Typically, cyberattacks are launched against any accessible entity, such as a low-privileged user, and then quickly move laterally until the attacker gains access to valuable assets. Valuable assets can be sensitive accounts, domain administrators, or highly sensitive data. Microsoft Defender for Identity identifies these advanced threats at the source throughout the entire attack kill chain and classifies them into the following phases:
To learn more about the structure and common components of all Defender for Identity security alerts, see Understanding security alerts. For information about True positive (TP), Benign true positive (B-TP), and False positive (FP), see security alert classifications.
The following security alerts help you identify and remediate Other phase suspicious activities detected by Defender for Identity in your network.
Suspected DCShadow attack (domain controller promotion) (external ID 2028)
A domain controller shadow (DCShadow) attack changes directory objects through malicious replication. It can be run from any machine by registering that machine as a rogue domain controller and pushing changes through the normal replication process.
In a DCShadow attack, RPC and LDAP are used to:
Register the machine account as a domain controller (using domain admin rights).
Perform replication (using the granted replication rights) over DRSUAPI and send changes to directory objects.
In this Defender for Identity detection, a security alert is triggered when a machine in the network tries to register as a rogue domain controller.
Suspected DCShadow attack (domain controller replication request) (external ID 2029)
Active Directory replication is the process by which changes made on one domain controller are synchronized with other domain controllers. Given the necessary permissions, attackers can grant replication rights to their machine account, allowing it to impersonate a domain controller. Attackers then initiate a malicious replication request, pushing changes to Active Directory objects on a genuine domain controller, which can give them persistence in the domain.
In this detection, an alert is triggered when a suspicious replication request is generated against a genuine domain controller protected by Defender for Identity. The behavior is indicative of techniques used in domain controller shadow attacks.
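The two alerts above fire on the attack itself. As an added example (not part of the Defender for Identity documentation), the following PowerShell hunts for the preconditions DCShadow needs: replication control-access rights on the domain head held by an unexpected principal, an NTDS Settings object in the Sites container that belongs to no real domain controller, and a computer account carrying DC traits (the SERVER_TRUST_ACCOUNT flag, a GC/ SPN, or the DRS replication SPN class) without being a DC. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the domain and configuration partitions; the baseline list of principals expected to hold replication rights is an assumption you must tune (Entra Connect and backup service accounts will legitimately appear).

```powershell
# Added example, not from the Defender for Identity documentation: hunts for the
# preconditions a DCShadow attack needs. Assumes the ActiveDirectory RSAT module on a
# domain-joined host with read access to the domain and configuration partitions.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$configNC  = (Get-ADRootDSE).configurationNamingContext
$forestDCs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

# Schema GUIDs of the replication control-access rights.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Manage-Topology'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'
}
# Assumed baseline of principals that legitimately hold replication rights on the
# domain head; add your Entra Connect / backup service accounts before trusting the output.
$nb = $domain.NetBIOSName
$expectedPrincipals = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers",
    "$nb\Domain Admins", "$nb\Enterprise Admins"
)

function Get-ReplicationRightName {
    # Name of the replication right an ACE grants, or $null if it grants none.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    if (($Ace.ActiveDirectoryRights -band $all) -eq $all) { return 'GenericAll' }
    if ($Ace.ActiveDirectoryRights -band $ext) {
        $g = $Ace.ObjectType.ToString()
        if ($g -eq '00000000-0000-0000-0000-000000000000') { return 'All extended rights' }
        if ($replRights.ContainsKey($g)) { return $replRights[$g] }
    }
    return $null
}

# Check 1: who may replicate from the domain naming context (what the replication step needs).
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$unexpectedRights = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $right = Get-ReplicationRightName -Ace $ace
    if ($right -and $expectedPrincipals -notcontains $ace.IdentityReference.Value) {
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = $right; Inherited = $ace.IsInherited }
    }
}

# Check 2: NTDS Settings (nTDSDSA) objects in the Sites container that belong to no known DC.
# A rogue DC registers one so that genuine DCs accept it as a replication partner.
$knownNtds = $forestDCs.NTDSSettingsObjectDN
$rogueNtds = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object { $knownNtds -notcontains $_.DistinguishedName }

# Check 3: computer accounts with DC traits (SERVER_TRUST_ACCOUNT 0x2000, a GC/ SPN, or the
# DRS replication SPN class E3514235-4B06-11D1-AB04-00C04FC2DCD2) that are not domain controllers.
$knownComputers = $forestDCs.ComputerObjectDN
$ldap = '(&(objectClass=computer)(|(userAccountControl:1.2.840.113556.1.4.803:=8192)' +
        '(servicePrincipalName=GC/*)(servicePrincipalName=E3514235-4B06-11D1-AB04-00C04FC2DCD2/*)))'
$rogueComputers = foreach ($d in (Get-ADForest).Domains) {
    Get-ADComputer -Server $d -LDAPFilter $ldap -Properties servicePrincipalName, whenChanged |
        Where-Object { $knownComputers -notcontains $_.DistinguishedName }
}

'== Replication rights on the domain head held by unexpected principals =='
$unexpectedRights | Format-Table -AutoSize
'== nTDSDSA objects with no matching domain controller =='
$rogueNtds | Select-Object DistinguishedName | Format-Table -AutoSize
'== Computer accounts with DC traits that are not domain controllers =='
$rogueComputers | Select-Object Name, whenChanged, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ' ' } } | Format-Table -AutoSize
```

Anything in the first table is a principal that can pull or push directory changes; anything in the second or third is a host that has been dressed up as a domain controller and should be treated as an incident until explained.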
Remote code execution attempt (external ID 2019)
Attackers who compromise administrative credentials or use a zero-day exploit can execute remote commands on your domain controller or AD FS / AD CS server. This can be used for gaining persistence, collecting information, denial of service (DoS) attacks, or any other purpose. Defender for Identity detects PsExec, Remote WMI, and PowerShell connections.
Restrict remote access to domain controllers from non-Tier 0 machines.
Implement privileged access, allowing only hardened machines to connect to domain controllers for admins.
Implement least-privilege access on domain machines so that only specific users have the right to create services.
Note
Remote code execution attempt alerts on attempted use of PowerShell commands are only supported by Defender for Identity sensors.
Suspicious service creation (external ID 2026)
Previous name: Suspicious service creation
Severity: Medium
Description:
A suspicious service has been created on a domain controller or AD FS / AD CS server in your organization. This alert relies on event 7045 to identify this suspicious activity.
Restrict remote access to domain controllers from non-Tier 0 machines.
Implement privileged access to allow only hardened machines to connect to domain controllers for administrators.
Implement least-privilege access on domain machines so that only specific users have the right to create services.
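Both the Remote code execution attempt and the Suspicious service creation alerts ultimately rest on the same artifact: PsExec-style tools, Impacket-style command services and remotely launched PowerShell all leave a System event 7045 on the target. As an added example (not code from the Defender for Identity documentation), the following PowerShell parses 7045 records from a domain controller and scores them against a heuristic indicator list; the sample events are constructed here so the scorer runs offline, and the indicators are assumptions to tune for your environment.

```powershell
# Added example, not from the Defender for Identity documentation. Scores System event
# 7045 ("A service was installed in the system") on a domain controller for the traces
# that PsExec, Impacket-style command services and encoded PowerShell leave behind.
# The indicator list is a heuristic to tune; the sample events below are constructed.

function ConvertFrom-ServiceInstallEvent {
    # Flatten the EventData of a 7045 record into an object the scorer can consume.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Computer    = $Event.MachineName
        ServiceName = $d['ServiceName']
        ImagePath   = $d['ImagePath']
        StartType   = $d['StartType']
        Account     = $d['AccountName']
        InstalledBy = $Event.UserId      # SID of the caller that created the service
    }
}

function Test-SuspiciousServiceInstall {
    param([Parameter(ValueFromPipeline = $true)]$Service)
    process {
        $path    = "$($Service.ImagePath)"
        $name    = "$($Service.ServiceName)"
        $reasons = @()
        if ($name -match '^(PSEXESVC|PAExec|csexec)' -or $path -match '(?i)PSEXESVC|PAExec') {
            $reasons += 'PsExec-style remote service'
        }
        if ($path -match '(?i)(cmd\.exe|%COMSPEC%).*\s/c\s') {
            $reasons += 'cmd.exe one-shot service (smbexec pattern)'
        }
        if ($path -match '(?i)(powershell|pwsh)' -and $path -match '(?i)\s-(e|ec|enc|encodedcommand)\s') {
            $reasons += 'encoded PowerShell command line'
        }
        if ($path -match '(?i)\\(Temp|Users\\Public|ProgramData|AppData)\\') {
            $reasons += 'binary in a user-writable location'
        }
        if ($path -match '(?i)\b(mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe') {
            $reasons += 'LOLBin used as the service binary'
        }
        if ($name -match '^[A-Za-z]{16}$') {
            $reasons += 'generated-looking 16-letter service name'
        }
        [pscustomobject]@{
            Time = $Service.Time; Computer = $Service.Computer; ServiceName = $name
            ImagePath = $path; Score = $reasons.Count; Reasons = ($reasons -join '; ')
        }
    }
}

# Constructed sample events: a PsExec service, an smbexec-style cmd.exe service,
# an encoded PowerShell service with a generated name, and a benign Defender service.
$now = Get-Date
$samples = @(
    [pscustomobject]@{ Time = $now; Computer = 'DC01'; ServiceName = 'PSEXESVC'
        ImagePath = '%SystemRoot%\PSEXESVC.exe'; StartType = 'demand start'; Account = 'LocalSystem' }
    [pscustomobject]@{ Time = $now; Computer = 'DC01'; ServiceName = 'BTOBTO'
        ImagePath = '%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'
        StartType = 'demand start'; Account = 'LocalSystem' }
    [pscustomobject]@{ Time = $now; Computer = 'DC01'; ServiceName = 'XkqLpWzrTmNbVcHs'
        ImagePath = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA'
        StartType = 'demand start'; Account = 'LocalSystem' }
    [pscustomobject]@{ Time = $now; Computer = 'DC01'; ServiceName = 'Sense'
        ImagePath = '"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'
        StartType = 'auto start'; Account = 'LocalSystem' }
)
$samples | Test-SuspiciousServiceInstall | Where-Object Score -gt 0 | Format-Table -AutoSize

# Live use against a DC (last 24 hours of 7045 events):
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-ServiceInstallEvent $_ } | Test-SuspiciousServiceInstall | Where-Object Score -gt 0
```

The first three samples score, the Defender service does not. When an alert fires, the 7045 record's caller SID and the account the service runs as are the first pivot: if the caller is not a Tier 0 administrator working from a hardened host, the remediation steps above have not been applied.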
Suspicious communication over DNS (external ID 2031)
Previous name: Suspicious communication over DNS
Severity: Medium
Description:
The DNS protocol in most organizations is typically not monitored and rarely blocked for malicious activity, which lets an attacker on a compromised machine abuse it. Malicious communication over DNS can be used for data exfiltration, command and control, and/or evading corporate network restrictions.
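Tunnelling tools encode their payload in the query name, so the signal is many unique, long, high-entropy subdomains under one registered domain, often in TXT, NULL, CNAME or MX lookups. As an added example (not code from the Defender for Identity documentation), the following PowerShell computes those features per registered domain over a constructed query log; the "<client> <qtype> <qname>" line format and the thresholds are assumptions to adapt to your resolver's logs, and the two-label apex heuristic is crude for suffixes such as co.uk.

```powershell
# Added example, not from the Defender for Identity documentation. Scores DNS query
# names per registered domain for the shape tunnelling tools leave: many unique, long,
# high-entropy subdomains, often TXT/NULL/CNAME/MX records. The input lines are
# constructed here in a simple "<client> <qtype> <qname>" form; adapt the regex to
# your resolver's log format (an assumption). The two-label apex heuristic is crude
# for suffixes such as co.uk, so treat the grouping as approximate.

function Get-ShannonEntropy {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

function Measure-DnsTunnelling {
    param(
        [string[]]$Lines,
        [int]$MinUniqueSubdomains = 10,
        [double]$EntropyThreshold = 3.5,
        [int]$LabelLengthThreshold = 25
    )
    $records = foreach ($line in $Lines) {
        if ($line -notmatch '^(?<client>\S+)\s+(?<qtype>[A-Z]+)\s+(?<qname>\S+)$') { continue }
        $labels = $Matches.qname.TrimEnd('.').Split('.')
        if ($labels.Count -lt 3) { continue }   # apex-only queries carry no payload
        [pscustomobject]@{
            Client = $Matches.client
            QType  = $Matches.qtype
            Apex   = $labels[-2..-1] -join '.'
            Sub    = $labels[0..($labels.Count - 3)] -join '.'
        }
    }
    $records | Group-Object Apex | ForEach-Object {
        $subs   = @($_.Group.Sub | Sort-Object -Unique)
        $avgLen = ($subs | ForEach-Object { $_.Length } | Measure-Object -Average).Average
        $avgEnt = ($subs | ForEach-Object { Get-ShannonEntropy $_ } | Measure-Object -Average).Average
        $rare   = @($_.Group | Where-Object { $_.QType -in @('TXT', 'NULL', 'CNAME', 'MX') }).Count
        [pscustomobject]@{
            Apex             = $_.Name
            Queries          = $_.Count
            UniqueSubdomains = $subs.Count
            AvgSubLength     = [math]::Round($avgLen, 1)
            AvgEntropy       = [math]::Round($avgEnt, 2)
            RareRecordTypes  = $rare
            Clients          = (@($_.Group.Client | Sort-Object -Unique) -join ',')
            Suspicious       = ($subs.Count -ge $MinUniqueSubdomains) -and
                               ($avgLen -ge $LabelLengthThreshold) -and
                               ($avgEnt -ge $EntropyThreshold)
        }
    } | Sort-Object -Property Suspicious, AvgEntropy -Descending
}

# Constructed sample: ordinary corporate lookups plus a tunnel that pushes 40-character
# base36 chunks through TXT queries under one attacker-controlled domain.
$rng      = New-Object System.Random 7
$alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'
$tunnel   = foreach ($i in 1..12) {
    $chunk = -join (1..40 | ForEach-Object { $alphabet[$rng.Next($alphabet.Length)] })
    "10.1.2.7 TXT $chunk.c2.exfil-example.net"
}
$lines = @(
    '10.1.2.3 A www.contoso.com'
    '10.1.2.3 A login.microsoftonline.com'
    '10.1.2.4 AAAA outlook.office365.com'
    '10.1.2.4 A mail.contoso.com'
    '10.1.2.5 A sts.contoso.com'
    '10.1.2.5 A www.contoso.com'
) + $tunnel
Measure-DnsTunnelling -Lines $lines | Format-Table -AutoSize
```

Only exfil-example.net comes out flagged: the corporate domains have a handful of short, low-entropy hostnames, while the tunnel shows twelve unique 40-character subdomains with roughly 4.5 bits of entropy per character, all TXT, all from one client. In production, feed this the DNS server analytic or debug log and alert on the Suspicious column rather than eyeballing the table.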
Data exfiltration over SMB (external ID 2030)
Domain controllers hold the most sensitive organizational data. For most attackers, one of their top priorities is to gain domain controller access to steal your most sensitive data. For example, exfiltration of the Ntds.dit file stored on the DC lets an attacker forge Kerberos ticket granting tickets (TGTs) that provide authorization to any resource, and a forged TGT lets the attacker set the ticket expiration to any arbitrary time. A Defender for Identity Data exfiltration over SMB alert is triggered when suspicious transfers of data are observed from your monitored domain controllers.
Suspicious deletion of the certificate database entries (external ID 2433)
Severity: Medium
Description:
The deletion of certificate database entries is a red flag, indicating potential malicious activity. This attack could disrupt the functioning of Public Key Infrastructure (PKI) systems, impacting authentication and data integrity.
Suspicious deletion of the certificate database entries alerts are only supported by Defender for Identity sensors on AD CS.
Suspicious disable of audit filters of AD CS (external ID 2434)
Severity: Medium
Description:
Disabling audit filters in AD CS can allow attackers to operate without being detected. This attack aims to evade security monitoring by disabling filters that would otherwise flag suspicious activities.
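The two AD CS alerts above are linked: deleting rows from the certificate database is only visible if CA auditing is on, so an attacker who wants the deletion to go unnoticed turns the audit filter off first. As an added example (not code from the Defender for Identity documentation), the following PowerShell, run on the CA server, verifies the CA's AuditFilter and the Windows "Certification Services" audit subcategory, then lists the Security events that record an audit-filter change (4885) and a row deletion (4896). The bit-to-category mapping follows Microsoft's CA auditing documentation and is an assumption to verify against your version.

```powershell
# Added example, not from the Defender for Identity documentation. Run on the CA server.
# It reads the AD CS AuditFilter, checks that the Windows "Certification Services" audit
# subcategory is on (without both, row deletions are never logged), and lists Security
# events 4885 (audit filter changed) and 4896 (rows deleted from the certificate database).
# The bit-to-category names follow the CA auditing documentation and are an assumption
# to verify on your version.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active
$filter = [int](Get-ItemProperty -Path "$cfgKey\$caName" -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter

$auditCategories = @(
    @{ Bit = 1;  Name = 'Start and stop Active Directory Certificate Services' }
    @{ Bit = 2;  Name = 'Back up and restore the CA database' }
    @{ Bit = 4;  Name = 'Issue and manage certificate requests' }
    @{ Bit = 8;  Name = 'Change CA configuration' }
    @{ Bit = 16; Name = 'Change CA security settings' }
    @{ Bit = 32; Name = 'Store and retrieve archived keys' }
    @{ Bit = 64; Name = 'Revoke certificates and publish CRLs' }
)
"CA '$caName': AuditFilter = $filter (127 = every category)"
foreach ($c in $auditCategories) {
    $state = if ($filter -band $c.Bit) { 'ON ' } else { 'OFF' }
    "  [$state] $($c.Name)"
}
if ($filter -ne 127) {
    Write-Warning 'AuditFilter is not 127. Restore with: certutil -setreg CA\AuditFilter 127, then restart CertSvc.'
}
# The CA only writes 4885/4896 when the OS audit subcategory is enabled as well.
auditpol /get /subcategory:"Certification Services"

$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4885, 4896; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            What    = if ($_.Id -eq 4885) { 'Audit filter changed' } else { 'Certificate DB rows deleted' }
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Detail  = ($d.GetEnumerator() | Where-Object { $_.Key -notlike 'Subject*' } |
                       ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

A 4885 immediately followed by a 4896, or a 4896 with no surrounding change-management record, is the sequence to escalate; a 4885 that lowers the filter and is never followed by one that restores it means the CA has been blind since that moment.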
Directory Services Restore Mode Password Change (external ID 2438)
Severity: Medium
Description:
Directory Services Restore Mode (DSRM) is a special boot mode in Microsoft Windows Server operating systems that allows an administrator to repair or restore the Active Directory database. This mode is typically used when there are issues with Active Directory and normal booting isn't possible. The DSRM password is set during the promotion of a server to a domain controller. In this detection, an alert is triggered when Defender for Identity detects that the DSRM password has been changed.
We recommend investigating the source computer and the user who made the request to understand if the DSRM password change was initiated from a legitimate administrative action or if it raises concerns about unauthorized access or potential security threats.
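As an added example (not code from the Defender for Identity documentation), the following PowerShell does that investigation against one domain controller: it lists Security event 4794 (an attempt was made to set the DSRM administrator password), resolves the caller's logon session through the matching 4624 to get the source address and logon type, and reads the DsrmAdminLogonBehavior LSA value, which, when set to 2, lets the DSRM account authenticate over the network while AD DS is running and so turns a changed DSRM password into a standing backdoor. It assumes event-log read and remoting rights on the DC.

```powershell
# Added example, not from the Defender for Identity documentation. Against a domain
# controller it lists Security event 4794 (an attempt was made to set the DSRM
# administrator password), resolves the caller's logon session to a source address via
# the matching 4624, and reads DsrmAdminLogonBehavior, the LSA value that lets the DSRM
# account log on while AD DS is running (the persistence trick that usually follows a
# malicious DSRM password change). Needs event-log read and remoting rights on the DC.
param([string]$DomainController = $env:COMPUTERNAME, [int]$Days = 30)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $since }

foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $logonId = $d['SubjectLogonId']

    # The 4624 for the same logon ID tells us how and from where the caller got onto the DC.
    $source = $null
    if ($logonId) {
        $xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='TargetLogonId']='$logonId']]"
        $logon = Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($logon) {
            $lx = [xml]$logon.ToXml()
            $ld = @{}
            foreach ($n in $lx.Event.EventData.Data) { $ld[$n.Name] = $n.'#text' }
            $source = "logon type $($ld['LogonType']) from $($ld['IpAddress']) ($($ld['WorkstationName']))"
        }
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        DC          = $e.MachineName
        Caller      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId     = $logonId
        Source      = $source
        OtherFields = ($d.GetEnumerator() | Where-Object { $_.Key -notlike 'Subject*' } |
                       ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    }
}

# 0 or absent: DSRM admin usable only when booted into DSRM. 1: also while AD DS is stopped.
# 2: always, including network logons, which makes the DSRM password a standing backdoor.
$behavior = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
}
switch ([int]$behavior) {
    0       { "DsrmAdminLogonBehavior on $DomainController is 0/absent (default): DSRM account only usable in DSRM boot." }
    1       { Write-Warning "DsrmAdminLogonBehavior on $DomainController is 1: DSRM account usable whenever AD DS is stopped." }
    2       { Write-Warning "DsrmAdminLogonBehavior on $DomainController is 2: DSRM account usable at any time, including over the network. Investigate and reset to 0." }
    default { "DsrmAdminLogonBehavior on $DomainController has unexpected value $behavior" }
}
```

A legitimate change comes from an interactive or RDP session of a known Tier 0 administrator, usually alongside a change ticket; a 4794 whose source logon is a network logon from a workstation, or any DsrmAdminLogonBehavior of 2, should be treated as persistence until proven otherwise.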
In session theft, attackers steal a legitimate user's session cookies and use them from another location.
We recommend investigating the source IP performing the operations to determine whether those operations are legitimate and whether the IP address is one that the user actually uses.
Group Policy Tampering (external ID 2440) (Preview)
Severity: Medium
Description:
A suspicious change has been detected in Group Policy, resulting in the deactivation of Windows Defender Antivirus. This activity may indicate a security breach by an attacker with elevated privileges who could be setting the stage for distributing ransomware.
Suggested steps for investigation:
Understand if the GPO change is legitimate
If it wasn’t, revert the change
Understand how the group policy is linked, to estimate its scope of impact
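As an added example (not code from the Defender for Identity documentation), the following PowerShell carries out the three investigation steps above in one pass: it walks every GPO in the domain, flags settings that turn Microsoft Defender Antivirus or its real-time protection off, and reports where each offending GPO is linked together with its owner and last modification time so the scope of impact is clear. It needs the GroupPolicy RSAT module; the policy-name and registry-value patterns are assumptions to extend for your environment.

```powershell
# Added example, not from the Defender for Identity documentation. Walks every GPO in the
# domain, flags settings that turn Microsoft Defender Antivirus or its real-time protection
# off, and shows where each offending GPO is linked. Needs the GroupPolicy RSAT module.
# The policy-name and registry-value patterns are assumptions to extend.
Import-Module GroupPolicy

# Administrative Template policy names as they appear in a GPO report, plus the raw
# registry value names a Group Policy Preference or custom ADMX might set instead.
$policyPatterns = @(
    'Turn off (Microsoft|Windows) Defender( Antivirus)?$',
    'Turn off real-time protection',
    'Turn off behavior monitoring',
    'Turn off routinely taking action'
)
$registryPatterns = @('DisableAntiSpyware', 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring')

$findings = foreach ($gpo in Get-GPO -All) {
    $xmlText = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $report  = [xml]$xmlText
    $hits    = @()

    # Admin Template settings live under Computer/User > ExtensionData > Extension > Policy.
    foreach ($scope in @($report.GPO.Computer, $report.GPO.User)) {
        foreach ($ext in @($scope.ExtensionData.Extension)) {
            foreach ($pol in @($ext.Policy)) {
                if (-not $pol) { continue }
                if ($pol.State -eq 'Enabled' -and ($policyPatterns | Where-Object { $pol.Name -match $_ })) {
                    $hits += "policy '$($pol.Name)' = Enabled"
                }
            }
        }
    }
    # Registry preferences appear as <Properties ... name="DisableAntiSpyware" ... value="00000001"/>.
    foreach ($v in $registryPatterns) {
        if ($xmlText -match "(?s)name=`"$v`".{0,300}?value=`"0*1`"") { $hits += "registry value $v set to 1" }
    }

    if ($hits) {
        $links = @($report.GPO.LinksTo) | Where-Object { $_ } |
            ForEach-Object { "$($_.SOMPath) (enabled=$($_.Enabled), enforced=$($_.NoOverride))" }
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            Id       = $gpo.Id
            Owner    = $gpo.Owner
            Modified = $gpo.ModificationTime
            Findings = $hits -join '; '
            LinkedTo = if ($links) { $links -join '; ' } else { '(not linked)' }
        }
    }
}
$findings | Format-List
```

Modified and Owner identify the change and the account behind it; LinkedTo gives the scope (a GPO linked at the domain root with enforcement on reaches every machine). If the change was not legitimate, disable the link with Set-GPLink -LinkEnabled No before reverting the GPO from a known-good backup with Restore-GPO, so the setting stops applying while you investigate the account that made it.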
Protect your Active Directory environment by securing user accounts to least privilege and placing them in the Protected Users group. Learn how to limit authentication scope and remediate potentially insecure accounts.