Detections
Analytics
Indicators of Exposure
| Name | Description | Severity |
|---|---|---|
| Dangerous SYSVOL Replication Configuration | Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS). | medium |
| Detection of Password Weaknesses | Verifies for weaknesses in passwords that may heighten the vulnerability of Active Directory accounts. | high |
| Insufficient hardening against ransomware | Ensure hardening measures against ransomware have been deployed on the domain | medium |
| ADCS Dangerous Misconfigurations | List dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI). | critical |
| GPO Execution Sanity | Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane. | high |
| Logon Restrictions for Privileged Users | Checks for privileged users who can connect to less privileged machines leading to a risk of credential theft. | high |
| Unsecured configuration of Netlogon protocol | CVE-2020-1472 ("Zerologon") affects Netlogon protocol and allows elevation of privilege | critical |
| Vulnerable credential roaming related attributes | Credential roaming attributes are vulnerable, making the related user protected secrets readable by an attacker. | low |
| Potential Clear-Text Password | Checks for objects containing potential clear-text passwords in attributes readable by domain users. | high |
| Dangerous sensitive privileges | Misconfigured sensitive privilege rights decrease the security of a directory infrastructure. | high |
| Mapped certificates on accounts | Ensure that no mapped certificate is set on privileged objects | critical |
| Domain without computer-hardening GPOs | Checks hardening GPOs have been deployed on the domain | medium |
| Protected Users group not used | Some privileged users are not members of the Protected Users group. | high |
| Account that might have an empty password | Check the absence of user accounts whose password could be empty. | high |
| Users allowed to join computers to the domain | Verify that regular users cannot join external computers to the domain. | medium |
| Last Change of the Microsoft Entra SSO Account Password | Ensures regular changes to the Microsoft Entra SSO account password. | high |
| Dangerous rights in AD's schema | List the abnormal entries in the schema that can provide a persistence mechanism. | high |
| User account using old password | User account passwords must be changed regularly | medium |
| Verify Permissions Related to AAD Connect Accounts | Ensure the permissions set on AAD Connect accounts are sane | critical |
| Domain controllers managed by illegitimate users | Some domain controllers can be managed by non-administrative users due to dangerous access rights. | critical |
| Weak password policies are applied on users | Some password policies applied on specific user accounts are not strong enough and can lead to credentials theft. | critical |
| Verify sensitive GPO objects and files permissions | Ensure the permissions set on the GPO objects and files that are linked to sensitive containers (like the Domain Controllers OU) are sane | critical |
| Domain using a dangerous backward-compatibility configuration | The dSHeuristics attribute can modify AD behavior and have security impacts | low |
| Domains have an outdated functional level | A low functional level prevents the use of advanced functionalities or improvements | medium |
| Local administrative account management | Ensure local administrative accounts are managed centrally and securely using LAPS | medium |
| Kerberos configuration on user account | Some accounts are using weak Kerberos configuration | medium |
| Root objects permissions allowing DCSync-like attacks | The permissions set on root objects could allow illegitimate users to steal authentication secrets | critical |
| Accounts using a Pre-Windows 2000 Compatible Access control | Account member of the Pre-Windows 2000 Compatible Access Group can bypass specific security measures. | high |
| Disabled accounts in privileged groups | Accounts that are not used anymore should not stay in privileged groups | low |
| Computers running an obsolete OS | Obsolete systems are not supported by the vendor anymore and greatly increase the infrastructure vulnerability | high |
| Accounts having a dangerous SID History attribute | Check user or computer accounts using a privileged SID in SID history attribute. | high |
| Use of Weak Cryptography Algorithms in Active Directory PKI | Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI. | critical |
| Recent use of the default administrator account | Built-in administrator account have been used recently | medium |
| User Primary Group | Verify users' Primary Group has not been changed | critical |
| Dangerous Kerberos delegation | Check that no dangerous Kerberos delegation (unconstrained, protocol transition, etc.) is authorized, and that privileged users are protected against such delegation | critical |
| Reversible Passwords | Verifies that the option to store passwords in a reversible format does not get enabled. | medium |
| Reversible passwords in GPO | Verify that no GPO contain passwords stored in a reversible format | medium |
| Ensure SDProp consistency | Control that the adminSDHolder object is in a clean state | critical |
| KDC password last change | KDC account password must be changed regularly | high |
| Native administrative group members | Abnormal accounts in the native administrative groups of Active Directory | critical |
| Privileged accounts running Kerberos services | List highly privileged, brute-forceable accounts with a Service Principal Name | critical |
| AdminCount attribute set on standard users | Some decommissioned administrative accounts are not globally manageable | medium |
| Sleeping accounts | Unused sleeping accounts are still activated | medium |
| Dangerous trust relationship | Misconfigured trust relationship attributes decrease the security of a directory infrastructure. | high |
| Accounts with never expiring passwords | Accounts with the DONT_EXPIRE property are not affected by password renewal policy | medium |
| Unlinked, disabled or orphan GPO | Having unlinked, disabled or orphan GPOs can lead to administrative errors | low |