Governance, risk, and compliance (GRC) is essential for maintaining security, ensuring regulatory compliance, and mitigating risks associated with identities. A thorough risk assessment helps identify vulnerabilities, such as excessive permissions, weak authentication mechanisms, and misconfigurations that could be exploited by attackers. ADManager Plus enhances risk assessment by providing key risk indicators that help organizations discover and address security gaps within their Active Directory (AD) and Microsoft 365 environments. Each risk indicator is analyzed based on its potential impact and likelihood of occurrence, allowing organizations to focus on the most critical threats and vulnerabilities. By leveraging these indicators, organizations gain actionable insights, can instantly remediate risks, and significantly strengthen their overall security posture.
Risk indicators for user accounts. The first set of rows covers privileged users (members of the default privileged groups and Microsoft 365 role holders); the second set covers the same checks for non-privileged users, which are rated lower.

| Category | Risk indicator | Description | Severity | Framework |
|---|---|---|---|---|
| Account security | Inactive Users (privileged) | Detects privileged users who have been inactive for the configured period. The accounts may belong to former employees or may already have been taken over, and their passwords may or may not have expired. Nobody is watching them, so an attacker who obtains their credentials has an unmonitored foothold and, because the accounts are privileged, can use them for domain-level attacks such as DCSync, DCShadow or forging Golden Tickets. | High | MITRE ATT&CK, ANSSI |
| Account security | Users Who Never Logged On (privileged) | Detects privileged accounts whose lastLogon value is 0. Such accounts are usually recently created and never used, and may still carry a common, default or blank initial password, making them easy targets for password guessing. Note that lastLogon is not replicated, so the check must query every domain controller (lastLogonTimestamp is replicated but can lag by up to 14 days). | High | MITRE ATT&CK |
| Account security | Users with Unchanged Passwords (privileged) | Identifies privileged users who have not changed their password in the last N days (45 days by default). A long-lived password gives an attacker more time to guess or crack it (password spraying, brute force, offline cracking of Kerberoasted tickets) and keeps stolen credentials valid; the risk is highest when the password is default, common or weak. | High | MITRE ATT&CK, ANSSI |
| Password and authentication security | Users Whose Password Never Expires (privileged) | Looks for privileged users whose password is set to never expire (the UF_DONT_EXPIRE_PASSWD flag). Such passwords are never rotated, so a guessed or stolen credential stays valid indefinitely and can lead to data breaches and exposure. | High | MITRE ATT&CK, ANSSI |
| Password and authentication security | Users with Password Not Required Enabled (privileged) | Identifies privileged users with the PasswordNotRequired flag (UF_PASSWD_NOTREQD) set. The flag bypasses the password policy, so the account may have a blank or policy-violating password; it can be used to reach critical resources and data and also breaches compliance requirements. | Critical | MITRE ATT&CK |
| Account security | Disabled Users (privileged) | Detects disabled privileged accounts. They are typically left undeleted for auditing purposes or because no delete/disable policy exists; an attacker with the right to re-enable them regains a ready-made privileged identity. | Low | MITRE ATT&CK |
| Password and authentication security | Members of Privileged Groups | Lists the members of the default privileged groups. These are the accounts an attacker needs in order to run DCSync or DCShadow, so they are prime targets for privilege escalation and insider misuse; the list should be as short as possible. | Low | MITRE ATT&CK |
| Account security | Users With SID History (privileged) | Detects privileged users with a populated sIDHistory attribute. After a domain migration the attribute legitimately carries the old SID, but it can also be injected with a high-privilege SID (for example that of Domain Admins) to give a lesser account access it should not have, with excessive control over sensitive resources. | Low | MITRE ATT&CK, ANSSI |
| Password and authentication security | Kerberos Pre-authentication Disabled Users (privileged) | Identifies privileged users with Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH). Anyone can request an AS-REP for such an account without knowing its password; part of the reply is encrypted with the user's key and can be cracked offline (AS-REP roasting). | High | MITRE ATT&CK, ANSSI |
| Password and authentication security | Users Without Fine-grained Password Policy (privileged) | Detects privileged users to whom no fine-grained password policy (PSO) applies, so they fall back to the default domain policy. These high-value accounts are then protected only by the domain-wide minimums and are easier to crack by brute-force or dictionary attacks. | High | MITRE ATT&CK |
| Password and authentication security | Accounts With Passwords Stored Using Reversible Encryption (privileged) | Detects privileged accounts whose passwords are stored using reversible encryption (UF_ENCRYPTED_TEXT_PWD_ALLOWED). Anyone who can read the directory database, or run DCSync, recovers the clear-text password rather than a hash, giving immediate credentials for unauthorized access and lateral movement. | High | MITRE ATT&CK, ANSSI |
| Password and authentication security | Kerberos DES Encryption Enabled Users (privileged) | Identifies privileged users for whom Kerberos DES encryption is enabled (UF_USE_DES_KEY_ONLY). DES is a 56-bit cipher that can be brute-forced, so tickets issued with DES keys can be cracked to recover the account's key and gain unauthorized access to resources. | High | MITRE ATT&CK, ANSSI |
| AD Delegation and trust | Accounts With Service Principal Names (SPNs) (privileged) | Identifies privileged user accounts that have a service principal name. Any domain user can request a service ticket for an SPN; the ticket is encrypted with the service account's password hash and can be cracked offline (Kerberoasting). A privileged account with an SPN and a weak password therefore hands its privileges to the attacker, and overlooked SPNs are a common entry point. | Low | MITRE ATT&CK, ANSSI |
| Password and authentication security | User Accounts With Weak Password Policy (privileged) | Detects privileged users whose effective password policy (default domain policy or PSO) is weak, for example a short minimum length, no complexity requirement or no lockout. Weak policies make brute-force and dictionary attacks feasible, and cracked credentials let threat actors move through the network and steal sensitive information. | Medium | MITRE ATT&CK, ANSSI |
| Password and authentication security | Users Without MFA - Microsoft 365 (privileged) | Detects privileged Microsoft 365 users without MFA. A single stolen or guessed password, obtained by phishing, password spraying, brute force, credential stuffing or malware, is then enough to take over the account. | High | MITRE ATT&CK |
| Privileged identity security | Multitude of Privileged Users - Microsoft 365 | Detects and lists Microsoft 365 privileged users when there are more than 10. Every additional privileged user widens the attack surface, increases the insider-threat potential and makes monitoring and access management harder. | Low | MITRE ATT&CK |
| Privileged identity security | Multitude of Global Administrators - Microsoft 365 | Detects and lists users holding the Global Administrator role. These accounts control the entire tenant; a compromised one can create accounts, alter permissions and access any resource without raising suspicion, and having many of them makes change tracking, compliance and auditing difficult. Microsoft's own guidance is to keep fewer than five. | Medium | MITRE ATT&CK |
| Account security | Inactive Users - Microsoft 365 (privileged) | Identifies inactive privileged Microsoft 365 users. If such accounts are not disabled or removed, they keep their access to sensitive resources while nobody notices their use, creating security and compliance risk (unauthorized access, data breaches, phishing from a trusted mailbox). | High | MITRE ATT&CK |
| Account security | Never Logged On Users - Microsoft 365 (privileged) | Detects privileged users who have never signed in to any Microsoft 365 service. Left unchecked, these are easy, unmonitored targets, and their elevated privileges give an attacker immediate access to resources. | High | MITRE ATT&CK |
| Account security | Blocked Users - Microsoft 365 (privileged) | Detects blocked privileged Microsoft 365 accounts. They are blocked rather than deleted for auditing purposes or for lack of a delete/disable policy; an attacker with administrative rights can unblock one and reuse a privileged identity. | High | MITRE ATT&CK |
| Account security | Synced User Accounts - Microsoft 365 (privileged) | Identifies privileged Microsoft 365 accounts synchronized from on-premises AD. Synchronization gives unified access, but if privileged cloud roles such as Global Administrator are assigned to synced accounts, a compromised on-premises account (or a compromised on-premises AD) becomes a direct path into the tenant. Microsoft's guidance is to use cloud-only accounts for privileged roles. | High | MITRE ATT&CK |
| Password and authentication security | Users With AdminCount Value | Detects users whose adminCount attribute is 1. SDProp sets the attribute when an account is in a protected group and does not clear it when the account is removed, so adminCount=1 on an account that is not in a privileged group indicates stale protection or a past privileged membership, possibly one removed to hide earlier access. Such accounts also keep the restrictive AdminSDHolder ACL with inheritance disabled. | Low | |
| Account security | Inactive Users | Detects users who have been inactive for the configured period. The accounts may belong to former employees or may already have been taken over, and their passwords may or may not have expired; because nobody is watching them, they give an attacker an unmonitored foothold from which to escalate towards attacks such as DCSync, DCShadow or Golden Ticket. | High | MITRE ATT&CK, ANSSI |
| Account security | Disabled Users | Detects disabled user accounts in the domain. They are typically left undeleted for auditing purposes or because no delete/disable policy exists. | Low | NA* |
| Account security | Users with Unchanged Password | Identifies users who have not changed their password in the last N days (45 days by default). Long-lived passwords give an attacker more time to guess or crack them (password spraying, brute force, offline cracking of Kerberoasted tickets) and keep stolen credentials valid, especially when the password is default, common or weak. | Medium | MITRE ATT&CK |
| Account security | Users Who Never Logged On | Detects accounts whose lastLogon value is 0. Such accounts are usually recently created and never used, and may still carry a common, default or blank initial password, making them easy targets for password guessing. | Medium | MITRE ATT&CK |
| Password and authentication security | Users with Password Not Required Enabled | Identifies users with the PasswordNotRequired flag (UF_PASSWD_NOTREQD) set. The flag bypasses the password policy, so the account may have a blank or policy-violating password; it can be used to reach critical resources and also breaches compliance requirements. | High | MITRE ATT&CK, ANSSI |
| Password and authentication security | Users Whose Password Never Expires | Looks for users whose password is set to never expire. Such passwords are never rotated, so a guessed or stolen credential stays valid indefinitely. | Medium | MITRE ATT&CK, ANSSI |
| Account security | Users With SID History | Detects users with a populated sIDHistory attribute. After a migration the attribute legitimately carries the old SID, but it can also be injected with a high-privilege SID (for example that of Domain Admins) to give a lesser account access it should not have. | Low | MITRE ATT&CK |
| Password and authentication security | Kerberos Pre-authentication Disabled Users | Identifies users with Kerberos pre-authentication disabled. Anyone can request an AS-REP for such an account without knowing its password; part of the reply is encrypted with the user's key and can be cracked offline (AS-REP roasting). | Medium | MITRE ATT&CK |
| Password and authentication security | Accounts With Passwords Stored Using Reversible Encryption | Detects accounts whose passwords are stored using reversible encryption. Anyone who can read the directory database recovers the clear-text password rather than a hash, giving immediate credentials for unauthorized access and lateral movement. | Medium | MITRE ATT&CK, ANSSI |
| Password and authentication security | Kerberos DES Encryption Enabled Users | Identifies users for whom Kerberos DES encryption is enabled. DES is a 56-bit cipher that can be brute-forced, so tickets issued with DES keys can be cracked to recover the account's key. | Medium | MITRE ATT&CK, ANSSI |
| Password and authentication security | User Accounts With Weak Password Policy | Detects users whose effective password policy (default domain policy or PSO) is weak. Weak policies make brute-force and dictionary attacks feasible, and cracked credentials let threat actors move through the network and steal sensitive information. | Medium | MITRE ATT&CK |
| Password and authentication security | Users Without MFA - Microsoft 365 | Detects Microsoft 365 users without MFA. A single stolen or guessed password, obtained by phishing, password spraying, brute force, credential stuffing or malware, is then enough to take over the account. | Medium | MITRE ATT&CK |
| Account security | Inactive Users - Microsoft 365 | Identifies inactive Microsoft 365 users. Accounts that are not disabled or removed keep their access to resources while nobody notices their use, creating security and compliance risk. | Medium | MITRE ATT&CK |
| Account security | Never Logged On Users - Microsoft 365 | Detects users who have never signed in to any Microsoft 365 service. Left unchecked, they are easy, unmonitored targets for account takeover. | Medium | MITRE ATT&CK |
| Account security | Blocked Users - Microsoft 365 | Detects blocked Microsoft 365 accounts. They are blocked rather than deleted for auditing purposes or for lack of a delete/disable policy, and can be unblocked by an attacker with administrative rights to regain access to resources. | Low | MITRE ATT&CK |
Risk indicators for computer accounts:

| Category | Risk indicator | Description | Severity | Framework |
|---|---|---|---|---|
| Account security | Disabled Computers | Detects disabled computer accounts in the domain. They are usually kept for auditing purposes or because no lifecycle policy exists; an attacker with write access to the object can re-enable it and use the stale account as a foothold into network resources and services, so they should be reviewed and removed. | Low | NA* |
| Account security | Inactive Computers | Identifies enabled computers that have been inactive for the past N days (90 days by default). Stale computer objects clutter the directory, are unlikely to be receiving security updates, and their still-valid credentials can be reused by an attacker looking for a way into the network. | Medium | MITRE ATT&CK, ANSSI |
| AD Delegation and trust | Computers Trusted with Unconstrained Delegation | Detects computers with the TRUSTED_FOR_DELEGATION flag ("Trust this computer for delegation to any service (Kerberos only)"), often enabled by mistake or without understanding the risk. Such a host caches the TGT of every user who authenticates to it; an attacker who compromises it, or coerces a privileged account or domain controller into authenticating to it, can extract those tickets and reuse them (Pass-the-Ticket) to move laterally and attempt to take over the whole domain. | High | MITRE ATT&CK, ANSSI |
| DC and server configurations | Computers Running Obsolete OS Versions | Detects computers running an OS version that no longer receives security updates, typically forgotten or kept to avoid upgrade costs. They have known, unpatched vulnerabilities, are easy to exploit, and may not support current security software. | Critical | MITRE ATT&CK |
| DC and server configurations | BitLocker Disabled Computers | Detects computers in the domain without BitLocker enabled. Their disks hold unencrypted data that anyone with physical access (a lost or stolen device, or an offline boot) can read, copy or tamper with. | High | MITRE ATT&CK |
| Account security | Computer Accounts With Unchanged Passwords | Looks for computer accounts whose password has not changed in the last N days (90 days by default; Windows normally rotates it every 30 days). A machine account whose password never rotates is either stale or has automatic rotation disabled; a stolen password hash or Kerberos key then stays valid indefinitely and can be reused (Pass-the-Hash, Silver Ticket) to access resources and sensitive data as that machine. | Medium | MITRE ATT&CK |
| Account security | Servers With Unchanged Passwords | Identifies servers whose account password has not been updated in the configured period. Stolen server credentials enable Pass-the-Hash and Pass-the-Ticket against the server and, on servers that host privileged sessions, access to the credentials cached there, which is a direct route to administrative access. | High | MITRE ATT&CK, ANSSI |
| AD Delegation and trust | Constrained Delegation With Protocol Transition To a Privileged Service | Identifies computers that have constrained delegation with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) whose target list (msDS-AllowedToDelegateTo) includes a privileged service, such as an SPN on a domain controller. Protocol transition lets the host obtain a ticket for any user without that user authenticating (S4U2Self), so a compromised host lets an attacker impersonate any non-protected account to the target service, leading to unauthorized access, data theft or privilege escalation. | High | MITRE ATT&CK, ANSSI |
| DC and server configurations | Servers With SMB Version 1.0 | Looks for servers with SMBv1 enabled. SMBv1 (deprecated by Microsoft in 2014) lacks the encryption, pre-authentication integrity, secure guest handling and improved message signing of SMBv2/3 and has a history of remotely exploitable flaws; an attacker can exploit it to take over the server through a remote session or intercept and modify file traffic, leading to data loss. | High | MITRE ATT&CK |
| DC and server configurations | Computers With Anomalous Primary Group ID | Identifies computer accounts whose primaryGroupID is not the default (515, Domain Computers; 516 for domain controllers and 521 for read-only domain controllers). Membership held through primaryGroupID does not appear in the group's member attribute, so an attacker can set the PGID of a compromised computer to a privileged group and hold privileges that routine membership reviews do not show, giving them the access needed to move deeper into the network. | Medium | MITRE ATT&CK, ANSSI |
| DC and server configurations | Computers With Unreadable Primary Group ID | Lists computer accounts whose primaryGroupID attribute cannot be read by the scanning account. The effective group membership is then unknown, so administrators may over-provision the account, and a hidden privileged primary group would go unnoticed. | Medium | MITRE ATT&CK |
|
Risk indicators for domain controllers:

| Category | Risk indicator | Description | Severity | Framework |
|---|---|---|---|---|
| Account security | Inactive DCs | Detects domain controllers whose lastLogonTimestamp is older than 45 days. A DC that has not replicated for longer than that (or whose replication interval exceeds it) receives no security updates or Group Policy changes and holds stale account, group-membership and password data. This causes authentication and authorization failures, and the lingering objects and old credentials it still holds make it an attractive target for gaining access to sensitive data. | Low | MITRE ATT&CK, ANSSI |
| AD Delegation and trust | Resource-based Constrained Delegation Configured Domain Controllers | Identifies domain controllers whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute lists principals allowed to delegate to them. Any such principal can obtain a service ticket to the DC as an arbitrary non-protected user; if the principal is compromised, the attacker impersonates a privileged user to the DC, accesses sensitive data and can perform a DCSync attack. | High | MITRE ATT&CK, ANSSI |
| DC and server configurations | DCs With Unusual Configurations | Lists domain controllers that lack the standard characteristics of a DC in your domain. Non-functional or rogue domain controllers let an attacker who controls them inject domain objects (accounts, access control lists, schema changes, credentials or access keys) and replicate the changes into the directory (DCShadow), or pull every secret out of it (DCSync). | Critical | MITRE ATT&CK, ANSSI |
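The delegation rows in the computer and domain-controller tables above all reduce to two userAccountControl bits plus two attributes. The script below is an added example, not ADManager Plus code; it runs the computer and DC checks with the ActiveDirectory module. It assumes read access to the directory, uses the page's 90-day default, and treats "privileged service" as any SPN whose host is a domain controller and the obsolete-OS list as a starting point to extend, both my assumptions.

```powershell
# Added example (not ADManager Plus code): computer and DC risk indicators.
param([int]$StaleDays = 90)   # page default
Import-Module ActiveDirectory

$UF_ACCOUNTDISABLE                 = 0x0002
$UF_SERVER_TRUST_ACCOUNT           = 0x2000      # writable domain controller
$UF_TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
$UF_PARTIAL_SECRETS_ACCOUNT        = 0x4000000   # read-only domain controller
$PGID_DOMAIN_COMPUTERS = 515; $PGID_DOMAIN_CONTROLLERS = 516; $PGID_RODC = 521

# Assumption: OS families that no longer receive security updates; extend for your estate.
$obsoleteOs = 'Windows 2000', 'Windows XP', 'Windows Vista', 'Windows 7', 'Windows 8',
              'Windows Server 2003', 'Windows Server 2008', 'Windows Server 2012'
$dcHosts = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLowerInvariant() }
$cutoff  = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()

function Test-TargetsDc([string[]]$Spns) {
    # msDS-AllowedToDelegateTo entries look like "cifs/dc01.corp.example:445".
    foreach ($spn in $Spns) {
        $hostPart = ($spn -split '/', 2)[1] -replace ':\d+$', ''
        if ($hostPart -and $dcHosts -contains $hostPart.ToLowerInvariant()) { return $true }
    }
    return $false
}

$props = 'userAccountControl', 'lastLogonTimestamp', 'pwdLastSet', 'operatingSystem', 'primaryGroupID',
         'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount'   # the last one resolves the RBCD descriptor
$findings = foreach ($c in Get-ADComputer -Filter * -Properties $props) {
    $uac   = [int]$c.userAccountControl
    $isDc  = ($uac -band ($UF_SERVER_TRUST_ACCOUNT -bor $UF_PARTIAL_SECRETS_ACCOUNT)) -ne 0
    $flags = [System.Collections.Generic.List[string]]::new()

    if ($uac -band $UF_ACCOUNTDISABLE)                                   { $flags.Add('Disabled') }
    elseif ($c.lastLogonTimestamp -and $c.lastLogonTimestamp -lt $cutoff) { $flags.Add('Inactive') }
    if ($c.pwdLastSet -and $c.pwdLastSet -lt $cutoff)                    { $flags.Add('UnchangedPassword') }
    if ($obsoleteOs | Where-Object { $c.operatingSystem -like "$_*" })   { $flags.Add("ObsoleteOS($($c.operatingSystem))") }

    # DCs carry TRUSTED_FOR_DELEGATION by design, so only report it on other hosts.
    if (-not $isDc -and ($uac -band $UF_TRUSTED_FOR_DELEGATION))        { $flags.Add('UnconstrainedDelegation') }
    if (($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -and (Test-TargetsDc $c.'msDS-AllowedToDelegateTo')) {
        $flags.Add('ProtocolTransitionToDC')
    }
    if ($isDc -and $c.PrincipalsAllowedToDelegateToAccount.Count -gt 0) {
        $flags.Add("RBCD($($c.PrincipalsAllowedToDelegateToAccount -join ';'))")
    }

    # Primary group: 515 by default, 516 for DCs, 521 for RODCs. $null means we could not read it.
    $expectedPgid = if ($isDc) { $PGID_DOMAIN_CONTROLLERS, $PGID_RODC } else { ,$PGID_DOMAIN_COMPUTERS }
    if ($null -eq $c.primaryGroupID)                        { $flags.Add('UnreadablePGID') }
    elseif ($expectedPgid -notcontains $c.primaryGroupID)   { $flags.Add("AnomalousPGID($($c.primaryGroupID))") }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{ Computer = $c.Name; IsDC = $isDc; Indicators = ($flags -join ', ') }
    }
}
$findings | Sort-Object IsDC -Descending | Format-Table -AutoSize

# SMBv1 is a host setting, not a directory attribute: query the server over WinRM.
function Test-Smb1Enabled([string]$ComputerName) {
    (Invoke-Command -ComputerName $ComputerName -ScriptBlock { (Get-SmbServerConfiguration).EnableSMB1Protocol }) -eq $true
}
```

BitLocker state is likewise not visible from the directory (only escrowed recovery keys are), so check it on the host with Get-BitLockerVolume in the same way as Test-Smb1Enabled does for SMBv1.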
Risk indicators for groups:

| Category | Risk indicator | Description | Severity | Framework |
|---|---|---|---|---|
| Group and membership management | Empty Groups | Detects empty security groups in the domain. Such groups often still carry permissions on resources, so anyone who adds a member to a forgotten group silently inherits that access; they also clutter the directory. | Low | MITRE ATT&CK |
| Privileged identity security | Privileged Groups | Detects security groups with administrative privileges in the domain. Compromising any member gives the attacker the group's access and control of the network, and deep nesting makes membership hard to track and adds administrative overhead. | Low | MITRE ATT&CK |
| Group and membership management | Single-membered Groups | Identifies security groups with just one member, counting nested groups and their members. Groups exist to manage the permissions of a set of objects; a one-member group defeats that purpose and is easy to extend by accident to users who should not have its permissions. | Low | MITRE ATT&CK |
| Group and membership management | Large Groups | Detects security groups whose member count exceeds the configured threshold (20% of all domain users and computers, by default). Such groups are hard to manage and review and can affect the performance and health of the domain. | Low | MITRE ATT&CK |
| Privileged identity security | Large Privileged Groups | Looks for administrative groups whose member count exceeds the configured threshold (2% of all domain users, by default). Every member inherits the group's permissions, so the more members, the more accounts whose compromise yields privileged access, and compromising one can pave the way to the others. | Low | MITRE ATT&CK, ANSSI |
| Group and membership management | Groups With SID History | Detects groups with a populated sIDHistory attribute. After a migration the attribute legitimately carries the old domain's SID, but a high-privilege SID (for example that of Administrators) injected into a lesser group grants the group and everyone in it unauthorized access and excessive control over sensitive resources. | Low | MITRE ATT&CK, ANSSI |
| Group and membership management | Empty Groups - Microsoft 365 | Lists Microsoft 365 groups that have no members. Unused groups, especially purpose-built ones, are neglected and overlooked, and unnecessary nesting obscures who actually holds which access. | Low | MITRE ATT&CK |
Risk indicators for Group Policy objects:

| Category | Risk indicator | Description | Severity | Framework |
|---|---|---|---|---|
| Policy and permission misconfigurations | Unlinked GPOs | Identifies GPOs that are not linked to any site, domain or OU. Their security settings are enforced nowhere, they clutter the domain, and an administrator may later link one to a scope that needs different policy settings. | Low | NA* |
| Policy and permission misconfigurations | Disabled GPOs | Identifies disabled GPOs in the domain. As they accumulate they make policy management harder to navigate, and an outdated or conflicting disabled GPO can be re-enabled by accident, causing unexpected behaviour across sites, OUs or domains. | Low | NA* |
Risk indicators for permissions and delegated rights:

| Category | Risk indicator | Description | Severity | Framework |
|---|---|---|---|---|
| Privileged identity security | Objects With Permissions To Reset Passwords for Privileged Accounts | Detects principals holding the Reset Password (User-Force-Change-Password) right on privileged accounts. An attacker who compromises such a principal can reset the privileged account's password (with `net user /domain`, `Set-ADAccountPassword -Reset`, Active Directory Users and Computers or PowerSploit) and authenticate as that account. Because the old password is unknown, the change cannot be reverted, so the legitimate user or service account loses access and services are disrupted. | Critical | MITRE ATT&CK |
| Privileged identity security | Objects With Permissions To Change Group Memberships for Privileged Accounts | Identifies principals that can modify the membership of privileged groups. An attacker who controls such a principal adds an account of their choosing to the group and inherits its rights (file shares, applications, administrative access), a direct privilege escalation that exposes sensitive data. | Critical | MITRE ATT&CK |
| Policy and permission misconfigurations | Non-Privileged Accounts With Permissions Over DCs | Looks for non-privileged accounts with write permissions on domain controller objects. DCs should be managed only by privileged accounts; with these rights an attacker can change DC configuration, delete important objects or configure delegation to a DC, putting the entire domain at risk of a breach. | Critical | MITRE ATT&CK, ANSSI |
| Policy and permission misconfigurations | Non-Privileged Accounts With AdminSDHolder Permissions | Detects non-privileged principals with write access to the AdminSDHolder object. SDProp copies its ACL to every protected account and group (every 60 minutes by default), so a single ACE granted there becomes a hidden, self-restoring permission on all privileged accounts. This is a persistence technique that is hard to detect and can act as a smokescreen for further attacks. | Critical | MITRE ATT&CK, ANSSI |
| Policy and permission misconfigurations | Non-Privileged Accounts Authorized for DC Replication | Detects non-privileged accounts holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain. Together they allow a DCSync attack: asking a domain controller for every account's password hashes, including krbtgt. That compromises every account in the domain and commonly precedes ransomware or large-scale data theft. | Critical | MITRE ATT&CK |
| Policy and permission misconfigurations | Non-Privileged Accounts With Permissions Over GPOs | Identifies non-privileged user or computer accounts that can modify GPO objects or their DACL through Full Control, Write All Properties or Modify Permissions. By editing a GPO that applies to servers or users an attacker can weaken password and account policies, disable security controls, push scripts or scheduled tasks that run with elevated rights, and create back doors for persistent access, severely compromising the organization. | High | MITRE ATT&CK |
| Policy and permission misconfigurations | Objects With No Inherited Permissions | Looks for objects whose ACL does not inherit from the parent, wherever they sit in the directory tree. Security policies rely on inheritance for consistent access control; broken inheritance hides custom ACEs that may grant more than intended, and an attacker can exploit them to escalate privileges and gain unauthorized access. | Low | MITRE ATT&CK |
| Privileged identity security | Shadow Admins | Detects shadow admin accounts: accounts that are not in administrative groups but hold rights (reset password, write members, modify permissions and so on) over highly privileged accounts or groups. Attackers target domain admin privileges to reach sensitive assets, and escalating through an ordinary compromised account is likely to trigger detection; abusing a shadow admin's ACL rights yields the same privileges quietly, so such activity often goes unnoticed until it causes a serious incident. | Critical | MITRE ATT&CK |
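Every row in the permissions table above is a question about a DACL: which principals, other than the ones expected to be there, hold a particular right on a particular object. The script below is an added example, not ADManager Plus code; it answers those questions with the AD: drive from the ActiveDirectory module and the GroupPolicy module. The GUIDs are the fixed extended-right and attribute identifiers; the "trusted" allow-list is my assumption and should match your own tier-0 model.

```powershell
# Added example (not ADManager Plus code): ACL checks behind the permission indicators.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$dSid     = $domain.DomainSID.Value

# Assumption: principals expected to hold these rights. SYSTEM, Enterprise Domain Controllers,
# Administrators, then Domain Admins (512), Enterprise Admins (519), Domain Controllers (516),
# Enterprise RODCs (498) and RODCs (521).
$trusted = @('S-1-5-18', 'S-1-5-9', 'S-1-5-32-544') + (512, 519, 516, 498, 521 | ForEach-Object { "$dSid-$_" })

$RIGHT_DS_REPL_GET_CHANGES     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$RIGHT_DS_REPL_GET_CHANGES_ALL = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
$RIGHT_FORCE_CHANGE_PASSWORD   = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ATTR_MEMBER                   = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$broad  = $rights::GenericAll -bor $rights::WriteDacl -bor $rights::WriteOwner   # owning the object outright

function Get-RiskyAce {
    # Allow ACEs on $DistinguishedName held by non-trusted principals that grant either full
    # control, or $Right scoped to one of $ObjectTypes (or to all object types). With an empty
    # $ObjectTypes list, any scoping of $Right counts.
    param([string]$DistinguishedName, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid[]]$ObjectTypes = @())
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable (deleted) principal: still report it
        if ($trusted -contains $sid) { continue }
        $full     = ($ace.ActiveDirectoryRights -band $broad) -ne 0
        $specific = (($ace.ActiveDirectoryRights -band $Right) -ne 0) -and
                    ($ObjectTypes.Count -eq 0 -or $ace.ObjectType -eq [guid]::Empty -or $ObjectTypes -contains $ace.ObjectType)
        if ($full -or $specific) {
            [pscustomobject]@{ Object = $DistinguishedName; Principal = $ace.IdentityReference.Value; Rights = $ace.ActiveDirectoryRights }
        }
    }
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Findings([string]$Indicator, $Aces) {
    foreach ($a in $Aces) { $results.Add(($a | Add-Member NoteProperty Indicator $Indicator -PassThru)) }
}

# 1. Replication rights on the domain head (DCSync needs both extended rights).
Add-Findings 'DCReplication' (Get-RiskyAce $domainDN $rights::ExtendedRight @($RIGHT_DS_REPL_GET_CHANGES, $RIGHT_DS_REPL_GET_CHANGES_ALL))

# 2. AdminSDHolder: any write right here propagates to every protected account and group.
Add-Findings 'AdminSDHolder' (Get-RiskyAce "CN=AdminSDHolder,CN=System,$domainDN" ($rights::WriteProperty -bor $rights::GenericWrite))

# 3. Reset-password rights on protected users and member-write rights on protected groups (shadow admins).
foreach ($obj in Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' -SearchBase $domainDN) {
    if ($obj.ObjectClass -eq 'user') {
        Add-Findings 'ResetPrivilegedPassword' (Get-RiskyAce $obj.DistinguishedName $rights::ExtendedRight @($RIGHT_FORCE_CHANGE_PASSWORD))
    } else {
        Add-Findings 'ChangePrivilegedMembership' (Get-RiskyAce $obj.DistinguishedName $rights::WriteProperty @($ATTR_MEMBER))
    }
}

# 4. Domain controller computer objects and their OU.
foreach ($dn in @($domain.DomainControllersContainer) + (Get-ADDomainController -Filter *).ComputerObjectDN) {
    Add-Findings 'PermissionsOverDC' (Get-RiskyAce $dn ($rights::WriteProperty -bor $rights::GenericWrite))
}

# 5. Group Policy objects (Get-GPO exposes the GPO's distinguished name as .Path).
foreach ($gpo in Get-GPO -All) {
    Add-Findings 'PermissionsOverGPO' (Get-RiskyAce $gpo.Path ($rights::WriteProperty -bor $rights::GenericWrite))
}

$results | Sort-Object Indicator, Object | Format-Table Indicator, Principal, Rights, Object -AutoSize
```

Treat every hit as a finding to explain, not necessarily to remove: Exchange, backup and identity-management service accounts legitimately appear here in many domains, and the right fix is to add them to the allow-list only once their need for the right has been confirmed.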
Other risk indicators:

| Category | Risk indicator | Description | Severity | Framework |
|---|---|---|---|---|
| Account security | Accounts With Anomalous Primary Group ID | Identifies user accounts whose primaryGroupID is not the default (513, Domain Users). Membership held through primaryGroupID does not appear in the group's member attribute, so an attacker can set the PGID of a compromised user to a privileged group and hold elevated privileges that bypass existing access-control reviews, exposing the organization to data theft and further attacks. | Low | MITRE ATT&CK, ANSSI |
| Account security | Users Without a Readable Primary Group ID | Looks for user accounts whose primaryGroupID attribute cannot be read by the scanning account. The effective group membership is then unknown, so access control may be incorrect or insufficient: administrators may grant excessive permissions or fail to apply restrictions, legitimate users may be blocked, and audit trails are incomplete. | High | MITRE ATT&CK |
| Account security | Inactive Users On Specific Microsoft 365 Services | Detects non-privileged Microsoft 365 users who have been inactive for the configured period (30 days by default) on, or have never used, specific services such as Exchange, OneDrive, Teams, SharePoint, Skype or Yammer. Unmanaged inactive accounts keep valid credentials that can be exploited for unauthorized access or lateral movement, and they consume licences, storage and compute for no benefit. | Low | NA* |
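The Microsoft 365 indicators scattered across the tables above (users without MFA, Global Administrators, the privileged-user count, inactive, never-signed-in, blocked and synced accounts) come from three Microsoft Graph data sets: directory role membership, the authentication-methods registration report and per-user sign-in activity. The script below is an added example, not ADManager Plus code, written against the Microsoft Graph PowerShell SDK. It assumes an account that can consent to the listed scopes, an Entra ID P1 licence (required for SignInActivity), and the page's defaults of 10 privileged users and 30 inactive days; it measures tenant-wide sign-in, not the per-service activity the last row describes.

```powershell
# Added example (not ADManager Plus code): Microsoft 365 user risk indicators via Graph.
param([int]$MaxPrivilegedUsers = 10, [int]$InactiveDays = 30)   # page defaults
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Active directory-role assignments per user. Get-MgDirectoryRoleMember shows active
# assignments only; PIM-eligible assignments need the RoleManagement API and are not covered here.
$GLOBAL_ADMIN_TEMPLATE = '62e90394-69f5-4237-9190-012177145e10'   # fixed role template id of Global Administrator
$rolesByUser = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }   # skip groups/SPs
        if (-not $rolesByUser.ContainsKey($m.Id)) { $rolesByUser[$m.Id] = [System.Collections.Generic.List[string]]::new() }
        $rolesByUser[$m.Id].Add($role.RoleTemplateId)
    }
}

# MFA registration state per user. "Registered" is what the report exposes; whether MFA is
# actually enforced depends on Conditional Access or security defaults, so treat NoMFA as a
# strong hint rather than proof.
$mfa = @{}
foreach ($r in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) { $mfa[$r.Id] = $r.IsMfaRegistered }

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
$users  = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, SignInActivity

$findings = foreach ($u in $users) {
    $flags  = [System.Collections.Generic.List[string]]::new()
    $isPriv = $rolesByUser.ContainsKey($u.Id)
    if ($isPriv -and $rolesByUser[$u.Id] -contains $GLOBAL_ADMIN_TEMPLATE) { $flags.Add('GlobalAdmin') }
    if ($mfa.ContainsKey($u.Id) -and -not $mfa[$u.Id])                     { $flags.Add('NoMFA') }
    if (-not $u.AccountEnabled)                                             { $flags.Add('Blocked') }
    $last = $u.SignInActivity.LastSignInDateTime                            # $null when the user never signed in
    if (-not $last)            { $flags.Add('NeverLoggedOn') }
    elseif ($last -lt $cutoff) { $flags.Add('Inactive') }
    if ($isPriv -and $u.OnPremisesSyncEnabled) { $flags.Add('SyncedFromAD') }   # privileged roles should be cloud-only
    if ($flags.Count -gt 0) {
        [pscustomobject]@{ User = $u.UserPrincipalName; Privileged = $isPriv; Indicators = ($flags -join ', ') }
    }
}
$findings | Sort-Object Privileged -Descending | Format-Table -AutoSize

# Privileged-user count against the page's default threshold.
$privCount = $rolesByUser.Count
if ($privCount -gt $MaxPrivilegedUsers) {
    Write-Warning "$privCount users hold directory roles, above the threshold of $MaxPrivilegedUsers"
}
```

The role lookup is the expensive part when many roles are activated; if you only care about Global Administrators, filter Get-MgDirectoryRole on RoleTemplateId and call Get-MgDirectoryRoleMember once.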
- Identify security gaps with detailed insights on each risk indicator and the risky objects responsible for it.
- Focus efforts and resources on the most critical vulnerabilities based on each indicator's severity and risk exposure.
- Manage risky objects directly from each risk indicator with on-the-fly management actions.
- Get insights on how risks can be proactively mitigated with detailed recommended measures.