-
Find existing weaknesses
Immediately discover, map, and score existing weaknesses. Follow our step-by-step remediation tactics and prevent attacks.
-
Uncover attack pathways
Instantly identify new vulnerabilities and misconfigurations. Break attack pathways and keep your threat exposure in check.
-
Investigate incidents
Drill down into the most comprehensive security tracker for AD. Search and correlate AD changes at object and attribute levels.
-
Detect attacks in real time
Get real-time alerts and actionable remediation plans on AD attacks. Visualize notifications and trigger responses in your SIEM / SOAR / SOC.
Welcome to the new definition of Active Directory security
Introducing Alsid for Active Directory, the comprehensive security solution that provides instant peace of mind for your Active Directory teams. Built by and for security professionals, Alsid’s solution is ‘plug and play in a day.’ No agents, no privileges, no nonsense. Just harden, detect, and respond. Discover Alsid’s solutions now.
-
Find and fix existing weaknesses
- Uncover and fix existing weaknesses with 45 Indicators of Exposure, each composed of 100+ security checkers.
- Identify quick-wins and inform your remediation plans with dynamic threat scoring, complexity rating, and recommended course of action.
- Track security progress using a baseline score or a custom-made scoring framework.
-
Continuously uncover new attack pathways
- Keep your security exposure in check by closing new security gaps before they get exploited.
- Detect new attack pathways in real-time thanks to thousands of security triggers.
- Spot and fix dangerous ACEs for your Active Directory objects.
- Go deeper with comprehensive vulnerability details, research links, and embedded remediation tactics.
-
Detect ongoing attacks in real time
- Spot attacks across all domains and forests in real time and prevent attackers’ lateral movements.
- Leverage our AD-native hypergraph engine to catch attacks that bypass logs such as DCSync and DCShadow.
- Beat the best threat actors’ breakout time (~17 minutes) with the only true real-time technology on the market.
- Augment your existing security ecosystem with AD-centric notifications in your SIEM and playbooks for your SOAR.
-
Investigate incidents and hunt for threats
- Search and correlate AD-native data to uncover suspicious activities and find patient zero.
- Develop queries and customized rules at object- and attribute-levels.
- Focus only on meaningful security information with our false-positive-proof hypergraph engine.
- Dissect Active Directory and SYSLOG replication data for breach entry and lateral movement discovery.
- Forward investigation findings to your SIEM & SOAR for event correlation and automated response.
-
- Your dedicated Alsid instance lives in the cloud of your choice
- Benefit from transparent scaling as our platform adapts to meet your needs
- We take care of pushing security and feature upgrades continuously
- Roll out our on-prem platform in your air-gapped infrastructures
-
- Simply set up a VPN link to get our hypergraph engine started
- Your Alsid instance connects to only one Domain Controller per monitored domain
- Alsid only uses standard protocols to operate, such as LDAP, Kerberos, DNS, NetBIOS and DRSUAPI RPC
-
- Get the value without the pain: no agent to deploy and no risk for your operations
- Our solution does not need any administrative privilege over your AD, so your infrastructure is safe with us
- Our API-based monitoring can handle hundreds of domains and forests without any perceivable footprint on your servers and network
Understanding Alsid’s IoE
Our Indicators of Exposure are constantly run against your AD’s hypergraph to uncover weaknesses and attacks.
Privilege attack vectors
These IoE ensure that monitored Active Directory infrastructures cannot be exploited by attackers to gain admin privileges.
Backdooring techniques
These IoE confirm there are no backdoors into your Active Directory environment and ensure the efficiency of deployed security strategies.
Dangerous security models
These IoE ensure that monitored Active Directory infrastructures are implementing recommended security strategies that reinforce information systems against cyberattacks.
Privilege attack vectors

| Class | Indicator of Exposure | Explanation | Known offensive tools | MITRE ATT&CK tactics |
|---|---|---|---|---|
| (C) | Privileged accounts running Kerberos services | Highly privileged accounts carry a Kerberos Service Principal Name, so any domain user can request a service ticket encrypted with their password hash and crack it offline (Kerberoasting) | Kerberom | Privilege Escalation, Lateral Movement, Persistence |
| (C) | Dangerous Kerberos delegation | Checks that no dangerous delegation (unconstrained delegation, protocol transition, etc.) is authorized | Nishang | Lateral Movement, Persistence, Privilege Escalation |
| (C) | Use of weak cryptographic algorithms in the Active Directory PKI | Root certificates deployed on the internal Active Directory PKI must not use weak cryptographic algorithms | ANSSI-ADCP | Persistence, Privilege Escalation, Lateral Movement |
| (C) | Dangerous access rights delegation on critical objects | Some access rights allow illegitimate users to control critical objects | BloodHound | Exfiltration, Lateral Movement, Command and Control, Credential Access, Privilege Escalation |
| (U) (M) | Multiple issues in the password policy | For some accounts, the current password policies are insufficient to ensure robust credential protection | Patator | Defense Evasion, Lateral Movement, Credential Access, Privilege Escalation |
| (C) | Dangerous RODC management accounts | The administrative groups in charge of Read-Only Domain Controllers contain abnormal accounts | Impacket | Credential Access, Defense Evasion, Privilege Escalation |
| (C) | Sensitive GPO linked to critical objects | Some GPOs managed by non-administrative accounts are linked to sensitive Active Directory objects (e.g. the KDC account, Domain Controllers, administrative groups) | ANSSI-ADCP | Command and Control, Credential Access, Persistence, Privilege Escalation |
| (U) | Administrative accounts allowed to connect to systems other than Domain Controllers | The security policies deployed on the monitored infrastructure do not prevent administrative accounts from logging on to resources other than DCs, exposing sensitive credentials | CrackMapExec | Defense Evasion, Credential Access |
| (C) | Dangerous trust relationship | Misconfigured trust relationship attributes decrease the security of the directory infrastructure | Kekeo | Lateral Movement, Credential Access, Privilege Escalation, Defense Evasion |
| (C) | Reversible passwords in GPO | Verifies that no GPO contains passwords stored in a reversible format | SMB Password crawler | Credential Access, Privilege Escalation |
| (M) | Computers running an obsolete OS | Obsolete systems are no longer supported by their vendor and greatly increase the infrastructure's exposure | Metasploit | Lateral Movement, Command and Control |
| (U) (M) | Accounts using pre-Windows 2000 compatible access control | Accounts that are members of the Pre-Windows 2000 Compatible Access group can bypass specific security measures | Impacket | Lateral Movement, Defense Evasion |
| (U) | Local administrative account management | Ensures local administrative accounts are managed centrally and securely using LAPS | CrackMapExec | Defense Evasion, Credential Access, Lateral Movement |
| (U) | Dangerous anonymous user configuration | Anonymous access is enabled on the monitored Active Directory infrastructure, leaking sensitive information | Impacket | Exfiltration |
| (C) | Abnormal RODC filtered attributes | The filtering policies applied on some Read-Only Domain Controllers can lead to sensitive information being cached, allowing privilege escalation | Mimikatz (DCShadow) | Privilege Escalation, Defense Evasion |
| (U) | Lacking restriction on lateral movement attack scenarios | Lateral movement restrictions have not been activated on the monitored infrastructure, allowing attackers to bounce from machine to machine with the same level of privileges | CrackMapExec | Lateral Movement |
| (M) | Clear-text passwords stored in DC shares | Some files on DC shares, readable by any authenticated user, are likely to contain clear-text passwords, allowing privilege escalation | SMBSpider | Credential Access, Privilege Escalation, Persistence |
| (C) | Dangerous access control rights on logon scripts | Some scripts run during computer or user logon have dangerous access rights, leading to privilege escalation | Metasploit | Lateral Movement, Privilege Escalation, Persistence |
| (C) | Dangerous parameters used in GPO | Some dangerous parameters (e.g. restricted groups, LM hash computation, NTLM authentication level, sensitive settings) are set by GPO, creating security breaches | Responder | Discovery, Credential Access, Execution, Persistence, Privilege Escalation, Defense Evasion |
| (U) | Dangerous parameters defined in the User Account Control configuration | The userAccountControl attribute of some user accounts sets dangerous flags (e.g. PASSWD_NOTREQD or PARTIAL_SECRETS_ACCOUNT), which weaken the security of those accounts | Mimikatz (LSADump) | Persistence, Privilege Escalation, Defense Evasion |
| (M) | Lacking application of security patches | Some servers registered in Active Directory have not applied security updates recently | Metasploit | Command and Control, Privilege Escalation, Defense Evasion |
| (U) | Brute force attempt on user accounts | Some user accounts have been targeted by a brute force attempt | Patator | Credential Access |
| (U) | Kerberos configuration on user account | Some accounts use a weak Kerberos configuration | Mimikatz (Silver Ticket) | Credential Access, Privilege Escalation |
| (M) | Abnormal share or file stored on the DC | Some domain controllers host unnecessary files or network shares | SMBSpider | Discovery, Exfiltration |

Class: (U) User, (M) Machine, (C) Security Component
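As an added example (not Alsid code, and not a description of how its hypergraph engine works), the following PowerShell implements four of the checks from the table above as read-only LDAP queries with the RSAT ActiveDirectory module: Kerberoastable privileged accounts, dangerous Kerberos delegation, dangerous userAccountControl flags, and Everyone/Anonymous in Pre-Windows 2000 Compatible Access. It assumes a domain-joined host, an ordinary domain user, and English group names; the flag values come from MS-ADTS.

```powershell
# Added example, not Alsid code: read-only LDAP checks for a few "privilege attack vector" IoE.
# Assumptions: RSAT ActiveDirectory module, domain-joined host, ordinary domain user, English group names.
Import-Module ActiveDirectory

# userAccountControl flags (MS-ADTS 2.2.16) and the LDAP_MATCHING_RULE_BIT_AND OID.
$BitAnd = '1.2.840.113556.1.4.803'
$UAC = @{
    PASSWD_NOTREQD                 = 0x0000020   # blank password allowed
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0000080   # reversible encryption
    SERVER_TRUST_ACCOUNT           = 0x0002000   # domain controller
    TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
    DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition (S4U2Self)
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000   # RODC secret-caching account
}
function UacClause([string]$Flag) { "(userAccountControl:${BitAnd}:=$($UAC[$Flag]))" }

function New-Finding([string]$Ioe, [string]$Object, [string]$Detail) {
    [pscustomobject]@{ IoE = $Ioe; Object = $Object; Detail = $Detail }
}

function Get-PrivilegeExposure {
    # 1. Privileged accounts running Kerberos services. adminCount=1 marks accounts protected by
    #    SDProp (members of the built-in privileged groups). Any domain user can request a service
    #    ticket for these SPNs, encrypted with the account's password hash, and crack it offline.
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(adminCount=1)(!(sAMAccountName=krbtgt)))' -Properties servicePrincipalName |
        ForEach-Object {
            New-Finding 'Privileged accounts running Kerberos services' $_.SamAccountName ($_.servicePrincipalName -join ', ')
        }

    # 2. Dangerous Kerberos delegation: unconstrained delegation on any account that is not a DC,
    #    and protocol transition anywhere (the service can obtain tickets for arbitrary users).
    $delegation = "(&(|(objectCategory=person)(objectCategory=computer))" +
                  "(!$(UacClause SERVER_TRUST_ACCOUNT))" +
                  "(|$(UacClause TRUSTED_FOR_DELEGATION)$(UacClause TRUSTED_TO_AUTH_FOR_DELEGATION)))"
    Get-ADObject -LDAPFilter $delegation -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            $kind = if ($_.userAccountControl -band $UAC.TRUSTED_FOR_DELEGATION) { 'unconstrained' } else { 'protocol transition' }
            $targets = $_.'msDS-AllowedToDelegateTo' -join ', '
            New-Finding 'Dangerous Kerberos delegation' $_.Name "${kind}; allowed targets: ${targets}"
        }

    # 3. Dangerous parameters in userAccountControl on user accounts.
    $dangerous = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_REQ_PREAUTH', 'PARTIAL_SECRETS_ACCOUNT'
    $uacFilter = '(&(objectCategory=person)(|' + (($dangerous | ForEach-Object { UacClause $_ }) -join '') + '))'
    Get-ADUser -LDAPFilter $uacFilter -Properties userAccountControl |
        ForEach-Object {
            $acct = $_
            $set = $dangerous | Where-Object { $acct.userAccountControl -band $UAC[$_] }
            New-Finding 'Dangerous parameters in User Account Control' $acct.SamAccountName ($set -join ', ')
        }

    # 4. Pre-Windows 2000 Compatible Access: Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) in this
    #    group grants legacy read access to user and group attributes. Members are foreign security
    #    principals whose DN starts with the SID, so no name resolution is needed.
    $legacy = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($dn in $legacy.member) {
        if ($dn -match '^CN=(S-1-1-0|S-1-5-7),CN=ForeignSecurityPrincipals,') {
            New-Finding 'Accounts using pre-Windows 2000 compatible access' $Matches[1] 'well-known SID grants legacy read access to directory data'
        }
    }
}

Get-PrivilegeExposure | Format-Table -AutoSize
```

Every query is a plain LDAP read, which is the same access level the page claims for the product: nothing here needs more than a domain user. The adminCount proxy in check 1 misses privileged accounts that were never touched by SDProp (for example, members of custom admin groups), so a real assessment should also resolve the groups that matter in your own forest.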
Backdooring techniques

| Class | Indicator of Exposure | Explanation | Known offensive tools | MITRE ATT&CK tactics |
|---|---|---|---|---|
| (C) | Ensure SDProp consistency | Controls that the AdminSDHolder object is in a clean state | Mimikatz (Golden Ticket) | Privilege Escalation, Persistence |
| (U) (M) | User primary group ID | Verifies that users' primary group (primaryGroupID) has not been changed | BloodHound | Privilege Escalation, Persistence |
| (C) | Verify root domain object permissions | Ensures the permissions set on the root domain object are sane | BloodHound | Privilege Escalation, Persistence |
| (C) | Verify sensitive GPO objects and files permissions | Ensures that the permissions set on the GPO objects and files linked to sensitive containers (such as the Domain Controllers OU) are sane | BloodHound | Execution, Privilege Escalation, Persistence |
| (C) | Dangerous access rights on RODC KDC account | The KDC account used by some Read-Only Domain Controllers can be controlled by illegitimate user accounts, leading to credential leaks | Mimikatz (DCSync) | Privilege Escalation, Persistence |
| (U) (M) | Sensitive certificates mapped to user accounts | Some X.509 certificates are stored in the altSecurityIdentities attribute of user accounts, allowing the holder of the certificate's private key to authenticate as that user | Not implemented (yet) | Command and Control, Credential Access, Privilege Escalation, Persistence |
| (U) | Rogue krbtgt SPN set on regular account | The Service Principal Name of the KDC is present on some regular user accounts, enabling Kerberos ticket forgery | Mimikatz (Golden Ticket) | Privilege Escalation, Persistence |
| (C) | KDC password last change | The KDC (krbtgt) account password must be changed regularly | Mimikatz (Golden Ticket) | Credential Access, Privilege Escalation, Persistence |
| (U) (M) | Accounts having a dangerous SID History attribute | Checks for user or computer accounts carrying a privileged SID in their sIDHistory attribute | DeathStar | Privilege Escalation, Persistence |
| (M) | Rogue domain controllers | Ensures only legitimate Domain Controller servers are registered in the Active Directory infrastructure | Mimikatz (DCShadow) | Execution, Defense Evasion, Privilege Escalation, Persistence |
| (C) | Illegitimate BitLocker key access control | Some BitLocker recovery keys stored in Active Directory can be accessed by people other than administrators and the linked computers | ANSSI-ADCP | Credential Access, Privilege Escalation, Persistence |
| (C) | Abnormal entries in the Schema security descriptor | The Active Directory Schema has been modified, introducing new default access rights or objects that can endanger the monitored infrastructure | BloodHound | Privilege Escalation, Persistence |
| (U) | DSRM account activated | The Active Directory recovery (Directory Services Restore Mode) account has been activated, exposing it to credential theft | Mimikatz (LSADump) | Credential Access, Execution, Defense Evasion, Privilege Escalation, Persistence |
| (C) | Dangerous caching policy on RODC | The caching policy configured on some Read-Only Domain Controllers allows global administrative accounts to have their credentials cached and retrieved by RODC management accounts | Mimikatz (DCSync) | Privilege Escalation, Persistence |
| (C) | Certificate deployed by GPO applied on DC | Some GPOs are used to deploy certificates on Domain Controllers, allowing the holder of the certificate's private key to compromise these servers | BloodHound | Privilege Escalation, Persistence |
| (U) | Authentication hash not renewed when using smartcard | Some user accounts using smartcard authentication do not renew their credential hash frequently enough | Mimikatz (LSADump) | Persistence |
| (U) | Reversible passwords for user accounts | Verifies that no setting causes passwords to be stored in a reversible format | Mimikatz (DCSync) | Credential Access |
| (C) | Use of explicit denied access on containers | Some Active Directory containers or OUs define explicit Deny ACEs, which can be used to conceal a backdoor | BloodHound | Defense Evasion, Persistence |
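As an added example (not Alsid code), the following PowerShell covers six of the backdooring IoE above with read-only queries from the RSAT ActiveDirectory module: unexpected write-capable ACEs on AdminSDHolder, krbtgt password age, the krbtgt SPN on a regular account, dangerous sIDHistory values, changed primaryGroupID, and NTDS Settings objects that do not belong to a real DC. It assumes a domain-joined host, an ordinary domain user and English group names; the AdminSDHolder allow-list and the 180-day krbtgt threshold are illustrative values, not the product's.

```powershell
# Added example, not Alsid code: read-only checks for several backdooring IoE.
# Assumptions: RSAT ActiveDirectory module (and its AD: drive), domain-joined host, ordinary
# domain user, English group names. Allow-list and thresholds below are illustrative.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$configNc = (Get-ADRootDSE).configurationNamingContext
$nb       = $domain.NetBIOSName

function New-Finding([string]$Ioe, [string]$Object, [string]$Detail) {
    [pscustomobject]@{ IoE = $Ioe; Object = $Object; Detail = $Detail }
}

function Get-BackdoorExposure {
    # 1. SDProp consistency: a write-capable ACE on AdminSDHolder held by anyone outside the expected
    #    set is copied by SDProp onto every protected account. The identities below are the default
    #    holders of write rights in a single-domain forest; compare against your own known-good export.
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins",
                "$nb\Cert Publishers", "$nb\Key Admins", "$nb\Enterprise Key Admins", 'Everyone',
                'NT AUTHORITY\SELF', 'BUILTIN\Terminal Server License Servers'
    $writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights.ToString()
        $writes = ($rights -split ',\s*') | Where-Object { $writeRights -contains $_ }
        if ($ace.AccessControlType -eq 'Allow' -and $writes -and $expected -notcontains $ace.IdentityReference.Value) {
            New-Finding 'Ensure SDProp consistency' $ace.IdentityReference.Value "AdminSDHolder grants $rights"
        }
    }

    # 2. KDC password last change: a golden ticket forged from a stolen krbtgt hash stays valid
    #    until that hash has been rotated out (the previous hash is still accepted after one change).
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    if ($age.TotalDays -gt 180) {
        New-Finding 'KDC password last change' 'krbtgt' ('password is {0:N0} days old' -f $age.TotalDays)
    }

    # 3. Rogue krbtgt SPN: kadmin/changepw is the KDC's own SPN and belongs only on krbtgt accounts.
    Get-ADObject -LDAPFilter '(&(servicePrincipalName=kadmin/changepw)(!(sAMAccountName=krbtgt*)))' |
        ForEach-Object { New-Finding 'Rogue krbtgt SPN set on regular account' $_.Name 'carries the KDC SPN kadmin/changepw' }

    # 4. SID history: a SID from this very domain, or any well-known/built-in RID below 1000,
    #    is never the result of a legitimate migration.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
        foreach ($sid in $_.sIDHistory) {
            $rid = [int]($sid.Value -split '-')[-1]
            if ($sid.AccountDomainSid -eq $domain.DomainSID -or $rid -lt 1000) {
                New-Finding 'Accounts having a dangerous SID History attribute' $_.Name "sIDHistory contains $($sid.Value)"
            }
        }
    }

    # 5. primaryGroupID: 513 is Domain Users and 514 Domain Guests; anything else on a user object
    #    is a hidden group membership that Get-ADGroupMember does not show.
    Get-ADUser -LDAPFilter '(&(!(primaryGroupID=513))(!(primaryGroupID=514)))' -Properties primaryGroupID |
        ForEach-Object { New-Finding 'User primary group ID' $_.SamAccountName "primaryGroupID = $($_.primaryGroupID)" }

    # 6. Rogue DCs: every NTDS Settings object in the Sites container must hang under a server whose
    #    serverReference is a DC (0x2000) or RODC (0x4000000) computer account in the Domain Controllers OU.
    #    DCShadow registers a temporary NTDS Settings object for a workstation account, which this catches.
    #    In a multi-domain forest, build $legitDcs from every domain before comparing.
    $dcFilter = '(|(userAccountControl:1.2.840.113556.1.4.803:=8192)(userAccountControl:1.2.840.113556.1.4.803:=67108864))'
    $legitDcs = (Get-ADComputer -LDAPFilter $dcFilter -SearchBase "OU=Domain Controllers,$domainDn").DistinguishedName
    Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNc" | ForEach-Object {
        $serverDn = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server = Get-ADObject -Identity $serverDn -Properties serverReference, dNSHostName
        if ($legitDcs -notcontains $server.serverReference) {
            New-Finding 'Rogue domain controllers' $server.Name "NTDS Settings present but serverReference '$($server.serverReference)' is not a DC computer account"
        }
    }
}

Get-BackdoorExposure | Format-Table -AutoSize
```

The point-in-time nature of these queries is exactly the weakness the page's real-time argument targets: a DCShadow registration lives only for the seconds the replication push takes, so check 6 only catches an attacker who left the object behind. The other five checks describe persistent state and are reliable from a scheduled run.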
Dangerous security models

| Class | Indicator of Exposure | Explanation | Known offensive tools | MITRE ATT&CK tactics |
|---|---|---|---|---|
| (U) (M) | Native administrative group members | Abnormal accounts are present in the native administrative groups of Active Directory | Impacket | Persistence, Execution, Privilege Escalation, Defense Evasion |
| (U) | Accounts with never-expiring passwords | Accounts with the DONT_EXPIRE_PASSWORD flag are not affected by the password renewal policy | Impacket | Persistence |
| (U) | Recent use of the default administrator account | The built-in Administrator account has been used recently | Mimikatz (Token Impersonate) | Command and Control |
| (C) | Protected Users group not created or not used | Verifies that the Protected Users group has been created in the Active Directory forest and is actually used | Mimikatz (Silver Ticket) | Credential Access |
| (C) | Presence of blocking OU | Some organizational units block inheritance of the security policies deployed by GPO | Responder | Persistence |
| (M) | Inappropriate number of Domain Controllers | Compared to the size of the monitored Active Directory infrastructure, the number of Domain Controllers seems inappropriate | Metasploit | Discovery |
| (C) | Unlinked, disabled or orphan GPO | Unlinked, disabled or orphan GPOs can lead to administrative errors | GPOInjection | Defense Evasion |
| (U) (M) | Sleeping accounts | Unused (dormant) accounts are still enabled | Mimikatz (Token Impersonate) | Persistence |
| (U) (M) | AdminCount attribute set on standard users | Some decommissioned administrative accounts still carry adminCount=1, so they keep the non-inheriting AdminSDHolder permissions and cannot be managed through their container's ACL | CrackMapExec | Persistence, Privilege Escalation |
| (U) (M) | Disabled accounts in privileged groups | Accounts that are no longer used should not remain in privileged groups | Mimikatz (Silver Ticket) | Persistence |
| (C) | Domains have an outdated functional level | A low functional level prevents the use of advanced security features and improvements | Patator | Defense Evasion |
| (C) | Domain using a dangerous backward-compatibility configuration | The dSHeuristics attribute can modify Active Directory behavior and have security impacts | Enum | Credential Access, Privilege Escalation, Defense Evasion |
| (U) | Lacking the use of Managed Service Accounts | Some compatible service accounts do not use the Active Directory Managed Service Accounts feature to rotate their password automatically | Patator | Defense Evasion |
| (C) | Lacking the use of Advanced Audit Policy | The modern Active Directory event logging feature (Advanced Audit Policy Configuration) is not used, leading to inadequate security event monitoring | Mimikatz (LSADump) | Defense Evasion |
| (C) | Lack of Active Directory backups | The monitored Active Directory infrastructure does not seem to be backed up regularly | Impacket | Defense Evasion |
| (U) (M) | Regular users can add new computers to the AD domain | Regular users are allowed to add computers to the monitored Active Directory domains without approval from the administrative teams | Mimikatz (DCShadow) | Persistence, Privilege Escalation |
| (C) | Active Directory event logs not centralized | Active Directory event logs do not appear to be centralized and harvested, which hampers incident response | Metasploit | Defense Evasion |
| (U) (M) | Account naming convention not fully respected | Some accounts do not follow the naming convention defined for the monitored infrastructure | Responder | Defense Evasion |
| (C) | Use of non-canonical ACEs | Some access control lists on Active Directory objects contain ACEs in non-canonical order (for example an Allow placed before the Deny meant to override it), which can make effective-permission evaluation misleading | Empire | Persistence |
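As an added example (not Alsid code), the following PowerShell implements eight of the security-model IoE above with read-only queries from the RSAT ActiveDirectory module: disabled and never-expiring accounts that are still transitively members of protected groups, adminCount orphans, a non-zero ms-DS-MachineAccountQuota, anonymous LDAP enabled through dSHeuristics, a missing or empty Protected Users group, an old domain functional level, OUs that block GPO inheritance, and dormant accounts. It assumes a domain-joined host, an ordinary domain user and English group names; the 90-day inactivity window is an illustrative value.

```powershell
# Added example, not Alsid code: read-only checks for several "dangerous security model" IoE.
# Assumptions: RSAT ActiveDirectory module, domain-joined host, ordinary domain user, English
# group names. The 90-day inactivity window is illustrative.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$configNc = (Get-ADRootDSE).configurationNamingContext
$InChain  = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN: transitive group membership
$UF_ACCOUNTDISABLE       = 0x00002
$UF_DONT_EXPIRE_PASSWORD = 0x10000

function New-Finding([string]$Ioe, [string]$Object, [string]$Detail) {
    [pscustomobject]@{ IoE = $Ioe; Object = $Object; Detail = $Detail }
}

function Get-SecurityModelExposure {
    # Groups protected by SDProp: membership in one of them is what makes adminCount=1 legitimate.
    # Enterprise/Schema Admins only exist in the forest root, hence the SilentlyContinue.
    $protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                       'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators', 'Replicator'
    $groupDns = foreach ($g in $protectedGroups) { (Get-ADGroup -Identity $g -ErrorAction SilentlyContinue).DistinguishedName }
    $groupDns = $groupDns | Where-Object { $_ }
    $inProtected = '(|' + (($groupDns | ForEach-Object { "(memberOf:${InChain}:=$_)" }) -join '') + ')'

    # 1. Privileged group hygiene: disabled accounts and never-expiring passwords that are still
    #    (transitively) members of a protected group. The IN_CHAIN rule resolves nesting server-side.
    Get-ADUser -LDAPFilter $inProtected -Properties userAccountControl | ForEach-Object {
        if ($_.userAccountControl -band $UF_ACCOUNTDISABLE) {
            New-Finding 'Disabled accounts in privileged groups' $_.SamAccountName 'disabled but still a member of a protected group'
        }
        if ($_.userAccountControl -band $UF_DONT_EXPIRE_PASSWORD) {
            New-Finding 'Accounts with never-expiring passwords' $_.SamAccountName 'DONT_EXPIRE_PASSWORD set on a privileged account'
        }
    }

    # 2. adminCount orphans: adminCount=1 without any protected membership. SDProp never clears the
    #    flag, so these accounts keep the AdminSDHolder ACL and blocked inheritance forever.
    $orphanFilter = "(&(adminCount=1)(!${inProtected})(!(sAMAccountName=krbtgt))(!(sAMAccountName=Administrator)))"
    Get-ADUser -LDAPFilter $orphanFilter | ForEach-Object {
        New-Finding 'AdminCount attribute set on standard users' $_.SamAccountName 'adminCount=1 but no protected group membership'
    }

    # 3. Regular users can add computers: the default quota of 10 lets any user create machine accounts.
    $quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if ($quota -gt 0) {
        New-Finding 'Regular users can add new computers to the AD domain' $domain.DNSRoot "ms-DS-MachineAccountQuota = $quota (set it to 0)"
    }

    # 4. dSHeuristics: the 7th character (fLDAPBlockAnonOps) set to 2 re-enables anonymous LDAP operations.
    $dsSvc = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties dSHeuristics
    $heur = [string]$dsSvc.dSHeuristics
    if ($heur.Length -ge 7 -and $heur[6] -eq '2') {
        New-Finding 'Domain using a dangerous backward-compatibility configuration' 'dSHeuristics' "7th character is 2: anonymous LDAP operations allowed ($heur)"
    }

    # 5. Protected Users: exists only at 2012 R2 functional level or above, and only helps when populated.
    $pu = Get-ADGroup -Identity 'Protected Users' -Properties member -ErrorAction SilentlyContinue
    if (-not $pu) {
        New-Finding 'Protected Users group not created or not used' 'Protected Users' 'group does not exist'
    } elseif ($pu.member.Count -eq 0) {
        New-Finding 'Protected Users group not created or not used' 'Protected Users' 'group exists but is empty'
    }

    # 6. Functional level: ADDomainMode enumerates 0 (Windows2000Domain) up to 7 (Windows2016Domain).
    if ([int]$domain.DomainMode -lt 7) {
        New-Finding 'Domains have an outdated functional level' $domain.DNSRoot "functional level is $($domain.DomainMode)"
    }

    # 7. Blocking OUs: gpOptions=1 means "Block Inheritance" for everything below the OU.
    Get-ADOrganizationalUnit -LDAPFilter '(gpOptions=1)' | ForEach-Object {
        New-Finding 'Presence of blocking OU' $_.DistinguishedName 'gpOptions=1 blocks GPO inheritance'
    }

    # 8. Sleeping accounts: enabled users with no logon in the window (lastLogonTimestamp based).
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays(90)) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object { New-Finding 'Sleeping accounts' $_.SamAccountName "no logon for 90+ days (last: $($_.LastLogonDate))" }
}

Get-SecurityModelExposure | Format-Table -AutoSize
```

Check 8 relies on lastLogonTimestamp, which replicates with up to 14 days of slack, so treat its dates as approximate; a precise answer needs lastLogon from every DC. The functional-level threshold in check 6 is a choice, not a rule: what matters is that the level is high enough for the features you depend on (Protected Users, authentication policies, AES-only Kerberos).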