ID | Title and description | Threat definitions release |
11456 | New! CTD-000095: Privileged Azure AD user accounts susceptible to MFA fatigue attacks. This threat definition finds privileged accounts in Azure AD that have voice-based authentication methods registered. According to Microsoft, as strong authentication is adopted, multi-factor authentication (MFA) fatigue attacks (also called MFA spamming) are on the rise. These attacks rely on the user approving a simple voice prompt that gives no context about the session being authenticated. Whenever users "press the hash key" or "enter your PIN to approve" instead of entering a code shown on screen, they are performing a "simple approval". Microsoft's studies show that about 1% of users will accept a simple-approval request for a session they did not initiate, and others will do so on repeated calls, which lets the threat actor complete the authentication. To mitigate the risk, Microsoft recommends replacing voice approvals with strong authentication methods (for example, Microsoft Authenticator with number matching or FIDO2 security keys) for privileged accounts. | 2023.11 |
11546 | New! CTD-000094: AD domain with unsecure configuration of Cloud Kerberos Trust. This threat definition checks whether an AD domain has Cloud Kerberos Trust configured and whether any privileged accounts are not denied from using the trust. Cloud Kerberos Trust enables passwordless authentication from Azure AD to the AD forest for all accounts except those specifically denied. The trust is implemented through an AzureADKerberos read-only domain controller object, so the deny list is that object's RODC password replication policy (msDS-NeverRevealGroup, which by default contains the built-in administrative groups and the Denied RODC Password Replication Group); custom privileged groups are not denied unless added there. We generate a list of privileged accounts that have not been denied from using Cloud Kerberos Trust and that could therefore be used for lateral movement from Azure AD to on-premises AD by a threat actor who controls the Azure AD side. | 2023.11 |
14440 | New! CTD-000093: Short-lived privileged AD user. This threat definition finds accounts in the Active Directory domain that are no longer members of privileged groups but were members for a short period of time. An AD user account that was added to a privileged group and removed shortly afterwards might indicate threat activity (for example, temporary privilege used to make a persistent change). Accounts that were once in a privileged group might have obtained or retained permissions tied to privileged access (such as permissions granted directly to the account while it was privileged), so these accounts should not be reused by regular users. | 2023.11 |
11494 | New! CTD-000096: Azure AD tenant with device settings allowing brute force attacks. This threat definition checks whether the tenant's device policies allow an unlimited number of sign-in attempts on devices. If a device lets a threat actor guess a password with an unlimited number of attempts, the threat actor may eventually gain access to the device and compromise credentials and data or install malicious software. | 2023.11 |
14036 | Updated! CTD-000060: AD computer with suspicious change of sAMAccountName. The detection algorithm of this threat definition has been updated. | 2023.11 |
11546 | New! CTD-000092: Stale Azure AD Service Principal. This threat definition finds stale Service Principals (Enterprise Applications) in Azure AD. A compromised Enterprise Application could be used by a threat actor to access data in your tenant. An application without sign-ins might indicate that the Service Principal is no longer used. It is recommended to disable such Service Principals to reduce the attack surface. | 2023.10 |
12744 | New! CTD-000091: AD-integrated DNS zone allowing unsecure updates. This threat definition finds AD-integrated DNS zones that allow nonsecure dynamic updates. Nonsecure dynamic updates let a threat actor create or overwrite a DNS record without authentication, replace an existing record and redirect clients to a server under their control. If dynamic updates are required in your environment, use the Secure only option, which accepts updates only from authenticated clients. | 2023.10 |
14187 | New! CTD-000090: AD user with suspicious password refresh. This threat definition finds users with suspicious changes to their password state. If the option User must change password at next logon is turned on and then turned off again without a password change, the account's pwdLastSet value is refreshed to the current time while the old password stays in place. A threat actor (or a user) can use this trick to keep a password indefinitely and bypass the organization's maximum password age policy. | 2023.10 |
14029 | New! CTD-000088: AD domain controller using unsecure encryption type. This threat definition checks whether domain controllers are configured to use weak Kerberos encryption types. While RC4 (Rivest Cipher 4) is remarkable for its simplicity and speed, multiple weaknesses have been found since its release, rendering it insecure; RC4 is especially weak when the beginning of the key stream is not discarded or when non-random or related keys are used. In Kerberos, the RC4-HMAC key of an account is its NT password hash, so tickets encrypted with RC4 are far cheaper to crack offline than AES-encrypted tickets, and a threat actor positioned on the network can obtain such tickets. Domain controllers should advertise only AES encryption types in msDS-SupportedEncryptionTypes. | 2023.10 |
14516 | New! CTD-000089: AD domain with unsecure RBCD delegation on domain controllers. This threat definition checks permissions on domain controller computer objects. A threat actor could exploit this weakness by identifying accounts outside the Domain Admins, Enterprise Admins and built-in Administrators groups that have write access to the Resource-Based Constrained Delegation (RBCD) setting (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute) on a domain controller. With that write access, the attacker can let an account they control impersonate any user to the domain controller, except accounts marked as sensitive and cannot be delegated or members of Protected Users, and so take over the domain. This threat definition follows the recommendations of the Active Directory Security Assessment Checklist by ANSSI. | 2023.10 |
14027 | New! CTD-000087: AD domain with unsecure RBCD delegation on krbtgt account. This threat definition checks permissions on the KRBTGT account. A threat actor with permission to modify the KRBTGT account can compromise it. With control of KRBTGT, they can forge a Kerberos ticket-granting ticket (TGT) that grants access to any resource and set its expiration to any arbitrary time. Such a forged TGT is called a "Golden Ticket" and gives attackers persistent access to the domain. This threat definition follows the recommendations of the Active Directory Security Assessment Checklist by ANSSI. | 2023.10 |
14561 | Updated! CTD-000051. A typo was corrected in the description of the threat definition. | 2023.10 |
14035 | Updated! CTD-000060. An issue was resolved where this threat definition did not raise real-time alerts for undelete operations. | 2023.10 |
10729 | New! CTD-000086: Forest with recent schema changes. This threat definition detects recent changes in the schema of your Active Directory forest. The schema is the underlying definition of all objects and attributes that make up the forest. A threat actor with permission to modify the schema can compromise the overall security posture. Schema changes cannot be reversed without a forest recovery process, which can be automated with Cayosoft Guardian Forest Recovery. | 2023.09 |
14332 | Updated! CTD-000069. The performance of the threat definition was significantly improved. | 2023.09 |
14037 | Updated! CTD-000046: AD computer using dNSHostName that belongs to another computer account. An issue was resolved where a real-time alert was not raised for undeletes. | 2023.09 |
13999 | New! CTD-000083: Azure AD tenant with recent changes in the configuration of cross-tenant synchronization. This threat definition checks whether there are recent changes in the configuration of cross-tenant synchronization. A threat actor with sufficient privileges in a tenant can configure cross-tenant synchronization to provision accounts they control into another tenant, or to keep a foothold in a compromised tenant. | 2023.09 |
13679 | New! CTD-000084: AD domain where domain controllers allow authentication with keys vulnerable to ROCA. This threat definition checks whether there are domain controllers that are not protected against the ROCA vulnerability (CVE-2017-15361). RSA keys generated by affected Infineon TPMs and smart cards can be factored from the public key alone, so a certificate issued for such a key (for example, one used for smart card logon) can be impersonated. Vulnerable keys have a recognizable structure that can be detected from the public modulus; certificates issued for them should be revoked and the keys regenerated, and Microsoft's guidance for the domain controllers is published as security advisory ADV170012. | 2023.09 |
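The following block is an added example, not Cayosoft Guardian code and not from the original page: it implements the published ROCA fingerprint (a key from the affected Infineon library has primes of the form k*M + (65537^a mod M), where M is a primorial, so the modulus N = p*q satisfies N mod r in the subgroup generated by 65537 for every small prime r dividing M). The 39 primes used here form the M for 512-bit keys and divide the larger M values too, so the test is a necessary condition for every affected key size. No real vulnerable key is embedded; the demo constructs keys with the same structure (and ordinary random keys) in pure Python so the check can be exercised offline. The key sizes and seed are demo assumptions.

```python
"""ROCA (CVE-2017-15361) fingerprint check on an RSA public modulus.

Added example, not part of the Cayosoft page. Pure Python, no external
libraries. Affected keys have primes p = k * M + (65537^a mod M), where
M is the primorial of the first n small primes, so N = p*q satisfies
N mod r in <65537> (the cyclic subgroup generated by 65537 modulo r)
for every small prime r dividing M. A random modulus almost never
satisfies all 39 conditions at once.
"""
import random

# First 39 primes (2..167): their product is M for 512-bit ROCA keys and
# divides the M used for 1024-, 2048- and 4096-bit keys.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(r):
    """Residues modulo r of the form 65537^k (the subgroup generated by 65537)."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return seen


SUBGROUPS = {r: subgroup(r) for r in SMALL_PRIMES}


def is_roca_vulnerable(n):
    """True when n mod r lies in <65537> mod r for every small prime r."""
    return all((n % r) in SUBGROUPS[r] for r in SMALL_PRIMES)


# --- demo key construction (pure Python, for exercising the check) ---------

M = 1
for _r in SMALL_PRIMES:
    M *= _r          # about 219 bits


def is_probable_prime(n, rng, rounds=32):
    """Trial division by the small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def weak_prime(bits, rng):
    """Prime with the Infineon structure k*M + 65537^a mod M (demo only)."""
    lo = 1 << (bits - M.bit_length())
    while True:
        a = rng.randrange(1, 1 << 20)
        p = rng.randrange(lo, 2 * lo) * M + pow(GENERATOR, a, M)
        if is_probable_prime(p, rng):
            return p


def random_prime(bits, rng):
    """Ordinary random prime of the requested size (demo only)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def demo(seed=1, bits=256):
    """(check on a structured demo key, check on an ordinary demo key)."""
    rng = random.Random(seed)
    weak_n = weak_prime(bits, rng) * weak_prime(bits, rng)
    good_n = random_prime(bits, rng) * random_prime(bits, rng)
    return is_roca_vulnerable(weak_n), is_roca_vulnerable(good_n)


if __name__ == "__main__":
    print("structured key flagged, ordinary key flagged:", demo())
```

To audit a real certificate, take the RSA modulus from its public key (any X.509 parser exposes it as an integer) and pass it to is_roca_vulnerable; the production tool from the original research uses the same fingerprint with precomputed masks per key size.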
14215 | New! CTD-000085 (Medium): AD: Regular AD user with permission to link GPOs. This threat definition follows the recommendations of the Active Directory Security Assessment Checklist by ANSSI (tag: vuln1_permissions_gpo_priv) and detects regular users with suspicious permissions that allow them to link GPOs to containers holding privileged accounts or domain controllers, which could be used to elevate their privileges. | 2023.09 |
14023 | New! CTD-000082: AD forest with too many privileged accounts. This threat definition counts privileged accounts in AD and raises an alert if the number exceeds the configured threshold. | 2023.08 |
10764 | New! CTD-000081: Stale privileged Azure AD user account. This threat definition finds privileged accounts in Azure AD that are not used. | 2023.08 |
10726 | New! CTD-000080: Regular AD user account with permissions to modify DNS server objects. This threat definition detects regular AD users with dangerous permissions over DNS objects. | 2023.08 |
13755 | New! CTD-000075: AD forest with Recycle Bin not enabled. This threat definition checks whether the Recycle Bin feature is enabled in your Active Directory forest. | 2023.08 |
13678 | New! CTD-000076: AD CS server vulnerable to NTLM relay attacks. This threat definition detects AD CS servers vulnerable to NTLM relay attacks (for example, web enrollment endpoints without Extended Protection for Authentication or enforced HTTPS, the weakness abused in ESC8). | 2023.08 |
12790 | New! CTD-000079: Privileged AD user not protected from using unsecure authentication methods. This threat definition detects privileged users who are not members of the Protected Users group. | 2023.08 |
12785 | New! CTD-000077: AD domain allowing NTLM authentication. This threat definition checks whether a group policy restricting NTLM authentication (the Network security: Restrict NTLM policies) is in place. | 2023.08 |
11449 | New! CTD-000078: Stale Azure AD guest account. This threat definition detects stale guest user accounts in your tenant. | 2023.08 |
10726 | New! CTD-000079: Regular AD user account with permissions to modify DNS server objects. This threat definition detects regular users who are members of the DnsAdmins group or have permissions over this group. | 2023.08 |
13711, 13712, 13713, 13714, 13715, 13885 | Updated! CTD-000067, CTD-000066, CTD-000065, CTD-000064, CTD-000063. Additional configuration parameters were added. | 2023.07 |
13710 | New! CTD-000071: Azure AD tenant with bulk changes of devices. This threat definition detects bulk changes of devices in Azure AD tenants. | 2023.07 |
13677 | New! CTD-000070: Privileged group members with weak password policy. This threat definition detects privileged domain accounts that are not protected by a stronger password policy (for example, a fine-grained password policy applied to the privileged groups). | 2023.07 |
12776 | New! CTD-000069: AD forest allowing vulnerable Netlogon secure channel connections. This threat definition detects computers that are allowed to establish vulnerable Netlogon secure channel connections, that is, exceptions configured through the Domain controller: Allow vulnerable Netlogon secure channel connections policy, which weaken the Zerologon (CVE-2020-1472) enforcement. | 2023.07 |
12709 | Updated! CTD-000013, CTD-000023. Additional configuration parameters were added. | 2023.07 |
11742 | New! CTD-000073: AD forest with password hash synchronization not enabled. This threat definition detects whether password hash synchronization is not enabled. | 2023.07 |
10728 | New! CTD-000072: AD user account with old password. This threat definition detects user accounts whose password is not changed periodically. | 2023.07 |
13410, 13483, 13470 | Updated! All threat definitions: MITRE and ANSSI classification. Additional references to threat classification frameworks such as ANSSI and MITRE ATT&CK were added for all threat definitions. | 2023.06-1 |
13449 | Updated! CTD-000004: AD object with non-default primary group. Additional configuration parameters were added to the threat definition. | 2023.06-1 |
13226 | New! CTD-000063, CTD-000064, CTD-000065, CTD-000066, CTD-000067. These threat definitions detect when a configured number of object changes occurs in the managed system over a short period of time (bulk changes). | 2023.06-1 |
12908 | New! CTD-000062: AD domain controller with enabled print spooler. This threat definition detects whether the Print Spooler service is running (not stopped and disabled) on a domain controller. Print Spooler is the service that manages printing: it accepts print jobs, makes sure printer resources are available and schedules the order in which jobs are sent to the print queue. While seemingly harmless, any authenticated user can remotely connect to the Print Spooler on a domain controller and ask to be notified of new print jobs (RpcRemoteFindFirstPrinterChangeNotificationEx), naming any host as the notification target. If that host has unconstrained delegation, the domain controller's machine account authenticates to it and leaves its TGT there for the attacker to extract and reuse (the service runs as SYSTEM, so it authenticates as the domain controller's computer account). The service should be stopped and disabled on domain controllers. | 2023.06-1 |
| New! CTD-000068: Azure AD user retrieving BitLocker keys. This threat definition detects when an Azure AD user retrieves a BitLocker recovery key. A threat actor with physical access to a machine could use such a recovery key to decrypt its drives and access the data. | 2023.06-1 |
12549 | New! CTD-000061: Stale Azure AD device. This threat definition identifies Azure AD devices that are no longer used. Devices become stale when a user gets a new device or loses one, or when an Azure AD joined device is wiped or reprovisioned. Devices might also remain registered or joined when the user is no longer associated with the tenant. Stale devices should be removed so that their primary refresh tokens (PRTs) cannot be used by a threat actor. | 2023.06-1 |
13245 | Updated! CTD-000048: AD computer with traces of DCShadow attack. The evidence content and text were updated. | 2023.06-1 |
| Updated! CTD-000008: Azure AD app with client secrets. An issue was resolved where the threat definition failed with an error if a client secret had an empty description. | 2023.05-1 |
12759 | New! CTD-000060: AD computer with a suspicious change of sAMAccountName. This threat definition detects suspicious changes to a computer's sAMAccountName. CVE-2021-42278 and CVE-2021-42287 (together known as "noPac") can be exploited by a threat actor who holds low-privileged domain user credentials: by renaming a computer account they control to a domain controller's name without the trailing "$", requesting a TGT, renaming the account back and then requesting a service ticket, they obtain a Kerberos service ticket issued for the domain controller's computer account, which gives elevated privileges in the domain. | 2023.05 |
12728 | New! CTD-000058: Privileged AD user account with associated SPNs. This threat definition detects privileged AD accounts with Service Principal Names (SPNs). In a Kerberoasting attack, the attacker enumerates Active Directory for user accounts that have an SPN, requests service tickets for those SPNs (any authenticated domain user can do so), extracts the tickets (for example with Mimikatz or Rubeus) and cracks the encrypted part of the tickets offline. If the password is weak, the attacker recovers it and uses the account to sign in to machines or access resources; for a privileged account this means immediate privilege escalation. | 2023.05 |
11467 | New! CTD-000057: AD forest with the Azure SSO computer account not changing its password. This threat definition checks whether the Azure SSO computer account changes its password regularly. A special computer account, AZUREADSSOACC, provides the Azure AD Seamless SSO functionality. If a threat actor obtains the password (Kerberos key) of AZUREADSSOACC, they can forge a service ticket for AZUREADSSOACC as any synced user (a silver ticket) and use it to impersonate that user in Azure AD. The password of AZUREADSSOACC is never rotated automatically, so a stolen hash or key keeps working until the password is rolled over; Microsoft recommends rolling it at least every 30 days. This weakness could also be misused by highly privileged employees to retain access to the environment after leaving the company. | 2023.05 |
10706 | New! CTD-000005: AD security principal with replication permissions. This threat definition detects accounts with replication permissions (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain naming context). Threat actors use such accounts in a DCSync attack to pull the password hashes of any account, including KRBTGT, from a domain controller over the replication protocol. With those hashes they can escalate privileges, perform unauthorized actions or move laterally, posing a significant risk to the Active Directory infrastructure. | 2023.05 |
13108 | Updated! CTD-000053: AD domain accounts with password not required. This threat definition was updated to raise alerts only for enabled AD user accounts. | 2023.05 |
13397 | Updated! CTD-000048: AD computer with traces of DCShadow attack. An issue was resolved where Cayosoft Guardian raised an unexpected alert for AD computers hosting AD LDS instances. | 2023.05 |
13092 | New! CTD-000056: AD domain allows unprivileged users to add computer accounts. This threat definition detects Active Directory domains where unprivileged users can add computer accounts (the ms-DS-MachineAccountQuota attribute defaults to 10). A threat actor who holds any domain user account can create computer accounts they fully control and use them in attacks such as resource-based constrained delegation abuse or sAMAccountName spoofing to gain elevated access to the Active Directory infrastructure. Set the quota to 0 and grant computer-join rights explicitly instead. | 2023.04 |
12763 | New! CTD-000055: AD domain account with password stored using reversible encryption. This threat definition detects AD domain accounts whose passwords are stored using reversible encryption. A password stored this way can be recovered in cleartext by anyone who can read the account's password data (for example, through DCSync), giving a threat actor the password itself rather than a hash. | 2023.04 |
12730 | New! CTD-000054: AD user account with DES encryption type enabled. This threat definition detects AD user accounts with the DES Kerberos encryption type enabled. DES uses a 56-bit key and can be broken by brute force, so tickets issued for such accounts can be decrypted by a threat actor to recover the account's key. | 2023.04 |
12751 | New! CTD-000053: AD domain accounts with password not required. This threat definition detects AD domain accounts where a password is not required (the PASSWD_NOTREQD flag). Such an account may have an empty password, which lets threat actors gain access to the Active Directory infrastructure without knowing one. | 2023.04 |
| New! CTD-000052: AD domain account with Kerberos pre-authentication disabled. This threat definition detects AD domain accounts with Kerberos pre-authentication disabled. Pre-authentication protects against password-guessing attacks; when it is disabled, anyone can request an AS-REP for the account and crack its encrypted part offline (AS-REP roasting), which increases the risk of unauthorized access to your Active Directory infrastructure. | 2023.04 |
| New! CTD-000051: AD Krbtgt account password was not reset recently. This threat definition detects Active Directory domains where the Krbtgt account password has not been reset recently. The Krbtgt account key encrypts and signs every Kerberos TGT in the domain; a compromised key lets threat actors forge Golden Tickets. Reset the password twice, allowing replication to complete between the two resets, so that tickets issued under the old key and any stolen copy of it are invalidated. | 2023.04 |
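Added example for the pwdLastSet-based definitions above (CTD-000090 suspicious password refresh, CTD-000072 old user password, CTD-000057 AZUREADSSOACC and CTD-000051 Krbtgt password age). It is not Cayosoft Guardian code and not from the original page: it converts the attribute's FILETIME encoding, applies per-account age limits, and detects the "set to 0, then back to a timestamp, with no password change in between" sequence from attribute-change records. The account records, the change events and the age thresholds are constructed for the demo (the 30-day value for AZUREADSSOACC follows Microsoft's rollover recommendation; the others are assumed baselines that would be configuration parameters).

```python
"""pwdLastSet analysis: password age limits and the pwdLastSet refresh trick.

Added example, not Cayosoft Guardian code. Records, events and thresholds
below are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a large integer: 100-nanosecond ticks since
# 1601-01-01 UTC (Windows FILETIME). 0 means "must change password at next logon".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


# Assumed maximum password ages in days, keyed by sAMAccountName ("*" = default).
MAX_AGE_DAYS = {"krbtgt": 180, "AZUREADSSOACC$": 30, "*": 365}


def password_age_days(pwd_last_set, now):
    """Age of the current password, or None when a forced change is pending."""
    if not pwd_last_set:
        return None
    return (now - filetime_to_datetime(pwd_last_set)).days


def stale_password_findings(accounts, now):
    """(sAMAccountName, age_days, limit) for every account past its limit."""
    findings = []
    for acct in accounts:
        age = password_age_days(acct["pwdLastSet"], now)
        if age is None:
            continue
        limit = MAX_AGE_DAYS.get(acct["sAMAccountName"], MAX_AGE_DAYS["*"])
        if age > limit:
            findings.append((acct["sAMAccountName"], age, limit))
    return findings


def suspicious_password_refreshes(events, window=timedelta(days=7)):
    """Accounts whose pwdLastSet went to 0 and then back to a timestamp with no
    password change in between. Writing -1 to pwdLastSet produces exactly that
    second change: the old password is kept but its age restarts from now.
    Events are constructed attribute-change records; a real password change is
    represented by a change of unicodePwd (assumed representation)."""
    pending = {}    # account -> time the flag was turned on
    hits = []
    for ev in sorted(events, key=lambda e: e["when"]):   # stable sort keeps ties ordered
        acct, attr = ev["account"], ev["attribute"]
        if attr == "unicodePwd":
            pending.pop(acct, None)          # genuine password change: nothing suspicious
        elif attr == "pwdLastSet":
            if ev["new"] == 0:
                pending[acct] = ev["when"]
            elif acct in pending and ev["when"] - pending.pop(acct) <= window:
                hits.append(acct)
    return hits


# --- constructed sample data -------------------------------------------------
NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)


def ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


def at(year, month, day, hour):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "krbtgt",         "pwdLastSet": ft(2022, 1, 15)},
    {"sAMAccountName": "AZUREADSSOACC$", "pwdLastSet": ft(2023, 7, 1)},
    {"sAMAccountName": "alice",          "pwdLastSet": ft(2023, 8, 1)},
    {"sAMAccountName": "svc_legacy",     "pwdLastSet": ft(2021, 5, 1)},
    {"sAMAccountName": "newhire",        "pwdLastSet": 0},
]

SAMPLE_EVENTS = [
    {"account": "alice", "attribute": "pwdLastSet", "new": 0,              "when": at(2023, 9, 1, 9)},
    {"account": "alice", "attribute": "pwdLastSet", "new": ft(2023, 9, 1), "when": at(2023, 9, 1, 10)},
    {"account": "bob",   "attribute": "pwdLastSet", "new": 0,              "when": at(2023, 9, 2, 9)},
    {"account": "bob",   "attribute": "unicodePwd", "new": None,           "when": at(2023, 9, 3, 9)},
    {"account": "bob",   "attribute": "pwdLastSet", "new": ft(2023, 9, 3), "when": at(2023, 9, 3, 9)},
]

if __name__ == "__main__":
    print(stale_password_findings(SAMPLE_ACCOUNTS, NOW))
    print(suspicious_password_refreshes(SAMPLE_EVENTS))
```

Alice's pwdLastSet was cleared and restored an hour later without a unicodePwd change, so she is reported; Bob's flag was cleared by a real password reset and is not.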
|
| New! CTD-000050: Security principals with dangerous replication permissions. This threat definition detects security principals with dangerous replication permissions, such as the right to replicate directory changes including secrets (which exposes password hashes), or to create or modify users, groups and computers. These permissions can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
| New! CTD-000049: AD domain account with unconstrained delegation. This threat definition detects AD domain accounts with unconstrained delegation enabled. A service running under such an account receives and caches the TGT of every user who authenticates to it, so a threat actor who compromises the account or its host can reuse those TGTs to impersonate those users anywhere in the forest. This makes it a high-risk setting that can be exploited to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
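Added example covering the flag-based definitions above in one pass (CTD-000055 reversible encryption, CTD-000054 DES, CTD-000053 password not required, CTD-000052 pre-authentication disabled, CTD-000049 unconstrained delegation) together with CTD-000088 (weak encryption types on domain controllers). It is not Cayosoft Guardian code and not from the original page: it decodes the userAccountControl and msDS-SupportedEncryptionTypes bitmasks that these checks read and applies the two exclusions the definitions imply (disabled accounts are skipped for CTD-000053, and domain controllers, which hold unconstrained delegation by design, are skipped for CTD-000049). The directory records are constructed; in production they would come from an LDAP search returning those two attributes.

```python
"""userAccountControl / msDS-SupportedEncryptionTypes flag audit.

Added example, not Cayosoft Guardian code. Records below are constructed.
"""

# userAccountControl bit flags (subset; values from the Windows SDK).
UAC = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,   # reversible encryption
    "SERVER_TRUST_ACCOUNT": 0x2000,         # domain controller computer account
    "TRUSTED_FOR_DELEGATION": 0x80000,      # unconstrained delegation
    "NOT_DELEGATED": 0x100000,              # "sensitive and cannot be delegated"
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# msDS-SupportedEncryptionTypes bit flags.
ETYPE = {"DES_CBC_CRC": 0x1, "DES_CBC_MD5": 0x2, "RC4_HMAC": 0x4,
         "AES128_CTS_HMAC_SHA1_96": 0x8, "AES256_CTS_HMAC_SHA1_96": 0x10}
DES_ETYPES = ETYPE["DES_CBC_CRC"] | ETYPE["DES_CBC_MD5"]
WEAK_ETYPES = DES_ETYPES | ETYPE["RC4_HMAC"]
AES_ETYPES = ETYPE["AES128_CTS_HMAC_SHA1_96"] | ETYPE["AES256_CTS_HMAC_SHA1_96"]


def decode_flags(value, table):
    """Names of the bits set in value, for the evidence text of an alert."""
    return [name for name, bit in table.items() if value & bit]


def audit_account(acct):
    """Finding IDs for one object. acct carries sAMAccountName,
    userAccountControl (int) and, optionally, msDS-SupportedEncryptionTypes."""
    uac = acct["userAccountControl"]
    etypes = acct.get("msDS-SupportedEncryptionTypes") or 0
    disabled = bool(uac & UAC["ACCOUNTDISABLE"])
    is_dc = bool(uac & UAC["SERVER_TRUST_ACCOUNT"])
    findings = []
    if uac & UAC["ENCRYPTED_TEXT_PWD_ALLOWED"]:
        findings.append("CTD-000055")
    if uac & UAC["USE_DES_KEY_ONLY"] or etypes & DES_ETYPES:
        findings.append("CTD-000054")
    if uac & UAC["PASSWD_NOTREQD"] and not disabled:        # enabled accounts only
        findings.append("CTD-000053")
    if uac & UAC["DONT_REQ_PREAUTH"]:
        findings.append("CTD-000052")
    if uac & UAC["TRUSTED_FOR_DELEGATION"] and not is_dc:   # DCs are trusted by design
        findings.append("CTD-000049")
    # A DC with the attribute unset relies on defaults (historically RC4 included),
    # one advertising DES/RC4, or one without any AES type, is reported.
    if is_dc and (etypes == 0 or etypes & WEAK_ETYPES or not etypes & AES_ETYPES):
        findings.append("CTD-000088")
    return findings


def audit_directory(accounts):
    """sAMAccountName -> findings, for accounts with at least one finding."""
    result = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            result[acct["sAMAccountName"]] = findings
    return result


# Constructed records (0x200 = NORMAL_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x200 | 0x80 | 0x400000},
    {"sAMAccountName": "kiosk_old",  "userAccountControl": 0x200 | 0x20 | 0x2},
    {"sAMAccountName": "kiosk",      "userAccountControl": 0x200 | 0x20},
    {"sAMAccountName": "olduser",    "userAccountControl": 0x200 | 0x200000},
    {"sAMAccountName": "APPSRV01$",  "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "DC01$",      "userAccountControl": 0x2000 | 0x80000,
     "msDS-SupportedEncryptionTypes": 0x1C},     # RC4 + AES128 + AES256
    {"sAMAccountName": "DC02$",      "userAccountControl": 0x2000 | 0x80000,
     "msDS-SupportedEncryptionTypes": 0x18},     # AES only
]

if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLE_ACCOUNTS).items():
        print(name, findings)
```

The disabled kiosk_old account and the AES-only DC02$ produce no findings; DC01$ is reported only for the RC4 it still advertises, not for its (expected) unconstrained delegation.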
|
| New! CTD-000048: AD computer with traces of DCShadow attack. This threat definition detects AD computers with traces of a DCShadow attack, a technique in which a threat actor with sufficient privileges registers a rogue domain controller and pushes malicious changes into Active Directory through replication, bypassing the usual change logging. | 2023.04 |
| New! CTD-000047: AD domain controller with SMB1 enabled. This threat definition detects AD domain controllers with SMB1 enabled. SMB1 is an outdated and insecure protocol that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. | 2023.04 |
12715 | New! CTD-000046: AD computer using dNSHostName that belongs to another computer account. This threat definition detects AD computers whose dNSHostName belongs to another computer account. If the dNSHostName attribute is set to the value of another computer (for example, a domain controller), a threat actor could use it to obtain a certificate or tickets for that computer and impersonate it to gain unauthorized access to resources. | 2023.04 |
10749 | New! CTD-000045: Azure AD user account not registered with MFA. This threat definition detects regular Azure AD user accounts that have not registered for MFA. These accounts are at risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant. | 2023.03 |
10733 | New! CTD-000044: Privileged Azure AD account not registered for MFA. This threat definition detects privileged Azure AD accounts that have not registered for multi-factor authentication (MFA). These accounts have elevated permissions and are at high risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant. | 2023.03 |
11769 | New! CTD-000043: Service Principal promoted an account to privileged role members. This threat definition detects suspicious promotions to privileged roles made by Service Principals. A threat actor might use an Azure AD application with role-management permissions to promote user accounts to privileged roles without detection. | 2023.03 |
12715 | New! CTD-000046: AD computer using dNSHostName that belongs to another computer account. Same description as the 2023.04 entry above. | 2023.03 |
11452 | New! CTD-000040: Azure AD guest account with an unredeemed invitation. This threat definition detects unredeemed guest invitations. A threat actor who obtains the invitation link can redeem it and gain access to your tenant. | 2023.01.0.7 |
11463 | New! CTD-000041: Azure AD tenant with unsecured token persistence. This threat definition detects whether token persistence is not disabled for users with admin roles. If a device used by an administrator is left unattended or compromised, a threat actor might extract the primary refresh token (PRT) and use it to access your tenant, bypassing MFA. | 2023.01.0.7 |
11730 | Updated! CTD-000010: Azure AD app with risky write permissions. This threat definition now also checks additional permissions. | 2023.01.0.7 |
11731 | New! CTD-000042: AAD: Azure AD tenant with Certificate-Based Authentication enabled. This threat definition detects whether Certificate-Based Authentication is enabled and a root Certificate Authority is configured in the tenant. A threat actor who controls the trusted CA or obtains a user certificate might use certificate-based authentication to access the tenant while bypassing MFA. | 2023.01.0.7 |
11616 | Updated! CTD-000035: Privileged Azure AD account synced from on-premises. This threat definition now also finds synced users with an eligible (PIM) role membership in Azure AD roles. | 2022.12.0.1 |
10724 | New! CTD-000037: Objects with privileged SIDs in SID History. This threat definition finds AD objects with privileged SIDs in their sIDHistory attribute. Threat actors may use SID History injection to escalate privileges and bypass access controls, because every SID in sIDHistory is added to the user's access token at logon. | 2022.12.0.1 |
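Added example for CTD-000037, not Cayosoft Guardian code and not from the original page. LDAP returns sIDHistory as binary SIDs, so the block parses that wire format (revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) and then compares each SID with the well-known privileged RIDs and built-in groups. It also separates the two cases a reviewer treats differently: a privileged RID under the current domain's SID cannot come from a migration and is reported as injection, while the same RID under a foreign domain SID is a migrated privileged account. The domain SIDs and objects are constructed for the demo.

```python
"""sIDHistory audit for privileged SIDs (the check behind CTD-000037).

Added example, not Cayosoft Guardian code. Domain SIDs and objects below
are constructed for the demo.
"""
import struct

# Well-known RIDs that are privileged in every domain (MS-DTYP).
PRIVILEGED_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                   516: "Domain Controllers", 518: "Schema Admins",
                   519: "Enterprise Admins"}
PRIVILEGED_BUILTIN = {"S-1-5-32-544": "Administrators",
                      "S-1-5-32-548": "Account Operators",
                      "S-1-5-32-549": "Server Operators",
                      "S-1-5-32-550": "Print Operators",
                      "S-1-5-32-551": "Backup Operators"}


def sid_bytes_to_string(blob):
    """Decode a binary SID (the LDAP representation) to S-1-... form."""
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid):
    """Encode S-1-... form to the binary SID layout (used to build the demo data)."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("malformed SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_history_findings(objects, domain_sid):
    """(sAMAccountName, sid, reason) for every privileged SID found in sIDHistory."""
    findings = []
    for obj in objects:
        for blob in obj.get("sIDHistory", []):
            sid = sid_bytes_to_string(blob)
            if sid in PRIVILEGED_BUILTIN:
                findings.append((obj["sAMAccountName"], sid,
                                 "builtin " + PRIVILEGED_BUILTIN[sid]))
                continue
            prefix, _, rid = sid.rpartition("-")
            name = PRIVILEGED_RIDS.get(int(rid))
            if name is None:
                continue
            scope = ("current domain: SID History injection" if prefix == domain_sid
                     else "foreign domain: migrated privileged account")
            findings.append((obj["sAMAccountName"], sid, name + ", " + scope))
    return findings


# Constructed sample data.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_DOMAIN_SID = "S-1-5-21-4000000000-1500000000-2600000000"

SAMPLE_OBJECTS = [
    {"sAMAccountName": "jdoe",       "sIDHistory": [sid_string_to_bytes(DOMAIN_SID + "-512")]},
    {"sAMAccountName": "migrated",   "sIDHistory": [sid_string_to_bytes(OLD_DOMAIN_SID + "-1105")]},
    {"sAMAccountName": "svc_backup", "sIDHistory": [sid_string_to_bytes("S-1-5-32-544")]},
    {"sAMAccountName": "migadmin",   "sIDHistory": [sid_string_to_bytes(OLD_DOMAIN_SID + "-519")]},
    {"sAMAccountName": "plain"},
]

if __name__ == "__main__":
    for finding in sid_history_findings(SAMPLE_OBJECTS, DOMAIN_SID):
        print(finding)
```

The migrated account carrying an ordinary RID (1105) from the old domain is the legitimate case and is not reported.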
10759 | New! CTD-000012: Modified federation settings in Azure AD domain. This threat definition detects changes in the federation settings of Azure AD domains. A threat actor who adds or modifies a federation trust can sign their own SAML tokens and access your tenant as any user. This technique was used in the Solorigate (SolarWinds) attack. | 2022.12.0.1 |
11171 | New! CTD-000008: Azure AD app with client secrets. This threat definition finds applications with client secrets. Threat actors who obtain a client secret can perform actions on behalf of the application with all of its granted permissions. | 2022.12.0.1 |
11226 | Updated! CTD-000018: Azure AD tenant with auditing disabled. This threat definition now detects changes in the audit logging configuration of your Azure AD tenants in real time, in addition to the scheduled check. | 2022.12.0.1 |
11462 | New! CTD-000034: Privileged AD user synced to Azure AD. This threat definition finds privileged AD users synced to Azure AD. Threat actors might compromise the regular user account in the tenant to get access to its privileged counterpart in Active Directory. | 2022.12.0.1 |
11481 | New! CTD-000038: Azure AD tenant with unsecured access to Azure management. This threat definition detects whether Microsoft Azure Management is not protected with multi-factor authentication. Without MFA en­forced, threat actors who compromise an account immediately gain access to privileged resources. | 2022.12.0.1 |
11507 | New! CTD-000039: Azure AD Application Registration with dangling URI. This threat definition finds Azure AD Application Registrations with redirect URIs that no longer correspond to an existing Azure resource. Threat actors can register the abandoned resource name themselves and use the dangling URI to receive traffic (including authorization codes and tokens) intended for the application. | 2022.12.0.1 |