| ID | Title and description | Threat definitions release |
|---|---|---|
| | Updated! CTD-000008: Azure AD app with client secrets. An issue has been resolved where the threat definition failed with an error if the client secret had an empty description. | 2023.05-1 |
| 12759 | New! CTD-000060: AD computer with a suspicious change of sAMAccountName. This threat definition detects suspicious changes to a computer's sAMAccountName. The Common Vulnerabilities and Exposures (CVEs) CVE-2021-42278 and CVE-2021-42287 are security flaws that can be exploited by a threat actor who has obtained low-privileged domain user credentials. These vulnerabilities enable the attacker to obtain a Kerberos Service Ticket for a Domain Controller computer account, which provides elevated privileges within the domain. | 2023.05 |
| 12728 | New! CTD-000058: Privileged AD user account with associated SPNs. This threat definition detects privileged AD accounts with Service Principal Names (SPNs). Kerberoasting attacks involve scanning an Active Directory environment to build a list of user accounts that have Kerberos Service Principal Names. Attackers then request Kerberos Service Tickets for these SPNs. The tickets are dumped from memory using tools such as Mimikatz and exfiltrated for offline brute forcing of the encrypted segment of the tickets. If successful, attackers recover the passwords of those accounts, which they then use to remotely sign in to machines or access resources. | 2023.05 |
| 11467 | New! CTD-000057: AD forest with the Azure SSO computer account not changing its password. This threat definition checks whether the Azure SSO computer account is not changing its password regularly. A special computer account, AZUREADSSOACC, is used to provide Azure AD Seamless SSO functionality. If a threat actor compromises the password of AZUREADSSOACC, the threat actor could generate a Ticket Granting Service (TGS) request to the AZUREADSSOACC account as any user. With the ticket received, the threat actor can impersonate a user in Azure AD. The password of the AZUREADSSOACC account never changes, so a stolen hash/key works forever unless the password is changed. This security flaw could be misused by highly privileged employees to retain access to the environment after leaving the company. | 2023.05 |
| 10706 | New! CTD-000005: AD security principal with replication permissions. This threat definition detects accounts with replication permissions. Threat actors might use such accounts in a DCSync attack. By leveraging DCSync, threat actors can escalate privileges, perform unauthorized actions, or move laterally within the network, posing a significant risk to the security of the Active Directory infrastructure. | 2023.05 |
| 13108 | Updated! CTD-000053: AD domain accounts with password not required. This threat definition was updated to raise alerts only for enabled AD user accounts. | 2023.05 |
| 13397 | Updated! CTD-000048: AD computer with traces of DCShadow attack. An issue has been resolved where Cayosoft Guardian raised an unexpected alert for AD computers with instances of AD LDS. | 2023.05 |
| 13092 | New! CTD-000056: AD domain allows unprivileged users to add computer accounts. This threat definition detects Active Directory domains where unprivileged users have the ability to add computer accounts. This can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure by creating their own computer accounts with elevated privileges. | 2023.04 |
| 12763 | New! CTD-000055: AD domain account with password stored using reversible encryption. This threat definition detects AD domain accounts whose passwords are stored using reversible encryption. Reversible encryption is an insecure method that can be easily decrypted, allowing threat actors to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
| 12730 | New! CTD-000054: AD user account with DES encryption type enabled. This threat definition detects AD user accounts with the DES encryption type enabled, an insecure encryption type that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
| 12751 | New! CTD-000053: AD domain accounts with password not required. This threat definition detects AD domain accounts where a password is not required, which can allow threat actors to gain unauthorized access to your Active Directory infrastructure without needing a password. | 2023.04 |
| | New! CTD-000052: AD domain account with Kerberos pre-authentication disabled. This threat definition detects AD domain accounts with Kerberos pre-authentication disabled. Kerberos pre-authentication is an important security feature that protects against password guessing attacks, and disabling it increases the risk of unauthorized access to your Active Directory infrastructure. | 2023.04 |
| | New! CTD-000051: AD Krbtgt account password was not reset recently. This threat definition detects Active Directory domains where the Krbtgt account password has not been reset recently. The Krbtgt account is used for Kerberos authentication, and a compromised password can allow threat actors to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
| | New! CTD-000050: Security principals with dangerous replication permissions. This threat definition detects security principals with dangerous replication permissions, such as the ability to replicate passwords or to create or modify users, groups, or computers. These permissions can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
| | New! CTD-000049: AD domain account with unconstrained delegation. This threat definition detects AD domain accounts with unconstrained delegation enabled. Unconstrained delegation allows a user to impersonate any other user without restriction, making it a high-risk setting that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
| | New! CTD-000048: AD computer with traces of DCShadow attack. This threat definition detects AD computers with traces of a DCShadow attack, a technique used by threat actors to create a fake domain controller and take control of your Active Directory infrastructure. | 2023.04 |
| | New! CTD-000047: AD domain controller with SMB1 enabled. This threat definition detects AD domain controllers with SMB1 enabled. SMB1 is an outdated and insecure protocol that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
| 12715 | New! CTD-000046: AD computer using dNSHostName that belongs to another computer account. This threat definition detects AD computers using a dNSHostName that belongs to another computer account. If the dNSHostName attribute is set to the value of another computer account, threat actors could potentially use this to impersonate that computer and gain unauthorized access to resources. | 2023.04 |
| 10749 | New! CTD-000045: Azure AD user account not registered with MFA. This threat definition detects regular Azure AD user accounts that have not registered for MFA. These accounts are at risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant. | 2023.03 |
| 10733 | New! CTD-000044: Privileged Azure AD account not registered for MFA. This threat definition detects privileged Azure AD accounts that have not registered for Multi-Factor Authentication (MFA). These accounts have elevated permissions and are at high risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant. | 2023.03 |
| 11769 | New! CTD-000043: Service Principal promoted an account to privileged role members. This threat definition detects suspicious promotions to privileged roles made by Service Principals. A threat actor might use an Azure AD application to promote user accounts to privileged role members without detection. | 2023.03 |
| 12715 | New! CTD-000046: AD computer using dNSHostName that belongs to another computer account. This threat definition detects AD computers using a dNSHostName that belongs to another computer account. If the dNSHostName attribute is set to the value of another computer account, threat actors could potentially use this to impersonate that computer and gain unauthorized access to resources. | 2023.03 |
| 11452 | New! CTD-000040: Azure AD guest account with an unredeemed invitation. This threat definition detects unredeemed guest invitations. Threat actors might use such invitations to get access to your tenant. | 2023.01.0.7 |
| 11463 | New! CTD-000041: Azure AD tenant with unsecured token persistence. This threat definition detects whether token persistence is not disabled for users with admin roles. If a device used by an administrator is left unattended or compromised, a threat actor might be able to extract the PRT and use it to access your tenant, bypassing MFA. | 2023.01.0.7 |
| 11730 | Updated! CTD-000010: Azure AD app with risky write permissions. Now, this threat definition also checks additional permissions, including: | 2023.01.0.7 |
| 11731 | New! CTD-000042: AAD: Azure AD tenant with Certificate-Based Authentication enabled. This threat definition detects whether Certificate-Based Authentication is enabled and a root Certificate Authority is configured in the tenant. Threat actors might use certificate-based authentication to access the tenant while bypassing MFA. | 2023.01.0.7 |
| 11616 | Updated! CTD-000035: Privileged Azure AD account synced from on-premise. Now, this threat definition also finds synced users with an eligible role membership in Azure AD roles. | 2022.12.0.1 |
| 10724 | New! CTD-000037: Objects with privileged SIDs in SID History. This threat definition finds AD objects with privileged SIDs in their SID History. Threat actors may use the SID History Injection technique to escalate privileges and bypass access controls. | 2022.12.0.1 |
| 10759 | New! CTD-000012: Modified federation settings in Azure AD domain. This threat definition detects changes in the federation settings of Azure AD domains. Threat actors might use federated domains to access your tenant. This technique was used in the infamous Solorigate attack. | 2022.12.0.1 |
| 11171 | New! CTD-000008: Azure AD app with client secrets. This threat definition finds applications with client secrets. Threat actors might perform actions on behalf of an application using compromised client secrets. | 2022.12.0.1 |
| 11226 | Updated! CTD-000018: Azure AD tenant with auditing disabled. Now, this threat definition detects changes in the audit logging configuration of your Azure AD tenants in real time, in addition to the scheduled check. | 2022.12.0.1 |
| 11462 | New! CTD-000034: Privileged AD user synced to Azure AD. This threat definition finds privileged AD users synced to Azure AD. Threat actors might compromise a regular user account in the tenant to get access to its privileged counterpart in Active Directory. | 2022.12.0.1 |
| 11481 | New! CTD-000038: Azure AD tenant with unsecured access to Azure management. This threat definition detects whether Microsoft Azure Management is not protected with multi-factor authentication. Without MFA enforced, threat actors might compromise an account and immediately get access to privileged resources. | 2022.12.0.1 |
| 11507 | New! CTD-000039: Azure AD Application Registration with dangling URI. This threat definition finds Azure AD Application Registrations with redirect URIs that have no corresponding Azure resource. Threat actors might use such dangling URIs to redirect traffic intended for an application to a site performing malicious activity. | 2022.12.0.1 |
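A defender-side check for the account-level conditions several of the 2023.04 definitions describe (unconstrained delegation, pre-authentication disabled, password not required, DES encryption type, reversible encryption), written here as an added example and not as Cayosoft Guardian code. It assumes each condition corresponds to the single userAccountControl bit named in the code (the page does not say which attributes the product reads) and runs over a constructed sample of sAMAccountName/userAccountControl pairs, applying the "enabled accounts only" rule that the CTD-000053 update introduced.

```python
# Added example (not Cayosoft code): flag userAccountControl (UAC) bits behind
# the account-level conditions the definitions above describe.
# UAC flag values as documented by Microsoft for the userAccountControl attribute.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
NORMAL_ACCOUNT = 0x0200
TRUSTED_FOR_DELEGATION = 0x80000
USE_DES_KEY_ONLY = 0x200000
DONT_REQ_PREAUTH = 0x400000

# (definition id, UAC flag, enabled accounts only?). Assumption: each definition
# maps to the single UAC bit named here; the page does not say what it reads.
CHECKS = [
    ("CTD-000049", TRUSTED_FOR_DELEGATION, False),      # unconstrained delegation
    ("CTD-000052", DONT_REQ_PREAUTH, False),            # pre-authentication disabled
    ("CTD-000053", PASSWD_NOTREQD, True),               # password not required
    ("CTD-000054", USE_DES_KEY_ONLY, False),            # DES encryption type
    ("CTD-000055", ENCRYPTED_TEXT_PWD_ALLOWED, False),  # reversible encryption
]

def audit_account(uac):
    """Return the ids of the definitions that fire for one UAC value."""
    disabled = bool(uac & ACCOUNTDISABLE)
    findings = []
    for ctd_id, flag, enabled_only in CHECKS:
        if enabled_only and disabled:
            continue  # CTD-000053 was updated to alert on enabled accounts only
        if uac & flag:
            findings.append(ctd_id)
    return findings

def audit(accounts):
    """Map sAMAccountName -> firing definition ids, omitting clean accounts."""
    return {sam: hits for sam, uac in accounts.items() if (hits := audit_account(uac))}

# Constructed sample directory export: sAMAccountName -> userAccountControl
SAMPLE_ACCOUNTS = {
    "jdoe": NORMAL_ACCOUNT,
    "svc-legacy": NORMAL_ACCOUNT | USE_DES_KEY_ONLY | DONT_REQ_PREAUTH,
    "old-contractor": NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE,
    "app-gateway": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION | ENCRYPTED_TEXT_PWD_ALLOWED,
}

if __name__ == "__main__":
    for sam, hits in audit(SAMPLE_ACCOUNTS).items():
        print(f"{sam}: {', '.join(hits)}")
```

In a real environment the UAC values would come from an LDAP export of the userAccountControl attribute; the disabled "old-contractor" account is deliberately silent to show the CTD-000053 enabled-only behaviour.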