Skip to content

Table of AD and Azure assets and whether they belong to Tier Zero

License

Notifications You must be signed in to change notification settings

SpecterOps/TierZeroTable

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TierZeroTable

Table of AD and Azure assets and whether they belong to Tier Zero.

View the table here: https://specterops.github.io/TierZeroTable

Blog posts:

Webinars:

DISCLAIMER: The table does not include all Tier Zero assets yet. We will add assets to the table throughout the webinar series. So if you think we are missing something, then you are completely right. But feel free to make a pull request or open an issue with the asset you think we should add. All contributions are appreciated. Also if you disagree on something in the table :)

Table columns

Name

Common name of the asset.

Type

Type of the asset.

Values:

  • AD computer
  • AD container
  • AD group
  • AD object
  • AD OU
  • AD user
  • Computer host
  • DC group
  • Entra ID role

IdP

Identity Provider of the asset.

Values:

  • Active Directory
  • Entra ID

Identification

How the asset can be identified. E.g., SID of AD object.

Description

Description of the asset, i.e., its purpose of existence. This will be copied from Microsoft documentation if available.

Compromise by default

Whether a publicly known abuse technique exists that allows compromise of Tier Zero assets using this asset. The abuse technique must work in an environment with default configurations.

If a publicly known abuse technique exists it will be described in the Reasoning column and links will be provided in the External links column.

Values:

  • YES - Takeover - A publicly known abuse technique to takeover one or more Tier Zero assets exists and works in environments with default configurations.
  • YES - Disruption - A publicly known abuse technique to disrupt the operations of Tier Zero assets exists and works in environments with default configurations.
  • NO - No publicly known abuse technique to compromise Tier Zero assets in an environment with default configurations exists.
  • IT DEPENDS - A publicly known abuse technique to takeover or disrupt Tier Zero exists and works in some configurations.

Compromise by configuration

Whether a publicly known abuse technique exists that allows compromise of Tier Zero assets using this asset, which is enabled do to a common non-default (mis)configuration.

If a publicly known abuse technique exists it will be described in the Reasoning column and links will be provided in the External links column.

Values:

  • YES - Takeover - A publicly known abuse technique to takeover one or more Tier Zero assets exists and works in environments with a common non-default (mis)configuration.
  • YES - Disruption - A publicly known abuse technique to disrupt the operations of Tier Zero assets exists and works in environments with a common non-default (mis)configuration.
  • NO - No publicly known abuse technique to compromise Tier Zero assets in an environment with common non-default (mis)configurations exists.
  • N/A - Compromise by default - A publicly known abuse technique to compromise Tier Zero assets exists and works in environments with default configurations, hence it does not require any special configuration.

Is Tier Zero

If the asset should be considered Tier Zero based on our Definition of Tier Zero.

Values:

  • YES
  • NO
  • IT DEPENDS - If the asset is Tier Zero in some legitimate configuration but not always.

Reasoning

The explanation of why the asset is or is not Tier Zero, including an abuse summary and if the asset is a security dependency for Tier Zero.

Cypher query

Cypher query to return the node representing the asset in BloodHound.

Privileged access security role

Whether the asset is included in Microsoft's Privileged access security roles list, or has a "PRIVILEGED" label if an Entra ID role.

Values:

  • YES
  • NO

AdminSDHolder protected

Whether the asset is part of the default Protected Accounts and Groups in Active Directory, which are protected with the AdminSDHolder security descriptor.

Values:

  • YES
  • NO
  • N/A - The asset cannot be protected by AdminSDHolder.

What is Tier Zero episode

In which episode of the What is Tier Zero series was this asset discussed.

Values:

  • 1
  • 2
  • 3
  • 4
  • Community contribution

External links

Links to documentation for the asset, abuse information, etc.