Purple Knight, the free Active Directory (AD) security assessment tool downloaded by 5,000-plus users, now enables you to identify and address security gaps across your hybrid identity environment. That’s right: The latest release of Purple Knight introduces Azure AD security indicators. The ability to address security gaps across both on-prem AD and Azure AD gives you an edge when defending against current threats.
With a hybrid scenario, the potential attack surface expands for adversaries. Attacks now often start on-premises and move to the cloud—as in the SolarWinds attack—or move from cloud to on-prem. The new release of Purple Knight helps organizations uncover security gaps that can expose their hybrid identity systems to attackers.
Purple Knight 1.5—available for download here—also includes support for the MITRE D3FEND model, new on-prem AD security indicators, report enhancements, and a few bug fixes and script improvements.
What’s new in Purple Knight 1.5
In addition to introducing 10 Azure AD security indicators, Purple Knight 1.5 includes new security framework tags for the MITRE D3FEND model, a beta framework for network defense. MITRE D3FEND is a knowledge base of cybersecurity countermeasure techniques that can help you design, deploy, and better defend networked systems. Purple Knight also includes seven new security indicators for on-prem AD as well as HTML and PDF report enhancements. Here’s what Purple Knight 1.5 includes:
10 Azure AD security indicators to help you understand your overall security posture across the hybrid identity environment
Security framework tags for the MITRE D3FEND model, a beta framework for network defense
HTML Security Assessment Report enhancements, including a navigation pane that enables you to quickly locate specific information within the report without scrolling and an updated report structure that includes both AD and Azure AD assessments when run in a hybrid environment
Ability to generate an enhanced PDF version of the Security Assessment Report
Various bug fixes and script improvements
Purple Knight 1.5 Report Summary
Using Purple Knight to assess security of your hybrid identity environment
Purple Knight 1.5 scans your Azure AD environment for the following indicators of exposure (IOEs), which signal risky configurations that attackers can exploit:
AAD privileged users that are also privileged in AD
Administrative units are not being used
Check for guests having permissions to invite other guests
Check for risky API permissions granted to application service principals
Check if legacy authentication is allowed
MFA not configured for privileged accounts
Non-admin users can register custom applications
Privileged groups contain guest accounts
Security defaults not enabled
Unrestricted user consent allowed
Download script for connecting Purple Knight to Azure Active Directory
To run Purple Knight in your Azure AD environment, you need to create and update the app registration in Azure AD with a defined and consented set of application permissions for the Microsoft Graph. Jorge de Almeida Pinto, Semperis Senior Solutions Architect and Product Manager, created a PowerShell script that automates this step.
To use the script, you’ll need two PowerShell modules—AzureAD and Az.Accounts—and the account creating the application registration must be a Global Admin. The script supports the following tasks:
Creates and updates the app registration in Azure AD for Purple Knight 1.5 to be able to scan for vulnerabilities in Azure AD
Deletes the app registration in Azure AD
Assigns the required Microsoft Graph application permissions and provides consent when creating or updating the app
Creates a client secret that by default is valid for one hour when creating or updating the app (if needed, you can provide a custom lifetime in days for the client secret)
Deletes all client secrets from the app registration in Azure AD
Displays the tenant ID, the application ID, the assigned and consented permissions, and the client secret to be used in the Purple Knight executable file
See the full list of functions and examples and download the Purple Knight 1.5 PowerShell script at the Semperis GitHub account.
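The app-registration steps above, as an added example using the AzureAD module the post names (this is not the Semperis script). It assumes a Global Admin session, uses the well-known Microsoft Graph application ID, and substitutes a placeholder Graph permission because the set Purple Knight requires is not listed in this post.

```powershell
# Added example, not the Semperis script: register an app for Purple Knight,
# grant and consent one Graph application permission, and mint a one-hour secret.
Import-Module AzureAD
$session = Connect-AzureAD   # must be a Global Admin account

# Microsoft Graph service principal (well-known appId) and the role to assign.
# PLACEHOLDER permission: replace with the permissions documented by Semperis.
$graphSp  = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = 'Directory.Read.All'
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application' }

# Application (not delegated) permission request on the Graph resource
$access = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$access.ResourceAppId  = $graphSp.AppId
$access.ResourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess `
    -ArgumentList $role.Id, 'Role'

$app = New-AzureADApplication -DisplayName 'Purple Knight' -RequiredResourceAccess $access
$sp  = New-AzureADServicePrincipal -AppId $app.AppId

# Admin consent for an application permission is an app-role assignment on the Graph SP
New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
    -ResourceId $graphSp.ObjectId -Id $role.Id | Out-Null

# Short-lived secret: valid for one hour from now, matching the script's default
$now    = Get-Date
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier 'PurpleKnight' -StartDate $now -EndDate $now.AddHours(1)

# Values the Purple Knight executable asks for
[pscustomobject]@{
    TenantId = $session.TenantId
    AppId    = $app.AppId
    Secret   = $secret.Value
}
```

Treat the secret as sensitive output: it is shown once here and cannot be retrieved again from Azure AD.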
New Active Directory security indicators
In addition to introducing Azure AD security indicators, Purple Knight 1.5 includes seven new on-prem AD security indicators:
Accounts with Constrained Delegation configured to krbtgt
Certificate templates that allow requesters to specify a subjectAltName
Certificate templates with three or more insecure configurations
FGPP not applied to group
LDAP signing is not required on domain controllers
Operator Groups that are not empty
RC4 encryption type is supported by domain controllers
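Three of the on-prem indicators above (RC4 support on domain controllers, LDAP signing not required, and constrained delegation to krbtgt) rewritten as read-only PowerShell checks, as an added example that is not Purple Knight's own code. It assumes a domain-joined host with the RSAT ActiveDirectory module and an account that can read the NTDS registry key on each DC over WinRM.

```powershell
# Added example, not Purple Knight code: read-only checks for three indicators.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit for RC4-HMAC (DES=0x1/0x2, AES128=0x8, AES256=0x10)
$RC4_HMAC = 0x4

function Test-DcRc4Support {
    # A null or zero attribute means no AES-only restriction, so RC4 is still accepted
    foreach ($dc in Get-ADDomainController -Filter *) {
        $c = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-SupportedEncryptionTypes'
        $etypes = $c.'msDS-SupportedEncryptionTypes'
        $rc4 = (-not $etypes) -or (($etypes -band $RC4_HMAC) -ne 0)
        [pscustomobject]@{ DC = $dc.HostName; EncTypes = $etypes; Rc4Supported = $rc4 }
    }
}

function Test-DcLdapSigning {
    # LDAPServerIntegrity under NTDS\Parameters: 1 = none (default), 2 = require signing
    foreach ($dc in Get-ADDomainController -Filter *) {
        $val = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
        }
        [pscustomobject]@{ DC = $dc.HostName; LDAPServerIntegrity = $val; SigningRequired = ($val -eq 2) }
    }
}

function Get-ConstrainedDelegationToKrbtgt {
    # Any principal whose msDS-AllowedToDelegateTo names krbtgt is a finding to investigate
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*krbtgt*)' `
        -Properties 'msDS-AllowedToDelegateTo', 'sAMAccountName' |
        Select-Object sAMAccountName, DistinguishedName, 'msDS-AllowedToDelegateTo'
}

Test-DcRc4Support                 | Format-Table -AutoSize
Test-DcLdapSigning                | Format-Table -AutoSize
Get-ConstrainedDelegationToKrbtgt | Format-List
```

Rows with Rc4Supported = True, SigningRequired = False, or any delegation entry correspond to the indicators Purple Knight would flag.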
Getting access to Purple Knight 1.5
You can download Purple Knight 1.5 here. Remember to review the latest Purple Knight quick start document for important guidance before unzipping and executing Purple Knight. You’ll find the latest version details and the SHA-256 hash of the download here.
If you’re new to Purple Knight, also check out the following resources:
Read the quick start document
Join the Purple Knight Slack community
Explore our security indicators tracker
Check out our Purple Knight user guide
Purple Knight introduces Azure AD security indicators to combat hybrid identity attacks
With the introduction of Azure AD security indicators, Purple Knight is a powerful resource in your defense against attacks that target hybrid AD environments. We welcome your feedback and questions on the Purple Knight Slack channel, or you can email us here.