This article lists the threat definitions available in the latest version of Cayosoft Guardian. The Cayosoft Guardian team constantly works on adding new threat definitions. For information about recently added threats and updates to existing threat definitions, see the threat definition updates.
|Critical||CTD-000005: AdminSDHolder permissions modified||A modification of the AdminSDHolder object might indicate threat actor activity. Active Directory uses the AdminSDHolder object, protected groups and the Security Descriptor Propagator (SDProp) to protect privileged users and groups. When a group is marked as protected, Active Directory ensures that the owner, the ACL and the inheritance setting on that group match those on the AdminSDHolder object; the same applies to the members of protected groups. SDProp enforces this on the PDC emulator every 60 minutes by default, so a threat actor who alters the AdminSDHolder ACL (for example, by adding a GenericAll or WriteDACL ACE for an account they control) has that permission propagated to every protected object within about an hour, and it is re-applied even if an administrator removes it from an individual protected object.|
|Critical||CTD-000012: Modified federation settings in Azure AD domain||This rule checks whether the domain's federation settings were recently modified. When you federate your on-premises environment with Azure AD, you establish a trust relationship between the on-premises identity provider and Azure AD. Because of this trust, Azure AD honours security tokens issued by the on-premises identity provider after authentication and uses them to grant access to resources protected by Azure AD. A threat actor who can modify the federation settings (for example, by adding a token-signing certificate they control or pointing the domain at a rogue identity provider) can forge tokens for any user of that domain and access resources in Azure AD.|
|High||CTD-000013: Azure AD Global Administrator with elevated access to Azure Resources||A member of the Global Administrator role who has elevated their access to Azure resources poses a threat to those resources. By design, Azure AD and Azure resources are secured independently of one another: Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, a Global Administrator can elevate their access, which assigns them the User Access Administrator role at the root management group scope and thereby control over all Azure subscriptions and management groups in the directory. Such a change might be a sign that a threat actor elevated their permissions to reach Azure resources. If the change was approved, remove the elevated access once the administrator has made the changes required at root scope.|
|High||CTD-000018: Azure AD tenant with auditing disabled||In an Azure AD tenant with auditing disabled, user and administrator activities are not recorded in the audit log. Without audit log data, investigating security incidents may be difficult or impossible. A threat actor might disable auditing before making changes in your environment so that the changes leave no trace.|
|High||CTD-000042: Azure AD tenant with Certificate-Based Authentication enabled for all users||If a threat actor gains control of a certification authority that Azure AD trusts for certificate-based authentication, they can issue a certificate for any user and sign in as that user without knowing the password. Enabling certificate-based authentication requires only the Authentication Policy Administrator role, not Global Administrator, so a threat actor holding that lesser role might use this technique to impersonate a Global Administrator and elevate their privileges without being noticed. Review which users the policy targets and which issuing CAs are trusted.|
|High||CTD-000046: AD computer using dNSHostName that belongs to another computer account||A threat actor with write access to a computer account (for example, one they created under the machine account quota) might set its dNSHostName to the value used by another computer account, such as a domain controller. The threat actor could then request a certificate whose subject is built from that dNSHostName, authenticate with it as the target computer account, and escalate their privileges. Two computer accounts should never share a dNSHostName.|
|High||CTD-000010: Azure AD app with risky write permissions||Apps that request risky permissions present a threat to Azure AD tenants. Threat actors can use such apps to gain prolonged, covert access to sensitive information such as contacts, emails, mailbox settings, the user directory and files. With write permissions, a threat actor can also modify the environment, cause damage or establish persistence (for example, by adding mailbox forwarding rules). Microsoft describes the consent grant attack in the steps summarized under CTD-000009 below.|
|High||CTD-000011: Azure AD cloud-only user with immutable ID set||A cloud-only Azure AD user whose immutable ID is set might indicate threat activity. The immutable ID normally links a synchronized user to its on-premises object and is not set on cloud-only accounts. A threat actor can create a backdoor in the tenant by modifying the federation configuration: when you federate your on-premises environment with Azure AD, Azure AD honours security tokens issued by the on-premises identity provider after authentication to grant access to resources it protects. If the threat actor controls such a trust and sets an immutable ID on a cloud-only account, they can issue federated tokens for that account and sign in as it without knowing its password.|
|High||CTD-000044: Privileged Azure AD account not registered for MFA||An administrative account that is not registered for MFA lacks sufficient protection against modern threats. Administrative accounts without an additional factor pose a threat because a malicious actor who obtains the password can use them to establish hidden persistence, inflict damage or access resources and data. According to Microsoft, multi-factor authentication blocks more than 99.9% of account compromise attempts. Multi-factor authentication prompts users during sign-in for an additional form of identification, such as a code on their phone or a fingerprint scan. Relying on a password alone lets a malicious actor in as soon as they guess a weak password or find it exposed elsewhere; requiring a second factor raises the bar because, in most cases, the attacker cannot pass the additional challenge. Privileged accounts should be registered for phishing-resistant methods and protected by a Conditional Access policy that requires MFA.|
|High||CTD-000043: Service Principal promoted a service principal to privileged role members||A service principal is the identity an application or service uses to access resources in Azure Active Directory. Service principals are granted specific application permissions, such as RoleManagement.ReadWrite.Directory, which allows managing Azure AD role memberships, or AppRoleAssignment.ReadWrite.All, which allows a service principal to grant itself or other service principals further Microsoft Graph permissions, including RoleManagement.ReadWrite.Directory. A service principal with such permissions can promote itself or other service principals to members of privileged roles such as Global Administrator. A threat actor who gains control of a previously created service principal with these permissions can therefore persist in the environment and elevate their privileges when needed, without touching any user account.|
|High||CTD-000048: AD computer with traces of DCShadow attack||A computer object with specific values in its servicePrincipalName attribute indicates that hacker tools were used in your environment. The DCShadow technique implemented in Mimikatz registers a rogue domain controller (it adds an nTDSDSA object for an ordinary computer account and gives that account the GC and DRS replication SPNs), pushes malicious changes into Active Directory through replication, and leaves these identifiable traces on the computer object used in the attack. Because the changes arrive through replication rather than an LDAP write, they bypass the native Directory Service Changes audit events and allow a malicious user to stay unnoticed. Cayosoft Guardian is nevertheless able to detect such changes: they appear with no initiator in the Who column in the Change History.|
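The two computer-object checks above (CTD-000046 and CTD-000048) reduce to simple logic over attributes any LDAP export provides. The following Python is an added example written for this page, not Cayosoft Guardian code: it flags non-DC computers carrying the GC and DRS-interface SPNs that DCShadow registers, and dNSHostName values claimed by more than one computer account. The computer objects are constructed sample data; in practice they would come from an LDAP search over objectClass=computer.

```python
"""Detection logic for CTD-000046 (shared dNSHostName) and CTD-000048
(DCShadow SPN traces) over computer objects exported from LDAP.
Added example for this page, not Cayosoft Guardian code; all objects are constructed."""
import re
from collections import defaultdict

# DCShadow registers two SPNs on the machine it turns into a rogue DC: a GC/ SPN
# and one whose service class is the DRS replication interface GUID. Writable
# domain controllers legitimately carry both, so only non-DC objects are suspicious.
DRS_INTERFACE_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
DCSHADOW_SPN = re.compile(rf"^(GC|{DRS_INTERFACE_GUID})/[^/]+(/.+)?$", re.IGNORECASE)
SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit set on writable DCs

SAMPLE_COMPUTERS = [  # constructed sample data
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example",
     "userAccountControl": 0x82000,
     "servicePrincipalName": [
         "HOST/dc01.corp.example",
         "GC/dc01.corp.example/corp.example",
         f"{DRS_INTERFACE_GUID}/5d3a9e2c-1111-2222-3333-444455556666/corp.example"]},
    {"sAMAccountName": "WS17$", "dNSHostName": "ws17.corp.example",
     "userAccountControl": 0x1000,  # workstation, yet carries DC-only SPNs
     "servicePrincipalName": [
         "HOST/ws17.corp.example",
         "GC/ws17.corp.example/corp.example",
         f"{DRS_INTERFACE_GUID}/7a1b3c5d-0000-0000-0000-000000000001/corp.example"]},
    {"sAMAccountName": "FS01$", "dNSHostName": "fs01.corp.example",
     "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/fs01.corp.example"]},
    {"sAMAccountName": "EVIL$", "dNSHostName": "fs01.corp.example",  # stolen name
     "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/evil.corp.example"]},
]


def dcshadow_traces(computers):
    """Return (sAMAccountName, matching SPNs) for non-DC computers with DCShadow SPNs."""
    findings = []
    for c in computers:
        if c["userAccountControl"] & SERVER_TRUST_ACCOUNT:
            continue  # real DCs are expected to have these SPNs
        hits = sorted(spn for spn in c.get("servicePrincipalName", [])
                      if DCSHADOW_SPN.match(spn))
        if hits:
            findings.append((c["sAMAccountName"], hits))
    return findings


def shared_dnshostnames(computers):
    """Map each dNSHostName used by more than one computer account to those accounts."""
    owners = defaultdict(list)
    for c in computers:
        host = (c.get("dNSHostName") or "").lower()
        if host:
            owners[host].append(c["sAMAccountName"])
    return {h: sorted(names) for h, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for name, spns in dcshadow_traces(SAMPLE_COMPUTERS):
        print(f"CTD-000048 {name}: {', '.join(spns)}")
    for host, names in shared_dnshostnames(SAMPLE_COMPUTERS).items():
        print(f"CTD-000046 {host} is claimed by {', '.join(names)}")
```

The DC exclusion matters: every writable domain controller legitimately has both SPNs, so a rule that does not check SERVER_TRUST_ACCOUNT (or membership in Domain Controllers) produces one false positive per DC.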
|High||CTD-000056: AD domain allows unprivileged users to add computer accounts||The ms-DS-MachineAccountQuota attribute on the domain object defaults to 10, allowing any authenticated user to create up to 10 computer accounts. While this is a legitimate scenario, a threat actor who has compromised any user account can create computer accounts that are not associated with a real device but can authenticate to the domain, and then use them as a foothold for further attacks. Organizations can reduce the risk by setting ms-DS-MachineAccountQuota to 0, which prevents non-admin users from joining new devices to the domain; device joins should then be delegated explicitly to the accounts or groups that need them. Attackers would then have to choose more complex methods to acquire a suitable resource for their attacks.|
|High||CTD-000047: AD domain controller with SMB1 enabled||A threat actor can potentially compromise a domain controller that has the SMBv1 protocol enabled by exploiting vulnerabilities in the protocol, such as the EternalBlue exploit. This exploit can allow an attacker to remotely execute code on a vulnerable system and gain unauthorized access, potentially leading to a complete compromise of the domain controller and the associated network. To prevent such attacks, it is recommended to disable SMBv1 and only use newer, more secure versions of the SMB protocol.|
|High||CTD-000051: AD Krbtgt account password was not reset recently||
The krbtgt account password in an Active Directory environment is a critical component of the Kerberos authentication protocol, which authenticates users and services. Failing to change the krbtgt password regularly poses significant risks, as an attacker who gains access to it can carry out a range of attacks on the AD infrastructure, including:
To minimize the risk of compromise and ensure the security of the AD infrastructure, change the krbtgt password regularly. Because the KDC continues to accept tickets encrypted with the previous krbtgt key, reset the password twice, allowing time for replication between the two resets, to fully invalidate tickets issued under a compromised key.
|High||CTD-000050: Security principals with dangerous replication permissions||A security principal with replication permissions poses a threat to your Active Directory domain. A malicious actor might use a security principal that holds both the Replicating Directory Changes and Replicating Directory Changes All rights on the domain naming context object to execute a DCSync attack and retrieve the password hashes of any user in the domain, including krbtgt. DCSync is an attack implemented in the Mimikatz tool: it emulates a domain controller's replication mechanism and asks a real domain controller to replicate directory data. Because Mimikatz uses the native Directory Replication Service (DRS) Remote Protocol, an RPC protocol for replication and management of Active Directory data, the requests look legitimate to the domain controller. By default only Administrators, Domain Controllers and Enterprise Domain Controllers hold these rights; a directory synchronization account such as the Azure AD Connect connector account legitimately needs them as well, so any other holder should be treated as a finding.|
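The DCSync check is a DACL review: which trustees hold the two replication extended rights on the domain head, and which of those are not expected. The following Python is an added example for this page, not Cayosoft Guardian code. It parses the SDDL form of a domain object's security descriptor, resolves the control-access ACEs for the two replication rights by their well-known GUIDs, treats GenericAll as implying both, and reports trustees that are not in a default allowlist. The SDDL string is constructed; in a real review it would be exported from the domain naming context's nTSecurityDescriptor, and the allowlist would be extended with the SID of your sync account.

```python
"""Find security principals holding DCSync-relevant rights in a domain object's
DACL (CTD-000050). Added example, not Cayosoft Guardian code. The SDDL string
below is constructed; in practice, export it with a tool that renders the domain
naming context's nTSecurityDescriptor as SDDL."""
import re

# Extended-right GUIDs for the two replication control-access rights
RIGHT_NAMES = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "GetChanges",     # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "GetChangesAll",  # DS-Replication-Get-Changes-All
}
# SDDL aliases for trustees that hold these rights by default: Enterprise Domain
# Controllers, Domain Controllers, Enterprise RODCs, BUILTIN\Administrators, Domain
# Admins, Enterprise Admins, SYSTEM. Extend with the SID of your sync account.
EXPECTED_TRUSTEES = {"ED", "DD", "RO", "BA", "DA", "EA", "SY"}
ACE_RE = re.compile(r"\(([^)]*)\)")

SAMPLE_DOMAIN_SDDL = (  # constructed
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(A;;RPLCLORC;;;AU)"                                                        # harmless read rights
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1105)"  # svc_backup
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1105)"  # ...both rights
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1190)"  # one right only
    "(A;;GA;;;S-1-5-21-111-222-333-1204)"                                       # GenericAll
    "(A;;CR;;;DA)"
)


def parse_aces(sddl):
    """Yield (type, flags, rights, object_guid, inherit_guid, trustee) for each DACL ACE."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop a trailing SACL, if present
    for m in ACE_RE.finditer(dacl):
        parts = m.group(1).split(";")
        if len(parts) >= 6:
            yield parts[0].upper(), parts[1], parts[2], parts[3].lower(), parts[4], parts[5]


def rights_set(rights):
    """Normalise the SDDL rights field (two-letter tokens or a hex mask) to tokens."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        tokens = set()
        if mask & 0x00000100:
            tokens.add("CR")  # ADS_RIGHT_DS_CONTROL_ACCESS
        if mask & 0x10000000:
            tokens.add("GA")  # GENERIC_ALL
        return tokens
    return {rights[i:i + 2].upper() for i in range(0, len(rights), 2)}


def replication_rights(sddl, expected=EXPECTED_TRUSTEES):
    """Map each unexpected trustee to the replication rights its allow ACEs grant."""
    grants = {}
    for ace_type, _flags, rights, obj_guid, _inh, trustee in parse_aces(sddl):
        if ace_type not in ("A", "OA") or trustee.upper() in expected:
            continue  # deny ACEs and default holders are not findings
        tokens = rights_set(rights)
        if "GA" in tokens:
            got = {"GenericAll", "GetChanges", "GetChangesAll"}
        elif "CR" in tokens and obj_guid == "":
            got = {"GetChanges", "GetChangesAll"}  # CR with no GUID = every extended right
        elif "CR" in tokens and obj_guid in RIGHT_NAMES:
            got = {RIGHT_NAMES[obj_guid]}
        else:
            continue
        grants.setdefault(trustee, set()).update(got)
    return grants


def dcsync_capable(grants):
    """Trustees holding both rights Mimikatz needs for DCSync."""
    return sorted(t for t, r in grants.items() if {"GetChanges", "GetChangesAll"} <= r)


if __name__ == "__main__":
    grants = replication_rights(SAMPLE_DOMAIN_SDDL)
    for trustee, rights in grants.items():
        print(f"{trustee}: {', '.join(sorted(rights))}")
    print("DCSync-capable:", dcsync_capable(grants))
```

Note the distinction the second function draws: a principal with only Replicating Directory Changes All (the 1190 SID in the sample) cannot complete DCSync on its own, but it is still an unexpected grant worth removing, and WriteDACL or Owner rights on the domain head would let a principal grant itself the missing right.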
|Medium||CTD-000049: AD domain account with unconstrained delegation||Unconstrained Kerberos delegation is a mechanism in which a copy of the user's Kerberos ticket-granting ticket (TGT) is sent to a service so that the service can access any other resource on behalf of the user. For this mechanism to work, the service account in Active Directory must be marked as trusted for delegation (the TRUSTED_FOR_DELEGATION flag in userAccountControl). Many older web applications use unconstrained delegation to pass authenticated users' credentials on to other services in the Active Directory, such as an SMTP server, file server, database server or another web server. Because the application account can delegate to any service it contacts, a threat actor who compromises the host or account can extract the TGTs of every user who authenticates to it, including privileged users, and impersonate them anywhere in the domain. Domain controllers are trusted for delegation by design and are not a finding; for other accounts, prefer constrained or resource-based constrained delegation, and protect highly privileged accounts by adding them to the Protected Users group or marking them as sensitive and cannot be delegated.|
|Medium||CTD-000053: AD domain accounts with password not required||The msDS-UserPasswordNotRequired attribute shows whether an account may log in without a password; it mirrors the PASSWD_NOTREQD flag in userAccountControl. An account with this flag may have an empty password regardless of the domain password policy. A threat actor might use such an account to access your environment.|
|Medium||CTD-000054: AD user account with DES encryption type enabled||DES uses a 56-bit key and is now considered highly insecure. Accounts that can use DES for Kerberos authentication (the DES types in msDS-SupportedEncryptionTypes, or the USE_DES_KEY_ONLY flag in userAccountControl) are at significantly greater risk of having their logon sequence decrypted and the account compromised. DES is disabled by default on supported Windows versions, so an account with it enabled was configured that way deliberately and should be reviewed.|
|Medium||CTD-000052: AD domain account with Kerberos pre-authentication disabled||An account with Kerberos pre-authentication disabled is vulnerable to offline password-guessing attacks. The Key Distribution Center (KDC), a component of every domain controller, provides the Authentication Service (AS) and the Ticket-Granting Service (TGS). By default, the KDC requires pre-authentication for all accounts. With pre-authentication enabled, the client encrypts a timestamp with the user's password-derived key; if the KDC can decrypt it, it knows the requester holds the key and that the request is not a replay. When pre-authentication is disabled (DONT_REQ_PREAUTH in userAccountControl), anyone can send an AS-REQ for that account and the KDC returns an AS-REP whose encrypted part is protected with the user's key, so it can be brute-forced offline without any further interaction with the domain (an attack commonly called AS-REP roasting). Keep pre-authentication enabled on all accounts; if an application requires it disabled, reduce the permissions of that account. Note that pre-authentication only stops an active attacker: a passive attacker can still capture the client's encrypted timestamp and brute-force it offline, so long passwords and a sound rotation policy remain necessary. For more information, see https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx|
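The account weaknesses in CTD-000049, CTD-000052, CTD-000053 and CTD-000054 are all bit flags in userAccountControl (plus, for DES, the msDS-SupportedEncryptionTypes mask), and the same decoder also covers the never-expire and reversible-encryption flags used by CTD-000001, CTD-000033 and CTD-000055 later on this page. The following Python is an added example for this page, not Cayosoft Guardian code: it decodes those bits over constructed sample accounts, skips disabled accounts, and does not report domain controllers for unconstrained delegation since they are trusted for delegation by design. The comment shows the equivalent LDAP bitwise filter for one flag.

```python
"""Decode userAccountControl and msDS-SupportedEncryptionTypes to flag the account
weaknesses behind CTD-000049 (unconstrained delegation), CTD-000052 (no Kerberos
pre-authentication), CTD-000053 (password not required) and CTD-000054 (DES), plus the
DONT_EXPIRE_PASSWD and reversible-encryption bits used later on this page.
Added example for this page, not Cayosoft Guardian code; the accounts are constructed."""

UAC_FLAGS = {  # bit values from the userAccountControl attribute
    "PASSWD_NOTREQD": 0x00000020,              # CTD-000053
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x00000080,  # CTD-000055 reversible encryption
    "DONT_EXPIRE_PASSWD": 0x00010000,          # CTD-000001 / CTD-000033
    "TRUSTED_FOR_DELEGATION": 0x00080000,      # CTD-000049 unconstrained delegation
    "USE_DES_KEY_ONLY": 0x00200000,            # CTD-000054
    "DONT_REQ_PREAUTH": 0x00400000,            # CTD-000052
}
ACCOUNTDISABLE = 0x00000002
SERVER_TRUST_ACCOUNT = 0x00002000   # writable DC: always trusted for delegation by design
DES_ETYPES = 0x1 | 0x2              # DES_CBC_CRC | DES_CBC_MD5 in msDS-SupportedEncryptionTypes

# The same bit test as an LDAP filter, e.g. accounts without pre-authentication:
#   (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))

SAMPLE_ACCOUNTS = [  # constructed
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | 0x10000 | 0x80000,
     "msDS-SupportedEncryptionTypes": 0x1C},          # RC4 + AES only
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | 0x20 | 0x400000,
     "msDS-SupportedEncryptionTypes": 0x3},           # DES only
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": None},          # attribute not set: KDC defaults apply
    {"sAMAccountName": "old_svc", "userAccountControl": 0x200 | 0x2 | 0x400000,
     "msDS-SupportedEncryptionTypes": None},          # disabled: not an active exposure
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000,
     "msDS-SupportedEncryptionTypes": 0x1C},
]


def assess(account):
    """Return the list of weakness names present on one enabled account."""
    uac = account["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return []  # the KDC will not issue tickets for a disabled account
    findings = [name for name, bit in UAC_FLAGS.items() if uac & bit]
    if uac & SERVER_TRUST_ACCOUNT and "TRUSTED_FOR_DELEGATION" in findings:
        findings.remove("TRUSTED_FOR_DELEGATION")  # expected on every writable DC
    etypes = account.get("msDS-SupportedEncryptionTypes")
    if etypes is not None and etypes & DES_ETYPES:
        findings.append("DES_ETYPE_ENABLED")
    return findings


def scan(accounts):
    """Map sAMAccountName to its findings, omitting clean accounts."""
    result = {}
    for a in accounts:
        findings = assess(a)
        if findings:
            result[a["sAMAccountName"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Skipping disabled accounts is a triage choice, not a security judgement: a disabled account with DONT_REQ_PREAUTH becomes exposed the moment someone re-enables it, so it still belongs on a cleanup list.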
|Medium||CTD-000035: Privileged Azure AD account synced from on-premises||A synchronized user account that is an active or eligible member of an Azure AD administrative role poses a threat to your Azure AD tenant. If the on-premises account is compromised, a threat actor also gains access to your Azure AD resources. Use cloud-only accounts for Azure AD administration.|
|Medium||CTD-000032: Guest account with Azure AD role membership||A guest user account with membership in an Azure AD role poses a threat to your environment. A guest user's account lives in an external Azure AD organization or external identity provider whose security controls you do not govern. If that account is compromised in the external organization, a threat actor might access resources in your tenant with the role's privileges.|
|Medium||CTD-000033: Privileged AD account password set to never expire||The privileged user account whose password never expires poses a threat to your environment. A password obtained by a malicious actor will be valid until the password is changed. In the meantime, the malicious actor will be able to log in to Active Directory, access resources, and inflict damage. Regular password rotation reduces the risk and effectiveness of password-based attacks and exploits by shortening the timeframe during which a compromised password may be valid.|
|Medium||CTD-000034: Privileged AD user synced to Azure AD||Microsoft recommends not synchronizing accounts that hold high privileges in your on-premises Active Directory to Azure AD. If a threat actor compromises the synchronized account in the tenant, they also hold the credentials of its privileged counterpart in Active Directory, because the synchronized account authenticates with the same credentials.|
|Medium||CTD-000039: Azure AD Application Registration with dangling URI||An app registration whose redirect URI points to a hostname that nobody owns any more (for example, the azurewebsites.net name of a deleted App Service) is exposed to subdomain takeover: a threat actor who registers that hostname can receive the authorization codes or tokens Azure AD sends to the app's redirect URI and use them to access data on behalf of users. To prevent this type of attack, remove unused redirect URIs from the Azure AD app registration after deleting the corresponding App Service. Additionally, periodically review app registrations and remove any unused or dangling redirect URIs to reduce the risk of unauthorized access to sensitive data and resources.|
|Medium||CTD-000014: Azure AD tenant configured to allow guests to invite other guests||A guest invitation configuration in which guest users can invite other guest users poses a threat to the tenant's identities. Even with limited access, guest users can collect some data about the environment; for example, they can verify whether other users exist. A threat actor might use a guest account to collect information for future attacks, and with guest-to-guest invitations one compromised guest can bring in further accounts that nobody in the organization approved.|
|Medium||CTD-000015: Azure AD tenant with unsecure Guest user access permissions||The Azure AD tenant is configured with unsecure guest user access permissions. With the current setting, a threat actor who holds a guest account can enumerate groups and users with a tool such as AADInternals. These directory reads are not recorded in the audit log, so the threat actor's actions cannot be easily detected. Set guest user access to the most restrictive level, which limits guests to the properties and memberships of their own directory objects.|
|Medium||CTD-000016: Azure AD role with permanent active members||Permanent active role assignments might indicate threat activity. If an account with a permanent active role assignment is compromised, the threat actor immediately obtains administrative privileges. Using only time-limited, eligible assignments for administrators improves the tenant's security posture because role activation can then be protected with MFA or an approval step.|
|Medium||CTD-000017: Azure AD role with permanent eligible members||Permanent eligible role assignments might be an indication of threat activities or misconfiguration. If an account with permanent eligible role membership is compromised, a threat actor might immediately get access to administrative privileges if role activation is not properly protected. Using only time-limited role assignments for administrators increases security posture in your tenant.|
|Medium||CTD-000003: AD forest with anonymous access enabled over Name Service Provider Interface||Anonymous NSPI access to AD is enabled in the Active Directory forest. Anonymous name service provider interface (NSPI) access to AD is a feature that allows anonymous RPC-based binds to AD. A threat actor might use this protocol to get initial access to the environment.|
|Medium||CTD-000004: AD object with non-default primary group||A user or computer account whose primaryGroupID is set to a non-default value is a possible indication of threat activity. The attribute holds the RID of the account's primary group: by default 513 (Domain Users) for users, 515 (Domain Computers) for computers and 516 (Domain Controllers) for domain controllers. Setting it to the RID of another group, such as 512 for Domain Admins, gives the account the same permissions as members of that group, yet the account does not appear in the group's member attribute, so auditing solutions that only monitor member changes miss it. Changing primaryGroupID therefore allows a threat actor to silently elevate their permissions and hide their persistence in the domain.|
|Medium||CTD-000037: AD object with privileged SIDs in the sIDHistory||An Active Directory object with privileged SIDs in its sIDHistory attribute could indicate threat actor activity. A Security Identifier (SID) is the unique identifier Active Directory uses to refer to a security principal in security descriptors and access tokens, and sIDHistory is normally populated only during migrations so that a migrated account keeps the access granted to its old SID. Threat actors use SID History injection to add privileged SIDs to regular accounts and escalate privileges: for example, adding the Enterprise Admins SID to the sIDHistory of a regular user makes that user an effective Enterprise Admin in every domain of the forest, without any visible group membership. Detecting privileged SIDs in sIDHistory helps identify breaches and limit the impact of privilege escalation; if no migration is in progress, any such value is suspect. Regularly monitoring and auditing sIDHistory is essential to maintaining the security of Active Directory.|
|Medium||CTD-000006: Anonymous access enabled in AD forest||Enabled anonymous access poses a threat to the Active Directory forest. Threat actors might use anonymous access over the Lightweight Directory Access Protocol (LDAP) to collect information about users, groups and other objects without any credentials, which helps them plan further attacks.|
|Medium||CTD-000008: Azure AD app with client secrets||App registration with client secrets poses a threat. A client secret is a string value that might be used in config files or scripts, and it can be easily compromised. Once the secret is compromised, any permissions granted to the service principal can be used by a threat actor to perform actions on behalf of an application.|
|Medium||CTD-000020: Azure AD tenant with Privileged Identity Management not being used||In a tenant with Privileged Identity Management (PIM), Azure AD roles can be secured with an additional approval process and require MFA on activation. Without PIM, if a threat actor gets access to an account with membership in a powerful role such as Global Admin he will be able to use it right away. PIM provides a time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.|
|Medium||CTD-000021: Azure AD tenant with security defaults not enabled||Azure AD supports the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication can't prompt users for second factor authentication or other authentication requirements needed to satisfy conditional access policies. With legacy authentication allowed in the tenant, a threat actor might use previously obtained credentials to log in and access resources.|
|Medium||CTD-000038: Azure AD tenant with unsecure access to Azure management||Organizations use many Azure services and manage them from Azure Resource Manager based tools like Azure portal, Azure PowerShell, and Azure CLI. These tools can provide highly privileged access to resources. To protect these privileged resources, Microsoft recommends requiring multifactor authentication (MFA) for any user accessing these resources. Without MFA enforced, a threat actor might compromise an account and immediately get access to the privileged resources.|
|Medium||CTD-000022: Azure AD tenant where regular users can register applications||Custom-developed applications might pose a threat to your environment. A threat actor might use an application to access data in the tenant on behalf of a user. It is recommended to prevent regular users from registering their own applications and let administrators review and register applications. This ensures that the application undergoes a security review before exposing the tenant's data to the application.|
|Medium||CTD-000041: Azure AD tenant with unsecure token persistence||A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices. After an administrator logs in on a device, PRT is cached on the client. If a device used by the administrator is left unattended or compromised, a threat actor might be able to extract PRT and use it to access your tenant bypassing MFA.|
|Medium||CTD-000024: Azure AD tenant with unsecure app consent policy configuration||A current tenant policy allows all users to consent to any permission that doesn't require admin consent, for any application. With such a policy enabled, threat actors might receive unwarranted access to users' data via so-called consent phishing. Threat actors trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user's password, a threat actor is seeking permission for an attacker-controlled app to access valuable data.|
|Medium||CTD-000027: Built-in domain Administrator account used recently||The usage of a built-in domain Administrator account might be an indication that the account has been compromised. The built-in domain Administrator account should not be used for day-to-day management tasks.|
|Low||CTD-000028: Computer not resetting its password periodically||A computer account that has not automatically changed its password might indicate threat activity or a device that no longer exists. Computer accounts change their passwords every 30 days by default. A computer account password that never changes gives a threat actor who obtains it (for example, from a decommissioned machine or a backup) the indefinite ability to authenticate to the domain as that computer.|
|Low||CTD-000045: Azure AD user not registered with MFA||
An account of a regular user that is not registered with MFA or uses insecure authentication methods lacks sufficient protection against modern threats. According to a report by Microsoft, multi-factor authentication can block more than 99.9% of account hacking attempts. Multi-factor authentication is a security process that prompts users for an additional form of identification, such as a code on their cellphone or a fingerprint scan, during the sign-in process.
Using only a password to authenticate a user is risky because a malicious actor can easily gain access if they guess a weak password or find it exposed elsewhere. However, requiring a second form of authentication increases security because, in most cases, a malicious actor cannot bypass this additional challenge. By enabling multi-factor authentication, organizations can significantly improve their security posture and protect against various forms of attacks, such as phishing, brute force, and credential stuffing.
|Low||CTD-000026: Regular Azure AD user with Exchange Online PowerShell enabled||A regular Azure AD user account with Exchange Online PowerShell enabled poses a threat to your environment. Access to Exchange Online PowerShell doesn't give users extra administrative powers in your organization, however, threat actors may use Exchange Online PowerShell to access the mailbox or modify inbox rules or configure forwarding SMTP addresses. Also, a compromised user mailbox with Exchange Online PowerShell enabled can be used to initiate a mass phishing attack by sending emails to other users in the tenant. Disabling Exchange Online PowerShell for users, who don't need it to perform administrative tasks, reduces the possible impact if such an account is compromised.|
|Low||CTD-000023: Azure AD tenant with unsecure delegation of Global Admin role||Having only one global administrator account is a potential threat to your environment. There should be at least two accounts for redundancy and audit purposes. With only one global administrator a threat actor can perform malicious activities and she will not be discovered by another administrator. However, too many global administrator accounts increase the possibility that one of the accounts will be breached by a threat actor.|
|Low||CTD-000019: Azure AD tenant with Microsoft 365 groups exposed to the whole organization||A public group might pose a threat as all users in the organization might have access to the group's content. A threat actor can add herself to any public group using the Azure portal and access resources such as SharePoint documents or Teams chats.|
|Low||CTD-000040: Azure AD guest account with unredeemed invite||Unredeemed invitations might be used by a threat actor to create a persistence in the tenant. As there are multiple attacks that use unredeemed invitations and there is no expiration for invitations, it is strongly recommended to delete such invitations.|
|Low||CTD-000009: Azure AD app with risky read permissions||
Apps with risky permissions can pose a significant threat to your Azure AD tenant. Threat actors can exploit such apps to gain long-term access to sensitive data and resources, such as contacts, mail, notes, mailbox settings, user directory, and files. One of the attack techniques that threat actors use is the consent grant attack.
In this attack, an attacker registers an app with an OAuth 2.0 provider, such as Azure AD. The app is configured in a way that makes it seem legitimate, often using the name of a popular product available in the same ecosystem. The attacker then gets a link directly from users, which may be done through conventional email-based phishing, compromising a non-malicious website, or other techniques.
If the user clicks on the link, they are shown an authentic consent prompt asking them to grant the malicious app permissions to sensitive data. If the user accepts, the app receives an authorization code, which it redeems for an access token, and potentially a refresh token. The access token can be used to make API calls on behalf of the user.
If the user grants the app permissions, the attacker can gain access to the user's sensitive data and resources, such as mails, forwarding rules, files, contacts, notes, profile, and more. To mitigate the risk of such attacks, organizations should regularly review and monitor their Azure AD apps and permissions, educate users about the risks of granting permissions to unknown apps, and enforce the principle of least privilege to limit access to sensitive data and resources.
|Low||CTD-000002: AD domain with built-in domain Guest account enabled||An enabled built-in guest account poses a threat to your Active Directory environment. A threat actor can use a guest account to gather the information that he can use to plan future malicious operations.|
|Low||CTD-000055: AD domain account with password stored using reversible encryption||Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A threat actor who is able to break this encryption can then sign in to network resources by using the compromised account. For this reason, never enable Store password using reversible encryption for users in the domain unless application requirements outweigh the need to protect password information|
|Low||CTD-000036: Stale administrative account in AD domain||Enabled administrative account that has not logged in during the specified period poses a threat to your Active Directory environment. Such an account could be used by a former employee or another threat actor. An unused administrative account increases the potential attack surface.|
|Informational||CTD-000007: Azure AD Administrative Units are not being used||Usage of Administrative Units enhances tenant's protection against threats. When planning your access control strategy, there are three aspects to consider when you assign a role to your administrators: a specific set of permissions, over a specific scope, for a specific period of time. The least privilege means you grant your administrators exactly the permission they need to do their job. By limiting scopes with Administrative units, you limit what resources are at risk if the security principal is ever compromised.|
|Informational||CTD-000001: AD domain account's password set to never expire||A user account whose password never expires poses a threat to your Active Directory environment. Password rotation reduces the risk and effectiveness of password-based attacks and exploits by shortening the timeframe during which a compromised password may be valid. A threat actor might obtain a password and use it until the password is valid.|
|Informational||CTD-000029: Computer with unsupported OS version in AD domain||A computer with an unsupported operating system version poses a threat to your Active Directory environment. A threat actor might specifically target computers running unsupported OS versions, as they might have unpatched vulnerabilities.|
|Informational||CTD-000030: Exchange Online mailbox with Full Access permission assigned||Exchange Online mailbox with Full Access permissions assigned might be an indication of threat activities. A threat actor might configure permissions to access the compromised mailbox without being noticed.|
|Informational||CTD-000031: Exchange Online mailbox with SMTP forwarding address||Exchange Online mailbox with SMTP forwarding address might be an indication of threat activities. A threat actor might use an SMTP forwarding address to receive emails from the compromised mailbox.|
Please sign in to leave a comment.