You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
| Non-Owner Logon Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Specify the Exchange Mailboxes and Containers to lockdown. Optionally, add Exchange Perpetrators to be allowed or denied. | None |
25
+
| Non-Owner Logon Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Specify the Exchange Mailboxes and Containers to lockdown. Optionally, add Exchange Perpetrators to be allowed or denied. | None |
| File Owner Changes | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | None |
32
-
| File System Monitoring | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded. Reads are left out due to the potential high volume of data that could be gathered; recommended only for highly sensitive content. | None |
| File Owner Changes | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | None |
32
+
| File System Monitoring | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded. <br />Reads are left out due to the potential high volume of data that could be gathered; recommended only for highly sensitive content. | None |
33
33
34
34
Object Lockdown Folder
35
35
36
36
**CAUTION:** Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
| AD Object Permissions Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Object Permissions - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
42
-
| AD Root Object Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Root Object - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
43
-
| Critical GPO Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Critical GPO - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired GPOs to protect. | None |
44
-
| DNS Record Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “DNS Records - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, and fill in the built-in collection. | None |
45
-
| Group Lockdown of Delete, Move, Rename, and Membership Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Group Lockdown - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Groups to protect. | None |
46
-
| Group, User, and OU Lockdown of Delete, Move, and Rename Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Group User OU Object Delete and Move - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
47
-
| OU Structure Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “OU Structure - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired OUs to protect. | None |
48
-
| User Lockdown of Delete, Move, Rename and Modify Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “User Lockdown - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, and fill in the built-in Allow Lockdown Perpetrator Collection, and add the desired Users to protect. | None |
| AD Object Permissions Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Utilizes the built-in “Object Permissions - Allow Perpetrators” – Lockdown Perpetrators Collection. <br />Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
42
+
| AD Root Object Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Utilizes the built-in “Root Object - Allow Perpetrators” – Lockdown Perpetrators Collection. <br />Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
43
+
| Critical GPO Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Utilizes the built-in “Critical GPO - Allow Perpetrators” – Lockdown Perpetrators Collection. <br />Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired GPOs to protect. | None |
44
+
| DNS Record Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Utilizes the built-in “DNS Records - Allow Perpetrators” – Lockdown Perpetrators Collection. <br />Change the AD Perpetrator tab to ALLOW instead of BLOCK, and fill in the built-in collection. | None |
45
+
| Group Lockdown of Delete, Move, Rename, and Membership Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Utilizes the built-in “Group Lockdown - Allow Perpetrators” – Lockdown Perpetrators Collection. <br />Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Groups to protect. | None |
46
+
| Group, User, and OU Lockdown of Delete, Move, and Rename Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Utilizes the built-in “Group User OU Object Delete and Move - Allow Perpetrators” – Lockdown Perpetrators Collection. <br />Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
47
+
| OU Structure Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Utilizes the built-in “OU Structure - >Allow Perpetrators” – Lockdown Perpetrators Collection. <br />Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired OUs to protect. | None |
48
+
| User Lockdown of Delete, Move, Rename and Modify Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Utilizes the built-in “User Lockdown - Allow Perpetrators” – Lockdown Perpetrators Collection. <br />Change the AD Perpetrator tab to ALLOW instead of BLOCK, and fill in the built-in Allow Lockdown Perpetrator Collection, and add the desired Users to protect. | None |
| AD: AdminSDHolder Monitoring | AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. Altering AdminSDHolder is an effective method for an attacker to persist granting the ability to modify the most privileged groups in Active Directory by leveraging a key security component. Even if the permissions are changed on a protected group. | - NEW 5.1 TEMPLATES - Domain Persistence - Privileged Accounts - Privilege Escalation - AD Security - Unauthorized changes |
14
-
| AD: Group Policy Objects Security Monitoring | Use this policy to specify a list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. Specify the list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | - NEW 5.1 TEMPLATES - GPO Security - AD Security - Unauthorized changes |
15
-
| DCShadow detection | This policy will detect when a non-DC adds a SPN value to any computer starting with GC/ for the global catalog service. | - NEW 5.1 TEMPLATES |
| AD: AdminSDHolder Monitoring | AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. Altering AdminSDHolder is an effective method for an attacker to persist granting the ability to modify the most privileged groups in Active Directory by leveraging a key security component. Even if the permissions are changed on a protected group. | <ul><li>NEW 5.1 TEMPLATES</li><li>Domain Persistence</li><li>Privileged Accounts</li><li>Privilege Escalation</li><li>AD Security</li><li>Unauthorized changes</li></ul> |
14
+
| AD: Group Policy Objects Security Monitoring | Use this policy to specify a list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. Specify the list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | <ul><li>NEW 5.1 TEMPLATES</li><li>GPO Security</li><li>AD Security</li><li>Unauthorized changes</li></ul> |
15
+
| DCShadow detection | This policy will detect when a non-DC adds a SPN value to any computer starting with GC/ for the global catalog service. | <ul><li>NEW 5.1 TEMPLATES</li></ul> |
0 commit comments