Playbook catalogue

The 55 remediation playbooks Obexum ships for Windows AD domain controllers, generated from the playbook library. Each is dry-run by default, carries a rollback section, advisory notes, and a post-fix validation hook. Render one with obexum playbook render <id> --target <host>.

Playbook IDTitleFixesRiskEst. time
pb-windows-dc-acl-001Remove non-Tier0 DCSync extended right from domain rootAUD-WIN-ACL-001medium30s
pb-windows-dc-acl-002Strip non-Tier0 ACE from AdminSDHolderAUD-WIN-ACL-002medium30s
pb-windows-dc-acl-003Strip non-Tier0 takeover ACE from Tier0 groupAUD-WIN-ACL-003medium30s
pb-windows-dc-acl-004Strip non-Tier0 takeover ACE from domain rootAUD-WIN-ACL-004high30s
pb-windows-dc-acl-008Strip non-Tier0 GenericAll/Write ACE from Tier0 userAUD-WIN-ACL-008medium30s
pb-windows-dc-acl-009Strip Shadow Credentials write ACE (msDS-KeyCredentialLink)AUD-WIN-ACL-009medium30s
pb-windows-dc-acl-010Restore Tier0 object owner to Domain AdminsAUD-WIN-ACL-010medium30s
pb-windows-dc-acl-011Strip non-Tier0 ACE from Domain Controllers OUAUD-WIN-ACL-011high30s
pb-windows-dc-acl-012Strip non-Tier0 write ACE from DC computer objectAUD-WIN-ACL-012high30s
pb-windows-dc-adcs-001ADCS ESC1 - disable + unpublish SAN-supply templateAUD-WIN-ADCS-001medium2m
pb-windows-dc-adcs-002ADCS ESC2 - disable + remove Any-Purpose EKU templateAUD-WIN-ADCS-002medium2m
pb-windows-dc-adcs-004ADCS ESC4 - strip non-Tier0 write ACEs from certificate templateAUD-WIN-ADCS-004medium1m
pb-windows-dc-adcs-006ADCS ESC6 - clear EDITF_ATTRIBUTESUBJECTALTNAME2 on CAAUD-WIN-ADCS-006low30s
pb-windows-dc-adcs-008ADCS ESC8 - disable HTTP web enrollment, require HTTPS + EPAAUD-WIN-ADCS-008medium1m
pb-windows-dc-adcs-009ADCS ESC9 - clear no_security_extension flag from templateAUD-WIN-ADCS-009low30s
pb-windows-dc-adcs-015ADCS ESC15 / EKUwu - disable + remove schema-v1 + SAN-supply templateAUD-WIN-ADCS-015medium2m
pb-windows-dc-dc-001Enforce LDAP signing on Domain Controller (LDAPServerIntegrity = 2)AUD-WIN-DC-001medium30s
pb-windows-dc-dc-002Enforce LDAP channel binding (LdapEnforceChannelBinding = 2)AUD-WIN-DC-002medium30s
pb-windows-dc-dc-003Disable anonymous SAM enumeration (RestrictAnonymous combo)AUD-WIN-DC-003low15s
pb-windows-dc-dc-005Refuse NTLMv1 / LM (LmCompatibilityLevel=5 + NoLMHash=1)AUD-WIN-DC-005medium30s
pb-windows-dc-dch-001Disable + stop Print Spooler service on Domain ControllerAUD-WIN-DCH-001low30s
pb-windows-dc-dch-002Restrict Point-and-Print to administrators (PrintNightmare follow-up)AUD-WIN-DCH-002low15s
pb-windows-dc-dch-004Restrict DSRM admin to DSRM mode only (DsrmAdminLogonBehavior=2)AUD-WIN-DCH-004low15s
pb-windows-dc-dch-008Apply auditpol baseline (Success+Failure on critical subcategories)AUD-WIN-DCH-008low30s
pb-windows-dc-dch-009Enable NTLM inbound restriction + audit on DCAUD-WIN-DCH-009low15s
pb-windows-dc-dch-010Disable WDigest cleartext credentials in LSASSAUD-WIN-DCH-010low15s
pb-windows-dc-fh-003Enable AD Recycle Bin Optional FeatureAUD-WIN-FH-003medium30s
pb-windows-dc-fh-006Harden Default Domain Password PolicyAUD-WIN-FH-006high30s
pb-windows-dc-fh-007Clear dSHeuristics anonymous-bind bitAUD-WIN-FH-007low15s
pb-windows-dc-krb-005Rotate krbtgt password (twice, >=10h apart)AUD-WIN-KRB-005high1m
pb-windows-dc-krb-007Set krbtgt enctype to AES-only (msDS-SupportedEncryptionTypes=0x18)AUD-WIN-KRB-007medium30s
pb-windows-dc-krb-008Add Domain Admins to Protected Users (or set AccountIsSensitive)AUD-WIN-KRB-008medium30s
pb-windows-dc-krb-010Set ms-DS-MachineAccountQuota = 0 (block NoPac prereq)AUD-WIN-KRB-010medium15s
pb-windows-dc-pers-t-007Restore Winlogon Userinit to baselineAUD-WIN-PERS-T-007medium15s
pb-windows-dc-pers-t-008Restore Winlogon Shell to baseline ('explorer.exe')AUD-WIN-PERS-T-008medium15s
pb-windows-dc-pers-t-009Remove Winlogon Taskman valueAUD-WIN-PERS-T-009low15s
pb-windows-dc-pers-t-010Remove Winlogon GinaDLL valueAUD-WIN-PERS-T-010low15s
pb-windows-dc-pers-t-012Remove Winlogon Notify subkeyAUD-WIN-PERS-T-012low15s
pb-windows-dc-pers-x-001Remove IFEO Debugger value from <exe>AUD-WIN-PERS-X-001low15s
pb-windows-dc-pers-x-005Clear AppInit_DLLs + LoadAppInit_DLLsAUD-WIN-PERS-X-005low15s
pb-windows-dc-pers-x-011Investigate + remove kernel driver service with off-System32 ImagePathAUD-WIN-PERS-X-011high5m
pb-windows-dc-pers-x-015Investigate + remove svchost service with ServiceDll off-System32AUD-WIN-PERS-X-015high5m
pb-windows-dc-pg-004Remove non-Tier0 member from DnsAdminsAUD-WIN-PG-004low15s
pb-windows-dc-pg-006Remove broad principal from Pre-Windows 2000 Compatible AccessAUD-WIN-PG-006medium15s
pb-windows-dc-pg-007Deploy Windows LAPS on the domain (schema + GPO)AUD-WIN-PG-007high5m
pb-windows-dc-pg-008Strip non-Tier0 ExtendedRight on LAPS password attributeAUD-WIN-PG-008low30s
pb-windows-dc-priv-004Clear DNS ServerLevelPluginDll registry valueAUD-WIN-PRIV-004medium30s
pb-windows-dc-priv-006Disable PowerShell v2 Optional FeatureAUD-WIN-PRIV-006low1m
pb-windows-dc-priv-007Remove off-baseline AMSI Provider CLSIDAUD-WIN-PRIV-007low15s
pb-windows-dc-priv-009Enable LSASS Protected Process Light (RunAsPPL)AUD-WIN-PRIV-009medium1m
pb-windows-dc-priv-010Reset LocalAccountTokenFilterPolicy to default (=0)AUD-WIN-PRIV-010low15s
pb-windows-dc-priv-011Restore UAC ConsentPromptBehaviorAdmin to baseline (=5)AUD-WIN-PRIV-011low15s
pb-windows-dc-priv-012Remove HKU auto-elevate hijack subkeysAUD-WIN-PRIV-012low15s
pb-windows-dc-priv-014Disable RDP RestrictedAdmin pass-the-hashAUD-WIN-PRIV-014low15s
pb-windows-dc-priv-015Harden DLL search-order (SafeDllSearchMode + CWDIllegalInDllSearch)AUD-WIN-PRIV-015low15s