Skip to content

M1015 Active Directory Configuration

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

Item Value
ID M1015
Version 1.1
Created 06 June 2019
Last Modified 29 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.005 SID-History Injection Clean up SID-History attributes after legitimate account migration is complete.
enterprise T1606 Forge Web Credentials -
enterprise T1606.002 SAML Tokens For containing the impact of a previously forged SAML token, rotate the token-signing AD FS certificate in rapid succession twice, which will invalidate any tokens generated using the previous certificate.12
enterprise T1003 OS Credential Dumping
Manage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. 7 8 Consider adding users to the “Protected Users” Active Directory security group. This can help limit the caching of users’ plaintext credentials.9
enterprise T1003.005 Cached Domain Credentials Consider adding users to the “Protected Users” Active Directory security group. This can help limit the caching of users’ plaintext credentials.9
enterprise T1003.006 DCSync Manage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication.108
enterprise T1072 Software Deployment Tools Ensure proper system and access isolation for critical network systems through use of group policy.
enterprise T1558 Steal or Forge Kerberos Tickets For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.5
enterprise T1558.001 Golden Ticket For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.5
enterprise T1552 Unsecured Credentials Remove vulnerable Group Policy Preferences.6
enterprise T1552.006 Group Policy Preferences Remove vulnerable Group Policy Preferences.6
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.003 Pass the Ticket To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.11 For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.5

References


  1. Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017. 

  2. Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017. 

  3. Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017. 

  4. Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017. 

  5. UCF. (n.d.). The password for the krbtgt account on a domain must be reset at least every 180 days. Retrieved November 5, 2020. 

  6. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015. 

  7. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017. 

  8. Microsoft. (n.d.). How to grant the “Replicating Directory Changes” permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017. 

  9. Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020. 

  10. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017. 

  11. Sean Metcalf. (2014, November 10). Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account. Retrieved January 30, 2020. 

  12. Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021. 

Back to top