This scan of obexum-dc emitted 161 findings across 0 scanner module(s). Of these, 22 are CRITICAL, requiring immediate triage and remediation before the next risk-bearing change window.
46 of 161 findings have an Obexum-shipped remediation playbook. Run obexum playbook list --platform windows-dc to inspect them, then obexum playbook render <id> --target obexum-dc to emit a script for change-management review.
22 CRITICAL, 104 High, 30 Medium, 5 Low

Top Fixes by Impact
46 of 161 findings are resolvable via the recipes below. Run obexum fix --scan-id 85beab58-0816-4f8b-bf47-613a8dffe587 to apply.

#  | Impact | Risk | Reboot | Resolves             | Fix
1  | 65.0   | low  | never  | 13 (C0 H13 I0 M0 L0) | Apply auditpol baseline (Success+Failure on critical subcategories)
Templates with msPKI-Template-Schema-Version = 1 AND CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set. CVE-2024-49019 (Nov 2024 patch). Schema-v1 templates accept arbitrary application-policy injection from the requester, allowing a non-priv user to mint a cert with Client Auth + bypass strong binding. Microsoft KB5044280 mitigates server-side; remove vulnerable templates.
Finding: template 'OBX_ESC15_v1Schema' is schema-v1 with ENROLLEE_SUPPLIES_SUBJECT → CVE-2024-49019 EKUwu. Remove from issuance OR upgrade to schema v2/v3

Templates with msPKI-Certificate-Name-Flag bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) AND a client-authentication EKU (Client Auth, Smartcard Logon, Any Purpose, PKINIT) AND enrollable by non-privileged principals = full Domain Admin via certificate forgery (ESC1, SpecterOps Certified Pre-Owned 2021).
Finding: template 'OBX_ESC15_v1Schema' allows alternate-SAN supply + auth EKU without Manager Approval → DA via cert forgery

Templates with msPKI-Certificate-Name-Flag bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) AND a client-authentication EKU (Client Auth, Smartcard Logon, Any Purpose, PKINIT) AND enrollable by non-privileged principals = full Domain Admin via certificate forgery (ESC1, SpecterOps Certified Pre-Owned 2021).
Finding: template 'OBX_ESC2_AnyEKU' allows alternate-SAN supply + auth EKU without Manager Approval → DA via cert forgery

Templates with msPKI-Certificate-Name-Flag bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) AND a client-authentication EKU (Client Auth, Smartcard Logon, Any Purpose, PKINIT) AND enrollable by non-privileged principals = full Domain Admin via certificate forgery (ESC1, SpecterOps Certified Pre-Owned 2021).
Finding: template 'OBX_ESC9_NoSecExt' allows alternate-SAN supply + auth EKU without Manager Approval → DA via cert forgery

Templates with pkiExtendedKeyUsage = 2.5.29.37.0 (Any Purpose) OR no EKU at all AND enrollable by non-privileged principals. The resulting certificate can authenticate as ANY user/service in the forest. ESC2 per SpecterOps Certified Pre-Owned.
Finding: template 'OBX_ESC2_AnyEKU' → Any Purpose EKU (2.5.29.37.0) → certificate authenticates as any principal
Source: audit | Category: auth | Score: 9.5
T1649

AUD-WIN-ADCS-006 [CRITICAL]
ADCS ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 set on CA → OBXLAB-CA
CA policy module EditFlags has bit 0x40000 (EDITF_ATTRIBUTESUBJECTALTNAME2) set, allowing requesters to specify alternate SAN values on ANY template enrollable by them. Equivalent to ESC1 across every template. Microsoft KB 4509489 explicitly forbids this flag.
Finding: CA OBXLAB-CA on ip-208-84-101-7.obxlab.local has EDITF_ATTRIBUTESUBJECTALTNAME2 set. Fix: certutil -config 'ip-208-84-101-7.obxlab.local\OBXLAB-CA' -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; net stop certsvc; net start certsvc
Source: audit | Category: auth | Score: 9.5
T1649
AUD-WIN-ADCS-008 [CRITICAL]
ADCS ESC8: web enrollment endpoint exposed without HTTPS+EPA → OBXLAB-CA:EPA
ADCS web enrollment (/certsrv/) and/or CES/CEP endpoints are reachable without HTTPS-only + Extended Protection for Authentication. Combined with PetitPotam-style coercion, any unprivileged user can NTLM-relay to ADCS and obtain a DC certificate (ESC8, Microsoft ADV210003).
Finding: CA OBXLAB-CA /certsrv/ Extended Protection for Authentication tokenChecking= (expected Required). NTLM relay with channel binding bypass possible
Source: audit | Category: auth | Score: 9.5
T1557.001

AUD-WIN-DCH-001 [CRITICAL]
DC hardening: Print Spooler service running on DC → Spooler
PrintNightmare (CVE-2021-34527) and follow-on spooler RCEs are pre-auth SYSTEM on any host running the Print Spooler service. CISA, MS and CIS all recommend stopping + disabling the Spooler service on every Domain Controller. Default Server 2019/2022 = Running.
Finding: Print Spooler is Running with start type Automatic on a DC. Stop-Service Spooler; Set-Service Spooler -StartupType Disabled
Source: audit | Category: network | Score: 9.5
T1210

AUD-WIN-DCH-007 [CRITICAL]
DC hardening: latest hotfix older than 30 days → KB5010523
Time since the most recent hotfix InstalledOn value. >30d = HIGH (one missed Patch Tuesday), >60d = CRITICAL. Probe queries Get-HotFix and reports the newest.
Finding: Newest hotfix KB5010523 installed 2022-03-03 (1517 days ago). Run a cumulative update
Source: audit | Category: integrity | Score: 9.5

AUD-WIN-KRB-009 [CRITICAL]
Kerberos: constrained delegation to sensitive service → svc_kroast
msDS-AllowedToDelegateTo entries pointing at sensitive SPN classes (cifs/ldap/host/krbtgt/HTTP on a DC) let the delegating principal impersonate any user, including AccountIsSensitive ones, when configured with protocol transition (UAC 0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION). Surface every such grant with target SPN class so the operator can validate scope.
Finding: object 'svc_kroast' (user) delegates to spn=cifs/obexum-dc.obxlab.local → sensitive service class 'cifs' + protocol transition (S4U2Self) → impersonate any user
Source: audit | Category: auth | Score: 9.5
T1558.002
AUD-WIN-KRB-003 [CRITICAL]
Kerberos: unconstrained delegation enabled on non-DC computer → OBX-FAKEHOST1
Computer objects with userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION) cache full TGTs of any user that authenticates to them, allowing impersonation forest-wide. Domain Controllers carry this flag legitimately and are excluded (primaryGroupID 516 / 521).
Finding: computer 'OBX-FAKEHOST1' has unconstrained delegation → os=. Any privileged user authenticating to this host can be impersonated forest-wide
Source: audit | Category: auth | Score: 9.5
T1558.001

AUD-WIN-PG-007 [CRITICAL]
LAPS: coverage gap on managed computers → LAPS coverage
Computers without ms-Mcs-AdmPwdExpirationTime / msLAPS-PasswordExpirationTime have no managed local-admin password rotation. Lateral movement via reused / static local admin secrets becomes trivial. Coverage <50% is HIGH; <10% (or no LAPS schema) is CRITICAL.
Finding: 0 of 1 non-DC computers have LAPS expiration attribute set (0%). Deploy Windows LAPS via Intune/GPO
Source: audit | Category: auth | Score: 9.5
WinServer2022-2.3.x, T1550.002

AUD-WIN-THREAT-005 [CRITICAL]
Microsoft Defender ASR rules not in Block mode → Block credential stealing from LSASS
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 not configured (no ASR rules registered on host) → T1003.001 Mimikatz / pypykatz LSASS dump

AUD-WIN-THREAT-005 [CRITICAL]
Microsoft Defender ASR rules not in Block mode → Use advanced ransomware protection
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule C1DB55AB-C21A-4637-BB3F-A12568109D35 not configured (no ASR rules registered on host) → T1486 ransomware encryption block

AUD-WIN-INTEG-005 [CRITICAL]
Patch posture: stale last-update OR pending reboot → PatchAge
Last installed HotFix is more than 30 days ago AND/OR a pending reboot is blocking installed patches from taking effect. Stale patch posture means public exploits for recent CVEs land directly. Pending reboot is the silent variant → host appears patched (KB shows installed) but the new binaries on disk are not loaded until restart.
Finding: last HotFix installed 1516 days ago (>90d). Public exploits for recent CVEs apply directly. Last KB: KB5010523 on 2022-03-03T00:00:00.0000000
Source: audit | Category: integrity | Score: 9.5
SI-2, SI-2(2), T1190
AUD-WIN-PG-006 [CRITICAL]
Privileged groups: Pre-Windows 2000 Compatible Access has broad principal → Authenticated Users
Pre-Windows 2000 Compatible Access (BUILTIN, S-1-5-32-554) grants Read on AD user attributes including legacy attributes. Authenticated Users / Anonymous Logon / Everyone / Domain Users as a member effectively gives every authenticated principal unrestricted AD enumeration. Default on Server 2003+ is empty or contains Authenticated Users only when 'pre-Win2k compat' was selected at dcpromo. CIS recommends empty.
Finding: Pre-Win2k Compatible Access has broad principal 'Authenticated Users' (SID S-1-5-11) → anonymous/authenticated AD enumeration

One or more UAC settings under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is below the hardening baseline. With UAC weakened (EnableLUA=0 the worst case) every privesc primitive that lives in user context immediately reaches SYSTEM via Administrator-group token granting. The six settings together model: UAC engine on, built-in Admin filtered, secure-desktop prompts, deny-silent for non-admins, installer heuristic on.
Finding: UAC engine entirely disabled → every Administrator-group process runs full-elevated. Single biggest privesc enabler. Fix: Set-ItemProperty same path -Name EnableLUA -Value 1 -Type DWord (reboot)

auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class → see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Audit Policy Change' = "No Auditing" (expected one of [Success Success and Failure]). 4719 → audit policy disabled by attacker (T1562.002) → meta-tamper invisible. Fix: auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class → see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Credential Validation' = "No Auditing" (expected one of [Success and Failure]). Kerberos/NTLM brute-force + Pass-the-Hash early-stage auth invisible (4776 missing). Fix: auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

AUD-WIN-LOG-002 [CRITICAL]
Windows audit policy critical subcategories below baseline → Logon
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class → see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Logon' = "No Auditing" (expected one of [Success and Failure]). Whole 4624/4625 logon stream → RDP brute-force + interactive logon mapping invisible. Fix: auditpol /set /subcategory:"Logon" /success:enable /failure:enable

AUD-WIN-LOG-002 [CRITICAL]
Windows audit policy critical subcategories below baseline → Process Creation
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class → see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Process Creation' = "No Auditing" (expected one of [Success Success and Failure]). 4688 → every Execution technique (T1059.*) invisible WITHOUT this. Fix: auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

AUD-WIN-LOG-002 [CRITICAL]
Windows audit policy critical subcategories below baseline → Security System Extension
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class → see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Security System Extension' = "No Auditing" (expected one of [Success Success and Failure]). 4610/4614/4622 → Security Package load (T1547.005), LSA driver (T1547.008) invisible. Fix: auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

DC registry HKLM:\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement is not 2 (Full Enforcement) AND/OR HKLM:\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters\CertificateMappingMethods allows weak mappings (UPN alone). CVE-2022-26923 / KB5014754 require Full Enforcement.
Finding: got (expected 2 = Full Enforcement). KB5014754 requires this. Fix: Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -Name StrongCertificateBindingEnforcement -Value 2 -Type DWord; reboot
Source: audit | Category: auth | Score: 8.0
T1649
AUD-WIN-ADCS-009 [HIGH]
ADCS ESC9: certificate template has no_security_extension flag → OBX_ESC9_NoSecExt
Templates with msPKI-Enrollment-Flag bit 0x80000 (CT_FLAG_NO_SECURITY_EXTENSION) emit certificates without the szOID_NTDS_CA_SECURITY_EXT extension that binds cert to user SID. Combined with weak certificate mapping (ESC10) on DCs, enables impersonation across user accounts. CVE-2022-26923 era. Microsoft KB5014754 enforces strong binding mode 2.
Finding: template 'OBX_ESC9_NoSecExt' has CT_FLAG_NO_SECURITY_EXTENSION (0x80000) → cert lacks SID binding, ESC9 abuse vector
Source: audit | Category: auth | Score: 8.0
T1649

AUD-WIN-IDENT-004 [HIGH]
Account lockout policy is below CIS / DISA STIG baseline → LockoutBadCount
Lockout threshold is 0 (no lockout), duration too short, or the modern AllowAdministratorLockout setting is not enabled. Without effective lockout the built-in Administrator (RID 500) becomes a free spray target → every attempt costs the attacker one HTTP/SMB request and there is no defender feedback loop.
Finding: set to 0 → accounts can NEVER be locked out, password spray is unbounded

AUD-WIN-IDENT-006 [HIGH]
Anonymous (null-session) restrictions deviate from CIS / DISA STIG → RestrictAnonymous
One or more LSA / LanmanServer settings that govern anonymous network access (null sessions to SAM, shares, and named pipes) is below baseline. These are the recon primitives every BloodHound-style enumeration depends on. Even when defaults are hardened, legacy compat scripts and downgrade attacks routinely re-open them.
Finding: got 0, expected 1 → null-session share/pipe enumeration possible

AUD-WIN-IDENT-006 [HIGH]
Anonymous (null-session) restrictions deviate from CIS / DISA STIG → RestrictRemoteSAM
One or more LSA / LanmanServer settings that govern anonymous network access (null sessions to SAM, shares, and named pipes) is below baseline. These are the recon primitives every BloodHound-style enumeration depends on. Even when defaults are hardened, legacy compat scripts and downgrade attacks routinely re-open them.
Finding: not set → remote SAM read accessible to any authenticated user (BloodHound primitive)

One or more boot-chain integrity controls is not at hardening baseline: Secure Boot disabled (unsigned bootloader can run pre-OS), TPM absent / not activated / not version 2.0 (Credential Guard + measured boot impossible), or early-launch anti-malware (ELAM) driver-load policy permissive. Together these protect against pre-OS rootkit + boot-time tampering.
Finding: Confirm-SecureBootUEFI failed (ERR:Cmdlet not supported on this platform: 0xC0000002) → likely BIOS/legacy boot mode; UEFI required for Secure Boot

One or more boot-chain integrity controls is not at hardening baseline: Secure Boot disabled (unsigned bootloader can run pre-OS), TPM absent / not activated / not version 2.0 (Credential Guard + measured boot impossible), or early-launch anti-malware (ELAM) driver-load policy permissive. Together these protect against pre-OS rootkit + boot-time tampering.
Finding: TPM not present → Credential Guard, measured boot, BitLocker TPM-bind impossible. On VMs add a virtual TPM (vTPM) device; on physical add discrete TPM module

AUD-WIN-IDENT-001 [HIGH]
Built-in Administrator account (RID 500) is enabled → Administrator
The built-in Administrator (well-known SID ending in -500) is enabled. This account is exempt from lockout policy and is the canonical target for password spray attacks against every Windows host worldwide (same SID across the planet). CIS, DISA STIG, and Microsoft Security Baseline all require it disabled. Renaming alone is not sufficient mitigation → adversaries enumerate by SID, not by name.
Finding: RID 500 account enabled → disable via Disable-LocalUser -SID 'S-1-5-21-873624365-3528634227-720301803-500'

VBS reports VirtualizationBasedSecurityStatus != 2 (not running) OR Credential Guard (svc 1) / HVCI (svc 2) is not in SecurityServicesRunning. Without VBS, LSASS lives in regular kernel memory and can be read by any kernel-mode attacker (signed-driver bring-your-own). HVCI prevents unsigned kernel code from running. Both required for modern adversary defense per Microsoft Security Baseline.
Finding: Credential Guard not in SecurityServicesRunning → LSASS not isolated; Mimikatz / pypykatz can extract NTLM hashes and Kerberos tickets

VBS reports VirtualizationBasedSecurityStatus != 2 (not running) OR Credential Guard (svc 1) / HVCI (svc 2) is not in SecurityServicesRunning. Without VBS, LSASS lives in regular kernel memory and can be read by any kernel-mode attacker (signed-driver bring-your-own). HVCI prevents unsigned kernel code from running. Both required for modern adversary defense per Microsoft Security Baseline.
Finding: HVCI / Memory Integrity not in SecurityServicesRunning → unsigned kernel drivers can load (BYOVD attack surface)

VBS reports VirtualizationBasedSecurityStatus != 2 (not running) OR Credential Guard (svc 1) / HVCI (svc 2) is not in SecurityServicesRunning. Without VBS, LSASS lives in regular kernel memory and can be read by any kernel-mode attacker (signed-driver bring-your-own). HVCI prevents unsigned kernel code from running. Both required for modern adversary defense per Microsoft Security Baseline.
Finding: VirtualizationBasedSecurityStatus = 0 (expected 2 = Running). Without VBS, Credential Guard / HVCI cannot isolate LSASS / kernel code

AUD-WIN-DCH-003 [HIGH]
DC hardening: Defender ExclusionPath beyond MS DC baseline → C:\ProgramData\obx_persX_drv.sys
Microsoft's official DC AV exclusions list (KB822158) covers AD database, log files, SYSVOL, NTDS, DFSR. Any path outside that set is suspicious → adversary persistence + AV bypass. The check matches paths against a whitelist of normalized prefixes; anything else fires.
Finding: Defender exclusion path 'C:\ProgramData\obx_persX_drv.sys' is outside the MS DC baseline (KB 822158). Audit + remove
Source: audit | Category: threat | Score: 8.0
T1562.001
AUD-WIN-DCH-004 [HIGH]
DC hardening: DsrmAdminLogonBehavior allows DSRM admin in normal mode → DsrmAdminLogonBehavior
HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior controls whether the Directory Services Restore Mode admin can log on while the DC is operating normally. 0 (default) and 1 = allowed, 2 = DSRM-mode only. DSRM credentials are forest-wide and never rotated by default; 2 is mandatory for hardened DCs.
Finding: DsrmAdminLogonBehavior = -1. Set to 2 so the DSRM admin can only log on while in DSRM mode
Source: audit | Category: auth | Score: 8.0
T1078.002

AUD-WIN-DC-001 [HIGH]
DC hardening: LDAPServerIntegrity not set to Required → LDAPServerIntegrity
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity = 2 enforces LDAP signing on the DC, mitigating LDAP relay (CVE-2017-8563). Default = 1 (Negotiate) accepts unsigned binds. Combined with DC-002 channel binding it closes the LDAP relay surface.
Finding: LDAPServerIntegrity = 1. Set to 2 (Required) to mitigate LDAP relay CVE-2017-8563
Source: audit | Category: network | Score: 8.0
WinServer2022-2.3.11.x, T1557.001

AUD-WIN-DC-002 [HIGH]
DC hardening: LdapEnforceChannelBinding not Always (2) → LdapEnforceChannelBinding
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding = 2 makes channel binding mandatory on LDAPS → closing the relay path that plain signing cannot. 0 = Disabled, 1 = When supported. CIS + Microsoft KB 4520412 require 2.
Finding: LdapEnforceChannelBinding = -1. Set to 2 (Always) per KB 4520412
Source: audit | Category: network | Score: 8.0
WinServer2022-2.3.11.x, T1557.001

AUD-WIN-DC-005 [HIGH]
DC hardening: NTLMv1 / LM accepted → LmCompatibilityLevel
LmCompatibilityLevel < 5 still accepts NTLMv1 and LM, both broken authentication primitives. NoLMHash = 1 prevents the LM hash being stored at password-set time. Both must be hardened on every DC.
Finding: LmCompatibilityLevel = -1 (expected ≥ 5 = NTLMv2 only)
Source: audit | Category: crypto | Score: 8.0
WinServer2022-2.3.11.x, T1557.001

AUD-WIN-DC-006 [HIGH]
DC hardening: NullSessionPipes or NullSessionShares non-empty → pipe:lsarpc
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes / NullSessionShares list named pipes / shares accessible without authentication. Default on Server 2008 R2+ is empty. Any entry is a remote anonymous-IPC primitive.
Finding: NullSessionPipes contains 'lsarpc' → anonymous IPC$ access surface
Source: audit | Category: network | Score: 8.0
WinServer2022-2.3.10.x, T1021.002

AUD-WIN-DC-006 [HIGH]
DC hardening: NullSessionPipes or NullSessionShares non-empty → pipe:netlogon
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes / NullSessionShares list named pipes / shares accessible without authentication. Default on Server 2008 R2+ is empty. Any entry is a remote anonymous-IPC primitive.
Finding: NullSessionPipes contains 'netlogon' → anonymous IPC$ access surface
Source: audit | Category: network | Score: 8.0
WinServer2022-2.3.10.x, T1021.002

AUD-WIN-DC-006 [HIGH]
DC hardening: NullSessionPipes or NullSessionShares non-empty → pipe:samr
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes / NullSessionShares list named pipes / shares accessible without authentication. Default on Server 2008 R2+ is empty. Any entry is a remote anonymous-IPC primitive.
Finding: NullSessionPipes contains 'samr' → anonymous IPC$ access surface
Source: audit | Category: network | Score: 8.0
WinServer2022-2.3.10.x, T1021.002
AUD-WIN-DCH-002 [HIGH]
DC hardening: Point-and-Print not restricted to administrators → NoWarningNoElevationOnInstall
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint requires:
  RestrictDriverInstallationToAdministrators = 1
  NoWarningNoElevationOnInstall = 0
  UpdatePromptSettings = 0
Without these, any user can install a driver → the same primitive PrintNightmare uses for SYSTEM RCE.
Finding: NoWarningNoElevationOnInstall = -1 (expected 0)
Source: audit | Category: network | Score: 8.0
WinServer2022-18.6.x

AUD-WIN-DCH-002 [HIGH]
DC hardening: Point-and-Print not restricted to administrators → RestrictDriverInstallationToAdministrators
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint requires:
  RestrictDriverInstallationToAdministrators = 1
  NoWarningNoElevationOnInstall = 0
  UpdatePromptSettings = 0
Without these, any user can install a driver → the same primitive PrintNightmare uses for SYSTEM RCE.
Finding: RestrictDriverInstallationToAdministrators = -1 (expected 1)
Source: audit | Category: network | Score: 8.0
WinServer2022-18.6.x

AUD-WIN-DC-003 [HIGH]
DC hardening: anonymous SAM enumeration enabled → EveryoneIncludesAnonymous
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1, RestrictAnonymousSAM = 1, EveryoneIncludesAnonymous = 0 together block anonymous SID-to-name resolution and anonymous SAM enumeration, and prevent the Everyone token from including Anonymous Logon. CIS requires all three.
Finding: EveryoneIncludesAnonymous = -1 (expected 0)
Source: audit | Category: auth | Score: 8.0
WinServer2022-2.3.10.x, T1087.002

AUD-WIN-DC-003 [HIGH]
DC hardening: anonymous SAM enumeration enabled → RestrictAnonymous
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1, RestrictAnonymousSAM = 1, EveryoneIncludesAnonymous = 0 together block anonymous SID-to-name resolution and anonymous SAM enumeration, and prevent the Everyone token from including Anonymous Logon. CIS requires all three.
Finding: RestrictAnonymous = 0 (expected 1)
Source: audit | Category: auth | Score: 8.0
WinServer2022-2.3.10.x, T1087.002
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Account Lockout
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Account Lockout' = 'No Auditing' (expected 'Success and Failure')
Source: auditCategory: loggingScore: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Computer Account Management
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Computer Account Management' = 'No Auditing' (expected 'Success and Failure')
Source: auditCategory: loggingScore: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Credential Validation
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Credential Validation' = 'No Auditing' (expected 'Success and Failure')
Source: auditCategory: loggingScore: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Directory Service Access
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Directory Service Access' = 'No Auditing' (expected 'Success and Failure')
Source: auditCategory: loggingScore: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Directory Service Changes
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Directory Service Changes' = 'No Auditing' (expected 'Success and Failure')
Source: auditCategory: loggingScore: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Kerberos Authentication Service
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Kerberos Authentication Service' = 'No Auditing' (expected 'Success and Failure')
Source: auditCategory: loggingScore: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Kerberos Service Ticket Operations
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Kerberos Service Ticket Operations' = 'No Auditing' (expected 'Success and Failure')
Source: auditCategory: loggingScore: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Logoff
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Logoff' = 'No Auditing' (expected 'Success and Failure')
Source: auditCategory: loggingScore: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008HIGH
DC hardening: audit policy critical subcategories not at Success+Failure โ Logon
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Logon' = 'No Auditing' (expected 'Success and Failure')
Source: audit | Category: logging | Score: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008 | HIGH
DC hardening: audit policy critical subcategories not at Success+Failure → Other Account Logon Events
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Other Account Logon Events' = 'No Auditing' (expected 'Success and Failure')
Source: audit | Category: logging | Score: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008 | HIGH
DC hardening: audit policy critical subcategories not at Success+Failure → Security Group Management
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Security Group Management' = 'No Auditing' (expected 'Success and Failure')
Source: audit | Category: logging | Score: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008 | HIGH
DC hardening: audit policy critical subcategories not at Success+Failure → Special Logon
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'Special Logon' = 'No Auditing' (expected 'Success and Failure')
Source: audit | Category: logging | Score: 8.0
WinServer2022-17.x
AUD-WIN-DCH-008 | HIGH
DC hardening: audit policy critical subcategories not at Success+Failure → User Account Management
auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.
Finding: Audit subcategory 'User Account Management' = 'No Auditing' (expected 'Success and Failure')
EnableNetworkProtection != 1 (Block known-malicious outbound), EnableControlledFolderAccess != 1/2/3 (anti-ransomware folder lock), OR PUAProtection != 1 (block coin-miners / adware / browser hijackers). Each is an Exploit-Guard pillar that complements ASR rules.
Finding: EnableControlledFolderAccess=0 → anti-ransomware folder lock not active
Security / Application / System / PowerShell / Sysmon channels have MaxSizeInBytes below baseline OR LogMode set to Retain (rejects new events when full → T1562.002 effective DoS). Under attack volume, an undersized Security log rotates out within minutes; investigators lose the IOC timeline.
Finding: Security MaxSize = 134217728 bytes (128 MB), expected >= 1073741824 bytes (1024 MB)
AUD-WIN-FH-003 | HIGH
Forest hygiene: AD Recycle Bin not enabled → Recycle Bin Feature
Without the Recycle Bin Optional Feature, deleted AD objects lose all link-valued + back-link attributes → recovery from accidental or malicious bulk deletion (e.g. adversary scrubbing audit groups) is impossible. Once enabled the feature cannot be disabled.
Finding: Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <ForestRootDN>. Cannot be disabled once enabled → coordinate before changing.
Get-ADDefaultDomainPasswordPolicy returns the policy applied to every domain user that is not under a Fine-Grained Password Policy. Hardened baseline: MinPasswordLength ≥ 14, ComplexityEnabled = true, LockoutThreshold > 0 and ≤ 10, LockoutDuration ≥ 15 minutes, ReversibleEncryption disabled.
Finding: LockoutThreshold = 0 (no account lockout → unlimited brute force)
Get-ADDefaultDomainPasswordPolicy returns the policy applied to every domain user that is not under a Fine-Grained Password Policy. Hardened baseline: MinPasswordLength ≥ 14, ComplexityEnabled = true, LockoutThreshold > 0 and ≤ 10, LockoutDuration ≥ 15 minutes, ReversibleEncryption disabled.
Finding: MinPasswordLength = 7 (baseline ≥ 14)
Source: audit | Category: auth | Score: 8.0
WinServer2022-1.1.x | IA-5(1) | T1110
AUD-WIN-NET-006 | HIGH
Hardened UNC Paths for SYSVOL / NETLOGON not configured (domain-joined) → NETLOGON
On a domain-joined host, HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths is missing entries for \\*\NETLOGON and \\*\SYSVOL with RequireMutualAuthentication=1 and RequireIntegrity=1. Without these, an attacker on the LAN can MITM SYSVOL traffic, deliver poisoned Group Policy files, and execute code as SYSTEM at next gpupdate (MS14-025 / MS15-011).
Finding: \\*\NETLOGON entry missing under HardenedPaths
AUD-WIN-NET-006 | HIGH
Hardened UNC Paths for SYSVOL / NETLOGON not configured (domain-joined) → SYSVOL
On a domain-joined host, HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths is missing entries for \\*\NETLOGON and \\*\SYSVOL with RequireMutualAuthentication=1 and RequireIntegrity=1. Without these, an attacker on the LAN can MITM SYSVOL traffic, deliver poisoned Group Policy files, and execute code as SYSTEM at next gpupdate (MS14-025 / MS15-011).
Finding: \\*\SYSVOL entry missing under HardenedPaths
AUD-WIN-KRB-008 | HIGH
Kerberos: Domain Admins not protected from delegation abuse → Administrator
Each Domain Admins member should either carry userAccountControl bit 0x100000 (NOT_DELEGATED, AccountIsSensitive) or be a member of Protected Users (RID 525). Without one of these the account TGT is forwardable and capturable by any unconstrained-delegation-trusted host.
Finding: Domain Admin 'Administrator' has neither AccountIsSensitive (UAC 0x100000) nor Protected Users membership → TGT forwardable, capturable on unconstrained-delegation hosts
Source: audit | Category: auth | Score: 8.0
T1558.001
AUD-WIN-KRB-008 | HIGH
Kerberos: Domain Admins not protected from delegation abuse → extra_da
Each Domain Admins member should either carry userAccountControl bit 0x100000 (NOT_DELEGATED, AccountIsSensitive) or be a member of Protected Users (RID 525). Without one of these the account TGT is forwardable and capturable by any unconstrained-delegation-trusted host.
Finding: Domain Admin 'extra_da' has neither AccountIsSensitive (UAC 0x100000) nor Protected Users membership → TGT forwardable, capturable on unconstrained-delegation hosts
Source: audit | Category: auth | Score: 8.0
T1558.001
AUD-WIN-KRB-006 | HIGH
Kerberos: RC4 still allowed on Tier0 / privileged accounts → Administrator
msDS-SupportedEncryptionTypes bit 0x4 (RC4-HMAC) on a privileged account exposes the account hash to Kerberoast / Silver-Ticket forgery. Tier0 accounts must be AES-only (0x18 = AES128|AES256). Unset (0x0) on Server 2008+ defaults to RC4+AES per legacy compatibility → also flagged.
Finding: Tier0 account 'Administrator' has msDS-SupportedEncryptionTypes unset (defaults to RC4+AES) → set to 0x18 AES-only
Source: audit | Category: crypto | Score: 8.0
T1558.003
AUD-WIN-KRB-006 | HIGH
Kerberos: RC4 still allowed on Tier0 / privileged accounts → cloudbase-init
msDS-SupportedEncryptionTypes bit 0x4 (RC4-HMAC) on a privileged account exposes the account hash to Kerberoast / Silver-Ticket forgery. Tier0 accounts must be AES-only (0x18 = AES128|AES256). Unset (0x0) on Server 2008+ defaults to RC4+AES per legacy compatibility → also flagged.
Finding: Tier0 account 'cloudbase-init' has msDS-SupportedEncryptionTypes unset (defaults to RC4+AES) → set to 0x18 AES-only
Source: audit | Category: crypto | Score: 8.0
T1558.003
AUD-WIN-KRB-006 | HIGH
Kerberos: RC4 still allowed on Tier0 / privileged accounts → extra_da
msDS-SupportedEncryptionTypes bit 0x4 (RC4-HMAC) on a privileged account exposes the account hash to Kerberoast / Silver-Ticket forgery. Tier0 accounts must be AES-only (0x18 = AES128|AES256). Unset (0x0) on Server 2008+ defaults to RC4+AES per legacy compatibility → also flagged.
Finding: Tier0 account 'extra_da' has msDS-SupportedEncryptionTypes unset (defaults to RC4+AES) → set to 0x18 AES-only
Source: audit | Category: crypto | Score: 8.0
T1558.003
AUD-WIN-KRB-006 | HIGH
Kerberos: RC4 still allowed on Tier0 / privileged accounts → krbtgt
msDS-SupportedEncryptionTypes bit 0x4 (RC4-HMAC) on a privileged account exposes the account hash to Kerberoast / Silver-Ticket forgery. Tier0 accounts must be AES-only (0x18 = AES128|AES256). Unset (0x0) on Server 2008+ defaults to RC4+AES per legacy compatibility → also flagged.
Finding: Tier0 account 'krbtgt' has msDS-SupportedEncryptionTypes unset (defaults to RC4+AES) → set to 0x18 AES-only
msDS-AllowedToActOnBehalfOfOtherIdentity grants S4U2Proxy to the principals listed in the security descriptor. RBCD is a high-impact primitive when the writable principal is a non-Tier0 account or a broad principal. We surface every RBCD configuration so the operator can validate that each grant is intentional and the granted principal is a constrained service account.
Finding: object 'OBX-FAKEHOST1$' (computer) allows S4U2Proxy from SID S-1-5-21-873624365-3528634227-720301803-1108 → RBCD primitive. Verify grantee is a constrained service principal
Accounts with userAccountControl bit 0x400000 do not require Kerberos pre-authentication, so a remote unauthenticated attacker can request an AS-REP and brute-force the credential offline. Severity is CRITICAL when the account is Tier0.
Finding: user 'svc_asrep' has DONT_REQUIRE_PREAUTH set → AS-REP returns offline-crackable hash to anonymous requestors
Source: audit | Category: auth | Score: 8.0
T1558.004
AUD-WIN-KRB-007 | HIGH
Kerberos: krbtgt msDS-SupportedEncryptionTypes is not AES-only → krbtgt
If krbtgt's supported encryption types include RC4 (0x4) or are unset (defaulting to RC4+AES), Golden Tickets can be forged with RC4 hash compromise instead of AES. The krbtgt account must be set to 0x18 (AES128|AES256) and rotated.
Finding: krbtgt msDS-SupportedEncryptionTypes is unset (0) → legacy default RC4+AES. Set to 0x18 AES-only and rotate twice
Default ms-DS-MachineAccountQuota = 10 lets every authenticated user join up to 10 machines to the domain. Combined with CVE-2021-42278/42287 (NoPac / sAMAccountName spoofing) any low-priv user can compromise the domain. Microsoft's KB5008380 hardens both CVEs; the durable mitigation is to set the quota to 0 and grant CreateChild via a delegated administrator group.
Finding: ms-DS-MachineAccountQuota = 10 allows authenticated users to join machines to the domain. Set to 0 and delegate CreateChild on Computer container
Source: audit | Category: auth | Score: 8.0
T1078.002
AUD-WIN-KRB-001 | HIGH
Kerberos: user account with SPN is Kerberoastable → svc_kroast
User accounts with servicePrincipalName set issue TGS-REP messages encrypted with the account's NTLM hash. Offline crack recovers the password if it is human-chosen. Excludes gMSA (machine-managed 240-char key) and krbtgt. Severity ratchets to CRITICAL when the account is Tier0 (DA/EA/SA/Operators or adminCount=1). Mitigation: gMSA, AES-only enctype, 25+ char randomly-generated password.
Finding: user 'svc_kroast' has SPN → TGS-REP offline-crackable. spns=HTTP/test-kroast.obxlab.local
One or more of the three LSA settings that protect credentials at rest is not at the hardening baseline: LSA Protection (RunAsPPL) blocks LSASS process handle open by Mimikatz; WDigest UseLogonCredential=0 disables cleartext cred caching; NoLMHash=1 stops storing crackable LM hashes. Each gap maps directly to a documented credential-extraction technique (T1003.001).
Finding: not set → lsass.exe is NOT a protected process; Mimikatz can open the process handle and dump credentials. Fix: Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 1 -Type DWord (reboot required)
AUD-WIN-IDENT-003 | HIGH
Local password policy deviates from CIS / DISA STIG baseline → MinimumPasswordLength
One or more of the six CIS-mandated password policy fields is below the hardening threshold: history (>=24), max age (1-365 not 0), min age (>=1), length (>=14), complexity enabled, reversible encryption disabled. Weak password policy is the foundation of credential-stuffing, password spray, and offline-cracking attacks.
Finding: got "7", expected >=14
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block Adobe Reader from creating child processes
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C not configured (no ASR rules registered on host) → PDF macro -> shell
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block JS/VBScript launching downloaded executable content
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule D3E037E1-3EB8-44C8-A917-57927947596D not configured (no ASR rules registered on host) → T1059.007 / T1059.005 script droppers
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block Office apps creating executable content
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 3B576869-A4EC-4529-8536-B80A7769E899 not configured (no ASR rules registered on host) → T1566.001 Office dropper
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block Office apps from injecting code into other processes
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 not configured (no ASR rules registered on host) → process injection from Office
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block Office communication app child processes (Outlook)
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 26190899-1602-49E8-8B27-EB1D0A1CE869 not configured (no ASR rules registered on host) → Outlook -> shell drop
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block Win32 API calls from Office macros
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B not configured (no ASR rules registered on host) → T1106 Office macro Native API
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block abuse of exploited vulnerable signed drivers
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 56A863A9-875E-4185-98A7-B882C64B5CE5 not configured (no ASR rules registered on host) → BYOVD - bring-your-own-vulnerable-driver
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block all Office apps from creating child processes
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A not configured (no ASR rules registered on host) → T1059.005 Office macro -> cmd/PowerShell
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block exec content from email/webmail
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 not configured (no ASR rules registered on host) → T1566.001 spear-phish exec drop
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block execution of obfuscated scripts
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC not configured (no ASR rules registered on host) → T1027.010 obfuscated PS / VBS
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block persistence through WMI event subscription
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule E6DB77E5-3DF2-4CF1-B95A-636979351E5B not configured (no ASR rules registered on host) → T1546.003 WMI persistence
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block process creations from PSExec and WMI commands
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule D1E49AAC-8F56-4280-B9BA-993A6D77406C not configured (no ASR rules registered on host) → T1021.002 / T1047 lateral movement
AUD-WIN-THREAT-005 | HIGH
Microsoft Defender ASR rules not in Block mode → Block untrusted/unsigned processes from USB
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 not configured (no ASR rules registered on host) → T1091 USB malware drop
AUD-WIN-THREAT-003 | HIGH
Microsoft Defender Tamper Protection is OFF → TamperProtection
Get-MpComputerStatus.IsTamperProtected = False. Without Tamper Protection a local Administrator-token attacker can disable Defender entirely with a single PowerShell line (Set-MpPreference -DisableRealtimeMonitoring $true) → bypassing every other Defender hardening control. T1562.001 master-disable. Required by every modern hardening baseline (CIS, MS Baseline, DISA STIG).
Finding: IsTamperProtected=False. Enable via Windows Security UI > Virus & threat protection > Tamper Protection (or via Intune / MDE tenant attach for managed devices)
LLMNR EnableMulticast != 0 OR NetBT NodeType != 2 OR EnableNetbios != 0. Each gap is a Responder / Inveigh primitive: when a host can't resolve a name via DNS it broadcasts the question via LLMNR (UDP 5355) or NetBT (UDP 137), which an attacker on the same broadcast domain answers → capturing NTLMv2 challenge-response for offline crack OR relaying live to LDAP/SMB.
Finding: got , expected 0 (LLMNR disabled). Fix: Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -Value 0 -Type DWord
LLMNR EnableMulticast != 0 OR NetBT NodeType != 2 OR EnableNetbios != 0. Each gap is a Responder / Inveigh primitive: when a host can't resolve a name via DNS it broadcasts the question via LLMNR (UDP 5355) or NetBT (UDP 137), which an attacker on the same broadcast domain answers → capturing NTLMv2 challenge-response for offline crack OR relaying live to LDAP/SMB.
Finding: got , expected 0 (DNS client doesn't use NetBT fallback). Fix: Set-ItemProperty same path -Name EnableNetbios -Value 0 -Type DWord
AUD-WIN-PRIV-009 | HIGH
Privesc T1003.001: LSASS RunAsPPL not enabled → RunAsPPL
HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL = 1 protects LSASS as Protected Process Light, blocking Mimikatz-style credential dumps unless the attacker has signed kernel-driver primitive. Server 2016+ baseline: 1 (or 2 with UEFI lock).
Finding: Lsa\RunAsPPL = -2. Set to 1 (or 2 + UEFI lock) so LSASS runs as Protected Process Light
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = 1 disables UAC remote-token filtering, letting any local admin authenticate over the network with a non-filtered token. Default and CIS-required = 0.
Finding: LocalAccountTokenFilterPolicy = -2 (expected 0). Disables UAC remote-token filtering for local admins
Source: audit | Category: auth | Score: 8.0
WinServer2022-2.3.x | T1078.003
AUD-WIN-PRIV-006 | HIGH
Privesc: PowerShell v2 Optional Feature still installed → MicrosoftWindowsPowerShellV2
PowerShell v2 has no AMSI and no script-block logging. Adversaries invoke `powershell -Version 2 -Command ...` to bypass modern PowerShell logging entirely. Disable the MicrosoftWindowsPowerShellV2Root + V2 features.
Finding: PowerShell feature 'MicrosoftWindowsPowerShellV2' = Enabled → disable to remove the AMSI bypass surface
Enterprise Admins group should be empty outside of forest-level operations (schema upgrades / domain adds). Persistent members hold forest-wide privileges that cannot be reduced.
Finding: Enterprise Admins has persistent member 'Administrator' → should be empty outside forest-level operations
Schema Admins group should be empty outside of forest-level operations (schema upgrades / domain adds). Persistent members hold forest-wide privileges that cannot be reduced.
Finding: Schema Admins has persistent member 'Administrator' → should be empty outside forest-level operations
Source: audit | Category: auth | Score: 8.0
WinServer2022-2.2.x | T1078.002
AUD-WIN-LOG-004 | HIGH
Process Creation events missing command-line enrichment → ProcessCreationAudit
auditpol Process Creation = Success AND ProcessCreationIncludeCmdLine_Enabled = 1 must BOTH be set. Without the registry flag, 4688 events log only the executable path → useless for detection of LotL attacks where the binary is signed and the distinguishing payload is in the args (powershell -enc, mshta http://..., wmic process call create, etc.). KB3004375 Microsoft-recommended baseline.
Finding: auditpol 'Process Creation' subcategory not set to Success. Fix: auditpol /set /subcategory:"Process Creation" /success:enable
AUD-WIN-LOG-004 | HIGH
Process Creation events missing command-line enrichment → ProcessCreationIncludeCmdLine_Enabled
auditpol Process Creation = Success AND ProcessCreationIncludeCmdLine_Enabled = 1 must BOTH be set. Without the registry flag, 4688 events log only the executable path → useless for detection of LotL attacks where the binary is signed and the distinguishing payload is in the args (powershell -enc, mshta http://..., wmic process call create, etc.). KB3004375 Microsoft-recommended baseline.
Finding: registry flag != 1 → 4688 events log only executable path (no args). Fix: Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
AUD-WIN-NET-002 | HIGH
SMB signing not required (client and/or server) → ClientRequireSecuritySignature
SMB signing is the primary defense against NTLM-relay attacks targeting SMB sessions (SMBRelay, ntlmrelayx). Both client and server must require signing → if either negotiates 'optional', a relay attacker can downgrade the session and mount file shares as the victim. Default-on only on Win11 24H2 / Server 2025.
Finding: got False, expected True. Fix: Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
AUD-WIN-IDENT-012 | HIGH
Sensitive User-Rights privileges granted to non-admin principals → SeAssignPrimaryTokenPrivilege
One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -> Potato, SeDebug -> Mimikatz, SeBackup -> SAM dump, SeLoadDriver -> BYOVD).
Finding: SeAssignPrimaryTokenPrivilege → held by non-admin SID(s): cloudbase-init, *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415. After SeImpersonate, spawn SYSTEM processes; Administrators + service accounts only
AUD-WIN-IDENT-012 | HIGH
Sensitive User-Rights privileges granted to non-admin principals → SeBackupPrivilege
One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -> Potato, SeDebug -> Mimikatz, SeBackup -> SAM dump, SeLoadDriver -> BYOVD).
Finding: SeBackupPrivilege → held by non-admin SID(s): *S-1-5-32-549, *S-1-5-32-551. Read any file regardless of ACL (SAM/NTDS.dit dump); Administrators only
AUD-WIN-IDENT-012 | HIGH
Sensitive User-Rights privileges granted to non-admin principals → SeImpersonatePrivilege
One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -> Potato, SeDebug -> Mimikatz, SeBackup -> SAM dump, SeLoadDriver -> BYOVD).
Finding: SeImpersonatePrivilege → held by non-admin SID(s): *S-1-5-6. Potato-family attack vector (RoguePotato, JuicyPotato); Administrators + service accounts only
AUD-WIN-IDENT-012 | HIGH
Sensitive User-Rights privileges granted to non-admin principals → SeLoadDriverPrivilege
One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -> Potato, SeDebug -> Mimikatz, SeBackup -> SAM dump, SeLoadDriver -> BYOVD).
Finding: SeLoadDriverPrivilege → held by non-admin SID(s): *S-1-5-32-550. Load kernel drivers (BYOVD precondition); Administrators only
AUD-WIN-IDENT-012 | HIGH
Sensitive User-Rights privileges granted to non-admin principals → SeRestorePrivilege
One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -> Potato, SeDebug -> Mimikatz, SeBackup -> SAM dump, SeLoadDriver -> BYOVD).
Finding: SeRestorePrivilege → held by non-admin SID(s): *S-1-5-32-549, *S-1-5-32-551. Write any file regardless of ACL (ACL replacement); Administrators only
One or more UAC settings under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is below the hardening baseline. With UAC weakened (EnableLUA=0 the worst case) every privesc primitive that lives in user context immediately reaches SYSTEM via Administrator-group token granting. The six settings together model: UAC engine on, built-in Admin filtered, secure-desktop prompts, deny-silent for non-admins, installer heuristic on.
Finding: got , expected 2 (prompt on secure desktop)
One or more UAC settings under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is below the hardening baseline. With UAC weakened (EnableLUA=0 the worst case) every privesc primitive that lives in user context immediately reaches SYSTEM via Administrator-group token granting. The six settings together model: UAC engine on, built-in Admin filtered, secure-desktop prompts, deny-silent for non-admins, installer heuristic on.
Finding: got , expected 1 → built-in Administrator runs with full token by default; UAC bypass primitive
AUD-WIN-NET-004 | HIGH
Windows Defender Firewall posture below baseline → Domain-DefaultInboundAction
One or more firewall profiles (Domain, Private, Public) is disabled, defaults inbound to Allow, OR Public profile permits local rule additions (AllowLocalPolicyMerge=True → bypasses centralized policy). Composite check; each (profile, setting) gap is reported as a separate Item.
Finding: Profile Domain DefaultInboundAction="NotConfigured" (expected Block). Fix: Set-NetFirewallProfile -Name Domain -DefaultInboundAction Block
AUD-WIN-NET-004 | HIGH
Windows Defender Firewall posture below baseline → Private-DefaultInboundAction
One or more firewall profiles (Domain, Private, Public) is disabled, defaults inbound to Allow, OR Public profile permits local rule additions (AllowLocalPolicyMerge=True → bypasses centralized policy). Composite check; each (profile, setting) gap is reported as a separate Item.
Finding: Profile Private DefaultInboundAction="NotConfigured" (expected Block). Fix: Set-NetFirewallProfile -Name Private -DefaultInboundAction Block
AUD-WIN-NET-004 HIGH
Windows Defender Firewall posture below baseline: Public-DefaultInboundAction
One or more firewall profiles (Domain, Private, Public) is disabled, defaults inbound to Allow, or the Public profile permits local rule additions (AllowLocalPolicyMerge=True, which bypasses centralized policy). Composite check; each (profile, setting) gap is reported as a separate item.
Finding: Profile Public DefaultInboundAction="NotConfigured" (expected Block). Fix: Set-NetFirewallProfile -Name Public -DefaultInboundAction Block
AUD-WIN-LOG-002 HIGH
Windows audit policy critical subcategories below baseline: Security Group Management
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class; see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Security Group Management' = "No Auditing" (expected one of: "Success", "Success and Failure"). 4728/4732 - admin-group escalation (T1098, T1078.003) invisible. Fix: auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
AUD-WIN-LOG-002 HIGH
Windows audit policy critical subcategories below baseline: Security State Change
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class; see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Security State Change' = "No Auditing" (expected one of: "Success", "Success and Failure"). 4608/4616 - system time change (T1070.006 Timestomp) invisible. Fix: auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
AUD-WIN-LOG-002 HIGH
Windows audit policy critical subcategories below baseline: Sensitive Privilege Use
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class; see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Sensitive Privilege Use' = "No Auditing" (expected "Success and Failure"). 4673/4674 - SeDebug, SeBackup, SeRestore abuse (T1134, T1003) invisible. Fix: auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
AUD-WIN-LOG-002 HIGH
Windows audit policy critical subcategories below baseline: Special Logon
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class; see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Special Logon' = "No Auditing" (expected one of: "Success", "Success and Failure"). 4672 SeDebugPrivilege grant on logon - admin creep undetected. Fix: auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
AUD-WIN-LOG-002 HIGH
Windows audit policy critical subcategories below baseline: System Integrity
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class; see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'System Integrity' = "No Auditing" (expected "Success and Failure"). 4612/4618 - audit log buffer issues, integrity violations invisible. Fix: auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
AUD-WIN-LOG-002 HIGH
Windows audit policy critical subcategories below baseline: User Account Management
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class; see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'User Account Management' = "No Auditing" (expected "Success and Failure"). 4720/4722/4738 - backdoor account creation (T1136.001) invisible. Fix: auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
AUD-WIN-IDENT-004 MEDIUM
Account lockout policy is below CIS / DISA STIG baseline: LockoutDuration
Lockout threshold is 0 (no lockout), duration too short, or the modern AllowAdministratorLockout setting is not enabled. Without effective lockout the built-in Administrator (RID 500) becomes a free spray target: every attempt costs the attacker one HTTP/SMB request and there is no defender feedback loop.
Finding: got "" minutes, expected >=15
AUD-WIN-IDENT-006 MEDIUM
Anonymous (null-session) restrictions deviate from CIS / DISA STIG: NullSessionPipes
One or more LSA / LanmanServer settings that govern anonymous network access (null sessions to SAM, shares, and named pipes) is below baseline. These are the recon primitives every BloodHound-style enumeration depends on. Even when defaults are hardened, legacy compat scripts and downgrade attacks routinely re-open them.
Finding: non-empty: netlogon,samr,lsarpc - each pipe is reachable without auth (legacy SQL/MSDTC compat)
AUD-WIN-INTEG-004 MEDIUM
Application Control (WDAC / Smart App Control) not enforced: ApplicationControl
Windows Defender Application Control (WDAC) UMCI / KMCI policy is not Enforced AND Smart App Control is not On. Without either, every signed binary on disk is permitted to run; application-level allowlisting is absent. CIS strict + MS Security Baseline strongly recommend enforced WDAC for managed endpoints.
Finding: Application Control fully off (UMCI=0, KMCI=0, SAC=)
NoDriveTypeAutoRun != 255 OR NoAutorun != 1 OR NoAutoplayfornonVolume != 1. Any of these allows USB-borne payloads to execute when the drive is inserted: the Conficker / Stuxnet / BadUSB delivery vector. Modern Windows reduced the surface but explicit hardening is required by CIS, DISA STIG, and MS baseline.
Finding: got "", expected 1 (disable AutoRun command globally). Fix: same path -Name NoAutorun -Value 1 -Type DWord
NoDriveTypeAutoRun != 255 OR NoAutorun != 1 OR NoAutoplayfornonVolume != 1. Any of these allows USB-borne payloads to execute when the drive is inserted: the Conficker / Stuxnet / BadUSB delivery vector. Modern Windows reduced the surface but explicit hardening is required by CIS, DISA STIG, and MS baseline.
Finding: got "", expected 255 (0xFF - disable AutoRun on all drive types). Fix: Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun -Value 255 -Type DWord
CachedLogonsCount > 4 OR DisableDomainCreds != 1. Cached credentials live in HKLM:\SECURITY as MSCache hashes; an attacker post-compromise can extract them with `secretsdump.py` and crack offline (T1003.005). High-value workstations should cap at 4 and tier-0 hosts at 0. Note: setting to 0 breaks offline domain logon; verify the host has reliable DC connectivity before hardening.
Finding: CachedLogonsCount="10" (default 10), CIS L2 recommends <=4. Fix: Set-ItemProperty 'HKLM:\..\Winlogon' -Name CachedLogonsCount -Value '4'
AUD-WIN-DC-007 MEDIUM
DC hardening: LDAP simple-bind audit not enabled: 16 LDAP Interface Events
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\"16 LDAP Interface Events" ≥ 2 logs simple binds (events 2887/2888/2889) so the operator can identify clients still authenticating without TLS before enforcing DC-001/002. Default 0 = silent.
Finding: NTDS Diagnostics '16 LDAP Interface Events' = 0. Set to 2 to log simple-bind events 2887/2888/2889 before enforcing channel binding
Source: audit | Category: logging | Score: 5.0
WinServer2022-17.x
AUD-WIN-DCH-009 MEDIUM
DC hardening: NTLM inbound not restricted or audited: AuditReceivingNTLMTraffic
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic = 1 audits inbound NTLM, 2 denies. AuditReceivingNTLMTraffic = 2 logs every NTLM use. Unset (0) is silent and accepting; a DC accepting NTLM blindly is the relay sink.
Finding: AuditReceivingNTLMTraffic = -1 (expected 2 = full audit)
Source: audit | Category: network | Score: 5.0
WinServer2022-2.3.11.x | T1557.001
AUD-WIN-DCH-009 MEDIUM
DC hardening: NTLM inbound not restricted or audited: RestrictReceivingNTLMTraffic
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic = 1 audits inbound NTLM, 2 denies. AuditReceivingNTLMTraffic = 2 logs every NTLM use. Unset (0) is silent and accepting; a DC accepting NTLM blindly is the relay sink.
Finding: RestrictReceivingNTLMTraffic = -1 (expected ≥ 1 audit, 2 deny)
Source: audit | Category: network | Score: 5.0
WinServer2022-2.3.11.x | T1557.001
AUD-WIN-DCH-002 MEDIUM
DC hardening: Point-and-Print not restricted to administrators: UpdatePromptSettings
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint requires:
RestrictDriverInstallationToAdministrators = 1
NoWarningNoElevationOnInstall = 0
UpdatePromptSettings = 0
Without these, any user can install a driver; this is the same primitive PrintNightmare uses for SYSTEM RCE.
Finding: UpdatePromptSettings = -1 (expected 0)
MAPSReporting != 2 (cloud not engaged), SubmitSamplesConsent disabled (no sample upload, so cloud lookup misses), CloudBlockLevel below baseline, OR signatures > 24h stale. Each gap reduces Defender's catch rate against new / polymorphic malware that's caught by cloud-side reputation rather than local definitions.
Finding: set to 0 (Default - least blocking). CIS / MS Baseline recommend 2 (High) minimum
MAPSReporting != 2 (cloud not engaged), SubmitSamplesConsent disabled (no sample upload, so cloud lookup misses), CloudBlockLevel below baseline, OR signatures > 24h stale. Each gap reduces Defender's catch rate against new / polymorphic malware that's caught by cloud-side reputation rather than local definitions.
Finding: set to 2 (Never send) - block-at-first-sight cannot escalate to cloud verdict
Security / Application / System / PowerShell / Sysmon channels have MaxSizeInBytes below baseline OR LogMode set to Retain (rejects new events when full; T1562.002 effective DoS). Under attack volume, an undersized Security log rotates out within minutes; investigators lose the IOC timeline.
Finding: Application MaxSize = 20971520 bytes (20 MB), expected >= 67108864 bytes (64 MB)
Security / Application / System / PowerShell / Sysmon channels have MaxSizeInBytes below baseline OR LogMode set to Retain (rejects new events when full; T1562.002 effective DoS). Under attack volume, an undersized Security log rotates out within minutes; investigators lose the IOC timeline.
Finding: Microsoft-Windows-PowerShell/Operational MaxSize = 15728640 bytes (15 MB), expected >= 67108864 bytes (64 MB)
Security / Application / System / PowerShell / Sysmon channels have MaxSizeInBytes below baseline OR LogMode set to Retain (rejects new events when full; T1562.002 effective DoS). Under attack volume, an undersized Security log rotates out within minutes; investigators lose the IOC timeline.
Finding: System MaxSize = 20971520 bytes (20 MB), expected >= 67108864 bytes (64 MB)
AUD-WIN-INTEG-003 MEDIUM
Kernel DMA Protection enumeration policy not set to Block all: DeviceEnumerationPolicy
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy != 0. Without it, a Thunderbolt / PCIe / external GPU plugged in by a physical attacker can DMA-read kernel memory, extracting LSASS credentials and bypassing Credential Guard. PCILeech / ChimeraTools / Inception.
Finding: registry value not set; explicit 0 required for hardening compliance. Fix: New-Item / Set-ItemProperty under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection
HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\LDAPClientIntegrity is not set to 2 (Require signing). Without enforced signing, LDAP simple-bind credentials and query responses can be intercepted / NTLM-relayed. Microsoft advisory ADV190023 made this the post-2020 baseline.
Finding: set to 1 (Negotiate); CIS / DISA STIG require 2 (Require signing). Fix: Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' -Name LDAPClientIntegrity -Value 2 -Type DWord
AUD-WIN-THREAT-005 MEDIUM
Microsoft Defender ASR rules not in Block mode: Block executables not meeting prevalence/age (ISG)
One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable < 30 days as a rollout transition; Disabled / Warn / not-listed is fail.
Finding: rule 01443614-CD74-433A-B99E-2ECDC07BFC25 not configured (no ASR rules registered on host) - fresh polymorphic blocks via cloud rep
AUD-WIN-THREAT-001 MEDIUM
Microsoft Defender engine pillar(s) disabled: DisableRemovableDriveScanning
One or more of the seven Get-MpPreference Disable* flags is True. Each corresponds to a Defender pillar (real-time scan, behavior monitor, AMSI script inspection, archive scan, USB scan, NIS network inspection). T1562.001: a single attacker primitive disables one or more of these to blind defense before exec.
Finding: DisableRemovableDriveScanning=True - USB drives not scanned on insert. Fix: Set-MpPreference -DisableRemovableDriveScanning $false
RestrictSendingNTLMTraffic is missing or 0 (host happily initiates NTLM to any attacker-controlled SMB/HTTP/LDAP target: the classic relay primitive) AND/OR AuditReceivingNTLMTraffic != 2 (no log trail for incoming NTLM auth attempts, making relay/spray invisible).
Finding: got "", expected 1 (Audit) or 2 (Deny all). Without this, host initiates NTLM to any target - primary NTLM-relay primitive
LLMNR EnableMulticast != 0 OR NetBT NodeType != 2 OR EnableNetbios != 0. Each gap is a Responder / Inveigh primitive: when a host can't resolve a name via DNS it broadcasts the question via LLMNR (UDP 5355) or NetBT (UDP 137), which an attacker on the same broadcast domain answers, capturing NTLMv2 challenge-response for offline crack OR relaying live to LDAP/SMB.
Finding: got "", expected 2 (P-node - only WINS, no broadcast NBT-NS). Fix: Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name NodeType -Value 2 -Type DWord
HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0 (default) allows RDP restricted-admin mode. With it enabled an attacker can pass-the-hash over RDP. CIS-hardened: 1.
Finding: DisableRestrictedAdminOutboundCreds = 0 (expected 1)
Get-WinEvent finds recent occurrences of canonical tamper IDs: 1102 (Security log cleared), 4719 (audit policy changed), 104 (other log cleared). 1102 within 30 days on a non-rebuild host is a near-immediate IOC: Mimikatz / impacket-secretsdump / standard ransomware playbook clears the audit log to hide activity (T1070.001).
Finding: 57 audit-policy-change event(s) in last 30 days - abnormal volume. Review against change-control records; T1562.002 candidate
Source: audit | Category: integrity | Score: 5.0
AU-9 | SI-7 | T1070.001 | T1562.002
AUD-WIN-LOG-006 MEDIUM
Sysmon not installed / not configured: SysmonInstalled
Microsoft Sysmon (Sysinternals) is not installed, not running, or running with default config (no rules, so virtually no detection). Sysmon is the canonical host-side telemetry source for ATT&CK Execution / Defense Evasion / Credential Access detection. SwiftOnSecurity sysmon-config or Olaf Hartong sysmon-modular are the standard reference configs.
Finding: Sysmon service is absent or stopped. Install from sysinternals.com and configure with SwiftOnSecurity sysmon-config or Olaf Hartong sysmon-modular (github.com/SwiftOnSecurity/sysmon-config, github.com/olafhartong/sysmon-modular)
Source: audit | Category: logging | Score: 5.0
AU-2 | SI-4 | T1562.001
AUD-WIN-NET-005 MEDIUM
WPAD service not disabled (proxy-poisoning surface): WinHttpAutoProxySvc
WinHttpAutoProxySvc is not Disabled (Start != 4). When WPAD is on, browsers and any WinHTTP consumer query DNS/LLMNR/NetBT for `wpad.<suffix>`. Responder answers, injects a malicious proxy, and captures the host's HTTP NTLM challenge: the primary input for ntlmrelayx.py / Inveigh. Microsoft's own hardening guidance recommends disabling WPAD on managed endpoints.
Finding: service can resolve WPAD queries via DNS/LLMNR/NetBT - Responder primitive. Fix: Set-Service -Name WinHttpAutoProxySvc -StartupType Disabled; Stop-Service WinHttpAutoProxySvc
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class; see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Account Lockout' = "No Auditing" (expected one of: "Success", "Failure", "Success and Failure"). 4740 lockout signal - password spray detection blind. Fix: auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
AUD-WIN-LOG-002 MEDIUM
Windows audit policy critical subcategories below baseline: Other Logon/Logoff Events
auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class; see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.
Finding: 'Other Logon/Logoff Events' = "No Auditing" (expected one of: "Success", "Success and Failure"). 4648 explicit credentials - runas / Pass-the-Hash detection (T1550.002) invisible. Fix: auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
AUD-WIN-IDENT-004 LOW
Account lockout policy is below CIS / DISA STIG baseline: ResetLockoutCount
Lockout threshold is 0 (no lockout), duration too short, or the modern AllowAdministratorLockout setting is not enabled. Without effective lockout the built-in Administrator (RID 500) becomes a free spray target: every attempt costs the attacker one HTTP/SMB request and there is no defender feedback loop.
Finding: got "" minutes, expected >=15 (window before bad-count counter resets)
NoDriveTypeAutoRun != 255 OR NoAutorun != 1 OR NoAutoplayfornonVolume != 1. Any of these allows USB-borne payloads to execute when the drive is inserted: the Conficker / Stuxnet / BadUSB delivery vector. Modern Windows reduced the surface but explicit hardening is required by CIS, DISA STIG, and MS baseline.
Finding: got "", expected 1 (disable AutoPlay for MTP / non-volume devices)
CachedLogonsCount > 4 OR DisableDomainCreds != 1. Cached credentials live in HKLM:\SECURITY as MSCache hashes; an attacker post-compromise can extract them with `secretsdump.py` and crack offline (T1003.005). High-value workstations should cap at 4 and tier-0 hosts at 0. Note: setting to 0 breaks offline domain logon; verify the host has reliable DC connectivity before hardening.
Finding: DisableDomainCreds not set on domain-joined host. CIS L2 recommends 1; breaks scheduled tasks that store creds (assess before applying)
One or more UAC settings under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are below the hardening baseline. With UAC weakened (EnableLUA=0 is the worst case), every privesc primitive that lives in user context immediately reaches SYSTEM via Administrator-group token granting. The six settings together model: UAC engine on, built-in Administrator filtered, secure-desktop prompts, deny-silent for non-admins, installer heuristic on.
Finding: got 3, CIS recommends 0 (deny standard-user elevation requests silently - no credentials prompt)