Name | Description | Severity |
---|---|---|
Service Accounts Misconfigurations | Shows potential misconfigurations of domain service accounts. | medium |
Conflicting Security Principals | Checks that there are no duplicated (conflicting) users, computers, or groups. | low |
Shadow Credentials | Detects Shadow Credentials backdoors and misconfigurations in the "Windows Hello for Business" feature and its associated key credentials. | high |
Enabled Guest Account | Checks that the built-in guest account is disabled. | low |
Managed Service Accounts Dangerous Misconfigurations | Ensures Managed Service Accounts (MSAs) are deployed and well configured. | high |
Privileged AD User Accounts Synchronized to Microsoft Entra ID | Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID. | high |
Privileged Authentication Silo Configuration | A step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts. | high |
Unsecure Dynamic DNS Zone Updates Allowed | Checks that the DNS server configuration disallows unsecure dynamic DNS zone updates. | high |
WSUS Dangerous Misconfigurations | Lists the misconfigured parameters related to Windows Server Update Services (WSUS). | critical |
Property Sets Integrity | Checks the integrity of property sets and validates their permissions. | medium |
Dangerous SYSVOL Replication Configuration | Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS). | medium |
Detection of Password Weaknesses | Checks for password weaknesses that may increase the exposure of Active Directory accounts. | high |
Insufficient Hardening Against Ransomware | Ensures that the domain has implemented hardening measures to protect against ransomware. | medium |
ADCS Dangerous Misconfigurations | Lists dangerous permissions and misconfigured parameters related to the Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI). | critical |
GPO Execution Sanity | Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane. | high |
Logon Restrictions for Privileged Users | Checks for privileged users who can connect to less privileged machines, leading to a risk of credential theft. | high |
Unsecured Configuration of Netlogon Protocol | CVE-2020-1472 ("Zerologon") affects the Netlogon protocol and allows elevation of privilege. | critical |
Vulnerable Credential Roaming Related Attributes | Credential roaming attributes are vulnerable, making the related user-protected secrets readable by an attacker. | low |
Potential Clear-Text Password | Checks for objects containing potential clear-text passwords in attributes readable by domain users. | high |
Dangerous Sensitive Privileges | Identifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure. | high |
Mapped Certificates on Accounts | Ensures that privileged objects do not have any mapped certificate assigned to them. | critical |
Domain Without Computer-Hardening GPOs | Checks that hardening GPOs have been deployed on the domain. | medium |
Protected Users Group Not Used | Checks for privileged users who are not members of the Protected Users group. | high |
Account with Possible Empty Password | Identifies user accounts that allow empty passwords. | high |
Users Allowed to Join Computers to the Domain | Verifies that regular users cannot join external computers to the domain. | medium |
Last Change of the Microsoft Entra SSO Account Password | Ensures regular changes to the Microsoft Entra SSO account password. | high |
Dangerous Rights in the AD Schema | Lists schema entries considered anomalous that could potentially offer a means of persistence. | high |
User Account Using Old Password | Checks for regular updates of all active account passwords in Active Directory to reduce credential theft risk. | medium |
Verify Permissions Related to Microsoft Entra Connect Accounts | Ensures that the permissions set on Microsoft Entra Connect accounts are sane. | critical |
Brute-Force Attack Detection | Detects brute-force and password spraying attacks. | critical |
Domain Controllers Managed by Illegitimate Users | Some domain controllers can be managed by non-administrative users due to dangerous access rights. | critical |
Application of Weak Password Policies on Users | Some password policies applied to specific user accounts are not strong enough and can lead to credential theft. | critical |
Verify Sensitive GPO Objects and Files Permissions | Ensures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the domain controllers or OU, are appropriate and secure. | critical |
Rogue Domain Controllers | Ensures that only legitimate domain controller servers are registered in the Active Directory infrastructure. | high |
Domain with Unsafe Backward-Compatibility Configuration | The dsHeuristics attribute can modify AD behavior, but some fields are security-sensitive and pose a security risk. | low |
Domains with an Outdated Functional Level | Checks for the correct functional level of a domain or forest, which determines the availability of advanced features and security options. | medium |
Local Administrative Account Management | Ensures the secure and central management of local administrative accounts using LAPS. | medium |
Kerberos Configuration on User Account | Detects accounts that use weak Kerberos configuration. | medium |
Root Objects Permissions Allowing DCSync-Like Attacks | Checks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials. | critical |
Accounts Using a Pre-Windows 2000 Compatible Access Control | Checks for accounts that are members of the Pre-Windows 2000 Compatible Access group, which can bypass security measures. | high |
Disabled Accounts in Privileged Groups | Accounts that are not used anymore should not stay in privileged groups. | low |
Computers Running an Obsolete OS | Identifies obsolete systems that Microsoft no longer supports and which increase the infrastructure's exposure. | high |
Accounts With a Dangerous SID History Attribute | Checks for user or computer accounts using a privileged SID in the SID history attribute. | high |
Use of Weak Cryptography Algorithms in Active Directory PKI | Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI. | critical |
Recent Use of the Default Administrator Account | Checks for recent uses of the built-in administrator account. | medium |
User Primary Group | Verifies that users' primary group has not been changed. | critical |
Dangerous Kerberos Delegation | Checks for unauthorized Kerberos delegation, and ensures protection for privileged users against it. | critical |
Reversible Passwords | Verifies that the option to store passwords in a reversible format is not enabled. | medium |
Reversible Passwords in GPO | Checks that GPO preferences do not allow passwords in a reversible format. | medium |
Ensure SDProp Consistency | Checks that the adminSDHolder object is in a clean state. | critical |