Explore the Purple Knight Security Indicators

AAD Connect sync account password reset
Checks for Conditional Access policies that have the Continuous Access Evaluation feature disabled. The Continuous Access Evaluation feature allows you to revoke the access token for Microsoft applications and limit the time an attacker has access to company data. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
AAD privileged users that are also privileged in AD
Checks for Azure AD privileged users that are also privileged users in on-premises AD. A compromise of an account that is privileged in both AD and AAD can result in both environments being compromised. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Abnormal Password Refresh
Looks for user accounts with a recent pwdLastSet change without a corresponding password replication. If the “User must change password at next logon” option is set and then later cleared, this could indicate an administrative error or an attempt to bypass the organization’s password policy. Warning
  • MITRE ATT&CK:

    Credential Access

    Persistence

  • IOE
  • IOC
Accounts with altSecurityIdentities configured
Checks for accounts with the altSecurityIdentities attribute configured. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. When configured, it is possible to add values that essentially impersonate that account. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_a2d2

  • IOE
Accounts with Constrained Delegation configured to ghost SPN
Looks for accounts that have Constrained Delegation configured to ghost SPNs. When computers are decommissioned, their delegation configuration is not always cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_a2d2

  • IOE
Accounts with Constrained Delegation configured to krbtgt
Looks for accounts that have Constrained Delegation configured to the krbtgt service. Creating a Kerberos delegation to the krbtgt account itself allows that principal (user or computer) to generate a Ticket Granting Service (TGS) request to the krbtgt account as any user, which has the effect of generating a Ticket Granting Ticket (TGT) similar to a Golden Ticket. Critical
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_a2d2

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
AD Certificate Authority with Web Enrollment (PetitPotam and ESC8)
Identifies AD CS servers in the domain that accept NTLM authentication to Web Enrollment. Attackers may abuse a flaw in AD CS Web Enrollment that enables NTLM relay attacks to authenticate as a privileged user. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
AD objects created within the last 10 days
Looks for any AD objects that were recently created. Allows you to spot unknown or illegitimate accounts. Meant to be used for threat hunting, post-breach investigation, or compromise validation. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
AD privileged users that are synced to AAD
Checks for AD privileged users that are synchronized to AAD. When a privileged AD user is synchronized to AAD, a compromise of the AAD user can result in the on-premises environment being compromised as well. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Administrative units are not being used
Checks for the use of administrative units in the Entra tenant. Administrative units are an Entra ID feature that allow for restricting administrative scope of privileged users. Organizations that leverage administrative units can have more granularity in role assignment. Informational
  • MITRE ATT&CK:

    Lateral Movement

  • IOE
Admins with old passwords
Looks for Admin accounts whose password has not changed in over 180 days. If Admin account passwords are not changed on a regular basis, these accounts could be ripe for password guessing attacks. Warning
  • MITRE ATT&CK:

    Discovery

  • ANSSI:

    vuln1_password_change_priv

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Anonymous access to Active Directory enabled
Looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. Critical
  • MITRE ATT&CK:

    Defense Evasion

    Initial Access

    Persistence

    Privilege Escalation

  • ANSSI:

    vuln2_compatible_2000_anonymous

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Anonymous NSPI access to AD enabled
Detects when anonymous name service provider interface (NSPI) access is enabled. Allows anonymous RPC-based binds to AD. NSPI is rarely enabled, so if it is found to be enabled it should be a cause for concern. Warning
  • MITRE ATT&CK:

    Initial Access

  • ANSSI:

    vuln1_dsheuristics_bad

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Application expired secrets and certificates
Checks for certificates or secrets that have reached their expiration dates. This indicator does not indicate a direct risk or likelihood of compromise. Informational
  • MITRE ATT&CK:

    Credential Access

  • IOE
Application Name and Geographic Location additional contexts are disabled on MFA
Checks if the application name and geographic location additional contexts are disabled on multi-factor authentication (MFA). Enabling the application name and geographic location additional contexts on MFA provides an additional level of security for a user sign-in. Warning
  • MITRE ATT&CK:

    Initial Access

  • MITRE D3FEND:

    Harden – Multi-factor Authentication

  • IOE
Built-in domain Administrator account used within the last two weeks
Checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been recently updated. Recent use of this account could indicate that it has been compromised. Warning
  • MITRE ATT&CK:

    Defense Evasion

  • MITRE D3FEND:

    Detect – Credential Compromise Scope Analysis

    Harden – Strong Password Policy

  • IOE
  • IOC
Built-in domain Administrator account with old password (180 days)
Checks to see if the pwdLastSet attribute on the built-in Domain Administrator account has been changed within the last 180 days. If this password is not changed on a regular basis, this account can be vulnerable to brute force password attacks. Informational
  • MITRE ATT&CK:

    Credential Access

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Built-in guest account is enabled
Checks to ensure that the built-in AD “guest” account is disabled. An enabled guest account allows for passwordless access to the domain, which could present a security risk. Informational
  • MITRE ATT&CK:

    Discovery

    Reconnaissance

  • MITRE D3FEND:

    Evict – Account Locking

  • IOE
Certificate templates that allow requesters to specify a subjectAltName
Checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. When certificate templates allow requesters to specify a subjectAltName in the CSR, the result is that they can request a certificate as anyone (for example, a domain admin). When that is combined with an authentication EKU present in the certificate template, it can become extremely dangerous. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Certificate Analysis

  • IOE
Certificate templates with three or more insecure configurations
Checks if certificate templates in the forest have a minimum of three insecure configurations: Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. Each of these configurations can be exploited by adversaries to gain access. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Certificate Analysis

  • IOE
Certificate-Based Authentication Persistence
Assesses the presence of specific Entra ID Microsoft Graph app roles and permissions that, when combined, can enable a user to establish persistence through certificate-based authentication (CBA). Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Changes to AD display specifiers in the past 90 days
Looks for recent changes made to the adminContextMenu attribute on AD display specifiers. Modifying this attribute can potentially allow attackers to utilize context menus to get users to run arbitrary code. Informational
  • MITRE ATT&CK:

    Defense Evasion

    Execution

  • IOE
  • IOC
Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days
Looks for recent changes to the Default Domain Policy and Default Domain Controllers Policy GPOs. These GPOs control domain-wide and domain controller-wide security settings and can be misused to gain privileged access to AD. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • IOE
  • IOC
Changes to default security descriptor schema in the last 90 days
Detects recent schema attribute changes made on the default security descriptor. If an attacker gets access to the schema instance in a forest, any changes made can propagate to newly created objects in AD, potentially weakening AD security posture. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Changes to MS LAPS read permissions
Looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use Microsoft LAPS. Attackers may use this capability to laterally move through a domain using compromised local administrator accounts. Informational
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Changes to PreWindows 2000 Compatible Access Group membership
Looks for changes to the built-in “Pre-Windows 2000 Compatible Access” group. It is best to ensure this group does not contain the “Anonymous Logon” or “Everyone” groups. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
  • IOC
Changes to privileged group membership in the last 7 days
Looks for recent changes to the built-in privileged groups. Such changes could indicate attempts to escalate privilege. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
  • IOC
Changes to unprivileged group memberships in the last 7 days
Looks for unprivileged groups with membership changes made during the last 7 days. Membership changes to unprivileged groups may give access to resources using group privileges. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Check for guests having permission to invite other guests
Checks for guest invite permissions. It is not recommended to allow guests to send guest invitations. To prevent unauthorized guests from inviting others into the organization, consider updating the “Guest invite settings” to restrict this ability. Warning
  • MITRE ATT&CK:

    Lateral Movement

  • IOE
Check for risky API permissions granted to application service principals
Checks for API permissions that could be risky if not properly planned and approved. Malicious application administrators could use these permissions to grant administrative privileges to themselves or others. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Check for users with weak or no MFA
Checks all users for multi-factor authentication (MFA) registration and the methods configured. Due to the lack of uniform security measures within mobile networks, SMS and Voice are considered less secure than mobile applications and FIDO. A malicious user can vish/smish codes and trick users into providing authentication. Warning
  • MITRE ATT&CK:

    Initial Access

    Lateral Movement

  • IOE
Check if legacy authentication is allowed
Checks whether legacy authentication is blocked, either using conditional access policies or security defaults. Allowing legacy authentication increases the risk that an attacker will logon using previously compromised credentials. Informational
  • MITRE ATT&CK:

    Credential Access

  • IOE
Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD)
Looks for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects. Attackers could use Kerberos RBCD configuration to escalate privileges through a computer they control if that computer has delegation to the target system. Informational
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

    Privilege Escalation

  • IOE
  • IOC
Computer accounts in privileged groups
Looks for computer accounts that are a member of a domain privileged group. If a computer account is a member of the domain privileged group, then anyone that compromises that computer account can act as a member of that group. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
Computer or user accounts with SPN that have unconstrained delegation
Looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users’ Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are easily targeted for Kerberos-based attacks. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Lateral Movement

  • ANSSI:

    vuln2_delegation_t4d

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
Computers with older OS versions
Looks for machine accounts that are running versions of Windows older than Windows Server 2012 R2 and Windows 8.1. Computers running older and unsupported OS versions could be targeted with known or unpatched exploits. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • MITRE D3FEND:

    Harden – Software Update

  • IOE
Computers with password last set over 90 days ago
Looks for computer accounts that have not automatically rotated their passwords. Computer accounts should automatically rotate their passwords every 30 days; objects that are not doing this could show evidence of tampering. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_password_change_server_no_change_90

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Conditional Access policies contain private IP addresses
Checks if any Conditional Access policies contain named locations with private IP addresses. Having private IP addresses in named locations associated with Conditional Access policies could result in an undesired security posture. Warning
  • MITRE ATT&CK:

    Initial Access

  • IOE
Conditional Access Policy that disables admin token persistence
Looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to nine hours. When an admin login has their token cached on the client, they are vulnerable for a Primary Refresh Token related attack. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Conditional Access Policy that does not require a password change from high risk users
Checks whether a Conditional Access policy exists that requires a password change if the user is determined to be high risk by the Azure AD Identity Protection user risk API. A high user risk represents a high probability that an account has been compromised. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Conditional Access Policy that does not require MFA when sign-in risk has been identified
Checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is determined to be medium or high by the Azure AD Identity Protection sign-in risk API. A medium or high sign-in risk represents a medium to high probability that an unauthorized authentication request was made. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Conditional Access policy with Continuous Access Evaluation disabled
Checks for Conditional Access policies that have the Continuous Access Evaluation feature disabled. The Continuous Access Evaluation feature allows you to revoke the access token for Microsoft applications and limit the time an attacker has access to company data. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOC
Dangerous control paths expose certificate containers
Looks for non-default principals with permissions on the NTAuthCertificates container, which holds the intermediate CA certificates used to authenticate to Active Directory. Unprivileged users with permissions on the NTAuthCertificates container have the ability to escalate their access and make the domain trust a rogue CA. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_adcs_control

  • MITRE D3FEND:

    Harden – Credential Transmission Scoping

  • IOE
  • IOC
Dangerous control paths expose certificate templates
Looks for non-default principals with the ability to write properties on a certificate template. Unprivileged users with write properties on certificate templates have the ability to escalate their access and create vulnerable certificates to enroll. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_adcs_template_control

  • MITRE D3FEND:

    Detect – Certificate Analysis

  • IOE
  • IOC
Dangerous GPO logon script path
Looks for logon script paths to scripts that do not exist and where a low-privileged user has permissions on their parent folder. It also checks for logon script paths to existing scripts that give less-privileged users permissions to modify the script. By inserting a new script or changing an existing script that gives a normal user permission to change the script or access to their parent folder, an attacker can remotely run code on a larger part of the network without special privileges. Warning
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Detect – File Creation Analysis

    Detect – Script Execution Analysis

  • IOE
Dangerous Trust Attribute Set
Identifies trusts with either of the following attributes set: TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_PIM_TRUST. Setting these attributes will either allow a Kerberos ticket to be delegated or reduce the protection that SID filtering provides. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Harden – Domain Trust Policy

  • IOE
  • IOC
Dangerous user rights granted by GPO
Looks for non-privileged users who are granted elevated permissions through GPO. An attacker can potentially exploit the user rights granted by a GPO to gain access to systems, steal sensitive information, or cause other types of damage. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Local Account Monitoring

    Harden – Strong Password Policy

  • IOE
Domain Controller owner is not an administrator
Looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. Gaining control of DC machine accounts allows for an easy path to compromising the domain. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_dc

  • MITRE D3FEND:

    Harden – System Configuration Permissions

  • IOE
Domain controllers in an inconsistent state
Looks for domain controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. Illegitimate machines acting as DCs could indicate someone has compromised the environment (e.g., using DCShadow or similar DC spoofing attack). Informational
  • MITRE ATT&CK:

    Privilege Escalation

    Resource Development

  • ANSSI:

    vuln1_dc_inconsistent_uac

  • IOE
Domain controllers that have not authenticated to the domain for more than 45 days
Looks for domain controllers that have not authenticated to the domain in over 45 days. Lack of domain authentication reveals out-of-sync machines. If an attacker compromises an offline DC and cracks the credentials or re-connects to the domain, they may be able to introduce unwanted changes to Active Directory. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_password_change_inactive_dc

  • MITRE D3FEND:

    Isolate – Execution Isolation

  • IOE
Domain controllers with old passwords
Looks for domain controller machine accounts whose password has not been reset in over 45 days. Machine accounts with older passwords could indicate a DC that is no longer functioning in the domain. In addition, DCs with older machine account passwords could be more easily taken over. Informational
  • MITRE ATT&CK:

    Privilege Escalation

    Resource Development

  • ANSSI:

    vuln1_password_change_dc_no_change

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Domain controllers with Resource-Based Constrained Delegation (RBCD) enabled
Detects a configuration that grants certain accounts complete delegation to domain controllers. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Lateral Movement

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_sourcedeleg

  • IOE
  • IOC
Domain trust to a third-party domain without quarantine
Looks for outbound forest trusts that have the Quarantine flag set to false. An attacker that has compromised the remote domain can create a “spoofable” account to gain access to every resource on the local domain. If a dangerous control path is exposed, any “spoofable” account could also escalate its privileges up to Domain Admins and compromise the entire forest. Warning
  • MITRE ATT&CK:

    Lateral Movement

  • ANSSI:

    vuln1_trusts_domain_notfiltered

  • MITRE D3FEND:

    Harden – Domain Trust Policy

  • IOE
Domains with obsolete functional levels
Looks for AD domains that have a domain functional level set to Windows Server 2012 or lower. Lower functional levels mean that newer security features available in AD cannot be leveraged. Informational
  • MITRE ATT&CK:

    Reconnaissance

  • MITRE D3FEND:

    Harden – Software Update

  • IOE
Enabled admin accounts that are inactive
Looks for admin accounts that are enabled but have not logged in for the past 90 days. Attackers who can compromise these accounts will be able to operate unnoticed. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_password_change_priv

    vuln1_user_accounts_dormant

  • MITRE D3FEND:

    Evict – Account Locking

  • IOE
Enterprise Key Admins with full access to domain
Looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. This issue was corrected in a subsequent release of Windows 2016; however, if this fix has not been applied, this bug grants this group the ability to replicate all changes from AD (DCSync attack). Warning
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

    Privilege Escalation

  • ANSSI:

    vuln2_adupdate_bad

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Ephemeral Admins
Looks for users that were added and removed from an Admin group within a 48-hour period. Such short-lived accounts may indicate malicious activity. Informational
  • MITRE ATT&CK:

    Persistence

  • MITRE D3FEND:

    Harden – Strong Password Policy

    Harden – User Account Permissions

  • IOE
  • IOC
Evidence of Mimikatz DCShadow attack
Looks for evidence that a machine has been used to inject arbitrary changes into AD using a “fake” domain controller. These changes bypass the security event log and cannot be spotted using standard monitoring tools. Critical
  • MITRE ATT&CK:

    Defense Evasion

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

    Isolate – Execution Isolation

  • IOE
  • IOC
FGPP not applied to Group
Looks for fine-grained password policy (FGPP) targeted to a Universal or Domain Local group. Changing a group’s scope setting from Global to Universal or Domain Local results in FGPP settings no longer applying to that group, thus decreasing its password security controls. Warning
  • MITRE ATT&CK:

    Credential Access

    Persistence

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Foreign Security Principals in Privileged Group
Looks for members of built-in protected groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. Foreign Security Principals do not have the adminCount attribute and therefore may not be detected by some security auditing tools. Additionally, an attacker may add a privileged account and attempt to hide it using this method. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Persistence

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
Forest contains more than 50 privileged accounts
Counts the number of privileged accounts defined in the forest. In general, the more privileged accounts you have, the more opportunities there are for attackers to compromise one of these accounts. Warning
  • MITRE ATT&CK:

    Privilege Escalation

    Reconnaissance

  • ANSSI:

    vuln1_privileged_members

  • IOE
Global Administrators that signed in during the last 14 days
Looks for Global Administrators that have signed in during the past 14 days. Users that hold the Global Administrator role are the most privileged users in Entra ID. An attacker will find users with the Global Administrator role as high-valued, and a compromised Global Administrator can lead to several attacks against the organization. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Credential Compromise Scope Analysis

  • IOE
gMSA not used
Checks for enabled group Managed Service Accounts (gMSA) objects in the domain. The gMSA feature in Windows Server 2016 allows automatic rotation of passwords for service accounts, making them much more difficult for attackers to compromise. Informational
  • MITRE ATT&CK:

    Credential Access

  • IOE
gMSA objects with old passwords
Looks for group managed service accounts (gMSA) that have not automatically rotated their passwords. Objects that are not rotating their passwords regularly could show evidence of tampering. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
GPO linking delegation at the AD Site level
Looks for non-privileged principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. When non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers. They can potentially elevate access and change domain-wide security posture. Warning
  • MITRE ATT&CK:

    Execution

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_gpo_priv

  • IOE
GPO linking delegation at the domain controller OU level
Looks for non-privileged principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. When non-privileged users can link GPOs at the domain controller OU level, they have the ability to effect change on domain controllers. They can potentially elevate access and change domain-wide security posture. Warning
  • MITRE ATT&CK:

    Execution

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_gpo_priv

  • IOE
GPO linking delegation at the domain level
Looks for non-privileged principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. When non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain. They can potentially elevate access and change domain-wide security posture. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_gpo_priv

  • IOE
GPO with scheduled tasks configured
Checks GPOs that configure a scheduled task launching an executable and looks for low-privileged users with permissions to modify those GPOs. Scheduled tasks configured through group policies can be risky if not set up correctly. They can cause unintended problems and potential security vulnerabilities. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Detect – File Creation Analysis

    Detect – Script Execution Analysis

  • IOE
Guest accounts that were inactive for more than 30 days
Checks for guest accounts that have not signed in, using an interactive or non-interactive sign in, during the past 30 days. Inactive guest accounts leave an open gate to your Azure tenant. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Guest invites not accepted in last 30 days
Checks for guest invites that were not accepted within 30 days of the invitation. Stale guest invitations pose a security risk and should be deleted. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Guest users are not restricted
Checks whether guest users are restricted in the tenant. Attackers may use unrestricted guest users to perform enumeration of users and groups in the tenant. Informational
  • MITRE ATT&CK:

    Reconnaissance

  • IOE
High privileged custom roles
Checks for custom roles that grant elevated privileges to allow a user to perform actions on other users’ passwords and MFA. Custom roles grant elevated privileges and potentially pose a significant security risk if not properly managed. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Inheritance enabled on AdminSDHolder object
Checks for inheritance being enabled on the Access Control List (ACL) of the AdminSDHolder object, which could indicate an attempt to modify permissions on privileged objects that are subject to AdminSDHolder (for example, users or groups with adminCount=1). Changes to the AdminSDHolder object are very rare. Administrators should know that a change was made and be able to articulate the reason for the change. If the change was not intentional, the likelihood of compromise is very high. Critical
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • IOE
  • IOC
Kerberos krbtgt account with old password
Looks for a krbtgt user account whose password has not changed in the past 180 days. If the krbtgt account’s password is compromised, Golden Ticket attacks can be performed to obtain access to any resource in an AD domain. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_krbtgt

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Kerberos protocol transition delegation configured
Looks for services that have been configured to allow Kerberos protocol transition, which means that a delegated service can use any available authentication protocol. Compromised services can downgrade to a weaker authentication protocol that is more easily compromised (e.g., NTLM). Warning
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

    Privilege Escalation

  • IOE
  • IOC
krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled
Looks for a krbtgt account that has Resource-Based Constrained Delegation (RBCD) defined. Normally, delegations should not be created on the krbtgt account; if found, they could represent significant risk and should be mitigated quickly. Critical
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_a2d2

  • IOE
  • IOC
Less than 2 Global Administrators exist
Checks for the presence of fewer than two Global Administrators. This indicator aligns with Microsoft recommendations that customers should have at least two Global Administrators in the tenant. Informational
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
List of risky users (medium or high level)
Checks for risky users in the tenant with medium or high level of risk. Risky users are individuals or accounts exhibiting behaviors increasing the likelihood of security incidents or breaches, such as weak authentication practices, susceptibility to phishing, unusual activity patterns, accessing resources from unsecured devices or networks, or holding elevated privileges. These users pose significant risks, potentially leading to credential compromises, data breaches, or insider threats. Warning
  • MITRE ATT&CK:

    Initial Access

  • IOE
MFA not configured for privileged accounts
Checks whether Multi-Factor Authentication (MFA) is enabled for users with administrative rights. Accounts with privileged access are more vulnerable targets to attackers. A compromise of a privileged user represents a significant risk and therefore requires extra protection. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
More than 10 Privileged Administrators exist
Checks for the presence of 10 or more Privileged Assigned Roles. This indicator aligns with Microsoft recommendations that customers have no more than 10 privileged role assignments. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
More than 5 Global Administrators exist
Checks for the presence of five or more Global Administrators. Global Administrators control your Azure AD environment and have access to all administrative features and full control of Azure AD. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
New API token was created
Checks if a new API token has been created in the last 7 days. API tokens with high privileges allow unauthorized access and actions in Okta. If an attacker gains access to the token’s password, they can leverage it to query and perform actions potentially leading to persistence and compromising the environment. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
New permission has been granted to a group
Checks if any permissions have been granted to a group in the last 7 days. Members of a group with high privileges can perform significant actions in Okta. Therefore, it is important to know which groups grant strong privileges. Informational
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
New permission has been granted to user
Checks if any permissions have been granted to a user in the last 7 days. Users with high privileges can perform significant actions in Okta. Therefore, it is important to identify and monitor users who have been granted elevated privileges to mitigate the risk of unauthorized access and potential misuse of sensitive data. Informational
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
New Super Admin permission has been granted to user
Checks for users who were granted “Super Admin” permissions in the last 7 days. Users with “Super Admin” privileges have extensive privileges and control over critical aspects of the Okta environment. Unauthorized or excessive granting of the “Super Admin” permission can significantly increase the risk of compromise and unauthorized access to Okta. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
New Super Admin permissions has been granted to a group
Checks for groups where “Super Admin” permissions have been granted in the last 7 days. Members in a group with “Super Admin” privileges have extensive access and can perform significant actions in Okta. Therefore, it is important to closely monitor and control which groups are granted these strong privileges to prevent unauthorized access and potential compromise of the Okta environment. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Non-admin users can register custom applications
Checks for an authorization policy that enables non-admin users to register custom applications. If non-admin users are allowed to register custom-developed enterprise applications, attackers might use that loophole to register nefarious applications, which they can then leverage to gain additional permissions. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Non-default access to DPAPI key
Checks domain controllers for non-default principals that are permitted to retrieve the domain DPAPI backup key (using LsaRetrievePrivateData). With these permissions, an attacker could recover all domain data encrypted via DPAPI. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_permissions_dpapi

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Non-default access to gMSA root key
Looks for non-default principals with permissions to read the msKds-RootKeyData attribute on the KDS root key. Users with read permissions to this property could compromise every gMSA account in the forest. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_permissions_gmsa_keys

    vuln2_permissions_gmsa_keys

  • IOE
  • IOC
Non-default principals with DC Sync rights on the domain
Looks for security principals with Replicating Changes All or Replicating Directory Changes permissions on the domain naming context object. Security principals with these permissions on the domain naming context object can potentially retrieve password hashes for users in an AD domain (DCSync attack). Critical
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_permissions_naming_context

  • IOE
Non-default value on ms-Mcs-AdmPwd SearchFlags
Looks for changes to the default searchFlags on the ms-Mcs-AdmPwd schema. Some flags may inadvertently cause the password to be visible to unintended users allowing an attacker to use it as a stealthy backdoor. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
  • IOC
Non-privileged users with access to gMSA passwords
Looks for principals listed within the MSDS-groupMSAmembership that are not in the built-in admin groups. An attacker that controls access to the gMSA account can retrieve passwords for resources managed with gMSA. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
  • IOC
Non-standard schema permissions
Looks for additional principals with any permissions beyond generic Read to the schema partitions. By default, modification permissions on the schema are limited to Schema Admins. These permissions grant the trusted principal complete control over the Active Directory. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_schema

  • MITRE D3FEND:

    Harden – System Configuration Permissions

  • IOE
  • IOC
Non-synced AAD user that is eligible for a privileged role
Checks for Azure AD users that are eligible for a high-privilege role and have the proxyAddress attribute but are not synchronized with an AD account. An attacker might use SMTP matching to synchronize controlled AD users with AAD users that are eligible for high-privilege roles. This process overwrites the AAD password and could result in privilege escalation over AAD. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
NTFRS SYSVOL replication
Looks for indications that FRS is still used for SYSVOL replication. NTFRS is an older protocol that has been replaced by DFSR. Attackers that can exploit NTFRS vulnerabilities to compromise SYSVOL can potentially change GPOs and logon scripts to propagate malware and move laterally across the environment. Warning
  • MITRE ATT&CK:

    Collection

  • ANSSI:

    vuln2_sysvol_ntfrs

  • IOE
Objects in privileged groups without adminCount=1 (SDProp)
Looks for objects in built-in privileged groups whose adminCount attribute is not set to 1. If an object within these groups has an adminCount not equal to 1, it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. Informational
  • MITRE ATT&CK:

    Defense Evasion

    Persistence

  • IOE
  • IOC
Objects with constrained delegation configured
Looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e., constrained delegation) and do not have the UserAccountControl bit for protocol transition set. Attackers may use delegations to move laterally or escalate privileges if they compromise a service that is trusted to delegate. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Operator groups no longer protected by AdminSDHolder and SDProp
Checks if dwAdminSDExMask on dSHeuristics has been set, which indicates a change to the SDProp behavior that could compromise security. A change to the AdminSDHolder SDProp behavior could indicate an attempt at defense evasion. Warning
  • MITRE ATT&CK:

    Defense Evasion

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Operator Groups that are not empty
Looks for operator groups (Account Operators, Server Operators, Backup Operators, Print Operators) that contain members. These groups have write access to critical resources on the domain; attackers that are members of these groups can take indirect control of the domain. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Outbound forest trust with SID History enabled
Looks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. If this flag is set, a cross-forest trust to a domain is treated as an external trust for the purposes of SID filtering. This attribute relaxes the more stringent filtering performed on cross-forest trusts. Warning
  • MITRE ATT&CK:

    Lateral Movement

  • ANSSI:

    vuln1_trusts_forest_sidhistory

  • MITRE D3FEND:

    Harden – Domain Trust Policy

  • IOE
Password policy check
Evaluates all password policies and verifies they adhere to Okta’s recommendations. A strong password policy is crucial in preventing unauthorized access to the environment through brute force attacks. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Permission changes on AdminSDHolder object
Looks for Access Control List (ACL) changes on the AdminSDHolder object. Such changes could indicate an attempt to modify permissions on privileged objects that are subject to AdminSDHolder. Critical
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_adminsdholder

    vuln1_privileged_members_perm

  • IOE
  • IOC
Primary users with SPN not supporting AES encryption on Kerberos
Shows all primary users with servicePrincipalNames (SPNs) that do not support AES-128 or AES-256 encryption type. AES encryption is stronger than RC4 encryption. Configuring primary users with SPNs that support AES encryption will not mitigate attacks such as kerberoasting. However, it does force AES encryption by default, meaning that it is possible to monitor for encryption downgrade attacks to RC4 (kerberoasting attacks). Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Principals with constrained authentication delegation enabled for a DC service
Looks for computers and users that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Principals with constrained delegation using protocol transition enabled for a DC service
Looks for computers and users that have constrained delegation using protocol transition defined against a service running on a DC. If an attacker can create such a delegation for a service that they can control or compromise an existing service, they can effectively gain a TGS for any user with privileges to the DC. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_t2a4d

  • IOE
  • IOC
Print spooler service is enabled on a DC
Looks for domain controllers that have the print spooler service running, which is enabled by default. Several critical flaws were found in Windows Print Spooler services, which directly affect Print spoolers installed on domain controllers, enabling remote code execution. Critical
  • MITRE ATT&CK:

    Execution

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Harden – Software Update

  • IOE
Privileged accounts with a password that never expires
Identifies privileged accounts (adminCount = 1) where the “Password Never Expires” flag is set. User accounts whose passwords never expire are ripe targets for brute force password guessing. If these accounts are also administrative or privileged accounts, this makes them more of a target. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_dont_expire_priv

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Privileged group contains guest account
Checks whether any privileged roles have been assigned to guest accounts. External attackers covet privileged accounts, as they provide a fast track to an organization’s most critical systems. Guest accounts represent an external entity that does not undergo the same security as users in your tenant; therefore, assigning privileged roles to them poses a heightened risk. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Privileged objects with unprivileged owners
Looks for privileged objects (adminCount = 1) that are owned by an unprivileged account. Any compromise of an unprivileged account could result in a privileged object’s delegation being modified. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_adminsdholder

  • IOE
Privileged user credentials cached on RODC
Looks for privileged users with credentials that are cached on RODCs. While not immediately indicative of an attack, privileged user accounts are sensitive and should not be cached on RODCs since their physical security is not as robust as a full DC. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • IOE
Privileged users that are disabled
Looks for privileged user accounts that are disabled. If a privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse. Informational
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Privileged users with ServicePrincipalNames defined
Looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. Privileged accounts that have an SPN defined are targets for Kerberos-based attacks that can elevate privileges to those accounts. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_spn_priv

  • IOE
  • IOC
Privileged users with weak password policy
Looks for privileged users in each domain that do not have a strong password policy enforced, according to the ANSSI framework. It checks both the Fine-Grained Password Policy (FGPP) and the password policy applied to the domain. A strong password as defined by ANSSI is at least eight characters long and updated no later than every three years. Weak passwords are easier to crack via brute-force attacks and can provide attackers opportunities for moving laterally or escalating privileges. The risk is even higher for privileged accounts, because when compromised they improve the attacker’s chance to quickly advance within the network. Critical
  • MITRE ATT&CK:

    Discovery

  • ANSSI:

    vuln2_privileged_members_password

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
  • IOC
Protected Users group not in use
Detects when privileged users are not a member of the Protected Users group. The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Informational
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln3_protected_users

  • IOE
Query policies that have the attribute of ldap deny list set
Checks for LDAP IP deny lists (ldapipdenylist attribute) across multiple domains in an AD environment. Unauthorized or unexpected entries in the LDAP IP deny list could suggest a security breach or an attempt to limit access to critical resources maliciously. Informational
  • MITRE ATT&CK:

    Impact

  • IOE
RC4 or DES encryption type is supported by Domain Controllers
Checks if RC4 or DES encryption is supported by domain controllers. RC4 and DES are considered insecure forms of encryption, susceptible to various cryptographic attacks. Multiple vulnerabilities in the RC4 and DES algorithms allow MITM (Man-in-the-Middle) and deciphering attacks. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Recent privileged account creation activity
Looks for any privileged users or groups (adminCount = 1) that were recently created. Allows you to spot privileged accounts and groups that were created without your prior knowledge. Informational
  • MITRE ATT&CK:

    Persistence

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Recent sIDHistory changes on objects
Detects any recent changes to the sIDHistory on objects, including changes to non-privileged accounts where privileged SIDs are added. Attackers need privileged access to AD to be able to write to sIDHistory, but if such rights exist then writing privileged SIDs to regular user accounts is a stealthy way of creating backdoor accounts. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
  • IOC
Resource Based Constrained Delegation applied to AZUREADSSOACC account
Looks for Resource Based Constrained Delegation configured for the Azure SSO account, AZUREADSSOACC. An account with Resource Based Constrained Delegation would allow that principal to generate a Ticket Granting Service (TGS) request to the Azure tenant on behalf of the AZUREADSSOACC account as any user and impersonate that user. Warning
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

  • IOE
Reversible passwords found in GPOs
Looks in the SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker (so-called “Cpassword” entries). This area is one of the first things attackers look for when they’ve gained access to an AD environment. Critical
  • MITRE ATT&CK:

    Credential Access

  • MITRE D3FEND:

    Detect – Emulated File Analysis

  • IOE
Risky RODC credential caching
Looks for a Password Replication Policy that allows privileged objects. If privileged users are in the allow list, they can be exposed to credential theft on an RODC. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_rodc_priv_revealed

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Security defaults not enabled
When there are no conditional access policies configured, this indicator checks whether security defaults are enabled. It is recommended that security defaults be used for tenants that have no conditional access policies configured. Security defaults will require MFA, block legacy authentication, and require additional authentication when accessing the Azure portal, Azure PowerShell, and the Azure CLI. Warning
  • MITRE ATT&CK:

    Credential Access

    Initial Access

  • IOE
Self-service password reset enabled for privileged roles
Checks whether users in privileged roles in Entra ID can use self-service password reset. Self-service password reset (SSPR) is beneficial in organizations for end users but has security trade-offs for privileged accounts. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Shadow Credentials on privileged objects
Looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and domain controllers. If Kerberos PKINIT is enabled, users who can write to these privileged objects can elevate privileges to them. Warning
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
SMB Signing is not required on Domain Controllers
Looks for domain controllers where SMB signing is not required. Unsigned network traffic is susceptible to attacks abusing the NTLM challenge-response protocol. A common example of such attacks is SMB Relay, where an attacker is positioned between the client and the server in order to capture data packets transmitted between the two, thus gaining unauthorized access to the server or other servers on the network. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
SMBv1 is enabled on Domain Controllers
Looks for domain controllers where SMBv1 protocol is enabled. SMBv1 is an old protocol (deprecated by Microsoft in 2014), which is considered unsafe and susceptible to all kinds of attacks. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
SSO computer account with password last set over 90 days ago
Checks the Azure SSO computer account (AZUREADSSOACC) to determine if the password has been rotated in the last 90 days. The password for the Azure SSO computer account is not automatically changed every 30 days. If the password for this account is compromised, an attacker could generate a Ticket Granting Service (TGS) request to the AZUREADSSOACC account as any user, which has the effect of generating a ticket to Azure and impersonating that user. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_password_change_server_no_change_90

  • IOE
SYSVOL Executable Changes
Looks for modifications to executable files within SYSVOL. Changes to the executable files within SYSVOL should be accounted for or investigated to look for potential security posture weakening. Informational
  • MITRE ATT&CK:

    Execution

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Detect – File Analysis

  • IOE
  • IOC
Trust accounts with old passwords
Looks for trust accounts whose password has not changed within the last year. Trust accounts facilitate authentication across trusts and should be protected like privileged user accounts. Normally, trust account passwords are rotated automatically, so a trust account without a recent password change could indicate an orphaned trust account. Informational
  • MITRE ATT&CK:

    Initial Access

  • ANSSI:

    vuln2_trusts_accounts

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Unexpected accounts in Cert Publishers Group
Checks to see if the Cert Publishers Group contains members that aren’t expected to be there. Individuals belonging to the Cert Publishers Group have the ability to introduce a potentially harmful Certificate Authority (CA) within an ADCS environment that will be trusted by all clients. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Unprivileged accounts with adminCount=1
Looks for any users or groups that may be under the control of SDProp (adminCount=1) but are no longer members of privileged groups. Might be evidence of an attacker that attempted to cover their tracks and remove a user they used for compromise. Informational
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
  • IOC
Unprivileged principals as DNS Admins
Looks for any member of the DNS Admins group that is not a privileged user. Membership in this group is often delegated to non-AD administrators (e.g., admins with networking responsibilities such as DNS, DHCP, etc.), which can make these accounts prime targets for compromise. Warning
  • MITRE ATT&CK:

    Execution

    Privilege Escalation

  • ANSSI:

    vuln1_dnsadmins

    vuln1_permissions_msdn

  • IOE
Unprivileged users can add computer accounts to domain
Checks to see if unprivileged domain members are allowed to add computer accounts to a domain. Having the ability to add computer accounts to a domain can be abused by Kerberos-based attacks. Informational
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

  • IOE
Unrestricted user consent allowed
Checks if users are allowed to add applications from unverified publishers. When users are allowed to consent to any third-party application, there is considerable risk that an allowed application will take intrusive or risky actions. Warning
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • IOE
Unsecured DNS configuration
Looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously. An attacker could leverage this exposure to add a new DNS record or replace an existing DNS record to spoof a management interface, then wait for incoming connections in order to steal credentials. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_dnszone_bad_prop

  • IOE
User accounts that store passwords with reversible encryption
Identifies accounts with the “ENCRYPTED_TEXT_PWD_ALLOWED” flag enabled. Attackers may be able to derive these users’ passwords from the ciphertext and take over these accounts. Informational
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln3_reversible_password

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
User accounts that use DES encryption
Identifies user accounts with the “Use Kerberos DES encryption types for this account” flag set. Attackers can easily crack DES passwords using widely available tools, making these accounts ripe for takeover. Informational
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_kerberos_properties_deskey

  • IOE
User accounts with password not required
Identifies user accounts where a password is not required. Accounts with weak access controls are often targeted to move laterally or gain a persistence foothold with the environment. Informational
  • MITRE ATT&CK:

    Lateral Movement

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
User activation in the last 7 days
Checks for users who were activated in the past 7 days. Activated users have the ability to authenticate and perform actions within the Okta environment. Therefore, it is important to monitor and verify the activation status of users to ensure that only authorized individuals have access. Informational
  • MITRE ATT&CK:

    Persistence

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
User consent is allowed for risky applications
Checks for an Entra ID authorization policy that allows users to grant consent for risky applications. To enhance security, it is recommended to set the allowUserConsentForRiskyApps property to false. This prevents users from granting consent to risky applications independently. Warning
  • MITRE ATT&CK:

    Initial Access

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Model – Access Modeling

  • IOE
User deactivation in the last 7 days
Checks for users who were deactivated in the past 7 days. Deactivated users no longer have the ability to authenticate and perform actions within the Okta environment. However, an attacker may intentionally deactivate a user to disrupt the functioning of the environment or to hide their activities. It is important to monitor and verify the deactivation status of users to ensure it aligns with the intended access controls. Informational
  • IOE
Users and computers with non-default Primary Group IDs
Returns a list of all users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Modifying the Primary Group ID is a stealthy way for an attacker to escalate privileges without triggering member attribute auditing for group membership changes. Informational
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_primary_group_id_1000

    vuln3_primary_group_id_nochange

  • IOE
  • IOC
Users and computers without readable PGID
Finds users and computers whose Primary Group ID (PGID) cannot be read. This may be caused by removing the default Read permission, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute). Warning
  • MITRE ATT&CK:

    Defense Evasion

  • IOE
  • IOC
Users or devices inactive for at least 90 days
Checks for users or devices that have not signed in during the past 90 days. Users or devices that have been inactive for 90 days or more are likely no longer in use and leave an open gate to the Azure AD tenant. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Users with Kerberos pre-authentication disabled
Looks for users with Kerberos pre-authentication disabled. These users can be targeted for ASREP-Roasting attacks (like “Kerberoasting”). Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_kerberos_properties_preauth_priv

    vuln2_kerberos_properties_preauth

  • IOE
Users with old passwords
Looks for user accounts whose password has not changed in over 180 days. These accounts could be ripe for password guessing attacks. Warning
  • MITRE ATT&CK:

    Credential Access

    Persistence

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Users with Password Never Expires flag set
Identifies user accounts where the “Password Never Expires” flag is set. These accounts can be potential targets for brute force password attacks. Informational
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_dont_expire

  • IOE
Users with permissions to set Server Trust Account
Checks the domain NC head permissions to see if the Server_Trust_Account flag can be set on computer objects. An attacker who can grant these permissions to authenticated users can use that access to promote any computer they control to domain controller status, enabling privilege escalation to AD services and credential access attacks such as DCSync. Critical
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Users with ServicePrincipalName defined
Provides a way to visually inventory all user accounts that have ServicePrincipalNames (SPNs) defined. Generally, SPNs are only defined for “Kerberized” services; other accounts with an SPN may be cause for concern. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Users without Multi-Factor Authentication (MFA)
Checks all users to identify those who have not registered for Multi-Factor Authentication (MFA). Users who are not configured with MFA are at a high risk of being compromised. This poses a significant threat not only to the user but also to the entire environment. Warning
  • MITRE ATT&CK:

    Initial Access

  • IOE
Weak certificate encryption
Looks for certificates stored in Active Directory with a key size smaller than 2048 bits or using DSA keys. Weak certificates can be abused by attackers to gain access to systems that use certificate-based authentication. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_certificates_vuln

  • MITRE D3FEND:

    Harden – Certificate-based Authentication

  • IOE
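The certificate indicator above can be reproduced by pulling the DER blobs Active Directory stores in userCertificate (on user and computer objects) and cACertificate (CA and NTAuth objects under Public Key Services in the Configuration partition) and inspecting each public key. The script below is an added example for this page, not Semperis code; it assumes the ActiveDirectory RSAT module and applies the indicator’s rule literally: RSA shorter than 2048 bits, or any DSA key, is weak.

```powershell
# Added example (not Purple Knight code): flag weak public keys in certificates stored in AD.
# Requires the ActiveDirectory RSAT module; Windows PowerShell 5.1 or PowerShell 7.
Import-Module ActiveDirectory

function Test-WeakCertificate {
  # Returns a finding object for a DER-encoded certificate, or $null when the key is acceptable.
  param([byte[]]$Der, [string]$Holder)
  try   { $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Der) }
  catch { return [pscustomobject]@{ Holder = $Holder; Subject = '(unparseable)'; NotAfter = $null; Algorithm = $null; KeySize = $null; Reason = 'not a valid X.509 blob' } }

  $alg = $null; $size = $null; $reason = $null
  switch ($cert.PublicKey.Oid.Value) {
    '1.2.840.113549.1.1.1' {        # rsaEncryption
      $alg  = 'RSA'
      $size = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
      if ($size -lt 2048) { $reason = "RSA key of only $size bits" }
    }
    '1.2.840.10040.4.1' {           # id-dsa: weak regardless of size per the indicator
      $alg    = 'DSA'
      $size   = [System.Security.Cryptography.X509Certificates.DSACertificateExtensions]::GetDSAPublicKey($cert).KeySize
      $reason = 'DSA key'
    }
    default { $alg = $cert.PublicKey.Oid.FriendlyName }   # ECC and others: not covered by this indicator
  }
  if (-not $reason) { return $null }
  [pscustomobject]@{ Holder = $Holder; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Algorithm = $alg; KeySize = $size; Reason = $reason }
}

$findings = @()

# Certificates published on user and computer objects in the domain partition
foreach ($obj in Get-ADObject -LDAPFilter '(userCertificate=*)' -Properties userCertificate) {
  foreach ($der in $obj.userCertificate) {
    $f = Test-WeakCertificate -Der $der -Holder $obj.DistinguishedName
    if ($f) { $findings += $f }
  }
}

# CA, AIA, and NTAuth certificates under Public Key Services in the Configuration partition
$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
foreach ($obj in Get-ADObject -SearchBase $pkiBase -LDAPFilter '(cACertificate=*)' -Properties cACertificate) {
  foreach ($der in $obj.cACertificate) {
    $f = Test-WeakCertificate -Der $der -Holder $obj.DistinguishedName
    if ($f) { $findings += $f }
  }
}

$findings | Sort-Object Algorithm, KeySize | Format-Table -AutoSize
```

Expired certificates still show up, since a stale userCertificate value is exactly what an attacker looks for when choosing a mapping to abuse; use the NotAfter column to decide whether a finding is a cleanup task or a live exposure.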
Well-known privileged SIDs in sIDHistory
Looks for security principals whose sIDHistory attribute contains specific SIDs of accounts or built-in privileged groups. This grants those principals the same privileges as the privileged accounts, but in a way that is not obvious to monitor (it does not show up as group membership). Critical
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • ANSSI:

    vuln2_sidhistory_dangerous

    vuln3_sidhistory_present

  • IOE
  • IOC
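One way to look for the condition above, as an added example for this page rather than Purple Knight’s own logic: expand a list of well-known privileged RIDs into concrete SIDs for every domain in the forest, add the BUILTIN groups (whose SIDs are the same everywhere), and compare each sIDHistory value against that set. The script assumes the ActiveDirectory RSAT module and read access to every domain; the RID list is this example’s choice and can be extended.

```powershell
# Added example (not Purple Knight code): principals whose sIDHistory carries a privileged SID.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Well-known RIDs that exist in every domain (519/526/527 are only meaningful in the forest root,
# but watching them everywhere is harmless)
$privilegedRids = @{
  500 = 'Administrator';  512 = 'Domain Admins';     516 = 'Domain Controllers'
  518 = 'Schema Admins';  519 = 'Enterprise Admins'; 526 = 'Key Admins'; 527 = 'Enterprise Key Admins'
}
# BUILTIN groups are domain-local and have identical SIDs in every domain
$builtinGroups = @{
  'S-1-5-32-544' = 'Administrators';  'S-1-5-32-548' = 'Account Operators'; 'S-1-5-32-549' = 'Server Operators'
  'S-1-5-32-550' = 'Print Operators'; 'S-1-5-32-551' = 'Backup Operators'
}

# Expand the RIDs into full SIDs for every domain in this forest
$watch = @{}
foreach ($name in $forest.Domains) {
  $domSid = (Get-ADDomain -Identity $name).DomainSID.Value
  foreach ($rid in $privilegedRids.Keys) { $watch["$domSid-$rid"] = "$name\$($privilegedRids[$rid])" }
}
foreach ($sid in $builtinGroups.Keys) { $watch[$sid] = "BUILTIN\$($builtinGroups[$sid])" }

$findings = foreach ($name in $forest.Domains) {
  Get-ADObject -Server $name -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass, sAMAccountName |
    ForEach-Object {
      $obj = $_
      foreach ($entry in $obj.sIDHistory) {
        $sid = [string]$entry                        # values arrive as SecurityIdentifier objects
        $rid = [int]($sid.Split('-')[-1])
        if ($watch.ContainsKey($sid)) {
          $verdict = "maps to $($watch[$sid])"
        } elseif ($privilegedRids.ContainsKey($rid) -and -not $sid.StartsWith('S-1-5-32-')) {
          # privileged RID from a domain that is not in this forest (external trust or a decommissioned domain)
          $verdict = "privileged RID $rid ($($privilegedRids[$rid])) from a foreign domain: review"
        } else { continue }
        [pscustomobject]@{
          Domain = $name; Object = $obj.DistinguishedName; Class = $obj.ObjectClass
          HistorySid = $sid; Verdict = $verdict
        }
      }
    }
}

$findings | Format-Table -AutoSize
```

Ordinary migration leftovers (a user whose sIDHistory holds their own old user SID) are deliberately not reported; only privileged SIDs are, which keeps the output short enough to act on. Pair the query with alerting on event IDs 4765 and 4766 (sIDHistory added, or an attempt to add it, to an account) to catch the change itself rather than only its residue.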
Writable shortcuts found in GPO
Looks for shortcuts within Group Policy Objects (GPOs) that are writable by low-privileged users. A shortcut deployed through Group Policy is created on every computer, or for every user, the GPO applies to, so a low-privileged user who can modify the shortcut definition can point it at a program of their choosing and have it launched in the context of those users. Warning
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Detect – File Creation Analysis

    Detect – Script Execution Analysis

  • IOE
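Group Policy Preferences store shortcut definitions as Shortcuts.xml files under each GPO’s folder in SYSVOL, so the indicator above reduces to an NTFS ACL review of those files and their parent folders. The script below is an added example for this page, not Purple Knight’s own check; it assumes the ActiveDirectory and GroupPolicy RSAT modules, read access to SYSVOL, and a small list of principals that are expected to hold write access (an assumption to adjust for your environment).

```powershell
# Added example (not Purple Knight code): GPP shortcut definitions in SYSVOL that non-admins can modify.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$rootNB   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).NetBIOSName
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

# Principals expected to hold write access on policy files (assumption; extend as needed)
$trustedWriters = @(
  'NT AUTHORITY\SYSTEM'
  'BUILTIN\Administrators'
  'CREATOR OWNER'
  "$($domain.NetBIOSName)\Domain Admins"
  "$rootNB\Enterprise Admins"
  "$($domain.NetBIOSName)\Group Policy Creator Owners"
)

# Rights that let the holder alter the file, replace it through the folder, or grant themselves more.
# Inherited ACEs often carry the generic bits instead of specific ones, so include GENERIC_ALL/GENERIC_WRITE.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

function Get-UnexpectedFileWriters {
  param([string]$Path)
  $acl = Get-Acl -LiteralPath $Path
  foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    if ($trustedWriters -contains $ace.IdentityReference.Value) { continue }
    [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
  }
}

$findings = foreach ($file in Get-ChildItem -Path $policies -Recurse -File -Filter 'Shortcuts.xml' -ErrorAction SilentlyContinue) {
  # Policies\{GUID}\(Machine|User)\Preferences\Shortcuts\Shortcuts.xml: the GUID folder names the GPO
  $gpoGuid = $file.FullName.Substring($policies.Length).TrimStart('\').Split('\')[0]
  try   { $gpoName = (Get-GPO -Guid $gpoGuid -ErrorAction Stop).DisplayName }
  catch { $gpoName = '(unknown GPO)' }

  # The shortcut targets show what a tampered entry would redirect
  try   { $targets = ([xml](Get-Content -LiteralPath $file.FullName -Raw)).Shortcuts.Shortcut | ForEach-Object { $_.Properties.targetPath } }
  catch { $targets = @() }

  # Check the file itself and its folder (folder write lets an attacker replace the file outright)
  $hits = @(Get-UnexpectedFileWriters -Path $file.FullName) + @(Get-UnexpectedFileWriters -Path $file.DirectoryName)
  foreach ($hit in $hits) {
    [pscustomobject]@{
      GPO = $gpoName; Guid = $gpoGuid; Path = $hit.Path; Identity = $hit.Identity
      Rights = $hit.Rights; Inherited = $hit.Inherited; Targets = ($targets -join '; ')
    }
  }
}

$findings | Format-Table -AutoSize
```

Run it from a host that is not a domain controller, using an ordinary account, and you also learn whether your own account would be in the report; a finding that is Inherited = True usually means the whole GPO folder, not just the shortcut, has a broken ACL.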
Write access to RBCD on DC
Looks for users who are not in the Domain Admins, Enterprise Admins, or built-in Administrators groups but have write access to the Resource-Based Constrained Delegation (RBCD) attribute (msDS-AllowedToActOnBehalfOfOtherIdentity) of domain controller computer objects. An attacker with write access to that attribute on a resource can make a principal they control impersonate any user to that resource, except accounts marked “sensitive and cannot be delegated” or members of Protected Users. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Write access to RBCD on krbtgt account
Looks for users who are not in the Domain Admins, Enterprise Admins, or built-in Administrators groups but have write access to the Resource-Based Constrained Delegation (RBCD) attribute (msDS-AllowedToActOnBehalfOfOtherIdentity) of the krbtgt account. An attacker with write access to that attribute on a resource can make a principal they control impersonate any user to that resource, except accounts marked “sensitive and cannot be delegated” or members of Protected Users. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
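The Server Trust Account indicator earlier on this page and the two RBCD indicators above are all the same question: who may write one specific attribute on one specific object. For Server Trust Account it is userAccountControl on computer objects, granted by inheritable ACEs on the domain NC head; for RBCD it is msDS-AllowedToActOnBehalfOfOtherIdentity on each domain controller’s computer object and on krbtgt. The script below is an added example written for this page, not Purple Knight’s own check; it assumes the ActiveDirectory RSAT module and treats Domain Admins, Enterprise Admins, BUILTIN\Administrators and SYSTEM as the only expected holders of those rights. The schema and property-set GUIDs are the published ones.

```powershell
# Added example (not Purple Knight code): principals that can write a given attribute on a given object.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
$R          = [System.DirectoryServices.ActiveDirectoryRights]

# Schema GUIDs are fixed across all forests
$AttrUserAccountControl   = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'   # userAccountControl
$SetAccountRestrictions   = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # "Account Restrictions" property set, includes userAccountControl
$AttrAllowedToActOnBehalf = [guid]'3f78c3e5-f79a-46bd-a0b8-9d18116ddc79'   # msDS-AllowedToActOnBehalfOfOtherIdentity
$ClassComputer            = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class

# Principals allowed to hold these rights (assumption: the groups the indicators name, plus SYSTEM)
$ExpectedSids = @(
  "$($domain.DomainSID)-512"        # Domain Admins
  "$($rootDomain.DomainSID)-519"    # Enterprise Admins (forest root)
  'S-1-5-32-544'                    # BUILTIN\Administrators
  'S-1-5-18'                        # NT AUTHORITY\SYSTEM
)

function Get-UnexpectedAttributeWriters {
  param(
    [Parameter(Mandatory)][string]$ObjectDN,
    [Parameter(Mandatory)][guid]$AttributeGuid,
    [guid[]]$AlsoCoveredBy = @(),             # property sets that contain the attribute
    [guid]$AppliesToClass = [guid]::Empty,    # keep only ACEs that can apply to this object class
    [switch]$InheritableOnly                  # on an NC head: ignore ACEs that stop at the head itself
  )
  $acl      = Get-Acl -Path "AD:\$ObjectDN"
  $covering = @([guid]::Empty, $AttributeGuid) + $AlsoCoveredBy   # empty ObjectType = "all properties"
  foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($InheritableOnly -and $ace.InheritanceType -eq 'None') { continue }
    if ($AppliesToClass -ne [guid]::Empty -and $ace.InheritedObjectType -ne [guid]::Empty -and
        $ace.InheritedObjectType -ne $AppliesToClass) { continue }

    $rights = [int]$ace.ActiveDirectoryRights
    # GenericAll and GenericWrite both contain the WriteProperty bit, so this one test covers all three
    $writesAttr  = (($rights -band [int]$R::WriteProperty) -ne 0) -and ($covering -contains $ace.ObjectType)
    # WriteDacl / WriteOwner do not touch the attribute directly but let the holder grant themselves the right
    $canTakeOver = ($rights -band ([int]$R::WriteDacl -bor [int]$R::WriteOwner)) -ne 0
    if (-not ($writesAttr -or $canTakeOver)) { continue }

    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $ace.IdentityReference.Value }
    if ($ExpectedSids -contains $sid) { continue }

    [pscustomobject]@{
      Object    = $ObjectDN
      Identity  = $ace.IdentityReference.Value
      Rights    = $ace.ActiveDirectoryRights
      Via       = if ($canTakeOver) { 'WriteDacl/WriteOwner' } elseif ($ace.ObjectType -eq [guid]::Empty) { 'all properties' } else { 'attribute or property set' }
      Inherited = $ace.IsInherited
    }
  }
}

$findings = @()

# 1. Server Trust Account: inheritable ACEs at the domain NC head that let someone write
#    userAccountControl on computer objects (SERVER_TRUST_ACCOUNT = 0x2000 lives in that attribute)
$findings += Get-UnexpectedAttributeWriters -ObjectDN $domain.DistinguishedName -AttributeGuid $AttrUserAccountControl `
               -AlsoCoveredBy $SetAccountRestrictions -AppliesToClass $ClassComputer -InheritableOnly

# 2. RBCD on every domain controller's computer object (writable and read-only DCs alike)
foreach ($dcDN in (Get-ADDomainController -Filter *).ComputerObjectDN) {
  $findings += Get-UnexpectedAttributeWriters -ObjectDN $dcDN -AttributeGuid $AttrAllowedToActOnBehalf
}

# 3. RBCD on the krbtgt account
$findings += Get-UnexpectedAttributeWriters -ObjectDN (Get-ADUser -Identity krbtgt).DistinguishedName -AttributeGuid $AttrAllowedToActOnBehalf

$findings | Format-Table -AutoSize
```

Two caveats. The NC-head pass only sees ACEs set at the head; a write-userAccountControl grant placed on an OU that holds computer objects is just as dangerous and needs the same function run against that OU. And the DC and krbtgt passes evaluate the effective ACL, inherited entries included, so a finding there may have to be traced back up the tree to where it was actually granted.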
Zerologon vulnerability
Checks whether domain controllers are vulnerable to CVE-2020-1472 (Zerologon), a flaw in the Netlogon protocol that Microsoft patched in August 2020. Without the patch, an unauthenticated attacker with network access to a domain controller can exploit it to obtain administrative access to the domain. Critical
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE

Security indicators regularly updated by our threat research team

Purple Knight scans your Active Directory environment for 150+ security indicators of exposure or compromise—including risky configurations and unpatched vulnerabilities—that could lead to an attack.

Who’s behind the research?

Led by CTO and Microsoft MVP Guy Teverovsky, our expert research team continuously studies how cybercriminals are plotting to exploit AD, and develops indicators to uncover your AD weaknesses before attackers do.

100+ years

combined Microsoft experience

What do Purple Knight users say?


Purple Knight is a powerful tool with a nicely packaged set of scripts that does a fantastic job of showing you some of the hidden aspects of your AD that are just waiting to be discovered by the wrong person. Patrick Emerick Senior Systems Engineer | Bethel School District
I recommend Purple Knight for its ease of use—it’s GUI-based, it gives you a quick report card, and gives you a good, easy checklist of things to start working on. Jim Shakespear Director of IT Security | Southern Utah University
Purple Knight is the first utility I’ve used that digs this deep into Active Directory. It works so well, I didn’t need to find anything else. Micah Clark IT Manager | Central Utah Emergency Communications
The Purple Knight report helped us take action on items right away, such as shutting down or disabling Active Directory accounts that shouldn’t have been enabled. And then it helped us develop a long-term maintenance plan. CISO Canadian manufacturing company