10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.
Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:
These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders:
NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of malicious actors exploiting the identified misconfigurations.
NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including:
Download the PDF version of this report: PDF, 660 KB
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13, and the MITRE D3FEND™ cybersecurity countermeasures framework.[4],[5] See the Appendix: MITRE ATT&CK tactics and techniques section for tables summarizing the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques, and the Mitigations section for MITRE D3FEND countermeasures.
For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.[6],[7]
Over the years, the following NSA and CISA teams have assessed the security posture of many network enclaves across the Department of Defense (DoD); Federal Civilian Executive Branch (FCEB); state, local, tribal, and territorial (SLTT) governments; and the private sector:
During these assessments, NSA and CISA identified the 10 most common network misconfigurations, which are detailed below. These misconfigurations (non-prioritized) are systemic weaknesses across many networks.
Many of the assessments were of Microsoft® Windows® and Active Directory® environments. This advisory provides details about, and mitigations for, specific issues found during these assessments, and so mostly focuses on these products. However, it should be noted that many other environments contain similar misconfigurations. Network owners and operators should examine their networks for similar misconfigurations even when running other software not specifically mentioned below.
Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include:
Many software manufacturers release commercial off-the-shelf (COTS) network devices —which provide user access via applications or web portals—containing predefined default credentials for their built-in administrative accounts.[9] Malicious actors and assessment teams regularly abuse default credentials by:
In addition to devices that provide network access, printers, scanners, security cameras, conference room audiovisual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may have privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device and compromise the domain [T1078.002].
Certain services may have overly permissive access controls or vulnerable configurations by default. Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them.
Assessment teams regularly find the following:
Active Directory Certificate Services (ADCS) is a feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of Active Directory (AD) environments. ADCS templates are used to build certificates for different types of servers and other entities on an organization’s network.
Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges. These certificates and domain escalation paths may grant actors unauthorized, persistent access to systems and critical data, the ability to impersonate legitimate entities, and the ability to bypass security measures.
Assessment teams have observed organizations with the following misconfigurations:
subjectAltName
in the certificate signing request [CSR], not requiring authorized signatures for CSRs, granting FullControl
or WriteDacl
permissions to users). Malicious actors can use a low-privileged user account to request a certificate with a particular Subject Alternative Name (SAN) and gain a certificate where the SAN matches the User Principal Name (UPN) of a privileged account.Note: For more information on known escalation paths, including PetitPotam NTLM relay techniques, see: Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints and Certified Pre-Owned, Active Directory Certificate Services.[10],[11],[12]
Many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning, and relay techniques [T1557.001] to obtain domain hashes, system access, and potential administrative system sessions. Malicious actors frequently exploit these protocols to compromise entire Windows’ environments.
Malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one. If the requested system requires identification/authentication, the target computer will send the user’s username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plain text password [T1110.002].
The Server Message Block service is a Windows component primarily for file sharing. Its default configuration, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. If SMB servers do not enforce SMB signing, malicious actors can use machine-in-the-middle techniques, such as NTLM relay. Further, malicious actors can combine a lack of SMB signing with the name resolution poisoning issue (see above) to gain access to remote systems [T1021.002] without needing to capture and crack any hashes.
Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures.
Assessment teams have observed the following common account separation misconfigurations:
Account privileges are intended to control user access to host or application resources to limit access to sensitive information or enforce a least-privilege security model. When account privileges are overly permissive, users can see and/or do things they should not be able to, which becomes a security issue as it increases risk exposure and attack surface.
Expanding organizations can undergo numerous changes in account management, personnel, and access requirements. These changes commonly lead to privilege creep—the granting of excessive access and unnecessary account privileges. Through the analysis of topical and nested AD groups, a malicious actor can find a user account [T1078] that has been granted account privileges that exceed their need-to-know or least-privilege function. Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain.
Applications often operate using user accounts to access resources. These user accounts, which are known as service accounts, often require elevated privileges. When a malicious actor compromises an application or service using a service account, they will have the same privileges and access as the service account.
Malicious actors can exploit elevated service permissions within a domain to gain unauthorized access and control over critical systems. Service accounts are enticing targets for malicious actors because such accounts are often granted elevated permissions within the domain due to the nature of the service, and because access to use the service can be requested by any valid domain user. Due to these factors, kerberoasting—a form of credential access achieved by cracking service account credentials—is a common technique used to gain control over service account targets [T1558.003].
IT personnel use domain administrator and other administrator accounts for system and network management due to their inherent elevated privileges. When an administrator account is logged into a compromised host, a malicious actor can steal and use the account’s credentials and an AD-generated authentication token [T1528] to move, using the elevated permissions, throughout the domain [T1550.001]. Using an elevated account for normal day-to-day, non-administrative tasks increases the account’s exposure and, therefore, its risk of compromise and its risk to the network.
Malicious actors prioritize obtaining valid domain credentials upon gaining access to a network. Authentication using valid domain credentials allows the execution of secondary enumeration techniques to gain visibility into the target domain and AD structure, including discovery of elevated accounts and where the elevated accounts are used [T1087].
Targeting elevated accounts (such as domain administrator or system administrators) performing day-to-day activities provides the most direct path to achieve domain escalation. Systems or applications accessed by the targeted elevated accounts significantly increase the attack surface available to adversaries, providing additional paths and escalation options.
After obtaining initial access via an account with administrative permissions, an assessment team compromised a domain in under a business day. The team first gained initial access to the system through phishing [T1566], by which they enticed the end user to download [T1204] and execute malicious payloads. The targeted end-user account had administrative permissions, enabling the team to quickly compromise the entire domain.
Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.
Assessment teams have exploited insufficient monitoring to gain access to assessed networks. For example:
Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.
Lack of segmentation between IT and operational technology (OT) environments places OT environments at risk. For example, assessment teams have often gained access to OT networks—despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network—by finding special purpose, forgotten, or even accidental network connections [T1199].
Vendors release patches and updates to address security vulnerabilities. Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes:
Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Due to their ease of discovery—via vulnerability scanning [T1595.002] and open source research [T1592]—and exploitation, these systems are immediate targets for adversaries. Allowing critical vulnerabilities to remain on production systems without applying their corresponding patches significantly increases the attack surface. Organizations should prioritize patching known exploited vulnerabilities in their environments.[2]
Assessment teams have observed threat actors exploiting many CVEs in public-facing applications [T1190], including:
Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched. Malicious actors can exploit vulnerabilities in these systems to gain unauthorized access, compromise sensitive data, and disrupt operations [T1210].
Assessment teams frequently observe organizations using unsupported Windows operating systems without updates MS17-010 and MS08-67. These updates, released years ago, address critical remote code execution vulnerabilities.[17],[18]
A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH) [T1550.002]. By mimicking accounts without the clear-text password, an actor can expand and fortify their access without detection. Kerberoasting is also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network.
Some networks (generally government or DoD networks) require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used—because the smart card or token is required instead—there is still a password hash for the account that can be used as an alternative credential for authentication. If the password hash never changes, once a malicious actor has an account’s password hash [T1111], the actor can use it indefinitely, via the PtH technique for as long as that account exists.
Some forms of MFA are vulnerable to phishing, “push bombing” [T1621], exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or “SIM swap” techniques. These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems. (See CISA’s Fact Sheet Implementing Phishing-Resistant MFA for more information.)[3]
For example, assessment teams have used voice phishing to convince users to provide missing MFA information [T1598]. In one instance, an assessment team knew a user’s main credentials, but their login attempts were blocked by MFA requirements. The team then masqueraded as IT staff and convinced the user to provide the MFA code over the phone, allowing the team to complete their login attempt and gain access to the user’s email and other organizational resources.
Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives.
Actors can use commands, open source tools, or custom malware to look for shared folders and drives [T1135].
net share
command—which displays information about shared resources on the local computer—and the ntfsinfo
command to search network shares on compromised computers. In the same compromise, the actors used a custom tool, CovalentStealer, which is designed to identify file shares on a system, categorize the files [T1083], and upload the files to a remote server [TA0010].[19],[20]netscan.exe
—which can ping computers [T1018], scan ports [T1046], and discover shared folders—and SharpShares to enumerate accessible network shares in a domain.[21],[22]Malicious actors can then collect and exfiltrate the data from the shared drives and folders. They can then use the data for a variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. Assessment teams routinely find sensitive information on network shares [T1039] that could facilitate follow-on activity or provide opportunities for extortion. Teams regularly find drives containing cleartext credentials [T1552] for service accounts, web applications, and even domain administrators.
Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network’s topology, service tickets, or vulnerability scan data. In addition, teams regularly identify sensitive data and PII on shared drives (e.g., scanned documents, social security numbers, and tax returns) that could be used for extortion or social engineering of the organization or individuals.
Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes:
Easily crackable passwords are passwords that a malicious actor can guess within a short time using relatively inexpensive computing resources. The presence of easily crackable passwords on a network generally stems from a lack of password length (i.e., shorter than 15 characters) and randomness (i.e., is not unique or can be guessed). This is often due to lax requirements for passwords in organizational policies and user training. A policy that only requires short and simple passwords leaves user passwords susceptible to password cracking. Organizations should provide or allow employee use of password managers to enable the generation and easy use of secure, random passwords for each account.
Often, when a credential is obtained, it is a hash (one-way encryption) of the password and not the password itself. Although some hashes can be used directly with PtH techniques, many hashes need to be cracked to obtain usable credentials. The cracking process takes the captured hash of the user’s plaintext password and leverages dictionary wordlists and rulesets, often using a database of billions of previously compromised passwords, in an attempt to find the matching plaintext password [T1110.002].
One of the primary ways to crack passwords is with the open source tool, Hashcat, combined with password lists obtained from publicly released password breaches. Once a malicious actor has access to a plaintext password, they are usually limited only by the account’s permissions. In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far.
Assessment teams have cracked password hashes for NTLM users, Kerberos service account tickets, NetNTLMv2, and PFX stores [T1555], enabling the team to elevate privileges and move laterally within networks. In 12 hours, one team cracked over 80% of all users’ passwords in an Active Directory, resulting in hundreds of valid credentials.
Storing passwords in cleartext is a serious security risk. A malicious actor with access to files containing cleartext passwords [T1552.001] could use these credentials to log into the affected applications or systems under the guise of a legitimate user. Accountability is lost in this situation as any system logs would record valid user accounts accessing applications or systems.
Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining cleartext passwords. Assessment teams frequently discover cleartext passwords, allowing them to quickly escalate the emulated intrusion from the compromise of a regular domain user account to that of a privileged account, such as a Domain or Enterprise Administrator. A common tool used for locating cleartext passwords is the open source tool, Snaffler.[23]
If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.
Malicious actors often execute code after gaining initial access to a system. For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network.
Assessment teams and malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) [T1059.005] to establish initial access, persistence, and lateral movement. In addition, actors often use scripting languages [T1059] to obscure their actions [T1027.010] and bypass allowlisting—where organizations restrict applications and other forms of code by default and only allow those that are known and trusted. Further, actors may load vulnerable drivers and then exploit the drivers’ known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device [T1068].
NSA and CISA recommend network defenders implement the recommendations that follow to mitigate the issues identified in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) as well as with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks.
The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.[24]
Table 1: Recommendations for Network Defenders to Mitigate Default Configurations of Software and Applications
Misconfiguration
|
Recommendations for Network Defenders
—|—
Default configurations of software and applications
|
Default configurations of software and applications: Default Credentials
|
Default service permissions and configuration settings: Insecure Active Directory Certificate Services
|
altSecurityIdentities
attribute for explicit mapping of certificates to accounts more securely.[34]CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
flag from templates to prevent users from supplying and editing sensitive security settings within these templates. Enforce manager approval for requested certificates. Remove FullControl
, WriteDacl
, and Write
property permissions from low-privileged groups, such as domain users, to certificate template objects.Default service permissions and configuration settings: Insecure legacy protocols/services
|
Default service permissions and configuration settings: Insecure SMB service
|
Table 2: Recommendations for Network Defenders to Mitigate Improper Separation of User/Administrator Privilege
Misconfiguration
|
Recommendations for Network Defenders
—|—
Improper separation of user/administrator privilege:
Excessive account privileges,
Elevated service account permissions, and
Non-essential use of elevated accounts
|
Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform, and review logs of user actions to detect unauthorized use and abuse. Apply least privilege principles to user accounts and groups allowing only the performance of authorized actions.
Audit user accountsand remove those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.
Restrict use of privileged accounts to perform general tasks, such as accessing emails and browsing the Internet [CPG 2.E],[D3-UAP]. See NSA Cybersecurity Information Sheet (CSI) Defend Privileges and Accounts for more information.[37]
Limit the number of users within the organization with an identity and access management (IAM) role that has administrator privileges. Strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies.
Implement time-based access for privileged accounts. For example, the just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. In cloud environments, just-in-time elevation is also appropriate and may be implemented using per-session federated claims or privileged access management tools.
Restrict domain users from being in the local administrator group on multiple systems.
Run daemonized applications (services) with non-administrator accounts when possible.
Only configure service accounts with the permissions necessary for the services they control to operate.
Disable unused services and implement ACLs to protect services.
Table 3: Recommendations for Network Defenders to Mitigate Insufficient Internal Network Monitoring
Misconfiguration
|
Recommendations for Network Defenders
—|—
Insufficient internal network monitoring
|
Table 4: Recommendations for Network Defenders to Mitigate Lack of Network Segmentation
Misconfiguration
|
Recommendations for Network Defenders
—|—
Lack of network segmentation
|
Table 5: Recommendations for Network Defenders to Mitigate Poor Patch Management
Misconfiguration
|
Recommendations for Network Defenders
—|—
Poor patch management: Lack of regular patching
|
Poor patch management: Use of unsupported OSs and outdated firmware
|
Table 6: Recommendations for Network Defenders to Mitigate Bypass of System Access Controls
Misconfiguration
|
Recommendations for Network Defenders
—|—
Bypass of system access controls
|
Table 7: Recommendations for Network Defenders to Mitigate Weak or Misconfigured MFA Methods
Misconfiguration
|
Recommendations for Network Defenders
—|—
Weak or misconfigured MFA methods: Misconfigured smart cards or tokens
|
Weak or misconfigured MFA methods: Lack of phishing-resistant MFA
|
Table 8: Recommendations for Network Defenders to Mitigate Insufficient ACLs on Network Shares and Services
Misconfiguration
|
Recommendations for Network Defenders
—|—
Insufficient ACLs on network shares and services
|
Table 9: Recommendations for Network Defenders to Mitigate Poor Credential Hygiene
Misconfiguration
|
Recommendations for Network Defenders
—|—
Poor credential hygiene: easily crackable passwords
|
Poor credential hygiene: cleartext password disclosure
|
Table 10: Recommendations for Network Defenders to Mitigate Unrestricted Code Execution
Misconfiguration
|
Recommendations for Network Defenders
—|—
Unrestricted code execution
|
NSA and CISA recommend software manufacturers implement the recommendations in Table 11 to reduce the prevalence of misconfigurations identified in this advisory. These mitigations align with tactics provided in joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. NSA and CISA strongly encourage software manufacturers apply these recommendations to ensure their products are secure “out of the box” and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure.[1]
Table 11: Recommendations for Software Manufacturers to Mitigate Identified Misconfigurations
Misconfiguration
|
Recommendations for Software Manufacturers
—|—
Default configurations of software and applications
|
Default configurations of software and applications: Default credentials
|
Default configurations of software and applications: Default service permissions and configuration settings
|
Improper separation of user/administrator privilege:
Excessive account privileges,
Elevated service account permissions, and
Non-essential use of elevated accounts
|
Design products so that the compromise of a single security control does not result in compromise of the entire system. For example, ensuring that user privileges are narrowly provisioned by default and ACLs are employed can reduce the impact of a compromised account. Also, software sandboxing techniques can quarantine a vulnerability to limit compromise of an entire application.
Automatically generate reports for: ***Administrators of inactive accounts. **Prompt administrators to set a maximum inactive time and automatically suspend accounts that exceed that threshold.
Automatically alert administrators of infrequently used servicesand provide recommendations for disabling them or implementing ACLs.
Insufficient internal network monitoring
|
Lack of network segmentation
|
Poor patch management: Lack of regular patching
|
Poor patch management: Use of unsupported operating OSs and outdated firmware
|
Bypass of system access controls
|
Weak or Misconfigured MFA Methods: Misconfigured Smart Cards or Tokens
|
Weak or Misconfigured MFA Methods: Lack of phishing-resistant MFA
|
Insufficient ACL on network shares and services
|
Poor credential hygiene: easily crackable passwords
|
Poor credential hygiene: cleartext password disclosure
|
Unrestricted code execution
|
In addition to applying mitigations, NSA and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. NSA and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The misconfigurations described above are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations above properly to protect the network, its sensitive information, and critical missions.
[1] Joint Guide: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (2023), <https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf>
[2] CISA, Known Exploited Vulnerabilities Catalog, <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
[3] CISA, Implementing Phishing-Resistant MFA, https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
[4] MITRE, ATT&CK for Enterprise, <https://attack.mitre.org/versions/v13/matrices/enterprise/>
[5] MITRE, D3FEND, <https://d3fend.mitre.org/>
[6] CISA, Best Practices for MITRE ATT&CK Mapping, <https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping>
[7] CISA, Decider Tool, <https://github.com/cisagov/Decider/>
[8] CISA, Cyber Assessment Fact Sheet, https://www.cisa.gov/sites/default/files/publications/VM_Assessments_Fact_Sheet_RVA_508C.pdf
[9] Joint CSA: Weak Security Controls and Practices Routinely Exploited for Initial Access, <https://media.defense.gov/2022/May/17/2002998718/-1/-1/0/CSA_WEAK_SECURITY_CONTROLS_PRACTICES_EXPLOITED_FOR_INITIAL_ACCESS.PDF>
[10] Microsoft KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), <https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>
[11] Raj Chandel, Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints, <https://www.hackingarticles.in/domain-escalation-petitpotam-ntlm-relay-to-adcs-endpoints/>
[12] SpecterOps - Will Schroeder, Certified Pre-Owned, <https://posts.specterops.io/certified-pre-owned-d95910965cd2>
[13] CISA, CSA: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a>
[14] Joint CSA: Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a>
[15] Joint CSA: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a>
[16] Joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a>
[17] Microsoft, How to verify that MS17-010 is installed, <https://support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8>
[18] Microsoft, Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644), <https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067>
[19] Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a>
[20] CISA, Malware Analysis Report: 10365227.r1.v1, https://www.cisa.gov/sites/default/files/2023-06/mar-10365227.r1.v1.clear_.pdf
[21] Joint CSA: #StopRansomware: BianLian Ransomware Group, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a>
[22] CISA Analysis Report: FiveHands Ransomware, <https://www.cisa.gov/news-events/analysis-reports/ar21-126a>
[23] Snaffler, <https://github.com/SnaffCon/Snaffler>
[24] CISA, Cross-Sector Cybersecurity Performance Goals, <https://www.cisa.gov/cross-sector-cybersecurity-performance-goals>
[25] Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs), <https://public.cyber.mil/stigs/>
[26] NSA, Network Infrastructure Security Guide, <https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF>
[27] NSA, Actively Manage Systems and Configurations, <https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively Manage Systems and Configurations.docx - Copy.pdf>
[28] NSA, Cybersecurity Advisories & Guidance, <https://www.nsa.gov/cybersecurity-guidance>
[29] National Institute of Standards and Technologies (NIST), NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management, <https://csrc.nist.gov/pubs/sp/800/63/b/upd2/final>
[30] Microsoft, Uninstall-AdcsWebEnrollment, <https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/uninstall-adcswebenrollment>
[31] Microsoft, KB5021989: Extended Protection for Authentication, <https://support.microsoft.com/en-au/topic/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f>
[32] Microsoft, Network security: Restrict NTLM: NTLM authentication in this domain, <https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain>
[33] Microsoft, Network security: Restrict NTLM: Incoming NTLM traffic, <https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic>
[34] Microsoft, How to disable the Subject Alternative Name for UPN mapping, <https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-subject-alternative-name-upn-mapping>
[35] Microsoft, Overview of Server Message Block signing, <https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing>
[36] Microsoft, SMB signing required by default in Windows Insider, <https://aka.ms/SmbSigningRequired>
[37] NSA, Defend Privileges and Accounts, <https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend Privileges and Accounts - Copy.pdf>
[38] NSA, Advancing Zero Trust Maturity Throughout the User Pillar, <https://media.defense.gov/2023/Mar/14/2003178390/-1/-1/0/CSI_Zero_Trust_User_Pillar_v1.1.PDF>
[39] NSA, Continuously Hunt for Network Intrusions, <https://media.defense.gov/2019/Sep/09/2002180360/-1/-1/0/Continuously Hunt for Network Intrusions - Copy.pdf>
[40] Joint CSI: Detect and Prevent Web Shell Malware, <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>
[41] NSA, Segment Networks and Deploy Application-aware Defenses, <https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment Networks and Deploy Application Aware Defenses - Copy.pdf>
[42] Joint CSA: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems, <https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF>
[43] NSA, Stop Malicious Cyber Activity Against Connected Operational Technology, <https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/0/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF>
[44] NSA, Performing Out-of-Band Network Management, <https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF>
[45] NSA, Update and Upgrade Software Immediately, <https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update and Upgrade Software Immediately.docx - Copy.pdf>
[46] Microsoft, Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management, <https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997>
[47] CISA, Secure Cloud Business Applications Hybrid Identity Solutions Architecture, https://www.cisa.gov/sites/default/files/2023-03/csso-scuba-guidance_document-hybrid_identity_solutions_architecture-2023.03.22-final.pdf
[48] CISA, Secure Cloud Business Applications (SCuBA) Project, <https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project>
[49] NSA, Transition to Multi-factor Authentication, <https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition to Multi-factor Authentication - Copy.pdf>
[50] Committee on National Security Systems (CNSS), CNSS Policy 15, <https://www.cnss.gov/CNSS/issuances/Policies.cfm>
[51] NSA, NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems, <https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/>
[52] NSA, Enforce Signed Software Execution Policies, <https://media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce Signed Software Execution Policies - Copy.pdf>
[53] Joint CSI: Keeping PowerShell: Security Measures to Use and Embrace, <https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF>
[54] NIST, NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, <https://csrc.nist.gov/publications/detail/sp/800-218/final>
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Active Directory, Microsoft, and Windows are registered trademarks of Microsoft Corporation.
MITRE ATT&CK is registered trademark and MITRE D3FEND is a trademark of The MITRE Corporation.
SoftPerfect is a registered trademark of SoftPerfect Proprietary Limited Company.
Telerik is a registered trademark of Progress Software Corporation.
VMware is a registered trademark of VMWare, Inc.
Zimbra is a registered trademark of Synacor, Inc.
This document was developed in furtherance of the authoring cybersecurity organizations’ missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Cybersecurity Report Feedback: [email protected]
General Cybersecurity Inquiries: [email protected]
Defense Industrial Base Inquiries and Cybersecurity Services: [email protected]
Media Inquiries / Press Desk: 443-634-0721, [email protected]
To report suspicious activity contact CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
See Table 12–Table 21 for all referenced threat actor tactics and techniques in this advisory.
Table 12: ATT&CK Techniques for Enterprise – Reconnaissance
Technique Title
|
ID
|
Use
—|—|—
Active Scanning: Vulnerability Scanning
|
|
Malicious actors scan victims for vulnerabilities that be exploited for initial access.
Gather Victim Host Information
|
|
Malicious actors gather information on victim client configurations and/or vulnerabilities through vulnerabilities scans and searching the web.
Gather Victim Identity Information: Credentials
|
|
Malicious actors find default credentials through searching the web.
Phishing for Information
|
|
Malicious actors masquerade as IT staff and convince a target user to provide their MFA code over the phone to gain access to email and other organizational resources.
Table 13: ATT&CK Techniques for Enterprise – Initial Access
Technique Title
|
ID
|
Use
—|—|—
External Remote Services
|
|
Malicious actors use default credentials for VPN access to internal networks.
Valid Accounts: Default Accounts
|
|
Malicious actors gain authenticated access to devices by finding default credentials through searching the web.
Malicious actors use default credentials for VPN access to internal networks, and default administrative credentials to gain access to web applications and databases.
Exploit Public-Facing Application
|
|
Malicious actors exploit CVEs in Telerik UI, VM Horizon, Zimbra Collaboration Suite, and other applications for initial access to victim organizations.
Phishing
|
|
Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads.
Trust Relationship
|
|
Malicious actors gain access to OT networks despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections.
Table 14: ATT&CK Techniques for Enterprise – Execution
Technique Title
|
ID
|
Use
—|—|—
Software Deployment Tools
|
|
Malicious actors use default or captured credentials on software deployment tools to execute code and move laterally.
User Execution
|
|
Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads or to run code on their workstations.
Command and Scripting Interpreter
|
|
Malicious actors use scripting languages to obscure their actions and bypass allowlisting.
Command and Scripting Interpreter: Visual Basic
|
|
Malicious actors use macros for initial access, persistence, and lateral movement.
Table 15: ATT&CK Techniques for Enterprise – Persistence
Technique Title
|
ID
|
Use
—|—|—
Account Manipulation
|
|
Malicious actors reset built-in administrative accounts via predictable, forgotten password questions.
Table 16: ATT&CK Techniques for Enterprise – Privilege Escalation
Technique Title
|
ID
|
Use
—|—|—
Valid Accounts
|
|
Malicious actors analyze topical and nested Active Directory groups to find privileged accounts to target.
Valid Accounts: Domain Accounts
|
|
Malicious actors obtain loaded domain credentials from printers and scanners and use them to move laterally from the network device.
Exploitation for Privilege Escalation
|
|
Malicious actors load vulnerable drivers and then exploit their known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device.
Table 17: ATT&CK Techniques for Enterprise – Defense Evasion
Technique Title
|
ID
|
Use
—|—|—
Obfuscated Files or Information: Command Obfuscation
|
|
Malicious actors often use scripting languages to obscure their actions.
Table 18: ATT&CK Techniques for Enterprise – Credential Access
Technique Title
|
ID
|
Use
—|—|—
Adversary-in-the-Middle
|
|
Malicious actors force a device to communicate through actor-controlled systems, so they can collect information or perform additional actions.
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
|
|
Malicious actors execute spoofing, poisoning, and relay techniques if Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Server Message Block (SMB) services are enabled in a network.
Brute Force: Password Cracking
|
|
Malicious actors capture user hashes and leverage dictionary wordlists and rulesets to extract cleartext passwords.
Credentials from Password Stores
|
|
Malicious actors gain access to and crack credentials from PFX stores, enabling elevation of privileges and lateral movement within networks.
Multi-Factor Authentication Interception
|
|
Malicious actors can obtain password hashes for accounts enabled for MFA with smart codes or tokens and use the hash via PtH techniques.
Multi-Factor Authentication Request Generation
|
|
Malicious actors use “push bombing” against non-phishing resistant MFA to induce “MFA fatigue” in victims, gaining access to MFA authentication credentials or bypassing MFA, and accessing the MFA-protected system.
Steal Application Access Token
|
|
Malicious actors can steal administrator account credentials and the authentication token generated by Active Directory when the account is logged into a compromised host.
Steal or Forge Authentication Certificates
|
|
Unauthenticated malicious actors coerce an ADCS server to authenticate to an actor-controlled server, and then relay that authentication to the web certificate enrollment application to obtain a trusted illegitimate certificate.
Steal or Forge Kerberos Tickets: Golden Ticket
|
|
Malicious actors who have obtained authentication certificates can use the certificate for Active Directory authentication to obtain a Kerberos TGT.
Steal or Forge Kerberos Tickets: Kerberoasting
|
|
Malicious actors obtain and abuse valid Kerberos TGTs to elevate privileges and laterally move throughout an organization’s network.
Unsecured Credentials: Credentials in Files
|
|
Malicious actors find cleartext credentials that organizations or individual users store in spreadsheets, configuration files, and other documents.
Table 19: ATT&CK Techniques for Enterprise – Discovery
Technique Title
|
ID
|
Use
—|—|—
Account Discovery
|
|
Malicious actors with valid domain credentials enumerate the AD to discover elevated accounts and where they are used.
File and Directory Discovery
|
|
Malicious actors use commands, such as net share
, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer to discover and categorize files.
Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining desired information, such as cleartext passwords.
Network Share Discovery
|
|
Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer, to look for shared folders and drives.
Table 20: ATT&CK Techniques for Enterprise – Lateral Movement
Technique Title
|
ID
|
Use
—|—|—
Exploitation of Remote Services
|
|
Malicious actors can exploit OS and firmware vulnerabilities to gain unauthorized network access, compromise sensitive data, and disrupt operations.
Remote Services: SMB/Windows Admin Shares
|
|
If SMB signing is not enforced, malicious actors can use name resolution poisoning to access remote systems.
Use Alternate Authentication Material: Application Access Token
|
|
Malicious actors with stolen administrator account credentials and AD authentication tokens can use them to operate with elevated permissions throughout the domain.
Use Alternate Authentication Material: Pass the Hash
|
|
Malicious actors collect hashes in a network and authenticate as a user without having access to the user’s cleartext password.
Table 21: ATT&CK Techniques for Enterprise – Collection
Technique Title
|
ID
|
Use
—|—|—
Data from Network Shared Drive
|
|
Malicious actors find sensitive information on network shares that could facilitate follow-on activity or provide opportunities for extortion.
aka.ms/SmbSigningRequired
aka.ms/SmbSigningRequired
attack.mitre.org/techniques/T1078/001/
attack.mitre.org/versions/v13/matrices/enterprise/
attack.mitre.org/versions/v13/matrices/enterprise/
attack.mitre.org/versions/v13/mitigations/enterprise/
attack.mitre.org/versions/v13/mitigations/M1013/
attack.mitre.org/versions/v13/mitigations/M1018
attack.mitre.org/versions/v13/mitigations/M1018
attack.mitre.org/versions/v13/mitigations/M1018
attack.mitre.org/versions/v13/mitigations/M1018/
attack.mitre.org/versions/v13/mitigations/M1022
attack.mitre.org/versions/v13/mitigations/M1022
attack.mitre.org/versions/v13/mitigations/M1026
attack.mitre.org/versions/v13/mitigations/M1027
attack.mitre.org/versions/v13/mitigations/M1027
attack.mitre.org/versions/v13/mitigations/M1027
attack.mitre.org/versions/v13/mitigations/M1027
attack.mitre.org/versions/v13/mitigations/M1027/
attack.mitre.org/versions/v13/mitigations/M1030/
attack.mitre.org/versions/v13/mitigations/M1032
attack.mitre.org/versions/v13/mitigations/M1038
attack.mitre.org/versions/v13/mitigations/M1047
attack.mitre.org/versions/v13/mitigations/M1047
attack.mitre.org/versions/v13/mitigations/M1051
attack.mitre.org/versions/v13/mitigations/M1051
attack.mitre.org/versions/v13/mitigations/M1052
attack.mitre.org/versions/v13/tactics/TA0008/
attack.mitre.org/versions/v13/tactics/TA0010/
attack.mitre.org/versions/v13/techniques/T1018/
attack.mitre.org/versions/v13/techniques/T1021/002/
attack.mitre.org/versions/v13/techniques/T1021/002/
attack.mitre.org/versions/v13/techniques/T1027/010/
attack.mitre.org/versions/v13/techniques/T1027/010/
attack.mitre.org/versions/v13/techniques/T1039/
attack.mitre.org/versions/v13/techniques/T1039/
attack.mitre.org/versions/v13/techniques/T1046/
attack.mitre.org/versions/v13/techniques/T1059/
attack.mitre.org/versions/v13/techniques/T1059/
attack.mitre.org/versions/v13/techniques/T1059/005/
attack.mitre.org/versions/v13/techniques/T1059/005/
attack.mitre.org/versions/v13/techniques/T1068/
attack.mitre.org/versions/v13/techniques/T1068/
attack.mitre.org/versions/v13/techniques/T1072/
attack.mitre.org/versions/v13/techniques/T1072/
attack.mitre.org/versions/v13/techniques/T1078/
attack.mitre.org/versions/v13/techniques/T1078/
attack.mitre.org/versions/v13/techniques/T1078/001
attack.mitre.org/versions/v13/techniques/T1078/002/
attack.mitre.org/versions/v13/techniques/T1078/002/
attack.mitre.org/versions/v13/techniques/T1083/
attack.mitre.org/versions/v13/techniques/T1083/
attack.mitre.org/versions/v13/techniques/T1087/
attack.mitre.org/versions/v13/techniques/T1087/
attack.mitre.org/versions/v13/techniques/T1098/
attack.mitre.org/versions/v13/techniques/T1098/
attack.mitre.org/versions/v13/techniques/T1110/002/
attack.mitre.org/versions/v13/techniques/T1110/002/
attack.mitre.org/versions/v13/techniques/T1110/002/
attack.mitre.org/versions/v13/techniques/T1111/
attack.mitre.org/versions/v13/techniques/T1111/
attack.mitre.org/versions/v13/techniques/T1133/
attack.mitre.org/versions/v13/techniques/T1133/
attack.mitre.org/versions/v13/techniques/T1135/
attack.mitre.org/versions/v13/techniques/T1135/
attack.mitre.org/versions/v13/techniques/T1190/
attack.mitre.org/versions/v13/techniques/T1190/
attack.mitre.org/versions/v13/techniques/T1199/
attack.mitre.org/versions/v13/techniques/T1199/
attack.mitre.org/versions/v13/techniques/T1204
attack.mitre.org/versions/v13/techniques/T1204/
attack.mitre.org/versions/v13/techniques/T1210/
attack.mitre.org/versions/v13/techniques/T1210/
attack.mitre.org/versions/v13/techniques/T1528/
attack.mitre.org/versions/v13/techniques/T1528/
attack.mitre.org/versions/v13/techniques/T1550/001/
attack.mitre.org/versions/v13/techniques/T1550/001/
attack.mitre.org/versions/v13/techniques/T1550/002/
attack.mitre.org/versions/v13/techniques/T1550/002/
attack.mitre.org/versions/v13/techniques/T1552/
attack.mitre.org/versions/v13/techniques/T1552/001/
attack.mitre.org/versions/v13/techniques/T1552/001/
attack.mitre.org/versions/v13/techniques/T1555/
attack.mitre.org/versions/v13/techniques/T1555/
attack.mitre.org/versions/v13/techniques/T1557/
attack.mitre.org/versions/v13/techniques/T1557/
attack.mitre.org/versions/v13/techniques/T1557/001/
attack.mitre.org/versions/v13/techniques/T1557/001/
attack.mitre.org/versions/v13/techniques/T1558/001/
attack.mitre.org/versions/v13/techniques/T1558/001/
attack.mitre.org/versions/v13/techniques/T1558/003/
attack.mitre.org/versions/v13/techniques/T1558/003/
attack.mitre.org/versions/v13/techniques/T1566/
attack.mitre.org/versions/v13/techniques/T1566/
attack.mitre.org/versions/v13/techniques/T1589/001
attack.mitre.org/versions/v13/techniques/T1589/001
attack.mitre.org/versions/v13/techniques/T1592/
attack.mitre.org/versions/v13/techniques/T1592/
attack.mitre.org/versions/v13/techniques/T1595/002/
attack.mitre.org/versions/v13/techniques/T1595/002/
attack.mitre.org/versions/v13/techniques/T1598/
attack.mitre.org/versions/v13/techniques/T1598/
attack.mitre.org/versions/v13/techniques/T1621/
attack.mitre.org/versions/v13/techniques/T1621/
attack.mitre.org/versions/v13/techniques/T1649/
attack.mitre.org/versions/v13/techniques/T1649/
csrc.nist.gov/publications/detail/sp/800-218/final
csrc.nist.gov/publications/detail/sp/800-218/final
csrc.nist.gov/publications/detail/sp/800-218/final
csrc.nist.gov/publications/detail/sp/800-63b/final
csrc.nist.gov/publications/detail/sp/800-63b/final
csrc.nist.gov/publications/detail/sp/800-63b/final
csrc.nist.gov/pubs/sp/800/63/b/upd2/final
d3fend.mitre.org/
d3fend.mitre.org/
d3fend.mitre.org/
d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis/
d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening/
d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling/
d3fend.mitre.org/technique/d3f:CredentialHardening/
d3fend.mitre.org/technique/d3f:CredentialRotation
d3fend.mitre.org/technique/d3f:ExecutableAllowlisting/
d3fend.mitre.org/technique/d3f:FileEncryption/
d3fend.mitre.org/technique/d3f:LocalFilePermissions
d3fend.mitre.org/technique/d3f:LocalFilePermissions
d3fend.mitre.org/technique/d3f:MessageAnalysis/
d3fend.mitre.org/technique/d3f:Multi-factorAuthentication
d3fend.mitre.org/technique/d3f:NetworkIsolation/
d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis
d3fend.mitre.org/technique/d3f:NetworkTrafficCommunityDeviation/
d3fend.mitre.org/technique/d3f:NetworkTrafficFiltering/
d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring/
d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis/
d3fend.mitre.org/technique/d3f:SoftwareUpdate/
d3fend.mitre.org/technique/d3f:SoftwareUpdate/
d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/
d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/
d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/
d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/
d3fend.mitre.org/technique/d3f:UserAccountPermissions/
d3fend.mitre.org/technique/d3f:UserAccountPermissions/
d3fend.mitre.org/technique/d3f:UserAccountPermissions/
d3fend.mitre.org/technique/d3f:UserAccountPermissions/
d3fend.mitre.org/technique/d3f:UserAccountPermissions/
d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis
github.com/cisagov/Decider/
github.com/cisagov/Decider/
github.com/SnaffCon/Snaffler
github.com/SnaffCon/Snaffler
learn.microsoft.com/en-us/powershell/module/adcsdeployment/uninstall-adcswebenrollment
learn.microsoft.com/en-us/powershell/module/adcsdeployment/uninstall-adcswebenrollment?view=windowsserver2022-ps
learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997
learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997
learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-subject-alternative-name-upn-mapping
learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-subject-alternative-name-upn-mapping
learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
learn.microsoft.com/troubleshoot/windows-server/networking/overview-server-message-block-signing
media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition%20to%20Multi-factor%20Authentication%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180360/-1/-1/0/Continuously%20Hunt%20for%20Network%20Intrusions%20-%20Copy.pdf
media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF
media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF
media.defense.gov/2021/Apr/29/2002630479/-1/-1/0/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF
media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
media.defense.gov/2022/Jun/22/2003021689/-1/-1/1/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
media.defense.gov/2022/May/17/2002998718/-1/-1/0/CSA_WEAK_SECURITY_CONTROLS_PRACTICES_EXPLOITED_FOR_INITIAL_ACCESS.PDF
media.defense.gov/2023/Mar/14/2003178390/-1/-1/0/CSI_Zero_Trust_User_Pillar_v1.1.PDF
media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
posts.specterops.io/certified-pre-owned-d95910965cd2
posts.specterops.io/certified-pre-owned-d95910965cd2
public.cyber.mil/stigs/
public.cyber.mil/stigs/
public.cyber.mil/stigs/
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
support.microsoft.com/en-au/topic/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f
support.microsoft.com/en-au/topic/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f
support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8
support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8
support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
twitter.com/CISAgov
twitter.com/intent/tweet?text=NSA%20and%20CISA%20Red%20and%20Blue%20Teams%20Share%20Top%20Ten%20Cybersecurity%20Misconfigurations+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
www.cisa.gov/cpg
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/news-events/analysis-reports/ar21-126a
www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a
www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a
www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a
www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/resources-tools/resources/secure-by-design-and-default
www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
www.cisa.gov/securebydesign
www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf
www.cisa.gov/sites/default/files/2023-03/csso-scuba-guidance_document-hybrid_identity_solutions_architecture-2023.03.22-final.pdf
www.cisa.gov/sites/default/files/2023-06/mar-10365227.r1.v1.clear_.pdf
www.cisa.gov/sites/default/files/2023-06/mar-10365227.r1.v1.clear_.pdf
www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf
www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
www.cnss.gov/CNSS/issuances/Policies.cfm
www.cnss.gov/CNSS/issuances/Policies.cfm
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a&title=NSA%20and%20CISA%20Red%20and%20Blue%20Teams%20Share%20Top%20Ten%20Cybersecurity%20Misconfigurations
www.hackingarticles.in/domain-escalation-petitpotam-ntlm-relay-to-adcs-endpoints/
www.hackingarticles.in/domain-escalation-petitpotam-ntlm-relay-to-adcs-endpoints/
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
www.nsa.gov/cybersecurity-guidance
www.nsa.gov/cybersecurity-guidance
www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/
www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=NSA%20and%20CISA%20Red%20and%20Blue%20Teams%20Share%20Top%20Ten%20Cybersecurity%20Misconfigurations&body=www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%