Tenable.ad Indicators

Tenable.ad allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real-time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. Tenable.ad's Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks.


Indicators of Attack

  • DNSAdmins exploitation is an attack that allows members of the DNSAdmins group to take over control of a Domain Controller running the Microsoft DNS service. A member of the DNSAdmins group has rights to perform administrative tasks on the Active Directory DNS service. Attackers can abuse these rights to execute malicious code in a highly privileged context.

  • DPAPI Domain Backup Keys are an essential part of the recovery of DPAPI secrets. Various attack tools focus on extracting these keys from Domain Controllers using LSA RPC calls.

  • The critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from bad handling of requests targeting an object with a nonexistent sAMAccountName attribute. The domain controller automatically adds a trailing dollar sign ($) to the sAMAccountName value if it doesn't find one, which can lead to the impersonation of a targeted computer account.

  • NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. Once accessed, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.

  • Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The Kerberoasting Indicator of Attack requires the activation of Tenable.ad's Honey Account feature to send out an alert when there is a login attempt on the Honey Account or if this account receives a ticket request.

  • A massive number of authentication requests on multiple computers, using NTLM or Kerberos protocols and coming from the same source can be an indication of an attack.

  • The local Administrators group was enumerated with SAMR RPC interface, more likely with BloodHound/SharpHound.

  • PetitPotam


    PetitPotam tool can be used to coerce authentication of the target machine to a remote system, generally to perform NTLM relay attacks. If PetitPotam targets a domain controller, an attacker can authenticate to another network machine relaying the domain controller's authentication.

  • Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the low-and-slow method

  • A brute-force password guessing attack consists in submitting and checking all possible passwords and passphrases until it finds the correct one.

See all Indicators of Attack

Indicators of Exposure

See all Indicators of Exposure