Table of AD and Azure assets and whether they belong to Tier Zero.
View the table here: https://specterops.github.io/TierZeroTable
Blog posts:
Webinars:
- Defining the Undefined: What is Tier Zero
- Defining the Undefined: What is Tier Zero Part II
- Defining the Undefined: What is Tier Zero Part III
- Defining the Undefined: What is Tier Zero Part IV
DISCLAIMER: The table does not include all Tier Zero assets yet. We will add assets to the table throughout the webinar series, so if you think we are missing something, you are completely right. Feel free to make a pull request or open an issue with the asset you think we should add, or if you disagree with something in the table :) All contributions are appreciated.
Common name of the asset.
Type of the asset.
Values:
- AD computer
- AD container
- AD group
- AD object
- AD OU
- AD user
- Computer host
- DC group
- Entra ID role
Identity Provider of the asset.
Values:
- Active Directory
- Entra ID
How the asset can be identified. E.g., SID of AD object.
Description of the asset, i.e., its purpose of existence. This will be copied from Microsoft documentation if available.
Whether a publicly known abuse technique exists that allows compromise of Tier Zero assets using this asset. The abuse technique must work in an environment with default configurations.
If a publicly known abuse technique exists it will be described in the Reasoning column and links will be provided in the External links column.
Values:
- YES - Takeover - A publicly known abuse technique to take over one or more Tier Zero assets exists and works in environments with default configurations.
- YES - Disruption - A publicly known abuse technique to disrupt the operations of Tier Zero assets exists and works in environments with default configurations.
- NO - No publicly known abuse technique to compromise Tier Zero assets in an environment with default configurations exists.
- IT DEPENDS - A publicly known abuse technique to take over or disrupt Tier Zero assets exists and works in some configurations.
Whether a publicly known abuse technique exists that allows compromise of Tier Zero assets using this asset, which is enabled due to a common non-default (mis)configuration.
If a publicly known abuse technique exists it will be described in the Reasoning column and links will be provided in the External links column.
Values:
- YES - Takeover - A publicly known abuse technique to take over one or more Tier Zero assets exists and works in environments with a common non-default (mis)configuration.
- YES - Disruption - A publicly known abuse technique to disrupt the operations of Tier Zero assets exists and works in environments with a common non-default (mis)configuration.
- NO - No publicly known abuse technique to compromise Tier Zero assets in an environment with common non-default (mis)configurations exists.
- N/A - Compromise by default - A publicly known abuse technique to compromise Tier Zero assets exists and works in environments with default configurations, hence it does not require any special configuration.
If the asset should be considered Tier Zero based on our Definition of Tier Zero.
Values:
- YES
- NO
- IT DEPENDS - If the asset is Tier Zero in some legitimate configuration but not always.
The explanation of why the asset is or is not Tier Zero, including an abuse summary and if the asset is a security dependency for Tier Zero.
Cypher query to return the node representing the asset in BloodHound.
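As an added illustration (not a query taken from the table itself), this is the kind of Cypher query the column holds. It returns the Domain Admins group of every collected domain by matching the well-known RID 512 suffix of the group's SID, which BloodHound stores in the objectid property; the Group label and the name and domain properties follow BloodHound's AD schema, and the output aliases are my own choice.

```cypher
// Added example: find the Domain Admins group of each domain.
// BloodHound stores the AD object SID in the objectid property, and
// Domain Admins always carries the well-known relative identifier 512.
MATCH (g:Group)
WHERE g.objectid ENDS WITH "-512"
RETURN g.name AS group_name, g.domain AS domain
```

The query can be pasted into the BloodHound raw query field as-is; queries for other assets in the table follow the same pattern, with the label and the SID suffix or objectid swapped for the asset in question.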
Whether the asset is included in Microsoft's Privileged access security roles list, or has a "PRIVILEGED" label if an Entra ID role.
Values:
- YES
- NO
Whether the asset is part of the default Protected Accounts and Groups in Active Directory, which are protected with the AdminSDHolder security descriptor.
Values:
- YES
- NO
- N/A - The asset cannot be protected by AdminSDHolder.
The episode of the What is Tier Zero webinar series in which this asset was discussed.
Values:
- 1
- 2
- 3
- 4
- Community contribution
Links to documentation for the asset, abuse information, etc.