Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462)

Implement robust Active Directory configurations using group policies to control access and reduce the attack surface. Specific examples include:

  • Account Configuration: Use provisioned domain accounts rather than local accounts to leverage centralized control and auditing capabilities.
  • Interactive Logon Restrictions: Enforce group policies that prohibit interactive logons for accounts that should not directly access systems.
  • Remote Desktop Settings: Limit Remote Desktop logons to authorized accounts to prevent misuse by adversaries.
  • Dedicated Administrative Accounts: Create specialized domain-wide accounts that are restricted from interactive logons but can perform specific tasks like installations or repository access.
  • Authentication Silos: Configure authentication policy silos in Active Directory to create access zones. An authentication policy attached to the silo restricts the hosts from which its member accounts can obtain Kerberos tickets, so a stolen admin credential is useless outside the zone. Place the same high-risk accounts in the Protected Users global security group, which applies additional protections (no NTLM authentication, no DES or RC4 Kerberos keys, no delegation, and a short non-renewable TGT lifetime), limiting their exposure to credential theft and replay.
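The list above names the controls but not how they are applied. The following PowerShell script is an added example, not part of the MISP galaxy entry or MITRE's text, that applies them to a single assumed Tier 0 admin group: Protected Users membership, an authentication policy silo tying the accounts to named privileged access workstations, and a security template that denies the group interactive and Remote Desktop logon everywhere else. The group name 'Tier0 Admins', the silo name 'Tier0Silo', the hosts 'PAW01'/'PAW02' and the template path are assumptions. The ActiveDirectory RSAT module, Domain Admin rights and a 2012 R2 or later domain functional level are required.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the page. Applies the M1015 controls to one assumed Tier 0
# admin group. Run with -WhatIf first; silo enforcement stays off unless -Enforce is set,
# so the domain controllers log policy failures instead of blocking logons.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $AdminGroup   = 'Tier0 Admins',             # assumed group of admin accounts
    [string]   $SiloName     = 'Tier0Silo',                # assumed silo name
    [string[]] $AdminHosts   = @('PAW01', 'PAW02'),        # assumed privileged access workstations
    [string]   $TemplatePath = "$env:TEMP\Tier0-DenyLogon.inf",
    [switch]   $Enforce                                    # audit-only silo unless set
)
$ErrorActionPreference = 'Stop'

# Silos and Protected Users require the 2012 R2 domain functional level or later.
$mode    = [int](Get-ADDomain).DomainMode
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ($mode -lt $minMode) { throw 'Domain functional level too low for authentication policy silos.' }

# 1. Protected Users: every user in the admin group, but never accounts carrying SPNs,
#    because the group disables NTLM, RC4/DES and delegation for its members.
$protected = Get-ADGroup -Identity 'Protected Users'
$admins = Get-ADGroupMember -Identity $AdminGroup -Recursive |
          Where-Object objectClass -eq 'user' |
          Get-ADUser -Properties memberOf, servicePrincipalName
foreach ($u in $admins) {
    if ($u.servicePrincipalName) {
        Write-Warning "$($u.SamAccountName) has SPNs; not adding to Protected Users"
        continue
    }
    if ($u.memberOf -notcontains $protected.DistinguishedName -and
        $PSCmdlet.ShouldProcess($u.SamAccountName, 'Add to Protected Users')) {
        Add-ADGroupMember -Identity $protected -Members $u
    }
}

# 2. Authentication policies: the user policy lets the KDC issue a TGT only when the
#    requesting device is itself a member of the silo; the computer policy covers the PAWs.
$fromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"
$userPol = "$SiloName-Users"
$compPol = "$SiloName-Computers"
if (-not (Get-ADAuthenticationPolicy -Filter "Name -eq '$userPol'")) {
    New-ADAuthenticationPolicy -Name $userPol -UserTGTLifetimeMins 240 `
        -UserAllowedToAuthenticateFrom $fromSilo -Enforce:$Enforce
}
if (-not (Get-ADAuthenticationPolicy -Filter "Name -eq '$compPol'")) {
    New-ADAuthenticationPolicy -Name $compPol -ComputerTGTLifetimeMins 240 -Enforce:$Enforce
}
if (-not (Get-ADAuthenticationPolicySilo -Filter "Name -eq '$SiloName'")) {
    New-ADAuthenticationPolicySilo -Name $SiloName -UserAuthenticationPolicy $userPol `
        -ComputerAuthenticationPolicy $compPol -Enforce:$Enforce
}

# 3. Put the admin accounts and their PAWs in the silo. Each principal must be granted
#    access to the silo and then assigned to it; one step without the other does nothing.
$hosts = $AdminHosts | ForEach-Object { Get-ADComputer -Identity $_ }
foreach ($acct in @($admins) + @($hosts)) {
    if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Assign to silo $SiloName")) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $acct
        Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $SiloName
    }
}

# 4. Logon restrictions outside Tier 0: deny the group interactive and RDP logon.
#    There is no cmdlet for User Rights Assignment, so emit a security template to import
#    into the GPO linked to member servers and workstations (Computer Configuration >
#    Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment).
$sid = (Get-ADGroup -Identity $AdminGroup).SID.Value
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
"@ | Set-Content -Path $TemplatePath -Encoding Unicode
Write-Host "Deny-logon template written to $TemplatePath; import it into the non-Tier-0 GPO."
```

Keep at least one break-glass account out of both the Protected Users group and the deny-logon GPO, or a misconfigured silo locks every administrator out at once. Leave -Enforce off until the authentication policy failure events on the domain controllers show no legitimate traffic being denied, then re-run with -Enforce.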
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) | Attack Pattern | 1 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | 1 |
| Active Directory Configuration - M1015 (e3388c78-2a8d-47c2-8422-c1398b324462) | Course of Action | DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) | Attack Pattern | 1 |
| Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) | Attack Pattern | 2 |
| SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |
| SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) | Attack Pattern | Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) | Attack Pattern | 2 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) | Attack Pattern | 2 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | 2 |
| Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) | Attack Pattern | Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | 2 |
| Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) | Attack Pattern | Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | 2 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) | Attack Pattern | 2 |