Tenable Identity Exposure
Protect Active Directory and eliminate attack paths
Take control of your Active Directory (AD) and Azure AD security: find and fix weaknesses before they harm the business.
Tenable Identity Exposure (formerly Tenable.ad) is a fast, agentless Active Directory security solution that gives you visibility into every asset in a complex Active Directory environment, predicts which remediations will reduce risk the most, and removes attack paths before attackers can use them.
Deny the attacker elevated privileges, lateral movement and their next move.
Find and fix Active Directory weaknesses before attacks happen
Use Tenable's Identity Risk Score to discover and prioritize your Active Directory exposures, then reduce your identity risk with step-by-step remediation guidance.
Detect and respond to Active Directory attacks in real time
Detect Active Directory attacks such as DCShadow, brute force, password spraying and DCSync. Tenable Identity Exposure feeds rich attack insights into your SIEM, SOC or SOAR so you can respond quickly and stop attacks.
"Tenable's solution frees us from Active Directory security concerns and lets us focus on building new business." Dominique Tessaro, CIO, Vinci Energies
How Sanofi, a leading pharmaceutical company, successfully protects its global Active Directory infrastructure
How Vinci Energies continues to evolve strong security settings on its Active Directory infrastructure
How Lagardere, a small entity with limited resources, protects its Active Directory infrastructure
Delivered through the Tenable One exposure management platform
Tenable One is an exposure management platform that helps organizations gain visibility across the entire modern attack surface, focus their efforts on preventing likely attacks, and communicate cyber risk accurately to support optimal business performance. The Tenable One platform offers broad coverage spanning IT assets, cloud resources, containers, web applications and identity systems.
Protect your Active Directory
- Find the underlying problems that threaten your Active Directory
- Identify dangerous trust relationships
- Prioritize remediation using the Identity Risk Score for exposure
- Capture every change in Active Directory and Azure AD
- Correlate Active Directory changes with malicious actions
- Unify identities across Active Directory and Azure AD
- Visualize attack details in depth
- Explore MITRE ATT&CK descriptions directly from event details
Common problems
- Find hidden weaknesses in your Active Directory configuration
- Find the underlying problems that threaten your Active Directory
- Break down each misconfiguration in simple terms
- New Asset Exposure Score that quantifies asset risk by combining vulnerabilities, exposure and identity entitlements (powered by Tenable's artificial intelligence and big data engine)
- Get recommended remediation steps for each problem
- Create custom dashboards to manage your Active Directory security and reduce risk
- Find dangerous trust relationships
- New: a unified view of identities across Active Directory and Azure AD
- Capture every change in AD
- Discover the main attacks against each domain in your Active Directory
- Visualize each threat on an accurate attack timeline
- Consolidate the distribution of attacks in a single view
- Correlate Active Directory changes with malicious actions
- Analyze in-depth details of Active Directory attacks
- Explore MITRE ATT&CK® descriptions directly from detected events
| Attack vector | Description | Known attack tools | MITRE ATT&CK tactics |
| --- | --- | --- | --- |
| Privileged accounts running Kerberos services | High-privilege accounts with Kerberos service principal names can be targeted by brute force | Kerberom | Privilege Escalation, Lateral Movement, Persistence |
| Dangerous Kerberos delegation | Checks for unauthorized, dangerous delegation (unconstrained, protocol transition, etc.) | Nishang | Privilege Escalation, Lateral Movement, Persistence |
| Weak cryptographic algorithms used in the Active Directory PKI | Root certificates of the PKI deployed in Active Directory use weak cryptographic algorithms | ANSSI - ADCP | Persistence, Privilege Escalation, Lateral Movement |
| Dangerous access rights on key objects | Some access control entries on key objects allow illegitimate users access | BloodHound | Exfiltration, Lateral Movement, Command and Control, Credential Access, Privilege Escalation |
| Multiple issues in the password policy | The current password policy applied to certain accounts is insufficient to protect credentials reliably | Patator | Defense Evasion, Lateral Movement, Credential Access, Privilege Escalation |
| Dangerous RODC management accounts | The groups responsible for managing read-only domain controllers contain abnormal accounts | Impacket | Credential Access, Defense Evasion, Privilege Escalation |
| Sensitive GPOs linked to key objects | Some GPOs administered by regular accounts are linked to sensitive Active Directory objects (for example the KDC account, domain controllers and administrative groups) | ANSSI - ADCP | Command and Control, Credential Access, Privilege Escalation, Persistence |
| Administrative accounts allowed to connect to systems other than domain controllers | The security policies deployed on the monitored infrastructure do not prevent administrative accounts from connecting to resources other than DCs, exposing sensitive credentials | CrackMapExec | Defense Evasion, Credential Access |
| Dangerous trust relationships | Misconfigured trust attributes reduce the security of the directory infrastructure | Kekeo | Lateral Movement, Credential Access, Privilege Escalation, Defense Evasion |
| Reversible passwords in GPOs | Verifies that no GPO contains passwords stored in a reversible format | SMB password crawler | Credential Access, Privilege Escalation |
| Computers running an obsolete operating system | Outdated systems no longer supported by the vendor greatly increase the vulnerability of the infrastructure | Metasploit | Lateral Movement, Command and Control |
| Accounts using a pre-Windows 2000 compatible access control | Accounts that are members of the Pre-Windows 2000 Compatible Access group can bypass specific security measures | Impacket | Lateral Movement, Defense Evasion |
| Local administrative account management | Ensures that LAPS is used to manage local administrative accounts centrally and securely | CrackMapExec | Defense Evasion, Credential Access, Lateral Movement |
| Dangerous anonymous user configuration | Anonymous access enabled on the monitored Active Directory infrastructure leaks sensitive data | Impacket | Exfiltration |
| Abnormal RODC filtering attributes | The filtering policy of some read-only domain controllers may allow sensitive information to be cached, leading to privilege escalation | Mimikatz (DCShadow) | Privilege Escalation, Defense Evasion |
| Unrestricted lateral movement attack scenario | Lateral movement restrictions have not been activated on the monitored Active Directory infrastructure, allowing an attacker to reach a range of computers at the same privilege level | CrackMapExec | Lateral Movement |
| Plaintext passwords stored in DC shares | Some files on DC shares (accessible to any authenticated user) may contain plaintext passwords, leading to privilege escalation | SMBSpider | Credential Access, Privilege Escalation, Persistence |
| Dangerous access rights on logon scripts | Some scripts executed during computer or user logon have dangerous access rights, leading to privilege escalation | Metasploit | Lateral Movement, Privilege Escalation, Persistence |
| Risky parameters set in GPOs | Some GPOs set risky parameters (such as restricted groups, LM hash computation, NTLM authentication level and other sensitive settings), creating security vulnerabilities | Responder | Discovery, Credential Access, Execution, Persistence, Privilege Escalation, Defense Evasion |
| Risky parameters defined in the user account control configuration | The userAccountControl attribute of some user accounts defines risky parameters (such as PASSWD_NOTREQD or PARTIAL_SECRETS_ACCOUNT), compromising the security of those accounts | Mimikatz (LSADump) | Persistence, Privilege Escalation, Defense Evasion |
| Missing security patches | Servers registered in Active Directory have not had security updates applied recently | Metasploit | Command and Control, Defense Evasion |
| Brute-force attempts against user accounts | Some user accounts have been the target of brute-force attempts | Patator | Credential Access |
| Kerberos configuration of user accounts | Some accounts use a weak Kerberos configuration | Mimikatz (Silver Ticket) | Credential Access, Privilege Escalation |
| Abnormal shares and stored files on DCs | Some domain controllers host unnecessary files or network shares | SMBSpider | Discovery, Exfiltration |
| Backdoor technique | Description | Known attack tools | MITRE ATT&CK tactics |
| --- | --- | --- | --- |
| Ensure SDProp persistence | Controls that the adminSDHolder object is in a clean state | Mimikatz (Golden Ticket) | Privilege Escalation, Persistence |
| Ensure SDProp persistence | Verifies that users' primary group has not been changed | BloodHound | Privilege Escalation, Persistence |
| Verify root domain object permissions | Ensures that the permissions set on the root domain object are correct | BloodHound | Privilege Escalation, Persistence |
| Verify sensitive GPO object and file permissions | Ensures that the permissions set on GPO objects and files linked to sensitive containers (for example the domain controllers OU) are correct | BloodHound | Execution, Privilege Escalation, Persistence |
| Dangerous access to the RODC KDC account | Some read-only domain controllers have KDC accounts that can be controlled by illegitimate user accounts, leading to credential leakage | Mimikatz (DCSync) | Privilege Escalation, Persistence |
| Sensitive certificates mapped to user accounts | Some X509 certificates are stored in the altSecurityIdentities attribute of user accounts, allowing the owner of the certificate's private key to authenticate as that user | | Command and Control, Credential Access, Privilege Escalation, Persistence |
| Dangerous Krbtgt SPN set on a regular account | The KDC service principal name is present on some regular user accounts, allowing Kerberos tickets to be forged | Mimikatz (Golden Ticket) | Privilege Escalation, Persistence |
| Time since the KDC password was last changed | The KDC account password must be changed regularly | Mimikatz (Golden Ticket) | Credential Access, Privilege Escalation, Persistence |
| Accounts with a dangerous SID history attribute | Checks for users or computers whose SID history attribute contains privileged SIDs | DeathStar | Privilege Escalation, Persistence |
| Rogue domain controllers | Ensures that only legitimate domain controller servers are registered in the Active Directory infrastructure | Mimikatz (DCShadow) | Execution, Defense Evasion, Privilege Escalation, Persistence |
| Illegitimate Bitlocker key access control | Some Bitlocker recovery keys stored in Active Directory are accessible to people other than administrators and the linked computer | ANSSI - ADCP | Credential Access, Privilege Escalation, Persistence |
| Abnormal entries in the schema security descriptor | The Active Directory schema has been modified, leading to new standard access rights or possibly compromising the monitored infrastructure objects | BloodHound | Privilege Escalation, Persistence |
| DSRM account enabled | The Active Directory recovery account has been enabled, exposing its credentials to theft | Mimikatz (LSADump) | Credential Access, Exfiltration, Defense Evasion, Privilege Escalation, Persistence |
| Authentication hash not renewed when using a smart card | Some user accounts that authenticate with a smart card do not renew their credential hash regularly | Mimikatz (LSADump) | Persistence |
| Reversible passwords on user accounts | Verifies that no parameter stores passwords in a reversible format | Mimikatz (DCSync) | Credential Access |
| Use of explicit denied access on containers | Some Active Directory containers or OUs define explicit denied access, potentially hiding backdoors | BloodHound | Defense Evasion, Persistence |
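Several rows in the two tables above (risky userAccountControl parameters such as PASSWD_NOTREQD and PARTIAL_SECRETS_ACCOUNT, privileged SIDs in SID history, the Krbtgt SPN on a regular account, and the age of the KDC password) are checks a defender can evaluate directly from directory attributes. The script below is an added example written for this page; it is not Tenable's code and does not reflect how Tenable Identity Exposure implements these indicators. It assumes account records shaped like LDAP results (sAMAccountName, userAccountControl, pwdLastSet as a Windows FILETIME, sIDHistory, servicePrincipalName); in practice these would come from an LDAP query, but here a few records are constructed inline so it runs offline. The 180-day threshold for the krbtgt password and the indicator names are the example's own choices.

```python
# Added example (not Tenable's code): evaluating a handful of the indicators
# listed above against account records. The records are constructed inline;
# a real audit would fetch them from the directory over LDAP.
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft
PASSWD_NOTREQD = 0x0020               # account may have an empty password
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # password stored with reversible encryption
DONT_REQ_PREAUTH = 0x400000           # Kerberos pre-authentication not required
PARTIAL_SECRETS_ACCOUNT = 0x04000000  # RODC secret-caching account flag

RISKY_UAC_FLAGS = {
    "PASSWD_NOTREQD": PASSWD_NOTREQD,
    "ENCRYPTED_TEXT_PWD_ALLOWED": ENCRYPTED_TEXT_PWD_ALLOWED,
    "DONT_REQ_PREAUTH": DONT_REQ_PREAUTH,
    "PARTIAL_SECRETS_ACCOUNT": PARTIAL_SECRETS_ACCOUNT,
}

# Well-known RIDs of privileged principals (Administrator, Domain Admins,
# Domain Controllers, Schema Admins, Enterprise Admins) plus BUILTIN\Administrators.
PRIVILEGED_RIDS = {500, 512, 516, 518, 519}
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# SPN that legitimately belongs only to the krbtgt (KDC) account.
KRBTGT_SPN = "kadmin/changepw"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def risky_uac_flags(uac: int) -> list[str]:
    """Names of the risky userAccountControl bits set on an account."""
    return sorted(name for name, bit in RISKY_UAC_FLAGS.items() if uac & bit)


def privileged_sids(sids: list[str]) -> list[str]:
    """SIDs in a sIDHistory list that resolve to privileged principals."""
    found = []
    for sid in sids:
        rid = int(sid.rsplit("-", 1)[1])
        if sid == BUILTIN_ADMINISTRATORS or rid in PRIVILEGED_RIDS:
            found.append(sid)
    return found


def password_age_days(pwd_last_set: int, now: datetime) -> int:
    return (now - filetime_to_datetime(pwd_last_set)).days


def evaluate(account: dict, now: datetime, krbtgt_max_age_days: int = 180) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs raised for one account record."""
    findings = []
    name = account["sAMAccountName"]
    for flag in risky_uac_flags(account["userAccountControl"]):
        findings.append(("risky-uac", flag))
    for sid in privileged_sids(account.get("sIDHistory", [])):
        findings.append(("privileged-sid-history", sid))
    is_krbtgt = name.lower() == "krbtgt"
    if not is_krbtgt and KRBTGT_SPN in account.get("servicePrincipalName", []):
        findings.append(("krbtgt-spn-on-regular-account", KRBTGT_SPN))
    if is_krbtgt:
        age = password_age_days(account["pwdLastSet"], now)
        if age > krbtgt_max_age_days:
            findings.append(("krbtgt-password-age", f"{age} days"))
    return findings


def audit(accounts: list[dict], now: datetime) -> dict[str, list[tuple[str, str]]]:
    return {a["sAMAccountName"]: evaluate(a, now) for a in accounts}


# Fixed reference time so the results below are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _ft(year: int, month: int, day: int) -> int:
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed sample records (hypothetical domain S-1-5-21-111-222-333).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,  # disabled normal account
     "pwdLastSet": _ft(2021, 1, 15), "sIDHistory": [], "servicePrincipalName": [KRBTGT_SPN]},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x200 | PASSWD_NOTREQD | ENCRYPTED_TEXT_PWD_ALLOWED,
     "pwdLastSet": _ft(2023, 9, 1), "sIDHistory": ["S-1-5-21-111-222-333-512"], "servicePrincipalName": []},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "pwdLastSet": _ft(2024, 5, 20), "sIDHistory": ["S-1-5-21-999-888-777-1105"], "servicePrincipalName": []},
    {"sAMAccountName": "fake_kdc", "userAccountControl": 0x200,
     "pwdLastSet": _ft(2024, 1, 10), "sIDHistory": [], "servicePrincipalName": [KRBTGT_SPN]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name:12} " + ("; ".join(f"{k}={v}" for k, v in findings) or "clean"))
```

Each finding carries the indicator name and the attribute value that triggered it, which is the detail a SIEM rule or ticket needs; the krbtgt age check is computed from the FILETIME that LDAP returns rather than a pre-formatted date, since that conversion is where ad hoc scripts most often go wrong.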
AD misconfigurations can appear at any time, so a point-in-time audit only captures a snapshot: the misconfigurations it focuses on may be obsolete within minutes, and it includes no indicators of compromise.
Tenable Identity Exposure, by contrast, is a security platform that continuously scans AD for new weaknesses and attacks and alerts users to related issues in real time.
AD security is an important part of the overall security landscape, and Tenable Identity Exposure integrates seamlessly into the security ecosystem.
Our Syslog integration ensures that all SIEMs and most ticketing systems can integrate with Tenable Identity Exposure immediately. We also provide native applications for QRadar, Splunk and Phantom.