Explore the Purple Knight Security Indicators

Filters
Category
  • Account Security
  • AD Delegation
  • AD Infrastructure
  • Entra ID
  • Group Policy Security
  • Hybrid Security
  • Kerberos Security
  • Okta
Indicator Name
Description
Severity
  • All
  • Warning
  • Informational
  • Critical
Framework
IOE/IOC

No results

AAD Connect sync account password reset
Checks for Conditional Access policies that have the Continuous Access Evaluation feature disabled. The Continuous Access Evaluation feature allows you to revoke the access token for Microsoft applications and limit the time an attacker has access to company data. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
AAD privileged users that are also privileged in AD
Checks for Azure AD privileged users that are also privileged users in on-premises AD. A compromise of an account that is privileged in both AD and AAD can result in both environments being compromised. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Abnormal Password Refresh
Looks for user accounts with a recent pwdLastSet change without a corresponding password replication. If the “User must change password at next logon” option is set and then later cleared, could indicate an administrative error or an attempt to bypass the organization’s password policy. Warning
  • MITRE ATT&CK:

    Credential Access

    Persistence

  • IOE
  • IOC
Accounts with altSecurityIdentities configured
Checks for accounts with the altSecurityIdentities attribute configured. The altSecurityIdentities attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. When configured, it is possible to add values that essentially impersonate that account. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_a2d2

  • IOE
Accounts with Constrained Delegation configured to ghost SPN
Looks for accounts that have Constrained Delegation configured to ghost SPNs. When computers are decommissioned, their delegation configuration is not always cleaned up. Such a delegation could allow an attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on those services. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_a2d2

  • IOE
Accounts with Constrained Delegation configured to krbtgt
Looks for accounts that have Constrained Delegation configured to the krbtgt service. Creating a Kerberos delegation to the krbtgt account itself allows that principal (user or computer) to generate a Ticket Granting Service (TGS) request to the krbtgt account as any user, which has the effect of generating a Ticket Granting Ticket (TGT) similar to a Golden Ticket. Critical
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_a2d2

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
AD Certificate Authority with Web Enrollment (PetitPotam and ESC8)
Identifies AD CS servers in the domain that accept NTLM authentication to Web Enrollment. Attackers may abuse a flaw in AD CS Web Enrollment that enables NTLM relay attacks to authenticate as a privileged user. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
AD objects created within the last 10 days
Looks for any AD objects that were recently created. Allows you to spot unknown or illegitimate accounts. Meant to be used for threat hunting, post-breach investigation, or compromise validation. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
AD privileged users that are synced to AAD
Checks for AD privileged users that are synchronized to AAD. When a privileged AD user is synchronized to AAD, a compromise of the AAD user can result in the on-premises environment being compromised as well. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Administrative units are not being used
Checks for the use of administrative units in the Entra tenant. Administrative units are an Entra ID feature that allow for restricting administrative scope of privileged users. Organizations that leverage administrative units can have more granularity in role assignment. Informational
  • MITRE ATT&CK:

    Lateral Movement

  • IOE
Admins with old passwords
Looks for Admin accounts whose password has not changed in over 180 days. If Admin account passwords are not changed on a regular basis, these accounts could be ripe for password guessing attacks. Warning
  • MITRE ATT&CK:

    Discovery

  • ANSSI:

    vuln1_password_ change_priv

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Anonymous access to Active Directory enabled
Looks for the presence of the flag that enables anonymous access. Anonymous access would allow unauthenticated users to query AD. Critical
  • MITRE ATT&CK:

    Defense Evasion

    Initial Access

    Persistence

    Privilege Escalation

  • ANSSI:

    vuln2_compatible_2000_ anonymous

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Anonymous NSPI access to AD enabled
Detects when anonymous name service provider interface (NSPI) access is enabled. Allows anonymous RPC-based binds to AD. NSPI is rarely enabled, so if it is found to be enabled it should be a cause for concern. Warning
  • MITRE ATT&CK:

    Initial Access

  • ANSSI:

    vuln1_dsheuristics_bad

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Application expired secrets and certificates
Checks for certificates or secrets that have reached their expiration dates. This indicator does not indicate a direct risk or likelihood of compromise. Informational
  • MITRE ATT&CK:

    Credential Access

  • IOE
Application Name and Geographic Location additional contexts are disabled on MFA
Checks if the application name and geographic location additional contexts are disabled on multi-factor authentication (MFA). Enabling the application name and geographic location additional contexts on MFA provides an additional level of security for a user sign-in. Warning
  • MITRE ATT&CK:

    Initial Access

  • MITRE D3FEND:

    Harden – Multi-factor Authentication

  • IOE
Built-in domain Administrator account used within the last two weeks
Checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been recently updated. Could indicate that the user has been compromised. Warning
  • MITRE ATT&CK:

    Defense Evasion

  • MITRE D3FEND:

    Detect – Credential Compromise Scope Analysis

    Harden – Strong Password Policy

  • IOE
  • IOC
Built-in domain Administrator account with old password (180 days)
Checks to see if the pwdLastSet attribute on the built-in Domain Administrator account has been changed within the last 180 days. If this password is not changed on a regular basis, this account can be vulnerable to brute force password attacks. Informational
  • MITRE ATT&CK:

    Credential Access

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Built-in guest account is enabled
Checks to ensure that the built-in AD “guest” account is disabled. An enabled guest account allows for passwordless access to the domain, which could present a security risk. Informational
  • MITRE ATT&CK:

    Discovery

    Reconnaissance

  • MITRE D3FEND:

    Evict – Account Locking

  • IOE
Certificate templates that allow requesters to specify a subjectAltName
Checks if certificate templates are enabling requesters to specify a subjectAltName in the CSR. When certificate templates allow requesters to specify a subjectAltName in the CSR, the result is that they can request a certificate as anyone (for example, a domain admin). When that is combined with an authentication EKU present in the certificate template, it can become extremely dangerous. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Certificate Analysis

  • IOE
Certificate templates with three or more insecure configurations
Checks if certificate templates in the forest have a minimum of three insecure configurations: Manager approval is disabled, No authorized signatures are required, SAN enabled, Authentication EKU present. Each of these configurations can be exploited by adversaries to gain access. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Certificate Analysis

  • IOE
Certificate-Based Authentication Persistence
Assesses the presence of specific Entra ID Microsoft graph app roles and permissions, that when combined can enable a user to establish persistence through certificate-based authentication (CBA). Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Changes to AD display specifiers in the past 90 days
Looks for recent changes made to the adminContextMenu attribute on AD display specifiers. Modifying this attribute can potentially allow attackers to utilize context menus to get users to run arbitrary code. Informational
  • MITRE ATT&CK:

    Defense Evasion

    Execution

  • IOE
  • IOC
Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days
Looks for recent changes to the Default Domain Policy and Default Domain Controllers Policy GPOs. These GPOs control domain-wide and domain controller-wide security settings and can be misused to gain privileged access to AD. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • IOE
  • IOC
Changes to default security descriptor schema in the last 90 days
Detects recent schema attribute changes made on the default security descriptor. If an attacker gets access to the schema instance in a forest, any changes made can propagate to newly created objects in AD, potentially weakening AD security posture. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Changes to MS LAPS read permissions
Looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use Microsoft LAPS. Attackers may use this capability to laterally move through a domain using compromised local administrator accounts. Informational
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Changes to PreWindows 2000 Compatible Access Group membership
Looks for changes to the built-in “Pre-Windows 2000 Compatible Access” group. It is best to ensure this group does not contain the “Anonymous Logon” or “Everyone” groups. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
  • IOC
Changes to privileged group membership in the last 7 days
Looks for recent changes to the built-in-privileged groups. Could indicate attempts to escalate privilege. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
  • IOC
Changes to unprivileged group memberships in the last 7 days
Looks for unprivileged groups with memberships changes made during the last 7 days. Membership changes to unprivileged groups may give access to resources using group privileges. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Check for guests having permission to invite other guests
Check for guest invite permissions. It is not recommended to allow guests to send guest invitations. o prevent unauthorized guests from inviting others into the organization, consider updating the “Guest invite settings” to restrict this ability. Warning
  • MITRE ATT&CK:

    Lateral Movement

  • IOE
Check for risky API permissions granted to application service principals
Checks for API permissions that could be risky if not properly planned and approved. Malicious application administrators could use these permissions to grant administrative privileges to themselves or others. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Check for users with weak or no MFA
Checks all users for multi-factor authentication (MFA) registration and the methods configured. Due to the lack of uniform security measures within mobile networks, SMS and Voice are considered less secure than mobile applications and FIDO. A malicious user can vish/smish codes and trick users into providing authentication. Warning
  • MITRE ATT&CK:

    Initial Access

    Lateral Movement

  • IOE
Check if legacy authentication is allowed
Checks whether legacy authentication is blocked, either using conditional access policies or security defaults. Allowing legacy authentication increases the risk that an attacker will logon using previously compromised credentials. Informational
  • MITRE ATT&CK:

    Credential Access

  • IOE
Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD)
Looks for the msDS-Allowed-ToActOnBehalfOfOtherIdentity attribute on computer objects. Attackers could use Kerberos RBCD configuration to escalate privileges through a computer they control if that computer has delegation to the target system. Informational
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

    Privilege Escalation

  • IOE
  • IOC
Computer accounts in privileged groups
Looks for computer accounts that are a member of a domain privileged group. If a computer account is a member of the domain privileged group, then anyone that compromises that computer account can act as a member of that group. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
Computer or user accounts with SPN that have unconstrained delegation
Looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts store users’ Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained delegation are easily targeted for Kerberos-based attacks. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Lateral Movement

  • ANSSI:

    vuln2_delegation_t4d

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
Computers with older OS versions
Looks for machine accounts that are running versions of Windows older than Windows Server 2012 R2 and Windows 8.1. Computers running older and unsupported OS versions could be targeted with known or unpatched exploits. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • MITRE D3FEND:

    Harden – Software Update

  • IOE
Computers with password last set over 90 days ago
Looks for computer accounts that have not automatically rotated their passwords. Computer accounts should automatically rotate their passwords every 30 days; objects that are not doing this could show evidence of tampering. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_password_ change_server_no_ change_90

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Conditional Access policies contain private IP addresses
Checks if any Conditional Access policies contain named locations with private IP addresses. Having private IP addresses in named locations associated with Conditional Access policies could result in an undesired security posture. Warning
  • MITRE ATT&CK:

    Initial Access

  • IOE
Conditional Access Policy that disables admin token persistence
Looks for Conditional Access policies that disable token persistence for users with admin roles and have a sign-in frequency that is less than or equal to nine hours. When an admin login has their token cached on the client, they are vulnerable for a Primary Refresh Token related attack. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Conditional Access Policy that does not require a password change from high risk users
Checks whether a Conditional Access policy exists that requires a password change if the user is determined to be high risk by the Azure AD Identity Protection user risk API. A high user risk represents a high probability that an account has been compromised. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Conditional Access Policy that does not require MFA when sign-in risk has been identified
Checks whether a Conditional Access policy exists that requires MFA if the authentication request risk is determined to be medium or high by the Azure AD Identity Protection sign-in risk API. A medium or high sign-in risk represents a medium to high probability that an unauthorized authentication request was made. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Conditional Access policy with Continuous Access Evaluation disabled
Checks for Conditional Access policies that have the Continuous Access Evaluation feature disabled. The Continuous Access Evaluation feature allows you to revoke the access token for Microsoft applications and limit the time an attacker has access to company data. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOC
Dangerous control paths expose certificate containers
Looks for non-default principals with permissions on the NTAuthCertificates container, which holds the intermediate CA certificates used to authenticate to Active Directory. Unprivileged users with permissions on the NTAuthCerticates container have the ability to escalate their access and make the domain trust a rogue CA. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_adcs_control

  • MITRE D3FEND:

    Harden – Credential Transmission Scoping

  • IOE
  • IOC
Dangerous control paths expose certificate templates
Looks for non-default principals with the ability to write properties on a certificate template. Unprivileged users with write properties on certificate templates have the ability to escalate their access and create vulnerable certificates to enroll. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_adcs_template_ control

  • MITRE D3FEND:

    Detect – Certificate Analysis

  • IOE
  • IOC
Dangerous GPO logon script path
Looks for logon script paths to scripts that do not exist and where a low-privileged user has permissions on their parent folder. It also checks for logon script paths to existing scripts that give less-privileged users permissions to modify the script. By inserting a new script or changing an existing script that gives a normal user permission to change the script or access to their parent folder, an attacker can remotely run code on a larger part of the network without special privileges. Warning
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Detect- File Creation Analysis

    Detect- Script Execution Analysis

  • IOE
Dangerous Trust Attribute Set
Identifies trusts with either of the following attributes set: TRUST_ATTRIBUTE_ CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or TRUST_ATTRIBUTE_ PIM_TRUST. Setting these attributes will either allow a Kerberos ticket to be delegated or reduce the protection that SID filtering provides. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Harden – Domain Trust Policy

  • IOE
  • IOC
Dangerous user rights granted by GPO
Looks for non-privileged users who are granted elevated permissions through GPO. An attacker can potentially exploit the user rights granted by a GPO to gain access to systems, steal sensitive information, or cause other types of damage. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect- Local Account Monitoring

    Harden – Strong Password Policy

  • IOE
Domain Controller owner is not an administrator
Looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in Administrator account. Gaining control of DC machine accounts allows for an easy path to compromising the domain. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_dc

  • MITRE D3FEND:

    Harden – System Configuration Permissions

  • IOE
Domain controllers in an inconsistent state
Looks for domain controllers that may be in an inconsistent state, indicating a possible rogue or otherwise non-functional DC. Illegitimate machines acting as DCs could indicate someone has compromised the environment (e.g., using DCShadow or similar DC spoofing attack). Informational
  • MITRE ATT&CK:

    Privilege Escalation

    Resource Development

  • ANSSI:

    vuln1_dc_inconsistent_ uac

  • IOE
Domain controllers that have not authenticated to the domain for more than 45 days
Looks for domain controllers that have not authenticated to the domain in over 45 days. Lack of domain authentication reveals out-of-sync machines. If an attacker compromises an offline DC and cracks the credentials or re-connects to the domain, they may be able to introduce unwanted changes to Active Directory. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_password_ change_inactive_dc

  • MITRE D3FEND:

    Isolate – Execution Isolation

  • IOE
Domain controllers with old passwords
Looks for domain controller machine accounts whose password has not been reset in over 45 days. Machine accounts with older passwords could indicate a DC that is no longer functioning in the domain. In addition, DCs with older machine account passwords could be more easily taken over. Informational
  • MITRE ATT&CK:

    Privilege Escalation

    Resource Development

  • ANSSI:

    vuln1_password_ change_dc_no_change

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Domain controllers with Resource-Based Constrained Delegation (RBCD) enabled
Detects a configuration that grants certain accounts with complete delegation to domain controllers. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Lateral Movement

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_sour- cedeleg

  • IOE
  • IOC
Domain trust to a third-party domain without quarantine
Looks for outbound forest trusts that have the Quarantine flag set to false. An attacker that has compromised the remote domain can create a “spoofable” account to gain access to every resource on the local domain. If a dangerous control path is exposed, any “spoofable” account could also escalate his privileges up to Domain Admins and compromise the entire forest.” Warning
  • MITRE ATT&CK:

    Lateral Movement

  • ANSSI:

    vuln1_trusts_domain_ notfiltered

  • MITRE D3FEND:

    Harden – Domain Trust Policy

  • IOE
Domains with obsolete functional levels
Looks for AD domains that have a domain functional level set to Windows Server 2012 or lower. Lower functional levels mean that newer security features available in AD cannot be leveraged. Informational
  • MITRE ATT&CK:

    Reconnaissance

  • MITRE D3FEND:

    Harden – Software Update

  • IOE
Enabled admin accounts that are inactive
Looks for admin accounts that are enabled, but have not log in for the past 90 days. Attackers who can compromise these accounts will be able to operate unnoticed. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_password_ change_priv

    vuln1_user_accounts_ dormant

  • MITRE D3FEND:

    Evict – Account Locking

  • IOE
Enterprise Key Admins with full access to domain
Looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the Enterprise Key Admins group. This issue was corrected in a subsequent release of Windows 2016; however, if this fix has not been applied, this bug grants this group the ability to replicate all changes from AD (DCSync attack). Warning
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

    Privilege Escalation

  • ANSSI:

    vuln2_adupdate_bad

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Entra tenant is susceptible to Hidden Consent Grant attack
Checks app permissions and settings to determine if the Entra tenant is susceptible to Hidden Consent Grant attacks. A Hidden Consent Grant attack is a type of phishing attack where a malicious actor who controls an application with Directory.ReadWrite.All permissions gains access to an application and exploits granted permissions to escalate his privileges. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Ephemeral Admins
Looks for users that were added and removed from an Admin group within a 48-hour period. Such short-lived accounts may indicate malicious activity. Informational
  • MITRE ATT&CK:

    Persistence

  • MITRE D3FEND:

    Harden – Strong Password Policy

    Harden – User Account Permissions

  • IOE
  • IOC
Evidence of Mimikatz DCShadow attack
Looks for evidence that a machine has been used to inject arbitrary changes into AD using a “fake” domain controller. These changes bypass the security event log and cannot be spotted using standard monitoring tools. Critical
  • MITRE ATT&CK:

    Defense Evasion

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

    Isolate – Execution Isolation

  • IOE
  • IOC
FGPP not applied to Group
Looks for fine-grained password policy (FGPP) targeted to a Universal or Domain Local group. Changing a group’s scope setting from Global to Universal or Domain Local, results in FGPP settings no longer applying to that group, thus decreasing its password security controls. Warning
  • MITRE ATT&CK:

    Credential Access

    Persistence

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Foreign Security Principals in Privileged Group
Looks for members of built-in protected groups which are Foreign Security Principals. Special care should be taken when including accounts from other domains as members of privileged groups. Foreign Security Principals do not have the adminCount attribute and therefore may not be detected by some security auditing tools. Additionally, an attacker may add a privileged account and attempt to hide it using this method. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Persistence

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
Forest contains more than 50 privileged accounts
Counts the number of privileged accounts defined in the forest. In general, the more privileged accounts you have, the more opportunities there are for attackers to compromise one of these accounts. Warning
  • MITRE ATT&CK:

    Privilege Escalation

    Reconnaissance

  • ANSSI:

    vuln1_privileged_members

  • IOE
Global Administrators that signed in during the last 14 days
Looks for Global Administrators that have signed in during the past 14 days. Users that hold the Global Administrator role are the most privileged users in Entra ID. An attacker will find users with the Global Administrator role as high-valued, and a compromised Global Administrator can lead to several attacks against the organization. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Credential Compromise Scope Analysis

  • IOE
gMSA not used
Checks for enabled group Managed Service Accounts (gMSA) objects in the domain. The gMSA feature in Windows Server 2016 allows automatic rotation of passwords for service accounts, making them much more difficult for attackers to compromise. Informational
  • MITRE ATT&CK:

    Credential Access

  • IOE
gMSA objects with old passwords
Looks for group managed service accounts (gMSA) that have not automatically rotated their passwords. Objects that are not rotating their passwords regularly could show evidence of tampering. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
GPO linking delegation at the AD Site level
Looks for non-privileged principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. When non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers. They can potentially elevate access and change domain-wide security posture. Warning
  • MITRE ATT&CK:

    Execution

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_gpo_ priv

  • IOE
GPO linking delegation at the domain controller OU level
Looks for non-privileged principals who have write permissions on the GPLink attribute or Write DAC/Write Owner on the object. When non-privileged users can link GPOs at the domain controller OU level, they have the ability to effect change on domain controllers. They can potentially elevate access and change domain-wide security posture. Warning
  • MITRE ATT&CK:

    Execution

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_gpo_ priv

  • IOE
GPO linking delegation at the domain level
Looks for non-privileged principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object. When non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers in the domain. They can potentially elevate access and change domain-wide security posture. Warning
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_gpo_ priv

  • IOE
GPO Weak LM Hash storage enabled
Detects when the “Network security: Do not store LAN Manager hash value on next password change” Group Policy Object setting is disabled within the Windows operating system. When this setting is disabled, LAN Manager (LM) hashes, which are vulnerable to password cracking techniques, continue to be stored during password changes. Enabling this setting strengthens security by preventing the storage of weak LM hashes and prompting the use of stronger password storage mechanisms. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
GPO with scheduled tasks configured
When a scheduled task launches an executable, this indicator checks to see if low privilege users have permissions to modify GPOs. Scheduled tasks configured through group policies can be risky if not set up correctly. They can cause unintended problems and potential security vulnerabilities. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Detect- File Creation Analysis

    Detect- Script Execution Analysis

  • IOE
Guest accounts that were inactive for more than 30 days
Checks for guest accounts that have not signed in, using an interactive or non-interactive sign in, during the past 30 days. Inactive guest accounts leave an open gate to your Azure tenant. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Guest invites not accepted in last 30 days
Checks for guest invites that were not accepted within 30 days of the invitation. Stale guest invitations pose a security risk and should be deleted. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Guest users are not restricted
Checks guest users are restricted in the tenant. Attackers may use unrestricted guest users to perform enumeration of users and groups in the tenant. Informational
  • MITRE ATT&CK:

    Reconnaissance

  • IOE
High privileged custom roles
Checks for custom roles that grant elevated privileges to allow a user to perform actions on other users’ passwords and MFA. Custom roles grant elevated privileges and potentially pose a significant security risk if not properly managed. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Inheritance enabled on AdminSDHolder object
Checks for inheritance being enabled on the Access Control List (ACL) of the AdminSDHolder object, which could indicate an attempt to modify permissions on privileged objects that are subject to AdminSDHolder (for example, users or groups with adminCount=1). Changes to the AdminSDHolder object are very rare. Administrators should know that a change was made and be able to articulate the reason for the change. If the change was not intentional, the likelihood of compromise is very high. Critical
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • IOE
  • IOC
Kerberos krbtgt account with old password
Looks for a krbtgt user account whose password has not changed in the past 180 days. If the krbtgt account’s password is compromised, Golden Ticket attacks can be performed to obtain access to any resource in an AD domain. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_krbtgt

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Kerberos protocol transition delegation configured
Looks for services that have been configured to allow Kerberos protocol transition, which basically says that a delegated service can use any available authentication protocol. Compromised services can reduce the quality of their authentication protocol that is more easily compromised (e.g., NTLM). Warning
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

    Privilege Escalation

  • IOE
  • IOC
krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled
Looks for a krbtgt account that has Resource-Based Constrained Delegation (RBCD) defined. Normally, delegations should not be created on the krbtgt account; if found, they could represent significant risk and should be mitigated quickly. Critical
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_a2d2

  • IOE
  • IOC
Less than 2 Global Administrators exist
Checks for the presence of less than two Global Administrators. This indicator aligns with Microsoft recommendations that customers should have at least two Global Administrators in the tenant. Informational
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
List of risky users (medium or high level)
Checks for risky users in the tenant with medium or high level of risk. Risky users are individuals or accounts exhibiting behaviors increasing the likelihood of security incidents or breaches, such as weak authentication practices, susceptibility to phishing, unusual activity patterns, accessing resources from unsecured devices or networks, or holding elevated privileges. These users pose significant risks, potentially leading to credential compromises, data breaches, or insider threats. Warning
  • MITRE ATT&CK:

    Initial Access

  • IOE
MFA not configured for privileged accounts
Checks whether Multi-Factor Authentication (MFA) is enabled for users with administrative rights. Accounts with privileged access are more vulnerable targets to attackers. A compromise of a privileged user represents a significant risk and therefore requires extra protection. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
More than 10 Privileged Administrators exist
Checks for the presence of 10 or more Privileged Assigned Roles. This indicator aligns with Microsoft recommendations that customers have no more than 10 privileged role assignments. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
More than 5 Global Administrators exist
Checks for the presence of five or more Global Administrators. Global Administrators control your Azure AD environment and have access to all administrative features and full control of Azure AD. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
New API token was created
Checks if a new API token has been created in the last 7 days. API tokens with high privileges allow unauthorized access and actions in Okta. If an attacker gains access to the token’s password, they can leverage it to query and perform actions potentially leading to persistence and compromising the environment. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
New permission has been granted to a group
Checks if any permissions have been granted to a group in the last 7 days. Members of a group with high privileges can perform significant actions in Okta. Therefore, it is important to know which groups grant strong privileges. Informational
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
New permission has been granted to user
Checks if any permissions have been granted to a user in the last 7 days. Users with high privileges can perform significant actions in Okta. Therefore, it is important to identify and monitor users who have been granted elevated privileges to mitigate the risk of unauthorized access and potential misuse of sensitive data. Informational
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
New Super Admin permission has been granted to user
Checks for users who were granted “Super Admin” permissions in the last 7 days. Users with “Super Admin” privileges have extensive privileges and control over critical aspects of the Okta environment. Unauthorized or excessive granting of the “Super Admin” permission can significantly increase the risk of compromise and unauthorized access to Okta. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
New Super Admin permissions has been granted to a group
Checks for groups where “Super Admin” permissions have been granted in the last 7 days. Members in a group with “Super Admin” privileges have extensive access and can perform significant actions in Okta. Therefore, it is important to closely monitor and control which groups are granted these strong privileges to prevent unauthorized access and potential compromise of the Okta environment. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Non-admin users can register custom applications
Checks for an authorization policy that enables non-admin users to register custom applications. If non-admin users are allowed to register custom-developed enterprise applications, attackers might use that loophole to register nefarious applications, which they can then leverage to gain additional permissions. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Non-default access to DPAPI key
Checks domain controllers for non-default principals that are permitted to retrieve the domain DPAPI backup key(using LsaRetrievePrivateData). With these permissions, an attacker could recover all domain data encrypted via DPAPI. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_permissions_dpapi

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Non-default access to gMSA root key
Looks for non-default principals with permissions to read the msKds-RootKeyData attribute on the KDS root key. Users with read permissions to this property could compromise every gMSA account in the forest. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_permissions_ gmsa_keys

    vuln2_permissions_ gmsa_keys

  • IOE
  • IOC
Non-default principals with DC Sync rights on the domain
Looks for security principals with Replicating Changes All or Replicating Directory Changes permissions on the domain naming context object. Security principals with these permissions on the domain naming context object can potentially retrieve password hashes for users in an AD domain (DCSync attack). Critical
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_permissions_naming_context

  • IOE
Non-default value on ms-Mcs-AdmPwd SearchFlags
Looks for changes to the default searchFlags on the ms-Mcs-AdmPwd schema. Some flags may inadvertently cause the password to be visible to unintended users allowing an attacker to use it as a stealthy backdoor. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
  • IOC
Non-privileged users with access to gMSA passwords
Looks for principals listed within the MSDS-groupMSAmembership that are not in the built-in admin groups. An attacker that controls access to the gMSA account can retrieve passwords for resources managed with gMSA. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
  • IOC
Non-standard schema permissions
Looks for additional principals with any permissions beyond generic Read to the schema partitions. By default, modification permissions on the schema are limited to Schema Admins. These permissions grant the trusted principal complete control over the Active Directory. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_ schema

  • MITRE D3FEND:

    Harden – System Configuration Permissions

  • IOE
  • IOC
Non-synced AAD user that is eligible for a privileged role
Checks for Azure AD users that are eligible for a high-privilege role and have the proxyAddress attribute but are not synchronized with an AD account. An attacker might use SMTP matching to synchronize controlled AD users with AAD users that are eligible for high-privilege roles. This process overwrites the AAD password and could result in privilege escalation over AAD. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
NTFRS SYSVOL replication
Looks for indication of usage of FRS for SYSVOL replication. NTFRS is an older protocol that has been replaced by DFSR. Attackers that can manipulate NTFRS vulnerabilities to compromise SYSVOL can potentially change GPOs and logon scripts to propagate malware and move laterally across the environment. Warning
  • MITRE ATT&CK:

    Collection

  • ANSSI:

    vuln2_sysvol_ntfrs

  • IOE
Objects in privileged groups without adminCount=1 (SDProp)
Looks for objects in built-in privileged groups whose adminCount attribute is not set to 1. If an object within these groups has an adminCount not equal to 1, they could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. Informational
  • MITRE ATT&CK:

    Defense Evasion

    Persistence

  • IOE
  • IOC
Objects with constrained delegation configured
Looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e., constrained delegation) and does not have the UserAccountControl bit for protocol transition set. Attackers may use delegations to move laterally or escalate privileges if they compromise a service that is trusted to delegate. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Operator groups no longer protected by AdminSDHolder and SDProp
Checks if dwAdminSDExMask on dsHeurstics has been set, which indicates a change to the SDProp behavior that could compromise security. A change to the AdminSDHolder SDProp behavior could indicate an attempt at defense evasion. Warning
  • MITRE ATT&CK:

    Defense Evasion

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Operator Groups that are not empty
Looks for operator groups (Account Operators, Server Operators, Backup Operators, Print Operators) that contain members. These groups have write access to critical resources on the domain; attackers that are members of these groups can take indirect control of the domain. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Outbound forest trust with SID History enabled
Looks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_ EXTERNAL flag set to true. If this flag is set, a cross-forest trust to a domain is treated as an external trust for the purposes of SID filtering. This attribute relaxes the more stringent filtering performed on cross-forest trusts. Warning
  • MITRE ATT&CK:

    Lateral Movement

  • ANSSI:

    vuln1_trusts_forest_sid- history

  • MITRE D3FEND:

    Harden – Domain Trust Policy

  • IOE
Password policy check
Evaluates all password policies and verifies they adhere to Okta’s recommendations. A strong password policy is crucial in preventing unauthorized access to the environment through brute force attacks. Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Permission changes on AdminSDHolder object
Looks for Access Control List (ACL) changes on the AdminSDHolder object. Could indicate an attempt to modify permissions on privileged objects that are subject to AdminSDHolder. Critical
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_ adminsdholder

    vuln1_privileged_members_perm

  • IOE
  • IOC
Primary users with SPN not supporting AES encryption on Kerberos
Shows all primary users with servicePrincipalNames (SPNs) that do not support AES-128 or AES-256 encryption type. AES encryption is stronger than RC4 encryption. Configuring primary users with SPNs that support AES encryption will not mitigate attacks such as kerberoasting. However, it does force AES encryption by default, meaning that it is possible to monitor for encryption downgrade attacks to RC4 (kerberoasting attacks). Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Principals with constrained authentication delegation enabled for a DC service
Looks for computers and users that have constrained delegation enabled for a service running on a DC. If an attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Principals with constrained delegation using protocol transition enabled for a DC service
Looks for computers and users that have constrained delegation using protocol transition defined against a service running on a DC. If an attacker can create such a delegation for a service that they can control or compromise an existing service, they can effectively gain a TGS for any user with privileges to the DC. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_delegation_t2a4d

  • IOE
  • IOC
Print spooler service is enabled on a DC
Looks for domain controllers that have the print spooler service running, which is enabled by default. Several critical flaws were found in Windows Print Spooler services, which directly affect Print spoolers installed on domain controllers, enabling remote code execution. Critical
  • MITRE ATT&CK:

    Execution

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Harden – Software Update

  • IOE
Privileged accounts with a password that never expires
Identifies privileged accounts (adminCount = 1) where the “Password Never Expires” flag is set. User accounts whose passwords never expire are ripe targets for brute force password guessing. If these accounts are also administrative or privileged accounts, this makes them more of a target. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_dont_expire_priv

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Privileged group contains guest account
Checks whether any privileged roles have been assigned to guest accounts. External attackers covet privileged accounts, as they provide a fast track to an organization’s most critical systems. Guest accounts represent an external entity that does not undergo the same security as users in your tenant; therefore, assigning privileged roles to them poses a heightened risk. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Privileged objects with unprivileged owners
Looks for privileged objects (adminCount =1) that are owned by an unprivileged account. Any compromise of an unprivileged account could result in a privileged object’s delegation being modified. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_permissions_ adminsdholder

  • IOE
Privileged user credentials cached on RODC
Looks for privileged users with credentials that are cached on RODCs. While not immediately indicative of an attack, privileged user accounts are sensitive and should not be cached on RODCs since their physical security is not as robust as a full DC. Informational
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • IOE
Privileged users that are disabled
Looks for privileged user accounts that are disabled. If a privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse. Informational
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Privileged users with ServicePrincipalNames defined
Looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. Privileged accounts that have an SPN defined are targets for Kerberos-based attacks that can elevate privileges to those accounts. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • ANSSI:

    vuln1_spn_priv

  • IOE
  • IOC
Privileged users with weak password policy
Looks for privileged users in each domain that do not have a strong password policy enforced, according to ANSSI framework . It checks both the Fine-Grained Password Policy (FGPP) and the password policy applied to the domain. A strong password defined by ANSSI is at least eight characters long and updated no later than every three years. Weak passwords are easier to crack via brute-force attacks and can provide attackers opportunities for moving laterally or escalating privileges. The risk is even higher for privileged accounts, for when compromised they improve the attacker’s chance to quickly advance within the network. Critical
  • MITRE ATT&CK:

    Discovery

  • ANSSI:

    vuln2_privileged_mem- bers_password

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
  • IOC
Prohibited Entra ID roles assigned
Checks for the assignment of roles in Entra ID that are deprecated or prohibited from use. Deprecated roles or roles marked as “never use” can pose significant security risks if assigned. These roles may have unintended permissions or may not be properly maintained, potentially leading to security vulnerabilities. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Protected Users group not in use
Detects when privileged users are not a member of the Protected Users group. The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Informational
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln3_protected_users

  • IOE
Query policies that have the attribute of ldap deny list set
Checks for LDAP IP deny lists (ldapipdenylist attribute) across multiple domains in an AD environment. Unauthorized or unexpected entries in the LDAP IP deny list could suggest a security breach or an attempt to limit access to critical resources maliciously. Informational
  • MITRE ATT&CK:

    Impact

  • IOE
RC4 or DES encryption type is supported by Domain Controllers
Checks if RC4 or DES encryption is supported by domain controllers. RC4 and DES are considered an insecure form of encryption, susceptible to various cryptographic attacks. Multiple vulnerabilities in the RC4 or DES algorithm allow MITM (Man-in-the-Middle) and deciphering attacks. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
Recent privileged account creation activity
Looks for any privileged users or groups (adminCount = 1) that were recently created. Allows you to spot privileged accounts and groups that were created without prior knowledge. Informational Informational
  • MITRE ATT&CK:

    Persistence

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Recent sIDHistory changes on objects
Detects any recent changes to the sIDHistory on objects, including changes to non-privileged accounts where privileged SIDs are added. Attackers need privileged access to AD to be able to write to sIDHistory, but if such rights exist then writing privileged SIDs to regular user accounts is a stealthy way of creating backdoor accounts. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
  • IOC
Resource Based Constrained Delegation applied to AZUREADSSOACC account
Looks for Resource Based Constrained Delegation configured for the Azure SSO account, AZUREADSSOACC. An account with Resource Based Constrained Delegation would allow that principal to generate a Ticket Granting Service (TGS) request to the Azure tenant on behalf of the AZUREADSSOACC account as any user and impersonate that user. Warning
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

  • IOE
Reversible passwords found in GPOs
Looks in the SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker (so-called “Cpassword” entries). This area is one of the first things attackers look for when they’ve gained access to an AD environment. Critical
  • MITRE ATT&CK:

    Credential Access

  • MITRE D3FEND:

    Detect – Emulated File Analysis

  • IOE
Risky RODC credential caching
Looks for a Password Replication Policy that allows privileged objects. If privileged users are in the allow list, they can be exposed to credential theft on an RODC. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_rodc_priv_ revealed

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Security defaults not enabled
When there are no conditional access policies configured, this indicator checks whether security defaults are enabled. It is recommended that security defaults be used for tenants that have no conditional access policies configured. Security defaults will require MFA, block legacy authentication, and require additional authentication when accessing the Azure portal, Azure PowerShell, and the Azure CLI. Warning
  • MITRE ATT&CK:

    Credential Access

    Initial Access

  • IOE
Self-service password reset enabled for privileged roles
Checks whether users in privileged roles in Entra ID can use self-service password reset. Self-service password reset (SSPR) is beneficial in organizations for end users but has security trade-offs for privileged accounts. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Shadow Credentials on privileged objects
Looks for users with write access to the msDS-KeyCredentialLink attribute of privileged users and domain controllers. Users who can write to these privileged objects and Kerberos PKINIT is enabled can elevate privileges to these objects. Warning
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
SMB Signing is not required on Domain Controllers
Looks for domain controllers where SMB signing is not required. Unsigned network traffic is susceptible to attacks abusing the NTLM challenge-response protocol. A common example of such attacks is SMB Relay, where an attacker is positioned between the client and the server in order to capture data packets transmitted between the two, thus gaining unauthorized access to the server or other servers on the network. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
SMBv1 is enabled on Domain Controllers
Looks for domain controllers where SMBv1 protocol is enabled. SMBv1 is an old protocol (deprecated by Microsoft in 2014), which is considered unsafe and susceptible to all kinds of attacks. Critical
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • IOE
SSO computer account with password last set over 90 days ago
Checks the Azure SSO computer account (AZUREADSSOACC) to determine if the password has been rotated in the last 90 days. The password for the Azure SSO computer account is not automatically changed every 30 days. If the password for this account is compromised, an attacker could generate a Ticket Granting Service (TGS) request to the AZUREADSSOACC account as any user, which has the effect of generating a ticket to Azure and impersonating that user. Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_password_ change_server_no_ change_90

  • IOE
Suspicious credentials on Microsoft service principals
Checks if certain Microsoft service principals have secrets assigned to them. In Entra ID it is possible to assign credentials such as secrets or keys to service principals for Microsoft applications. In certain scenarios, this would then allow you to act with the same rights the application has using OAuth 2.0 client credential grant flows against Microsoft Graph API. Critical
  • MITRE ATT&CK:

    Defense Evasion

    Persistence

    Privilege Escalation

  • IOE
SYSVOL Executable Changes
Looks for modifications to executable files within SYSVOL. Changes to the executable files within SYSVOL should be accounted for or investigated to look for potential security posture weakening. Informational
  • MITRE ATT&CK:

    Execution

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Detect – File Analysis

  • IOE
  • IOC
Trust accounts with old passwords
Looks for trust accounts whose password has not changed within the last year. Trust accounts facilitate authentication across trusts and should be protected like privileged user accounts. Normally, trust account passwords are rotated automatically, so a trust account without a recent password change could indicate an orphaned trust account. Informational
  • MITRE ATT&CK:

    Initial Access

  • ANSSI:

    vuln2_trusts_accounts

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Unexpected accounts in Cert Publishers Group
Checks to see if the Cert Publishers Group contains members that aren’t expected to be there. Individuals belonging to the Cert Publishers Group have the ability to introduce a potentially harmful Certificate Authority (CA) within an ADCS environment that will be trusted by all clients. Warning
  • MITRE ATT&CK:

    Credential Access

    Privilege Escalation

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
Unprivileged accounts with adminCount=1
Looks for any users or groups that may be under the control of SDProp (adminCount=1) but are no longer members of privileged groups. Might be evidence of an attacker that attempted to cover their tracks and remove a user they used for compromise. Informational
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
  • IOC
Unprivileged owner of a privileged group
Checks for the presence of an unprivileged owner of a group with privileged roles. Assigning roles to a group instead of individual principals streamlines the process of adding or removing users and ensures consistent permissions for all group members. However, group owner can add themselves to the group at any time, posing a privilege escalation risk if the owner is an unprivileged principal. Warning
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • IOE
Unprivileged principals as DNS Admins
Looks for any member of the DNS Admins group that is not a privileged user. Members of this group can be delegated to non-AD administrators (e.g. Admins with networking responsibilities, such as DNS, DHCP, etc.), which can result in these accounts being prime targets for compromise. Warning
  • MITRE ATT&CK:

    Execution

    Privilege Escalation

  • ANSSI:

    vuln1_dnsadmins

    vuln1_permissions_msdn

  • IOE
Unprivileged users can add computer accounts to domain
Checks to see if unprivileged domain members are allowed to add computer accounts to a domain. Having the ability to add computer accounts to a domain can be abused by Kerberos-based attacks. Informational
  • MITRE ATT&CK:

    Credential Access

    Lateral Movement

  • IOE
Unrestricted user consent allowed
Checks if users are allowed to add application from unverified publishers. When users are allowed to consent to any third-party applications, there is considerable risk that an allowed application will take intrusive or risky actions. Warning
  • MITRE ATT&CK:

    Lateral Movement

    Persistence

  • IOE
Unsecured DNS configuration
Looks for DNS zones configure with ZONE_UPDATE_UNSECURE, which allows updating a DSN record anonymously. An attacker could leverage this exposure to add a new DSN record or replace an existing DNS record to spoof a management interface, then wait for incoming connections in order to steal credentials. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_dnszone_bad_ prop

  • IOE
User accounts that store passwords with reversible encryption
Identifies accounts with the “ENCRYPTED_TEXT_PWD_ALLOWED” flag enabled. Attackers may be able to derive these users’ passwords from the ciphertext and take over these accounts. Informational
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln3_reversible_password

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
User accounts that use DES encryption
Identifies user accounts with the “Use Kerberos DES encryption types for this account” flag set. Attackers can easily crack DES passwords using widely available tools, making these accounts ripe for takeover. Informational
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_kerberos_properties_deskey

  • IOE
User accounts with password not required
Identifies user accounts where a password is not required. Accounts with weak access controls are often targeted to move laterally or gain a persistence foothold with the environment. Informational
  • MITRE ATT&CK:

    Lateral Movement

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
User activation in the last 7 days
Checks for users who were activated in the past 7 days. Activated users have the ability to authenticate and perform actions within the Okta environment. Therefore, it is important to monitor and verify the activation status of users to ensure that only authorized individuals have access. Informational
  • MITRE ATT&CK:

    Persistence

  • MITRE D3FEND:

    Harden – User Account Permissions

  • IOE
User consent is allowed for risky applications
Checks for an Entra ID authorization policy that allows users to grant consent for risky applications. To enhance security, it is recommended to set the allowUserConsentForRiskyApps property to false. This prevents users from granting consent to risky applications independently. Warning
  • MITRE ATT&CK:

    Initial Access

    Persistence

    Privilege Escalation

  • MITRE D3FEND:

    Model- Access Modeling

  • IOE
User deactivation in the last 7 days
Checks for users who were deactivated in the past 7 days. Deactivated users no longer have the ability to authenticate and perform actions within the Okta environment. However, an attacker may intentionally deactivate a user to disrupt the functioning of the environment or to hide their activities. It is important to monitor and verify the deactivation status of users to ensure it aligns with the intended access controls. Informational
  • IOE
Users and computers with non-default Primary Group IDs
Returns a list of all users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and computers. Modifying the Primary Group ID is a stealthy way for an attacker to escalate privileges without triggering member attribute auditing for group membership changes. Informational
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_primary_group_ id_1000

    vuln3_primary_group_ id_nochange

  • IOE
  • IOC
Users and computers without readable PGID
Finds users and computers that can not read the Primary Group ID (PGID). May be caused by removing the default Read permission, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute). Warning
  • MITRE ATT&CK:

    Defense Evasion

  • IOE
  • IOC
Users or devices inactive for at least 90 days
Checks for users or devices that have not signed in during the past 90 days. Users or devices that have been inactive for 90 days or more are likely no longer in use and leave an open gate to the Azure AD tenant. Warning
  • MITRE ATT&CK:

    Persistence

    Privilege Escalation

  • IOE
Users with Kerberos pre- authentication disabled
Looks for users with Kerberos pre-authentication disabled. These users can be targeted for ASREP-Roasting attacks (like “Kerberoasting”). Warning
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln1_kerberos_prop- erties_preauth_priv

    vuln2_kerberos_prop- erties_preauth

  • IOE
Users with old passwords
Looks for user accounts whose password has not changed in over 180 days. These accounts could be ripe for password guessing attacks. Warning
  • MITRE ATT&CK:

    Credential Access

    Persistence

  • MITRE D3FEND:

    Harden – Strong Password Policy

  • IOE
Users with Password Never Expires flag set
Identifies user accounts where the “Password Never Expires” flag is set. These accounts can be potential targets for brute force password attacks. Informational
  • MITRE ATT&CK:

    Credential Access

  • ANSSI:

    vuln2_dont_expire

  • IOE
Users with permissions to set Server Trust Account
Checks the domain NC head permissions to see if the Server_Trust_Account flag is set on computer objects. An attacker that can seed authenticated users with these permissions can utilize their access to promote any computer they control to Domain Controller status, enabling privilege escalation to AD services and carrying out credential access attacks such as DCSync. Critical
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE
Users with ServicePrincipalName defined
Provides a way to visually inventory all user accounts that have ServicePrincipalNames (SPNs) defined. Generally, SPNs are only defined for “Kerberized” services; other accounts with an SPN may be cause for concern. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
  • IOC
Users with the attribute userPassword set
Checks if the userPassword attribute exists on accounts. The userPassword attribute saves passwords in clear text and can be queried using LDAP, which can potentially expose passwords. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • MITRE D3FEND:

    Detect – Domain Account Monitoring

  • IOE
Users without Multi- Factor Authentication (MFA)
Checks all users to identity those who have not registered for Multi-Factor Authentication (MFA). Users who are not configured with MFA are at a high risk of being compromised. This poses a significant threat not only to the user but also the entire environment. Warning
  • MITRE ATT&CK:

    Initial Access

  • IOE
Weak certificate encryption
Looks for certificates stored in Active Directory with keysize smaller than 2048 bits or using DSA encryption. Weak certificates can be abused by attackers to gain access to systems who use certificate authentication. Warning
  • MITRE ATT&CK:

    Privilege Escalation

  • ANSSI:

    vuln1_certificates_vuln

  • MITRE D3FEND:

    Harden – Certificate-based Authentication

  • IOE
Well-known privileged SIDs in sIDHistory
Looks for security principals that contain specific SIDs of accounts from built-in privileged groups within the sIDHistory attribute. Allows those security principals to have the same privileges as those privileged accounts, but in a way that is not obvious to monitor (e.g., through group membership). Critical
  • MITRE ATT&CK:

    Defense Evasion

    Privilege Escalation

  • ANSSI:

    vuln2_sidhistory_dan- gerous vuln3_sidhistory_present

  • IOE
  • IOC
Writable shortcuts found in GPO
Looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privileged users. When low privileged users have the ability to modify shortcuts within GPOs, it could potentially lead to security risks and unauthorized modifications. Warning
  • MITRE ATT&CK:

    Lateral Movement

    Privilege Escalation

  • MITRE D3FEND:

    Detect- File Creation Analysis

    Detect- Script Execution Analysis

  • IOE
Write access to RBCD on DC
Looks for users who are not in Domain Admins, Enterprise Admins, or Built-in Admins groups that have write access on Resource-Based Constrained Delegation (RBCD) for domain controllers. Attackers that can gain write access to RBCD for a resource can cause the resource to impersonate any user (except where delegation is explicitly disallowed). Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Write access to RBCD on krbtgt account
Looks for users who are not in Domain Admins, Enterprise Admins, or Built-in Admins groups that have write access on Resource-Based Constrained Delegation (RBCD) for the krbtgt account. Attackers that can gain write access to RBCD for a resource can cause the resource to impersonate any user (except where delegation is explicitly disallowed). Warning
  • MITRE ATT&CK:

    Credential Access

  • IOE
Zerologon vulnerability
Looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain. Critical
  • MITRE ATT&CK:

    Privilege Escalation

  • IOE

Security indicators regularly updated by our threat research team

Purple Knight scans your Active Directory environment for 150+ security indicators of exposure or compromise—including risky configurations and unpatched vulnerabilities—that could lead to an attack.

Who’s behind the research?

Led by CTO and Microsoft MVP Guy Teverovsky, our expert research team continuously studies how cybercriminals are plotting to exploit AD–and develop indicators to uncover your AD weaknesses before attackers do.

100+ years

combined Microsoft experience

What do Purple Knight users say?

 

Purple Knight is a powerful tool with a nicely packaged set of scripts that does a fantastic job of showing you some of the hidden aspects of your AD that are just waiting to be discovered by the wrong person. Patrick Emerick Senior Systems Engineer | Bethel School District
I recommend Purple Knight for its ease of use—it’s GUI-based, it gives you a quick report card, and gives you a good, easy checklist of things to start working on. Jim Shakespear Director of IT Security | Southern Utah University
Purple Knight is the first utility I’ve used that digs this deep into Active Directory. It works so well, I didn’t need to find anything else. Micah Clark IT Manager | Central Utah Emergency Communications
The Purple Knight report helped us take action on items right away, such as shutting down or disabling Active Directory accounts that shouldn’t have been enabled. And then it helped us develop a long-term maintenance plan. CISO Canadian manufacturing company