{"description": "Enterprise techniques mitigated by Active Directory Configuration, ATT&CK mitigation M1015 (v1.2)", "name": "Active Directory Configuration (M1015)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.005", "comment": "Clean up SID-History attributes after legitimate account migration is complete.\n\nConsider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e preventing the trusted domain from claiming a user has membership in groups outside of the domain).\n\nSID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers. (Citation: Microsoft Trust Considerations Nov 2014) (Citation: Microsoft SID Filtering Quarantining Jan 2009) However note that SID Filtering is not automatically applied to legacy trusts or may have been deliberately disabled to allow inter-domain access to resources.\n\nSID Filtering can be applied by: (Citation: Microsoft Netdom Trust Sept 2012)\n\n* Disabling SIDHistory on forest trusts using the netdom tool (netdom trust /domain: /EnableSIDHistory:no on the domain controller)\n\n* Applying SID Filter Quarantining to external trusts using the netdom tool (netdom trust  /domain: /quarantine:yes on the domain controller)\n\n* Applying SID Filtering to domain trusts within a single forest is not recommended as it is an unsupported configuration and can cause breaking changes. (Citation: Microsoft Netdom Trust Sept 2012) (Citation: AdSecurity Kerberos GT Aug 2015) If a domain within a forest is untrustworthy then it should not be a member of the forest. In this situation it is necessary to first split the trusted and untrusted domains into separate forests where SID Filtering can be applied to an interforest trust", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1606", "showSubtechniques": true}, {"techniqueID": "T1606.002", "comment": "For containing the impact of a previously forged SAML token, rotate the token-signing AD FS certificate in rapid succession twice, which will invalidate any tokens generated using the previous certificate.(Citation: Mandiant Defend UNC2452 White Paper)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "comment": "\nManage the access control list for \u201cReplicating Directory Changes All\u201d and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL) Consider adding users to the \"Protected Users\" Active Directory security group. This can help limit the caching of users' plaintext credentials.(Citation: Microsoft Protected Users Security Group)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1003.005", "comment": "Consider adding users to the \"Protected Users\" Active Directory security group. This can help limit the caching of users' plaintext credentials.(Citation: Microsoft Protected Users Security Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.006", "comment": "Manage the access control list for \"Replicating Directory Changes\" and other permissions associated with domain controller replication.(Citation: ADSecurity Mimikatz DCSync)(Citation: Microsoft Replication ACL)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1072", "comment": "Ensure proper system and access isolation for critical network systems through use of group policy.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1649", "comment": "Ensure certificate authorities (CA) are properly secured, including treating CA servers (and other resources hosting CA certificates) as tier 0 assets. Harden abusable CA settings and attributes.\n\nFor example, consider disabling the usage of AD CS certificate SANs within relevant authentication protocol settings to enforce strict user mappings and prevent certificates from authenticating as other identifies.(Citation: SpecterOps Certified Pre Owned) Also consider enforcing CA Certificate Manager approval for the templates that include SAN as an issuance requirement.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1558", "comment": "For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.(Citation: STIG krbtgt reset)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.001", "comment": "For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.(Citation: STIG krbtgt reset)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "comment": "Remove vulnerable Group Policy Preferences.(Citation: Microsoft MS14-025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.006", "comment": "Remove vulnerable Group Policy Preferences.(Citation: Microsoft MS14-025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "comment": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550.003", "comment": "To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.(Citation: ADSecurity Kerberos and KRBTGT) For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.(Citation: STIG krbtgt reset)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Active Directory Configuration", "color": "#66b1ff"}]}