Identify Risky Conditions in Active Directory (Exposed Active Directory Domain Administrators)

A workflow guide for identifying exposed Active Directory domain administrators.

Workflow

Epiphany tracks all high value accounts within its data sets. When dealing with the complexity of Active Directory, Epiphany pays special attention to the Domain Administrators as they present the most direct risk if exposed. The Dashboard contains components specifically designed to track user identity exposures. For the Epiphany-specific process we'll be using the following workflow:

Go to Identity Tools -> Active Directory.
Check Effective Domain Admins.
Check Exposed Domain Admins.

Effective Domain Admins

Epiphany measures Domain Administrator privileges in two distinct ways, first is Direct Membership meaning the user was placed directly into that group within Active Directory. The second is Inherited (indirect) Membership meaning their permissions are inherited because they are members of a group that grants those permissions.

When clicking on this card, you will get the complete list of all members, Direct and Indirect, of the Domain Administrators group.

Epiphany will show you the Account Name, how it receives the Domain Administrators rights (Membership), other groups that user is a part of (Other Groups), and the ability to see the graph relationship of that accounts membership (Rights Chain).

This is an example of a simple direct membership rights chain.

Exposed Domain Admins

Exposed Domain Admins in Epiphany are any active session of a user with Domain Administrator rights currently active throughout the environment that is capable of being reached with an attack chain.

PreviousIdentify Risky Conditions in Active Directory (Kerberoastable Users and AS-REP Roastable Users)NextAudit High Value Groups

Last updated 3 years ago