Playbook catalogue
The 55 remediation playbooks Obexum ships for Windows AD domain controllers, generated from the playbook library. Each is dry-run by default, carries a rollback section, advisory notes, and a post-fix validation hook. Render one with obexum playbook render <id> --target <host>.
| Playbook ID | Title | Fixes | Risk | Est. time |
|---|---|---|---|---|
pb-windows-dc-acl-001 | Remove non-Tier0 DCSync extended right from domain root | AUD-WIN-ACL-001 | medium | 30s |
pb-windows-dc-acl-002 | Strip non-Tier0 ACE from AdminSDHolder | AUD-WIN-ACL-002 | medium | 30s |
pb-windows-dc-acl-003 | Strip non-Tier0 takeover ACE from Tier0 group | AUD-WIN-ACL-003 | medium | 30s |
pb-windows-dc-acl-004 | Strip non-Tier0 takeover ACE from domain root | AUD-WIN-ACL-004 | high | 30s |
pb-windows-dc-acl-008 | Strip non-Tier0 GenericAll/Write ACE from Tier0 user | AUD-WIN-ACL-008 | medium | 30s |
pb-windows-dc-acl-009 | Strip Shadow Credentials write ACE (msDS-KeyCredentialLink) | AUD-WIN-ACL-009 | medium | 30s |
pb-windows-dc-acl-010 | Restore Tier0 object owner to Domain Admins | AUD-WIN-ACL-010 | medium | 30s |
pb-windows-dc-acl-011 | Strip non-Tier0 ACE from Domain Controllers OU | AUD-WIN-ACL-011 | high | 30s |
pb-windows-dc-acl-012 | Strip non-Tier0 write ACE from DC computer object | AUD-WIN-ACL-012 | high | 30s |
pb-windows-dc-adcs-001 | ADCS ESC1 - disable + unpublish SAN-supply template | AUD-WIN-ADCS-001 | medium | 2m |
pb-windows-dc-adcs-002 | ADCS ESC2 - disable + remove Any-Purpose EKU template | AUD-WIN-ADCS-002 | medium | 2m |
pb-windows-dc-adcs-004 | ADCS ESC4 - strip non-Tier0 write ACEs from certificate template | AUD-WIN-ADCS-004 | medium | 1m |
pb-windows-dc-adcs-006 | ADCS ESC6 - clear EDITF_ATTRIBUTESUBJECTALTNAME2 on CA | AUD-WIN-ADCS-006 | low | 30s |
pb-windows-dc-adcs-008 | ADCS ESC8 - disable HTTP web enrollment, require HTTPS + EPA | AUD-WIN-ADCS-008 | medium | 1m |
pb-windows-dc-adcs-009 | ADCS ESC9 - clear no_security_extension flag from template | AUD-WIN-ADCS-009 | low | 30s |
pb-windows-dc-adcs-015 | ADCS ESC15 / EKUwu - disable + remove schema-v1 + SAN-supply template | AUD-WIN-ADCS-015 | medium | 2m |
pb-windows-dc-dc-001 | Enforce LDAP signing on Domain Controller (LDAPServerIntegrity = 2) | AUD-WIN-DC-001 | medium | 30s |
pb-windows-dc-dc-002 | Enforce LDAP channel binding (LdapEnforceChannelBinding = 2) | AUD-WIN-DC-002 | medium | 30s |
pb-windows-dc-dc-003 | Disable anonymous SAM enumeration (RestrictAnonymous combo) | AUD-WIN-DC-003 | low | 15s |
pb-windows-dc-dc-005 | Refuse NTLMv1 / LM (LmCompatibilityLevel=5 + NoLMHash=1) | AUD-WIN-DC-005 | medium | 30s |
pb-windows-dc-dch-001 | Disable + stop Print Spooler service on Domain Controller | AUD-WIN-DCH-001 | low | 30s |
pb-windows-dc-dch-002 | Restrict Point-and-Print to administrators (PrintNightmare follow-up) | AUD-WIN-DCH-002 | low | 15s |
pb-windows-dc-dch-004 | Restrict DSRM admin to DSRM mode only (DsrmAdminLogonBehavior=2) | AUD-WIN-DCH-004 | low | 15s |
pb-windows-dc-dch-008 | Apply auditpol baseline (Success+Failure on critical subcategories) | AUD-WIN-DCH-008 | low | 30s |
pb-windows-dc-dch-009 | Enable NTLM inbound restriction + audit on DC | AUD-WIN-DCH-009 | low | 15s |
pb-windows-dc-dch-010 | Disable WDigest cleartext credentials in LSASS | AUD-WIN-DCH-010 | low | 15s |
pb-windows-dc-fh-003 | Enable AD Recycle Bin Optional Feature | AUD-WIN-FH-003 | medium | 30s |
pb-windows-dc-fh-006 | Harden Default Domain Password Policy | AUD-WIN-FH-006 | high | 30s |
pb-windows-dc-fh-007 | Clear dSHeuristics anonymous-bind bit | AUD-WIN-FH-007 | low | 15s |
pb-windows-dc-krb-005 | Rotate krbtgt password (twice, >=10h apart) | AUD-WIN-KRB-005 | high | 1m |
pb-windows-dc-krb-007 | Set krbtgt enctype to AES-only (msDS-SupportedEncryptionTypes=0x18) | AUD-WIN-KRB-007 | medium | 30s |
pb-windows-dc-krb-008 | Add Domain Admins to Protected Users (or set AccountIsSensitive) | AUD-WIN-KRB-008 | medium | 30s |
pb-windows-dc-krb-010 | Set ms-DS-MachineAccountQuota = 0 (block NoPac prereq) | AUD-WIN-KRB-010 | medium | 15s |
pb-windows-dc-pers-t-007 | Restore Winlogon Userinit to baseline | AUD-WIN-PERS-T-007 | medium | 15s |
pb-windows-dc-pers-t-008 | Restore Winlogon Shell to baseline ('explorer.exe') | AUD-WIN-PERS-T-008 | medium | 15s |
pb-windows-dc-pers-t-009 | Remove Winlogon Taskman value | AUD-WIN-PERS-T-009 | low | 15s |
pb-windows-dc-pers-t-010 | Remove Winlogon GinaDLL value | AUD-WIN-PERS-T-010 | low | 15s |
pb-windows-dc-pers-t-012 | Remove Winlogon Notify subkey | AUD-WIN-PERS-T-012 | low | 15s |
pb-windows-dc-pers-x-001 | Remove IFEO Debugger value from <exe> | AUD-WIN-PERS-X-001 | low | 15s |
pb-windows-dc-pers-x-005 | Clear AppInit_DLLs + LoadAppInit_DLLs | AUD-WIN-PERS-X-005 | low | 15s |
pb-windows-dc-pers-x-011 | Investigate + remove kernel driver service with off-System32 ImagePath | AUD-WIN-PERS-X-011 | high | 5m |
pb-windows-dc-pers-x-015 | Investigate + remove svchost service with ServiceDll off-System32 | AUD-WIN-PERS-X-015 | high | 5m |
pb-windows-dc-pg-004 | Remove non-Tier0 member from DnsAdmins | AUD-WIN-PG-004 | low | 15s |
pb-windows-dc-pg-006 | Remove broad principal from Pre-Windows 2000 Compatible Access | AUD-WIN-PG-006 | medium | 15s |
pb-windows-dc-pg-007 | Deploy Windows LAPS on the domain (schema + GPO) | AUD-WIN-PG-007 | high | 5m |
pb-windows-dc-pg-008 | Strip non-Tier0 ExtendedRight on LAPS password attribute | AUD-WIN-PG-008 | low | 30s |
pb-windows-dc-priv-004 | Clear DNS ServerLevelPluginDll registry value | AUD-WIN-PRIV-004 | medium | 30s |
pb-windows-dc-priv-006 | Disable PowerShell v2 Optional Feature | AUD-WIN-PRIV-006 | low | 1m |
pb-windows-dc-priv-007 | Remove off-baseline AMSI Provider CLSID | AUD-WIN-PRIV-007 | low | 15s |
pb-windows-dc-priv-009 | Enable LSASS Protected Process Light (RunAsPPL) | AUD-WIN-PRIV-009 | medium | 1m |
pb-windows-dc-priv-010 | Reset LocalAccountTokenFilterPolicy to default (=0) | AUD-WIN-PRIV-010 | low | 15s |
pb-windows-dc-priv-011 | Restore UAC ConsentPromptBehaviorAdmin to baseline (=5) | AUD-WIN-PRIV-011 | low | 15s |
pb-windows-dc-priv-012 | Remove HKU auto-elevate hijack subkeys | AUD-WIN-PRIV-012 | low | 15s |
pb-windows-dc-priv-014 | Disable RDP RestrictedAdmin pass-the-hash | AUD-WIN-PRIV-014 | low | 15s |
pb-windows-dc-priv-015 | Harden DLL search-order (SafeDllSearchMode + CWDIllegalInDllSearch) | AUD-WIN-PRIV-015 | low | 15s |