Just Released!

Real-time threat detection and change monitoring with single pane‑of‑glass visibility across AD and Entra ID.

Learn more › | Download ›

Threat Directory

Welcome to the Cayosoft Threat Directory— a continuously updated hub of intelligence on hybrid identity attack techniques and detection patterns. It’s designed to empower security teams to turn alerts into actionable insights with detailed remediation steps, enabling fast, confident response across Active Directory, Entra ID, Intune, and Microsoft 365.

Insufficient Active Directory domain controller auditing policy configuration

Base Threat Entry

AD domain allows unprivileged users to add computer accounts

CTD-000056

Exchange Online mailbox with Full Access permission assigned

CTD-000030

Microsoft Entra tenant with unsecure delegation of Global Admin role

CTD-000023

Exchange Online mailbox with SMTP forwarding address

CTD-000031

Guest account with Microsoft Entra role membership

CTD-000032

Privileged AD user not protected from using unsecure authentication methods

CTD-000079

Dangerous ACLs Expose GPOs Applied to Privileged Group Members

CTD-000151

AD domain with unsecure RBCD delegation on domain controllers

CTD-000089

AD forest with Recycle Bin not enabled

CTD-000075

Missing Conditional Access Policies for blocking legacy authentication

CTD-000170

Dangerous ACLs Expose DPAPI Key Objects

CTD-000144

Dangerous ACLs Expose Certificate Templates Container

CTD-000143

Constrained Delegation with Protocol Transition to the krbtgt Account

CTD-000139

AD forest with high numbers of privileged group accounts

CTD-000082

AD Domain where Enterprise Key Admins group has full access to the domain

CTD-000112

AD domain controller using unsecure encryption type

CTD-000088

AD domain allowing multicast name resolution (LLMNR)

CTD-000165

AD Domain Account’s Password Set to Never Expire

CTD-000001

Active Directory Dangerous ACLs Expose DFSR Settings Objects of the SYSVOL Share

CTD-000147

Entra ID tenant without policy to show application name context in Microsoft Authenticator notifications

CTD-000099

DNS Zone Allowing Unsecure Update

CTD-000091

AD domain controller deployed as a VM without drive encryption

CTD-000168

Active Directory dangerous user rights assignments on domain controllers

CTD-000172

AD domain without group policy restricting anonymous enumeration of SAM accounts and shared resources

CTD-000163

Inactive AD Domain Controller

CTD-000137

AD domain with non-default permissions on krbtgt account

CTD-000087

AD domain accounts with password not required

CTD-000053

AD domain account with Kerberos pre-authentication disabled

CTD-000052

Microsoft Entra app with client secrets

CTD-000008

Microsoft Entra tenant with device settings allowing brute force attacks

CTD-000096

AD object with schema update permissions

CTD-000122

AD User with Identical Passwords

CTD-000181

Regular AD user account with permissions to modify DNS server objects

CTD-000080

Microsoft Entra tenant allowing unsecure token persistence

CTD-000041

Microsoft Entra tenant with unsecure Guest user access permissions

CTD-000015

Microsoft Entra role with permanent active members

CTD-000016

Microsoft Entra tenant with security defaults not enabled

CTD-000021

Unauthorized certificate addition to Entra ID Enterprise Application

CTD-000169

Entra ID tenant allowing multicast name resolution (LLMNR)

CTD-000167

Entra ID Missing Conditional Access Policy for blocking access for untrusted locations

CTD-000162

Microsoft Entra tenant with unsecure access to Azure management

CTD-000038

Microsoft Entra Global Administrator with elevated access to Azure Resources

CTD-000013

Microsoft Entra app with risky write permissions

CTD-000010

AD User with Compromised Password

CTD-000178

AD domain account with password stored using reversible encryption

CTD-000055

AD no fine-grained password policy found or weak settings detected

CTD-000157

Privileged AD user not protected against delegation

CTD-000135

Privileged AD account password set to never expire

CTD-000033

AD user account with DES encryption type enabled

CTD-000054