Implicit Takeover

Description

The Source is a Tier0 security principal. Tier0 is the set of Active Directory objects that have the highest privileges in the domain, such as the members of the Domain Admins or Domain Controllers group. All Tier0 assets can implicitly compromise any other object in the domain, even if there is no explicit other relation.

This relation makes it possible to model implicit rights built-in to Active Directory. These rights are by design and documented, and thus known to attackers. However, Tenable Identity Exposure cannot collect these rights by standard means. Moreover, this relation simplifies attack path graphs, because as soon as attackers compromise a Tier0 node, they can attack any other object directly without going through other explicit relations.

In summary, Source Tier0 assets are considered to all have "Implicit Takeover" relations to any Target node in the graph.

Exploitation

The exact exploitation method depends on the type of the Source Tier0 asset targeted, but these are well-documented techniques that attackers efficiently master.

Remediation

This relation is by design and you cannot remediate it. It is almost impossible to stop an attacker who reaches a Tier0 asset from attacking further.

Remediation efforts must focus on upstream relations in attack paths.

See also