User Defined Rules
Muhammad Ali edited this page Mar 23, 2025 · 9 revisions
| Vuln ID | Name | Description | Severity | Key Conditions |
|---|---|---|---|---|
| 001 | Kerberoastable | Kerberoastable account | Medium | - Has SPN - Not disabled - Not a computer account - AdminCount != 1 |
| 002 | Kerberoastable High Privilege | Kerberoastable high privilege account | Medium | - Has SPN - AdminCount = 1 - Not disabled - Not a computer account |
| 003 | Password Never Expires | User account with password that never expires | Medium | - DONT_EXPIRE_PASSWORD flag - Is user account - Not MSOL_ account |
| 004 | Password Not Required | User account with password not required | High | - PASSWD_NOTREQD flag - Is user account - Not disabled |
| 005 | Admin with Reversible Encryption | Admin account with reversible encryption enabled | Informational | - ENCRYPTED_TEXT_PWD_ALLOWED flag - Is user account - Not disabled |
| 006 | Unconstrained Delegation | Account has unconstrained delegation enabled | High | - TRUSTED_FOR_DELEGATION flag - Not disabled |
| 007 | Old Password | Account with old password (>90 days) | Medium | - Password last set > 90 days - Is user account - Not disabled |
| 008 | Inactive Account | Inactive account (no login >30 days) | Medium | - Last logon > 30 days - Is user account - Not disabled |
| 009 | ASREPRoastable | User account does not require Kerberos preauthentication | High | - DONT_REQ_PREAUTH flag - Is user account - Not disabled |
| 010 | SMB Signing Disabled | Computer with SMB signing disabled (the conditions only select candidate hosts from LDAP; signing state is not an LDAP attribute and has to be probed over SMB) | Medium | - Has DNS hostname - Has operating system - Not disabled |
| 011 | Constrained Delegation | Account configured for constrained delegation | Medium | - Has msDS-AllowedToDelegateTo - Not disabled |
| 012 | Resource Based Constrained Delegation | Account with msDS-AllowedToActOnBehalfOfOtherIdentity set, so the principals listed there can impersonate users to it | High | - Has msDS-AllowedToActOnBehalfOfOtherIdentity - Not disabled |
| 013 | Empty Password | Account with empty password | Critical | - PASSWD_NOTREQD flag - pwdLastSet = 0 - Not disabled |
| 014 | Never Logged On | Account that has never logged on | Medium | - lastLogon = 0 - Not disabled |
| 015 | Admin with Plain Text Password | Admin account with password stored in reversible encryption | Critical | - Member of Administrators - ENCRYPTED_TEXT_PWD_ALLOWED flag - Not disabled |
| 016 | DC Auth Policy | Domain Controller with weak authentication policy | High | - Is DC (primaryGroupID=516) - SERVER_TRUST_ACCOUNT - No AES256 support |
| 019 | Inactive Admin | Inactive administrator account | High | - Member of Domain Admins - Last logon > 30 days - Not default Administrator - Not disabled |
| 020 | Admin Account Delegation | Admin account with delegation enabled | High | - Member of Domain Admins - NOT_DELEGATED flag not set - Not disabled |
| 021 | Default KRBTGT Password | KRBTGT account password has not been rotated for over 180 days and may never have been changed | Critical | - Is krbtgt account - Password older than 180 days |
| 022 | RODC Password Replication | Sensitive account allowed for password replication to RODCs | High | - In Allowed RODC Password Replication Group - Member of Domain Admins - Not disabled |
| 023 | DNS Zone Transfer | DNS zone allows zone transfers to any server | Medium | - Is dnsZone object - Has allowedTransferIPs |
| 024 | Weak Certificate Template | Certificate template with vulnerable configuration | High | - Is pKICertificateTemplate - msPKI-Certificate-Name-Flag = 1 |
| 025 | GPO with CPassword | Group Policy with potential cpassword attribute | High | - Is groupPolicyContainer |
| 026 | High Machine Account Quota | Domain with high machine account quota | Medium | - Is domainDNS - ms-DS-MachineAccountQuota > 0 |
| 029 | Weak Password Policy | Domain with weak minimum password length | Low | - Is domainDNS - minPwdLength < 8 |
| 030 | No Lockout Policy | Domain without account lockout policy | Medium | - Is domainDNS - lockoutThreshold = 0 |
| 031 | Short Password Age | Domain with short maximum password age | Medium | - Is domainDNS - maxPwdAge ≤ 30 days - maxPwdAge ≠ 0 |
| 034 | Home Dir on SYSVOL | User with home directory on SYSVOL | High | - Is user - homeDirectory contains "sysvol" - Not disabled |
| 035 | Inactive Schema Admin | Inactive Schema Admins account | High | - Member of Schema Admins - Last logon > 90 days - Not disabled |
| 036 | Script Path in GPO | GPO with potentially malicious script path | Medium | - Is groupPolicyContainer - displayName contains "script" |
| 037 | Weak SPN Configuration | Service account with weak SPN configuration | Medium | - Has MSSQL SPN - Is user account - Not disabled |
| 038 | DNSAdmin Privilege Escalation | User in DnsAdmins group | High | - Member of DnsAdmins - Is user - Not in Domain Admins - Not disabled |
| 039 | Weak Password Complexity | Domain with password complexity disabled | Critical | - Is domainDNS - pwdProperties missing complexity flag |
| 040 | Password Not Required + Enabled | User with PASSWORD_NOT_REQUIRED flag and enabled | Critical | - Is user - Has UF_PASSWD_NOTREQD flag - Account enabled |
| 041 | Multiple Risky UAC Flags | User account with multiple risky UAC settings | High | - Is user - Has risky UAC flags - Account enabled |
| 042 | DC Weak Crypto | Domain controller with weak cryptography | High | - Is computer - Is domain controller - Missing AES encryption support |
| 043 | Inactive Privileged Account | Inactive account in privileged groups | High | - Last logon > 90 days - Account enabled - Is user |
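As an added worked example (written for this page, not code from the PowerView.py project), the following Python evaluates a handful of the rules above against constructed LDAP-style entries, so the Key Conditions column can be checked against concrete userAccountControl bits and FILETIME timestamps. The entry dict layout, the `acct` helper, the account and host names and the fixed "now" are assumptions for illustration; the UAC bit values and the 1601 FILETIME epoch are Microsoft's.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Microsoft's documented UAC flag values).
ACCOUNTDISABLE            = 0x00000002
PASSWD_NOTREQD            = 0x00000020
NORMAL_ACCOUNT            = 0x00000200
WORKSTATION_TRUST_ACCOUNT = 0x00001000
DONT_EXPIRE_PASSWORD      = 0x00010000
TRUSTED_FOR_DELEGATION    = 0x00080000
DONT_REQ_PREAUTH          = 0x00400000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2025, 3, 23, tzinfo=timezone.utc)  # fixed "now" so the sample ages are deterministic


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet and lastLogon are 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def age_days(ft: int, now: datetime = NOW) -> int:
    return (now - filetime_to_datetime(ft)).days


def has_flag(e: dict, bit: int) -> bool:
    return bool(e.get("userAccountControl", 0) & bit)


def is_enabled(e): return not has_flag(e, ACCOUNTDISABLE)
def is_computer(e): return "computer" in e.get("objectClass", [])
def is_user(e): return "user" in e.get("objectClass", []) and not is_computer(e)
def has_spn(e): return bool(e.get("servicePrincipalName"))


# One predicate per rule, mirroring the Key Conditions column of the table.
def r001(e, now): return has_spn(e) and is_enabled(e) and not is_computer(e) and e.get("adminCount") != 1
def r002(e, now): return has_spn(e) and e.get("adminCount") == 1 and is_enabled(e) and not is_computer(e)
def r003(e, now): return has_flag(e, DONT_EXPIRE_PASSWORD) and is_user(e) and not e["sAMAccountName"].startswith("MSOL_")
def r004(e, now): return has_flag(e, PASSWD_NOTREQD) and is_user(e) and is_enabled(e)
def r006(e, now): return has_flag(e, TRUSTED_FOR_DELEGATION) and is_enabled(e)
def r009(e, now): return has_flag(e, DONT_REQ_PREAUTH) and is_user(e) and is_enabled(e)
def r013(e, now): return has_flag(e, PASSWD_NOTREQD) and e.get("pwdLastSet", 0) == 0 and is_enabled(e)


def r007(e, now):
    # pwdLastSet == 0 means "must change password at next logon", not a 90-day-old password;
    # skipping it keeps rule 007 from double-reporting every rule 013 hit (my choice, not stated by the page).
    pls = e.get("pwdLastSet", 0)
    return pls != 0 and age_days(pls, now) > 90 and is_user(e) and is_enabled(e)


def r008(e, now):
    # lastLogon == 0 is "never logged on" (rule 014), not 30 days of inactivity.
    ll = e.get("lastLogon", 0)
    return ll != 0 and age_days(ll, now) > 30 and is_user(e) and is_enabled(e)


RULES = [("001", "Kerberoastable", "Medium", r001), ("002", "Kerberoastable High Privilege", "Medium", r002),
         ("003", "Password Never Expires", "Medium", r003), ("004", "Password Not Required", "High", r004),
         ("006", "Unconstrained Delegation", "High", r006), ("007", "Old Password", "Medium", r007),
         ("008", "Inactive Account", "Medium", r008), ("009", "ASREPRoastable", "High", r009),
         ("013", "Empty Password", "Critical", r013)]


def evaluate(entries, now=NOW):
    """Map sAMAccountName -> list of matching rule IDs, omitting entries with no findings."""
    findings = {}
    for e in entries:
        hits = [rid for rid, _name, _sev, pred in RULES if pred(e, now)]
        if hits:
            findings[e["sAMAccountName"]] = hits
    return findings


def ft_days_ago(days, now=NOW):
    return datetime_to_filetime(now - timedelta(days=days))


def acct(name, uac, spn=(), admin=0, pls_days=30, ll_days=1, computer=False):
    """Constructed LDAP-style entry (hypothetical data, not a real directory dump); pls_days=None -> pwdLastSet = 0."""
    oc = ["top", "person", "organizationalPerson", "user"] + (["computer"] if computer else [])
    return {"sAMAccountName": name, "objectClass": oc, "userAccountControl": uac, "adminCount": admin,
            "servicePrincipalName": list(spn), "lastLogon": ft_days_ago(ll_days),
            "pwdLastSet": 0 if pls_days is None else ft_days_ago(pls_days)}


SAMPLE_ENTRIES = [  # constructed accounts; names and hosts are made up
    acct("svc_sql", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, spn=["MSSQLSvc/sql01.corp.example:1433"], pls_days=200, ll_days=5),
    acct("svc_backup", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION, spn=["HTTP/backup01.corp.example"], admin=1, pls_days=10),
    acct("legacy_app", NORMAL_ACCOUNT | DONT_REQ_PREAUTH | PASSWD_NOTREQD, pls_days=None, ll_days=45),
    acct("old_svc", NORMAL_ACCOUNT | ACCOUNTDISABLE, spn=["HOST/old01.corp.example"], pls_days=400, ll_days=400),
    acct("WS01$", WORKSTATION_TRUST_ACCOUNT, spn=["HOST/ws01.corp.example"], computer=True),
]

if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_ENTRIES).items():
        print(name, hits)
```

Running it reports svc_sql for 001, 003 and 007, svc_backup for 002 and 006, and legacy_app for 004, 008, 009 and 013; the disabled old_svc and the computer account WS01$ produce nothing even though both carry SPNs, which is exactly the "Not disabled" and "Not a computer account" conditions at work. Against a live domain the same predicates would be fed entries from an LDAP search requesting the attributes named in the Key Conditions column (userAccountControl, servicePrincipalName, adminCount, pwdLastSet, lastLogon, objectClass).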