Tenable.ad Indicators

Tenable.ad allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real-time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. Tenable.ad's Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks.


Indicators of Attack

  • Various tools can be used to exploit some misconfiguration of the DNS service and execute arbitrary code on a Domain Controller.

  • DPAPI Domain Backup Keys are an essential part of the recovery of DPAPI secrets. A large variety of attack tools are focused on extracting those keys from Domain Controllers, using some LSA RPC calls.

  • An attacker tried to exploit the vulnerability related to sAMAccountName impersonation (CVE-2021-42287 / CVE-2021-42278).

  • A NTDS Extraction attack consists in a privileged attacker exfiltrating a copy of the Active Directory domain database represented by the domain controller local file NTDS.dit. Adversaries may attempt to access to an existing backup of the NTDS.dit file or to create a new one in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.

  • A Kerberoasting attack consists in an attacker requesting Kerberos service tickets in order to perform afterwards an offline brute force attack against ciphered technical parts of these service tickets. As these parts are ciphered thanks to the targeted service accounts passwords, if the passwords complexity is too low, they may be guessed and service accounts may be compromised. As a prerequisite to be fully functional, this indicator needs to have the Tenable.ad honey account well configured per monitored domain.

  • A massive number of authentication requests on multiple computers, using NTLM or Kerberos protocols and coming from the same source can be an indication of an attack.

  • The local Administrators group was enumerated with SAMR RPC interface, more likely with BloodHound/SharpHound.

  • PetitPotam


    PetitPotam tool can be used to coerce authentication of the target machine to a remote system, generally to perform NTLM relay attacks.

  • Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the low-and-slow method

  • A password guessing (brute force) attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

See all Indicators of Attack

Indicators of Exposure

See all Indicators of Exposure