.mitre.org/techniques/T1199/"}]},{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008/"},"techniques":[{"id":"T1550","name":"Use Alternate Authentication Material","url":"https://attack.mitre.org/techniques/T1550/"}]},{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1134.005","name":"Access Token Manipulation - SID-History Injection","url":"https://attack.mitre.org/techniques/T1134/005/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[17]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PKI-WEAK-CRYPTO","_score":null,"_source":{"language_code":"en_US","codename":"C-PKI-WEAK-CRYPTO","name":"Use of Weak Cryptography Algorithms in Active Directory PKI","id":16,"description":"\u003cp\u003eIdentifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eActive Directory instances use a public key infrastructure (PKI) for authentication purposes. The various cryptographic algorithms require correct configuration.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eActive Directory gives you the possibility to add certificates and deploy custom PKIs. 
These certificates must use strong cryptography to keep attackers from forging valid authentication requests.\n\u003cbr\u003eCertificates with the following weaknesses put the domain security at risk:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eCertificates using weak cryptographic algorithms such as \u003cstrong\u003eMD5\u003c/strong\u003e or \u003cstrong\u003eSHA-1\u003c/strong\u003e as the signature hash.\u003c/li\u003e\n\u003cli\u003eCertificates using short keys such as RSA with a key shorter than \u003cstrong\u003e2048 bits\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExpired certificates\u003c/strong\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No known exploits are available"},"recommendation":{"name":"Remove Weak Certificates","description":"Certificates with weak cryptographic properties should be removed and regenerated.\n","exec_summary":"\u003cp\u003eRemove certificates with weak cryptographic properties to prevent attackers from compromising their private key.\u003c/p\u003e\n","detail":"\u003cp\u003eDecommission all deviant certificates.\nIssue their replacements with newly generated key pairs rather than re-certifying the existing private keys, since a short key may already have been compromised.\u003c/p\u003e\n\u003cp\u003eBefore you remove the certificates, assess the elements that rely on a particular PKI for authentication. If you remove the certificate without replacing it, certain applications may stop working. 
Follow this procedure for a smooth transition:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eGenerate a new root certificate with a robust cryptographic configuration.\u003c/li\u003e\n\u003cli\u003eAdd the certificate to the Active Directory instance.\u003c/li\u003e\n\u003cli\u003eDeploy the new certificates to the applications using this PKI for authentication.\u003c/li\u003e\n\u003cli\u003eRemove the deprecated certificates from Active Directory.\u003c/li\u003e\n\u003c/ol\u003e\n","resources":[]},"resources":[{"name":"Block Cipher Techniques","url":"https://csrc.nist.gov/projects/block-cipher-techniques","type":"hyperlink"}],"applicable_resource_types":["ad_certification_authority"],"attacker_known_tools":[],"category_id":4,"mitre_attacks":[],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["fr_FR","ko_KR","ja_JP","es_001","zh_TW","zh_CN","de_DE","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PKI-WEAK-CRYPTO","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["fr","ko","ja","es","zh-TW","zh-CN","de","en"],"mitre_attack_information":[],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[16]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-ADM-ACC-USAGE","_score":null,"_source":{"language_code":"en_US","codename":"C-ADM-ACC-USAGE","name":"Recent Use of the Default Administrator Account","id":15,"description":"\u003cp\u003eChecks for recent uses of the built-in administrator account.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eExcept in very rare specific cases, avoid using built-in administrative accounts.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eAvoid using the built-in administrative account usually called \u003ccode\u003eAdministrator\u003c/code\u003e except for rare global 
failures or when a regular domain administrator cannot access their account. This \u003ccode\u003eAdministrator\u003c/code\u003e account is identified by its SID having a RID of 500 (S-1-5-21-DOMAIN-500). Using this account regularly indicates poor administration practices. This Indicator of Exposure flags active user accounts with a last login date within the past month.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Prevent Frequent Built-in Administrative Accounts Usage","description":"Do not use the built-in administrator account for regular administrative tasks.\n","exec_summary":"\u003cp\u003eAdministrators should use a nominative and dedicated administrative account to perform daily administrative tasks.\u003c/p\u003e\n","detail":"\u003cp\u003eAvoid using built-in \u003ccode\u003eAdministrator\u003c/code\u003e accounts for regular administrative tasks. Instead, create dedicated and nominative accounts for each administrator. Use the built-in accounts only for emergencies, and store their passwords in a safe. 
However, such emergencies are rare, and nominative accounts should suffice for the majority of cases.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Securing Active Directory Administrative Groups and Accounts","url":"https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc875827(v=technet.10)","type":"hyperlink"},{"name":"Appendix D: Securing Built-In Administrator Accounts in Active Directory","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory\n","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0006 - Credential Access","techniques":["T1003 - OS Credential Dumping"]},{"tactic":"TA0005 - Defense Evasion","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["fr_FR","ja_JP","es_001","ko_KR","zh_CN","de_DE","zh_TW","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-ADM-ACC-USAGE","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["fr","ja","es","ko","zh-CN","de","zh-TW","en"],"mitre_attack_information":[{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1003","name":"OS Credential Dumping","url":"https://attack.mitre.org/techniques/T1003/"}]},{"tactic":{"id":"TA0005","name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0004","name":"Privilege 
Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[15]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DANG-PRIMGROUPID","_score":null,"_source":{"language_code":"en_US","codename":"C-DANG-PRIMGROUPID","name":"User Primary Group","id":14,"description":"\u003cp\u003eVerify users' Primary Group has not been changed\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eWhile groups are the usual ways of giving access to resources in an environment, another less-known but equally important Active Directory (AD) feature, Primary Group, can also give access to resources.\n\u003cbr\u003ePrimary Group ID (PGID) is a mechanism that Microsoft created to support legacy UNIX applications which store group memberships differently than Windows.\n\u003cbr\u003eAs such, being a member of a group or having a Primary Group set for this group works exactly in the same way in the AD.\n\u003cbr\u003eMicrosoft AD management software knows of this feature, but this is not the case for all external monitoring tools.\n\u003cbr\u003eTherefore, using Primary Group is at least considered a bad practice, at worst a security risk to address.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe Primary Group mechanism (PGID) is a way of transposing UNIX group permissions to Active Directory in the form of a new attribute in every user and computer object in a domain. As its name suggests, PGID is an identifier that holds information about a group. As a security principal, a group has a unique security identifier (SID) composed of multiple parts, including the relative identifier (RID). 
Since the RID uniquely identifies a security principal, Microsoft used it directly in Primary Group (primaryGroupId).\n\u003cbr\u003eA default domain environment can only have a few different Primary Groups:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e513: \u003ccode\u003eDomain Users\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e514: \u003ccode\u003eGuest\u003c/code\u003e account\u003c/li\u003e\n\u003cli\u003e515: \u003ccode\u003eDomain Computers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e516: \u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e521: \u003ccode\u003eRead-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e498: \u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBy default, each user has its primaryGroupId set to 513, which must not change. Adding a user to a group - such as the privileged Domain Admins group - does not change the value of the primaryGroupId, which stays at 513. Only the group member attribute changes and receives the user's distinguished name.\n\u003cbr\u003eBecause the primaryGroupId can only contain one group, privileged groups are usually the ones that are targeted.\nFor example, setting the primaryGroupId of an unprivileged user to 512 (RID of Domain Admins group) has the same impact as adding the user to the members of the Domain Admins group. In the case of an attack such as DCShadow, this event goes unrecorded in any log. 
This allows an unprivileged user access to every resource in the domain.\n\u003cbr\u003eSince not all software on the market is compatible with the PGID feature, attackers can exploit it to maintain access to resources after an initial compromise.\n\u003cbr\u003eThis IoE raises an alert when:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eA user - including members of privileged groups - has a primaryGroupId other than 513 set (PGID 514, which represents the \"Domain Guests\" group, is allowed by default. This can be changed with an IoE option).\u003c/li\u003e\n\u003cli\u003eA normal computer or server has a primaryGroupId other than 515 set.\u003c/li\u003e\n\u003cli\u003eA domain controller has a primaryGroupId other than 516, 521 and 498 set.\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Reset the users' Primary Group","description":"Set the Primary Group of users to a non-dangerous one","exec_summary":"\u003cp\u003eReset all user primaryGroupId attributes to a safe value.\u003c/p\u003e\n","detail":"\u003cp\u003ePrimary Group (PGID) should not be used, due to its technical and security limitations. 
New and better solutions exist to join UNIX computers to the Active Directory.\n\u003cbr\u003eFrom a security perspective, reset the PGID value for all domain accounts to their default value to secure them from a backdoor mechanism, as follows:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eFor all user accounts of the domain, set the primaryGroupId to 513 to correspond to the \u003ccode\u003eDomain Users\u003c/code\u003e group, regardless of their functional types (normal or privileged user, service account, VIP user, etc.).\u003c/li\u003e\n\u003cli\u003eFor the Guest account as a specific user account, set the primaryGroupId to 514.\u003c/li\u003e\n\u003cli\u003eFor all computer accounts of the domain, set the primaryGroupId to 515, regardless of their functional types (desktop or server), except for domain controllers (DCs).\u003c/li\u003e\n\u003cli\u003eFor all DCs of the domain, set the primaryGroupId depending on their appropriate type:\u003cul\u003e\n\u003cli\u003eFor standard read-write DCs, set the primaryGroupId to 516.\u003c/li\u003e\n\u003cli\u003eFor read-only DCs, set the primaryGroupId to 521.\u003c/li\u003e\n\u003cli\u003eFor enterprise read-only DCs, set the primaryGroupId to 498.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFinally, as a precaution, check regularly that attackers do not use this mechanism to hide high privileges.\u003c/p\u003e\n","resources":[{"name":"Change a User's Primary Group","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771489(v=ws.11)","type":"hyperlink"},{"name":"Integrating Linux Systems with Active Directory Environments","url":"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index","type":"hyperlink"}]},"resources":[{"name":"Resolving a Primary Group 
ID","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378789(v=ws.10)","type":"hyperlink"},{"name":"Well-known security identifiers in Windows operating systems","url":"https://learn.microsoft.com/en-US/windows-server/identity/ad-ds/manage/understand-security-identifiers#well-known-sids\n","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"mimikatz - DCShadow","url":"https://github.com/gentilkiwi/mimikatz/releases","author":"Gentil Kiwi"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","ja_JP","zh_CN","es_001","ko_KR","fr_FR","zh_TW","en_US"],"tvdb_export_source":{"file_name":"diff-202501311400.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DANG-PRIMGROUPID","created_at":"2025-01-31T14:09:34","updated_at":"2025-01-31T14:09:34"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["de","ja","zh-CN","es","ko","fr","zh-TW","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[14]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-UNCONST-DELEG","_score":null,"_source":{"language_code":"en_US","codename":"C-UNCONST-DELEG","name":"Dangerous Kerberos Delegation","id":13,"description":"\u003cp\u003eChecks for 
unauthorized Kerberos delegation, and ensures protection for privileged users against it.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eThe Kerberos protocol, which is central to Active Directory security, permits select servers to reuse user credentials. If an attacker compromises one of these servers, they could steal these credentials and use them to authenticate to other resources by abusing \"unconstrained delegation\" or \"(resource-based) constrained delegation\".\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eWhen a user logs in to a server that has \u003ccode\u003eTrusted for delegation\u003c/code\u003e enabled, the domain controller sends a copy of the user's credentials to the server. This allows the server to authenticate on behalf of the user. However, if the server is compromised, an attacker can steal the credentials of all users who log in to the server and use them to authenticate on other resources. If an administrator logs in to the compromised machine, the attacker can escalate their privileges and become an administrator too. To prevent this, the \u003ccode\u003eTrusted for delegation\u003c/code\u003e property should only be allowed on trusted servers such as domain controllers. This is called unconstrained delegation.\n\u003cbr\u003eConstrained delegation is a delegation with protocol transition where the \u003ccode\u003eTrusted to authenticate for delegation\u003c/code\u003e flag is set on the user or computer. This allows authentication on a restricted set of services. However, with this flag set, a user or computer can authenticate as any other user on the listed services without that user having to connect to them. 
Depending on the list of services authorized and the business impact, this could be even more dangerous than unconstrained delegation.\n\u003cbr\u003eFully constrained delegation is as dangerous as unconstrained delegation if one of the targeted services is on a domain controller or an identified dangerous host. This Indicator of Exposure reports all accounts with such delegation attributes and excludes disabled accounts. Privileged users should not have delegation attributes. To protect these users, mark them as \u003ccode\u003eAccount is sensitive and cannot be delegated\u003c/code\u003e or add them to the \u003ccode\u003eProtected Users\u003c/code\u003e group.\n\u003cbr\u003eConstrained delegation, both with and without protocol transition, is subject to the SPN-jacking attack: attackers can change the SPN value or re-use an old but unused SPN still configured into the \u003ccode\u003emsDS-AllowedToDelegateTo\u003c/code\u003e attribute of an object. This allows an attacker to compromise a machine on which they only have the permissions to modify the SPN.\nAttackers can manipulate the SPN of computer/service accounts to redirect preconfigured Constrained Delegation to unintended targets, even without obtaining SeEnableDelegation privileges.\n\u003cbr\u003eTo manage resources better, Microsoft introduced a new Kerberos feature in Windows Server 2012 called \u003ccode\u003eResource-Based Constrained Delegation\u003c/code\u003e. This allows administrators of a specific resource to set the authorized permissions directly on it, without domain administrators having to define the business need. 
Although this feature is not dangerous, its use must be controlled as it can become a hidden backdoor on the Active Directory if an attacker acquires administrative rights on a resource.\n\u003cbr\u003eConduct the following checks:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eVerify that the associated attribute (msDS-AllowedToActOnBehalfOfOtherIdentity) is not set for privileged resources (such as Active Directory administrative accounts).\u003c/li\u003e\n\u003cli\u003eEnsure that unprivileged accounts do not have permissions to modify the value of the above attribute or the \"Account Restrictions\" property of these resources.\u003c/li\u003e\n\u003c/ol\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Restrict Use of Unconstrained Delegation","description":"Unconstrained delegation could lead to privilege escalation if the service allowed to delegate is compromised.\n","exec_summary":"\u003cp\u003eThe only accounts using unconstrained delegation should be the domain controller accounts. Administrators should also be protected against any dangerous delegation type.\u003c/p\u003e\n","detail":"\u003cp\u003eIn general, you should not allow delegation on an administrator account because an attacker taking control of the service can steal its credentials. Tenable recommends that you add all privileged users into the \u003ccode\u003eProtected Users\u003c/code\u003e group or add the DONT_DELEGATE flag in the userAccountControl attribute. The \u003ccode\u003eProtected Users\u003c/code\u003e group can contain other groups, among other advantages. 
In this scenario, adding a user to a privileged group places that user automatically in the \u003ccode\u003eProtected Users\u003c/code\u003e group, without requiring you to remember to add the correct attribute to the user.\n\u003cbr\u003eHowever, the \u003ccode\u003eProtected Users\u003c/code\u003e group includes additional security measures that prevent connections from using the NTLM protocol, thus affecting compatibility. This requires a testing period to ensure a smooth transition. By default, you can find the \u003ccode\u003eProtected Users\u003c/code\u003e group in the default \u003ccode\u003eUsers\u003c/code\u003e container using the \u003ccode\u003eActive Directory Users and Computers\u003c/code\u003e tool. To add the DONT_DELEGATE flag to the userAccountControl attribute, select the \u003ccode\u003eAccount is sensitive and cannot be delegated\u003c/code\u003e option in the \u003ccode\u003eAccount\u003c/code\u003e tab of all the accounts' properties.\n\u003cbr\u003eAvoid the following types of delegation:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUnconstrained delegation - An attacker taking control of the delegate service using unconstrained delegation can reuse credentials from all connected users to authenticate to any other target service. This is the default setting for domain controllers, but you should not activate it for any other account.\u003c/li\u003e\n\u003cli\u003eConstrained delegation with protocol transition - An attacker taking control of a delegate service using the constrained delegation with protocol transition can ask for a Kerberos ticket for any user account that does not have protection against delegation. The protocol transition is useful when clients cannot authenticate to the delegate service using the Kerberos protocol. But given the risk, you should avoid it. 
Also, if the attribute msDS-AllowedToDelegateTo refers to a SPN that no longer exists, it must be cleaned.\u003c/li\u003e\n\u003cli\u003eConstrained delegation targeting a sensitive resource - If an attacker can compromise a delegate service that uses constrained delegation and targets a sensitive entity like a domain controller, they can potentially use the user credentials from that service and replay them on the sensitive target. Although constrained delegation limits the target service that the delegate service can connect to, if the target service is a sensitive one like a domain controller, then the risk is similar to unconstrained delegation and you should remove it.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eYou can access these settings in the \u003ccode\u003eDelegation\u003c/code\u003e tab in the properties of the machine account using the \u003ccode\u003eActive Directory Users and Computers\u003c/code\u003e tool:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe unconstrained delegation corresponds to the \u003ccode\u003eTrust this computer for delegation to any service (Kerberos only)\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eThe constrained delegation with protocol transition corresponds to the \u003ccode\u003eTrust this computer for delegation to specified services only\u003c/code\u003e setting with the \u003ccode\u003eUse any authentication protocol\u003c/code\u003e selected.\u003c/li\u003e\n\u003cli\u003eThe constrained delegation to a sensitive resource corresponds to the \u003ccode\u003eTrust this computer for delegation to specified services only\u003c/code\u003e setting and consider any host in the \u003ccode\u003eUser or Computer\u003c/code\u003e column to be sensitive.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAlthough you can add exceptions if necessary, it's crucial to exercise caution when dealing with servers that operate with unconstrained delegation. 
\u003cstrong\u003eAdministrative accounts should never connect to these servers as an attacker could potentially steal their credentials\u003c/strong\u003e.\n\u003cbr\u003eTenable recommends using Resource-Based Constrained Delegation (RBCD) with the correct configuration. Allowing unprivileged accounts to access privileged accounts through RBCD can result in a complete domain compromise from that account. Attackers may use this technique to create a backdoor to the Active Directory by inserting an account into the attribute or using permissions. Therefore, it's crucial to analyze both the value of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute and the associated permissions on critical resources to detect any such backdoors.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)","url":"https://adsecurity.org/?p=1667","type":"hyperlink"},{"name":"Get rid of accounts that use Kerberos Unconstrained Delegation","url":"https://learn.microsoft.com/en-us/archive/blogs/389thoughts/get-rid-of-accounts-that-use-kerberos-unconstrained-delegation\n","type":"hyperlink"},{"name":"Abusing Resource-Based Constrained Delegation to Attack Active Directory","url":"https://eladshamir.com/2019/01/28/Wagging-the-Dog.html\n","type":"hyperlink"},{"name":"SPN-jacking: An Edge Case in WriteSPN Abuse\n","url":"https://eladshamir.com/2022/02/10/SPN-jacking.html\n","type":"hyperlink"},{"name":"SPN-jacking","url":"https://www.thehacker.recipes/ad/movement/kerberos/spn-jacking\n","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"Rubeus","url":"https://github.com/GhostPack/Rubeus","author":"HarmJ0y, Elad Shamir"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":[]},{"tactic":"TA0004 - Privilege Escalation","techniques":[]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["zh_TW","zh_CN","de_DE","fr_FR","ko_KR","es_001","ja_JP","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-UNCONST-DELEG","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["zh-TW","zh-CN","de","fr","ko","es","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[13]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-USERS-REVER-PWDS","_score":null,"_source":{"language_code":"en_US","codename":"C-USERS-REVER-PWDS","name":"Reversible Passwords","id":12,"description":"\u003cp\u003eVerifies that the option to store passwords in a reversible format does not get enabled.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eWhile Active Directory does support legacy applications that require passwords in clear-text format to function, you should disable this feature.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eTo support legacy applications that require users' passwords for authentication, Active Directory provides the option to store passwords in a reversible format using a well-known key, which means that anyone can decrypt them. However, this functionality is now disabled by default. 
Administrators should be vigilant and monitor closely to ensure that it does not get inadvertently re-enabled by a faulty application or error.\n\u003cbr\u003eAnother way to store clear-text passwords for users is to define specific properties on the domain root, which causes Active Directory to store every user password in clear-text instead of encrypting them.\n\u003cbr\u003eLastly, Password Setting Objects (PSO), used to apply custom password policies to user accounts and groups, can be configured to store passwords using a reversible encryption as well.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Remove Reversible Passwords for Domain Accounts","description":"Accounts whose passwords are stored in plaintext should be reset.","exec_summary":"\u003cp\u003eAccounts with passwords stored in a reversible format in the Active Directory are typically legacy service accounts, which you should consider deleting.\u003c/p\u003e\n","detail":"\u003cp\u003eMicrosoft deprecated the practice of storing passwords in a reversible format, as any domain user can decrypt them. 
If you have accounts with this property enabled, you should examine them and remove the \u003ccode\u003eStore password using reversible encryption\u003c/code\u003e policy setting, if possible.\n\u003cbr\u003eIn the Password Setting Objects (PSO), the checkbox associated with the parameter \u003ccode\u003eStore password using reversible encryption\u003c/code\u003e should be cleared to remove this risk on these accounts.\n\u003cbr\u003eAfter you remove the setting, change the password for the account since it may have been compromised.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Store password using reversible encryption for all users in the domain","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc957013(v=technet.10)","type":"hyperlink"},{"name":"Store passwords using reversible encryption","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994559(v=ws.11)","type":"hyperlink"},{"name":"[MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server)","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380","type":"hyperlink"}],"applicable_resource_types":["ad_root_domain","ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1556.005 - Modify Authentication Process - Reversible Encryption"]},{"tactic":"TA0008 - Lateral Movement","techniques":["T1021 - Remote Services"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["ja_JP","fr_FR","de_DE","ko_KR","zh_CN","zh_TW","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-USERS-REVER-PWDS","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["ja","fr","de","ko","zh-CN","zh-TW","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1556.005","name":"Modify Authentication Process - Reversible Encryption","url":"https://attack.mitre.org/techniques/T1556/005/"}]},{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008/"},"techniques":[{"id":"T1021","name":"Remote Services","url":"https://attack.mitre.org/techniques/T1021/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[12]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-REVER-PWD-GPO","_score":null,"_source":{"language_code":"en_US","codename":"C-REVER-PWD-GPO","name":"Reversible Passwords in GPO","id":11,"description":"\u003cp\u003eChecks that GPO preferences do not allow passwords in a reversible format.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eWhile creating local accounts on machines via GPOs using the Group Policy Preferences (GPP) feature, some administrators may unknowingly store passwords in a format that is accessible to attackers. Additionally, configuring computers to bypass password requirements during startup can also result in such security issues.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eGPO Preferences, also known as \"Group Policy Preferences (GPP)\", store user passwords in an encrypted form, which attackers can easily decrypt as the encryption key is the same for every Active Directory and widely known. 
This is equivalent to storing passwords in plain text.\n\u003cbr\u003eAttackers also look for passwords in logon information files used during computer startup, especially when GPOs configure autologon, such as on kiosks that store passwords in plain text.\n\u003cbr\u003eTo prevent password retrieval in these ways, it is necessary to audit GPOs. Currently, this Indicator of Exposure only checks \u003ccode\u003eGroup Policy Preferences\u003c/code\u003e and not scripts.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Remove GPOs with reversible passwords","description":"GPOs containing passwords should be removed","exec_summary":"\u003cp\u003eGPOs that store reversible passwords are typically legacy settings or autologon features that you should eliminate. These settings expose valid credentials and pose a security risk.\u003c/p\u003e\n","detail":"\u003cp\u003eMicrosoft now \u003ca href=\"https://support.microsoft.com/en-us/kb/2962486\"\u003eexplicitly\u003c/a\u003e blocks the creation of GPO Preferences that contain reversible passwords. Review existing GPOs and schedule their removal as soon as possible. After removal, change all passwords previously stored in the GPOs, as all domain users have had access to them.\n\u003cbr\u003eYou should limit logon information files to the local system configuration only and avoid including them in a GPO. 
Autologon is generally suitable for kiosks or specific computers, rather than an entire set of computers that would expose the logged-in account credentials to any domain user.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege","url":"https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30\n","type":"hyperlink"}],"applicable_resource_types":["ad_gpo_preferences"],"attacker_known_tools":[],"category_id":3,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0006 - Credential Access","techniques":["T1552.006 - Unsecured Credentials - Group Policy Preferences"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["zh_CN","fr_FR","de_DE","zh_TW","ja_JP","ko_KR","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-REVER-PWD-GPO","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["zh-CN","fr","de","zh-TW","ja","ko","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"},"techniques":[{"id":"T1552.006","name":"Unsecured 
Credentials - Group Policy Preferences","url":"https://attack.mitre.org/techniques/T1552/006/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[11]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-SDPROP-CONSISTENCY","_score":null,"_source":{"language_code":"en_US","codename":"C-SDPROP-CONSISTENCY","name":"Ensure SDProp Consistency","id":10,"description":"\u003cp\u003eControl that the AdminSDHolder object is in a clean state.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eActive Directory offers protection for critical objects, such as Domain Administrators, by periodically applying default access control rules to these objects. It's essential to check these default rules for consistency since they affect the security of the most important objects in Active Directory.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eActive Directory guarantees that the access control rules deployed on critical objects are always in an optimal state with the following procedure:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe SDProp agent (running on domain controllers) extracts the access control list (ACL) of a specific template object, AdminSDHolder.\u003c/li\u003e\n\u003cli\u003eThe agent then copies these rules and applies them periodically, typically every hour, on critical accounts such as Domain Administrators.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHence, Active Directory periodically overwrites any direct modification to the ACL of Domain Admins. 
Attackers who have compromised an Active Directory domain commonly change the ACL of the AdminSDHolder object, and any permission they add to the ACL gets copied to privileged users, making it easy to set up backdoors.\n\u003cbr\u003eTo prevent this, Active Directory whitelists the following entities (built-in groups and accounts), as they have legitimate permissions on the AdminSDHolder object:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eNT AUTHORITY\\System\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Improve the Permission of 
Critical Objects","description":"The AdminSDHolder container should only be set to use standard permissions.","exec_summary":"\u003cp\u003ePermissions set on the AdminSDHolder container should only allow privileged access to administrative accounts.\u003c/p\u003e\n","detail":"\u003cp\u003eDefault permissions on the AdminSDHolder container (located in \"CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=CORP\") must only allow control of the following entities:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDomain administrators group\u003c/li\u003e\n\u003cli\u003eEnterprise administrators group\u003c/li\u003e\n\u003cli\u003eBuilt-in administrators group\u003c/li\u003e\n\u003cli\u003eBuilt-in system account\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eReview any other entities with significant permissions assigned to the AdminSDHolder container. Ensure that no unprivileged account or group has permissions exceeding basic read access.\u003c/p\u003e\n\u003ch4\u003eHow to correct wrong ACLs using Microsoft tools\u003c/h4\u003e\n\u003cp\u003eYou can correct wrong ACLs through the graphical interface using the \u003cem\u003eActive Directory Users and Computers\u003c/em\u003e tool. Follow the procedure corresponding to the specific IoE reason you want to address.\u003c/p\u003e\n\u003ch2\u003eHow to correct a wrong owner\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eLaunch \"Active Directory Users and Computers\".\u003c/li\u003e\n\u003cli\u003eClick \"View\" and check that \"Advanced Features\" is enabled.\u003c/li\u003e\n\u003cli\u003eUnder the \"System\" container, right-click the \"AdminSDHolder\" container and choose \"Property\".\u003c/li\u003e\n\u003cli\u003eIn the \"Security\" tab, click \"Advanced\".\u003c/li\u003e\n\u003cli\u003eAt the top of the window, you will see the 'Owner' information. Next to it, in blue, there is a clickable 'Change' button. Click on it.\na. Enter 'Domain Admins' as the new owner in the input field (this is the default value).\nb. 
Click OK.\u003c/li\u003e\n\u003cli\u003eConfirm all changes by clicking \"Apply\".\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2\u003eHow to correct wrong permissions\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eLaunch \"Active Directory Users and Computers\".\u003c/li\u003e\n\u003cli\u003eClick \"View\" and check that \"Advanced Features\" is enabled.\u003c/li\u003e\n\u003cli\u003eUnder the \"System\" container, right-click the \"AdminSDHolder\" container and choose \"Property\".\u003c/li\u003e\n\u003cli\u003eIn the \"Security\" tab, click \"Advanced\".\u003c/li\u003e\n\u003cli\u003eIn the \"Permissions\" tab, for each line referring to a security principal (user, computer, or group) reported by this IoE:\na. Select the line.\nb. Click \"Remove\".\u003c/li\u003e\n\u003cli\u003eConfirm all changes by clicking \"Apply\".\u003c/li\u003e\n\u003c/ol\u003e\n","resources":[{"name":"Appendix C: Protected Accounts and Groups in Active Directory\n","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory\n","type":"hyperlink"}]},"resources":[{"name":"Reducing the Active Directory Attack Surface","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/reducing-the-active-directory-attack-surface\n","type":"hyperlink"},{"name":"Securing Active Directory Administrative Groups and Accounts","url":"https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc875827(v=technet.10)","type":"hyperlink"},{"name":"Sneaky Active Directory Persistence #15: Leverage AdminSDHolder \u0026 SDProp to (Re)Gain Domain Admin Rights\n","url":"https://adsecurity.org/?p=1906","type":"hyperlink"}],"applicable_resource_types":["ad_container"],"attacker_known_tools":[],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["fr_FR","zh_CN","de_DE","zh_TW","ko_KR","es_001","ja_JP","en_US"],"tvdb_export_source":{"file_name":"diff-202501250200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-SDPROP-CONSISTENCY","created_at":"2025-01-25T02:06:45","updated_at":"2025-01-25T02:06:45"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["fr","zh-CN","de","zh-TW","ko","es","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[10]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-KRBTGT-PASSWORD","_score":null,"_source":{"language_code":"en_US","codename":"C-KRBTGT-PASSWORD","name":"Last Password Change on KRBTGT account","id":9,"description":"\u003cp\u003eChecks for KRBTGT accounts that have not changed their passwords for more than the recommended interval.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eEach Active Directory domain has a crucial account called KRBTGT that safeguards the master secret for all other secrets in the domain, making it vital to protect this account at any expense to avoid attacks such as \"Golden Ticket\".\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eStandard KRBTGT account\u003c/h4\u003e\n\u003cp\u003eTo authenticate users and machines, Active Directory uses the Kerberos protocol which relies on a master secret that protects all other domain secrets. 
If an attacker obtains this secret, they can impersonate any other user member of the domain, including administrators.\n\u003cbr\u003eThe master secret is stored as the KRBTGT user account password, which is the most valuable password of the domain and requires regular changing.\n\u003cbr\u003eThe Indicator of Exposure flags KRBTGT accounts that have not changed their passwords for more than \u003cstrong\u003etwo years\u003c/strong\u003e thus allowing attackers to persist for years using the \"Golden Ticket\" technique.\u003c/p\u003e\n\u003ch4\u003eKRBTGT account for Microsoft Entra Kerberos (Cloud Trust)\u003c/h4\u003e\n\u003cp\u003eThree types of deployments are provided by Microsoft for the \"Windows Hello for Business\" (WHfB) feature:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHybrid Key Trust\u003c/li\u003e\n\u003cli\u003eHybrid Certificate Trust\u003c/li\u003e\n\u003cli\u003eCloud Kerberos Trust\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eCloud Kerberos Trust was created to provide the best of the first two methods: it is simple to deploy because it does not have a lot of technical requirements, like a PKI installed or an AD FS server, and is effective immediately after the setup (no delay due to various synchronizations).\n\u003cbr\u003eIt provides a way to do seamless single sign-on (SSO) to on-premises AD resources from a full cloud computer, i.e. not joined to the local AD domain (\"Microsoft Entra joined device\").\n\u003cbr\u003eIn this deployment, to generate a \"partial\" TGT (partial because it's not usable as is) from the cloud, a read-only domain controller (RODC) account object is used (this one is created first in AD and does not represent a real RODC machine), which is then synchronized to Microsoft Entra ID. The creation of this object proves that Entra ID is trusted to authenticate on the on-premises environment. This partial TGT only holds the username of an account and no group membership is provided in this ticket. 
It is encrypted and signed with the secret of the RODC account that was created initially and sent to a client, then to a read/write domain controller (Windows Server 2016 or higher) to redeem a full TGT for that account.\n\u003cbr\u003eThe secret of this RODC account is stored inside of the \"krbtgt_AzureAD\" user object. As with the regular KRBTGT account, it is highly recommended to rotate its password regularly, to avoid persistence from an attacker that was able to retrieve the hash of the \"krbtgt_AzureAD\" account.\n\u003cbr\u003eThis attack is one of the methods that can be used to pivot from the cloud to the on-premises environment.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Change the Password of the KRBTGT Account","description":"The special account KRBTGT should be protected by periodically rotating its password.\n","exec_summary":"\u003cp\u003eMicrosoft fully supports the special operation of changing the KRBTGT account password.\u003c/p\u003e\n","detail":"\u003ch4\u003eOld Krbtgt password\u003c/h4\u003e\n\u003cp\u003eKRBTGT password change requires a specific sequence of operations. Improper execution may affect domain controller authentication. 
Microsoft offers an \u003ca href=\"https://cloudblogs.microsoft.com/microsoftsecure/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/\"\u003eofficial procedure\u003c/a\u003e and a \u003ca href=\"https://github.com/microsoft/New-KrbtgtKeys.ps1\"\u003ehelper script\u003c/a\u003e.\u003c/p\u003e\n\u003ch4\u003eOld Entra ID Krbtgt password\u003c/h4\u003e\n\u003cp\u003eFor the \"krbtgt_AzureAD\" account, the procedure to renew its password is not the same as for the regular KRBTGT account.\n\u003cbr\u003eAfter successful authentication on a server where the Microsoft Entra Connect software is installed, use and adapt the following PowerShell command example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module \"C:\\Program Files\\Microsoft Azure Active Directory Connect\\AzureADKerberos\\AzureAdKerberos.psd1\"\nPS\u0026gt; $domain = \"DOMAIN.CORP\" # To be replaced with your domain FQDN\nPS\u0026gt; $cloudCred = Get-Credential -Message 'Provide the credentials for an account that has the Global Administrator role in Entra ID'\nPS\u0026gt; Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -RotateServerKey\n\u003c/code\u003e\u003c/pre\u003e\n","resources":[{"name":"Rotate the Microsoft Entra Kerberos server key","url":"https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#rotate-the-microsoft-entra-kerberos-server-key","type":"hyperlink"}]},"resources":[{"name":"KRBTGT Account Password Reset Scripts now available for customers","url":"https://www.microsoft.com/en-us/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/\n","type":"hyperlink"},{"name":"Kerberos \u0026 KRBTGT: Active Directory's Domain Kerberos Service Account","url":"https://adsecurity.org/?p=483","type":"hyperlink"},{"name":"Reset the krbtgt account 
password/keys","url":"https://github.com/microsoft/New-KrbtgtKeys.ps1","type":"hyperlink"},{"name":"Windows Hello Cloud Trust","url":"https://syfuhs.net/windows-hello-cloud-trust","type":"hyperlink"},{"name":"Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust","url":"https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"mimikatz","url":"https://github.com/gentilkiwi/mimikatz/releases","author":"Gentil Kiwi"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0003 - Persistence","techniques":[]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["de_DE","fr_FR","ja_JP","zh_CN","ko_KR","zh_TW","es_001","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-KRBTGT-PASSWORD","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["de","fr","ja","zh-CN","ko","zh-TW","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]},{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},"techniques":[]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[9]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-NATIVE-ADM-GROUP-MEMBERS","_score":null,"_source":{"language_code":"en_US","codename":"C-NATIVE-ADM-GROUP-MEMBERS","name":"Native Administrative Group Members","id":8,"description":"\u003cp\u003eAbnormal accounts in the native administrative groups of Active 
Directory\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eWith regard to privileged groups in Active Directory, there are very few cases where it's necessary to add an account to default administrative groups. Membership to these groups should be scrutinized and carefully justified.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eVery few specific operations require the privileges granted to native administrative groups:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe number of members belonging to these groups should be kept as low 
as possible, as an attacker taking control of any of them will instantly gain control of the whole forest. The list of accounts belonging to these groups is provided in the technical data annex, and should be closely monitored.\n\u003cbr\u003eDaily administrative tasks should not be conducted with such accounts, but with some lesser-privileged ones having been given delegation for specific tasks. Active and inactive user and computer accounts are reported (this behavior can be changed in the options to exclude disabled accounts).\n\u003cbr\u003eSome specific cases have to be considered when analyzing the results of this indicator. Firstly, objects referenced in other domains that are not supervised by Tenable Identity Exposure, because Tenable Identity Exposure does not have all the required information to be accurate (e.g. it is not possible to have access to the members of a group if the associated domain is not supervised). As such, whatever the object that is targeted (user, computer or group), it will be counted as one single \"user\". Secondly, Contact objects should not be present in privileged security groups so they are counted as well.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Limit administrative groups membership","description":"Limit the number of accounts in highly privileged groups","exec_summary":"\u003cp\u003eRestrict privileged administrative group membership to a minimum.\u003c/p\u003e\n","detail":"\u003cp\u003eTenable recommends that you perform all operations with a least privileged account. 
Implement a delegation matrix to define required mandatory privileges to execute administrative tasks as well as what privileges to grant to any newly defined group.\n\u003cbr\u003eVery few operations require the privileges granted to the members of the following administrative groups:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGPO Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFor example, you only need Schema Admins rights when doing an in-depth restructuring of the domain, which does not happen more than once a year in normal situations.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Securing Privileged Access","url":"https://learn.microsoft.com/en-us/security/compass/overview\n","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["ko_KR","ja_JP","es_001","zh_CN","de_DE","fr_FR","zh_TW","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-NATIVE-ADM-GROUP-MEMBERS","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["ko","ja","es","zh-CN","de","fr","zh-TW","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[8]},{"_index":"1735837073511_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PRIV-ACCOUNTS-SPN","_score":null,"_source":{"language_code":"en_US","codename":"C-PRIV-ACCOUNTS-SPN","name":"Privileged Accounts Running Kerberos Services","id":7,"description":"\u003cp\u003eDetects highly privileged accounts with the Service Principal Name (SPN) attribute which affects their security.\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eIn 2014, a new type of attack called Kerberoast targets privileged domain user accounts by exploiting the internal mechanisms of the Kerberos authentication protocol. The attacker's goal is to discover the clear-text password of an account, which gives them associated rights.\n\u003cbr\u003eThis attack can occur from inside an Active Directory environment using a simple, unprivileged user account. If a specific Active Directory attribute (the \u003ccode\u003eservicePrincipalName\u003c/code\u003e) is set on an account, this affects the underlying security of this account. 
The password of this account can be guessed, and traditional security mechanisms that lock an account after several password failures cannot prevent exhaustive attacks on passwords.\n\u003cbr\u003eSome very privileged accounts are usually targeted, (e.g. users of the \u003ccode\u003eDomain Admins\u003c/code\u003e group). Those accounts can lead to a full domain compromise very fast and as such should be protected against this Kerberos configuration threat.\n\u003cbr\u003eThe \u003cstrong\u003eKerberoasting\u003c/strong\u003e Indicator of Attack can alert security personnel if an attacker attempts to exploit this vulnerability. However, it is still necessary to fix the underlying issue to secure very privileged accounts, which can lead to a full domain compromise quickly.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe concept of tickets forms the basis of Kerberos, the primary authentication protocol used in Active Directory environments. Kerberos uses two types of tickets: the Ticket Granting Tickets (TGT) and the Service Ticket (ST), which are constructed in the same way but serve different purposes. The TGT generates multiple STs after user authentication, allowing access to resources without re-authentication, while the ST is used to access a specific resource by proving the user's identity and is renewed more frequently than TGTs.\n\u003cbr\u003eTo ensure ticket security (integrity and authenticity), certain parts of the tickets are encrypted using the account's password hash (NT hash by default). The TGT is protected by a specific account (krbtgt), while the ST is protected by the Active Directory (AD) account of the service.\n\u003cbr\u003eThe \u003ccode\u003eservicePrincipalName\u003c/code\u003e (SPN) attribute on an account is used to identify each service instance in the Kerberos world. 
In Active Directory environments, the SQL Server database is a common service with an automatically added SPN on the configured account.\n\u003cbr\u003eThe Kerberoast attack is possible for two reasons: an ST can be obtained with a single request whenever an account has an SPN attribute, and the account password may be weak. Hence, an attacker can request an ST for an SPN-enabled account and attempt to decipher it offline by trying many candidate passwords.\n\u003cbr\u003eThis attack is more dangerous than online attacks as it is stealthier, with only one request made to get the ticket, and quicker, with the use of powerful computers and GPUs.\n\u003cbr\u003eHowever, a normal account without an SPN would be immune to this attack, making it important to regularly check that no privileged account has an SPN. Additionally, if the user's password is strong enough, it would take too much time for an attacker to be efficient.\n\u003cbr\u003eTo elevate privileges on the domain after compromising a standard account, an attacker would specifically target privileged accounts with an SPN. 
To prevent this, this Indicator of Exposure ensures that following members of specific privileged groups are not at risk:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Read-only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDomain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCert Publishers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSchema Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eGroup Policy Creator Owners\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRead-Only Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKey Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Key Admins\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAdministrators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAccount Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eServer Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBackup Operators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReplicators\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eEnterprise Domain Controllers\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e The \u003cstrong\u003eKerberoasting\u003c/strong\u003e Indicator of Attack can alert security personnel if an attacker attempts to exploit this vulnerability. 
However, it is still necessary to fix the underlying issue to secure very privileged accounts, whose compromise can quickly lead to a full domain compromise.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Remove SPN Attributes on Highly Privileged Accounts","description":"To protect their secret, it is recommended to remove SPN attributes on administrative accounts.","exec_summary":"\u003cp\u003ePrivileged accounts should not have a Service Principal Name.\u003c/p\u003e\n","detail":"\u003cp\u003eThe presence of an SPN on a privileged account, combined with an offline brute-force attack to obtain its password, can put the entire forest at risk. To prevent this, take the following measures to ensure that privileged accounts are not vulnerable to the Kerberoast attack.\u003c/p\u003e\n\u003ch4\u003eUse a group Managed Service Account (gMSA) instead of a user account\u003c/h4\u003e\n\u003cp\u003eMicrosoft introduced the gMSA feature in Windows Server 2012, and it stores gMSA objects in the Managed Service Accounts container of Active Directory. It is a good practice to use a gMSA for service accounts that require an SPN, as long as the service/application is gMSA-compatible. This provides a way to generate strong passwords that are automatically renewed. 
Follow these steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen a PowerShell prompt under the security context of a member of the Domain Admins or Account Operators group and use the New-ADServiceAccount command:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; New-ADServiceAccount -Name \u0026lt;String\u0026gt; `\n -Description \u0026lt;String\u0026gt; `\n -DNSHostName \u0026lt;String\u0026gt; `\n -ManagedPasswordIntervalInDays \u0026lt;Int32\u0026gt; `\n -PrincipalsAllowedToRetrieveManagedPassword \u0026lt;ADPrincipal[]\u0026gt; `\n -Enabled $True | $False `\n -PassThru\n\u003c/code\u003e\u003c/pre\u003e\n\u003col start=\"2\"\u003e\n\u003cli\u003eAssociate the gMSA with the service/application.\u003c/li\u003e\n\u003cli\u003eRemove the SPN from the privileged account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eUse an unprivileged account for SPN association if needed for functional reasons\u003c/h4\u003e\n\u003cp\u003eWhen it is not possible to use a gMSA because the service/application is not compatible with this Active Directory feature, use an unprivileged user account:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCreate an unprivileged account.\u003c/li\u003e\n\u003cli\u003eSet a random and complex password (preferably generated by a password manager application, e.g. KeePass).\u003c/li\u003e\n\u003cli\u003eAdd the SPN on the unprivileged account:\n a. Using the \u003cem\u003eActive Directory Users and Computers\u003c/em\u003e MMC snap-in: right-click on the account, select \u003cem\u003eProperties\u003c/em\u003e, select the \u003cem\u003eAttribute Editor\u003c/em\u003e tab, locate the servicePrincipalName attribute in the list and edit it.\n b. 
Using the SetSPN command: setspn -s service/name yourserviceaccount.\u003c/li\u003e\n\u003cli\u003eAssociate the unprivileged account with the service/application.\u003c/li\u003e\n\u003cli\u003eRemove the SPN from the privileged account.\u003c/li\u003e\n\u003cli\u003eDefine a procedure to renew the unprivileged account password periodically as a good practice.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003eAdditional good practices and verifications\u003c/h4\u003e\n\u003cul\u003e\n\u003cli\u003eIncrease the complexity of the password to mitigate this attack.\u003c/li\u003e\n\u003cli\u003eMake sure that the service ticket (ST) is encrypted using a strong encryption algorithm such as AES, instead of the default RC4 (NT hash).\u003c/li\u003e\n\u003cli\u003eUse Smart Cards to generate a password that is unrelated to the user's PIN code and is strong enough to provide secure authentication.\u003c/li\u003e\n\u003cli\u003eRemove unnecessary users from privileged groups. During this process, it's also important to ensure that service accounts are not members of any privileged group and have only the minimum rights necessary to prevent a range of attacks on the Active Directory.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote that for the same reason as for gMSAs and Smart Cards, computer accounts are not affected.\u003c/p\u003e\n","resources":[{"name":"Group Managed Service Accounts overview","url":"https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview","type":"hyperlink"},{"name":"Managed Service Accounts","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10)","type":"hyperlink"},{"name":"Windows Configurations for Kerberos Supported Encryption Type","url":"https://learn.microsoft.com/en-us/archive/blogs/openspecification/windows-configurations-for-kerberos-supported-encryption-type","type":"hyperlink"},{"name":"Removing 
SPNs","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v%3Dws.11)#removing-spns","type":"hyperlink"}]},"resources":[{"name":"MITRE ATT\u0026CK - Steal or Forge Kerberos Tickets: Kerberoasting","url":"https://attack.mitre.org/techniques/T1558/003/","type":"hyperlink"},{"name":"Kerberos: An Authentication Service for Computer Networks","url":"https://gost.isi.edu/publications/kerberos-neuman-tso.html","type":"hyperlink"},{"name":"Authentication secrets part II - Kerberos strikes-back","url":"https://www.sstic.org/media/SSTIC2014/SSTIC-actes/secrets_dauthentification_pisode_ii__kerberos_cont/SSTIC2014-Article-secrets_dauthentification_pisode_ii__kerberos_contre-attaque-bordes_2.pdf\n","type":"hyperlink"},{"name":"Sneaky Persistence Active Directory Trick: Dropping SPNs on Admin Accounts for Later Kerberoasting","url":"https://adsecurity.org/?p=3466","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"Kerberoast","url":"https://github.com/nidem/kerberoast","author":null},{"name":"Empire","url":"https://github.com/EmpireProject/Empire","author":null},{"name":"Impacket","url":"https://github.com/SecureAuthCorp/impacket","author":null},{"name":"PowerSploit","url":"https://github.com/PowerShellMafia/PowerSploit","author":null}],"category_id":5,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of 
Exposure","released":true,"available_languages":["de_DE","ja_JP","zh_TW","zh_CN","es_001","ko_KR","fr_FR","en_US"],"tvdb_export_source":{"file_name":"all-202412210200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PRIV-ACCOUNTS-SPN","created_at":"2025-01-02T16:57:53","updated_at":"2025-01-02T16:57:53"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["de","ja","zh-TW","zh-CN","es","ko","fr","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"sort":[7]}],"total":105,"type":"ioe","page":1},"cookies":{},"user":null,"flash":null,"env":{"baseUrl":"https://www.tenable.com","host":"www.tenable.com","ga4TrackingId":""},"isUnsupportedBrowser":true,"__N_SSP":true},"page":"/indicators/ioe","query":{},"buildId":"TgpC0GgDQiX0eP8wJ615X","isFallback":false,"isExperimentalCompile":false,"gssp":true,"appGip":true,"locale":"en","locales":["en","de","es","fr","ja","ko","zh-CN","zh-TW"],"defaultLocale":"en","domainLocales":[{"domain":"www.tenable.com","defaultLocale":"en"},{"domain":"de.tenable.com","defaultLocale":"de"},{"domain":"es-la.tenable.com","defaultLocale":"es"},{"domain":"fr.tenable.com","defaultLocale":"fr"},{"domain":"jp.tenable.com","defaultLocale":"ja"},{"domain":"kr.tenable.com","defaultLocale":"ko"},{"domain":"www.tenablecloud.cn","defaultLocale":"zh-CN"},{"domain":"zh-tw.tenable.com","defaultLocale":"zh-TW"}],"scriptLoader":[]}</script></body></html>
