{
  "tool": "obexum",
  "version": "0.1.0-dev",
  "scan": {
    "id": "85beab58-0816-4f8b-bf47-613a8dffe587",
    "started_at": "2026-04-28T01:38:08.28069561Z",
    "ended_at": "2026-04-28T01:38:08.291210661Z",
    "target": {
      "type": "ssh",
      "name": "obexum-dc",
      "host": "208.84.101.79",
      "meta": {
        "port": "22",
        "user": "Administrator"
      }
    },
    "scanners": [],
    "counts": {
      "total": 161,
      "critical": 22,
      "high": 104,
      "important": 0,
      "medium": 30,
      "low": 5
    },
    "status": "completed",
    "patch_compliance": {
      "last_security_update_days_ago": -1,
      "unpatched_critical": 0,
      "unpatched_high": 0,
      "unpatched_important": 0,
      "unpatched_medium": 0,
      "unpatched_low": 0,
      "unpatched_kev_active": 0,
      "unpatched_kev_overdue": 0
    }
  },
  "findings": [
    {
      "id": "cfb55aef-d605-445a-b324-c8c22a0a872a",
      "fingerprint": "b95f4e117720b83b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-001",
      "title": "NTLM authentication crypto strength below baseline — LmCompatibilityLevel",
      "description": "LmCompatibilityLevel \u003c 5 OR NTLMMinClientSec / NTLMMinServerSec missing the required 0x20080000 flags (NTLMv2 + 128-bit + integrity + confidentiality). With LM / NTLMv1 fallback enabled, captured challenge-response is crackable in minutes via rainbow tables; without integrity/confidentiality flags, NTLM relay to LDAP/SMB/RPC succeeds without signing.\n\nFinding: got \"\", expected 5 (Send NTLMv2 only / Refuse LM \u0026 NTLMv1). Default unset = level 3 on most Server SKUs (still allows NTLMv1 outbound).",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa + Lsa\\MSV1_0 (multi-key)\nLmCompatibilityLevel=\"\" NTLMMinClientSec=\"536870912\" NTLMMinServerSec=\"536870912\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa + Lsa\\MSV1_0 (multi-key)\nLmCompatibilityLevel=\"\" NTLMMinClientSec=\"536870912\" NTLMMinServerSec=\"536870912\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.9"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.10"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.11.7"
        },
        {
          "type": "nist-800-53",
          "id": "IA-7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-13"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000220"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000230"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "cwe",
          "id": "CWE-326"
        },
        {
          "type": "cwe",
          "id": "CWE-327"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.166901232Z",
      "last_seen": "2026-04-28T01:41:56.166901232Z",
      "status": "OPEN"
    },
    {
      "id": "082b514c-21c4-47ee-aa6a-534e584c1c5d",
      "fingerprint": "b95f4e117720b83b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-001",
      "title": "NTLM authentication crypto strength below baseline — NTLMMinClientSec",
      "description": "LmCompatibilityLevel \u003c 5 OR NTLMMinClientSec / NTLMMinServerSec missing the required 0x20080000 flags (NTLMv2 + 128-bit + integrity + confidentiality). With LM / NTLMv1 fallback enabled, captured challenge-response is crackable in minutes via rainbow tables; without integrity/confidentiality flags, NTLM relay to LDAP/SMB/RPC succeeds without signing.\n\nFinding: got \"536870912\", expected \u003e=537395200 (0x20080000 — NTLMv2 + 128-bit + integrity + confidentiality)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa + Lsa\\MSV1_0 (multi-key)\nLmCompatibilityLevel=\"\" NTLMMinClientSec=\"536870912\" NTLMMinServerSec=\"536870912\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa + Lsa\\MSV1_0 (multi-key)\nLmCompatibilityLevel=\"\" NTLMMinClientSec=\"536870912\" NTLMMinServerSec=\"536870912\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.9"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.10"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.11.7"
        },
        {
          "type": "nist-800-53",
          "id": "IA-7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-13"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000220"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000230"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "cwe",
          "id": "CWE-326"
        },
        {
          "type": "cwe",
          "id": "CWE-327"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.166933321Z",
      "last_seen": "2026-04-28T01:41:56.166933321Z",
      "status": "OPEN"
    },
    {
      "id": "1fc0060c-5e9b-4271-9917-a4b19d70f4cb",
      "fingerprint": "b95f4e117720b83b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-001",
      "title": "NTLM authentication crypto strength below baseline — NTLMMinServerSec",
      "description": "LmCompatibilityLevel \u003c 5 OR NTLMMinClientSec / NTLMMinServerSec missing the required 0x20080000 flags (NTLMv2 + 128-bit + integrity + confidentiality). With LM / NTLMv1 fallback enabled, captured challenge-response is crackable in minutes via rainbow tables; without integrity/confidentiality flags, NTLM relay to LDAP/SMB/RPC succeeds without signing.\n\nFinding: got \"536870912\", expected \u003e=537395200 (0x20080000)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa + Lsa\\MSV1_0 (multi-key)\nLmCompatibilityLevel=\"\" NTLMMinClientSec=\"536870912\" NTLMMinServerSec=\"536870912\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa + Lsa\\MSV1_0 (multi-key)\nLmCompatibilityLevel=\"\" NTLMMinClientSec=\"536870912\" NTLMMinServerSec=\"536870912\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.9"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.10"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.11.7"
        },
        {
          "type": "nist-800-53",
          "id": "IA-7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-13"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000220"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000230"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "cwe",
          "id": "CWE-326"
        },
        {
          "type": "cwe",
          "id": "CWE-327"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.166963884Z",
      "last_seen": "2026-04-28T01:41:56.166963884Z",
      "status": "OPEN"
    },
    {
      "id": "bd1f53be-d9f1-42f4-bf35-449896753073",
      "fingerprint": "1069d7502ff74d8a",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-INTEG-002",
      "title": "Boot integrity below baseline (Secure Boot / TPM / ELAM) — SecureBoot",
      "description": "One or more boot-chain integrity controls are not at the hardening baseline: Secure Boot disabled (unsigned bootloader can run pre-OS), TPM absent / not activated / not version 2.0 (Credential Guard + measured boot impossible), or early-launch anti-malware (ELAM) driver-load policy permissive. Together these protect against pre-OS rootkits + boot-time tampering.\n\nFinding: Confirm-SecureBootUEFI failed (ERR:Cmdlet not supported on this platform: 0xC0000002) — likely BIOS/legacy boot mode; UEFI required for Secure Boot",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Confirm-SecureBootUEFI + Get-Tpm + Win32_Tpm + ELAM registry\nSB=\"ERR:Cmdlet not supported on this platform: 0xC0000002\" TpmPresent=\"False\" Ready=\"False\" Enabled=\"False\" Activated=\"False\" SpecVer=\"\" ELAM=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Confirm-SecureBootUEFI + Get-Tpm + Win32_Tpm + ELAM registry\nSB=\"ERR:Cmdlet not supported on this platform: 0xC0000002\" TpmPresent=\"False\" Ready=\"False\" Enabled=\"False\" Activated=\"False\" SpecVer=\"\" ELAM=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.13.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.11.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.10.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.11.2.1"
        },
        {
          "type": "nist-800-53",
          "id": "SI-7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-39"
        },
        {
          "type": "disa-stig",
          "id": "WN22-OO-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-OO-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1542.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1014"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.167023965Z",
      "last_seen": "2026-04-28T01:41:56.167023965Z",
      "status": "OPEN"
    },
    {
      "id": "787e4b81-535f-492d-b772-5aea56fd537f",
      "fingerprint": "1069d7502ff74d8a",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-INTEG-002",
      "title": "Boot integrity below baseline (Secure Boot / TPM / ELAM) — TPMPresent",
      "description": "One or more boot-chain integrity controls are not at the hardening baseline: Secure Boot disabled (unsigned bootloader can run pre-OS), TPM absent / not activated / not version 2.0 (Credential Guard + measured boot impossible), or early-launch anti-malware (ELAM) driver-load policy permissive. Together these protect against pre-OS rootkits + boot-time tampering.\n\nFinding: TPM not present — Credential Guard, measured boot, BitLocker TPM-bind impossible. On VMs add a virtual TPM (vTPM) device; on physical hosts add a discrete TPM module",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Confirm-SecureBootUEFI + Get-Tpm + Win32_Tpm + ELAM registry\nSB=\"ERR:Cmdlet not supported on this platform: 0xC0000002\" TpmPresent=\"False\" Ready=\"False\" Enabled=\"False\" Activated=\"False\" SpecVer=\"\" ELAM=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Confirm-SecureBootUEFI + Get-Tpm + Win32_Tpm + ELAM registry\nSB=\"ERR:Cmdlet not supported on this platform: 0xC0000002\" TpmPresent=\"False\" Ready=\"False\" Enabled=\"False\" Activated=\"False\" SpecVer=\"\" ELAM=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.13.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.11.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.10.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.11.2.1"
        },
        {
          "type": "nist-800-53",
          "id": "SI-7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-39"
        },
        {
          "type": "disa-stig",
          "id": "WN22-OO-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-OO-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1542.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1014"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.167058606Z",
      "last_seen": "2026-04-28T01:41:56.167058606Z",
      "status": "OPEN"
    },
    {
      "id": "b87ce98b-45b1-46d0-9486-72645af686e0",
      "fingerprint": "141ec248b9cabb69",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-002",
      "title": "NTLM outbound restriction / inbound audit not configured — RestrictSendingNTLMTraffic",
      "description": "RestrictSendingNTLMTraffic is missing or 0 (host happily initiates NTLM to any attacker-controlled SMB/HTTP/LDAP target — classic relay primitive) AND/OR AuditReceivingNTLMTraffic != 2 (no log trail for incoming NTLM auth attempts, making relay/spray invisible).\n\nFinding: got \"\", expected 1 (Audit) or 2 (Deny all). Without this, the host initiates NTLM to any target — primary NTLM-relay primitive",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa\\MSV1_0 (RestrictSendingNTLMTraffic, AuditReceivingNTLMTraffic)\nRestrictSendingNTLMTraffic=\"\" AuditReceivingNTLMTraffic=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa\\MSV1_0 (RestrictSendingNTLMTraffic, AuditReceivingNTLMTraffic)\nRestrictSendingNTLMTraffic=\"\" AuditReceivingNTLMTraffic=\"\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.11"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.13"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1187"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.167112616Z",
      "last_seen": "2026-04-28T01:41:56.167112616Z",
      "status": "OPEN"
    },
    {
      "id": "b7484f72-5831-45ad-993b-dfb7cde3ebc5",
      "fingerprint": "141ec248b9cabb69",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-002",
      "title": "NTLM outbound restriction / inbound audit not configured — AuditReceivingNTLMTraffic",
      "description": "RestrictSendingNTLMTraffic is missing or 0 (host happily initiates NTLM to any attacker-controlled SMB/HTTP/LDAP target — classic relay primitive) AND/OR AuditReceivingNTLMTraffic != 2 (no log trail for incoming NTLM auth attempts, making relay/spray invisible).\n\nFinding: got \"\", expected 2 (Audit all). Without this, NTLM relay attempts and password spray leave no Event Log trail",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa\\MSV1_0 (RestrictSendingNTLMTraffic, AuditReceivingNTLMTraffic)\nRestrictSendingNTLMTraffic=\"\" AuditReceivingNTLMTraffic=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa\\MSV1_0 (RestrictSendingNTLMTraffic, AuditReceivingNTLMTraffic)\nRestrictSendingNTLMTraffic=\"\" AuditReceivingNTLMTraffic=\"\""
        }
      ],
      "severity": "LOW",
      "confidence": "OBSERVED",
      "scores": {
        "context": 2.5,
        "final": 2.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.11"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.13"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1187"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.167128752Z",
      "last_seen": "2026-04-28T01:41:56.167128752Z",
      "status": "OPEN"
    },
    {
      "id": "15b39dd8-2a9d-46fe-982e-2a157ded258f",
      "fingerprint": "4c84c1c3005f92f1",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-003",
      "title": "LDAP client signing not required (LDAPClientIntegrity != 2) — LDAPClientIntegrity",
      "description": "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LDAP\\LDAPClientIntegrity is not set to 2 (Require signing). Without enforced signing, LDAP simple-bind credentials and query responses can be intercepted / NTLM-relayed. Microsoft advisory ADV190023 made this the post-2020 baseline.\n\nFinding: set to 1 (Negotiate); CIS / DISA STIG require 2 (Require signing). Fix: Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LDAP' -Name LDAPClientIntegrity -Value 2 -Type DWord",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ (Get-ItemProperty Services\\LDAP).LDAPClientIntegrity\nLDAPClientIntegrity=\"1\""
        },
        {
          "kind": "audit_probe",
          "content": "$ (Get-ItemProperty Services\\LDAP).LDAPClientIntegrity\nLDAPClientIntegrity=\"1\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.8"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.11.8"
        },
        {
          "type": "nist-800-53",
          "id": "SC-8"
        },
        {
          "type": "nist-800-53",
          "id": "SC-23"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000200"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "cwe",
          "id": "CWE-300"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.167162346Z",
      "last_seen": "2026-04-28T01:41:56.167162346Z",
      "status": "OPEN"
    },
    {
      "id": "079443e9-55e0-4fa0-bba9-e095e9e83d58",
      "fingerprint": "a7552de316f6b0c5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-INTEG-003",
      "title": "Kernel DMA Protection enumeration policy not set to Block all — DeviceEnumerationPolicy",
      "description": "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Kernel DMA Protection\\DeviceEnumerationPolicy != 0. Without it, a Thunderbolt / PCIe / external GPU plugged in by a physical attacker can DMA-read kernel memory, extracting LSASS credentials and bypassing Credential Guard. PCILeech / ChimeraTools / Inception.\n\nFinding: registry value not set; explicit 0 required for hardening compliance. Fix: New-Item / Set-ItemProperty under HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Kernel DMA Protection",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Kernel DMA Protection key\nKeyExists=\"False\" DeviceEnumerationPolicy=\"\" RequiredSecurityProperties=\"0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Kernel DMA Protection key\nKeyExists=\"False\" DeviceEnumerationPolicy=\"\" RequiredSecurityProperties=\"0\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.24.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.7.1"
        },
        {
          "type": "nist-800-53",
          "id": "PE-3"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "mitre-attack",
          "id": "T1200"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.167195142Z",
      "last_seen": "2026-04-28T01:41:56.167195142Z",
      "status": "OPEN"
    },
    {
      "id": "9438ab0b-1778-452b-ad71-e9678924e907",
      "fingerprint": "b24df21a59996dd8",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-004",
      "title": "Credential Guard / HVCI / VBS not running — VirtualizationBasedSecurity",
      "description": "VBS reports VirtualizationBasedSecurityStatus != 2 (not running) OR Credential Guard (svc 1) / HVCI (svc 2) is not in SecurityServicesRunning. Without VBS, LSASS lives in regular kernel memory and can be read by any kernel-mode attacker (e.g. via a bring-your-own signed driver, BYOVD). HVCI prevents unsigned kernel code from running. Both are required for modern adversary defense per Microsoft Security Baseline.\n\nFinding: VirtualizationBasedSecurityStatus = 0 (expected 2 = Running). Without VBS, Credential Guard / HVCI cannot isolate LSASS / kernel code",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-CimInstance Win32_DeviceGuard (root\\Microsoft\\Windows\\DeviceGuard)\nVBSStatus=\"0\" ConfiguredServices=\"0\" RunningServices=\"0\" UMCIPolicy=\"0\" CIPolicy=\"0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-CimInstance Win32_DeviceGuard (root\\Microsoft\\Windows\\DeviceGuard)\nVBSStatus=\"0\" ConfiguredServices=\"0\" RunningServices=\"0\" UMCIPolicy=\"0\" CIPolicy=\"0\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.5"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.4"
        },
        {
          "type": "nist-800-53",
          "id": "SC-39"
        },
        {
          "type": "nist-800-53",
          "id": "SI-7(8)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000070"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000080"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1014"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.167237828Z",
      "last_seen": "2026-04-28T01:41:56.167237828Z",
      "status": "OPEN"
    },
    {
      "id": "450d558f-2178-4128-87fc-8c00bf803493",
      "fingerprint": "b24df21a59996dd8",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-004",
      "title": "Credential Guard / HVCI / VBS not running — CredentialGuard",
      "description": "VBS reports VirtualizationBasedSecurityStatus != 2 (not running) OR Credential Guard (svc 1) / HVCI (svc 2) is not in SecurityServicesRunning. Without VBS, LSASS lives in regular kernel memory and can be read by any kernel-mode attacker (e.g. via a bring-your-own signed driver, BYOVD). HVCI prevents unsigned kernel code from running. Both are required for modern adversary defense per Microsoft Security Baseline.\n\nFinding: Credential Guard not in SecurityServicesRunning — LSASS not isolated; Mimikatz / pypykatz can extract NTLM hashes and Kerberos tickets",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-CimInstance Win32_DeviceGuard (root\\Microsoft\\Windows\\DeviceGuard)\nVBSStatus=\"0\" ConfiguredServices=\"0\" RunningServices=\"0\" UMCIPolicy=\"0\" CIPolicy=\"0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-CimInstance Win32_DeviceGuard (root\\Microsoft\\Windows\\DeviceGuard)\nVBSStatus=\"0\" ConfiguredServices=\"0\" RunningServices=\"0\" UMCIPolicy=\"0\" CIPolicy=\"0\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.5"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.4"
        },
        {
          "type": "nist-800-53",
          "id": "SC-39"
        },
        {
          "type": "nist-800-53",
          "id": "SI-7(8)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000070"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000080"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1014"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.167261596Z",
      "last_seen": "2026-04-28T01:41:56.167261596Z",
      "status": "OPEN"
    },
    {
      "id": "45d39ff4-2843-42f2-a307-ca6a58dc4c2a",
      "fingerprint": "b24df21a59996dd8",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-CRYPTO-004",
      "title": "Credential Guard / HVCI / VBS not running — HVCI",
      "description": "VBS reports VirtualizationBasedSecurityStatus != 2 (not running) OR Credential Guard (svc 1) / HVCI (svc 2) is not in SecurityServicesRunning. Without VBS, LSASS lives in regular kernel memory and can be read by any kernel-mode attacker (e.g. via a bring-your-own signed driver, BYOVD). HVCI prevents unsigned kernel code from running. Both are required for modern adversary defense per Microsoft Security Baseline.\n\nFinding: HVCI / Memory Integrity not in SecurityServicesRunning — unsigned kernel drivers can load (BYOVD attack surface)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-CimInstance Win32_DeviceGuard (root\\Microsoft\\Windows\\DeviceGuard)\nVBSStatus=\"0\" ConfiguredServices=\"0\" RunningServices=\"0\" UMCIPolicy=\"0\" CIPolicy=\"0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-CimInstance Win32_DeviceGuard (root\\Microsoft\\Windows\\DeviceGuard)\nVBSStatus=\"0\" ConfiguredServices=\"0\" RunningServices=\"0\" UMCIPolicy=\"0\" CIPolicy=\"0\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.5"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.4"
        },
        {
          "type": "nist-800-53",
          "id": "SC-39"
        },
        {
          "type": "nist-800-53",
          "id": "SI-7(8)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000070"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000080"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1014"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.167304861Z",
      "last_seen": "2026-04-28T01:41:56.167304861Z",
      "status": "OPEN"
    },
    {
      "id": "2a10b866-9db5-4d60-870f-d3f66257208b",
      "fingerprint": "a0111b0886519253",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-INTEG-004",
      "title": "Application Control (WDAC / Smart App Control) not enforced — ApplicationControl",
      "description": "Windows Defender Application Control (WDAC) UMCI / KMCI policy is not Enforced AND Smart App Control is not On. Without either, every signed binary on disk is permitted to run — application-level allowlisting absent. CIS strict + MS Security Baseline strongly recommend enforced WDAC for managed endpoints.\n\nFinding: Application Control fully off (UMCI=0, KMCI=0, SAC=)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Win32_DeviceGuard CIM + Get-MpComputerStatus.SmartAppControlState\nUMCIPolicy=\"0\" KMCIPolicy=\"0\" SmartAppControl=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Win32_DeviceGuard CIM + Get-MpComputerStatus.SmartAppControlState\nUMCIPolicy=\"0\" KMCIPolicy=\"0\" SmartAppControl=\"\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.5.x"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.4.x"
        },
        {
          "type": "nist-800-53",
          "id": "CM-7"
        },
        {
          "type": "nist-800-53",
          "id": "CM-7(5)"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1059"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.167347492Z",
      "last_seen": "2026-04-28T01:41:56.167347492Z",
      "status": "OPEN"
    },
    {
      "id": "b588428b-3b00-4671-ba08-389374c13f47",
      "fingerprint": "67ed099fd0aa2420",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DC-001",
      "title": "DC hardening: LDAPServerIntegrity not set to Required — LDAPServerIntegrity",
      "description": "HKLM\\System\\CurrentControlSet\\Services\\NTDS\\Parameters\\LDAPServerIntegrity = 2 enforces LDAP signing on the DC, mitigating LDAP relay (CVE-2017-8563). Default = 1 (Negotiate) accepts unsigned binds. Combined with DC-002 channel binding it closes the LDAP relay surface.\n\nFinding: LDAPServerIntegrity = 1. Set to 2 (Required) to mitigate LDAP relay CVE-2017-8563",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get LDAPServerIntegrity\nVAL|LDAPServerIntegrity=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get LDAPServerIntegrity\nVAL|LDAPServerIntegrity=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.167373895Z",
      "last_seen": "2026-04-28T01:41:56.167373895Z",
      "status": "OPEN"
    },
    {
      "id": "c653afc2-4b95-492f-a0d9-339d4b00f85d",
      "fingerprint": "f82abf43a4fcf534",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-INTEG-005",
      "title": "Patch posture: stale last-update OR pending reboot — PatchAge",
      "description": "Last installed HotFix is older than the rule threshold (30 days in the generic rule; this finding fired at the \u003e90-day tier) AND/OR a pending reboot is blocking installed patches from taking effect. Stale patch posture means public exploits for recent CVEs land directly. Pending reboot is the silent variant — host appears patched (KB shows installed) but the new binaries on disk are not loaded until restart.\n\nFinding: last HotFix installed 1516 days ago (\u003e90d). Public exploits for recent CVEs apply directly. Last KB: KB5010523 on 2022-03-03T00:00:00.0000000. No reboot-pending markers were observed (CBS / WUAU / PFR / CCM / ComputerName all False). Caveat: Get-HotFix reads Win32_QuickFixEngineering, which can omit updates not installed through CBS — confirm against the OS build number (UBR) before treating this as conclusive; on a domain controller this age of patch gap should be treated as an incident-response trigger, not just a compliance gap",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-HotFix sort + reboot-pending registry probes\nLastHotFix=\"KB5010523\" DaysSince=\"1516\" CBS=\"False\" WUAU=\"False\" PFR=\"False\" CCM=\"False\" ComputerName=\"False\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-HotFix sort + reboot-pending registry probes\nLastHotFix=\"KB5010523\" DaysSince=\"1516\" CBS=\"False\" WUAU=\"False\" PFR=\"False\" CCM=\"False\" ComputerName=\"False\""
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "SI-2"
        },
        {
          "type": "nist-800-53",
          "id": "SI-2(2)"
        },
        {
          "type": "mitre-attack",
          "id": "T1190"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.167543419Z",
      "last_seen": "2026-04-28T01:41:56.167543419Z",
      "status": "OPEN"
    },
    {
      "id": "868da909-61a6-497b-a4a1-86e21516d253",
      "fingerprint": "139a874f59ae7e5b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DC-002",
      "title": "DC hardening: LdapEnforceChannelBinding not Always (2) — LdapEnforceChannelBinding",
      "description": "HKLM\\System\\CurrentControlSet\\Services\\NTDS\\Parameters\\LdapEnforceChannelBinding = 2 makes channel binding mandatory on LDAPS — closing the relay path that plain signing cannot. 0 = Disabled, 1 = When supported. CIS + Microsoft KB 4520412 require 2.\n\nFinding: LdapEnforceChannelBinding = -1. Set to 2 (Always) per KB 4520412",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get LdapEnforceChannelBinding\nVAL|LdapEnforceChannelBinding=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get LdapEnforceChannelBinding\nVAL|LdapEnforceChannelBinding=-1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.167587098Z",
      "last_seen": "2026-04-28T01:41:56.167587098Z",
      "status": "OPEN"
    },
    {
      "id": "049f00e2-a855-48a2-911d-924725666298",
      "fingerprint": "57f7662294717a8a",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-INTEG-006",
      "title": "AutoPlay / AutoRun not disabled (USB privesc surface) — NoDriveTypeAutoRun",
      "description": "NoDriveTypeAutoRun != 255 OR NoAutorun != 1 OR NoAutoplayfornonVolume != 1. Any of these allows USB-borne payloads to execute when the drive is inserted — the Conficker / Stuxnet / BadUSB delivery vector. Modern Windows reduced the surface but explicit hardening is required by CIS, DISA STIG, and MS baseline.\n\nFinding: got \"\" (value not present — OS default applies), expected 255 (0xFF — disable AutoRun on all drive types). Fix: Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer' -Name NoDriveTypeAutoRun -Value 255 -Type DWord (create the Policies\\Explorer key with New-Item first if it does not exist; prefer the equivalent 'Turn off AutoPlay' GPO so the setting is enforced by policy rather than a one-off registry write)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Explorer policies (3 keys)\nNoDriveTypeAutoRun=\"\" NoAutorun=\"\" NoAutoplayfornonVolume=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Explorer policies (3 keys)\nNoDriveTypeAutoRun=\"\" NoAutorun=\"\" NoAutoplayfornonVolume=\"\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.7.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.7.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.10.7.x"
        },
        {
          "type": "nist-800-53",
          "id": "CM-7"
        },
        {
          "type": "nist-800-53",
          "id": "AC-19"
        },
        {
          "type": "mitre-attack",
          "id": "T1091"
        },
        {
          "type": "mitre-attack",
          "id": "T1200"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.167658502Z",
      "last_seen": "2026-04-28T01:41:56.167658502Z",
      "status": "OPEN"
    },
    {
      "id": "06939e5f-8722-4762-8568-1b906b4184a8",
      "fingerprint": "57f7662294717a8a",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-INTEG-006",
      "title": "AutoPlay / AutoRun not disabled (USB privesc surface) — NoAutorun",
      "description": "NoDriveTypeAutoRun != 255 OR NoAutorun != 1 OR NoAutoplayfornonVolume != 1. Any of these allows USB-borne payloads to execute when the drive is inserted — the Conficker / Stuxnet / BadUSB delivery vector. Modern Windows reduced the surface but explicit hardening is required by CIS, DISA STIG, and MS baseline.\n\nFinding: got \"\" (value not present — OS default applies), expected 1 (disable AutoRun command globally). Fix: same path -Name NoAutorun -Value 1 -Type DWord (or the 'Set the default behavior for AutoRun' GPO set to 'Do not execute any autorun commands')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Explorer policies (3 keys)\nNoDriveTypeAutoRun=\"\" NoAutorun=\"\" NoAutoplayfornonVolume=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Explorer policies (3 keys)\nNoDriveTypeAutoRun=\"\" NoAutorun=\"\" NoAutoplayfornonVolume=\"\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.7.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.7.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.10.7.x"
        },
        {
          "type": "nist-800-53",
          "id": "CM-7"
        },
        {
          "type": "nist-800-53",
          "id": "AC-19"
        },
        {
          "type": "mitre-attack",
          "id": "T1091"
        },
        {
          "type": "mitre-attack",
          "id": "T1200"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.167688276Z",
      "last_seen": "2026-04-28T01:41:56.167688276Z",
      "status": "OPEN"
    },
    {
      "id": "775dc5c0-6278-4110-a542-5010893bcb46",
      "fingerprint": "57f7662294717a8a",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-INTEG-006",
      "title": "AutoPlay / AutoRun not disabled (USB privesc surface) — NoAutoplayfornonVolume",
      "description": "NoDriveTypeAutoRun != 255 OR NoAutorun != 1 OR NoAutoplayfornonVolume != 1. Any of these allows USB-borne payloads to execute when the drive is inserted — the Conficker / Stuxnet / BadUSB delivery vector. Modern Windows reduced the surface but explicit hardening is required by CIS, DISA STIG, and MS baseline.\n\nFinding: got \"\" (value not present — OS default applies), expected 1 (disable AutoPlay for MTP / non-volume devices). Fix: same path -Name NoAutoplayfornonVolume -Value 1 -Type DWord (or the 'Disallow Autoplay for non-volume devices' GPO)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Explorer policies (3 keys)\nNoDriveTypeAutoRun=\"\" NoAutorun=\"\" NoAutoplayfornonVolume=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Explorer policies (3 keys)\nNoDriveTypeAutoRun=\"\" NoAutorun=\"\" NoAutoplayfornonVolume=\"\""
        }
      ],
      "severity": "LOW",
      "confidence": "OBSERVED",
      "scores": {
        "context": 2.5,
        "final": 2.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.7.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.7.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.10.7.x"
        },
        {
          "type": "nist-800-53",
          "id": "CM-7"
        },
        {
          "type": "nist-800-53",
          "id": "AC-19"
        },
        {
          "type": "mitre-attack",
          "id": "T1091"
        },
        {
          "type": "mitre-attack",
          "id": "T1200"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.167708306Z",
      "last_seen": "2026-04-28T01:41:56.167708306Z",
      "status": "OPEN"
    },
    {
      "id": "30ff073d-5807-49d3-82fe-5108caf0e839",
      "fingerprint": "49774fe307d0be31",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-DC-003",
      "title": "DC hardening: anonymous SAM enumeration enabled — RestrictAnonymous",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous = 1, RestrictAnonymousSAM = 1, EveryoneIncludesAnonymous = 0 together block anonymous SID to name resolution, anonymous SAM enumeration, and prevent the Everyone token from including Anonymous Logon. CIS requires all three.\n\nFinding: RestrictAnonymous = 0 (expected 1)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get RestrictAnonymous values\nVAL|RestrictAnonymous=0|RestrictAnonymousSAM=1|EveryoneIncludesAnonymous=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get RestrictAnonymous values\nVAL|RestrictAnonymous=0|RestrictAnonymousSAM=1|EveryoneIncludesAnonymous=-1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1087.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.167752572Z",
      "last_seen": "2026-04-28T01:41:56.167752572Z",
      "status": "OPEN"
    },
    {
      "id": "1c2a1fe2-8092-4e1d-87f2-c3caab256d3f",
      "fingerprint": "49774fe307d0be31",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-DC-003",
      "title": "DC hardening: anonymous SAM enumeration enabled — EveryoneIncludesAnonymous",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous = 1, RestrictAnonymousSAM = 1, EveryoneIncludesAnonymous = 0 together block anonymous SID to name resolution, anonymous SAM enumeration, and prevent the Everyone token from including Anonymous Logon. CIS requires all three.\n\nFinding: EveryoneIncludesAnonymous = -1 (expected 0)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get RestrictAnonymous values\nVAL|RestrictAnonymous=0|RestrictAnonymousSAM=1|EveryoneIncludesAnonymous=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get RestrictAnonymous values\nVAL|RestrictAnonymous=0|RestrictAnonymousSAM=1|EveryoneIncludesAnonymous=-1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1087.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.167777726Z",
      "last_seen": "2026-04-28T01:41:56.167777726Z",
      "status": "OPEN"
    },
    {
      "id": "7c0ea5c2-f11f-4fd7-88ad-eb3881699dc2",
      "fingerprint": "b150258e5db88109",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-KRB-001",
      "title": "Kerberos: user account with SPN is Kerberoastable — svc_kroast",
      "description": "User accounts with servicePrincipalName set can have a service ticket requested by any authenticated domain user; the ticket in the TGS-REP is encrypted with the account's long-term Kerberos key — its NT hash when RC4 is permitted — and can be cracked offline to recover the password if it is human-chosen. Excludes gMSA (machine-managed 240-byte random password) and krbtgt. Severity ratchets to CRITICAL when the account is Tier0 (DA/EA/SA/Operators or adminCount=1). Mitigation: gMSA, AES-only enctype (slows cracking but does not prevent it), 25+ char randomly-generated password.\n\nFinding: user 'svc_kroast' has SPN — TGS-REP offline-crackable. spns=HTTP/test-kroast.obxlab.local. msDS-SupportedEncryptionTypes is unset (enc=0), so an attacker can request an RC4-encrypted ticket, the fastest variant to crack",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADUser SPN filter (Kerberoastable)\nUSR|svc_kroast|tier0=False|spns=HTTP/test-kroast.obxlab.local|enc=0\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADUser SPN filter (Kerberoastable)\nUSR|svc_kroast|tier0=False|spns=HTTP/test-kroast.obxlab.local|enc=0\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "IA-5(1)"
        },
        {
          "type": "mitre-attack",
          "id": "T1558.003"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.167821505Z",
      "last_seen": "2026-04-28T01:41:56.167821505Z",
      "status": "OPEN"
    },
    {
      "id": "91c43d17-c799-40a9-87e3-038df0cfd6e2",
      "fingerprint": "18811cbf9ac8e19a",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-KRB-002",
      "title": "Kerberos: account allows AS-REP roasting (DONT_REQUIRE_PREAUTH) — svc_asrep",
      "description": "Accounts with userAccountControl bit 0x400000 do not require Kerberos pre-authentication, so a remote unauthenticated attacker can request an AS-REP and brute-force the credential offline. Severity is CRITICAL when the account is Tier0.\n\nFinding: user 'svc_asrep' has DONT_REQUIRE_PREAUTH set — AS-REP returns offline-crackable hash to anonymous requestors",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ AS-REP roastable LDAP filter (UAC bit 0x400000)\nUSR|svc_asrep|tier0=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ AS-REP roastable LDAP filter (UAC bit 0x400000)\nUSR|svc_asrep|tier0=False\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.004"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.16785678Z",
      "last_seen": "2026-04-28T01:41:56.16785678Z",
      "status": "OPEN"
    },
    {
      "id": "90c18980-fe45-41cd-b37b-97f5ad67ea81",
      "fingerprint": "9b0867126a95cec6",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-KRB-003",
      "title": "Kerberos: unconstrained delegation enabled on non-DC computer — OBX-FAKEHOST1",
      "description": "Computer objects with userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION) receive and cache the forwardable TGT of any user that authenticates to them (except members of Protected Users and accounts marked 'sensitive and cannot be delegated'), allowing impersonation of those users domain-wide, and across trusts where TGT delegation is still permitted. Domain Controllers carry this flag legitimately and are excluded (primaryGroupID 516 / 521).\n\nFinding: computer 'OBX-FAKEHOST1' has unconstrained delegation — os= (operatingSystem attribute is empty, so this may be a pre-created or stale object rather than a live host; confirm before remediating, but clear the flag either way — a stale object with this flag is still abusable if its password can be obtained or reset). Any privileged user authenticating to this host can be impersonated",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADComputer TRUSTED_FOR_DELEGATION filter\nCMP|OBX-FAKEHOST1|os=\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADComputer TRUSTED_FOR_DELEGATION filter\nCMP|OBX-FAKEHOST1|os=\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.167880089Z",
      "last_seen": "2026-04-28T01:41:56.167880089Z",
      "status": "OPEN"
    },
    {
      "id": "65f6db3b-7797-43dc-bfdd-52834be1412d",
      "fingerprint": "c44f391d4e26a244",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-KRB-004",
      "title": "Kerberos: Resource-Based Constrained Delegation (RBCD) configured — OBX-FAKEHOST1$",
      "description": "msDS-AllowedToActOnBehalfOfOtherIdentity grants S4U2Proxy to the principals listed in its security descriptor, letting them obtain service tickets to this object as arbitrary users (except those protected from delegation). RBCD is a high-impact primitive when the grantee is a low-privilege or broad principal, or when the attribute itself is writable by non-Tier0 accounts (the classic path: any account with GenericWrite / WriteDACL on a computer object adds its own principal). We surface every RBCD configuration so the operator can validate that each grant is intentional and the granted principal is a constrained service account.\n\nFinding: object 'OBX-FAKEHOST1$' (computer) allows S4U2Proxy from SID S-1-5-21-873624365-3528634227-720301803-1108 — RBCD primitive. The probe did not resolve the SID; resolve it (RID 1108 is a domain-created object, not a built-in) and verify it is a constrained service principal. Together with the unconstrained-delegation finding on the same computer object, treat this object as suspect until its origin is explained",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ RBCD enumeration (msDS-AllowedToActOnBehalfOfOtherIdentity)\nRBCD|OBX-FAKEHOST1$|computer|S-1-5-21-873624365-3528634227-720301803-1108\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ RBCD enumeration (msDS-AllowedToActOnBehalfOfOtherIdentity)\nRBCD|OBX-FAKEHOST1$|computer|S-1-5-21-873624365-3528634227-720301803-1108\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.167916953Z",
      "last_seen": "2026-04-28T01:41:56.167916953Z",
      "status": "OPEN"
    },
    {
      "id": "906acb92-042b-468f-8a8b-fca9249c251b",
      "fingerprint": "328b093b8583c3d5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-KRB-006",
      "title": "Kerberos: RC4 still allowed on Tier0 / privileged accounts — Administrator",
      "description": "msDS-SupportedEncryptionTypes bit 0x4 (RC4-HMAC) on a privileged account lets an attacker obtain RC4-encrypted tickets for it, exposing the NT-hash-derived key to offline cracking (Kerberoast, where the account has an SPN) and enabling ticket forgery with a stolen hash. Tier0 accounts must be AES-only (0x18 = AES128|AES256). Unset (0x0) on Server 2008+ defaults to RC4+AES per legacy compatibility — also flagged. Caveat: AES keys exist only for passwords set after the domain reached the 2008 functional level, so reset the account password after restricting it to AES (for krbtgt, use the documented two-step reset with a replication wait between steps), and confirm no RC4-only application still authenticates as the account before enforcing.\n\nFinding: Tier0 account 'Administrator' has msDS-SupportedEncryptionTypes unset (defaults to RC4+AES) — set to 0x18 AES-only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Tier0 msDS-SupportedEncryptionTypes audit\nTIER0|Administrator|enc=0|rc4=False|des=False|unset=True\r\nTIER0|extra_da|enc=0|rc4=False|des=False|unset=True\r\nTIER0|cloudbase-init|enc=0|rc4=False|des=False|unset=True\r\nTIER0|krbtgt|enc=0|rc4=False|des=False|unset=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Tier0 msDS-SupportedEncryptionTypes audit\nTIER0|Administrator|enc=0|rc4=False|des=False|unset=True\r\nTIER0|extra_da|enc=0|rc4=False|des=False|unset=True\r\nTIER0|cloudbase-init|enc=0|rc4=False|des=False|unset=True\r\nTIER0|krbtgt|enc=0|rc4=False|des=False|unset=True\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.003"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.168000038Z",
      "last_seen": "2026-04-28T01:41:56.168000038Z",
      "status": "OPEN"
    },
    {
      "id": "99b2476a-40fd-442c-bb0b-f34c777a6439",
      "fingerprint": "328b093b8583c3d5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-KRB-006",
      "title": "Kerberos: RC4 still allowed on Tier0 / privileged accounts — extra_da",
      "description": "msDS-SupportedEncryptionTypes bit 0x4 (RC4-HMAC) on a privileged account exposes the account hash to Kerberoast / Silver-Ticket forgery. Tier0 accounts must be AES-only (0x18 = AES128|AES256). Unset (0x0) on Server 2008+ defaults to RC4+AES per legacy compatibility — also flagged.\n\nFinding: Tier0 account 'extra_da' has msDS-SupportedEncryptionTypes unset (defaults to RC4+AES) — set to 0x18 AES-only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Tier0 msDS-SupportedEncryptionTypes audit\nTIER0|Administrator|enc=0|rc4=False|des=False|unset=True\r\nTIER0|extra_da|enc=0|rc4=False|des=False|unset=True\r\nTIER0|cloudbase-init|enc=0|rc4=False|des=False|unset=True\r\nTIER0|krbtgt|enc=0|rc4=False|des=False|unset=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Tier0 msDS-SupportedEncryptionTypes audit\nTIER0|Administrator|enc=0|rc4=False|des=False|unset=True\r\nTIER0|extra_da|enc=0|rc4=False|des=False|unset=True\r\nTIER0|cloudbase-init|enc=0|rc4=False|des=False|unset=True\r\nTIER0|krbtgt|enc=0|rc4=False|des=False|unset=True\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.003"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.168056905Z",
      "last_seen": "2026-04-28T01:41:56.168056905Z",
      "status": "OPEN"
    },
    {
      "id": "6f78e762-8991-48fa-94f7-b61f4f496ddc",
      "fingerprint": "328b093b8583c3d5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-KRB-006",
      "title": "Kerberos: RC4 still allowed on Tier0 / privileged accounts — cloudbase-init",
      "description": "msDS-SupportedEncryptionTypes bit 0x4 (RC4-HMAC) on a privileged account exposes the account hash to Kerberoast / Silver-Ticket forgery. Tier0 accounts must be AES-only (0x18 = AES128|AES256). Unset (0x0) on Server 2008+ defaults to RC4+AES per legacy compatibility — also flagged.\n\nFinding: Tier0 account 'cloudbase-init' has msDS-SupportedEncryptionTypes unset (defaults to RC4+AES) — set to 0x18 AES-only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Tier0 msDS-SupportedEncryptionTypes audit\nTIER0|Administrator|enc=0|rc4=False|des=False|unset=True\r\nTIER0|extra_da|enc=0|rc4=False|des=False|unset=True\r\nTIER0|cloudbase-init|enc=0|rc4=False|des=False|unset=True\r\nTIER0|krbtgt|enc=0|rc4=False|des=False|unset=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Tier0 msDS-SupportedEncryptionTypes audit\nTIER0|Administrator|enc=0|rc4=False|des=False|unset=True\r\nTIER0|extra_da|enc=0|rc4=False|des=False|unset=True\r\nTIER0|cloudbase-init|enc=0|rc4=False|des=False|unset=True\r\nTIER0|krbtgt|enc=0|rc4=False|des=False|unset=True\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.003"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.168197876Z",
      "last_seen": "2026-04-28T01:41:56.168197876Z",
      "status": "OPEN"
    },
    {
      "id": "41284be5-5d3c-4006-a349-d865aa6005db",
      "fingerprint": "328b093b8583c3d5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-KRB-006",
      "title": "Kerberos: RC4 still allowed on Tier0 / privileged accounts — krbtgt",
      "description": "msDS-SupportedEncryptionTypes bit 0x4 (RC4-HMAC) on a privileged account exposes the account hash to Kerberoast / Silver-Ticket forgery. Tier0 accounts must be AES-only (0x18 = AES128|AES256). Unset (0x0) on Server 2008+ defaults to RC4+AES per legacy compatibility — also flagged.\n\nFinding: Tier0 account 'krbtgt' has msDS-SupportedEncryptionTypes unset (defaults to RC4+AES) — set to 0x18 AES-only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Tier0 msDS-SupportedEncryptionTypes audit\nTIER0|Administrator|enc=0|rc4=False|des=False|unset=True\r\nTIER0|extra_da|enc=0|rc4=False|des=False|unset=True\r\nTIER0|cloudbase-init|enc=0|rc4=False|des=False|unset=True\r\nTIER0|krbtgt|enc=0|rc4=False|des=False|unset=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Tier0 msDS-SupportedEncryptionTypes audit\nTIER0|Administrator|enc=0|rc4=False|des=False|unset=True\r\nTIER0|extra_da|enc=0|rc4=False|des=False|unset=True\r\nTIER0|cloudbase-init|enc=0|rc4=False|des=False|unset=True\r\nTIER0|krbtgt|enc=0|rc4=False|des=False|unset=True\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.003"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.168259444Z",
      "last_seen": "2026-04-28T01:41:56.168259444Z",
      "status": "OPEN"
    },
    {
      "id": "261c5bbd-d817-400c-aee0-aaea1400fc39",
      "fingerprint": "611b14ddbb3f7ff4",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-KRB-007",
      "title": "Kerberos: krbtgt msDS-SupportedEncryptionTypes is not AES-only — krbtgt",
      "description": "If krbtgt's supported encryption types include RC4 (0x4) or are unset (defaulting to RC4+AES), Golden Tickets can be forged with RC4 hash compromise instead of AES. The krbtgt account must be set to 0x18 (AES128|AES256) and rotated.\n\nFinding: krbtgt msDS-SupportedEncryptionTypes is unset (0) → legacy default RC4+AES. Set to 0x18 AES-only and rotate twice",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADUser krbtgt msDS-SupportedEncryptionTypes\nKRBTGT|enc=0\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADUser krbtgt msDS-SupportedEncryptionTypes\nKRBTGT|enc=0\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.168352669Z",
      "last_seen": "2026-04-28T01:41:56.168352669Z",
      "status": "OPEN"
    },
    {
      "id": "c672028a-956a-4865-b558-7330bcea6fa9",
      "fingerprint": "77c3c49e65eb6882",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-KRB-008",
      "title": "Kerberos: Domain Admins not protected from delegation abuse — Administrator",
      "description": "Each Domain Admins member should either carry userAccountControl bit 0x100000 (NOT_DELEGATED, AccountIsSensitive) or be a member of Protected Users (RID 525). Without one of these the account TGT is forwardable and capturable by any unconstrained-delegation-trusted host.\n\nFinding: Domain Admin 'Administrator' has neither AccountIsSensitive (UAC 0x100000) nor Protected Users membership — TGT forwardable, capturable on unconstrained-delegation hosts",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Domain Admins delegation-protection audit\nDA|Administrator|notDelegated=False|protected=False\r\nDA|extra_da|notDelegated=False|protected=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Domain Admins delegation-protection audit\nDA|Administrator|notDelegated=False|protected=False\r\nDA|extra_da|notDelegated=False|protected=False\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.168390314Z",
      "last_seen": "2026-04-28T01:41:56.168390314Z",
      "status": "OPEN"
    },
    {
      "id": "2c1c66cd-73b6-40b2-8688-84353df6aa8c",
      "fingerprint": "77c3c49e65eb6882",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-KRB-008",
      "title": "Kerberos: Domain Admins not protected from delegation abuse — extra_da",
      "description": "Each Domain Admins member should either carry userAccountControl bit 0x100000 (NOT_DELEGATED, AccountIsSensitive) or be a member of Protected Users (RID 525). Without one of these the account TGT is forwardable and capturable by any unconstrained-delegation-trusted host.\n\nFinding: Domain Admin 'extra_da' has neither AccountIsSensitive (UAC 0x100000) nor Protected Users membership — TGT forwardable, capturable on unconstrained-delegation hosts",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Domain Admins delegation-protection audit\nDA|Administrator|notDelegated=False|protected=False\r\nDA|extra_da|notDelegated=False|protected=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Domain Admins delegation-protection audit\nDA|Administrator|notDelegated=False|protected=False\r\nDA|extra_da|notDelegated=False|protected=False\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.168424643Z",
      "last_seen": "2026-04-28T01:41:56.168424643Z",
      "status": "OPEN"
    },
    {
      "id": "c7884dcd-b32e-4156-a1aa-f5459186b16b",
      "fingerprint": "5165fdef03e909fc",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-KRB-009",
      "title": "Kerberos: constrained delegation to sensitive service — svc_kroast",
      "description": "msDS-AllowedToDelegateTo entries pointing at sensitive SPN classes (cifs/ldap/host/krbtgt/HTTP on a DC) let the delegating principal impersonate any user including AccountIsSensitive ones when configured with protocol transition (UAC 0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION). Surface every such grant with target SPN class so the operator can validate scope.\n\nFinding: object 'svc_kroast' (user) delegates to spn=cifs/obexum-dc.obxlab.local — sensitive service class 'cifs' + protocol transition (S4U2Self) → impersonate any user",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Constrained delegation msDS-AllowedToDelegateTo audit\nCD|svc_kroast|user|spn=cifs/obexum-dc.obxlab.local|svc=cifs|pt=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Constrained delegation msDS-AllowedToDelegateTo audit\nCD|svc_kroast|user|spn=cifs/obexum-dc.obxlab.local|svc=cifs|pt=True\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1558.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.168477367Z",
      "last_seen": "2026-04-28T01:41:56.168477367Z",
      "status": "OPEN"
    },
    {
      "id": "d2244af7-06e5-42ad-a6af-134bb64ecb51",
      "fingerprint": "5b825537d3e50e8d",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "crypto",
      "rule_id": "AUD-WIN-DC-005",
      "title": "DC hardening: NTLMv1 / LM accepted — LmCompatibilityLevel",
      "description": "LmCompatibilityLevel \u003c 5 still accepts NTLMv1 and LM, both broken authentication primitives. NoLMHash = 1 prevents the LM hash being stored at password-set time. Both must be hardened on every DC.\n\nFinding: LmCompatibilityLevel = -1 (expected ≥ 5 = NTLMv2 only)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get LmCompatibilityLevel + NoLMHash\nVAL|LmCompatibilityLevel=-1|NoLMHash=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get LmCompatibilityLevel + NoLMHash\nVAL|LmCompatibilityLevel=-1|NoLMHash=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "crypto"
      ],
      "first_seen": "2026-04-28T01:41:56.168513074Z",
      "last_seen": "2026-04-28T01:41:56.168513074Z",
      "status": "OPEN"
    },
    {
      "id": "ef30d3bb-658d-4cee-99d9-e7c63f8b4368",
      "fingerprint": "1e5af1cde468aaa4",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-KRB-010",
      "title": "Kerberos: ms-DS-MachineAccountQuota \u003e 0 enables NoPac chain — ms-DS-MachineAccountQuota",
      "description": "Default ms-DS-MachineAccountQuota = 10 lets every authenticated user join up to 10 machines to the domain. Combined with CVE-2021-42278/42287 (NoPac / sAMAccountName spoofing) any low-priv user can compromise the domain. Microsoft's KB5008380 hardens both CVEs; the durable mitigation is to set the quota to 0 and grant CreateChild via a delegated administrator group.\n\nFinding: ms-DS-MachineAccountQuota = 10 allows authenticated users to join machines to the domain. Set to 0 and delegate CreateChild on Computer container",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get ms-DS-MachineAccountQuota on domain root\nMAQ|10\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get ms-DS-MachineAccountQuota on domain root\nMAQ|10\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1078.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.168530486Z",
      "last_seen": "2026-04-28T01:41:56.168530486Z",
      "status": "OPEN"
    },
    {
      "id": "bfe9423b-29a9-42b5-930b-ccb015919493",
      "fingerprint": "4114140af4f5e289",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DC-006",
      "title": "DC hardening: NullSessionPipes or NullSessionShares non-empty — pipe:netlogon",
      "description": "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\NullSessionPipes / NullSessionShares list named pipes / shares accessible without authentication. Default on Server 2008 R2+ is empty. Any entry is a remote anonymous-IPC primitive.\n\nFinding: NullSessionPipes contains 'netlogon' — anonymous IPC$ access surface",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get NullSessionPipes/Shares\nPIPE|netlogon\r\nPIPE|samr\r\nPIPE|lsarpc\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get NullSessionPipes/Shares\nPIPE|netlogon\r\nPIPE|samr\r\nPIPE|lsarpc\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1021.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.168598823Z",
      "last_seen": "2026-04-28T01:41:56.168598823Z",
      "status": "OPEN"
    },
    {
      "id": "8a5c34b3-7031-4428-8090-8f4ca537ad27",
      "fingerprint": "4114140af4f5e289",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DC-006",
      "title": "DC hardening: NullSessionPipes or NullSessionShares non-empty — pipe:samr",
      "description": "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\NullSessionPipes / NullSessionShares list named pipes / shares accessible without authentication. Default on Server 2008 R2+ is empty. Any entry is a remote anonymous-IPC primitive.\n\nFinding: NullSessionPipes contains 'samr' — anonymous IPC$ access surface",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get NullSessionPipes/Shares\nPIPE|netlogon\r\nPIPE|samr\r\nPIPE|lsarpc\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get NullSessionPipes/Shares\nPIPE|netlogon\r\nPIPE|samr\r\nPIPE|lsarpc\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1021.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.168616107Z",
      "last_seen": "2026-04-28T01:41:56.168616107Z",
      "status": "OPEN"
    },
    {
      "id": "fab90d78-24d4-4d21-ae08-3f4de561d97a",
      "fingerprint": "4114140af4f5e289",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DC-006",
      "title": "DC hardening: NullSessionPipes or NullSessionShares non-empty — pipe:lsarpc",
      "description": "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\NullSessionPipes / NullSessionShares list named pipes / shares accessible without authentication. Default on Server 2008 R2+ is empty. Any entry is a remote anonymous-IPC primitive.\n\nFinding: NullSessionPipes contains 'lsarpc' — anonymous IPC$ access surface",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get NullSessionPipes/Shares\nPIPE|netlogon\r\nPIPE|samr\r\nPIPE|lsarpc\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get NullSessionPipes/Shares\nPIPE|netlogon\r\nPIPE|samr\r\nPIPE|lsarpc\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1021.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.168632573Z",
      "last_seen": "2026-04-28T01:41:56.168632573Z",
      "status": "OPEN"
    },
    {
      "id": "bcbd2a24-742d-4593-8e7a-aeb5742d6d2b",
      "fingerprint": "762c5e4a8b8bdfd6",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-001",
      "title": "PowerShell logging incomplete (Module / ScriptBlock / Transcription / PSv2) — ModuleLogging",
      "description": "One or more PowerShell logging settings are below baseline: Module Logging (4103 module-call trace), Script Block Logging (4104 script-body capture), Transcription (interactive console mirror), or PowerShell v2 not disabled (allows `powershell -Version 2` downgrade attack that bypasses ScriptBlockLogging). Without these, T1059.001 PowerShell-based attacks leave NO Event Log trail.\n\nFinding: EnableModuleLogging != 1 — 4103 module-call events not generated. Fix: Set-ItemProperty 'HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging' -Name EnableModuleLogging -Value 1 -Type DWord; Set-ItemProperty 'HKLM:\\..\\ModuleLogging\\ModuleNames' -Name '*' -Value '*'",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty PowerShell logging keys + Get-WindowsOptionalFeature PSv2\nML=\"\" MN*=\"False\" SBL=\"\" Transcript=\"\" TranOut=\"\" ProtectedEL=\"\" PSv2=\"Enabled\" PSv2Root=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty PowerShell logging keys + Get-WindowsOptionalFeature PSv2\nML=\"\" MN*=\"False\" SBL=\"\" Transcript=\"\" TranOut=\"\" ProtectedEL=\"\" PSv2=\"Enabled\" PSv2Root=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.86.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.86.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.4.x"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.10.x"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000270"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000280"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.006"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.168678566Z",
      "last_seen": "2026-04-28T01:41:56.168678566Z",
      "status": "OPEN"
    },
    {
      "id": "87764ea3-199f-4e48-b279-2719e3fd69ee",
      "fingerprint": "762c5e4a8b8bdfd6",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-001",
      "title": "PowerShell logging incomplete (Module / ScriptBlock / Transcription / PSv2) — ScriptBlockLogging",
      "description": "One or more PowerShell logging settings are below baseline: Module Logging (4103 module-call trace), Script Block Logging (4104 script-body capture), Transcription (interactive console mirror), or PowerShell v2 not disabled (allows `powershell -Version 2` downgrade attack that bypasses ScriptBlockLogging). Without these, T1059.001 PowerShell-based attacks leave NO Event Log trail.\n\nFinding: EnableScriptBlockLogging != 1 — 4104 script-body capture disabled; obfuscated/encoded PowerShell (T1027.010) leaves no decode trail. Fix: Set-ItemProperty same path -Name EnableScriptBlockLogging -Value 1",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty PowerShell logging keys + Get-WindowsOptionalFeature PSv2\nML=\"\" MN*=\"False\" SBL=\"\" Transcript=\"\" TranOut=\"\" ProtectedEL=\"\" PSv2=\"Enabled\" PSv2Root=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty PowerShell logging keys + Get-WindowsOptionalFeature PSv2\nML=\"\" MN*=\"False\" SBL=\"\" Transcript=\"\" TranOut=\"\" ProtectedEL=\"\" PSv2=\"Enabled\" PSv2Root=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.86.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.86.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.4.x"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.10.x"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000270"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000280"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.006"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.168702857Z",
      "last_seen": "2026-04-28T01:41:56.168702857Z",
      "status": "OPEN"
    },
    {
      "id": "f5b2a3bd-fdb2-45de-937a-0dbdc5d0568f",
      "fingerprint": "762c5e4a8b8bdfd6",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-001",
      "title": "PowerShell logging incomplete (Module / ScriptBlock / Transcription / PSv2) — Transcription",
      "description": "One or more PowerShell logging settings are below baseline: Module Logging (4103 module-call trace), Script Block Logging (4104 script-body capture), Transcription (interactive console mirror), or PowerShell v2 not disabled (allows `powershell -Version 2` downgrade attack that bypasses ScriptBlockLogging). Without these, T1059.001 PowerShell-based attacks leave NO Event Log trail.\n\nFinding: EnableTranscripting != 1 — interactive console history not captured",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty PowerShell logging keys + Get-WindowsOptionalFeature PSv2\nML=\"\" MN*=\"False\" SBL=\"\" Transcript=\"\" TranOut=\"\" ProtectedEL=\"\" PSv2=\"Enabled\" PSv2Root=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty PowerShell logging keys + Get-WindowsOptionalFeature PSv2\nML=\"\" MN*=\"False\" SBL=\"\" Transcript=\"\" TranOut=\"\" ProtectedEL=\"\" PSv2=\"Enabled\" PSv2Root=\"\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.86.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.86.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.4.x"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.10.x"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000270"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000280"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.006"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.168727001Z",
      "last_seen": "2026-04-28T01:41:56.168727001Z",
      "status": "OPEN"
    },
    {
      "id": "e2af406d-b91e-44c0-911c-5d42436fa48d",
      "fingerprint": "762c5e4a8b8bdfd6",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-001",
      "title": "PowerShell logging incomplete (Module / ScriptBlock / Transcription / PSv2) — PSv2Engine",
      "description": "One or more PowerShell logging settings are below baseline: Module Logging (4103 module-call trace), Script Block Logging (4104 script-body capture), Transcription (interactive console mirror), or PowerShell v2 not disabled (allows `powershell -Version 2` downgrade attack that bypasses ScriptBlockLogging). Without these, T1059.001 PowerShell-based attacks leave NO Event Log trail.\n\nFinding: PowerShell v2 feature PSv2Engine state=Enabled — attacker can run `powershell -Version 2` to bypass ScriptBlockLogging (T1562.001 + T1059.001 chain)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty PowerShell logging keys + Get-WindowsOptionalFeature PSv2\nML=\"\" MN*=\"False\" SBL=\"\" Transcript=\"\" TranOut=\"\" ProtectedEL=\"\" PSv2=\"Enabled\" PSv2Root=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty PowerShell logging keys + Get-WindowsOptionalFeature PSv2\nML=\"\" MN*=\"False\" SBL=\"\" Transcript=\"\" TranOut=\"\" ProtectedEL=\"\" PSv2=\"Enabled\" PSv2Root=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.86.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.86.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.4.x"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.10.x"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000270"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000280"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.006"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.168754617Z",
      "last_seen": "2026-04-28T01:41:56.168754617Z",
      "status": "OPEN"
    },
    {
      "id": "a8e6fb07-e89f-454d-b400-651615647d04",
      "fingerprint": "c4c271cc97680244",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DC-007",
      "title": "DC hardening: LDAP simple-bind audit not enabled — 16 LDAP Interface Events",
      "description": "Setting HKLM\\System\\CurrentControlSet\\Services\\NTDS\\Diagnostics\\\"16 LDAP Interface Events\" to ≥ 2 logs simple binds (events 2887/2888/2889) so the operator can identify clients still authenticating without TLS before enforcing DC-001/002. Default 0 = silent.\n\nFinding: NTDS Diagnostics '16 LDAP Interface Events' = 0. Set to 2 to log simple-bind events 2887/2888/2889 before enforcing channel binding",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get NTDS Diagnostics 16 LDAP Interface Events\nVAL|16 LDAP Interface Events=0"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get NTDS Diagnostics 16 LDAP Interface Events\nVAL|16 LDAP Interface Events=0"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.168794383Z",
      "last_seen": "2026-04-28T01:41:56.168794383Z",
      "status": "OPEN"
    },
    {
      "id": "f4a89d06-7bae-4797-8457-42e6e5b0f172",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Credential Validation",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Credential Validation' = \"No Auditing\" (expected one of [Success and Failure]). Kerberos/NTLM brute-force + Pass-the-Hash early-stage auth invisible (4776 missing). Fix: auditpol /set /subcategory:\"Credential Validation\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.168903128Z",
      "last_seen": "2026-04-28T01:41:56.168903128Z",
      "status": "OPEN"
    },
    {
      "id": "d1e3ea6b-bf7d-44ce-86cc-e7e1eb30d060",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Logon",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Logon' = \"No Auditing\" (expected one of [Success and Failure]). Whole 4624/4625 logon stream — RDP brute-force + interactive logon mapping invisible. Fix: auditpol /set /subcategory:\"Logon\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.168992965Z",
      "last_seen": "2026-04-28T01:41:56.168992965Z",
      "status": "OPEN"
    },
    {
      "id": "db99603d-421a-472d-9d82-e331bfc3582e",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Special Logon",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Special Logon' = \"No Auditing\" (expected one of [Success, Success and Failure]). 4672 SeDebugPrivilege grant on logon — admin creep undetected. Fix: auditpol /set /subcategory:\"Special Logon\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169083609Z",
      "last_seen": "2026-04-28T01:41:56.169083609Z",
      "status": "OPEN"
    },
    {
      "id": "5756e9db-bfea-4775-8ba4-7747026a66f9",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Account Lockout",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Account Lockout' = \"No Auditing\" (expected one of [Success, Failure, Success and Failure]). 4740 lockout signal — password spray detection blind. Fix: auditpol /set /subcategory:\"Account Lockout\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169170846Z",
      "last_seen": "2026-04-28T01:41:56.169170846Z",
      "status": "OPEN"
    },
    {
      "id": "810fe062-c789-4419-bacd-f0a070b324a3",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Other Logon/Logoff Events",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Other Logon/Logoff Events' = \"No Auditing\" (expected one of [Success, Success and Failure]). 4648 explicit credentials — runas / Pass-the-Hash detection (T1550.002) invisible. Fix: auditpol /set /subcategory:\"Other Logon/Logoff Events\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169260223Z",
      "last_seen": "2026-04-28T01:41:56.169260223Z",
      "status": "OPEN"
    },
    {
      "id": "32fc7d07-bcb8-4640-96e1-10d366506768",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — User Account Management",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'User Account Management' = \"No Auditing\" (expected one of [Success and Failure]). 4720/4722/4738 — backdoor account creation (T1136.001) invisible. Fix: auditpol /set /subcategory:\"User Account Management\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169346982Z",
      "last_seen": "2026-04-28T01:41:56.169346982Z",
      "status": "OPEN"
    },
    {
      "id": "9a6c050c-f8fb-4e6c-aec3-a894e11db222",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Security Group Management",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Security Group Management' = \"No Auditing\" (expected one of [Success, Success and Failure]). 4728/4732 — admin-group escalation (T1098, T1078.003) invisible. Fix: auditpol /set /subcategory:\"Security Group Management\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169433888Z",
      "last_seen": "2026-04-28T01:41:56.169433888Z",
      "status": "OPEN"
    },
    {
      "id": "2b3c4cc5-04be-4849-ac00-b0c08f4b60de",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Process Creation",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Process Creation' = \"No Auditing\" (expected one of [Success, Success and Failure]). 4688 — every Execution technique (T1059.*) invisible WITHOUT this. Fix: auditpol /set /subcategory:\"Process Creation\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169575714Z",
      "last_seen": "2026-04-28T01:41:56.169575714Z",
      "status": "OPEN"
    },
    {
      "id": "d41fd653-f7f2-4ba1-997f-7180bd13098d",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Sensitive Privilege Use",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Sensitive Privilege Use' = \"No Auditing\" (expected one of [Success and Failure]). 4673/4674 — SeDebug, SeBackup, SeRestore abuse (T1134, T1003) invisible. Fix: auditpol /set /subcategory:\"Sensitive Privilege Use\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169666882Z",
      "last_seen": "2026-04-28T01:41:56.169666882Z",
      "status": "OPEN"
    },
    {
      "id": "3539adeb-bdb4-4271-9a70-dbbf4f485b98",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Security State Change",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Security State Change' = \"No Auditing\" (expected one of [Success, Success and Failure]). 4608/4616 — system time change (T1070.006 Timestomp) invisible. Fix: auditpol /set /subcategory:\"Security State Change\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.16975174Z",
      "last_seen": "2026-04-28T01:41:56.16975174Z",
      "status": "OPEN"
    },
    {
      "id": "d59e50de-306d-4d89-aaf0-0db0ead0e08d",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Security System Extension",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Security System Extension' = \"No Auditing\" (expected one of [Success, Success and Failure]). 4610/4614/4622 — Security Package load (T1547.005), LSA driver (T1547.008) invisible. Fix: auditpol /set /subcategory:\"Security System Extension\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169837489Z",
      "last_seen": "2026-04-28T01:41:56.169837489Z",
      "status": "OPEN"
    },
    {
      "id": "b7b74b78-87bd-4834-a6b2-d7177534e0f4",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — System Integrity",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'System Integrity' = \"No Auditing\" (expected one of [Success and Failure]). 4612/4618 — audit log buffer issues, integrity violations invisible. Fix: auditpol /set /subcategory:\"System Integrity\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.169950432Z",
      "last_seen": "2026-04-28T01:41:56.169950432Z",
      "status": "OPEN"
    },
    {
      "id": "2fc703df-ab23-43b4-a203-2df133591da2",
      "fingerprint": "107f48c70b7c2aa9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-002",
      "title": "Windows audit policy critical subcategories below baseline — Audit Policy Change",
      "description": "auditpol /get /category:* shows one or more critical subcategories (Logon, Special Logon, Account Lockout, Sensitive Privilege Use, Process Creation, Audit Policy Change, Security State Change, Security System Extension, etc.) not configured for Success+Failure. Each gap blinds detection of a documented attack technique class — see JPCERT/CC 'Detecting Lateral Movement through Tracking Event Logs' for the canonical mapping.\n\nFinding: 'Audit Policy Change' = \"No Auditing\" (expected one of [Success, Success and Failure]). 4719 — audit policy disabled by attacker (T1562.002) — meta-tamper invisible. Fix: auditpol /set /subcategory:\"Audit Policy Change\" /success:enable /failure:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:* /r\nMachine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting\r\r\nIP-208-84-101-7,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,\r\r\nIP-208-84-101-7,Sys..."
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.2.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.5.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.7.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.9.5"
        },
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AU-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.17003754Z",
      "last_seen": "2026-04-28T01:41:56.17003754Z",
      "status": "OPEN"
    },
    {
      "id": "e3677691-484a-42f8-9f7d-ccbc8826508b",
      "fingerprint": "9febd6bbb2fe6ed0",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-003",
      "title": "Event Log channels below minimum size / unsafe retention mode — Security:MaxSize",
      "description": "Security / Application / System / PowerShell / Sysmon channels have MaxSizeInBytes below baseline OR LogMode set to Retain (rejects new events when full — T1562.002 effective DoS). Under attack volume, an undersized Security log rotates out within minutes; investigators lose the IOC timeline.\n\nFinding: Security MaxSize = 134217728 bytes (128 MB), expected \u003e= 1073741824 bytes (1024 MB)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent -ListLog (8 channels)\nLOG|Security|MaxSize=134217728|LogMode=Circular|IsEnabled=True\r\nLOG|Application|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|System|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|Setup|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Operational|MaxSize=15728640|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Admin|MaxSize=1048985600|LogMode=Retain|IsEnabled=True\r\nLOG|Microsoft-Windows-Sysmon/Operational|absent\r\nLOG|Microsoft-Windows-Windows Defender/Operational|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent -ListLog (8 channels)\nLOG|Security|MaxSize=134217728|LogMode=Circular|IsEnabled=True\r\nLOG|Application|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|System|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|Setup|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Operational|MaxSize=15728640|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Admin|MaxSize=1048985600|LogMode=Retain|IsEnabled=True\r\nLOG|Microsoft-Windows-Sysmon/Operational|absent\r\nLOG|Microsoft-Windows-Windows Defender/Operational|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.25.x"
        },
        {
          "type": "nist-800-53",
          "id": "AU-4"
        },
        {
          "type": "nist-800-53",
          "id": "AU-5"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1070.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.170261598Z",
      "last_seen": "2026-04-28T01:41:56.170261598Z",
      "status": "OPEN"
    },
    {
      "id": "c0a45368-144c-419d-9e9b-76c26834a467",
      "fingerprint": "9febd6bbb2fe6ed0",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-003",
      "title": "Event Log channels below minimum size / unsafe retention mode — Application:MaxSize",
      "description": "Security / Application / System / PowerShell / Sysmon channels have MaxSizeInBytes below baseline OR LogMode set to Retain (rejects new events when full — T1562.002 effective DoS). Under attack volume, an undersized Security log rotates out within minutes; investigators lose the IOC timeline.\n\nFinding: Application MaxSize = 20971520 bytes (20 MB), expected \u003e= 67108864 bytes (64 MB)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent -ListLog (8 channels)\nLOG|Security|MaxSize=134217728|LogMode=Circular|IsEnabled=True\r\nLOG|Application|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|System|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|Setup|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Operational|MaxSize=15728640|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Admin|MaxSize=1048985600|LogMode=Retain|IsEnabled=True\r\nLOG|Microsoft-Windows-Sysmon/Operational|absent\r\nLOG|Microsoft-Windows-Windows Defender/Operational|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent -ListLog (8 channels)\nLOG|Security|MaxSize=134217728|LogMode=Circular|IsEnabled=True\r\nLOG|Application|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|System|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|Setup|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Operational|MaxSize=15728640|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Admin|MaxSize=1048985600|LogMode=Retain|IsEnabled=True\r\nLOG|Microsoft-Windows-Sysmon/Operational|absent\r\nLOG|Microsoft-Windows-Windows Defender/Operational|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nPROBE_DONE"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.25.x"
        },
        {
          "type": "nist-800-53",
          "id": "AU-4"
        },
        {
          "type": "nist-800-53",
          "id": "AU-5"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1070.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.170381318Z",
      "last_seen": "2026-04-28T01:41:56.170381318Z",
      "status": "OPEN"
    },
    {
      "id": "64b9187e-de75-4553-bbf1-4f719597bfa7",
      "fingerprint": "9febd6bbb2fe6ed0",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-003",
      "title": "Event Log channels below minimum size / unsafe retention mode — System:MaxSize",
      "description": "Security / Application / System / PowerShell / Sysmon channels have MaxSizeInBytes below baseline OR LogMode set to Retain (rejects new events when full — T1562.002 effective DoS). Under attack volume, an undersized Security log rotates out within minutes; investigators lose the IOC timeline.\n\nFinding: System MaxSize = 20971520 bytes (20 MB), expected \u003e= 67108864 bytes (64 MB)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent -ListLog (8 channels)\nLOG|Security|MaxSize=134217728|LogMode=Circular|IsEnabled=True\r\nLOG|Application|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|System|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|Setup|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Operational|MaxSize=15728640|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Admin|MaxSize=1048985600|LogMode=Retain|IsEnabled=True\r\nLOG|Microsoft-Windows-Sysmon/Operational|absent\r\nLOG|Microsoft-Windows-Windows Defender/Operational|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent -ListLog (8 channels)\nLOG|Security|MaxSize=134217728|LogMode=Circular|IsEnabled=True\r\nLOG|Application|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|System|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|Setup|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Operational|MaxSize=15728640|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Admin|MaxSize=1048985600|LogMode=Retain|IsEnabled=True\r\nLOG|Microsoft-Windows-Sysmon/Operational|absent\r\nLOG|Microsoft-Windows-Windows Defender/Operational|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nPROBE_DONE"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.25.x"
        },
        {
          "type": "nist-800-53",
          "id": "AU-4"
        },
        {
          "type": "nist-800-53",
          "id": "AU-5"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1070.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.170502351Z",
      "last_seen": "2026-04-28T01:41:56.170502351Z",
      "status": "OPEN"
    },
    {
      "id": "91aae223-1ca0-4c4f-be9d-031ced3a2d35",
      "fingerprint": "9febd6bbb2fe6ed0",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-003",
      "title": "Event Log channels below minimum size / unsafe retention mode — Microsoft-Windows-PowerShell/Operational:MaxSize",
      "description": "Security / Application / System / PowerShell / Sysmon channels have MaxSizeInBytes below baseline OR LogMode set to Retain (rejects new events when full — T1562.002 effective DoS). Under attack volume, an undersized Security log rotates out within minutes; investigators lose the IOC timeline.\n\nFinding: Microsoft-Windows-PowerShell/Operational MaxSize = 15728640 bytes (15 MB), expected \u003e= 67108864 bytes (64 MB)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent -ListLog (8 channels)\nLOG|Security|MaxSize=134217728|LogMode=Circular|IsEnabled=True\r\nLOG|Application|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|System|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|Setup|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Operational|MaxSize=15728640|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Admin|MaxSize=1048985600|LogMode=Retain|IsEnabled=True\r\nLOG|Microsoft-Windows-Sysmon/Operational|absent\r\nLOG|Microsoft-Windows-Windows Defender/Operational|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent -ListLog (8 channels)\nLOG|Security|MaxSize=134217728|LogMode=Circular|IsEnabled=True\r\nLOG|Application|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|System|MaxSize=20971520|LogMode=Circular|IsEnabled=True\r\nLOG|Setup|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Operational|MaxSize=15728640|LogMode=Circular|IsEnabled=True\r\nLOG|Microsoft-Windows-PowerShell/Admin|MaxSize=1048985600|LogMode=Retain|IsEnabled=True\r\nLOG|Microsoft-Windows-Sysmon/Operational|absent\r\nLOG|Microsoft-Windows-Windows Defender/Operational|MaxSize=1052672|LogMode=Circular|IsEnabled=True\r\nPROBE_DONE"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.25.x"
        },
        {
          "type": "nist-800-53",
          "id": "AU-4"
        },
        {
          "type": "nist-800-53",
          "id": "AU-5"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1070.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.170617232Z",
      "last_seen": "2026-04-28T01:41:56.170617232Z",
      "status": "OPEN"
    },
    {
      "id": "973eadf6-bd3a-4b24-bc64-d82bc11c7301",
      "fingerprint": "805fca4938e251db",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-001",
      "title": "ADCS ESC1: certificate template allows alternate-SAN supply with client-auth EKU — OBX_ESC2_AnyEKU",
      "description": "Templates with msPKI-Certificate-Name-Flag bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) AND a client-authentication EKU (Client Auth, Smartcard Logon, Any Purpose, PKINIT) AND enrollable by non-privileged principals = full Domain Admin via certificate forgery (ESC1, SpecterOps Certified Pre-Owned 2021).\n\nFinding: template 'OBX_ESC2_AnyEKU' allows alternate-SAN supply + auth EKU without Manager Approval — DA via cert forgery",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADObject pKICertificateTemplate ESC1 LDAP filter\nTPL|OBX_ESC2_AnyEKU|managerApproval=False\r\nTPL|OBX_ESC9_NoSecExt|managerApproval=False\r\nTPL|OBX_ESC15_v1Schema|managerApproval=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADObject pKICertificateTemplate ESC1 LDAP filter\nTPL|OBX_ESC2_AnyEKU|managerApproval=False\r\nTPL|OBX_ESC9_NoSecExt|managerApproval=False\r\nTPL|OBX_ESC15_v1Schema|managerApproval=False\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "AC-3"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(2)"
        },
        {
          "type": "mitre-attack",
          "id": "T1649"
        },
        {
          "type": "mitre-attack",
          "id": "T1078.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.170769922Z",
      "last_seen": "2026-04-28T01:41:56.170769922Z",
      "status": "OPEN"
    },
    {
      "id": "699f3295-0249-4c40-b7af-3e8861ff87ed",
      "fingerprint": "805fca4938e251db",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-001",
      "title": "ADCS ESC1: certificate template allows alternate-SAN supply with client-auth EKU — OBX_ESC9_NoSecExt",
      "description": "Templates with msPKI-Certificate-Name-Flag bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) AND a client-authentication EKU (Client Auth, Smartcard Logon, Any Purpose, PKINIT) AND enrollable by non-privileged principals = full Domain Admin via certificate forgery (ESC1, SpecterOps Certified Pre-Owned 2021).\n\nFinding: template 'OBX_ESC9_NoSecExt' allows alternate-SAN supply + auth EKU without Manager Approval — DA via cert forgery",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADObject pKICertificateTemplate ESC1 LDAP filter\nTPL|OBX_ESC2_AnyEKU|managerApproval=False\r\nTPL|OBX_ESC9_NoSecExt|managerApproval=False\r\nTPL|OBX_ESC15_v1Schema|managerApproval=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADObject pKICertificateTemplate ESC1 LDAP filter\nTPL|OBX_ESC2_AnyEKU|managerApproval=False\r\nTPL|OBX_ESC9_NoSecExt|managerApproval=False\r\nTPL|OBX_ESC15_v1Schema|managerApproval=False\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "AC-3"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(2)"
        },
        {
          "type": "mitre-attack",
          "id": "T1649"
        },
        {
          "type": "mitre-attack",
          "id": "T1078.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.170812415Z",
      "last_seen": "2026-04-28T01:41:56.170812415Z",
      "status": "OPEN"
    },
    {
      "id": "971de01b-90b7-4f2c-a9c3-04ee53b70275",
      "fingerprint": "805fca4938e251db",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-001",
      "title": "ADCS ESC1: certificate template allows alternate-SAN supply with client-auth EKU — OBX_ESC15_v1Schema",
      "description": "Templates with msPKI-Certificate-Name-Flag bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) AND a client-authentication EKU (Client Auth, Smartcard Logon, Any Purpose, PKINIT) AND enrollable by non-privileged principals = full Domain Admin via certificate forgery (ESC1, SpecterOps Certified Pre-Owned 2021).\n\nFinding: template 'OBX_ESC15_v1Schema' allows alternate-SAN supply + auth EKU without Manager Approval — DA via cert forgery",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADObject pKICertificateTemplate ESC1 LDAP filter\nTPL|OBX_ESC2_AnyEKU|managerApproval=False\r\nTPL|OBX_ESC9_NoSecExt|managerApproval=False\r\nTPL|OBX_ESC15_v1Schema|managerApproval=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADObject pKICertificateTemplate ESC1 LDAP filter\nTPL|OBX_ESC2_AnyEKU|managerApproval=False\r\nTPL|OBX_ESC9_NoSecExt|managerApproval=False\r\nTPL|OBX_ESC15_v1Schema|managerApproval=False\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "AC-3"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(2)"
        },
        {
          "type": "mitre-attack",
          "id": "T1649"
        },
        {
          "type": "mitre-attack",
          "id": "T1078.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.170843888Z",
      "last_seen": "2026-04-28T01:41:56.170843888Z",
      "status": "OPEN"
    },
    {
      "id": "f239bb5b-d3a5-4878-8ac1-d4f8d3e5e7f6",
      "fingerprint": "7c48a939f262f39f",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-002",
      "title": "ADCS ESC2: certificate template grants Any Purpose EKU — OBX_ESC2_AnyEKU",
      "description": "Templates with pkiExtendedKeyUsage = 2.5.29.37.0 (Any Purpose) OR no EKU at all AND enrollable by non-privileged principals. The resulting certificate can authenticate as ANY user/service in the forest. ESC2 per SpecterOps Certified Pre-Owned.\n\nFinding: template 'OBX_ESC2_AnyEKU' — Any Purpose EKU (2.5.29.37.0) → certificate authenticates as any principal",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADObject ESC2 filter\nTPL|OBX_ESC2_AnyEKU|hasEKU=2.5.29.37.0\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADObject ESC2 filter\nTPL|OBX_ESC2_AnyEKU|hasEKU=2.5.29.37.0\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1649"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.170888696Z",
      "last_seen": "2026-04-28T01:41:56.170888696Z",
      "status": "OPEN"
    },
    {
      "id": "8339f274-033e-4142-bcb6-b51f46a9d7f3",
      "fingerprint": "d1189a7d7597cea9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-006",
      "title": "ADCS ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 set on CA — OBXLAB-CA",
      "description": "CA policy module EditFlags has bit 0x40000 (EDITF_ATTRIBUTESUBJECTALTNAME2) set, allowing requesters to specify alternate SAN values on ANY template enrollable by them. Equivalent to ESC1 across every template. Microsoft KB 4509489 explicitly forbids this flag.\n\nFinding: CA OBXLAB-CA on ip-208-84-101-7.obxlab.local has EDITF_ATTRIBUTESUBJECTALTNAME2 set. Fix: certutil -config 'ip-208-84-101-7.obxlab.local\\OBXLAB-CA' -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; net stop certsvc; net start certsvc",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ certutil -getreg policy\\EditFlags per CA\nCA|OBXLAB-CA|ip-208-84-101-7.obxlab.local|EditFlags=0x15014e|EDITF_ATTRIBUTESUBJECTALTNAME2=True\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ certutil -getreg policy\\EditFlags per CA\nCA|OBXLAB-CA|ip-208-84-101-7.obxlab.local|EditFlags=0x15014e|EDITF_ATTRIBUTESUBJECTALTNAME2=True\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1649"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.170928296Z",
      "last_seen": "2026-04-28T01:41:56.170928296Z",
      "status": "OPEN"
    },
    {
      "id": "fb521bed-d0e0-4502-b9f9-11b58ecc6f1e",
      "fingerprint": "4f90707808113db2",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-PRIV-006",
      "title": "Privesc: PowerShell v2 Optional Feature still installed — MicrosoftWindowsPowerShellV2",
      "description": "PowerShell v2 has no AMSI and no script-block logging. Adversaries invoke `powershell -Version 2 -Command ...` to bypass modern PowerShell logging entirely. Disable the MicrosoftWindowsPowerShellV2Root + V2 features.\n\nFinding: PowerShell feature 'MicrosoftWindowsPowerShellV2' = Enabled — disable to remove the AMSI bypass surface",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ PowerShell v2 feature state\nVAL|MicrosoftWindowsPowerShellV2|Enabled\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ PowerShell v2 feature state\nVAL|MicrosoftWindowsPowerShellV2|Enabled\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.170966492Z",
      "last_seen": "2026-04-28T01:41:56.170966492Z",
      "status": "OPEN"
    },
    {
      "id": "b194e545-9364-4624-815c-2da721bd8af6",
      "fingerprint": "ee6d8b8d5905eec4",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-008",
      "title": "ADCS ESC8: web enrollment endpoint exposed without HTTPS+EPA — OBXLAB-CA:EPA",
      "description": "ADCS web enrollment (/certsrv/) and/or CES/CEP endpoints are reachable without HTTPS-only + Extended Protection for Authentication. Combined with PetitPotam-style coercion, any unprivileged user can NTLM-relay to ADCS and obtain a DC certificate (ESC8, Microsoft ADV210003).\n\nFinding: CA OBXLAB-CA /certsrv/ Extended Protection for Authentication tokenChecking = \"\" (expected Required). NTLM relay with channel binding bypass possible",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Web enrollment endpoint probes\nCAWEB|OBXLAB-CA|ip-208-84-101-7.obxlab.local|http=True|https=False\r\nCAEPA|OBXLAB-CA|tokenChecking=\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Web enrollment endpoint probes\nCAWEB|OBXLAB-CA|ip-208-84-101-7.obxlab.local|http=True|https=False\r\nCAEPA|OBXLAB-CA|tokenChecking=\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171003429Z",
      "last_seen": "2026-04-28T01:41:56.171003429Z",
      "status": "OPEN"
    },
    {
      "id": "235b3284-d325-48a1-bf74-7877173c6a17",
      "fingerprint": "415cdccf911dfd9d",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-009",
      "title": "ADCS ESC9: certificate template has no_security_extension flag — OBX_ESC9_NoSecExt",
      "description": "Templates with msPKI-Enrollment-Flag bit 0x80000 (CT_FLAG_NO_SECURITY_EXTENSION) emit certificates without the szOID_NTDS_CA_SECURITY_EXT extension that binds cert to user SID. Combined with weak certificate mapping (ESC10) on DCs, enables impersonation across user accounts. CVE-2022-26923 era. Microsoft KB5014754 enforces strong binding mode 2.\n\nFinding: template 'OBX_ESC9_NoSecExt' has CT_FLAG_NO_SECURITY_EXTENSION (0x80000) — cert lacks SID binding, ESC9 abuse vector",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ ESC9 enrollment-flag LDAP filter\nTPL|OBX_ESC9_NoSecExt\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ ESC9 enrollment-flag LDAP filter\nTPL|OBX_ESC9_NoSecExt\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1649"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171036987Z",
      "last_seen": "2026-04-28T01:41:56.171036987Z",
      "status": "OPEN"
    },
    {
      "id": "e4447377-42d1-4252-ac07-364a24bcc9ab",
      "fingerprint": "662a5018fcb5cc5c",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-010",
      "title": "ADCS ESC10: weak certificate-account mapping on Domain Controllers — StrongCertificateBindingEnforcement",
      "description": "DC registry HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement is not 2 (Full Enforcement) AND/OR HKLM:\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Kerberos\\Parameters\\CertificateMappingMethods allows weak mappings (UPN alone). CVE-2022-26923 / KB5014754 require Full Enforcement.\n\nFinding: got \"\" (expected 2 = Full Enforcement). KB5014754 requires this. Fix: Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Kdc' -Name StrongCertificateBindingEnforcement -Value 2 -Type DWord; reboot",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Kdc + Kerberos cert-mapping registry\nStrongCertificateBindingEnforcement=\"\" CertificateMappingMethods=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Kdc + Kerberos cert-mapping registry\nStrongCertificateBindingEnforcement=\"\" CertificateMappingMethods=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1649"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.17106148Z",
      "last_seen": "2026-04-28T01:41:56.17106148Z",
      "status": "OPEN"
    },
    {
      "id": "1ec5cd38-5e2f-42ec-ba70-ec0ae9d3c05d",
      "fingerprint": "c2e0cb1441edac12",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-ADCS-015",
      "title": "ADCS ESC15 / EKUwu: schema-v1 template with ENROLLEE_SUPPLIES_SUBJECT — OBX_ESC15_v1Schema",
      "description": "Templates with msPKI-Template-Schema-Version = 1 AND CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set. CVE-2024-49019 (Nov 2024 patch). Schema-v1 templates accept arbitrary application-policy injection from the requester, allowing a non-priv user to mint a cert with Client Auth + bypass strong binding. Microsoft KB5044280 mitigates server-side; remove vulnerable templates.\n\nFinding: template 'OBX_ESC15_v1Schema' is schema-v1 with ENROLLEE_SUPPLIES_SUBJECT — CVE-2024-49019 EKUwu. Remove from issuance OR upgrade to schema v2/v3",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ ESC15 schema-v1 + subject-supply LDAP\nTPL|OBX_ESC15_v1Schema\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ ESC15 schema-v1 + subject-supply LDAP\nTPL|OBX_ESC15_v1Schema\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1649"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171090051Z",
      "last_seen": "2026-04-28T01:41:56.171090051Z",
      "status": "OPEN"
    },
    {
      "id": "11c20a53-47ae-4f03-85c2-3ae1d9ecbe5f",
      "fingerprint": "9730a166ed39e749",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-PRIV-009",
      "title": "Privesc T1003.001: LSASS RunAsPPL not enabled — RunAsPPL",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL = 1 protects LSASS as Protected Process Light, blocking Mimikatz-style credential dumps unless the attacker has a signed kernel-driver primitive. Server 2016+ baseline: 1 (or 2 with UEFI lock).\n\nFinding: Lsa\\RunAsPPL = -2 (probe returned an empty value). Set to 1 (or 2 + UEFI lock) so LSASS runs as Protected Process Light",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Lsa RunAsPPL\nVAL|RunAsPPL=\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Lsa RunAsPPL\nVAL|RunAsPPL=\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171107417Z",
      "last_seen": "2026-04-28T01:41:56.171107417Z",
      "status": "OPEN"
    },
    {
      "id": "ebefe891-fcd6-47ff-bc74-3ee9aec05ba2",
      "fingerprint": "a4553ed103aa90f1",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-PRIV-010",
      "title": "Privesc: LocalAccountTokenFilterPolicy = 1 (remote admin token) — LocalAccountTokenFilterPolicy",
      "description": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy = 1 disables UAC remote-token filtering, letting any local admin authenticate over the network with a non-filtered token. Default and CIS-required = 0.\n\nFinding: LocalAccountTokenFilterPolicy = -2 (probe returned an empty value; expected 0). Disables UAC remote-token filtering for local admins",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ LocalAccountTokenFilterPolicy\nVAL|LocalAccountTokenFilterPolicy=\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ LocalAccountTokenFilterPolicy\nVAL|LocalAccountTokenFilterPolicy=\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1078.003"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171126988Z",
      "last_seen": "2026-04-28T01:41:56.171126988Z",
      "status": "OPEN"
    },
    {
      "id": "a3392b27-f9b5-4f16-8320-0dbc53ecbff4",
      "fingerprint": "9f7c829b0fc95cb5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-PG-002",
      "title": "Privileged groups: Enterprise Admins non-empty — Administrator",
      "description": "Enterprise Admins group should be empty outside of forest-level operations (schema upgrades / domain adds). Persistent members hold forest-wide privileges that cannot be reduced.\n\nFinding: Enterprise Admins has persistent member 'Administrator' — should be empty outside forest-level operations",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADGroupMember Enterprise Admins\nMEMBER|Administrator\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADGroupMember Enterprise Admins\nMEMBER|Administrator\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1078.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171163576Z",
      "last_seen": "2026-04-28T01:41:56.171163576Z",
      "status": "OPEN"
    },
    {
      "id": "736e620f-baa8-4252-a499-adedf604bf74",
      "fingerprint": "1048f51e984204ae",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-PG-003",
      "title": "Privileged groups: Schema Admins non-empty — Administrator",
      "description": "Schema Admins group should be empty outside of forest-level operations (schema upgrades / domain adds). Persistent members hold forest-wide privileges that cannot be reduced.\n\nFinding: Schema Admins has persistent member 'Administrator' — should be empty outside forest-level operations",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADGroupMember Schema Admins\nMEMBER|Administrator\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADGroupMember Schema Admins\nMEMBER|Administrator\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1078.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171185526Z",
      "last_seen": "2026-04-28T01:41:56.171185526Z",
      "status": "OPEN"
    },
    {
      "id": "b12c2c9d-aca4-4c90-ac76-5beebde8dbf9",
      "fingerprint": "50bd2f00cf83964d",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-PRIV-014",
      "title": "Privesc T1003: DisableRestrictedAdmin = 0 (RestrictedAdmin allowed) — DisableRestrictedAdmin",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin = 0 (default) allows RDP restricted-admin mode. With restricted-admin mode enabled, an attacker can pass-the-hash over RDP. CIS-hardened value: 1.\n\nFinding: DisableRestrictedAdmin = 0 (expected 1 — block RDP RestrictedAdmin pass-the-hash)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ RestrictedAdmin LSA values\nVAL|DisableRestrictedAdmin=|DisableRestrictedAdminOutboundCreds=\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ RestrictedAdmin LSA values\nVAL|DisableRestrictedAdmin=|DisableRestrictedAdminOutboundCreds=\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171212104Z",
      "last_seen": "2026-04-28T01:41:56.171212104Z",
      "status": "OPEN"
    },
    {
      "id": "742ba998-91c6-4c07-ad07-fbc9f90db705",
      "fingerprint": "50bd2f00cf83964d",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-PRIV-014",
      "title": "Privesc T1003: DisableRestrictedAdmin = 0 (RestrictedAdmin allowed) — DisableRestrictedAdminOutboundCreds",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin = 0 (default) allows RDP restricted-admin mode. With restricted-admin mode enabled, an attacker can pass-the-hash over RDP. CIS-hardened value: 1.\n\nFinding: DisableRestrictedAdminOutboundCreds = 0 (expected 1)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ RestrictedAdmin LSA values\nVAL|DisableRestrictedAdmin=|DisableRestrictedAdminOutboundCreds=\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ RestrictedAdmin LSA values\nVAL|DisableRestrictedAdmin=|DisableRestrictedAdminOutboundCreds=\r\nPROBE_DONE"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171229828Z",
      "last_seen": "2026-04-28T01:41:56.171229828Z",
      "status": "OPEN"
    },
    {
      "id": "ed6cc434-3f71-482b-9ced-487488953418",
      "fingerprint": "c4600614002f09ac",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DCH-001",
      "title": "DC hardening: Print Spooler service running on DC — Spooler",
      "description": "PrintNightmare (CVE-2021-34527) and follow-on spooler RCEs are pre-auth SYSTEM on any host running the Print Spooler service. CISA, MS and CIS all recommend stopping and disabling the Spooler service on every Domain Controller. Default Server 2019/2022 = Running.\n\nFinding: Print Spooler is Running with start type Automatic on a DC. Stop-Service Spooler; Set-Service Spooler -StartupType Disabled",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-Service Spooler\nSTATE|Running|Automatic"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-Service Spooler\nSTATE|Running|Automatic"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1210"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.171255571Z",
      "last_seen": "2026-04-28T01:41:56.171255571Z",
      "status": "OPEN"
    },
    {
      "id": "e6fbcfda-c86a-41ce-a215-59476a329059",
      "fingerprint": "b6a247499e57c317",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "persistence",
      "rule_id": "AUD-WIN-PRIV-015",
      "title": "Privesc T1574.001: SafeDllSearchMode disabled or CWDIllegalInDllSearch missing — SafeDllSearchMode",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode = 1 (default) puts the process current directory AFTER System32 in the loader search order. Setting to 0 reintroduces classic DLL planting. CWDIllegalInDllSearch = 0xFFFFFFFF blocks loading from network/UNC CWDs entirely.\n\nFinding: SafeDllSearchMode = 0 (CWD-before-System32 — classic DLL planting)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ SafeDllSearchMode + CWDIllegalInDllSearch\nVAL|SafeDllSearchMode=|CWDIllegalInDllSearch=\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ SafeDllSearchMode + CWDIllegalInDllSearch\nVAL|SafeDllSearchMode=|CWDIllegalInDllSearch=\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1574.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "persistence"
      ],
      "first_seen": "2026-04-28T01:41:56.171278714Z",
      "last_seen": "2026-04-28T01:41:56.171278714Z",
      "status": "OPEN"
    },
    {
      "id": "a345a3a4-a55b-43bc-a150-29bce1369169",
      "fingerprint": "bc766080bb90cef8",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-001",
      "title": "Microsoft Defender engine pillar(s) disabled — DisableRemovableDriveScanning",
      "description": "One or more of the seven Get-MpPreference Disable* flags is True. Each corresponds to a Defender pillar (real-time scan, behavior monitor, IOAV download scan, AMSI script inspection, archive scan, USB scan, NIS network inspection). T1562.001 — a single attacker primitive disables one or more of these to blind defenses before execution.\n\nFinding: DisableRemovableDriveScanning=True — USB drives not scanned on insert. Fix: Set-MpPreference -DisableRemovableDriveScanning $false",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpComputerStatus + Get-MpPreference (engine health)\nAVEnabled=\"True\" AMService=\"True\" Mode=\"Normal\" RT=\"False\" Behavior=\"False\" IOAV=\"False\" Script=\"False\" Archive=\"False\" USB=\"True\" NIS=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpComputerStatus + Get-MpPreference (engine health)\nAVEnabled=\"True\" AMService=\"True\" Mode=\"Normal\" RT=\"False\" Behavior=\"False\" IOAV=\"False\" Script=\"False\" Archive=\"False\" USB=\"True\" NIS=\"\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.10.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.10.3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AV-000010"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.171323099Z",
      "last_seen": "2026-04-28T01:41:56.171323099Z",
      "status": "OPEN"
    },
    {
      "id": "8c1a5c7d-63d8-4ec2-9d86-03059b2d521a",
      "fingerprint": "29b3f93c2bb22dfa",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DCH-002",
      "title": "DC hardening: Point-and-Print not restricted to administrators — RestrictDriverInstallationToAdministrators",
      "description": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint requires:\n  RestrictDriverInstallationToAdministrators = 1\n  NoWarningNoElevationOnInstall = 0\n  UpdatePromptSettings = 0\nWithout these, any user can install a driver — the same primitive PrintNightmare uses for SYSTEM RCE.\n\nFinding: RestrictDriverInstallationToAdministrators = -1 (expected 1)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get Point-and-Print policy\nVAL|RestrictDriverInstallationToAdministrators=-1|NoWarningNoElevationOnInstall=-1|UpdatePromptSettings=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get Point-and-Print policy\nVAL|RestrictDriverInstallationToAdministrators=-1|NoWarningNoElevationOnInstall=-1|UpdatePromptSettings=-1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.171378092Z",
      "last_seen": "2026-04-28T01:41:56.171378092Z",
      "status": "OPEN"
    },
    {
      "id": "73fb7452-fccf-47aa-acff-675d2f21ca44",
      "fingerprint": "29b3f93c2bb22dfa",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DCH-002",
      "title": "DC hardening: Point-and-Print not restricted to administrators — NoWarningNoElevationOnInstall",
      "description": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint requires:\n  RestrictDriverInstallationToAdministrators = 1\n  NoWarningNoElevationOnInstall = 0\n  UpdatePromptSettings = 0\nWithout these, any user can install a driver — the same primitive PrintNightmare uses for SYSTEM RCE.\n\nFinding: NoWarningNoElevationOnInstall = -1 (expected 0)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get Point-and-Print policy\nVAL|RestrictDriverInstallationToAdministrators=-1|NoWarningNoElevationOnInstall=-1|UpdatePromptSettings=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get Point-and-Print policy\nVAL|RestrictDriverInstallationToAdministrators=-1|NoWarningNoElevationOnInstall=-1|UpdatePromptSettings=-1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.171401547Z",
      "last_seen": "2026-04-28T01:41:56.171401547Z",
      "status": "OPEN"
    },
    {
      "id": "c5041bf4-b4cb-4329-87f2-f34f16bc6197",
      "fingerprint": "29b3f93c2bb22dfa",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DCH-002",
      "title": "DC hardening: Point-and-Print not restricted to administrators — UpdatePromptSettings",
      "description": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint requires:\n  RestrictDriverInstallationToAdministrators = 1\n  NoWarningNoElevationOnInstall = 0\n  UpdatePromptSettings = 0\nWithout these, any user can install a driver — the same primitive PrintNightmare uses for SYSTEM RCE.\n\nFinding: UpdatePromptSettings = -1 (expected 0)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get Point-and-Print policy\nVAL|RestrictDriverInstallationToAdministrators=-1|NoWarningNoElevationOnInstall=-1|UpdatePromptSettings=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get Point-and-Print policy\nVAL|RestrictDriverInstallationToAdministrators=-1|NoWarningNoElevationOnInstall=-1|UpdatePromptSettings=-1"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.171429962Z",
      "last_seen": "2026-04-28T01:41:56.171429962Z",
      "status": "OPEN"
    },
    {
      "id": "202f79d4-91e7-4846-b597-ada84bc81ee6",
      "fingerprint": "d0c827e314a5bacc",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-PG-006",
      "title": "Privileged groups: Pre-Windows 2000 Compatible Access has broad principal — Authenticated Users",
      "description": "Pre-Windows 2000 Compatible Access (BUILTIN, S-1-5-32-554) grants Read on AD user attributes including legacy attributes. Authenticated Users / Anonymous Logon / Everyone / Domain Users as a member effectively gives every authenticated principal unrestricted AD enumeration. Default on Server 2003+ is empty or contains Authenticated Users only when 'pre-Win2k compat' was selected at dcpromo. CIS recommends empty.\n\nFinding: Pre-Win2k Compatible Access has broad principal 'Authenticated Users' (SID S-1-5-11) — anonymous/authenticated AD enumeration",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADGroupMember Pre-Win2k Compatible Access\nMEMBER|IP-208-84-101-7$|S-1-5-21-873624365-3528634227-720301803-1001\r\nMEMBER|Authenticated Users|S-1-5-11\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADGroupMember Pre-Win2k Compatible Access\nMEMBER|IP-208-84-101-7$|S-1-5-21-873624365-3528634227-720301803-1001\r\nMEMBER|Authenticated Users|S-1-5-11\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1087.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.17148625Z",
      "last_seen": "2026-04-28T01:41:56.17148625Z",
      "status": "OPEN"
    },
    {
      "id": "8776aff1-06a0-4844-9dea-f537e3a2b37b",
      "fingerprint": "3e9969a270d55fde",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-002",
      "title": "Defender cloud protection / sample submission / signatures stale — SubmitSamplesConsent",
      "description": "MAPSReporting != 2 (cloud not engaged), SubmitSamplesConsent disabled (no sample upload — cloud lookup misses), CloudBlockLevel below baseline, OR signatures \u003e 24h stale. Each gap reduces Defender's catch rate against new / polymorphic malware that is caught by cloud-side reputation rather than local definitions.\n\nFinding: SubmitSamplesConsent set to 2 (Never send) — block-at-first-sight cannot escalate to a cloud verdict",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpComputerStatus + Get-MpPreference (cloud + sigs)\nMAPS=\"2\" Samples=\"2\" CloudBlock=\"0\" BlockAtFirstSeen=\"False\" SigsLastUpdated=\"04/27/2026 10:33:10\" SigVersion=\"1.449.333.0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpComputerStatus + Get-MpPreference (cloud + sigs)\nMAPS=\"2\" Samples=\"2\" CloudBlock=\"0\" BlockAtFirstSeen=\"False\" SigsLastUpdated=\"04/27/2026 10:33:10\" SigVersion=\"1.449.333.0\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.5.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.5.3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3(2)"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.171544255Z",
      "last_seen": "2026-04-28T01:41:56.171544255Z",
      "status": "OPEN"
    },
    {
      "id": "ded16551-11a4-4bae-bcc5-08f462926cce",
      "fingerprint": "3e9969a270d55fde",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-002",
      "title": "Defender cloud protection / sample submission / signatures stale — CloudBlockLevel",
      "description": "MAPSReporting != 2 (cloud not engaged), SubmitSamplesConsent disabled (no sample upload — cloud lookup misses), CloudBlockLevel below baseline, OR signatures \u003e 24h stale. Each gap reduces Defender's catch rate against new / polymorphic malware that is caught by cloud-side reputation rather than local definitions.\n\nFinding: CloudBlockLevel set to 0 (Default — least blocking). CIS / MS Baseline recommend 2 (High) as the minimum",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpComputerStatus + Get-MpPreference (cloud + sigs)\nMAPS=\"2\" Samples=\"2\" CloudBlock=\"0\" BlockAtFirstSeen=\"False\" SigsLastUpdated=\"04/27/2026 10:33:10\" SigVersion=\"1.449.333.0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpComputerStatus + Get-MpPreference (cloud + sigs)\nMAPS=\"2\" Samples=\"2\" CloudBlock=\"0\" BlockAtFirstSeen=\"False\" SigsLastUpdated=\"04/27/2026 10:33:10\" SigVersion=\"1.449.333.0\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.5.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.5.3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3(2)"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.171571246Z",
      "last_seen": "2026-04-28T01:41:56.171571246Z",
      "status": "OPEN"
    },
    {
      "id": "0d001ffa-62d5-4f93-b09a-63bba2abdac2",
      "fingerprint": "8833b14221826482",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-DCH-003",
      "title": "DC hardening: Defender ExclusionPath beyond MS DC baseline — C:\\ProgramData\\obx_persX_drv.sys",
      "description": "Microsoft's official DC AV exclusions list (KB822158) covers the AD database, log files, SYSVOL, NTDS and DFSR. Any path outside that set is suspicious — a likely indicator of adversary persistence and AV bypass. The check matches paths against an allowlist of normalized prefixes; anything else fires.\n\nFinding: Defender exclusion path 'C:\\ProgramData\\obx_persX_drv.sys' is outside the MS DC baseline (KB 822158). Audit and remove",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference ExclusionPath\nEXCL|C:\\ProgramData\\obx_persX_drv.sys\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference ExclusionPath\nEXCL|C:\\ProgramData\\obx_persX_drv.sys\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1562.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.171610038Z",
      "last_seen": "2026-04-28T01:41:56.171610038Z",
      "status": "OPEN"
    },
    {
      "id": "547ebca6-84e3-49ca-be39-3312b31504e8",
      "fingerprint": "395ce4cd9d654bc6",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-DCH-004",
      "title": "DC hardening: DsrmAdminLogonBehavior allows DSRM admin in normal mode — DsrmAdminLogonBehavior",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior controls whether the Directory Services Restore Mode admin can log on while the DC is operating normally. 0 (default) and 1 = allowed, 2 = DSRM-mode only. DSRM credentials are forest-wide and never rotated by default; 2 is mandatory for hardened DCs.\n\nFinding: DsrmAdminLogonBehavior = -1. Set to 2 so the DSRM admin can only log on while in DSRM mode",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get DsrmAdminLogonBehavior\nVAL|DsrmAdminLogonBehavior=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get DsrmAdminLogonBehavior\nVAL|DsrmAdminLogonBehavior=-1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "mitre-attack",
          "id": "T1078.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171640593Z",
      "last_seen": "2026-04-28T01:41:56.171640593Z",
      "status": "OPEN"
    },
    {
      "id": "1b2bf9da-799b-418f-8d87-c0a150564d2e",
      "fingerprint": "191d595a28362104",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-003",
      "title": "Microsoft Defender Tamper Protection is OFF — TamperProtection",
      "description": "Get-MpComputerStatus.IsTamperProtected = False. Without Tamper Protection, an attacker holding a local Administrator token can disable Defender entirely with a single PowerShell line (Set-MpPreference -DisableRealtimeMonitoring $true) — bypassing every other Defender hardening control. T1562.001 master-disable. Required by every modern hardening baseline (CIS, MS Baseline, DISA STIG).\n\nFinding: IsTamperProtected=False. Enable via Windows Security UI \u003e Virus \u0026 threat protection \u003e Tamper Protection (or via Intune / MDE tenant attach for managed devices)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ (Get-MpComputerStatus).IsTamperProtected\nIsTamperProtected=\"False\""
        },
        {
          "kind": "audit_probe",
          "content": "$ (Get-MpComputerStatus).IsTamperProtected\nIsTamperProtected=\"False\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "SI-7"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.171659392Z",
      "last_seen": "2026-04-28T01:41:56.171659392Z",
      "status": "OPEN"
    },
    {
      "id": "5ebd6e55-2bc7-45c2-885d-e95f74299b95",
      "fingerprint": "7d3e8efdb6135d30",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-PG-007",
      "title": "LAPS: coverage gap on managed computers — LAPS coverage",
      "description": "Computers without ms-Mcs-AdmPwdExpirationTime / msLAPS-PasswordExpirationTime have no managed local-admin password rotation. Lateral movement via reused / static local admin secrets becomes trivial. Coverage \u003c50% is HIGH; \u003c10% (or no LAPS schema) is CRITICAL.\n\nFinding: 0 of 1 non-DC computers have LAPS expiration attribute set (0%). Deploy Windows LAPS via Intune/GPO",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ LAPS attribute coverage on member computers\nCOVERAGE|total=1|laps=0\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ LAPS attribute coverage on member computers\nCOVERAGE|total=1|laps=0\r\nPROBE_DONE"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1550.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.171680524Z",
      "last_seen": "2026-04-28T01:41:56.171680524Z",
      "status": "OPEN"
    },
    {
      "id": "8b3f21b2-7153-4fe3-b75d-90c087964b73",
      "fingerprint": "8aca5dea1803cf2d",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-DCH-007",
      "title": "DC hardening: latest hotfix older than 30 days — KB5010523",
      "description": "Days since the most recent hotfix's InstalledOn value. \u003e30d = HIGH (one missed Patch Tuesday), \u003e60d = CRITICAL. The probe queries Get-HotFix and reports the newest.\n\nFinding: Newest hotfix KB5010523 installed 2022-03-03 (1517 days ago). Run a cumulative update",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-HotFix latest\nHOTFIX|KB5010523|2022-03-03"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-HotFix latest\nHOTFIX|KB5010523|2022-03-03"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "tags": [
        "audit",
        "observed",
        "integrity"
      ],
      "first_seen": "2026-04-28T01:41:56.171699654Z",
      "last_seen": "2026-04-28T01:41:56.171699654Z",
      "status": "OPEN"
    },
    {
      "id": "b9d073c6-6669-4b28-b804-76660b2a03b0",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Credential Validation",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Credential Validation' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.171825628Z",
      "last_seen": "2026-04-28T01:41:56.171825628Z",
      "status": "OPEN"
    },
    {
      "id": "defd3630-07b5-455f-83bb-03a42754ee3c",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Kerberos Authentication Service",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Kerberos Authentication Service' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.171944733Z",
      "last_seen": "2026-04-28T01:41:56.171944733Z",
      "status": "OPEN"
    },
    {
      "id": "c72d4629-de54-43a4-b6f7-02dc8314e777",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Kerberos Service Ticket Operations",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Kerberos Service Ticket Operations' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.172061487Z",
      "last_seen": "2026-04-28T01:41:56.172061487Z",
      "status": "OPEN"
    },
    {
      "id": "3c521c41-b2b9-4e9e-89c7-1205c6023083",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Other Account Logon Events",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Other Account Logon Events' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.172181721Z",
      "last_seen": "2026-04-28T01:41:56.172181721Z",
      "status": "OPEN"
    },
    {
      "id": "020055aa-7621-4c04-a5c0-c0cf974aa6f6",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — User Account Management",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'User Account Management' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.172298043Z",
      "last_seen": "2026-04-28T01:41:56.172298043Z",
      "status": "OPEN"
    },
    {
      "id": "e64c7743-227e-4621-9dfa-52f5d774ea79",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Computer Account Management",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Computer Account Management' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.172415826Z",
      "last_seen": "2026-04-28T01:41:56.172415826Z",
      "status": "OPEN"
    },
    {
      "id": "f0117ce3-08ca-4836-a3c3-9e1c2d5ce806",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Security Group Management",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Security Group Management' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.172532993Z",
      "last_seen": "2026-04-28T01:41:56.172532993Z",
      "status": "OPEN"
    },
    {
      "id": "76fc82de-83f7-4153-8095-cf6e07ec2f4b",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Directory Service Access",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Directory Service Access' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.172648543Z",
      "last_seen": "2026-04-28T01:41:56.172648543Z",
      "status": "OPEN"
    },
    {
      "id": "23feee66-f40c-403f-84aa-3f0f5c6e8a39",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Directory Service Changes",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Directory Service Changes' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.172769053Z",
      "last_seen": "2026-04-28T01:41:56.172769053Z",
      "status": "OPEN"
    },
    {
      "id": "be65af06-59ac-4e07-8fbd-5f04894d8127",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Logon",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Logon' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.172894054Z",
      "last_seen": "2026-04-28T01:41:56.172894054Z",
      "status": "OPEN"
    },
    {
      "id": "4b855d69-63d5-4ed3-acf4-37793a72b874",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Logoff",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Logoff' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.173014133Z",
      "last_seen": "2026-04-28T01:41:56.173014133Z",
      "status": "OPEN"
    },
    {
      "id": "a5e7d8f9-0440-4cac-b2ce-fd55abdad884",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Special Logon",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Special Logon' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.173134018Z",
      "last_seen": "2026-04-28T01:41:56.173134018Z",
      "status": "OPEN"
    },
    {
      "id": "232f1df5-5085-4999-9db5-d7bebc5ed509",
      "fingerprint": "eeba45b6e4f1ff7b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-DCH-008",
      "title": "DC hardening: audit policy critical subcategories not at Success+Failure — Account Lockout",
      "description": "auditpol /get must show Success and Failure for the critical subcategories: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events, User Account Management, Computer Account Management, Security Group Management, Directory Service Access, Directory Service Changes, Logon, Logoff, Special Logon, Account Lockout. Anything below S+F is a logging blind spot on a DC.\n\nFinding: Audit subcategory 'Account Lockout' = 'No Auditing' (expected 'Success and Failure')",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol /get /category:*\nAP|System audit policy\r\nAP|\r\nAP|Category/Subcategory                      Setting\r\nAP|System\r\nAP|  Security System Extension               No Auditing\r\nAP|\r\nAP|  System Integrity                        No Auditing\r\nAP|\r\nAP|  IPsec Driver                            No Auditing\r\nAP|\r\nAP|  Other System Events                     No Auditing\r\nAP|\r\nAP|  Security State Change                   No Auditing\r\nAP|\r\nAP|Logon/Logoff\r\nAP|  Logon                                   No Auditing\r\nAP|\r\nAP|  Logoff                                  No Auditing\r\nAP|\r\nAP|  Account Lockout                         No  …(truncated, 3 B more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.x"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.173251314Z",
      "last_seen": "2026-04-28T01:41:56.173251314Z",
      "status": "OPEN"
    },
    {
      "id": "ec4e9bb6-5f46-4d6e-af3c-0d9ce1f90229",
      "fingerprint": "c94aacd6f908f0f0",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DCH-009",
      "title": "DC hardening: NTLM inbound not restricted or audited — RestrictReceivingNTLMTraffic",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictReceivingNTLMTraffic = 1 audits inbound NTLM, 2 denies. AuditReceivingNTLMTraffic = 2 logs every NTLM use. Unset (0) is silent and accepting — a DC accepting NTLM blindly is the relay sink.\n\nFinding: RestrictReceivingNTLMTraffic = -1 (expected ≥ 1 audit, 2 deny)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get NTLM inbound restriction\nVAL|RestrictReceivingNTLMTraffic=-1|AuditReceivingNTLMTraffic=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get NTLM inbound restriction\nVAL|RestrictReceivingNTLMTraffic=-1|AuditReceivingNTLMTraffic=-1"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.173383946Z",
      "last_seen": "2026-04-28T01:41:56.173383946Z",
      "status": "OPEN"
    },
    {
      "id": "877f4b9e-e556-43f4-9853-722cc413943e",
      "fingerprint": "c94aacd6f908f0f0",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-DCH-009",
      "title": "DC hardening: NTLM inbound not restricted or audited — AuditReceivingNTLMTraffic",
      "description": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictReceivingNTLMTraffic = 1 audits inbound NTLM, 2 denies. AuditReceivingNTLMTraffic = 2 logs every NTLM use. Unset (0) is silent and accepting — a DC accepting NTLM blindly is the relay sink.\n\nFinding: AuditReceivingNTLMTraffic = -1 (expected 2 = full audit)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get NTLM inbound restriction\nVAL|RestrictReceivingNTLMTraffic=-1|AuditReceivingNTLMTraffic=-1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get NTLM inbound restriction\nVAL|RestrictReceivingNTLMTraffic=-1|AuditReceivingNTLMTraffic=-1"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.173403315Z",
      "last_seen": "2026-04-28T01:41:56.173403315Z",
      "status": "OPEN"
    },
    {
      "id": "791865c6-2044-4587-84ec-6e4cd519e6eb",
      "fingerprint": "2151a1f1f718c94b",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-FH-003",
      "title": "Forest hygiene: AD Recycle Bin not enabled — Recycle Bin Feature",
      "description": "Without the Recycle Bin Optional Feature, deleted AD objects lose all link-valued and back-link attributes, so full recovery from accidental or malicious bulk deletion (e.g. an adversary scrubbing audit groups) is impossible. Once enabled, the feature cannot be disabled.\n\nFinding: Recycle Bin Feature enabled = False. Remediation: Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target \u003cForestRootDN\u003e. Cannot be disabled once enabled — coordinate before changing.",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADOptionalFeature Recycle Bin\nRECYCLE|enabled=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADOptionalFeature Recycle Bin\nRECYCLE|enabled=False\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.1.x"
        },
        {
          "type": "mitre-attack",
          "id": "T1485"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173428543Z",
      "last_seen": "2026-04-28T01:41:56.173428543Z",
      "status": "OPEN"
    },
    {
      "id": "3f0eca75-2e01-400b-a866-f05cf7b75e2c",
      "fingerprint": "7a3870ed4b109b16",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-006",
      "title": "Anonymous (null-session) restrictions deviate from CIS / DISA STIG — RestrictAnonymous",
      "description": "One or more LSA / LanmanServer settings that govern anonymous network access (null sessions to SAM, shares, and named pipes) are below baseline. These are the recon primitives every BloodHound-style enumeration depends on. Even when defaults are hardened, legacy compatibility scripts and downgrade attacks routinely re-open them.\n\nFinding: got 0, expected 1 — null-session share/pipe enumeration possible",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty HKLM:\\..\\Lsa + LanManServer\\Parameters (multi-key)\nRestrictAnonymousSAM=\"1\" RestrictAnonymous=\"0\" EveryoneIncludesAnonymous=\"\" RestrictRemoteSAM=\"\" RestrictNullSessAccess=\"1\" NullSessionPipes=\"netlogon,samr,lsarpc\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty HKLM:\\..\\Lsa + LanManServer\\Parameters (multi-key)\nRestrictAnonymousSAM=\"1\" RestrictAnonymous=\"0\" EveryoneIncludesAnonymous=\"\" RestrictRemoteSAM=\"\" RestrictNullSessAccess=\"1\" NullSessionPipes=\"netlogon,samr,lsarpc\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.10"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.11"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.10.5"
        },
        {
          "type": "nist-800-53",
          "id": "AC-3"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000110"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000120"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000130"
        },
        {
          "type": "mitre-attack",
          "id": "T1087.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1135"
        },
        {
          "type": "mitre-attack",
          "id": "T1018"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.17347482Z",
      "last_seen": "2026-04-28T01:41:56.17347482Z",
      "status": "OPEN"
    },
    {
      "id": "6fa71984-d61c-452d-8bf6-b4acc4d24a60",
      "fingerprint": "7a3870ed4b109b16",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-006",
      "title": "Anonymous (null-session) restrictions deviate from CIS / DISA STIG — NullSessionPipes",
      "description": "One or more LSA / LanmanServer settings that govern anonymous network access (null sessions to SAM, shares, and named pipes) are below baseline. These are the recon primitives every BloodHound-style enumeration depends on. Even when defaults are hardened, legacy compatibility scripts and downgrade attacks routinely re-open them.\n\nFinding: non-empty: netlogon,samr,lsarpc — each pipe is reachable without auth (legacy SQL/MSDTC compat)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty HKLM:\\..\\Lsa + LanManServer\\Parameters (multi-key)\nRestrictAnonymousSAM=\"1\" RestrictAnonymous=\"0\" EveryoneIncludesAnonymous=\"\" RestrictRemoteSAM=\"\" RestrictNullSessAccess=\"1\" NullSessionPipes=\"netlogon,samr,lsarpc\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty HKLM:\\..\\Lsa + LanManServer\\Parameters (multi-key)\nRestrictAnonymousSAM=\"1\" RestrictAnonymous=\"0\" EveryoneIncludesAnonymous=\"\" RestrictRemoteSAM=\"\" RestrictNullSessAccess=\"1\" NullSessionPipes=\"netlogon,samr,lsarpc\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.10"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.11"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.10.5"
        },
        {
          "type": "nist-800-53",
          "id": "AC-3"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000110"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000120"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000130"
        },
        {
          "type": "mitre-attack",
          "id": "T1087.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1135"
        },
        {
          "type": "mitre-attack",
          "id": "T1018"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173510022Z",
      "last_seen": "2026-04-28T01:41:56.173510022Z",
      "status": "OPEN"
    },
    {
      "id": "bf4487ba-cfac-40a4-98d7-aa2045c992f0",
      "fingerprint": "7a3870ed4b109b16",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-006",
      "title": "Anonymous (null-session) restrictions deviate from CIS / DISA STIG — RestrictRemoteSAM",
      "description": "One or more LSA / LanmanServer settings that govern anonymous network access (null sessions to SAM, shares, and named pipes) are below baseline. These are the recon primitives every BloodHound-style enumeration depends on. Even when defaults are hardened, legacy compatibility scripts and downgrade attacks routinely re-open them.\n\nFinding: not set — remote SAM read accessible to any authenticated user (BloodHound primitive)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty HKLM:\\..\\Lsa + LanManServer\\Parameters (multi-key)\nRestrictAnonymousSAM=\"1\" RestrictAnonymous=\"0\" EveryoneIncludesAnonymous=\"\" RestrictRemoteSAM=\"\" RestrictNullSessAccess=\"1\" NullSessionPipes=\"netlogon,samr,lsarpc\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty HKLM:\\..\\Lsa + LanManServer\\Parameters (multi-key)\nRestrictAnonymousSAM=\"1\" RestrictAnonymous=\"0\" EveryoneIncludesAnonymous=\"\" RestrictRemoteSAM=\"\" RestrictNullSessAccess=\"1\" NullSessionPipes=\"netlogon,samr,lsarpc\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.10"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.11"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.10.5"
        },
        {
          "type": "nist-800-53",
          "id": "AC-3"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000110"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000120"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000130"
        },
        {
          "type": "mitre-attack",
          "id": "T1087.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1135"
        },
        {
          "type": "mitre-attack",
          "id": "T1018"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173544681Z",
      "last_seen": "2026-04-28T01:41:56.173544681Z",
      "status": "OPEN"
    },
    {
      "id": "1e38d8a0-9755-4aea-b671-b3620e032246",
      "fingerprint": "da75e3923a84dbbe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-FH-006",
      "title": "Forest hygiene: Default Domain Password Policy below baseline — MinPasswordLength",
      "description": "Get-ADDefaultDomainPasswordPolicy returns the policy applied to every domain user that is not under a Fine-Grained Password Policy. Hardened baseline: MinPasswordLength ≥ 14, ComplexityEnabled = true, LockoutThreshold \u003e 0 and ≤ 10, LockoutDuration ≥ 15 minutes, ReversibleEncryption disabled.\n\nFinding: MinPasswordLength = 7 (baseline ≥ 14)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADDefaultDomainPasswordPolicy\nPOLICY|MinLen=7|Complex=True|Lockout=0|LockDur=30|Reversible=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADDefaultDomainPasswordPolicy\nPOLICY|MinLen=7|Complex=True|Lockout=0|LockDur=30|Reversible=False\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.1.x"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(1)"
        },
        {
          "type": "mitre-attack",
          "id": "T1110"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173596441Z",
      "last_seen": "2026-04-28T01:41:56.173596441Z",
      "status": "OPEN"
    },
    {
      "id": "f247eda6-67be-4fff-9583-d765e59f2641",
      "fingerprint": "da75e3923a84dbbe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-FH-006",
      "title": "Forest hygiene: Default Domain Password Policy below baseline — LockoutThreshold",
      "description": "Get-ADDefaultDomainPasswordPolicy returns the policy applied to every domain user that is not under a Fine-Grained Password Policy. Hardened baseline: MinPasswordLength ≥ 14, ComplexityEnabled = true, LockoutThreshold \u003e 0 and ≤ 10, LockoutDuration ≥ 15 minutes, ReversibleEncryption disabled.\n\nFinding: LockoutThreshold = 0 (no account lockout — unlimited brute force)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ADDefaultDomainPasswordPolicy\nPOLICY|MinLen=7|Complex=True|Lockout=0|LockDur=30|Reversible=False\r\nPROBE_DONE"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ADDefaultDomainPasswordPolicy\nPOLICY|MinLen=7|Complex=True|Lockout=0|LockDur=30|Reversible=False\r\nPROBE_DONE"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.1.x"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(1)"
        },
        {
          "type": "mitre-attack",
          "id": "T1110"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173627813Z",
      "last_seen": "2026-04-28T01:41:56.173627813Z",
      "status": "OPEN"
    },
    {
      "id": "dad34089-f794-4261-97ac-dde95491aa73",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block exec content from email/webmail",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral movement, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable for \u003c 30 days as a rollout transition; Disabled, Warn, or not listed is a fail.\n\nFinding: rule BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 not configured (no ASR rules registered on host) — T1566.001 spear-phish exec drop",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173651783Z",
      "last_seen": "2026-04-28T01:41:56.173651783Z",
      "status": "OPEN"
    },
    {
      "id": "0e231b11-c1bd-4094-9d54-c2d4098b2292",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block all Office apps from creating child processes",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral movement, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable for \u003c 30 days as a rollout transition; Disabled, Warn, or not listed is a fail.\n\nFinding: rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A not configured (no ASR rules registered on host) — T1059.005 Office macro -\u003e cmd/PowerShell",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173656825Z",
      "last_seen": "2026-04-28T01:41:56.173656825Z",
      "status": "OPEN"
    },
    {
      "id": "c488be27-447a-4985-a1f5-9f575ec4df59",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block Office apps creating executable content",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 3B576869-A4EC-4529-8536-B80A7769E899 not configured (no ASR rules registered on host) — T1566.001 Office dropper",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.17366127Z",
      "last_seen": "2026-04-28T01:41:56.17366127Z",
      "status": "OPEN"
    },
    {
      "id": "c16d6665-0830-4a3d-9eee-78a9f671b422",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block Office apps from injecting code into other processes",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 not configured (no ASR rules registered on host) — process injection from Office",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173665586Z",
      "last_seen": "2026-04-28T01:41:56.173665586Z",
      "status": "OPEN"
    },
    {
      "id": "1b52e965-5e6d-417c-a626-ac43c5931dd4",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block JS/VBScript launching downloaded executable content",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule D3E037E1-3EB8-44C8-A917-57927947596D not configured (no ASR rules registered on host) — T1059.007 / T1059.005 script droppers",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173669719Z",
      "last_seen": "2026-04-28T01:41:56.173669719Z",
      "status": "OPEN"
    },
    {
      "id": "f5445a83-2bb4-4202-83b6-8ac746526401",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block execution of obfuscated scripts",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC not configured (no ASR rules registered on host) — T1027.010 obfuscated PS / VBS",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173675413Z",
      "last_seen": "2026-04-28T01:41:56.173675413Z",
      "status": "OPEN"
    },
    {
      "id": "26ad761e-6cae-4b69-935c-8dbcdfec510d",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block Win32 API calls from Office macros",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B not configured (no ASR rules registered on host) — T1106 Office macro Native API",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173679977Z",
      "last_seen": "2026-04-28T01:41:56.173679977Z",
      "status": "OPEN"
    },
    {
      "id": "248a15fa-d24e-4dce-9457-cd42ca99b9d1",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Use advanced ransomware protection",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule C1DB55AB-C21A-4637-BB3F-A12568109D35 not configured (no ASR rules registered on host) — T1486 ransomware encryption block",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173685148Z",
      "last_seen": "2026-04-28T01:41:56.173685148Z",
      "status": "OPEN"
    },
    {
      "id": "99b42246-8e52-4090-a1a8-ffffd4e2f558",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block credential stealing from LSASS",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 not configured (no ASR rules registered on host) — T1003.001 Mimikatz / pypykatz LSASS dump",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173689639Z",
      "last_seen": "2026-04-28T01:41:56.173689639Z",
      "status": "OPEN"
    },
    {
      "id": "4bc33e5d-d9da-4b8a-a3ad-0fe5f97d84e0",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block process creations from PSExec and WMI commands",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule D1E49AAC-8F56-4280-B9BA-993A6D77406C not configured (no ASR rules registered on host) — T1021.002 / T1047 lateral movement",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.17369795Z",
      "last_seen": "2026-04-28T01:41:56.17369795Z",
      "status": "OPEN"
    },
    {
      "id": "9a434432-dae1-47fd-afcd-39fc86ba10b9",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block untrusted/unsigned processes from USB",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 not configured (no ASR rules registered on host) — T1091 USB malware drop",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173702174Z",
      "last_seen": "2026-04-28T01:41:56.173702174Z",
      "status": "OPEN"
    },
    {
      "id": "9dd4e75c-5a87-415f-aa63-702da903a527",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block executables not meeting prevalence/age (ISG)",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 01443614-CD74-433A-B99E-2ECDC07BFC25 not configured (no ASR rules registered on host) — fresh polymorphic blocks via cloud rep",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.1737065Z",
      "last_seen": "2026-04-28T01:41:56.1737065Z",
      "status": "OPEN"
    },
    {
      "id": "54aec213-10ff-467c-93ed-2648f4460df9",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block Office communication app child processes (Outlook)",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 26190899-1602-49E8-8B27-EB1D0A1CE869 not configured (no ASR rules registered on host) — Outlook -\u003e shell drop",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173710743Z",
      "last_seen": "2026-04-28T01:41:56.173710743Z",
      "status": "OPEN"
    },
    {
      "id": "a1d1c1b9-8d74-48ff-a707-44e0b0c18f2e",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block Adobe Reader from creating child processes",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C not configured (no ASR rules registered on host) — PDF macro -\u003e shell",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173714894Z",
      "last_seen": "2026-04-28T01:41:56.173714894Z",
      "status": "OPEN"
    },
    {
      "id": "bb93f6c4-4dd2-4762-941e-a0ca686dcf55",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block persistence through WMI event subscription",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule E6DB77E5-3DF2-4CF1-B95A-636979351E5B not configured (no ASR rules registered on host) — T1546.003 WMI persistence",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.17371933Z",
      "last_seen": "2026-04-28T01:41:56.17371933Z",
      "status": "OPEN"
    },
    {
      "id": "8e6c2e6f-31a8-4fb9-ae76-2cb09023d091",
      "fingerprint": "886c040593158abe",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-005",
      "title": "Microsoft Defender ASR rules not in Block mode — Block abuse of exploited vulnerable signed drivers",
      "description": "One or more of the 16 mandated Attack Surface Reduction rules is not in Block mode (action=1). Each rule maps to a documented attacker primitive: Office macro execution, LSASS credential theft, PSExec/WMI lateral, persistence via WMI event subscription, vulnerable signed driver abuse (BYOVD), etc. Audit-only mode (2) is acceptable \u003c 30 days as a rollout transition; Disabled / Warn / not-listed is fail.\n\nFinding: rule 56A863A9-875E-4185-98A7-B882C64B5CE5 not configured (no ASR rules registered on host) — BYOVD - bring-your-own-vulnerable-driver",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | AttackSurfaceReductionRules_Ids + _Actions\nNoASRRules=1"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.45.x"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1059.005"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1546.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1547"
        },
        {
          "type": "mitre-attack",
          "id": "T1566.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1490"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.173724868Z",
      "last_seen": "2026-04-28T01:41:56.173724868Z",
      "status": "OPEN"
    },
    {
      "id": "3c9a97df-0dfe-4f94-bc35-93f0a9768abf",
      "fingerprint": "af6f64b099a1fadd",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-009",
      "title": "LSASS / SAM credential storage protection below baseline — RunAsPPL",
      "description": "One or more of the three LSA settings that protect credentials at rest is not at the hardening baseline: LSA Protection (RunAsPPL) prevents non-protected processes such as Mimikatz from opening a handle to LSASS; WDigest UseLogonCredential=0 disables cleartext cred caching; NoLMHash=1 stops storing crackable LM hashes. Each gap maps directly to a documented credential-extraction technique (T1003.001).\n\nFinding: not set — lsass.exe is NOT a protected process; Mimikatz can open the process handle and dump credentials. Fix: Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa' -Name RunAsPPL -Value 1 -Type DWord (reboot required; unsigned LSA plugins and authentication packages will no longer load once enabled, so verify them before enforcing)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa + WDigest (multi-key)\nRunAsPPL=\"\" RunAsPPLBoot=\"\" UseLogonCredential=\"\" NoLMHash=\"1\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Lsa + WDigest (multi-key)\nRunAsPPL=\"\" RunAsPPLBoot=\"\" UseLogonCredential=\"\" NoLMHash=\"1\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.11.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.4.8"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.26.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.11.5"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.9.5.1"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(1)"
        },
        {
          "type": "nist-800-53",
          "id": "SC-28"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000095"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000220"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.002"
        },
        {
          "type": "cwe",
          "id": "CWE-256"
        },
        {
          "type": "cwe",
          "id": "CWE-916"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173748222Z",
      "last_seen": "2026-04-28T01:41:56.173748222Z",
      "status": "OPEN"
    },
    {
      "id": "deb1475d-0f0a-4598-84b9-f843697c2b7e",
      "fingerprint": "9e476cd40a6415e5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-010",
      "title": "Cached domain credential surface above CIS L2 baseline — CachedLogonsCount",
      "description": "CachedLogonsCount \u003e 4 OR DisableDomainCreds != 1. Cached credentials live in HKLM:\\SECURITY as MSCache hashes; an attacker post-compromise can extract them with `secretsdump.py` and crack offline (T1003.005). High-value workstations should cap at 4 and tier-0 hosts at 0. Note: setting to 0 breaks offline domain logon — verify the host has reliable DC connectivity before hardening.\n\nFinding: CachedLogonsCount=\"10\" (default 10), CIS L2 recommends \u003c=4. Fix: Set-ItemProperty 'HKLM:\\..\\Winlogon' -Name CachedLogonsCount -Value '4'",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Winlogon + Lsa (multi-key)\nCachedLogonsCount=\"10\" DisableDomainCreds=\"0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Winlogon + Lsa (multi-key)\nCachedLogonsCount=\"10\" DisableDomainCreds=\"0\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.7.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.4"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(1)"
        },
        {
          "type": "nist-800-53",
          "id": "AC-19"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.005"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.17377682Z",
      "last_seen": "2026-04-28T01:41:56.17377682Z",
      "status": "OPEN"
    },
    {
      "id": "2c835d02-3563-4788-80b8-1a0023b13da9",
      "fingerprint": "9e476cd40a6415e5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-010",
      "title": "Cached domain credential surface above CIS L2 baseline — DisableDomainCreds",
      "description": "CachedLogonsCount \u003e 4 OR DisableDomainCreds != 1. Cached credentials live in HKLM:\\SECURITY as MSCache hashes; an attacker post-compromise can extract them with `secretsdump.py` and crack offline (T1003.005). High-value workstations should cap at 4 and tier-0 hosts at 0. Note: setting to 0 breaks offline domain logon — verify the host has reliable DC connectivity before hardening.\n\nFinding: DisableDomainCreds not set on domain-joined host. CIS L2 recommends 1; breaks scheduled tasks that store creds (assess before applying)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Winlogon + Lsa (multi-key)\nCachedLogonsCount=\"10\" DisableDomainCreds=\"0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Winlogon + Lsa (multi-key)\nCachedLogonsCount=\"10\" DisableDomainCreds=\"0\""
        }
      ],
      "severity": "LOW",
      "confidence": "OBSERVED",
      "scores": {
        "context": 2.5,
        "final": 2.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.7.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.10.4"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(1)"
        },
        {
          "type": "nist-800-53",
          "id": "AC-19"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.005"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173789467Z",
      "last_seen": "2026-04-28T01:41:56.173789467Z",
      "status": "OPEN"
    },
    {
      "id": "55823101-29d3-4003-bed4-c06f85af2497",
      "fingerprint": "6229a6f11f8d0a92",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-011",
      "title": "UAC posture below CIS / DISA STIG baseline — EnableLUA",
      "description": "One or more UAC settings under HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System is below the hardening baseline. With UAC weakened (EnableLUA=0 the worst case) every privesc primitive that lives in user context immediately reaches SYSTEM via Administrator-group token granting. The six settings together model: UAC engine on, built-in Admin filtered, secure-desktop prompts, deny-silent for non-admins, installer heuristic on.\n\nFinding: UAC engine entirely disabled — every Administrator-group process runs full-elevated. Single biggest privesc enabler. Fix: Set-ItemProperty same path -Name EnableLUA -Value 1 -Type DWord (reboot)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Policies\\System (UAC keys)\nEnableLUA=\"0\" FilterAdminToken=\"\" ConsentAdmin=\"\" ConsentUser=\"3\" PromptSecure=\"1\" InstallerDetect=\"1\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Policies\\System (UAC keys)\nEnableLUA=\"0\" FilterAdminToken=\"\" ConsentAdmin=\"\" ConsentUser=\"3\" PromptSecure=\"1\" InstallerDetect=\"1\""
        }
      ],
      "severity": "CRITICAL",
      "confidence": "OBSERVED",
      "scores": {
        "context": 9.5,
        "final": 9.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.7"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(2)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000370"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000380"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000390"
        },
        {
          "type": "mitre-attack",
          "id": "T1548.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173825339Z",
      "last_seen": "2026-04-28T01:41:56.173825339Z",
      "status": "OPEN"
    },
    {
      "id": "bbdc7ac6-b45c-4c0d-967d-8cf13c0fe4a6",
      "fingerprint": "6229a6f11f8d0a92",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-011",
      "title": "UAC posture below CIS / DISA STIG baseline — FilterAdministratorToken",
      "description": "One or more UAC settings under HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System is below the hardening baseline. With UAC weakened (EnableLUA=0 the worst case) every privesc primitive that lives in user context immediately reaches SYSTEM via Administrator-group token granting. The six settings together model: UAC engine on, built-in Admin filtered, secure-desktop prompts, deny-silent for non-admins, installer heuristic on.\n\nFinding: got \"\" (value not set), expected 1 — built-in Administrator runs with full token by default; UAC bypass primitive",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Policies\\System (UAC keys)\nEnableLUA=\"0\" FilterAdminToken=\"\" ConsentAdmin=\"\" ConsentUser=\"3\" PromptSecure=\"1\" InstallerDetect=\"1\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Policies\\System (UAC keys)\nEnableLUA=\"0\" FilterAdminToken=\"\" ConsentAdmin=\"\" ConsentUser=\"3\" PromptSecure=\"1\" InstallerDetect=\"1\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.7"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(2)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000370"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000380"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000390"
        },
        {
          "type": "mitre-attack",
          "id": "T1548.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173848509Z",
      "last_seen": "2026-04-28T01:41:56.173848509Z",
      "status": "OPEN"
    },
    {
      "id": "2d161840-7ced-47e2-8993-67f630d59dfd",
      "fingerprint": "6229a6f11f8d0a92",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-011",
      "title": "UAC posture below CIS / DISA STIG baseline — ConsentPromptBehaviorAdmin",
      "description": "One or more UAC settings under HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System is below the hardening baseline. With UAC weakened (EnableLUA=0 the worst case) every privesc primitive that lives in user context immediately reaches SYSTEM via Administrator-group token granting. The six settings together model: UAC engine on, built-in Admin filtered, secure-desktop prompts, deny-silent for non-admins, installer heuristic on.\n\nFinding: got \"\" (value not set), expected 2 (prompt for consent on the secure desktop)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Policies\\System (UAC keys)\nEnableLUA=\"0\" FilterAdminToken=\"\" ConsentAdmin=\"\" ConsentUser=\"3\" PromptSecure=\"1\" InstallerDetect=\"1\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Policies\\System (UAC keys)\nEnableLUA=\"0\" FilterAdminToken=\"\" ConsentAdmin=\"\" ConsentUser=\"3\" PromptSecure=\"1\" InstallerDetect=\"1\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.7"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(2)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000370"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000380"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000390"
        },
        {
          "type": "mitre-attack",
          "id": "T1548.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173871423Z",
      "last_seen": "2026-04-28T01:41:56.173871423Z",
      "status": "OPEN"
    },
    {
      "id": "fc1db2b0-bf47-48dd-9589-3f791463ef04",
      "fingerprint": "6229a6f11f8d0a92",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-011",
      "title": "UAC posture below CIS / DISA STIG baseline — ConsentPromptBehaviorUser",
      "description": "One or more UAC settings under HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System is below the hardening baseline. With UAC weakened (EnableLUA=0 the worst case) every privesc primitive that lives in user context immediately reaches SYSTEM via Administrator-group token granting. The six settings together model: UAC engine on, built-in Admin filtered, secure-desktop prompts, deny-silent for non-admins, installer heuristic on.\n\nFinding: got 3, CIS recommends 0 (deny standard-user elevation requests silently — no creds prompt)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Policies\\System (UAC keys)\nEnableLUA=\"0\" FilterAdminToken=\"\" ConsentAdmin=\"\" ConsentUser=\"3\" PromptSecure=\"1\" InstallerDetect=\"1\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty Policies\\System (UAC keys)\nEnableLUA=\"0\" FilterAdminToken=\"\" ConsentAdmin=\"\" ConsentUser=\"3\" PromptSecure=\"1\" InstallerDetect=\"1\""
        }
      ],
      "severity": "LOW",
      "confidence": "OBSERVED",
      "scores": {
        "context": 2.5,
        "final": 2.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.6"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.17.7"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.17.6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(2)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000370"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000380"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000390"
        },
        {
          "type": "mitre-attack",
          "id": "T1548.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.173893822Z",
      "last_seen": "2026-04-28T01:41:56.173893822Z",
      "status": "OPEN"
    },
    {
      "id": "da75e70c-c9f3-4f12-b8d5-9c9b4af6c0cf",
      "fingerprint": "017758f94e3383db",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-012",
      "title": "Sensitive User-Rights privileges granted to non-admin principals — SeImpersonatePrivilege",
      "description": "One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -\u003e Potato, SeDebug -\u003e Mimikatz, SeBackup -\u003e SAM dump, SeLoadDriver -\u003e BYOVD).\n\nFinding: SeImpersonatePrivilege — held by non-admin SID(s): *S-1-5-6 (the well-known SERVICE group SID). Potato-family attack vector (RoguePotato, JuicyPotato); Administrators + service accounts only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.15"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.20"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.35"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.39"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.49"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(1)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000050"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000110"
        },
        {
          "type": "mitre-attack",
          "id": "T1134"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.174256702Z",
      "last_seen": "2026-04-28T01:41:56.174256702Z",
      "status": "OPEN"
    },
    {
      "id": "ad234cb8-75ae-47b4-ac5f-65e0ae8ba6d0",
      "fingerprint": "017758f94e3383db",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-012",
      "title": "Sensitive User-Rights privileges granted to non-admin principals — SeAssignPrimaryTokenPrivilege",
      "description": "One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -\u003e Potato, SeDebug -\u003e Mimikatz, SeBackup -\u003e SAM dump, SeLoadDriver -\u003e BYOVD).\n\nFinding: SeAssignPrimaryTokenPrivilege — held by non-admin SID(s): cloudbase-init, *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415. After SeImpersonate, spawn SYSTEM processes; Administrators + service accounts only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.15"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.20"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.35"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.39"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.49"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(1)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000050"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000110"
        },
        {
          "type": "mitre-attack",
          "id": "T1134"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.174612942Z",
      "last_seen": "2026-04-28T01:41:56.174612942Z",
      "status": "OPEN"
    },
    {
      "id": "c9ccbf1a-06a6-41fe-aa20-19ea6c397731",
      "fingerprint": "017758f94e3383db",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-012",
      "title": "Sensitive User-Rights privileges granted to non-admin principals — SeBackupPrivilege",
      "description": "One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -\u003e Potato, SeDebug -\u003e Mimikatz, SeBackup -\u003e SAM dump, SeLoadDriver -\u003e BYOVD).\n\nFinding: SeBackupPrivilege — held by non-admin SID(s): *S-1-5-32-549, *S-1-5-32-551. Read any file regardless of ACL (SAM/NTDS.dit dump); Administrators only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.15"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.20"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.35"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.39"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.49"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(1)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000050"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000110"
        },
        {
          "type": "mitre-attack",
          "id": "T1134"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.174947352Z",
      "last_seen": "2026-04-28T01:41:56.174947352Z",
      "status": "OPEN"
    },
    {
      "id": "3521509f-f59e-4dd2-9cfb-7e30b0dba200",
      "fingerprint": "017758f94e3383db",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-012",
      "title": "Sensitive User-Rights privileges granted to non-admin principals — SeRestorePrivilege",
      "description": "One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -\u003e Potato, SeDebug -\u003e Mimikatz, SeBackup -\u003e SAM dump, SeLoadDriver -\u003e BYOVD).\n\nFinding: SeRestorePrivilege — held by non-admin SID(s): *S-1-5-32-549, *S-1-5-32-551. Write any file regardless of ACL (ACL replacement); Administrators only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.15"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.20"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.35"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.39"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.49"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(1)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000050"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000110"
        },
        {
          "type": "mitre-attack",
          "id": "T1134"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.17531802Z",
      "last_seen": "2026-04-28T01:41:56.17531802Z",
      "status": "OPEN"
    },
    {
      "id": "b30e260b-d7a9-4a6b-9128-92f99fe37ecf",
      "fingerprint": "017758f94e3383db",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-012",
      "title": "Sensitive User-Rights privileges granted to non-admin principals — SeLoadDriverPrivilege",
      "description": "One or more privilege assignments under Local Security Policy → User Rights Assignment includes a principal that is not Administrators / SYSTEM / LOCAL SERVICE / NETWORK SERVICE. Each of the seven privileges checked is a documented privilege-escalation primitive (SeImpersonate -\u003e Potato, SeDebug -\u003e Mimikatz, SeBackup -\u003e SAM dump, SeLoadDriver -\u003e BYOVD).\n\nFinding: SeLoadDriverPrivilege — held by non-admin SID(s): *S-1-5-32-550. Load kernel drivers (BYOVD precondition); Administrators only",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e ; grep [Se*Privilege]\nSeMachineAccountPrivilege = *S-1-5-11\nSeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\nSeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554\nSeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549\nSeCreatePagefilePrivilege = *S-1-5-32-544\nSeDebugPrivilege = *S-1-5-32-544\nSeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\nSeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\nSeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-82-3006700770-424185619-1745488364-794895919 …(truncated, 1 KB more)"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.15"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.20"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.35"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.39"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.2.49"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6"
        },
        {
          "type": "nist-800-53",
          "id": "AC-6(1)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000050"
        },
        {
          "type": "disa-stig",
          "id": "WN22-UR-000110"
        },
        {
          "type": "mitre-attack",
          "id": "T1134"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1134.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1003.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.175782822Z",
      "last_seen": "2026-04-28T01:41:56.175782822Z",
      "status": "OPEN"
    },
    {
      "id": "8e88641f-25f6-4c79-9287-7540472bba91",
      "fingerprint": "e356b881b7f97901",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-003",
      "title": "Local password policy deviates from CIS / DISA STIG baseline — MinimumPasswordLength",
      "description": "One or more of the six CIS-mandated password policy fields is below the hardening threshold: history (\u003e=24), max age (1-365 not 0), min age (\u003e=1), length (\u003e=14), complexity enabled, reversible encryption disabled. Weak password policy is the foundation of credential-stuffing, password spray, and offline-cracking attacks.\n\nFinding: got \"7\", expected \u003e=14",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e /quiet ; Get-Content \u003ctmp\u003e\nPasswordHistorySize=24 MaximumPasswordAge=42 MinimumPasswordAge=1 MinimumPasswordLength=7 PasswordComplexity=1 ClearTextPassword=***REDACTED***"
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e /quiet ; Get-Content \u003ctmp\u003e\nPasswordHistorySize=24 MaximumPasswordAge=42 MinimumPasswordAge=1 MinimumPasswordLength=7 PasswordComplexity=1 ClearTextPassword=***REDACTED***"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.1.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.1.4"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.1.5"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.1.7"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.1.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.1.4"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.1.5"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(1)"
        },
        {
          "type": "nist-800-53",
          "id": "AC-7"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000005"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000020"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.002"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.003"
        },
        {
          "type": "cwe",
          "id": "CWE-521"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.176191557Z",
      "last_seen": "2026-04-28T01:41:56.176191557Z",
      "status": "OPEN"
    },
    {
      "id": "ff20dc20-6dc2-4035-a717-4c9e00778cd2",
      "fingerprint": "5d67c47b914b30d4",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "integrity",
      "rule_id": "AUD-WIN-LOG-005",
      "title": "Recent log-tampering events present (1102 / 4719 / 104) — EID-4719-AuditPolicyChanged",
      "description": "Get-WinEvent finds recent occurrences of canonical tamper IDs: 1102 (Security log cleared), 4719 (audit policy changed), 104 (other log cleared). 1102 within 30 days on a non-rebuild host is a near-immediate IOC — Mimikatz / impacket-secretsdump / the standard ransomware playbook clears the audit log to hide activity (T1070.001).\n\nFinding: 57 audit-policy-change event(s) in last 30 days — abnormal volume. Review against change-control records; T1562.002 candidate",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent FilterHashtable Id=1102|4719|104 last 30d\n1102=\"0\" (latest \"\" by \"\") 4719=\"57\" 104=\"0\" (latest \"\")"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-WinEvent FilterHashtable Id=1102|4719|104 last 30d\n1102=\"0\" (latest \"\" by \"\") 4719=\"57\" 104=\"0\" (latest \"\")"
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "AU-9"
        },
        {
          "type": "nist-800-53",
          "id": "SI-7"
        },
        {
          "type": "mitre-attack",
          "id": "T1070.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.002"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "forensic"
      ],
      "first_seen": "2026-04-28T01:41:56.176237219Z",
      "last_seen": "2026-04-28T01:41:56.176237219Z",
      "status": "OPEN"
    },
    {
      "id": "5196ab72-5351-4f4e-bef2-a83c58e24aee",
      "fingerprint": "68c0d7d2df1f89d3",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-006",
      "title": "Sysmon not installed / not configured — SysmonInstalled",
      "description": "Microsoft Sysmon (Sysinternals) is not installed, not running, or running with default config (no rules — virtually no detection). Sysmon is the canonical host-side telemetry source for ATT\u0026CK Execution / Defense Evasion / Credential Access detection. SwiftOnSecurity sysmon-config or Olaf Hartong sysmon-modular are the standard reference configs.\n\nFinding: Sysmon service is absent or stopped. Install from sysinternals.com and configure with SwiftOnSecurity sysmon-config or Olaf Hartong sysmon-modular (github.com/SwiftOnSecurity/sysmon-config, github.com/olafhartong/sysmon-modular)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-Service Sysmon* + fltmc filters + sysmon -c\nServiceCount=\"0\" Running=\"False\" ServiceName=\"\" DriverLoaded=\"False\" ConfigQueried=\"False\" RuleCount=\"0\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-Service Sysmon* + fltmc filters + sysmon -c\nServiceCount=\"0\" Running=\"False\" ServiceName=\"\" DriverLoaded=\"False\" ConfigQueried=\"False\" RuleCount=\"0\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "AU-2"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.176274156Z",
      "last_seen": "2026-04-28T01:41:56.176274156Z",
      "status": "OPEN"
    },
    {
      "id": "d812490b-9e7e-48d4-a28c-51684ef3cfdf",
      "fingerprint": "fd9960fc8ed72ccf",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-001",
      "title": "Built-in Administrator account (RID 500) is enabled — Administrator",
      "description": "The built-in Administrator (well-known SID ending in -500) is enabled. This account is exempt from lockout policy and is the canonical target for password spray attacks against every Windows host worldwide (the -500 RID is the same on every host). CIS, DISA STIG, and Microsoft Security Baseline all require it disabled. Renaming alone is not sufficient mitigation — adversaries enumerate by SID, not by name.\n\nFinding: RID 500 account enabled — disable via Disable-LocalUser -SID 'S-1-5-21-873624365-3528634227-720301803-500'",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-LocalUser | ? { $_.SID.Value -like '*-500' }\nName=Administrator Enabled=True SID=S-1-5-21-873624365-3528634227-720301803-500"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-LocalUser | ? { $_.SID.Value -like '*-500' }\nName=Administrator Enabled=True SID=S-1-5-21-873624365-3528634227-720301803-500"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.1.1"
        },
        {
          "type": "nist-800-53",
          "id": "AC-2(11)"
        },
        {
          "type": "nist-800-53",
          "id": "IA-5(1)"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000010"
        },
        {
          "type": "disa-stig",
          "id": "WN10-SO-000005"
        },
        {
          "type": "mitre-attack",
          "id": "T1078.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.003"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.176315483Z",
      "last_seen": "2026-04-28T01:41:56.176315483Z",
      "status": "OPEN"
    },
    {
      "id": "12fbf78f-73fe-448c-a792-4fca414bf790",
      "fingerprint": "62a2d860f5be1639",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-002",
      "title": "SMB signing not required (client and/or server) — ClientRequireSecuritySignature",
      "description": "SMB signing is the primary defense against NTLM-relay attacks targeting SMB sessions (SMBRelay, ntlmrelayx). Both client and server must require signing — if either negotiates 'optional', a relay attacker can downgrade the session and mount file shares as the victim. Signing is required by default only on Win11 24H2 / Server 2025.\n\nFinding: got False, expected True. Fix: Set-SmbClientConfiguration -RequireSecuritySignature $true -Force",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-SmbServerConfiguration + Get-SmbClientConfiguration\nServerRequireSig=\"True\" ServerEnableSig=\"True\" ClientRequireSig=\"False\" ClientEnableSig=\"True\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-SmbServerConfiguration + Get-SmbClientConfiguration\nServerRequireSig=\"True\" ServerEnableSig=\"True\" ClientRequireSig=\"False\" ClientEnableSig=\"True\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-2.3.9.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.8.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-2.3.9.2"
        },
        {
          "type": "nist-800-53",
          "id": "SC-8"
        },
        {
          "type": "nist-800-53",
          "id": "SC-23"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000080"
        },
        {
          "type": "disa-stig",
          "id": "WN22-SO-000090"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "cwe",
          "id": "CWE-300"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.17635591Z",
      "last_seen": "2026-04-28T01:41:56.17635591Z",
      "status": "OPEN"
    },
    {
      "id": "edd97790-aa70-4bc9-8785-5a03bfdf3bab",
      "fingerprint": "4e339fd35d496404",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-004",
      "title": "Account lockout policy is below CIS / DISA STIG baseline — LockoutBadCount",
      "description": "Lockout threshold is 0 (no lockout), duration too short, or the modern AllowAdministratorLockout setting is not enabled. Without effective lockout the built-in Administrator (RID 500) becomes a free spray target — every attempt costs the attacker one HTTP/SMB request and there is no defender feedback loop.\n\nFinding: set to 0 — accounts can NEVER be locked out, password spray is unbounded",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e /quiet ; Get-Content \u003ctmp\u003e\nLockoutBadCount=0 LockoutDuration= ResetLockoutCount= AllowAdministratorLockout="
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e /quiet ; Get-Content \u003ctmp\u003e\nLockoutBadCount=0 LockoutDuration= ResetLockoutCount= AllowAdministratorLockout="
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.4"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.4"
        },
        {
          "type": "nist-800-53",
          "id": "AC-7"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000030"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000040"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.004"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.176436489Z",
      "last_seen": "2026-04-28T01:41:56.176436489Z",
      "status": "OPEN"
    },
    {
      "id": "53799b38-3f30-4961-a1e0-fe24fc36220d",
      "fingerprint": "4e339fd35d496404",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-004",
      "title": "Account lockout policy is below CIS / DISA STIG baseline — LockoutDuration",
      "description": "Lockout threshold is 0 (no lockout), duration too short, or the modern AllowAdministratorLockout setting is not enabled. Without effective lockout the built-in Administrator (RID 500) becomes a free spray target — every attempt costs the attacker one HTTP/SMB request and there is no defender feedback loop.\n\nFinding: got \"\" minutes, expected \u003e=15",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e /quiet ; Get-Content \u003ctmp\u003e\nLockoutBadCount=0 LockoutDuration= ResetLockoutCount= AllowAdministratorLockout="
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e /quiet ; Get-Content \u003ctmp\u003e\nLockoutBadCount=0 LockoutDuration= ResetLockoutCount= AllowAdministratorLockout="
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.4"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.4"
        },
        {
          "type": "nist-800-53",
          "id": "AC-7"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000030"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000040"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.004"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.176460468Z",
      "last_seen": "2026-04-28T01:41:56.176460468Z",
      "status": "OPEN"
    },
    {
      "id": "e232d36b-af7d-47e0-bdc2-157a8a769d43",
      "fingerprint": "4e339fd35d496404",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "auth",
      "rule_id": "AUD-WIN-IDENT-004",
      "title": "Account lockout policy is below CIS / DISA STIG baseline — ResetLockoutCount",
      "description": "Lockout threshold is 0 (no lockout), duration too short, or the modern AllowAdministratorLockout setting is not enabled. Without effective lockout the built-in Administrator (RID 500) becomes a free spray target — every attempt costs the attacker one HTTP/SMB request and there is no defender feedback loop.\n\nFinding: got \"\" minutes, expected \u003e=15 (window before bad-count counter resets)",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e /quiet ; Get-Content \u003ctmp\u003e\nLockoutBadCount=0 LockoutDuration= ResetLockoutCount= AllowAdministratorLockout="
        },
        {
          "kind": "audit_probe",
          "content": "$ secedit /export /cfg \u003ctmp\u003e /quiet ; Get-Content \u003ctmp\u003e\nLockoutBadCount=0 LockoutDuration= ResetLockoutCount= AllowAdministratorLockout="
        }
      ],
      "severity": "LOW",
      "confidence": "OBSERVED",
      "scores": {
        "context": 2.5,
        "final": 2.5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.3"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-1.2.4"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-1.2.4"
        },
        {
          "type": "nist-800-53",
          "id": "AC-7"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000030"
        },
        {
          "type": "disa-stig",
          "id": "WN22-AC-000040"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.003"
        },
        {
          "type": "mitre-attack",
          "id": "T1110.004"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "identity"
      ],
      "first_seen": "2026-04-28T01:41:56.176479735Z",
      "last_seen": "2026-04-28T01:41:56.176479735Z",
      "status": "OPEN"
    },
    {
      "id": "c059b432-614b-4a41-beed-272fc4ef0329",
      "fingerprint": "a23567044a6d5917",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-005",
      "title": "WPAD service not disabled (proxy-poisoning surface) — WinHttpAutoProxySvc",
      "description": "WinHttpAutoProxySvc is not Disabled (Start != 4). When WPAD is on, browsers and any WinHTTP consumer query DNS/LLMNR/NetBT for `wpad.\u003csuffix\u003e`. Responder answers, injects a malicious proxy, and captures the host's HTTP NTLM challenge — primary input for ntlmrelayx.py / Inveigh. Microsoft's own hardening guidance recommends disabling WPAD on managed endpoints.\n\nFinding: service can resolve WPAD queries via DNS/LLMNR/NetBT — Responder primitive. Fix: Set-Service -Name WinHttpAutoProxySvc -StartupType Disabled; Stop-Service WinHttpAutoProxySvc",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-Service WinHttpAutoProxySvc + Get-CimInstance Win32_Service + hosts grep\nStatus=\"Running\" StartType=\"Manual\" WMIStartMode=\"Manual\" WPADHostsEntry=\"False\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-Service WinHttpAutoProxySvc + Get-CimInstance Win32_Service + hosts grep\nStatus=\"Running\" StartType=\"Manual\" WMIStartMode=\"Manual\" WPADHostsEntry=\"False\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "nist-800-53",
          "id": "CM-7"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1090.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176517288Z",
      "last_seen": "2026-04-28T01:41:56.176517288Z",
      "status": "OPEN"
    },
    {
      "id": "842212a8-1ed3-4a28-880d-5ddb5b9a0faa",
      "fingerprint": "5c598f530cc3898f",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-004",
      "title": "Windows Defender Firewall posture below baseline — Domain-DefaultInboundAction",
      "description": "One or more firewall profiles (Domain, Private, Public) is disabled, defaults inbound to Allow, OR Public profile permits local rule additions (AllowLocalPolicyMerge=True — bypasses centralized policy). Composite check; each (profile, setting) gap is reported as a separate Item.\n\nFinding: Profile Domain DefaultInboundAction=\"NotConfigured\" (expected Block). Fix: Set-NetFirewallProfile -Name Domain -DefaultInboundAction Block",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-NetFirewallProfile -Name Domain,Private,Public\nDomain[Enabled=\"True\",Inbound=\"NotConfigured\",LMerge=\"\"] Private[\"True\",\"NotConfigured\",\"\"] Public[\"True\",\"NotConfigured\",\"\"]"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-NetFirewallProfile -Name Domain,Private,Public\nDomain[Enabled=\"True\",Inbound=\"NotConfigured\",LMerge=\"\"] Private[\"True\",\"NotConfigured\",\"\"] Public[\"True\",\"NotConfigured\",\"\"]"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.4"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.3.1"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "nist-800-53",
          "id": "AC-4"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000050"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000060"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.004"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176566486Z",
      "last_seen": "2026-04-28T01:41:56.176566486Z",
      "status": "OPEN"
    },
    {
      "id": "0bbaed74-1ba1-4e93-9d79-3e9356937277",
      "fingerprint": "5c598f530cc3898f",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-004",
      "title": "Windows Defender Firewall posture below baseline — Private-DefaultInboundAction",
      "description": "One or more firewall profiles (Domain, Private, Public) is disabled, defaults inbound to Allow, OR Public profile permits local rule additions (AllowLocalPolicyMerge=True — bypasses centralized policy). Composite check; each (profile, setting) gap is reported as a separate Item.\n\nFinding: Profile Private DefaultInboundAction=\"NotConfigured\" (expected Block). Fix: Set-NetFirewallProfile -Name Private -DefaultInboundAction Block",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-NetFirewallProfile -Name Domain,Private,Public\nDomain[Enabled=\"True\",Inbound=\"NotConfigured\",LMerge=\"\"] Private[\"True\",\"NotConfigured\",\"\"] Public[\"True\",\"NotConfigured\",\"\"]"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-NetFirewallProfile -Name Domain,Private,Public\nDomain[Enabled=\"True\",Inbound=\"NotConfigured\",LMerge=\"\"] Private[\"True\",\"NotConfigured\",\"\"] Public[\"True\",\"NotConfigured\",\"\"]"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.4"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.3.1"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "nist-800-53",
          "id": "AC-4"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000050"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000060"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.004"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176592237Z",
      "last_seen": "2026-04-28T01:41:56.176592237Z",
      "status": "OPEN"
    },
    {
      "id": "7c0314e0-2dd1-4912-9c0d-755dc977550c",
      "fingerprint": "5c598f530cc3898f",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-004",
      "title": "Windows Defender Firewall posture below baseline — Public-DefaultInboundAction",
      "description": "One or more firewall profiles (Domain, Private, Public) is disabled, defaults inbound to Allow, OR Public profile permits local rule additions (AllowLocalPolicyMerge=True — bypasses centralized policy). Composite check; each (profile, setting) gap is reported as a separate Item.\n\nFinding: Profile Public DefaultInboundAction=\"NotConfigured\" (expected Block). Fix: Set-NetFirewallProfile -Name Public -DefaultInboundAction Block",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-NetFirewallProfile -Name Domain,Private,Public\nDomain[Enabled=\"True\",Inbound=\"NotConfigured\",LMerge=\"\"] Private[\"True\",\"NotConfigured\",\"\"] Public[\"True\",\"NotConfigured\",\"\"]"
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-NetFirewallProfile -Name Domain,Private,Public\nDomain[Enabled=\"True\",Inbound=\"NotConfigured\",LMerge=\"\"] Private[\"True\",\"NotConfigured\",\"\"] Public[\"True\",\"NotConfigured\",\"\"]"
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.1.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.2.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-9.3.4"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.1.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.2.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-9.3.1"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "nist-800-53",
          "id": "AC-4"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000050"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000060"
        },
        {
          "type": "mitre-attack",
          "id": "T1562.004"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176619219Z",
      "last_seen": "2026-04-28T01:41:56.176619219Z",
      "status": "OPEN"
    },
    {
      "id": "ab1b0705-b048-4fc4-a0df-3e5e8036c4b0",
      "fingerprint": "e0745b95d928febd",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-006",
      "title": "Hardened UNC Paths for SYSVOL / NETLOGON not configured (domain-joined) — SYSVOL",
      "description": "On a domain-joined host, HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths is missing entries for \\\\*\\NETLOGON and \\\\*\\SYSVOL with RequireMutualAuthentication=1 and RequireIntegrity=1. Without these, an attacker on the LAN can MITM SYSVOL traffic, deliver poisoned Group Policy files, and execute code as SYSTEM at next gpupdate (MS14-025 / MS15-011).\n\nFinding: \\\\*\\SYSVOL entry missing under HardenedPaths",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Test-Path HardenedPaths + Get-ItemProperty SYSVOL/NETLOGON\nKeyExists=\"True\" SYSVOL=\"\" NETLOGON=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Test-Path HardenedPaths + Get-ItemProperty SYSVOL/NETLOGON\nKeyExists=\"True\" SYSVOL=\"\" NETLOGON=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.14.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.5.x"
        },
        {
          "type": "nist-800-53",
          "id": "SC-8"
        },
        {
          "type": "nist-800-53",
          "id": "SC-23"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176654917Z",
      "last_seen": "2026-04-28T01:41:56.176654917Z",
      "status": "OPEN"
    },
    {
      "id": "cd51dee1-007a-4927-9dfa-0324b0bc1c9c",
      "fingerprint": "e0745b95d928febd",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-006",
      "title": "Hardened UNC Paths for SYSVOL / NETLOGON not configured (domain-joined) — NETLOGON",
      "description": "On a domain-joined host, HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths is missing entries for \\\\*\\NETLOGON and \\\\*\\SYSVOL with RequireMutualAuthentication=1 and RequireIntegrity=1. Without these, an attacker on the LAN can MITM SYSVOL traffic, deliver poisoned Group Policy files, and execute code as SYSTEM at next gpupdate (MS14-025 / MS15-011).\n\nFinding: \\\\*\\NETLOGON entry missing under HardenedPaths",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Test-Path HardenedPaths + Get-ItemProperty SYSVOL/NETLOGON\nKeyExists=\"True\" SYSVOL=\"\" NETLOGON=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Test-Path HardenedPaths + Get-ItemProperty SYSVOL/NETLOGON\nKeyExists=\"True\" SYSVOL=\"\" NETLOGON=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.14.1"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.5.x"
        },
        {
          "type": "nist-800-53",
          "id": "SC-8"
        },
        {
          "type": "nist-800-53",
          "id": "SC-23"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176665781Z",
      "last_seen": "2026-04-28T01:41:56.176665781Z",
      "status": "OPEN"
    },
    {
      "id": "d9926a38-7d83-4d38-90f4-f06fecac64a9",
      "fingerprint": "3148bfd241e2cac9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-006",
      "title": "Defender Network Protection / Controlled Folder Access / PUA below baseline — EnableNetworkProtection",
      "description": "EnableNetworkProtection != 1 (Block known-malicious outbound), EnableControlledFolderAccess != 1/2/3 (anti-ransomware folder lock), OR PUAProtection != 1 (block coin-miners / adware / browser hijackers). Each is an Exploit-Guard pillar that complements ASR rules.\n\nFinding: EnableNetworkProtection=0 (expected 1=Block) — note: Server SKUs require Set-MpPreference -AllowNetworkProtectionOnWinServer 1 first",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | NetProt+CFA+PUA\nNetProt=\"0\" CFA=\"0\" PUA=\"0\" AllowNetProtSrv=\"False\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | NetProt+CFA+PUA\nNetProt=\"0\" CFA=\"0\" PUA=\"0\" AllowNetProtSrv=\"False\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.3.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.16"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1486"
        },
        {
          "type": "mitre-attack",
          "id": "T1090.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.176690633Z",
      "last_seen": "2026-04-28T01:41:56.176690633Z",
      "status": "OPEN"
    },
    {
      "id": "85764ece-7754-4c9a-9a8b-ea91f9aa73e6",
      "fingerprint": "3148bfd241e2cac9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-006",
      "title": "Defender Network Protection / Controlled Folder Access / PUA below baseline — EnableControlledFolderAccess",
      "description": "EnableNetworkProtection != 1 (Block known-malicious outbound), EnableControlledFolderAccess != 1/2/3 (anti-ransomware folder lock), OR PUAProtection != 1 (block coin-miners / adware / browser hijackers). Each is an Exploit-Guard pillar that complements ASR rules.\n\nFinding: EnableControlledFolderAccess=0 — anti-ransomware folder lock not active",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | NetProt+CFA+PUA\nNetProt=\"0\" CFA=\"0\" PUA=\"0\" AllowNetProtSrv=\"False\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | NetProt+CFA+PUA\nNetProt=\"0\" CFA=\"0\" PUA=\"0\" AllowNetProtSrv=\"False\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.3.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.16"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1486"
        },
        {
          "type": "mitre-attack",
          "id": "T1090.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.176704445Z",
      "last_seen": "2026-04-28T01:41:56.176704445Z",
      "status": "OPEN"
    },
    {
      "id": "d5768cba-683d-43fc-a736-c58d133d9f51",
      "fingerprint": "3148bfd241e2cac9",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "threat",
      "rule_id": "AUD-WIN-THREAT-006",
      "title": "Defender Network Protection / Controlled Folder Access / PUA below baseline — PUAProtection",
      "description": "EnableNetworkProtection != 1 (Block known-malicious outbound), EnableControlledFolderAccess != 1/2/3 (anti-ransomware folder lock), OR PUAProtection != 1 (block coin-miners / adware / browser hijackers). Each is an Exploit-Guard pillar that complements ASR rules.\n\nFinding: PUAProtection=0 — coin miners / adware / browser hijackers not blocked",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | NetProt+CFA+PUA\nNetProt=\"0\" CFA=\"0\" PUA=\"0\" AllowNetProtSrv=\"False\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-MpPreference | NetProt+CFA+PUA\nNetProt=\"0\" CFA=\"0\" PUA=\"0\" AllowNetProtSrv=\"False\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.6.3.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.10.42.16"
        },
        {
          "type": "nist-800-53",
          "id": "SI-3"
        },
        {
          "type": "nist-800-53",
          "id": "SI-4"
        },
        {
          "type": "mitre-attack",
          "id": "T1486"
        },
        {
          "type": "mitre-attack",
          "id": "T1090.001"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "threat"
      ],
      "first_seen": "2026-04-28T01:41:56.176717697Z",
      "last_seen": "2026-04-28T01:41:56.176717697Z",
      "status": "OPEN"
    },
    {
      "id": "7ee9373e-c04b-4175-91e1-604b967a6ec5",
      "fingerprint": "e22fdb99179f5cf5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-003",
      "title": "Name-resolution poisoning surface (LLMNR / NetBT) not disabled — EnableMulticast",
      "description": "LLMNR EnableMulticast != 0 OR NetBT NodeType != 2 OR EnableNetbios != 0. Each gap is a Responder / Inveigh primitive: when a host can't resolve a name via DNS it broadcasts the question via LLMNR (UDP 5355) or NetBT (UDP 137), which an attacker on the same broadcast domain answers — capturing NTLMv2 challenge-response for offline crack OR relaying live to LDAP/SMB.\n\nFinding: got \"\" (empty), expected 0 (LLMNR disabled). Fix: Set-ItemProperty 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient' -Name EnableMulticast -Value 0 -Type DWord",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty DNSClient + NetBT\\Parameters\nEnableMulticast=\"\" EnableNetbios=\"\" NodeType=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty DNSClient + NetBT\\Parameters\nEnableMulticast=\"\" EnableNetbios=\"\" NodeType=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.4.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.4.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.4.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.4.7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-8"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000030"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1071.004"
        },
        {
          "type": "mitre-attack",
          "id": "T1090"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176760797Z",
      "last_seen": "2026-04-28T01:41:56.176760797Z",
      "status": "OPEN"
    },
    {
      "id": "c9f80e29-5d70-4412-b40a-be16ca6a28fd",
      "fingerprint": "e22fdb99179f5cf5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-003",
      "title": "Name-resolution poisoning surface (LLMNR / NetBT) not disabled — EnableNetbios",
      "description": "LLMNR EnableMulticast != 0 OR NetBT NodeType != 2 OR EnableNetbios != 0. Each gap is a Responder / Inveigh primitive: when a host can't resolve a name via DNS it broadcasts the question via LLMNR (UDP 5355) or NetBT (UDP 137), which an attacker on the same broadcast domain answers — capturing NTLMv2 challenge-response for offline crack OR relaying live to LDAP/SMB.\n\nFinding: got \"\" (empty), expected 0 (DNS client doesn't use NetBT fallback). Fix: Set-ItemProperty on the same DNSClient policy path as the EnableMulticast fix -Name EnableNetbios -Value 0 -Type DWord",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty DNSClient + NetBT\\Parameters\nEnableMulticast=\"\" EnableNetbios=\"\" NodeType=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty DNSClient + NetBT\\Parameters\nEnableMulticast=\"\" EnableNetbios=\"\" NodeType=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.4.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.4.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.4.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.4.7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-8"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000030"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1071.004"
        },
        {
          "type": "mitre-attack",
          "id": "T1090"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176774573Z",
      "last_seen": "2026-04-28T01:41:56.176774573Z",
      "status": "OPEN"
    },
    {
      "id": "5a619385-3065-4796-a3d6-66e5a471da27",
      "fingerprint": "e22fdb99179f5cf5",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "network",
      "rule_id": "AUD-WIN-NET-003",
      "title": "Name-resolution poisoning surface (LLMNR / NetBT) not disabled — NetBTNodeType",
      "description": "LLMNR EnableMulticast != 0 OR NetBT NodeType != 2 OR EnableNetbios != 0. Each gap is a Responder / Inveigh primitive: when a host can't resolve a name via DNS it broadcasts the question via LLMNR (UDP 5355) or NetBT (UDP 137), which an attacker on the same broadcast domain answers — capturing NTLMv2 challenge-response for offline crack OR relaying live to LDAP/SMB.\n\nFinding: got \"\" (empty), expected 2 (P-node — only WINS, no broadcast NBT-NS). Fix: Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters' -Name NodeType -Value 2 -Type DWord",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty DNSClient + NetBT\\Parameters\nEnableMulticast=\"\" EnableNetbios=\"\" NodeType=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ Get-ItemProperty DNSClient + NetBT\\Parameters\nEnableMulticast=\"\" EnableNetbios=\"\" NodeType=\"\""
        }
      ],
      "severity": "MEDIUM",
      "confidence": "OBSERVED",
      "scores": {
        "context": 5,
        "final": 5
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.4.7"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.4.2"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.6.4.3"
        },
        {
          "type": "cis-benchmark",
          "id": "Win11-18.4.7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-7"
        },
        {
          "type": "nist-800-53",
          "id": "SC-8"
        },
        {
          "type": "disa-stig",
          "id": "WN22-CC-000030"
        },
        {
          "type": "mitre-attack",
          "id": "T1557.001"
        },
        {
          "type": "mitre-attack",
          "id": "T1071.004"
        },
        {
          "type": "mitre-attack",
          "id": "T1090"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "network"
      ],
      "first_seen": "2026-04-28T01:41:56.176786291Z",
      "last_seen": "2026-04-28T01:41:56.176786291Z",
      "status": "OPEN"
    },
    {
      "id": "395efdc9-e1ba-46d1-82a5-516d5a956524",
      "fingerprint": "66ed04c789b03145",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-004",
      "title": "Process Creation events missing command-line enrichment — ProcessCreationAudit",
      "description": "auditpol Process Creation = Success AND ProcessCreationIncludeCmdLine_Enabled = 1 must BOTH be set. Without the registry flag, 4688 events log only the executable path — useless for detection of LotL attacks where the binary is signed and the distinguishing payload is in the args (powershell -enc, mshta http://..., wmic process call create, etc.). KB3004375 Microsoft-recommended baseline.\n\nFinding: auditpol 'Process Creation' subcategory not set to Success. Fix: auditpol /set /subcategory:\"Process Creation\" /success:enable",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol Process Creation + Get-ItemProperty IncludeCmdLine_Enabled\nAuditPolicy snippet=Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting;;IP-208-84-101-7,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,; IncludeCmdLine=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol Process Creation + Get-ItemProperty IncludeCmdLine_Enabled\nAuditPolicy snippet=Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting;;IP-208-84-101-7,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,; IncludeCmdLine=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.3.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "mitre-attack",
          "id": "T1059"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1106"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.176844709Z",
      "last_seen": "2026-04-28T01:41:56.176844709Z",
      "status": "OPEN"
    },
    {
      "id": "6de1fa3f-1806-4fe6-bf8d-9faea2088cb5",
      "fingerprint": "66ed04c789b03145",
      "scan_id": "85beab58-0816-4f8b-bf47-613a8dffe587",
      "source": "audit",
      "category": "logging",
      "rule_id": "AUD-WIN-LOG-004",
      "title": "Process Creation events missing command-line enrichment — ProcessCreationIncludeCmdLine_Enabled",
      "description": "auditpol Process Creation = Success AND ProcessCreationIncludeCmdLine_Enabled = 1 must BOTH be set. Without the registry flag, 4688 events log only the executable path — useless for detection of LotL attacks where the binary is signed and the distinguishing payload is in the args (powershell -enc, mshta http://..., wmic process call create, etc.). KB3004375 Microsoft-recommended baseline.\n\nFinding: registry flag != 1 — 4688 events log only executable path (no args). Fix: Set-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit' -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord",
      "target": {
        "type": "ssh",
        "name": "obexum-dc",
        "host": "208.84.101.79",
        "meta": {
          "port": "22",
          "user": "Administrator"
        }
      },
      "evidence": [
        {
          "kind": "audit_probe",
          "content": "$ auditpol Process Creation + Get-ItemProperty IncludeCmdLine_Enabled\nAuditPolicy snippet=Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting;;IP-208-84-101-7,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,; IncludeCmdLine=\"\""
        },
        {
          "kind": "audit_probe",
          "content": "$ auditpol Process Creation + Get-ItemProperty IncludeCmdLine_Enabled\nAuditPolicy snippet=Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting;;IP-208-84-101-7,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,; IncludeCmdLine=\"\""
        }
      ],
      "severity": "HIGH",
      "confidence": "OBSERVED",
      "scores": {
        "context": 8,
        "final": 8
      },
      "references": [
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-18.9.3.1"
        },
        {
          "type": "cis-benchmark",
          "id": "WinServer2022-17.3.2"
        },
        {
          "type": "nist-800-53",
          "id": "AU-3"
        },
        {
          "type": "nist-800-53",
          "id": "AU-12"
        },
        {
          "type": "mitre-attack",
          "id": "T1059"
        },
        {
          "type": "mitre-attack",
          "id": "T1218"
        },
        {
          "type": "mitre-attack",
          "id": "T1106"
        }
      ],
      "tags": [
        "audit",
        "observed",
        "logging"
      ],
      "first_seen": "2026-04-28T01:41:56.176889857Z",
      "last_seen": "2026-04-28T01:41:56.176889857Z",
      "status": "OPEN"
    }
  ]
}
