diff --git a/TierZeroTable.csv b/TierZeroTable.csv index 11748af..e1d860c 100644 --- a/TierZeroTable.csv +++ b/TierZeroTable.csv @@ -1,186 +1,4 @@ Name;Type;IdP;Identification;Description;Known Tier Zero compromise by default configuration;Known Tier Zero compromise by common (mis)configuration;Is Tier Zero;Reasoning;Microsoft: Privileged access security roles;AdminSDHolder protected;What is Tier Zero episode;External links -Account Operators;DC group;Active Directory;SID: S-1-5-32-548;"The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers. - -Members of the Account Operators group can't manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group can't modify user rights. - -The Account Operators group applies to the Windows Server operating system in the Default Active Directory security groups list. - -Note: By default, this built-in group has no members. The group can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and don't use it for any delegated administration. This group can't be renamed, deleted, or removed.";YES - Takeover;N/A - Compromise by default;YES;"The Account Operators group has GenericAll in the default security descriptor on the AD object classes: User, Group, and Computer. That means all objects of these types will be under full control of Account Operators unless they are protected with AdminSDHolder. Not all Tier Zero objects will be protected with AdminSDHolder typically, as not all Tier Zero objects will be included in Protected Accounts and Groups. This means Account Operators members have a path to compromise Tier Zero most often. - -It is possible to delete all GenericAll ACEs for Account Operators on Tier Zero objects. To protect future Tier Zero objects, one would have to either remove the Account Operators ACE from the default security descriptors or implement a process of removing the ACEs as Tier Zero objects are being created. However, we recommend not using the group and classifying it as Tier Zero instead.";YES;YES;1;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#account-operators -https://www.whiteoaksecurity.com/blog/account-operators-privilege-escalation/ -https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#genericall" +Account Operators;DC group;Active Directory;SID: S-1-5-32-548;The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers. Members of the Account Operators group can't manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group can't modify user rights. The Account Operators group applies to the Windows Server operating system in the Default Active Directory security groups list. Note: By default, this built-in group has no members. The group can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and don't use it for any delegated administration. This group can't be renamed, deleted, or removed.;YES - Takeover;N/A - Compromise by default;YES;The Account Operators group has GenericAll in the default security descriptor on the AD object classes: User, Group, and Computer. That means all objects of these types will be under full control of Account Operators unless they are protected with AdminSDHolder. Not all Tier Zero objects will be protected with AdminSDHolder typically, as not all Tier Zero objects will be included in Protected Accounts and Groups. This means Account Operators members have a path to compromise Tier Zero most often. It is possible to delete all GenericAll ACEs for Account Operators on Tier Zero objects. To protect future Tier Zero objects, one would have to either remove the Account Operators ACE from the default security descriptors or implement a process of removing the ACEs as Tier Zero objects are being created. However, we recommend not using the group and classifying it as Tier Zero instead.;YES;YES;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#account-operators, https://www.whiteoaksecurity.com/blog/account-operators-privilege-escalation/, +https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#genericall Administrator;AD user;Active Directory;SID: S-1-5-21--500;The Administrator account is a default account that is used in all versions of the Windows operating system on every computer and device. The Administrator account is used by the system administrator for tasks that require administrative credentials. This account cannot be deleted or locked out, but the account can be renamed or disabled.;YES - Takeover;N/A - Compromise by default;YES;The built-in Administrator account has admin access to DCs by default and is therefore Tier Zero.;YES;YES;2;https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn745899(v=ws.11)?redirectedfrom=MSDN#administrator-account -Administrators;DC group;Active Directory;SID: S-1-5-32-544;"Members of the Administrators group have complete and unrestricted access to the computer. If the computer is promoted to a domain controller, members of the Administrators group have unrestricted access to the domain. - -The Administrators group applies to the Windows Server operating system in the Default Active Directory security groups list. - -Note: The Administrators group has built-in capabilities that give its members full control over the system. This group can't be renamed, deleted, or removed. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Members of the following groups can modify the Administrators group membership: the default service Administrators, Domain Admins in the domain, and Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.";YES - Takeover;N/A - Compromise by default;YES;The Administrators group has full control over most of AD’s essential objects and are inarguably part of Tier Zero.;YES;YES;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#administrators -AdminSDHolder;AD container;Active Directory;DistinguishedName: CN=AdminSDHolder,CN=System,;"The purpose of the AdminSDHolder object is to provide ""template"" permissions for the protected accounts and groups in the domain. AdminSDHolder is automatically created as an object in the System container of every Active Directory domain.";YES - Takeover;N/A - Compromise by default;YES;The permissions configured on AdminSDHolder is a template that will be applied on Protected Groups and Users with SDProp, by default every hour. Control over AdminSDHolder means you have control over the Protected Groups (and their members) and Users, which include Tier Zero groups such as Domain Admins. The AdminSDHolder container is therefore a Tier Zero object.;NO;YES;2;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory -Allowed RODC Password Replication Group;AD group;Active Directory;SID: S-1-5-21--571;The purpose of this security group is to manage a read-only domain controller (RODC) password replication policy. This group has no members by default, and it results in the condition that new RODCs don't cache user credentials. The Denied RODC Password Replication group contains various high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.;NO;YES - Takeover;NO;"The Allowed RODC Password Replication Group has no control by default. By default, this group is included in the msDS-RevealOnDemandGroup attribute of RODC computer objects, meaning that the RODC can retrieve the credentials of members of the group. Control over the group could potentially cause an attack path to Tier Zero if the attacker has administrative access to an RODC host and the RODC is misconfigured to not deny replication of Tier Zero principals. An attacker could add a targeted Tier Zero user to this group. With admin access to an RODC computer, the attacker can dump the RODC krbtgt account to create a Golden RODC TGT for the targeted Tier Zero user. This Golden RODC TGT can be exchanged with a real TGT when the targeted user is in the msDS-RevealOnDemandGroup attribute through the membership of Allowed RODC Password Replication Group, unless the target user is in the msDS-NeverRevealGroup attribute. - -All Tier Zero users and computers should be in the msDS-NeverRevealGroup attribute to ensure they cannot be compromised by being added to the Allowed RODC Password Replication Group. When this practice is followed, this group can be treated as a non-Tier Zero group and non-Tier Zero admins can manage membership of the group.";NO;NO;2;"https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06 -https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#allowed-rodc-password-replication" -Backup Operators;DC group;Active Directory;SID: S-1-5-32-551;"Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can't be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Members of the following groups can modify Backup Operators group membership: default service Administrators, Domain Admins in the domain, and Enterprise Admins. Members of the Backup Operators group can't modify the membership of any administrative groups. Although members of this group can't change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because members of this group can replace files on domain controllers, they're considered service administrators. - -The Backup Operators group applies to the Windows Server operating system in Default Active Directory security groups.";YES - Takeover;N/A - Compromise by default;YES;The Backup Operators group has the SeBackupPrivilege and SeRestorePrivilege rights on the domain controllers by default. These privileges allow members to access all files on the domain controllers, regardless of their permission, through backup and restore operations. Additionally, Backup Operators have full remote access to the registry of domain controllers. To compromise the domain, members of Backup Operators can dump the registry hives of a domain controller remotely, extract the domain controller account credentials, and perform a DCSync attack. Alternative ways to compromise the domain exist as well. The group is considered Tier Zero because of these known abuse techniques.;YES;YES;1;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#backup-operators -https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#backup-operators-1" -Cryptographic Operators;DC group;Active Directory;SID: S-1-5-32-569;"Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode. - -The Cryptographic Operators group applies to the Windows Server operating system in Default Active Directory security groups. - -This security group was introduced in Windows Vista SP1, and it hasn't changed in subsequent versions.";NO;NO;YES;"The Cryptographic Operators group has the local privilege on domain controllers to perform cryptographic operations but no privilege to log in. - -There are no known ways to abuse the membership of the group to compromise Tier Zero. The local privilege the group has on the domain controllers is considered security dependencies, and the group is therefore considered Tier Zero.";YES;NO;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#cryptographic-operators -Denied RODC Password Replication Group;AD group;Active Directory;SID: S-1-5-21--572;"Passwords of members of the Denied RODC Password Replication group can't be replicated to any RODC. - -The purpose of this security group is to manage a RODC password replication policy. This group contains various high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.";NO;YES - Takeover;NO;"The Denied RODC Password Replication Group has no control by default. By default, this group is included in the msDS-NeverRevealGroup attribute of RODC computer objects, meaning that the RODC cannot retrieve the credentials of members of the group. Control over the group could potentially cause an attack path to Tier Zero if the attacker has administrative access to the OS of an RODC and a target Tier Zero principal is in the msDS-RevealOnDemandGroup attribute by group membership. The attacker could remove the targeted Tier Zero principal from the Denied RODC Password Replication Group, and with admin access to the RODC computer, the attacker could dump the RODC krbtgt account to create a Golden RODC TGT for the targeted Tier Zero principal. This Golden RODC TGT can be exchanged with a real TGT now the targeted user is no longer in msDS-NeverRevealGroup. - -All Tier Zero users and computers should be in the msDS-NeverRevealGroup attribute by dedicated Tier Zero groups to ensure they cannot be compromised through RODCs, rather than through membership of this group. When this practice is followed, this group can be treated as a non-Tier Zero group and non-Tier Zero admins can manage membership of this group.";NO;NO;2;"https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06 -https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#denied-rodc-password-replication" -Distributed COM Users;DC group;Active Directory;SID: S-1-5-32-562;"Members of the Distributed COM Users group can launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (also called the flexible single master operations or FSMO) role. - -The Distributed COM Users group applies to the Windows Server operating system in Default Active Directory security groups.";NO;NO;YES;"The Distributed COM Users group has local privileges on domain controllers to launch, activate, and use Distributed COM objects but no privilege to log in. - -There are no known ways to abuse the membership of the group to compromise Tier Zero. The local privileges the group has on the DCs are considered security dependency, and the group is therefore considered Tier Zero.";YES;NO;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#distributed-com-users -Domain Admins;AD group;Active Directory;SID: S-1-5-21--512;"Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that's created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. - -The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Members of the service administrator groups in its domain (Administrators and Domain Admins) and members of the Enterprise Admins group can modify Domain Admins membership. This group is considered a service administrator account because its members have full access to the domain controllers in a domain. - -The Domain Admins group applies to the Windows Server operating system in Default Active Directory security groups.";YES - Takeover;N/A - Compromise by default;YES;The Domain Admins group has full control over most of AD’s essential objects and are inarguably part of Tier Zero.;YES;YES;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#domain-admins -Domain Controllers;AD group;Active Directory;SID: S-1-5-21--516;"The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group. - -The Domain Controllers group applies to the Windows Server operating system in Default Active Directory security groups.";YES - Disruption;N/A - Compromise by default;YES;"The Domain Controllers group has the GetChangesAll privilege on the domain. This is not enough to perform DCSync, where the GetChanges privilege is also required. - -There are no known ways to abuse membership in this group to compromise Tier Zero. However, the GetChangesAll privilege is considered a security dependency that should only be held by Tier Zero principals. Additionally, control over the group allows one to impact the operability of Tier Zero by removing domain controllers from the group, which breaks AD replication. The group is therefore considered Tier Zero.";YES;YES;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#domain-controllers -Domain Controllers (OU);AD OU;Active Directory;DistinguishedName: OU=Domain Controllers,;When domain controllers are added to the domain, their computer objects are automatically added to the Domain Controller OU. This OU has a default set of policies applied to it. To ensure that these policies are applied uniformly to all domain controllers, we recommend that you not move the computer objects of the domain controllers out of this OU. Failure to apply the default policies can cause a domain controller to fail to function properly.;YES - Takeover;N/A - Compromise by default;YES;Inheritance is not disabled by default on DCs and RODCs, which means they can inherit permissions placed on the Domain Controllers OU. An attacker could thereby grant themselves GenericAll on DCs and RODCs, which enable the attacker to perform a domain compromise. If the attacker has the privilege to create or modify GPOs, the attacker could compromise DCs with a malicious GPO. For these reasons, the Domain Controllers OU is Tier Zero.;NO;NO;2;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-of-default-containers-and-ous#domain-controller-ou -Domain root object;AD domain;Active Directory;Top object in the Default Naming Context;A Domain root object represents the AD domain. It contains all AD objects in the Default Naming Context.;YES - Takeover;N/A - Compromise by default;YES;An attacker with control over the domain root object can compromise the domain in multiple ways, for example by a DCSync attack (see reference). The domain root object is therefore Tier Zero.;NO;NO;2;https://adsecurity.org/?p=1729 -DnsAdmins;AD group;Active Directory;S-1-5-21--;"Members of the DnsAdmins group have access to network DNS information. The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. - -For more information about security and DNS, see DNSSEC in Windows Server 2012.";YES - Takeover;N/A - Compromise by default;YES;Users from the DnsAdmins group could use a “feature” in the Microsoft DNS management protocol to make the DNS service load any DLL. This service runs on Domain Controllers as NT AuthoritySystem, allowing DnsAdmins to escalate privileges to SYSTEM on DC (with permissions equal at least to Domain Admins).;NO;NO;Community contribution;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins -https://www.semperis.com/blog/dnsadmins-revisited/" -Enterprise Admins;AD group;Active Directory;SID: S-1-5-21--519;"The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. The group is a Universal group if the domain is in native mode. The group is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, like adding child domains. - -By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access to configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Members of the default service administrator groups in the root domain can modify Enterprise Admins membership. This group is considered a service administrator account. - -The Enterprise Admins group applies to the Windows Server operating system in Default Active Directory security groups.";YES - Takeover;N/A - Compromise by default;YES;The Enterprise Admins group has full control over most of AD’s essential objects and are inarguably part of Tier Zero.;YES;YES;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#enterprise-admins -Enterprise Read-only Domain Controllers;AD group;Active Directory;SID: S-1-5-21--498;"Members of this group are RODCs in the enterprise. Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes can't be made to the database that's stored on the RODC. Changes must be made on a writable domain controller and then replicated to the RODC. - -RODCs address some of the issues that are commonly found in branch offices. These locations might not have a domain controller, or they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it.";NO;NO;NO;The group has no Tier Zero privileges and is not a security dependency for Tier Zero. The Enterprise Read-only Domain Controllers group has the GetChanges privilege on all domains in the forest. This is not enough to perform DCSync, where the GetChangesAll privilege is also required.;NO;NO;2;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#enterprise-read-only-domain-controllers -GPO linked to Tier Zero container;AD GPO;Active Directory;Any GPO in Active Directory;"A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a unique name, such as a GUID. - -Group Policy settings are contained in a GPO. A GPO can represent policy settings in the file system and in the Active Directory. GPO settings are evaluated by clients using the hierarchical nature of Active Directory.";YES - Takeover;N/A - Compromise by default;YES;Control over a GPO allows you to compromise users and computers affected by the GPO (see references). If a GPO is linked to a Tier Zero container (Domain, OU, or Site), then the GPO is Tier Zero. ;NO;NO;2;"https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/group-policy-objects -https://wald0.com/?p=179 -https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/" -GPO NOT linked to Tier Zero container;AD GPO;Active Directory;Any GPO in Active Directory;"A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a unique name, such as a GUID. - -Group Policy settings are contained in a GPO. A GPO can represent policy settings in the file system and in the Active Directory. GPO settings are evaluated by clients using the hierarchical nature of Active Directory.";NO;NO;NO;Control over a GPO allows you to compromise users and computers affected by the GPO (see references). If a GPO is not linked to a Tier Zero container (Domain, OU, or Site), then the GPO does not effect Tier Zero principals and is therefore not Tier Zero. ;NO;NO;2;"https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/group-policy-objects -https://wald0.com/?p=179 -https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/" -Group Policy Creator Owners;AD group;Active Directory;SID: S-1-5-21--520;"This group is authorized to create, edit, and delete Group Policy Objects in the domain. By default, the only member of the group is Administrator. - -For information about other features you can use with this security group, see Group Policy overview. - -The Group Policy Creator Owners group applies to the Windows Server operating system in Default Active Directory security groups.";NO;NO;NO;"The Group Policy Creator Owners group has the privilege to create new GPOs. However, members of the group can only edit or delete GPOs that they have created themselves. The group has no privileges to link GPOs to an OU, a site, or the domain. - -There are no known ways to abuse membership of the Group Policy Creator Owners group to compromise Tier Zero. The group is not a security dependency for Tier Zero and is therefore not considered Tier Zero.";YES;NO;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#group-policy-creator-owners -krbtgt;AD user;Active Directory;SID: S-1-5-21--502;"The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory. - -KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created. - -Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.";YES - Takeover;N/A - Compromise by default;YES;The krbtgt's credentials allow one to create golden ticket and compromise the domain. Therefore, if you obtain the credentials of this account, then you can authenticate as any Tier Zero user. However, there is currently no known privilege on the object to obtain the Kerberos keys or to compromise the account in any other way. When you reset the password of krbtgt, AD will ignore your password input and use a random string instead. So, the reset password privilege does not work for a compromise. An attacker could use the reset password privilege to harm Tier Zero, as a double password reset causes all Kerberos TGTs in the domain to become invalid. So, since control over the account can harm Tier Zero, and there is no reason for delegating control to non-Tier Zero, the krbtgt is Tier Zero.;YES;YES;2;"https://adsecurity.org/?p=483 -https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn745899(v=ws.11)?redirectedfrom=MSDN#krbtgt-account" -Print Operators;DC group;Active Directory;SID: S-1-5-32-550;"Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They also can manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. - -This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group can't be renamed, deleted, or removed. - -The Print Operators group applies to the Windows Server operating system in Default Active Directory security groups. - -For more information, see Assign delegated print administrator and printer permission settings in Windows Server 2012.";YES - Takeover;N/A - Compromise by default;YES;"The Print Operators group has the local privilege on the domain controllers to load device drivers and can log on locally on domain controllers by default. - -It is feasible to remove the logon privilege from the group on the domain controllers, such that the group has no known abusable path to Tier Zero. However, the local privilege to load device drivers is considered a security dependency for the domain controllers, and the group is therefore considered Tier Zero.";YES;YES;1;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#print-operators -https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#print-operators" -Read-only Domain Controllers;AD group;Active Directory;SID: S-1-5-21--521;"This group is composed of the RODCs in the domain. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios in which physical security can't be guaranteed, such as in branch office locations or when local storage of all domain passwords is considered a primary threat, like in an extranet or application-facing role. - -Because you can delegate administration of an RODC to a domain user or security group, an RODC is well suited for a site that shouldn't have a user who is a member of the Domain Admins group. An RODC has the following functionality: - -Contains read-only AD DS database - -Unidirectional replication - -Credential caching - -Administrator role separation - -Contains read-only Domain Name System (DNS) - -For more information, see Understand planning and deployment for read-only domain controllers.";NO;N/A - Compromise by default;NO;"The Read-only Domain Controllers group has no compromising privileges, and there are no known ways to abuse membership in the group to compromise Tier Zero. - -Whether the group is a security dependency for read-only domain controller servers is not clear, but read-only domain controller servers are not considered Tier Zero (only the read-only domain controller AD objects are). The Read-only Domain Controllers group is therefore not considered Tier Zero. We will dive deeper into how read-only domain controllers should be handled in one of the following blog posts.";YES;YES;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#read-only-domain-controllers -RODC computer object;AD computer;Active Directory;AD attribute msDS-isRODC: True;A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.;YES - Takeover;N/A - Compromise by default;YES;An attacker with control over a RODC computer object can compromise Tier Zero principals. The attacker can modify the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes of the RODC computer object such that the RODC can retrieve the credentials of a targeted Tier Zero principal. The attacker can obtain admin access to the OS of the RODC through the managedBy attribute, from where they can obtain the credentials of the RODC krbtgt account. With that, the attacker can create a RODC golden ticket for the target principal. This ticket can be converted to a real golden ticket as the target has been added to the msDS-RevealOnDemandGroup attribute and is not protected by the msDS-NeverRevealGroup attribute. Therefore, the RODC computer object is Tier Zero.;NO;NO;2;"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732801(v=ws.10) -https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06" -RODC host;Computer host;Active Directory;Not applicable - Not represented as an object;A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.;NO;YES - Takeover;NO;An attacker with admin access to the OS of a RODC computer can compromise any principal which is in the msDS-RevealOnDemandGroup attribute of the RODC computer object if the principal is not in the msDS-NeverRevealGroup attribute of the RODC computer object. All Tier Zero principals should be protected in the msDS-NeverRevealGroup attribute, which will prevent a compromise of Tier Zero. The RODC computer OS is not Tier Zero if that practice is followed. That means non-Tier Zero users who belong to a remote office where the RODC computer is located are allowed to log in on the RODC computer with admin access.;NO;N/A;2;"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732801(v=ws.10) -https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06" -RODC krbtgt;AD user;Active Directory;SAMAccountName: krbtgt_, and msDS-SecondaryKrbTgtNumber attribute set to same ;"The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines whether a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy. - -After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.";NO;YES - Takeover;NO;The RODC krbtgt's credentials allow one to obtain a golden ticket for any account in the msDS-RevealOnDemandGroup attribute of the RODC computer object if the account is not in the msDS-NeverRevealGroup attribute. All Tier Zero principals should be protected in the msDS-NeverRevealGroup attribute, which will prevent a compromise of Tier Zero. The RODC krbtgt account is not Tier Zero if that practice is followed.;NO;NO;2;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts#read-only-domain-controllers-and-the-krbtgt-account -https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06" -Schema Admins;AD group;Active Directory;SID: S-1-5-21--518;"Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. This group is a Universal group if the domain is in native mode. This group is a Global group if the domain is in mixed mode. - -The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema. - -Any of the service administrator groups in the root domain can modify the membership of this group. This group is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory. - -For more information, see What is the Active Directory schema? - -The Schema Admins group applies to the Windows Server operating system in Default Active Directory security groups. -";YES - Takeover;N/A - Compromise by default;YES;The Schema Admins group has full control over the AD schema. This allows the group members to create or modify ACEs for future AD objects. An attacker could grant full control to a compromised principal on any object type and wait for the next Tier Zero asset to be created, to then have a path to Tier Zero. This attack could be remediated by removing any unwanted ACEs on objects before they are promoted to Tier Zero, but we recommend considering the group as Tier Zero instead.;YES;YES;1;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#schema-admins -https://cube0x0.github.io/Pocing-Beyond-DA/#schema-admins" -Server Operators;DC group;Active Directory;SID: S-1-5-32-549;"Members of the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can take the following actions: sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group can't be renamed, deleted, or removed. - -By default, this built-in group has no members. The group has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and by the Enterprise Admins group in the forest root domain. Members in this group can't change any administrative group memberships. This group is considered a service administrator account because its members have physical access to domain controllers. Members of this group can perform maintenance tasks like backup and restore, and they can change binaries that are installed on the domain controllers. See the group's default user rights in the following table. - -The Server Operators group applies to the Windows Server operating system in Default Active Directory security groups.";YES - Takeover;N/A - Compromise by default;YES;"The Server Operators group has local privileges on the domain controllers and perform administrative operations as creating backups of all files. The group can log on locally on domain controllers by default. - -It is feasible to remove the logon privilege from the group on the domain controllers, such that the group has no known abusable path to Tier Zero. However, the local privileges are considered security dependencies for the domain controllers, and the groups are therefore considered Tier Zero.";YES;YES;1;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#server-operators -https://cube0x0.github.io/Pocing-Beyond-DA/#server-operators" -Users (container);AD container;Active Directory;DistinguishedName: CN=Users,;"The users and computers containers are the default locations for all new user accounts and non-domain-controller computer accounts in the domain. - -If you need to delegate control over users or computers, do not modify the default settings on the users and computers containers. Instead, create new OUs (as needed) and move the user and computer objects from their default containers and into the new OUs. Delegate control over the new OUs, as needed. We recommend that you not modify who controls the default containers.";YES - Disruption;N/A - Compromise by default;YES;"The Users container contains multiple default Tier Zero objects by default and is therefore considered Tier Zero. The most privileged ones like Domain Admins are protected with AdminSDHolder and have ACL inheritance disabled, so control over the Users container does not enable compromise of these objects. But some Tier Zero objects such as Cert Publishers and DnsAdmins are not protected with AdminSDHolder and do have inheritance disabled, which means they can be compromised by an attacker with control over the Users container. However, the Tier Zero objects that can be compromised can only disrupt Tier Zero operation but not takeover Tier Zero. - -We recommend to move all Tier Zero objects from the Users container to dedicated Tier Zero OUs to make it clear what belongs to Tier Zero in the OU structure. The Users container is not Tier Zero when this practice is followed.";NO;NO;2;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-of-default-containers-and-ous#users-and-computers-containers -Global Administrator;Entra ID role;Entra ID;Template ID: 62e90394-69f5-4237-9190-012177145e10;This is a privileged role. Users with this role have access to all administrative features in Microsoft Entra ID, as well as services that use Microsoft Entra identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. Global Administrators can view Directory Activity logs. Furthermore, Global Administrators can elevate their access to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Microsoft Entra tenant. The person who signs up for the Microsoft Entra organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators. A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has zero Global Administrators.;YES - Takeover;N/A - Compromise by default;YES;The Global Administrator role is the highest privilege role in Entra ID and inarguably part of Tier Zero. It can do almost anything, and grant permission to do the things it cannot do.;YES;N/A;3;https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator -Privileged Authentication Administrator;Entra ID role;Entra ID;Template ID: 7be44c8a-adaf-4e2a-84d6-ab2649e08a13;"This is a privileged role. Assign the Privileged Authentication Administrator role to users who need to do the following: -- Set or reset any authentication method (including passwords) for any user, including Global Administrators. -- Delete or restore any users, including Global Administrators. For more information, see Who can perform sensitive actions. -- Force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke remember MFA on the device, prompting for MFA on the next sign-in of all users. -- Update sensitive properties for all users. For more information, see Who can perform sensitive actions. -- Create and manage support tickets in Azure and the Microsoft 365 admin center. - -Users with this role cannot do the following: -- Cannot manage per-user MFA in the legacy MFA management portal. - -Important: Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example: -- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Microsoft Entra ID and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator can assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application. -- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure. -- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Microsoft Entra ID and elsewhere. -- Administrators in other services outside of Microsoft Entra ID like Exchange Online, Microsoft 365 Defender portal, and Microsoft Purview compliance portal, and human resources systems. -- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.";YES - Takeover;N/A - Compromise by default;YES;The Privileged Authentication Administrator role can set or reset any authentication method (including passwords) for any principal, including principals with the Global Administrator role. The role is therefore considered Tier Zero.;YES;N/A;3;https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#privileged-authentication-administrator -Privileged Role Administrator;Entra ID role;Entra ID;Template ID: e8611ab8-c189-46e8-94e1-60213ab1f814;"This is a privileged role. Users with this role can manage role assignments in Microsoft Entra ID, as well as within Microsoft Entra Privileged Identity Management. They can create and manage groups that can be assigned to Microsoft Entra roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units. - - Important: This role grants the ability to manage assignments for all Microsoft Entra roles including the Global Administrator role. This role does not include any other privileged abilities in Microsoft Entra ID like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.";YES - Takeover;N/A - Compromise by default;YES;The Privileged Role Administrator role can grant any other admin role to any principal at the tenant level. The role is therefore considered Tier Zero.;YES;N/A;3;https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator -Partner Tier2 Support;Entra ID role;Entra ID;Template ID: e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8;"This is a privileged role. Do not use. This role has been deprecated and will be removed from Microsoft Entra ID in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use. - -Important: This role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). This role should not be used because it is deprecated.";YES - Takeover;N/A - Compromise by default;YES;The Partner Tier2 Support role can reset the password for any principal, including principals with the Global Administrator role. The role is therefore considered Tier Zero.;YES;N/A;3;https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#partner-tier2-support -Security Administrator;Entra ID role;Entra ID;Template ID: 194ae4cb-b126-40b2-bd5b-6091b380977d;This is a privileged role. Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Microsoft Entra ID Protection, Microsoft Entra Authentication, Azure Information Protection, and Microsoft Purview compliance portal. For more information about Office 365 permissions, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.;YES - Disruption;YES - Takeover;YES;The Security Administrator role has access to Live Response API (if not disabled) with permission to execute scripts locally on Entra-managed devices. The role has therefore a potential attack path to Tier Zero through Entra-managed devices used by Tier Zero principals. Furthermore, the Security Administrator role can manage Conditional Access, which can be abused to lower the security of Tier Zero or prevent the operability of Tier Zero. The role is therefore considered Tier Zero.;YES;N/A;3;https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#security-administrator -Intune Administrator;Entra ID role;Entra ID;Template ID: 3a2c62db-5318-420d-8d74-23affee5d9d5;"This is a privileged role. Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. For more information, see Role-based administration control (RBAC) with Microsoft Intune. - -This role can create and manage all security groups. However, Intune Administrator does not have admin rights over Office groups. That means the admin cannot update owners or memberships of all Office groups in the organization. However, he/she can manage the Office group that he creates which comes as a part of his/her end-user privileges. So, any Office group (not security group) that he/she creates should be counted against his/her quota of 250.";YES - Disruption;YES - Takeover;YES;The Intune Administrator role has permission to execute scripts locally on Entra-managed devices. The role has therefore a potential attack path to Tier Zero through Entra-managed devices used by Tier Zero principals. Furthermore, the Intune Administrator role can manage Conditional Access, which can be abused to lower the security of Tier Zero or prevent the operability of Tier Zero. The role is therefore considered Tier Zero.;YES;N/A;3;https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#intune-administrator -Knowledge Administrator;Entra ID role;Entra ID;Template ID: b5a8dcf3-09d5-43a9-a639-8e29ef291470;Users in this role have full access to all knowledge, learning and intelligent features settings in the Microsoft 365 admin center. They have a general understanding of the suite of products, licensing details and have responsibility to control access. Knowledge Administrator can create and manage content, like topics, acronyms and learning resources. Additionally, these users can create content centers, monitor service health, and create service requests.;NO;YES - Takeover;IT DEPENDS;The Knowledge Administrator role can control non-role-assignable groups. If any non-role-assignable group has compromising permissions over a Tier Zero asset (e.g. Contributor on a domain controller Azure VM), then the Knowledge Administrator role can add arbitrary principals to the given group and compromise Tier Zero. If no non-role-assignable group has compromising permissions over a Tier Zero asset, then there is no attack path to Tier Zero from the Knowledge Administrator role. It therefore depends on the usage of non-role-assignable groups whether the role should be considered Tier Zero.;NO;N/A;3;https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#knowledge-administrator -Application Administrator;Entra ID role;Entra ID;Template ID: 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3;"This is a privileged role. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications. - -This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Microsoft Graph. - -Important: This exception means that you can still consent to application permissions for other apps (for example, non-Microsoft apps or apps that you have registered). You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires a more privileged administrator, such as Global Administrator. - -This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application’s identity.";NO;YES - Takeover;IT DEPENDS;The Application Administrator role can control tenant-resident apps. This includes creating new credentials for apps, which can be used to authenticate the tenant as the app’s service principal and abuse the service principal privileges. The role is therefore considered Tier Zero if the tenant contains any Tier Zero service principals.;YES;N/A;3;https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#application-administrator