Security Templates
This section contains templates for detecting and preventing various security threats.
Ransomware Protection
The Ransomware folder contains the following templates:
Template | Description | Tags |
---|---|---|
Ransomware Extensions | Ransomware is malware that systematically encrypts files on a user's system and demands payment to get the data back. This policy detects the creation of files carrying the extensions that ransomware gives to the data it encrypts, and triggers an alert. | None |
Ransomware Instructions | Ransomware is malware that systematically encrypts files on a user's system and demands payment to get the data back. This policy detects the creation of the ransom-note (payment instruction) file that a ransomware attack drops, and triggers an alert. | None |
Domain Persistence Protection
The Domain Persistence folder contains the following templates:
Template | Description | Tags |
---|---|---|
AD: AdminSDHolder Monitoring | AdminSDHolder is an object in the System container of the domain partition (CN=AdminSDHolder,CN=System,DC=domain,DC=com) that serves as the security template for members of certain privileged (protected) groups. Members of these groups are enumerated, and any object whose security descriptor does not match the AdminSDHolder ACL is flagged for updating. The Security Descriptor Propagator (SDProp) runs every 60 minutes by default on the PDC Emulator and re-stamps each such object's Access Control List (ACL) with the permissions set on AdminSDHolder. Altering AdminSDHolder is therefore an effective persistence technique: an attacker who adds a permission to it gains the ability to modify the most privileged groups and accounts in Active Directory, and SDProp re-applies that permission even if it is removed from a protected group or account. This policy detects changes to the AdminSDHolder object. | NEW 5.1 TEMPLATES, Domain Persistence, Privileged Accounts, Privilege Escalation, AD Security, Unauthorized changes |
AD: Group Policy Objects Security Monitoring | Use this policy to specify a list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | NEW 5.1 TEMPLATES, GPO Security, AD Security, Unauthorized changes |
DCShadow detection | Detects when a Service Principal Name (SPN) beginning with GC/ (the Global Catalog service class) is added to a computer object that is not a domain controller. DCShadow registers the attacker's machine as a rogue domain controller, and adding such an SPN is part of that registration. | NEW 5.1 TEMPLATES |
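Both checks in this table can be run as point-in-time audits from PowerShell. The script below is an added example written for this page, not the product's own template logic. It assumes the RSAT ActiveDirectory module (which also provides the AD: drive that Get-Acl reads), a baseline file under ProgramData, and a watch list of "sensitive" rights; all three are assumptions to adjust for your forest.

```powershell
# Added example, not the product's own template code. Needs the RSAT ActiveDirectory module
# and an account that can read the directory. The baseline file location, the sensitive-rights
# list and the single-domain scope are assumptions to adjust for your environment.
Import-Module ActiveDirectory

# ---- AdminSDHolder: snapshot the ACL once, then diff every later run against it ----

function Get-AdminSDHolderAces {
    $domain = Get-ADDomain
    $dn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn"
    # Flatten each ACE to one line so snapshots can be compared with Compare-Object.
    foreach ($ace in $acl.Access) {
        $parts = @($ace.IdentityReference.Value, $ace.AccessControlType, $ace.ActiveDirectoryRights,
                   $ace.ObjectType, $ace.InheritedObjectType, $ace.IsInherited)
        $parts -join '|'
    }
}

function Save-AdminSDHolderBaseline {
    param([string]$Path = "$env:ProgramData\AdminSDHolder.baseline.txt")  # assumed location
    Get-AdminSDHolderAces | Sort-Object | Set-Content -Path $Path
}

function Test-AdminSDHolderDrift {
    param(
        [string]$Path = "$env:ProgramData\AdminSDHolder.baseline.txt",
        # Rights that hand a trustee outright control of every protected object (assumed list).
        [string[]]$SensitiveRights = @('GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite')
    )
    if (-not (Test-Path -Path $Path)) {
        throw "No baseline at $Path; run Save-AdminSDHolderBaseline on a known-good domain first."
    }
    $baseline = @(Get-Content -Path $Path)
    $current  = @(Get-AdminSDHolderAces)
    # SideIndicator '=>' marks ACEs present now that were absent from the baseline.
    $added = Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object -ExpandProperty InputObject
    foreach ($line in $added) {
        $fields = $line -split '\|'
        $rights = $fields[2] -split ',\s*'
        [pscustomobject]@{
            Trustee  = $fields[0]
            Type     = $fields[1]
            Rights   = $fields[2]
            # An Allow ACE carrying a takeover right is the classic AdminSDHolder persistence ACE;
            # SDProp stamps it onto every protected account on its next run.
            HighRisk = ($fields[1] -eq 'Allow') -and
                       [bool]($rights | Where-Object { $SensitiveRights -contains $_ })
            Ace      = $line
        }
    }
}

# ---- DCShadow: GC/ SPNs belong only on domain controllers ----

function Find-NonDcGlobalCatalogSpn {
    # Get-ADDomainController -Filter * lists only the current domain's DCs; in a multi-domain
    # forest run this once per domain (or pass -Server) so foreign DCs are not misreported.
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
    Get-ADComputer -LDAPFilter '(servicePrincipalName=GC/*)' -Properties servicePrincipalName |
        Where-Object { $dcDns -notcontains $_.DistinguishedName } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $_.Name
                DN       = $_.DistinguishedName
                GcSpns   = @($_.servicePrincipalName | Where-Object { $_ -like 'GC/*' })
            }
        }
}

# First run, on a known-good domain:  Save-AdminSDHolderBaseline
# Scheduled runs:
#   Test-AdminSDHolderDrift | Format-Table Trustee, Type, Rights, HighRisk
#   Find-NonDcGlobalCatalogSpn | Format-Table Computer, DN, GcSpns
```

Both functions are sweeps, not the real-time blocking the templates provide. A real-time equivalent would enable Directory Service Changes auditing and watch event 5136 (a directory service object was modified) for writes to nTSecurityDescriptor on AdminSDHolder and to servicePrincipalName on computer objects. Diffing AdminSDHolder itself is the cheapest place to catch the change; by the time SDProp has re-stamped the protected accounts, the rogue ACE is already on all of them.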
Privilege Escalation Protection
The Privilege Escalation folder contains the following templates:
Template | Description | Tags |
---|---|---|
AD: Administrator Escalation | Indicates that an unprivileged account's ACLs have been changed to a value that lets it obtain administrative privileges, directly or transitively. | NEW 5.1 TEMPLATES, Privileged Accounts, Privilege Escalation, AD Security, Unauthorized changes |
AD: Modifications of Administrator Accounts | Uses the built-in Administrator Accounts – Objects Collection. Add the accounts with administrative rights that should be monitored to this collection. | NEW 5.1 TEMPLATES, Privileged Accounts, Privilege Escalation, AD Security, Unauthorized changes |
AD: SID History Tampering | SID History is an attribute that supports migration scenarios. Every account has a Security Identifier (SID) that identifies the security principal and determines the access the account has when connecting to resources. SID History lets one account's access effectively be cloned onto another, which ensures users keep their access when they are migrated from one domain to another: because the SID changes when the new account is created, the old SID must be mapped to the new one. When a user in Domain A is migrated to Domain B, a new account is created in Domain B and the Domain A user's SID is added to the Domain B account's SID History attribute, so the Domain B user can still access resources in Domain A. A legitimate migration never places a SID from the account's own domain into SID History, so to detect SID History escalation this policy monitors users that have data in the SID History attribute and flags those whose SID History contains SIDs from the same domain. | NEW 5.1 TEMPLATES, Privileged Accounts, Privilege Escalation, Persistence, AD Security, Unauthorized changes |
Ntds.dit File Hijacking | Protects the Ntds.dit file, which holds the Active Directory database, from being stolen. Attackers can use a Volume Shadow Copy to copy the file while the directory service holds it open; this policy prevents and logs such activity according to its configuration. | NEW 5.2 TEMPLATES, Privileged Accounts, Privilege Escalation, Persistence, AD Security, Unauthorized changes |
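The same-domain rule in the SID History description can be written as a small classifier and then run over every user that carries a SID History. The script below is an added example, not the product's template; the directory query assumes the RSAT ActiveDirectory module, and the privileged-RID watch list (512, 518, 519) and the constructed sample SIDs are assumptions for illustration. It goes one step beyond the table: it also flags privileged-group SIDs from other domains, which grant administrative rights in the trusting domain when SID filtering is disabled.

```powershell
# Added example, not the product's own template code. The classification rules and the
# privileged-RID watch list are assumptions; only Find-SuspiciousSidHistory needs the
# RSAT ActiveDirectory module, so the classifier and the sample run below work offline.

function Test-SidHistoryEntry {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$DomainSid,
        # Well-known RIDs that confer administrative control wherever the SID is honoured:
        # 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins (assumed watch list).
        [int[]]$PrivilegedRids = @(512, 518, 519)
    )
    $reasons = @()
    # A migration copies a SID from the *old* domain. A SID whose domain part equals the
    # account's current domain can only have been written into the attribute directly.
    if ($Sid.AccountDomainSid -and $Sid.AccountDomainSid.Equals($DomainSid)) {
        $reasons += 'SameDomainSid'
    }
    # The RID is the last sub-authority of a domain SID (S-1-5-21-<domain>-<RID>).
    $rid = [int](($Sid.Value -split '-')[-1])
    if ($Sid.AccountDomainSid -and $PrivilegedRids -contains $rid) {
        $reasons += 'PrivilegedGroupRid'
    }
    return $reasons
}

function Find-SuspiciousSidHistory {
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainSid = (Get-ADDomain).DomainSID
    # Users only; computers and groups can carry sIDHistory too, so swap in Get-ADObject
    # with the same LDAP filter to cover every object class.
    Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            $user = $_
            foreach ($sid in $user.sIDHistory) {
                $reasons = @(Test-SidHistoryEntry -Sid $sid -DomainSid $domainSid)
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        User       = $user.SamAccountName
                        HistorySid = $sid.Value
                        Reasons    = ($reasons -join ',')
                    }
                }
            }
        }
}

# Constructed sample, not real data: the account's own domain is S-1-5-21-1000-2000-3000.
$demoDomain = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1000-2000-3000'
$samples = @(
    'S-1-5-21-4000-5000-6000-1105',   # ordinary user migrated from another domain
    'S-1-5-21-1000-2000-3000-1105',   # a SID from the account's own domain
    'S-1-5-21-4000-5000-6000-512',    # Domain Admins of a trusted domain
    'S-1-5-21-1000-2000-3000-512'     # Domain Admins of the account's own domain
)
foreach ($s in $samples) {
    $sid = [System.Security.Principal.SecurityIdentifier]$s
    '{0,-34} {1}' -f $s, ((Test-SidHistoryEntry -Sid $sid -DomainSid $demoDomain) -join ',')
}

# Against a live domain:  Find-SuspiciousSidHistory | Format-Table User, HistorySid, Reasons
```

The classifier is deliberately separate from the directory query so the rules can be unit-tested against constructed SIDs and reused on exported data. Writes to sIDHistory are also visible in event 5136 when Directory Service Changes auditing is enabled on user objects, which gives the real-time signal the template relies on rather than a periodic sweep.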