Tier0 Specifications What tests are performed?
Ben Wilkinson edited this page Apr 4, 2017 · 4 revisions
Current Tests that are being performed * All known
Criteria | Category | In Scope | Test Group ID | ||
System is a Domain Controller | Host Control | Yes | |||
Can access admin share on a domain controller | Host Control | Yes | |||
Has write share access to Netlogon | Host Control | Yes | |||
Has write NTFS permissions on SYSVOL or NETLOGON | Host Control | Yes | |||
Has write access to a critical directory exposed as a share | Host Control | Yes | Not yet implemented | ||
Principal has write permissions on a Windows Service | Host Control | Yes | |||
Has write permission on Windows Service Controller | Host Control | Yes | Not yet implemented | ||
Has WinRM access permission on a domain controller | Host Control | Yes | |||
Can write to a batch job on a domain controller | Host Control | Yes | Not yet implemented | ||
DSRM user account | Host Control | Yes | Not yet implemented | ||
Principal with ILO/BMC access to a Domain Controller | Host Control | Yes | |||
System where ILO/BMC user accounts are exposed | Host Control | Yes | |||
Principal has write access to OUs that tier0 principals are members of | Directory Control | Yes | Not yet implemented | ||
Has User Right: Act as part of the operating system (SeTcbPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Allow log on locally ? (SeInteractiveLogonRight) | Host Control | Yes | 6 | ||
Has User Right: Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) | Host Control | Yes | 6 | ||
Has User Right: Back up files and directories (SeBackupPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Change the system time (SeSystemtimePrivilege) | Host Control | Yes | 6 | ||
Has User Right: Create a token object (SeCreateTokenPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Debug programs (SeDebugPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Enable computer and user principals to be trusted for delegation (SeEnableDelegationPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Load and unload device drivers (SeLoadDriverPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Log on as a batch job (SeBatchLogonRight) | Host Control | Yes | 6 | ||
Has User Right: Log on as a service (SeServiceLogonRight) | Host Control | Yes | 6 | ||
Has User Right: Manage auditing and security log (SeSecurityPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Modify firmware environment values (SeSystemEnvironmentPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Perform volume maintenance tasks (SeManageVolumePrivilege). Required to enable volume management privileges. User Right: Manage the files on a volume. | Host Control | Yes | 6 | ||
Has User Right: Restore files and directories (SeRestorePrivilege) | Host Control | Yes | 6 | ||
Has User Right: Synchronize directory service data (SeSyncAgentPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Modify an object label (SeRelabelPrivilege) | Host Control | Yes | 6 | ||
Has User Right: Take ownership of files or other objects (SeTakeOwnershipPrivilege) | Host Control | Yes | 6 | ||
Principal has WMI remote launch permissions | Host Control | Yes | Not yet implemented | ||
User has write permissions on sensitive registry key | Host Control | Yes | Not yet implemented | ||
Has remote DCOM activation or Launch permissions | Host Control | Yes | Not yet implemented | ||
Principal is the builtin Administrator account | Directory Control | Yes | Not yet implemented | builtin | |
Principal is member of Account Operators | Directory Control | Yes | Group | builtin | 4 |
Principal is member of Administrators group | Directory Control | Yes | Group | builtin | 4 |
Principal is member of Backup Operators group | Directory Control | Yes | Group | builtin | 4 |
Principal is member of Print Operators group | Directory Control | Yes | Group | builtin | 4 |
Principal is member of Server Operators group | Directory Control | Yes | Group | builtin | 4 |
Principal is member of Domain Admins group | Directory Control | Yes | Group | account | 4 |
Principal is member of Enterprise Admins group | Directory Control | Yes | Group | account | 4 |
Principal is member of Schema Admins group | Directory Control | Yes | Group | account | 4 |
Principal has write permissions to a GPO linked to Domain Controllers OU | Directory Control | Yes | |||
Principal has write permissions to a GPO linked to an OU containing tier0 principal | Directory Control | Yes | |||
All machines where tier0 principal is logged on | Directory Control | Yes | |||
Principal with SID History found on group principals matching privileged group SIDs | Directory Control | Yes | |||
Principal with SID History found on user principals matching privileged group SIDs | Directory Control | Yes | |||
Principal has write permissions on domain root (per domain) | Directory Control | Yes | Per Domain | "Pass in """"" | 1 |
Principal has write permissions on Sites | Directory Control | Yes | Per forest | container | 1 |
Principal has write permissions on Services | Directory Control | Yes | Per forest | container | 1 |
Principal has write permissions on Public Key | Directory Control | Yes | Per forest | container | 1 |
Principal has write permissions on Schema | Directory Control | Yes | Per forest | container | 1 |
Principal has write permissions on Well Known Security Principals | Directory Control | Yes | Per forest | container | 1 |
Principal has write permissions on Configuration | Directory Control | Yes | Per forest | container | 1 |
Principal has write permissions on Schema Admins | Directory Control | Yes | Per domain | Account - users | 2 |
Principal has write permissions on Enterprise Admins | Directory Control | Yes | Per domain | Account - users | 2 |
Principal has write permissions on Domain Controller Machine Objects | Directory Control | Yes | Per Domain?! | Account/s | 5 |
Principal has write permissions on Builtin (per domain) | Directory Control | Yes | Per domain | container | 1 |
Principal has write permissions on Computers (per domain) | Directory Control | Yes | Per domain | container | 1 |
Principal has write permissions on System (per domain) | Directory Control | Yes | Per domain | container | 1 |
Principal has write permissions on AdminSDHolder | Directory Control | Yes | Per domain?! | Container under system | 1 |
Principal has write permissions on Domain Controllers OU (per domain) | Directory Control | Yes | Per domain | container | 1 |
Principal has write permissions on Users container (per domain) | Directory Control | Yes | Per domain | container | 1 |
Principal has write permissions on Managed Service principals (per domain) | Directory Control | Yes | Per domain | Account/s | |
Principal has write permissions on Domain Admins (per domain) | Directory Control | Yes | Per domain | group | 3 |
Principal has write permissions on Domain Users (per domain) | Directory Control | Yes | Per domain | group | 3 |
Principal has write permissions on Domain Computers (per domain) | Directory Control | Yes | Per domain | group | 3 |
Principal has write permissions on Cloneable domain controllers (per domain) | Directory Control | Yes | Per domain | group | 3 |
Principal has write permissions on Administrators (per domain) | Directory Control | Yes | Per domain | Account - builtin | 2 |
Principal has write permissions on Account Operators (per domain) | Directory Control | Yes | Per domain | Account - builtin | 2 |
Principal has write permissions on Server Operators (per domain) | Directory Control | Yes | Per domain | Account - builtin | 2 |
Principal has write permissions on Print Operators (per domain) | Directory Control | Yes | Per domain | Account - builtin | 2 |
Principal has write permissions on Backup Operators (per domain) | Directory Control | Yes | Per domain | Account - builtin | 2 |
Principal has write permissions on Replicator (per domain) | Directory Control | Yes | Per domain | Account - builtin | 2 |