Last Updated on August 28, 2024 by Michael Morten Sonne
Introduction
In Public Preview as this post is written
What is Microsoft Defender for Identity
Microsoft Defender for Identity is a comprehensive security solution provided by Microsoft, specifically tailored for safeguarding organizational identities. It offers advanced threat detection capabilities to help protect against sophisticated cyberattacks targeting identity infrastructure.
By continuously monitoring user activities, behaviors, and configurations within on-premises and cloud environments, Microsoft Defender for Identity helps organizations detect suspicious activities indicative of potential security threats, such as unauthorized access attempts, lateral movement, or privilege escalation. Through its robust features and real-time alerts, it enables security teams to promptly respond to and mitigate security risks, thereby strengthening the overall security posture of the organization.
For what Defender for Identity is, how to install it and so on, check out my blog post here: Microsoft Defender for Identity – What is it, how to install it and setup requirements – Blog – Sonne´s Cloud (sonnes.cloud) – there are scripts ready for you to deploy it! 🤝😎
I strongly advise everyone to install a sensor on any Domain Controller, AD CS, AD FS, or Microsoft Entra Connect server(s) if you have a license for it!
What is Entra ID Connect?
Entra ID Connect (formerly known as Azure AD Connect) is a Microsoft service that synchronizes on-premises Active Directory with Entra ID (previously Azure Active Directory). It enables identity management and single sign-on across on-premises and cloud resources, ensuring consistent and secure access for users.
The new Microsoft Defender for Identity sensor for Entra ID Connect servers enhances security by monitoring synchronization activities, detecting potential threats, and providing specific security alerts and posture recommendations for hybrid identity environments.
Prerequisites
- Microsoft .NET Framework 4.7 or later is installed on the machine. If Microsoft .NET Framework 4.7 or later isn’t installed, the Defender for Identity sensor setup package installs it, which might require a reboot of the server.
- The latest version of Entra ID Connect Server is currently 2.3.20.0 (Microsoft Entra Connect: Version release history). According to the Product Team, there are no general version limitations, at least for now.
- A downloaded copy of your Defender for Identity sensor setup package and the access key.
- Valid Defender for Identity license
- Sensor installed on servers running Microsoft Entra Connect services
What is added
Microsoft Defender for Identity is extending its support to servers through Microsoft Entra Connect, formerly known as Azure AD Connect or AAD Connect. Microsoft Entra Connect is a Microsoft service designed to synchronize on-premises Active Directory environments with Entra ID (Azure Active Directory), facilitating identity management and enabling single sign-on capabilities across on-premises and cloud-based resources.
As of now, there is no estimated time for when Cloud Sync support will be available, but we hope it’s coming soon! 🫡
To maintain a proactive stance against emerging threats and to continuously provide robust security solutions to customers, the team at Microsoft is constantly evolving and refining the offerings toward a more comprehensive and integrated approach to securing identity infrastructure.
Customers can now bolster their security measures by installing a sensor on servers running Microsoft Entra Connect services. This integration offers immediate security coverage without necessitating any configuration. It extends security coverage to detect potential threats such as PowerShell Remote Execution and NTLM Relay attacks, while also enhancing visibility into various activities and refining the detection of false positives associated with the DC sync attack.
New detections
- Suspicious Interactive Logon to the Entra Connect Server
  - Overview: Direct logins to Entra Connect servers are rare and potentially dangerous, as attackers may target these servers to steal credentials for broader access. This detection identifies abnormal logins, especially on standalone servers not functioning as Domain Controllers, to help quickly identify and respond to threats.
  - Pre-requisite: The 4624 logon event must be enabled on Entra Connect servers that are not Domain Controllers.
- User Password Reset by Entra Connect Account
  - Overview: The Entra Connect connector account holds significant privileges, including resetting user passwords. This detection identifies and alerts on any malicious or illegitimate use of these privileges, particularly when the password writeback feature is disabled.
- Suspicious Writeback by Entra Connect on a Sensitive User
  - Overview: Expanding existing protections, this detection identifies unauthorized password resets on sensitive accounts, helping to safeguard against advanced attacks targeting both cloud and on-premises environments.
Additional Improvements and Capabilities
- Tracking Failed Password Resets: New logging of failed password reset attempts on sensitive accounts is available in the ‘IdentityDirectoryEvents’ table within Advanced Hunting, enabling custom detections and better monitoring.
- Enhanced DC Sync Attack Detection: Improved accuracy in detecting Domain Controller synchronization attacks.
- New Health Alerts: Alerts are generated if the sensor cannot retrieve configurations from the Entra Connect service, ensuring ongoing monitoring of sensor health.
- Extended Security Alert Monitoring: Enhanced monitoring capabilities include detecting PowerShell Remote Execution and other security threats when the new sensor is installed on Entra Connect servers.
New Posture Recommendations
- Rotate Password for Entra Connect Connector Account
  - Overview: Regularly rotating the password of the Entra Connect connector account (MSOL_XXXXXXXX account) is critical, especially if the password hasn’t been changed in over 90 days. This helps prevent unauthorized access to high-privilege functions such as replication and password resets, which would allow attackers to modify synchronization settings and compromise security in both cloud and on-premises environments, as well as offering several paths for compromising the entire domain. For more information click here.
- Remove Unnecessary Replication Permissions
  - Overview: To reduce the attack surface, unnecessary replication permissions for the Entra Connect account should be removed, particularly if Password Hash Sync is not in use.
- Change Password for Entra Seamless SSO Account
  - Overview: The Entra seamless SSO account (AZUREADSSOACC) should have its password rotated if it is older than 90 days, to prevent attackers from exploiting the account to impersonate users. For more information click here.
  - Important: If an attacker gains control of this account, they can create service tickets for the AZUREADSSOACC account, allowing them to impersonate any user within the Entra tenant synchronized from Active Directory. This could enable the attacker to move laterally from Active Directory into Entra ID.
- Remove Resource-Based Constrained Delegation
  - Overview: If configured, resource-based constrained delegation on the Azure SSO account should be removed to prevent potential lateral movement attacks from on-premises Active Directory to Entra ID.
You can now enhance your security by installing a sensor on servers running Microsoft Entra Connect services. These enhancements and recommendations aim to bolster security around Entra Connect servers, improving detection and response to potential threats and ensuring a more secure environment.
If you haven’t set up the Seamless SSO feature for your Entra ID Connect, the two recommendations for the Azure SSO account will not appear in your Secure Score overview 😉
You can read more here about the different tasks:
- Permissions needed: https://aka.ms/IspmEntraConnectReplicationPermissions
- How to rotate password: https://aka.ms/IspmRotatePasswordEntraConnect
Those improvement actions are available in Microsoft Secure Score if you have the sensor installed. Your score will be updated accordingly too 🫡
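The four posture recommendations above can also be checked directly against on-premises Active Directory. The script below is an added example (not from the original post or from Microsoft); it assumes the RSAT ActiveDirectory module and an account that can read the domain root ACL and the AZUREADSSOACC computer object.

```powershell
# Added example: audit the Entra Connect posture recommendations against on-premises AD.
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$MaxAgeDays = 90
$Domain     = Get-ADDomain
$Findings   = New-Object System.Collections.Generic.List[string]

# Recommendations 1 and 3: password age of the MSOL_* connector account(s) and AZUREADSSOACC
$Accounts = @(Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties PasswordLastSet)
$Sso = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' `
         -Properties PasswordLastSet, PrincipalsAllowedToDelegateToAccount
if ($Sso) { $Accounts += $Sso }
foreach ($acct in $Accounts) {
    if (-not $acct.PasswordLastSet) { $Findings.Add("[Rotate] $($acct.SamAccountName): password never set"); continue }
    $age = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    if ($age -gt $MaxAgeDays) {
        $Findings.Add("[Rotate] $($acct.SamAccountName): password last set $age days ago (> $MaxAgeDays)")
    }
}

# Recommendation 4: resource-based constrained delegation configured on AZUREADSSOACC
if ($Sso -and $Sso.PrincipalsAllowedToDelegateToAccount) {
    $principals = $Sso.PrincipalsAllowedToDelegateToAccount -join ', '
    $Findings.Add("[RBCD] AZUREADSSOACC allows delegation from: $principals")
}

# Recommendation 2: replication extended rights held by MSOL_* on the domain root.
# These are the documented extended-right GUIDs for DS-Replication-Get-Changes(-All);
# whether the -All right is needed depends on whether Password Hash Sync is in use.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$acl = Get-Acl -Path "AD:\$($Domain.DistinguishedName)"
foreach ($ace in $acl.Access) {
    $right = $ReplRights[$ace.ObjectType.ToString()]
    if ($right -and $ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -like '*\MSOL_*') {
        $Findings.Add("[Replication] $($ace.IdentityReference.Value) holds $right on the domain root")
    }
}

if ($Findings.Count) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No posture findings.' }
```

If Seamless SSO is not configured, the AZUREADSSOACC lookup returns nothing and only the connector account checks run, which matches what Secure Score shows in that case.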
How to install the new sensor
Get the installer needed
- Go to your Microsoft Defender portal and go to Settings > Identities.
- Select the Sensors tab in the top, which displays all of your Defender for Identity sensors currently installed and running.
- Select Add sensor. Then, in the Add a new sensor pane, select Download installer and save the installation package locally. The downloaded zip file includes the following files:
  - The Defender for Identity sensor installer
  - The configuration setting file with the required information to connect to the Defender for Identity cloud service.
  - Npcap OEM version 1.0, which is automatically installed by the sensor installation if it’s not found to be already installed
- In the Add a new sensor pane, copy the Access key value and save it to a secured location. This access key is a one-time password for use when deploying the sensor, after which communication is performed using certificates for authentication and TLS encryption.
- Use the Regenerate key button if you ever need to regenerate the access key. It won’t affect any previously deployed sensors, because the key is only used for initial registration of the sensor.
- Copy the downloaded installation package to the dedicated server where you’re installing the Defender for Identity sensor – in this post our Entra ID Connect Server 😎
INFO: If you have any issues regarding installation or upgrading of your sensors, try to remove the sensor completely via my PowerShell script here: Microsoft Defender for Identity – How to manually remove a malfunctioning sensor that can’t be installed, uninstalled or removed – and then try to install the sensor again! Tested a lot here and by other people in the community 🫡
Install the Microsoft Defender for Identity sensor for Entra ID Connect
Perform the following steps on your Microsoft Entra ID Connect Server – it supports staging servers too.
- Verify the machine has connectivity to the relevant Defender for Identity cloud service endpoint(s): <tenantname>sensorapi.atp.azure.com on HTTPS port 443.
- Extract the installation files from the zip file. Installing directly from the zip file itself will fail.
- Run Azure ATP sensor setup.exe with elevated privileges (Run as administrator) and follow the setup wizard.
- On the Welcome page, select your language and select Next.
The installation automatically checks whether the server is a Domain Controller, AD FS server, AD CS server, or a dedicated server:
- If it’s a domain controller / AD FS server / AD CS server, the Defender for Identity sensor is installed.
- If it’s a dedicated server, the Defender for Identity standalone sensor is installed.
But when I tested this (in preview), the installer couldn’t select any of them, so the types are greyed out:
- Select Next.
If a domain controller, AD FS server, AD CS, or dedicated server fails to meet the minimum hardware requirements for installation, a warning will be generated.
However, this warning does not obstruct you from proceeding with the installation by selecting Next, as proceeding might still be appropriate. For instance, in scenarios such as setting up a small lab test environment, where lesser storage space is required, proceeding despite the warning could be suitable.
- On the Configure the sensor screen, enter the installation path and the setup package access key.
- Enter the following details:
  - Installation path: The location where the Defender for Identity sensor is installed. By default the path is %programfiles%\Azure Advanced Threat Protection sensor. Leave the default value.
  - Access key: Retrieved from the Microsoft Defender portal in the previous step.
- Select Install. The following components are installed and configured during the installation of the Defender for Identity sensor.
After a short time the installer is done – and the agent is installed:
Now click on Finish and the installer ends. Now you should be able to see the new sensor installed in the Microsoft Defender portal under Settings > Identities.
Get sensor versions and types
You can view the sensor’s actual version and state on the Microsoft Defender sensor settings page, or locally in the executable path and its file version.
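To tie the prerequisites, the connectivity step and this post-install check together, here is an added PowerShell example (not from the original post or from Microsoft) that reports them from the Entra Connect server itself. The tenant prefix, the service names AATPSensor/AATPSensorUpdater, the ADSync service name and the sensor binary name Microsoft.Tri.Sensor.exe under the default installation path are assumptions to verify in your own environment.

```powershell
# Added example: pre-install prerequisite checks and post-install verification for the
# Defender for Identity sensor on an Entra Connect server. Service and binary names are
# assumptions (see lead-in); $TenantPrefix is the <tenantname> part of the sensor API URL.
param([string]$TenantPrefix = 'contoso')

$Report = [ordered]@{}

# Prerequisite: .NET Framework 4.7 or later (Release registry value 460798 and above)
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$Report['DotNet47OrLater'] = [int]$ndp.Release -ge 460798

# Prerequisite: Entra Connect present (sync service) and the installed version
$adsync = Get-Service -Name ADSync -ErrorAction SilentlyContinue
$Report['ADSyncService'] = if ($adsync) { $adsync.Status.ToString() } else { 'not installed' }
$app = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
       Where-Object { $_.DisplayName -match 'Azure AD Connect|Entra Connect' } | Select-Object -First 1
$Report['EntraConnectVersion'] = if ($app) { $app.DisplayVersion } else { 'not found' }

# Prerequisite for the interactive logon detection: event 4624 needs Logon auditing enabled
$audit = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$Report['LogonAuditing'] = $audit.'Inclusion Setting'

# Install step 1: TCP 443 to <tenantname>sensorapi.atp.azure.com
$endpoint = "${TenantPrefix}sensorapi.atp.azure.com"
$Report['SensorApiReachable'] = (Test-NetConnection -ComputerName $endpoint -Port 443 `
                                  -WarningAction SilentlyContinue).TcpTestSucceeded

# Post-install: sensor services and the version that is actually running on disk
foreach ($svc in 'AATPSensor', 'AATPSensorUpdater') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $Report[$svc] = if ($s) { $s.Status.ToString() } else { 'not installed' }
}
$sensorRoot = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection Sensor'
$exe = Get-ChildItem -Path $sensorRoot -Recurse -Filter 'Microsoft.Tri.Sensor.exe' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
$Report['SensorVersion'] = if ($exe) { $exe.VersionInfo.FileVersion } else { 'not found' }

[pscustomobject]$Report
```

Run it once before installation (expect the sensor rows to read "not installed") and again afterwards to confirm both services are Running and the file version matches what the portal shows.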
Advanced hunting
There is a table named IdentityDirectoryEvents – and here you can see a lot more data – here are some samples to start with 😉
This query filters and displays specific events related to PowerShell execution and service creation from the IdentityDirectoryEvents table:
IdentityDirectoryEvents
| where ActionType == 'PowerShell execution' or ActionType == 'Service creation'
| project Timestamp, ActionType, TargetDeviceName, DestinationDeviceName, Protocol, AccountDisplayName
| order by Timestamp desc
This query analyzes the frequency of events over time to detect spikes or anomalies that might indicate an attack in progress:
IdentityDirectoryEvents
| summarize EventCount=count() by bin(Timestamp, 1h)
| render timechart
With this query you can look for activities associated with credential dumping or unauthorized replication attempts, which might indicate a security threat:
IdentityDirectoryEvents
| extend AdditionalFieldsJson = parse_json(AdditionalFields)
| extend AttackTechniques = tostring(AdditionalFieldsJson.AttackTechniques)
| extend SourceAccountId = tostring(AdditionalFieldsJson.SourceAccountId)
| extend SourceComputerId = tostring(AdditionalFieldsJson.SourceComputerId)
| extend DestinationComputerObjectGuid = tostring(AdditionalFieldsJson.DestinationComputerObjectGuid)
| extend IsSuccess = tostring(AdditionalFieldsJson.IsSuccess)
| where AttackTechniques has_any ("T1003", "T1003.006", "T1003.003")
| summarize Count=count() by Timestamp, SourceAccountId, SourceComputerId, DestinationComputerObjectGuid, AttackTechniques, IsSuccess, DeviceName
And with this query you can track all directory service replication events to monitor for unusual patterns, especially those involving high-risk attack techniques:
IdentityDirectoryEvents
| extend AdditionalFieldsJson = parse_json(AdditionalFields)
| extend Task = tostring(AdditionalFieldsJson["ARG.TASK"])
| where Task == "Directory Services replication"
Do you have some other nice KQL samples for Entra ID Connect? Let me know, and we can add them to the post!
Conclusion
Identities are arguably the most targeted attack vector, with cybercriminals constantly evolving their strategies to exploit new vulnerabilities or gaps in protection. Many organizations manage hybrid identity environments, combining on-premises Active Directory with Entra ID in the cloud. The gaps between these two elements create significant opportunities for attackers, and as the primary bridge between them, Entra Connect servers are considered tier-0 level assets.
The expansion of Microsoft Defender for Identity support to servers with Microsoft Entra Connect marks a significant advancement in strengthening organizational security postures.
By integrating with Microsoft Entra Connect, formerly known as Azure AD Connect, Microsoft extends its robust threat detection capabilities to on-premises Active Directory environments, ensuring a seamless and comprehensive approach to identity security management. This integration empowers organizations to better protect their infrastructure against evolving cyber threats, providing enhanced visibility and control over user activities across both on-premises and cloud-based resources.
As Microsoft continues to evolve and refine its security offerings, this expansion underscores its commitment to delivering cutting-edge solutions that enable organizations to stay ahead of emerging threats and safeguard their critical assets effectively.
Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍
Stay tuned for the new post about something cool! 🥳
References
Microsoft Defender for Identity documentation – Microsoft Defender for Identity | Microsoft Learn