{"id":18626152,"url":"https://github.com/specterops/tierzerotable","last_synced_at":"2025-06-20T09:38:51.056Z","repository":{"id":194305885,"uuid":"688997600","full_name":"SpecterOps/TierZeroTable","owner":"SpecterOps","description":"Table of AD and Azure assets and whether they belong to Tier Zero","archived":false,"fork":false,"pushed_at":"2025-06-18T11:47:32.000Z","size":228,"stargazers_count":226,"open_issues_count":1,"forks_count":23,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-06-18T12:47:50.528Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SpecterOps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-09-08T14:53:32.000Z","updated_at":"2025-06-18T11:47:36.000Z","dependencies_parsed_at":"2024-04-03T06:25:02.753Z","dependency_job_id":"9796bec9-4b50-4762-9e52-ee80ae4dd99f","html_url":"https://github.com/SpecterOps/TierZeroTable","commit_stats":null,"previous_names":["specterops/tierzerotable"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SpecterOps/TierZeroTable","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2FTierZeroTable","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2FTierZeroTable/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2FTierZeroTable/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2FTierZeroTable/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SpecterOps","download_url":"https://codeload.github.com/SpecterOps/TierZeroTable/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2FTierZeroTable/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260920367,"owners_count":23082967,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T04:37:04.507Z","updated_at":"2025-06-20T09:38:46.041Z","avatar_url":"https://github.com/SpecterOps.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TierZeroTable\nTable of AD and Azure assets and whether they belong to Tier Zero.\n\nView the table here: [https://specterops.github.io/TierZeroTable](https://specterops.github.io/TierZeroTable/)\n\nBlog posts: \n  - [What is Tier Zero - Part 1](https://posts.specterops.io/what-is-tier-zero-part-1-e0da9b7cdfca)\n  - [What is Tier Zero - Part 2](https://posts.specterops.io/what-is-tier-zero-part-2-6e1d14fddcaf)\n\nWebinars:\n  - [Defining the Undefined: What is Tier Zero](https://www.youtube.com/watch?v=5Ho83R9Jy68)\n  - [Defining the Undefined: What is Tier Zero Part II](https://www.youtube.com/watch?v=SAI3mXQgy_I)\n  - [Defining the Undefined: What is Tier Zero Part III](https://www.youtube.com/watch?v=ykrse1rsvy4)\n  - [Defining the Undefined: What is Tier Zero Part IV](https://ghst.ly/4eSssxL)\n\n**DISCLAIMER: The table does not include all Tier Zero assets yet.** We will add assets to the table throughout the webinar series. So if you think we are missing something, then you are completely right. But feel free to make a pull request or open an issue with the asset you think we should add. All contributions are appreciated. Also if you disagree on something in the table :)\n\n# Table columns\n\n### Name\nCommon name of the asset.\n\n### Type\nType of the asset.\n\nValues:\n- AD computer\n- AD container\n- AD group\n- AD object\n- AD OU\n- AD user\n- Computer host\n- DC group\n- Entra ID role\n\n### IdP\nIdentity Provider of the asset.\n\nValues:\n- Active Directory\n- Entra ID\n\n### Identification\nHow the asset can be identified. E.g., SID of AD object.\n\n### Description\nDescription of the asset, i.e., its purpose of existence. This will be copied from Microsoft documentation if available.\n\n### Compromise by default\nWhether a publicly known abuse technique exists that allows compromise of Tier Zero assets using this asset. The abuse technique must work in an environment with default configurations.\n\nIf a publicly known abuse technique exists it will be described in the _Reasoning_ column and links will be provided in the _External links_ column.\n\nValues:\n- YES - Takeover - A publicly known abuse technique to takeover one or more Tier Zero assets exists and works in environments with default configurations.\n- YES - Disruption - A publicly known abuse technique to disrupt the operations of Tier Zero assets exists and works in environments with default configurations.\n- NO - No publicly known abuse technique to compromise Tier Zero assets in an environment with default configurations exists.\n- IT DEPENDS - A publicly known abuse technique to takeover or disrupt Tier Zero exists and works in some configurations.\n\n### Compromise by configuration\nWhether a publicly known abuse technique exists that allows compromise of Tier Zero assets using this asset, which is enabled do to a common non-default (mis)configuration.\n\nIf a publicly known abuse technique exists it will be described in the _Reasoning_ column and links will be provided in the _External links_ column.\n\nValues:\n- YES - Takeover - A publicly known abuse technique to takeover one or more Tier Zero assets exists and works in environments with a common non-default (mis)configuration.\n- YES - Disruption - A publicly known abuse technique to disrupt the operations of Tier Zero assets exists and works in environments with a common non-default (mis)configuration.\n- NO - No publicly known abuse technique to compromise Tier Zero assets in an environment with common non-default (mis)configurations exists.\n- N/A - Compromise by default - A publicly known abuse technique to compromise Tier Zero assets exists and works in environments with default configurations, hence it does not require any special configuration.\n\n### Is Tier Zero\nIf the asset should be considered Tier Zero based on our [Definition of Tier Zero](https://github.com/SpecterOps/TierZeroTable/tree/main#definition-of-tier-zero).\n\nValues:\n- YES\n- NO\n- IT DEPENDS - If the asset is Tier Zero in some legitimate configuration but not always.\n\n### Reasoning\nThe explanation of why the asset is or is not Tier Zero, including an abuse summary and if the asset is a security dependency for Tier Zero.\n\n### Cypher query\nCypher query to return the node representing the asset in [BloodHound](https://github.com/specterOps/BloodHound).\n\n### Privileged access security role\nWhether the asset is included in Microsoft's [Privileged access security roles](https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-security-levels#privileged) list, or has a \"PRIVILEGED\" label if an Entra ID role. \n\nValues:\n- YES\n- NO\n\n### AdminSDHolder protected\nWhether the asset is part of the default [Protected Accounts and Groups in Active Directory](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory), which are protected with the AdminSDHolder security descriptor.\n\nValues:\n- YES\n- NO\n- N/A - The asset cannot be protected by AdminSDHolder.\n\n### What is Tier Zero episode\nIn which episode of the _What is Tier Zero_ series was this asset discussed.\n\nValues:\n- 1\n- 2\n- 3\n- 4\n- Community contribution\n\n### External links\nLinks to documentation for the asset, abuse information, etc.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspecterops%2Ftierzerotable","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspecterops%2Ftierzerotable","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspecterops%2Ftierzerotable/lists"}