ID | Title and description | Threat definitions release |
17446 |
NEW: CTD-000140: Constrained authentication delegation to a domain controller service
This threat definition detects principals (computers or users) whose msDS-AllowedToDelegateTo attribute lists a service (for example ldap, cifs, or host) running on a Domain Controller. Such a principal can impersonate users to that DC service, and with protocol transition it can do so without the user ever authenticating to it, which lets a threat actor who controls the principal act as a privileged user against the DC itself. |
2024.08 |
17447 |
NEW: CTD-000138: Resource-based constrained delegation on domain controllers
This threat definition detects accounts that are allowed to act on behalf of other identities towards a domain controller, i.e. accounts listed in the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute. A threat actor who gains control over such a service account can exploit the Resource-Based Constrained Delegation (RBCD) setting: using S4U2Self and S4U2Proxy, the lower-privileged account obtains service tickets to the domain controller as a higher-privileged user, escalating its privileges. |
2024.08 |
17449 |
NEW: CTD-000139: Constrained delegation with protocol transition to the krbtgt account
This threat definition detects users and computers that have constrained delegation with protocol transition (the TRUSTED_TO_AUTH_FOR_DELEGATION flag in userAccountControl) to the krbtgt service. No legitimate service needs to delegate to krbtgt; a principal configured this way can obtain ticket-granting tickets on behalf of other users that are not protected from delegation. |
2024.08 |
17451 |
NEW: CTD-000136: AD domain controller not changing its password
This threat definition detects domain controllers whose computer account password has not been changed in over 45 days. Domain controllers rotate their machine-account password automatically (every 30 days by default), so a stale pwdLastSet indicates that rotation has been disabled, that the DC is offline or no longer a functioning replica, or that its secure channel is broken. A threat actor who has compromised the Domain Controller may also keep its secret static to retain access. Such DCs should be investigated. |
2024.08 |
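The pwdLastSet comparison behind CTD-000136 (and the per-user variant, CTD-000072) is easy to get wrong because the attribute is a Windows FILETIME, not a Unix timestamp. The following is an added example in Python, written for this page and not Cayosoft Guardian's code; the 45-day DC limit comes from the definition above, the 90-day user limit and the isDomainController field are assumptions, and the account records are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a pwdLastSet value to an aware datetime. 0 means the password was never
    set or 'must change at next logon' is pending, so there is no date to return."""
    if filetime <= 0:
        return None
    # integer arithmetic keeps full precision (microseconds are enough here)
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# DC machine accounts rotate their password every 30 days by default, so 45 days
# leaves slack for a DC that was offline for a while (threshold from CTD-000136).
DC_MAX_AGE = timedelta(days=45)
# Assumed maximum password age for ordinary accounts; align with your domain policy.
USER_MAX_AGE = timedelta(days=90)


def stale_password_accounts(accounts, now=None):
    """Return (sAMAccountName, reason) pairs for accounts whose password is too old.

    `accounts` is an iterable of dicts with sAMAccountName, pwdLastSet (int) and
    isDomainController (bool, e.g. derived from primaryGroupID == 516).
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for acct in accounts:
        limit = DC_MAX_AGE if acct.get("isDomainController") else USER_MAX_AGE
        last_set = filetime_to_datetime(acct["pwdLastSet"])
        if last_set is None:
            # A DC (or service account) with pwdLastSet == 0 never rotated its secret
            # or had it cleared; treat that as worse than merely old.
            findings.append((acct["sAMAccountName"], "pwdLastSet is 0"))
        elif now - last_set > limit:
            age = (now - last_set).days
            findings.append((acct["sAMAccountName"],
                             f"password age {age} days exceeds {limit.days}-day limit"))
    return findings


# Constructed sample data; not taken from any real directory.
NOW = datetime(2024, 8, 15, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "DC01$", "isDomainController": True,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=12))},
    {"sAMAccountName": "DC02$", "isDomainController": True,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=61))},
    {"sAMAccountName": "DC03$", "isDomainController": True, "pwdLastSet": 0},
    {"sAMAccountName": "svc-backup", "isDomainController": False,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "alice", "isDomainController": False,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=20))},
]

if __name__ == "__main__":
    for name, reason in stale_password_accounts(SAMPLE, NOW):
        print(f"{name}: {reason}")
```

In a live check the `accounts` list would come from an LDAP query for objects with primaryGroupID 516 (for DCs) plus the user population; keeping the time arithmetic in integers avoids the precision loss that float FILETIME conversions introduce.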
17400 |
NEW: CTD-000135: Privileged AD user not protected against delegation
This threat definition detects all privileged users without the "Account is sensitive and cannot be delegated" account option (the NOT_DELEGATED flag in userAccountControl) turned on. Without this flag, any service with unconstrained delegation that the user authenticates to receives a forwardable TGT for the user, and a threat actor who controls that service can reuse the user's identity against other services or systems, potentially escalating their privileges. |
2024.08 |
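The delegation definitions above (CTD-000140, CTD-000139, CTD-000135 and the RBCD-on-DC check, CTD-000138) all reduce to bit tests on userAccountControl plus a look at where the principal is allowed to delegate. The script below is an added example in Python and is not Cayosoft Guardian's code; the userAccountControl bit values are the documented ones, while the object records, SIDs, host names, the assumption that the RBCD descriptor is already converted to SDDL text, and the empty RBCD allow-list are constructed for the example.

```python
import re

# userAccountControl flags that matter for delegation ([MS-ADTS] 2.2.16).
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Trustees that may legitimately appear in a DC's RBCD descriptor. Assumed empty: the
# definition treats any RBCD entry on a domain controller as a finding.
RBCD_ALLOWED_TRUSTEES = set()

ACE_TRUSTEE = re.compile(r"\(A;[^)]*;([^;)]+)\)")  # last field of an access-allowed ACE


def rbcd_trustees(sddl):
    """Return the trustee SIDs/aliases of allow ACEs in an
    msDS-AllowedToActOnBehalfOfOtherIdentity descriptor given in SDDL form."""
    return ACE_TRUSTEE.findall(sddl)


def split_spn(spn):
    """'cifs/dc01.corp.example.com:445' -> ('cifs', 'dc01.corp.example.com')"""
    service, _, rest = spn.partition("/")
    return service.lower(), rest.split(":")[0].lower()


def audit_delegation(objects, dc_hosts):
    """Evaluate delegation exposure of AD principals (users and computers).

    objects: dicts with sAMAccountName, userAccountControl (int), optional isPrivileged,
             msDS-AllowedToDelegateTo (list of SPNs) and, for DCs,
             msDS-AllowedToActOnBehalfOfOtherIdentity (SDDL string).
    dc_hosts: DNS host names of the domain controllers.
    Returns (sAMAccountName, threat definition, detail) tuples.
    """
    dc_hosts = {h.lower() for h in dc_hosts}
    findings = []
    for obj in objects:
        name = obj["sAMAccountName"]
        uac = obj["userAccountControl"]
        transition = bool(uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION)

        # CTD-000135: a privileged user without NOT_DELEGATED hands a forwardable TGT to
        # every unconstrained-delegation service it authenticates to.
        if obj.get("isPrivileged") and not uac & UF_NOT_DELEGATED:
            findings.append((name, "CTD-000135", "privileged account can be delegated"))

        for spn in obj.get("msDS-AllowedToDelegateTo", []):
            service, host = split_spn(spn)
            if service == "krbtgt":
                # CTD-000139: delegating to the KDC itself lets the holder obtain TGTs
                # on behalf of other users; with protocol transition no user interaction is needed.
                mode = "with" if transition else "without"
                findings.append((name, "CTD-000139", f"delegation to {spn} {mode} protocol transition"))
            elif host in dc_hosts:
                # CTD-000140: impersonating users to a DC service (ldap, cifs, host, ...)
                findings.append((name, "CTD-000140", f"delegation to DC service {spn}"))

        # CTD-000138 / CTD-000089: RBCD configured on a domain controller
        if uac & UF_SERVER_TRUST_ACCOUNT:
            for trustee in rbcd_trustees(obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity", "")):
                if trustee not in RBCD_ALLOWED_TRUSTEES:
                    findings.append((name, "CTD-000138", f"{trustee} may act on behalf of other identities"))
    return findings


# Constructed sample objects; SIDs and names are invented for the example.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc-web", "userAccountControl": 0x10200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["krbtgt/CORP.EXAMPLE.COM"]},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/dc01.corp.example.com", "http/web01.corp.example.com"]},
    {"sAMAccountName": "jdoe-admin", "userAccountControl": 0x200, "isPrivileged": True},
    {"sAMAccountName": "backup-admin", "userAccountControl": 0x200 | UF_NOT_DELEGATED, "isPrivileged": True},
    {"sAMAccountName": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToActOnBehalfOfOtherIdentity":
         "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3623811015-3361044348-30300820-1105)"},
]
DC_HOSTS = ["dc01.corp.example.com"]

if __name__ == "__main__":
    for name, ctd, detail in audit_delegation(SAMPLE_OBJECTS, DC_HOSTS):
        print(f"{ctd} {name}: {detail}")
```

Note that the DC itself carries UF_TRUSTED_FOR_DELEGATION, which is normal for domain controllers and is deliberately not reported; the finding on DC01$ comes from the RBCD descriptor, not from its own flags.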
17784, 17718, 17689, 17330, 17428, 16686, 17144, 17515, 17753 |
UPDATE: CTD-000082, CTD-000129, CTD-000035, CTD-000130, CTD-000140, CTD-000141, CTD-000104, CTD-000109, CTD-000093 |
2024.08 |
17642 |
NEW: CTD-000141: AD domain with unsecure ESX authentication bypass
This threat definition detects an AD group named ESX Admins. On ESXi hosts joined to Active Directory, every member of this group is granted full administrative control over the host by default, so a threat actor with sufficient Active Directory permissions can gain full access to all ESXi hosts that use AD for user management simply by creating a new group called ESX Admins or by renaming an existing Active Directory group to ESX Admins. |
2024.08 |
14470 |
NEW: CTD-000112: Enterprise Key Admins group with full access to the AD domain
This threat definition detects the Enterprise Key Admins group holding the Full Control permission over the domain object. With that permission the group can replicate all changes from Active Directory, so a threat actor who obtains membership in it can perform a DCSync attack. The Enterprise Key Admins group lacks the additional protections given to other high-privilege groups such as Built-in Administrators (BA), Domain Admins (DA), and Enterprise Admins (EA), which makes it an attractive target for actors seeking to compromise the entire forest. |
2024.07 |
16688 |
NEW: CTD-000128: AD object with Migrate SID history permission
This threat definition detects users or groups with the Migrate SID History extended right in Active Directory. Delegating this permission to a regular user poses a significant security threat: a threat actor can exploit it by migrating the SID of a high-privilege account into their own account's sIDHistory, effectively gaining the same access rights and privileges. They can also add SIDs to access restricted resources, maintain persistence by hiding elevated privileges in an inconspicuous account, and evade security monitoring because group memberships appear unchanged. |
2024.07 |
17129 |
NEW: CTD-000131: Regular AD object with unexpected adminCount value
This threat definition detects regular (non-protected) objects whose adminCount attribute is set to 1. The attribute is normally stamped by the AdminSDHolder process only on members of protected groups; a regular object carrying the value was either a member once or was stamped manually, and its ACL keeps inheritance disabled, so it is neither re-secured by AdminSDHolder nor receives ACEs inherited from its OU. A threat actor can use such overlooked objects as a foothold for Access Control List (ACL) attacks. |
2024.07 |
16697 |
NEW: CTD-000133: External trust without SID filtering enabled
This threat definition detects external trusts for which SID filtering (the quarantine attribute on the trust) is not enabled. A threat actor who has gained control of a domain controller in the trusted domain can then exploit the SID history attribute (sIDHistory) to attach SIDs from the trusting domain, such as the SID of its Domain Admins group, to accounts or forged tickets, thereby granting themselves unauthorized access across the trust. |
2024.07 |
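Both CTD-000133 and CTD-000128 come down to two checks: is the trust flagged as quarantined, and does any account carry sIDHistory entries that should never be there. The script below is an added example in Python and is not Cayosoft Guardian's code; the trustAttributes bit values and well-known RIDs are the documented ones, while the trust records, domain SIDs and account are constructed.

```python
# trustAttributes bits on trustedDomain objects ([MS-ADTS] 6.1.6.7.9).
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x1
TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x2
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering enforced on this trust
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x40

# RIDs of well-known privileged principals that should never arrive via sIDHistory:
# Administrator, Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins.
PRIVILEGED_RIDS = {500, 512, 516, 518, 519}


def unfiltered_external_trusts(trusts):
    """trusts: dicts with 'name' and 'trustAttributes'. Returns the names of external
    trusts (neither forest trusts nor intra-forest trusts) without the quarantine bit."""
    hits = []
    for t in trusts:
        attrs = t["trustAttributes"]
        if attrs & (TRUST_ATTRIBUTE_FOREST_TRANSITIVE | TRUST_ATTRIBUTE_WITHIN_FOREST):
            continue  # forest and intra-forest trusts are assessed by other checks
        if not attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
            hits.append(t["name"])
    return hits


def suspicious_sid_history(account, local_domain_sid):
    """Return sIDHistory entries on `account` that would elevate access in the local
    domain: SIDs issued by this very domain (sIDHistory should only carry SIDs from a
    migration source domain) or SIDs carrying a well-known privileged RID."""
    hits = []
    for sid in account.get("sIDHistory", []):
        domain_part, _, rid = sid.rpartition("-")
        if domain_part == local_domain_sid or int(rid) in PRIVILEGED_RIDS:
            hits.append(sid)
    return hits


# Constructed sample data; domain names and SIDs are invented.
LOCAL_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
SAMPLE_TRUSTS = [
    {"name": "partner.example", "trustAttributes": 0x0},                               # external, unfiltered
    {"name": "legacy.example", "trustAttributes": TRUST_ATTRIBUTE_QUARANTINED_DOMAIN},  # external, filtered
    {"name": "otherforest.example", "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE},
]
SAMPLE_ACCOUNT = {
    "sAMAccountName": "migrated-user",
    "sIDHistory": [
        "S-1-5-21-999999999-888888888-777777777-1234",  # ordinary migrated user SID: fine
        "S-1-5-21-999999999-888888888-777777777-512",   # foreign Domain Admins RID: suspicious
        "S-1-5-21-111111111-222222222-333333333-1104",  # SID from the local domain: suspicious
    ],
}

if __name__ == "__main__":
    print("external trusts without SID filtering:", unfiltered_external_trusts(SAMPLE_TRUSTS))
    print("suspicious sIDHistory on", SAMPLE_ACCOUNT["sAMAccountName"],
          suspicious_sid_history(SAMPLE_ACCOUNT, LOCAL_DOMAIN_SID))
```

The two checks complement each other: quarantine on the trust stops foreign SIDs at the boundary, while the sIDHistory scan catches SIDs that were planted inside the domain with the Migrate SID History right.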
9152 |
NEW: CTD-000134: Microsoft Entra tenant has Exchange Organization without mail-flow rules restricting attachments with executables
This threat definition detects Exchange organizations in the tenant that have no mail-flow (transport) rule blocking attachments with executable content. Without such a rule a threat actor may deliver an email carrying an executable attachment; if a user runs the file, the result can be code execution on the endpoint and further compromise. |
|
17136, 17145, 11242, 17078, 17075, 17267 |
UPDATE: CTD-000044, CTD-000045, CTD-000062, CTD-000075, CTD-000077, CTD-000081, CTD-000086, CTD-000088 |
2024.07 |
17075, 17146, 17078 |
Update: CTD-000006, CTD-000003, CTD-000049, CTD-000063, CTD-000064, CTD-000065, CTD-000066, CTD-000067, CTD-000076, CTD-000071, CTD-000085, CTD-000109, CTD-000121, CTD-000123, CTD-000125, CTD-000129, CTD-000130 |
2024.06 |
15333 |
New: CTD-000122: AD forest with unsecure schema update permissions
This threat definition detects all users who are not members of Schema Admins but have 'update' permissions on the schema. This check corresponds to the ANSSI check vuln_permissions_schema. A threat actor with permission to modify the schema might compromise the Active Directory forest or make it inoperable. |
2024.06 |
15671 |
New: CTD-000125: Folder on SYSVOL with non-default access permissions
This threat definition detects standard user accounts that have permissions other than read or execute on SYSVOL or its sub folders. The SYSVOL directory contains files that are public to the domain, such as policies and logon scripts. Improper access permissions on these files could allow unauthorized users, including threat actors, to read, modify, or delete Group Policy data and scripts that every domain member applies. |
2024.06 |
14192 |
New: CTD-000127: Regular AD object with access to gMSA passwords This threat definition detects regular principals that are allowed to retrieve the managed password of a group Managed Service Account (gMSA) and can therefore authenticate as that account. |
2024.06 |
16639, 16692 |
Update: Enhanced detection algorithm in CTD-000109, CTD-000129 The threat detection mechanism has been improved. |
|
16240 |
New! CTD-000109 Entra: Entra object created by unusual Initiator This threat definition detects all object creations initiated by users who did not create objects before, within the specified time period. A threat actor may use a previously compromised account to create other temporary accounts to perform malicious activities. |
2024.05 |
16135 |
New: CTD-000126: AD domain with recent authoritative restores |
2024.05 |
16239 |
New: CTD-000129: AD object created by unusual Initiator This threat definition detects all object creations initiated by users who did not create objects before, within the specified time period. A threat actor may use a previously compromised account to create other temporary accounts to perform malicious activities. |
2024.05 |
16318 |
New: CTD-000130 AD: Privileged AD object with permissions allowing takeover by a regular user This threat definition detects all the privileged objects where regular users have the following permissions:
Active Directory objects such as users, computers, and groups are securable. A Discretionary Access Control List (DACL) is attached to each object and specifies, as a list of access control entries (ACEs), which users and groups can access the object and what operations they can perform on it. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access. A threat actor might modify the DACLs of privileged objects to keep their presence in the environment and stay unnoticed: with such permissions configured in advance, a threat actor holding only a regular account can take over a privileged object at any time. |
2024.05 |
15125 |
New: CTD-000118: AD domain with multiple failed authentication attempts from invalid users via NTLM (Password Spray) This threat definition detects recurring failed authentication attempts using invalid user accounts via NTLM. Multiple failed authentication attempts from invalid users via NTLM may indicate that a threat actor is performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. The detection mechanism uses event 4776 with error code 0xC0000064, meaning 'The username you typed does not exist'. |
2024.04 |
16040 |
Update: Enhanced detection algorithm in CTD-000016, CTD-000017, CTD-000041, CTD-000045, CTD-000044, CTD-000035, CTD-000043, CTD-000081 Previously, Microsoft suggested that privileged roles could be identified by their names containing the word Admin. However, some roles, like Global Reader, are also considered privileged, so the isPrivileged attribute was introduced to help identify privileged roles. Cayosoft Guardian now finds roles by name, mask, and the isPrivileged attribute. |
2024.04 |
12756 |
New: CTD-000123: AD object with modified msDS-KeyCredentialLink (Shadow credentials attack) This threat definition detects and alerts in real time on unexpected changes to the msDS-KeyCredentialLink attribute. The Kerberos protocol uses tickets and pre-authentication to grant access. Pre-authentication can be symmetric (DES, RC4, AES128, AES256) or asymmetric (PKINIT). PKINIT requires a public-private key pair: the client signs the pre-authentication data with its private key and the KDC verifies the signature with the client's public key. In Active Directory, the KCL attribute (msDS-KeyCredentialLink) stores raw public keys for this purpose. If a threat actor controls an account that can write the KCL of a target user or computer, they can generate a key pair, append the public key to the attribute, and from then on authenticate as the target with PKINIT, which gives persistent access. Thus, unexpected changes to the msDS-KeyCredentialLink attribute might be an indication of threat activity. |
2024.04 |
16172 |
New: CTD-000124: Privileged AD user with failed logon attempts This threat definition detects failed logon attempts by privileged users on domain controllers. Microsoft recommends monitoring the activities of high-value domain accounts. As these accounts have high-level permissions in your Active Directory, a threat actor may attempt to log in using their credentials to gain access to valuable resources and data in your environment. Failed login attempts may indicate threat activity and should be thoroughly investigated. |
2024.04 |
14997 |
New: CTD-000110: AD domain with multiple failed authentication attempts via Kerberos (Password Spray) This threat definition detects if an endpoint repeatedly tries to authenticate with different unique user accounts using the Kerberos protocol. This might be a threat actor performing a Password Spraying attack against an Active Directory environment. The detection mechanism uses native events from the Security log. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT); failure code 0x18 (KDC_ERR_PREAUTH_FAILED) means a wrong password was provided for an account that is a legitimate domain user. |
2024.03 |
15119 |
New: CTD-000107: AD domain controller with multiple failed authentication attempts (Password Spray) This threat definition detects if an endpoint repeatedly tries to authenticate with different unique user accounts against a single domain controller. This might be a threat actor performing a Password Spraying attack against an Active Directory environment. The detection mechanism uses native events from the Security log. Event 4625 documents failed attempts to log on to the computer, and Logon Type 3 describes a network logon, i.e. an authentication attempt coming from another host (for example over SMB, LDAP, or RPC). |
2024.03 |
15120 |
New: CTD-000106: AD domain with multiple failed authentication attempts via process (Password Spray) This threat definition detects if a process repeatedly fails to authenticate with multiple users. This might be an indication of a threat actor trying to obtain initial access or elevate privileges by performing a Password Spraying attack against an Active Directory environment. The detection mechanism uses native events from the Security log. Event 4625 documents failed attempts to log on to the computer, and Logon Type 2 describes an interactive logon attempt. |
2024.03 |
15122 |
New: CTD-000108: AD domain controller with multiple failed authentication attempts by non-existing users using Kerberos This threat definition searches for failed Kerberos logon attempts with multiple non-existent domain user names. This might indicate a threat actor trying to perform a Password Spraying attack (or user enumeration) against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. The detection mechanism uses event 4768 with failure code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), which stands for 'client not found in Kerberos database', i.e. the attempted user is not a valid domain user. |
2024.03 |
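The five password-spray definitions (CTD-000118, CTD-000110, CTD-000108, CTD-000107, CTD-000106) share one shape: filter the right event/status pair, group by the source, and count distinct target accounts in a time window. The following is an added example in Python, not Cayosoft Guardian's detection code; the event IDs and status codes are the ones the definitions name, while the field names, the 5-user/5-minute threshold, and the event records themselves are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event/status pairs that feed each password-spray definition on the page.
RULES = {
    "CTD-000118 NTLM, non-existent user":     lambda e: e["EventId"] == 4776 and e.get("Status") == "0xC0000064",
    "CTD-000110 Kerberos, wrong password":    lambda e: e["EventId"] == 4771 and e.get("Status") == "0x18",
    "CTD-000108 Kerberos, non-existent user": lambda e: e["EventId"] == 4768 and e.get("Status") == "0x6",
    "CTD-000107 network logon failure":       lambda e: e["EventId"] == 4625 and e.get("LogonType") == 3,
    "CTD-000106 interactive logon failure":   lambda e: e["EventId"] == 4625 and e.get("LogonType") == 2,
}


def source_of(event):
    """The attribute that identifies 'who is spraying' differs per event."""
    if event["EventId"] == 4776:
        return event.get("Workstation", "?")            # NTLM: source workstation name
    if event["EventId"] == 4625 and event.get("LogonType") == 2:
        return event.get("ProcessName", "?")            # local process doing the logons
    return event.get("IpAddress", "?")                  # Kerberos and network logons


def detect_sprays(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(rule, source): sorted user names} for every source that failed against
    at least `threshold` distinct accounts within `window`. One source hitting one
    account many times is brute force, not spraying, and is deliberately not matched."""
    alerts = {}
    recent = defaultdict(list)  # (rule, source) -> [(time, user), ...] inside the window
    for e in sorted(events, key=lambda e: e["Time"]):
        for rule, matches in RULES.items():
            if not matches(e):
                continue
            key = (rule, source_of(e))
            bucket = recent[key]
            bucket.append((e["Time"], e["TargetUserName"].lower()))
            bucket[:] = [(t, u) for t, u in bucket if e["Time"] - t <= window]
            users = {u for _, u in bucket}
            if len(users) >= threshold:
                alerts[key] = sorted(users)   # keep the latest, most complete user set
    return alerts


# Constructed events modelled on Security-log fields; none of this is real telemetry.
BASE = datetime(2024, 3, 4, 9, 0, 0)


def ev(seconds, event_id, user, **fields):
    return {"Time": BASE + timedelta(seconds=seconds), "EventId": event_id, "TargetUserName": user, **fields}


SPRAYED = ["mwilson", "jsmith", "kchen", "rpatel", "abrown", "lgarcia"]
SAMPLE_EVENTS = (
    # NTLM spray with a wordlist of guessed user names: six unknown users in 30 s
    [ev(i * 5, 4776, u, Status="0xC0000064", Workstation="ATTACKER-PC") for i, u in enumerate(SPRAYED)]
    # Kerberos spray: one password tried against five real accounts from one IP
    + [ev(60 + i * 3, 4771, u, Status="0x18", IpAddress="10.0.0.5") for i, u in enumerate(SPRAYED[:5])]
    # brute force against a single service account: many failures, one user -> no spray alert
    + [ev(120 + i * 2, 4625, "svc-sql", LogonType=3, IpAddress="10.0.0.9", Status="0xC000006D") for i in range(8)]
    # wrong-password NTLM failures carry 0xC000006A and are not CTD-000118 material
    + [ev(200 + i * 5, 4776, u, Status="0xC000006A", Workstation="ATTACKER-PC") for i, u in enumerate(SPRAYED)]
)

if __name__ == "__main__":
    for (rule, source), users in detect_sprays(SAMPLE_EVENTS).items():
        print(f"{rule} from {source}: {', '.join(users)}")
```

Two of the four bursts fire: the NTLM unknown-user spray and the Kerberos wrong-password spray. The single-account brute force and the NTLM failures with a different status code are ignored, which is what separates a spray detector from a generic failed-logon counter.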
11584 |
New! CTD-000113: AD forest with Java schema extension This threat definition checks if a schema extension enabling the representation of Java objects in AD (the javaObject classes with attributes such as javaClassName, javaCodebase, and javaSerializedData) has been applied. A threat actor able to write these attributes can store a serialized object in them or point javaCodebase at a remote class, so that an application resolving the object through the Java Naming and Directory Interface (JNDI) deserializes or loads attacker-supplied code. Check whether a legitimate application requires the extension; either mitigate the risk for that application or disable the extension if it is no longer in use. |
2024.03 |
12745 |
New: CTD-000114 Threat: Medium: DNS: AD-integrated DNS zone with WINS forward lookup enabled This threat definition checks if there is an AD-integrated DNS zone with WINS forward lookup enabled. With WINS forward lookup, a DNS server that receives an address record query it cannot answer sends a NetBIOS name query (NBT-NS) to the pre-configured WINS server and returns whatever that server answers. Because the DNS server trusts the WINS response without any authentication, a threat actor able to spoof WINS or NetBIOS name responses can make the DNS server hand out an attacker-controlled address, redirecting clients and enabling credential capture or relay. The WINS server and the DNS-to-WINS communication must therefore be secured, or WINS lookup disabled if it is no longer needed. |
2024.03 |
15669 |
New: CTD-000121: AD domain with executable files in SYSVOL
This threat definition checks if there are executable files in SYSVOL. Such files pose a risk because they might be infected or compromised and are executed by every domain member that applies the policy or script referencing them. Infected files are also likely to be included in backups taken for forest recovery and could carry the infection into a recovered forest. |
2024.03 |
12555 |
New: CTD-000105: AAD: Rejected PIM role membership request from Entra user This threat definition finds records indicating rejected requests for a privileged role elevation via Privileged Identity Management in Entra ID. When a user request is repeatedly rejected, it might indicate that a threat actor compromised the requestor account and is trying to get someone to approve its privilege elevation. |
2024.03 |
15668 |
New: CTD-000119: AD forest is not protected against forest-wide failure by Cayosoft Guardian This threat definition checks if Guardian Forest is configured to create the backups of managed forests. A threat actor might cause a forest-wide failure and without a proper backup and recovery technology in place you might not be able to recover at all.
|
2024.03 |
14778 |
New: CTD-000115: AD domain with Operator Groups that are not empty
Account Operators, Server Operators, Backup Operators, and Print Operators groups can have permissions to access resources in your environment. A threat actor could compromise accounts that are members of these groups to get access to critical data. Also, in many cases, members of these groups can elevate their permission to Domain Admins. |
2024.02 |
11683 |
New: CTD-000103: Entra tenant where regular users can create Microsoft 365 Groups This threat definition checks if regular users can create Microsoft 365 groups that can be used to manage access to resources and services in Entra ID. If a regular user can create such groups in the tenant, a threat actor might create a group and use that group to get access to other user accounts. Microsoft 365 Groups creation should be restricted to administrators only. |
2024.02 |
15020 |
Updated: New categories for all threat definitions New categories such as Indicator of Exposure, Indicator of Compromise, and Indicator of Attack have been added to all threat definitions. These categories help to prioritize threat alerts, so immediate threats could be resolved earlier. |
2023.12 |
14788 |
Updated: Up-to-date threat definitions and remediation texts Threat definitions and remediation texts have been updated to use new Microsoft Entra naming and terminology. Step-by-step instructions provided by Cayosoft now redirect you to Microsoft Entra admin center instead of the legacy Azure AD portal.
|
2023.12 |
14441 |
New! CTD-000098: AD Domain Controller with non-admin owner This threat definition detects domain controllers with non-admin owners. A threat actor might use a compromised account that is the owner of a domain controller to elevate their permissions. This threat definition is included in the ANSSI cybersecurity framework (vuln1_permissions_dc). References: |
2023.12 |
14809 |
New! CTD-000101: Microsoft Entra tenant with unsecure configuration of user risk policy This threat definition detects if the Entra ID tenant does not use the user risk policy to protect user accounts. Microsoft's recommendation is to require a secure password change when user risk level is High. Microsoft Entra multifactor authentication is required before the user can create a new password with password writeback to remediate their risk. Identity Protection analyzes signals about user accounts and calculates a risk score based on the probability that the user has been compromised. If a user has risky sign-in behavior, or their credentials have been leaked, Identity Protection will use these signals to calculate the user risk level. Administrators can configure user risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as:
|
2023.12 |
14810 |
New! CTD-000102: Azure AD tenant with unsecure configuration of sign-in risk policy This threat definition detects if the Entra ID tenant does not use the sign-in risk policy to protect user accounts. Sign-in risk policy in Conditional Access allows mitigation of sign-in risks preventing threat actors from getting access to user accounts. Organizations must decide the level of risk they want to require access control on balancing user experience and security posture. Microsoft recommends requiring Microsoft Entra multifactor authentication when sign-in risk level is Medium or High, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.
|
2023.12 |
14777 |
New! CTD-000104: AD computer account that is a member of privileged groups This threat definition finds AD computer accounts that are members of privileged groups. A threat actor might compromise an AD computer to be able to act as a member of that group. |
2023.12 |
11456 |
New! CTD-000095: Privileged Azure AD user accounts susceptible to MFA fatigue attacks This threat definition finds privileged accounts in Azure AD with voice-based authentication methods. According to Microsoft, with adoption of strong authentication, multi-factor authentication (MFA) fatigue attacks (aka, MFA spamming) are on the rise. These attacks rely on the user’s ability to approve a simple voice notification that doesn’t require the user to have the context of the session they are authenticating. Anytime users are doing “press hash key” or “enter your PIN to approve” instead of entering a code they see on-screen, they are doing “simple approvals”. Microsoft's studies show that about 1% of users will accept a “simple approval” request without actually authenticating into a particular session, others might do so on subsequent calls, thus allowing threat actors to get authenticated. To mitigate the risk, Microsoft recommends using strong authentication methods instead.
|
2023.11 |
11546 |
New! CTD-000094: AD domain with unsecure configuration of Cloud Kerberos Trust This threat definition checks if there is an AD domain with Cloud Kerberos Trust configured and whether some privileged accounts are not denied from using this trust. Cloud Kerberos Trust enables passwordless authentication from Azure AD to the AD forest for all accounts except those specifically denied. We generate a list of privileged accounts that have not been denied from using Cloud Kerberos Trust and that could therefore be used by a threat actor for lateral movement from Azure AD to on-premises AD. |
2023.11 |
14440 |
New! CTD-000093: Short-lived privileged AD user This threat definition finds accounts in the Active Directory domain that are no longer members of the privileged groups but were members for a short period of time. An AD user account that was added to a privileged group and then removed might be an indication of threat activity. Accounts that were once in a privileged group might have obtained or retained permissions tied to privileged access, so these accounts should not be re-used by regular users. |
2023.11 |
11494 |
New! CTD-000096: Azure AD tenant with device settings allowing brute force attacks This threat definition checks if the tenant's device policies allow an unlimited number of sign-in attempts on devices. If a device lets a threat actor guess a password with unlimited attempts, the attacker may eventually gain access to the device and compromise credentials or data, or install malicious software. |
2023.11 |
14036 |
Updated! CTD-000060: AD computer with suspicious change of sAMAccountName The detection algorithm of this threat definition has been updated.
|
2023.11 |
11546 |
New! CTD-000092: Stale Azure AD Service Principal This threat definition finds stale Service Principals (Enterprise Applications) in Azure AD. A compromised Enterprise Application could be used by a threat actor to access data in your tenant. If there is an application without sign-ins, it might be an indication that this Service Principal is no longer used. It is recommended to disable the Service Principal to reduce the attack surface. |
2023.10 |
12744 |
New! CTD-000091: AD-integrated DNS zone allowing unsecure updates This threat definition finds AD-integrated DNS zones allowing unsecure updates. Unsecure dynamic updates allow a threat actor to update a DNS record without authentication. Threat actors can replace an existing DNS record and redirect people to another server. If dynamic updates are required for your company, it is highly recommended to use the Secure Only dynamic updates option. |
2023.10 |
14187 |
New! CTD-000090: AD user with suspicious password refresh This threat definition finds users with suspicious changes to their password state. Turning the option User Must Change Password at Next Logon "on" sets pwdLastSet to 0; turning it "off" again later without an actual password change writes the current time into pwdLastSet, so the old password appears fresh and outlives the maximum password age. Such a toggle could mean a threat actor is trying to circumvent the organization's password policies. |
2023.10 |
14029 |
New! CTD-000088: AD domain controller using unsecure encryption type This threat definition checks if domain controllers are configured to use weak encryption types. While RC4 (Rivest Cipher 4) is remarkable for its simplicity and speed, multiple vulnerabilities have been discovered since its original release, rendering it insecure. RC4 is especially vulnerable when the beginning of the output key stream isn't discarded, or when non-random or related keys are used. A threat actor employing MITM (Man-in-the-Middle) tactics could execute successful deciphering operations in an environment with weak encryption. |
2023.10 |
14516 |
New! CTD-000089: AD domain with unsecure RBCD delegation on domain controllers This threat definition checks permissions on domain controllers. A threat actor could exploit this misconfiguration by identifying non-privileged users outside of the Domain Admins, Enterprise Admins, or Built-in Administrators groups who possess write access to the Resource-Based Constrained Delegation (RBCD) settings (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute) of domain controllers. With write access, attackers can allow a resource they control to impersonate any user to the domain controller, except those explicitly protected from delegation. This threat definition follows the recommendations from the Active Directory Security Assessment Checklist by ANSSI. |
2023.10 |
14027 |
New! CTD-000087: AD domain with unsecure RBCD delegation on krbtgt account This threat definition checks permissions on the KRBTGT account. A threat actor with permission to modify the KRBTGT account can compromise it. Using the KRBTGT account's key, they can forge a Kerberos ticket-granting ticket (TGT) that provides authorization to any resource and set the ticket expiration to an arbitrary time. This fake TGT is called a "Golden Ticket" and allows attackers to achieve network persistence. This threat definition follows the recommendations from the Active Directory Security Assessment Checklist by ANSSI. |
2023.10 |
14561 |
Update! CTD-000051 A typo was corrected in the description of the threat definition. |
2023.10 |
14035 |
Update! CTD-000060 An issue was resolved when this threat definition did not raise real-time alerts for undelete operations. |
2023.10 |
10729 |
New! CTD-000086: Forest with recent schema changes This threat definition detects recent changes in the schema of your Active Directory forest. The schema is the underlying definition of all objects and attributes that make up the forest. A threat actor with permission to modify the schema might compromise the overall security posture. Schema changes cannot be reversed without a forest recovery process, which can be automated with Cayosoft Guardian Forest Recovery. |
2023.09 |
14332 |
Updated! CTD-000069: The performance of the threat definition was significantly improved. |
2023.09 |
14037 |
Updated! CTD-000046: AD computer using dNSHostName that belongs to another computer account An issue was resolved when a real-time alert was not raised for undeletes. |
2023.09 |
13999 |
New! CTD-000083: Azure AD tenant with recent changes in the configuration of cross-tenant synchronization This threat definition checks if there are recent changes in the configuration of cross-tenant synchronization. For more detail about how cross-tenant synchronization can be abused see this article. |
2023.09 |
13679 |
New! CTD-000084: AD domain where domain controllers allow authentication with keys vulnerable to ROCA This threat definition checks if there are domain controllers that are not protected from ROCA vulnerability. Learn more about ROCA vulnerability and remediation steps. |
2023.09 |
14215 |
New! CTD-000085 Medium: AD: Regular AD user with permission to link GPOs This threat definition follows the recommendations from the Active Directory Security Assessment Checklist by ANSSI (tag: vuln1_permissions_gpo_priv). It detects regular users with suspicious permissions allowing them to link GPOs to containers holding privileged accounts, which gives them the possibility to elevate their permissions. |
2023.09 |
14023 |
New! CTD-000082: AD forest with too many privileged accounts This threat definition counts privileged accounts in AD and raises an alert if the number exceeds the threshold. |
2023.08 |
10764 |
New! CTD-000081: Stale privileged Azure AD user account This threat definition finds privileged accounts in Azure AD that are not used. |
2023.08 |
10726 |
New! CTD-000080: Regular AD user account with permissions to modify DNS server objects This threat definition detects regular AD users with dangerous permissions over DNS objects. |
2023.08 |
13755 |
New! CTD-000075: AD forest with Recycle Bin not enabled This threat definition checks if Recycle Bin is enabled in your Active Directory Forest. |
2023.08 |
13678 |
New! CTD-000076: AD CS server vulnerable to NTLM relay attacks This threat definition detects AD CS server vulnerable to NTLM relay attacks. |
2023.08 |
12790 |
New! CTD-000079: Privileged AD user not protected from using unsecure authentication methods This threat definition detects privileged users who are not members of the Protected Users group. |
2023.08 |
12785 |
New! CTD-000077: AD domain allowing NTLM authentication
This threat definition checks if there is a group policy restricting NTLM authentication methods. |
2023.08 |
11449 |
New! CTD-000078: Stale Azure AD guest account This threat definition detects stale guest user accounts in your tenant.
|
2023.08 |
10726 |
New! CTD-000079: Regular AD user account with permissions to modify DNS server objects This threat definition detects regular users who are members of the DNS Admins group or have permissions over this group. |
2023.08 |
13711, 13712, 13713, 13714, 13715, 13885 |
Updated! CTD-000067, CTD-000066, CTD-000065, CTD-000064, CTD-000063 Additional configuration parameters were added. |
2023.07 |
13710 |
New! CTD-000071: Azure AD tenant with bulk changes of devices
This threat definition detects bulk changes of devices in Azure AD tenants. |
2023.07 |
13677 |
New! CTD-000070: Privileged group members with weak password policy This threat definition detects if privileged domain accounts are not protected by a stronger password policy. |
2023.07 |
12776 |
New! CTD-000069: AD forest allowing vulnerable Netlogon secure channel connections
This threat definition detects computers allowing vulnerable Netlogon secure channel connections. |
2023.07 |
12709 |
Updated! CTD-000013, CTD-000023 Additional configuration parameters were added. |
2023.07 |
11742 |
New! CTD-000073: AD forest with password hash synchronization not enabled This threat definition detects if password hash synchronization is not enabled. |
2023.07 |
10728 |
New! CTD-000072: AD user account with old password This threat definition detects a user account whose password is not changed periodically. |
2023.07 |
13410, 13483, 13470 |
Updated! All threat definitions: MITRE and ANSSI classification Additional references to threat classification frameworks such as ANSSI and MITRE were added for all threat definitions. |
2023.06-1 |
13449 |
New! CTD-000004: AD object with non-default primary group Additional configuration parameters were added to the threat definition. |
2023.06-1 |
13226 |
New! CTD-000065, CTD-000066, CTD-000067, CTD-000063, CTD-000064 These threat definitions detect when a specified number of object changes occurs in the managed system over a short period of time. |
2023.06-1 |
12908 |
New! CTD-000062: AD domain controller with enabled print spooler
This threat definition detects domain controllers on which the Print Spooler service is not stopped and disabled. Print Spooler is a software service that manages printing: it accepts print jobs from computers, makes sure printer resources are available, and schedules the order in which jobs are sent to the print queue. While seemingly harmless, any authenticated user can remotely connect to the spooler on a domain controller and ask to be notified of new print jobs, naming a host of their choice as the notification target. The domain controller then authenticates to that host with its own computer account (the spooler runs as SYSTEM); if the host has unconstrained delegation, the DC's TGT is captured and the domain controller computer account is compromised. |
2023.06-1 |
|
New! CTD-000068: Azure AD user retrieving BitLocker keys This threat definition detects when an Azure AD user retrieves a BitLocker key. A threat actor with access to the physical machine might use these recovery keys to decrypt drives and gain access to data. |
2023.06-1 |
12549 |
New! CTD-000061: Stale Azure AD device This threat definition identifies Azure AD devices that are no longer used. Devices can become stale when a user gets a new device or loses a device, or when an Azure AD joined device is wiped or reprovisioned. Devices might also remain registered or joined when the user is no longer associated with the tenant. Stale devices should be removed so the primary refresh tokens (PRTs) cannot be used by a threat actor. |
2023.06-1 |
13245 |
Updated! CTD-000048: AD computer with traces of DCShadow attack The evidence content and text were updated. |
2023.06-1 |
|
Updated! CTD-000008: Azure AD app with client secrets Resolved an issue where the threat definition failed with an error if the client secret had an empty description. |
2023.05-1 |
12759 |
New! CTD-000060: AD computer with a suspicious change of sAMAccountName This threat definition detects suspicious changes in a computer's sAMAccountName. The Common Vulnerabilities and Exposures (CVEs) CVE-2021-42278 and CVE-2021-42287 are security flaws that can be exploited by a threat actor who has obtained low-privileged domain user credentials. These vulnerabilities enable the attacker to obtain a Kerberos Service Ticket for a Domain Controller computer account, which provides elevated privileges within the domain. |
2023.05 |
12728 |
New! CTD-000058: Privileged AD user account with associated SPNs This threat definition detects privileged AD accounts with Service Principal Names (SPNs). Kerberoasting attacks involve scanning an Active Directory environment to generate a list of user accounts that have a Kerberos Service Principal Name. Attackers then request Kerberos Service Tickets for these SPNs. The tickets are dumped from memory using tools such as Mimikatz and then exfiltrated for offline brute forcing of the encrypted segment of the tickets. If successful, attackers can recover the passwords associated with the accounts, which they then use to remotely sign in to machines or access resources. |
2023.05 |
11467 |
New! CTD-000057: AD forest with the Azure SSO computer account not changing its password This threat definition checks whether the Azure SSO computer account is not changing its password regularly. A special computer account, AZUREADSSOACC, is used to provide Azure AD Seamless SSO functionality. If a threat actor can compromise the password of AZUREADSSOACC, the threat actor could generate a Ticket Granting Service (TGS) request to the AZUREADSSOACC account as any user. With the received ticket, the threat actor can impersonate a user in Azure AD. The password of the AZUREADSSOACC account never changes by default, so a stolen hash/key will work indefinitely unless the password is changed. This security flaw could be misused by highly privileged employees to retain access to the environment after leaving the company. |
2023.05 |
10706 |
New! CTD-000005: AD security principal with replication permissions This threat definition detects accounts with replication permissions. Threat actors might use such accounts in a DCSync attack. By leveraging DCSync, threat actors can escalate privileges, perform unauthorized actions, or move laterally within the network, posing a significant risk to the security of the Active Directory infrastructure. |
2023.05 |
13108 |
Updated! CTD-000053: AD domain accounts with password not required This threat definition was updated to raise alerts only for enabled AD user accounts. |
2023.05 |
13397 |
Updated! CTD-000048: AD computer with traces of DCShadow attack Resolved an issue where Cayosoft Guardian raised an unexpected alert for AD computers hosting instances of AD LDS. |
2023.05 |
13092 |
New! CTD-000056: AD domain allows unprivileged users to add computer accounts This threat definition detects Active Directory domains where unprivileged users have the ability to add computer accounts. This can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure by creating their own computer accounts with elevated privileges. |
2023.04 |
12763 |
New! CTD-000055: AD domain account with password stored using reversible encryption This threat definition detects AD domain accounts where passwords are stored using reversible encryption. Reversible encryption is an insecure storage method that can be easily decrypted, allowing threat actors to gain unauthorized access to your Active Directory infrastructure. |
2023.04 |
12730 |
New! CTD-000054: AD user account with DES encryption type enabled This threat definition detects AD user accounts with DES encryption type enabled, which is an insecure encryption type that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. |
2023.04 |
12751 |
New! CTD-000053: AD domain accounts with password not required This threat definition detects AD domain accounts where a password is not required, which can allow threat actors to gain unauthorized access to your Active Directory infrastructure without the need for a password. |
2023.04 |
|
New! CTD-000052: AD domain account with Kerberos pre-authentication disabled This threat definition detects AD domain accounts with Kerberos pre-authentication disabled. Kerberos pre-authentication is an important security feature that protects against password guessing attacks, and disabling it can increase the risk of unauthorized access to your Active Directory infrastructure. |
2023.04 |
|
New! CTD-000051: AD Krbtgt account password was not reset recently This threat definition detects Active Directory domains where the Krbtgt account password has not been reset recently. The Krbtgt account is used for Kerberos authentication, and a compromised password can allow threat actors to gain unauthorized access to your Active Directory infrastructure. |
2023.04 |
|
New! CTD-000050: Security principals with dangerous replication permissions This threat definition detects security principals with dangerous replication permissions, such as the ability to replicate passwords or to create or modify users, groups, or computers. These permissions can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. |
2023.04 |
|
New! CTD-000049: AD domain account with unconstrained delegation This threat definition detects AD domain accounts with unconstrained delegation enabled. Unconstrained delegation allows a user to impersonate any other user without restriction, making it a high-risk setting that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. |
2023.04 |
|
New! CTD-000048: AD computer with traces of DCShadow attack This threat definition detects AD computers with traces of a DCShadow attack, a technique used by threat actors to register a rogue domain controller and take control of your Active Directory infrastructure. |
2023.04 |
|
New! CTD-000047: AD domain controller with SMB1 enabled This threat definition detects AD domain controllers with SMB1 enabled. SMB1 is an outdated and insecure protocol that can be exploited by threat actors to gain unauthorized access to your Active Directory infrastructure. |
2023.04 |
12715 |
New! CTD-000046: AD computer using dNSHostName that belongs to another computer account This threat definition detects AD computers using a dNSHostName that belongs to another computer account. If the dNSHostName attribute is set to the value of another computer account, threat actors could potentially use this to impersonate that computer and gain unauthorized access to resources. |
2023.04 |
10749 |
New! CTD-000045: Azure AD user account not registered with MFA This threat definition detects regular Azure AD user accounts that have not registered for MFA. These accounts are at risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant. |
2023.03 |
10733 |
New! CTD-000044: Privileged Azure AD account not registered for MFA This threat definition detects privileged Azure AD accounts that have not registered for Multi-Factor Authentication (MFA). These accounts have elevated permissions and are at high risk of being targeted by threat actors attempting to gain unauthorized access to your Azure AD tenant. |
2023.03 |
11769 |
New! CTD-000043: Service Principal promoted an account to privileged role members This threat definition detects suspicious promotions to privileged roles made by Service Principals. A threat actor might use an Azure AD application to promote user accounts to privileged role members without detection. |
2023.03 |
12715 |
New! CTD-000046: AD computer using dNSHostName that belongs to another computer account
This threat definition detects AD computers using a dNSHostName that belongs to another computer account. If the dNSHostName attribute is set to the value of another computer account, threat actors could potentially use this to impersonate that computer and gain unauthorized access to resources. |
2023.03 |
11452 |
New! CTD-000040: Azure AD guest account with an unredeemed invitation This threat definition detects unredeemed guest invitations. Threat actors might use such invitations to get access to your tenant. |
2023.01.0.7 |
11463 |
New! CTD-000041: Azure AD tenant with unsecured token persistence
This threat definition detects if token persistence is not disabled for users with admin roles. If a device used by an administrator is left unattended or compromised, a threat actor might be able to extract the primary refresh token (PRT) and use it to access your tenant, bypassing MFA. |
2023.01.0.7 |
11730 |
Updated! CTD-000010: Azure AD app with risky write permissions Now, this threat definition also checks additional permissions, including: |
2023.01.0.7 |
11731 |
New! CTD-000042: AAD: Azure AD tenant with Certificate-Based Authentication enabled This threat definition detects if Certificate-Based Authentication is enabled and a root Certificate Authority is configured in the tenant. Threat actors might use certificate-based authentication to access the tenant by bypassing MFA. |
2023.01.0.7 |
11616 |
Updated! CTD-000035: Privileged Azure AD account synced from on-premise Now, this threat definition also finds synced users with an eligible role membership in Azure AD roles. |
2022.12.0.1 |
10724 |
New! CTD-000037: Objects with privileged SIDs in SID History This threat definition finds AD Objects with privileged SIDs in their SID History. Threat actors may use the SID History Injection technique to escalate privileges and bypass access controls. |
2022.12.0.1 |
10759 |
New! CTD-000012: Modified federation settings in Azure AD domain This threat definition detects changes in the federation settings of Azure AD domains. Threat actors might use federated domains to access your tenant. This technique was used in the infamous Solorigate attack. |
2022.12.0.1 |
11171 |
New! CTD-000008: Azure AD app with client secrets This threat definition finds applications with client secrets. Threat actors might perform actions on behalf of an application using compromised client secrets. |
2022.12.0.1 |
11226 |
Updated! CTD-000018: Azure AD tenant with auditing disabled Now, this threat definition detects changes in the audit logging configuration of your Azure AD tenants in real time, in addition to the scheduled check. |
2022.12.0.1 |
11462 |
New! CTD-000034: Privileged AD user synced to Azure AD This threat definition finds privileged AD users synced to Azure AD. Threat actors might compromise a regular user account in the tenant to get access to its privileged counterpart in the Active Directory. |
2022.12.0.1 |
11481 |
New! CTD-000038: Azure AD tenant with unsecured access to Azure management This threat definition detects if Microsoft Azure Management is not protected with multi-factor authentication. Without MFA enforced, threat actors might compromise an account and immediately gain access to privileged resources. |
2022.12.0.1 |
11507 |
New! CTD-000039: Azure AD Application Registration with dangling URI This threat definition finds Azure AD Application Registrations with redirect URIs that have no corresponding Azure resources. Threat actors might use such dangling URIs to redirect traffic intended for an application to a site performing malicious activity. |
2022.12.0.1 |