Indicators of Exposure Reference

Understanding Alsid's IOE

Alsid provides simple, non-specialist procedures to improve the security posture of an Active Directory service without tampering with its critical functions. Active Directory Monitoring uses Indicators of Exposure (IoE) to consistently detect infrastructure breaches as soon as they appear.

Each IoE measures the feasibility of a real-world attack scenario, ranging from "textbook" actions to the most recent and elaborate attacks identified by Active Threat Intelligence, making Alsid a pragmatic, field-oriented security solution.

These Indicators of Exposure also help support standards and regulatory requirements and automate the production of compliance reports.

Privilege escalation attack vectors
Backdooring and persistence techniques
Dangerous security model design

Privilege escalation attack vectors

These IoEs ensure that the monitored Active Directory infrastructures cannot be exploited by attackers to gain administrative privileges.

| IoE Name | Details | Known offensive tools | Known attacker groups using this technique |
| --- | --- | --- | --- |
| Privileged accounts running Kerberos services | Highly privileged accounts use a brute-forceable Kerberos Service Principal Name | Kerberom | Regin APT |
| Dangerous Kerberos delegation | Check that no dangerous delegation (unconstrained, protocol transition, etc.) is authorized | Nishang | APT29 |
| Use of weak cryptographic algorithms in the Active Directory PKI | Root certificates deployed on the internal Active Directory PKI must not use weak cryptographic algorithms | ANSSI-ADCP | Not used by attackers (yet) |
| Dangerous access rights delegation on critical objects | Some access rights allowing illegitimate users to control critical objects have been found | BloodHound | Carbanak APT |
| Dangerous parameters defined in the User Account Control configuration | The User Account Control attribute of some user accounts defines dangerous parameters (e.g. PASSWD_NOTREQD or PARTIAL_SECRETS_ACCOUNT), which endanger the security of those accounts | Mimikatz (LSADump) | Operation Olympic Games |
| Accounts using pre-Windows 2000 compatible access control | Accounts that are members of the Pre-Windows 2000 Compatible Access group can bypass specific security measures | Impacket | DarkHotel |
| Administrative accounts allowed to connect to systems other than the Domain Controllers | The security policies deployed on the monitored infrastructure do not prevent administrative accounts from connecting to resources other than DCs, exposing sensitive credentials | CrackMapExec | Operation Olympic Games |
| Dangerous parameters used in GPOs | Some dangerous parameters (e.g. restricted groups, LM hash computation, NTLM authentication level, sensitive parameters, etc.) are set by GPO, creating security breaches | Responder | Viceroy Tiger |
| Lacking restrictions on the lateral movement attack scenario | Lateral movement restriction has not been activated on the monitored Active Directory infrastructure, allowing attackers to bounce from machine to machine with the same level of privileges | CrackMapExec | APT28 |
| Computers running an obsolete OS | Obsolete systems are no longer supported by their vendor and greatly increase the vulnerability of the infrastructure | Metasploit | Shell_Crew |
| Sensitive GPOs linked to critical objects | Some GPOs managed by non-administrative accounts are linked to sensitive Active Directory objects (e.g. the KDC account, Domain Controllers, administrative groups, etc.) | ANSSI-ADCP | Deadeye Jackal |
| Dangerous access control rights on logon scripts | Some scripts run during a computer or user logon have dangerous access rights, leading to privilege escalation | Metasploit | DarkHotel |
| Abnormal RODC filtered attributes | The filtering policies applied on some Read-Only Domain Controllers can lead to sensitive information being cached, allowing privilege escalation | Mimikatz (DCShadow) | Not used by attackers (yet) |
| Reversible passwords in GPOs | Verify that no GPO contains passwords stored in a reversible format | SMB Password crawler | APT28 |
| Dangerous RODC management accounts | The administrative groups in charge of Read-Only Domain Controllers contain abnormal accounts | Impacket | Not used by attackers (yet) |
| Dangerous anonymous users configuration | Anonymous access is activated on the monitored Active Directory infrastructure, leading to sensitive information leaks | Impacket | SAMAS Ransomware |
| Clear-text passwords stored in DC shares | Some files on DC shares, accessible to any authenticated user, are likely to contain clear-text passwords, allowing privilege escalation | SMBSpider | Corsair Jackal |
| Local administrative account management | Ensure local administrative accounts are managed centrally and securely using LAPS | CrackMapExec | Operation Aurora |
| Dangerous trust relationship | Misconfigured trust relationship attributes decrease the security of the directory infrastructure | Kekeo | NotPetya |
| Multiple issues in the password policy | On some specific accounts, the current password policies are insufficient to ensure robust credential protection | Patator | Carbanak APT |
| Lacking application of security patches | Lateral movement restriction has not been activated on the monitored Active Directory infrastructure, allowing attackers to bounce from machine to machine with the same level of privileges | Metasploit | Putter Panda |
| Brute force attempt on user accounts | Some user accounts have been targeted by a brute-force attempt | Patator | APT28 |
| Kerberos configuration on user accounts | Some accounts are using a weak Kerberos configuration | Mimikatz (Silver Ticket) | APT28 |
| Abnormal share or file stored on the DC | Some domain controllers are used to host unnecessary files or network shares | SMBSpider | Flying Kitten |

Backdooring and persistence techniques

These IoEs verify that no Active Directory backdoors have been set on your environment by attackers and ensure the efficiency of the deployed security strategies.

| IoE Name | Details | Known offensive tools | Known attacker groups using this technique |
| --- | --- | --- | --- |
| Ensure SDProp consistency | Verify that the adminSDHolder object is in a clean state | Mimikatz (Golden Ticket) | Equation Group |
| Accounts having a dangerous SID History attribute | Check for user or computer accounts using a privileged SID in their SID History attribute | DeathStar | APT28 |
| KDC password last change | The KDC account password must be changed regularly | Mimikatz (Golden Ticket) | Epic Turla |
| Verify sensitive GPO objects and files permissions | Ensure that the permissions set on the GPO objects and files linked to sensitive containers (like the Domain Controllers OU) are sane | BloodHound | Equation Group |
| Sensitive certificates mapped to user accounts | Some X.509 certificates are stored in the altSecurityIdentities user account attribute, allowing the owner of the certificate's private key to authenticate as this user | Not implemented (yet) | Not used by attackers (yet) |
| Verify root domain object permissions | Ensure the permissions set on the root domain object are sane | BloodHound | Operation Olympic Games |
| Rogue domain controllers | Ensure only legitimate Domain Controller servers are registered in the Active Directory infrastructure | Mimikatz (DCShadow) | Not used by attackers (yet) |
| Rogue Krbtgt SPN set on regular account | The Service Principal Name of the KDC is present on some regular user accounts, enabling Kerberos ticket forgery | Mimikatz (Golden Ticket) | Not used by attackers (yet) |
| User primary group ID | Verify that users' primary group has not been changed | BloodHound | Operation Ke3chang |
| Dangerous access rights on RODC KDC account | The KDC account used on some Read-Only Domain Controllers can be controlled by illegitimate user accounts, leading to credential leaks | Mimikatz (DCSync) | Not used by attackers (yet) |
| Dangerous caching policy on RODC | The caching policy configured on some Read-Only Domain Controllers allows global administrative accounts to have their credentials cached and retrieved by RODC management accounts | Mimikatz (DCSync) | Not used by attackers (yet) |
| DSRM account activated | The Active Directory recovery account has been activated, exposing it to credential theft | Mimikatz (LSADump) | Shamoon |
| Abnormal entries in the Schema security descriptor | The Active Directory Schema has been modified, introducing new standard access rights or objects that can endanger the monitored infrastructure | BloodHound | DUQU 2.0 |
| Illegitimate BitLocker key access control | Some BitLocker recovery keys stored in Active Directory can be accessed by people other than administrators and the linked computers | ANSSI-ADCP | Equation Group |
| Certificate deployed by GPO applied on DC | Some GPOs are used to deploy certificates on Domain Controllers, allowing the owner of the certificate's private key to compromise these servers | BloodHound | Not used by attackers (yet) |
| Reversible passwords for user accounts | Verify that no parameter causes passwords to be stored in a reversible format | Mimikatz (DCSync) | Poseidon APT |
| Authentication hash not renewed when using smartcard | Some user accounts using smartcard authentication do not renew their credential hash frequently enough | Mimikatz (LSADump) | Rescator |
| Use of explicit denied access on containers | Some Active Directory containers or OUs define explicit deny access entries, allowing backdoors to be concealed | BloodHound | DarkHotel |

Dangerous security model design

These IoEs ensure that the monitored Active Directory infrastructures implement the recommended security strategies, which help make the information system more resilient against cyber attacks.

| IoE Name | Details | Known offensive tools | Known attacker groups using this technique |
| --- | --- | --- | --- |
| Disabled accounts in privileged groups | Accounts that are no longer used should not remain in privileged groups | Mimikatz (Silver Ticket) | Guardians of Peace |
| Inappropriate number of Domain Controllers | Compared to the size of the monitored Active Directory infrastructure, the number of Domain Controllers seems inappropriate | Metasploit | APT1 |
| Accounts with never-expiring passwords | Accounts with the DONT_EXPIRE property are not affected by the password renewal policy | Impacket | DUQU 2.0 |
| AdminCount attribute set on standard users | Some decommissioned administrative accounts are not globally manageable | CrackMapExec | APT1 |
| Presence of blocking OUs | Some organizational units block the application of security policies deployed by GPO | Responder | APT28 |
| Native administrative group members | Abnormal accounts are present in the native administrative groups of Active Directory | Impacket | APT28 |
| Domain using a dangerous backward-compatibility configuration | The dSHeuristics attribute can modify AD behavior and have security impacts | Enum | Epic Turla |
| Sleeping accounts | Unused (sleeping) accounts are still enabled | Mimikatz (Token Impersonate) | Poseidon APT |
| Protected Users group not created or not used | Verify that the Protected Users group has been created in the Active Directory forest and is used | Mimikatz (Silver Ticket) | Rescator |
| Domains have an outdated functional level | A low functional level prevents the use of advanced functionalities or improvements | Patator | Epic Turla |
| Unlinked, disabled or orphan GPOs | Having unlinked, disabled or orphan GPOs can lead to administrative errors | GPOInjection | Equation Group |
| Recent use of the default administrator account | The built-in administrator account has been used recently | Mimikatz (Token Impersonate) | Hurricane Panda |
| Account naming convention not fully respected | Some accounts do not follow the naming convention defined for the monitored infrastructure | Responder | Putter Panda |
| Lacking the use of Managed Service Accounts | Some compatible service accounts are not using the Active Directory Managed Service Accounts feature to renew their password automatically | Patator | NotPetya |
| Active Directory event logs not centralized | Active Directory event logs do not appear to be centralized and harvested to ensure efficient incident response | Metasploit | Regin APT |
| Lacking the use of Advanced Audit Policy | The modern Active Directory event logging feature is not used, leading to inadequate security event monitoring | Mimikatz (LSADump) | Guardians of Peace |
| Regular users can add new computers into AD domain | Regular users are allowed to add new computers to the monitored Active Directory domains without the administrative teams' approval | Mimikatz (DCShadow) | Operation Aurora |
| Use of non-canonical ACEs | Some access control policies set on Active Directory objects use non-canonical ACEs, which can lead to misleading information | Empire | Equation Group |
| Lack of Active Directory backups | The monitored AD infrastructure does not seem to take regular backups | Impacket | WannaCry Ransomware |
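Several indicators in the tables above (dangerous User Account Control parameters, dangerous Kerberos delegation, reversible passwords for user accounts, accounts with never-expiring passwords) are evaluated from bits of the userAccountControl attribute. The following Python check is an added example, not Alsid's code: the flag values are the documented Active Directory userAccountControl bits, and the sample account export is constructed for the demonstration.

```python
# Evaluate userAccountControl (UAC) bits the way an exposure indicator would.
# Flag values are the documented AD bits; sample accounts below are constructed.
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080          # reversible password storage
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained Kerberos delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition
PARTIAL_SECRETS_ACCOUNT = 0x4000000          # legitimate only on RODC computer accounts
# Each dangerous bit maps to the indicator it trips; list order fixes report order
CHECKS = [
    (PASSWD_NOTREQD, "UAC: PASSWD_NOTREQD"),
    (ENCRYPTED_TEXT_PWD_ALLOWED, "Reversible password"),
    (DONT_EXPIRE_PASSWORD, "Never-expiring password"),
    (TRUSTED_FOR_DELEGATION, "Unconstrained delegation"),
    (TRUSTED_TO_AUTH_FOR_DELEGATION, "Protocol transition"),
    (PARTIAL_SECRETS_ACCOUNT, "UAC: PARTIAL_SECRETS_ACCOUNT"),
]

def findings(uac, object_class):
    """Return the indicators triggered by one account's UAC value."""
    hits = []
    for flag, name in CHECKS:
        if not uac & flag:
            continue
        # RODC computer accounts legitimately carry PARTIAL_SECRETS_ACCOUNT
        if flag == PARTIAL_SECRETS_ACCOUNT and object_class == "computer":
            continue
        hits.append(name)
    return hits

def scan(accounts):
    """Map sAMAccountName -> triggered indicators; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        hits = findings(acct["userAccountControl"], acct["objectClass"])
        if hits:
            report[acct["sAMAccountName"]] = hits
    return report

# Constructed sample export: 0x200 = NORMAL_ACCOUNT, 0x1000/0x2000 = trust accounts
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x200 | 0x80 | 0x10000, "objectClass": "user"},
    {"sAMAccountName": "web01$", "userAccountControl": 0x1000 | 0x80000, "objectClass": "computer"},
    {"sAMAccountName": "rodc01$", "userAccountControl": 0x2000 | 0x4000000, "objectClass": "computer"},
    {"sAMAccountName": "kiosk", "userAccountControl": 0x200 | 0x20 | 0x4000000, "objectClass": "user"},
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(hits)}")
```

In a real run the records would come from an LDAP export of the domain; the RODC exception shows why the same bit is an exposure on a user account but expected on a Read-Only Domain Controller's computer account.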
