This article contains the current list of threat definitions available in the latest version of Cayosoft Guardian. The Cayosoft Guardian team constantly works on adding new threat definitions. For information about recently added threats and updates to existing threat definitions, check threat definition updates.
Severity | Name | Threat description |
Critical | CTD-000005: AdminSDHolder permissions modified | A modification of the AdminSDHolder object might indicate threat actor activity. Active Directory uses the AdminSDHolder object, protected groups and the Security Descriptor propagator (SDPROP) to protect privileged users and groups. When a group is protected, Active Directory ensures that the owner, the ACL and the inheritance setting on the group match those on the AdminSDHolder object; the same is applied to the members of protected groups. SDPROP re-applies the AdminSDHolder descriptor periodically (every 60 minutes by default), so a change to AdminSDHolder is propagated to every protected object and overrides any fix applied to an individual protected account. Threat actors might modify the AdminSDHolder object to propagate altered permissions to the protected objects. |
Critical | CTD-000012: Azure AD domain with federation settings modified | This rule checks whether the domain's federation settings were recently modified. When you federate your on-premises environment with Azure AD, you establish a trust relationship between the on-premises identity provider and Azure AD. Due to this established trust, Azure AD honors the security token issued by the on-premises identity provider post-authentication to grant access to resources protected by Azure AD. A malicious user might modify the federation settings (for example, by adding a token-signing certificate they control) to issue tokens that Azure AD accepts and so gain access to resources in Azure AD. |
High | CTD-000013: Azure AD Global Administrator with elevated access to Azure Resources | A member of the Global Administrator role who has elevated their access to Azure resources poses a threat to those resources. By design, Azure AD and Azure resources are secured independently from one another: Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, a Global Administrator in Azure AD can elevate their access and assign themselves the User Access Administrator role at the root scope, which grants access to all Azure subscriptions and management groups in the directory. Such a change might be a sign that a threat actor elevated their permissions to access Azure resources. If the change was approved, remove the elevated access once the administrator has made the changes needed at root scope. |
High | CTD-000010: Azure AD app with risky write permissions | Apps with risky permissions pose a threat to your Azure AD tenant. Threat actors can use such Azure AD apps for long-term, low-visibility access to contacts, mail, notes, mailbox settings, the user directory, and files. Write permissions additionally allow a threat actor to modify your environment to inflict damage or establish persistence. Microsoft describes the consent grant attack as follows: An attacker registers an app with an OAuth 2.0 provider, such as Azure AD. The app is configured in a way that makes it seem legitimate; for example, attackers might use the name of a popular product available in the same ecosystem. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or through other techniques. The user selects the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data. If the user selects 'Accept', they grant the app permissions to access sensitive data. The app gets an authorization code, which it redeems for an access token and potentially a refresh token. The access token is used to make API calls on behalf of the user. If the user accepts, the attacker can gain access to the user's mail, forwarding rules, files, contacts, notes, profile, and other sensitive data and resources. |
High | CTD-000011: Azure AD cloud-only user with immutable ID set | An Azure AD cloud-only user with an immutable ID set might indicate threat activity. Normally the immutable ID (source anchor) is populated only on accounts synchronized from on-premises Active Directory; a cloud-only account should not have one. A threat actor can create a backdoor in the Azure AD tenant by modifying the federation configuration: when you federate your on-premises environment with Azure AD, you establish a trust relationship between the on-premises identity provider and Azure AD, and due to this trust Azure AD honors the security token issued by the on-premises identity provider post-authentication to grant access to resources protected by Azure AD. If the threat actor also sets an immutable ID on a cloud-only account (including a privileged one), a federated token carrying that immutable ID is accepted for the account without the account's password. |
High | CTD-000018: Azure AD tenant with auditing disabled | In an Azure AD tenant with auditing disabled, user activities are not recorded in the audit log. Without audit log data, the investigation of security issues might be difficult or, in some cases, impossible. A threat actor might disable auditing before making changes in your environment. |
Medium | CTD-000038: Azure AD tenant with unsecure access to Azure management | Organizations use many Azure services and manage them from Azure Resource Manager based tools like the Azure portal, Azure PowerShell, and Azure CLI. These tools can provide highly privileged access to resources. To protect these privileged resources, Microsoft recommends requiring multifactor authentication (MFA) for any user accessing them. Without MFA enforced, a threat actor might compromise an account and immediately get access to the privileged resources. |
Medium | CTD-000039: Azure AD Application Registration with dangling URI | A redirect URI, or reply URL, is the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. Because the authorization server sends the code or token to the redirect URI, it is important to register the correct location as part of the app registration process. If the corresponding App Service is deleted but its redirect URI is not removed from the Azure AD app registration, a threat actor could discover the dangling URI and register an App Service instance with the same host name. After registering the new App Service instance, the threat actor can receive users' authorization codes, tokens and other data sent to that URI. |
Medium | CTD-000014: Azure AD tenant configured to allow guests to invite other guests | A guest invitation configuration where guest users can invite other guest users poses a threat to the tenant's identities. Even with limited access, guest users can collect some data about the environment; for example, they can verify other users' existence in the environment. A threat actor might use a guest account to collect information for future attacks. |
Medium | CTD-000015: Azure AD tenant with unsecure Guest user access permissions | The Azure AD tenant is configured with insecure guest user access permissions. With the current setting, a threat actor holding a guest account can enumerate groups and users using a tool such as AADInternals. These API calls to Azure AD are not logged, so the threat actor's actions cannot be easily detected. |
Medium | CTD-000016: Azure AD role with permanent active members | Permanent active role assignments might indicate threat activity. If an account with a permanent active role assignment is compromised, a threat actor immediately gains administrative privileges. Using only time-limited role assignments for administrators improves the security posture of your tenant, because role activation can then be protected with MFA or approval on activation. |
Medium | CTD-000017: Azure AD role with permanent eligible members | Permanent eligible role assignments might indicate threat activity or misconfiguration. If an account with a permanent eligible role assignment is compromised, a threat actor might immediately gain administrative privileges if role activation is not properly protected. Using only time-limited role assignments for administrators improves the security posture of your tenant. |
Medium | CTD-000006: Anonymous access enabled in AD forest | Enabled anonymous access poses a threat to the Active Directory forest. Threat actors might use anonymous Lightweight Directory Access Protocol (LDAP) access to your forest to collect information about the environment, because LDAP can be used to provide information about users, groups and other object types. |
Medium | CTD-000008: Azure AD app with client secrets | App registration with client secrets poses a threat. A client secret is a string value that might be used in config files or scripts, and it can be easily compromised. Once the secret is compromised, any permissions granted to the service principal can be used by a threat actor to perform actions on behalf of an application. |
Medium | CTD-000003: AD forest with anonymous access enabled over Name Service Provider Interface | Anonymous NSPI access is enabled in the Active Directory forest. Anonymous Name Service Provider Interface (NSPI) access is a feature that allows anonymous RPC-based binds to Active Directory for address book lookups. A threat actor might use this protocol to enumerate directory information, such as user names, without credentials, as a first step toward gaining access to the environment. |
Medium | CTD-000004: AD object with non-default primary group | A user or computer account whose primary group ID (PGID) is set to a non-default value is a possible indication of threat activity. When the PGID of an account is set to the RID of some group, the account has the same permissions as members of that group, yet the group's member attribute does not list the account, and some auditing solutions do not monitor group membership granted through the PGID. Changing the value of the primaryGroupID attribute therefore allows a threat actor to silently elevate their permissions and hide their persistence in the domain. |
Medium | CTD-000037: AD object with privileged SIDs in the sIDHistory | An Active Directory object with privileged SIDs in its sIDHistory attribute might indicate threat actor activity. A SID (Security Identifier) is a unique identifier that Active Directory uses to identify objects as security principals in security descriptors and access tokens. In most cases, the sIDHistory attribute is only populated with SIDs during migrations. SID History injection is an attack technique that allows a threat actor to add privileged SIDs to regular accounts and escalate privileges, because the SIDs in sIDHistory are added to the account's access token at logon. For example, adding the Enterprise Admins SID to the SID History of a regular user elevates that user account to an effective Domain Admin in all domains in the forest. |
Medium | CTD-000020: Azure AD tenant with Privileged Identity Management not being used | In a tenant with Privileged Identity Management (PIM), Azure AD roles can be secured with an additional approval process and can require MFA on activation. Without PIM, a threat actor who gains access to an account with membership in a powerful role such as Global Administrator can use it right away. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. |
Medium | CTD-000021: Azure AD tenant with security defaults not enabled | Azure AD supports the most widely used authentication and authorization protocols, including legacy authentication. Legacy authentication cannot prompt users for a second factor or satisfy other requirements of conditional access policies. Security defaults require all users to register for MFA, require MFA for administrators and block legacy authentication. With security defaults not enabled and legacy authentication allowed in the tenant, a threat actor might use previously obtained credentials to log in and access resources. |
Medium | CTD-000022: Azure AD tenant where regular users can register applications | Custom-developed applications might pose a threat to your environment. A threat actor might use an application to access data in the tenant on behalf of a user. It is recommended to prevent regular users from registering their own applications and let administrators review and register applications. This ensures that the application undergoes a security review before exposing the tenant's data to the application. |
Medium | CTD-000027: Built-in domain Administrator account used recently | The usage of the built-in domain Administrator account (RID 500) might be an indication that the account has been compromised. The built-in domain Administrator account should not be used for day-to-day management tasks; administrators should use individual, named privileged accounts instead. |
Medium | CTD-000032: Guest account with Azure AD role membership | A guest user account with membership in Azure AD role poses a threat to your environment. This guest user has an account in an external Azure AD organization or an external identity provider. If a guest user account in that external organization is compromised, a threat actor might access resources in your tenant. |
Medium | CTD-000033: Privileged AD account password set to never expire | The privileged user account whose password never expires poses a threat to your environment. A password obtained by a malicious actor will be valid until the password is changed. In the meantime, the malicious actor will be able to log in to Active Directory, access resources, and inflict damage. Regular password rotation reduces the risk and effectiveness of password-based attacks and exploits by shortening the timeframe during which a compromised password may be valid. |
Medium | CTD-000034: Privileged AD user synced to Azure AD | It is best practice from Microsoft to avoid syncing accounts to Azure AD that have high privileges in your existing Active Directory instance. A threat actor might compromise a regular user account in the tenant to get access to its privileged counterpart in the Active Directory. |
Medium | CTD-000035: Privileged Azure AD account synced from on-premise | A synchronized user account that is a member of Azure AD administrative roles poses a threat to your Azure AD tenant. If the on-premises account is compromised (for example, through credential theft in Active Directory), a threat actor gains access to your Azure AD resources as well. |
Medium | CTD-000024: Azure AD tenant with unsecure app consent policy configuration | A current tenant policy allows all users to consent to any permission that doesn't require admin consent, for any application. With such a policy enabled, threat actors might receive unwarranted access to users' data via so-called consent phishing. Threat actors trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user's password, a threat actor is seeking permission for an attacker-controlled app to access valuable data. |
Medium | CTD-000025: Azure AD user that is an eligible role member and can be soft-matched with an on-premises account | Soft-matching is a process that uses the primary Simple Mail Transfer Protocol (SMTP) address to match an on-premises user account to the Office 365 user account. Using soft-matching, a threat actor who previously compromised the Active Directory environment might elevate their privileges in Azure AD. While soft-matching will not work for accounts with active role membership, an account with eligible role membership can still be soft-matched. If the role does not require an MFA challenge on activation, the threat actor might immediately get privileged access to your tenant. |
Low | CTD-000026: Regular Azure AD user with Exchange Online PowerShell enabled | A regular Azure AD user account with Exchange Online PowerShell enabled poses a threat to your environment. Access to Exchange Online PowerShell doesn't give users extra administrative powers in your organization, however, threat actors may use Exchange Online PowerShell to access the mailbox or modify inbox rules or configure forwarding SMTP addresses. Also, a compromised user mailbox with Exchange Online PowerShell enabled can be used to initiate a mass phishing attack by sending emails to other users in the tenant. Disabling Exchange Online PowerShell for users, who don't need it to perform administrative tasks, reduces the possible impact if such an account is compromised. |
Low | CTD-000036: Stale administrative account in AD domain | An enabled administrative account that has not logged in during the specified period poses a threat to your Active Directory environment. Such an account could be used by a former employee or another threat actor. An unused administrative account increases the potential attack surface. |
Low | CTD-000028: Computer not resetting its password periodically | A computer account that has not automatically changed its password might indicate threat activity. Computer accounts should automatically change their passwords every 30 days (the default machine account password change interval). If a threat actor obtains the password, they can authenticate to the domain as that computer for as long as the password remains unchanged. |
Low | CTD-000023: Azure AD tenant with unsecure delegation of Global Admin role | Having only one Global Administrator account is a potential threat to your environment. There should be at least two accounts for redundancy and audit purposes; with only one Global Administrator, a threat actor who controls it can perform malicious activities without being noticed by another administrator. However, too many Global Administrator accounts increase the chance that one of them is breached by a threat actor. |
Low | CTD-000002: AD domain with built-in domain Guest account enabled | An enabled built-in Guest account poses a threat to your Active Directory environment. A threat actor can use the Guest account to gather information they can use to plan future malicious operations. |
Low | CTD-000009: Azure AD app with risky read permissions | Apps with risky permissions pose a threat to your Azure AD tenant. Threat actors can use such Azure AD apps for long-term, low-visibility access to contacts, mail, notes, mailbox settings, the user directory, and files. Microsoft describes the consent grant attack as follows: An attacker registers an app with an OAuth 2.0 provider, such as Azure AD. The app is configured in a way that makes it seem legitimate; for example, attackers might use the name of a popular product available in the same ecosystem. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or through other techniques. The user selects the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data. If the user selects 'Accept', they grant the app permissions to access sensitive data. The app gets an authorization code, which it redeems for an access token and potentially a refresh token. The access token is used to make API calls on behalf of the user. If the user accepts, the attacker can gain access to the user's mail, forwarding rules, files, contacts, notes, profile, and other sensitive data and resources. |
Low | CTD-000019: Azure AD tenant with Microsoft 365 groups exposed to the whole organization | A public group might pose a threat as all users in the organization might have access to the group's content. A threat actor can add herself to any public group using the Azure portal and access resources such as SharePoint documents or Teams chats. |
Informational | CTD-000007: Azure AD Administrative Units are not being used | Usage of Administrative Units enhances tenant's protection against threats. When planning your access control strategy, there are three aspects to consider when you assign a role to your administrators: a specific set of permissions, over a specific scope, for a specific period of time. The least privilege means you grant your administrators exactly the permission they need to do their job. By limiting scopes with Administrative units, you limit what resources are at risk if the security principal is ever compromised. |
Informational | CTD-000001: AD domain account's password set to never expire | A user account whose password never expires poses a threat to your Active Directory environment. Password rotation reduces the risk and effectiveness of password-based attacks and exploits by shortening the timeframe during which a compromised password may be valid. A threat actor who obtains the password can use it for as long as it remains valid. |
Informational | CTD-000029: Computer with unsupported OS version in AD domain | A computer with an unsupported operating system version poses a threat to your Active Directory environment. A threat actor might specifically target computers running unsupported OS versions, as they might have unpatched vulnerabilities. |
Informational | CTD-000030: Exchange Online mailbox with Full Access permission assigned | Exchange Online mailbox with Full Access permissions assigned might be an indication of threat activities. A threat actor might configure permissions to access the compromised mailbox without being noticed. |
Informational | CTD-000031: Exchange Online mailbox with SMTP forwarding address | Exchange Online mailbox with SMTP forwarding address might be an indication of threat activities. A threat actor might use an SMTP forwarding address to receive emails from the compromised mailbox. |
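The following Windows PowerShell script is an added example that illustrates the CTD-000005 check described above; it is not Cayosoft Guardian code and does not show how Guardian implements the rule. It reviews the AdminSDHolder security descriptor for write-capable ACEs (and an owner) held by trustees outside an assumed baseline of Domain Admins, Enterprise Admins, Cert Publishers, Key Admins, Administrators, SYSTEM and SELF. The baseline, the domain SID and the sample SDDL are all constructed for the example; in a live domain, pass the result of `Get-Acl` on the AdminSDHolder object and the domain SID from `Get-ADDomain`, and adjust the baseline to the default descriptor of your forest.

```powershell
# Added example (not Cayosoft Guardian code): review the AdminSDHolder ACL for
# write-capable ACEs held by trustees outside an assumed baseline (CTD-000005).
Add-Type -AssemblyName System.DirectoryServices

function Get-AdminSDHolderSuspiciousAce {
    param(
        # An ActiveDirectorySecurity object, e.g. from
        #   Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        # Domain SID of the domain being checked, e.g. (Get-ADDomain).DomainSID.Value
        [Parameter(Mandatory)][string]$DomainSid
    )
    # Assumed baseline: trustees that legitimately hold write rights on AdminSDHolder.
    $allowed = @(
        "$DomainSid-512",   # Domain Admins
        "$DomainSid-519",   # Enterprise Admins
        "$DomainSid-517",   # Cert Publishers (writes userCertificate)
        "$DomainSid-526",   # Key Admins (writes msDS-KeyCredentialLink)
        "$DomainSid-527",   # Enterprise Key Admins
        'S-1-5-32-544',     # BUILTIN\Administrators
        'S-1-5-18',         # SYSTEM
        'S-1-5-10'          # SELF
    )
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $writeMask = [int]($R::WriteProperty -bor $R::WriteDacl -bor $R::WriteOwner -bor
                       $R::ExtendedRight -bor $R::Self -bor $R::CreateChild -bor
                       $R::DeleteChild -bor $R::Delete -bor $R::DeleteTree)
    # Raw GENERIC_ALL / GENERIC_WRITE bits, in case they were not mapped to DS rights.
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    $findings = @()
    # SDPROP also copies the owner, so an unexpected owner is as serious as a bad ACE.
    $owner = $Acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($owner -notin $allowed) {
        $findings += [pscustomobject]@{ Kind = 'Owner'; Trustee = $owner; Rights = 'Owner' }
    }
    # Ask for SIDs rather than names so unresolvable (deleted or foreign) trustees still compare.
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if (([int]$ace.ActiveDirectoryRights -band $writeMask) -and ($sid -notin $allowed)) {
            $findings += [pscustomobject]@{
                Kind    = 'ACE'
                Trustee = $sid
                Rights  = $ace.ActiveDirectoryRights.ToString()
            }
        }
    }
    return $findings
}

# Constructed sample descriptor: the legitimate Domain Admins, Enterprise Admins,
# Administrators and SYSTEM entries, read access for Authenticated Users, plus a
# regular user (RID 1105) that was granted full control as a backdoor.
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$full = 'RPWPCRCCDCLCLORCWOWDSW'
$sddl = "O:$domainSid-512G:$domainSid-512D:" +
        "(A;;$full;;;$domainSid-512)(A;;$full;;;$domainSid-519)(A;;$full;;;BA)(A;;$full;;;SY)" +
        "(A;;RPLCLORC;;;AU)(A;;$full;;;$domainSid-1105)"
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)
Get-AdminSDHolderSuspiciousAce -Acl $acl -DomainSid $domainSid | Format-Table
```

A stricter alternative for production is to capture the known-good SDDL once (`$acl.GetSecurityDescriptorSddlForm('All')`) and alert on any difference, which also catches deny ACEs and inheritance changes that a rights-based filter ignores.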
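The next script is an added example for the two "silent privilege" attribute checks, CTD-000037 (privileged SIDs in sIDHistory) and CTD-000004 (non-default primaryGroupID); it is not Cayosoft Guardian code. The privileged RID list, the set of default primary groups and the sample objects are assumptions for the example. The functions accept any objects with the named properties, so output from `Get-ADObject` can be piped in directly in a live domain (the LDAP filters in the comments are standard).

```powershell
# Added example (not Cayosoft Guardian code): flag privileged SIDs in sIDHistory
# (CTD-000037) and non-default primaryGroupID values (CTD-000004).

# Assumed baseline of privileged RIDs (domain-relative) and privileged built-in SIDs.
$PrivilegedRids = @(500, 512, 516, 518, 519, 521, 526, 527)   # Administrator, Domain Admins, DCs, Schema/Enterprise Admins, RODCs, Key Admins
$PrivilegedBuiltinSids = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551')
# Assumed default primary groups: Domain Users / Domain Guests for users;
# Domain Computers, Domain Controllers and RODCs for computers.
$DefaultPrimaryGroup = @{ user = @(513, 514); computer = @(515, 516, 521) }

function Test-PrivilegedSid {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -in $PrivilegedBuiltinSids) { return $true }
    # Domain SIDs have the form S-1-5-21-<domain>-<rid>; the RID is the last component.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        return ([int]$Matches[1]) -in $PrivilegedRids
    }
    return $false
}

function Find-SidHistoryAbuse {
    # Objects with .DistinguishedName and .sIDHistory (SecurityIdentifier or string values), e.g.
    #   Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
    param([Parameter(Mandatory, ValueFromPipeline)]$Object)
    process {
        foreach ($sid in @($Object.sIDHistory)) {
            $s = [string]$sid
            if (Test-PrivilegedSid $s) {
                [pscustomobject]@{ Object = $Object.DistinguishedName; Finding = 'PrivilegedSidHistory'; Value = $s }
            }
        }
    }
}

function Find-NonDefaultPrimaryGroup {
    # Objects with .DistinguishedName, .objectClass ('user' or 'computer') and .primaryGroupID, e.g.
    #   Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties objectClass,primaryGroupID
    param([Parameter(Mandatory, ValueFromPipeline)]$Object)
    process {
        $class = [string]$Object.objectClass
        if (-not $DefaultPrimaryGroup.ContainsKey($class)) { return }
        if ([int]$Object.primaryGroupID -notin $DefaultPrimaryGroup[$class]) {
            [pscustomobject]@{ Object = $Object.DistinguishedName; Finding = 'NonDefaultPrimaryGroup'; Value = $Object.primaryGroupID }
        }
    }
}

# Constructed sample: a migrated user with a harmless foreign SID, a user with the
# Enterprise Admins SID injected, a user whose primary group was set to Domain Admins,
# and an ordinary workstation.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=migrated,OU=Users,DC=corp,DC=example'; objectClass = 'user'
                       sIDHistory = @('S-1-5-21-9999-8888-7777-1203'); primaryGroupID = 513 },
    [pscustomobject]@{ DistinguishedName = 'CN=jdoe,OU=Users,DC=corp,DC=example'; objectClass = 'user'
                       sIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-519'); primaryGroupID = 513 },
    [pscustomobject]@{ DistinguishedName = 'CN=svc-backup,OU=Users,DC=corp,DC=example'; objectClass = 'user'
                       sIDHistory = @(); primaryGroupID = 512 },
    [pscustomobject]@{ DistinguishedName = 'CN=WS01,CN=Computers,DC=corp,DC=example'; objectClass = 'computer'
                       sIDHistory = @(); primaryGroupID = 515 }
)
$sample | Find-SidHistoryAbuse
$sample | Find-NonDefaultPrimaryGroup
```

The RID-based test deliberately matches privileged RIDs from any domain, because a SID from a trusted forest's Domain Admins group in sIDHistory is just as dangerous as one from the local domain (unless SID filtering blocks it at the trust).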
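As an added example for the account-hygiene rules CTD-000027 (built-in Administrator used recently), CTD-000033 (privileged account with non-expiring password), CTD-000036 (stale administrative account) and CTD-000028 (computer not rotating its password), the following script applies those four checks to account objects with the property names returned by `Get-ADUser` and `Get-ADComputer`. It is not Cayosoft Guardian code; the thresholds and the sample accounts are assumptions, and "privileged" is approximated by `adminCount=1`, which SDPROP sets on protected accounts.

```powershell
# Added example (not Cayosoft Guardian code): account-hygiene checks over AD account objects
# (CTD-000027, CTD-000033, CTD-000036, CTD-000028).

function Find-AccountHygieneIssue {
    # Accounts with .SamAccountName, .SID (string), .Enabled, .ObjectClass, .AdminCount,
    # .PasswordNeverExpires, .PasswordLastSet and .LastLogonDate, e.g.
    #   Get-ADUser -Filter * -Properties adminCount,PasswordNeverExpires,PasswordLastSet,LastLogonDate
    #   Get-ADComputer -Filter * -Properties PasswordLastSet
    # Note: LastLogonDate comes from lastLogonTimestamp, which replicates with up to a 14-day lag.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Account,
        [datetime]$Now = (Get-Date),
        [int]$AdminActivityDays = 30,     # assumed "used recently" window for RID 500
        [int]$StaleAdminDays = 90,        # assumed staleness threshold for admin accounts
        [int]$ComputerPasswordDays = 90   # three times the default 30-day rotation period
    )
    process {
        $sid     = [string]$Account.SID
        $isAdmin = ($Account.AdminCount -eq 1)   # adminCount=1 marks SDPROP-protected accounts
        $findings = @()
        switch ([string]$Account.ObjectClass) {
            'user' {
                # Built-in Administrator always has RID 500, regardless of its name.
                if ($sid -match '-500$' -and $Account.LastLogonDate -and
                    $Account.LastLogonDate -gt $Now.AddDays(-$AdminActivityDays)) {
                    $findings += 'BuiltinAdministratorUsedRecently'
                }
                if ($isAdmin -and $Account.PasswordNeverExpires) {
                    $findings += 'PrivilegedPasswordNeverExpires'
                }
                if ($isAdmin -and $Account.Enabled -and
                    (-not $Account.LastLogonDate -or $Account.LastLogonDate -lt $Now.AddDays(-$StaleAdminDays))) {
                    $findings += 'StaleAdminAccount'
                }
            }
            'computer' {
                if ($Account.Enabled -and $Account.PasswordLastSet -lt $Now.AddDays(-$ComputerPasswordDays)) {
                    $findings += 'ComputerPasswordNotRotated'
                }
            }
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ Account = $Account.SamAccountName; Finding = $f }
        }
    }
}

# Constructed sample: the built-in Administrator logged on two days ago with a non-expiring
# password, an admin account idle for 200 days, and a workstation that has not changed its
# password for 150 days.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500'; ObjectClass = 'user'
                       Enabled = $true; AdminCount = 1; PasswordNeverExpires = $true
                       PasswordLastSet = $now.AddDays(-400); LastLogonDate = $now.AddDays(-2) },
    [pscustomobject]@{ SamAccountName = 'adm-old'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1107'; ObjectClass = 'user'
                       Enabled = $true; AdminCount = 1; PasswordNeverExpires = $false
                       PasswordLastSet = $now.AddDays(-60); LastLogonDate = $now.AddDays(-200) },
    [pscustomobject]@{ SamAccountName = 'WS01$'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1203'; ObjectClass = 'computer'
                       Enabled = $true; AdminCount = $null; PasswordNeverExpires = $false
                       PasswordLastSet = $now.AddDays(-150); LastLogonDate = $now.AddDays(-1) }
)
$sample | Find-AccountHygieneIssue -Now $now | Format-Table
```

For the RID 500 check, the non-replicated `lastLogon` attribute queried on every domain controller gives a more precise answer than `LastLogonDate`; the replicated value is used here because it is available from a single query.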
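Finally, an added example for the Azure AD application rules CTD-000008 (app with client secrets) and CTD-000010 / CTD-000009 (app with risky write or read permissions). It is not Cayosoft Guardian code. The first function lists password credentials on app registrations and their remaining lifetime; the second classifies the delegated scopes of OAuth2 permission grants (the artifacts a consent grant attack leaves behind) into read and write, using an assumed name-pattern classification. The sample objects are constructed to mimic the shape of `Get-MgApplication` and `Get-MgOauth2PermissionGrant` output so the script runs offline; the `Get-Mg*` commands named in the comments require the Microsoft.Graph PowerShell module and a connected session.

```powershell
# Added example (not Cayosoft Guardian code): find app registrations that carry client
# secrets (CTD-000008) and OAuth2 grants with write-capable scopes (CTD-000010 / CTD-000009).

function Find-AppClientSecret {
    # Application objects with .DisplayName, .AppId and .PasswordCredentials (each with EndDateTime), e.g.
    #   Get-MgApplication -All -Property DisplayName,AppId,PasswordCredentials
    param([Parameter(Mandatory, ValueFromPipeline)]$App, [datetime]$Now = (Get-Date))
    process {
        foreach ($cred in @($App.PasswordCredentials)) {
            if ($null -eq $cred) { continue }
            $end = [datetime]$cred.EndDateTime
            [pscustomobject]@{
                App      = $App.DisplayName
                AppId    = $App.AppId
                Finding  = if ($end -lt $Now) { 'ExpiredSecret' } else { 'ActiveSecret' }
                DaysLeft = [int]($end - $Now).TotalDays
            }
        }
    }
}

# Scope name patterns treated as write-capable. Assumed classification; tune it per tenant.
$WriteScopePattern = '\.ReadWrite|\.Write|\.Send|\.AccessAsUser\.All|\.Manage|full_access_as_app'

function Get-OAuthGrantRisk {
    # OAuth2 permission grants with .ClientId, .ConsentType ('AllPrincipals' = admin consent,
    # 'Principal' = a single user's consent) and .Scope (space-separated), e.g.
    #   Get-MgOauth2PermissionGrant -All
    param([Parameter(Mandatory, ValueFromPipeline)]$Grant)
    process {
        $scopes = ($Grant.Scope -split '\s+') | Where-Object { $_ }
        $write  = @($scopes | Where-Object { $_ -match $WriteScopePattern })
        $read   = @($scopes | Where-Object { $_ -notmatch $WriteScopePattern })
        if ($scopes) {
            [pscustomobject]@{
                ClientId    = $Grant.ClientId
                ConsentType = $Grant.ConsentType
                Severity    = if ($write.Count -gt 0) { 'High (write)' } else { 'Low (read)' }
                WriteScopes = $write -join ' '
                ReadScopes  = $read -join ' '
            }
        }
    }
}

# Constructed sample objects mimicking Graph output: one app with a long-lived secret,
# one with certificate-only credentials, one user-consented read-only grant and one
# tenant-wide grant with mailbox and file write scopes.
$apps = @(
    [pscustomobject]@{ DisplayName = 'Finance Sync'; AppId = '11111111-aaaa-4bbb-8ccc-000000000001'
                       PasswordCredentials = @([pscustomobject]@{ EndDateTime = (Get-Date).AddDays(400) }) },
    [pscustomobject]@{ DisplayName = 'Cert-only app'; AppId = '11111111-aaaa-4bbb-8ccc-000000000002'
                       PasswordCredentials = @() }
)
$grants = @(
    [pscustomobject]@{ ClientId = 'sp-0001'; ConsentType = 'Principal';     Scope = 'User.Read Mail.Read' },
    [pscustomobject]@{ ClientId = 'sp-0002'; ConsentType = 'AllPrincipals'; Scope = 'Mail.ReadWrite Files.ReadWrite.All MailboxSettings.ReadWrite' }
)
$apps   | Find-AppClientSecret | Format-Table
$grants | Get-OAuthGrantRisk   | Format-Table
```

Delegated grants are only half the picture: application permissions consented for a service principal appear as app role assignments (`Get-MgServicePrincipalAppRoleAssignment`) rather than OAuth2 grants, and should be reviewed with the same read/write distinction.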