CINXE.COM

Indicators | Tenable®

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><title>Indicators<!-- --> | Tenable®</title><meta name="description" content="Tenable Identity Exposure allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real-time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. Tenable Identity Exposure&#x27;s Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks."/><meta property="og:title" content="Indicators"/><meta property="og:description" content="Tenable Identity Exposure allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real-time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. Tenable Identity Exposure&#x27;s Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks."/><meta name="twitter:title" content="Indicators"/><meta name="twitter:description" content="Tenable Identity Exposure allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real-time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. 
Tenable Identity Exposure&#x27;s Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks."/><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="apple-touch-icon" sizes="180x180" href="https://www.tenable.com/themes/custom/tenable/img/favicons/apple-touch-icon.png"/><link rel="manifest" href="https://www.tenable.com/themes/custom/tenable/img/favicons/manifest.json"/><link rel="mask-icon" href="https://www.tenable.com/themes/custom/tenable/img/favicons/safari-pinned-tab.svg" color="#0071dd"/><link rel="icon" href="https://www.tenable.com/favicon.ico" sizes="any"/><link rel="icon" href="https://www.tenable.com/themes/custom/tenable/img/favicons/favicon.svg" type="image/svg+xml"/><meta name="msapplication-config" content="https://www.tenable.com/themes/custom/tenable/img/favicons/browserconfig.xml"/><meta name="theme-color" content="#ffffff"/><link rel="canonical" href="https://www.tenable.com/indicators"/><link rel="alternate" hrefLang="x-default" href="https://www.tenable.com/indicators"/><link rel="alternate" hrefLang="en" href="https://www.tenable.com/indicators"/><meta name="next-head-count" content="19"/><script type="text/javascript">window.NREUM||(NREUM={});NREUM.info = {"agent":"","beacon":"bam.nr-data.net","errorBeacon":"bam.nr-data.net","licenseKey":"5febff3e0e","applicationID":"96358297","agentToken":null,"applicationTime":46.094935,"transactionName":"MVBabEEHChVXU0IIXggab11RIBYHW1VBDkMNYEpRHCgBHkJaRU52I2EXF1oIAA9VUUIOQxU=","queueTime":0,"ttGuid":"37d8bcdf2c441d14"}; (window.NREUM||(NREUM={})).init={ajax:{deny_list:["bam.nr-data.net"]}};(window.NREUM||(NREUM={})).loader_config={licenseKey:"5febff3e0e",applicationID:"96358297"};;/*! 
For license information please see nr-loader-rum-1.274.0.min.js.LICENSE.txt */ (()=>{var e,t,r={8122:(e,t,r)=>{"use strict";r.d(t,{a:()=>i});var n=r(944);function i(e,t){try{if(!e||"object"!=typeof e)return(0,n.R)(3);if(!t||"object"!=typeof t)return(0,n.R)(4);const r=Object.create(Object.getPrototypeOf(t),Object.getOwnPropertyDescriptors(t)),o=0===Object.keys(r).length?e:r;for(let a in o)if(void 0!==e[a])try{if(null===e[a]){r[a]=null;continue}Array.isArray(e[a])&&Array.isArray(t[a])?r[a]=Array.from(new Set([...e[a],...t[a]])):"object"==typeof e[a]&&"object"==typeof t[a]?r[a]=i(e[a],t[a]):r[a]=e[a]}catch(e){(0,n.R)(1,e)}return r}catch(e){(0,n.R)(2,e)}}},2555:(e,t,r)=>{"use strict";r.d(t,{Vp:()=>c,fn:()=>s,x1:()=>u});var n=r(384),i=r(8122);const o={beacon:n.NT.beacon,errorBeacon:n.NT.errorBeacon,licenseKey:void 0,applicationID:void 0,sa:void 0,queueTime:void 0,applicationTime:void 0,ttGuid:void 0,user:void 0,account:void 0,product:void 0,extra:void 0,jsAttributes:{},userAttributes:void 0,atts:void 0,transactionName:void 0,tNamePlain:void 0},a={};function s(e){try{const t=c(e);return!!t.licenseKey&&!!t.errorBeacon&&!!t.applicationID}catch(e){return!1}}function c(e){if(!e)throw new Error("All info objects require an agent identifier!");if(!a[e])throw new Error("Info for ".concat(e," was never set"));return a[e]}function u(e,t){if(!e)throw new Error("All info objects require an agent identifier!");a[e]=(0,i.a)(t,o);const r=(0,n.nY)(e);r&&(r.info=a[e])}},9417:(e,t,r)=>{"use strict";r.d(t,{D0:()=>g,gD:()=>h,xN:()=>p});var n=r(993);const i=e=>{if(!e||"string"!=typeof e)return!1;try{document.createDocumentFragment().querySelector(e)}catch{return!1}return!0};var o=r(2614),a=r(944),s=r(384),c=r(8122);const u="[data-nr-mask]",d=()=>{const 
e={mask_selector:"*",block_selector:"[data-nr-block]",mask_input_options:{color:!1,date:!1,"datetime-local":!1,email:!1,month:!1,number:!1,range:!1,search:!1,tel:!1,text:!1,time:!1,url:!1,week:!1,textarea:!1,select:!1,password:!0}};return{ajax:{deny_list:void 0,block_internal:!0,enabled:!0,harvestTimeSeconds:10,autoStart:!0},distributed_tracing:{enabled:void 0,exclude_newrelic_header:void 0,cors_use_newrelic_header:void 0,cors_use_tracecontext_headers:void 0,allowed_origins:void 0},feature_flags:[],generic_events:{enabled:!0,harvestTimeSeconds:30,autoStart:!0},harvest:{tooManyRequestsDelay:60},jserrors:{enabled:!0,harvestTimeSeconds:10,autoStart:!0},logging:{enabled:!0,harvestTimeSeconds:10,autoStart:!0,level:n.p_.INFO},metrics:{enabled:!0,autoStart:!0},obfuscate:void 0,page_action:{enabled:!0},page_view_event:{enabled:!0,autoStart:!0},page_view_timing:{enabled:!0,harvestTimeSeconds:30,autoStart:!0},performance:{capture_marks:!1,capture_measures:!1},privacy:{cookies_enabled:!0},proxy:{assets:void 0,beacon:void 0},session:{expiresMs:o.wk,inactiveMs:o.BB},session_replay:{autoStart:!0,enabled:!1,harvestTimeSeconds:60,preload:!1,sampling_rate:10,error_sampling_rate:100,collect_fonts:!1,inline_images:!1,fix_stylesheets:!0,mask_all_inputs:!0,get mask_text_selector(){return e.mask_selector},set mask_text_selector(t){i(t)?e.mask_selector="".concat(t,",").concat(u):""===t||null===t?e.mask_selector=u:(0,a.R)(5,t)},get block_class(){return"nr-block"},get ignore_class(){return"nr-ignore"},get mask_text_class(){return"nr-mask"},get block_selector(){return e.block_selector},set block_selector(t){i(t)?e.block_selector+=",".concat(t):""!==t&&(0,a.R)(6,t)},get mask_input_options(){return e.mask_input_options},set mask_input_options(t){t&&"object"==typeof 
t?e.mask_input_options={...t,password:!0}:(0,a.R)(7,t)}},session_trace:{enabled:!0,harvestTimeSeconds:10,autoStart:!0},soft_navigations:{enabled:!0,harvestTimeSeconds:10,autoStart:!0},spa:{enabled:!0,harvestTimeSeconds:10,autoStart:!0},ssl:void 0,user_actions:{enabled:!0}}},l={},f="All configuration objects require an agent identifier!";function g(e){if(!e)throw new Error(f);if(!l[e])throw new Error("Configuration for ".concat(e," was never set"));return l[e]}function p(e,t){if(!e)throw new Error(f);l[e]=(0,c.a)(t,d());const r=(0,s.nY)(e);r&&(r.init=l[e])}function h(e,t){if(!e)throw new Error(f);var r=g(e);if(r){for(var n=t.split("."),i=0;i<n.length-1;i++)if("object"!=typeof(r=r[n[i]]))return;r=r[n[n.length-1]]}return r}},3371:(e,t,r)=>{"use strict";r.d(t,{V:()=>f,f:()=>l});var n=r(8122),i=r(384),o=r(6154),a=r(9324);let s=0;const c={buildEnv:a.F3,distMethod:a.Xs,version:a.xv,originTime:o.WN},u={customTransaction:void 0,disabled:!1,isolatedBacklog:!1,loaderType:void 0,maxBytes:3e4,onerror:void 0,ptid:void 0,releaseIds:{},appMetadata:{},session:void 0,denyList:void 0,timeKeeper:void 0,obfuscator:void 0},d={};function l(e){if(!e)throw new Error("All runtime objects require an agent identifier!");if(!d[e])throw new Error("Runtime for ".concat(e," was never set"));return d[e]}function f(e,t){if(!e)throw new Error("All runtime objects require an agent identifier!");d[e]={...(0,n.a)(t,u),...c},Object.hasOwnProperty.call(d[e],"harvestCount")||Object.defineProperty(d[e],"harvestCount",{get:()=>++s});const r=(0,i.nY)(e);r&&(r.runtime=d[e])}},9324:(e,t,r)=>{"use strict";r.d(t,{F3:()=>i,Xs:()=>o,xv:()=>n});const n="1.274.0",i="PROD",o="CDN"},6154:(e,t,r)=>{"use strict";r.d(t,{OF:()=>c,RI:()=>i,WN:()=>d,bv:()=>o,gm:()=>a,mw:()=>s,sb:()=>u});var n=r(1863);const i="undefined"!=typeof window&&!!window.document,o="undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self.navigator instanceof WorkerNavigator||"undefined"!=typeof 
globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis.navigator instanceof WorkerNavigator),a=i?window:"undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis),s=Boolean("hidden"===a?.document?.visibilityState),c=/iPad|iPhone|iPod/.test(a.navigator?.userAgent),u=c&&"undefined"==typeof SharedWorker,d=((()=>{const e=a.navigator?.userAgent?.match(/Firefox[/\s](\d+\.\d+)/);Array.isArray(e)&&e.length>=2&&e[1]})(),Date.now()-(0,n.t)())},1687:(e,t,r)=>{"use strict";r.d(t,{Ak:()=>c,Ze:()=>l,x3:()=>u});var n=r(7836),i=r(3606),o=r(860),a=r(2646);const s={};function c(e,t){const r={staged:!1,priority:o.P3[t]||0};d(e),s[e].get(t)||s[e].set(t,r)}function u(e,t){e&&s[e]&&(s[e].get(t)&&s[e].delete(t),g(e,t,!1),s[e].size&&f(e))}function d(e){if(!e)throw new Error("agentIdentifier required");s[e]||(s[e]=new Map)}function l(e="",t="feature",r=!1){if(d(e),!e||!s[e].get(t)||r)return g(e,t);s[e].get(t).staged=!0,f(e)}function f(e){const t=Array.from(s[e]);t.every((([e,t])=>t.staged))&&(t.sort(((e,t)=>e[1].priority-t[1].priority)),t.forEach((([t])=>{s[e].delete(t),g(e,t)})))}function g(e,t,r=!0){const o=e?n.ee.get(e):n.ee,s=i.i.handlers;if(!o.aborted&&o.backlog&&s){if(r){const e=o.backlog[t],r=s[t];if(r){for(let t=0;e&&t<e.length;++t)p(e[t],r);Object.entries(r).forEach((([e,t])=>{Object.values(t||{}).forEach((t=>{t[0]?.on&&t[0]?.context()instanceof a.y&&t[0].on(e,t[1])}))}))}}o.isolatedBacklog||delete s[t],o.backlog[t]=null,o.emit("drain-"+t,[])}}function p(e,t){var r=e[1];Object.values(t[r]||{}).forEach((t=>{var r=e[0];if(t[0]===r){var n=t[1],i=e[3],o=e[2];n.apply(i,o)}}))}},7836:(e,t,r)=>{"use strict";r.d(t,{P:()=>c,ee:()=>u});var n=r(384),i=r(8990),o=r(3371),a=r(2646),s=r(5607);const c="nr@context:".concat(s.W),u=function e(t,r){var n={},s={},d={},l=!1;try{l=16===r.length&&(0,o.f)(r).isolatedBacklog}catch(e){}var 
f={on:p,addEventListener:p,removeEventListener:function(e,t){var r=n[e];if(!r)return;for(var i=0;i<r.length;i++)r[i]===t&&r.splice(i,1)},emit:function(e,r,n,i,o){!1!==o&&(o=!0);if(u.aborted&&!i)return;t&&o&&t.emit(e,r,n);for(var a=g(n),c=h(e),d=c.length,l=0;l<d;l++)c[l].apply(a,r);var p=m()[s[e]];p&&p.push([f,e,r,a]);return a},get:v,listeners:h,context:g,buffer:function(e,t){const r=m();if(t=t||"feature",f.aborted)return;Object.entries(e||{}).forEach((([e,n])=>{s[n]=t,t in r||(r[t]=[])}))},abort:function(){f._aborted=!0,Object.keys(f.backlog).forEach((e=>{delete f.backlog[e]}))},isBuffering:function(e){return!!m()[s[e]]},debugId:r,backlog:l?{}:t&&"object"==typeof t.backlog?t.backlog:{},isolatedBacklog:l};return Object.defineProperty(f,"aborted",{get:()=>{let e=f._aborted||!1;return e||(t&&(e=t.aborted),e)}}),f;function g(e){return e&&e instanceof a.y?e:e?(0,i.I)(e,c,(()=>new a.y(c))):new a.y(c)}function p(e,t){n[e]=h(e).concat(t)}function h(e){return n[e]||[]}function v(t){return d[t]=d[t]||e(f,t)}function m(){return f.backlog}}(void 0,"globalEE"),d=(0,n.Zm)();d.ee||(d.ee=u)},2646:(e,t,r)=>{"use strict";r.d(t,{y:()=>n});class n{constructor(e){this.contextId=e}}},9908:(e,t,r)=>{"use strict";r.d(t,{d:()=>n,p:()=>i});var n=r(7836).ee.get("handle");function i(e,t,r,i,o){o?(o.buffer([e],i),o.emit(e,t,r)):(n.buffer([e],i),n.emit(e,t,r))}},3606:(e,t,r)=>{"use strict";r.d(t,{i:()=>o});var n=r(9908);o.on=a;var i=o.handlers={};function o(e,t,r,o){a(o||n.d,i,e,t,r)}function a(e,t,r,i,o){o||(o="feature"),e||(e=n.d);var a=t[o]=t[o]||{};(a[r]=a[r]||[]).push([e,i])}},3878:(e,t,r)=>{"use strict";function n(e,t){return{capture:e,passive:!1,signal:t}}function i(e,t,r=!1,i){window.addEventListener(e,t,n(r,i))}function o(e,t,r=!1,i){document.addEventListener(e,t,n(r,i))}r.d(t,{DD:()=>o,jT:()=>n,sp:()=>i})},5607:(e,t,r)=>{"use strict";r.d(t,{W:()=>n});const n=(0,r(9566).bz)()},9566:(e,t,r)=>{"use strict";r.d(t,{LA:()=>s,bz:()=>a});var n=r(6154);const 
i="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx";function o(e,t){return e?15&e[t]:16*Math.random()|0}function a(){const e=n.gm?.crypto||n.gm?.msCrypto;let t,r=0;return e&&e.getRandomValues&&(t=e.getRandomValues(new Uint8Array(30))),i.split("").map((e=>"x"===e?o(t,r++).toString(16):"y"===e?(3&o()|8).toString(16):e)).join("")}function s(e){const t=n.gm?.crypto||n.gm?.msCrypto;let r,i=0;t&&t.getRandomValues&&(r=t.getRandomValues(new Uint8Array(e)));const a=[];for(var s=0;s<e;s++)a.push(o(r,i++).toString(16));return a.join("")}},2614:(e,t,r)=>{"use strict";r.d(t,{BB:()=>a,H3:()=>n,g:()=>u,iL:()=>c,tS:()=>s,uh:()=>i,wk:()=>o});const n="NRBA",i="SESSION",o=144e5,a=18e5,s={STARTED:"session-started",PAUSE:"session-pause",RESET:"session-reset",RESUME:"session-resume",UPDATE:"session-update"},c={SAME_TAB:"same-tab",CROSS_TAB:"cross-tab"},u={OFF:0,FULL:1,ERROR:2}},1863:(e,t,r)=>{"use strict";function n(){return Math.floor(performance.now())}r.d(t,{t:()=>n})},944:(e,t,r)=>{"use strict";function n(e,t){"function"==typeof console.debug&&console.debug("New Relic Warning: https://github.com/newrelic/newrelic-browser-agent/blob/main/docs/warning-codes.md#".concat(e),t)}r.d(t,{R:()=>n})},5284:(e,t,r)=>{"use strict";r.d(t,{t:()=>c,B:()=>s});var n=r(7836),i=r(6154);const o="newrelic";const a=new Set,s={};function c(e,t){const r=n.ee.get(t);s[t]??={},e&&"object"==typeof e&&(a.has(t)||(r.emit("rumresp",[e]),s[t]=e,a.add(t),function(e={}){try{i.gm.dispatchEvent(new CustomEvent(o,{detail:e}))}catch(e){}}({loaded:!0})))}},8990:(e,t,r)=>{"use strict";r.d(t,{I:()=>i});var n=Object.prototype.hasOwnProperty;function i(e,t,r){if(n.call(e,t))return e[t];var i=r();if(Object.defineProperty&&Object.keys)try{return Object.defineProperty(e,t,{value:i,writable:!0,enumerable:!1}),i}catch(e){}return e[t]=i,i}},6389:(e,t,r)=>{"use strict";function n(e,t=500,r={}){const n=r?.leading||!1;let i;return(...r)=>{n&&void 
0===i&&(e.apply(this,r),i=setTimeout((()=>{i=clearTimeout(i)}),t)),n||(clearTimeout(i),i=setTimeout((()=>{e.apply(this,r)}),t))}}function i(e){let t=!1;return(...r)=>{t||(t=!0,e.apply(this,r))}}r.d(t,{J:()=>i,s:()=>n})},5289:(e,t,r)=>{"use strict";r.d(t,{GG:()=>o,sB:()=>a});var n=r(3878);function i(){return"undefined"==typeof document||"complete"===document.readyState}function o(e,t){if(i())return e();(0,n.sp)("load",e,t)}function a(e){if(i())return e();(0,n.DD)("DOMContentLoaded",e)}},384:(e,t,r)=>{"use strict";r.d(t,{NT:()=>o,US:()=>d,Zm:()=>a,bQ:()=>c,dV:()=>s,nY:()=>u,pV:()=>l});var n=r(6154),i=r(1863);const o={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net"};function a(){return n.gm.NREUM||(n.gm.NREUM={}),void 0===n.gm.newrelic&&(n.gm.newrelic=n.gm.NREUM),n.gm.NREUM}function s(){let e=a();return e.o||(e.o={ST:n.gm.setTimeout,SI:n.gm.setImmediate,CT:n.gm.clearTimeout,XHR:n.gm.XMLHttpRequest,REQ:n.gm.Request,EV:n.gm.Event,PR:n.gm.Promise,MO:n.gm.MutationObserver,FETCH:n.gm.fetch,WS:n.gm.WebSocket}),e}function c(e,t){let r=a();r.initializedAgents??={},t.initializedAt={ms:(0,i.t)(),date:new Date},r.initializedAgents[e]=t}function u(e){let t=a();return t.initializedAgents?.[e]}function d(e,t){a()[e]=t}function l(){return function(){let e=a();const t=e.info||{};e.info={beacon:o.beacon,errorBeacon:o.errorBeacon,...t}}(),function(){let e=a();const t=e.init||{};e.init={...t}}(),s(),function(){let e=a();const t=e.loader_config||{};e.loader_config={...t}}(),a()}},2843:(e,t,r)=>{"use strict";r.d(t,{u:()=>i});var n=r(3878);function i(e,t=!1,r,i){(0,n.DD)("visibilitychange",(function(){if(t)return void("hidden"===document.visibilityState&&e());e(document.visibilityState)}),r,i)}},3434:(e,t,r)=>{"use strict";r.d(t,{YM:()=>c});var n=r(7836),i=r(5607);const o="nr@original:".concat(i.W);var a=Object.prototype.hasOwnProperty,s=!1;function c(e,t){return e||(e=n.ee),r.inPlace=function(e,t,n,i,o){n||(n="");const a="-"===n.charAt(0);for(let s=0;s<t.length;s++){const 
c=t[s],u=e[c];d(u)||(e[c]=r(u,a?c+n:n,i,c,o))}},r.flag=o,r;function r(t,r,n,s,c){return d(t)?t:(r||(r=""),nrWrapper[o]=t,function(e,t,r){if(Object.defineProperty&&Object.keys)try{return Object.keys(e).forEach((function(r){Object.defineProperty(t,r,{get:function(){return e[r]},set:function(t){return e[r]=t,t}})})),t}catch(e){u([e],r)}for(var n in e)a.call(e,n)&&(t[n]=e[n])}(t,nrWrapper,e),nrWrapper);function nrWrapper(){var o,a,d,l;try{a=this,o=[...arguments],d="function"==typeof n?n(o,a):n||{}}catch(t){u([t,"",[o,a,s],d],e)}i(r+"start",[o,a,s],d,c);try{return l=t.apply(a,o)}catch(e){throw i(r+"err",[o,a,e],d,c),e}finally{i(r+"end",[o,a,l],d,c)}}}function i(r,n,i,o){if(!s||t){var a=s;s=!0;try{e.emit(r,n,i,t,o)}catch(t){u([t,r,n,i],e)}s=a}}}function u(e,t){t||(t=n.ee);try{t.emit("internal-error",e)}catch(e){}}function d(e){return!(e&&"function"==typeof e&&e.apply&&!e[o])}},993:(e,t,r)=>{"use strict";r.d(t,{ET:()=>o,p_:()=>i});var n=r(860);const i={ERROR:"ERROR",WARN:"WARN",INFO:"INFO",DEBUG:"DEBUG",TRACE:"TRACE"},o="log";n.K7.logging},3969:(e,t,r)=>{"use strict";r.d(t,{TZ:()=>n,XG:()=>s,rs:()=>i,xV:()=>a,z_:()=>o});const n=r(860).K7.metrics,i="sm",o="cm",a="storeSupportabilityMetrics",s="storeEventMetrics"},6630:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewEvent},782:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewTiming},6344:(e,t,r)=>{"use strict";r.d(t,{G4:()=>i});var n=r(2614);r(860).K7.sessionReplay;const i={RECORD:"recordReplay",PAUSE:"pauseReplay",REPLAY_RUNNING:"replayRunning",ERROR_DURING_REPLAY:"errorDuringReplay"};n.g.ERROR,n.g.FULL,n.g.OFF},4234:(e,t,r)=>{"use strict";r.d(t,{W:()=>o});var n=r(7836),i=r(1687);class o{constructor(e,t){this.agentIdentifier=e,this.ee=n.ee.get(e),this.featureName=t,this.blocked=!1}deregisterDrain(){(0,i.x3)(this.agentIdentifier,this.featureName)}}},7603:(e,t,r)=>{"use strict";r.d(t,{j:()=>P});var 
n=r(860),i=r(2555),o=r(3371),a=r(9908),s=r(7836),c=r(1687),u=r(5289),d=r(6154),l=r(944),f=r(3969),g=r(384),p=r(6344);const h=["setErrorHandler","finished","addToTrace","addRelease","addPageAction","setCurrentRouteName","setPageViewName","setCustomAttribute","interaction","noticeError","setUserId","setApplicationVersion","start",p.G4.RECORD,p.G4.PAUSE,"log","wrapLogger"],v=["setErrorHandler","finished","addToTrace","addRelease"];var m=r(1863),b=r(2614),y=r(993);var w=r(2646),A=r(3434);function R(e,t,r,n){if("object"!=typeof t||!t||"string"!=typeof r||!r||"function"!=typeof t[r])return(0,l.R)(29);const i=function(e){return(e||s.ee).get("logger")}(e),o=(0,A.YM)(i),a=new w.y(s.P);return a.level=n.level,a.customAttributes=n.customAttributes,o.inPlace(t,[r],"wrap-logger-",a),i}function E(){const e=(0,g.pV)();h.forEach((t=>{e[t]=(...r)=>function(t,...r){let n=[];return Object.values(e.initializedAgents).forEach((e=>{e&&e.api?e.exposed&&e.api[t]&&n.push(e.api[t](...r)):(0,l.R)(38,t)})),n.length>1?n:n[0]}(t,...r)}))}const x={};function _(e,t,g=!1){t||(0,c.Ak)(e,"api");const h={};var w=s.ee.get(e),A=w.get("tracer");x[e]=b.g.OFF,w.on(p.G4.REPLAY_RUNNING,(t=>{x[e]=t}));var E="api-",_=E+"ixn-";function N(t,r,n,o){const a=(0,i.Vp)(e);return null===r?delete a.jsAttributes[t]:(0,i.x1)(e,{...a,jsAttributes:{...a.jsAttributes,[t]:r}}),j(E,n,!0,o||null===r?"session":void 0)(t,r)}function T(){}h.log=function(e,{customAttributes:t={},level:r=y.p_.INFO}={}){(0,a.p)(f.xV,["API/log/called"],void 0,n.K7.metrics,w),function(e,t,r={},i=y.p_.INFO){(0,a.p)(f.xV,["API/logging/".concat(i.toLowerCase(),"/called")],void 0,n.K7.metrics,e),(0,a.p)(y.ET,[(0,m.t)(),t,r,i],void 0,n.K7.logging,e)}(w,e,t,r)},h.wrapLogger=(e,t,{customAttributes:r={},level:i=y.p_.INFO}={})=>{(0,a.p)(f.xV,["API/wrapLogger/called"],void 
0,n.K7.metrics,w),R(w,e,t,{customAttributes:r,level:i})},v.forEach((e=>{h[e]=j(E,e,!0,"api")})),h.addPageAction=j(E,"addPageAction",!0,n.K7.genericEvents),h.setPageViewName=function(t,r){if("string"==typeof t)return"/"!==t.charAt(0)&&(t="/"+t),(0,o.f)(e).customTransaction=(r||"http://custom.transaction")+t,j(E,"setPageViewName",!0)()},h.setCustomAttribute=function(e,t,r=!1){if("string"==typeof e){if(["string","number","boolean"].includes(typeof t)||null===t)return N(e,t,"setCustomAttribute",r);(0,l.R)(40,typeof t)}else(0,l.R)(39,typeof e)},h.setUserId=function(e){if("string"==typeof e||null===e)return N("enduser.id",e,"setUserId",!0);(0,l.R)(41,typeof e)},h.setApplicationVersion=function(e){if("string"==typeof e||null===e)return N("application.version",e,"setApplicationVersion",!1);(0,l.R)(42,typeof e)},h.start=()=>{try{(0,a.p)(f.xV,["API/start/called"],void 0,n.K7.metrics,w),w.emit("manual-start-all")}catch(e){(0,l.R)(23,e)}},h[p.G4.RECORD]=function(){(0,a.p)(f.xV,["API/recordReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.RECORD,[],void 0,n.K7.sessionReplay,w)},h[p.G4.PAUSE]=function(){(0,a.p)(f.xV,["API/pauseReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.PAUSE,[],void 0,n.K7.sessionReplay,w)},h.interaction=function(e){return(new T).get("object"==typeof e?e:{})};const S=T.prototype={createTracer:function(e,t){var r={},i=this,o="function"==typeof t;return(0,a.p)(f.xV,["API/createTracer/called"],void 0,n.K7.metrics,w),g||(0,a.p)(_+"tracer",[(0,m.t)(),e,r],i,n.K7.spa,w),function(){if(A.emit((o?"":"no-")+"fn-start",[(0,m.t)(),i,o],r),o)try{return t.apply(this,arguments)}catch(e){const t="string"==typeof e?new Error(e):e;throw A.emit("fn-err",[arguments,this,t],r),t}finally{A.emit("fn-end",[(0,m.t)()],r)}}}};function j(e,t,r,i){return function(){return(0,a.p)(f.xV,["API/"+t+"/called"],void 0,n.K7.metrics,w),i&&(0,a.p)(e+t,[(0,m.t)(),...arguments],r?null:this,i,w),r?void 0:this}}function 
k(){r.e(296).then(r.bind(r,8778)).then((({setAPI:t})=>{t(e),(0,c.Ze)(e,"api")})).catch((e=>{(0,l.R)(27,e),w.abort()}))}return["actionText","setName","setAttribute","save","ignore","onEnd","getContext","end","get"].forEach((e=>{S[e]=j(_,e,void 0,g?n.K7.softNav:n.K7.spa)})),h.setCurrentRouteName=g?j(_,"routeName",void 0,n.K7.softNav):j(E,"routeName",!0,n.K7.spa),h.noticeError=function(t,r){"string"==typeof t&&(t=new Error(t)),(0,a.p)(f.xV,["API/noticeError/called"],void 0,n.K7.metrics,w),(0,a.p)("err",[t,(0,m.t)(),!1,r,!!x[e]],void 0,n.K7.jserrors,w)},d.RI?(0,u.GG)((()=>k()),!0):k(),h}var N=r(9417),T=r(8122);const S={accountID:void 0,trustKey:void 0,agentID:void 0,licenseKey:void 0,applicationID:void 0,xpid:void 0},j={};var k=r(5284);const I=e=>{const t=e.startsWith("http");e+="/",r.p=t?e:"https://"+e};let O=!1;function P(e,t={},r,n){let{init:a,info:c,loader_config:u,runtime:l={},exposed:f=!0}=t;l.loaderType=r;const p=(0,g.pV)();c||(a=p.init,c=p.info,u=p.loader_config),(0,N.xN)(e.agentIdentifier,a||{}),function(e,t){if(!e)throw new Error("All loader-config objects require an agent identifier!");j[e]=(0,T.a)(t,S);const r=(0,g.nY)(e);r&&(r.loader_config=j[e])}(e.agentIdentifier,u||{}),c.jsAttributes??={},d.bv&&(c.jsAttributes.isWorker=!0),(0,i.x1)(e.agentIdentifier,c);const h=(0,N.D0)(e.agentIdentifier),v=[c.beacon,c.errorBeacon];O||(h.proxy.assets&&(I(h.proxy.assets),v.push(h.proxy.assets)),h.proxy.beacon&&v.push(h.proxy.beacon),E(),(0,g.US)("activatedFeatures",k.B),e.runSoftNavOverSpa&&=!0===h.soft_navigations.enabled&&h.feature_flags.includes("soft_nav")),l.denyList=[...h.ajax.deny_list||[],...h.ajax.block_internal?v:[]],l.ptid=e.agentIdentifier,(0,o.V)(e.agentIdentifier,l),e.ee=s.ee.get(e.agentIdentifier),void 0===e.api&&(e.api=_(e.agentIdentifier,n,e.runSoftNavOverSpa)),void 0===e.exposed&&(e.exposed=f),O=!0}},8374:(e,t,r)=>{r.nc=(()=>{try{return document?.currentScript?.nonce}catch(e){}return""})()},860:(e,t,r)=>{"use 
strict";r.d(t,{$J:()=>o,K7:()=>n,P3:()=>i});const n={ajax:"ajax",genericEvents:"generic_events",jserrors:"jserrors",logging:"logging",metrics:"metrics",pageAction:"page_action",pageViewEvent:"page_view_event",pageViewTiming:"page_view_timing",sessionReplay:"session_replay",sessionTrace:"session_trace",softNav:"soft_navigations",spa:"spa"},i={[n.pageViewEvent]:1,[n.pageViewTiming]:2,[n.metrics]:3,[n.jserrors]:4,[n.spa]:5,[n.ajax]:6,[n.sessionTrace]:7,[n.softNav]:8,[n.sessionReplay]:9,[n.logging]:10,[n.genericEvents]:11},o={[n.pageViewTiming]:"events",[n.ajax]:"events",[n.spa]:"events",[n.softNav]:"events",[n.metrics]:"jserrors",[n.jserrors]:"jserrors",[n.sessionTrace]:"browser/blobs",[n.sessionReplay]:"browser/blobs",[n.logging]:"browser/logs",[n.genericEvents]:"ins"}}},n={};function i(e){var t=n[e];if(void 0!==t)return t.exports;var o=n[e]={exports:{}};return r[e](o,o.exports,i),o.exports}i.m=r,i.d=(e,t)=>{for(var r in t)i.o(t,r)&&!i.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},i.f={},i.e=e=>Promise.all(Object.keys(i.f).reduce(((t,r)=>(i.f[r](e,t),t)),[])),i.u=e=>"nr-rum-1.274.0.min.js",i.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),e={},t="NRBA-1.274.0.PROD:",i.l=(r,n,o,a)=>{if(e[r])e[r].push(n);else{var s,c;if(void 0!==o)for(var u=document.getElementsByTagName("script"),d=0;d<u.length;d++){var l=u[d];if(l.getAttribute("src")==r||l.getAttribute("data-webpack")==t+o){s=l;break}}if(!s){c=!0;var f={296:"sha512-gkYkZDAwQ9PwaDXs2YM+rNIdRej1Ac1mupWobRJ8eahQcXz6/sunGZCKklrzi5kWxhOGRZr2tn0rEKuLTXzfAA=="};(s=document.createElement("script")).charset="utf-8",s.timeout=120,i.nc&&s.setAttribute("nonce",i.nc),s.setAttribute("data-webpack",t+o),s.src=r,0!==s.src.indexOf(window.location.origin+"/")&&(s.crossOrigin="anonymous"),f[a]&&(s.integrity=f[a])}e[r]=[n];var g=(t,n)=>{s.onerror=s.onload=null,clearTimeout(p);var i=e[r];if(delete e[r],s.parentNode&&s.parentNode.removeChild(s),i&&i.forEach((e=>e(n))),t)return t(n)},p=setTimeout(g.bind(null,void 
0,{type:"timeout",target:s}),12e4);s.onerror=g.bind(null,s.onerror),s.onload=g.bind(null,s.onload),c&&document.head.appendChild(s)}},i.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},i.p="https://js-agent.newrelic.com/",(()=>{var e={840:0,374:0};i.f.j=(t,r)=>{var n=i.o(e,t)?e[t]:void 0;if(0!==n)if(n)r.push(n[2]);else{var o=new Promise(((r,i)=>n=e[t]=[r,i]));r.push(n[2]=o);var a=i.p+i.u(t),s=new Error;i.l(a,(r=>{if(i.o(e,t)&&(0!==(n=e[t])&&(e[t]=void 0),n)){var o=r&&("load"===r.type?"missing":r.type),a=r&&r.target&&r.target.src;s.message="Loading chunk "+t+" failed.\n("+o+": "+a+")",s.name="ChunkLoadError",s.type=o,s.request=a,n[1](s)}}),"chunk-"+t,t)}};var t=(t,r)=>{var n,o,[a,s,c]=r,u=0;if(a.some((t=>0!==e[t]))){for(n in s)i.o(s,n)&&(i.m[n]=s[n]);if(c)c(i)}for(t&&t(r);u<a.length;u++)o=a[u],i.o(e,o)&&e[o]&&e[o][0](),e[o]=0},r=self["webpackChunk:NRBA-1.274.0.PROD"]=self["webpackChunk:NRBA-1.274.0.PROD"]||[];r.forEach(t.bind(null,0)),r.push=t.bind(null,r.push.bind(r))})(),(()=>{"use strict";i(8374);var e=i(944),t=i(6344),r=i(9566);class n{agentIdentifier;constructor(e=(0,r.LA)(16)){this.agentIdentifier=e}#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}addPageAction(e,t){return this.#e("addPageAction",e,t)}setPageViewName(e,t){return this.#e("setPageViewName",e,t)}setCustomAttribute(e,t,r){return this.#e("setCustomAttribute",e,t,r)}noticeError(e,t){return this.#e("noticeError",e,t)}setUserId(e){return this.#e("setUserId",e)}setApplicationVersion(e){return this.#e("setApplicationVersion",e)}setErrorHandler(e){return this.#e("setErrorHandler",e)}addRelease(e,t){return this.#e("addRelease",e,t)}log(e,t){return this.#e("log",e,t)}}class o extends n{#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}start(){return this.#e("start")}finished(e){return 
this.#e("finished",e)}recordReplay(){return this.#e(t.G4.RECORD)}pauseReplay(){return this.#e(t.G4.PAUSE)}addToTrace(e){return this.#e("addToTrace",e)}setCurrentRouteName(e){return this.#e("setCurrentRouteName",e)}interaction(){return this.#e("interaction")}wrapLogger(e,t,r){return this.#e("wrapLogger",e,t,r)}}var a=i(860),s=i(9417);const c=Object.values(a.K7);function u(e){const t={};return c.forEach((r=>{t[r]=function(e,t){return!0===(0,s.gD)(t,"".concat(e,".enabled"))}(r,e)})),t}var d=i(7603);var l=i(1687),f=i(4234),g=i(5289),p=i(6154),h=i(384);const v=e=>p.RI&&!0===(0,s.gD)(e,"privacy.cookies_enabled");function m(e){return!!(0,h.dV)().o.MO&&v(e)&&!0===(0,s.gD)(e,"session_trace.enabled")}var b=i(6389);class y extends f.W{constructor(e,t,r=!0){super(e.agentIdentifier,t),this.auto=r,this.abortHandler=void 0,this.featAggregate=void 0,this.onAggregateImported=void 0,!1===e.init[this.featureName].autoStart&&(this.auto=!1),this.auto?(0,l.Ak)(e.agentIdentifier,t):this.ee.on("manual-start-all",(0,b.J)((()=>{(0,l.Ak)(e.agentIdentifier,this.featureName),this.auto=!0,this.importAggregator(e)})))}importAggregator(t,r={}){if(this.featAggregate||!this.auto)return;let n;this.onAggregateImported=new Promise((e=>{n=e}));const o=async()=>{let o;try{if(v(this.agentIdentifier)){const{setupAgentSession:e}=await i.e(296).then(i.bind(i,3861));o=e(t)}}catch(t){(0,e.R)(20,t),this.ee.emit("internal-error",[t]),this.featureName===a.K7.sessionReplay&&this.abortHandler?.()}try{if(t.sharedAggregator)await t.sharedAggregator;else{t.sharedAggregator=i.e(296).then(i.bind(i,9337));const{EventAggregator:e}=await t.sharedAggregator;t.sharedAggregator=new e}if(!this.#t(this.featureName,o))return(0,l.Ze)(this.agentIdentifier,this.featureName),void n(!1);const{lazyFeatureLoader:e}=await i.e(296).then(i.bind(i,6103)),{Aggregate:a}=await e(this.featureName,"aggregate");this.featAggregate=new 
a(t,r),n(!0)}catch(t){(0,e.R)(34,t),this.abortHandler?.(),(0,l.Ze)(this.agentIdentifier,this.featureName,!0),n(!1),this.ee&&this.ee.abort()}};p.RI?(0,g.GG)((()=>o()),!0):o()}#t(e,t){switch(e){case a.K7.sessionReplay:return m(this.agentIdentifier)&&!!t;case a.K7.sessionTrace:return!!t;default:return!0}}}var w=i(6630);class A extends y{static featureName=w.T;constructor(e,t=!0){super(e,w.T,t),this.importAggregator(e)}}var R=i(9908),E=i(2843),x=i(3878),_=i(782),N=i(1863);class T extends y{static featureName=_.T;constructor(e,t=!0){super(e,_.T,t),p.RI&&((0,E.u)((()=>(0,R.p)("docHidden",[(0,N.t)()],void 0,_.T,this.ee)),!0),(0,x.sp)("pagehide",(()=>(0,R.p)("winPagehide",[(0,N.t)()],void 0,_.T,this.ee))),this.importAggregator(e))}}var S=i(3969);class j extends y{static featureName=S.TZ;constructor(e,t=!0){super(e,S.TZ,t),this.importAggregator(e)}}new class extends o{constructor(t,r){super(r),p.gm?(this.features={},(0,h.bQ)(this.agentIdentifier,this),this.desiredFeatures=new Set(t.features||[]),this.desiredFeatures.add(A),this.runSoftNavOverSpa=[...this.desiredFeatures].some((e=>e.featureName===a.K7.softNav)),(0,d.j)(this,t,t.loaderType||"agent"),this.run()):(0,e.R)(21)}get config(){return{info:this.info,init:this.init,loader_config:this.loader_config,runtime:this.runtime}}run(){try{const t=u(this.agentIdentifier),r=[...this.desiredFeatures];r.sort(((e,t)=>a.P3[e.featureName]-a.P3[t.featureName])),r.forEach((r=>{if(!t[r.featureName]&&r.featureName!==a.K7.pageViewEvent)return;if(this.runSoftNavOverSpa&&r.featureName===a.K7.spa)return;if(!this.runSoftNavOverSpa&&r.featureName===a.K7.softNav)return;const n=function(e){switch(e){case a.K7.ajax:return[a.K7.jserrors];case a.K7.sessionTrace:return[a.K7.ajax,a.K7.pageViewEvent];case a.K7.sessionReplay:return[a.K7.sessionTrace];case a.K7.pageViewTiming:return[a.K7.pageViewEvent];default:return[]}}(r.featureName).filter((e=>!(e in 
this.features)));n.length>0&&(0,e.R)(36,{targetFeature:r.featureName,missingDependencies:n}),this.features[r.featureName]=new r(this)}))}catch(t){(0,e.R)(22,t);for(const e in this.features)this.features[e].abortHandler?.();const r=(0,h.Zm)();delete r.initializedAgents[this.agentIdentifier]?.api,delete r.initializedAgents[this.agentIdentifier]?.features,delete this.sharedAggregator;return r.ee.get(this.agentIdentifier).abort(),!1}}}({features:[A,T,j],loaderType:"lite"})})()})();</script><link data-next-font="size-adjust" rel="preconnect" href="/" crossorigin="anonymous"/><link nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" rel="preload" href="/_next/static/css/ffa80ed36c27c549.css" as="style"/><link nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" rel="stylesheet" href="/_next/static/css/ffa80ed36c27c549.css" data-n-g=""/><noscript data-n-css="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4"></noscript><script defer="" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" nomodule="" src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="/_next/static/chunks/webpack-a707e99c69361791.js" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" defer=""></script><script src="/_next/static/chunks/framework-b0ec748c7a4c483a.js" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" defer=""></script><script src="/_next/static/chunks/main-dbb03be72fb978ea.js" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" defer=""></script><script src="/_next/static/chunks/pages/_app-db8f48fde056b518.js" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" defer=""></script><script src="/_next/static/chunks/4829-023fab6608607da5.js" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" defer=""></script><script src="/_next/static/chunks/pages/indicators-4d58a6418cb11837.js" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" defer=""></script><script 
src="/_next/static/l4vcnKDxIXiOkUtvMoFnX/_buildManifest.js" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" defer=""></script><script src="/_next/static/l4vcnKDxIXiOkUtvMoFnX/_ssgManifest.js" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4" defer=""></script></head><body data-base-url="https://www.tenable.com" data-ga4-tracking-id=""><div id="__next"><div class="app__wrapper"><div class="app__container"><div class="app__content"><div class="row"><div class="col-12 col-md-9 col-xl-10"><div class="row"><div class="col-md-8"><h1 class="h2">Indicators</h1><p class="page-description">Tenable Identity Exposure allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real-time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. 
Tenable Identity Exposure&#x27;s Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks.</p></div><div class="col-md-4"><h4> RSS Feeds</h4><ul class="feed-list"><li><a target="_blank" href="/indicators/feeds?type=ioa">Attack Indicators</a></li><li><a target="_blank" href="/indicators/feeds?type=ioe">Exposure Indicators</a></li></ul></div></div><div class="card"><div class="p-3 card-body"><div class="row"><div class="p-0 col"><div class="py-1 card card-body"><h4>Search</h4><input aria-label="Start typing to search indicators" placeholder="Start typing..." type="text" class="form-control form-control-search form-control" value=""/></div></div></div><div class="row"><div class="p-0 col-md-6"><div class="card card-body"><h4 class="card-title"><a href="https://www.tenable.com/indicators/ioa">Indicators of Attack<!-- --> ›</a></h4><ul class="results-list list-group"><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-Zerologon">Zerologon Exploitation</a></h5><h6 class="m-1 mb-3"><span class="badge badge-critical">critical</span></h6></div><div><p>The branded Zerologon vulnerability is related to a critical vulnerability (CVE-2020-1472) in Windows Server that has received a CVSS score of 10.0 from Microsoft. It consists of an elevation of privileges that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). 
This vulnerability allows attackers to compromise a domain and acquire domain administrator privileges.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-DCShadow">DCShadow</a></h5><h6 class="m-1 mb-3"><span class="badge badge-critical">critical</span></h6></div><div><p>DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push arbitrary changes to a domain via domain replication (for example, applying forbidden sidHistory values).</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-DnsEnumeration">DNS Enumeration</a></h5><h6 class="m-1 mb-3"><span class="badge badge-low">low</span></h6></div><div><p>DNS zone transfer is a legitimate feature to replicate a DNS zone from a primary DNS server to a secondary one, using the AXFR query type. However, attackers often abuse this mechanism during the reconnaissance phase in order to retrieve all DNS records, providing them with valuable information for attacking the environment. In particular, a successful DNS zone transfer can give an attacker useful information about the computers listed in the DNS zone, how to access them, and clues about their roles. Note that failed zone transfers (e.g., lacking the necessary rights, zone transfer not configured on the server, etc.) 
are also detected.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-ReconAdminsEnum">Enumeration of Local Administrators</a></h5><h6 class="m-1 mb-3"><span class="badge badge-low">low</span></h6></div><div><p>The local Administrators group was enumerated via the SAMR RPC interface, most likely with BloodHound/SharpHound.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-DcPasswordChange">Suspicious DC Password Change</a></h5><h6 class="m-1 mb-3"><span class="badge badge-critical">critical</span></h6></div><div><p>The critical CVE-2020-1472, known as Zerologon, is an attack that abuses a cryptography flaw in the Netlogon protocol, allowing an attacker to establish a Netlogon secure channel with a domain controller as any computer. From there, several post-exploitation techniques can be used to achieve privilege escalation, such as <strong>domain controller account password change</strong>, coerced authentication, DCSync attacks, and others. The Zerologon exploit itself — the Netlogon spoofed-authentication bypass (addressed by the IOA 'Zerologon Exploitation') — is often confused with the post-exploitation activities that follow it. This indicator focuses on <strong>one</strong> of the post-exploitation activities that can be used in conjunction with the Netlogon vulnerability: the modification of the domain controller machine account password.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-SamNameImpersonation">SAMAccountName Impersonation</a></h5><h6 class="m-1 mb-3"><span class="badge badge-high">high</span></h6></div><div><p>The critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from improper handling of requests targeting an object with a nonexistent sAMAccountName attribute. 
The domain controller automatically adds a trailing dollar sign ($) to the sAMAccountName value if it doesn't find one, which can lead to the impersonation of a targeted computer account.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-ProcessInjectionLsass">OS Credential Dumping: LSASS Memory </a></h5><h6 class="m-1 mb-3"><span class="badge badge-critical">critical</span></h6></div><div><p>After a user logs on, attackers can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-NtdsExtraction">NTDS Extraction</a></h5><h6 class="m-1 mb-3"><span class="badge badge-critical">critical</span></h6></div><div><p>NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. 
Once accessed, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-PasswordSpraying">Password Spraying</a></h5><h6 class="m-1 mb-3"><span class="badge badge-medium">medium</span></h6></div><div><p>Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords, also known as the low-and-slow method.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioa/I-PetitPotam">PetitPotam</a></h5><h6 class="m-1 mb-3"><span class="badge badge-critical">critical</span></h6></div><div><p>The PetitPotam tool can be used to coerce a target machine into authenticating to a remote system, generally to perform NTLM relay attacks. If PetitPotam targets a domain controller, an attacker can authenticate to another machine on the network by relaying the domain controller's authentication.</p> </div></li></ul><br/><h5><a href="https://www.tenable.com/indicators/ioa">See all Indicators of Attack<!-- --> ›</a></h5></div></div><div class="p-0 col-md-6"><div class="card card-body"><h4 class="card-title"><a href="https://www.tenable.com/indicators/ioe">Indicators of Exposure<!-- --> ›</a></h4><ul class="results-list list-group"><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-SERVICE-ACCOUNT">Service Accounts Misconfigurations</a></h5><h6 class="m-1 mb-3"><span class="badge badge-medium">medium</span></h6></div><div><p>Shows potential misconfigurations of domain service accounts.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-CONFLICTED-OBJECTS">Conflicting Security Principals</a></h5><h6 class="m-1 mb-3"><span class="badge 
badge-low">low</span></h6></div><div><p>Checks that there are no duplicated (conflicting) users, computers, or groups.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-SHADOW-CREDENTIALS">Shadow Credentials</a></h5><h6 class="m-1 mb-3"><span class="badge badge-high">high</span></h6></div><div><p>Detects Shadow Credentials backdoors and misconfigurations in the "Windows Hello for Business" feature and its associated key credentials.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-GUEST-ACCOUNT">Enabled Guest Account</a></h5><h6 class="m-1 mb-3"><span class="badge badge-low">low</span></h6></div><div><p>Checks that the built-in guest account is disabled.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-MSA-COMPLIANCE">Managed Service Accounts Dangerous Misconfigurations</a></h5><h6 class="m-1 mb-3"><span class="badge badge-high">high</span></h6></div><div><p>Ensures Managed Service Accounts (MSAs) are deployed and well configured.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-AAD-PRIV-SYNC">Privileged AD User Accounts Synchronized to Microsoft Entra ID</a></h5><h6 class="m-1 mb-3"><span class="badge badge-high">high</span></h6></div><div><p>Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-AUTH-SILO">Privileged Authentication Silo Configuration</a></h5><h6 class="m-1 mb-3"><span class="badge badge-high">high</span></h6></div><div><p>A step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a 
href="https://www.tenable.com/indicators/ioe/ad/C-DYNAMIC-UPDATES">Unsecure Dynamic DNS Zone Updates Allowed</a></h5><h6 class="m-1 mb-3"><span class="badge badge-high">high</span></h6></div><div><p>Checks that the DNS server configuration disallows unsecure dynamic DNS zone updates.</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-WSUS-HARDENING">WSUS Dangerous Misconfigurations</a></h5><h6 class="m-1 mb-3"><span class="badge badge-critical">critical</span></h6></div><div><p>Lists the misconfigured parameters related to Windows Server Update Services (WSUS).</p> </div></li><li class="list-group-item"><div class="clearfix"><h5><a href="https://www.tenable.com/indicators/ioe/ad/C-PROP-SET-SANITY">Property Sets Integrity</a></h5><h6 class="m-1 mb-3"><span class="badge badge-medium">medium</span></h6></div><div><p>Checks for the integrity of property sets and validates permissions</p> </div></li></ul><br/><h5><a href="https://www.tenable.com/indicators/ioe">See all Indicators of Exposure<!-- --> ›</a></h5></div></div></div></div></div></div></div></div></div><footer class="footer"><div class="container"><ul class="footer-nav"><li class="footer-nav-item"><a href="https://www.tenable.com/">Tenable.com</a></li><li class="footer-nav-item"><a href="https://community.tenable.com">Community &amp; Support</a></li><li class="footer-nav-item"><a href="https://docs.tenable.com">Documentation</a></li><li class="footer-nav-item"><a href="https://university.tenable.com">Education</a></li></ul><ul class="footer-nav footer-nav-secondary"><li class="footer-nav-item">© <!-- -->2024<!-- --> <!-- -->Tenable®, Inc. 
All Rights Reserved</li><li class="footer-nav-item"><a href="https://www.tenable.com/privacy-policy">Privacy Policy</a></li><li class="footer-nav-item"><a href="https://www.tenable.com/legal">Legal</a></li><li class="footer-nav-item"><a href="https://www.tenable.com/section-508-voluntary-product-accessibility">508 Compliance</a></li></ul></div></footer><div class="Toastify"></div></div></div><script id="__NEXT_DATA__" type="application/json" nonce="nonce-NGNhY2VjNTYtMmQzYi00NjYyLTgxNzYtZTcwY2EzMDE3YmY4">{"props":{"pageProps":{"ioeIndicators":[{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-SERVICE-ACCOUNT","_score":null,"_source":{"language_code":"en_US","codename":"C-SERVICE-ACCOUNT","name":"Service Accounts Misconfigurations","id":61,"description":"\u003cp\u003eShows potential misconfigurations of domain service accounts.\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003eService accounts require careful management to avoid common misconfigurations, such as excessive privileges, never-renewed passwords, and obsolete accounts. Attackers frequently target these accounts due to these vulnerabilities.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThis Indicator of Exposure (IoE) lists the bad practices and misconfigurations that can affect domain service accounts.\n\u003cbr\u003eDisplaying all potential misconfigurations together makes it easier to assess their impact on the overall security of the environment. For example, it highlights cases where a privileged service account is unused for an extended period.\nAlthough other IoEs cover most of these topics, this one focuses specifically on service accounts to provide a clear picture of their attack surface.\n\u003cbr\u003eThe checks performed here closely relate to those in other IoEs. 
You can refer to those IoEs for more information:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDormant Accounts\u003c/li\u003e\n\u003cli\u003eAccounts With Never Expiring Passwords\u003c/li\u003e\n\u003cli\u003eUser Account Using Old Password\u003c/li\u003e\n\u003cli\u003eManaged Service Accounts Dangerous Misconfigurations\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis IoE covers two types of domain service accounts:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eManaged Service Accounts\u003c/strong\u003e (sMSA, gMSA, and dMSA): Automatically checks for and identifies these accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClassic domain service accounts\u003c/strong\u003e: These are domain user accounts specifically created to launch services. Use the \"Whitelist service accounts using naming conventions\" option to specify the naming convention used in your environment. Populating this option is mandatory for these accounts, as the product cannot automatically identify them.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe IoE performs and displays the following checks for these service accounts:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDormant or stale service accounts\u003c/li\u003e\n\u003cli\u003eService accounts with passwords set to never expire\u003c/li\u003e\n\u003cli\u003eService accounts last password change\u003c/li\u003e\n\u003cli\u003eService accounts within privileged groups\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eA deviance in this IoE does not automatically indicate a vulnerability that attackers can directly exploit. You should view deviances as potential risks that, when combined, could pose a greater threat to your environment. 
Consider these results as toxic combinations and use the context of your environment to either improve the situation or implement mitigations.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Monitor and harden the configuration on domain service accounts","description":"Document the configuration of service accounts and fix any misconfigurations.","exec_summary":"\u003cp\u003eAttackers often target service accounts due to the challenges in managing them and the common errors in their configuration.\nWriting comprehensive documentation for each service account is the first step to reducing their risk.\nEach remaining dangerous configuration requires an associated explanation, and you must implement corrective measures to reduce the attack surface.\u003c/p\u003e\n","detail":"\u003cp\u003eService account security relies on proper management and configuration.\n\u003cbr\u003eBefore any technical actions, start by \u003cstrong\u003ecreating documentation\u003c/strong\u003e for the service accounts. This documentation should include at least the following information:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eScope\u003c/strong\u003e of the service account: Specifies the servers where this account is installed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNecessary and sufficient rights\u003c/strong\u003e for the service account: Sometimes, due to the complexity of configuration, service accounts end up with more privileges than they need.\u003cul\u003e\n\u003cli\u003eThird-party services and products should avoid configurations requiring high-privileged accounts whenever possible. 
During the proof of concept (PoC) phase for new products, challenge the vendor to limit the privileges needed to operate the service, as security at the design phase is crucial.\u003c/li\u003e\n\u003cli\u003eThe server on which the service is configured and its service account should have the same level of sensitivity within the domain.\u003cul\u003e\n\u003cli\u003eA privileged service account poses a risk only if it is configured on unprivileged servers. It should be configured exclusively on privileged systems to avoid introducing security vulnerabilities.\u003c/li\u003e\n\u003cli\u003eIf you configure a non-privileged service account on a privileged server, do not install it on lower-privileged servers. It should remain a dedicated account for the privileged server.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eType\u003c/strong\u003e of service account: Specify whether it is a custom service account (i.e., created from a standard domain user account) or a Microsoft Managed Service Account (MSA).\u003cul\u003e\n\u003cli\u003eWhenever possible and supported by the application or service, use Managed Service Accounts (MSAs) because they provide significant security improvements over manual operations. For example, MSAs make Kerberoasting attacks nearly impossible due to their strong passwords.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePassword renewal\u003c/strong\u003e for the service account:\u003cul\u003e\n\u003cli\u003eAutomatically vs. manually\u003c/li\u003e\n\u003cli\u003eIf you manage passwords manually, determine the next planned password renewal. 
Understanding the scope of the service account is essential to anticipate potential authentication issues that may arise from this change.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAudit of the password\u003c/strong\u003e of the service account: If the service account is not an MSA, audit the password regularly—either through penetration tests or using the \"Detection of Password Weaknesses\" IoE. This ensures that the password is strong enough to resist brute-force attacks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStorage of the password\u003c/strong\u003e of the service account: Only when necessary (which is not always the case, especially with MSAs), store service account passwords securely, such as in a dedicated password storage manager with appropriate permissions. Store these passwords solely for safety reasons, and limit access to them to a few trusted administrators.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRole\u003c/strong\u003e of the service or scheduled task associated with the service account: Determine whether it is a service created by IT administrators or by another user within the company on their own.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOwner\u003c/strong\u003e of the service account: Identify the person to contact for more information about a particular service.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIn conclusion, invest time in writing comprehensive documentation and create as many Managed Service Accounts as possible. 
This approach helps reduce the challenges associated with manually managing service accounts.\u003c/p\u003e\n","resources":[]},"resources":[{"name":"Best Practices for Enforcing Password Policies","url":"https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff741764(v=msdn.10)","type":"hyperlink"},{"name":"Configuring Password Policies","url":"https://learn.microsoft.com/en-us/previous-versions/tn-archive/dd277399(v=technet.10)","type":"hyperlink"},{"name":"Service accounts","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-service-accounts","type":"hyperlink"}],"applicable_resource_types":["ad_user","ad_msds_managed_service_account","ad_msds_group_managed_service_account","ad_msds_delegated_managed_service_account"],"attacker_known_tools":[{"name":"THC-Hydra","url":"https://github.com/vanhauser-thc/thc-hydra","author":"van Hauser / THC"},{"name":"John the Ripper","url":"https://www.openwall.com/john/","author":"Solar Designer"},{"name":"Hashcat","url":"https://hashcat.net/hashcat/","author":"Jens Steube"},{"name":"mimikatz","url":"https://github.com/gentilkiwi/mimikatz/releases","author":"Gentil Kiwi"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0003 - Persistence","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Indicator of Exposure","released":true,"available_languages":["zh_TW","ja_JP","zh_CN","es_001","fr_FR","de_DE","ko_KR","en_US"],"tvdb_export_source":{"file_name":"diff-202411050200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-SERVICE-ACCOUNT","created_at":"2024-11-05T02:08:18","updated_at":"2024-11-05T02:08:18"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["zh-TW","ja","zh-CN","es","fr","de","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial 
Access","url":"https://attack.mitre.org/tactics/TA0001"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078"}]},{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[61]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-CONFLICTED-OBJECTS","_score":null,"_source":{"language_code":"en_US","codename":"C-CONFLICTED-OBJECTS","name":"Conflicting Security Principals","id":60,"description":"\u003cp\u003eChecks that there are no duplicated (conflicting) users, computers, or groups.\u003c/p\u003e\n","criticity":"low","exec_summary":"\u003cp\u003eThe multi-master replication system of Active Directory generally works well, but conflicts can arise for various reasons and require manual resolution.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eActive Directory uses multi-master replication to avoid a single point of failure. While this process usually works well, conflicts can sometimes occur, leading to duplicated objects. A conflict may affect an attribute when it changes simultaneously on two distinct domain controllers with different values. This issue can also apply to an entire object, such as during its creation:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDC-1 creates a new object \"object-A\" in \"container-A\".\u003c/li\u003e\n\u003cli\u003eAt the same time, DC-2 creates a new object with the same name at the same location.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eDuplicated objects, especially users and computers, can cause confusion. 
Ideally, you should keep only one identity and remove the others. If you're unsure or want the safest approach, delete all the conflicting objects instead of choosing one to save. Clean everything to ensure clarity.\nA high number of conflicting objects could indicate an issue with the replication process and may require further investigation.\n\u003cbr\u003eThis Indicator of Exposure (IoE) checks for the following elements:\u003c/p\u003e\n\u003ch4\u003eDuplicate Relative Distinguished Names (RDN) in the same Organizational Unit (OU) or container.\u003c/h4\u003e\n\u003cp\u003eChecks whether at least two Security Principals (SP) are in the same OU or container and use the same Relative Distinguished Name (\u003ca href=\"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_22198321-b40b-4c24-b8a2-29e44d9d92b9\"\u003eRDN\u003c/a\u003e) or CN.\u003c/p\u003e\n\u003ch4\u003eDuplicate sAMAccountName\u003c/h4\u003e\n\u003cp\u003eChecks whether at least two SPs have the same sAMAccountName at creation time. After an authentication or a new creation attempt, only one sAMAccountName may retain the correct value, while the others (or all of them) get renamed to \"$DUPLICATE-xxx,\" where \"xxx\" is the RID of the object in hexadecimal.\u003c/p\u003e\n\u003ch4\u003eSame sAMAccountName\u003c/h4\u003e\n\u003cp\u003eChecks whether at least two SPs have the same sAMAccountName. 
After an authentication or a new creation attempt, only one sAMAccountName may retain the original value, and the others (or all of them) get renamed (see the \"Duplicate sAMAccountName\" reason).\n\u003cbr\u003eNotes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe \"\u003cem\u003eUnlinked, Disabled or Orphan GPO\u003c/em\u003e\" IoE reports on conflicting GPOs, whereas this IoE reports on conflicts between security principals (users, computers, and groups).\u003c/li\u003e\n\u003cli\u003eEven if an account is disabled, someone can still attempt to authenticate with it.\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Remove Duplicated Security Principals","description":"To enhance infrastructure consistency and prevent identity confusion, remove duplicated security principals.","exec_summary":"\u003cp\u003eTo enhance infrastructure consistency and prevent identity confusion, remove duplicated security principals.\u003c/p\u003e\n","detail":"\u003cp\u003eTenable does not recommend having duplicated objects because they indicate low data integrity and potentially unsolvable replication issues. This is particularly problematic with users and computers as it could prevent users or services from authenticating. 
When you encounter this situation, remove conflicting objects.\n\u003cbr\u003eThis IoE assesses the following reasons and Tenable recommends this approach:\u003c/p\u003e\n\u003ch4\u003eDuplicate RDN in the same OU or container\u003c/h4\u003e\n\u003cp\u003eDelete objects with \"CNF\" in the CN/DN attributes by executing the following PowerShell command and replacing the placeholder \u003ccode\u003e\u0026lt;Replace by the impacted CN\u0026gt;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e$domainDN = (Get-ADDomain).DistinguishedName\n\n(Get-ADObject -LDAPFilter \"(cn=\u0026lt;Replace by the impacted CN\u0026gt;\\0ACNF:*)\" -SearchBase $domainDN -Properties DistinguishedName, Cn, SamAccountName).DistinguishedName | Remove-ADUser -Confirm:$True\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eDuplicate sAMAccountName\u003c/h4\u003e\n\u003cp\u003eDelete objects with \"$DUPLICATE-xxx\" in the sAMAccountName by executing the following PowerShell command and replacing the placeholder \u003ccode\u003e\u0026lt;$DUPLICATE-xxx\u0026gt;\u003c/code\u003e or using \u003ccode\u003e$DUPLICATE-*\u003c/code\u003e to delete all objects:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e$domainDN = (Get-ADDomain).DistinguishedName\n\n(Get-ADObject -LDAPFilter \"(samaccountname=\u0026lt;`$DUPLICATE`-xxx\u0026gt;)\" -SearchBase $domainDN -Properties DistinguishedName, Cn, SamAccountName).DistinguishedName | Remove-ADUser -Confirm:$True\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eSame sAMAccountName\u003c/h4\u003e\n\u003cp\u003eIdentify the deviant object located in the wrong location and delete it by executing the following PowerShell command and replacing the placeholder \u003ccode\u003e\u0026lt;Replace by the impacted CN\u0026gt;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e$domainDN = (Get-ADDomain).DistinguishedName\n\n(Get-ADObject -LDAPFilter \"(cn=\u0026lt;Replace by the impacted CN\u0026gt;*)\" -SearchBase $domainDN -Properties 
DistinguishedName, Cn, SamAccountName).DistinguishedName | Remove-ADUser -Confirm:$True\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003eA high number of conflicting objects may indicate a replication issue and warrant further investigation.\u003c/p\u003e\n","resources":[{"name":"Active Directory: Duplicate Object Name Resolution","url":"https://learn.microsoft.com/en-us/archive/technet-wiki/15435.active-directory-duplicate-object-name-resolution","type":"hyperlink"},{"name":"Troubleshooting Directory Data Problems","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727059(v=technet.10)","type":"hyperlink"}]},"resources":[{"name":"Active Directory: Duplicate Object Name Resolution","url":"https://learn.microsoft.com/en-us/archive/technet-wiki/15435.active-directory-duplicate-object-name-resolution","type":"hyperlink"},{"name":"sAMAccountName is always unique in a Windows domain… or is it?","url":"https://blog.joeware.net/2012/01/04/2357/","type":"hyperlink"},{"name":"Using conflicting objects in Active Directory to gain privileges","url":"https://medium.com/tenable-techblog/using-conflicting-objects-in-active-directory-to-gain-privileges-243ef6a27928","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_user"],"attacker_known_tools":[],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1136 - Create Account"]},{"tactic":"TA0005 - Defense Evasion","techniques":["T1036 - Masquerading"]},{"tactic":"TA0040 - Impact","techniques":["T1489 - Service Stop"]}],"indicator_type":"Indicator of 
Exposure","released":true,"available_languages":["ja_JP","zh_CN","zh_TW","de_DE","fr_FR","ko_KR","es_001","en_US"],"tvdb_export_source":{"file_name":"diff-202411230600.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-CONFLICTED-OBJECTS","created_at":"2024-11-23T06:08:25","updated_at":"2024-11-23T06:08:25"},"severity":"low","type":"ioe","subType":"ad","availableLocales":["ja","zh-CN","zh-TW","de","fr","ko","es","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},"techniques":[{"id":"T1136","name":"Create Account","url":"https://attack.mitre.org/techniques/T1136"}]},{"tactic":{"id":"TA0005","name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"},"techniques":[{"id":"T1036","name":"Masquerading","url":"https://attack.mitre.org/techniques/T1036"}]},{"tactic":{"id":"TA0040","name":"Impact","url":"https://attack.mitre.org/tactics/TA0040"},"techniques":[{"id":"T1489","name":"Service Stop","url":"https://attack.mitre.org/techniques/T1489"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[60]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-SHADOW-CREDENTIALS","_score":null,"_source":{"language_code":"en_US","codename":"C-SHADOW-CREDENTIALS","name":"Shadow Credentials","id":59,"description":"\u003cp\u003eDetects Shadow Credentials backdoors and misconfigurations in the \"Windows Hello for Business\" feature and its associated key credentials.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eThe Shadow Credentials backdoor technique exploits the legitimate Microsoft \"Windows Hello for Business\" feature. If the Active Directory does not use this feature, it is easy to detect this persistence mechanism. 
If it does use this feature, misconfigurations could indicate compromise or poor management practices.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eMicrosoft's \"Windows Hello for Business\" (WHfB) feature addresses the growing demand for passwordless authentication solutions. As Multi-Factor Authentication (MFA) gains popularity over traditional password-based authentication, WHfB provides a Microsoft-native solution for MFA sign-in on Windows 10 and later devices. \u003c/p\u003e\n\u003cp\u003eMFA solutions from third-party vendors have traditionally required substantial effort to deploy and configure, often involving smartcards. Microsoft's \"Windows Hello for Business\" (WHfB) offers a streamlined, native MFA solution tightly integrated with Active Directory and Entra ID, making it an appealing option for enhancing security, especially for privileged domain user accounts, without the overhead of external MFA products.\n\u003cbr\u003eEntra ID supports three types of passwordless authentication:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eWindows Hello for Business\u003c/strong\u003e, which this Indicator of Exposure checks\u003c/li\u003e\n\u003cli\u003eMicrosoft Authenticator application\u003c/li\u003e\n\u003cli\u003eFIDO2 security keys\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eUnlike the standalone \"Windows Hello\" feature available on Windows workstations, WHfB only uses key-based or certificate-based authentication methods, that can be protected by a Trusted Platform Module (TPM).\u003c/p\u003e\n\u003cp\u003eWHfB satisfies the \"Smartcard is required for interactive logon\" option for user accounts and the \"Interactive logon: Require smart card\" Group Policy setting for computers, enabling seamless integration with existing smart card configurations.\u003c/p\u003e\n\u003cp\u003eWhile offering enhanced security capabilities, the WHfB feature introduces new potential risks 
and possibilities for misconfiguration that organizations must know about and mitigate appropriately.\u003c/p\u003e\n\u003ch2\u003eDeployment methods of WHfB\u003c/h2\u003e\n\u003cp\u003eDuring the WHfB enrollment process, the computer's TPM chip generates a public/private key pair for the user account and stores the private key exclusively within the TPM. If a TPM is unavailable, it encrypts the private key with DPAPI-NG and stores it locally on the disk. The usage of this key pair varies based on the selected deployment method.\n\u003cbr\u003eThe following deployment methods are available for WHfB:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e(Hybrid) Certificate Trust\u003cul\u003e\n\u003cli\u003eTraditionally, a Public Key Infrastructure (PKI) allows the KDC and a client to exchange public keys using Digital Certificates signed by a trusted Certificate Authority (CA). Smartcard deployments use the same infrastructure as Certificate Trust, but the storage location of the generated private key differs. In Certificate Trust, the TPM protects the private key, whereas in smartcard deployments, a physical card with a silicon chip stores the key.\u003c/li\u003e\n\u003cli\u003eDuring the enrollment process for Certificate Trust, the client uses the keys generated by the TPM to issue a certificate request and obtain a trusted certificate from the CA.\u003c/li\u003e\n\u003cli\u003eIn this model, a PKI (such as an AD CS server) generates certificates, and an AD FS server translates those certificates into a format that Entra ID can understand, such as OAuth or OpenID Connect.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e(Hybrid) Key Trust\u003cul\u003e\n\u003cli\u003eThis approach is useful for environments lacking the prerequisites for deploying Certificate Trust, such as a PKI (AD CS) and an AD FS server. 
However, in exchange for this simplicity and flexibility, it relies on Entra ID for various kinds of orchestration and the availability of Windows Server 2016+ servers.\u003c/li\u003e\n\u003cli\u003eUnder this model, PKINIT authentication, an extension of the Kerberos protocol, uses raw key data rather than a certificate.\u003c/li\u003e\n\u003cli\u003eDuring the Key Trust enrollment process, the TPM generates the public key and directly stores it within a new \"Key Credential\" object in the \"msDS-KeyCredentialLink\" attribute of the account.\u003c/li\u003e\n\u003cli\u003eIn this model, unlike Certificate Trust, Entra ID manages the keys, necessitating AD to retrieve them from Entra ID. Microsoft Entra Connect then synchronizes this information from Entra ID to the on-premises AD.\u003c/li\u003e\n\u003cli\u003eConsequently, the primary drawback of this deployment lies in provisioning keys to the on-premises environment, which is time-consuming due to synchronization delays with Microsoft Entra Connect and replication delays between DCs.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eCloud Kerberos Trust\u003cul\u003e\n\u003cli\u003eThis represents the latest and most advanced deployment method available. It combines the strengths of the previous two methods, offering instant provisioning (eliminating delays from multiple synchronizations), hybrid authentication, and requiring no additional infrastructure deployment (such as PKI or AD FS servers).\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAfter enrollment, when a client seeks authentication, Windows tries Kerberos PKINIT using the private key. In \"Key Trust,\" the DC decrypts pre-authentication data with the raw public key in the \"msDS-KeyCredentialLink\" attribute. 
In \"Certificate Trust,\" the DC validates the trust chain from the client's provided certificate.\n\u003cbr\u003eThe IoE primarily focuses on the \"Key Trust\" method, which attackers exploit differently through an attack known as \"Shadow Credentials.\"\u003c/p\u003e\n\u003ch2\u003eHow does WHfB (Key Trust) work in AD?\u003c/h2\u003e\n\u003cp\u003eIn Active Directory, WHfB uses a dedicated attribute on user and computer accounts called \"msDS-KeyCredentialLink\". This attribute can accommodate multiple values known as \"Key Credentials,\" representing the public part of a certificate (raw cryptographic material, distinct from a complete certificate). It facilitates authentication via Kerberos PKINIT, enabling certificate-based authentication in AD.\u003c/p\u003e\n\u003cp\u003eThis attribute can store multiple key credentials for user and computer accounts, typically corresponding to distinct linked devices, with each device requiring individual specification.\u003c/p\u003e\n\u003ch4\u003eMisconfigurations of WHfB\u003c/h4\u003e\n\u003cp\u003eMultiple misconfigurations, particularly concerning cryptographic materials, can occur with the \"msDS-KeyCredentialLink\" attribute.\u003c/p\u003e\n\u003cp\u003eSuch misconfigurations can also indicate suspicious entries such as the \"Shadow Credentials\" backdoor.\u003c/p\u003e\n\u003ch2\u003eROCA and RSA key length\u003c/h2\u003e\n\u003cp\u003eEach key credential is a specific structure that ultimately holds key cryptographic materials, such as an RSA key.\u003c/p\u003e\n\u003cp\u003eIn this case, if the RSA key size is shorter than the minimum recommended 2048-bit length, it may be feasible, with ample computational power, to retrieve the associated private key from the public key.\u003c/p\u003e\n\u003cp\u003eThe ROCA vulnerability, discovered in 2017, is another factor to consider when validating keys. 
Known as the \"Return of Coppersmith's Attack,\" this weakness enables the recovery of the private key from the public key when a device affected by this vulnerability generates the key.\u003c/p\u003e\n\u003ch2\u003eOrphan key\u003c/h2\u003e\n\u003cp\u003eSince the credentials in the \"msDS-KeyCredentialLink\" attribute must link to a specific device (one entry per device), you can verify their validity. Device registration is mandatory for WHfB implementation, so if you deploy WHfB with \"Key Trust,\" you must enable the \"device writeback\" feature in Microsoft Entra Connect.\u003c/p\u003e\n\u003cp\u003eThis detail is significant because, by default, most attack tools set the GUID representing a device (referred to as a \"Device ID\" in Entra ID and the binary structure) to a random value.\u003c/p\u003e\n\u003cp\u003eAn orphan key specifies a device ID not registered in AD, which could associate with a previously removed device (note that Microsoft does not perform automatic cleaning) or a backdoor from a \"Shadow Credentials\" attack. In both cases, it is best to remove these entries from the list of installed credentials.\u003c/p\u003e\n\u003ch2\u003eShadow Credentials attack\u003c/h2\u003e\n\u003cp\u003eThe Shadow Credentials attack exploits control over the \"msDS-KeyCredentialLink\" attribute of a user or computer account. If an attacker can modify this attribute, they can add alternative credentials for Kerberos authentication. This allows the use of a forged certificate, in addition to the regular account password (which the attacker doesn't need to know), to obtain a valid Kerberos TGT ticket. 
From this TGT, the attacker can also retrieve the LM and NTLM hashes of the compromised account using the \"UnPAC-the-hash\" attack.\n\u003cbr\u003eIn practice, during the exploitation phase of this attack, an attacker creates a self-signed certificate with a private/public key pair and then sets the public key inside of the \"msDS-KeyCredentialLink\" attribute.\u003c/p\u003e\n\u003cp\u003eThis attribute can hold multiple values, with each entry called a \"Key Credential.\" A single account can have both legitimate entries and backdoors simultaneously.\u003c/p\u003e\n\u003cp\u003eThis authentication method is separate from the password, so the backdoor remains even if the account password changes.\n\u003cbr\u003eIn addition to validating the content of the \"msDS-KeyCredentialLink\" attribute, this IoE ensures that no permission authorizes a non-privileged account to modify this attribute. By default, only members of \"Key Admins\" and \"Enterprise Key Admins\" have this permission. Also, each machine can change its attribute through the \"Validated Write\" right on this attribute.\u003c/p\u003e\n\u003ch2\u003eUnexpected sources\u003c/h2\u003e\n\u003cp\u003eFor a computer account, the content structure of a key credential differs from that of a user account.\n\u003cbr\u003eFor user accounts in the \"Key Trust\" model, Entra ID serves as the data source since Microsoft Entra Connect populates the \"msDS-KeyCredentialLink\" attribute. However, for computer accounts, the computer itself performs the enrollment process. As such, to detect a rogue key credential added on a computer account, if the source is set to Entra ID for this key credential, this is not a valid entry.\n\u003cbr\u003eMoreover, most existing attack tools typically generate a random GUID by default for the associated \"DeviceID\" in new rogue key credentials. 
This provides another detection mechanism for invalid entries, specifically for user accounts (unlike the previous method for computer accounts). This validation occurs through \"Orphan key\" tests, ensuring that a legitimate device links to the key credential.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Analyze and Remediate Risks in Windows Hello for Business Key Credentials Configuration","description":"To mitigate the risks of potential privilege escalation or the installation of backdoors (such as Shadow Credentials) by attackers, it is essential to assess thoroughly and correct the configuration of key credentials in Windows Hello for Business.\n","exec_summary":"\u003cp\u003eMisconfigurations of key credentials in the Windows Hello for Business feature can have a significant impact on Active Directory security, potentially introducing alternative authentication methods. Therefore, it is imperative to give them thorough attention and supervision.\u003c/p\u003e\n","detail":"\u003cp\u003eWhen deployed with the \"Key Trust\" model, the \"Windows Hello for Business\" feature can introduce various misconfigurations even in legitimate usage scenarios. Furthermore, even if not actively deployed in your environment, attackers might exploit the underlying technical features to establish authentication-related backdoors.\u003c/p\u003e\n\u003ch4\u003eMisconfigurations of key credentials\u003c/h4\u003e\n\u003cp\u003eYou can fix most misconfigurations flagged in this Indicator of Exposure by addressing the single \"msDS-KeyCredentialLink\" attribute.\u003c/p\u003e\n\u003cp\u003eIt's worth noting that Microsoft lacks an official built-in tool to remove individual problematic \"Key Credentials\" within this attribute, which can store multiple entries at once.\u003c/p\u003e\n\u003cp\u003eHowever, Microsoft provides a methodology along with the \u003ccode\u003eWHfBTools\u003c/code\u003e external tool. 
(Please note that this tool had security issues upon its initial release, so review its code before execution.)\n\u003cbr\u003eIf feasible, we recommend removing all \"Key Credentials\" associated with an account. However, this requires re-enrollment of the account, which can be challenging and time-consuming. Nevertheless, if you are certain that your environment does not use WHfB, this procedure is the safest and most efficient option.\n\u003cbr\u003eTo remove all \"Key Credentials\" associated with an account, apply the following procedure: (\u003cstrong\u003eNote: Adapt it to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; Set-ADUser -Identity user-to-fix -Clear 'msDS-KeyCredentialLink' # For a user account\nPS\u0026gt; Set-ADComputer -Identity computer-to-fix$ -Clear 'msDS-KeyCredentialLink' # For a computer account\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eCorrect dangerous permissions set on accounts\u003c/h4\u003e\n\u003cp\u003eYou can make permission modifications using the GUI (ADSI Edit) or PowerShell commands.\n\u003cbr\u003eTo reset the \u003cstrong\u003eowner\u003c/strong\u003e of an account, apply the following procedure: (\u003cstrong\u003eNote: Adapt it to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $accountPath = \"AD:CN=user-to-fix,CN=Users,DC=DOMAIN,DC=CORP\"\nPS\u0026gt; $securityPrincipalAccount = \"DOMAIN\\Domain Admins\"\nPS\u0026gt; $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)\nPS\u0026gt; $aclAccount = Get-Acl -Path $accountPath\nPS\u0026gt; $aclAccount.SetOwner($securityPrincipalObject)\nPS\u0026gt; $aclAccount | Set-Acl -Path $accountPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo remove a problematic \u003cstrong\u003eACE\u003c/strong\u003e from an account, apply the following 
procedure: (\u003cstrong\u003eNote: Adapt it to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $accountPath = \"AD:CN=user-to-fix,CN=Users,DC=DOMAIN,DC=CORP\"\nPS\u0026gt; $aclAccount = Get-Acl -Path $accountPath\nPS\u0026gt; $aceToRemove = $aclAccount.Access | ? { $_.IdentityReference -eq 'DOMAIN\\unpriv' }\nPS\u0026gt; $aclAccount.RemoveAccessRule($aceToRemove)\nPS\u0026gt; $aclAccount | Set-Acl -Path $accountPath\n\u003c/code\u003e\u003c/pre\u003e\n","resources":[{"name":"Using WHfBTools PowerShell module for cleaning up orphaned Windows Hello for Business Keys","url":"https://support.microsoft.com/en-us/topic/using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hello-for-business-keys-779d1f3f-bb2d-c495-0f6b-9aeb940eeafb","type":"hyperlink"},{"name":"Windows Hello for Business","url":"https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/","type":"hyperlink"},{"name":"Windows Hello Cloud Trust","url":"https://syfuhs.net/windows-hello-cloud-trust","type":"hyperlink"},{"name":"Detecting shadow credentials","url":"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/","type":"hyperlink"}]},"resources":[{"name":"Black Hat Europe 2019 - Exploiting Windows Hello for Business","url":"https://www.dsinternals.com/assets/documents/eu-19-Grafnetter-Exploiting-Windows-Hello-for-Business.pdf","type":"hyperlink"},{"name":"Shadow Credentials Abusing Key Trust Account Mapping for Account Takeover","url":"https://eladshamir.com/2021/06/21/Shadow-Credentials.html","type":"hyperlink"},{"name":"Shadow Credentials","url":"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials","type":"hyperlink"},{"name":"Parsing the msDS-KeyCredentialLink value for ShadowCredentials 
attack","url":"https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/","type":"hyperlink"},{"name":"WHfB and Entra ID - Say hello to your new cache flow","url":"https://www.synacktiv.com/publications/whfb-and-entra-id-say-hello-to-your-new-cache-flow.html","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[{"name":"DSInternals","url":"https://github.com/MichaelGrafnetter/DSInternals","author":"Michael Grafnetter"},{"name":"Whisker","url":"https://github.com/eladshamir/Whisker","author":"Elad Shamir"},{"name":"pywhisker","url":"https://github.com/ShutdownRepo/pywhisker","author":"Charlie Bromberg"}],"category_id":5,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]},{"tactic":"TA0006 - Credential Access","techniques":["T1556 - Modify Authentication Process"]}],"indicator_type":"Indicator of Exposure","released":true,"available_languages":["es_001","zh_TW","fr_FR","ko_KR","de_DE","ja_JP","zh_CN","en_US"],"tvdb_export_source":{"file_name":"diff-202411230600.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-SHADOW-CREDENTIALS","created_at":"2024-11-23T06:08:25","updated_at":"2024-11-23T06:08:25"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["es","zh-TW","fr","ko","de","ja","zh-CN","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098"}]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"},"techniques":[{"id":"T1556","name":"Modify Authentication 
Process","url":"https://attack.mitre.org/techniques/T1556"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[59]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-GUEST-ACCOUNT","_score":null,"_source":{"language_code":"en_US","codename":"C-GUEST-ACCOUNT","name":"Enabled Guest Account","id":58,"description":"\u003cp\u003eChecks that the built-in guest account is disabled.\u003c/p\u003e\n","criticity":"low","exec_summary":"\u003cp\u003eBy default, the guest account is disabled in Active Directory. Enabling this account introduces security risks by allowing anonymous access to the domain, which threat actors might use to conduct reconnaissance and potentially compromise network integrity by accessing sensitive data and enumerating accounts.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eAs \u003ca href=\"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts#guest-account\"\u003estated by Microsoft\u003c/a\u003e, the guest account is a default account that has limited access to computers of the domain (or locally) and is disabled by default. By default, the guest account password is left blank, which allows this account to be accessed without requiring the user to enter a password.\nEnabling the guest account exposes the network to unauthorized access, granting individuals access to its resources. This can facilitate reconnaissance, which is often the initial phase of an attack.\nAlso, disabling the guest account enhances traceability. 
If individuals use this account, it can obscure their actions, complicating the tracking and understanding of user activity.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Disable the guest account","description":"Do not enable the guest account.","exec_summary":"\u003cp\u003eDisable the guest account to avoid anonymous logins.\u003c/p\u003e\n","detail":"\u003cp\u003eTenable recommends keeping the guest account disabled to prevent anonymous access to the domain, thus aiding in reducing the attack surface.\nYou can disable the guest account in the following ways:\u003c/p\u003e\n\u003ch4\u003eGUI\u003c/h4\u003e\n\u003cp\u003eUsing a graphical user interface (GUI):\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen Active Directory Users and Computers.\u003c/li\u003e\n\u003cli\u003eNavigate to the default location \u003ccode\u003eCN=Users, DC=\u0026lt;domain\u0026gt;, DC=\u003c/code\u003e. If you moved it, navigate to the new location.\u003c/li\u003e\n\u003cli\u003eRight-click on the \u003ccode\u003eGuest\u003c/code\u003e account. If you renamed it, right-click on the new name.\u003c/li\u003e\n\u003cli\u003eClick on \"Disable account\".\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch4\u003ePowerShell\u003c/h4\u003e\n\u003cp\u003eRun the following \u003ca href=\"https://learn.microsoft.com/en-us/powershell/module/activedirectory/disable-adaccount\"\u003ePowerShell\u003c/a\u003e command. 
If you renamed the account, replace \u003ccode\u003eGuest\u003c/code\u003e with its new name:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-powershell\"\u003eDisable-ADAccount -Identity Guest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNote: If the guest account re-enables itself automatically, check for a Group Policy Object (GPO) with the security policy setting \u003ca href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-guest-account-status\"\u003eAccounts: Guest account status\u003c/a\u003e.\nIf this GPO exists, set it to \u003ccode\u003eDisable\u003c/code\u003e. This Indicator of Exposure checks only for the account status and not the GPO parameter.\u003c/p\u003e\n","resources":[{"name":"Accounts: Guest account status - security policy setting","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-guest-account-status","type":"hyperlink"}]},"resources":[{"name":"Active Directory Security Assessment Checklist - Guest account enabled","url":"https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html#vuln_guest","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0001 - Initial Access","techniques":["T1078.001 - Default Accounts"]},{"tactic":"TA0043 - Reconnaissance","techniques":["T1590 - Gather Victim Network Information"]},{"tactic":"TA0043 - Reconnaissance","techniques":["T1595 - Active Scanning"]}],"indicator_type":"Indicator of 
Exposure","released":true,"available_languages":["fr_FR","de_DE","zh_TW","ja_JP","es_001","ko_KR","zh_CN","en_US"],"tvdb_export_source":{"file_name":"all-202410091000.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-GUEST-ACCOUNT","created_at":"2024-10-09T17:22:17","updated_at":"2024-10-09T17:22:17"},"severity":"low","type":"ioe","subType":"ad","availableLocales":["fr","de","zh-TW","ja","es","ko","zh-CN","en"],"mitre_attack_information":[{"tactic":{"id":"TA0001","name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001"},"techniques":[{"id":"T1078.001","name":"Default Accounts","url":"https://attack.mitre.org/techniques/T1078/001"}]},{"tactic":{"id":"TA0043","name":"Reconnaissance","url":"https://attack.mitre.org/tactics/TA0043"},"techniques":[{"id":"T1590","name":"Gather Victim Network Information","url":"https://attack.mitre.org/techniques/T1590"}]},{"tactic":{"id":"TA0043","name":"Reconnaissance","url":"https://attack.mitre.org/tactics/TA0043"},"techniques":[{"id":"T1595","name":"Active Scanning","url":"https://attack.mitre.org/techniques/T1595"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[58]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-MSA-COMPLIANCE","_score":null,"_source":{"language_code":"en_US","codename":"C-MSA-COMPLIANCE","name":"Managed Service Accounts Dangerous Misconfigurations","id":57,"description":"\u003cp\u003eEnsures Managed Service Accounts (MSAs) are deployed and well configured.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eMSAs (Managed Service Accounts) provide a secure way to manage Active Directory service accounts. A MSA has its own complex password which is maintained automatically, as computer accounts do. This feature should be deployed and correctly configured so that no illegitimate user account can compromise them (e.g. 
through \"Kerberoasting\" attacks)\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eA service account, according to Microsoft's definition, is a user account that is created explicitly to provide a security context for services running on Windows operating systems. The security context determines the service's ability to access local and network resources.\u003c/p\u003e\n\u003cp\u003eService accounts, if they are classic domain users, are prone to a well-known attack named Kerberoasting, because service account passwords may be weak and guessed offline by an attacker. The Managed Service Accounts feature addresses this issue by providing service accounts that are automatically managed and have a strong password.\nDepending on the privileges of a service account, its compromise can lead to a direct Active Directory compromise. Note that service accounts should follow the least-privilege model and be granted only the rights and permissions they require to run their services, whether they are classic service accounts or Managed Service Accounts.\n\u003cbr\u003eIt is also worth considering that Managed Service Accounts have to be correctly configured so that no illegitimate user can elevate their privileges by compromising one of these accounts.\u003c/p\u003e\n\u003cp\u003eIndeed, even if MSAs add an abstraction layer in terms of administrative tasks and enhance service account security, Active Directory administrators have to take care that MSAs are properly configured and that no permissive rights could create an attack path to those accounts.\n\u003cbr\u003eThere are two types of MSAs, standalone (sMSA) and group (gMSA):\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003esMSA (Standalone Managed Service Accounts) are tied to only one computer; they cannot be reused across multiple servers. 
sMSAs provide automatic password management, simplified service principal name (SPN) management and the ability to delegate management to other administrators. The password is managed and renewed by the computer itself and then communicated to a domain controller.\u003c/li\u003e\n\u003cli\u003egMSA (Group Managed Service Accounts) provide the same functionality within the domain as sMSAs but also extend that functionality over multiple servers. For a gMSA, the password is computed (and renewed) by a domain controller and requested by computers hosting the gMSA.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eGoals of the IoE\u003c/h4\u003e\n\u003cp\u003eIn this IoE, multiple checks are made to ensure that:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrerequisites are met to install MSAs and use them\u003c/li\u003e\n\u003cli\u003eMSAs exist and are well configured\u003c/li\u003e\n\u003cli\u003eNo control path exists which could lead to an MSA compromise\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth types (sMSA \u0026amp; gMSA) of Managed Service Accounts are supported by this IoE.\u003c/p\u003e\n\u003ch4\u003eAttacks on Group Managed Service Accounts\u003c/h4\u003e\n\u003cp\u003eBecause for gMSAs the password is generated by a domain controller, there is a specific attribute that exists on gMSA objects to store this password (on top of the NTLM and LM hash attributes): the \u003ccode\u003emsDS-ManagedPassword\u003c/code\u003e attribute. Being able to read this attribute (after some decoding) means that it is possible to authenticate as this service account to the resources it has access to. Having the rights to do so is a persistence mechanism in Active Directory.\u003c/p\u003e\n\u003cp\u003eFor normal objects and attributes, a security descriptor is used to determine the ACLs that are configured on an object. 
This specific attribute does not work like other typical attributes and relies upon a dedicated attribute instead: the \u003ccode\u003emsDS-GroupMSAMembership\u003c/code\u003e attribute, which is also formatted as a security descriptor, but specialized. If an attacker is able to write a value inside this attribute, it is possible to add an entry in the permissions list to allow an account to read the gMSA password. As such, this last attribute is monitored for potential misconfigurations or backdoors.\nBoth the content of this attribute and its permissions need to be validated, to ensure that no unprivileged account can modify it.\n\u003cbr\u003eAnother attack related to gMSA accounts is \u003ccode\u003eGolden GMSA\u003c/code\u003e. This attack addresses some technical limitations of the previous attack by being able to directly generate the password of a gMSA, completely offline. It relies on the control of the KDS root key that was used to generate the password of the gMSA.\nThe \u003ccode\u003emsKds-RootKeyData\u003c/code\u003e attribute of a KDS root key contains the cryptographic material that attackers use to generate passwords, and it is monitored as well.\n\u003cbr\u003eRemark: This KDS root key check can only be done if the T.IE account used to crawl and monitor the Active Directory has access to this attribute. By default, no unprivileged account has the right to read KDS root key attributes, which means that most of the time, this check cannot be executed by the product. Setting permissions to allow the product to have access to this data can be dangerous, because it could allow an elevation of privileges, and is not recommended. 
But if the service account that is used is already a highly privileged account, this check will be performed.\nAs such, KDS root key checks are executed as best-effort, when the necessary information is available.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Deploy and Correct Errors for Managed Service Accounts","description":"The Managed Service Account (MSA) feature is a good security practice when service accounts are required.\n","exec_summary":"\u003cp\u003eService accounts should be configured as Managed Service Accounts (MSAs) and secured properly, to avoid potential elevation of privileges and persistence mechanisms.\u003c/p\u003e\n","detail":"\u003ch4\u003eBenefits of using Managed Service Accounts\u003c/h4\u003e\n\u003cp\u003eOne of the most interesting features that Windows Server 2008R2 introduced is Managed Service Accounts (initially standalone MSAs). This feature allows you to create an account in Active Directory that is tied to a specific set of computers (one or more). That account has its own complex password which is maintained automatically (either by the computer itself or by domain controllers).\nThis means that an MSA can run services on a computer in a secure and easy-to-maintain manner, while maintaining the capability to connect to network resources in the domain as a specific user principal. MSAs should therefore be preferred whenever service accounts are required, in particular because having a strong password prevents Kerberoasting attacks.\n\u003cbr\u003eHowever, MSAs do not protect secrets if the computer hosting the MSA has been compromised. 
Indeed, in order to ensure proper authentication for service accounts, their passwords are stored locally, in the registry (using a reversible format).\nIf a host is identified as compromised, every account running a service on it (whether classic service account or MSA) should be considered compromised as well, disabled, and re-created from scratch.\u003c/p\u003e\n\u003ch4\u003eNo DC having the required OS version for gMSA\u003c/h4\u003e\n\u003cp\u003eTo support both sMSA and gMSA, at least one domain controller of the domain should be updated to Windows Server 2012 or above. There is no specific requirement for the domain functional level and forest functional level.\u003c/p\u003e\n\u003ch4\u003eNo MSA configured for the domain\u003c/h4\u003e\n\u003cp\u003eWhen there is a product that requires a domain service account to run a service on a Windows computer, MSAs should be preferred. In some situations, this is not supported by the product. In that case, the service account needs to be carefully managed manually. It should have a complex password that is changed regularly. Documentation should exist that references all those service accounts and what needs to be done for them and when.\u003c/p\u003e\n\u003ch4\u003eMSA with high privileges\u003c/h4\u003e\n\u003cp\u003eMSAs can be installed on all types of domain computers. If an MSA is identified as privileged, it should be validated that the computers using this account are also on the same privileged level. For example, having an MSA that is a member of a privileged group like \"Domain Admins\" does not increase the risks if the targeted computer is a domain controller. 
But if this account is used for other types of servers from a lower tier, this becomes a high security risk for the AD environment.\nBe careful with service accounts used for backups or for monitoring computers: they usually have more rights on the domain than they require locally on each computer.\u003c/p\u003e\n\u003cp\u003eThe least amount of privileges should be given to MSAs, and there should be as few of them as possible in the privileged groups of the domain. Remove those MSAs from the members of those groups if they are not strictly required.\u003c/p\u003e\n\u003ch4\u003eMSA (with privileges) without AES support\u003c/h4\u003e\n\u003cp\u003eIt is good practice to support the AES encryption algorithm for MSAs. This is the case by default, so if it is not, this configuration has probably been changed.\nUse PowerShell to revert it to the default correct value. For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject -Identity \"CN=gMSA,CN=Managed Service Accounts,DC=DOMAIN,DC=CORP\" -Replace @{'msDS-SupportedEncryptionTypes'=\"28\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eAccounts able to read the (privileged) gMSA password\u003c/h4\u003e\n\u003cp\u003eThe only accounts that should be able to read a gMSA password are the computers that are using it.\nIf the accounts specified here are legitimate (they cannot be if they are user accounts and not computer accounts), this means that the configuration is not complete and that the \"msDS-HostServiceAccount\" attribute is not set on those computer accounts.\u003c/p\u003e\n\u003cp\u003eUse PowerShell to reset the computers that are able to read this password. You should include all computer names that will use this gMSA, not only the new ones to allow. 
For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADServiceAccount -Identity \"gMSA\" -PrincipalsAllowedToRetrieveManagedPassword \"WIN10$\",\"WIN11$\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor legitimate computer accounts, to complete the configuration on those computers, use the \"Add-ADComputerServiceAccount\" cmdlet for each of them. For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Add-ADComputerServiceAccount -Identity \"WIN10$\" -ServiceAccount \"gMSA\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eUnsafe permissions on MSA account \u0026amp; Unsafe owner for MSA account\u003c/h4\u003e\n\u003cp\u003eYou can make permission modifications through the GUI (ADSI Edit) or by using PowerShell commands.\u003c/p\u003e\n\u003cp\u003eIf you need to reset the \u003cstrong\u003eowner\u003c/strong\u003e of a MSA, the procedure is as follows (\u003cstrong\u003eNote: Adapt this to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $securityPrincipalAccount = \"DOMAIN\\Domain Admins\"\nPS\u0026gt; $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)\nPS\u0026gt; $msaPath = \"AD:CN=gMSA,CN=Managed Service Accounts,DC=DOMAIN,DC=CORP\"\nPS\u0026gt; $msa = Get-Acl -Path $msaPath\nPS\u0026gt; $msa.SetOwner($securityPrincipalObject)\nPS\u0026gt; $msa | Set-Acl -Path $msaPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf you need to remove a problematic \u003cstrong\u003eACE\u003c/strong\u003e from a property set, you can follow the procedure below (\u003cstrong\u003eNote: Adapt this to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $msaPath = \"AD:CN=gMSA,CN=Managed Service Accounts,DC=DOMAIN,DC=CORP\"\nPS\u0026gt; $msa = Get-Acl -Path $msaPath\nPS\u0026gt; $aceToRemove = $msa.Access | ? 
{ $_.ActiveDirectoryRights -eq 'WriteProperty' -and $_.IdentityReference -eq 'DOMAIN\\unpriv' }\nPS\u0026gt; $msa.RemoveAccessRule($aceToRemove)\nPS\u0026gt; $msa | Set-Acl -Path $msaPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003eUnsafe permissions on KDS root key \u0026amp; Unsafe owner for KDS root key\u003c/h4\u003e\n\u003cp\u003eUse similar commands as the previous example to change the owner of a KDS root key back to the default one, which is \"Enterprise Admins\", and to remove dangerous ACEs.\u003c/p\u003e\n","resources":[{"name":"Secure group managed service accounts","url":"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-group-managed","type":"hyperlink"},{"name":"How to recover from a Golden gMSA attack","url":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/recover-from-golden-gmsa-attack","type":"hyperlink"}]},"resources":[{"name":"Group Managed Service Accounts Overview","url":"https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview","type":"hyperlink"},{"name":"gMSA Active Directory Attacks","url":"https://www.semperis.com/blog/golden-gmsa-attack/","type":"hyperlink"},{"name":"Retrieving Cleartext GMSA Passwords from Active Directory","url":"https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/","type":"hyperlink"},{"name":"Step-by-Step - How to work with Group Managed Service Accounts (gMSA)","url":"https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-how-to-work-with-group-managed-service-accounts/ba-p/329864","type":"hyperlink"},{"name":"Windows Server 2012 - Group Managed Service 
Accounts","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-server-2012-group-managed-service-accounts/ba-p/255910","type":"hyperlink"}],"applicable_resource_types":["ad_domain_dns","ad_msds_group_managed_service_account","ad_msds_managed_service_account","ad_ms_kds_prov_root_key"],"attacker_known_tools":[{"name":"GoldenGMSA","url":"https://github.com/Semperis/GoldenGMSA","author":"Yuval Gordon"},{"name":"DSInternals","url":"https://github.com/MichaelGrafnetter/DSInternals","author":"Michael Grafnetter"}],"category_id":2,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Indicator of Exposure","released":true,"available_languages":["zh_TW","fr_FR","es_001","zh_CN","ko_KR","ja_JP","de_DE","en_US"],"tvdb_export_source":{"file_name":"diff-202411050200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-MSA-COMPLIANCE","created_at":"2024-11-05T02:08:18","updated_at":"2024-11-05T02:08:18"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["zh-TW","fr","es","zh-CN","ko","ja","de","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[57]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-AAD-PRIV-SYNC","_score":null,"_source":{"language_code":"en_US","codename":"C-AAD-PRIV-SYNC","name":"Privileged AD User Accounts Synchronized to Microsoft Entra ID","id":56,"description":"\u003cp\u003eChecks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eSynchronizing privileged Active Directory accounts to Microsoft Entra ID poses a risk, enabling attackers to pivot from a 
compromised Entra ID tenant to on-premises Active Directory, facilitating their migration from the cloud.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eActive Directory domain users can be synchronized to an Entra ID tenant, achieving a \"hybrid\" status using either or both of the following tools (\u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync#comparison-between-azure-ad-connect-and-cloud-sync\"\u003ecomparison\u003c/a\u003e):\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-ad-connect-v2\"\u003eMicrosoft Entra Connect Sync\u003c/a\u003e (formerly \"Azure AD Connect\").\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync\"\u003eMicrosoft Entra Cloud Sync\u003c/a\u003e (formerly \"Azure AD Connect Cloud Sync\").\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cbr\u003eBased on \u003ca href=\"https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices#centralize-identity-management\"\u003eMicrosoft identity security best practices\u003c/a\u003e:\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003eDon't synchronize accounts to Microsoft Entra ID that have high privileges in your existing Active Directory instance.\nDon't change the default Microsoft Entra Connect configuration that filters out these accounts. 
This configuration mitigates the risk of attackers pivoting from cloud to on-premises assets (which could create a major incident).\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e\u003cbr\u003eThis vulnerability could allow an attacker to exploit a hybrid account with privileges in AD using techniques such as:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePhishing to steal the Entra ID password, which is identical to the AD password.\u003c/li\u003e\n\u003cli\u003eForcing a password change in Entra ID, triggering synchronization to AD through \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback\"\u003epassword writeback\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe IoE check operates on a \u003cstrong\u003ebest-effort\u003c/strong\u003e basis, relying solely on information available from Active Directory and not from Entra ID. The algorithm is outlined below.\n\u003cbr\u003eMicrosoft Entra Connect uses a \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-design-concepts#sourceanchor\"\u003esourceAnchor\u003c/a\u003e attribute to uniquely identify an object as being the same object in AD and in Entra ID. The attribute is also called \u003ccode\u003eimmutableId\u003c/code\u003e.\n\u003cbr\u003eIn default settings, earlier versions of Microsoft Entra Connect (version 1.1.486.0 from April 2017 and earlier) used \u003ccode\u003eobjectGUID\u003c/code\u003e as the \u003ccode\u003esourceAnchor\u003c/code\u003e attribute. Conversely, newer versions (version 1.1.524.0 from May 2017 and later) default to using \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e as the \u003ccode\u003esourceAnchor\u003c/code\u003e attribute whenever feasible.\n\u003cbr\u003eThis IoE \u003cstrong\u003edetects hybrid accounts by inspecting the populated \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute\u003c/strong\u003e. 
If an alternative attribute acts as the source anchor, or if permission issues prevent the attribute from being populated, the IoE may overlook hybrid accounts, leading to false negatives. Typically, Entra Connect version 1.1.524.0 from May 2017 and later prefers the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute, but you can specify another attribute during installation. If a third-party tool already uses \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e, the Microsoft Entra Connect wizard defaults to \u003ccode\u003eobjectGUID\u003c/code\u003e as the \u003ccode\u003esourceAnchor\u003c/code\u003e attribute.\nMoreover, Microsoft retired Azure AD Connect V1 on August 31, 2022, and no longer supports it. Azure AD Connect V2 succeeded it, and later, Microsoft Entra Connect V2 took its place after the Entra ID renaming.\n\u003cbr\u003e\u003cstrong\u003eNote:\u003c/strong\u003e The population of the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute is unlikely for hybrid users with AD privileges. This is because, by default, the Entra Connect / Cloud Sync AD service account lacks the \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-design-concepts#permission-required\"\u003epermission\u003c/a\u003e to write on AD user accounts protected by the AdminSDHolder mechanism (indicated by \u003ccode\u003eadminCount=1\u003c/code\u003e and where inheritance is disabled). Unfortunately, this prevents the IoE from flagging these as deviants, leading to false negatives. 
You can detect this issue by checking for \"\u003ca href=\"https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/troubleshoot-permission-issue-sync-service-manager\"\u003epermission-issue\u003c/a\u003e\" errors in the Entra Connect \"Synchronization Service Manager\" logs.\nThis is not an issue if you \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account#configure-ms-ds-consistency-guid-permissions\"\u003egive more permissions to the service account\u003c/a\u003e by using \u003ccode\u003eSet-ADSyncMsDsConsistencyGuidPermissions\u003c/code\u003e with \u003ccode\u003e-IncludeAdminSdHolders\u003c/code\u003e. However, Tenable does not recommend doing this in any case since these privileged AD user accounts must not be hybrid.\n\u003cbr\u003eAlthough the \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/plan-cloud-sync-topologies#things-to-remember-about-all-scenarios-and-topologies\"\u003eMicrosoft Entra Cloud Sync supported topologies and scenarios\u003c/a\u003e guide states:\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003eThe source anchor for objects is chosen automatically. It uses \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e if present, otherwise ObjectGUID is used.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eTenable did not observe that Entra Cloud Sync populated automatically the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute. This could lead to incomplete results if Entra Cloud Sync is the sole method used to synchronize users to Entra ID. 
In this case, you can safely disable this IoE.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Avoid hybrid synchronization of privileged Active Directory accounts with Entra ID.","description":"Do not synchronize highly privileged Active Directory accounts to Microsoft Entra ID.","exec_summary":"\u003cp\u003eConfigure filtering in Entra Connect / Cloud Sync to exclude privileged Active Directory accounts from synchronization.\u003c/p\u003e\n","detail":"\u003cp\u003eConfigure filtering in either Entra Connect or Entra Cloud Sync as applicable to exclude privileged Active Directory user accounts from synchronization.\nDefault rules automatically ignore certain accounts like \u003ccode\u003ekrbtgt\u003c/code\u003e, \u003ccode\u003eGuest\u003c/code\u003e, \u003ccode\u003eMSOL_...\u003c/code\u003e, and the built-in \u003ccode\u003eAdministrator\u003c/code\u003e. However, other privileged users such as Domain Admins members do not get excluded by default, which poses a security risk when they synchronize to Entra ID. Configure the filtering manually to address this.\n\u003cbr\u003eFollowing best practices, store privileged users in a dedicated Tier-0 Organization Unit (OU). 
Use \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering#organizational-unitbased-filtering\"\u003eorganizational unit-based filtering\u003c/a\u003e in Entra Connect or the \u003ca href=\"https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure#scope-provisioning-to-specific-users-and-groups\"\u003escope provisioning to specific users and groups\u003c/a\u003e method for Entra Cloud Sync to exclude this Tier-0 OU from synchronization.\n\u003cbr\u003eAfter configuring the filtering and removing privileged users from synchronization, clear the value of the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute (indicated in the vulnerability details) to clean the AD object. This ensures that the IoE no longer considers user accounts as hybrid and resolves the deviance(s). Use the following PowerShell command to reset the value of the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute and replace the \"user-to-clean-CN\" with the CN of the applicable user:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Get-ADUser -Filter 'CN -like \"user-to-clean-CN\"' -Properties CN,mS-DS-ConsistencyGuid | Set-ADUser -Clear mS-DS-ConsistencyGuid\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003e\u003cstrong\u003eNote\u003c/strong\u003e: If a privileged user has synchronized at least once, even a long time ago, and if you did not clean the attribute, the IoE generates a deviance because the \u003ccode\u003ems-DS-ConsistencyGuid\u003c/code\u003e attribute indicates ongoing synchronization.\u003c/p\u003e\n","resources":[{"name":"Azure Identity Management and access control security best practices","url":"https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices#centralize-identity-management","type":"hyperlink"}]},"resources":[{"name":"Azure Identity Management and access control security best 
practices","url":"https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices#centralize-identity-management","type":"hyperlink"},{"name":"Démos d'attaques par rebond en environnement hybride Active Directory-Azure AD (French)","url":"https://www.slideshare.net/IdentityDays/dmos-dattaques-par-rebond-en-environnement-hybride-active-directoryazure-ad","type":"hyperlink"}],"applicable_resource_types":["ad_user"],"attacker_known_tools":[],"category_id":2,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]},{"tactic":"TA0006 - Credential Access","techniques":["T1556 - Modify Authentication Process"]},{"tactic":"TA0008 - Lateral Movement","techniques":["T1021 - Remote Services: Cloud Services"]}],"indicator_type":"Indicator of Exposure","released":true,"available_languages":["ja_JP","ko_KR","zh_TW","de_DE","zh_CN","es_001","fr_FR","en_US"],"tvdb_export_source":{"file_name":"diff-202411130200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-AAD-PRIV-SYNC","created_at":"2024-11-13T02:08:14","updated_at":"2024-11-13T02:08:14"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["ja","ko","zh-TW","de","zh-CN","es","fr","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078"}]},{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"},"techniques":[{"id":"T1556","name":"Modify Authentication Process","url":"https://attack.mitre.org/techniques/T1556"}]},{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008"},"techniques":[{"id":"T1021","name":"Remote Services: Cloud 
Services","url":"https://attack.mitre.org/techniques/T1021"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[56]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-AUTH-SILO","_score":null,"_source":{"language_code":"en_US","codename":"C-AUTH-SILO","name":"Privileged Authentication Silo Configuration","id":55,"description":"\u003cp\u003eA step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eProper management of privileged accounts (users and computers) is important for security to limit the risks of a full Active Directory (AD) environment compromise. In the most recent versions of Windows (Windows Server 2012R2+), Microsoft provides features and a technical design to protect adequately such accounts using authentication silos and policies.\nThis Indicator of Exposure aims to assist AD administrators in the implementation of a model designed to protect those highly privileged (i.e. \"Tier-0\") accounts.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eEffective privileged user and computer management is crucial for mitigating risks associated with credential theft. Microsoft introduced an authentication model based on silos a few years ago to confine authentication to a specific set of computers within the same scope as their users. The Tier-0 silo, the most critical one, should exclusively include the highest-privileged accounts in the environment, such as \"Domain Admins\" user members and \"Domain Controllers\" computers in particular.\u003c/p\u003e\n\u003ch4\u003eAuthentication silos and policies\u003c/h4\u003e\n\u003cp\u003eAuthentication silos, as outlined in the \"Logon Restrictions for Privileged Users\" IoE, share the goal of limiting Tier-0 privileged accounts from exposing their credentials on lower-privileged systems (e.g. 
standard servers or workstations). This feature focuses on safeguarding users rather than computers, replacing the older concepts in the \"Logon Restrictions for Privileged Users\" IoE with a more contemporary approach to configuring user authentication restrictions.\n\u003cbr\u003eAuthentication silos leverage various foundational elements, including the Kerberos protocol, claims, authentication policies, conditional ACEs, and Kerberos Armoring. The use of these features requires that domain controllers run version 2012 R2 or later.\n\u003cbr\u003eThe silo implementation aims to offer AD administrators a simpler and more robust solution compared to previous authentication restrictions. The objective is to group Tier-0 users and computers within a shared security context, called a \"silo.\" This ensures that these users can only connect to computers within the same silo, whether through Remote Desktop or traditional interactive sessions.\n\u003cbr\u003eAn additional risk of credential theft involves delegating authentication to a computer outside the designated silo. \nTo address the challenges of securing NTLM authentication fully, it is advisable to opt for the Kerberos protocol. To safeguard Tier-0 administrators against both risks, it is recommended to include them in the \"Protected Users\" group.\n\u003cbr\u003eThe interconnected features essential for this IoE are linked as follows:\nAuthentication silo → (requires) → Authentication policy → (requires) → Claims → (requires) → Kerberos Armoring\n\u003cbr\u003eDelving into the intricacies of these concepts exceeds the scope of this IoE. In summary:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAn authentication silo consists of a collection of computer and user accounts sharing the same security concerns - specifically, privileged objects in our context.\u003c/li\u003e\n\u003cli\u003eAn authentication policy is a set of rules designed to limit authentication in various scenarios. 
Its purpose is to ensure that users within a silo can authenticate exclusively to silo-designated computers.\u003c/li\u003e\n\u003cli\u003eClaims serve as the foundational components that allow silos and authentication policies to work. Simply put, they act like tags on objects, with these tags specified in the authentication policy configuration.\u003c/li\u003e\n\u003cli\u003eKerberos Armoring enhances the Kerberos protocol for improved security by guarding against potential brute-force attacks on user credentials through network traffic access. It also introduces support for claims, enabling their storage in the user's security token.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote: Kerberos Armoring requires configuration on both clients and servers to support silos.\u003c/p\u003e\n\u003ch4\u003ePrerequisite for a Tier-0 authentication silo installation\u003c/h4\u003e\n\u003cp\u003eTo maintain control over the silo and minimize the risk, it's crucial to keep the number of user and computer accounts at a minimum. Before including privileged users in the silo, it's essential to restrict their number by first using the \"Native Administrative Group Members\" IoE.\u003c/p\u003e\n\u003ch4\u003eIoE Objective\u003c/h4\u003e\n\u003cp\u003eThis IoE aims to assist AD administrators in installing and setting up an authentication silo for Tier-0 accounts. Proper configuration is essential to prevent vulnerabilities or gaps in the implementation.\n\u003cbr\u003eThis IoE will address the following questions to ensure that a proper configuration gets implemented:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAre all Tier-0 users in the \"Protected Users\" group? (This prevents NTLM protocol usage, relying solely on Kerberos authentication.)\u003c/li\u003e\n\u003cli\u003eDo all domain controllers have the minimum required OS version to support authentication silos and policies? 
(2012R2 and above)\u003cul\u003e\n\u003cli\u003eNote: Silos on the client side require workstations running Windows 8+ and servers running Windows Server 2012+. Lack of compliance won't pose a security risk but will prevent Tier-0 user authentication. This IoE does not check for this non-compliance, but you should consider compatibility during configuration.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eIs Kerberos Armoring correctly configured on clients and servers? (This confirmation goes through GPO parameter checks.)\u003c/li\u003e\n\u003cli\u003eIs there a configured authentication silo?\u003c/li\u003e\n\u003cli\u003eIs this authentication silo appropriately configured for Tier-0 accounts, as defined by the product?\u003cul\u003e\n\u003cli\u003eTier-0 users within the silo\u003cul\u003e\n\u003cli\u003eAre all domain privileged users in this list? (Tier-0 users should include members of natively privileged AD groups. Those are provided in the deviance details.)\u003c/li\u003e\n\u003cli\u003eAre there any non-validated or unprivileged users present?\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eTier-0 computers within the silo\u003cul\u003e\n\u003cli\u003eAre all domain privileged computers in this list? (By default, the IoE considers only domain controllers as privileged computers. However, various IoE options are available to specify and help identify additional servers that should be considered, such as ADCS, WSUS, Exchange, AD backup servers, etc.)\u003c/li\u003e\n\u003cli\u003eAre there any non-validated or unprivileged computers present?\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eIs the silo's authentication policy configured as intended?\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAs indicated, this IoE follows a step-by-step approach, displaying deviances only for the relevant information needed to proceed with the installation of an authentication silo for Tier-0 accounts. 
\nNew deviances will appear as the IoE completes and validates each step, resolving previous deviances in the process. Upon clearing all deviances, the configuration of the authentication silo for Tier-0 accounts is complete and deemed secure.\u003c/p\u003e\n\u003ch4\u003eImportant security reminder\u003c/h4\u003e\n\u003cp\u003eThis IoE cannot analyze an important security aspect: it can only assess data from AD (LDAP/SYSVOL) and cannot query the local configuration of Tier-0 computers. Thus, manual verification is necessary for a crucial configuration aspect on all Tier-0 silo computers: no other administrators, including Helpdesk teams, should have privileges on these machines. This precaution applies to both Tier-0 workstations and computers created using a master file with a generic local Administrator account. This prevents unauthorized access and potential credential theft of Tier-0 users.\u003c/p\u003e\n\u003ch4\u003eSpecial case for the Administrator account\u003c/h4\u003e\n\u003cp\u003eTreat the built-in \"Administrator\" account (RID = 500) as a break glass account, as Microsoft recommends (verify its usage with the \"Recent Use of the Default Administrator Account\" IoE). Only use it as a last resort when other options fail, and you cannot use other domain administrators, like when there is a lockout due to misconfiguration of an authentication silo. In standard situations, store its password securely, whether in a virtual or physical safe to ensure protection.\n\u003cbr\u003eThis implies that, when placed within a silo, this account won't have the same restrictions as other accounts (i.e., it won't function as expected, and won't prevent authentication on non-Tier-0 computers). As such, it's not necessary to include it within the Tier-0 silo. 
It can serve as a backup mechanism if you lock yourself out of your domain controllers.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Implement a Tier-0 Authentication Silo and Policy","description":"Define the tier model, specifying which systems and users belong to the highest tier. Subsequently, validate the necessary steps for implementing this model practically in Active Directory.\n","exec_summary":"\u003cp\u003eTo enhance security against attackers and malware attempting to steal privileged identities, privileged users should exclusively connect to trusted machines. Employing a \"tier model\" design, particularly focusing on the highest tier (referred to as \"Tier-0\"), implement authentication silos and policies. This ensures that the credentials of privileged users are inaccessible on standard workstations and servers.\u003c/p\u003e\n","detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eAs detailed in this IoE's \"Vulnerability details\" section, the initial step in implementing a Tier-0 authentication silo involves documenting the accounts (users and computers) that need protection within this specific security context.\n\u003cbr\u003eThis IoE assists you by highlighting users inadvertently omitted from the silo. For computers requiring inclusion in the silo, recommendations depend solely on the provided IoE options. 
Various similar \"named\" options offer insights into server types traditionally deemed highly privileged in an AD environment, such as the following:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eADCS servers could be compromised to generate insecure certificates used for authentication to domain controllers (refer to \"ADCS Dangerous Misconfigurations\" IoE).\u003c/li\u003e\n\u003cli\u003eWSUS servers applying updates to domain controllers could be compromised to deploy fake Windows updates (refer to \"WSUS Dangerous Misconfigurations\" IoE).\u003c/li\u003e\n\u003cli\u003eExchange servers lacking AD schema hardening may possess risky permissions at the domain root (refer to \"Root Objects Permissions Allowing DCSync-Like Attacks\" IoE).\u003c/li\u003e\n\u003cli\u003eetc.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAllocate time to identify Tier-0 servers carefully. Specifying too few systems could leave attack paths to AD open, while including too many systems in the silo might compromise security and visibility. It's advisable to begin conservatively, including only evident privileged servers, and gradually add more servers when there's a pivot path that could compromise the AD or existing silo servers.\n\u003cbr\u003e\u003cbr\u003eThe following sections detail the sequence of deviances that this IoE triggers, offering a step-by-step guide for Tier-0 authentication silo installation. Administrators familiar with configuring authentication silos and policies may opt out of following this procedure. \nNote that the product GUI will present the interdependent steps sequentially, while a deviance will indicate actions that can take place concurrently.\u003c/p\u003e\n\u003ch4\u003e1. Unprotected Tier-0 user account\u003c/h4\u003e\n\u003cp\u003ePrivileged users within a Tier-0 silo should exclusively use the Kerberos protocol, avoiding the NTLM protocol. 
Additionally, be cautious of potential risks associated with the delegation of authentication for these accounts.\nTo mitigate both potential issues, it's advisable to include these users in the \"Protected Users\" group. Refer to the dedicated IoE \"Protected Users Group Not Used\" for more information on this group and the implications of adding members to it.\n\u003cbr\u003eNote: If necessary, you can disable this check using an option if it does not apply to your situation.\n\u003cbr\u003eFor example, use the following command in PowerShell to add a specific user to the \"Protected Users\" group:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Add-ADGroupMember -Identity \"Protected Users\" -Members \"adm-t0\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003e2. DCs not up-to-date\u003c/h4\u003e\n\u003cp\u003eTo support authentication silos and their technical dependencies, domain controllers must be \"Windows Server 2012R2\" or later (the required version on the server side). Ensure that you update all domain controllers before configuration.\u003c/p\u003e\n\u003ch4\u003e3a. Client-side misconfiguration\u003c/h4\u003e\n\u003cp\u003eOn the client side, configure a GPO to enable support for claims, compound authentication, and Kerberos armoring. Link this GPO to the containers of servers and workstations in the Tier-0 silo to ensure Tier-0 users can authenticate to them. While it's not a security risk if the GPO is not linked and applied, it may cause authentication issues after creating the silo.\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Create or use an existing GPO and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\Kerberos\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eKerberos client support for claims, compound authentication and Kerberos armoring\u003c/em\u003e and select \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNote: Remember to link this GPO also to Tier-0 workstations and domain controllers.\u003c/p\u003e\n\u003ch4\u003e3b. Unenforced Kerberos Armoring\u003c/h4\u003e\n\u003cp\u003eThe existing client-side GPO configuration is sufficient for meeting requirements. However, for enhanced security, consider enforcing, rather than requesting, Kerberos armoring. This minimizes the risk of attackers intercepting network traffic and retrieving credentials.\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Create or use the previously created client-side GPO and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\Kerberos\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eFail authentication requests when Kerberos armoring is not available\u003c/em\u003e and select \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eWith these two parameters set, Tier-0 users can authenticate to those computers after the GPO goes into effect (this may take some time and might require a reboot).\u003c/p\u003e\n\u003ch4\u003e3c. 
Server-side misconfiguration\u003c/h4\u003e\n\u003cp\u003eOn the server side, you must configure domain controllers to support the prerequisites of the authentication silo.\nTo do this, link a GPO to the default domain controllers container (or other organizational units if DCs have moved).\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Create or use an existing GPO (not the previously created client-side one) and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\KDC\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eKDC support for claims, compound authentication and Kerberos armoring\u003c/em\u003e, select \u003cem\u003eEnabled\u003c/em\u003e, and set the option \u003cem\u003eClaims, compound authentication for Dynamic Access Control and Kerberos armoring options:\u003c/em\u003e to \u003cem\u003eSupported\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eOnce a domain controller applies this GPO, it makes a change to the \"krbtgt\" account. The IoE validates these changes on the account, and resolution occurs upon detection.\u003c/p\u003e\n\u003ch4\u003e4. Authentication silo misconfiguration\u003c/h4\u003e\n\u003cp\u003eThe silo configuration comprises multiple small steps indicated by checkboxes in the deviance. 
These changes can occur in any order, and Microsoft's documentation, linked in the \"Documents\" section below, provides exhaustive information on the implementation details.\n\u003cbr\u003eThe \"Active Directory Administrative Center\" is a convenient tool for creating the authentication silo and its associated policy.\nAccess the configuration through the left panel, under the \"Authentication\" category within the \"Authentication Policies\" and \"Authentication Policy Silos\" sub-categories.\n\u003cbr\u003eCreate the Tier-0 authentication policy first, so that it can be referenced directly inside the Tier-0 silo. Initially, configure both as \"Only audit policy restrictions\" and \"Only audit silo policies\" to create an initial version of the Tier-0 silo. This setting allows you to view Windows event logs to understand the impact before enforcing the configuration.\nOnce you're ready, the reasons below will provide additional assistance to ensure the correct computers and users get included in the silo. Those further checks can only be executed after every step described here has been completed.\u003c/p\u003e\n\u003ch4\u003e5a. Unreferenced privileged user\u003c/h4\u003e\n\u003cp\u003eThe following reasons offer context on which user and computer accounts to include in the Tier-0 silo and also indicate which accounts to exclude.\n\u003cbr\u003eThis initial topic concerns the importance of having a comprehensive list of user accounts within the Tier-0 silo. Every user account identified as privileged (as explained in detail in the \"Native Administrative Group Members\" IoE) should go inside the silo.\nIf the check returns a list of users that is too extensive, it indicates the need to reduce the number of privileged users beforehand.\n\u003cbr\u003eThe resolution for this reason can only occur after you add every privileged user account to the silo (in the \"Permitted Accounts\" section of the silo configuration). 
This may require creating new administrative user accounts for managing non-sensitive resources.\u003c/p\u003e\n\u003ch4\u003e5b. Unassigned privileged user\u003c/h4\u003e\n\u003cp\u003eThe second necessary step to include a user in the silo is to assign the user to it. The first step is to \"reference,\" and the second step is to \"assign.\"\n\u003cbr\u003eDo this individually for each user by double-clicking on each account, navigating to the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section, selecting the \u003cem\u003eAssign Authentication Policy Silo\u003c/em\u003e checkbox, and choosing the Tier-0 by its name in the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section.\u003c/p\u003e\n\u003ch4\u003e5c. Unprivileged user referenced\u003c/h4\u003e\n\u003cp\u003eTo maintain the Tier-0 silo as restricted and minimal as possible, include only the essential privileged user accounts. Remove non-privileged user accounts that should not be part of this silo. If validated and necessary, you can exempt them through the dedicated IoE option.\u003c/p\u003e\n\u003ch4\u003e5d. Unreferenced privileged computer\u003c/h4\u003e\n\u003cp\u003eLike user accounts, include computer accounts in the Tier-0 silo. Unlike the user part, the IoE cannot automatically calculate and suggest privileged computers to facilitate configuration. However, use multiple options to identify servers and workstations to include in this Tier-0 silo.\u003c/p\u003e\n\u003ch4\u003e5e. Unassigned privileged computer\u003c/h4\u003e\n\u003cp\u003eAfter referencing computer accounts, you must also assign them within the Tier-0 silo.\nTo do this, double-click on each computer and navigate to the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section. Select the \u003cem\u003eAssign Authentication Policy Silo\u003c/em\u003e checkbox and choose the Tier-0 silo by its name in the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section.\u003c/p\u003e\n\u003ch4\u003e5f. 
Unprivileged computer referenced\u003c/h4\u003e\n\u003cp\u003eLike the user configuration, the Tier-0 silo should only contain privileged computers.\nIf these computers are not validated, remove them from the \"Permitted Accounts\" section. If they are accepted, add their organizational units through the dedicated options.\u003c/p\u003e\n\u003ch4\u003e6. Authentication policy misconfiguration\u003c/h4\u003e\n\u003cp\u003eConfigure the authentication policy associated with the Tier-0 silo with a condition that restricts user accounts to authenticating only to computers within the silo. Without this restriction, users' credentials are unprotected and can get compromised on lower-tier computers if administrators authenticate there.\n\u003cbr\u003eTo do this, go to the authentication policy configuration and navigate to the \u003cem\u003eUser Sign On\u003c/em\u003e section. Under \u003cem\u003eClick Edit to define conditions\u003c/em\u003e, create the following condition: \u003cem\u003e(User.AuthenticationSilo Equals \"T0-Silo\")\u003c/em\u003e (adapt the name of the Tier-0 silo accordingly).\u003c/p\u003e\n\u003ch4\u003e7. 
Multiple uses of the authentication policy\u003c/h4\u003e\n\u003cp\u003eMicrosoft provides two methods for specifying an authentication policy for an account:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBy being a member of a silo.\u003c/li\u003e\n\u003cli\u003eAlternatively, by manually assigning an authentication policy to the account, outside of a silo.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAssigning an authentication policy directly to an account (outside of the silo configuration) is not a recommended practice as it complicates the management of both the silo and its policy.\n\u003cbr\u003eTo manually remove an account associated with the authentication policy of a Tier-0 silo, go to the authentication policy configuration and remove every account specified in the \u003cem\u003eAccounts\u003c/em\u003e section.\u003c/p\u003e\n","resources":[{"name":"Authentication Policies and Authentication Silos - Restricting Domain Controller Access","url":"https://social.technet.microsoft.com/wiki/contents/articles/26945.authentication-policies-and-authentication-silos-restricting-domain-controller-access.aspx","type":"hyperlink"},{"name":"Protecting Domain Administrative Credentials","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/protecting-domain-administrative-credentials/ba-p/259210","type":"hyperlink"}]},"resources":[{"name":"Authentication Policies and Authentication Policy Silos","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)","type":"hyperlink"},{"name":"L'administration en silo (french reference whitepaper)","url":"https://www.sstic.org/2017/presentation/administration_en_silo/","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_user","ad_sysvol_pol","ad_domain_dns","ad_msds_auth_n_policy_silo"],"attacker_known_tools":[],"category_id":1,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid 
Accounts"]}],"indicator_type":"Indicator of Exposure","released":true,"available_languages":["ko_KR","es_001","zh_CN","de_DE","ja_JP","fr_FR","zh_TW","en_US"],"tvdb_export_source":{"file_name":"diff-202411230600.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-AUTH-SILO","created_at":"2024-11-23T06:08:25","updated_at":"2024-11-23T06:08:25"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["ko","es","zh-CN","de","ja","fr","zh-TW","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[55]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-DYNAMIC-UPDATES","_score":null,"_source":{"language_code":"en_US","codename":"C-DYNAMIC-UPDATES","name":"Unsecure Dynamic DNS Zone Updates Allowed","id":54,"description":"\u003cp\u003eChecks that the DNS server configuration disallows unsecure dynamic DNS zone updates.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eConfiguring a dynamic DNS zone with unsecure updates can lead to unauthenticated editing of DNS records, making them vulnerable to rogue DNS records.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eThe Domain Name System (DNS) functions as a hierarchical and distributed naming system actively mapping a hostname to one or multiple IP addresses. Reciprocally, it can perform reverse lookup, converting an IP address to its corresponding hostname. 
Domain controllers typically host the DNS role, with DNS records configured to be replicated across them.\nIn addition to the traditional DNS service, DNS information is stored in Active Directory, known as AD Integrated DNS (ADIDNS), and is accessible through the LDAP protocol.\nDynamic DNS (DDNS) operates as a real-time service, automatically updating DNS records. This functionality facilitates accessibility to devices with dynamic IP addresses by maintaining a consistent hostname. DDNS clients, running on devices (typically Windows OS), actively update DNS records in response to changes in their IP addresses. This seamless process allows users to reach their devices consistently through a fixed hostname, thereby enhancing remote connectivity.\n\u003cbr\u003eThis Indicator of Exposure identifies unsecure configuration of dynamic DNS zone updates.\u003c/p\u003e\n\u003ch4\u003eUnsecure dynamic DNS zone updates setting\u003c/h4\u003e\n\u003cp\u003eBy default, Active Directory is optimally configured, permitting dynamic DNS zone updates securely through the designated setting: \"Secure only\". Nevertheless, it is possible to modify this configuration to either \"None\" or \"Nonsecure and secure\".\nDisabling this feature entirely poses no inherent risk. By default, certain zones related to Active Directory do not have the dynamic mode enabled, but this is not a problem (e.g., DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=tenable,DC=com). However, if the setting changes to \"Nonsecure and secure\", it means that the addition, editing, or deletion of DNS records can occur without requiring authentication. The consequences of such an unsecured configuration for an attacker include:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDeleting an existing record and blocking the business.\u003c/li\u003e\n\u003cli\u003eUpdating an existing record to allow impersonating a machine as another one. 
If network access controls rely on hostnames resolving to trusted addresses, an attacker can point such a name at a host under their control and abuse that trust, for example to intercept authentication traffic (see the ADIDNS references below).\u003c/li\u003e\n\u003cli\u003eCreating new records and flooding the DNS server.\u003c/li\u003e\n\u003c/ul\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Set Dynamic DNS Zone Updates Setting to \"Secure only\", or Disable Dynamic Mode","description":"Set dynamic DNS zone updates setting to \"Secure only\", or disable dynamic mode.","exec_summary":"\u003cp\u003eMisconfiguration of dynamic DNS zone updates can significantly impact the security of the Active Directory. Hence, it is crucial either to use dynamic updates in a secure manner, or not use them at all.\u003c/p\u003e\n","detail":"\u003ch4\u003eSet dynamic DNS zone updates setting to \"Secure only\", or disable dynamic mode\u003c/h4\u003e\n\u003cp\u003eBy using the secure mode only, devices must be authenticated to add and/or update records. If you are currently using \"Nonsecure and secure\" mode, some devices (typically non-domain-joined hosts or appliances) may be registering records without authentication; identify them before making the change, because their updates will be rejected afterwards. Note also that \"Secure only\" is available only for Active Directory-integrated zones: a file-backed standard primary zone must be converted to an AD-integrated zone first.\nYou can perform this remediation graphically with the DNS RSAT tool, or in console with the \u003ccode\u003ednscmd\u003c/code\u003e utility.\u003c/p\u003e\n\u003ch2\u003eDNS RSAT (GUI)\u003c/h2\u003e\n\u003cp\u003eOpen the \"Server Manager\" and proceed as follows:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOn the top menu bar, click \"Tools\", then \"DNS\".\u003c/li\u003e\n\u003cli\u003eNavigate through the DNS server to \"Forward Lookup Zones\", which shows a zone with the domain name. Repeat the following steps for every zone reported in the deviance, including those under \"Reverse Lookup Zones\".\u003c/li\u003e\n\u003cli\u003eRight-click the domain name and select \"Properties\".\u003c/li\u003e\n\u003cli\u003eIn the \"General Tab\", under \"Dynamic updates\", change the value from \"Nonsecure and secure\" to \"Secure only\" to resolve the deviance. 
Note: The value \"None\" means that dynamic DNS updates are disabled, and does not cause concern.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2\u003ednscmd\u003c/h2\u003e\n\u003cp\u003eExecute the following command once per affected zone to allow only secure updates. The \u003ccode\u003e/AllowUpdate\u003c/code\u003e value 2 means \"Secure only\" (1 is \"Nonsecure and secure\" and 0 disables dynamic updates). Target a DNS server that hosts the zone, and verify the result afterwards with \u003ccode\u003ednscmd \u0026lt;servername\u0026gt; /ZoneInfo \u0026lt;zone\u0026gt;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ednscmd \u0026lt;servername\u0026gt; /Config \u0026lt;zone\u0026gt; /AllowUpdate 2\n#### example: dnscmd 127.0.0.1 /Config ad.tenable.com /AllowUpdate 2\n\u003c/code\u003e\u003c/pre\u003e\n","resources":[{"name":"Dnscmd","url":"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd","type":"hyperlink"}]},"resources":[{"name":"Active Directory Security Assessment Checklist - Misconfigured DNS zones","url":"https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html#vuln_dnszone_bad_prop","type":"hyperlink"},{"name":"[MS-DNSP]: Domain Name Service (DNS) Server Management Protocol","url":"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/f97756c9-3783-428b-9451-b376f877319a","type":"hyperlink"},{"name":"Active Directory-Integrated DNS Zones","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones","type":"hyperlink"},{"name":"Dynamic update","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784052(v=ws.10)","type":"hyperlink"},{"name":"Understanding Dynamic Update","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771255(v=ws.11)","type":"hyperlink"},{"name":"Dynamic Update and Secure Dynamic Update","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959275(v=technet.10)","type":"hyperlink"},{"name":"Beyond LLMNR/NBNS Spoofing - Exploiting Active Directory-Integrated DNS","url":"https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/","type":"hyperlink"},{"name":"ADIDNS Revisited - 
WPAD, GQBL, and More","url":"https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/","type":"hyperlink"}],"applicable_resource_types":["ad_dns_zone"],"attacker_known_tools":[{"name":"Powermad","url":"https://github.com/Kevin-Robertson/Powermad#adidns-functions","author":"Kevin Robertson"}],"category_id":4,"mitre_attacks":[{"tactic":"TA0006 - Credential Access","techniques":["T1557 - Adversary-in-the-Middle"]},{"tactic":"TA0042 - Resource Development","techniques":["T1584 - Compromise Infrastructure"]}],"indicator_type":"Indicator of Exposure","released":true,"available_languages":["es_001","fr_FR","zh_TW","de_DE","zh_CN","ko_KR","ja_JP","en_US"],"tvdb_export_source":{"file_name":"all-202410091000.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-DYNAMIC-UPDATES","created_at":"2024-10-09T17:22:17","updated_at":"2024-10-09T17:22:17"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["es","fr","zh-TW","de","zh-CN","ko","ja","en"],"mitre_attack_information":[{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"},"techniques":[{"id":"T1557","name":"Adversary-in-the-Middle","url":"https://attack.mitre.org/techniques/T1557"}]},{"tactic":{"id":"TA0042","name":"Resource Development","url":"https://attack.mitre.org/tactics/TA0042"},"techniques":[{"id":"T1584","name":"Compromise Infrastructure","url":"https://attack.mitre.org/techniques/T1584"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[54]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-WSUS-HARDENING","_score":null,"_source":{"language_code":"en_US","codename":"C-WSUS-HARDENING","name":"WSUS Dangerous Misconfigurations","id":53,"description":"\u003cp\u003eLists the misconfigured parameters related to Windows Server Update Services (WSUS).\u003c/p\u003e\n","criticity":"critical","exec_summary":"\u003cp\u003eWindows Server Update Services (WSUS) is the Microsoft product that 
deploys Windows updates to workstations and servers.\nMisconfigurations of WSUS settings can lead to an elevation to administrator privileges from a standard account.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eWSUS enables IT administrators to deploy the latest Microsoft product updates, which they download from Microsoft's update servers and store locally on the WSUS server. At this point, administrators can approve the updates for deployment to their internal clients. Windows clients (workstations and servers) can check the local WSUS server for approved updates to download and install, and then report back to the WSUS server with successful update installations. This allows administrators to ensure that the necessary updates are in place. Given that WSUS is designed to install software and patches on a large number of operating systems, it is clear that a misuse of its intended functionality could pose a serious threat to network security.\n\u003cbr\u003eCorporations often choose multiple types of network architectures, and they usually have multiple WSUS servers that replicate changes from a single upstream server connected to the Microsoft public WSUS server.\nNetwork isolation is crucial for security, as attackers can use the attack methods described below. Choosing the wrong scope for WSUS server updates deployment, such as using the same reference WSUS server for isolated forests, can provide attackers with a means to spread to another environment entirely separate from the one they already compromised.\n\u003cbr\u003eThe paradox of a WSUS server, intended for protection through security updates, can, in reality, lead to escalate privileges due to its centralized role, and potentially undermine network silos. 
As a result, administrators should treat WSUS servers as a Tier 0 asset (equivalent in sensitivity to a Domain Controller) and ensure that only privileged accounts can authenticate to them.\n\u003cbr\u003eCompromising a WSUS server enables an attacker to propagate a malicious patch that runs as the built-in identity SYSTEM on WSUS clients. In a WSUS exploitation, two main scenarios exist:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eMan-in-the-Middle (MitM) attack between a WSUS server and a client\u003c/li\u003e\n\u003cli\u003eDirect compromise of a WSUS server\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cbr\u003eIn the Man-in-the-Middle case, an attacker uses a MitM approach to inject a malicious update into the network connection between a client and a server. To do this, the attacker must intercept HTTP traffic between these two entities, using common methods like Web Proxy Auto-Discovery (WPAD) protocol usage or Address Resolution Protocol (ARP) poisoning when the attacker is on the same network segment. Before Windows 10 version 1607, a non-privileged user could configure a user proxy as a fallback to the system proxy, allowing an attacker to reroute machine traffic. Current Windows versions use only the system proxy (if one is configured) during update scanning, but a GPO can re-enable the user-proxy fallback.\n\u003cbr\u003eTherefore, it's important to prevent such attacks by enforcing HTTPS and certificate pinning when communicating with the WSUS server. By default, the Windows Update client pins the WSUS server's TLS certificate against the certificates in the local computer's \"Windows Server Update Service\" certificate store (see the Microsoft article in the resources), which defeats HTTPS-intercepting proxies, but a GPO can disable this pinning mechanism. HTTPS without pinning only raises the bar: an attacker able to present a certificate the client trusts can still inject updates.\n\u003cbr\u003eThe second attack, a direct compromise, involves infiltrating a WSUS server (via an unpatched vulnerability or an attack path leading to the server). 
Such infiltration would enable an attacker to insert a malicious payload into the underlying database and distribute it to the clients.\n\u003cbr\u003eIn conclusion, to minimize risks, this Indicator of Exposure checks the following settings for potential misconfigurations:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eEnsuring the user proxy, used as a fallback for update detection, remains disabled.\u003c/li\u003e\n\u003cli\u003eVerifying the use of an encrypted protocol (HTTPS) rather than HTTP for both the main and alternate WSUS servers.\u003c/li\u003e\n\u003cli\u003eConfirming that certificate pinning remains enabled.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBy default, these settings apply correct configurations and do not require modification unless they use wrong values.\u003c/p\u003e\n","exploitability":"Exploits are available"},"recommendation":{"name":"Correct Errors in WSUS Configuration","description":"To limit the risks of full AD compromise, you should address and rectify WSUS misconfigurations.\n","exec_summary":"\u003cp\u003eCertain Microsoft WSUS parameters can have a significant security impact on the entire Active Directory and therefore require careful configuration.\u003c/p\u003e\n","detail":"\u003cp\u003eTo minimize the risk of tampering with WSUS updates, you must configure properly certain settings for WSUS servers.\n\u003cbr\u003eStart by ensuring that the WSUS application uses SSL to encrypt traffic. This prevents any potential attackers on the network from executing commands on remote systems that request updates. Microsoft offers a comprehensive guide on generating a dedicated certificate and installing it on the WSUS server. 
You can also use a PKI like ADCS to generate certificates for multiple WSUS servers.\nOnce you've created and installed the certificate, update the GPO that specifies the WSUS server for update retrieval to apply the HTTPS protocol instead of HTTP.\n\u003cbr\u003eTo change the value with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eLaunch the Group Policy Management Console. Right-click the GPO that contains the setting you want to change and select \u003cem\u003eEdit\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder, and navigate to \u003cem\u003eAdministrative Templates\\Windows Components\\Windows Update\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eSpecify intranet Microsoft update service location\u003c/em\u003e and input the URL of WSUS using the HTTPS protocol in the box below the labels \u003cem\u003eSet the intranet update service for detecting updates\u003c/em\u003e and \u003cem\u003eSet the alternate download server\u003c/em\u003e (if appropriate).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAlso, if certificate pinning was disabled explicitly, re-enable it to harden the SSL tunnel.\nIn the same category as above, ensure that the checkbox next to \u003cem\u003eDo not enforce TLS certificate pinning for Windows Update client for detecting updates\u003c/em\u003e remains unchecked.\n\u003cbr\u003eFinally, the user proxy must not be an available option, even as a fallback mechanism, to download updates from WSUS.\nIn the same category as above, under \u003cem\u003eSelect the proxy behavior for Windows Update client for detecting updates\u003c/em\u003e, select the option \u003cem\u003eOnly use system proxy for detecting updates (default)\u003c/em\u003e.\u003c/p\u003e\n","resources":[{"name":"Configure a software update point to use TLS/SSL with a PKI 
certificate","url":"https://learn.microsoft.com/en-us/mem/configmgr/sum/get-started/software-update-point-ssl","type":"hyperlink"},{"name":"Manage additional Windows Update settings","url":"https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings","type":"hyperlink"},{"name":"Scan changes and certificates add security for Windows devices using WSUS for updates","url":"https://techcommunity.microsoft.com/t5/windows-it-pro-blog/scan-changes-and-certificates-add-security-for-windows-devices/ba-p/2053668","type":"hyperlink"},{"name":"WSUSpendu - Recommendations (p29)","url":"https://www.blackhat.com/docs/us-17/wednesday/us-17-Coltel-WSUSpendu-Use-WSUS-To-Hang-Its-Clients-wp.pdf","type":"hyperlink"}]},"resources":[{"name":"Introducing SharpWSUS","url":"https://labs.nettitude.com/blog/introducing-sharpwsus/","type":"hyperlink"},{"name":"WSUSpendu - Injecting a new update (p17)","url":"https://www.blackhat.com/docs/us-17/wednesday/us-17-Coltel-WSUSpendu-Use-WSUS-To-Hang-Its-Clients-wp.pdf","type":"hyperlink"}],"applicable_resource_types":["ad_sysvol_pol"],"attacker_known_tools":[{"name":"WSUSpect Proxy","url":"https://github.com/ctxis/wsuspect-proxy","author":"Paul Stone, Alex Chapman"},{"name":"WSUSpendu","url":"https://github.com/tenable/WSUSpendu","author":"Romain Coltel, Yves Le Provost"}],"category_id":1,"mitre_attacks":[{"tactic":"TA0006 - Credential Access","techniques":["T1557 - Adversary-in-the-Middle"]},{"tactic":"TA0008 - Lateral Movement","techniques":["T1072 - Software Deployment Tools"]}],"indicator_type":"Indicator of 
Exposure","released":true,"available_languages":["zh_TW","ja_JP","fr_FR","zh_CN","de_DE","es_001","ko_KR","en_US"],"tvdb_export_source":{"file_name":"diff-202411050200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-WSUS-HARDENING","created_at":"2024-11-05T02:08:18","updated_at":"2024-11-05T02:08:18"},"severity":"critical","type":"ioe","subType":"ad","availableLocales":["zh-TW","ja","fr","zh-CN","de","es","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0006","name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"},"techniques":[{"id":"T1557","name":"Adversary-in-the-Middle","url":"https://attack.mitre.org/techniques/T1557"}]},{"tactic":{"id":"TA0008","name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008"},"techniques":[{"id":"T1072","name":"Software Deployment Tools","url":"https://attack.mitre.org/techniques/T1072"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[53]},{"_index":"1728494537425_indicator_ad_ioe_en_us","_type":"_doc","_id":"C-PROP-SET-SANITY","_score":null,"_source":{"language_code":"en_US","codename":"C-PROP-SET-SANITY","name":"Property Sets Integrity","id":52,"description":"\u003cp\u003eChecks for the integrity of property sets and validates permissions\u003c/p\u003e\n","criticity":"medium","exec_summary":"\u003cp\u003e\"Property Set\" is a Microsoft Active Directory (AD) feature that facilitates the creation of permissions (Access Control List - ACL) for AD objects and enhances system performance. 
It serves as a mechanism for consolidating multiple attributes within an AD entity, which allows the system to reference them collectively within ACLs, rather than having to reference individual attributes separately.\n\u003cbr\u003eThis Indicator of Exposure aims to ensure that there are no misconfigurations or backdoors from malicious actors present in this type of object and the attributes within the AD schema.\nCurrently, there are no known public attack vectors associated with the use of property sets. Therefore, you should focus primarily on addressing misconfigurations or peculiarities stemming from third-party products that use this feature.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003cp\u003eMicrosoft's AD introduced the property sets concept to simplify Access Control Lists (ACL) management. This approach allows the declaration of a single Access Control Entry (ACE) for a property set instead of multiple entries for its underlying attributes.\u003c/p\u003e\n\u003cp\u003eA property set groups one or more attributes; technically, however, the membership is recorded on each attribute, and a given attribute can belong to at most one property set. Consequently, an ACE granting access to a property set applies to every attribute that references it, so adding a sensitive attribute to an existing property set silently widens whatever permissions are already granted on that set.\n\u003cbr\u003eThere are two locations for information related to property sets: the configuration partition (in the \"CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" container) and the schema partition.\n\u003cbr\u003eObjects from the \"controlAccessRight\" class in the configuration partition represent property sets. This class serves multiple purposes, encompassing \"Validated Writes\", \"Property Sets\" and \"Extended Rights\". Although this IoE focuses primarily on property sets, it conducts comprehensive integrity checks to provide more extensive information.\nIn defining the \"blueprints\" of AD objects, the schema partition plays a vital role. It specifies various classes and attributes objects that AD encompasses. 
Notably, the storage of information concerning the property set to which an attribute belongs is not within the property set attributes but rather in the \"attributeSchema\" object itself.\u003c/p\u003e\n\u003cp\u003e\u003cbr\u003eThis IoE performs multiple checks related to property sets, as follows:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eVerification of the installation of the latest AD schema before examining data integrity. This initial step is crucial because Microsoft updates the schema when it encounters design issues within this AD schema, such as the critical topic of sane default ACLs.\u003c/li\u003e\n\u003cli\u003eValidation of the integrity of default property sets by cross-checking the \"appliesTo\" and \"rightsGuid\" attributes, and comparing their current values with those configured in the latest default AD schema.\u003cul\u003e\n\u003cli\u003eThe \"rightsGuid\" attribute serves as a reference for the property set in ACLs and by an AD attribute.\u003c/li\u003e\n\u003cli\u003eThe \"appliesTo\" attribute designates the object types eligible for the application of a property set. An empty value impacts all objects having this attribute. 
For an exploitation scenario, this usually requires the modification of the \"rightsGuid\" attribute as well.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eValidation of the integrity of default AD schema attributes by comparing the current values of the attributes \"attributeSecurityGUID\" and \"schemaIDGUID\" with those configured in the latest default AD schema.\u003cul\u003e\n\u003cli\u003eThe \"attributeSecurityGUID\" attribute indicates the property set to which an attribute belongs; an empty value implies it doesn't belong to any property set.\u003c/li\u003e\n\u003cli\u003eThe \"schemaIDGUID\" attribute is the GUID that security descriptors (ACLs) can reference.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eValidation of permissions on both property sets and AD schema attribute objects to ensure that no unprivileged account can modify or access these objects. It also thoroughly validates their specific attributes described before.\u003c/li\u003e\n\u003cli\u003eChecking if there is a custom property set defined and validating its legitimacy, which may result from a schema extension implemented by a third-party product.\u003c/li\u003e\n\u003cli\u003eChecking and validating that a custom property set is defined and that there is no sensitive attribute configured within it. Misconfigurations here could potentially lead to an indirect elevation of privileges on the AD, even if this is difficult to carry out.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cbr\u003eIt's essential to highlight that, by default, Microsoft does not introduce design flaws on an updated Active Directory schema, either in existing permissions or in the initial configuration of property sets. 
Consequently, some deviances from this IOE can result from third-party product installations or custom configurations, such as those implemented by an attacker.\u003c/p\u003e\n\u003cp\u003eThis means that attackers seeking to exploit property sets to introduce backdoors into AD must not only include a dangerous or sensitive attribute within a property set, but they also must strategically apply explicit ACLs to AD objects.\n\u003cbr\u003eTo reduce the likelihood of encountering deviances for known products and their custom property sets, the IoE includes the latest versions of Microsoft products that perform schema extensions, notably:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWindows -new- LAPS (introduced in 2023)\u003c/li\u003e\n\u003cli\u003eMicrosoft -legacy- LAPS\u003c/li\u003e\n\u003cli\u003eExchange\u003c/li\u003e\n\u003cli\u003eSkype for Business\u003c/li\u003e\n\u003cli\u003eSystem Center (no property set was added)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe IoE provides a dedicated option to specify the presence of a custom property set in the environment. However, you still must validate that any modifications from a third-party product align with security best practices, including member attributes, permissions settings, and more.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Analyze and Remediate Risks in Property Sets Configuration","description":"To mitigate the risks associated with potential privilege escalation or backdoor installation by attackers, you should thoroughly assess and correct the configuration of property sets.\n","exec_summary":"\u003cp\u003eMisconfigurations of property sets can significantly impact the security of the Active Directory. 
Hence, it is crucial to provide them with attention and supervision.\u003c/p\u003e\n","detail":"\u003cp\u003e\u003cstrong\u003e⚠️IMPORTANT NOTE (DISCLAIMER)⚠️\u003c/strong\u003e\n\u003cbr\u003e\u003cstrong\u003eThe issues addressed in this IoE pertain to a complex topic that can have significant implications for the Active Directory (AD) if mishandled. It is advisable not to attempt fixes unless you are comfortable making manual changes to the AD schema. If you lack confidence in this regard, it is best to seek assistance from a partner with a recognized AD expertise to validate your proposed changes.\nPlease note that the commands provided below are without any guarantee by Tenable, and are merely illustrative examples that you must customize to suit your specific requirements. Additionally, it is of utmost importance to ensure flawless replication between domain controllers before proceeding with schema alterations. Lastly, it is advisable to conduct prior thorough testing in a non-production environment.\u003c/strong\u003e\u003c/p\u003e\n\u003ch4\u003eUpdate the AD schema with the latest version\u003c/h4\u003e\n\u003cp\u003eTo enable full IoE analysis, ensure that you applied the latest AD schema updates. If needed, follow Microsoft's documentation and a community best-practices guide (cf. resources section), using the adprep tool from a recent Windows Server ISO. 
Exercise care when executing these commands, as with any AD schema modifications.\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eadprep.exe /forestprep\nadprep.exe /domainprep\nadprep.exe /domainprep /gpprep\nadprep.exe /rodcprep\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cbr\u003eBefore implementing any changes in your production environment, it's advisable to conduct testing within your test environment.\u003c/p\u003e\n\u003ch4\u003eValidate then reset sensitive attributes in a default property set\u003c/h4\u003e\n\u003cp\u003eUse PowerShell to fix an incorrect attribute set for a property set (\"appliesTo\" or \"rightsGuid\" attributes). For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject -Identity \"CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" -Replace @{'rightsGuid'=\"E45795B3-9455-11d1-AEBD-0000F80367C1\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYou should first verify the \"expected value\" provided in the deviance details for the modified attribute to avoid potential issues with existing references to this property set.\u003c/p\u003e\n\u003ch4\u003eValidate then reset sensitive attributes in a default AD schema attribute\u003c/h4\u003e\n\u003cp\u003eUse PowerShell to fix an incorrect attribute set for an AD schema attribute (\"attributeSecurityGUID\" or \"schemaIDGUID\" attributes). For example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Set-ADObject -Identity \"CN=WWW-Page-Other,CN=Schema,CN=Configuration,DC=DOMAIN,DC=CORP\" -Replace @{'attributeSecurityGUID'=\"e45795b3-9455-11d1-aebd-0000f80367c1\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIn the deviance details for the modified attribute, you should first verify the \"expected value\" to prevent potential issues (such as losing its association with the property set or existing ACL references). 
If you accept this change, you should then add this schema attribute to the allow list in the dedicated option. In the case of the PowerShell example, it would be \"WWW-Page-Other\".\u003c/p\u003e\n\u003ch4\u003eFix dangerous permissions set on property sets and schema attributes\u003c/h4\u003e\n\u003cp\u003eYou can make permission modifications through the GUI (ADSI Edit) or by using PowerShell commands.\u003c/p\u003e\n\u003cp\u003eIf you need to reset the \u003cstrong\u003eowner\u003c/strong\u003e of a property set, the procedure is as follows (\u003cstrong\u003eNote: Adapt this to your environment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $securityPrincipalAccount = \"DOMAIN\\Enterprise Admins\"\nPS\u0026gt; $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount)\nPS\u0026gt; $propSetPath = \"AD:CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" \n#### $propSetPath can be replaced by $attributSchemaPath, the commands are similar for these two objects\nPS\u0026gt; $aclPropSet = Get-Acl -Path $propSetPath\nPS\u0026gt; $aclPropSet.SetOwner($securityPrincipalObject)\nPS\u0026gt; $aclPropSet | Set-Acl -Path $propSetPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf you need to remove a problematic \u003cstrong\u003eACE\u003c/strong\u003e from a property set, you can follow the procedure below (\u003cstrong\u003eNote: Adapt this to your envronment.\u003c/strong\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Import-Module ActiveDirectory\nPS\u0026gt; $propSetPath = \"AD:CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" \n#### $propSetPath can be replaced by $attributSchemaPath, the commands are similar for these two objects\nPS\u0026gt; $aclPropSet = Get-Acl -Path $propSetPath\nPS\u0026gt; $aceToRemove = $aclPropSet.Access | ? 
{ $_.ActiveDirectoryRights -eq 'WriteProperty' -and $_.IdentityReference -eq 'DOMAIN\\unpriv' }\nPS\u0026gt; $aclPropSet.RemoveAccessRule($aceToRemove)\nPS\u0026gt; $aclPropSet | Set-Acl -Path $propSetPath\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBefore calling \u003ccode\u003eRemoveAccessRule\u003c/code\u003e, inspect \u003ccode\u003e$aceToRemove\u003c/code\u003e and confirm that the filter matched exactly one ACE. The \u003ccode\u003e-eq 'WriteProperty'\u003c/code\u003e comparison is an exact match and will not catch entries that grant the right as part of a broader set (for example GenericWrite, GenericAll, WriteDacl or WriteOwner), and an ACE inherited from a parent container must be removed on that parent rather than on this object. Re-read the ACL with \u003ccode\u003eGet-Acl\u003c/code\u003e afterwards to verify the result.\u003c/p\u003e\n\u003ch4\u003eValidate legitimacy of a custom property set\u003c/h4\u003e\n\u003cp\u003eThird-party products can introduce a custom property set through a schema extension procedure.\nIf this product is no longer present in your environment or if you have confirmation that this property set is malicious or poses a risk, you can remove it using the following PowerShell command (\u003ccode\u003e-Confirm:$false\u003c/code\u003e suppresses the confirmation prompt, so double-check the distinguished name first):\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Remove-ADObject -Identity \"CN=Z-Custom-PropSet,CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=CORP\" -Confirm:$false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the property set is legitimate, do not remove it: use the dedicated IoE option to declare it as a known custom property set instead.\u003c/p\u003e\n\u003ch4\u003eValidate then fix sensitive attributes belonging to a custom property set\u003c/h4\u003e\n\u003cp\u003eIt is not advisable to set a sensitive attribute within a custom property set, unless you have a specific requirement to do so. 
This practice can conceal backdoors that an attacker has planted on AD objects (an ACE on an innocuous-looking property set is easy to overlook), and it is also error-prone: it can unintentionally grant basic users access to a security-sensitive attribute, which they could exploit to elevate privileges within the AD.\n\u003cbr\u003eUse the following PowerShell command to reset the attribute's property-set reference (\"attributeSecurityGUID\") to the expected value given in the deviance details; the GUID below is only an example and must be replaced accordingly:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; $originalGuid = [System.Guid]::Parse(\"4c164200-20c0-11d0-a768-00aa006e0529\")\nPS\u0026gt; Set-ADObject -Identity \"CN=ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity,CN=Schema,CN=Configuration,DC=DOMAIN,DC=CORP\" -Replace @{'attributeSecurityGUID'=$originalGuid}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNote that the deviance related to this issue would also show up in the integrity checks results (although the risk is higher for a deviance on a sensitive attribute).\u003c/p\u003e\n","resources":[{"name":"Upgrading AD DS Schema to Windows Server 2016","url":"https://samilamppu.com/2016/11/06/upgrading-ad-ds-schema-to-windows-server-2016/","type":"hyperlink"},{"name":"Best Practices for Implementing Schema Updates","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/best-practices-for-implementing-schema-updates/ba-p/255611","type":"hyperlink"},{"name":"Active Directory schema changes in Exchange Server","url":"https://learn.microsoft.com/en-us/exchange/plan-and-deploy/active-directory/ad-schema-changes?view=exchserver-2019","type":"hyperlink"}]},"resources":[{"name":"Control Access Rights (AD DS)","url":"https://learn.microsoft.com/en-us/windows/win32/ad/control-access-rights","type":"hyperlink"},{"name":"Property Sets (AD Schema)","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/property-sets","type":"hyperlink"},{"name":"Creating a Control Access Right","url":"https://learn.microsoft.com/en-us/windows/win32/ad/creating-a-control-access-right","type":"hyperlink"},{"name":"Windows 
Server Active Directory schema updates","url":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/schema-updates","type":"hyperlink"},{"name":"Abusing forgotten permissions on computer objects in Active Directory","url":"https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/","type":"hyperlink"}],"applicable_resource_types":["ad_dmd","ad_control_access_right","ad_attribute_schema"],"attacker_known_tools":[],"category_id":4,"mitre_attacks":[{"tactic":"TA0003 - Persistence","techniques":["T1098 - Account Manipulation"]},{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Indicator of Exposure","released":true,"available_languages":["de_DE","es_001","zh_CN","fr_FR","ja_JP","zh_TW","ko_KR","en_US"],"tvdb_export_source":{"file_name":"diff-202411050200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-PROP-SET-SANITY","created_at":"2024-11-05T02:08:18","updated_at":"2024-11-05T02:08:18"},"severity":"medium","type":"ioe","subType":"ad","availableLocales":["de","es","zh-CN","fr","ja","zh-TW","ko","en"],"mitre_attack_information":[{"tactic":{"id":"TA0003","name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},"techniques":[{"id":"T1098","name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098"}]},{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},"techniques":[{"id":"T1078","name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078"}]}],"index":"1728494537425_indicator_ad_ioe_en_us"},"sort":[52]}],"ioaIndicators":[{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-Zerologon","_score":null,"_source":{"language_code":"en_US","codename":"I-Zerologon","name":"Zerologon Exploitation","description":"\u003cp\u003eThe branded Zerologon vulnerability is related to a critical vulnerability (CVE-2020-1472) in Windows Server that 
has received a CVSS score of 10.0 from Microsoft. It is an elevation-of-privilege vulnerability that occurs when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). This vulnerability allows attackers to compromise a domain and acquire domain administrator privileges.\u003c/p\u003e\n","criticity":"critical","resources":[{"name":"Secura Zerologon whitepaper","url":"https://www.secura.com/uploads/whitepapers/Zerologon.pdf","type":"hyperlink"},{"name":"Microsoft documentation about CVE-2020-1472","url":"https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e","type":"hyperlink"},{"name":"Microsoft security update","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1210/\" target=\"_blank\"\u003eT1210\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1210\" target=\"_blank\"\u003eT1210\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0008\" target=\"_blank\"\u003eTA0008\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of 
Attack","released":true,"available_languages":["es_001","zh_CN","de_DE","ja_JP","ko_KR","fr_FR","zh_TW","en_US"],"tvdb_export_source":{"file_name":"diff-202411050410.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-Zerologon","created_at":"2024-11-05T04:23:20","updated_at":"2024-11-05T04:23:20"},"severity":"critical","type":"ioa","availableLocales":["es","zh-CN","de","ja","ko","fr","zh-TW","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-DCShadow","_score":null,"_source":{"language_code":"en_US","codename":"I-DCShadow","name":"DCShadow","description":"\u003cp\u003eDCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push arbitrary changes to a domain via domain replication (for example applying forbidden sidHistory values).\u003c/p\u003e\n","criticity":"critical","resources":[{"name":"MITRE ATT\u0026CK description","url":"https://attack.mitre.org/techniques/T1207/","type":"hyperlink"},{"name":"DCShadow official","url":"https://www.DCShadow.com/","type":"hyperlink"},{"name":"DCShadow explained","url":"https://blog.alsid.eu/DCShadow-explained-4510f52fc19d","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1207/\" target=\"_blank\"\u003eT1207\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1207\" target=\"_blank\"\u003eT1207\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0005\" target=\"_blank\"\u003eTA0005\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of 
Attack","released":true,"available_languages":["es_001","zh_TW","fr_FR","de_DE","zh_CN","ja_JP","ko_KR","en_US"],"tvdb_export_source":{"file_name":"diff-202410251410.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-DCShadow","created_at":"2024-10-25T14:21:47","updated_at":"2024-10-25T14:21:47"},"severity":"critical","type":"ioa","availableLocales":["es","zh-TW","fr","de","zh-CN","ja","ko","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-DnsEnumeration","_score":null,"_source":{"language_code":"en_US","codename":"I-DnsEnumeration","name":"DNS Enumeration","description":"\u003cp\u003eDNS zone transfer is a legitimate feature to replicate a DNS zone from a primary DNS server to a secondary one, using the AXFR query type. However, attackers often abuse this mechanism during the reconnaissance phase in order to retrieve all DNS records, providing them with valuable information for attacking the environment. In particular, a successful DNS zone transfer can give an attacker useful information about the computers listed in the DNS zone, how to access them, and also helps in guessing their roles. Note that failed zone transfers (e.g., not having the necessary rights, zone transfer not configured on the server, etc.) 
are also detected.\u003c/p\u003e\n","criticity":"low","resources":[{"name":"DNS Logging and Diagnostics","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)","type":"hyperlink"},{"name":"DNS zone transfer","url":"https://en.wikipedia.org/wiki/DNS_zone_transfer","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1046/\" target=\"_blank\"\u003eT1046\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1046\" target=\"_blank\"\u003eT1046\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0007\" target=\"_blank\"\u003eTA0007\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of Attack","released":true,"available_languages":["zh_CN","es_001","fr_FR","ko_KR","zh_TW","ja_JP","de_DE","en_US"],"tvdb_export_source":{"file_name":"all-202410080210.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-DnsEnumeration","created_at":"2024-10-09T17:22:24","updated_at":"2024-10-09T17:22:24"},"severity":"low","type":"ioa","availableLocales":["zh-CN","es","fr","ko","zh-TW","ja","de","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-ReconAdminsEnum","_score":null,"_source":{"language_code":"en_US","codename":"I-ReconAdminsEnum","name":"Enumeration of Local Administrators","description":"\u003cp\u003eThe local Administrators group was enumerated through the SAMR RPC interface, most likely by BloodHound/SharpHound.\u003c/p\u003e\n","criticity":"low","resources":[{"name":"MITRE ATT\u0026CK 
description","url":"https://attack.mitre.org/techniques/T1069/001/","type":"hyperlink"},{"name":"BloodHound tool","url":"https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1069/001\" target=\"_blank\"\u003eT1069.001\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1069\" target=\"_blank\"\u003eT1069\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0007\" target=\"_blank\"\u003eTA0007\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of Attack","released":true,"available_languages":["es_001","ko_KR","fr_FR","zh_CN","ja_JP","de_DE","zh_TW","en_US"],"tvdb_export_source":{"file_name":"all-202410080210.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-ReconAdminsEnum","created_at":"2024-10-09T17:22:24","updated_at":"2024-10-09T17:22:24"},"severity":"low","type":"ioa","availableLocales":["es","ko","fr","zh-CN","ja","de","zh-TW","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-DcPasswordChange","_score":null,"_source":{"language_code":"en_US","codename":"I-DcPasswordChange","name":"Suspicious DC Password Change","description":"\u003cp\u003eThe critical CVE-2020-1472 named as Zerologon is an attack that abuses a cryptography flaw in the Netlogon protocol, allowing an attacker to establish a Netlogon secure channel with a domain controller as any computer. 
From there, several post-exploitation techniques can be used to achieve privilege escalation, such as \u003cstrong\u003edomain controller account password change\u003c/strong\u003e, coerced authentication, DCSync attacks, and others. The actual ZeroLogon exploit, i.e. the Netlogon spoofed-authentication bypass (addressed by the IOA 'Zerologon Exploitation'), is often confused with the post-exploitation activities that follow it. This indicator focuses on \u003cstrong\u003eone\u003c/strong\u003e of the post-exploitation activities that can be used in conjunction with the Netlogon vulnerability: the modification of the domain controller machine account password.\u003c/p\u003e\n","criticity":"critical","resources":[{"name":"MITRE ATT\u0026CK description","url":"https://attack.mitre.org/techniques/T1210/","type":"hyperlink"},{"name":"CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability","url":"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472","type":"hyperlink"},{"name":"Security policy settings - Domain member: Maximum machine account password age","url":"https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age","type":"hyperlink"},{"name":"Use Netdom.exe to reset machine account passwords of a Windows Server domain controller","url":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/use-netdom-reset-domain-controller-password","type":"hyperlink"},{"name":"Machine Account Password Process","url":"https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/machine-account-password-process/ba-p/396026","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1210/\" target=\"_blank\"\u003eT1210\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" 
href=\"https://attack.mitre.org/techniques/T1210\" target=\"_blank\"\u003eT1210\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0008\" target=\"_blank\"\u003eTA0008\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of Attack","released":true,"available_languages":["fr_FR","zh_TW","ja_JP","es_001","zh_CN","de_DE","ko_KR","en_US"],"tvdb_export_source":{"file_name":"diff-202411050210.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-DcPasswordChange","created_at":"2024-11-05T02:21:46","updated_at":"2024-11-05T02:21:46"},"severity":"critical","type":"ioa","availableLocales":["fr","zh-TW","ja","es","zh-CN","de","ko","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-SamNameImpersonation","_score":null,"_source":{"language_code":"en_US","codename":"I-SamNameImpersonation","name":"SAMAccountName Impersonation","description":"\u003cp\u003eThe critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from bad handling of requests targeting an object with a nonexistent sAMAccountName attribute. 
The domain controller automatically adds a trailing dollar sign ($) to the sAMAccountName value if it doesn't find one, which can lead to the impersonation of a targeted computer account.\u003c/p\u003e\n","criticity":"high","resources":[{"name":"MITRE ATT\u0026CK description","url":"https://attack.mitre.org/techniques/T1068/","type":"hyperlink"},{"name":"CVE-2021-42287/CVE-2021-42278 Weaponisation","url":"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html","type":"hyperlink"},{"name":"PACRequestorEnforcement and Kerberos Authentication","url":"https://blog.netwrix.com/2022/01/10/pacrequestorenforcement-and-kerberos-authentication/","type":"hyperlink"},{"name":"KB5008380 - Authentication updates (CVE-2021-42287)","url":"https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1068/\" target=\"_blank\"\u003eT1068\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1068\" target=\"_blank\"\u003eT1068\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0004\" target=\"_blank\"\u003eTA0004\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of 
Attack","released":true,"available_languages":["ko_KR","zh_TW","fr_FR","ja_JP","zh_CN","es_001","de_DE","en_US"],"tvdb_export_source":{"file_name":"diff-202411050210.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-SamNameImpersonation","created_at":"2024-11-05T02:21:46","updated_at":"2024-11-05T02:21:46"},"severity":"high","type":"ioa","availableLocales":["ko","zh-TW","fr","ja","zh-CN","es","de","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-ProcessInjectionLsass","_score":null,"_source":{"language_code":"en_US","codename":"I-ProcessInjectionLsass","name":"OS Credential Dumping: LSASS Memory\n","description":"\u003cp\u003eAfter a user logs on, attackers can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\u003c/p\u003e\n","criticity":"critical","resources":[{"name":"MITRE ATT\u0026CK description","url":"https://attack.mitre.org/techniques/T1003/001/","type":"hyperlink"},{"name":"ADsecurity.org - Extract Hashes from LSASS","url":"https://adsecurity.org/?p=462","type":"hyperlink"},{"name":"Microsoft - Using ProcDump","url":"https://learn.microsoft.com/en-us/sysinternals/downloads/procdump#using-procdump","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1003/001\" target=\"_blank\"\u003eT1003.001\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1003\" target=\"_blank\"\u003eT1003\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0006\" target=\"_blank\"\u003eTA0006\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr 
/\u003e\u003c/span\u003e","indicator_type":"Indicator of Attack","released":true,"available_languages":["de_DE","ja_JP","zh_TW","es_001","fr_FR","ko_KR","zh_CN","en_US"],"tvdb_export_source":{"file_name":"all-202410080210.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-ProcessInjectionLsass","created_at":"2024-10-09T17:22:24","updated_at":"2024-10-09T17:22:24"},"severity":"critical","type":"ioa","availableLocales":["de","ja","zh-TW","es","fr","ko","zh-CN","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-NtdsExtraction","_score":null,"_source":{"language_code":"en_US","codename":"I-NtdsExtraction","name":"NTDS Extraction","description":"\u003cp\u003eNTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. Once accessed, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.\u003c/p\u003e\n","criticity":"critical","resources":[{"name":"MITRE ATT\u0026CK description","url":"https://attack.mitre.org/techniques/T1003/003/","type":"hyperlink"},{"name":"How Attackers Dump Active Directory Database Credentials","url":"https://adsecurity.org/?p=2398","type":"hyperlink"},{"name":"Extracting Password Hashes from the Ntds.dit File","url":"https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1003/003\" target=\"_blank\"\u003eT1003.003\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1003\" target=\"_blank\"\u003eT1003\u003c/a\u003e\u003cbr 
/\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0006\" target=\"_blank\"\u003eTA0006\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of Attack","released":true,"available_languages":["es_001","zh_TW","de_DE","ja_JP","fr_FR","ko_KR","zh_CN","en_US"],"tvdb_export_source":{"file_name":"all-202410080210.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-NtdsExtraction","created_at":"2024-10-09T17:22:24","updated_at":"2024-10-09T17:22:24"},"severity":"critical","type":"ioa","availableLocales":["es","zh-TW","de","ja","fr","ko","zh-CN","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-PasswordSpraying","_score":null,"_source":{"language_code":"en_US","codename":"I-PasswordSpraying","name":"Password Spraying","description":"\u003cp\u003ePassword spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the low-and-slow method\u003c/p\u003e\n","criticity":"medium","resources":[{"name":"MITRE ATT\u0026CK description","url":"https://attack.mitre.org/techniques/T1110/003/","type":"hyperlink"},{"name":"Microsoft - Protecting your organization against password spray attacks","url":"https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/","type":"hyperlink"},{"name":"Domain PasswordSpray Tool","url":"https://github.com/dafthack/DomainPasswordSpray","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1110/003\" target=\"_blank\"\u003eT1110.003\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" 
href=\"https://attack.mitre.org/techniques/T1110\" target=\"_blank\"\u003eT1110\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0006\" target=\"_blank\"\u003eTA0006\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of Attack","released":true,"available_languages":["zh_CN","zh_TW","fr_FR","es_001","ko_KR","de_DE","ja_JP","en_US"],"tvdb_export_source":{"file_name":"all-202410080210.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-PasswordSpraying","created_at":"2024-10-09T17:22:24","updated_at":"2024-10-09T17:22:24"},"severity":"medium","type":"ioa","availableLocales":["zh-CN","zh-TW","fr","es","ko","de","ja","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]},{"_index":"1728494544006_indicator_ad_ioa_en_us","_type":"_doc","_id":"I-PetitPotam","_score":null,"_source":{"language_code":"en_US","codename":"I-PetitPotam","name":"PetitPotam","description":"\u003cp\u003ePetitPotam tool can be used to coerce authentication of the target machine to a remote system, generally to perform NTLM relay attacks. 
If PetitPotam targets a domain controller, an attacker can authenticate to another machine on the network by relaying the domain controller's authentication.\u003c/p\u003e\n","criticity":"critical","resources":[{"name":"MITRE ATT\u0026CK description","url":"https://attack.mitre.org/techniques/T1187/","type":"hyperlink"},{"name":"PetitPotam tool","url":"https://github.com/topotam/PetitPotam","type":"hyperlink"},{"name":"Coercer tool","url":"https://github.com/p0dalirius/Coercer","type":"hyperlink"},{"name":"Microsoft - KB5005413 - Use of PetitPotam for AD CS vulnerability","url":"https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429","type":"hyperlink"}],"mitre_attack_description":"\u003cspan\u003eID: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1187/\" target=\"_blank\"\u003eT1187\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eSub-technique of: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/techniques/T1187\" target=\"_blank\"\u003eT1187\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003eTactic: \u003ca rel=\"noopener noreferrer\" href=\"https://attack.mitre.org/tactics/TA0006\" target=\"_blank\"\u003eTA0006\u003c/a\u003e\u003cbr /\u003e\u003c/span\u003e\u003cspan\u003e\u003cbr /\u003e\u003c/span\u003e","indicator_type":"Indicator of 
Attack","released":true,"available_languages":["fr_FR","ja_JP","es_001","ko_KR","de_DE","zh_CN","zh_TW","en_US"],"tvdb_export_source":{"file_name":"all-202410080210.tar.gz","file_path":"exports/tenable_ad_ioa/v2","data_file_name":"I-PetitPotam","created_at":"2024-10-09T17:22:24","updated_at":"2024-10-09T17:22:24"},"severity":"critical","type":"ioa","availableLocales":["fr","ja","es","ko","de","zh-CN","zh-TW","en"],"index":"1728494544006_indicator_ad_ioa_en_us"},"sort":[-9223372036854776000]}]},"cookies":{},"user":null,"flash":null,"env":{"baseUrl":"https://www.tenable.com","host":"www.tenable.com","ga4TrackingId":""},"isUnsupportedBrowser":true,"__N_SSP":true},"page":"/indicators","query":{},"buildId":"l4vcnKDxIXiOkUtvMoFnX","isFallback":false,"isExperimentalCompile":false,"gssp":true,"appGip":true,"locale":"en","locales":["en","de","es","fr","ja","ko","zh-CN","zh-TW"],"defaultLocale":"en","domainLocales":[{"domain":"www.tenable.com","defaultLocale":"en"},{"domain":"de.tenable.com","defaultLocale":"de"},{"domain":"es-la.tenable.com","defaultLocale":"es"},{"domain":"fr.tenable.com","defaultLocale":"fr"},{"domain":"jp.tenable.com","defaultLocale":"ja"},{"domain":"kr.tenable.com","defaultLocale":"ko"},{"domain":"www.tenablecloud.cn","defaultLocale":"zh-CN"},{"domain":"zh-tw.tenable.com","defaultLocale":"zh-TW"}],"scriptLoader":[]}</script></body></html>
