Submitted URL: https://aka.ms/atasaguide-bfldap
Effective URL: https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
CREDENTIAL ACCESS ALERTS

 * Article
 * 05/31/2023
 * 3 contributors


Typically, cyberattacks are launched against any accessible entity, such as a
low-privileged user, and then quickly move laterally until the attacker gains
access to valuable assets. Valuable assets can be sensitive accounts, domain
administrators, or highly sensitive data. Microsoft Defender for Identity
identifies these advanced threats at the source throughout the entire attack
kill chain and classifies them into the following phases:

 1. Reconnaissance and discovery alerts
 2. Persistence and privilege escalation alerts
 3. Credential access alerts
 4. Lateral movement alerts
 5. Other alerts

To learn more about the structure and common components of all Defender for
Identity security alerts, see Understanding security alerts. For information
about true positive (TP), benign true positive (B-TP), and false positive (FP)
classifications, see Security alert classifications.

The following security alerts help you identify and remediate Credential access
phase suspicious activities detected by Defender for Identity in your network.

Credential Access consists of techniques for stealing credentials like account
names and passwords. Techniques used to get credentials include keylogging or
credential dumping. Using legitimate credentials can give adversaries access to
systems, make them harder to detect, and provide the opportunity to create more
accounts to help achieve their goals.


SUSPECTED BRUTE FORCE ATTACK (LDAP) (EXTERNAL ID 2004)

Previous name: Brute force attack using LDAP simple bind

Severity: Medium

Description:

In a brute-force attack, the attacker attempts to authenticate with many
different passwords for different accounts until a correct password is found for
at least one account. Once found, the attacker can log in using that account.

In this detection, an alert is triggered when Defender for Identity observes a
large number of LDAP simple bind authentications. The alert covers brute-force
attacks performed horizontally (a small set of passwords across many users),
vertically (a large set of passwords against just a few users), or any
combination of the two. The alert is based on authentication events from
sensors running on domain controllers and AD FS servers.

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) MITRE attack technique Brute
Force (T1110) MITRE attack sub-technique Password Guessing (T1110.001), Password
Spraying (T1110.003)

Suggested steps for prevention:

 1. Enforce long and complex passwords across the organization. This is the
    necessary first level of defense against future brute-force attacks.
 2. Prevent LDAP simple binds over clear-text connections in your organization,
    for example by requiring LDAP signing on domain controllers, or by allowing
    simple binds only over LDAPS. A clear-text simple bind also exposes the
    password itself to anyone on the network path, not just the attempt.


SUSPECTED GOLDEN TICKET USAGE (FORGED AUTHORIZATION DATA) (EXTERNAL ID 2013)

Previous name: Privilege escalation using forged authorization data

Severity: High

Description:

Known vulnerabilities in older versions of Windows Server allow attackers to
manipulate the Privileged Attribute Certificate (PAC), a field in the Kerberos
ticket that contains a user's authorization data (in Active Directory, this is
group membership), granting attackers additional privileges.

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) MITRE attack technique Steal or
Forge Kerberos Tickets (T1558) MITRE attack sub-technique Golden Ticket
(T1558.001)

Suggested steps for prevention:

 1. Make sure all domain controllers running operating systems up to Windows
    Server 2012 R2 have KB3011780 installed, and that all member servers and
    domain controllers up to 2012 R2 are up to date with KB2496930. For more
    information, see Silver PAC and Forged PAC.


MALICIOUS REQUEST OF DATA PROTECTION API MASTER KEY (EXTERNAL ID 2020)

Previous name: Malicious Data Protection Private Information Request

Severity: High

Description:

The Data Protection API (DPAPI) is used by Windows to protect passwords saved
by browsers, encrypted files, and other sensitive data. Domain controllers hold
a backup master key that can be used to decrypt all secrets encrypted with
DPAPI on domain-joined Windows machines. An attacker who obtains the master key
can therefore decrypt any DPAPI-protected secret on every domain-joined machine.
In this detection, a Defender for Identity alert is triggered when the DPAPI
backup master key is retrieved from a domain controller.

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) MITRE attack technique
Credentials from Password Stores (T1555) MITRE attack sub-technique N/A


SUSPECTED BRUTE FORCE ATTACK (KERBEROS, NTLM) (EXTERNAL ID 2023)

Previous name: Suspicious authentication failures

Severity: Medium

Description:

In a brute-force attack, the attacker attempts to authenticate with multiple
passwords on different accounts until a correct password is found, or uses one
password in a large-scale password spray that works for at least one account.
Once found, the attacker logs in using the authenticated account.

In this detection, an alert is triggered when many authentication failures
occur using Kerberos or NTLM, or when a password spray is detected. Using
Kerberos or NTLM, this type of attack is typically carried out either
horizontally, using a small set of passwords across many users, vertically,
using a large set of passwords on a few users, or in any combination of the two.

In a password spray, after successfully enumerating a list of valid users from
the domain controller, attackers try ONE carefully crafted password against ALL
of the known user accounts (one password to many accounts). If the initial
password spray fails, they try again with a different carefully crafted
password, normally after waiting 30 minutes between attempts. The wait time
lets attackers stay under most time-based account lockout thresholds, whose
bad-password counters reset once the observation window has passed. Password
spray has quickly become a favorite technique of both attackers and pen testers.
Password spray attacks have proven effective at gaining an initial foothold in
an organization, and for making subsequent lateral moves while trying to
escalate privileges. The minimum period before an alert can be triggered is one
week.

Learning period:

1 week

MITRE:

Primary MITRE tactic Credential Access (TA0006) MITRE attack technique Brute
Force (T1110) MITRE attack sub-technique Password Guessing (T1110.001), Password
Spraying (T1110.003)

Suggested steps for prevention:

 1. Enforce long and complex passwords across the organization. This is the
    necessary first level of defense against future brute-force attacks.
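
The horizontal/vertical distinction used by this alert, and by the LDAP
brute-force alert (external ID 2004) above, comes down to how many distinct
accounts a single source fails against and how those failures are spaced. The
following Python is an added example, not Defender for Identity's detection
logic. Its failure events are constructed (modelled on what you would extract
from Security events 4625 or 4771, or from LDAP bind logs), and the thresholds
are assumptions to tune per environment. It classifies each source as spraying
or guessing and, for a spray, splits the failures into waves so the roughly
30-minute lockout-evading cadence becomes visible.

```python
"""
Classify failed-authentication events into brute-force patterns.

Added example (not Defender for Identity code). SAMPLE_FAILURES is
constructed; in practice these rows would come from Security events
4625/4771 or LDAP bind logs collected from domain controllers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source host, target account). Not real data.
SAMPLE_FAILURES = [
    # spray wave 1: one password against many accounts from WS-42 at 09:00
    *[(datetime(2023, 5, 30, 9, 0, i), "WS-42", f"user{i:02d}") for i in range(40)],
    # spray wave 2: a second password, 31 minutes later (past a typical lockout window)
    *[(datetime(2023, 5, 30, 9, 31, i), "WS-42", f"user{i:02d}") for i in range(40)],
    # vertical guessing: many passwords against one account from WS-07
    *[(datetime(2023, 5, 30, 10, 0) + timedelta(seconds=2 * i), "WS-07", "svc-backup")
      for i in range(150)],
    # benign: a user mistyping their password twice
    (datetime(2023, 5, 30, 11, 5, 0), "WS-99", "alice"),
    (datetime(2023, 5, 30, 11, 5, 9), "WS-99", "alice"),
]

# Assumed thresholds; tune to the environment.
MIN_FAILURES = 50          # below this, treat the source as ordinary typos
SPRAY_MIN_ACCOUNTS = 20    # "many accounts" for the horizontal pattern
VERTICAL_MAX_ACCOUNTS = 3  # "a few users" for the vertical pattern
WAVE_GAP = timedelta(minutes=20)  # silence that separates two spray waves


def classify_sources(failures, min_failures=MIN_FAILURES):
    """Return {source: verdict} for every source above the failure threshold.

    verdict is 'password_spray' (horizontal), 'password_guessing' (vertical)
    or 'mixed' (a combination of the two).
    """
    per_source = defaultdict(list)
    for ts, src, account in failures:
        per_source[src].append((ts, account))

    verdicts = {}
    for src, events in per_source.items():
        if len(events) < min_failures:
            continue
        accounts = {acct for _, acct in events}
        if len(accounts) >= SPRAY_MIN_ACCOUNTS:
            verdicts[src] = "password_spray"
        elif len(accounts) <= VERTICAL_MAX_ACCOUNTS:
            verdicts[src] = "password_guessing"
        else:
            verdicts[src] = "mixed"
    return verdicts


def spray_waves(failures, source, gap=WAVE_GAP):
    """Split one source's failures into waves separated by at least `gap`.

    Returns [(wave_start, distinct_accounts), ...]. Several waves each hitting
    the same broad account set, spaced ~30 minutes apart, is the cadence the
    alert description attributes to lockout-aware password spraying.
    """
    events = sorted((ts, a) for ts, s, a in failures if s == source)
    waves = []
    current_start, current_accounts, last_ts = None, set(), None
    for ts, account in events:
        if last_ts is None or ts - last_ts >= gap:
            if current_start is not None:
                waves.append((current_start, len(current_accounts)))
            current_start, current_accounts = ts, set()
        current_accounts.add(account)
        last_ts = ts
    if current_start is not None:
        waves.append((current_start, len(current_accounts)))
    return waves


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_FAILURES).items():
        print(f"{src}: {verdict}")
    for start, n in spray_waves(SAMPLE_FAILURES, "WS-42"):
        print(f"WS-42 wave at {start:%H:%M}: {n} accounts")
```

Running this reports WS-42 as a password spray in two waves 31 minutes apart
and WS-07 as password guessing against a single account; WS-99 never reaches
the threshold. Real detections also need to key on the source IP rather than
the reported workstation name, which an attacker controls.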


SECURITY PRINCIPAL RECONNAISSANCE (LDAP) (EXTERNAL ID 2038)

Severity: Medium

Description:

Security principal reconnaissance is used by attackers to gain critical
information about the domain environment: information that helps them map the
domain structure and identify privileged accounts for use in later steps of
their attack kill chain. Lightweight Directory Access Protocol (LDAP) is one of
the most popular methods used, for both legitimate and malicious purposes, to
query Active Directory. LDAP-focused security principal reconnaissance is
commonly used as the first phase of a Kerberoasting attack. Kerberoasting
attacks start from a target list of Service Principal Names (SPNs), for which
attackers then attempt to get Ticket Granting Service (TGS) tickets.

To allow Defender for Identity to accurately profile and learn legitimate users,
no alerts of this type are triggered in the first 10 days following Defender for
Identity deployment. Once the Defender for Identity initial learning phase is
completed, alerts are generated on computers that perform suspicious LDAP
enumeration queries, or queries targeted at sensitive groups, using methods not
previously observed.

Learning period:

15 days per computer, starting from the day of the first event, observed from
the machine.

MITRE:

Primary MITRE tactic Discovery (TA0007) Secondary MITRE tactic Credential Access
(TA0006) MITRE attack technique Account Discovery (T1087) MITRE attack
sub-technique Domain Account (T1087.002)

Kerberoasting specific suggested steps for prevention:

 1. Require long and complex passwords for user accounts that carry service
    principal names.
 2. Replace the user account with a group Managed Service Account (gMSA).

Note

Security principal reconnaissance (LDAP) alerts are supported by Defender for
Identity sensors only.


SUSPECTED KERBEROS SPN EXPOSURE (EXTERNAL ID 2410)

Severity: High

Description:

Attackers use tools to enumerate service accounts and their respective SPNs
(service principal names), request a Kerberos service ticket for each service,
capture the Ticket Granting Service (TGS) tickets from memory, extract the part
encrypted with the service account's key (the "hash" that cracking tools
consume), and save it for later use in an offline brute-force attack.

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) MITRE attack technique Steal or
Forge Kerberos Tickets (T1558) MITRE attack sub-technique Kerberoasting
(T1558.003)


SUSPECTED AS-REP ROASTING ATTACK (EXTERNAL ID 2412)

Severity: High

Description:

Attackers use tools to find accounts with Kerberos preauthentication disabled
and send AS-REQ messages for them without the encrypted timestamp. In response
they receive AS-REP messages whose encrypted part is derived from the account's
password, possibly using an insecure algorithm such as RC4, and save them for
later use in an offline password-cracking attack (similar to Kerberoasting)
that exposes the plaintext password.

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) MITRE attack technique Steal or
Forge Kerberos Tickets (T1558) MITRE attack sub-technique AS-REP Roasting
(T1558.004)

Suggested steps for prevention:

 1. Enable Kerberos preauthentication. For more information about account
    attributes and how to remediate them, see Unsecure account attributes.
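
The prevention steps for Kerberoasting (long passwords, gMSA) and AS-REP
roasting (preauthentication) above both come down to account attributes that
can be audited from a directory export. The following Python is an added
example, not Defender for Identity code. Its account records are constructed;
in practice you would pull sAMAccountName, objectClass, userAccountControl,
servicePrincipalName and msDS-SupportedEncryptionTypes with an LDAP search or
Get-ADUser. The userAccountControl and encryption-type bit values are the
documented MS-ADTS ones; the claim that an unset msDS-SupportedEncryptionTypes
still allows RC4 tickets assumes the domain defaults have not been hardened.

```python
"""
Audit a directory export for accounts exposed to Kerberoasting (enabled user
objects with an SPN) and AS-REP roasting (preauthentication disabled).

Added example; not Defender for Identity code. SAMPLE_ACCOUNTS is constructed.
"""

# userAccountControl bits (MS-ADTS)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ENC_RC4_HMAC = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10

# Constructed sample export (not real accounts)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "objectClass": "user",
     "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc-web", "objectClass": "user",
     "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": ENC_AES256 | ENC_AES128},
    {"sAMAccountName": "gmsa-app$", "objectClass": "msDS-GroupManagedServiceAccount",
     "userAccountControl": 0x1000,
     "servicePrincipalName": ["HTTP/app01.corp.local"],
     "msDS-SupportedEncryptionTypes": ENC_AES256},
    {"sAMAccountName": "legacy-app", "objectClass": "user",
     "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "old-admin", "objectClass": "user",
     "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "alice", "objectClass": "user",
     "userAccountControl": 0x200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0},
]


def is_enabled(acct):
    return not acct["userAccountControl"] & UF_ACCOUNTDISABLE


def rc4_obtainable(acct):
    """True if a client can request an RC4-HMAC ticket for this account.

    Assumption: an unset value (0) falls back to the domain default, which
    still permits RC4 unless it has been hardened. The RC4 key is the NT hash,
    so RC4 tickets crack far faster than AES ones.
    """
    enc = acct.get("msDS-SupportedEncryptionTypes") or 0
    return enc == 0 or bool(enc & ENC_RC4_HMAC)


def kerberoastable(acct):
    """Enabled user object with an SPN: any domain user can request a service
    ticket encrypted with its key and crack it offline. gMSA and computer
    objects are excluded because their passwords are long random values."""
    return (acct["objectClass"] == "user"
            and bool(acct["servicePrincipalName"])
            and is_enabled(acct))


def asrep_roastable(acct):
    """Enabled account that does not require Kerberos preauthentication."""
    return is_enabled(acct) and bool(acct["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def audit(accounts):
    """Return [(sAMAccountName, [issue, ...]), ...] for exposed accounts."""
    findings = []
    for acct in accounts:
        issues = []
        if kerberoastable(acct):
            issues.append("kerberoastable")
            if rc4_obtainable(acct):
                issues.append("rc4-obtainable")
            if acct["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
                issues.append("password-never-expires")
        if asrep_roastable(acct):
            issues.append("asrep-roastable")
            if "rc4-obtainable" not in issues and rc4_obtainable(acct):
                issues.append("rc4-obtainable")
        if issues:
            findings.append((acct["sAMAccountName"], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {', '.join(issues)}")
```

In the sample, svc-sql is the worst case (SPN, RC4 still obtainable, password
never expires), svc-web is still roastable but AES-only, gmsa-app$ is not
reported because a gMSA password is not crackable in practice, and old-admin is
ignored because a disabled account cannot be targeted. Fixing legacy-app means
re-enabling preauthentication; fixing svc-sql means either a gMSA or a long
random password plus an AES-only msDS-SupportedEncryptionTypes.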


SUSPICIOUS MODIFICATION OF A SAMACCOUNTNAME ATTRIBUTE (CVE-2021-42278 AND
CVE-2021-42287 EXPLOITATION) (EXTERNAL ID 2419)

Severity: High

Description:

An attacker can create a straightforward path to a Domain Admin user in an
Active Directory environment that isn't patched. This escalation attack allows
attackers to elevate their privilege to that of a Domain Admin once they
compromise a regular user in the domain.

When authenticating with Kerberos, a Ticket-Granting Ticket (TGT) and then a
Ticket-Granting Service (TGS) ticket are requested from the Key Distribution
Center (KDC). If a TGS ticket is requested for an account that can't be found,
the KDC searches again for the same name with a trailing $ appended.

CVE-2021-42278 lets an attacker set the sAMAccountName of a computer account
they control without the trailing $ that computer accounts are supposed to
carry, for example to DC1, the name of the domain controller DC1$ minus the $.
The attacker obtains a TGT as DC1 and then renames the account away again. When
the KDC processes a TGS request made with that TGT (CVE-2021-42287), its lookup
for DC1 fails, so it retries with DC1$, finds the real domain controller, and
issues the ticket with the privileges of DC1$.

Combining CVE-2021-42278 and CVE-2021-42287, an attacker with plain domain user
credentials can therefore obtain access equivalent to a domain admin.
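
The precondition the description above depends on, a computer account whose
sAMAccountName loses its trailing $ and collides with a domain controller's
name, is visible in account-rename events. The following Python is an added
example, not Defender for Identity's detection. The computer-account snapshot
and the rename events (modelled on Security event 4781, "The name of an
account was changed") are constructed; the $-fallback rule is the one the
description states.

```python
"""
Flag sAMAccountName changes that set up CVE-2021-42278/42287 exploitation.

Added example; not Defender for Identity code. COMPUTER_ACCOUNTS and
RENAME_EVENTS are constructed (events modelled on Security event 4781).
"""

# Constructed snapshot: computer sAMAccountName -> is it a domain controller?
COMPUTER_ACCOUNTS = {
    "DC1$": True,
    "DC2$": True,
    "WS-42$": False,
    "FILE01$": False,
}

# Constructed rename events: (event id, actor, old sAMAccountName, new sAMAccountName)
RENAME_EVENTS = [
    (4781, "CORP\\jdoe", "FAKE01$", "DC1"),         # drops $ and takes a DC's name
    (4781, "CORP\\helpdesk", "WS-42$", "WS-43$"),   # routine rename, keeps $
    (4781, "CORP\\jdoe", "DC1", "FAKE01$"),         # renamed back afterwards
    (4781, "CORP\\alice", "alice", "alice.smith"),  # user rename, not a computer
]


def missing_dollar(sam, computers):
    """A computer account whose name does not end in $ is suspicious on its own."""
    return sam in computers and not sam.endswith("$")


def evaluate_rename(event, computers):
    """Return a finding dict for a suspicious 4781 event, else None."""
    eid, actor, old, new = event
    if eid != 4781:
        return None
    findings = []
    if old.endswith("$") and not new.endswith("$"):
        findings.append("computer account lost its trailing $")
    # The KDC retries a failed lookup for NEW as NEW$. If NEW$ already exists,
    # a ticket obtained as NEW can later be honoured as NEW$.
    candidate = new.rstrip("$") + "$"
    if candidate in computers and candidate != old:
        kind = "domain controller" if computers[candidate] else "computer"
        findings.append(f"collides with {kind} {candidate} after $-fallback")
    if not findings:
        return None
    return {"actor": actor, "old": old, "new": new, "findings": findings}


def scan(events, computers):
    """Evaluate every rename event against the computer-account snapshot."""
    return [r for r in (evaluate_rename(e, computers) for e in events) if r]


if __name__ == "__main__":
    for r in scan(RENAME_EVENTS, COMPUTER_ACCOUNTS):
        print(f"{r['actor']}: {r['old']} -> {r['new']}: {'; '.join(r['findings'])}")
```

Only the first event is reported, with both findings: the $ was dropped and
the new name collides with DC1$. The rename back to FAKE01$ is what makes the
KDC's first lookup fail, so an alert on the initial rename gives the earliest
warning; patched domain controllers reject the $-less name in the first place.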

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) MITRE attack technique Access
Token Manipulation (T1134), Exploitation for Privilege Escalation (T1068), Steal
or Forge Kerberos Tickets (T1558) MITRE attack sub-technique Token
Impersonation/Theft (T1134.001)




HONEYTOKEN AUTHENTICATION ACTIVITY (EXTERNAL ID 2014)

Previous name: Honeytoken activity

Severity: Medium

Description:

Honeytoken accounts are decoy accounts set up to identify and track malicious
activity that involves these accounts. Honeytoken accounts should be left unused
while having an attractive name to lure attackers (for example, SQL-Admin). Any
authentication activity from them might indicate malicious behavior. For more
information on honeytoken accounts, see Manage sensitive or honeytoken accounts.

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) Secondary MITRE tactic Discovery
(TA0007) MITRE attack technique Account Discovery (T1087) MITRE attack
sub-technique Domain Account (T1087.002)


SUSPECTED DCSYNC ATTACK (REPLICATION OF DIRECTORY SERVICES) (EXTERNAL ID 2006)

Previous name: Malicious replication of directory services

Severity: High

Description:

Active Directory replication is the process by which changes that are made on
one domain controller are synchronized with all other domain controllers. Given
necessary permissions, attackers can initiate a replication request, allowing
them to retrieve the data stored in Active Directory, including password hashes.

In this detection, an alert is triggered when a replication request is initiated
from a computer that isn't a domain controller.

Note

Domain controllers on which a Defender for Identity sensor isn't installed are
not covered by Defender for Identity. A newly deployed domain controller without
a sensor may not immediately be identified by Defender for Identity as a domain
controller, so its legitimate replication requests can raise this alert. It is
highly recommended to install the Defender for Identity sensor on every domain
controller to get full coverage.

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) Secondary MITRE tactic
Persistence (TA0003) MITRE attack technique OS Credential Dumping (T1003) MITRE
attack sub-technique DCSync (T1003.006)

Suggested steps for prevention:

Validate who holds the following permissions on the domain object:

 1. Replicating Directory Changes.
 2. Replicating Directory Changes All.

For more information, see Grant Active Directory Domain Services permissions
for profile synchronization in SharePoint Server 2013. You can use AD ACL
Scanner or a Windows PowerShell script to determine who in the domain has these
permissions.
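
Checking these permissions means reading the domain root's DACL and looking for
the two replication extended rights, plus anything (GenericAll, WriteDacl,
WriteOwner) that would let a trustee grant them to itself. The following Python
is an added example, not Defender for Identity code or AD ACL Scanner. The ACE
list is a constructed stand-in for what Get-Acl 'AD:\DC=corp,DC=local' returns;
the extended-right GUIDs are the schema's well-known values; the baseline of
expected trustees is an assumption to adjust per domain (an Azure AD Connect
MSOL_ account, for instance, legitimately needs both rights).

```python
"""
Find principals holding the replication rights that make DCSync possible.

Added example; not Defender for Identity code. SAMPLE_ACES is constructed in
the shape of Get-Acl output on the domain root (IdentityReference,
AccessControlType, ActiveDirectoryRights, ObjectType).
"""
from collections import defaultdict

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
NULL_GUID = "00000000-0000-0000-0000-000000000000"  # ExtendedRight + null GUID = every extended right
# Rights that let a trustee grant itself anything; treated as equivalent to holding the rights.
SELF_GRANTING = {"GenericAll", "WriteDacl", "WriteOwner"}

# Assumed baseline for a plain domain; tune to your environment.
EXPECTED_TRUSTEES = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "CORP\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "CORP\\Enterprise Read-only Domain Controllers",
}

# Constructed ACEs (not a real domain)
SAMPLE_ACES = [
    ("BUILTIN\\Administrators", "Allow", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("BUILTIN\\Administrators", "Allow", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\Domain Controllers", "Allow", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\Domain Controllers", "Allow", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\Enterprise Read-only Domain Controllers", "Allow", "ExtendedRight",
     "89e95b76-444d-4c62-991a-0facbeda640c"),
    ("CORP\\svc-backup", "Allow", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\svc-backup", "Allow", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\helpdesk", "Allow", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\contractor", "Allow", "GenericAll", NULL_GUID),
    ("CORP\\auditors", "Deny", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
]


def replication_rights_by_trustee(aces):
    """Map trustee -> set of replication right names granted by Allow ACEs."""
    granted = defaultdict(set)
    for trustee, ace_type, rights, object_type in aces:
        if ace_type != "Allow":
            continue  # Deny ACEs grant nothing (a full DACL evaluation orders them first)
        if rights in SELF_GRANTING:
            granted[trustee].update(REPLICATION_RIGHTS.values())
            granted[trustee].add(f"via {rights}")
            continue
        # ActiveDirectoryRights can be a comma-joined set, so test for membership.
        if "ExtendedRight" in rights:
            if object_type == NULL_GUID:
                granted[trustee].update(REPLICATION_RIGHTS.values())
            elif object_type in REPLICATION_RIGHTS:
                granted[trustee].add(REPLICATION_RIGHTS[object_type])
    return granted


def can_dcsync(rights):
    """Replicating secrets needs both Get-Changes and Get-Changes-All."""
    return {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"} <= rights


def unexpected_dcsync_holders(aces, expected=EXPECTED_TRUSTEES):
    """Trustees able to DCSync that are not in the expected baseline, sorted."""
    return sorted(t for t, r in replication_rights_by_trustee(aces).items()
                  if can_dcsync(r) and t not in expected)


if __name__ == "__main__":
    for trustee in unexpected_dcsync_holders(SAMPLE_ACES):
        print("unexpected DCSync-capable trustee:", trustee)
```

Only svc-backup and contractor are reported: helpdesk holds just Get-Changes,
which is not enough to pull secrets, and the auditors entry is a Deny. Run the
check against the domain root and, separately, keep the sensor alert as the
runtime control; the ACL audit shows who could DCSync, the alert shows who did.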


SUSPECTED AD FS DKM KEY READ (EXTERNAL ID 2413)

Severity: High

Description:

The token-signing and token-decryption certificates, including the Active
Directory Federation Services (AD FS) private keys, are stored in the AD FS
configuration database. The certificates are encrypted using a technology
called Distributed Key Manager (DKM). AD FS creates these DKM keys and uses
them when needed. To perform attacks like Golden SAML, the attacker needs the
private keys that sign the SAML tokens, much as the krbtgt account's key is
needed for Golden Ticket attacks. Using the AD FS service account, an attacker
can read the DKM key and decrypt the certificates used to sign SAML tokens.
This detection flags any actor that tries to read the DKM key from the AD FS
object in Active Directory.

Learning period:

None

MITRE:

Primary MITRE tactic Credential Access (TA0006) MITRE attack technique Unsecured
Credentials (T1552) MITRE attack sub-technique Unsecured Credentials: Private
Keys (T1552.004)


SEE ALSO

 * Investigate assets
 * Understanding security alerts
 * Manage security alerts
 * Defender for Identity SIEM log reference
 * Working with lateral movement paths
 * Check out the Defender for Identity forum!




