Indicators

Tenable Identity Exposure allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real-time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. Tenable Identity Exposure's Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks.

Search

Indicators of Attack

  • The critical CVE-2020-1472 named as Zerologon is an attack that abuses a cryptography flaw in the Netlogon protocol, allowing an attacker to establish a Netlogon secure channel with a domain controller as any computer. From there, several post exploitation techniques can be used to achieve privilege escalation, such as domain controller account password change, coerced authentication, DCSync attacks, and others. The ZeroLogon exploit is often mistaken with the post exploitation activities using the actual Netlogon spoofed authentication bypass (addressed by the IOA 'Zerologon Exploitation'). This indicator focuses on one of the post exploitation activities that can be used in conjunction with the Netlogon vulnerability: the modification of the domain controller machine account password.

  • The branded Zerologon vulnerability is related to a critical vulnerability (CVE-2020-1472) in Windows Server that has received a CVSS score of 10.0 from Microsoft. It consists of an elevation of privileges that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). This vulnerability allows attackers to compromise a domain and acquire domain administrators privileges.

  • Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The classic Kerberoasting method is covered by the Kerberoasting IOA. As mentioned in the name of the indicator, there is another way to do a Kerberoasting attack, with a stealthy approach that could bypass a lot of detections. Advanced attackers may favor this method to hope to remain invisible to most detection heuristics.

  • DNSAdmins exploitation is an attack that allows members of the DNSAdmins group to take over control of a Domain Controller running the Microsoft DNS service. A member of the DNSAdmins group has rights to perform administrative tasks on the Active Directory DNS service. Attackers can abuse these rights to execute malicious code in a highly privileged context.

  • DPAPI Domain Backup Keys are an essential part of the recovery of DPAPI secrets. Various attack tools focus on extracting these keys from Domain Controllers using LSA RPC calls. Microsoft recognizes that there is no supported method to rotate nor change these keys. Therefore, if the DPAPI backup keys for the domain are compromised, they recommend creating an entire new domain from scratch which is a costly and lengthy operation.

  • The critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from bad handling of requests targeting an object with a nonexistent sAMAccountName attribute. The domain controller automatically adds a trailing dollar sign ($) to the sAMAccountName value if it doesn't find one, which can lead to the impersonation of a targeted computer account.

  • NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. Once accessed, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.

  • Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The Kerberoasting Indicator of Attack requires the activation of Tenable Identity Exposure's Honey Account feature to send out an alert when there is a login attempt on the Honey Account or if this account receives a ticket request.

  • A massive number of authentication requests on multiple computers, using NTLM or Kerberos protocols and coming from the same source can be an indication of an attack.

  • The local Administrators group was enumerated with SAMR RPC interface, more than likely with BloodHound/SharpHound.


See all Indicators of Attack

Indicators of Exposure


See all Indicators of Exposure