Update Distributed COM Users and add Performance Log Users
JonasBK authored Apr 25, 2024
1 parent 0d65fb1 commit 39908f8
Showing 1 changed file with 15 additions and 3 deletions.
18 changes: 15 additions & 3 deletions TierZeroTable.csv
Expand Up @@ -40,9 +40,12 @@ All Tier Zero users and computers should be in the msDS-NeverRevealGroup attribu
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#denied-rodc-password-replication"
Distributed COM Users;DC group;Active Directory;SID: S-1-5-32-562;"Members of the Distributed COM Users group can launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (also called the flexible single master operations or FSMO) role.

The Distributed COM Users group applies to the Windows Server operating system in Default Active Directory security groups.";NO;NO;YES;"The Distributed COM Users group has local privileges on domain controllers to launch, activate, and use Distributed COM objects but no privilege to log in.
The Distributed COM Users group applies to the Windows Server operating system in Default Active Directory security groups.";YES - Takeover;N/A - Compromise by default;YES;"The Distributed COM Users group has local privileges on domain controllers to launch, activate, and use Distributed COM objects but no privilege to log in.

There are no known ways to abuse the membership of the group to compromise Tier Zero. The local privileges the group has on the DCs are considered security dependency, and the group is therefore considered Tier Zero.";YES;NO;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#distributed-com-users
The DCOM access enable members of this group to remotely compromise users logged in on DCs through a coerce + NTLM relay attack. The attack can be remediated by adding users to Protected Users or deny outbound NTLM authentication on DCs.

The local privileges the group has on the DCs are considered a security dependency for DCs as well. The group is therefore considered Tier Zero.";YES;NO;1;"https://decoder.cloud/2024/04/24/hello-im-your-domain-admin-and-i-want-to-authenticate-against-you/
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#distributed-com-users"
Domain Admins;AD group;Active Directory;SID: S-1-5-21-<domain>-512;"Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that's created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.

The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Members of the service administrator groups in its domain (Administrators and Domain Admins) and members of the Enterprise Admins group can modify Domain Admins membership. This group is considered a service administrator account because its members have full access to the domain controllers in a domain.
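Review bot: the new rationale line for Distributed COM Users ("The DCOM access enable members of this group ...") has two grammar slips that will be copied forward into any row that reuses it: "enable" should be "enables", and "or deny outbound NTLM authentication" should be "or denying outbound NTLM authentication" so it parallels "adding users to Protected Users". Consider also stating in the same sentence that the remediation needs both halves in practice, since Protected Users only covers the user accounts you add to it while the NTLM restriction covers the DC side; as written, "or" reads as if either alone is sufficient. The classification fields changing from "NO;NO;YES" to "YES - Takeover;N/A - Compromise by default;YES" matches the pattern used by the other rows on this page (e.g. Domain Controllers (OU)), so that part looks consistent.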
Expand All @@ -55,7 +58,7 @@ The Domain Controllers group applies to the Windows Server operating system in D
There are no known ways to abuse membership in this group to compromise Tier Zero. However, the GetChangesAll privilege is considered a security dependency that should only be held by Tier Zero principals. Additionally, control over the group allows one to impact the operability of Tier Zero by removing domain controllers from the group, which breaks AD replication. The group is therefore considered Tier Zero.";YES;YES;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#domain-controllers
Domain Controllers (OU);AD OU;Active Directory;DistinguishedName: OU=Domain Controllers,<Domain DN>;When domain controllers are added to the domain, their computer objects are automatically added to the Domain Controller OU. This OU has a default set of policies applied to it. To ensure that these policies are applied uniformly to all domain controllers, we recommend that you not move the computer objects of the domain controllers out of this OU. Failure to apply the default policies can cause a domain controller to fail to function properly.;YES - Takeover;N/A - Compromise by default;YES;Inheritance is not disabled by default on DCs and RODCs, which means they can inherit permissions placed on the Domain Controllers OU. An attacker could thereby grant themselves GenericAll on DCs and RODCs, which enable the attacker to perform a domain compromise. If the attacker has the privilege to create or modify GPOs, the attacker could compromise DCs with a malicious GPO. For these reasons, the Domain Controllers OU is Tier Zero.;NO;NO;2;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-of-default-containers-and-ous#domain-controller-ou
Domain root object;AD domain;Active Directory;Top object in the Default Naming Context;A Domain root object represents the AD domain. It contains all AD objects in the Default Naming Context.;YES - Takeover;N/A - Compromise by default;YES;An attacker with control over the domain root object can compromise the domain in multiple ways, for example by a DCSync attack (see reference). The domain root object is therefore Tier Zero.;NO;NO;2;https://adsecurity.org/?p=1729
DnsAdmins;AD group;Active Directory;S-1-5-21-<domain>-<variable RI>;"Members of the DnsAdmins group have access to network DNS information. The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
DnsAdmins;AD group;Active Directory;S-1-5-21-<domain>-<variable RID>;"Members of the DnsAdmins group have access to network DNS information. The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.

For more information about security and DNS, see DNSSEC in Windows Server 2012.";YES - Takeover;N/A - Compromise by default;YES;Users from the DnsAdmins group could use a “feature” in the Microsoft DNS management protocol to make the DNS service load any DLL. This service runs on Domain Controllers as NT AuthoritySystem, allowing DnsAdmins to escalate privileges to SYSTEM on DC (with permissions equal at least to Domain Admins).;NO;NO;Community contribution;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins
https://www.semperis.com/blog/dnsadmins-revisited/"
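Review bot: the "variable RI" to "variable RID" typo fix is correct, but while touching this field it should also get the "SID: " prefix that the other rows use (compare "SID: S-1-5-32-562" for Distributed COM Users and "SID: S-1-5-21-<domain>-512" for Domain Admins); suggested value: "SID: S-1-5-21-<domain>-<variable RID>". Leaving it without the prefix keeps the column inconsistent for anyone parsing the CSV on that field.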
Expand Down Expand Up @@ -90,6 +93,15 @@ KRBTGT is also the security principal name used by the KDC for a Windows Server

Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.";YES - Takeover;N/A - Compromise by default;YES;The krbtgt's credentials allow one to create golden ticket and compromise the domain. Therefore, if you obtain the credentials of this account, then you can authenticate as any Tier Zero user. However, there is currently no known privilege on the object to obtain the Kerberos keys or to compromise the account in any other way. When you reset the password of krbtgt, AD will ignore your password input and use a random string instead. So, the reset password privilege does not work for a compromise. An attacker could use the reset password privilege to harm Tier Zero, as a double password reset causes all Kerberos TGTs in the domain to become invalid. So, since control over the account can harm Tier Zero, and there is no reason for delegating control to non-Tier Zero, the krbtgt is Tier Zero.;YES;YES;2;"https://adsecurity.org/?p=483
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn745899(v=ws.11)?redirectedfrom=MSDN#krbtgt-account"
Performance Log Users;DC group;Active Directory;SID: S-1-5-32-559;"Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group:
- Can use all the features that are available to the Performance Monitor Users group.
- Can create and modify Data Collector Sets after the group is assigned the Log on as a batch job user right.
- Can't use the Windows Kernel Trace event provider in Data Collector Sets.";YES - Takeover;N/A - Compromise by default;YES;"The Performance Log Users group has local privileges on domain controllers to launch, activate, and use Distributed COM objects but no privilege to log in.

The DCOM access enable members of this group to remotely compromise users logged in on DCs through a coerce + NTLM relay attack. The attack can be remediated by adding users to Protected Users or deny outbound NTLM authentication on DCs.

The local privileges the group has on the DCs are considered a security dependency for DCs as well. The group is therefore considered Tier Zero.";NO;NO;Community contribution;"https://decoder.cloud/2024/04/24/hello-im-your-domain-admin-and-i-want-to-authenticate-against-you/
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#performance-log-users"
Print Operators;DC group;Active Directory;SID: S-1-5-32-550;"Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They also can manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.

This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group can't be renamed, deleted, or removed.
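Review bot: the rationale added for Performance Log Users is a verbatim copy of the Distributed COM Users rationale, and its first sentence claims the group "has local privileges on domain controllers to launch, activate, and use Distributed COM objects", yet nothing in the description added just above it (performance counters, logs, alerts, Data Collector Sets, the Log on as a batch job right) says where that DCOM launch/activation right comes from; the row should state or cite the source of that privilege so the Tier Zero justification is traceable rather than inherited by copy-paste. The same grammar slips carry over ("enable" should be "enables", "deny outbound NTLM" should be "denying outbound NTLM"). Finally, the trailing fields here are ";NO;NO;Community contribution;" whereas the Distributed COM Users row with the identical rationale keeps ";YES;NO;1;"; if the first of those values is meant to differ between the two groups, it is worth saying so in the commit message, otherwise align them.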
0 comments on commit 39908f8