| Package Version | Indicator Version | Release Date | Indicator Name | Target Platform | Required Permissions | Update Type |
|---|---|---|---|---|---|---|
| 4.0.380469 | 1.310.0 | 2025/06/10 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.380469 | 1.312.0 | 2025/06/10 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.380469 | 1.319.0 | 2025/06/10 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.380469 | 1.317.0 | 2025/06/10 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.380469 | 1.313.0 | 2025/06/10 | Detect MFA policy changes for groups and users | AAD | AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All | Updated |
DescriptionThis indicator looks for changes (removal of users and groups) from MFA policies. It relates to events invoked more than 4 hours after the policy's creation. Required permissions
|
||||||
| 4.0.380469 | 1.311.0 | 2025/06/10 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.380469 | 1.313.0 | 2025/06/10 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.380469 | 1.313.0 | 2025/06/10 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.380469 | 1.316.0 | 2025/06/10 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.380469 | 1.314.0 | 2025/06/10 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.380469 | 1.310.0 | 2025/06/10 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.380469 | 1.310.0 | 2025/06/10 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.380469 | 1.310.0 | 2025/06/10 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.380469 | 1.310.0 | 2025/06/10 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.380469 | 1.310.0 | 2025/06/10 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.380469 | 1.315.0 | 2025/06/10 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.380469 | 1.318.0 | 2025/06/10 | Objects with Reanimate-Tombstones extended right | AD | New Indicator | |
DescriptionThis indicator checks if there are any non-default principals with the Reanimate-Tombstones extended right configured. |
||||||
| 4.0.380469 | 1.322.0 | 2025/06/10 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.380469 | 1.310.0 | 2025/06/10 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.380469 | 1.310.0 | 2025/06/10 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.372460 | 1.295.0 | 2025/05/28 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Anonymous access to Active Directory enabled | AD | Updated | |
DescriptionIt is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Anonymous NSPI access to AD enabled | AD | Updated | |
DescriptionAnonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This indicator detects when NSPI access is enabled. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Dangerous control paths expose certificate containers | AD | Updated | |
DescriptionThis indicator looks for non-default principals with permissions on the NTAuthCertificates container. This container holds the intermediate CA certificates that can be used to authenticate to AD. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Certificate templates with 3 or more insecure configurations | AD | Updated | |
DescriptionThis indicator checks if certificate templates in the forest have a minimum of three insecure configurations - Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Dangerous control paths expose certificate templates | AD | Updated | |
DescriptionThis indicator looks for non-default principals with the ability to write properties on a certificate template. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Certificate templates that allow requesters to specify a subjectAltName | AD | Updated | |
DescriptionThis indicator checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.372460 | 1.295.0 | 2025/05/28 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Accounts with Constrained Delegation configured to ghost SPN | AD | Updated | |
DescriptionWhen computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for accounts that have Constrained Delegation configured to ghost SPNs. |
||||||
| 4.0.372460 | 1.309.0 | 2025/05/28 | OU permissions enabling BadSuccessor dMSA escalation | AD | New Indicator | |
DescriptionThis indicator checks for excessive permissions to create delegated Managed Service Accounts (dMSAs) within Active Directory organizational units (OU) or NC head (NC Head is the top-level object of a Naming Context (NC) in Active Directory) across domains that contain Windows Server 2025 domain controllers. The indicator identifies non-privileged identities that have been granted CreateChild, GenericAll, WriteDACL, or WriteOwner permissions on OUs or NC head, which could enable the execution of the "BadSuccessor" Privilege Escalation attack. The "BadSuccessor" attack is a technique which exploits vulnerabilities in Microsoft's Active Directory and enables domain takeover. The attack leverages a feature called Delegated Managed Service Accounts (dMSA), which was introduced in Windows Server 2025. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Operator groups no longer protected by AdminSDHolder and SDProp | AD | Updated | |
DescriptionThis indicator checks if dwAdminSDExMask mask on dsHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. Certain groups can be removed from SDProp protection with this setting. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Smart card password rotation disabled | AD | Updated | |
DescriptionThis indicator checks whether the mcDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute, which determines if smart card-only accounts must follow regular password rotation schedules, is disabled. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.372460 | 1.301.0 | 2025/05/28 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Built-in guest account is enabled | AD | Updated | |
DescriptionThis indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows for accounts with no password access to the domain and is disabled in most AD environments. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.372460 | 1.301.0 | 2025/05/28 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Principals with constrained delegation using protocol transition enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a service running on a DC. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Privileged users with SPN defined | AD | Updated | |
DescriptionThis indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not considered part of this indicator. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Privileged Users with Weak Password Policy | AD | Updated | |
DescriptionThis indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to ANSSI framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password as defined by ANSSI is at least 8 characters long and updated no later than every 3 years. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Unprivileged users can add computer accounts to the domain | AD | Updated | |
DescriptionThis indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability.The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: This configuration may be enabled but be already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to Domain Controllers OU that are not checked by this indicator. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | User accounts that use DES encryption | AD | Updated | |
DescriptionThis indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and environments that only support DES. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Weak certificate cipher | AD | Updated | |
DescriptionThis indicator looks for certificates stored in active directory with keysize smaller than 2048 bits or utilize DSA encryption. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | GPO linking delegation at the AD Site level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | GPO linking delegation at the domain controller OU level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | GPO linking delegation at the domain level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.364185 | 1.294.0 | 2025/05/15 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.364185 | 1.293.0 | 2025/05/15 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | User accounts using Smart Card authentication with old password | AD | Updated | |
DescriptionThis indicator looks for user accounts that are using Smart Card authentication whose password has not changed in the last 90 days. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Users with the attribute userPassword set | AD | Updated | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | User accounts with password not required | AD | Updated | |
DescriptionThis indicator identifies user accounts where a password is not required. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Changes to AD Display Specifiers in the past 90 days | AD | Updated | |
DescriptionThis indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers. Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Application instance property lock disabled | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | User consent is allowed for risky applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an Entra ID authorization policy that allows users to grant consent for risky applications. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Application name and geographic location additional contexts are disabled on MFA | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if the Microsoft Authenticator App settings are configured to display the name of the target application and geographical location of the request when a user receives a push notification. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access policy with Continuous Access Evaluation disabled | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Conditional Access policies that have Continuous Access Evaluation disabled. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Administrative units are not being used | AAD | AdministrativeUnit.Read.All | Updated |
DescriptionThis indicator checks for the use of administrative units in the Entra tenant. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access policies contain private IP addresses | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any named locations contains private IP addresses and are assigned to enabled Conditional Access policies. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Check for guests having permission to invite other guests | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for guest users that have permission to invite other guests. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Check if legacy authentication is allowed | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if legacy authentication is blocked either by Conditional Access policies or Security Defaults. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access policies that contain MFA Trusted IPs | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any enabled Conditional Access policies contain references to MFA Trusted IPs. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Privileged group contains guest account | AAD | User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks whether any privileged roles have been assigned to guest accounts. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Check for users with weak or no MFA | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks all users for their registered MFA types. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Security defaults not enabled | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether security defaults are enabled when there are no Conditional Access policies configured. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Unrestricted user consent allowed | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if users are allowed to add applications from unverified publishers to Entra ID. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Custom banned password protection not in use | AAD | Directory.Read.All | Updated |
DescriptionThis indicator checks if custom banned password protection is enabled in Entra ID. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access Policy that disable admin token persistence | AAD | Policy.Read.All | Updated |
DescriptionThis indicator looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to 9 hours. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | FIDO2 Attestation is not enforced | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if FIDO2 security key attestation is enforced in Entra ID. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Entra Connect sync account password reset | AAD | AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if there have been any password resets against Entra Connect sync Sync_ accounts not logged on in the past three days, which are considered stale. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Global Administrators that signed in during the last 14 days | AAD | RoleManagement.Read.All, User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator looks for Global Administrators that have signed in during the past 14 days. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Guest users are not restricted | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if guest users are restricted in the Entra tenant. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Guest accounts that were inactive for more than 30 days | AAD | User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Guest accounts that have not signed in, using an interactive or non-interactive sign in, in the past 30 days. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Detect MFA policy changes for groups and users | AAD | AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All | Updated |
DescriptionThis indicator looks for changes (removal of users and groups) from MFA policies. It relates to events invoked more than 4 hours after the policy's creation. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | Updated |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | Updated |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | AD privileged users that are synced to Entra ID | AAD, AD | User.Read.All | Updated |
DescriptionThis indicator checks for AD privileged users that are synced to Entra ID. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Resource Based Constrained Delegation applied to AZUREADSSOACC account | AAD, AD | Updated | |
DescriptionThis indicator looks for Resource Based Constrained Delegation configured on the Entra Seamless SSO account. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Report suspicious MFA activity disabled | AAD | Policy.Read.All, GroupMember.Read.All | Updated |
DescriptionThis indicator checks if the setting to report suspicious MFA activity is enabled. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access Policy that does not require a password change from high risk users | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a conditional access policy exists that requires a password change for users marked as high-risk by Entra ID Protection. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Security questions are in use | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks if security questions are in use for Entra self-service password reset. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Enterprise applications using SAML for SSO | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for enterprise applications (service principals) in Entra ID configured to use SAML for SSO. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Self-service password reset enabled for privileged roles | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether users in privileged roles in Entra ID can use self-service password reset. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Guest invites not accepted in last 30 day | AAD | User.Read.All | Updated |
DescriptionThis indicator checks for guest invites that were not redeemed within 30 days of the invitation. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users can create security groups | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users can create security groups. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Non-admin users can register custom applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an authorization policy that allows non-admin users to register applications in your Entra tenant. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Anonymous access to Active Directory enabled | AD | Updated | |
DescriptionIt is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Anonymous NSPI access to AD enabled | AD | Updated | |
DescriptionAnonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This indicator detects when NSPI access is enabled. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Certificate templates with 3 or more insecure configurations | AD | Updated | |
DescriptionThis indicator checks if certificate templates in the forest have a minimum of three insecure configurations - Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Dangerous control paths expose certificate templates | AD | Updated | |
DescriptionThis indicator looks for non-default principals with the ability to write properties on a certificate template. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Certificate templates that allow requesters to specify a subjectAltName | AD | Updated | |
DescriptionThis indicator checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Changes to default security descriptor schema in the last 90 days | AD | Updated | |
DescriptionThis indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening AD security posture. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.362949 | 1.283.0 | 2025/05/13 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Evidence of Mimikatz DCShadow attack | AD | Updated | |
DescriptionThis indicator checks for certain evidence of a DCShadow attack performed using Mimikatz. |
||||||
| 4.0.362949 | 1.280.1 | 2025/05/13 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Operator groups no longer protected by AdminSDHolder and SDProp | AD | Updated | |
DescriptionThis indicator checks if dwAdminSDExMask mask on dsHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. Certain groups can be removed from SDProp protection with this setting. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Smart card password rotation disabled | AD | New Indicator | |
DescriptionThis indicator checks whether the mcDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute, which determines if smart card-only accounts must follow regular password rotation schedules, is disabled. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Foreign Security Principals in Privileged Group | AD | Updated | |
DescriptionThis indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | gMSA not in use | AD | Updated | |
DescriptionThis indicator checks if there are enabled group Managed Service Account (gMSA) objects in the domain. |
||||||
| 4.0.362949 | 1.281.0 | 2025/05/13 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | GPO Weak LM Hash storage enabled | AD | Updated | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.362949 | 1.278.0 | 2025/05/13 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Distributed COM Users group or Performance Log Users group are not empty | AD | Updated | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Objects in privileged groups without adminCount=1 (SDProp) | AD | Updated | |
DescriptionThis indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Objects with constrained delegation configured | AD | Updated | |
DescriptionThis indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and does not have the UserAccountControl bit for protocol transition set. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Principals with constrained authentication delegation enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Changes to MS LAPS read permissions | AD | Updated | |
DescriptionThis indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution. These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | High-privileged custom roles | Okta | Updated | |
DescriptionCustom roles were found that allow a user to perform actions on users' passwords. These custom roles grant elevated privileges and potentially pose a significant security risk if not properly managed. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Password policy check | Okta | Updated | |
DescriptionThis indicator evaluates the password policies in place and verifies if they adhere to Okta's recommendations. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access to Active Directory. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users with SPN defined | AD | Updated | |
DescriptionThis indicator provides a way to visually inventory all users accounts that have SPNs defined. Generally SPNs are only defined for "Kerberized" services, so if you see an account with an SPN that should not have one, this could be cause for concern. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.362949 | 1.277.0 | 2025/05/13 | Privileged Users with Weak Password Policy | AD | Updated | |
DescriptionThis indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to ANSSI framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password as defined by ANSSI is at least 8 characters long and updated no later than every 3 years. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | User accounts using Smart Card authentication with old password | AD | Updated | |
DescriptionThis indicator looks for user accounts that are using Smart Card authentication whose password has not changed in the last 90 days. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.353464 | 1.271.0 | 2025/04/29 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.353464 | 1.272.0 | 2025/04/29 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.353464 | 1.271.0 | 2025/04/29 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.345541 | 1.270.0 | 2025/04/16 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.345541 | 1.270.0 | 2025/04/16 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.345541 | 1.270.0 | 2025/04/16 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.345541 | 1.270.0 | 2025/04/16 | Users with permissions to set Server Trust Account | AD | Updated | |
DescriptionChecks for permissions on the domain NC head that enables a user to set a UAC flag - Server_Trust_Account on computer objects. This flag gives that computer object special permissions similar to a domain controller. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Changes to AD Display Specifiers in the past 90 days | AD | Updated | |
DescriptionThis indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers. Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days | AD | Updated | |
DescriptionThe Default Domain Policy and Default Domain Controllers Policy GPOs are special objects within AD, and control domain-wide and Domain Controller wide security settings. This indicator looks for changes to these two special GPOs within the last 7 days. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Application instance property lock disabled | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | User consent is allowed for risky applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an Entra ID authorization policy that allows users to grant consent for risky applications. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Application name and geographic location additional contexts are disabled on MFA | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if the Microsoft Authenticator App settings are configured to display the name of the target application and geographical location of the request when a user receives a push notification. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Conditional Access policy with Continuous Access Evaluation disabled | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Conditional Access policies that have Continuous Access Evaluation disabled. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Administrative units are not being used | AAD | AdministrativeUnit.Read.All | Updated |
DescriptionThis indicator checks for the use of administrative units in the Entra tenant. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access policies contain private IP addresses | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any named locations contains private IP addresses and are assigned to enabled Conditional Access policies. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Check for guests having permission to invite other guests | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for guest users that have permission to invite other guests. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Check if legacy authentication is allowed | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if legacy authentication is blocked either by Conditional Access policies or Security Defaults. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access policies that contain MFA Trusted IPs | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any enabled Conditional Access policies contain references to MFA Trusted IPs. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Privileged group contains guest account | AAD | User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks whether any privileged roles have been assigned to guest accounts. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Check for users with weak or no MFA | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks all users for their registered MFA types. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Security defaults not enabled | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether security defaults are enabled when there are no Conditional Access policies configured. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Unrestricted user consent allowed | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if users are allowed to add applications from unverified publishers to Entra ID. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Custom banned password protection not in use | AAD | Directory.Read.All | Updated |
DescriptionThis indicator checks if custom banned password protection is enabled in Entra ID. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Conditional Access Policy that disable admin token persistence | AAD | Policy.Read.All | Updated |
DescriptionThis indicator looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to 9 hours. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | FIDO2 Attestation is not enforced | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if FIDO2 security key attestation is enforced in Entra ID. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Entra Connect sync account password reset | AAD | AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if there have been any password resets against Entra Connect sync Sync_ accounts not logged on in the past three days, which are considered stale. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Global Administrators that signed in during the last 14 days | AAD | RoleManagement.Read.All, User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator looks for Global Administrators that have signed in during the past 14 days. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Guest users are not restricted | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if guest users are restricted in the Entra tenant. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Guest accounts that were inactive for more than 30 days | AAD | User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Guest accounts that have not signed in, using an interactive or non-interactive sign in, in the past 30 days. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.345190 | 1.261.0 | 2025/04/16 | Detect MFA policy changes for groups and users | AAD | AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All | Updated |
DescriptionThis indicator looks for changes (removal of users and groups) from MFA policies. It relates to events invoked more than 4 hours after the policy's creation. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | Updated |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | Updated |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | AD privileged users that are synced to Entra ID | AAD, AD | User.Read.All | Updated |
DescriptionThis indicator checks for AD privileged users that are synced to Entra ID. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Resource Based Constrained Delegation applied to AZUREADSSOACC account | AAD, AD | Updated | |
DescriptionThis indicator looks for Resource Based Constrained Delegation configured on the Entra Seamless SSO account. |
||||||
| 4.0.345190 | 1.269.0 | 2025/04/16 | Report suspicious MFA activity disabled | AAD | Policy.Read.All, GroupMember.Read.All | Updated |
DescriptionThis indicator checks if the setting to report suspicious MFA activity is enabled. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access Policy that does not require a password change from high risk users | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a conditional access policy exists that requires a password change for users marked as high-risk by Entra ID Protection. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Security questions are in use | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks if security questions are in use for Entra self-service password reset. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Enterprise applications using SAML for SSO | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for enterprise applications (service principals) in Entra ID configured to use SAML for SSO. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Self-service password reset enabled for privileged roles | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether users in privileged roles in Entra ID can use self-service password reset. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Guest invites not accepted in last 30 day | AAD | User.Read.All | Updated |
DescriptionThis indicator checks for guest invites that were not redeemed within 30 days of the invitation. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Users can create security groups | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users can create security groups. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Non-admin users can register custom applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an authorization policy that allows non-admin users to register applications in your Entra tenant. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Abnormal Password Refresh | AD | Updated | |
DescriptionThis indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unexpected accounts in Cert Publishers Group | AD | Updated | |
DescriptionThis indicator checks to see if the Cert Publishers Group contains members that aren't expected to be there. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Built-in domain Administrator account used within the last two weeks | AD | Updated | |
DescriptionThe Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last two weeks. If so, it could indicate that the user has been compromised. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Anonymous access to Active Directory enabled | AD | Updated | |
DescriptionIt is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Anonymous NSPI access to AD enabled | AD | Updated | |
DescriptionAnonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This indicator detects when NSPI access is enabled. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Dangerous control paths expose certificate containers | AD | Updated | |
DescriptionThis indicator looks for non-default principals with permissions on the NTAuthCertificates container. This container holds the intermediate CA certificates that can be used to authenticate to AD. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Certificate templates with 3 or more insecure configurations | AD | Updated | |
DescriptionThis indicator checks if certificate templates in the forest have a minimum of three insecure configurations - Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Dangerous control paths expose certificate templates | AD | Updated | |
DescriptionThis indicator looks for non-default principals with the ability to write properties on a certificate template. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Certificate templates that allow requesters to specify a subjectAltName | AD | Updated | |
DescriptionThis indicator checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Changes to default security descriptor schema in the last 90 days | AD | Updated | |
DescriptionThis indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening AD security posture. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.345190 | 1.252.0 | 2025/04/16 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Computer Accounts in Privileged Groups | AD | Updated | |
DescriptionThis indicator looks for computer accounts that are members of built-in privileged groups. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.345190 | 1.252.0 | 2025/04/16 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Evidence of Mimikatz DCShadow attack | AD | Updated | |
DescriptionThis indicator checks for certain evidence of a DCShadow attack performed using Mimikatz. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Accounts with Constrained Delegation configured to ghost SPN | AD | Updated | |
DescriptionWhen computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for accounts that have Constrained Delegation configured to ghost SPNs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged users that are disabled | AD | Updated | |
DescriptionThis indicator looks for privileged user accounts, as indicated by their adminCount attribute set to 1, that are disabled. If a privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.345190 | 1.252.0 | 2025/04/16 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Operator groups no longer protected by AdminSDHolder and SDProp | AD | Updated | |
DescriptionThis indicator checks if dwAdminSDExMask mask on dsHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. Certain groups can be removed from SDProp protection with this setting. |
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Foreign Security Principals in Privileged Group | AD | Updated | |
DescriptionThis indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | gMSA not in use | AD | Updated | |
DescriptionThis indicator checks if there are enabled group Managed Service Account (gMSA) objects in the domain. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | gMSA objects with old passwords | AD | Updated | |
DescriptionThis indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.345190 | 1.244.0 | 2025/04/16 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Dangerous GPO logon script path | AD | Updated | |
DescriptionThis indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to modify them. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | GPO Weak LM Hash storage enabled | AD | Updated | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Reversible passwords found in GPOs | AD | Updated | |
DescriptionThis indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker ("Cpassword" entries). Until patch MS14-025, it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Built-in guest account is enabled | AD | Updated | |
DescriptionThis indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows for accounts with no password access to the domain and is disabled in most AD environments. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Users with permissions to set Server Trust Account | AD | Updated | |
DescriptionChecks for permissions on the domain NC head that enables a user to set a UAC flag - Server_Trust_Account on computer objects. This flag gives that computer object special permissions similar to a domain controller. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Distributed COM Users group or Performance Log Users group are not empty | AD | Updated | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unprivileged accounts with adminCount=1 | AD | Updated | |
DescriptionThis indicator looks for any users or groups that may have been under the control of SDProp (adminCount=1) but are no longer members of privileged groups and should not be considered privileged. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.345190 | 1.238.0 | 2025/04/16 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users and computers without readable PGID | AD | Updated | |
DescriptionThis indicator finds users and computers for whom it can't read the PGID. This may be due to the default permission of Read access having been removed, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute). |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Objects in privileged groups without adminCount=1 (SDProp) | AD | Updated | |
DescriptionThis indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Objects with constrained delegation configured | AD | Updated | |
DescriptionThis indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and does not have the UserAccountControl bit for protocol transition set. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Principals with constrained authentication delegation enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Changes to MS LAPS read permissions | AD | Updated | |
DescriptionThis indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution. These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Kerberos protocol transition delegation configured | AD | Updated | |
DescriptionThis indicator looks for services that have been configured to allow Kerberos protocol transition. This capability enables a delegated service to use any available authentication protocol. This means that compromised services can reduce the quality of their authentication protocol to something that is more easily compromised (e.g. NTLM). |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Principals with constrained delegation using protocol transition enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a service running on a DC. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access to Active Directory. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Users with SPN defined | AD | Updated | |
DescriptionThis indicator provides a way to visually inventory all users accounts that have SPNs defined. Generally SPNs are only defined for "Kerberized" services, so if you see an account with an SPN that should not have one, this could be cause for concern. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Changes to privileged group membership in the last 7 days | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate privilege. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged users with SPN defined | AD | Updated | |
DescriptionThis indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not considered part of this indicator. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged Users with Weak Password Policy | AD | Updated | |
DescriptionThis indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to ANSSI framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password as defined by ANSSI is at least 8 characters long and updated no later than every 3 years. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) | AD | Updated | |
DescriptionWith sufficient permissions on a computer account and the ability to create another user or computer security principal, it is possible to compromise resources on that computer account using Kerberos resource-based constrained delegation (RBCD). This indicator looks for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Write access to RBCD on DC | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for Domain Controllers to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Write access to RBCD on krbtgt account | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for the krbtgt account to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.345190 | 1.262.0 | 2025/04/16 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | User accounts using Smart Card authentication with old password | AD | New Indicator | |
DescriptionThis indicator looks for user accounts that are using Smart Card authentication whose password has not changed in the last 90 days. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | SYSVOL Executable Changes | AD | Updated | |
DescriptionThis indicator looks for modifications to executable files within SYSVOL. It only examines files and executables that have read access to them. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users with the attribute userPassword set | AD | Updated | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unprivileged users can add computer accounts to the domain | AD | Updated | |
DescriptionThis indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability.The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: This configuration may be enabled but be already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to Domain Controllers OU that are not checked by this indicator. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | User accounts that use DES encryption | AD | Updated | |
DescriptionThis indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and environments that only support DES. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | User accounts with password not required | AD | Updated | |
DescriptionThis indicator identifies user accounts where a password is not required. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | GPO linking delegation at the AD Site level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | GPO linking delegation at the domain controller OU level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | GPO linking delegation at the domain level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.325842 | 1.226.0 | 2025/03/10 | Application instance property lock disabled | AAD | Application.Read.All | New Indicator |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.325842 | 1.229.0 | 2025/03/10 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.325842 | 1.229.0 | 2025/03/10 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.325842 | 1.230.0 | 2025/03/10 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.325842 | 1.228.0 | 2025/03/10 | Detect MFA policy changes for groups and users | AAD | AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All | New Indicator |
DescriptionThis indicator looks for changes (removal of users and groups) from MFA policies. It relates to events invoked more than 4 hours after the policy's creation. Required permissions
|
||||||
| 4.0.325842 | 1.229.0 | 2025/03/10 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.325842 | 1.232.0 | 2025/03/10 | Report suspicious MFA activity disabled | AAD | Policy.Read.All, GroupMember.Read.All | New Indicator |
DescriptionThis indicator checks if the setting to report suspicious MFA activity is enabled. Required permissions
|
||||||
| 4.0.325842 | 1.231.0 | 2025/03/10 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.325842 | 1.231.0 | 2025/03/10 | Dangerous GPO logon script path | AD | Updated | |
DescriptionThis indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to modify them. |
||||||
| 4.0.325842 | 1.231.0 | 2025/03/10 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.325842 | 1.231.0 | 2025/03/10 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Changes to AD Display Specifiers in the past 90 days | AD | Updated | |
DescriptionThis indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers. Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days | AD | Updated | |
DescriptionThe Default Domain Policy and Default Domain Controllers Policy GPOs are special objects within AD, and control domain-wide and Domain Controller wide security settings. This indicator looks for changes to these two special GPOs within the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | User consent is allowed for risky applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an Entra ID authorization policy that allows users to grant consent for risky applications. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Application name and geographic location additional contexts are disabled on MFA | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if the Microsoft Authenticator App settings are configured to display the name of the target application and geographical location of the request when a user receives a push notification. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Conditional Access policy with Continuous Access Evaluation disabled | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Conditional Access policies that have Continuous Access Evaluation disabled. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Administrative units are not being used | AAD | AdministrativeUnit.Read.All | Updated |
DescriptionThis indicator checks for the use of administrative units in the Entra tenant. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Conditional Access policies contain private IP addresses | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any named locations contains private IP addresses and are assigned to enabled Conditional Access policies. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Check for guests having permission to invite other guests | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for guest users that have permission to invite other guests. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Check if legacy authentication is allowed | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if legacy authentication is blocked either by Conditional Access policies or Security Defaults. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Conditional Access policies that contain MFA Trusted IPs | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any enabled Conditional Access policies contain references to MFA Trusted IPs. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged group contains guest account | AAD | User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks whether any privileged roles have been assigned to guest accounts. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Check for users with weak or no MFA | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks all users for their registered MFA types. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Security defaults not enabled | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether security defaults are enabled when there are no Conditional Access policies configured. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Unrestricted user consent allowed | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if users are allowed to add applications from unverified publishers to Entra ID. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Custom banned password protection not in use | AAD | Directory.Read.All | Updated |
DescriptionThis indicator checks if custom banned password protection is enabled in Entra ID. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Conditional Access Policy that disable admin token persistence | AAD | Policy.Read.All | Updated |
DescriptionThis indicator looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to 9 hours. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | FIDO2 Attestation is not enforced | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if FIDO2 security key attestation is enforced in Entra ID. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Entra Connect sync account password reset | AAD | AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if there have been any password resets against Entra Connect sync Sync_ accounts not logged on in the past three days, which are considered stale. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Global Administrators that signed in during the last 14 days | AAD | RoleManagement.Read.All, User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator looks for Global Administrators that have signed in during the past 14 days. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Guest users are not restricted | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if guest users are restricted in the Entra tenant. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Guest accounts that were inactive for more than 30 days | AAD | User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Guest accounts that have not signed in, using an interactive or non-interactive sign in, in the past 30 days. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.289828 | 1.220.0 | 2025/02/12 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | Updated |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | AD privileged users that are synced to Entra ID | AAD, AD | User.Read.All | Updated |
DescriptionThis indicator checks for AD privileged users that are synced to Entra ID. Required permissions
|
||||||
| 4.0.289828 | 1.224.0 | 2025/02/12 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Resource Based Constrained Delegation applied to AZUREADSSOACC account | AAD, AD | Updated | |
DescriptionThis indicator looks for Resource Based Constrained Delegation configured on the Entra Seamless SSO account. |
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Conditional Access Policy that does not require a password change from high risk users | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a conditional access policy exists that requires a password change for users marked as high-risk by Entra ID Protection. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Security questions are in use | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks if security questions are in use for Entra self-service password reset. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Enterprise applications using SAML for SSO | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for enterprise applications (service principals) in Entra ID configured to use SAML for SSO. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Self-service password reset enabled for privileged roles | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether users in privileged roles in Entra ID can use self-service password reset. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Guest invites not accepted in last 30 day | AAD | User.Read.All | Updated |
DescriptionThis indicator checks for guest invites that were not redeemed within 30 days of the invitation. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Users can create security groups | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users can create security groups. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Non-admin users can register custom applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an authorization policy that allows non-admin users to register applications in your Entra tenant. Required permissions
|
||||||
| 4.0.289828 | 1.223.0 | 2025/02/12 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Abnormal Password Refresh | AD | Updated | |
DescriptionThis indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Unexpected accounts in Cert Publishers Group | AD | Updated | |
DescriptionThis indicator checks to see if the Cert Publishers Group contains members that aren't expected to be there. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Built-in domain Administrator account used within the last two weeks | AD | Updated | |
DescriptionThe Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last two weeks. If so, it could indicate that the user has been compromised. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Anonymous access to Active Directory enabled | AD | Updated | |
DescriptionIt is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Anonymous NSPI access to AD enabled | AD | Updated | |
DescriptionAnonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This indicator detects when NSPI access is enabled. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous control paths expose certificate containers | AD | Updated | |
DescriptionThis indicator looks for non-default principals with permissions on the NTAuthCertificates container. This container holds the intermediate CA certificates that can be used to authenticate to AD. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Certificate templates with 3 or more insecure configurations | AD | Updated | |
DescriptionThis indicator checks if certificate templates in the forest have a minimum of three insecure configurations - Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous control paths expose certificate templates | AD | Updated | |
DescriptionThis indicator looks for non-default principals with the ability to write properties on a certificate template. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Certificate templates that allow requesters to specify a subjectAltName | AD | Updated | |
DescriptionThis indicator checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Changes to default security descriptor schema in the last 90 days | AD | Updated | |
DescriptionThis indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening AD security posture. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Computer Accounts in Privileged Groups | AD | Updated | |
DescriptionThis indicator looks for computer accounts that are members of built-in privileged groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Evidence of Mimikatz DCShadow attack | AD | Updated | |
DescriptionThis indicator checks for certain evidence of a DCShadow attack performed using Mimikatz. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Accounts with Constrained Delegation configured to ghost SPN | AD | Updated | |
DescriptionWhen computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for accounts that have Constrained Delegation configured to ghost SPNs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged users that are disabled | AD | Updated | |
DescriptionThis indicator looks for privileged user accounts, as indicated by their adminCount attribute set to 1, that are disabled. If a privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Operator groups no longer protected by AdminSDHolder and SDProp | AD | Updated | |
DescriptionThis indicator checks if dwAdminSDExMask mask on dsHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. Certain groups can be removed from SDProp protection with this setting. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Foreign Security Principals in Privileged Group | AD | Updated | |
DescriptionThis indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | gMSA objects with old passwords | AD | Updated | |
DescriptionThis indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous GPO logon script path | AD | Updated | |
DescriptionThis indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to modify them. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO Weak LM Hash storage enabled | AD | Updated | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Reversible passwords found in GPOs | AD | Updated | |
DescriptionThis indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker ("Cpassword" entries). Until patch MS14-025, it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Built-in guest account is enabled | AD | Updated | |
DescriptionThis indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows for accounts with no password access to the domain and is disabled in most AD environments. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with permissions to set Server Trust Account | AD | Updated | |
DescriptionChecks for permissions on the domain NC head that enables a user to set a UAC flag - Server_Trust_Account on computer objects. This flag gives that computer object special permissions similar to a domain controller. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non default value on ms-Mcs-AdmPwd SearchFlags | AD | Updated | |
DescriptionSome flags on the ms-Mcs-AdmPwd schema may inadvertently cause passwords to be visible to users allowing an attacker to use it as stealthy backdoor. This indicator looks for any changes to default searchFlags, which may create an exposure. Detection of changes to the default will result in a score of 80 for this indicator, signifying that a review should be conducted. Any removal of the default flags will result in a score of 0 due to their importance to security. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Distributed COM Users group or Performance Log Users group are not empty | AD | Updated | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unprivileged accounts with adminCount=1 | AD | Updated | |
DescriptionThis indicator looks for any users or groups that may have been under the control of SDProp (adminCount=1) but are no longer members of privileged groups and should not be considered privileged. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users and computers without readable PGID | AD | Updated | |
DescriptionThis indicator finds users and computers for whom it can't read the PGID. This may be due to the default permission of Read access having been removed, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute). |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Objects in privileged groups without adminCount=1 (SDProp) | AD | Updated | |
DescriptionThis indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Objects with constrained delegation configured | AD | Updated | |
DescriptionThis indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and does not have the UserAccountControl bit for protocol transition set. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Principals with constrained authentication delegation enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Changes to MS LAPS read permissions | AD | Updated | |
DescriptionThis indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution. These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Kerberos protocol transition delegation configured | AD | Updated | |
DescriptionThis indicator looks for services that have been configured to allow Kerberos protocol transition. This capability enables a delegated service to use any available authentication protocol. This means that compromised services can reduce the quality of their authentication protocol to something that is more easily compromised (e.g. NTLM). |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Principals with constrained delegation using protocol transition enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a service running on a DC. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | High-privileged custom roles | Okta | Updated | |
DescriptionCustom roles were found that allow a user to perform actions on users' passwords. These custom roles grant elevated privileges and potentially pose a significant security risk if not properly managed. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New permission has been granted to a group | Okta | Updated | |
DescriptionIn the last 7 days, permission was given to a group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New permission has been granted to a user | Okta | Updated | |
DescriptionThis indicator checks if any permissions have been granted to a user within the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New API token was created | Okta | Updated | |
DescriptionIn the last 7 days,a new API token was created. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New Super Admin permission has been granted to a group | Okta | Updated | |
DescriptionIn the last 7 days, "Super Admin" permission was given to a group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New Super Admin permission has been granted to a user | Okta | Updated | |
DescriptionThis indicator checks if the "Super Admin" permission was given to a user in the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Password policy check | Okta | Updated | |
DescriptionThis indicator evaluates the password policies in place and verifies if they adhere to Okta's recommendations. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User activation in the last 7 days | Okta | Updated | |
DescriptionThis indicator checks if a user has been activated within the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User deactivation in the last 7 days | Okta | Updated | |
DescriptionThis indicator checks if a user has been deactivated within the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users without Multi-Factor Authentication (MFA) | Okta | Updated | |
DescriptionThis indicator checks all users to identify those who have not registered for Multi-Factor Authentication (MFA). |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access to Active Directory. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with SPN defined | AD | Updated | |
DescriptionThis indicator provides a way to visually inventory all users accounts that have SPNs defined. Generally SPNs are only defined for "Kerberized" services, so if you see an account with an SPN that should not have one, this could be cause for concern. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Changes to privileged group membership in the last 7 days | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate privilege. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged users with SPN defined | AD | Updated | |
DescriptionThis indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not considered part of this indicator. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged Users with Weak Password Policy | AD | Updated | |
DescriptionThis indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to ANSSI framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password as defined by ANSSI is at least 8 characters long and updated no later than every 3 years. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) | AD | Updated | |
DescriptionWith sufficient permissions on a computer account and the ability to create another user or computer security principal, it is possible to compromise resources on that computer account using Kerberos resource-based constrained delegation (RBCD). This indicator looks for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Write access to RBCD on DC | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for Domain Controllers to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Write access to RBCD on krbtgt account | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for the krbtgt account to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | SYSVOL Executable Changes | AD | Updated | |
DescriptionThis indicator looks for modifications to executable files within SYSVOL. It only examines files and executables that have read access to them. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with the attribute userPassword set | AD | Updated | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unprivileged users can add computer accounts to the domain | AD | Updated | |
DescriptionThis indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability.The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: This configuration may be enabled but be already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to Domain Controllers OU that are not checked by this indicator. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User accounts that use DES encryption | AD | Updated | |
DescriptionThis indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and environments that only support DES. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User accounts with password not required | AD | Updated | |
DescriptionThis indicator identifies user accounts where a password is not required. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Weak certificate cipher | AD | Updated | |
DescriptionThis indicator looks for certificates stored in active directory with keysize smaller than 2048 bits or utilize DSA encryption. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO linking delegation at the AD Site level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO linking delegation at the domain controller OU level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO linking delegation at the domain level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.273013 | 1.208.0 | 2025/01/16 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.273013 | 1.189.0 | 2025/01/16 | Application instance property lock disabled | AAD | Application.Read.All | Removed |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | Updated |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.273013 | 1.207.0 | 2025/01/16 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.273013 | 1.212.0 | 2025/01/16 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | New Indicator |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.273013 | 1.200.0 | 2025/01/16 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.273013 | 1.209.0 | 2025/01/16 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.273013 | 1.213.0 | 2025/01/16 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.273013 | 1.202.0 | 2025/01/16 | Distributed COM Users group or Performance Log Users group are not empty | AD | New Indicator | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.259168 | 1.198.0 | 2024/12/12 | Changes to AD Display Specifiers in the past 90 days | AD | Updated | |
DescriptionThis indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers. Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked. |
||||||
| 4.0.259168 | 1.198.1 | 2024/12/12 | Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days | AD | Updated | |
DescriptionThe Default Domain Policy and Default Domain Controllers Policy GPOs are special objects within AD, and control domain-wide and Domain Controller wide security settings. This indicator looks for changes to these two special GPOs within the last 7 days. |
||||||
| 4.0.259168 | 1.178.0 | 2024/12/12 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.259168 | 1.189.0 | 2024/12/12 | Application instance property lock disabled | AAD | Application.Read.All | New Indicator |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Application name and geographic location additional contexts are disabled on MFA | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if the Microsoft Authenticator App settings are configured to display the name of the target application and geographical location of the request when a user receives a push notification. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access policy with Continuous Access Evaluation disabled | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Conditional Access policies that have Continuous Access Evaluation disabled. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Administrative units are not being used | AAD | AdministrativeUnit.Read.All | Updated |
DescriptionThis indicator checks for the use of administrative units in the Entra tenant. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access policies contain private IP addresses | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any named locations contains private IP addresses and are assigned to enabled Conditional Access policies. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Check for guests having permission to invite other guests | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for guest users that have permission to invite other guests. Required permissions
|
||||||
| 4.0.259168 | 1.160.0 | 2024/12/12 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Check if legacy authentication is allowed | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if legacy authentication is blocked either by Conditional Access policies or Security Defaults. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access policies that contain MFA Trusted IPs | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any enabled Conditional Access policies contain references to MFA Trusted IPs. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Privileged group contains guest account | AAD | User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks whether any privileged roles have been assigned to guest accounts. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Check for users with weak or no MFA | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks all users for their registered MFA types. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Security defaults not enabled | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether security defaults are enabled when there are no Conditional Access policies configured. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Unrestricted user consent allowed | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if users are allowed to add applications from unverified publishers to Entra ID. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Custom banned password protection not in use | AAD | Directory.Read.All | Updated |
DescriptionThis indicator checks if custom banned password protection is enabled in Entra ID. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access Policy that disable admin token persistence | AAD | Policy.Read.All | Updated |
DescriptionThis indicator looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to 9 hours. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | FIDO2 Attestation is not enforced | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if FIDO2 security key attestation is enforced in Entra ID. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Entra Connect sync account password reset | AAD | AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if there have been any password resets against Entra Connect sync Sync_ accounts not logged on in the past three days, which are considered stale. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Global Administrators that signed in during the last 14 days | AAD | RoleManagement.Read.All, User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator looks for Global Administrators that have signed in during the past 14 days. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Guest users are not restricted | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if guest users are restricted in the Entra tenant. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Guest accounts that were inactive for more than 30 days | AAD | User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Guest accounts that have not signed in, using an interactive or non-interactive sign in, in the past 30 days. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.259168 | 1.171.0 | 2024/12/12 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.259168 | 1.176.0 | 2024/12/12 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | New Indicator |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | New Indicator |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.259168 | 1.193.0 | 2024/12/12 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | New Indicator |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.259168 | 1.162.0 | 2024/12/12 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.259168 | 1.170.0 | 2024/12/12 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access Policy that does not require a password change from high risk users | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a conditional access policy exists that requires a password change for users marked as high-risk by Entra ID Protection. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.259168 | 1.182.0 | 2024/12/12 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Security questions are in use | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks if security questions are in use for Entra self-service password reset. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Enterprise applications using SAML for SSO | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for enterprise applications (service principals) in Entra ID configured to use SAML for SSO. Required permissions
|
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Self-service password reset enabled for privileged roles | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether users in privileged roles in Entra ID can use self-service password reset. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | New Indicator |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Users can create security groups | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users can create security groups. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Non-admin users can register custom applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an authorization policy that allows non-admin users to register applications in your Entra tenant. Required permissions
|
||||||
| 4.0.259168 | 1.188.0 | 2024/12/12 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | New Indicator |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Abnormal Password Refresh | AD | Updated | |
DescriptionThis indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication. |
||||||
| 4.0.259168 | 1.180.0 | 2024/12/12 | Unexpected accounts in Cert Publishers Group | AD | Updated | |
DescriptionThis indicator checks to see if the Cert Publishers Group contains members that aren't expected to be there. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Built-in domain Administrator account used within the last two weeks | AD | Updated | |
DescriptionThe Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last two weeks. If so, it could indicate that the user has been compromised. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Changes to default security descriptor schema in the last 90 days | AD | Updated | |
DescriptionThis indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening AD security posture. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.259168 | 1.164.0 | 2024/12/12 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.259168 | 1.152.0 | 2024/12/12 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | gMSA objects with old passwords | AD | Updated | |
DescriptionThis indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.259168 | 1.161.0 | 2024/12/12 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.259168 | 1.183.0 | 2024/12/12 | GPO Weak LM Hash storage enabled | AD | Updated | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.259168 | 1.156.0 | 2024/12/12 | Changes to privileged group membership in the last 7 days | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate privilege. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.259168 | 1.167.0 | 2024/12/12 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | SYSVOL Executable Changes | AD | Updated | |
DescriptionThis indicator looks for modifications to executable files within SYSVOL. It only examines files and executables that have read access to them. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.220574 | 1.129.0 | 2024/09/10 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.220574 | 1.128.0 | 2024/09/10 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.220574 | 1.130.0 | 2024/09/10 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.220574 | 1.139.0 | 2024/09/10 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | New Indicator |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | AD privileged users that are synced to Entra ID | AAD, AD | User.Read.All | Updated |
DescriptionThis indicator checks for AD privileged users that are synced to Entra ID. Required permissions
|
||||||
| 4.0.220574 | 1.147.0 | 2024/09/10 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | New Indicator |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Resource Based Constrained Delegation applied to AZUREADSSOACC account | AAD, AD | Updated | |
DescriptionThis indicator looks for Resource Based Constrained Delegation configured on the Entra Seamless SSO account. |
||||||
| 4.0.220574 | 1.135.0 | 2024/09/10 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.220574 | 1.132.0 | 2024/09/10 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Abnormal Password Refresh | AD | Updated | |
DescriptionThis indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unexpected accounts in Cert Publishers Group | AD | Updated | |
DescriptionThis indicator checks to see if the Cert Publishers Group contains members that aren't expected to be there. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Built-in domain Administrator account used within the last two weeks | AD | Updated | |
DescriptionThe Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last two weeks. If so, it could indicate that the user has been compromised. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computer Accounts in Privileged Groups | AD | Updated | |
DescriptionThis indicator looks for computer accounts that are members of built-in privileged groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Evidence of Mimikatz DCShadow attack | AD | Updated | |
DescriptionThis indicator checks for certain evidence of a DCShadow attack performed using Mimikatz. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Accounts with Constrained Delegation configured to ghost SPN | AD | Updated | |
DescriptionWhen computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for accounts that have Constrained Delegation configured to ghost SPNs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged users that are disabled | AD | Updated | |
DescriptionThis indicator looks for privileged user accounts, as indicated by their adminCount attribute set to 1, that are disabled. If a privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.220574 | 1.131.0 | 2024/09/10 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | New Indicator |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Foreign Security Principals in Privileged Group | AD | Updated | |
DescriptionThis indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | gMSA not in use | AD | Updated | |
DescriptionThis indicator checks if there are enabled group Managed Service Account (gMSA) objects in the domain. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | gMSA objects with old passwords | AD | Updated | |
DescriptionThis indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Dangerous GPO logon script path | AD | Updated | |
DescriptionThis indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to modify them. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | GPO Weak LM Hash storage enabled | AD | New Indicator | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Reversible passwords found in GPOs | AD | Updated | |
DescriptionThis indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker ("Cpassword" entries). Until patch MS14-025, it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Built-in guest account is enabled | AD | Updated | |
DescriptionThis indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows for accounts with no password access to the domain and is disabled in most AD environments. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with permissions to set Server Trust Account | AD | Updated | |
DescriptionChecks for permissions on the domain NC head that enables a user to set a UAC flag - Server_Trust_Account on computer objects. This flag gives that computer object special permissions similar to a domain controller. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unprivileged accounts with adminCount=1 | AD | Updated | |
DescriptionThis indicator looks for any users or groups that may have been under the control of SDProp (adminCount=1) but are no longer members of privileged groups and should not be considered privileged. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users and computers without readable PGID | AD | Updated | |
DescriptionThis indicator finds users and computers for whom it can't read the PGID. This may be due to the default permission of Read access having been removed, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute). |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Objects in privileged groups without adminCount=1 (SDProp) | AD | Updated | |
DescriptionThis indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Objects with constrained delegation configured | AD | Updated | |
DescriptionThis indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and does not have the UserAccountControl bit for protocol transition set. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Principals with constrained authentication delegation enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Kerberos protocol transition delegation configured | AD | Updated | |
DescriptionThis indicator looks for services that have been configured to allow Kerberos protocol transition. This capability enables a delegated service to use any available authentication protocol. This means that compromised services can reduce the quality of their authentication protocol to something that is more easily compromised (e.g. NTLM). |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Principals with constrained delegation using protocol transition enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a service running on a DC. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access to Active Directory. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with SPN defined | AD | Updated | |
DescriptionThis indicator provides a way to visually inventory all users accounts that have SPNs defined. Generally SPNs are only defined for "Kerberized" services, so if you see an account with an SPN that should not have one, this could be cause for concern. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Changes to privileged group membership in the last 7 days | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate privilege. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged users with SPN defined | AD | Updated | |
DescriptionThis indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not considered part of this indicator. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) | AD | Updated | |
DescriptionWith sufficient permissions on a computer account and the ability to create another user or computer security principal, it is possible to compromise resources on that computer account using Kerberos resource-based constrained delegation (RBCD). This indicator looks for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Write access to RBCD on DC | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for Domain Controllers to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Write access to RBCD on krbtgt account | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for the krbtgt account to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.220574 | 1.150.0 | 2024/09/10 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.220574 | 1.144.1 | 2024/09/10 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | SYSVOL Executable Changes | AD | Updated | |
DescriptionThis indicator looks for modifications to executable files within SYSVOL. It only examines files and executables that have read access to them. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.220574 | 1.148.0 | 2024/09/10 | Users with the attribute userPassword set | AD | New Indicator | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unprivileged users can add computer accounts to the domain | AD | Updated | |
DescriptionThis indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability.The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: This configuration may be enabled but be already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to Domain Controllers OU that are not checked by this indicator. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | User accounts that use DES encryption | AD | Updated | |
DescriptionThis indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and environments that only support DES. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | User accounts with password not required | AD | Updated | |
DescriptionThis indicator identifies user accounts where a password is not required. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.220574 | 1.146.0 | 2024/09/10 | GPO linking delegation at the AD Site level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.220574 | 1.146.0 | 2024/09/10 | GPO linking delegation at the domain controller OU level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | GPO linking delegation at the domain level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | Application instance property lock disabled | AAD | Application.Read.All | Removed |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.197307 | 1.291.0 | 2024/07/15 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Removed |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | Detect MFA policy changes for groups and users | AAD | AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All | Removed |
DescriptionThis indicator looks for changes (removal of users and groups) from MFA policies. It relates to events invoked more than 4 hours after the policy's creation. Required permissions
|
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | Removed |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | Removed |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Removed |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.197307 | 1.294.0 | 2024/07/15 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Removed |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | Report suspicious MFA activity disabled | AAD | Policy.Read.All, GroupMember.Read.All | Removed |
DescriptionThis indicator checks if the setting to report suspicious MFA activity is enabled. Required permissions
|
||||||
| 4.0.197307 | 1.291.0 | 2024/07/15 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Removed |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.197307 | 1.291.0 | 2024/07/15 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Removed |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.197307 | 1.309.0 | 2024/07/15 | OU permissions enabling BadSuccessor dMSA escalation | AD | Removed | |
DescriptionThis indicator checks for excessive permissions to create delegated Managed Service Accounts (dMSAs) within Active Directory organizational units (OU) or NC head (NC Head is the top-level object of a Naming Context (NC) in Active Directory) across domains that contain Windows Server 2025 domain controllers. The indicator identifies non-privileged identities that have been granted CreateChild, GenericAll, WriteDACL, or WriteOwner permissions on OUs or NC head, which could enable the execution of the "BadSuccessor" Privilege Escalation attack. The "BadSuccessor" attack is a technique which exploits vulnerabilities in Microsoft's Active Directory and enables domain takeover. The attack leverages a feature called Delegated Managed Service Accounts (dMSA), which was introduced in Windows Server 2025. |
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Removed |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.197307 | 1.291.0 | 2024/07/15 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Removed |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.197307 | 1.300.0 | 2024/07/15 | Smart card password rotation disabled | AD | Removed | |
DescriptionThis indicator checks whether the mcDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute, which determines if smart card-only accounts must follow regular password rotation schedules, is disabled. |
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | GPO Weak LM Hash storage enabled | AD | Removed | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.197307 | 1.290.0 | 2024/07/15 | Distributed COM Users group or Performance Log Users group are not empty | AD | Removed | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.197307 | 1.291.0 | 2024/07/15 | User accounts using Smart Card authentication with old password | AD | Removed | |
DescriptionThis indicator looks for user accounts that are using Smart Card authentication whose password has not changed in the last 90 days. |
||||||
| 4.0.197307 | 1.291.0 | 2024/07/15 | Users with the attribute userPassword set | AD | Removed | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.372460 | 1.295.0 | 2025/05/28 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Anonymous access to Active Directory enabled | AD | Updated | |
DescriptionIt is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Anonymous NSPI access to AD enabled | AD | Updated | |
DescriptionAnonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This indicator detects when NSPI access is enabled. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Dangerous control paths expose certificate containers | AD | Updated | |
DescriptionThis indicator looks for non-default principals with permissions on the NTAuthCertificates container. This container holds the intermediate CA certificates that can be used to authenticate to AD. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Certificate templates with 3 or more insecure configurations | AD | Updated | |
DescriptionThis indicator checks if certificate templates in the forest have a minimum of three insecure configurations - Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Dangerous control paths expose certificate templates | AD | Updated | |
DescriptionThis indicator looks for non-default principals with the ability to write properties on a certificate template. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Certificate templates that allow requesters to specify a subjectAltName | AD | Updated | |
DescriptionThis indicator checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.372460 | 1.295.0 | 2025/05/28 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Accounts with Constrained Delegation configured to ghost SPN | AD | Updated | |
DescriptionWhen computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for accounts that have Constrained Delegation configured to ghost SPNs. |
||||||
| 4.0.372460 | 1.309.0 | 2025/05/28 | OU permissions enabling BadSuccessor dMSA escalation | AD | New Indicator | |
DescriptionThis indicator checks for excessive permissions to create delegated Managed Service Accounts (dMSAs) within Active Directory organizational units (OU) or NC head (NC Head is the top-level object of a Naming Context (NC) in Active Directory) across domains that contain Windows Server 2025 domain controllers. The indicator identifies non-privileged identities that have been granted CreateChild, GenericAll, WriteDACL, or WriteOwner permissions on OUs or NC head, which could enable the execution of the "BadSuccessor" Privilege Escalation attack. The "BadSuccessor" attack is a technique which exploits vulnerabilities in Microsoft's Active Directory and enables domain takeover. The attack leverages a feature called Delegated Managed Service Accounts (dMSA), which was introduced in Windows Server 2025. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Operator groups no longer protected by AdminSDHolder and SDProp | AD | Updated | |
DescriptionThis indicator checks if dwAdminSDExMask mask on dsHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. Certain groups can be removed from SDProp protection with this setting. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Smart card password rotation disabled | AD | Updated | |
DescriptionThis indicator checks whether the mcDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute, which determines if smart card-only accounts must follow regular password rotation schedules, is disabled. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.372460 | 1.301.0 | 2025/05/28 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Built-in guest account is enabled | AD | Updated | |
DescriptionThis indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows for accounts with no password access to the domain and is disabled in most AD environments. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.372460 | 1.301.0 | 2025/05/28 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Principals with constrained delegation using protocol transition enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a service running on a DC. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Privileged users with SPN defined | AD | Updated | |
DescriptionThis indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not considered part of this indicator. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Privileged Users with Weak Password Policy | AD | Updated | |
DescriptionThis indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to ANSSI framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password as defined by ANSSI is at least 8 characters long and updated no later than every 3 years. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Unprivileged users can add computer accounts to the domain | AD | Updated | |
DescriptionThis indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability.The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: This configuration may be enabled but be already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to Domain Controllers OU that are not checked by this indicator. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | User accounts that use DES encryption | AD | Updated | |
DescriptionThis indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and environments that only support DES. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | Weak certificate cipher | AD | Updated | |
DescriptionThis indicator looks for certificates stored in active directory with keysize smaller than 2048 bits or utilize DSA encryption. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | GPO linking delegation at the AD Site level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | GPO linking delegation at the domain controller OU level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.372460 | 1.300.0 | 2025/05/28 | GPO linking delegation at the domain level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.364185 | 1.294.0 | 2025/05/15 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.364185 | 1.293.0 | 2025/05/15 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | User accounts using Smart Card authentication with old password | AD | Updated | |
DescriptionThis indicator looks for user accounts that are using Smart Card authentication whose password has not changed in the last 90 days. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Users with the attribute userPassword set | AD | Updated | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | User accounts with password not required | AD | Updated | |
DescriptionThis indicator identifies user accounts where a password is not required. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.364185 | 1.291.0 | 2025/05/15 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Changes to AD Display Specifiers in the past 90 days | AD | Updated | |
DescriptionThis indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers. Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Application instance property lock disabled | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | User consent is allowed for risky applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an Entra ID authorization policy that allows users to grant consent for risky applications. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Application name and geographic location additional contexts are disabled on MFA | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if the Microsoft Authenticator App settings are configured to display the name of the target application and geographical location of the request when a user receives a push notification. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access policy with Continuous Access Evaluation disabled | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Conditional Access policies that have Continuous Access Evaluation disabled. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Administrative units are not being used | AAD | AdministrativeUnit.Read.All | Updated |
DescriptionThis indicator checks for the use of administrative units in the Entra tenant. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access policies contain private IP addresses | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any named locations contains private IP addresses and are assigned to enabled Conditional Access policies. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Check for guests having permission to invite other guests | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for guest users that have permission to invite other guests. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Check if legacy authentication is allowed | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if legacy authentication is blocked either by Conditional Access policies or Security Defaults. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access policies that contain MFA Trusted IPs | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any enabled Conditional Access policies contain references to MFA Trusted IPs. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Privileged group contains guest account | AAD | User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks whether any privileged roles have been assigned to guest accounts. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Check for users with weak or no MFA | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks all users for their registered MFA types. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Security defaults not enabled | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether security defaults are enabled when there are no Conditional Access policies configured. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Unrestricted user consent allowed | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if users are allowed to add applications from unverified publishers to Entra ID. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Custom banned password protection not in use | AAD | Directory.Read.All | Updated |
DescriptionThis indicator checks if custom banned password protection is enabled in Entra ID. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access Policy that disable admin token persistence | AAD | Policy.Read.All | Updated |
DescriptionThis indicator looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to 9 hours. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | FIDO2 Attestation is not enforced | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if FIDO2 security key attestation is enforced in Entra ID. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Entra Connect sync account password reset | AAD | AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if there have been any password resets against Entra Connect sync Sync_ accounts not logged on in the past three days, which are considered stale. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Global Administrators that signed in during the last 14 days | AAD | RoleManagement.Read.All, User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator looks for Global Administrators that have signed in during the past 14 days. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Guest users are not restricted | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if guest users are restricted in the Entra tenant. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Guest accounts that were inactive for more than 30 days | AAD | User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Guest accounts that have not signed in, using an interactive or non-interactive sign in, in the past 30 days. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Detect MFA policy changes for groups and users | AAD | AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All | Updated |
DescriptionThis indicator looks for changes (removal of users and groups) from MFA policies. It relates to events invoked more than 4 hours after the policy's creation. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | Updated |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | Updated |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | AD privileged users that are synced to Entra ID | AAD, AD | User.Read.All | Updated |
DescriptionThis indicator checks for AD privileged users that are synced to Entra ID. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Resource Based Constrained Delegation applied to AZUREADSSOACC account | AAD, AD | Updated | |
DescriptionThis indicator looks for Resource Based Constrained Delegation configured on the Entra Seamless SSO account. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Report suspicious MFA activity disabled | AAD | Policy.Read.All, GroupMember.Read.All | Updated |
DescriptionThis indicator checks if the setting to report suspicious MFA activity is enabled. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Conditional Access Policy that does not require a password change from high risk users | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a conditional access policy exists that requires a password change for users marked as high-risk by Entra ID Protection. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Security questions are in use | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks if security questions are in use for Entra self-service password reset. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Enterprise applications using SAML for SSO | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for enterprise applications (service principals) in Entra ID configured to use SAML for SSO. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Self-service password reset enabled for privileged roles | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether users in privileged roles in Entra ID can use self-service password reset. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Guest invites not accepted in last 30 day | AAD | User.Read.All | Updated |
DescriptionThis indicator checks for guest invites that were not redeemed within 30 days of the invitation. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users can create security groups | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users can create security groups. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Non-admin users can register custom applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an authorization policy that allows non-admin users to register applications in your Entra tenant. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Anonymous access to Active Directory enabled | AD | Updated | |
DescriptionIt is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Anonymous NSPI access to AD enabled | AD | Updated | |
DescriptionAnonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This indicator detects when NSPI access is enabled. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Certificate templates with 3 or more insecure configurations | AD | Updated | |
DescriptionThis indicator checks if certificate templates in the forest have a minimum of three insecure configurations - Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Dangerous control paths expose certificate templates | AD | Updated | |
DescriptionThis indicator looks for non-default principals with the ability to write properties on a certificate template. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Certificate templates that allow requesters to specify a subjectAltName | AD | Updated | |
DescriptionThis indicator checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Changes to default security descriptor schema in the last 90 days | AD | Updated | |
DescriptionThis indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening AD security posture. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.362949 | 1.283.0 | 2025/05/13 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Evidence of Mimikatz DCShadow attack | AD | Updated | |
DescriptionThis indicator checks for certain evidence of a DCShadow attack performed using Mimikatz. |
||||||
| 4.0.362949 | 1.280.1 | 2025/05/13 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Operator groups no longer protected by AdminSDHolder and SDProp | AD | Updated | |
DescriptionThis indicator checks if dwAdminSDExMask mask on dsHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. Certain groups can be removed from SDProp protection with this setting. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Smart card password rotation disabled | AD | New Indicator | |
DescriptionThis indicator checks whether the mcDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute, which determines if smart card-only accounts must follow regular password rotation schedules, is disabled. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Foreign Security Principals in Privileged Group | AD | Updated | |
DescriptionThis indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | gMSA not in use | AD | Updated | |
DescriptionThis indicator checks if there are enabled group Managed Service Account (gMSA) objects in the domain. |
||||||
| 4.0.362949 | 1.281.0 | 2025/05/13 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | GPO Weak LM Hash storage enabled | AD | Updated | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.362949 | 1.278.0 | 2025/05/13 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Distributed COM Users group or Performance Log Users group are not empty | AD | Updated | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Objects in privileged groups without adminCount=1 (SDProp) | AD | Updated | |
DescriptionThis indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Objects with constrained delegation configured | AD | Updated | |
DescriptionThis indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and does not have the UserAccountControl bit for protocol transition set. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Principals with constrained authentication delegation enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Changes to MS LAPS read permissions | AD | Updated | |
DescriptionThis indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution. These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | High-privileged custom roles | Okta | Updated | |
DescriptionCustom roles were found that allow a user to perform actions on users' passwords. These custom roles grant elevated privileges and potentially pose a significant security risk if not properly managed. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Password policy check | Okta | Updated | |
DescriptionThis indicator evaluates the password policies in place and verifies if they adhere to Okta's recommendations. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access to Active Directory. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Users with SPN defined | AD | Updated | |
DescriptionThis indicator provides a way to visually inventory all users accounts that have SPNs defined. Generally SPNs are only defined for "Kerberized" services, so if you see an account with an SPN that should not have one, this could be cause for concern. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.362949 | 1.277.0 | 2025/05/13 | Privileged Users with Weak Password Policy | AD | Updated | |
DescriptionThis indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to ANSSI framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password as defined by ANSSI is at least 8 characters long and updated no later than every 3 years. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | User accounts using Smart Card authentication with old password | AD | Updated | |
DescriptionThis indicator looks for user accounts that are using Smart Card authentication whose password has not changed in the last 90 days. |
||||||
| 4.0.362949 | 1.290.0 | 2025/05/13 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.353464 | 1.271.0 | 2025/04/29 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.353464 | 1.272.0 | 2025/04/29 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.353464 | 1.271.0 | 2025/04/29 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.345541 | 1.270.0 | 2025/04/16 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.345541 | 1.270.0 | 2025/04/16 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.345541 | 1.270.0 | 2025/04/16 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.345541 | 1.270.0 | 2025/04/16 | Users with permissions to set Server Trust Account | AD | Updated | |
DescriptionChecks for permissions on the domain NC head that enables a user to set a UAC flag - Server_Trust_Account on computer objects. This flag gives that computer object special permissions similar to a domain controller. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Changes to AD Display Specifiers in the past 90 days | AD | Updated | |
DescriptionThis indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers. Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days | AD | Updated | |
DescriptionThe Default Domain Policy and Default Domain Controllers Policy GPOs are special objects within AD, and control domain-wide and Domain Controller wide security settings. This indicator looks for changes to these two special GPOs within the last 7 days. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Application instance property lock disabled | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | User consent is allowed for risky applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an Entra ID authorization policy that allows users to grant consent for risky applications. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Application name and geographic location additional contexts are disabled on MFA | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if the Microsoft Authenticator App settings are configured to display the name of the target application and geographical location of the request when a user receives a push notification. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Conditional Access policy with Continuous Access Evaluation disabled | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Conditional Access policies that have Continuous Access Evaluation disabled. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Administrative units are not being used | AAD | AdministrativeUnit.Read.All | Updated |
DescriptionThis indicator checks for the use of administrative units in the Entra tenant. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access policies contain private IP addresses | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any named locations contains private IP addresses and are assigned to enabled Conditional Access policies. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Check for guests having permission to invite other guests | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for guest users that have permission to invite other guests. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Check if legacy authentication is allowed | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if legacy authentication is blocked either by Conditional Access policies or Security Defaults. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access policies that contain MFA Trusted IPs | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any enabled Conditional Access policies contain references to MFA Trusted IPs. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Privileged group contains guest account | AAD | User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks whether any privileged roles have been assigned to guest accounts. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Check for users with weak or no MFA | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks all users for their registered MFA types. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Security defaults not enabled | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether security defaults are enabled when there are no Conditional Access policies configured. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Unrestricted user consent allowed | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if users are allowed to add applications from unverified publishers to Entra ID. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Custom banned password protection not in use | AAD | Directory.Read.All | Updated |
DescriptionThis indicator checks if custom banned password protection is enabled in Entra ID. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Conditional Access Policy that disable admin token persistence | AAD | Policy.Read.All | Updated |
DescriptionThis indicator looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to 9 hours. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | FIDO2 Attestation is not enforced | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if FIDO2 security key attestation is enforced in Entra ID. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Entra Connect sync account password reset | AAD | AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if there have been any password resets against Entra Connect sync Sync_ accounts not logged on in the past three days, which are considered stale. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Global Administrators that signed in during the last 14 days | AAD | RoleManagement.Read.All, User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator looks for Global Administrators that have signed in during the past 14 days. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Guest users are not restricted | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if guest users are restricted in the Entra tenant. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Guest accounts that were inactive for more than 30 days | AAD | User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Guest accounts that have not signed in, using an interactive or non-interactive sign in, in the past 30 days. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.345190 | 1.261.0 | 2025/04/16 | Detect MFA policy changes for groups and users | AAD | AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All | Updated |
DescriptionThis indicator looks for changes (removal of users and groups) from MFA policies. It relates to events invoked more than 4 hours after the policy's creation. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | Updated |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | Updated |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | AD privileged users that are synced to Entra ID | AAD, AD | User.Read.All | Updated |
DescriptionThis indicator checks for AD privileged users that are synced to Entra ID. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Resource Based Constrained Delegation applied to AZUREADSSOACC account | AAD, AD | Updated | |
DescriptionThis indicator looks for Resource Based Constrained Delegation configured on the Entra Seamless SSO account. |
||||||
| 4.0.345190 | 1.269.0 | 2025/04/16 | Report suspicious MFA activity disabled | AAD | Policy.Read.All, GroupMember.Read.All | Updated |
DescriptionThis indicator checks if the setting to report suspicious MFA activity is enabled. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Conditional Access Policy that does not require a password change from high risk users | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a conditional access policy exists that requires a password change for users marked as high-risk by Entra ID Protection. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Security questions are in use | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks if security questions are in use for Entra self-service password reset. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Enterprise applications using SAML for SSO | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for enterprise applications (service principals) in Entra ID configured to use SAML for SSO. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Self-service password reset enabled for privileged roles | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether users in privileged roles in Entra ID can use self-service password reset. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Guest invites not accepted in last 30 day | AAD | User.Read.All | Updated |
DescriptionThis indicator checks for guest invites that were not redeemed within 30 days of the invitation. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Users can create security groups | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users can create security groups. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Non-admin users can register custom applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an authorization policy that allows non-admin users to register applications in your Entra tenant. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Abnormal Password Refresh | AD | Updated | |
DescriptionThis indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unexpected accounts in Cert Publishers Group | AD | Updated | |
DescriptionThis indicator checks to see if the Cert Publishers Group contains members that aren't expected to be there. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Built-in domain Administrator account used within the last two weeks | AD | Updated | |
DescriptionThe Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last two weeks. If so, it could indicate that the user has been compromised. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Anonymous access to Active Directory enabled | AD | Updated | |
DescriptionIt is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Anonymous NSPI access to AD enabled | AD | Updated | |
DescriptionAnonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This indicator detects when NSPI access is enabled. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Dangerous control paths expose certificate containers | AD | Updated | |
DescriptionThis indicator looks for non-default principals with permissions on the NTAuthCertificates container. This container holds the intermediate CA certificates that can be used to authenticate to AD. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Certificate templates with 3 or more insecure configurations | AD | Updated | |
DescriptionThis indicator checks if certificate templates in the forest have a minimum of three insecure configurations - Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Dangerous control paths expose certificate templates | AD | Updated | |
DescriptionThis indicator looks for non-default principals with the ability to write properties on a certificate template. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Certificate templates that allow requesters to specify a subjectAltName | AD | Updated | |
DescriptionThis indicator checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Changes to default security descriptor schema in the last 90 days | AD | Updated | |
DescriptionThis indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening AD security posture. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.345190 | 1.252.0 | 2025/04/16 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Computer Accounts in Privileged Groups | AD | Updated | |
DescriptionThis indicator looks for computer accounts that are members of built-in privileged groups. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.345190 | 1.252.0 | 2025/04/16 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Evidence of Mimikatz DCShadow attack | AD | Updated | |
DescriptionThis indicator checks for certain evidence of a DCShadow attack performed using Mimikatz. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Accounts with Constrained Delegation configured to ghost SPN | AD | Updated | |
DescriptionWhen computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for accounts that have Constrained Delegation configured to ghost SPNs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged users that are disabled | AD | Updated | |
DescriptionThis indicator looks for privileged user accounts, as indicated by their adminCount attribute set to 1, that are disabled. If a privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.345190 | 1.252.0 | 2025/04/16 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Operator groups no longer protected by AdminSDHolder and SDProp | AD | Updated | |
DescriptionThis indicator checks if dwAdminSDExMask mask on dsHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. Certain groups can be removed from SDProp protection with this setting. |
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.345190 | 1.260.0 | 2025/04/16 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Foreign Security Principals in Privileged Group | AD | Updated | |
DescriptionThis indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | gMSA not in use | AD | Updated | |
DescriptionThis indicator checks if there are enabled group Managed Service Account (gMSA) objects in the domain. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | gMSA objects with old passwords | AD | Updated | |
DescriptionThis indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.345190 | 1.244.0 | 2025/04/16 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Dangerous GPO logon script path | AD | Updated | |
DescriptionThis indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to modify them. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | GPO Weak LM Hash storage enabled | AD | Updated | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Reversible passwords found in GPOs | AD | Updated | |
DescriptionThis indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker ("Cpassword" entries). Until patch MS14-025, it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Built-in guest account is enabled | AD | Updated | |
DescriptionThis indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows for accounts with no password access to the domain and is disabled in most AD environments. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Users with permissions to set Server Trust Account | AD | Updated | |
DescriptionChecks for permissions on the domain NC head that enables a user to set a UAC flag - Server_Trust_Account on computer objects. This flag gives that computer object special permissions similar to a domain controller. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Distributed COM Users group or Performance Log Users group are not empty | AD | Updated | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unprivileged accounts with adminCount=1 | AD | Updated | |
DescriptionThis indicator looks for any users or groups that may have been under the control of SDProp (adminCount=1) but are no longer members of privileged groups and should not be considered privileged. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.345190 | 1.238.0 | 2025/04/16 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users and computers without readable PGID | AD | Updated | |
DescriptionThis indicator finds users and computers for whom it can't read the PGID. This may be due to the default permission of Read access having been removed, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute). |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Objects in privileged groups without adminCount=1 (SDProp) | AD | Updated | |
DescriptionThis indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Objects with constrained delegation configured | AD | Updated | |
DescriptionThis indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and does not have the UserAccountControl bit for protocol transition set. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Principals with constrained authentication delegation enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Changes to MS LAPS read permissions | AD | Updated | |
DescriptionThis indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution. These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Kerberos protocol transition delegation configured | AD | Updated | |
DescriptionThis indicator looks for services that have been configured to allow Kerberos protocol transition. This capability enables a delegated service to use any available authentication protocol. This means that compromised services can reduce the quality of their authentication protocol to something that is more easily compromised (e.g. NTLM). |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Principals with constrained delegation using protocol transition enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a service running on a DC. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access to Active Directory. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Users with SPN defined | AD | Updated | |
DescriptionThis indicator provides a way to visually inventory all users accounts that have SPNs defined. Generally SPNs are only defined for "Kerberized" services, so if you see an account with an SPN that should not have one, this could be cause for concern. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Changes to privileged group membership in the last 7 days | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate privilege. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged users with SPN defined | AD | Updated | |
DescriptionThis indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not considered part of this indicator. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged Users with Weak Password Policy | AD | Updated | |
DescriptionThis indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to ANSSI framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password as defined by ANSSI is at least 8 characters long and updated no later than every 3 years. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) | AD | Updated | |
DescriptionWith sufficient permissions on a computer account and the ability to create another user or computer security principal, it is possible to compromise resources on that computer account using Kerberos resource-based constrained delegation (RBCD). This indicator looks for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Write access to RBCD on DC | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for Domain Controllers to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Write access to RBCD on krbtgt account | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for the krbtgt account to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.345190 | 1.262.0 | 2025/04/16 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | User accounts using Smart Card authentication with old password | AD | New Indicator | |
DescriptionThis indicator looks for user accounts that are using Smart Card authentication whose password has not changed in the last 90 days. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | SYSVOL Executable Changes | AD | Updated | |
DescriptionThis indicator looks for modifications to executable files within SYSVOL. It only examines files and executables that have read access to them. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users with the attribute userPassword set | AD | Updated | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Unprivileged users can add computer accounts to the domain | AD | Updated | |
DescriptionThis indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability.The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: This configuration may be enabled but be already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to Domain Controllers OU that are not checked by this indicator. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | User accounts that use DES encryption | AD | Updated | |
DescriptionThis indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and environments that only support DES. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | User accounts with password not required | AD | Updated | |
DescriptionThis indicator identifies user accounts where a password is not required. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.345190 | 1.268.0 | 2025/04/16 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | GPO linking delegation at the AD Site level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | GPO linking delegation at the domain controller OU level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.345190 | 1.240.0 | 2025/04/16 | GPO linking delegation at the domain level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.325842 | 1.226.0 | 2025/03/10 | Application instance property lock disabled | AAD | Application.Read.All | New Indicator |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.325842 | 1.229.0 | 2025/03/10 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.325842 | 1.229.0 | 2025/03/10 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.325842 | 1.230.0 | 2025/03/10 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.325842 | 1.228.0 | 2025/03/10 | Detect MFA policy changes for groups and users | AAD | AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All | New Indicator |
DescriptionThis indicator looks for changes (removal of users and groups) from MFA policies. It relates to events invoked more than 4 hours after the policy's creation. Required permissions
|
||||||
| 4.0.325842 | 1.229.0 | 2025/03/10 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.325842 | 1.232.0 | 2025/03/10 | Report suspicious MFA activity disabled | AAD | Policy.Read.All, GroupMember.Read.All | New Indicator |
DescriptionThis indicator checks if the setting to report suspicious MFA activity is enabled. Required permissions
|
||||||
| 4.0.325842 | 1.231.0 | 2025/03/10 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.325842 | 1.231.0 | 2025/03/10 | Dangerous GPO logon script path | AD | Updated | |
DescriptionThis indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to modify them. |
||||||
| 4.0.325842 | 1.231.0 | 2025/03/10 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.325842 | 1.231.0 | 2025/03/10 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Changes to AD Display Specifiers in the past 90 days | AD | Updated | |
DescriptionThis indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers. Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days | AD | Updated | |
DescriptionThe Default Domain Policy and Default Domain Controllers Policy GPOs are special objects within AD, and control domain-wide and Domain Controller wide security settings. This indicator looks for changes to these two special GPOs within the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | User consent is allowed for risky applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an Entra ID authorization policy that allows users to grant consent for risky applications. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Application name and geographic location additional contexts are disabled on MFA | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if the Microsoft Authenticator App settings are configured to display the name of the target application and geographical location of the request when a user receives a push notification. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Conditional Access policy with Continuous Access Evaluation disabled | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Conditional Access policies that have Continuous Access Evaluation disabled. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Administrative units are not being used | AAD | AdministrativeUnit.Read.All | Updated |
DescriptionThis indicator checks for the use of administrative units in the Entra tenant. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Conditional Access policies contain private IP addresses | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any named locations contains private IP addresses and are assigned to enabled Conditional Access policies. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Check for guests having permission to invite other guests | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for guest users that have permission to invite other guests. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Check if legacy authentication is allowed | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if legacy authentication is blocked either by Conditional Access policies or Security Defaults. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Conditional Access policies that contain MFA Trusted IPs | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any enabled Conditional Access policies contain references to MFA Trusted IPs. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged group contains guest account | AAD | User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks whether any privileged roles have been assigned to guest accounts. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Check for users with weak or no MFA | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks all users for their registered MFA types. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Security defaults not enabled | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether security defaults are enabled when there are no Conditional Access policies configured. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Unrestricted user consent allowed | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if users are allowed to add applications from unverified publishers to Entra ID. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Custom banned password protection not in use | AAD | Directory.Read.All | Updated |
DescriptionThis indicator checks if custom banned password protection is enabled in Entra ID. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Conditional Access Policy that disable admin token persistence | AAD | Policy.Read.All | Updated |
DescriptionThis indicator looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to 9 hours. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | FIDO2 Attestation is not enforced | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if FIDO2 security key attestation is enforced in Entra ID. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Entra Connect sync account password reset | AAD | AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if there have been any password resets against Entra Connect sync Sync_ accounts not logged on in the past three days, which are considered stale. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Global Administrators that signed in during the last 14 days | AAD | RoleManagement.Read.All, User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator looks for Global Administrators that have signed in during the past 14 days. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Guest users are not restricted | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if guest users are restricted in the Entra tenant. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Guest accounts that were inactive for more than 30 days | AAD | User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Guest accounts that have not signed in, using an interactive or non-interactive sign in, in the past 30 days. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.289828 | 1.220.0 | 2025/02/12 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | Updated |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | AD privileged users that are synced to Entra ID | AAD, AD | User.Read.All | Updated |
DescriptionThis indicator checks for AD privileged users that are synced to Entra ID. Required permissions
|
||||||
| 4.0.289828 | 1.224.0 | 2025/02/12 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Resource Based Constrained Delegation applied to AZUREADSSOACC account | AAD, AD | Updated | |
DescriptionThis indicator looks for Resource Based Constrained Delegation configured on the Entra Seamless SSO account. |
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Conditional Access Policy that does not require a password change from high risk users | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a conditional access policy exists that requires a password change for users marked as high-risk by Entra ID Protection. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Security questions are in use | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks if security questions are in use for Entra self-service password reset. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Enterprise applications using SAML for SSO | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for enterprise applications (service principals) in Entra ID configured to use SAML for SSO. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Self-service password reset enabled for privileged roles | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether users in privileged roles in Entra ID can use self-service password reset. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Guest invites not accepted in last 30 day | AAD | User.Read.All | Updated |
DescriptionThis indicator checks for guest invites that were not redeemed within 30 days of the invitation. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Users can create security groups | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users can create security groups. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.289828 | 1.215.0 | 2025/02/12 | Non-admin users can register custom applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an authorization policy that allows non-admin users to register applications in your Entra tenant. Required permissions
|
||||||
| 4.0.289828 | 1.223.0 | 2025/02/12 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Abnormal Password Refresh | AD | Updated | |
DescriptionThis indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Unexpected accounts in Cert Publishers Group | AD | Updated | |
DescriptionThis indicator checks to see if the Cert Publishers Group contains members that aren't expected to be there. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Built-in domain Administrator account used within the last two weeks | AD | Updated | |
DescriptionThe Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last two weeks. If so, it could indicate that the user has been compromised. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Anonymous access to Active Directory enabled | AD | Updated | |
DescriptionIt is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Anonymous NSPI access to AD enabled | AD | Updated | |
DescriptionAnonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This indicator detects when NSPI access is enabled. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous control paths expose certificate containers | AD | Updated | |
DescriptionThis indicator looks for non-default principals with permissions on the NTAuthCertificates container. This container holds the intermediate CA certificates that can be used to authenticate to AD. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Certificate templates with 3 or more insecure configurations | AD | Updated | |
DescriptionThis indicator checks if certificate templates in the forest have a minimum of three insecure configurations - Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous control paths expose certificate templates | AD | Updated | |
DescriptionThis indicator looks for non-default principals with the ability to write properties on a certificate template. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Certificate templates that allow requesters to specify a subjectAltName | AD | Updated | |
DescriptionThis indicator checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Changes to default security descriptor schema in the last 90 days | AD | Updated | |
DescriptionThis indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening AD security posture. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Computer Accounts in Privileged Groups | AD | Updated | |
DescriptionThis indicator looks for computer accounts that are members of built-in privileged groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Evidence of Mimikatz DCShadow attack | AD | Updated | |
DescriptionThis indicator checks for certain evidence of a DCShadow attack performed using Mimikatz. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Accounts with Constrained Delegation configured to ghost SPN | AD | Updated | |
DescriptionWhen computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for accounts that have Constrained Delegation configured to ghost SPNs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged users that are disabled | AD | Updated | |
DescriptionThis indicator looks for privileged user accounts, as indicated by their adminCount attribute set to 1, that are disabled. If a privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Operator groups no longer protected by AdminSDHolder and SDProp | AD | Updated | |
DescriptionThis indicator checks if dwAdminSDExMask mask on dsHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. Certain groups can be removed from SDProp protection with this setting. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Foreign Security Principals in Privileged Group | AD | Updated | |
DescriptionThis indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | gMSA objects with old passwords | AD | Updated | |
DescriptionThis indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous GPO logon script path | AD | Updated | |
DescriptionThis indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to modify them. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO Weak LM Hash storage enabled | AD | Updated | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Reversible passwords found in GPOs | AD | Updated | |
DescriptionThis indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker ("Cpassword" entries). Until patch MS14-025, it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Built-in guest account is enabled | AD | Updated | |
DescriptionThis indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows for accounts with no password access to the domain and is disabled in most AD environments. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with permissions to set Server Trust Account | AD | Updated | |
DescriptionChecks for permissions on the domain NC head that enables a user to set a UAC flag - Server_Trust_Account on computer objects. This flag gives that computer object special permissions similar to a domain controller. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non default value on ms-Mcs-AdmPwd SearchFlags | AD | Updated | |
DescriptionSome flags on the ms-Mcs-AdmPwd schema may inadvertently cause passwords to be visible to users allowing an attacker to use it as stealthy backdoor. This indicator looks for any changes to default searchFlags, which may create an exposure. Detection of changes to the default will result in a score of 80 for this indicator, signifying that a review should be conducted. Any removal of the default flags will result in a score of 0 due to their importance to security. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Distributed COM Users group or Performance Log Users group are not empty | AD | Updated | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unprivileged accounts with adminCount=1 | AD | Updated | |
DescriptionThis indicator looks for any users or groups that may have been under the control of SDProp (adminCount=1) but are no longer members of privileged groups and should not be considered privileged. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users and computers without readable PGID | AD | Updated | |
DescriptionThis indicator finds users and computers for whom it can't read the PGID. This may be due to the default permission of Read access having been removed, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute). |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Objects in privileged groups without adminCount=1 (SDProp) | AD | Updated | |
DescriptionThis indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Objects with constrained delegation configured | AD | Updated | |
DescriptionThis indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and does not have the UserAccountControl bit for protocol transition set. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Principals with constrained authentication delegation enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Changes to MS LAPS read permissions | AD | Updated | |
DescriptionThis indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution. These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Kerberos protocol transition delegation configured | AD | Updated | |
DescriptionThis indicator looks for services that have been configured to allow Kerberos protocol transition. This capability enables a delegated service to use any available authentication protocol. This means that compromised services can reduce the quality of their authentication protocol to something that is more easily compromised (e.g. NTLM). |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Principals with constrained delegation using protocol transition enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a service running on a DC. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | High-privileged custom roles | Okta | Updated | |
DescriptionCustom roles were found that allow a user to perform actions on users' passwords. These custom roles grant elevated privileges and potentially pose a significant security risk if not properly managed. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New permission has been granted to a group | Okta | Updated | |
DescriptionIn the last 7 days, permission was given to a group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New permission has been granted to a user | Okta | Updated | |
DescriptionThis indicator checks if any permissions have been granted to a user within the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New API token was created | Okta | Updated | |
DescriptionIn the last 7 days,a new API token was created. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New Super Admin permission has been granted to a group | Okta | Updated | |
DescriptionIn the last 7 days, "Super Admin" permission was given to a group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | New Super Admin permission has been granted to a user | Okta | Updated | |
DescriptionThis indicator checks if the "Super Admin" permission was given to a user in the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Password policy check | Okta | Updated | |
DescriptionThis indicator evaluates the password policies in place and verifies if they adhere to Okta's recommendations. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User activation in the last 7 days | Okta | Updated | |
DescriptionThis indicator checks if a user has been activated within the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User deactivation in the last 7 days | Okta | Updated | |
DescriptionThis indicator checks if a user has been deactivated within the last 7 days. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users without Multi-Factor Authentication (MFA) | Okta | Updated | |
DescriptionThis indicator checks all users to identify those who have not registered for Multi-Factor Authentication (MFA). |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access to Active Directory. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with SPN defined | AD | Updated | |
DescriptionThis indicator provides a way to visually inventory all users accounts that have SPNs defined. Generally SPNs are only defined for "Kerberized" services, so if you see an account with an SPN that should not have one, this could be cause for concern. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.289828 | 1.222.0 | 2025/02/12 | Changes to privileged group membership in the last 7 days | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate privilege. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged users with SPN defined | AD | Updated | |
DescriptionThis indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not considered part of this indicator. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged Users with Weak Password Policy | AD | Updated | |
DescriptionThis indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to ANSSI framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password as defined by ANSSI is at least 8 characters long and updated no later than every 3 years. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) | AD | Updated | |
DescriptionWith sufficient permissions on a computer account and the ability to create another user or computer security principal, it is possible to compromise resources on that computer account using Kerberos resource-based constrained delegation (RBCD). This indicator looks for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Write access to RBCD on DC | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for Domain Controllers to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Write access to RBCD on krbtgt account | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for the krbtgt account to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | SYSVOL Executable Changes | AD | Updated | |
DescriptionThis indicator looks for modifications to executable files within SYSVOL. It only examines files and executables that have read access to them. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with the attribute userPassword set | AD | Updated | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Unprivileged users can add computer accounts to the domain | AD | Updated | |
DescriptionThis indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability.The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: This configuration may be enabled but be already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to Domain Controllers OU that are not checked by this indicator. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User accounts that use DES encryption | AD | Updated | |
DescriptionThis indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and environments that only support DES. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User accounts with password not required | AD | Updated | |
DescriptionThis indicator identifies user accounts where a password is not required. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | Weak certificate cipher | AD | Updated | |
DescriptionThis indicator looks for certificates stored in active directory with keysize smaller than 2048 bits or utilize DSA encryption. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO linking delegation at the AD Site level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO linking delegation at the domain controller OU level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.289828 | 1.219.0 | 2025/02/12 | GPO linking delegation at the domain level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.273013 | 1.208.0 | 2025/01/16 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.273013 | 1.189.0 | 2025/01/16 | Application instance property lock disabled | AAD | Application.Read.All | Removed |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | Updated |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | Updated |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.273013 | 1.211.0 | 2025/01/16 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | Updated |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | Updated |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.273013 | 1.207.0 | 2025/01/16 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.273013 | 1.212.0 | 2025/01/16 | Unresolved Entra ID privileged role members | AAD | RoleManagement.Read.All, Directory.Read.All | New Indicator |
DescriptionThis indicator identifies privileged role assignments where the member cannot be found, either due to deleted eligible users or GDAP partner relationships. Required permissions
|
||||||
| 4.0.273013 | 1.200.0 | 2025/01/16 | AD Certificate Authority with Web Enrollment - ESC8 | AD | Updated | |
DescriptionThis indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to https://IP/certsrv and http://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft. The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the posture score) for any endpoint. The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security posture) on any endpoint. The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:
|
||||||
| 4.0.273013 | 1.209.0 | 2025/01/16 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.273013 | 1.213.0 | 2025/01/16 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.273013 | 1.202.0 | 2025/01/16 | Distributed COM Users group or Performance Log Users group are not empty | AD | New Indicator | |
DescriptionThis indicator checks if either the Distributed COM Users group and/or Performance Log Users group in Active Directory are populated. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.273013 | 1.210.0 | 2025/01/16 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.259168 | 1.198.0 | 2024/12/12 | Changes to AD Display Specifiers in the past 90 days | AD | Updated | |
DescriptionThis indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers. Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked. |
||||||
| 4.0.259168 | 1.198.1 | 2024/12/12 | Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days | AD | Updated | |
DescriptionThe Default Domain Policy and Default Domain Controllers Policy GPOs are special objects within AD, and control domain-wide and Domain Controller wide security settings. This indicator looks for changes to these two special GPOs within the last 7 days. |
||||||
| 4.0.259168 | 1.178.0 | 2024/12/12 | Zerologon vulnerability | AD | Updated | |
DescriptionThis indicator checks for security vulnerability CVE-202-1472. |
||||||
| 4.0.259168 | 1.189.0 | 2024/12/12 | Application instance property lock disabled | AAD | Application.Read.All | New Indicator |
DescriptionThis indicator checks for applications that have app instance property lock disabled. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Application name and geographic location additional contexts are disabled on MFA | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if the Microsoft Authenticator App settings are configured to display the name of the target application and geographical location of the request when a user receives a push notification. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access policy with Continuous Access Evaluation disabled | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Conditional Access policies that have Continuous Access Evaluation disabled. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Administrative units are not being used | AAD | AdministrativeUnit.Read.All | Updated |
DescriptionThis indicator checks for the use of administrative units in the Entra tenant. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access policies contain private IP addresses | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any named locations contains private IP addresses and are assigned to enabled Conditional Access policies. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Check for guests having permission to invite other guests | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for guest users that have permission to invite other guests. Required permissions
|
||||||
| 4.0.259168 | 1.160.0 | 2024/12/12 | Users or devices inactive for at least 90 days | AAD | User.Read.All, Device.Read.All | Updated |
DescriptionThis indicator checks for users or devices that have not signed in to Entra ID in the past 90 days. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Check if legacy authentication is allowed | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if legacy authentication is blocked either by Conditional Access policies or Security Defaults. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access policies that contain MFA Trusted IPs | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if any enabled Conditional Access policies contain references to MFA Trusted IPs. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Privileged group contains guest account | AAD | User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks whether any privileged roles have been assigned to guest accounts. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Check for risky API permissions granted to application service principals | AAD | Application.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if one of the following risky application permissions have been granted to a service principal in Microsoft Graph: RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Check for users with weak or no MFA | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks all users for their registered MFA types. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Security defaults not enabled | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether security defaults are enabled when there are no Conditional Access policies configured. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Unrestricted user consent allowed | AAD | Policy.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks if users are allowed to add applications from unverified publishers to Entra ID. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Custom banned password protection not in use | AAD | Directory.Read.All | Updated |
DescriptionThis indicator checks if custom banned password protection is enabled in Entra ID. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access Policy that disable admin token persistence | AAD | Policy.Read.All | Updated |
DescriptionThis indicator looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to 9 hours. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Application expired secrets and certificates | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for certificates or secrets that have reached their expiration date. It does not indicate a direct risk or likelihood of compromise. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | FIDO2 Attestation is not enforced | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if FIDO2 security key attestation is enforced in Entra ID. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Entra Connect sync account password reset | AAD | AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if there have been any password resets against Entra Connect sync Sync_ accounts not logged on in the past three days, which are considered stale. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Global Administrators that signed in during the last 14 days | AAD | RoleManagement.Read.All, User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator looks for Global Administrators that have signed in during the past 14 days. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Guest users are not restricted | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if guest users are restricted in the Entra tenant. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | Updated |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Guest accounts that were inactive for more than 30 days | AAD | User.Read.All, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for Guest accounts that have not signed in, using an interactive or non-interactive sign in, in the past 30 days. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Less than 2 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of less than 2 Global Administrators. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | MFA bombing attack occurred in the past day | AAD | AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator detects MFA bombing attempts on privileged accounts by monitoring login activity to identify unusual patterns of login activity of more than 5 failed MFA attempts within the last day. Note that this indicator will not detect activity of users using passwordless authentication. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | More than 10 Privileged Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 10 or more Privileged Assigned Roles. Required permissions
|
||||||
| 4.0.259168 | 1.171.0 | 2024/12/12 | More than 5 Global Administrators exist | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the presence of 5 or more Global Administrators. Please note: If a given user has both an active and eligible assignment for a given role, the user will appear twice in the results. Required permissions
|
||||||
| 4.0.259168 | 1.176.0 | 2024/12/12 | Password hash synchronization is not enabled | AAD | OnPremDirectorySynchronization.Read.All | New Indicator |
DescriptionThis indicator checks whether password hash synchronization is enabled in the tenant. Required permissions |
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Permanent Active Privileged Role Assignment | AAD | RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All | New Indicator |
DescriptionThis indicator checks for the presence of permanent active privileged role Assignments. Required permissions
|
||||||
| 4.0.259168 | 1.193.0 | 2024/12/12 | Privileged accounts with mailbox | AAD | RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read | New Indicator |
DescriptionThis indicator searches for privileged accounts in the Entra tenant that have an associated mailbox. Required permissions
|
||||||
| 4.0.259168 | 1.162.0 | 2024/12/12 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.259168 | 1.170.0 | 2024/12/12 | Conditional Access Policy does not require MFA on privileged accounts | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether Conditional Access policies require mutli-factor authentication (MFA) for privileged accounts. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access Policy that does not require MFA when sign-in risk has been identified | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is medium or high as determined by Entra ID Protection. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Conditional Access Policy that does not require a password change from high risk users | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether a conditional access policy exists that requires a password change for users marked as high-risk by Entra ID Protection. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.259168 | 1.182.0 | 2024/12/12 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Security questions are in use | AAD | Reports.Read.All | Updated |
DescriptionThis indicator checks if security questions are in use for Entra self-service password reset. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Enterprise applications using SAML for SSO | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks for enterprise applications (service principals) in Entra ID configured to use SAML for SSO. Required permissions
|
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Self-service password reset enabled for privileged roles | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks whether users in privileged roles in Entra ID can use self-service password reset. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Suspicious Directory Synchronization Accounts role member | AAD | Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All | Updated |
DescriptionThis indicator checks for objects assigned the Directory Synchronization Accounts role that are not the default Entra Connect users. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Unprivileged owner of a privileged group | AAD | RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup | New Indicator |
DescriptionThis indicator checks for the presence of an unprivileged owner of a group with privileged roles. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Users are not using their privileged roles | AAD | RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All | Updated |
DescriptionThis indicator checks for users who have not activated their a role assigned to them for over 30 days. For users eligible via group membership, audit log retention in Entra ID may prevent gathering an accurate 'EligibleSince' date. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Users can create security groups | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users can create security groups. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Non-admin users can create tenants | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks if non-admin users are allowed to create Entra tenants. Required permissions
|
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Non-admin users can register custom applications | AAD | Policy.Read.All | Updated |
DescriptionThis indicator checks for an authorization policy that allows non-admin users to register applications in your Entra tenant. Required permissions
|
||||||
| 4.0.259168 | 1.188.0 | 2024/12/12 | Ensure all non-privileged users can complete MFA | AAD | AuditLog.Read.All, User.Read.All | New Indicator |
DescriptionIndicates whether non-privileged users in the tenant can use and complete the MFA process based on the authentication details that the user entered. Required permissions
|
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Abnormal Password Refresh | AD | Updated | |
DescriptionThis indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication. |
||||||
| 4.0.259168 | 1.180.0 | 2024/12/12 | Unexpected accounts in Cert Publishers Group | AD | Updated | |
DescriptionThis indicator checks to see if the Cert Publishers Group contains members that aren't expected to be there. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Built-in domain Administrator account used within the last two weeks | AD | Updated | |
DescriptionThe Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last two weeks. If so, it could indicate that the user has been compromised. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Changes to default security descriptor schema in the last 90 days | AD | Updated | |
DescriptionThis indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening AD security posture. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.259168 | 1.164.0 | 2024/12/12 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.259168 | 1.168.0 | 2024/12/12 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | Updated |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.259168 | 1.152.0 | 2024/12/12 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | gMSA objects with old passwords | AD | Updated | |
DescriptionThis indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.259168 | 1.161.0 | 2024/12/12 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.259168 | 1.183.0 | 2024/12/12 | GPO Weak LM Hash storage enabled | AD | Updated | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Non-standard schema permissions | AD | Updated | |
DescriptionThis indicator looks for additional principals with any permissions beyond generic Read to the schema partitions.Schema is one of three main Active Directory naming context. It contains every object attribute definitions of the forest. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.259168 | 1.156.0 | 2024/12/12 | Changes to privileged group membership in the last 7 days | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate privilege. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.259168 | 1.167.0 | 2024/12/12 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | SYSVOL Executable Changes | AD | Updated | |
DescriptionThis indicator looks for modifications to executable files within SYSVOL. It only examines files and executables that have read access to them. |
||||||
| 4.0.259168 | 1.158.0 | 2024/12/12 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.259168 | 1.186.0 | 2024/12/12 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.220574 | 1.129.0 | 2024/09/10 | Certificate-Based Authentication Persistence | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All | Updated |
DescriptionThis indicator looks for the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Required permissions
|
||||||
| 4.0.220574 | 1.128.0 | 2024/09/10 | MFA not configured for privileged accounts | AAD | RoleManagement.Read.Directory, Reports.Read.All | Updated |
DescriptionThis indicator checks that MFA (Multi-factor Authentication) is enabled for users assigned privileged roles. Required permissions
|
||||||
| 4.0.220574 | 1.130.0 | 2024/09/10 | Non-synced Entra user that is eligible for a privileged role | AAD | User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for Entra users that are eligible for a high-privilege role and have the proxyAddress attribute, but are not synchronized with an AD account. Required permissions:
|
||||||
| 4.0.220574 | 1.139.0 | 2024/09/10 | Entra tenant is susceptible to Hidden Consent Grant attack | AAD | Directory.Read.All, Policy.Read.All | New Indicator |
DescriptionThis indicator checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Entra ID privileged users that are also privileged in AD | AAD, AD | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All | Updated |
DescriptionThis indicator checks for Entra ID privileged users that are also privileged in on-premise AD. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | AD privileged users that are synced to Entra ID | AAD, AD | User.Read.All | Updated |
DescriptionThis indicator checks for AD privileged users that are synced to Entra ID. Required permissions
|
||||||
| 4.0.220574 | 1.147.0 | 2024/09/10 | Prohibited Entra ID Roles Assigned | AAD | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All | New Indicator |
DescriptionThis indicator checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Resource Based Constrained Delegation applied to AZUREADSSOACC account | AAD, AD | Updated | |
DescriptionThis indicator looks for Resource Based Constrained Delegation configured on the Entra Seamless SSO account. |
||||||
| 4.0.220574 | 1.135.0 | 2024/09/10 | Entra custom Roles with risky permissions | AAD | RoleManagement.Read.Directory | Updated |
DescriptionThis indicator checks if a custom role contains risky permissions Required permissions
|
||||||
| 4.0.220574 | 1.132.0 | 2024/09/10 | List of Risky users (medium or high level) | AAD | IdentityRiskyUser.Read.All, Organization.Read.All | Updated |
DescriptionThis indicator checks for risky users in the tenant with medium or high level of risk. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | SSO computer account with password last set over 90 days ago | AAD, AD | Updated | |
DescriptionThis indicator checks the Entra Seamless Single Sign-On computer account, AZUREADSSOACC, to determine if the password has been rotated in the last 90 days. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Abnormal Password Refresh | AD | Updated | |
DescriptionThis indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unexpected accounts in Cert Publishers Group | AD | Updated | |
DescriptionThis indicator checks to see if the Cert Publishers Group contains members that aren't expected to be there. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Built-in domain Administrator account with old password (180 days) | AD | Updated | |
DescriptionThis indicator checks if the password of the built-in Domain Administrator account is older than 180 days. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Inheritance enabled on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for inheritance enabled on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Permission changes on AdminSDHolder object | AD | Updated | |
DescriptionThis indicator checks for modifications on the access control list (ACL) of the AdminSDHolder object. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Built-in domain Administrator account used within the last two weeks | AD | Updated | |
DescriptionThe Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last two weeks. If so, it could indicate that the user has been compromised. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Accounts with altSecurityIdentities configured | AD | Updated | |
DescriptionIt is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator checks for accounts with the altSecurityIdentities attribute configured. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computers with older OS versions | AD | Updated | |
DescriptionThis indicator looks for machine accounts that are running versions of Windows older than Server 2012-R2 and Windows 8.1. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computers with password last set over 90 days ago | AD | Updated | |
DescriptionThis indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controllers with old passwords | AD | Updated | |
DescriptionThis indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default, machine accounts including DCs, automatically reset their passwords every 30 days. Any machine accounts with passwords older than that could indicate a DC that is no longer functioning in the domain. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computer Accounts in Privileged Groups | AD | Updated | |
DescriptionThis indicator looks for computer accounts that are members of built-in privileged groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computer or user accounts with SPN that have unconstrained delegation | AD | Updated | |
DescriptionThis indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are good targets for Kerberos-based attacks. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Accounts with Constrained Delegation configured to krbtgt | AD | Updated | |
DescriptionThis indicator checks for accounts that have constrained delegation configured to the KRBTGT account. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Dangerous Trust Attribute Set | AD | Updated | |
DescriptionThis indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a kerberos ticket to be delegated or reduce the protection that SID Filtering provides. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Print spooler service is enabled on a DC | AD | Updated | |
DescriptionThis indicator checks for Domain Controllers running the print spooler service. This indicator requires the local server to be running the print spooler service to function, or it will return Failed to run. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Evidence of Mimikatz DCShadow attack | AD | Updated | |
DescriptionThis indicator checks for certain evidence of a DCShadow attack performed using Mimikatz. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Accounts with Constrained Delegation configured to ghost SPN | AD | Updated | |
DescriptionWhen computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for accounts that have Constrained Delegation configured to ghost SPNs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged users that are disabled | AD | Updated | |
DescriptionThis indicator looks for privileged user accounts, as indicated by their adminCount attribute set to 1, that are disabled. If a privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unsecured DNS configuration | AD | Updated | |
DescriptionThis indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controllers in inconsistent state | AD | Updated | |
DescriptionThis indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. DCs in a consistent state are characterized by the following:
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controller owner is not an administrator | AD | Updated | |
DescriptionThis indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domains with obsolete functional levels | AD | Updated | |
DescriptionThis indicator looks for AD domains that have a domain functional level set to Windows Server 2012 R2 or lower. These lower functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in AD. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Non-default access to DPAPI key | AD | Updated | |
DescriptionThis indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). |
||||||
| 4.0.220574 | 1.131.0 | 2024/09/10 | Suspicious credentials on Microsoft service principals | AAD | Application.Read.All | New Indicator |
DescriptionThis indicator checks if certain Microsoft service principals have secrets assigned to them. Required permissions
|
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Enabled admin accounts that are inactive | AD | Updated | |
DescriptionThis indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can compromise these accounts may be able to operate unnoticed. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Enterprise Key Admins with full access to domain | AD | Updated | |
DescriptionThis indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Ephemeral Admins | AD | Updated | |
DescriptionThis indicator looks for users which were added and removed from an admin group within a 48 hour span of time. Such short-lived accounts may indicate malicious activity. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | FGPP not applied to Global group | AD | Updated | |
DescriptionThis indicator looks for FGPP targeted to a Universal or Domain Local group. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Foreign Security Principals in Privileged Group | AD | Updated | |
DescriptionThis indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | gMSA not in use | AD | Updated | |
DescriptionThis indicator checks if there are enabled group Managed Service Account (gMSA) objects in the domain. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | gMSA objects with old passwords | AD | Updated | |
DescriptionThis indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords should be changed automatically every 30 days by default. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Non-privileged users with access to gMSA passwords | AD | Updated | |
DescriptionThis indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Writable shortcuts found in GPO | AD | Updated | |
DescriptionThis indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful feature in Windows domains that are used to manage various settings and configurations for multiple computers and users. Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to identify such misconfigurations and take appropriate actions. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Dangerous GPO logon script path | AD | Updated | |
DescriptionThis indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to modify them. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | GPO with Scheduled Tasks configured | AD | Updated | |
DescriptionWhen a scheduled task launches an executable, it checks to see if low-privilege users have permissions to modify GPOs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Dangerous user rights granted by GPO | AD | Updated | |
DescriptionGroup Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated permissions through GPO. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | GPO Weak LM Hash storage enabled | AD | New Indicator | |
DescriptionThis indicator detects when the "Network security: Do not store LAN Manager hash value on next password change" Group Policy Object setting is disabled within the Windows operating system. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Reversible passwords found in GPOs | AD | Updated | |
DescriptionThis indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker ("Cpassword" entries). Until patch MS14-025, it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Built-in guest account is enabled | AD | Updated | |
DescriptionThis indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows for accounts with no password access to the domain and is disabled in most AD environments. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controllers that have not authenticated to the domain for more than 45 days | AD | Updated | |
DescriptionDomain Controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing so, use of the Djoin utility is advised. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with permissions to set Server Trust Account | AD | Updated | |
DescriptionChecks for permissions on the domain NC head that enables a user to set a UAC flag - Server_Trust_Account on computer objects. This flag gives that computer object special permissions similar to a domain controller. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Kerberos KRBTGT account with old password | AD | Updated | |
DescriptionThis indicator checks the age of the password on the KRBTGT account. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Query policies that have the attribute of LDAP deny list set | AD | Updated | |
DescriptionThis security indicator is designed to check for LDAP IP deny lists across multiple domains in an Active Directory environment. For each available domain, it query the Active Directory for "query policies" associated with that domain, specifically looking for LDAP IP deny lists (ldapipdenylist attribute). |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | LDAP signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator checks for domain controllers where LDAP signing is not required. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Forest contains more than 50 privileged accounts | AD | Updated | |
DescriptionThis indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | AD objects created within the last 10 days | AD | Updated | |
DescriptionThis indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting, post-breach investigation or compliance validation. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Recent privileged account creation activity | AD | Updated | |
DescriptionThis indicator looks for any users or groups that were created within the last month. Privileged accounts and groups are defined by having their adminCount attribute set to 1. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unprivileged accounts with adminCount=1 | AD | Updated | |
DescriptionThis indicator looks for any users or groups that may have been under the control of SDProp (adminCount=1) but are no longer members of privileged groups and should not be considered privileged. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users and computers with non-default Primary Group IDs | AD | Updated | |
DescriptionThis indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users and computers without readable PGID | AD | Updated | |
DescriptionThis indicator finds users and computers for whom it can't read the PGID. This may be due to the default permission of Read access having been removed, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute). |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | NTFRS SYSVOL Replication | AD | Updated | |
DescriptionThis indicator looks for indication of usage of FRS for sysvol replication. Domain Controllers are configured to use the NTFRS replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to domain controllers. In addition, this protocol is no longer supported by the latest versions of Windows Server, which prevents migration to the latest versions. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Objects in privileged groups without adminCount=1 (SDProp) | AD | Updated | |
DescriptionThis indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Objects with constrained delegation configured | AD | Updated | |
DescriptionThis indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and does not have the UserAccountControl bit for protocol transition set. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Principals with constrained authentication delegation enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Kerberos protocol transition delegation configured | AD | Updated | |
DescriptionThis indicator looks for services that have been configured to allow Kerberos protocol transition. This capability enables a delegated service to use any available authentication protocol. This means that compromised services can reduce the quality of their authentication protocol to something that is more easily compromised (e.g. NTLM). |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Principals with constrained delegation using protocol transition enabled for a DC service | AD | Updated | |
DescriptionThis indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a service running on a DC. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with old passwords | AD | Updated | |
DescriptionThis indicator looks for user accounts whose password has not changed in over 180 days. This could make these account ripe for password guessing attacks. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Admins with old passwords | AD | Updated | |
DescriptionThis indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for password guessing attacks. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Operators Groups that are not empty | AD | Updated | |
DescriptionThis indicator checks if the Account Operators, Server Operators, Backup Operators and Print Operators groups in Active Directory are populated. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Outbound forest trust with SID History enabled | AD | Updated | |
DescriptionThis indicator checks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain trust to a third-party domain without quarantine | AD | Updated | |
DescriptionThis indicator looks for outbound forest trusts that has Quarantine flag set to false, which means that the trusted domain is not subject to SID filtering. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access to Active Directory. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with SPN defined | AD | Updated | |
DescriptionThis indicator provides a way to visually inventory all users accounts that have SPNs defined. Generally SPNs are only defined for "Kerberized" services, so if you see an account with an SPN that should not have one, this could be cause for concern. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Primary users with SPN not supporting AES encryption on Kerberos | AD | Updated | |
DescriptionThis indicator shows all Primary users with SPNs that do not support AES-128 or AES-256 encryption type. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Changes to privileged group membership in the last 7 days | AD | Updated | |
DescriptionThis indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate privilege. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged users with SPN defined | AD | Updated | |
DescriptionThis indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not considered part of this indicator. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Protected Users group not in use | AD | Updated | |
DescriptionThis indicator checks if privileged users are in the Protected Users security group. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) | AD | Updated | |
DescriptionWith sufficient permissions on a computer account and the ability to create another user or computer security principal, it is possible to compromise resources on that computer account using Kerberos resource-based constrained delegation (RBCD). This indicator looks for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator detects a configuration that grants certain accounts with complete delegation to domain controllers. Delegations towards privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target resource, as opposed to other delegation types that are configured on the accounts accessing the resource. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled | AD | Updated | |
DescriptionThis indicator checks if the KRBTGT account has resource-based constrained delegation (RBCD) defined. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Write access to RBCD on DC | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for Domain Controllers to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Write access to RBCD on krbtgt account | AD | Updated | |
DescriptionThis indicator looks for Write access on RBCD for the krbtgt account to users who are not in Domain Admins, Enterprise Admins and Built-in Admins groups. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | RC4 or DES encryption type are supported by Domain Controllers | AD | Updated | |
DescriptionThis indicator checks if RC4 or DES encryption is supported by Domain Controllers |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Recent SIDHistory changes on objects | AD | Updated | |
DescriptionThis indicator checks for any recent changes to SIDHistory on objects. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Non-default principals with DC Sync rights on the domain | AD | Updated | |
DescriptionAny security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL / Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden and Silver Ticket attacks. |
||||||
| 4.0.220574 | 1.150.0 | 2024/09/10 | Risky RODC credential caching | AD | Updated | |
DescriptionThis indicator checks the password replication policy on RODCs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged user credentials cached on RODC | AD | Updated | |
DescriptionThis indicator checks for privileged user credentials that are cached to RODCs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Shadow Credentials on privileged objects | AD | Updated | |
DescriptionThis indicator looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and DCs. |
||||||
| 4.0.220574 | 1.144.1 | 2024/09/10 | Well-known privileged SIDs in SIDHistory | AD | Updated | |
DescriptionThis indicator checks security principal SIDHistory for well-known privileged SIDs. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | SMB Signing is not required on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMB signing is not required. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | SMBv1 is enabled on Domain Controllers | AD | Updated | |
DescriptionThis indicator looks for domain controllers where SMBv1 protocol is enabled. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | SYSVOL Executable Changes | AD | Updated | |
DescriptionThis indicator looks for modifications to executable files within SYSVOL. It only examines files and executables that have read access to them. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Trust accounts with old passwords | AD | Updated | |
DescriptionThis indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust relationship was removed but its corresponding trust account wasn't cleaned up. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unprivileged principals as DNS Admins | AD | Updated | |
DescriptionThis indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a privileged group and is not protected by the AdminSDHolder SDProp mechanism. However as some research has shown, a member of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged objects with unprivileged owners | AD | Updated | |
DescriptionIf a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation on an object, if only temporarily. |
||||||
| 4.0.220574 | 1.148.0 | 2024/09/10 | Users with the attribute userPassword set | AD | New Indicator | |
DescriptionThis indicator checks for the attribute of userPassword existing on accounts. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Unprivileged users can add computer accounts to the domain | AD | Updated | |
DescriptionThis indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability.The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: This configuration may be enabled but be already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to Domain Controllers OU that are not checked by this indicator. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | User accounts that use DES encryption | AD | Updated | |
DescriptionThis indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and environments that only support DES. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with Password Never Expires flag set | AD | Updated | |
DescriptionThis indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service accounts with privileged access to applications and services, including Kerberos-based services. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Privileged accounts with a password that never expires | AD | Updated | |
DescriptionThis indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | User accounts with password not required | AD | Updated | |
DescriptionThis indicator identifies user accounts where a password is not required. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | User accounts that store passwords with reversible encryption | AD | Updated | |
DescriptionThis indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing passwords is by utilizing one-way encryption where it is mathematically impossible to derive the original password from the ciphertext. This setting encrypts the source password such that it is possible to derive the original. This setting is used when an application or service utilizes authentication protocols that require the original password, e.g. CHAP or IAS. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | Users with Kerberos pre-authentication disabled | AD | Updated | |
DescriptionThis indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential ASREP-Roasting attacks, such as 'Kerberoasting'. |
||||||
| 4.0.220574 | 1.146.0 | 2024/09/10 | GPO linking delegation at the AD Site level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.220574 | 1.146.0 | 2024/09/10 | GPO linking delegation at the domain controller OU level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||
| 4.0.220574 | 1.143.0 | 2024/09/10 | GPO linking delegation at the domain level | AD | Updated | |
DescriptionWhen non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. |
||||||