test.mysmartlogon.com

Date: 2018-07-25 - Engine version: 2.5.1.0

Indicators


Domain Risk Level: 100 / 100

It is the maximum score of the 4 indicators; one score cannot be higher than 100. The lower, the better.


Stale Object : 46 /100

It is about operations related to user or computer objects

5 rules matched


Trusts : 100 /100

It is about links between two Active Directories

3 rules matched


Privileged Accounts : 45 /100

It is about administrators of the Active Directory

3 rules matched


Anomalies : 100 /100

It is about specific security control points

9 rules matched

Risk model (rules grouped by indicator):

Stale Objects:
  Inactive user or computer
  Network topography
  Object configuration
  Obsolete OS
  Old authentication protocols
  Provisioning
  Replication
  Unfinished migration
  Vulnerability management

Privileged accounts:
  ACL Check
  Admin control
  Irreversible change
  Privilege control

Trusts:
  Old trust protocol
  SID Filtering
  SIDHistory
  Trust impermeability
  Trust inactive

Anomalies:
  Backup
  Certificate take over
  Golden ticket
  Local group vulnerability
  Network sniffing
  Pass-the-credential
  Password retrieval
  Reconnaissance
  Temporary admins
  Weak password

Legend:
  score is 0 - no risk identified but some improvements detected
  score between 1 and 10 - a few actions have been identified
  score between 10 and 30 - rules should be looked at with attention
  score higher than 30 - major risks identified

SIDHistory check

Description:

The purpose is to ensure that a migration has been completed correctly and that the SIDHistory attribute has been cleared from user and computer accounts. This attribute is indeed set when migrating a user or a computer from one domain to another.

Technical explanation:

The SIDHistory attribute is useful when doing a migration because it allows keeping a reference to the former account. On the other hand, once the migration is over, it is mandatory that this attribute is removed so that permissions are evaluated with regard to the new account and not the former one.

Advised solution:

To solve the security issue, you should remove all the SIDHistory attributes. To do so, you can list the objects having a SIDHistory attribute using the command: get-ADObject -ldapfilter "(sidhistory=*)" -properties sidhistory.
Each security descriptor of the domain (including file shares, for example) should be reviewed and rewritten with the new SID of the account. Then, the attribute can be removed from these accounts using the migration tool or a PowerShell snippet (Remove-SIDHistory) once the migration is completed. Please note that once the SID History has been removed, it cannot be added back without doing a real migration. Note, however, that hacking tools such as mimikatz can be used to undo a deletion, for example with the lsadump::dcshadow attack.

Points:

5 points per discovery with a minimum of 15 points

Details:

S-1-5-18 [1 object(s)]

Check for hidden group membership for computer accounts

Description:

The purpose is to check for unusual values in the primarygroupid attribute used to store group membership.

Technical explanation:

In Active Directory, group membership is stored in the "member" attribute and in the "primarygroupid" attribute. The default primary group is "Domain Users" for users, "Domain Computers" for computers and "Domain Controllers" for domain controllers. The primarygroupid contains the RID (last digits of a SID) of the targeted group. It can be used to store hidden membership, as this attribute is not often analyzed.

Advised solution:

Unless strongly justified, change the primary group id to its default: 513 or 514 for users, 516 or 521 for domain controllers, 514 or 515 for computers. The primary group can be edited in a friendly manner by editing the account in "Active Directory Users and Computers", selecting the "Member Of" tab and clicking "Set Primary Group".

Points:

15 points if present

Documentation:

https://support.microsoft.com/en-us/help/297951/how-to-use-the-primarygroupid-attribute-to-find-the-primary-group-for

Check the process of registration of computers to the domain

Description:

The purpose is to ensure that basic users cannot register extra computers in the domain

Technical explanation:

By default, a basic user can register up to 10 computers within the domain. This default setup represents a security issue, as basic users shouldn't be able to create such accounts; this task should be handled by administrators.

Advised solution:

To solve the issue, the maximum number of extra computers that a basic user can register should be reduced by setting the value of ms-DS-MachineAccountQuota to zero (0). Another solution is to remove the Authenticated Users group altogether from the SeMachineAccountPrivilege user right in the Domain Controllers policy. Do note that if you need to delegate to an account the ability to add computers to the domain, it can be done through 2 methods: delegation on the OU, or assigning the SeMachineAccountPrivilege to a dedicated group.

Points:

10 points if present

Documentation:

http://support.microsoft.com/?id=243327
http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html

Check for completeness of network declaration

Description:

The purpose is to ensure that the minimum set of subnets has been configured in the domain.

Technical explanation:

When multiple sites are created in a domain, networks should be declared in the domain in order to optimize processes such as DC assignment. In addition, PingCastle can collect this information to build a network map. This rule has been triggered because at least one domain controller has an IP address which was not found in any subnet declaration.

Advised solution:

Locate the IP address which was found not to be part of a declared subnet, then add this subnet with the "Active Directory Sites" tool.

Points:

5 points if present

Details:

Domain Controller WIN-PGAHI2ECI8E ip address fe80::7da2:529:c55a:b931%11

DC Vulnerability (SMB v1)

Description:

The purpose is to verify if Domain Controllers are vulnerable to the SMB v1 vulnerability.

Technical explanation:

The SMB downgrade attack is used to obtain credentials or execute commands on behalf of a user by using SMB v1 as the protocol. Indeed, because SMB v1 supports old authentication protocols, message integrity can be bypassed.

Advised solution:

It is highly recommended by Microsoft to disable SMB v1 wherever possible, on both the client and server side. Do note that if you are still not following best practices regarding the use of deprecated OS (Windows 2000, 2003, XP, CE), network printers using SMB v1 scan-to-share functionality, or software accessing Windows shares with a custom implementation relying on SMB v1, you should consider fixing these issues before disabling SMB v1, as doing so will generate additional errors.

Points:

1 point if present

Documentation:

https://github.com/lgandx/Responder-Windows
https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect
https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Details:

Domain controller: WIN-PGAHI2ECI8E

Check for Trusts whose security is not maximum

Description:

The purpose is to check if all trusts are protected using the functionality named SID Filtering

Technical explanation:

SID Filtering is a mechanism used to block accounts presenting a SID History property. SID History is used to link an existing account to another account and can be used to propagate a compromise through trusts. SID Filtering for a domain-to-domain trust is called quarantine and is disabled by default. SID Filtering for a forest trust is enabled by default, and disabling it is called "enabling SID History".

The algorithm to compute the SID Filtering status is:
  Get the attributes trustDirection and trustAttributes of the trust object.
  If the direction is 0 or 1, or if the trust is intra-forest (trustAttributes & 32 != 0), then SID Filtering is not applicable.
  Otherwise, if the trust is a forest trust (trustAttributes & 8 != 0), check whether /enablesidhistory has been enabled (trustAttributes & 64 != 0). If enabled, SID Filtering is deactivated.
  Else, if it is not a forest trust (trustAttributes & 8 == 0), check for the quarantined flag (trustAttributes & 4 != 0). If the quarantine flag is set, SID Filtering is enabled.

You can use the following PowerShell command to get its status:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetSidFilteringStatus('my.domain.to.test.local')

Advised solution:

A trust without SID Filtering means either that a migration is in progress or that the domain can be compromised instantly via the trust.
The solution is to complete the existing migration ASAP and enable the SID Filtering feature.

If the trust is a domain trust, you should use netdom /quarantine and set it to yes
If the trust is a forest trust, you should use netdom /enablesidhistory and set it to no
Do not apply /quarantine on a forest trust: you will break the transitivity of the trust.

Points:

100 points if the number of occurrences is greater than or equal to 4
then 80 points if the number of occurrences is greater than or equal to 2
then 50 points if present

Documentation:

https://msdn.microsoft.com/en-us/library/cc237940.aspx
STIG V-8538

Details:

trust without SID Filtering: mil

Check for local backdoor stored in SID History

Description:

The purpose is to ensure that accounts are not linked to more privileged accounts in the same domain.

Technical explanation:

SID History is an attribute used in migration to link with a former account. It is not possible to have an account linked with an account belonging to the same domain. This can be analyzed by comparing the domain part of the SID History with the domain SID.

Advised solution:

It is not possible to have this occurrence except if a user from domain A has been migrated to domain B and then migrated again to domain A. This should be strongly investigated, as it may be linked to a compromise of the domain.

Points:

50 points if present

Check for inactive trusts

Description:

The purpose is to verify that every trust has a remote domain which is active.

Technical explanation:

When a trust is active, it uses a shared secret to communicate with the remote domain. This secret is held on a special account whose name is the remote domain name. This password is changed every month, and as a consequence the whenChanged attribute of this account is updated. When there is no modification of the whenChanged attribute, it can be assumed that the secret has not been changed and that there was either a problem with the remote domain or that the remote domain no longer exists.

Advised solution:

Check for network connectivity issues with the remote domain, or whether the remote domain still exists. If it no longer exists, the trust should be removed. Indeed, the secret used by the trust can be used to issue fake Kerberos tickets and serve as a backdoor.

Points:

20 points if present

Documentation:

https://msdn.microsoft.com/fr-fr/library/ms680921(v=vs.85).aspx

Details:

mil

At least one Administrator Account can be delegated

Description:

The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated"

Technical explanation:

Without the flag "This account is sensitive and cannot be delegated", any account can be impersonated by some service accounts. It is a best practice to enforce this flag on administrator accounts.

Advised solution:

To correct the situation, you should make sure that all your Administrator Accounts have the checkbox "This account is sensitive and cannot be delegated" enabled.

Points:

20 points if present

Documentation:

STIG V-36435

Ensure that all login scripts cannot be modified by any user

Description:

The purpose is to ensure that standard users cannot modify login scripts

Technical explanation:

When the group Authenticated Users, Everyone or any similar group has permission to modify a login script, it can be abused to take control of the accounts using this script. It can potentially lead to the compromise of the domain.

Advised solution:

Edit the Access Control List (ACL) of the script object or the directory where the file is located. Then remove any write permission given to the group.

Points:

15 points per discovery

Details:

Script: test.ps1 Account: Authenticated Users Right: Modify, Synchronize

Avoid unexpected schema modifications which could result in domain rebuild

Description:

The purpose is to ensure that no account can make unexpected modifications to the schema

Technical explanation:

The group "Schema Admins" is used to give permissions to alter the schema. Once a modification such as a new object is performed on the schema, it cannot be undone. This can result in a rebuild of the domain. The best practice is to keep this group empty, add an administrator when a schema update is required, then remove this group membership.

Advised solution:

Remove the accounts or groups belonging to the "schema administrators" group.

Points:

10 points if present

Documentation:

STIG V-72835

Find Password GPO

Description:

The purpose is to alert when a clear text password has been identified in the GPO. Regardless of whether the password is present or not, both the account and password should be considered compromised

Technical explanation:

A check is performed to identify passwords in GPOs. If a password is identified by the PingCastle solution, it means that it can be identified through many other means by attackers, and that the account should be considered compromised.
Do note that the AES key used to encrypt passwords in GPOs has been made public for interoperability reasons, which is why even an encrypted password is compromised. It has been revealed in the Microsoft documentation referenced below.

Advised solution:

In order to solve this issue, you should manually change the password to a new one. If this password is shared on many systems, each system should have a different password. If the GPO was used to define the native local administrator account, it is recommended to install a password management solution such as LAPS.

Points:

20 points per discovery

Documentation:

https://msdn.microsoft.com/en-us/library/cc422924.aspx

Details:

GPO: test nfc 2 login: administrator password: vletoux
GPO: test nfc 2 login: adiant password: vletoux
GPO: test nfc 2 login: test password: test

Mitigate golden ticket attack via a regular change of the krbtgt password

Description:

The purpose is to alert when the password for the krbtgt account can be used to compromise the whole domain. This password can be used to sign every Kerberos ticket, and monitoring it closely often greatly mitigates the risk of golden ticket attacks.

Technical explanation:

Kerberos is an authentication protocol. It signs its tickets with a secret stored as the password of the krbtgt account. If the hash of the krbtgt password is retrieved, it can be used to generate authentication tickets at will.
To mitigate this attack, it is recommended to change the krbtgt password every 40 days. If this is not the case, every backup made since the last password change of the krbtgt account can be used to emit Golden tickets, compromising the entire domain.
Retrieval of this secret is one of the highest priorities in an attack, as this password is rarely changed and offers a long-term backdoor.
This attack can also be performed using the former password of the krbtgt account.

Advised solution:

The password of the krbtgt account should be changed twice to invalidate the golden ticket attack.
Beware: two changes of the krbtgt password that are not replicated to all domain controllers can break those domain controllers.
There are several ways to change the krbtgt password. First, a Microsoft script can be run to guarantee the correct replication of these secrets. Unfortunately this script supports only English operating systems. Second, a more manual way is essentially to reset the password manually once, wait 3 days, then reset it again. This is the safest way, as it ensures the password is no longer usable by the Golden ticket attack.

Points:

50 points if the number of occurrences is greater than or equal to 732
then 40 points if the number of occurrences is greater than or equal to 366
then 30 points if the number of occurrences is greater than or equal to 180
then 20 points if the number of occurrences is greater than or equal to 70

Documentation:

https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51

Check if the LAPS tool to handle the native local administrator password is installed

Description:

The purpose is to make sure that there is a proper password policy in place for the native local administrator account.

Technical explanation:

LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to handle most of the subject.

Advised solution:

If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.

Points:

15 points if present

Documentation:

https://www.microsoft.com/en-us/download/details.aspx?id=46899
STIG V-36438

Check for the last backup date according to Microsoft standard

Description:

The purpose is to check whether the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods.

Technical explanation:

A verification is done on the backups, ensuring that the backup is performed according to the Microsoft standard. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If for any reason backups are needed to perform a rollback (rebuild a domain) or to track past changes, the backups will then actually be up to date. This check is equivalent to REPADMIN /showbackup *.

Advised solution:

Plan backups based on the Microsoft standard. These standards depend on the Operating System. Example with the wbadmin utility: wbadmin start systemstatebackup -backuptarget:d:

Points:

15 points if the number of occurrences is greater than or equal to 7

Documentation:

https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
STIG V-25385

Check for Short password length in password policy

Description:

The purpose is to verify if the password policy of the domain enforces users to have at least 8 characters in their password

Technical explanation:

A check is performed to identify if the GPO regarding the password policy allows passwords shorter than 8 characters. Short passwords represent a high risk because they can fairly easily be brute-forced. Most CERTs and agencies advise at least 8 characters (and often this number goes up to 12).

Advised solution:

To solve the issue, the best way is to either remove the GPO allowing short passwords, or to modify it in order to increase the minimum password length to at least 8 characters.

Points:

10 points if present

Documentation:

https://www.microsoft.com/en-us/research/publication/password-guidance/

Details:

Found in GPO Default Domain Policy
Found in GPO Default Domain Controllers Policy
Found in GPO test nfc 2
Found in GPO PSO:test

Retrieve data from the domain without any account

Description:

The purpose is to check whether the Active Directory can be accessed without any account, aka NULL Sessions. A NULL Session is a session opened anonymously to access the AD, often used by attackers to perform reconnaissance on the AD and identify weaknesses.

Technical explanation:

Unlike other rules, which check for known causes of anonymous access, this rule tries to enumerate accounts from the domain without any account. The program uses two methods: MS-SAMR with a NULL connection and MS-LSAT, which forces SID resolution with well-known SIDs.
NULL sessions have been deactivated by default since Windows 2003 and Windows XP. But for compatibility reasons, a setting enabling them may still be active years later.
It is possible to verify the results provided by the PingCastle solution by using a Kali distribution: run rpcclient -U "" target_ip_address, press Enter at the password prompt, then type enumdomusers.

Advised solution:

Locate other PingCastle rules such as A-PreWin2000Anonymous or A-DsHeuristicsAnonymous which triggered, and apply their solutions. You can use the PingCastle scanner mode to do a manual check and prove the extraction of the data.

Points:

10 points if present

Documentation:

https://www.sans.org/reading-room/whitepapers/windows/null-sessions-nt-2000-286

Details:

DC involved: WIN-PGAHI2ECI8E

Check for Intermediate Certificates using unsafe hashing algorithm (SHA1)

Description:

The purpose is to ensure that there is no use of the SHA1 hashing algorithm in Intermediate Certificate

Technical explanation:

The SHA1 hashing algorithm is not considered as safe. There are design flaws inherent to the algorithm that allow an attacker to generate a hash collision in less than a brute-force time

Advised solution:

To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.

Points:

1 point if present

Documentation:

https://tools.ietf.org/html/rfc6194

Details:

Found in GPO NTLMStore Subject is CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Found in GPO NTLMStore Subject is CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Found in GPO NTLMStore Subject is CN=COMODO Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Found in GPO GPO:Default Domain Policy;Machine Subject is SERIALNUMBER=200804, CN=Foreigner CA, C=BE
Found in GPO GPO:Default Domain Policy;Machine Subject is CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Found in GPO GPO:Default Domain Policy;Machine Subject is CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Check for presence of the Protected users group

Description:

The purpose is to ensure that the schema has been updated for the creation of Protected Users group.

Technical explanation:

The Protected Users group is a special group which is a very effective mitigation to counter credential theft attacks, starting with Windows 8.1. Older operating systems must be updated to take this protection into account, for example with the Windows 7 KB2871997 patch.

Advised solution:

The Protected Users group is automatically created when a Windows 2012 R2 domain controller is installed and holds the PDC (primary DC) role. The group is then automatically created and replicated.
Warning: Do not add service accounts to this group, as this will result in "authentication failure" messages. Use "protected accounts" instead.

Points:

Informative rule (0 point)

Documentation:

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
STIG V-78131

Check for Root Certificates using unsafe hashing algorithm (SHA1)

Description:

The purpose is to ensure that there is no use of the SHA1 hashing algorithm in Root Certificate

Technical explanation:

The SHA1 hashing algorithm is not considered as safe. There are design flaws inherent to the algorithm that allow an attacker to generate a hash collision in less than a brute-force time

Advised solution:

To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.

Points:

Informative rule (0 point)

Documentation:

https://tools.ietf.org/html/rfc6194

Details:

Found in GPO NTLMStore Subject is CN=CA, DC=test, DC=mysmartlogon, DC=com
Found in GPO NTLMStore Subject is CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE
Found in GPO NTLMStore Subject is CN=Belgium Root CA2, C=BE
Found in GPO NTLMStore Subject is CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI
Found in GPO NTLMStore Subject is CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Found in GPO NTLMStore Subject is CN=CA, DC=test, DC=mysmartlogon, DC=com
Found in GPO GPO:Default Domain Policy;Machine Subject is CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Found in GPO GPO:Default Domain Policy;Machine Subject is CN=Belgium Root CA2, C=BE
Found in GPO GPO:Default Domain Policy;Machine Subject is CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE
Found in GPO GPO:Default Domain Policy;Machine Subject is CN=CA, DC=test, DC=mysmartlogon, DC=com
Found in GPO GPO:Default Domain Policy;Machine Subject is CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI

Domain: test.mysmartlogon.com
Netbios Name: TEST
Domain Functional Level: Windows Server 2008
Forest Functional Level: Windows Server 2008
Creation date: 2012-03-03 18:12:40Z
DC count: 2
Schema version: 47

User accounts
Nb User Accounts: 20
Nb Enabled: 15
Nb Disabled: 5
Nb Active: 3
Nb Inactive: 12
Nb Locked: 0
Nb pwd never Expire: 4
Nb SidHistory: 2
Nb Bad PrimaryGroup: 0
Nb Password not Req.: 0
Nb Des enabled: 0
Nb Trusted delegation: 0
Nb Reversible password: 0

Inactive user accounts

Name Creation Last logon Distinguished name
123456789 2017-11-15 13:47:44Z Never CN=tata yoyo.123456789,CN=Users,DC=test,DC=mysmartlogon,DC=com
HINSON 2014-11-30 16:02:50Z Never CN=Kimberly Hinson,CN=Users,DC=test,DC=mysmartlogon,DC=com
min 2014-06-21 21:19:29Z 2014-07-03 21:24:07Z CN=min,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongAccount1 2015-06-26 10:20:33Z Never CN=wrongAccount1,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongAccount2 2015-06-26 10:20:48Z Never CN=wrongAccount2,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongaccount3 2015-06-26 11:13:15Z Never CN=wrongaccount3,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongAccount5 2015-06-26 15:47:18Z Never CN=wrongAccount5,OU=TestOU,DC=test,DC=mysmartlogon,DC=com
wrongAccount6 2015-06-26 15:47:35Z Never CN=wrongAccount6,OU=TestOU,DC=test,DC=mysmartlogon,DC=com
wrongAccount7 2015-06-27 07:26:05Z 2015-06-27 09:27:23Z CN=wrongAccount7,OU=TestOU,DC=test,DC=mysmartlogon,DC=com
wrongaccount8 2016-03-28 10:40:52Z Never CN=wrongaccount8,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongaccount9 2016-03-30 13:02:35Z Never CN=wrongaccount9,OU=TestOU,DC=test,DC=mysmartlogon,DC=com
wronguser4 2015-06-26 15:21:03Z 2015-06-26 17:44:35Z CN=wronguser4,CN=Users,DC=test,DC=mysmartlogon,DC=com

User accounts whose password never expires

Name Creation Last logon Distinguished name
Administrator 2012-03-03 18:13:00Z 2018-07-14 22:09:23Z CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com
HINSON 2014-11-30 16:02:50Z Never CN=Kimberly Hinson,CN=Users,DC=test,DC=mysmartlogon,DC=com
min 2014-06-21 21:19:29Z 2014-07-03 21:24:07Z CN=min,CN=Users,DC=test,DC=mysmartlogon,DC=com
test 2013-03-31 11:33:16Z 2018-07-03 07:11:49Z CN=test,CN=Users,DC=test,DC=mysmartlogon,DC=com

User accounts with a SID History

Name Creation Last logon Distinguished name
test 2013-03-31 11:33:16Z 2018-07-03 07:11:49Z CN=test,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongaccount8 2016-03-28 10:40:52Z Never CN=wrongaccount8,CN=Users,DC=test,DC=mysmartlogon,DC=com

SID History

SID History from domain | First date seen | Last date seen | Count
S-1-5-18 | 2013-03-31 11:33:16Z | 2013-03-31 11:33:16Z | 1
test.mysmartlogon.com | 2016-03-28 10:40:52Z | 2016-03-28 10:40:52Z | 1

Computer accounts

Nb Computer Accounts: 5
Nb Enabled: 5
Nb Disabled: 0
Nb Active: 2
Nb Inactive: 3
Nb SidHistory: 0
Nb Bad PrimaryGroup: 1
Nb Trusted delegation: 0
Nb Reversible password: 0

Inactive computer accounts

Name Creation Last logon Distinguished name
ADIANT-2CC70D66$ 2013-04-01 09:32:22Z 2013-04-01 11:32:26Z CN=ADIANT-2CC70D66,CN=Computers,DC=test,DC=mysmartlogon,DC=com
ADIANT-A7B9AAC6$ 2013-04-01 10:10:33Z 2016-09-15 19:25:37Z CN=ADIANT-A7B9AAC6,CN=Computers,DC=test,DC=mysmartlogon,DC=com
WINDOWS7X86$ 2012-03-03 22:07:05Z 2016-09-15 23:54:27Z CN=WINDOWS7X86,CN=Computers,DC=test,DC=mysmartlogon,DC=com

Computer accounts with a non-default primary group (Bad PrimaryGroup)

Name Creation Last logon Distinguished name
ADIANT-A7B9AAC6$ 2013-04-01 10:10:33Z 2016-09-15 19:25:37Z CN=ADIANT-A7B9AAC6,CN=Computers,DC=test,DC=mysmartlogon,DC=com

Operating Systems

Operating System | Nb OS | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb SidHistory | Nb Bad PrimaryGroup | Nb Trusted delegation | Nb Reversible password
Windows XP | 2 | 2 | 0 | 0 | 2 | 0 | 1 | 0 | 0
Windows 7 | 2 | 2 | 0 | 1 | 1 | 0 | 0 | 0 | 0
Windows 2008 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0

Domain controllers

Domain controller OS Creation Date Startup Time Uptime Owner Null sessions SMB v1
WIN-PGAHI2ECI8E Windows 2008 2012-03-03 18:17:15Z 2018-07-22 17:16:47Z 3 days TEST\Domain Admins YES YES
Group Name Nb Admins Nb Enabled Nb Disabled Nb Inactive Nb PWd never expire Nb can be delegated Nb external users
Account Operators 0 0 0 0 0 0 0
Administrators 5 4 1 2 1 4 0
Backup Operators 0 0 0 0 0 0 0
Cert Publishers 0 0 0 0 0 0 0
Crypto Operators 0 0 0 0 0 0 0
Domain Admins 5 4 1 2 1 4 0
Enterprise Admins 1 1 0 0 1 0 0
Incoming Forest Trust Builders 0 0 0 0 0 0 0
Network Operators 0 0 0 0 0 0 0
Print Operators 0 0 0 0 0 0 0
Schema Admins 2 2 0 0 1 1 0
Server Operators 0 0 0 0 0 0 0
SamAccountName Enabled Active Pwd never Expired Locked Flag Cannot be delegated present Distinguished name
Adiant NO NO NO CN=Adiant,CN=Users,DC=test,DC=mysmartlogon,DC=com
Administrator YES NO YES CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com
teste ( NO NO NO CN=New Object with (dsg,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongAccount1 NO NO NO CN=wrongAccount1,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongAccount5 NO NO NO CN=wrongAccount5,OU=TestOU,DC=test,DC=mysmartlogon,DC=com
DistinguishedName Account Right
DC=test TEST\Domain Controllers EXT_RIGHT_REPLICATION_GET_CHANGES_ALL
CN=MicrosoftDNS,CN=System NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
CN=MicrosoftDNS,CN=System TEST\DnsAdmins GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
CN=RAS and IAS Servers Access Check,CN=System TEST\RAS and IAS Servers GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
CN=WMIPolicy,CN=System TEST\Group Policy Creator Owners GenericWrite, DSSelf, Write all prop
CN=SOM,CN=WMIPolicy,CN=System TEST\Group Policy Creator Owners GenericWrite, DSSelf, Write all prop
CN=Users TEST\wronguser4 WRITE_PROP_MEMBER, VAL_WRITE_SELF_MEMBERSHIP, EXT_RIGHT_FORCE_CHANGE_PWD
OU=TestOU TEST\Adiant GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=TestOU TEST\wrongAccount6 GenericAll, GenericWrite, WriteDacl, WriteOwner, WRITE_PROP_MEMBER, VAL_WRITE_SELF_MEMBERSHIP
OU=TestOU TEST\wrongAccount7 EXT_RIGHT_FORCE_CHANGE_PWD
OU=TestOU TEST\wrongaccount9 EXT_RIGHT_FORCE_CHANGE_PWD

Discovered Domains

Trust Partner Type Attribut Direction SID Filtering active Creation Is Active ?
mil MIT Non-Transitive Outbound No 2014-06-09 12:49:20Z False
bastion.local Uplevel Forest Trust Outbound Yes 2018-07-23 13:02:08Z True

Reachable Domains

Reachable domain Via Netbios Creation date

Backup

The program checks the last date of the AD backup. This date is computed using the replication metadata of the attribute dsaSignature (reference).

Last backup date: Never

LAPS

LAPS is used to have a unique local administrator password on all workstations / servers of the domain. Then this password is changed at a fixed interval. The risk is when a local administrator hash is retrieved and used on other workstation in a pass-the-hash attack.

Mitigation: have a provisioning process for newly created workstations, or install LAPS and apply it through a GPO.

LAPS installation date: Never

Windows Event Forwarding (WEF)

Windows Event Forwarding is a native mechanism used to collect logs from all workstations / servers of the domain. Microsoft recommends it in "Use Windows Event Forwarding to help with intrusion detection". Here is the list of servers configured for WEF found in GPOs.

Number of WEF servers configured: 3

GPO Name | Order | Server
WEF test | 1 | Server=http://192.168.0.25:5985/wsman/SubscriptionManager/WEC
WEF test | 2 | test
WEF test | 3 | teset2

krbtgt (Used for Golden ticket attacks)

The password of the krbtgt account should be changed twice every 40 days using this script.

You can compare the version gathered using replication metadata from two reports to estimate the frequency of the password change, or to check whether the two consecutive resets have been done.

Kerberos password last changed: 2012-03-03 19:17:15Z version: 2

AdminSDHolder (detect temporary elevated accounts)

This control detects accounts which are former 'unofficial' admins. Indeed, when an account belongs to a privileged group, the attribute adminCount is set. If the attribute is set on an account which is not an official member of a privileged group, this is suspicious. To suppress this warning, the adminCount attribute of these accounts should be removed after review.

Number of accounts to review: 0

NULL SESSION (anonymous access)

Domain controllers vulnerable: 1

Domain Controller
WIN-PGAHI2ECI8E

Logon scripts

You can check here for backdoors or typos in the scriptPath attribute.

Script Name | Count
None | 15

Certificates

This detects trusted certificates which can be used in man-in-the-middle attacks or which can issue smart card logon certificates.

Number of trusted certificates: 17

Source | Store | Subject | Issuer | NotBefore | NotAfter | Modulus size (bits) | Signature Alg | SC Logon
NTLMStore | NTLMStore | CN=CA, DC=test, DC=mysmartlogon, DC=com | CN=CA, DC=test, DC=mysmartlogon, DC=com | 2015-10-03 09:34:06Z | 2030-10-02 09:44:04Z | 2048 | sha1RSA | False
NTLMStore | NTLMStore | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE | 2014-02-13 15:30:41Z | 2019-01-16 15:30:41Z | 3072 | sha1RSA | False
NTLMStore | NTLMStore | CN=Belgium Root CA2, C=BE | CN=Belgium Root CA2, C=BE | 2007-10-04 12:00:00Z | 2021-12-15 09:00:00Z | 2048 | sha1RSA | False
NTLMStore | NTLMStore | CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | 2011-08-24 02:00:00Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False
NTLMStore | NTLMStore | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI | 2014-05-01 09:08:21Z | 2041-09-15 09:08:21Z | 2048 | sha1RSA | False
NTLMStore | NTLMStore | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2000-05-30 12:48:38Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False
NTLMStore | NTLMStore | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2005-06-07 10:09:10Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False
NTLMStore | NTLMStore | CN=COMODO Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | 2011-04-27 02:00:00Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False
NTLMStore | NTLMStore | CN=CA, DC=test, DC=mysmartlogon, DC=com | CN=CA, DC=test, DC=mysmartlogon, DC=com | 2012-03-03 19:21:37Z | 2027-03-03 19:31:35Z | 2048 | sha1RSA | False
GPO:Default Domain Policy;Machine | Root | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2000-05-30 12:48:38Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False
GPO:Default Domain Policy;Machine | Root | CN=Belgium Root CA2, C=BE | CN=Belgium Root CA2, C=BE | 2007-10-04 12:00:00Z | 2021-12-15 09:00:00Z | 2048 | sha1RSA | False
GPO:Default Domain Policy;Machine | Root | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE | 2014-02-13 15:30:41Z | 2019-01-16 15:30:41Z | 3072 | sha1RSA | False
GPO:Default Domain Policy;Machine | Root | CN=CA, DC=test, DC=mysmartlogon, DC=com | CN=CA, DC=test, DC=mysmartlogon, DC=com | 2015-10-03 09:34:06Z | 2030-10-02 09:44:04Z | 2048 | sha1RSA | False
GPO:Default Domain Policy;Machine | Root | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI | 2014-05-01 09:08:21Z | 2041-09-15 09:08:21Z | 2048 | sha1RSA | False
GPO:Default Domain Policy;Machine | CA | SERIALNUMBER=200804, CN=Foreigner CA, C=BE | CN=Belgium Root CA2, C=BE | 2007-10-04 14:00:00Z | 2014-06-04 14:00:00Z | 2048 | sha1RSA | False
GPO:Default Domain Policy;Machine | CA | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2005-06-07 10:09:10Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False
GPO:Default Domain Policy;Machine | CA | CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | 2011-08-24 02:00:00Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False

Password policies

Note: PSOs (Password Settings Objects) are visible only if the user who collected the information has the permission to view them.
PSOs shown in the report are prefixed with "PSO:".

Policy Name | Complexity | Max Password Age | Min Password Age | Min Password Length | Password History | Reversible Encryption | Lockout Threshold | Lockout Duration | Reset account lockout counter after
Default Domain Policy | False | Never expires | 0 day | 0 | 0 | False | 0 | Not Set | Not Set
Default Domain Controllers Policy | False | Never expires | 0 day | 0 | Not Set | Not Set | Not Set | Not Set | Not Set
test nfc 2 | False | Never expires | 0 day | 1 | Not Set | Not Set | Not Set | Not Set | Not Set
PSO:test | False | 90 day(s) | 0 day | 0 | 5 | False | 50 | 1 minute(s) | Infinite

Screensaver policies

Policy Name | Screensaver enforced | Password request | Start after (seconds) | Grace Period (seconds)
test nfc 2 | True | True | 90000 | Not Set

LSA settings

Policy Name | Setting | Value
Default Domain Controllers Policy | LSAAnonymousNameLookup | 1

GPO

Obfuscated Passwords

Passwords stored in GPOs are obfuscated, not encrypted. Consider any password listed here as compromised and change it immediately.

GPO Name | Password origin | UserName | Password | Changed | Other
test nfc 2 | groups.xml | administrator | vletoux | 2016-04-02 19:40:14Z | NewName:adiant-admin
test nfc 2 | drives.xml | adiant | vletoux | 2016-04-02 19:39:33Z | Path:test
test nfc 2 | groups.xml | test | test | 2016-04-02 20:21:02Z |

Restricted Groups

Giving local group membership in a GPO is a way to become administrator.
The local admin of a domain controller can become domain administrator instantly.

Privileges

Granting privileges in a GPO is a way to become administrator without being part of a group.
For example, SeTcbPrivilege gives the right to act as SYSTEM, which has more privileges than the administrator account.

GPO Name | Privilege | Members
Default Domain Controllers Policy | SeMachineAccountPrivilege | Authenticated Users
test nfc 2 | SeDebugPrivilege | adiant-test

GPO Login script

A GPO login script is a way to force the execution of code on behalf of users.

GPO Name | Action | Source | Command line | Parameters
test nfc 2 | Logon | scripts.ini | test.vbs | machin trust
test nfc 2 | Logoff | scripts.ini | test123 |
test nfc 2 | Logoff | scripts.ini | tatayoyo |
test nfc 2 | Logon | psscripts.ini | test.ps1 | tsettte
test nfc 2 | Logoff | psscripts.ini | test456 |