FORENSIC LIBRARY

Deep-dive into the attack paths Netra detects and neutralizes.

🏰 Active Directory (AD) ☁️ Entra ID (Cloud) 📊 SIEM Integration

Active Directory Forensics

ADCS Misconfiguration (ESC1-ESC8)

Critical Risk

Misconfigured Certificate Templates in Active Directory Certificate Services (ADCS) allow any authenticated user to request certificates as a Domain Admin.

Netra Detection: Identifies templates where CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is enabled alongside risky EKU scopes.

Unconstrained Delegation

Tier-0 Risk

Servers with Unconstrained Delegation can cache the TGT of any user who authenticates to them. If a Domain Admin connects, their identity is compromised.

Netra Detection: Maps all computers with TRUSTED_FOR_DELEGATION and identifies potential "Hop-Points" to the Domain Controller.

GPP Password Decryption (Groups.xml)

Legacy Risk

Legacy Group Policy Preferences (GPP) often contain encrypted passwords in XML files. Since Microsoft published the AES key, these are easily decrypted by attackers.

Netra Detection: Scans the SYSVOL share for cpassword attributes and performs an immediate in-memory decryption audit.

Entra ID Forensics

Dangerous Graph API Scopes

Critical Risk

App Registrations with permissions like RoleManagement.ReadWrite.Directory or AppRoleAssignment.ReadWrite.All can be used to escalate to Global Admin.

Netra Detection: Audits Service Principals for "Toxic Combinations" of MS Graph permissions that facilitate tenant takeover.

PIM Hygiene Gaps

Privilege Risk

Privileged Identity Management (PIM) is often bypassed if "Eligible" role assignments do not require MFA or Approval for activation.

Netra Detection: Identifies privileged roles where activation lacks secondary validation requirements.

SIEM & SOC Integration

Netra is built for enterprise operations. All forensic findings can be exported in Standard JSON Format for ingestion into modern security stacks:

  • Microsoft Sentinel: Ingest via Log Analytics Data Collector API.
  • Splunk: Monitor the JSON output directory for automatic indexing.
  • Elastic / ELK: Use Filebeat to ship Netra-Go findings to your central cluster.