Using Microsoft Defender for Identity to Detect Advanced Attacks
07/14/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in using Microsoft Defender for Identity (MDI), a cloud-based security solution that uses on-premises Active Directory signals to identify, detect, and investigate advanced threats and compromised identities. MDI is an integral part of the Microsoft 365 Defender suite (renamed Microsoft Defender XDR in late 2023), providing critical visibility into suspicious activity in the identity environment [1].
Introduction
Identities are the new security perimeter. Modern cyberattacks often aim to compromise user and administrator credentials to gain privileged access, perform lateral movement, and exfiltrate data. Traditional network security solutions are often not enough to detect these tactics, because the traffic they generate is ordinary, valid authentication. Microsoft Defender for Identity fills this gap by monitoring domain controllers' network traffic and event logs to identify anomalous behavior that indicates identity attacks, such as Pass-the-Hash, Pass-the-Ticket, network reconnaissance, and privilege escalation [2].
This practical guide will cover the configuration and use of MDI, from deploying sensors to analyzing alerts and investigating incidents. Step-by-step instructions, example detections, and validation methods will be provided so that readers can implement and strengthen the protection of their identities, reducing risk exposure and improving responsiveness to advanced threats in their Microsoft environment.
Why is Microsoft Defender for Identity crucial?
- Identity-Based Attack Detection: Identifies common tactics, techniques, and procedures (TTPs) used in identity attacks, such as Pass-the-Hash, Pass-the-Ticket, Golden Ticket, network reconnaissance, and privilege escalation.
- Comprehensive Visibility: Monitors network traffic from domain controllers and event logs to build a profile of normal user behavior and detect anomalies.
- Integration with Microsoft 365 Defender: Correlates MDI alerts with signals from other Defender solutions (Endpoint, Office 365, Cloud Apps) for a unified view of incidents.
- Behavioral Analysis: Uses machine learning and behavioral analysis to detect threats that would go unnoticed by traditional signatures.
- Reduce False Positives: Microsoft threat intelligence and behavior profiling helps you cut through the noise and focus on real threats.
Prerequisites
To implement Microsoft Defender for Identity, you will need the following items:
- Licensing: A Microsoft 365 E5 Security, Microsoft 365 E5, Enterprise Mobility + Security E5 license, or a Defender for Identity standalone license [3].
- Administrative Access: An account holding the Global Administrator or Security Administrator role for the Microsoft 365 Defender portal (https://security.microsoft.com).
- Active Directory: An on-premises Active Directory domain with at least one domain controller.
- Server for Sensor (optional): The sensor is normally installed directly on each domain controller, where it reads the DC's own network traffic and event logs at the cost of some CPU and memory on the DC. Alternatively, a standalone sensor can run on a dedicated Windows Server (2016 or later); it then depends on port mirroring from every monitored DC and does not see the DCs' Windows event logs unless they are forwarded to it, so some detections are weaker.
- Network Connectivity: The sensor server (or domain controller) must have outbound connectivity to the cloud MDI service endpoints (TCP port 443).
Step by Step: Configuring and Using Microsoft Defender for Identity
We'll cover sensor deployment and alert analysis.
1. Accessing the Microsoft 365 Defender Portal and Configuring MDI
- Open your browser and navigate to https://security.microsoft.com.
- Sign in with an account that has the necessary permissions.
- In the left navigation pane, select Settings > Identities.
- On the identities settings page, you will see the status of your MDI environment. If it's not already set up, follow the instructions to begin setup.
2. Downloading and Installing Microsoft Defender for Identity Sensor
The MDI sensor can be installed directly on the domain controllers or on a dedicated server (standalone sensor).
- In the Microsoft 365 Defender portal, go to Settings > Identities > Sensors.
- Click Add sensor.
- Copy the Access Key and download the Sensor Installation Package.
- On the server (domain controller or dedicated server) where you want to install the sensor:
- Extract the package and run the installer (Azure ATP sensor Setup.exe; the executable still carries the product's former Azure ATP name). The installer also deploys .NET Framework 4.7 if it is missing, which may require a restart.
- Follow the wizard's instructions and paste the Access Key when prompted.
- Note for Standalone Sensor: If you are installing a standalone sensor, ensure that port mirroring is configured on your network switches (or virtual switches) to send the domain controllers' network traffic to the standalone sensor's capture interface.
- After installation, the sensor should appear as Running on the Sensors page of the MDI settings.
3. Configuring Sensor Settings
It is important to configure sensor settings to ensure optimal detection.
- In the Microsoft 365 Defender portal, go to Settings > Identities > Sensors.
- Click a sensor to edit its settings.
- Check and configure:
- Domain Controllers: Ensure every domain controller in the forest is covered by a sensor (installed locally or mirrored to a standalone sensor); an uncovered DC is a blind spot for authentication traffic.
- Directory Service Account: Under Settings > Identities > Directory Service accounts, configure an account for each forest that MDI monitors (a group Managed Service Account is recommended). Sensors installed on domain controllers are domain synchronizer candidates by default; for standalone sensors, mark at least one sensor per domain as a domain synchronizer candidate so directory data is synced.
- Exclusions: (With caution) Configure exclusions only for entities or activities that you have verified as legitimate and that generate recurring false positives; an exclusion silences that detection for that entity entirely.
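The sensor deployment described in steps 1 to 3 can be scripted for many domain controllers. The following PowerShell is an added example and not part of the original article or of Microsoft's tooling: it pushes the extracted sensor package to each DC over PowerShell Remoting, runs the silent-install syntax documented by Microsoft, and reports whether the AATPSensor service came up. The DC names DC01 and DC02, the package directory C:\MDI and the remote staging path C:\Temp\MDI are assumptions; the Access Key is pasted at a prompt rather than stored in the script.

```powershell
# Added example (not from the original article): silent sensor install across several DCs.
# Assumptions: the package from Settings > Identities > Sensors is extracted to C:\MDI on the
# admin workstation (hypothetical path), the DCs are DC01 and DC02 (hypothetical names), and
# the account running the script can open remoting sessions to them.
$DomainControllers = @('DC01', 'DC02')
$LocalPackageDir   = 'C:\MDI'       # holds "Azure ATP sensor Setup.exe" and SensorInstallationConfiguration.json
$RemotePackageDir  = 'C:\Temp\MDI'
$AccessKey         = Read-Host -Prompt 'Paste the workspace Access Key'

$results = foreach ($dc in $DomainControllers) {
    $session = New-PSSession -ComputerName $dc

    # Stage the package on the DC (copy from this workstation avoids a double-hop to a file share)
    Invoke-Command -Session $session -ArgumentList $RemotePackageDir -ScriptBlock {
        param($Dir) New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    }
    Copy-Item -Path "$LocalPackageDir\*" -Destination $RemotePackageDir -ToSession $session -Recurse -Force

    Invoke-Command -Session $session -ArgumentList $RemotePackageDir, $AccessKey -ScriptBlock {
        param($Dir, $Key)
        $setup = Join-Path $Dir 'Azure ATP sensor Setup.exe'
        # Silent-install syntax documented by Microsoft. The installer also deploys
        # .NET Framework 4.7 when it is missing, which can require a restart.
        $setupArgs = @('/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=`"$Key`"")
        $proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru

        # Give the sensor up to five minutes to register with the cloud service and start
        $svc = $null
        for ($i = 0; $i -lt 30 -and $svc.Status -ne 'Running'; $i++) {
            Start-Sleep -Seconds 10
            $svc = Get-Service -Name AATPSensor -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            ExitCode      = $proc.ExitCode      # 0 = success; 3010 conventionally means restart required
            SensorService = $(if ($svc) { $svc.Status } else { 'not installed' })
        }
    }
    Remove-PSSession $session
}
$results | Format-Table -AutoSize
```

After the script finishes, the same sensors should show as Running under Settings > Identities > Sensors; a DC that reports an exit code of 0 but a stopped service usually has a connectivity problem, covered under Common Troubleshooting below.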
4. Analyzing Security Alerts
MDI generates alerts when it detects suspicious or malicious activity. These alerts are visible in the Microsoft 365 Defender portal.
- In the left navigation pane of the Microsoft 365 Defender portal, select Incidents and alerts > Alerts.
- Filter alerts by Service source = Microsoft Defender for Identity.
- Click an alert to view details, including:
- Description: Explains the nature of the attack.
- Affected entities: Users, computers and resources involved.
- Attack Timeline: A visual representation of the sequence of events.
- Recommended Actions: Steps to investigate and remediate the alert.
5. Investigating Incidents
MDI correlates related alerts across incidents, providing a unified view of an attack.
- In the left navigation pane of the Microsoft 365 Defender portal, select Incidents and alerts > Incidents.
- Click on an incident to see all alerts and related entities, as well as the full attack history.
- Use the investigation tools to deepen the analysis, such as Advanced Hunting for custom KQL (Kusto Query Language) queries over the IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents and AlertInfo/AlertEvidence tables that MDI populates.
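Alert triage and Advanced Hunting (steps 4 and 5) can also be driven from a script, which is useful when an investigation has to be repeated or fed to a ticketing system. The following PowerShell is an added example, not code from the original article or from Microsoft: it submits two KQL queries through the Microsoft Graph security API (runHuntingQuery). The first lists recent MDI alerts with the accounts and devices named as evidence; the second hunts for the lateral-movement pattern the article describes, one source computer authenticating with NTLM to many destinations in a short window. It assumes the Microsoft.Graph.Authentication module is installed and the signed-in user holds the ThreatHunting.Read.All permission.

```powershell
# Added example (not from the original article): Advanced Hunting via the Graph security API.
# Assumes the Microsoft.Graph.Authentication module and the ThreatHunting.Read.All permission.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

function Invoke-HuntingQuery {
    param([Parameter(Mandatory)][string]$Query)
    $body = @{ Query = $Query } | ConvertTo-Json
    $response = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body $body -ContentType 'application/json' -OutputType PSObject
    return $response.results
}

# 1) MDI alerts from the last 7 days, with the user and machine entities attached as evidence
$alertQuery = @'
AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Defender for Identity"
| join kind=inner (AlertEvidence | where EntityType in ("User", "Machine")) on AlertId
| summarize Accounts = make_set(AccountName), Devices = make_set(DeviceName)
    by AlertId, Timestamp, Title, Severity, Category
| order by Timestamp desc
'@

# 2) Lateral-movement hunt: a single source device completing NTLM logons to five or more
#    distinct destinations inside a 10-minute bin, the shape a replayed hash tends to produce.
#    DeviceName is the source of the logon, DestinationDeviceName the target.
$lateralQuery = @'
IdentityLogonEvents
| where Timestamp > ago(1d)
| where Protocol == "Ntlm" and ActionType == "LogonSuccess"
| where isnotempty(DestinationDeviceName)
| summarize Destinations = dcount(DestinationDeviceName),
            Targets = make_set(DestinationDeviceName, 10)
    by bin(Timestamp, 10m), AccountName, DeviceName
| where Destinations >= 5
| order by Destinations desc
'@

Invoke-HuntingQuery -Query $alertQuery |
    Format-Table Timestamp, Title, Severity, Accounts, Devices -AutoSize
Invoke-HuntingQuery -Query $lateralQuery |
    Format-Table Timestamp, AccountName, DeviceName, Destinations, Targets -AutoSize
```

The threshold of five destinations in ten minutes is a starting point, not a tuned value: backup agents, vulnerability scanners and monitoring accounts legitimately produce this pattern, so the first run of the hunt mostly surfaces candidates for an allow-list.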
Validation and Testing
Validating the MDI is essential to ensure that it is correctly detecting threats and generating alerts.
1. Simulating a Pass-the-Hash (PtH) Attack
To simulate a PtH attack you need a lab domain with a domain controller, a client workstation that acts as the attacker host, and a second member server as the target. Perform this only in an isolated test environment: Mimikatz is blocked by Microsoft Defender Antivirus and most EDR products, so expect to exclude it or disable real-time protection on the lab client, and never run it against production hosts. Note also that MDI's pass-the-hash detection compares where a hash is used against the user's normal logon pattern, so the test account should already have a history of logging on from its usual computer.
- On the client, use a tool like Mimikatz to extract the NTLM hash of a privileged user (e.g. Administrator). Example commands (require elevated privileges):
```cmd
privilege::debug
sekurlsa::logonpasswords
```
- Use the obtained hash to open a shell that authenticates as that user without the real password, then access a resource on another computer so that NTLM authentication actually happens over the network (ADMIN_NTLM_HASH and SERVER01 are placeholders for the extracted hash and the target server):
```cmd
sekurlsa::pth /user:Administrator /domain:mydomain.com /ntlm:ADMIN_NTLM_HASH /run:cmd.exe
```
From the command prompt that opens:
```cmd
dir \\SERVER01\C$
```
- Wait a few minutes.
- In the Microsoft 365 Defender portal, look for the alert Suspected identity theft (pass-the-hash) from Microsoft Defender for Identity; it names the account and the source and destination computers.
2. Simulating Network Reconnaissance
- On a domain-joined test machine, run enumeration commands of the kind MDI detects. They exercise different protocols and therefore different detections: dsquery issues LDAP queries, nltest enumerates domain trusts through Netlogon, and the net commands use SAMR.
```cmd
dsquery user -limit 0
nltest /domain_trusts
net user /domain
net group "Domain Admins" /domain
```
- Wait a few minutes.
- In the Microsoft 365 Defender portal, look for reconnaissance alerts from Microsoft Defender for Identity such as User and group membership reconnaissance (SAMR), which is triggered by SAMR queries like net user /domain and net group /domain, or Active Directory attributes reconnaissance (LDAP). Some reconnaissance detections (SAMR in particular) have a learning period after sensor deployment and stay silent until it has completed.
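Both validation tests end with "check the portal", which is awkward to repeat after every change. The following PowerShell is an added example and not part of the original article: it runs the reconnaissance commands from a lab workstation (the LDAP step uses the same query dsquery user -limit 0 issues, through the built-in DirectorySearcher), records the start time, and then polls the Microsoft Graph alerts API for Defender for Identity alerts created since that moment. It assumes a domain-joined test machine, the Microsoft.Graph.Authentication module, and the SecurityAlert.Read.All permission; run it only in a lab domain.

```powershell
# Added example (not from the original article): reconnaissance test plus alert polling.
# Assumptions: run on a domain-joined lab workstation; Microsoft.Graph.Authentication is
# installed; the signed-in user holds SecurityAlert.Read.All.
Import-Module Microsoft.Graph.Authentication
$started = [DateTime]::UtcNow

# SAMR enumeration, the trigger for "User and group membership reconnaissance (SAMR)"
net user /domain | Out-Null
net group "Domain Admins" /domain | Out-Null

# LDAP enumeration of every user object: the same query dsquery user -limit 0 sends
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000                 # paged search so large domains return fully
$users = $searcher.FindAll()
"{0} user objects enumerated over LDAP" -f $users.Count

# Trust enumeration over Netlogon
nltest /domain_trusts | Out-Null

# Poll for MDI alerts created after the test began. MDI needs time to process the
# traffic, so retry once a minute for up to 30 minutes before giving up.
Connect-MgGraph -Scopes 'SecurityAlert.Read.All' -NoWelcome
$odataFilter = "serviceSource eq 'microsoftDefenderForIdentity' and createdDateTime ge $($started.ToString('o'))"
$uri = "https://graph.microsoft.com/v1.0/security/alerts_v2?`$filter=$([uri]::EscapeDataString($odataFilter))"

$alerts = @()
for ($i = 0; $i -lt 30; $i++) {
    $alerts = @((Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value)
    if ($alerts.Count -gt 0) { break }
    Start-Sleep -Seconds 60
}

if ($alerts.Count -eq 0) {
    "No Defender for Identity alerts since $($started.ToString('u')); check sensor status, exclusions and learning periods."
} else {
    $alerts | Select-Object createdDateTime, title, severity, status | Format-Table -AutoSize
}
```

If the SAMR commands produce no alert while the sensor is healthy, the most likely cause is the learning period noted above rather than a misconfiguration; record the first run's date and repeat the test once the period has elapsed.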
Security Tips and Best Practices
- Complete Domain Controller Coverage: Install MDI sensors on all domain controllers to ensure complete coverage of authentication traffic and logs.
- Proper Port Mirroring: For standalone sensors, ensure port mirroring is configured correctly to capture all relevant traffic.
- Continuous Alert Monitoring: Actively monitor alerts generated by MDI in the Microsoft 365 Defender portal and promptly investigate them.
- SIEM/SOAR integration: Integrate MDI alerts with your SIEM (e.g. Microsoft Sentinel) or SOAR for incident response automation and correlation with other security data.
- Active Directory Hygiene: Keep Active Directory clean and secure by removing inactive accounts, applying the principle of least privilege, and protecting privileged accounts.
- Privileged Account Protection: Implement PIM (Privileged Identity Management) in conjunction with MDI to further protect privileged accounts.
- Patches and Updates: Keep domain controllers and servers hosting MDI sensors updated with the latest security patches.
Common Troubleshooting
- Sensor does not appear as "Running": Check that the AATPSensor and AATPSensorUpdater services are running on the sensor host and that it has outbound TCP 443 connectivity to the MDI cloud endpoint (<workspace-name>sensorapi.atp.azure.com). Review the sensor's own logs under %ProgramFiles%\Azure Advanced Threat Protection Sensor\<version>\Logs for installation or communication errors, then restart the sensor service.
- No alert generated: Check that the sensor is "Running" and that the test traffic actually passed through a monitored domain controller (for a standalone sensor, that DC traffic is mirrored to it). Check whether a configured exclusion covers the test entity, and whether the detection has a learning period that has not yet elapsed. Some detections also depend on Windows events the sensor reads from the DC (for example NTLM auditing event 8004), so confirm the audit policy prerequisites from Microsoft's sensor documentation are in place.
- False Positive Alerts: Investigate alert details. You may need to adjust exclusions or settings to reduce noise, but do so with caution so as not to ignore real threats.
- Domain controller performance issues: If the MDI sensor is installed directly on a domain controller and there are performance issues, check the hardware requirements and consider installing a standalone sensor on a dedicated server.
- Domain sync issues: Ensure that the sync accounts for each AD forest are configured correctly in the MDI settings.
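The first two troubleshooting items are quick to check from the sensor host itself. The following PowerShell is an added example and not part of the original article: it reports the sensor service states, tests name resolution and the TCP handshake to the sensor API endpoint on port 443, pulls the most recent warnings and errors from the sensor's own log files, and reports whether the host is a domain controller (if it is not, the sensor is standalone and depends on port mirroring). The workspace name contoso, and therefore the endpoint contososensorapi.atp.azure.com, is an assumption to be replaced with your own.

```powershell
# Added example (not from the original article): health checks on a sensor host.
# Assumption: the workspace is named contoso (hypothetical), giving the documented
# endpoint pattern <workspace-name>sensorapi.atp.azure.com.
$Workspace = 'contoso'
$Endpoint  = "${Workspace}sensorapi.atp.azure.com"

# 1) Sensor services
Get-Service -Name AATPSensor, AATPSensorUpdater -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 2) Outbound TCP 443 to the sensor API endpoint (covers DNS and the TCP handshake;
#    a TLS-inspecting proxy can still break the connection after this succeeds)
$tnc = Test-NetConnection -ComputerName $Endpoint -Port 443 -WarningAction SilentlyContinue
"TCP 443 to {0}: {1}" -f $Endpoint, $(if ($tnc.TcpTestSucceeded) { 'OK' } else { 'FAILED' })

# 3) Latest warnings/errors from the sensor's own logs
$logRoot = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection Sensor'
Get-ChildItem -Path $logRoot -Recurse -Filter 'Microsoft.Tri.Sensor*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 2 |
    ForEach-Object {
        "--- $($_.FullName)"
        Select-String -Path $_.FullName -Pattern 'Error|Warn' |
            Select-Object -Last 15 -ExpandProperty Line
    }

# 4) Domain controller or standalone? Win32_ComputerSystem.DomainRole 4/5 = backup/primary DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
"DomainRole = {0}: {1}" -f $role, $(if ($role -ge 4) {
    'domain controller, sensor captures traffic locally'
} else {
    'not a DC, standalone sensor: verify port mirroring from every monitored DC'
})
```

A sensor whose services are running and whose TCP test succeeds but which still shows as not Running in the portal is usually failing TLS through an inspecting proxy; the log errors from step 3 will name the failing request.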
Conclusion
Microsoft Defender for Identity is an essential tool in defending against advanced attacks that target an organization's identity infrastructure. By providing deep visibility into Active Directory and detecting anomalous behavior in real time, MDI empowers security teams to quickly identify and respond to threats such as lateral movement, privilege escalation, and credential compromise. Careful implementation of MDI, combined with identity security best practices and integration with other Microsoft 365 Defender solutions, significantly strengthens the overall security posture. With this practical guide, security professionals will be able to use Microsoft Defender for Identity to protect their most valuable identities, ensuring a safer and more resilient environment against attackers' most sophisticated tactics.
References:
[1] Microsoft Learn. What is Microsoft Defender for Identity? Available at: https://learn.microsoft.com/pt-br/defender-for-identity/what-is
[2] Microsoft Learn. Overview of Microsoft Defender for Identity deployment. Available at: https://learn.microsoft.com/pt-br/defender-for-identity/deploy/deploy-defender-identity
[3] Microsoft Learn. Microsoft Defender for Identity licensing requirements. Available at: https://learn.microsoft.com/pt-br/defender-for-identity/what-is#licensing-requirements