Threat definition updates

Updated! CTD-000008: Azure AD app with client secrets

The issue has been resolved when the threat definition failed with an error if the client secret had an empty description.  

12759

New! CTD-000060:AD computer with a suspicious change of sAMAccountName

This threat definition detects suspicious changes in the computer´s sAMAccountName. The Common Vulnerabilities and Exposures (CVEs) CVE-2021-42278 and CVE-2021-42287 are security flaws that can be exploited by a threat actor who has obtained access to low-privileged domain user credentials. These vulnerabilities enable the attacker to obtain a Kerberos Service Ticket for a Domain Controller computer account, which provides elevated privileges within a domain.

12728

New! CTD-000058: Privileged AD user account with associated SPNs

This threat definition detects privileged AD accounts with Service Principal Names (SPN).

Kerberoasting attacks involve scanning an Active Directory environment to generate a list of user accounts that have Kerberos Service Principal Name. Attackers then request these SPN to grant Kerberos Service Tickets to these accounts. The tickets are dumped from memory using various tools like Mimikatz and then exfiltrated for offline brute forcing on the encrypted segment of the tickets. If successful, attackers can identify the passwords associated with the accounts, which they then use to remotely sign into machines or access resources.
To reduce the impact of possible kerberoasting attacks make sure that service accounts do not have administrative privileges.

11467

New! CTD-000057: AD forest with the Azure SSO computer account not changing its password

This threat definition checks if the Azure SSO computer account not changing its password regularly. A special computer account AZUREADSSOACC is used to provide Azure AD Seamless SSO functionality. If a threat actor can compromise password of AZUREADSSOACC, then the threat actor could generate a Ticket Granting Service (TGS) request to the AZUREADSSOACC account as any user. With the ticket received threat actor can impersonate a user in Azure AD. The password of the AZUREADSSOACC account never changes, so the stolen hash/key will work forever unless password is changed. This security flaw could be misused by highly privileged employees to retain access to the environment after leaving the company.

10706

New! CTD-000005:AD security principal with replication permissions

This threat definition detects accounts with replication permissions. Threat actors might use such accounts in the DCSync attack. By leveraging DCSync, threat actors can escalate privileges, perform unauthorized actions, or move laterally within the network, posing a significant risk to the security of the Active Directory infrastructure.

13108

Updated! CTD-000053: AD domain accounts with password not required

This threat definition was updated to raise alerts only for enabled AD user accounts.

13397

Updated! CTD-000048: AD computer with traces of DCShadow attack

An issue has been resolved when Cayosoft Guardian raised an unexpected alert for AD computers with instances of AD LDS.

13092 

New! CTD-000056: AD domain allows unprivileged users to add computer accounts

This threat definition detects Active Directory domains where unprivileged users have the ability to add computer accounts. This can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure by creating their own computer accounts with elevated privileges.

12763

New! CTD-000055: AD domain account with password stored using reversible encryption

This threat definition detects AD domain accounts where passwords are stored using reversible encryption. Reversible encryption is an unsecure method that can be easily decrypted, allowing threat actors to gain unauthorized access to your Active Directory infrastructure.

12730

New! CTD-000054: AD user account with DES encryption type enabled

This threat definition detects AD user accounts with DES encryption type enabled, which is an insecure encryption type that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure.

12751

New! CTD-000053: AD domain accounts with password not required

This threat definition detects AD domain accounts where a password is not required, which can allow threat actors to gain unauthorized access to your Active Directory infrastructure without the need for a password.

New! CTD-000052: AD domain account with Kerberos pre-authentication disabled

This threat definition detects AD domain accounts with Kerberos pre-authentication disabled. Kerberos pre-authentication is an important security feature that protects against password guessing attacks, and disabling it can increase the risk of unauthorized access to your Active Directory infrastructure.

New! CTD-000051: AD Krbtgt account password was not reset recently

This threat definition detects Active Directory domains where the Krbtgt account password has not been reset recently. The Krbtgt account is used for Kerberos authentication and a compromised password can allow threat actors to gain unauthorized access to your Active Directory infrastructure.

New! CTD-000050: Security principals with dangerous replication permissions

This threat definition detects security principals with dangerous replication permissions, such as the ability to replicate passwords or to create or modify users, groups, or computers. These permissions can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure.

New! CTD-000049: AD domain account with unconstrained delegation

This threat definition detects AD domain accounts with unconstrained delegation enabled. Unconstrained delegation allows a user to impersonate any other user without restriction, making it a high-risk setting that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure.

New! CTD-000048: AD computer with traces of DCShadow attack

This threat definition detects AD computers with traces of DCShadow attack, which is a technique used by threat actors to create a fake domain controller and take control of your Active Directory infrastructure.

New! CTD-000047: AD domain controller with SMB1 enabled

This threat definition detects AD domain controllers with SMB1 enabled. SMB1 is an outdated and insecure protocol that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure.

12715

New! CTD-000046: AD computer using dNSHostName that belongs to another computer account

This threat definition detects AD computers using dNSHostName that belongs to another computer account. If the dNSHostName attribute is set to the value of another computer account, threat actors could potentially use this to impersonate that computer and gain unauthorized access to resources.

10749

New! CTD-000045: Azure AD user account not registered with MFA

This threat definition detects regular Azure AD user accounts that have not registered for MFA. These accounts are at risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant.

10733

New! CTD-000044: Privileged Azure AD account not registered for MFA

This threat definition detects privileged Azure AD accounts that have not registered for Multi-Factor Authentication (MFA). These accounts have elevated permissions and are at high risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant.

11769

New! CTD-000043: Service Principal promoted an account to privileged role members 

This threat definition detects suspicious promotions to privileged roles made by Service Principals. A threat actor might use an Azure AD application to promote user accounts to privileged role members without detection. 

12715

This threat definition detects AD computers using dNSHostName that belongs to another computer account. If the dNSHostName attribute is set to the value of another computer account, threat actors could potentially use this to impersonate that computer and gain unauthorized access to resources.

11452

New! CTD-000040: Azure AD guest account with an unredeemed invitation

This threat definition detects unredeemed guest invitations. Threat actors might use such invitations to get access to your tenant.

11463

This threat definition detects if token persistence is not disabled for users with admin roles. If a device used by the administrator is left unattended or compromised, a threat actor might be able to extract PRT and use it to access your tenant, bypassing MFA. 

11730

Updated! CTD-000010: Azure AD app with risky write permissions

Now, this threat definition also checks additional permissions, including:

1. Policy.*Write*
2. Organization.*Write*
3. AppRoleAssignment.*Write*
4. RoleManagement.*Write*
5. ServicePrincipalEndpoint.*Write*
6. Application.*Write*
   
7. *update_device_attributes*

11731

New! CTD-000042: AAD: Azure AD tenant with Certificate-Based Authentication enabled

This threat definition detects if Certificate-Based Authentication is enabled and a root Certificate Authority is configured in the tenant. Threat actors might use certificate-based authentication to access the tenant by bypassing MFA.

11616

Updated! CTD-000035: Privileged Azure AD account synced from on-premise

Now, this threat definition also finds synced users with an eligible role membership in Azure AD roles.  

10724

New! CTD-000037: Objects with privileged SIDs in SID History

This threat definition finds AD Objects with privileged SIDs in their SID History. Threat actors may use the SID History Injection technique to escalate privileges and bypass access controls.

New! CTD-000012: Modified federation settings in Azure AD domain

This threat definition detects changes in the federation settings of Azure AD domains. Threat actors might use federated domains to access your tenant. This technique was used in the infamous Solorigate attack.

New! CTD-000008: Azure AD app with client secrets

This threat definition finds applications with client secrets. Threat actors might perform actions on behalf of an application using compromised client secrets.

Updated! CTD-000018: Azure AD tenant with auditing disabled

Now, this threat definition detects changes in the audit logging configuration of your Azure AD tenants in real time, in addition to the scheduled check.  

New! CTD-000034: Privileged AD user synced to Azure AD

This threat definition finds privileged AD users synced to Azure AD. Threat actors might compromise a regular user account in the tenant to get access to its privileged counterpart in the Active Directory.

New! CTD-000038 Azure AD tenant with unsecured access to Azure management

This threat definition detects if Microsoft Azure Management is not protected with Multi-factor authentication. Without MFA enforced, threat actors might compromise an account and immediately get access to the privileged resources. 

New! CTD-000039 Azure AD Application Registration with dangling URI

This threat definition finds Azure AD Application Registrations with redirect URIs without corresponding Azure resources. Threat actors might use such dangling URIs to redirect traffic intended for an application to a site performing malicious activity.