Tammy Mindel

Purple Knight, the free Active Directory (AD) security assessment tool downloaded by 10,000-plus users, now enables you to identify and address security gaps across your hybrid identity environment. That’s right: The latest release of Purple Knight introduces Azure AD security indicators. The ability to address security gaps across both on-prem AD and Azure AD gives you an edge when defending against current threats.

With a hybrid scenario, the potential attack surface expands for adversaries. Attacks now often start on-premises and move to the cloud—as in the SolarWinds attack—or move from cloud to on-prem. The new release of Purple Knight helps organizations uncover security gaps that can expose their hybrid identity systems to attackers.

Purple Knight—available for download here—also includes support for the MITRE D3FEND™ model, new on-prem AD security indicators, report enhancements, and a few bug fixes and script improvements.

What’s new in Purple Knight 1.5

In addition to introducing 10 Azure AD security indicators, Purple Knight 1.5 includes new security framework tags for the MITRE D3FEND model, a beta framework for network defense. MITRE D3FEND is a knowledge base of cybersecurity countermeasure techniques that can help you design, deploy, and better defend networked systems. Purple Knight also includes seven new security indicators for on-prem AD as well as HTML and PDF report enhancements. Here’s what Purple Knight 1.5 includes:

  • 10 Azure AD security indicators to help you understand your overall security posture across the hybrid identity environment
  • Security framework tags for the MITRE D3FEND model, a beta framework for network defense
  • HTML Security Assessment Report enhancements, including a navigation pane that enables you to quickly locate specific information within the report without scrolling and an updated report structure that includes both AD and Azure AD assessments when run in a hybrid environment
  • Ability to generate an enhanced PDF version of the Security Assessment Report
  • Various bug fixes and script improvements

Purple Knight 1.5 Report Summary

Using Purple Knight to assess security of your hybrid identity environment

Purple Knight 1.5 scans your Azure AD environment for the following indicators of exposure (IOEs), which signal risky configurations that attackers can exploit:

  • AAD privileged users that are also privileged in AD
  • Administrative units are not being used
  • Check for guests having permissions to invite other guests
  • Check for risky API permissions granted to application service principals
  • Check if legacy authentication is allowed
  • MFA not configured for privileged accounts
  • Non-admin users can register custom applications
  • Privileged groups contain guest accounts
  • Security defaults not enabled
  • Unrestricted user consent allowed
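Four of the indicators above are plain tenant-policy settings, so a defender can reproduce them from the Microsoft Graph objects that expose those settings. This is an added illustration, not Purple Knight's own code; it assumes the v1.0 `authorizationPolicy` and `identitySecurityDefaultsEnforcementPolicy` objects as Graph returns them, and the sample JSON is constructed.

```python
import json

# Legacy permission-grant policy: when it is assigned to the default user
# role, any member can consent to any application's delegated permissions.
LEGACY_CONSENT_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

# Constructed samples of GET /v1.0/policies/authorizationPolicy (trimmed to
# the fields used here) for a weak tenant and a hardened one.
WEAK_AUTHZ = json.loads("""{
  "allowInvitesFrom": "everyone",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": true,
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}""")
HARDENED_AUTHZ = json.loads("""{
  "allowInvitesFrom": "adminsAndGuestInviters",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": false,
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-low"]}}""")
# Constructed samples of GET /v1.0/policies/identitySecurityDefaultsEnforcementPolicy
WEAK_SECDEF = {"isEnabled": False}
HARDENED_SECDEF = {"isEnabled": True}


def evaluate_azure_ad_ioes(authz_policy: dict, security_defaults: dict) -> dict:
    """Map four of the tenant-setting IOEs to booleans (True = exposed)."""
    perms = authz_policy.get("defaultUserRolePermissions", {})
    grant_policies = perms.get("permissionGrantPoliciesAssigned", [])
    return {
        # "everyone" is the only allowInvitesFrom value that lets guests invite guests
        "Check for guests having permissions to invite other guests":
            authz_policy.get("allowInvitesFrom") == "everyone",
        "Non-admin users can register custom applications":
            bool(perms.get("allowedToCreateApps", False)),
        # the legacy grant policy lets users consent to any permission of any app
        "Unrestricted user consent allowed":
            LEGACY_CONSENT_POLICY in grant_policies,
        "Security defaults not enabled":
            not security_defaults.get("isEnabled", False),
    }


def exposed_indicators(authz_policy: dict, security_defaults: dict) -> list:
    """Names of the indicators that fired, sorted for stable reporting."""
    findings = evaluate_azure_ad_ioes(authz_policy, security_defaults)
    return sorted(name for name, exposed in findings.items() if exposed)


if __name__ == "__main__":
    for label, authz, secdef in (("weak", WEAK_AUTHZ, WEAK_SECDEF),
                                 ("hardened", HARDENED_AUTHZ, HARDENED_SECDEF)):
        print(label, exposed_indicators(authz, secdef))
```

Security defaults cannot coexist with Conditional Access policies, so a tenant that enforces MFA through Conditional Access will legitimately trip the "Security defaults not enabled" check; treat that finding as a prompt to confirm equivalent coverage rather than as an automatic failure.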

Download script for connecting Purple Knight to Azure Active Directory

To run Purple Knight in your Azure AD environment, you need to create and update the app registration in Azure AD with a defined and consented set of application permissions for the Microsoft Graph. Jorge de Almeida Pinto, Semperis Senior Solutions Architect and Product Manager, created a PowerShell script that automates this step.

To use the script, you’ll need two PowerShell modules—AzureAD and Az.Accounts—and the account creating the application registration must be a Global Admin. The script supports the following tasks:

  • Creates and updates the app registration in Azure AD for Purple Knight 1.5 to be able to scan for vulnerabilities in Azure AD
  • Deletes the app registration in Azure AD
  • Assigns the required Microsoft Graph application permissions and provides consent when creating or updating the app
  • Creates a client secret that by default is valid for one hour when creating or updating the app (if needed, you can provide a custom lifetime in days for the client secret)
  • Deletes all client secrets from the app registration in Azure AD
  • Displays the tenant ID, the application ID, the assigned and consented permissions, and the client secret to be used in the Purple Knight executable file

See the full list of functions and examples and download the Purple Knight 1.5 PowerShell script at the Semperis GitHub account.

New Active Directory security indicators

In addition to introducing Azure AD security indicators, Purple Knight 1.5 includes seven new on-prem AD security indicators:

  • Accounts with Constrained Delegation configured to krbtgt
  • Certificate templates that allow requesters to specify a subjectAltName
  • Certificate templates with three or more insecure configurations
  • FGPP not applied to group
  • LDAP signing is not required on domain controllers
  • Operator Groups that are not empty
  • RC4 encryption type is supported by domain controllers

Getting access to Purple Knight 1.5

You can download Purple Knight 1.5 here. Remember to review the latest Purple Knight quick start document for important guidance before unzipping and executing Purple Knight. You’ll find the latest version details and SHA-256 here.

If you’re new to Purple Knight, also check out the following resources:

  • Read the quick start document
  • Join the Purple Knight Slack community
  • Explore our security indicators tracker
  • Check out our Purple Knight user guide

Purple Knight introduces Azure AD security indicators to combat hybrid identity attacks

With the introduction of Azure AD security indicators, Purple Knight is a powerful resource in your defense against attacks that target hybrid AD environments. We welcome your feedback and questions on the Purple Knight Slack channel, or you can email us here.