Active Directory Assurance - Exposures Response and Remediation

Why did we develop this pack?

We believe that behind every breach headline there is an insecure Active Directory (AD) deployment. Active Directory became a “crown jewel“, a favored target for attackers to elevate privileges and facilitate lateral movement through leveraging known flaws and misconfigurations (exposures). Unfortunately, most organizations struggle with Active Directory security due to misconfigurations stacking up as domains increase in complexity, leaving security teams unable to fix flaws before they become business-impacting issues.

How did we implement this pack?

With you in mind (end users and security teams), our team of active directory experts, security analysts and developers digitized Active Directory remediation workflows into readable Playbooks, to address most common Active Directory misconfigurations and exposures.

What does this pack do?

This pack contains valuable playbooks which execute remediation workflows, step by step, to address Active Directory misconfiguration using PowerShell commands.

You can use our playbooks for various use cases:

Learn and setup an Active Directory documented remediation program (tracked through the XSOAR case management module)
Execute playbooks following a manual Active Directory audit’s findings
Execute playbooks against Audit alerts found by tools like PingCastle, Tenable.AD, Semphris, Microsoft ATP for AD
Leverage our playbooks in other workflows and use cases
Use our playbooks to consistently enforce configuration posture to Active Directories in your environment as a Pro Active Blue Team approach
Empower your Active Directory architects and engineering team with the XSOAR value through this pack.

As part of this pack, you will also get the out-of-the-box incident type and a layout for documenting AD exposures cases. These are easily customizable to suit the needs of your organization.

For more information, visit our website: www.soarxperts.com

Keen to test it out? Download the free PingCastle pack available on the marketplace and use this pack’s automation to parse and execute PingCastle audit report.

Name	Description
SXCreateGPPPasswordHTMLPage	Creates an HTML page explaining GPPPassword problems.
SXCreateKerberoastingPasswordPolicyHTMLPage	Creates the Kerberoasting Password Policy HTML page.
SXGenerateHTMLReport
SXCreateNTLMRelayHTMLPage	Creates an HTML page explaining NTLM Relay.
SXCreateLockoutPolicyHTMLPage	Creates an HTML page explaining lockout policy.
SXCheckForPowerShellVersionTwo	Check on the AD if powershell version 2 is enabled
SXCreateSMBSigningHTMLPage	Creates an HTML page explaining SMB Signing.
SXCreatePasswordPolicyHTMLPage	Creates an html page explaining password policy.
SXCreatePowerShellVersionTwoHTMLPage	Creates an html page explaining powershell version 2.
SXParsePingCastleReport	Parses the pingcastle report.
SXCheckADConfigured
SXCreateKerberoastingHTMLPage	Creates an HTML page explaining Kerberoasting.

Name	Description
SX Remediation ID
SX Remediation Impact
SX Remediation Priority
SX AD Mitre Attack Details
SX AD Exposure Topic	The specific exposure topic
SX AD Report Domain
SXKerberosServiceAccountName
SX Related Attacks & Tactics
SX AD Exposure Sub Topic	The specific sub topic of the exposure
SX AD Remediation Steps Summary	Lists remediation steps executed
SX Remediation Steps Summary
SX AD Report Date
SX Risk Severity
SX AD Exposure Pillar	The main category pillar
SX GPP table data
SXKerberosRemedMicrotopic

Name	Description
SX - AD - Password Age Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfiguration of password age in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - NTLM Relay Manual Mitigation	This playbook is triggered by the discovery of an exposure allowing adversary initiate an NTLM attack. The exposure is a misconfiguration found in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.
SX - AD - DES Manual Mitigation Steps	This playbook is triggered by the discovery of insecure DES encryption usage by accounts to authenticate to services in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - Service Accounts Password Policy	This playbook is triggered by the discovery of a misconfiguration of Service Accounts in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.
SX - AD - SMB Signing Manual Mitigation Steps	This playbook is triggered by the discovery of SMB signing misconfiguration in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - Password Age & Length & Complexity Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfiguration of password age, length and complexity in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - GPP Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfigured group policy reversible encryption and obfuscated passwords in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - Powershell V2 Manual Mitigation Steps	This playbook is triggered by the discovery of PowerShell version 2 misconfiguration in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - Password Age & Complexity Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfiguration of password age and complexity in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - NTLM Relay NP01	This playbook is triggered by the discovery of an exposure allowing adversary initiate an NTLM attack. The exposure is a misconfiguration found in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.
SX - AD - Password Length Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfiguration of password length in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - LLMNR Manual Mitigation Steps	This playbook is triggered by the discovery of LLMNR protocol enabled in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - SMB Signing	This playbook is triggered by the discovery of SMB signing misconfiguration in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.
SX - AD - NetBios Manual Mitigation Steps	This playbook is triggered by the discovery of NetBios protocol misconfiguration in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - Powershell Version 2	This playbook is triggered by the discovery of a misconfiguration around PowerShell version 2 in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.
SX - AD - Password Complexity Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfiguration of password complexity in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - PC - Ping Castle Report	This playbook was written to replace the default "SX - PC PingCastle Report" as the default playbook for the PingCastle integration. It executes the previous playbook and in addition parses the JSON report received from PingCastle and creates incidents based on identified exposures with available playbooks from SoarXperts AD Assurance Pack.
SX - AD - Lockout Policy Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfigured lockout policy in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - GPP - Reversible Enc' & Obfuscated passwords	This playbook is triggered by the discovery of a misconfigured group policy reversible encryption and obfuscated passwords in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.
SX - AD - Password Length & Complexity Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfiguration of password length and complexity in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - Default AD Exposure Alert	This playbook will run with every Active Directory exposure incident created. The playbook then looks at the incident details and launches the matching playbook by SoarXperts AD Assurance pack.
SX - AD - Kerberoasting	This playbook is triggered by the discovery of an exposure allowing adversary initiate a Kerberoasting attack. The exposure is a misconfiguration found in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.
SX - AD - Service Account in Privileged Group Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfiguration of Service Accounts in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - Default Password Policy Misconfig Discovered	This playbook is triggered by the discovery of a misconfigured default password policy in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.
SX - AD - Password Age & Length Manual Mitigation Steps	This playbook is triggered by the discovery of a misconfiguration of password age and length in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure.
SX - AD - Lockout Policy	This playbook is triggered by the discovery of a misconfigured lockout policy in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated.

Certification	Certified	Read more
Supported By	Partner
Created	February 17, 2022
Last Release	February 17, 2022

Active Directory Assurance - Exposures Response and Remediation

Why did we develop this pack?

How did we implement this pack?

What does this pack do?

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER