Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats, depending on whether the alert originates from Defender for Identity or from Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products.
To learn more about the structure and common components of all Defender for Identity security alerts, see View and manage alerts.
Microsoft Defender for Identity classic alert categories
Defender for Identity security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
- Reconnaissance and discovery alerts
- Persistence and privilege escalation alerts
- Credential access alerts
- Lateral movement alerts
- Other alerts
Reconnaissance and discovery alerts
Reconnaissance and discovery consist of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. In Microsoft Defender for Identity, these alerts usually involve internal account enumeration with different techniques.
The following security alerts help you identify and remediate Reconnaissance and discovery phase suspicious activities detected by Defender for Identity in your network.
Security alert name | Severity | External ID |
---|---|---|
Account Enumeration reconnaissance | Medium | 2003 |
Account Enumeration reconnaissance (LDAP) | Medium | 2437 |
Network-mapping reconnaissance (DNS) | Medium | 2007 |
User and IP address reconnaissance (SMB) | Medium | 2012 |
User and Group membership reconnaissance (SAMR) | Medium | 2021 |
Active Directory attributes reconnaissance (LDAP) | Medium | 2210 |
Honeytoken was queried via LDAP | Low | 2429 |

Account Enumeration reconnaissance (external ID 2003, severity Medium)
Previous name: Reconnaissance using account enumeration.
Description: In account enumeration reconnaissance, an attacker uses a dictionary of thousands of user names, or a tool such as KrbGuess, to guess valid user names in the domain.
- Kerberos: the attacker sends Kerberos authentication requests with each candidate name. For a name that does not exist the KDC answers Security principal unknown (KDC_ERR_C_PRINCIPAL_UNKNOWN); for a name that exists it answers Preauthentication required (KDC_ERR_PREAUTH_REQUIRED). The error alone therefore confirms that the account exists.
- NTLM: the attacker sends NTLM authentication requests with each candidate name. A nonexistent name returns NoSuchUser (0xc0000064); an existing name returns WrongPassword (0xc000006a).
Defender for Identity reports where the enumeration came from, the total number of guesses, and how many guesses matched an existing account. When the number of unknown user names from a single source is too high, the activity is flagged as suspicious. The alert is based on authentication events from sensors running on domain controllers and on AD FS / AD CS servers.
Learning period: None
MITRE:
- Primary MITRE tactic: Discovery (TA0007)
- MITRE attack technique: Account Discovery (T1087)
- MITRE attack sub-technique: Domain Account (T1087.002)
Suggested steps for prevention:
- Enforce long, complex passwords across the organization. They are the first line of defense against brute-force attacks, which are typically the next step in the kill chain after enumeration.

Account Enumeration reconnaissance (LDAP) (external ID 2437, severity Medium)
Description: In account enumeration reconnaissance, an attacker uses a dictionary of thousands of user names, or a tool such as Ldapnomnom, to guess valid user names in the domain. The attacker sends LDAP Ping requests (connectionless LDAP, cLDAP) with each candidate name; when a name exists, the response indicates that the user is present in the domain. Defender for Identity reports where the enumeration came from, the total number of guesses, and how many guesses matched an existing account. When the number of unknown user names from a single source is too high, the activity is flagged as suspicious. The alert is based on LDAP search activity seen by sensors running on domain controllers.
Learning period: None
MITRE:
- Primary MITRE tactic: Discovery (TA0007)
- MITRE attack technique: Account Discovery (T1087)
- MITRE attack sub-technique: Domain Account (T1087.002)

Network-mapping reconnaissance (DNS) (external ID 2007, severity Medium)
Previous name: Reconnaissance using DNS.
Description: Your DNS server holds a map of the computers, IP addresses, and services in your network. Attackers use this information to map the network and pick interesting targets for later steps of the attack. The DNS protocol has several query types; this alert detects suspicious requests, either AXFR (zone transfer) requests originating from hosts that are not DNS servers, or an excessive number of requests from one source.
Learning period: Eight days from the start of domain controller monitoring.
MITRE:
- Primary MITRE tactic: Discovery (TA0007)
- MITRE attack technique: Account Discovery (T1087), Network Service Scanning (T1046), Remote System Discovery (T1018)
- MITRE attack sub-technique: N/A
Suggested steps for prevention:
- To prevent reconnaissance through AXFR queries, secure your internal DNS server: disable zone transfers, or restrict them to the IP addresses of your secondary DNS servers. Restricting zone transfers is one item on a broader checklist for hardening DNS servers against both internal and external attacks.

User and IP address reconnaissance (SMB) (external ID 2012, severity Medium)
Previous name: Reconnaissance using SMB Session Enumeration.
Description: Session enumeration over the Server Message Block (SMB) protocol lets attackers learn where users recently logged on. With that information they can move laterally through the network toward a specific sensitive account. This alert is triggered when SMB session enumeration is performed against a domain controller.
Learning period: None
MITRE:
- Primary MITRE tactic: Discovery (TA0007)
- MITRE attack technique: Account Discovery (T1087), Network Service Scanning (T1046), Remote System Discovery (T1018)
- MITRE attack sub-technique: N/A

User and Group membership reconnaissance (SAMR) (external ID 2021, severity Medium)
Previous name: Reconnaissance using directory services queries.
Description: Attackers use user and group membership reconnaissance to map the directory structure and identify privileged accounts for later steps of the attack. The Security Account Manager Remote (SAM-R) protocol is one of the methods used to query the directory for this purpose. No alerts are triggered during the learning period; during it, Defender for Identity profiles which SAM-R queries are made from which computers, both enumeration queries and individual queries of sensitive accounts.
Learning period: Four weeks per domain controller, starting from the first SAM-R network activity observed against that domain controller.
MITRE:
- Primary MITRE tactic: Discovery (TA0007)
- MITRE attack technique: Account Discovery (T1087), Permission Groups Discovery (T1069)
- MITRE attack sub-technique: Domain Account (T1087.002), Domain Group (T1069.002)
Suggested steps for prevention:
- Apply the Network access: Restrict clients allowed to make remote calls to SAM group policy setting.

Active Directory attributes reconnaissance (LDAP) (external ID 2210, severity Medium)
Description: Attackers use LDAP reconnaissance against Active Directory to gather critical information about the domain environment: the domain structure and the privileged accounts to target in later steps of the attack kill chain. Lightweight Directory Access Protocol (LDAP) is one of the most common methods, legitimate and malicious, of querying Active Directory.
Learning period: None
MITRE:
- Primary MITRE tactic: Discovery (TA0007)
- MITRE attack technique: Account Discovery (T1087), System Network Connections Discovery (T1049)
- MITRE attack sub-technique: Domain Account (T1087.002)

Honeytoken was queried via LDAP (external ID 2429, severity Low)
Description: Attackers use user reconnaissance to map the directory structure and identify privileged accounts for later steps of the attack. LDAP is one of the most common methods, legitimate and malicious, of querying Active Directory. Defender for Identity triggers this alert for any LDAP reconnaissance activity against a preconfigured honeytoken user.
Learning period: None
MITRE:
- Primary MITRE tactic: Discovery (TA0007)
- MITRE attack technique: Account Discovery (T1087), Permission Groups Discovery (T1069)
- MITRE attack sub-technique: Domain Account (T1087.002), Domain Group (T1069.002)
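The account-enumeration alerts above rest on one observation: a domain controller answers differently for a name that does not exist than for a name that exists with the wrong credentials. The following Python script is an added example, not Defender for Identity code, that replays constructed Kerberos and NTLM failure events and applies that discrimination per source host. The unknown-user threshold, the event field names, and the sample hosts and names are assumptions; the status and error codes are the ones named in the alert description and in RFC 4120.

```python
"""Account-enumeration heuristic (added example, not Defender for Identity code).

Replays constructed Kerberos and NTLM authentication-failure events and applies
the discrimination the alert description relies on: a nonexistent name yields
"Security principal unknown" / NoSuchUser, an existing name yields
"Preauthentication required" / WrongPassword. Counting distinct unknown names
per source identifies the enumerating host and which guesses hit real accounts.
"""
from collections import defaultdict

# NTLM status codes quoted in the alert description
STATUS_NO_SUCH_USER = 0xC0000064
STATUS_WRONG_PASSWORD = 0xC000006A
# Kerberos KDC error codes (RFC 4120, section 7.5.9)
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_REQUIRED = 25

# "Too many unknown users" threshold: an assumption, the product's value is not published.
UNKNOWN_USER_THRESHOLD = 50


def classify(event):
    """Map one failed authentication to 'unknown' (name does not exist),
    'exists' (name exists, wrong credentials) or None (not a name-probe outcome)."""
    code = event["code"]
    if event["protocol"] == "NTLM":
        return {STATUS_NO_SUCH_USER: "unknown", STATUS_WRONG_PASSWORD: "exists"}.get(code)
    if event["protocol"] == "Kerberos":
        return {KDC_ERR_C_PRINCIPAL_UNKNOWN: "unknown", KDC_ERR_PREAUTH_REQUIRED: "exists"}.get(code)
    return None


def detect_enumeration(events, threshold=UNKNOWN_USER_THRESHOLD):
    """Aggregate per source; alert when the distinct unknown names reach the threshold.
    The alert carries what the page says the product reports: origin, total guesses,
    and which guesses matched an existing account."""
    per_source = defaultdict(lambda: {"attempts": 0, "unknown": set(), "matched": set()})
    for e in events:
        verdict = classify(e)
        if verdict is None:
            continue
        stats = per_source[e["source"]]
        stats["attempts"] += 1
        stats["unknown" if verdict == "unknown" else "matched"].add(e["user"])
    return [
        {
            "source": src,
            "attempts": s["attempts"],
            "unknown_users": len(s["unknown"]),
            "matched_users": sorted(s["matched"]),
        }
        for src, s in per_source.items()
        if len(s["unknown"]) >= threshold
    ]


def sample_events():
    """Constructed data: 10.0.0.5 tries 120 dictionary names over Kerberos, three of
    which exist; 10.0.0.20 is a user who mistyped a name twice and a password once."""
    valid = {"jsmith", "svc-backup", "administrator"}
    events = [
        {"source": "10.0.0.5", "protocol": "Kerberos", "user": f"guess{i}",
         "code": KDC_ERR_C_PRINCIPAL_UNKNOWN}
        for i in range(117)
    ]
    events += [
        {"source": "10.0.0.5", "protocol": "Kerberos", "user": name,
         "code": KDC_ERR_PREAUTH_REQUIRED}
        for name in sorted(valid)
    ]
    events += [
        {"source": "10.0.0.20", "protocol": "NTLM", "user": "jsmtih", "code": STATUS_NO_SUCH_USER},
        {"source": "10.0.0.20", "protocol": "NTLM", "user": "jsmit", "code": STATUS_NO_SUCH_USER},
        {"source": "10.0.0.20", "protocol": "NTLM", "user": "jsmith", "code": STATUS_WRONG_PASSWORD},
        {"source": "10.0.0.20", "protocol": "NTLM", "user": "jsmith", "code": 0},  # success, ignored
    ]
    return events


if __name__ == "__main__":
    for alert in detect_enumeration(sample_events()):
        print(alert)
```

The legitimate host never reaches the threshold because its unknown names are a handful of typos, while the attacker's 117 distinct unknown names trip it and the three matched names are exactly the accounts the attacker now knows exist. The cLDAP variant (external ID 2437) works the same way with "user exists" responses to LDAP Ping requests in place of the error codes.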
Persistence and privilege escalation alerts
Persistence consists of techniques an attacker uses to keep access to on-premises resources across restarts, credential changes, and other interruptions. Once access is secured, the attacker moves to privilege escalation: techniques used to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access, but need elevated permissions to follow through on their objectives. Common approaches take advantage of system weaknesses, misconfigurations, and vulnerabilities.
The following security alerts help you identify and remediate Persistence and privilege escalation phase suspicious activities detected by Defender for Identity in your network.
Security alert name | Severity | External ID |
---|---|---|
Suspected Golden Ticket usage (encryption downgrade) | Medium | 2009 |
Suspected Golden Ticket usage (nonexistent account) | High | 2027 |
Suspected Golden Ticket usage (ticket anomaly) | High | 2032 |
Suspected Golden Ticket usage (ticket anomaly using RBCD) | High | 2040 |
Suspected Golden Ticket usage (time anomaly) | High | 2022 |
Suspected skeleton key attack (encryption downgrade) | Medium | 2010 |
Suspicious additions to sensitive groups | Medium | 2024 |
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) | High | 2411 |
Honeytoken user attributes modified | High | 2427 |
Honeytoken group membership changed | High | 2428 |
Suspected SID-History injection | High | 1106 |
Suspicious modification of a dNSHostName attribute (CVE-2022-26923) | High | 2421 |
Suspicious modification of domain AdminSdHolder | High | 2430 |
Suspicious Kerberos delegation attempt by a newly created computer | High | 2422 |
Suspicious Domain Controller certificate request (ESC8) | High | 2432 |
Suspicious modifications to the AD CS security permissions/settings | Medium | 2435 |
Suspicious modification of the trust relationship of AD FS server | Medium | 2420 |
Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account | High | 2423 |

Suspected Golden Ticket usage (encryption downgrade) (external ID 2009, severity Medium)
Previous name: Encryption downgrade activity.
Description: Encryption downgrade weakens Kerberos by lowering the encryption level of protocol fields that normally use the strongest available cipher. A weakly encrypted field is an easier target for offline brute force, and several attack methods rely on weak Kerberos ciphers. Defender for Identity learns the Kerberos encryption types used by each computer and user, and alerts when a weaker cipher is used that is unusual for the source computer and/or user and matches known attack techniques. For this alert, the encryption type of the TGT carried in a TGS_REQ (service request) message from the source computer was downgraded compared to the previously learned behavior. The detection is not based on a time anomaly (as in the other Golden Ticket detection). In addition, Defender for Identity saw no Kerberos authentication request (AS_REQ) associated with the service request.
Learning period: Five days from the start of domain controller monitoring.
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- Secondary MITRE tactic: Privilege Escalation (TA0004), Lateral Movement (TA0008)
- MITRE attack technique: Steal or Forge Kerberos Tickets (T1558)
- MITRE attack sub-technique: Golden Ticket (T1558.001)
Suggested steps for prevention:
- Make sure all domain controllers running operating systems up to Windows Server 2012 R2 have KB3011780 installed, and that all member servers and domain controllers up to 2012 R2 are up to date with KB2496930. For more information, see Silver PAC and Forged PAC.

Suspected Golden Ticket usage (nonexistent account) (external ID 2027, severity High)
Previous name: Kerberos golden ticket.
Description: Attackers with domain admin rights can compromise the KRBTGT account. With its key they can forge a Kerberos ticket granting ticket (TGT) that grants authorization to any resource and set its expiration to any arbitrary time. This forged TGT is called a "Golden Ticket" and gives attackers persistence in the network. This alert is triggered when the TGT is issued for an account that does not exist in the directory.
Learning period: None
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- Secondary MITRE tactic: Privilege Escalation (TA0004), Lateral Movement (TA0008)
- MITRE attack technique: Steal or Forge Kerberos Tickets (T1558), Exploitation for Privilege Escalation (T1068), Exploitation of Remote Services (T1210)
- MITRE attack sub-technique: Golden Ticket (T1558.001)

Suspected Golden Ticket usage (ticket anomaly) (external ID 2032, severity High)
Description: Attackers with domain admin rights can compromise the KRBTGT account. With its key they can forge a Kerberos ticket granting ticket (TGT) that grants authorization to any resource and set its expiration to any arbitrary time. This forged TGT is called a "Golden Ticket" and gives attackers persistence in the network. Forged Golden Tickets of this type have unique characteristics in the ticket itself, and this detection is designed to identify them.
Learning period: None
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- Secondary MITRE tactic: Privilege Escalation (TA0004), Lateral Movement (TA0008)
- MITRE attack technique: Steal or Forge Kerberos Tickets (T1558)
- MITRE attack sub-technique: Golden Ticket (T1558.001)

Suspected Golden Ticket usage (ticket anomaly using RBCD) (external ID 2040, severity High)
Description: Attackers with domain admin rights can compromise the KRBTGT account. With its key they can forge a Kerberos ticket granting ticket (TGT) that grants authorization to any resource. This forged TGT is called a "Golden Ticket" and gives attackers persistence in the network. This alert is triggered by a Golden Ticket created by setting Resource-Based Constrained Delegation (RBCD) permissions on the KRBTGT account for an account (user or computer) that has an SPN.
Learning period: None
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- Secondary MITRE tactic: Privilege Escalation (TA0004)
- MITRE attack technique: Steal or Forge Kerberos Tickets (T1558)
- MITRE attack sub-technique: Golden Ticket (T1558.001)

Suspected Golden Ticket usage (time anomaly) (external ID 2022, severity High)
Previous name: Kerberos golden ticket.
Description: Attackers with domain admin rights can compromise the KRBTGT account. With its key they can forge a Kerberos ticket granting ticket (TGT) that grants authorization to any resource and set its expiration to any arbitrary time. This forged TGT is called a "Golden Ticket" and gives attackers persistence in the network. This alert is triggered when a TGT is used for longer than the domain allows, as specified in the Maximum lifetime for user ticket policy setting.
Learning period: None
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- Secondary MITRE tactic: Privilege Escalation (TA0004), Lateral Movement (TA0008)
- MITRE attack technique: Steal or Forge Kerberos Tickets (T1558)
- MITRE attack sub-technique: Golden Ticket (T1558.001)

Suspected skeleton key attack (encryption downgrade) (external ID 2010, severity Medium)
Previous name: Encryption downgrade activity.
Description: Encryption downgrade weakens Kerberos by lowering the encryption level of protocol fields that normally use the strongest available cipher. A weakly encrypted field is an easier target for offline brute force, and several attack methods rely on weak Kerberos ciphers. Defender for Identity learns the Kerberos encryption types used by each computer and user, and alerts when a weaker cipher is used that is unusual for the source computer and/or user and matches known attack techniques. Skeleton Key is malware that runs on domain controllers and allows authentication to the domain as any account without knowing its password. It typically relies on weaker encryption algorithms for the password hashes it handles on the domain controller. For this alert, the encryption of KRB_ERR messages sent from the domain controller to the account requesting a ticket was downgraded compared to the previously learned behavior.
Learning period: None
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- Secondary MITRE tactic: Lateral Movement (TA0008)
- MITRE attack technique: Exploitation of Remote Services (T1210), Modify Authentication Process (T1556)
- MITRE attack sub-technique: Domain Controller Authentication (T1556.001)

Suspicious additions to sensitive groups (external ID 2024, severity Medium)
Description: Attackers add users to highly privileged groups to gain access to more resources and to establish persistence. This detection profiles the group modification activity of users and alerts when an abnormal addition to a sensitive group is seen; profiling is continuous. For the definition of sensitive groups in Defender for Identity, see Working with sensitive accounts. The detection relies on events audited on domain controllers, so make sure your domain controllers audit the required events.
Learning period: Four weeks per domain controller, starting from the first event.
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- Secondary MITRE tactic: Credential Access (TA0006)
- MITRE attack technique: Account Manipulation (T1098), Domain Policy Modification (T1484)
- MITRE attack sub-technique: N/A
Suggested steps for prevention:
- Minimize the number of users authorized to modify sensitive groups.
- Set up Privileged Access Management for Active Directory, if applicable.

Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) (external ID 2411, severity High)
Description: Microsoft published CVE-2020-1472 (commonly called Zerologon), the Netlogon Elevation of Privilege Vulnerability. It allows elevation of privilege to domain controller level when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
Learning period: None
MITRE:
- Primary MITRE tactic: Privilege Escalation (TA0004)
- MITRE attack technique: N/A
- MITRE attack sub-technique: N/A
Suggested steps for prevention:
- Review our guidance on managing the changes in Netlogon secure channel connections that relate to, and can prevent, this vulnerability.

Honeytoken user attributes modified (external ID 2427, severity High)
Description: Every user object in Active Directory has attributes such as first name, middle name, last name, phone number, and address. Attackers sometimes manipulate these attributes for their own benefit, for example by changing an account's phone number so that multifactor authentication prompts reach them. Defender for Identity triggers this alert for any attribute modification of a preconfigured honeytoken user.
Learning period: None
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- MITRE attack technique: Account Manipulation (T1098)
- MITRE attack sub-technique: N/A

Honeytoken group membership changed (external ID 2428, severity High)
Description: In Active Directory, each user is a member of one or more groups. After gaining control of an account, attackers may grant or remove permissions by adding accounts to, or removing them from, security groups. Defender for Identity triggers this alert whenever the group membership of a preconfigured honeytoken user is changed.
Learning period: None
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- MITRE attack technique: Account Manipulation (T1098)
- MITRE attack sub-technique: N/A

Suspected SID-History injection (external ID 1106, severity High)
Description: SIDHistory is an Active Directory attribute that lets users keep their permissions and access to resources when their account is migrated from one domain to another: the user's SID from the old domain is added to the SIDHistory attribute of the account in the new domain, so the attribute holds a list of SIDs from previous domains. Adversaries can inject SIDs (for example, that of a privileged group) into SIDHistory to escalate privileges and bypass access controls. This detection triggers when a new SID is added to the SIDHistory attribute of an account.
Learning period: None
MITRE:
- Primary MITRE tactic: Privilege Escalation (TA0004)
- MITRE attack technique: Access Token Manipulation (T1134)
- MITRE attack sub-technique: SID-History Injection (T1134.005)

Suspicious modification of a dNSHostName attribute (CVE-2022-26923) (external ID 2421, severity High)
Description: This alert covers unauthorized modification of a computer account's dNSHostName attribute, potentially to exploit CVE-2022-26923, an elevation of privilege vulnerability in Active Directory Certificate Services. An attacker who controls a computer account sets its dNSHostName to the name of a domain controller and then requests a machine certificate, which the certification authority issues for the domain controller's identity. Manipulating this attribute can therefore lead to impersonation of the domain controller and unauthorized access to network resources.
Learning period: None
MITRE:
- Primary MITRE tactic: Privilege Escalation (TA0004)
- Secondary MITRE tactic: Defense Evasion (TA0005)
- MITRE attack technique: Exploitation for Privilege Escalation (T1068), Access Token Manipulation (T1134)
- MITRE attack sub-technique: Token Impersonation/Theft (T1134.001)

Suspicious modification of domain AdminSdHolder (external ID 2430, severity High)
Description: The AdminSDHolder object holds the security descriptor that Active Directory periodically copies (by default every 60 minutes) onto protected groups and accounts such as Domain Admins. Attackers who modify its permissions therefore gain rights over every protected principal, and those rights are reapplied automatically even if an administrator removes them from an individual account. Regular monitoring and hardening of critical Active Directory objects is essential to catch such unauthorized changes.
Learning period: None
MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- Secondary MITRE tactic: Privilege Escalation (TA0004)
- MITRE attack technique: Account Manipulation (T1098)
- MITRE attack sub-technique: N/A

Suspicious Kerberos delegation attempt by a newly created computer (external ID 2422, severity High)
Description: This alert is triggered by a suspicious Kerberos delegation ticket request made by a newly created computer account. Unauthorized ticket requests of this kind can indicate an attempt to impersonate users through delegation. Monitoring abnormal ticket requests, validating new computer accounts, and promptly investigating suspicious activity are essential to prevent unauthorized access.
Learning period: None
MITRE:
- Primary MITRE tactic: Defense Evasion (TA0005)
- Secondary MITRE tactic: Privilege Escalation (TA0004)
- MITRE attack technique: Domain Policy Modification (T1484)
- MITRE attack sub-technique: N/A

Suspicious Domain Controller certificate request (ESC8) (external ID 2432, severity High)
Description: An abnormal request for a domain controller certificate indicates a possible ESC8 attack, in which a domain controller's NTLM authentication is relayed to an AD CS web enrollment endpoint to obtain a certificate in the domain controller's name. Such a certificate lets the attacker authenticate as the domain controller, compromising the certificate infrastructure and leading to unauthorized access and data breaches.
Learning period: None
MITRE:
- Primary MITRE tactic: Defense Evasion (TA0005)
- Secondary MITRE tactic: Persistence (TA0003), Privilege Escalation (TA0004), Initial Access (TA0001)
- MITRE attack technique: Valid Accounts (T1078)
- MITRE attack sub-technique: N/A
Note: Suspicious Domain Controller certificate request (ESC8) alerts are only supported by Defender for Identity sensors installed on AD CS servers.

Suspicious modifications to the AD CS security permissions/settings (external ID 2435, severity Medium)
Description: Attackers may target the security permissions and settings of Active Directory Certificate Services (AD CS) to manipulate the issuance and management of certificates. Unauthorized modifications can introduce vulnerabilities, compromise certificate integrity, and undermine the security of the entire PKI.
Learning period: None
MITRE:
- Primary MITRE tactic: Defense Evasion (TA0005)
- Secondary MITRE tactic: Privilege Escalation (TA0004)
- MITRE attack technique: Domain Policy Modification (T1484)
- MITRE attack sub-technique: N/A
Note: Suspicious modifications to the AD CS security permissions/settings alerts are only supported by Defender for Identity sensors installed on AD CS servers.

Suspicious modification of the trust relationship of AD FS server (external ID 2420, severity Medium)
Description: Unauthorized changes to the trust relationships of AD FS servers can compromise the security of federated identity systems. Monitoring and securing trust configurations is critical to prevent unauthorized access.
Learning period: None
MITRE:
- Primary MITRE tactic: Defense Evasion (TA0005)
- Secondary MITRE tactic: Privilege Escalation (TA0004)
- MITRE attack technique: Domain Policy Modification (T1484)
- MITRE attack sub-technique: Domain Trust Modification (T1484.002)
Note: Suspicious modification of the trust relationship of AD FS server alerts are only supported by Defender for Identity sensors installed on AD FS servers.

Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account (external ID 2423, severity High)
Description: Unauthorized changes to the Resource-Based Constrained Delegation attribute made by a machine account can allow attackers to impersonate users and access resources. Monitoring and securing delegation configurations is essential to prevent misuse.
Learning period: None
MITRE:
- Primary MITRE tactic: Defense Evasion (TA0005)
- Secondary MITRE tactic: Privilege Escalation (TA0004)
- MITRE attack technique: Domain Policy Modification (T1484)
- MITRE attack sub-technique: N/A
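Two of the Golden Ticket detections above can be reasoned about concretely: the time anomaly (a TGT presented long after the domain's Maximum lifetime for user ticket would have expired it) and the encryption downgrade (a TGT using a weaker cipher than the account's learned baseline, with no authentication request seen for it). The Python below is an added example, not Defender for Identity code, that runs both heuristics over constructed Kerberos events. The `tgt_id` correlation key, the 10-hour default lifetime, the account names, and the event layout are assumptions; the encryption type numbers are the standard Kerberos values.

```python
"""Golden Ticket heuristics (added example, not Defender for Identity code).

Two checks described on the page, run over constructed Kerberos events:
  * time anomaly: a TGT presented in a TGS_REQ longer after issue than the
    domain's Maximum lifetime for user ticket allows;
  * encryption downgrade: a TGT using a weaker encryption type than the
    account's learned baseline, with no AS exchange seen for that ticket.
The tgt_id field is an assumed correlation key between an AS_REP and the
TGS_REQs that later present the same ticket; real sensors correlate on fields
observed on the wire.
"""
from datetime import datetime, timedelta, timezone

# Kerberos encryption type numbers (RFC 3961 / MS-KILE), ranked by strength
ETYPE_RC4_HMAC = 23
ETYPE_AES128 = 17
ETYPE_AES256 = 18
STRENGTH = {ETYPE_RC4_HMAC: 1, ETYPE_AES128: 2, ETYPE_AES256: 3}

# Default value of "Maximum lifetime for user ticket"; assumes the domain policy is unchanged.
MAX_USER_TICKET_LIFETIME = timedelta(hours=10)


def learn_etype_baseline(history):
    """Learning period: remember the strongest encryption type each account has used."""
    baseline = {}
    for e in history:
        acct = e["account"]
        if acct not in baseline or STRENGTH[e["etype"]] > STRENGTH[baseline[acct]]:
            baseline[acct] = e["etype"]
    return baseline


def golden_ticket_indicators(events, baseline, max_lifetime=MAX_USER_TICKET_LIFETIME):
    """Replay events in time order and return a list of alert dictionaries."""
    issued = {}  # tgt_id -> the AS_REP event that issued the ticket
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["type"] == "AS_REP":
            issued[e["tgt_id"]] = e
            continue
        if e["type"] != "TGS_REQ":
            continue
        origin = issued.get(e["tgt_id"])
        if origin is None:
            # No authentication request seen for this TGT. Flag it only when the
            # ticket also uses a weaker etype than the account's learned baseline.
            learned = baseline.get(e["account"])
            if learned is not None and STRENGTH[e["etype"]] < STRENGTH[learned]:
                alerts.append({"account": e["account"], "source": e["source"],
                               "reason": "encryption downgrade without preceding AS_REQ"})
            continue
        age = e["time"] - origin["time"]
        if age > max_lifetime:
            alerts.append({"account": e["account"], "source": e["source"],
                           "reason": "TGT used beyond maximum lifetime",
                           "age_hours": round(age / timedelta(hours=1), 1)})
    return alerts


def sample_data():
    """Constructed data. alice's ticket is reused 12.5 hours after issue; bob's RC4
    ticket appears with no AS exchange although bob always used AES256; legacy-svc
    is an RC4-only account, so its RC4 ticket is normal."""
    t0 = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)
    history = [
        {"account": "alice", "etype": ETYPE_AES256},
        {"account": "bob", "etype": ETYPE_AES256},
        {"account": "legacy-svc", "etype": ETYPE_RC4_HMAC},
    ]
    events = [
        {"type": "AS_REP", "time": t0, "account": "alice", "source": "WS01",
         "tgt_id": "T1", "etype": ETYPE_AES256},
        {"type": "TGS_REQ", "time": t0 + timedelta(hours=1), "account": "alice",
         "source": "WS01", "tgt_id": "T1", "etype": ETYPE_AES256},
        {"type": "TGS_REQ", "time": t0 + timedelta(hours=12, minutes=30), "account": "alice",
         "source": "WS01", "tgt_id": "T1", "etype": ETYPE_AES256},
        {"type": "TGS_REQ", "time": t0 + timedelta(hours=2), "account": "bob",
         "source": "10.0.0.77", "tgt_id": "T9", "etype": ETYPE_RC4_HMAC},
        {"type": "TGS_REQ", "time": t0 + timedelta(hours=3), "account": "legacy-svc",
         "source": "APP02", "tgt_id": "T7", "etype": ETYPE_RC4_HMAC},
    ]
    return history, events


if __name__ == "__main__":
    hist, evts = sample_data()
    for alert in golden_ticket_indicators(evts, learn_etype_baseline(hist)):
        print(alert)
```

The baseline is what makes the downgrade check usable: a legacy account that has only ever used RC4 is not an anomaly, which is why the page describes a learning period for the encryption-downgrade alerts but none for the time anomaly, where the policy value alone is the reference.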
Credential access alerts
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
The following security alerts help you identify and remediate Credential access phase suspicious activities detected by Defender for Identity in your network.
Security alert name | Severity | External ID |
---|---|---|
Suspected Brute Force attack (LDAP)Previous name: Brute force attack using LDAP simple bind. Description: In a brute-force attack, the attacker attempts to authenticate with many different passwords for different accounts until a correct password is found for at least one account. Once found, an attacker can log in using that account. In this detection, an alert is triggered when Defender for Identity detects a massive number of simple bind authentications. This alert detects brute force attacks performed either horizontally with a small set of passwords across many users, vertically with a large set of passwords on just a few users, or any combination of the two options. The alert is based on authentication events from sensors running on domain controller and AD FS / AD CS servers. Learning period: None MITRE: - Primary MITRE tactic: Credential Access (TA0006) - MITRE attack technique: Brute Force (T1110) - MITRE attack sub-technique: Password Guessing (T1110.001), Password Spraying (T1110.003) Suggested steps for prevention: - Enforce complex and long passwords in the organization. Doing so provides the necessary first level of security against future brute-force attacks. - Prevent future usage of LDAP clear text protocol in your organization. |
Medium | 2004 |
Suspected Golden Ticket usage (forged authorization data)Previous name: Privilege escalation using forged authorization data. Description: Known vulnerabilities in older versions of Windows Server allow attackers to manipulate the Privileged Attribute Certificate (PAC), a field in the Kerberos ticket that contains a user authorization data (in Active Directory this is group membership), granting attackers additional privileges. Learning period: None MITRE: - Primary MITRE tactic: Credential Access (TA0006) - MITRE attack technique: Steal or Forge Kerberos Tickets (T1558) - MITRE attack sub-technique: Golden Ticket (T1558.001) Suggested steps for prevention: - Make sure all domain controllers with operating systems up to Windows Server 2012 R2 are installed with KB3011780 and all member servers and domain controllers up to 2012 R2 are up-to-date with KB2496930. For more information, see Silver PAC and Forged PAC. |
High | 2013 |
Malicious request of Data Protection API master keyPrevious name: Malicious Data Protection Private Information Request. Description: The Data Protection API (DPAPI) is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data. Domain controllers hold a backup master key that can be used to decrypt all secrets encrypted with DPAPI on domain-joined Windows machines. Attackers can use the master key to decrypt any secrets protected by DPAPI on all domain-joined machines. In this detection, a Defender for Identity alert is triggered when the DPAPI is used to retrieve the backup master key. Learning period: None MITRE: - Primary MITRE tactic: Credential Access (TA0006) - MITRE attack technique: Credentials from Password Stores (T1555) - MITRE attack sub-technique: N/A |
High | 2020 |
Suspected Brute Force attack (Kerberos, NTLM)Previous name: Suspicious authentication failures. Description: In a brute-force attack, the attacker attempts to authenticate with multiple passwords on different accounts until a correct password is found or by using one password in a large-scale password spray that works for at least one account. Once found, the attacker logs in using the authenticated account. In this detection, an alert is triggered when many authentication failures occur using Kerberos, NTLM, or use of a password spray is detected. Using Kerberos or NTLM, this type of attack is typically committed either horizontal, using a small set of passwords across many users, vertical with a large set of passwords on a few users, or any combination of the two. In a password spray, after successfully enumerating a list of valid users from the domain controller, attackers try ONE carefully crafted password against ALL of the known user accounts (one password to many accounts). If the initial password spray fails, they try again, utilizing a different carefully crafted password, normally after waiting 30 minutes between attempts. The wait time allows attackers to avoid triggering most time-based account lockout thresholds. Password spray has quickly become a favorite technique of both attackers and pen testers. Password spray attacks prove to be effective at gaining an initial foothold in an organization, and for making subsequent lateral moves, trying to escalate privileges. The minimum period before an alert can be triggered is one week. Learning period: One week MITRE: - Primary MITRE tactic: Credential Access (TA0006) - MITRE attack technique: Brute Force (T1110) - MITRE attack sub-technique: Password Guessing (T1110.001), Password Spraying (T1110.003) Suggested steps for prevention: - Enforce complex and long passwords in the organization. Doing so provides the necessary first level of security against future brute-force attacks. |
Medium | 2023 |
**Security principal reconnaissance (LDAP)**<br>Description: Security principal reconnaissance is used by attackers to gain critical information about the domain environment: information that helps them map the domain structure and identify privileged accounts for later steps in their attack kill chain. Lightweight Directory Access Protocol (LDAP) is one of the most popular methods, for both legitimate and malicious purposes, of querying Active Directory. LDAP-focused security principal reconnaissance is commonly the first phase of a Kerberoasting attack, in which the attacker builds a target list of Service Principal Names (SPNs) and then requests Ticket Granting Service (TGS) tickets for them to crack offline. To allow Defender for Identity to accurately profile and learn legitimate users, no alerts of this type are triggered in the first 10 days following Defender for Identity deployment. Once the initial learning phase is completed, alerts are generated for computers that perform suspicious LDAP enumeration queries, or queries targeting sensitive groups, using methods not previously observed.<br>Learning period: 15 days per computer, starting from the day of the first event observed from the machine.<br>MITRE:<br>- Primary MITRE tactic: Discovery (TA0007)<br>- Secondary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: Account Discovery (T1087)<br>- MITRE attack sub-technique: Domain Account (T1087.002)<br>Kerberoasting-specific suggested steps for prevention:<br>- Require long and complex passwords for user accounts that have service principal names.<br>- Replace such user accounts with Group Managed Service Accounts (gMSA).<br>Note: Security principal reconnaissance (LDAP) alerts are supported by Defender for Identity sensors only. | Medium | 2038 |
**Suspected Kerberos SPN exposure**<br>Description: Attackers use tools to enumerate service accounts and their Service Principal Names (SPNs), request Kerberos service tickets for those services, capture the Ticket Granting Service (TGS) tickets from memory, extract the encrypted portion, and save it for an offline brute-force attack against the service account's password (Kerberoasting).<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: Steal or Forge Kerberos Tickets (T1558)<br>- MITRE attack sub-technique: Kerberoasting (T1558.003) | High | 2410 |
**Suspected AS-REP Roasting attack**<br>Description: Attackers use tools to find accounts that have Kerberos preauthentication disabled and send AS-REQ messages for them without the encrypted timestamp. The KDC answers with AS-REP messages whose encrypted part is protected with the account's key, possibly using a weak algorithm such as RC4. The attacker saves these responses for an offline password-cracking attack (similar to Kerberoasting) that can expose the plaintext password.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: Steal or Forge Kerberos Tickets (T1558)<br>- MITRE attack sub-technique: AS-REP Roasting (T1558.004)<br>Suggested steps for prevention:<br>- Enable Kerberos preauthentication. For more information about account attributes and how to remediate them, see Unsecure account attributes. | High | 2412 |
**Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation)**<br>Description: An attacker can create a straightforward path to Domain Admin in an Active Directory environment that isn't patched for these CVEs. The escalation lets an attacker who has compromised any regular domain user elevate to Domain Admin. When authenticating with Kerberos, a Ticket-Granting-Ticket (TGT) and then Ticket-Granting-Service (TGS) tickets are requested from the Key Distribution Center (KDC). If a TGS is requested for an account name that can't be found, the KDC searches again with a trailing $ appended. The attacker creates a machine account, changes its sAMAccountName to match a domain controller's name without the trailing $ (for example, DC1), obtains a TGT for it, and then renames the account back. When the KDC processes a TGS request with that TGT, its lookup for DC1 fails, so it tries DC1$, which succeeds, and the KDC issues the ticket with the privileges of DC1$. By combining CVE-2021-42278 and CVE-2021-42287, an attacker with ordinary domain user credentials can therefore gain domain admin access.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: Access Token Manipulation (T1134), Exploitation for Privilege Escalation (T1068), Steal or Forge Kerberos Tickets (T1558)<br>- MITRE attack sub-technique: Token Impersonation/Theft (T1134.001) | High | 2419 |
**Honeytoken authentication activity**<br>Previous name: Honeytoken activity.<br>Description: Honeytoken accounts are decoy accounts set up to identify and track malicious activity that involves them. They should be left unused while having an attractive name to lure attackers (for example, SQL-Admin). Any authentication activity from them might indicate malicious behavior. For more information on honeytoken accounts, see Manage sensitive or honeytoken accounts.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- Secondary MITRE tactic: Discovery (TA0007)<br>- MITRE attack technique: Account Discovery (T1087)<br>- MITRE attack sub-technique: Domain Account (T1087.002) | Medium | 2014 |
**Suspected DCSync attack (replication of directory services)**<br>Previous name: Malicious replication of directory services.<br>Description: Active Directory replication is the process by which changes made on one domain controller are synchronized with all other domain controllers. Given the necessary permissions, attackers can initiate a replication request themselves and retrieve the data stored in Active Directory, including password hashes. In this detection, an alert is triggered when a replication request is initiated from a computer that isn't a domain controller.<br>Note: Domain controllers on which Defender for Identity sensors aren't installed aren't covered by Defender for Identity, and a newly promoted domain controller that has no sensor might not immediately be identified as a domain controller, so replication from it can be reported by this alert until it is recognized. It's highly recommended to install the Defender for Identity sensor on every domain controller to get full coverage.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- Secondary MITRE tactic: Persistence (TA0003)<br>- MITRE attack technique: OS Credential Dumping (T1003)<br>- MITRE attack sub-technique: DCSync (T1003.006)<br>Suggested steps for prevention: Validate which principals hold the following permissions on the domain naming context:<br>- Replicating Directory Changes.<br>- Replicating Directory Changes All.<br>- For more information, see Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013. You can use AD ACL Scanner or create a Windows PowerShell script to determine who in the domain has these permissions. | High | 2006 |
**Suspected AD FS DKM key read**<br>Description: The token-signing and token-decryption certificates, including the Active Directory Federation Services (AD FS) private keys, are stored in the AD FS configuration database, encrypted with keys that AD FS creates and manages using Distributed Key Manager (DKM). To perform an attack such as Golden SAML, the attacker needs the private key that signs the SAML tokens, just as the krbtgt account's key is needed for a Golden Ticket attack. Using the AD FS service account, an attacker can read the DKM key and decrypt the certificates used to sign SAML tokens. This detection looks for any actor that attempts to read the DKM key of the AD FS object.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: Unsecured Credentials (T1552)<br>- MITRE attack sub-technique: Private Keys (T1552.004) | High | 2413 |
**Suspected DFSCoerce attack using Distributed File System Protocol**<br>Description: A DFSCoerce attack uses the MS-DFSNM API to force a domain controller to authenticate to a remote machine under the attacker's control, which triggers NTLM authentication. This ultimately enables a threat actor to launch an NTLM relay attack.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: Forced Authentication (T1187)<br>- MITRE attack sub-technique: N/A | High | 2426 |
**Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation)**<br>Description: By exploiting CVE-2020-17049, attackers attempt a suspicious Kerberos delegation using the BronzeBit method, which tampers with the forwardable flag of a service ticket obtained through S4U2self so that the delegation restrictions that should apply to the impersonated user are bypassed. This can lead to unauthorized privilege escalation and compromise the security of the Kerberos authentication process.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: Steal or Forge Kerberos Tickets (T1558)<br>- MITRE attack sub-technique: N/A | Medium | 2048 |
**Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate**<br>Description: Anomalous authentication attempts using suspicious certificates in Active Directory Federation Services (AD FS) might indicate a security breach. Monitoring and validating the certificates used during AD FS authentication is crucial for preventing unauthorized access.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: Forge Web Credentials (T1606)<br>- MITRE attack sub-technique: N/A<br>Note: Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate alerts are only supported by Defender for Identity sensors on AD FS. | High | 2424 |
**Suspected account takeover using shadow credentials**<br>Description: Shadow credentials are key credentials that an attacker adds to a target account's msDS-KeyCredentialLink attribute. An attacker with write access to that attribute on a user or computer object can register a key they control and then authenticate as that account over Kerberos PKINIT, without knowing or changing its password. The use of shadow credentials in an account takeover attempt suggests malicious activity aimed at gaining unauthorized access to and control over the account.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- MITRE attack technique: OS Credential Dumping (T1003)<br>- MITRE attack sub-technique: N/A | High | 2431 |
**Suspected suspicious Kerberos ticket request**<br>Description: This alert is raised on abnormal Kerberos ticket requests. Attackers might attempt to exploit weaknesses in the Kerberos authentication process, potentially leading to unauthorized access and compromise of the security infrastructure.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Credential Access (TA0006)<br>- Secondary MITRE tactic: Collection (TA0009)<br>- MITRE attack technique: Adversary-in-the-Middle (T1557)<br>- MITRE attack sub-technique: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) | High | 2418 |
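The horizontal/vertical distinction and the 30-minute spray cadence described under Suspected Brute Force attack (Kerberos, NTLM) can be checked directly against authentication-failure events. The following is an added example, not Defender for Identity's detection logic: the AuthFailure records, host and account names, and thresholds are constructed for the example, and the sensor's real schema is not assumed.

```python
"""Classify authentication-failure bursts per source host as horizontal
(password spray), vertical (password guessing) or mixed, and measure the
spacing between spray rounds.

Added example; this is not Defender for Identity's detection code. The
AuthFailure records and the thresholds are constructed for the example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthFailure:
    ts: datetime
    source: str    # host the attempt came from
    account: str   # target account
    protocol: str  # "Kerberos" or "NTLM"


# Constructed sample: one sprayer, one account hammerer, one user with a typo.
T0 = datetime(2024, 5, 6, 9, 0, 0)
SAMPLE = []
for rnd in range(3):                      # three spray rounds, 30 min apart
    for i in range(40):                   # one guess per account per round
        SAMPLE.append(AuthFailure(T0 + timedelta(minutes=30 * rnd, seconds=i),
                                  "WS-117", f"user{i:02d}", "Kerberos"))
for i in range(50):                       # 50 guesses against a single account
    SAMPLE.append(AuthFailure(T0 + timedelta(seconds=12 * i),
                              "WS-042", "svc_backup", "NTLM"))
for i in range(3):                        # a user mistyping their password
    SAMPLE.append(AuthFailure(T0 + timedelta(minutes=i),
                              "WS-007", "j.doe", "Kerberos"))


def round_starts(events, gap=timedelta(minutes=5)):
    """Split one source's failures into rounds separated by quiet gaps longer than `gap`."""
    times = sorted(e.ts for e in events)
    starts = [times[0]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > gap:
            starts.append(cur)
    return starts


def verdict(n_accounts, max_per_account, total,
            spray_accounts=20, spray_max_per_account=5, guess_attempts=20):
    """Horizontal: many accounts, few tries each. Vertical: few accounts, many tries."""
    if n_accounts >= spray_accounts and max_per_account <= spray_max_per_account:
        return "horizontal (password spray)"
    if n_accounts <= 3 and total >= guess_attempts:
        return "vertical (password guessing)"
    if n_accounts >= spray_accounts and total >= guess_attempts:
        return "mixed"
    return "below threshold"


def summarize(failures):
    """Per-source summary: volume, spread across accounts, rounds and their spacing in minutes."""
    by_source = defaultdict(list)
    for f in failures:
        by_source[f.source].append(f)
    report = {}
    for src, evs in by_source.items():
        per_account = Counter(e.account for e in evs)
        starts = round_starts(evs)
        spacing = [round((b - a).total_seconds() / 60, 1)
                   for a, b in zip(starts, starts[1:])]
        report[src] = {
            "total": len(evs),
            "accounts": len(per_account),
            "max_per_account": max(per_account.values()),
            "rounds": len(starts),
            "round_spacing_minutes": spacing,
            "verdict": verdict(len(per_account), max(per_account.values()), len(evs)),
        }
    return report


if __name__ == "__main__":
    for src, row in summarize(SAMPLE).items():
        print(src, row)
```

The round spacing is the part worth keeping: a source whose rounds are evenly spaced just past the domain's lockout observation window is deliberately pacing itself, which is a stronger signal than the raw failure count.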
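The prevention steps for the Security principal reconnaissance (LDAP), Suspected Kerberos SPN exposure, and Suspected AS-REP Roasting attack alerts above all come down to the same directory attributes: which user accounts carry SPNs (and whether they still use RC4 or old passwords), and which accounts have preauthentication disabled. The following added example, not Defender for Identity code, audits a constructed directory export for both. The attribute names and flag values are the real Active Directory ones; the accounts and their values are made up, and objectClass is simplified to a single most-specific class.

```python
"""Audit a directory export for accounts exposed to Kerberoasting and
AS-REP roasting.

Added example, not Defender for Identity code. The account records are
constructed; attribute names and bit values are the real AD ones."""
from datetime import datetime, timedelta

# userAccountControl bits (Active Directory schema)
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ETYPE_RC4 = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10

NOW = datetime(2024, 5, 6)

# Constructed export. objectClass is simplified to the most specific class
# (in AD it is multi-valued).
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "msDS-SupportedEncryptionTypes": ETYPE_RC4,
     "pwdLastSet": NOW - timedelta(days=900)},
    {"sAMAccountName": "gmsa_web$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-SupportedEncryptionTypes": ETYPE_AES256,
     "pwdLastSet": NOW - timedelta(days=10)},
    {"sAMAccountName": "SRV01$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/srv01.corp.example"],
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-SupportedEncryptionTypes": ETYPE_AES256 | ETYPE_AES128 | ETYPE_RC4,
     "pwdLastSet": NOW - timedelta(days=20)},
    {"sAMAccountName": "legacy.app", "objectClass": "user", "servicePrincipalName": [],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "j.doe", "objectClass": "user", "servicePrincipalName": [],
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": NOW - timedelta(days=30)},
]


def supports_aes(acct):
    """True only when AES is explicitly enabled; 0 means the attribute is unset."""
    return bool(acct["msDS-SupportedEncryptionTypes"] & (ETYPE_AES128 | ETYPE_AES256))


def audit(accounts, max_pwd_age_days=365):
    """Return (account, finding, reasons) triples for exposed accounts."""
    findings = []
    for a in accounts:
        name, uac = a["sAMAccountName"], a["userAccountControl"]
        # Kerberoasting: anyone can request a TGS for any SPN, but only a
        # human-chosen password is crackable in practice. gMSAs and computer
        # accounts rotate long random passwords automatically, so skip them.
        if a["servicePrincipalName"] and a["objectClass"] == "user":
            reasons = []
            if not supports_aes(a):
                reasons.append("no AES in msDS-SupportedEncryptionTypes (RC4 ticket)")
            age = (NOW - a["pwdLastSet"]).days
            if age > max_pwd_age_days:
                reasons.append(f"password {age} days old")
            if uac & UF_DONT_EXPIRE_PASSWD:
                reasons.append("password never expires")
            findings.append((name, "Kerberoasting target", reasons))
        # AS-REP roasting: with preauthentication disabled anyone can fetch
        # an AS-REP encrypted with the account's key and crack it offline.
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "AS-REP roasting target",
                             ["DONT_REQ_PREAUTH set; enable Kerberos preauthentication"]))
    return findings


if __name__ == "__main__":
    for name, finding, reasons in audit(ACCOUNTS):
        print(f"{name}: {finding}: {'; '.join(reasons)}")
```

Against a real domain the same logic applies to the output of an LDAP query for these attributes; the `reasons` list maps directly onto the page's remediation steps (long passwords or gMSA for SPN accounts, AES-only encryption types, preauthentication enabled).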
Lateral movement alerts
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement, or use legitimate credentials with native network and operating system tools, which may be stealthier. Microsoft Defender for Identity can cover different passing attacks (pass the ticket, pass the hash, and so on) and other exploitation against the domain controller, such as PrintNightmare or remote code execution.
Security alert name | Severity | External ID |
---|---|---|
**Suspected exploitation attempt on Windows Print Spooler service**<br>Description: Adversaries might exploit the Windows Print Spooler service to perform privileged file operations improperly. An attacker who has (or obtains) the ability to execute code on the target, and who successfully exploits the vulnerability, can run arbitrary code with SYSTEM privileges on the target system. Run against a domain controller, the attack lets a compromised non-administrator account act on the domain controller as SYSTEM. In effect, any attacker who gets into the network can instantly elevate to Domain Admin, steal all domain credentials, and distribute further malware as a Domain Admin.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Exploitation of Remote Services (T1210)<br>- MITRE attack sub-technique: N/A<br>Suggested steps for prevention:<br>- Because of the risk of domain controller compromise, install the security updates for CVE-2021-34527 on Windows domain controllers before installing them on member servers and workstations.<br>- You can use the Defender for Identity built-in security assessment that tracks the availability of the Print Spooler service on domain controllers. | High or Medium | 2415 |
**Remote code execution attempt over DNS**<br>Description: On December 11, 2018, Microsoft published CVE-2018-8626, announcing a newly discovered remote code execution vulnerability in Windows Domain Name System (DNS) servers: affected servers fail to properly handle requests, and an attacker who successfully exploits the vulnerability can run arbitrary code in the context of the Local System account. Windows servers configured as DNS servers are at risk. In this detection, a Defender for Identity security alert is triggered when DNS queries suspected of exploiting CVE-2018-8626 are made against a domain controller in the network.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- Secondary MITRE tactic: Privilege Escalation (TA0004)<br>- MITRE attack technique: Exploitation for Privilege Escalation (T1068), Exploitation of Remote Services (T1210)<br>- MITRE attack sub-technique: N/A<br>Suggested remediation and steps for prevention:<br>- Make sure all DNS servers in the environment are up to date and patched against CVE-2018-8626. | Medium | 2036 |
**Suspected identity theft (pass-the-hash)**<br>Previous name: Identity theft using Pass-the-Hash attack.<br>Description: Pass-the-Hash is a lateral movement technique in which attackers steal a user's NTLM hash from one computer and use it to authenticate to another computer, without ever needing the plaintext password.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Use Alternate Authentication Material (T1550)<br>- MITRE attack sub-technique: Pass the Hash (T1550.002) | High | 2017 |
**Suspected identity theft (pass-the-ticket)**<br>Previous name: Identity theft using Pass-the-Ticket attack.<br>Description: Pass-the-Ticket is a lateral movement technique in which attackers steal a Kerberos ticket from one computer and use it to gain access to another computer by reusing the stolen ticket. In this detection, a Kerberos ticket is seen used on two (or more) different computers.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Use Alternate Authentication Material (T1550)<br>- MITRE attack sub-technique: Pass the Ticket (T1550.003) | High or Medium | 2018 |
**Suspected NTLM authentication tampering**<br>Description: In June 2019, Microsoft published CVE-2019-1040, a tampering vulnerability in Microsoft Windows in which an adversary-in-the-middle can bypass the NTLM MIC (Message Integrity Check) protection. Attackers who successfully exploit this vulnerability can downgrade NTLM security features and may create authenticated sessions on behalf of other accounts. Unpatched Windows servers are at risk. In this detection, a Defender for Identity security alert is triggered when NTLM authentication requests suspected of exploiting CVE-2019-1040 are made against a domain controller in the network.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- Secondary MITRE tactic: Privilege Escalation (TA0004)<br>- MITRE attack technique: Exploitation for Privilege Escalation (T1068), Exploitation of Remote Services (T1210)<br>- MITRE attack sub-technique: N/A<br>Suggested steps for prevention:<br>- Force the use of sealed NTLMv2 in the domain, using the Network security: LAN Manager authentication level group policy. For more information, see LAN Manager authentication level instructions for setting the group policy for domain controllers.<br>- Make sure all devices in the environment are up to date and patched against CVE-2019-1040. | Medium | 2039 |
**Suspected NTLM relay attack (Exchange account)**<br>Description: An attacker can make an Exchange Server computer account authenticate over NTLM to a remote HTTP server that the attacker runs. The attacker's server relays that authentication to another server, or more interestingly to Active Directory over LDAP: it forwards the target's NTLM challenge to Exchange, takes the response Exchange produces, and uses it to complete the NTLM negotiation with the target as the Exchange computer account. In this detection, an alert is triggered when Defender for Identity identifies use of Exchange account credentials from a suspicious source.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- Secondary MITRE tactic: Privilege Escalation (TA0004)<br>- MITRE attack technique: Exploitation for Privilege Escalation (T1068), Exploitation of Remote Services (T1210), Adversary-in-the-Middle (T1557)<br>- MITRE attack sub-technique: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)<br>Suggested steps for prevention:<br>- Force the use of sealed NTLMv2 in the domain, using the Network security: LAN Manager authentication level group policy. For more information, see LAN Manager authentication level instructions for setting the group policy for domain controllers. | Medium, or Low if observed using signed NTLMv2 | 2037 |
**Suspected overpass-the-hash attack (Kerberos)**<br>Previous name: Unusual Kerberos protocol implementation (potential overpass-the-hash attack).<br>Description: Attackers use tools that implement protocols such as Kerberos and SMB in non-standard ways. While Windows accepts this kind of network traffic without warnings, Defender for Identity is able to recognize the potential malicious intent. The behavior is indicative of techniques such as overpass-the-hash and brute force, and of advanced ransomware exploits such as WannaCry.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Exploitation of Remote Services (T1210), Use Alternate Authentication Material (T1550)<br>- MITRE attack sub-technique: Pass the Hash (T1550.002), Pass the Ticket (T1550.003) | Medium | 2002 |
**Suspected rogue Kerberos certificate usage**<br>Description: A rogue certificate attack is a persistence technique used by attackers after they've gained control over the organization. Attackers compromise the Certificate Authority (CA) server and generate certificates that can be used as backdoor accounts in future attacks.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- Secondary MITRE tactic: Persistence (TA0003), Privilege Escalation (TA0004)<br>- MITRE attack technique: N/A<br>- MITRE attack sub-technique: N/A | High | 2047 |
**Suspected SMB packet manipulation (CVE-2020-0796 exploitation)**<br>Description: On March 12, 2020, Microsoft published CVE-2020-0796, announcing a new remote code execution vulnerability in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploits the vulnerability can execute code on the target server or client. Unpatched Windows servers are at risk. In this detection, a Defender for Identity security alert is triggered when SMBv3 packets suspected of exploiting CVE-2020-0796 are sent to a domain controller in the network.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Exploitation of Remote Services (T1210)<br>- MITRE attack sub-technique: N/A<br>Suggested steps for prevention:<br>- If you have computers with operating systems that don't support KB4551762, we recommend disabling the SMBv3 compression feature in the environment, as described in the Workarounds section of the advisory.<br>- Make sure all devices in the environment are up to date and patched against CVE-2020-0796. | High | 2406 |
**Suspicious network connection over Encrypting File System Remote Protocol**<br>Description: Adversaries might abuse the Encrypting File System Remote Protocol (EFSRPC) to coerce authentication from machine accounts. By forcing a domain controller's machine account to authenticate to an attacker-controlled host and relaying that authentication to Active Directory Certificate Services, the attacker can obtain a certificate for the domain controller and escalate privileges in the Active Directory network. Chaining the EFSRPC flaw with the flaw in Active Directory Certificate Services allows an attacker to take over an Active Directory (AD) domain.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Exploitation of Remote Services (T1210)<br>- MITRE attack sub-technique: N/A | High or Medium | 2416 |
**Exchange Server Remote Code Execution (CVE-2021-26855)**<br>Description: Some Exchange vulnerabilities can be used in combination to allow unauthenticated remote code execution on devices running Exchange Server. Microsoft has also observed subsequent web shell implantation, code execution, and data exfiltration activities during attacks. The threat is exacerbated by the fact that numerous organizations publish Exchange Server deployments to the internet to support mobile and work-from-home scenarios. In many of the observed attacks, one of the first steps attackers took after successfully exploiting CVE-2021-26855, which allows unauthenticated remote code execution, was to establish persistent access to the compromised environment via a web shell. The authentication bypass vulnerability results from the backend having to treat requests for static resources as authenticated requests, because files such as scripts and images must be available even without authentication.<br>Prerequisites: Defender for Identity needs Windows Event 4662 to be enabled and collected to monitor for this attack. For information on how to configure and collect this event, see Configure Windows Event collection, and follow the instructions for Enable auditing on an Exchange object.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Exploitation of Remote Services (T1210)<br>- MITRE attack sub-technique: N/A<br>Suggested steps for prevention: Update your Exchange servers with the latest security patches. The vulnerabilities are addressed in the March 2021 Exchange Server Security Updates. | High | 2414 |
**Suspected Brute Force attack (SMB)**<br>Previous name: Unusual protocol implementation (potential use of malicious tools such as Hydra).<br>Description: Attackers use tools that implement protocols such as SMB, Kerberos, and NTLM in non-standard ways. While this type of network traffic is accepted by Windows without warnings, Defender for Identity is able to recognize the potential malicious intent. The behavior is indicative of brute force techniques.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Brute Force (T1110)<br>- MITRE attack sub-technique: Password Guessing (T1110.001), Password Spraying (T1110.003)<br>Suggested steps for prevention:<br>- Enforce complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against future brute-force attacks.<br>- Disable SMBv1 | Medium | 2033 |
**Suspected WannaCry ransomware attack**<br>Previous name: Unusual protocol implementation (potential WannaCry ransomware attack).<br>Description: Attackers use tools that implement various protocols in non-standard ways. While this type of network traffic is accepted by Windows without warnings, Defender for Identity is able to recognize the potential malicious intent. The behavior is indicative of techniques used by advanced ransomware, such as WannaCry.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Exploitation of Remote Services (T1210)<br>- MITRE attack sub-technique: N/A<br>Suggested steps for prevention:<br>- Patch all of your machines, making sure to apply security updates.<br>- Disable SMBv1 | Medium | 2035 |
**Suspected use of Metasploit hacking framework**<br>Previous name: Unusual protocol implementation (potential use of Metasploit hacking tools).<br>Description: Attackers use tools that implement various protocols (SMB, Kerberos, NTLM) in non-standard ways. While this type of network traffic is accepted by Windows without warnings, Defender for Identity is able to recognize the potential malicious intent. The behavior is indicative of techniques such as use of the Metasploit hacking framework.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Exploitation of Remote Services (T1210)<br>- MITRE attack sub-technique: N/A<br>Suggested remediation and steps for prevention:<br>- Disable SMBv1 | Medium | 2034 |
**Suspicious certificate usage over Kerberos protocol (PKINIT)**<br>Description: Attackers abuse the PKINIT extension of the Kerberos protocol by authenticating with suspicious certificates, which can lead to identity theft and unauthorized access. Possible attacks include the use of invalid or compromised certificates, adversary-in-the-middle attacks, and poor certificate management. Regular security audits and adherence to PKI best practices are crucial to mitigating these risks.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Use Alternate Authentication Material (T1550)<br>- MITRE attack sub-technique: N/A<br>Note: Suspicious certificate usage over Kerberos protocol (PKINIT) alerts are only supported by Defender for Identity sensors on AD CS. | High | 2425 |
**Suspected over-pass-the-hash attack (forced encryption type)**<br>Description: In an over-pass-the-hash attack with a forced encryption type, an attacker who holds an account's NTLM hash requests Kerberos tickets with the RC4 encryption type, whose key is the NTLM hash itself, even though the account normally authenticates with AES. This downgrade of the requested encryption type lets the attacker turn a stolen hash into valid Kerberos tickets, bypassing security measures and gaining unauthorized access. Defending against such attacks requires robust encryption configurations and monitoring.<br>Learning period: One month<br>MITRE:<br>- Primary MITRE tactic: Lateral Movement (TA0008)<br>- Secondary MITRE tactic: Defense Evasion (TA0005)<br>- MITRE attack technique: Use Alternate Authentication Material (T1550)<br>- MITRE attack sub-technique: Pass the Hash (T1550.002), Pass the Ticket (T1550.003) | Medium | 2008 |
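Two of the alerts above, Suspected identity theft (pass-the-ticket) and Suspected over-pass-the-hash attack (forced encryption type), reduce to checks you can run over Kerberos ticket events: the same ticket used from more than one computer, and an RC4 ticket request for an account whose learned baseline is AES-only. The following added example, not Defender for Identity code, implements both over constructed events. The etype numbers are the standard Kerberos ones; the `ticket_id` correlation field is an assumption standing in for however the sensor tracks a ticket across hosts, and the host and account names are made up.

```python
"""Two checks over Kerberos ticket events: a ticket used from more than one
computer (pass-the-ticket) and an RC4 ticket request for an account whose
learned baseline is AES-only (over-pass-the-hash with a forced encryption type).

Added example, not Defender for Identity code. Events are constructed; the
ticket_id field is an assumed correlation key."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Kerberos encryption type numbers (RFC 3961 / RFC 4757)
AES128, AES256, RC4_HMAC = 0x11, 0x12, 0x17


@dataclass(frozen=True)
class TicketEvent:
    ts: datetime
    kind: str        # "AS" = TGT request, "TGS" = service-ticket request using a TGT
    account: str
    client: str      # requesting computer
    etype: int       # encryption type of the ticket requested or used
    ticket_id: str   # assumed correlation id for the TGT involved


T0 = datetime(2024, 4, 1)
EVENTS = [
    # learning month: both users always use AES256 from their own workstations
    TicketEvent(T0, "AS", "a.lee", "WS-021", AES256, "T-1001"),
    TicketEvent(T0 + timedelta(hours=1), "TGS", "a.lee", "WS-021", AES256, "T-1001"),
    TicketEvent(T0 + timedelta(days=3), "AS", "b.kim", "WS-033", AES256, "T-1002"),
    TicketEvent(T0 + timedelta(days=3, hours=2), "TGS", "b.kim", "WS-033", AES256, "T-1002"),
    # after the learning period
    TicketEvent(T0 + timedelta(days=35), "AS", "a.lee", "WS-021", AES256, "T-2002"),
    TicketEvent(T0 + timedelta(days=35, minutes=5), "TGS", "a.lee", "WS-021", AES256, "T-2002"),
    # the same TGT now used from a second host: pass-the-ticket
    TicketEvent(T0 + timedelta(days=35, minutes=40), "TGS", "a.lee", "WS-099", AES256, "T-2002"),
    # an RC4 TGT request for an AES-only account: over-pass-the-hash
    TicketEvent(T0 + timedelta(days=36), "AS", "a.lee", "WS-099", RC4_HMAC, "T-2003"),
    TicketEvent(T0 + timedelta(days=36), "AS", "b.kim", "WS-033", AES256, "T-2004"),
]


def learn_baseline(events, learning_period=timedelta(days=30)):
    """Encryption types each account requested during the learning period."""
    cutoff = min(e.ts for e in events) + learning_period
    base = defaultdict(set)
    for e in events:
        if e.kind == "AS" and e.ts < cutoff:
            base[e.account].add(e.etype)
    return cutoff, dict(base)


def pass_the_ticket(events):
    """Tickets seen in use from two or more different computers."""
    seen = defaultdict(set)
    owner = {}
    for e in events:
        seen[e.ticket_id].add(e.client)
        owner[e.ticket_id] = e.account
    return [(tid, owner[tid], sorted(hosts))
            for tid, hosts in seen.items() if len(hosts) > 1]


def forced_etype(events):
    """RC4 TGT requests after the learning period for accounts whose baseline is AES-only."""
    cutoff, base = learn_baseline(events)
    hits = []
    for e in events:
        if e.kind != "AS" or e.ts < cutoff or e.etype != RC4_HMAC:
            continue
        known = base.get(e.account)
        if known and known <= {AES128, AES256}:
            hits.append((e.account, e.client, e.ticket_id))
    return hits


if __name__ == "__main__":
    print("pass-the-ticket:", pass_the_ticket(EVENTS))
    print("forced encryption type:", forced_etype(EVENTS))
```

Both checks are deliberately narrow: a ticket legitimately carried across hosts by Credential Guard-less roaming profiles, or an account that genuinely still uses RC4, will show up here, which is why the page attaches a one-month learning period to the encryption-type alert rather than flagging every RC4 request.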
Other alerts
The following security alerts help you identify and remediate suspicious activities in the Other category detected by Defender for Identity in your network.
Security alert name | Severity | External ID |
---|---|---|
**Suspected DCShadow attack (domain controller promotion)**<br>Previous name: Suspicious domain controller promotion (potential DCShadow attack).<br>Description: A domain controller shadow (DCShadow) attack is designed to change directory objects using malicious replication. The attack can be performed from any machine by creating a rogue domain controller and pushing changes through the replication process. In a DCShadow attack, RPC and LDAP are used to:<br>- Register the machine account as a domain controller (using domain admin rights).<br>- Perform replication (using the granted replication rights) over DRSUAPI and send changes to directory objects.<br>In this Defender for Identity detection, a security alert is triggered when a machine in the network tries to register as a rogue domain controller.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Defense Evasion (TA0005)<br>- MITRE attack technique: Rogue Domain Controller (T1207)<br>- MITRE attack subtechnique: N/A<br>Suggested steps for prevention: Validate which principals hold the following permissions:<br>- Replicating Directory Changes.<br>- Replicating Directory Changes All.<br>- For more information, see Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013. You can use AD ACL Scanner or create a Windows PowerShell script to determine who has these permissions in the domain.<br>Note: Suspicious domain controller promotion (potential DCShadow attack) alerts are supported by Defender for Identity sensors only. | High | 2028 |
**Suspected DCShadow attack (domain controller replication request)**<br>Previous name: Suspicious replication request (potential DCShadow attack).<br>Description: Active Directory replication is the process by which changes made on one domain controller are synchronized with other domain controllers. Given the necessary permissions, attackers can grant replication rights to their own machine account, allowing them to impersonate a domain controller. They then initiate a malicious replication request that changes Active Directory objects on a genuine domain controller, which can give the attackers persistence in the domain. In this detection, an alert is triggered when a suspicious replication request is generated against a genuine domain controller protected by Defender for Identity. The behavior is indicative of techniques used in domain controller shadow attacks.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Defense Evasion (TA0005)<br>- MITRE attack technique: Rogue Domain Controller (T1207)<br>- MITRE attack subtechnique: N/A<br>Suggested remediation and steps for prevention: Validate which principals hold the following permissions:<br>- Replicating Directory Changes.<br>- Replicating Directory Changes All.<br>- For more information, see Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013. You can use AD ACL Scanner or create a Windows PowerShell script to determine who in the domain has these permissions.<br>Note: Suspicious replication request (potential DCShadow attack) alerts are supported by Defender for Identity sensors only. | High | 2029 |
**Suspicious VPN connection**<br>Previous name: Suspicious VPN connection.<br>Description: Defender for Identity learns the entity behavior for users' VPN connections over a sliding period of one month. The VPN behavior model is based on the machines users sign in to and the locations they connect from. An alert is opened when a machine learning algorithm detects a deviation from the user's learned behavior.<br>Learning period: 30 days from the first VPN connection, and at least 5 VPN connections in the last 30 days, per user.<br>MITRE:<br>- Primary MITRE tactic: Defense Evasion (TA0005)<br>- Secondary MITRE tactic: Persistence (TA0003)<br>- MITRE attack technique: External Remote Services (T1133)<br>- MITRE attack subtechnique: N/A | Medium | 2025 |
**Remote code execution attempt**<br>Previous name: Remote code execution attempt.<br>Description: Attackers who compromise administrative credentials or use a zero-day exploit can execute remote commands on your domain controller or AD FS / AD CS server. This can be used for gaining persistence, collecting information, denial of service (DoS) attacks, or any other purpose. Defender for Identity detects PsExec, Remote WMI, and PowerShell connections.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Execution (TA0002)<br>- Secondary MITRE tactic: Lateral Movement (TA0008)<br>- MITRE attack technique: Command and Scripting Interpreter (T1059), Remote Services (T1021)<br>- MITRE attack subtechnique: PowerShell (T1059.001), Windows Remote Management (T1021.006)<br>Suggested steps for prevention:<br>- Restrict remote access to domain controllers from non-Tier 0 machines.<br>- Implement privileged access, allowing only hardened machines to connect to domain controllers for admins.<br>- Implement less-privileged access on domain machines to allow only specific users the right to create services.<br>Note: Remote code execution attempt alerts on attempted use of PowerShell commands are only supported by Defender for Identity sensors. | Medium | 2019 |
**Suspicious service creation**<br>Previous name: Suspicious service creation.<br>Description: A suspicious service has been created on a domain controller or AD FS / AD CS server in your organization. This alert relies on event 7045 (a new service was installed) to identify the activity.<br>Learning period: None<br>MITRE:<br>- Primary MITRE tactic: Execution (TA0002)<br>- Secondary MITRE tactic: Persistence (TA0003), Privilege Escalation (TA0004), Defense Evasion (TA0005), Lateral Movement (TA0008)<br>- MITRE attack technique: Remote Services (T1021), Command and Scripting Interpreter (T1059), System Services (T1569), Create or Modify System Process (T1543)<br>- MITRE attack subtechnique: Service Execution (T1569.002), Windows Service (T1543.003)<br>Suggested steps for prevention:<br>- Restrict remote access to domain controllers from non-Tier 0 machines.<br>- Implement privileged access to allow only hardened machines to connect to domain controllers for administrators.<br>- Implement less-privileged access on domain machines to give only specific users the right to create services. | Medium | 2026 |
**Suspicious communication over DNS** (Severity: Medium; Alert ID: 2031)

Previous name: Suspicious communication over DNS

Description: In most organizations the DNS protocol is not monitored and is rarely blocked, which lets an attacker on a compromised machine abuse it for malicious traffic. Malicious communication over DNS can be used for data exfiltration, command and control, and/or evading corporate network restrictions.

Learning period: None

MITRE:
- Primary MITRE tactic: Exfiltration (TA0010)
- MITRE attack technique: Exfiltration Over Alternative Protocol (T1048), Exfiltration Over C2 Channel (T1041), Scheduled Transfer (T1029), Automated Exfiltration (T1020), Application Layer Protocol (T1071)
- MITRE attack subtechnique: DNS (T1071.004), Exfiltration over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003)

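DNS tunnels and DNS-based C2 have to encode their payload into query names, and that leaves measurable traces: very long names, long individual labels, many labels, high-entropy subdomains, and TXT/NULL/CNAME lookups that carry a payload. The PowerShell below is an added example (not from the Microsoft page or from Defender for Identity's detection) that scores query records on those traits. The thresholds, the record shape (`Client`, `QType`, `QName`) and the sample queries are constructed; on a real server the same function can be fed from the DNS server's analytic log or a resolver's query log.

```powershell
# Added example: heuristics for DNS tunneling / DNS C2 over query names.
# Thresholds and sample records are constructed for the demo.

function Get-ShannonEntropy {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $n = $Text.Length
    $h = 0.0
    foreach ($group in ($Text.ToCharArray() | Group-Object)) {
        $p = $group.Count / $n
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 2)
}

function Test-DnsTunnelingIndicators {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Query    # expects Client, QType, QName
    )
    process {
        $labels  = $Query.QName.TrimEnd('.').Split('.')
        # Everything left of the registrable domain (last two labels) is where a tunnel puts its payload
        $payload = ($labels | Select-Object -SkipLast 2) -join ''
        $longest = ($labels | Measure-Object -Property Length -Maximum).Maximum
        $entropy = Get-ShannonEntropy -Text $payload
        $reasons = New-Object System.Collections.Generic.List[string]

        if ($Query.QName.Length -gt 100) { $reasons.Add("query name length $($Query.QName.Length) > 100") }
        if ($longest -gt 40)             { $reasons.Add("longest label $longest chars (limit is 63; normal names are far shorter)") }
        if ($labels.Count -gt 5)         { $reasons.Add("$($labels.Count) labels") }
        if ($payload.Length -ge 20 -and $entropy -gt 3.8) { $reasons.Add("subdomain payload entropy $entropy bits/char") }
        if ($Query.QType -in 'TXT','NULL','CNAME' -and $payload.Length -ge 20) {
            $reasons.Add("$($Query.QType) query carrying a long subdomain payload")
        }

        [pscustomobject]@{
            Client     = $Query.Client
            QType      = $Query.QType
            QName      = $Query.QName
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = $reasons -join '; '
        }
    }
}

# Constructed sample query records: two ordinary lookups, one hex-encoded TXT exfil query,
# one base32-encoded beacon name
$queries = @(
    [pscustomobject]@{ Client='10.1.4.22'; QType='A';   QName='login.microsoftonline.com' },
    [pscustomobject]@{ Client='10.1.4.22'; QType='A';   QName='dc01.corp.contoso.com' },
    [pscustomobject]@{ Client='10.1.9.51'; QType='TXT'; QName='6a4b8f0c2e1d9a7b3c5f8e2d4a6b9c1e3f5a7d9b2c4e6f8a1b3d5c7e.8d1f3a5c7e9b2d4f6a8c1e3b5d7f9a2c.t.exfil-example.net' },
    [pscustomobject]@{ Client='10.1.9.51'; QType='A';   QName='MFRGGZDFMZTWQ2LK.NBSWY3DPEB3W64TMMQ.ONSWG4TFOQQQ.c2-example.org' }
)
$queries | Test-DnsTunnelingIndicators | Format-Table Client, QType, Suspicious, Reasons -AutoSize
```

Per-query scoring catches the loud cases; real tunnels are better found by aggregating per client over time (unique subdomains per registrable domain, bytes of query name per hour), which is the kind of baseline a sensor-based detection has and a one-off script does not.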
**Data exfiltration over SMB** (Severity: High; Alert ID: 2030)

Description: Domain controllers hold the most sensitive organizational data. For most attackers, one of their top priorities is to gain domain controller access in order to steal that data. For example, exfiltrating the Ntds.dit file stored on the DC gives an attacker the key material needed to forge Kerberos ticket granting tickets (TGTs) that grant access to any resource, and a forged TGT can be given any arbitrary expiration time. A Defender for Identity Data exfiltration over SMB alert is triggered when suspicious transfers of data are observed from your monitored domain controllers.

Learning period: None

MITRE:
- Primary MITRE tactic: Exfiltration (TA0010)
- Secondary MITRE tactic: Lateral Movement (TA0008), Command and Control (TA0011)
- MITRE attack technique: Exfiltration Over Alternative Protocol (T1048), Lateral Tool Transfer (T1570)
- MITRE attack subtechnique: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003)

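Ntds.dit is held open by the AD DS service, so before it can be pulled over SMB an attacker has to stage a copy, typically with a volume shadow copy or an `ntdsutil` IFM export. The PowerShell below is an added example (not from the Microsoft page or from Defender for Identity) that flags process-creation command lines on a domain controller matching those staging steps. The patterns, sample command lines and host name `DC01` are constructed; the Security event 4688 field index in the live-query comment is real, and command lines only appear in 4688 when "Include command line in process creation events" is enabled.

```powershell
# Added example: flag 4688 command lines that stage Ntds.dit for exfiltration.
# Patterns and sample records are constructed for the demo.

$NtdsStagingPatterns = @(
    @{ Name = 'ntdsutil IFM export';        Pattern = '(?i)ntdsutil.*(ifm|create\s+full|"ac\s+i\s+ntds")' },
    @{ Name = 'shadow copy creation';       Pattern = '(?i)(vssadmin.*create\s+shadow|diskshadow|wmic.*shadowcopy\s+call\s+create)' },
    @{ Name = 'copy from shadow copy path'; Pattern = '(?i)HarddiskVolumeShadowCopy\d+.*ntds\.dit' },
    @{ Name = 'esentutl/copy of ntds.dit';  Pattern = '(?i)(esentutl|copy|xcopy|robocopy).*ntds\.dit' }
)

function Test-NtdsStagingCommand {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Proc   # expects TimeCreated, User, CommandLine
    )
    process {
        $hits = foreach ($p in $NtdsStagingPatterns) {
            if ($Proc.CommandLine -match $p.Pattern) { $p.Name }
        }
        [pscustomobject]@{
            TimeCreated = $Proc.TimeCreated
            User        = $Proc.User
            CommandLine = $Proc.CommandLine
            Suspicious  = [bool]$hits
            Indicators  = $hits -join '; '
        }
    }
}

# Constructed sample process-creation records
$samples = @(
    [pscustomobject]@{ TimeCreated='2024-05-02 01:14:09'; User='CORP\svc-backup'; CommandLine='ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q' },
    [pscustomobject]@{ TimeCreated='2024-05-02 01:20:31'; User='CORP\helpdesk7';  CommandLine='vssadmin.exe create shadow /for=C:' },
    [pscustomobject]@{ TimeCreated='2024-05-02 01:21:02'; User='CORP\helpdesk7';  CommandLine='cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit' },
    [pscustomobject]@{ TimeCreated='2024-05-02 08:00:00'; User='CORP\dcadmin';    CommandLine='repadmin.exe /replsummary' }
)
$samples | Test-NtdsStagingCommand | Format-Table TimeCreated, User, Suspicious, Indicators -AutoSize

# Live DC: in 4688 EventData, index 1 is SubjectUserName and index 8 is CommandLine
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-7)} |
#   ForEach-Object { [pscustomobject]@{ TimeCreated=$_.TimeCreated; User=$_.Properties[1].Value; CommandLine=$_.Properties[8].Value } } |
#   Test-NtdsStagingCommand | Where-Object Suspicious
```

A backup product can legitimately produce the first two patterns, so correlate hits with the account (a backup service account at its scheduled time is expected; a help-desk user at 01:20 is not) and with the SMB transfer that the alert itself reports.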
**Suspicious deletion of the certificate database entries** (Severity: Medium; Alert ID: 2433)

Description: Deletion of certificate database entries is a red flag that indicates potential malicious activity. Such an attack can disrupt the functioning of Public Key Infrastructure (PKI) systems, impacting authentication and data integrity.

Learning period: None

MITRE:
- Primary MITRE tactic: Defense Evasion (TA0005)
- MITRE attack technique: Indicator Removal (T1070)
- MITRE attack subtechnique: N/A

Note: Suspicious deletion of the certificate database entries alerts are only supported by Defender for Identity sensors on AD CS.

**Suspicious disable of audit filters of AD CS** (Severity: Medium; Alert ID: 2434)

Description: Disabling audit filters in AD CS can allow attackers to operate without being detected. This attack aims to evade security monitoring by disabling filters that would otherwise flag suspicious activities.

Learning period: None

MITRE:
- Primary MITRE tactic: Defense Evasion (TA0005)
- MITRE attack technique: Impair Defenses (T1562)
- MITRE attack subtechnique: Disable Windows Event Logging (T1562.002)

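Both AD CS alerts above depend on the CA actually auditing itself. A CA writes certificate-database and configuration audit events only when the Object Access > Certification Services audit subcategory is enabled on the server and the CA's `AuditFilter` registry value turns on the individual audit categories (127 = all seven). The PowerShell below is an added example (not from the Microsoft page or from Defender for Identity) that evaluates that value and shows where to look for the corresponding Security-log events. The CA name `Contoso-Issuing-CA` is constructed; the registry path, value name and event IDs are real.

```powershell
# Added example: check the AD CS audit posture the alerts 2433 / 2434 rely on.
# CA name in the comments is constructed; registry path and event IDs are real.

function Test-AdcsAuditFilter {
    param([int]$AuditFilter)   # HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\AuditFilter

    # 127 (0x7f) means all seven CA audit categories are on; 0 means CA auditing is off entirely
    $verdict = switch ($AuditFilter) {
        127     { 'OK: all CA audit categories enabled' }
        0       { 'ALERT: CA auditing fully disabled' }
        default { 'WARN: some CA audit categories disabled' }
    }
    [pscustomobject]@{
        AuditFilter = ('0x{0:x} ({0})' -f $AuditFilter)
        AllEnabled  = ($AuditFilter -eq 127)
        Verdict     = $verdict
    }
}

# Offline demo on constructed values: a healthy CA, a tampered one, and a partially audited one
127, 0, 3 | ForEach-Object { Test-AdcsAuditFilter -AuditFilter $_ } | Format-Table -AutoSize

# On the CA itself (run elevated; CA name is constructed):
# $ca = 'Contoso-Issuing-CA'
# $value = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$ca").AuditFilter
# Test-AdcsAuditFilter -AuditFilter $value
# certutil -getreg CA\AuditFilter     # same value, decoded per category
#
# AuditFilter is irrelevant unless the OS-level subcategory is also on:
# auditpol /get /subcategory:"Certification Services"
#
# Security-log events that correspond to the two alerts:
#   4885 = the audit filter for Certificate Services changed
#   4896 = one or more rows have been deleted from the certificate database
# Get-WinEvent -ComputerName $ca -FilterHashtable @{LogName='Security'; Id=4885,4896; StartTime=(Get-Date).AddDays(-30)} |
#   Select-Object TimeCreated, Id, Message
```

An attacker who wants to delete issued-certificate rows quietly will often turn the filter off first, delete, then turn it back on, so a 4885 pair bracketing a gap with no 4896 events is itself a strong signal; the `AuditFilter` value alone may already look healthy again by the time you check.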
**Directory Services Restore Mode Password Change** (Severity: Medium; Alert ID: 2438)

Description: Directory Services Restore Mode (DSRM) is a special boot mode in Windows Server that allows an administrator to repair or restore the Active Directory database. This mode is typically used when there are issues with Active Directory and a normal boot isn't possible. The DSRM password is set during the promotion of a server to a domain controller. An alert is triggered when Defender for Identity detects that the DSRM password has been changed. We recommend investigating the source computer and the user who made the request to determine whether the DSRM password change was a legitimate administrative action or a sign of unauthorized access or a potential security threat.

Learning period: None

MITRE:
- Primary MITRE tactic: Persistence (TA0003)
- MITRE attack technique: Account Manipulation (T1098)
- MITRE attack subtechnique: N/A

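The DSRM administrator is a local account on each DC that normally cannot log on while the DC is running; attackers who set its password typically also set the `DsrmAdminLogonBehavior` registry value to 2 so the account works over the network as a persistent backdoor, and Security event 4794 records the password change itself. The PowerShell below is an added example (not from the Microsoft page or from Defender for Identity) that checks both on every DC. The registry path, value name, value meanings and event ID are real; hostnames in the usage comment are constructed.

```powershell
# Added example: the two checks a responder runs after a DSRM password change alert.
# Registry location and event 4794 are real; hosts in the usage comment are constructed.

function Get-DsrmLogonBehaviorVerdict {
    param($Value)   # DsrmAdminLogonBehavior as read from the registry; $null when the value is absent
    if ($null -eq $Value -or $Value -eq 0) { return 'OK: DSRM account usable only when booted into DSRM' }
    switch ([int]$Value) {
        1       { return 'WARN: DSRM logon allowed whenever the AD DS service is stopped' }
        2       { return 'ALERT: DSRM logon always allowed - classic persistence setting' }
        default { return "ALERT: unexpected value $Value" }
    }
}

function Test-DsrmPersistence {
    param([string[]]$DomainController)
    foreach ($dc in $DomainController) {
        $behavior = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
        }
        # 4794 = an attempt was made to set the Directory Services Restore Mode administrator password
        $changes = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4794; StartTime = (Get-Date).AddDays(-30)
        }
        [pscustomobject]@{
            DomainController       = $dc
            DsrmAdminLogonBehavior = $behavior
            Verdict                = Get-DsrmLogonBehaviorVerdict -Value $behavior
            PasswordSetEvents30d   = @($changes).Count
            LastChange             = ($changes | Select-Object -First 1).TimeCreated
        }
    }
}

# Offline demo of the verdict logic on constructed values
@($null, 0, 1, 2) | ForEach-Object { [pscustomobject]@{ Value = $_; Verdict = Get-DsrmLogonBehaviorVerdict -Value $_ } }

# Live run against every DC (needs the ActiveDirectory module and admin rights on the DCs):
# Test-DsrmPersistence -DomainController (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) | Format-Table -AutoSize
```

The 4794 event carries the subject account and the workstation the request came from, which is exactly what the investigation step above asks for; a change that was not a planned `ntdsutil` password reset, or any DC with `DsrmAdminLogonBehavior` set to 2, should be treated as persistence until proven otherwise.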
**Group Policy Tampering** (Severity: Medium; Alert ID: 2440)

Description: A suspicious change has been detected in Group Policy, resulting in the deactivation of Windows Defender Antivirus. This activity may indicate a security breach by an attacker with elevated privileges who is setting the stage for distributing ransomware.

Suggested steps for investigation:
- Determine whether the GPO change is legitimate.
- If it isn't, revert the change.
- Determine how the group policy is linked, to estimate its scope of impact.

Learning period: None

MITRE:
- Primary MITRE tactic: Defense Evasion (TA0005)
- MITRE attack technique: Subvert Trust Controls (T1553)
- MITRE attack subtechnique: N/A

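The three investigation steps above can be scripted. The PowerShell below is an added example (not from the Microsoft page or from Defender for Identity) that walks every GPO in the domain, looks for the registry policy values that switch Microsoft Defender Antivirus off, and reports where each offending GPO is linked so the scope of impact is visible. It needs the GroupPolicy module (RSAT) and an account that can read GPOs; the domain name `corp.contoso.com` in the usage comment is constructed, while the policy keys, cmdlets and event ID are real.

```powershell
# Added example: find GPOs that disable Defender Antivirus and show their link scope.
# Requires the GroupPolicy module; domain name in the usage comment is constructed.

# Policy values that neutralize Defender when set to 1 (attackers and ransomware stagers use these)
$DefenderKillSwitches = @(
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender';                      ValueName = 'DisableAntiSpyware' },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender';                      ValueName = 'DisableAntiVirus' },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName = 'DisableRealtimeMonitoring' },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName = 'DisableBehaviorMonitoring' }
)

function Get-DefenderDisablingGpo {
    param([string]$Domain = $env:USERDNSDOMAIN)
    Import-Module GroupPolicy -ErrorAction Stop

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPRegistryValue errors when the value is not configured, so treat errors as "absent"
        $hits = foreach ($policy in $DefenderKillSwitches) {
            $v = try {
                Get-GPRegistryValue -Guid $gpo.Id -Domain $Domain -Key $policy.Key -ValueName $policy.ValueName -ErrorAction Stop
            } catch { $null }
            if ($v -and $v.Value -eq 1) { "$($policy.Key)\$($policy.ValueName)=1" }
        }
        if (-not $hits) { continue }

        # The XML report lists every site/domain/OU the GPO is linked to (scope of impact)
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        [pscustomobject]@{
            GpoName      = $gpo.DisplayName
            GpoId        = $gpo.Id
            ModifiedTime = $gpo.ModificationTime
            Settings     = ($hits -join '; ')
            LinkedTo     = (@($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; ')
        }
    }
}

# Usage (live domain; name constructed):
# Get-DefenderDisablingGpo -Domain 'corp.contoso.com' | Format-List
#
# Revert a setting once it is confirmed illegitimate (step 2 above):
# Remove-GPRegistryValue -Guid <GpoId> -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' -ValueName 'DisableAntiSpyware'
#
# To attribute the change, the Security log of the DC the GPO was edited on (by default the PDC
# emulator) records the directory-object modification as event 5136 with ObjectClass groupPolicyContainer.
```

`ModificationTime` next to `LinkedTo` is usually enough to separate a fresh change linked at the domain root (the ransomware-staging pattern the alert describes) from an old, narrowly scoped exception that a server team set up years ago.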
Note
Contact support to disable security alerts.