Attack Path Node Types
The attack path feature in Tenable Identity Exposure shows you a graph visualizing attack paths open to attackers within your Active Directory environment. The graph comprises edges that represent attack relations and nodes that represent Active Directory (LDAP/SYSVOL) objects.
The following list describes all the possible node types that you can expect to see in attack path graphs.
Node Type | Location | Description
---|---|---
User | LDAP | LDAP object whose objectClass attribute contains the class user but not computer (the computer class derives from user, so every computer object also carries the user class).
Group | LDAP | LDAP object whose objectClass attribute contains the class group.
Device | LDAP | LDAP object whose objectClass attribute contains the class computer but not msDS-GroupManagedServiceAccount, and whose primaryGroupID attribute equals neither 516 (DC) nor 521 (RODC). Note: this category is called "Device" rather than "Computer" to keep the term generic across Tenable products.
Organizational Unit (OU) | LDAP | LDAP object whose objectClass attribute contains the class organizationalUnit. Do not confuse OUs with objects of the container class (for example the default Users and Computers containers), nor with the more general fact that almost any Active Directory (AD) object can act as a container and hold other objects.
Domain | LDAP | LDAP object whose objectClass attribute contains the class domainDNS and certain attributes.
Domain Controller (DC) | LDAP | LDAP object whose objectClass attribute contains the class computer and whose primaryGroupID attribute equals 516, the RID of the Domain Controllers group (therefore not an RODC).
Read-Only Domain Controller (RODC) | LDAP | LDAP object whose objectClass attribute contains the class computer and whose primaryGroupID attribute equals 521, the RID of the Read-only Domain Controllers group (therefore not a writable DC).
Group Policy (GPC) | LDAP | LDAP object whose objectClass attribute contains the class groupPolicyContainer.
GPO file | SYSVOL | File found in the SYSVOL share of a specific GPO (for example "\\example.net\sysvol\example.net\Policies\{A8370D7F-8AC0-452E-A875-2A6A52E9D392}\{Machine,User}\Preferences\ScheduledTasks\ScheduledTasks.xml").
GPO folder | SYSVOL | Folder found in the SYSVOL share of a specific GPO; there is one per GPO (for example "\\example.net\sysvol\example.net\Policies\{A8370D7F-8AC0-452E-A875-2A6A52E9D392}\Machine\Scripts\Startup").
Group-Managed Service Account (gMSA) | LDAP | LDAP object whose objectClass attribute contains the class msDS-GroupManagedServiceAccount. Such objects also carry the user and computer classes, which is why the User and Device rules exclude them explicitly.
Enterprise NtAuth store | LDAP | LDAP object whose objectClass attribute contains the class certificationAuthority. This node corresponds to the NTAuthCertificates object under CN=Public Key Services,CN=Services in the Configuration partition, which holds the CA certificates trusted to issue authentication certificates for the forest.
PKI certificate template | LDAP | LDAP object whose objectClass attribute contains the class pKICertificateTemplate.
Unresolved security principal | LDAP | An objectSid or distinguished name that was referenced while building relations but for which no matching security principal object exists in the directory (the classic "unresolved SID" case). Because only the SID or DN is known, the type of principal (user, computer, group, etc.) is unknown as well.
Special Identity | LDAP | Windows and Active Directory use well-known identities internally (Everyone, Authenticated Users, and so on). These identities function like groups, but AD does not declare them as group objects. For more information, see Special Identity Groups.
Others | LDAP / SYSVOL | Currently, all AD/SYSVOL objects that do not fall into the categories above.
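The rules in the table are mostly objectClass tests, but the order in which they are applied matters, because computer derives from user and msDS-GroupManagedServiceAccount derives from computer, and because DCs and RODCs are ordinary computer objects distinguished only by primaryGroupID. The classifier below, an added example that is not Tenable code, applies those rules to LDAP entries and also shows how a SID met while building a relation becomes a Special Identity or an Unresolved security principal. The sample entries, DNs and SIDs are constructed, and the list of well-known SIDs is a deliberately small subset.

```python
"""Classify LDAP entries into the attack path node types of the table above.

Added example, not Tenable code. The sample entries, DNs and SIDs below are
constructed; the set of well-known SIDs is an assumed subset of the real list.
"""
from typing import Dict, Mapping

# primaryGroupID values that mark a computer object as a (read-only) DC.
RID_DOMAIN_CONTROLLERS = 516            # "Domain Controllers" group
RID_READ_ONLY_DOMAIN_CONTROLLERS = 521  # "Read-only Domain Controllers" group

# Well-known SIDs of special identities (assumption: a real tool carries the full list).
SPECIAL_IDENTITY_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-10": "Principal Self",
    "S-1-5-11": "Authenticated Users",
}


def classify(entry: Mapping[str, object]) -> str:
    """Return the node type of one LDAP entry from its objectClass list and primaryGroupID.

    Most specific class first: gMSA before computer, computer before user,
    and 516/521 split off before a plain computer is reported as a Device.
    """
    # objectClass values are matched case-insensitively in LDAP; normalise for lookup.
    classes = {c.lower() for c in entry.get("objectClass", [])}
    pgid = entry.get("primaryGroupID")
    if "msds-groupmanagedserviceaccount" in classes:
        return "Group-Managed Service Account (gMSA)"
    if "computer" in classes:
        if pgid == RID_DOMAIN_CONTROLLERS:
            return "Domain Controller (DC)"
        if pgid == RID_READ_ONLY_DOMAIN_CONTROLLERS:
            return "Read-Only Domain Controller (RODC)"
        return "Device"
    if "user" in classes:
        return "User"
    simple = {
        "group": "Group",
        "organizationalunit": "Organizational Unit (OU)",
        "domaindns": "Domain",
        "grouppolicycontainer": "Group Policy (GPC)",
        "certificationauthority": "Enterprise NtAuth store",
        "pkicertificatetemplate": "PKI certificate template",
    }
    for cls, node_type in simple.items():
        if cls in classes:
            return node_type
    return "Others"


def build_sid_index(entries: Mapping[str, Mapping[str, object]]) -> Dict[str, str]:
    """Map objectSid -> node type for every entry that carries a SID."""
    return {e["objectSid"]: classify(e) for e in entries.values() if "objectSid" in e}


def resolve_reference(sid: str, index: Mapping[str, str]) -> str:
    """Node type of a SID referenced by a relation (for example an ACE trustee or a member)."""
    if sid in index:
        return index[sid]
    if sid in SPECIAL_IDENTITY_SIDS:
        return "Special Identity"
    return "Unresolved security principal"


# Constructed sample directory; objectClass lists mirror what AD returns.
COMPUTER_CLASSES = ["top", "person", "organizationalPerson", "user", "computer"]
SAMPLE_ENTRIES = {
    "CN=alice,CN=Users,DC=example,DC=net": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "primaryGroupID": 513, "objectSid": "S-1-5-21-1-2-3-1105"},
    "CN=WS01,CN=Computers,DC=example,DC=net": {
        "objectClass": COMPUTER_CLASSES, "primaryGroupID": 515,
        "objectSid": "S-1-5-21-1-2-3-1201"},
    "CN=DC01,OU=Domain Controllers,DC=example,DC=net": {
        "objectClass": COMPUTER_CLASSES, "primaryGroupID": 516,
        "objectSid": "S-1-5-21-1-2-3-1000"},
    "CN=RODC01,OU=Domain Controllers,DC=example,DC=net": {
        "objectClass": COMPUTER_CLASSES, "primaryGroupID": 521,
        "objectSid": "S-1-5-21-1-2-3-1300"},
    "CN=svc-web,CN=Managed Service Accounts,DC=example,DC=net": {
        "objectClass": COMPUTER_CLASSES + ["msDS-GroupManagedServiceAccount"],
        "primaryGroupID": 515, "objectSid": "S-1-5-21-1-2-3-1400"},
    "CN=Domain Admins,CN=Users,DC=example,DC=net": {
        "objectClass": ["top", "group"], "objectSid": "S-1-5-21-1-2-3-512"},
    "OU=Workstations,DC=example,DC=net": {"objectClass": ["top", "organizationalUnit"]},
    "DC=example,DC=net": {"objectClass": ["top", "domain", "domainDNS"],
                          "objectSid": "S-1-5-21-1-2-3"},
    "CN={A8370D7F-8AC0-452E-A875-2A6A52E9D392},CN=Policies,CN=System,DC=example,DC=net": {
        "objectClass": ["top", "container", "groupPolicyContainer"]},
    "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=net": {
        "objectClass": ["top", "certificationAuthority"]},
    "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=net": {
        "objectClass": ["top", "pKICertificateTemplate"]},
    "CN=Users,DC=example,DC=net": {"objectClass": ["top", "container"]},
}

if __name__ == "__main__":
    for dn, entry in SAMPLE_ENTRIES.items():
        print(f"{classify(entry):40} {dn}")
    index = build_sid_index(SAMPLE_ENTRIES)
    for sid in ("S-1-5-21-1-2-3-512", "S-1-5-11", "S-1-5-21-1-2-3-9999"):
        print(f"{sid:25} -> {resolve_reference(sid, index)}")
```

Running the module prints one line per sample entry with its node type, then resolves three SIDs: a known group SID, the Authenticated Users SID (Special Identity) and a SID with no matching object (Unresolved security principal). Swapping the order of the computer and user tests in classify would turn every computer, DC and gMSA into a User, which is the mistake the "but not computer" wording in the table guards against.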