Tenable Identity Exposure is an Identity Security Posture Management (ISPM) solution that helps you overcome identity sprawl and harden your defenses to shut down attack paths—before attackers exploit them. It continuously analyzes Active Directory, and cloud Identity Providers such as Entra ID and Okta, to uncover misconfigurations, excessive privileges, and risky trust relationships. With real-time Indicators of Exposure and Indicators of Attack, Tenable gives you deep visibility into identity risks across hybrid environments, empowering your team to prioritize and remediate what matters most—before breach conditions escalate.
A massive number of authentication requests on multiple computers, using the NTLM or Kerberos protocols and coming from the same source, can be an indication of an attack, likely with BloodHound/SharpHound.
The critical CVE-2020-1472, named Zerologon, is an attack that abuses a cryptographic flaw in the Netlogon protocol, allowing an attacker to establish a Netlogon secure channel with a domain controller as any computer. From there, several post-exploitation techniques can be used to achieve privilege escalation, such as changing the domain controller account password, coerced authentication, DCSync attacks, and others. The Zerologon exploit is often confused with the post-exploitation activities that follow the actual Netlogon spoofed authentication bypass (addressed by the IOA 'Zerologon Exploitation'). This indicator focuses on one of the post-exploitation activities that can be used in conjunction with the Netlogon vulnerability: the modification of the domain controller machine account password.
A Golden Ticket attack gains control over the Active Directory Key Distribution Service account (KRBTGT) and uses that account to forge valid Kerberos Ticket Granting Tickets (TGTs).
DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push arbitrary changes to a domain via domain replication (for example, applying forbidden sIDHistory values).
DNSAdmins exploitation is an attack that allows members of the DNSAdmins group to take control of a Domain Controller running the Microsoft DNS service. A member of the DNSAdmins group has rights to perform administrative tasks on the Active Directory DNS service. Attackers can abuse these rights to execute malicious code in a highly privileged context.
The local Administrators group was enumerated via the SAMR RPC interface, likely with BloodHound/SharpHound.
The DCSync command in Mimikatz allows an attacker to simulate a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.
Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords, also known as the low-and-slow method.
The PetitPotam tool can be used to coerce the target machine into authenticating to a remote system, generally to perform NTLM relay attacks. If PetitPotam targets a domain controller, an attacker can authenticate to another network machine by relaying the domain controller's authentication.
After a user logs on, attackers can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
DPAPI Domain Backup Keys are an essential part of the recovery of DPAPI secrets. Various attack tools focus on extracting these keys from Domain Controllers using LSA RPC calls. Microsoft recognizes that there is no supported method to rotate or change these keys. Therefore, if the DPAPI backup keys for the domain are compromised, Microsoft recommends creating an entirely new domain from scratch, which is a costly and lengthy operation.
A brute-force password guessing attack consists of submitting and checking all possible passwords and passphrases until the correct one is found.
Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The Kerberoasting Indicator of Attack requires the activation of Tenable Identity Exposure's Honey Account feature to send out an alert when there is a login attempt on the Honey Account or if this account receives a ticket request.
NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. Once accessed, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.
The critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from improper handling of requests targeting an object with a nonexistent sAMAccountName attribute. The domain controller automatically appends a trailing dollar sign ($) to the sAMAccountName value if it doesn't find a match, which can lead to the impersonation of a targeted computer account.
Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The classic Kerberoasting method is covered by the Kerberoasting IOA. As the indicator's name suggests, there is another way to perform a Kerberoasting attack, using a stealthy approach that could bypass many detections. Advanced attackers may favor this method in the hope of remaining invisible to most detection heuristics.
The branded Zerologon vulnerability refers to a critical vulnerability (CVE-2020-1472) in Windows Server that received a CVSS score of 10.0 from Microsoft. It consists of an elevation of privilege that occurs when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). This vulnerability allows attackers to compromise a domain and acquire domain administrator privileges.
Detects dynamic objects and insecure configuration related to them.
BadSuccessor is an Active Directory privilege escalation flaw in Windows Server 2025 that exploits dMSAs, allowing attackers to manipulate account links and potentially compromise the domain.
Verifies that no group is empty or contains only a single member.
Identifies potentially unsafe permissions that impact Exchange resources or are assigned to Exchange groups.
Detects outdated Exchange servers that Microsoft no longer supports as well as those missing the latest Cumulative Updates.
Lists misconfigurations that impact Exchange resources or its underlying Active Directory schema objects.
Collects information such as hybrid users and computers from the on-premises Active Directory environment about resources synchronized with Microsoft Entra ID.
Unusual accounts in sensitive Exchange groups
Shows potential misconfigurations of domain service accounts.
Checks that there are no duplicated (conflicting) users, computers, or groups.
Detects Shadow Credentials backdoors and misconfigurations in the "Windows Hello for Business" feature and its associated key credentials.
Checks that the built-in guest account is disabled.
Ensures Managed Service Accounts (MSAs) are deployed and well configured.
Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.
A step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.
Checks that the DNS server configuration disallows unsecure dynamic DNS zone updates.
Lists the misconfigured parameters related to Windows Server Update Services (WSUS).
Checks the integrity of property sets and validates their permissions.
Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS).
Checks for weaknesses in passwords that may heighten the vulnerability of Active Directory accounts.
Ensures that the domain implemented hardening measures to protect against ransomware.
Lists dangerous permissions and misconfigured parameters related to the Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI).
Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane.
Checks for privileged users who can connect to less privileged machines leading to a risk of credential theft.
CVE-2020-1472 ("Zerologon") affects the Netlogon protocol and allows elevation of privilege.
Credential roaming attributes are vulnerable, making the related user-protected secrets readable by an attacker.
Checks for objects containing potential clear-text passwords in attributes readable by domain users.
Identifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure.
Ensures there is no weak certificate mapping assigned to objects.
Checks hardening GPOs have been deployed on the domain.
Checks for privileged users who are not members of the Protected Users group.
Identifies user accounts that allow empty passwords.
Verifies that regular users cannot join external computers to the domain.
Ensures regular changes to the Microsoft Entra Seamless SSO account password.
Lists schema entries considered anomalous that could potentially offer a means of persistence.
Checks for regular updates of all active account passwords in Active Directory to reduce credential theft risk.
Ensures that the permissions set on Microsoft Entra Connect accounts are sane.
Some domain controllers can be managed by non-administrative users due to dangerous access rights.
Some password policies applied to specific user accounts are not strong enough and can lead to credential theft.
Ensures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the domain controllers or OU, are appropriate and secure.
The dsHeuristics attribute can modify AD behavior, but some fields are security-sensitive and pose a security risk.
Checks for the correct functional level of a domain or forest which determines the availability of advanced features and security options.
Ensures the secure and central management of local administrative accounts using LAPS.
Detects accounts that use weak Kerberos configuration.
Checks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials.
Checks for account members of the Pre-Windows 2000 Compatible Access group which can bypass security measures.
Accounts that are not used anymore should not stay in privileged groups.
Identifies obsolete systems that Microsoft no longer supports and which increase the infrastructure's exposure.
Checks for user or computer accounts that carry a privileged SID in their SID history attribute.
Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI.