
Secure Active Directory and Disrupt Attack Paths


Behind every breach headline is an insecure Active Directory (AD) deployment. AD has become the favored target for attackers to elevate privileges and move laterally by leveraging known flaws and misconfigurations.

Unfortunately, most organizations struggle with Active Directory security due to misconfigurations piling up as domains increase in complexity, leaving security teams unable to find and fix flaws before they become business-impacting issues.

Tenable.ad enables you to see everything, predict what matters, and act to address risk in Active Directory to disrupt attack paths before attackers exploit them.


No privilege escalation. No lateral movement. No next step for attackers.

Find and Fix Active Directory Weaknesses Before Attacks Happen

Discover and prioritize weaknesses within your existing Active Directory domains and reduce your exposure by following Tenable.ad’s step-by-step remediation guidance.

Detect and Respond to Active Directory Attacks in Real Time

Detect Active Directory attacks like DCShadow, Brute Force, Password Spraying, DCSync and more. Tenable.ad enriches your SIEM, SOC or SOAR with attack insights so you can quickly respond and stop attacks.
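As an added illustration of the logic that separates two of the credential attacks named above (example code written for this page, not Tenable.ad's detection engine), the Python below scans constructed Windows Security event 4625 (logon failure) records. The events are embedded in a simplified "timestamp EventID Key=Value" shape that is an assumption of the example, as are the thresholds: a brute-force attack shows up as many failures against one account inside a time window, a password spray as one source failing against many accounts while staying under the lockout threshold on each.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_THRESHOLD = 20     # failures against one account inside WINDOW (assumed)
SPRAY_ACCOUNTS_THRESHOLD = 10  # distinct accounts one source fails against inside WINDOW (assumed)
SPRAY_MAX_PER_ACCOUNT = 3      # a spray deliberately stays below the lockout threshold per account


def parse_event(line: str) -> dict:
    """Parse one forwarded event in the assumed '<ISO time> <EventID> Key=Value ...' shape."""
    ts, event_id, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "id": int(event_id),
        "user": fields.get("TargetUserName", "").lower(),
        "src": fields.get("IpAddress", "-"),
        "status": fields.get("SubStatus", ""),  # 0xC000006A bad password, 0xC0000064 unknown user
    }


def max_failures_in_window(evs: list) -> int:
    """Largest number of events (sorted by time) that fall inside one WINDOW-long span."""
    i = best = 0
    for j, e in enumerate(evs):
        while e["time"] - evs[i]["time"] > WINDOW:
            i += 1
        best = max(best, j - i + 1)
    return best


def max_accounts_in_window(evs: list) -> int:
    """Largest number of distinct accounts inside one WINDOW-long span from one source,
    counting only spans in which no account was tried more than SPRAY_MAX_PER_ACCOUNT times."""
    in_window = Counter()
    i = best = 0
    for e in evs:
        in_window[e["user"]] += 1
        while e["time"] - evs[i]["time"] > WINDOW:
            in_window[evs[i]["user"]] -= 1
            if in_window[evs[i]["user"]] == 0:
                del in_window[evs[i]["user"]]
            i += 1
        if max(in_window.values()) <= SPRAY_MAX_PER_ACCOUNT:
            best = max(best, len(in_window))
    return best


def detect(lines) -> list:
    """Return brute-force and password-spray alerts found in a batch of event lines."""
    events = [parse_event(line) for line in lines if line.strip()]
    failures = sorted((e for e in events if e["id"] == 4625), key=lambda e: e["time"])
    by_user, by_src = defaultdict(list), defaultdict(list)
    for e in failures:
        by_user[e["user"]].append(e)
        by_src[e["src"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        n = max_failures_in_window(evs)
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append({"type": "brute_force", "account": user, "failures": n,
                           "sources": sorted({e["src"] for e in evs})})
    for src, evs in by_src.items():
        n = max_accounts_in_window(evs)
        if n >= SPRAY_ACCOUNTS_THRESHOLD:
            alerts.append({"type": "password_spray", "source": src, "accounts": n})
    return alerts


# Constructed sample log: 25 failures against alice in 100 s, one failure each against
# twelve accounts from a second source, two typos by bob, and one successful logon (4624).
_BASE = datetime(2021, 6, 1, 8, 0, 0, tzinfo=timezone.utc)


def _event(sec, user, src, event_id=4625, status="0xC000006A"):
    ts = (_BASE + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {event_id} TargetUserName={user} IpAddress={src} SubStatus={status}"


SAMPLE_LOG = (
    [_event(i * 4, "alice", "10.0.0.5") for i in range(25)]
    + [_event(300 + i * 20, f"user{i:02d}", "10.0.0.9") for i in range(12)]
    + [_event(30, "bob", "10.0.0.20"), _event(90, "bob", "10.0.0.20")]
    + [_event(120, "carol", "10.0.0.21", event_id=4624, status="0x0")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two caveats a SOC would add before relying on this: the spray rule keys on a single source address, so a spray distributed across many IPs (or arriving through a NAT or VPN concentrator) needs a domain-wide variant that counts accounts with one or two failures regardless of source, and the bad-password and unknown-user sub-status codes should be tracked separately, since a run of 0xC0000064 from one source is account enumeration rather than a guess at a known user.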

Disrupt Attack Paths

The attack path is a well-trodden route through networks that attackers follow to monetize poor cyber hygiene. By combining Risk-based Vulnerability Management and Active Directory Security, Tenable enables you to disrupt the attack path, so that attackers struggle to find a foothold and have no next step if they do.

The attack path (as shown in the diagram):
  • Initial foothold: via phishing or vulnerability
  • Elevate: gain privileged access
  • Evade: hide forensic footprints
  • Establish: install code for permanence
  • Exfiltrate: exfiltrate data or hold the target to ransom
  • Explore: lateral movement across the target environment

"The Tenable.ad solution freed us from Active Directory security concerns so that we could focus on new business incorporation." Dominique Tessaro, CIO, Vinci Energies
Case studies:
  • How the Pharmaceutical Leader Sanofi Successfully Protects Its Global Active Directory Infrastructures
  • How Vinci Energies Achieved Strong Security Parameters On Its Ever-evolving Active Directory Infrastructures
  • How Lagardère’s Small Entities Protect Their Active Directory Infrastructures With Limited Resources

Secure Active Directory

  • Discover the underlying issues affecting your Active Directory
  • Identify dangerous trust relationships
  • Catch every change in your AD
  • Make the link between AD changes and malicious actions
  • Analyze in-depth details of attacks
  • Explore MITRE ATT&CK descriptions directly from incident details

Continuously Detect and Prevent Active Directory Attacks

No Agents, No Privileges, No Delays

Prevents and detects sophisticated Active Directory attacks without deploying agents or requiring privileged accounts.

Clouds Covered


Check the security of Azure Active Directory Domain Services, AWS Directory Service, or Google Managed Service for Active Directory in real time.

Deployed Anywhere


Tenable.ad provides the flexibility of two architectural designs. On-prem to keep your data on-site and under your control. SaaS, so you can leverage the cloud.

FAQs

What are the main capabilities of Tenable.ad?
Tenable.ad enables you to find and fix weaknesses in Active Directory before attackers exploit them, and to detect and respond to attacks in real time. The main capabilities of Tenable.ad are:
  • Uncover any hidden weaknesses within your Active Directory configurations
  • Discover the underlying issues threatening your AD security
  • Dissect each misconfiguration – in simple terms
  • Get recommended fixes for each issue
  • Create custom dashboards to manage your AD security to drive risk reduction
  • Discover dangerous trust relationships
  • Catch every change in your AD
  • Uncover major attacks per domain in your AD
  • Visualize every threat from an accurate attack timeline
  • Consolidate attack distribution in a single view
  • Make the link between AD changes and malicious actions
  • Analyze in-depth details of an AD attack
  • Explore MITRE ATT&CK® descriptions directly from detected incidents
What Active Directory attacks and techniques does Tenable.ad detect?
Tenable.ad detects many of the techniques used in cyber attacks to gain elevated privileges and enable lateral movement, including DCShadow, Brute Force, Password Spraying, DCSync, Golden Ticket and more.
What privilege attack vectors on Active Directory does Tenable.ad identify?
Tenable.ad has an extensive library of known attack vectors that attackers use to gain privilege. These include:

Attack vector | Description | Known offensive tools | MITRE ATT&CK tactics
Privileged accounts running Kerberos services | Highly privileged accounts have a Service Principal Name set, so any domain user can request a service ticket for them and crack it offline (Kerberoasting) | Kerberom | Privilege escalation, Lateral movement, Persistence
Dangerous Kerberos delegation | Check that no dangerous delegation (unconstrained, protocol transition, etc.) is authorized | Nishang | Privilege escalation, Lateral movement, Persistence
Use of weak cryptographic algorithms in the Active Directory PKI | Root certificates deployed on the internal Active Directory PKI must not use weak cryptographic algorithms | ANSSI-ADCP | Persistence, Privilege escalation, Lateral movement
Dangerous access rights delegation on critical objects | Some access rights allowing illegitimate users to control critical objects have been found | BloodHound | Exfiltration, Lateral movement, Command and control, Credential access, Privilege escalation
Multiple issues in the password policy | On some specific accounts, the current password policies are insufficient to ensure robust credential protection | Patator | Defense evasion, Lateral movement, Credential access, Privilege escalation
Dangerous RODC management accounts | The administrative groups in charge of Read-Only Domain Controllers contain abnormal accounts | Impacket | Credential access, Defense evasion, Privilege escalation
Sensitive GPOs linked to critical objects | Some GPOs managed by non-administrative accounts are linked to sensitive Active Directory objects (e.g. the KDC account, Domain Controllers, administrative groups) | ANSSI-ADCP | Command and control, Credential access, Persistence, Privilege escalation
Administrative accounts allowed to connect to systems other than Domain Controllers | The security policies deployed on the monitored infrastructure do not prevent administrative accounts from connecting to resources other than DCs, exposing sensitive credentials on those hosts | CrackMapExec | Defense evasion, Credential access
Dangerous trust relationship | Misconfigured trust relationship attributes decrease the security of the directory infrastructure | Kekeo | Lateral movement, Credential access, Privilege escalation, Defense evasion
Reversible passwords in GPOs | Verify that no GPO contains passwords stored in a reversible format (for example Group Policy Preferences cpassword values) | SMB Password crawler | Credential access, Privilege escalation
Computers running an obsolete OS | Obsolete systems are no longer supported by their vendor and greatly increase the infrastructure's vulnerability | Metasploit | Lateral movement, Command and control
Accounts using pre-Windows 2000 compatible access control | Accounts that are members of the Pre-Windows 2000 Compatible Access group can bypass specific security measures | Impacket | Lateral movement, Defense evasion
Local administrative account management | Ensure local administrative accounts are managed centrally and securely using LAPS | CrackMapExec | Defense evasion, Credential access, Lateral movement
Dangerous anonymous user configuration | Anonymous access is enabled on the monitored Active Directory infrastructure, leaking sensitive information | Impacket | Exfiltration
Abnormal RODC filtered attributes | The filtering policies applied on some Read-Only Domain Controllers can lead to sensitive information being cached, allowing privilege escalation | Mimikatz (DCShadow) | Privilege escalation, Defense evasion
Lacking restriction on lateral movement attack scenarios | Lateral movement restrictions have not been activated on the monitored Active Directory infrastructure, allowing attackers to bounce from machine to machine with the same level of privileges | CrackMapExec | Lateral movement
Clear-text passwords stored in DC shares | Some files on DC shares, accessible by any authenticated user, are likely to contain clear-text passwords, allowing privilege escalation | SMBSpider | Credential access, Privilege escalation, Persistence
Dangerous access control rights on logon scripts | Some scripts run during computer or user logon have dangerous access rights, leading to privilege escalation | Metasploit | Lateral movement, Privilege escalation, Persistence
Dangerous parameters used in GPOs | Some dangerous parameters (e.g. restricted groups, LM hash computation, NTLM authentication level, other sensitive settings) are set by GPO, weakening security | Responder | Discovery, Credential access, Execution, Persistence, Privilege escalation, Defense evasion
Dangerous parameters defined in the User Account Control configuration | The userAccountControl attribute of some user accounts defines dangerous parameters (e.g. PASSWD_NOTREQD or PARTIAL_SECRETS_ACCOUNT), which endanger the security of those accounts | Mimikatz (LSADump) | Persistence, Privilege escalation, Defense evasion
Lacking application of security patches | Some servers registered in Active Directory have not applied security updates recently | Metasploit | Command and control, Privilege escalation, Defense evasion
Brute force attempt on user accounts | Some user accounts have been targeted by a brute force attempt | Patator | Credential access
Kerberos configuration on user accounts | Some accounts use a weak Kerberos configuration | Mimikatz (Silver Ticket) | Credential access, Privilege escalation
Abnormal share or file stored on the DC | Some domain controllers are used to host unnecessary files or network shares | SMBSpider | Discovery, Exfiltration

What backdooring techniques on Active Directory does Tenable.ad identify?
Tenable.ad has an extensive library of known backdooring techniques that attackers use to gain persistence. These include:

Backdooring technique | Description | Known offensive tools | MITRE ATT&CK tactics
Ensure SDProp consistency | Check that the adminSDHolder object is in a clean state | Mimikatz (Golden Ticket) | Privilege escalation, Persistence
Ensure SDProp consistency | Verify that users' primary group has not been changed | BloodHound | Privilege escalation, Persistence
Verify root domain object permissions | Ensure the permissions set on the root domain object are sane | BloodHound | Privilege escalation, Persistence
Verify sensitive GPO object and file permissions | Ensure that the permissions set on GPO objects and files linked to sensitive containers (like the Domain Controllers OU) are sane | BloodHound | Execution, Privilege escalation, Persistence
Dangerous access rights on the RODC KDC account | The KDC account used on some Read-Only Domain Controllers can be controlled by illegitimate user accounts, leading to credential leaks | Mimikatz (DCSync) | Privilege escalation, Persistence
Sensitive certificates mapped to user accounts | Some X.509 certificates are stored in the altSecurityIdentities user account attribute, allowing the certificate's private key owner to authenticate as this user | | Command and control, Credential access, Privilege escalation, Persistence
Rogue krbtgt SPN set on a regular account | The Service Principal Name of the KDC is present on some regular user accounts, allowing Kerberos ticket forgery | Mimikatz (Golden Ticket) | Privilege escalation, Persistence
KDC password last change | The KDC (krbtgt) account password must be changed regularly | Mimikatz (Golden Ticket) | Credential access, Privilege escalation, Persistence
Accounts having a dangerous SID History attribute | Check for user or computer accounts carrying a privileged SID in their SID History attribute | DeathStar | Privilege escalation, Persistence
Rogue domain controllers | Ensure only legitimate Domain Controller servers are registered in the Active Directory infrastructure | Mimikatz (DCShadow) | Execution, Defense evasion, Privilege escalation, Persistence
Illegitimate BitLocker key access control | Some BitLocker recovery keys stored in Active Directory can be accessed by principals other than administrators and the linked computers | ANSSI-ADCP | Credential access, Privilege escalation, Persistence
Abnormal entries in the Schema security descriptor | The Active Directory schema has been modified, introducing new default access rights or objects that can endanger the monitored infrastructure | BloodHound | Privilege escalation, Persistence
DSRM account activated | The Directory Services Restore Mode recovery account has been activated, exposing it to credential theft | Mimikatz (LSADump) | Credential access, Execution, Defense evasion, Privilege escalation, Persistence
Dangerous caching policy on RODC | The caching policy configured on some Read-Only Domain Controllers allows global administrative accounts to have their credentials cached and retrieved by RODC management accounts | Mimikatz (DCSync) | Privilege escalation, Persistence
Certificate deployed by GPO applied on DCs | Some GPOs are used to deploy certificates on Domain Controllers, allowing the certificate's private key owner to compromise these servers | BloodHound | Privilege escalation, Persistence
Authentication hash not renewed when using smartcard | Some user accounts using smartcard authentication do not renew their credential hash frequently enough | Mimikatz (LSADump) | Persistence
Reversible passwords for user accounts | Verify that no setting causes passwords to be stored in a reversible format | Mimikatz (DCSync) | Credential access
Use of explicit deny access on containers | Some Active Directory containers or OUs define explicit deny entries, which can be used to conceal a backdoor | BloodHound | Defense evasion, Persistence
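Many of the checks in the two tables above can be evaluated from attribute values that a standard user can read over LDAP, which is what makes the agentless, user-privilege model described in the FAQ workable. The following Python is an added example written for this page (not Tenable.ad code) that runs a handful of those checks offline over constructed account records shaped like an LDAP export: a privileged account with an SPN, unconstrained and protocol-transition delegation, the PASSWD_NOTREQD, PARTIAL_SECRETS_ACCOUNT and reversible-encryption userAccountControl flags, privileged SIDs in sIDHistory, a privileged primaryGroupID, and the age of the krbtgt password. The attribute and flag names are the real AD schema names; the sample accounts, the domain SID and the 180-day krbtgt rotation threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (AD schema / [MS-ADTS] section 2.2.16).
PASSWD_NOTREQD = 0x00000020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x00000080      # "store password using reversible encryption"
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained Kerberos delegation
DONT_REQ_PREAUTH = 0x00400000                # Kerberos pre-authentication disabled
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition
PARTIAL_SECRETS_ACCOUNT = 0x04000000         # only legitimate on the RODC krbtgt_<id> accounts

# Well-known RIDs of privileged principals. A sIDHistory entry carrying one of them
# grants that privilege without any visible group membership.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
DOMAIN_USERS_RID = 513
KRBTGT_MAX_AGE = timedelta(days=180)  # assumed rotation policy for this example

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is stored as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer division of timedeltas is exact; float division would lose microseconds here.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def rid(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def check_account(acct: dict, now: datetime) -> list:
    """Evaluate one user record against the checks and return the names of the findings."""
    uac = acct.get("userAccountControl", 0)
    name = acct["sAMAccountName"]
    findings = []
    # A privileged account with an SPN: any domain user can request a service ticket
    # encrypted with its password hash and crack it offline (Kerberoasting).
    if acct.get("adminCount") == 1 and acct.get("servicePrincipalName") and name != "krbtgt":
        findings.append("privileged account running a Kerberos service")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation")
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol transition delegation")
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD set")
    if uac & PARTIAL_SECRETS_ACCOUNT and not name.startswith("krbtgt_"):
        findings.append("PARTIAL_SECRETS_ACCOUNT on a regular account")
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append("reversible password storage")
    if uac & DONT_REQ_PREAUTH:
        findings.append("Kerberos pre-authentication disabled")
    for sid in acct.get("sIDHistory", []):
        if rid(sid) in PRIVILEGED_RIDS:
            findings.append(f"privileged SID history ({PRIVILEGED_RIDS[rid(sid)]})")
    # The primary group is not listed in the group's member attribute, so a primary
    # group of Domain Admins is membership that a plain group review never shows.
    if acct.get("primaryGroupID", DOMAIN_USERS_RID) in PRIVILEGED_RIDS:
        findings.append("privileged primary group")
    if name == "krbtgt":
        age = now - filetime_to_datetime(acct["pwdLastSet"])
        if age > KRBTGT_MAX_AGE:
            findings.append(f"krbtgt password not changed for {age.days} days")
    return findings


def audit(accounts, now=None) -> dict:
    """Map each account name to its findings; accounts with no findings are omitted."""
    now = now or datetime.now(timezone.utc)
    return {a["sAMAccountName"]: f for a in accounts if (f := check_account(a, now))}


# Constructed sample records (assumed domain SID S-1-5-21-1111-2222-3333); 0x200 is NORMAL_ACCOUNT.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "primaryGroupID": 513},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"], "primaryGroupID": 513},
    {"sAMAccountName": "backup_op", "primaryGroupID": 513,
     "userAccountControl": 0x200 | PASSWD_NOTREQD | ENCRYPTED_TEXT_PWD_ALLOWED},
    {"sAMAccountName": "web_app", "primaryGroupID": 513,
     "userAccountControl": 0x200 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "primaryGroupID": 512,
     "sIDHistory": ["S-1-5-21-1111-2222-3333-519"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "adminCount": 1,
     "servicePrincipalName": ["kadmin/changepw"], "primaryGroupID": 513,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
]

if __name__ == "__main__":
    for account, found in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{account}: {', '.join(found)}")
```

In a live domain the records would come from an LDAP search run with an ordinary user account (for example `Get-ADUser -Filter * -Properties userAccountControl,servicePrincipalName,sIDHistory,primaryGroupID,pwdLastSet,adminCount`). Two caveats before using this as more than an illustration: unconstrained delegation is legitimate on domain controller computer accounts, so a production check must exclude those, and a point-in-time run of checks like these is exactly the snapshot that the FAQ below contrasts with continuous monitoring, since a backdoor such as a primary-group change can be set and reverted between two runs.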

How does Tenable.ad audit Active Directory?
Tenable.ad is the only solution on the market that does not need any deployment on Domain Controllers nor endpoints. Furthermore, Tenable.ad only needs user-level privileges to operate. This unique architecture enables security teams to rapidly audit the configuration of Active Directory without complex deployment issues.
Is Tenable.ad a point-in-time security audit tool for AD?

AD misconfigurations happen all the time, so a point-in-time audit is out of date within minutes of completing, and such audits focus on misconfigurations rather than also covering indicators of compromise.

On the other hand, Tenable.ad is a security platform that continuously scans your AD for new weaknesses and attacks - alerting users in real-time to issues.

Can Tenable.ad detect Golden Ticket attacks?
Yes, Golden Ticket is one of the many attack techniques that Tenable.ad can detect and help you prevent. With hundreds of security checks and correlations running in parallel, Tenable.ad has the widest security scope available for AD.
Does Tenable.ad integrate with my SIEM / SOAR / ticketing system / etc.?

AD security is an important piece of your security puzzle, and Tenable.ad blends into your security ecosystem seamlessly.

Our Syslog integration ensures that all SIEM and most ticketing systems can integrate with Tenable.ad right out of the box. We also have native apps available for QRadar, Splunk, and Phantom.

Is Tenable.ad a cloud-based solution?
Our solution supports both cloud-based and on-premise deployments. There is no functional difference between these two deployment approaches.
Can Tenable.ad scale to multi-org and multi-forest Active Directory deployments?
Some of the largest, most sensitive ADs are already protected by Tenable.ad. Our platform has been built as an enterprise-grade solution, and its agentless, AD-native architecture allows it to support complex multi-org, multi-forest Active Directory deployments.
How is Tenable.ad licensed?
Tenable.ad is licensed per enabled user account.
Does Tenable.ad require privileged access to Active Directory to find weaknesses and respond to attacks?
Tenable.ad only requires a standard user account for auditing of configurations and the identification of attacks against Active Directory.
How can I buy Tenable.ad?
You can purchase Tenable.ad by working with your local Tenable certified partner or contacting your Tenable representative.
Is there an evaluation of Tenable.ad available?
Yes, evaluations of Tenable.ad are available. Fill out the evaluation request form to start your evaluation.

Related Resources

A King's Ransom: How to Stop Ransomware Spreading via AD

A Global Threat to Enterprises: the Impact of AD Attacks

Securing Active Directory: How to Proactively Detect Attacks

GET STARTED WITH TENABLE.AD


"By deploying Tenable.ad on our global perimeter, we gave stakeholders much-needed visibility of corporate cybersecurity risks." Jean-Yves Poichotte, Global Head of Cyber Security - Sanofi
Tenable.ad

Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.