Exploring Attack Simulations for Microsoft Defender for Identity

In the ever-evolving cybersecurity landscape, organizations face an unending challenge to secure their sensitive data and networks. Microsoft Defender for Identity emerges as a formidable solution, purpose-built to identify and respond to anomalous or suspicious activities targeting domain controllers. To ensure the effectiveness of your Defender for Identity configuration, this article delves into a series of attack simulations. It’s essential to remember that the third-party hacking tools discussed in this article are intended solely for research purposes and should be employed exclusively within controlled test lab environments.

Network Mapping Reconnaissance (DNS)

Attackers often commence their campaigns by mapping an organization’s network structure. The Network Mapping Reconnaissance alert within Defender for Identity is designed to detect suspicious DNS requests, such as those originating from non-DNS servers or involving excessive requests. To simulate this attack, follow the provided commands, which should trigger the “Network mapping reconnaissance alert.”

User and IP Address Reconnaissance

User and IP Address Reconnaissance entails attackers attempting to enumerate SMB sessions against a domain controller. This reconnaissance seeks to identify users who have accessed the SYSVOL share. To simulate this attack, employ the provided command to prompt the “User and IP address reconnaissance alert.”

User and Group Membership Reconnaissance (SAMR)

In this scenario, attackers use User and Group Membership Reconnaissance to map the directory structure and pinpoint privileged accounts using the SAMR protocol. Simulate this attack by executing the provided commands to generate the “User and group membership reconnaissance alert.”

Security Principal Reconnaissance (LDAP)

Defender for Identity monitors LDAP security principal reconnaissance in this detection scenario, which is commonly the initial step in a Kerberoasting attack. Attackers aim to obtain a list of Security Principal Names (SPNs) as a foundation for compromising the network. To simulate this attack, use the provided tools and commands to trigger the “Security principal reconnaissance alert.”

Honeytoken Activity

Honeytokens act as bait, designed to attract attackers. Any activity involving them may indicate malicious behavior. To simulate this, attempt to sign in to the honeytoken account using either an incorrect or a valid password.

Active Directory Attributes Reconnaissance (LDAP)

Attackers often employ Active Directory LDAP Attributes Reconnaissance to gather critical information about the domain environment. This includes accounts with weak encryption ciphers. To simulate this reconnaissance, set specific LDAP filters or run the provided commands to trigger the “Active Directory attributes reconnaissance alert.”

Account Enumeration Reconnaissance

In this scenario, attackers attempt to identify valid usernames in the domain by making Kerberos or NTLM requests using a list of names. To simulate this attack, create a list of usernames and run the provided PowerShell command, which will trigger the “Account enumeration reconnaissance alert.”

Suspected Kerberos SPN Exposure

The “Suspected AS-REP Roasting attack” alert detects attackers attempting to enumerate service accounts and their Service Principal Names (SPNs). To simulate this attack, you can use the provided commands to run tools like Rubeus, which will trigger the “Suspected AS-REP Roasting attack alert.”

Suspected Brute-Force Attack (Kerberos, NTLM, and LDAP) & Password Spray Attack

Defender for Identity detects brute-force attacks involving multiple authentication failures. To simulate these attacks, try signing in with different passwords to a few accounts or conduct a password spray attack using the provided commands, which will trigger the respective alerts.
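The account enumeration alert above and the brute-force and password-spray alerts in this section all key on Kerberos authentication failures. The following added example (not from the original article or from Microsoft) classifies constructed Windows Security 4768/4771 records by source IP to show the three patterns these detections distinguish; the simplified record format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified Windows Security events 4768 (TGT requested) and 4771 (Kerberos
# pre-authentication failed). Result 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such
# account); 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password). Every record here
# is constructed for the example, not a captured log.
def _ev(ts, event_id, account, ip, code):
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "account": account, "ip": ip, "code": code}

SAMPLE_EVENTS = (
    # 10.0.0.5 walks a name list; nearly every name is unknown (enumeration)
    [_ev(f"2024-01-01T09:00:{i:02d}", 4768, f"guess{i}", "10.0.0.5", "0x6")
     for i in range(8)]
    # 10.0.0.9 tries one password against many real accounts (password spray)
    + [_ev(f"2024-01-01T09:05:{i:02d}", 4771, f"user{i}", "10.0.0.9", "0x18")
       for i in range(6)]
    # 10.0.0.7 hammers a single account with many passwords (brute force)
    + [_ev(f"2024-01-01T09:10:{i:02d}", 4771, "svc-backup", "10.0.0.7", "0x18")
       for i in range(12)]
    # 10.0.0.3 is one user mistyping a password twice (benign noise)
    + [_ev("2024-01-01T09:20:00", 4771, "alice", "10.0.0.3", "0x18"),
       _ev("2024-01-01T09:20:30", 4771, "alice", "10.0.0.3", "0x18")]
)

def classify_kerberos_failures(events, window=timedelta(minutes=10),
                               min_accounts=5, min_attempts=10):
    """Label each source IP by its failure pattern inside a sliding window.
    Thresholds are assumptions for the example; tune them to your baseline."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        labels = set()
        for start in range(len(evs)):
            win = [e for e in evs[start:]
                   if e["time"] - evs[start]["time"] <= window]
            unknown = {e["account"] for e in win if e["code"] == "0x6"}
            wrong_pw = [e for e in win if e["code"] == "0x18"]
            targets = {e["account"] for e in wrong_pw}
            if len(unknown) >= min_accounts:
                labels.add("account_enumeration")
            if len(targets) >= min_accounts:
                labels.add("password_spray")
            if len(targets) == 1 and len(wrong_pw) >= min_attempts:
                labels.add("brute_force")
        if labels:
            findings[ip] = labels
    return findings
```

Running the classifier over an export of real 4768/4771 events after a lab simulation is a quick way to confirm the volume that actually reached the domain controller matches what the Defender for Identity alert reported.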

Malicious Request of Data Protection API (DPAPI) Master Key

Attackers may attempt to request the DPAPI master key to decrypt secrets protected by DPAPI on domain-joined Windows machines. Simulate this attack using the provided commands, triggering the “Malicious request of DPAPI master key alert.”

Suspected Skeleton Key Attack (Encryption Downgrade)

The “Suspected Skeleton Key attack” alert watches for malware that allows authentication to the domain without knowing the password, often using weaker encryption algorithms. To simulate this attack, follow the provided commands to trigger the “Suspected Skeleton Key attack alert.”

Suspected Netlogon Privilege Elevation Attempt (CVE-2020-1472 Exploitation)

The “Suspected Netlogon privilege elevation attempt” alert focuses on vulnerabilities within the Netlogon Remote Protocol, known as CVE-2020-1472. To simulate this attack, use the provided commands to trigger the “Suspected Netlogon privilege elevation attempt alert.”

Suspicious Network Connection Over Encrypting File System Remote Protocol

This alert is triggered when attackers attempt to exploit a flaw in the Encrypting File System Remote (EFSRPC) Protocol to take over an Active Directory domain. Simulate this scenario using the provided commands, triggering the “Suspicious network connection over Encrypting File System Remote Protocol alert.”

Suspected DCSync Attack (Replication of Directory Services)

Attackers may initiate replication requests to retrieve sensitive data from Active Directory, such as the krbtgt’s password hash. To simulate this attack, use the provided commands to trigger the “Suspected DCSync attack alert.”

Suspected DCShadow Attack (Domain Controller Replication Request)

Attackers might attempt a malicious replication request to change Active Directory objects on a genuine domain controller, which is part of the “Suspected DCShadow attack” alert. Follow the provided commands to simulate this scenario.

Remote Code Execution Attempts

Defender for Identity detects remote code execution attempts from client machines to domain controllers, such as PsExec, remote WMI, or PowerShell connections. Simulate this scenario using the provided commands, which will trigger the “Remote code execution attempt alert.”

Data Exfiltration Over SMB

Defender for Identity can also track files uploaded from workstations or servers to a domain controller, essential for detecting abnormal activities. Review your user timeline to check for any “Files copied to a domain controller” activity.

Suspected Golden Ticket Usage

Golden Ticket attacks are a significant threat, allowing attackers to create Kerberos ticket-granting tickets (TGTs) that authorize any resource. This can compromise network security. To simulate these attacks, the provided commands trigger alerts for “Suspected Golden Ticket usage.”

Suspicious Additions to Sensitive Groups

Attackers often attempt to add users to highly privileged groups to gain access to more resources and maintain persistence. Defender for Identity monitors such changes and triggers alerts when suspicious additions to sensitive groups occur. Simulate this by adding users to sensitive groups within Active Directory Users and Computers (dsa.msc).
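The alert above fires on membership changes to groups Defender for Identity tags as sensitive, and a member added to a group that is itself nested under a sensitive group is effectively in that sensitive group too. The following added example (not from the original article or from Microsoft) shows that logic over constructed Windows Security group-change events; the nesting map, the sample events and the subset of sensitive groups shown are assumptions.

```python
from collections import deque

# Built-in groups that Defender for Identity tags as sensitive (a subset of
# the documented list; membership in them is the trigger for this alert).
SENSITIVE_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                    "Schema Admins", "Account Operators", "Backup Operators",
                    "Server Operators", "Print Operators"}
# Constructed nesting map: group -> groups it is itself a member of. In a real
# deployment this comes from the directory (e.g. the memberOf attribute).
GROUP_PARENTS = {"Helpdesk-Tier2": {"Account Operators"},
                 "IT-Staff": {"Helpdesk-Tier2"},
                 "Sales": set()}
# Security events that record a member being added to a security-enabled
# group: 4728 (global), 4732 (domain local), 4756 (universal).
GROUP_ADD_EVENTS = {4728, 4732, 4756}

def is_sensitive(group, parents=GROUP_PARENTS, sensitive=SENSITIVE_GROUPS):
    """A group is sensitive if it, or any group it is nested under, is in
    the sensitive set; walk the parents breadth-first, guarding against
    membership cycles."""
    seen, queue = set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in sensitive:
            return True
        if g in seen:
            continue
        seen.add(g)
        queue.extend(parents.get(g, ()))
    return False

# Constructed sample events (subject = the account that made the change).
SAMPLE_EVENTS = [
    {"id": 4728, "subject": "jdoe", "member": "CORP\\bob", "group": "Domain Admins"},
    {"id": 4728, "subject": "hr-admin", "member": "CORP\\carol", "group": "Sales"},
    {"id": 4756, "subject": "jdoe", "member": "CORP\\dave", "group": "IT-Staff"},
    {"id": 4720, "subject": "jdoe", "member": "CORP\\eve"},  # account created, no group
]

def flag_sensitive_additions(events):
    """Return (subject, member, group) for every addition to a sensitive group,
    including additions to groups nested under one."""
    return [(e["subject"], e["member"], e["group"]) for e in events
            if e["id"] in GROUP_ADD_EVENTS and is_sensitive(e.get("group", ""))]
```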

Conclusion

Microsoft Defender for Identity is a potent ally in the ongoing battle against cyber threats. Carrying out these attack simulations is crucial to ensure your configuration is well-prepared to thwart malicious actors. Nevertheless, remember that these are controlled tests, and caution should be exercised when using third-party tools.

To further bolster your cybersecurity defenses, delve into the wealth of resources Microsoft provides in the Microsoft Defender for Identity Playbooks. These resources offer comprehensive insights and guidance to maximize the potential of this formidable security solution.

In the dynamic realm of cybersecurity, maintaining.
