ATPDocs/alerts-mdi-classic.md
3 additions & 3 deletions
@@ -8,7 +8,7 @@ ms.reviewer: rlitinsky
8
8
9
9
# Microsoft Defender for Identity classic alerts
10
10
11
-
Microsoft Defender for Identity alerts Microsoft Defender XDR portal can appear in two different formats, depending on if they originate from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products.
11
+
Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products.
12
12
13
13
To learn more about how to understand the structure, and common components of all Defender for Identity security alerts, see [View and manage alerts](understanding-security-alerts.md).
14
14
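Review bot: the rewritten sentence in this hunk still reads "depending on if the alert originates from"; since the two alternatives are being contrasted, "depending on whether the alert originates from" is the standard form and would match the register of the rest of the page. The reordering itself ("alerts can appear in the Microsoft Defender XDR portal") correctly repairs the original, which had dropped the words "can appear in the".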
@@ -85,7 +85,7 @@ The following security alerts help you identify and remediate **Credential acces
85
85
|<a name="honeytoken-authentication-activity"></a><details><summary>Honeytoken authentication activity</summary><br>**Previous name**: Honeytoken activity.<br><br>**Description**:<br>Honeytoken accounts are decoy accounts set up to identify and track malicious activity that involves these accounts. Honeytoken accounts should be left unused while having an attractive name to lure attackers (for example, SQL-Admin). Any authentication activity from them might indicate malicious behavior.<br>For more information on honeytoken accounts, see [Manage sensitive or honeytoken accounts](/defender-for-identity/entity-tags).<br><br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **Secondary MITRE tactic**: [Discovery](https://attack.mitre.org/tactics/TA0007) <br> - **MITRE attack technique**: [Account Discovery (T1087)](https://attack.mitre.org/techniques/T1087/)<br> - **MITRE attack sub-technique**: [Domain Account (T1087.002)](https://attack.mitre.org/techniques/T1087/002/) </details>|Medium|2014|
86
86
|<a name="suspected-dcsync-attack-replication-of-directory-services"></a><details><summary>Suspected DCSync attack (replication of directory services)</summary><br>**Previous name**: Malicious replication of directory services.<br><br>**Description**:<br>Active Directory replication is the process by which changes that are made on one domain controller are synchronized with all other domain controllers. Given necessary permissions, attackers can initiate a replication request, allowing them to retrieve the data stored in Active Directory, including password hashes.<br>In this detection, an alert is triggered when a replication request is initiated from a computer that isn't a domain controller.<br>> **Note**:> If you have domain controllers on which Defender for Identity sensors aren't installed, those domain controllers aren't covered by Defender for Identity. When deploying a new domain controller on an unregistered or unprotected domain controller, it might not immediately be identified by Defender for Identity as a domain controller. It's highly recommended to install the Defender for Identity sensor on every domain controller to get full coverage.<br><br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **Secondary MITRE tactic [Persistence (TA0003)](https://attack.mitre.org/tactics/TA0003)<br> - **MITRE attack technique**: [OS Credential Dumping (T1003)](https://attack.mitre.org/techniques/T1003/)<br> - **MITRE attack sub-technique**: [DCSync (T1003.006)](https://attack.mitre.org/techniques/T1003/006/)<br>**Suggested steps for prevention:**:<br>Validate the following permissions:<br> - Replicate directory changes.<br> - Replicate directory changes all.<br> - For more information, see [Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013](/SharePoint/administration/user-profile-service-administration). 
You can use [AD ACL Scanner](/archive/blogs/pfesweplat/take-control-over-ad-permissions-and-the-ad-acl-scanner-tool) or create a Windows PowerShell script to determine who in the domain has these permissions.</details>|High|2006|
87
87
|<a name="suspected-ad-fs-dkm-key-read"></a><details><summary>Suspected AD FS DKM key read </summary><br>**Description**:<br>The token signing and token decryption certificate, including the Active Directory Federation Services (AD FS) private keys, are stored in the AD FS configuration database. The certificates are encrypted using a technology called Distribute Key Manager. AD FS creates and uses these DKM keys when needed. To perform attacks like Golden SAML, the attacker would need the private keys that sign the SAML objects, similarly to how the **krbtgt** account is needed for Golden Ticket attacks. Using the AD FS user account, an attacker can access the DKM key and decrypt the certificates used to sign SAML tokens. This detection tries to find any actors that try to read the DKM key of AD FS object.<br><br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **MITRE attack technique**: [Unsecured Credentials (T1552)](https://attack.mitre.org/techniques/T1552/)<br - **MITRE attack sub-technique**: [Unsecured Credentials: Private Keys (T1552.004)](https://attack.mitre.org/techniques/T1552/004/)</details>|High|2413|
88
-
|<aname="suspected-dfscoerce-attack-using-distributed-file-system-protocol"></a><details><summary>Suspected DFSCoerce attack using Distributed File System Protocol </summary><br>**Description**:<br>DFSCoerce attack can be used to force a domain controller to authenticate against a remote machine which is under an attacker’s control using the MS-DFSNM API, which triggers NTLM authentication. This, ultimately, enables a threat actor to launch an NTLM relay attack. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **MITRE attack technique**: [Forced Authentication (T1187)](https://attack.mitre.org/techniques/T1187/)<br> - **:MITRE attack sub-technique**:N/A </details>|High|2426|
88
+
|<aname="suspected-dfscoerce-attack-using-distributed-file-system-protocol"></a><details><summary>Suspected DFSCoerce attack using Distributed File System Protocol </summary><br>**Description**:<br>DFSCoerce attack can be used to force a domain controller to authenticate against a remote machine which is under an attacker's control using the MS-DFSNM API, which triggers NTLM authentication. This, ultimately, enables a threat actor to launch an NTLM relay attack. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **MITRE attack technique**: [Forced Authentication (T1187)](https://attack.mitre.org/techniques/T1187/)<br> - **:MITRE attack sub-technique**:N/A </details>|High|2426|
89
89
|<aname="suspicious-kerberos-delegation-attempt-using-bronzebit-method-cve-2020-17049-exploitation"></a><details><summary>Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation) </summary><br>**Description**:<br>Exploiting a vulnerability (CVE-2020-17049), attackers attempt suspicious Kerberos delegation using the BronzeBit method. This could lead to unauthorized privilege escalation and compromise the security of the Kerberos authentication process. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **MITRE attack technique**: [Steal or Forge Kerberos Tickets (T1558)](https://attack.mitre.org/techniques/T1558/)<br> - **MITRE attack sub-technique**: N/A </details>|Medium|2048|
90
90
|<a name="abnormal-active-directory-federation-services-ad-fs-authentication-using-a-suspicious-certificate"></a><details><summary>Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate </summary><br>**Description**:<br>Anomalous authentication attempts using suspicious certificates in Active Directory Federation Services (AD FS) might indicate potential security breaches. Monitoring and validating certificates during AD FS authentication are crucial for preventing unauthorized access. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **MITRE attack technique**: [Forge Web Credentials (T1606)](https://attack.mitre.org/techniques/T1606/)<br> - **MITRE attack sub-technique**: N/A<br>> **Note**:> Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate alerts are only supported by Defender for Identity sensors on AD FS.</details>|High|2424|
91
91
|<aname="suspected-account-takeover-using-shadow-credentials"></a><details><summary>Suspected account takeover using shadow credentials </summary><br>**Description**:<br>The use of shadow credentials in an account takeover attempt suggests malicious activity. Attackers may attempt to exploit weak or compromised credentials to gain unauthorized access and control over user accounts. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> -**MITRE attack technique**: [OS Credential Dumping (T1003)](https://attack.mitre.org/techniques/T1003/)<br> - **MITRE attack sub-technique**: N/A </details>|High|2431|
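Review bot: the only change in this hunk is the curly apostrophe in "attacker's" becoming a straight one, but the same row carries three visible markup defects that this touch could have fixed at no extra cost: the anchor is written as `<aname="suspected-dfscoerce-attack-using-distributed-file-system-protocol">` (missing the space between `a` and `name`, so the anchor will not render), the last MITRE bullet is `**:MITRE attack sub-technique**:N/A` with a stray leading colon and no space after the second colon, and the `**Learning period**` line is not preceded by `<br><br>` like every other row in the table. Two nearby context rows also have broken tags worth a follow-up: the AD FS DKM row has `<br - **MITRE attack sub-technique**` (an unclosed `<br` that swallows the bullet) and the DCSync row has `**Secondary MITRE tactic [Persistence (TA0003)]` with no closing `**`.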
@@ -135,7 +135,7 @@ The following security alerts help you identify and remediate **Other** phase su
135
135
|<aname="suspicious-disable-of-audit-filters-of-ad-cs"></a><details><summary>Suspicious disable of audit filters of AD CS </summary><br>**Description**:<br>Disabling audit filters in AD CS can allow attackers to operate without being detected. This attack aims to evade security monitoring by disabling filters that would otherwise flag suspicious activities. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Defense Evasion (TA0005)](https://attack.mitre.org/tactics/TA0005)<br>- **MITRE attack technique**: [Impair Defenses (T1562)](https://attack.mitre.org/techniques/T1562/)<br> - **MITRE attack subtechnique**: [Disable Windows Event Logging (T1562.002)](https://attack.mitre.org/techniques/T1562/002/) </details>|Medium|2434|
136
136
|<a name="directory-services-restore-mode-password-change"></a><details><summary>Directory Services Restore Mode Password Change </summary><br>**Description**:<br>Directory Services Restore Mode (DSRM) is a special boot mode in Microsoft Windows Server operating systems that allows an administrator to repair or restore the Active Directory database. This mode is typically used when there are issues with the Active Directory and normal booting isn't possible. The DSRM password is set during the promotion of a server to a domain controller. In this detection, an alert is triggered when Defender for Identity detects a DSRM password is changed. <br>We recommend investigating the source computer and the user who made the request to understand if the DSRM password change was initiated from a legitimate administrative action or if it raises concerns about unauthorized access or potential security threats. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Persistence (TA0003)](https://attack.mitre.org/tactics/TA0003)- **MITRE attack technique**: [Account Manipulation (T1098)](https://attack.mitre.org/techniques/T1098/)- **MITRE attack subtechnique**: N/A </details>|Medium|2438|
137
137
|<aname="possible-okta-session-theft"></a><details><summary>Possible Okta session theft </summary><br>**Description**:<br>In session theft, attackers steal the cookies of legitimate user and use it from other locations. <br>We recommend investigating the source IP performing the operations to determine whether those operations are legitimate or not, and that the IP address is used by the user.<br><br>**Learning period**: 2 weeks<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Collection (TA0009)](https://attack.mitre.org/tactics/TA0009)- **MITRE attack technique**: [Browser Session Hijacking (T1185)](https://attack.mitre.org/techniques/T1185/)- **MITRE attack subtechnique**: N/A </details>|High||
138
-
|<aname="group-policy-tampering"></a><details><summary>Group Policy Tampering </summary><br>**Description**:<br>A suspicious change has been detected in Group Policy, resulting in the deactivation of Windows Defender Antivirus. This activity may indicate a security breach by an attacker with elevated privileges who could be setting the stage for distributing ransomware.<br>**Suggested steps for investigation:**<br> - Understand if the GPO change is legitimate.<br> - If it wasn’t, revert the change.<br> - Understand how the group policy is linked, to estimate its scope of impact.<br><br>**Learning period**: None<br><br>**MITRE**:<br>**Primary MITRE tactic**: [Defense Evasion (TA0005)](https://attack.mitre.org/tactics/TA0005)<br> - **MITRE attack technique**: [Subvert Trust Controls (T1553)](https://attack.mitre.org/techniques/T1553/)<br> - **MITRE attack subtechnique**: N/A</details>|Medium|2440|
138
+
|<aname="group-policy-tampering"></a><details><summary>Group Policy Tampering </summary><br>**Description**:<br>A suspicious change has been detected in Group Policy, resulting in the deactivation of Windows Defender Antivirus. This activity may indicate a security breach by an attacker with elevated privileges who could be setting the stage for distributing ransomware.<br>**Suggested steps for investigation:**<br> - Understand if the GPO change is legitimate.<br> - If it wasn't, revert the change.<br> - Understand how the group policy is linked, to estimate its scope of impact.<br><br>**Learning period**: None<br><br>**MITRE**:<br>**Primary MITRE tactic**: [Defense Evasion (TA0005)](https://attack.mitre.org/tactics/TA0005)<br> - **MITRE attack technique**: [Subvert Trust Controls (T1553)](https://attack.mitre.org/techniques/T1553/)<br> - **MITRE attack subtechnique**: N/A</details>|Medium|2440|
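Review bot: as in the previous hunk, the only change is the apostrophe in "wasn't", while the edited row still has `<aname="group-policy-tampering">` with the missing space that breaks the anchor, and its MITRE block begins `**MITRE**:<br>**Primary MITRE tactic**:` without the ` - ` list marker that every other row uses, so the first bullet renders as plain text rather than a list item. The context rows for DSRM password change and Okta session theft also run their bullets together (`](https://attack.mitre.org/tactics/TA0003)- **MITRE attack technique**`) because the `<br>` between items is missing; fixing those while this file is open would keep the table consistent.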