Recently I have seen some videos and read some blog posts about bypassing Microsoft Defender for Identity. I agree that there are possibilities to bypass Microsoft Defender for Identity, but in this blog post, I would like to add some notes about these bypasses.
- Auditing is critical for Microsoft Defender for Identity to work correctly. Either use my auditing tool or the Microsoft documentation to be sure you audit all events needed for Microsoft Defender for Identity to work correctly.
- Be sure to install the Microsoft Defender for Identity sensor on all Domain Controllers since security events do not replicate between Domain Controllers.
- By the time an attacker performs a domain dominance attack, they were probably already detected during the lateral movement needed to get there, especially when the whole Microsoft Security E5 stack is installed and configured correctly.
- Install the Microsoft Defender for Identity sensor on all AD FS servers to detect attacks against the AD FS servers, such as Account Enumeration Reconnaissance, Suspected Brute Force Attack (LDAP), Remote Code Execution Attempt, and Abnormal ADFS authentication using a suspicious certificate.
- In a test environment, some detections do not trigger because there is no baseline or not enough information to detect an anomaly. These detections will trigger in a production environment.
- The recommended actions from Microsoft Defender for Identity are an excellent addition when creating a solid secure baseline for Active Directory.
- Do not use a newly created account as a honeytoken account. Attackers use the properties ‘logonCount’ and ‘badPwdCount’ to identify honeytoken accounts.
- Use a password that is not easy to brute-force for all accounts with a Service Principal Name to protect against Kerberoasting.
- Forcing AES on an account does not block an attacker from requesting an RC4-encrypted ticket. Disable RC4 encryption for Active Directory to prevent attackers from performing a Kerberoast attack.
- Use a dedicated Group Managed Service Account for Microsoft Defender for Identity, and do not use the account elsewhere. The Group Managed Service Account has high privileges in Active Directory because of the response actions.
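As an added example (not code from the original post), the following PowerShell lists the accounts with a Service Principal Name that still permit RC4 tickets according to their msDS-SupportedEncryptionTypes attribute, and reads the Kerberos encryption-type policy of the host it runs on. It assumes the ActiveDirectory RSAT module, read access to the domain, and that the bit values are the documented msDS-SupportedEncryptionTypes flags.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module (RSAT)
# and read access to the domain; the bit values are the msDS-SupportedEncryptionTypes flags.
Import-Module ActiveDirectory

$DES_CBC_CRC = 0x01
$DES_CBC_MD5 = 0x02
$RC4_HMAC    = 0x04
$AES128      = 0x08
$AES256      = 0x10

function Get-SpnAccountEncryptionStatus {
    # Every user account with a servicePrincipalName can be Kerberoasted.
    $accounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'
    foreach ($acct in $accounts) {
        $etypes = $acct.'msDS-SupportedEncryptionTypes'
        if ($null -eq $etypes -or $etypes -eq 0) {
            # Attribute not set: the domain default applies, which includes RC4 unless changed.
            $status = 'NotSet (RC4 allowed by default)'
        } elseif ($etypes -band ($RC4_HMAC -bor $DES_CBC_CRC -bor $DES_CBC_MD5)) {
            $status = 'WeakAllowed (RC4/DES)'
        } elseif ($etypes -band ($AES128 -bor $AES256)) {
            $status = 'AESOnly'
        } else {
            $status = 'Unexpected 0x{0:X}' -f $etypes
        }
        $hex = if ($null -eq $etypes) { '(not set)' } else { '0x{0:X}' -f $etypes }
        [pscustomobject]@{
            SamAccountName  = $acct.SamAccountName
            EncryptionTypes = $hex
            Status          = $status
            SpnCount        = @($acct.servicePrincipalName).Count
        }
    }
}

function Get-KerberosPolicyEncryptionTypes {
    # Value written by the policy "Network security: Configure encryption types allowed
    # for Kerberos" on this host; run on a domain controller to check the DC itself.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $value) { return 'Policy not configured (OS default, RC4 allowed)' }
    if ($value -band $RC4_HMAC) { return ('0x{0:X} - RC4 still allowed' -f $value) }
    return ('0x{0:X} - RC4 not allowed' -f $value)
}

Get-SpnAccountEncryptionStatus | Where-Object { $_.Status -ne 'AESOnly' } | Sort-Object Status | Format-Table -AutoSize
Get-KerberosPolicyEncryptionTypes
```

Accounts reported as NotSet or WeakAllowed are the ones an RC4 ticket can still be requested for, and the policy value shows whether the domain controller itself will issue such tickets.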
Like every security product, Microsoft Defender for Identity has bypasses. Attackers are still walking on eggshells, though: one simple mistake anywhere in the kill chain, and they get caught. It gets even harder for attackers when the whole Microsoft Security E5 stack is in place and configured correctly.
Remember that attackers use the on-premises environment as a stepping-stone to the cloud, so monitoring your environment is crucial even though you are moving to the cloud.