Indicators in Tenable Identity Exposure: What You Need to Know

Tenable Identity Exposure allows you to secure your infrastructure by anticipating threats, detecting breaches, and responding to incidents and attacks. Using an intuitive dashboard to monitor your Active Directory in real time, you can identify at a glance the most critical vulnerabilities and their recommended courses of remediation. Tenable Identity Exposure's Indicators of Attack and Indicators of Exposure allow you to discover underlying issues affecting your Active Directory, identify dangerous trust relationships, and analyze in-depth details of attacks.

>> https://www.tenable.com/indicators

Indicators of Attack

Critical Severity

  1. Suspicious DC Password Change: Exploits Netlogon vulnerability to change domain controller passwords.
  2. Zerologon Exploitation: Compromises domain controllers via CVE-2020-1472.
  3. DPAPI Domain Backup Key Extraction: Extracts keys critical for DPAPI secrets.
  4. NTDS Extraction: Exfiltrates the NTDS.dit database for offline password cracking.
  5. PetitPotam: Coerces authentication for NTLM relay attacks.
  6. DCShadow: Registers rogue domain controllers to push changes via replication.
  7. OS Credential Dumping: LSASS Memory: Accesses credential material stored in LSASS.
  8. Golden Ticket: Uses KRBTGT account to create valid Kerberos tickets.
  9. DCSync: Simulates a domain controller to retrieve password hashes.

High Severity

  1. DnsAdmins Exploitation: Allows DnsAdmins group members to control Domain Controllers.
  2. SAMAccountName Impersonation: Elevates privileges via flawed handling of sAMAccountName attributes.

Medium Severity

  1. Unauthenticated Kerberoasting: Targets Active Directory service account credentials for offline cracking.
  2. Kerberoasting: Similar to Unauthenticated Kerberoasting; requires the Honey Account feature.
  3. Password Spraying: Attempts to access multiple accounts with common passwords.
  4. Password Guessing: Uses brute-force methods to guess passwords.

Low Severity

  1. Massive Computers Reconnaissance: Detects a large volume of authentication requests that indicates potential attacks.
  2. Enumeration of Local Administrators: Enumerates local Administrators group via SAMR RPC interface.

Indicators of Exposure

Critical Severity

  1. Known Federated Domain Backdoor: Exploitation of federated domains for persistence and privilege escalation.
  2. Risky Service Principal Permissions: Dangerous permissions granted to service principals.
  3. Non-Privileged Account Without MFA: Lack of MFA on accounts exposes them to breaches.

High Severity

  1. Privileged Entra Account Synchronized With AD (Hybrid): Hybrid accounts pose risks due to potential AD compromise.
  2. First-Party Service Principal With Credentials: Attackers add credentials to powerful, hidden service principals.
  3. Dangerous API Permissions Affecting the Tenant: Certain API permissions pose threats to the tenant.
  4. Privilege Escalation Through OAuth Applications: Exploiting OAuth apps for privilege escalation.
  5. Unmanaged Devices with Access: Devices that are not managed by MDM but still have access pose risks.
  6. Privileged Account with No Password Policy: Privileged accounts lacking password policies are vulnerable.
  7. Password Hash Sync: Synchronizing password hashes poses risks.
  8. Admin Accounts Without Recent Sign-Ins: Dormant admin accounts can be exploited.
  9. Risky Sign-In Locations: Unusual sign-in locations for admin accounts.
  10. Deprecated Protocols: Use of deprecated protocols for authentication.

Medium Severity

  1. Excessive Permissions for Service Accounts: Service accounts with unnecessary permissions.
  2. Long-lived Refresh Tokens: Tokens that don’t expire are risky.
  3. Non-Compliant Devices: Devices that don’t comply with security policies.
  4. Exposed Service Principal Credentials: Credentials of service principals exposed.
  5. Excessive Logins by Single Account: Indicates potential brute-force attacks.
  6. Suspicious App Consents: Consents to apps that request excessive permissions.
  7. Admin Accounts Without Conditional Access: Lack of conditional access policies.
  8. High-Risk Sign-Ins: Sign-ins flagged as high-risk.
  9. Suspicious Inbox Rules: Malicious rules set up in user inboxes.

Low Severity

  1. Inactive Users with Licenses: Licenses assigned to inactive users.
  2. Non-Privileged Accounts Without MFA: Regular accounts lacking MFA.
  3. Service Accounts Without Login Activity: Service accounts with no recent activity.
  4. Shared Accounts: Accounts shared by multiple users.
  5. Generic Names for Admin Accounts: Generic account names can be targeted.
  6. Unverified Applications: Applications not verified by Microsoft.
  7. External Forwarding Rules: Forwarding rules to external addresses.
  8. Guest Accounts with Admin Privileges: Guest accounts granted admin roles.
  9. SPNs Without Service Principal Owner: Service Principal Names lacking owners.
  10. Accounts with Password Set to Never Expire: Such accounts are susceptible to breaches.
  11. Risky Delegated Permissions: Delegated permissions that pose risks.
  12. Azure AD Connect Sync Failures: Failures in syncing with Azure AD.
  13. Unused Privileged Roles: Unused roles that should be removed.
  14. Unsupported Browsers: Use of browsers that are no longer supported.
  15. Suspicious Sign-In IP Addresses: IP addresses flagged for suspicious activity.
  16. Excessive Number of Tokens Issued: High number of tokens could indicate an attack.
  17. Accounts with Weak Passwords: Accounts not following strong password policies.
  18. Suspicious Service Principal Activity: Unusual activity detected.
  19. Unmanaged Devices Without Conditional Access: Such devices are at risk.
  20. External Users with Permissions: External users granted permissions.
  21. Non-Compliant Applications: Applications not complying with security policies.
  22. Expired Certificates: Certificates that have expired and need renewal.
  23. Service Principals with Delegated Admin Privileges: Such privileges pose risks.
  24. Long-Lasting Access Tokens: Tokens with long durations are risky.
  25. Missing Conditional Access Policies: Lack of conditional access policies.
  26. Inactive Users: Users who have not logged in recently.
  27. Unused Applications: Applications that are not in use.
  28. Service Principal Names with High Privileges: SPNs granted high privileges.
  29. Inactive Conditional Access Policies: Policies that are no longer active.
  30. Risky Sign-In Attempts: Attempts flagged as risky.
  31. Multiple Failed Sign-In Attempts: Indicates potential attacks.
  32. Devices Without Endpoint Protection: Devices lacking proper protection.
  33. Accounts Without Recovery Options: Accounts that lack recovery options.