Detections
Analytics
Indicators of Exposure
| Name | Description | Severity |
|---|---|---|
| WSUS Dangerous Misconfigurations | Lists the misconfigured parameters related to Windows Server Update Services (WSUS). | critical |
| Dangerous SYSVOL Replication Configuration | Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS). | medium |
| Detection of Password Weaknesses | Verifies for weaknesses in passwords that may heighten the vulnerability of Active Directory accounts. | high |
| Insufficient Hardening Against Ransomware | Ensures that the domain implemented hardening measures to protect against ransomware. | medium |
| ADCS Dangerous Misconfigurations | List dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI). | critical |
| GPO Execution Sanity | Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane. | high |
| Logon Restrictions for Privileged Users | Checks for privileged users who can connect to less privileged machines leading to a risk of credential theft. | high |
| Unsecured Configuration of Netlogon Protocol | CVE-2020-1472 ("Zerologon") affects Netlogon protocol and allows elevation of privilege | critical |
| Vulnerable Credential Roaming Related Attributes | Credential roaming attributes are vulnerable, making the related user protected secrets readable by an attacker. | low |
| Potential Clear-Text Password | Checks for objects containing potential clear-text passwords in attributes readable by domain users. | high |
| Dangerous Sensitive Privileges | Identifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure. | high |
| Mapped Certificates on Accounts | Ensures that privileged objects do not have any mapped certificate assigned to them. | critical |
| Domain Without Computer-Hardening GPOs | Checks hardening GPOs have been deployed on the domain. | medium |
| Protected Users Group Not Used | Verifies for privileged users who are not members of the Protected Users group. | high |
| Account with Possible Empty Password | Identifies user accounts that allow empty passwords. | high |
| Users Allowed to Join Computers to the Domain | Verify that regular users cannot join external computers to the domain. | medium |
| Last Change of the Microsoft Entra SSO Account Password | Ensures regular changes to the Microsoft Entra SSO account password. | high |
| Dangerous Rights in the AD Schema | Lists schema entries considered anomalous that could potentially offer a means of persistence. | high |
| User Account Using Old Password | Checks for regular updates of all active account passwords in Active Directory to reduce credential theft risk. | medium |
| Verify Permissions Related to Microsoft Entra Connect Accounts | Ensure the permissions set on Microsoft Entra Connect accounts are sane | critical |
| Domain Controllers Managed by Illegitimate Users | Some domain controllers can be managed by non-administrative users due to dangerous access rights. | critical |
| Application of Weak Password Policies on Users | Some password policies applied on specific user accounts are not strong enough and can lead to credentials theft. | critical |
| Verify Sensitive GPO Objects and Files Permissions | Ensures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the domain controllers or OU, are appropriate and secure. | critical |
| Domain with Unsafe Backward-Compatibility Configuration | The dsHeuristics attribute can modify AD behavior, but some fields are security-sensitive and pose a security risk. | low |
| Domains with an Outdated Functional Level | Checks for the correct functional level of a domain or forest which determines the availability of advanced features and security options. | medium |
| Local Administrative Account Management | Ensures the secure and central management of local administrative accounts using LAPS. | medium |
| Kerberos Configuration on User Account | Detects accounts that use weak Kerberos configuration. | medium |
| Root Objects Permissions Allowing DCSync-Like Attacks | Checks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials. | critical |
| Accounts Using a Pre-Windows 2000 Compatible Access Control | Checks for account members of the Pre-Windows 2000 Compatible Access group which can bypass security measures. | high |
| Disabled Accounts in Privileged Groups | Accounts that are not used anymore should not stay in privileged groups. | low |
| Computers Running an Obsolete OS | Identifies obsolete systems that Microsoft no longer support and which increase the infrastructure vulnerability. | high |
| Accounts With a Dangerous SID History Attribute | Checks user or computer accounts using a privileged SID in SID history attribute. | high |
| Use of Weak Cryptography Algorithms in Active Directory PKI | Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI. | critical |
| Recent Use of the Default Administrator Account | Checks for recent uses of the built-in administrator account. | medium |
| User Primary Group | Verify users' Primary Group has not been changed | critical |
| Dangerous Kerberos Delegation | Checks for unauthorized Kerberos delegation, and ensures protection for privileged users against it. | critical |
| Reversible Passwords | Verifies that the option to store passwords in a reversible format does not get enabled. | medium |
| Reversible Passwords in GPO | Checks that GPO preferences do not allow passwords in a reversible format. | medium |
| Ensure SDProp Consistency | Control that the adminSDHolder object is in a clean state. | critical |
| Last Password Change on KRBTGT account | Checks for KRBTGT accounts that have not changed their passwords for more than the recommended interval. | high |
| Native Administrative Group Members | Abnormal accounts in the native administrative groups of Active Directory | critical |
| Privileged Accounts Running Kerberos Services | Detects highly privileged accounts with the Service Principal Name (SPN) attribute which affects their security. | critical |
| AdminCount Attribute Set on Standard Users | Checks for the adminCount attribute on decommissioned accounts leading to permission issues that are difficult to manage. | medium |
| Dormant Accounts | Detects unused dormant accounts that can lead to security risks. | medium |
| Dangerous Trust Relationships | Identifies misconfigured trust relationship attributes that decrease the security of a directory infrastructure. | high |
| Accounts With Never Expiring Passwords | Checks for accounts with the DONT_EXPIRE_PASSWORD property flag in the userAccountControl attribute that allows indefinite use of the same password, bypassing password renewal policies. | medium |
| Unlinked, Disabled or Orphan GPO | Unused or disabled GPOs slow directory performance and RSoP computation, and can lead to security policy confusion. Reactivating them by mistake can weaken existing policies. | low |