From 70a6813fe59710452135bfa6a38811c61c55313c Mon Sep 17 00:00:00 2001 From: chryzsh Date: Wed, 26 Nov 2025 08:21:04 +0100 Subject: [PATCH] Add DHCP Administrators group to Tier Zero table. Addresses issue #9 by adding DHCP Administrators to the table with conditional Tier Zero classification. Updated to reflect that 'it depends' --- TierZeroTable.csv | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/TierZeroTable.csv b/TierZeroTable.csv index ab318ce..27a3526 100644 --- a/TierZeroTable.csv +++ b/TierZeroTable.csv 
@@ -35,6 +35,13 @@ This security group was introduced in Windows Vista SP1, and it hasn't changed i There are no known ways to abuse the membership of the group to compromise Tier Zero. The local privilege the group has on the domain controllers is considered security dependencies, and the group is therefore considered Tier Zero.";"MATCH (n:Group) WHERE n.objectid ENDS WITH 'S-1-5-32-569' RETURN n";YES;NO;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#cryptographic-operators +DHCP Administrators;AD group;Active Directory;CN: DHCP Administrators;"Members of the DHCP Administrators group have administrative access to DHCP servers. This group is created when the DHCP Server role is installed on a Windows Server. Members can view and modify all aspects of DHCP server configuration. + +The security impact of this group depends on where the DHCP service is running. According to Akamai research, 57% of organizations have a DHCP server installed on a domain controller.";NO;YES - Takeover;IT DEPENDS;"DHCP Administrators can escalate privileges to Tier Zero when DHCP runs on domain controllers or Tier Zero systems. Akamai research demonstrates privilege escalation via DHCP option abuse, enabling Kerberos coercion attacks followed by AD CS relay attacks. This can lead to compromise of the DHCP machine account and potentially the domain controller. + +When DHCP runs only on network appliances without access to domain infrastructure, the group is limited to Tier 1. 
However, with 57% of environments running DHCP on domain controllers, this represents a Tier Zero risk in common deployments.";"MATCH (n:Group) +WHERE n.name STARTS WITH 'DHCP ADMINISTRATORS@' +RETURN n";NO;NO;Community contribution;"https://www.akamai.com/blog/security-research/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains" Distributed COM Users;DC group;Active Directory;SID: S-1-5-32-562;"Members of the Distributed COM Users group can launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (also called the flexible single master operations or FSMO) role. The Distributed COM Users group applies to the Windows Server operating system in Default Active Directory security groups.";NO;NO;YES;"The Distributed COM Users group has local privileges on domain controllers to launch, activate, and use Distributed COM objects but no privilege to log in.
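Review bot: The Cypher in the added DHCP Administrators row selects the group by display name (`WHERE n.name STARTS WITH 'DHCP ADMINISTRATORS@'`), while the Cryptographic Operators row just above it keys on `n.objectid ENDS WITH 'S-1-5-32-569'`. A name match returns any group that carries that name and misses one that has been renamed, so the query result is a candidate that needs manual confirmation, not a definitive identification. Since the row identifies the group by CN and not by SID, please say so in the row text so readers do not treat the query output as authoritative. Two smaller points in the same row: `IT DEPENDS` sits in the field where the neighbouring Distributed COM Users row has `YES`, so anything that parses this column as YES/NO needs to accept or map the new value. The reasoning text also covers only DHCP on domain controllers or Tier Zero systems and DHCP on network appliances, although the description says the group is created when the DHCP Server role is installed on a Windows Server. The case of a Windows member server that is not Tier Zero is left unclassified and should get a sentence.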