Tenable.ad allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. Tenable.ad's Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks.
Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The classic Kerberoasting method is covered by the IOA. As mentioned in the name of the indicator, there is another way to carry out a Kerberoasting attack, using a stealthy approach that can bypass many detections. Advanced attackers may favor this method in the hope of remaining invisible to most detection heuristics.
DNSAdmins exploitation is an attack that allows members of the DNSAdmins group to take control of a Domain Controller running the Microsoft DNS service. A member of the DNSAdmins group has rights to perform administrative tasks on the Active Directory DNS service. Attackers can abuse these rights to execute malicious code in a highly privileged context.
DPAPI Domain Backup Keys are an essential part of the recovery of DPAPI secrets. Various attack tools focus on extracting these keys from Domain Controllers using LSA RPC calls.
The critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from improper handling of requests targeting an object with a nonexistent sAMAccountName attribute. The domain controller automatically adds a trailing dollar sign ($) to the sAMAccountName value if it doesn't find one, which can lead to the impersonation of a targeted computer account.
NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. Once accessed, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.
Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The Kerberoasting Indicator of Attack requires the activation of Tenable.ad's Honey Account feature to send out an alert when there is a login attempt on the Honey Account or if this account receives a ticket request.
A massive number of authentication requests to multiple computers, using the NTLM or Kerberos protocols and coming from the same source, can be an indication of an attack.
The local Administrators group was enumerated via the SAMR RPC interface, most likely with BloodHound/SharpHound.
The PetitPotam tool can be used to coerce the target machine into authenticating to a remote system, generally to perform NTLM relay attacks. If PetitPotam targets a domain controller, an attacker can authenticate to another network machine by relaying the domain controller's authentication.
Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords, also known as the low-and-slow method.
Ensure that hardening measures against ransomware have been deployed on the domain.
List dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI).
Ensure that GPOs applied on domain computers are sane.
Privileged users can connect to less privileged machines, thus risking credential theft.
CVE-2020-1472 ("Zerologon") affects the Netlogon protocol and allows elevation of privilege.
Credential roaming attributes are vulnerable, making the related user's protected secrets readable by an attacker.
Some clear-text passwords appear to be readable by every user of the domain.
Misconfigured sensitive privilege rights decrease the security of a directory infrastructure.
Ensure that no mapped certificate is set on privileged objects.
Checks that hardening GPOs have been deployed on the domain.