Threat definition updates

11456

New! CTD-000095: Privileged Azure AD user accounts susceptible to MFA fatigue attacks

This threat definition finds privileged accounts in Azure AD with voice-based authentication methods. According to Microsoft, with adoption of strong authentication, multi-factor authentication (MFA) fatigue attacks (aka, MFA spamming) are on the rise. These attacks rely on the user’s ability to approve a simple voice notification that doesn’t require the user to have the context of the session they are authenticating. Anytime users are doing “press hash key” or “enter your PIN to approve” instead of entering a code they see on-screen, they are doing “simple approvals”. Microsoft's studies show that about 1% of users will accept a “simple approval” request without actually authenticating into a particular session, others might do so on subsequent calls, thus allowing threat actors to get authenticated. To mitigate the risk, Microsoft recommends using strong authentication methods instead.

References:

1. Defend your users from MFA fatigue attacks - Microsoft Community Hub
2. It's Time to Hang Up on Phone Transports for Authentication - Microsoft Community Hub

11546

New! CTD-000094: AD domain with unsecure configuration of Cloud Kerberos Trust

This threat definition checks, if there is an AD domain with Cloud Kerberos Trust configured and if there are some privileged accounts that are not denied from using this trust. Cloud Kerberos Trust enables passwordless authentication from Azure AD to AD forest for all accounts except those specifically denied. We generate a list of privileged accounts that have not been denied from using Cloud Kerberos Trust and thus can be used for lateral movement from Azure AD to on-premises AD by potential attackers.  

References: 

1. https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/

14440

New! CTD-000093: Short-lived privileged AD user

This threat definition finds accounts in the Active Directory domain that are no longer members of the privileged groups but were members during a short period of time. An AD user account that was added to a privileged group and then removed might be an indication of threat activities. Accounts that were once in a privileged group might have gotten or retained some permissions tied to privileged access and thus these accounts should not be re-used by regular users. 

References:

1. https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts

11494 

New! CTD-000096: Azure AD tenant with device settings allowing brute force attacks

This threat definition checks if the tenant's policies allow an unlimited number of sign-in attempts on devices. If a device allows a threat actor to guess a password by making an unlimited number of attempts, because of so many attempts a threat actor might gain access to the device and compromise credentials, data, or install malicious software.

14036

Updated! CTD-000060: AD computer with suspicious change of sAMAccountName

The detection algorithm of this threat definition has been updated.

11546

New! CTD-000092: Stale Azure AD Service Principal

This threat definition finds stale Service Principals (Enterprise Applications) in Azure AD. A compromised Enterprise Application could be used by a threat actor to access data in your tenant. If there is an application without sign-ins, it might be an indication that this Service Principal is no longer used. It is recommended to disable the Service Principal to reduce the attack surface.

12744

New! CTD-000091: AD-integrated DNS zone allowing unsecure updates

This threat definition finds AD-integrated DNS zones allowing unsecure updates. Unsecure dynamic updates allow a threat actor to update a DNS record without authentication. Threat actors can replace an existing DNS record and redirect people to another server. If enabling dynamic updates is required for your company, it is highly recommended to use the Secure Only dynamic updates option. Learn more. 

14187

New! CTD-000090: AD user with suspicious password refresh

This threat definition finds users with suspicious changes to their password. If the option User Must Change Password at Next Logon is turned “on” and then turned “off” again later, it could mean a potential problem with a threat actor trying to break the organization's password policies. 

14029

New! CTD-000088: AD domain controller using unsecure encryption type

This threat definition checks if domain controllers are configured to use weak encryption types. While RC4 (Rivest Cipher 4) is remarkable for its simplicity and speed, multiple vulnerabilities have been discovered since its original release, rendering it insecure. RC4 is especially vulnerable when the beginning of the output key stream isn't discarded, or when non-random or related keys are used. A threat actor employing MITM (Man-in-the-Middle) tactics could execute successful deciphering operations in an environment with weak encryption. 

14516

New! CTD-000089: AD domain with unsecure RBCD delegation on domain controllers

This threat definition checks permissions on domain controllers. A threat actor could exploit this vulnerability by identifying non-privileged users outside of the Domain Admins, Enterprise Admins, or Built-in Admins groups who possess write access to Resource-Based Constrained Delegation (RBCD) settings on domain controllers. With write access, attackers can enable a resource to impersonate any user, except those explicitly restricted by delegation settings. This threat definition follows the recommendations from the Active Directory Security Assessment Checklist by ANSSI. 

14027

New! CTD-000087: AD domain with unsecure RBCD delegation on krbtgt account

This threat definition checks permissions on KRBTGT account. A threat actor with permission to modify the KRBTGT account can compromise it. Using the KRBTGT account, they can create a Kerberos ticket-granting ticket (TGT) that provides authorization to any resource and sets the ticket expiration to any arbitrary time. This fake TGT is called a "Golden Ticket" and allows attackers to achieve network persistence. This threat definition follows the recommendations from the Active Directory Security Assessment Checklist by ANSSI

14561

Update! CTD-000051

A typo was corrected in the description of the threat definition.

14035

Update! CTD-000060

An issue was resolved when this threat definition did not raise real-time alerts for undelete operations.

10729

New! CTD-000086: Forest with recent schema changes

This threat definition detects recent changes in the schema of your Active Directory forest. The schema is the underlying definition of all objects and attributes that make up the forest. A threat actor with permission to modify schema might compromise overall security posture. Schema changes could not be reversed without a forest recovery process that can be automated with Cayosoft Guardian Forest Recovery. 

14332

Updated! CTD-000069: The performance of the threat definition was significantly improved.

14037

Updated! CTD-000046: AD computer using dNSHostName that belongs to another computer account

An issue was resolved when a real-time alert was not raised for undeletes. 

13999

New! CTD-000083: Azure AD tenant with recent changes in the configuration of cross-tenant synchronization

This threat definition checks if there are recent changes in the configuration of cross-tenant synchronization. For more detail about how cross-tenant synchronization can be abused see this article. 

13679

New! CTD-000084: AD domain where domain controllers allow authentication with keys vulnerable to ROCA

This threat definition checks if there are domain controllers that are not protected from ROCA vulnerability. Learn more about ROCA vulnerability and remediation steps. 

14215

New! CTD-000085 Medium: AD: Regular AD user with permission to link GPOs

<>This threat definition follows the recommendations from the Active Directory Security Assessment Checklist by ANSSI (tag:vuln1_permissions_gpo_priv) and it detects regular users with suspicious permissions allowing them to link GPOs to privileged accounts with the possibility to elevate their permissions. 

New! CTD-000082: AD forest with too many privileged accounts

This threat definition counts privileged accounts in AD and raises an alert if the number exceeds the threashold.

New! CTD-000081: Stale privileged Azure AD user account 

This threat definition finds privileged accounts in Azure AD that are not used.

New! CTD-000080: Regular AD user account with permissions to modify DNS server objects

This threat definition detects regular AD users with dangerous permissions over DNS objects. 

New! CTD-000075: AD forest with Recycle Bin not enabled

This threat definition checks if Recycle Bin is enabled in your Active Directory Forest.

New! CTD-000076: AD CS server vulnerable to NTLM relay attacks 

This threat definition detects AD CS server vulnerable to NTLM relay attacks.

New! CTD-000079: Privileged AD user not protected from using unsecure authentication methods

This threat definition detects privileged users who are not members of the Protected Users group.

This threat definition checks if there is a group policy restricting NTLM authentication methods.

New! CTD-000078: Stale Azure AD guest account

This threat definition detects stale guest user accounts in your tenant.

New! CTD-000079: Regular AD user account with permissions to modify DNS server objects

This threat definition detects regular users who are members of the DNS Admins group or have permissions over this group.

13711,

13712,

13713,

13714,

13715,

13885

Updated! CTD-000067, CTD-000066, CTD-000065, CTD-000064, CTD-000063

Additional configuration parameters were added. 

13710

This threat definition detects bulk changes of devices in Azure AD tenants.

13677

New! CTD-000070: Privileged group members with weak password policy

This threat definition detects if privileged domain accounts are not protected by a stronger password policy.

12776

This threat definition detects computers allowing vulnerable Netlogon secure channel connections.

12709

Updated! CTD-000013, CTD-000023

Additional configuration parameters were added. 

11742

New! CTD-000073: AD forest with password hash synchronization not enabled

This threat definition detects if password hash synchronization is not enabled.

10728

New! CTD-000072: AD user account with old password

This threat definition detects a user account whose password is not changed periodically.

13410, 13483, 13470

Updated! All treat definitions: MITRE and ANSSI classification

Additional references to threat classification frameworks such as ANSSI and MITRE were added for all threat definitions.

13449

New! CTD-000004: AD object with non-default primary group

Additional configuration parameters were added to the threat definition.

13226

New! CTD-0000065, CTD-0000066, CTD-0000067, CTD-0000063, CTD-0000064

These threat definitions detect when a specific number of the changes of objects is detected in the managed system over a short period of time.

12908

This threat definition detects if the Print spooler service is stopped and disabled on a domain controller. Print spooler is a software service that manages printing processes. The spooler accepts print jobs from computers and makes sure that printer resources are available. The spooler also schedules the order in which print jobs are sent to the print queue for printing. While seemingly harmless, any authenticated user can remotely connect to a print spooler service on domain controllers, and request an update on new print jobs. Also, users can tell the domain controller to send the notification to the system with unconstrained delegation. These actions test the connection and expose the domain controller computer account credential (SYSTEM owns the Print spooler).

New! CTD-000068: Azure AD user retrieving Bitlocker keys 

This threat definition detects when an Azure AD user retrieved a BitLocker key. A threat actor having access to the physical machine might use these recovery keys to decrypt drives and get access to data. 

12549

New! CTD-000061: Stale Azure AD device

This threat definition identifies Azure AD devices that are no longer used. Devices can become stale when a user gets a new device or loses a device, or when an Azure AD joined device is wiped or reprovisioned. Devices might also remain registered or joined when the user is no longer associated with the tenant. Stale devices should be removed so the primary refresh tokens (PRTs) cannot be used by a threat actor.

13245

Updated! CTD-000048: AD computer with traces of DCShadow attack

The evidence content and text were updated.

Updated! CTD-000008: Azure AD app with client secrets

The issue has been resolved when the threat definition failed with an error if the client secret had an empty description.  

12759

New! CTD-000060:AD computer with a suspicious change of sAMAccountName

This threat definition detects suspicious changes in the computer´s sAMAccountName. The Common Vulnerabilities and Exposures (CVEs) CVE-2021-42278 and CVE-2021-42287 are security flaws that can be exploited by a threat actor who has obtained access to low-privileged domain user credentials. These vulnerabilities enable the attacker to obtain a Kerberos Service Ticket for a Domain Controller computer account, which provides elevated privileges within a domain.

12728

New! CTD-000058: Privileged AD user account with associated SPNs

This threat definition detects privileged AD accounts with Service Principal Names (SPN).

Kerberoasting attacks involve scanning an Active Directory environment to generate a list of user accounts that have Kerberos Service Principal Name. Attackers then request these SPN to grant Kerberos Service Tickets to these accounts. The tickets are dumped from memory using various tools like Mimikatz and then exfiltrated for offline brute forcing on the encrypted segment of the tickets. If successful, attackers can identify the passwords associated with the accounts, which they then use to remotely sign into machines or access resources.
To reduce the impact of possible kerberoasting attacks make sure that service accounts do not have administrative privileges.

11467

New! CTD-000057: AD forest with the Azure SSO computer account not changing its password

This threat definition checks if the Azure SSO computer account not changing its password regularly. A special computer account AZUREADSSOACC is used to provide Azure AD Seamless SSO functionality. If a threat actor can compromise password of AZUREADSSOACC, then the threat actor could generate a Ticket Granting Service (TGS) request to the AZUREADSSOACC account as any user. With the ticket received threat actor can impersonate a user in Azure AD. The password of the AZUREADSSOACC account never changes, so the stolen hash/key will work forever unless password is changed. This security flaw could be misused by highly privileged employees to retain access to the environment after leaving the company.

10706

New! CTD-000005:AD security principal with replication permissions

This threat definition detects accounts with replication permissions. Threat actors might use such accounts in the DCSync attack. By leveraging DCSync, threat actors can escalate privileges, perform unauthorized actions, or move laterally within the network, posing a significant risk to the security of the Active Directory infrastructure.

13108

Updated! CTD-000053: AD domain accounts with password not required

This threat definition was updated to raise alerts only for enabled AD user accounts.

13397

Updated! CTD-000048: AD computer with traces of DCShadow attack

An issue has been resolved when Cayosoft Guardian raised an unexpected alert for AD computers with instances of AD LDS.

13092 

New! CTD-000056: AD domain allows unprivileged users to add computer accounts

This threat definition detects Active Directory domains where unprivileged users have the ability to add computer accounts. This can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure by creating their own computer accounts with elevated privileges.

12763

New! CTD-000055: AD domain account with password stored using reversible encryption

This threat definition detects AD domain accounts where passwords are stored using reversible encryption. Reversible encryption is an unsecure method that can be easily decrypted, allowing threat actors to gain unauthorized access to your Active Directory infrastructure.

12730

New! CTD-000054: AD user account with DES encryption type enabled

This threat definition detects AD user accounts with DES encryption type enabled, which is an insecure encryption type that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure.

12751

New! CTD-000053: AD domain accounts with password not required

This threat definition detects AD domain accounts where a password is not required, which can allow threat actors to gain unauthorized access to your Active Directory infrastructure without the need for a password.

New! CTD-000052: AD domain account with Kerberos pre-authentication disabled

This threat definition detects AD domain accounts with Kerberos pre-authentication disabled. Kerberos pre-authentication is an important security feature that protects against password guessing attacks, and disabling it can increase the risk of unauthorized access to your Active Directory infrastructure.

New! CTD-000051: AD Krbtgt account password was not reset recently

This threat definition detects Active Directory domains where the Krbtgt account password has not been reset recently. The Krbtgt account is used for Kerberos authentication and a compromised password can allow threat actors to gain unauthorized access to your Active Directory infrastructure.

New! CTD-000050: Security principals with dangerous replication permissions

This threat definition detects security principals with dangerous replication permissions, such as the ability to replicate passwords or to create or modify users, groups, or computers. These permissions can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure.

New! CTD-000049: AD domain account with unconstrained delegation

This threat definition detects AD domain accounts with unconstrained delegation enabled. Unconstrained delegation allows a user to impersonate any other user without restriction, making it a high-risk setting that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure.

New! CTD-000048: AD computer with traces of DCShadow attack

This threat definition detects AD computers with traces of DCShadow attack, which is a technique used by threat actors to create a fake domain controller and take control of your Active Directory infrastructure.

New! CTD-000047: AD domain controller with SMB1 enabled

This threat definition detects AD domain controllers with SMB1 enabled. SMB1 is an outdated and insecure protocol that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure.

12715

New! CTD-000046: AD computer using dNSHostName that belongs to another computer account

This threat definition detects AD computers using dNSHostName that belongs to another computer account. If the dNSHostName attribute is set to the value of another computer account, threat actors could potentially use this to impersonate that computer and gain unauthorized access to resources.

10749

New! CTD-000045: Azure AD user account not registered with MFA

This threat definition detects regular Azure AD user accounts that have not registered for MFA. These accounts are at risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant.

10733

New! CTD-000044: Privileged Azure AD account not registered for MFA

This threat definition detects privileged Azure AD accounts that have not registered for Multi-Factor Authentication (MFA). These accounts have elevated permissions and are at high risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant.

11769

New! CTD-000043: Service Principal promoted an account to privileged role members 

This threat definition detects suspicious promotions to privileged roles made by Service Principals. A threat actor might use an Azure AD application to promote user accounts to privileged role members without detection. 

12715

This threat definition detects AD computers using dNSHostName that belongs to another computer account. If the dNSHostName attribute is set to the value of another computer account, threat actors could potentially use this to impersonate that computer and gain unauthorized access to resources.

11452

New! CTD-000040: Azure AD guest account with an unredeemed invitation

This threat definition detects unredeemed guest invitations. Threat actors might use such invitations to get access to your tenant.

11463

This threat definition detects if token persistence is not disabled for users with admin roles. If a device used by the administrator is left unattended or compromised, a threat actor might be able to extract PRT and use it to access your tenant, bypassing MFA. 

11730

Updated! CTD-000010: Azure AD app with risky write permissions

Now, this threat definition also checks additional permissions, including:

1. Policy.*Write*
2. Organization.*Write*
3. AppRoleAssignment.*Write*
4. RoleManagement.*Write*
5. ServicePrincipalEndpoint.*Write*
6. Application.*Write*
   
7. *update_device_attributes*

11731

New! CTD-000042: AAD: Azure AD tenant with Certificate-Based Authentication enabled

This threat definition detects if Certificate-Based Authentication is enabled and a root Certificate Authority is configured in the tenant. Threat actors might use certificate-based authentication to access the tenant by bypassing MFA.

11616

Updated! CTD-000035: Privileged Azure AD account synced from on-premise

Now, this threat definition also finds synced users with an eligible role membership in Azure AD roles.  

10724

New! CTD-000037: Objects with privileged SIDs in SID History

This threat definition finds AD Objects with privileged SIDs in their SID History. Threat actors may use the SID History Injection technique to escalate privileges and bypass access controls.

New! CTD-000012: Modified federation settings in Azure AD domain

This threat definition detects changes in the federation settings of Azure AD domains. Threat actors might use federated domains to access your tenant. This technique was used in the infamous Solorigate attack.

New! CTD-000008: Azure AD app with client secrets

This threat definition finds applications with client secrets. Threat actors might perform actions on behalf of an application using compromised client secrets.

Updated! CTD-000018: Azure AD tenant with auditing disabled

Now, this threat definition detects changes in the audit logging configuration of your Azure AD tenants in real time, in addition to the scheduled check.  

New! CTD-000034: Privileged AD user synced to Azure AD

This threat definition finds privileged AD users synced to Azure AD. Threat actors might compromise a regular user account in the tenant to get access to its privileged counterpart in the Active Directory.

New! CTD-000038 Azure AD tenant with unsecured access to Azure management

This threat definition detects if Microsoft Azure Management is not protected with Multi-factor authentication. Without MFA enforced, threat actors might compromise an account and immediately get access to the privileged resources. 

New! CTD-000039 Azure AD Application Registration with dangling URI

This threat definition finds Azure AD Application Registrations with redirect URIs without corresponding Azure resources. Threat actors might use such dangling URIs to redirect traffic intended for an application to a site performing malicious activity.