Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1087 | Account Discovery | This control provides significant detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1087.002 | Domain Account | The following alert of this control is able to detect domain account discovery: "Account enumeration reconnaissance (external ID 2003)". This shouldn't occur frequently and therefore the false positive rate should be minimal.<br>The "Security principal reconnaissance (LDAP) (external ID 2038)" alert is also relevant and its machine learning capabilities should reduce the false positive rate.<br>The "User and IP address reconnaissance (SMB) (external ID 2012)" alert can also provide a detection on a variation of this sub-technique. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1482 | Domain Trust Discovery | This control's "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" alert may be able to detect this operation. There are statements in the documentation for the alert, such as: "Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...", that may indicate support for detecting this technique. The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1201 | Password Policy Discovery | This control's "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" alert may be able to detect this operation. There are statements in the documentation for the alert, such as: "Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...", that may indicate support for detecting this technique. The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1069 | Permission Groups Discovery | This control provides significant detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1069.002 | Domain Groups | This control's "Security principal reconnaissance (LDAP) (external ID 2038)" alert can be used to detect when adversaries "perform suspicious LDAP enumeration queries or queries targeted to sensitive groups that use methods not previously observed." This alert employs machine learning which should reduce the number of false positives.<br>Additionally, this control's "User and Group membership reconnaissance (SAMR) (external ID 2021)" alert can detect this sub-technique and also employs machine learning which should reduce the false-positive rate. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1210 | Exploitation of Remote Services | This control's "Remote code execution over DNS (external ID 2036)" alert can look for an attacker attempting to exploit CVE-2018-8626, a remote code execution vulnerability in Windows Domain Name System (DNS) servers. In this detection, a Defender for Identity security alert is triggered when DNS queries suspected of exploiting the CVE-2018-8626 security vulnerability are made against a domain controller in the network.<br>Likewise, this control's "Suspected SMB packet manipulation (CVE-2020-0796 exploitation)" alert can detect attempted exploitation of a remote code execution vulnerability in SMBv3.<br>Because these detections are specific to a few CVEs, their coverage is Minimal, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550 | Use Alternate Authentication Material | This control provides partial detection for some of this technique's sub-techniques (due to unknown false-positive/true-positive rate), resulting in a Partial score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550.002 | Pass the Hash | This control's "Suspected identity theft (pass-the-hash) (external ID 2017)" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.<br>This control's "Suspected identity theft (pass-the-ticket) (external ID 2018)" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550.003 | Pass the Ticket | This control's "Suspected identity theft (pass-the-hash) (external ID 2017)" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.<br>This control's "Suspected identity theft (pass-the-ticket) (external ID 2018)" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1557 | Man-in-the-Middle | This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the other, resulting in an overall Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | This control's "Suspected NTLM relay attack (Exchange account) (external ID 2037)" alert can detect NTLM relay attacks specific to the Exchange service. Because this detection is limited to this variation of the sub-technique, its coverage score is Minimal, resulting in an overall Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1110 | Brute Force | This control provides significant detection of some of the sub-techniques of this technique and has therefore been assessed an overall score of Partial. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1110.003 | Password Spraying | This control's "Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives.<br>Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert can detect brute force attacks using LDAP simple binds.<br>The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant but the details are sparse. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1110.001 | Password Guessing | This control's "Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives.<br>Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert can detect brute force attacks using LDAP simple binds.<br>The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant but the details are sparse. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558 | Steal or Forge Kerberos Tickets | This control provides partial detection for most of this technique's sub-techniques, resulting in an overall Partial score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.003 | Kerberoasting | This control's "Suspected Kerberos SPN exposure (external ID 2410)" alert is able to detect when an attacker uses tools to enumerate service accounts and their respective SPNs (Service Principal Names), requests a Kerberos service ticket for the services, captures the Ticket Granting Service (TGS) tickets from memory and extracts their hashes, and saves them for later use in an offline brute force attack.<br>Similarly, its "Suspected AS-REP Roasting attack (external ID 2412)" alert is able to detect the AS-REP Roasting sub-technique.<br>The accuracy of these alerts is unknown and therefore the score has been assessed as Partial. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.004 | AS-REP Roasting | This control's "Suspected Kerberos SPN exposure (external ID 2410)" alert is able to detect when an attacker uses tools to enumerate service accounts and their respective SPNs (Service Principal Names), requests a Kerberos service ticket for the services, captures the Ticket Granting Service (TGS) tickets from memory and extracts their hashes, and saves them for later use in an offline brute force attack.<br>Similarly, its "Suspected AS-REP Roasting attack (external ID 2412)" alert is able to detect the AS-REP Roasting sub-technique.<br>The accuracy of these alerts is unknown and therefore the score has been assessed as Partial. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.001 | Golden Ticket | This control has numerous alerts that can detect Golden Ticket attacks from multiple perspectives. The accuracy of these alerts is unknown, resulting in a Partial score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1133 | External Remote Services | This control's "Suspicious VPN connection (external ID 2025)" alert utilizes machine learning models to learn normal VPN connections for a user and detect deviations from the norm. This detection is specific to VPN traffic and therefore its overall coverage is Minimal. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1555 | Credentials from Password Stores | This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1555.003 | Credentials from Web Browsers | This control's "Malicious request of Data Protection API master key (external ID 2020)" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. DPAPI is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data. This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1047 | Windows Management Instrumentation | This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via WMI. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1059 | Command and Scripting Interpreter | This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1059.001 | PowerShell | This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via PowerShell. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1021 | Remote Services | This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1021.002 | SMB/Windows Admin Shares | This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via PsExec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.<br>This control's "Data exfiltration over SMB (external ID 2030)" alert may also be able to detect exfiltration of sensitive data on domain controllers using SMB. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1569 | System Services | This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1569.002 | Service Execution | This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via PsExec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1207 | Rogue Domain Controller | This control's "Suspected DCShadow attack (domain controller promotion) (external ID 2028)" and "Suspected DCShadow attack (domain controller replication request) (external ID 2029)" alerts can detect this technique. The false positive rate should also be low, as the quantity and identity of domain controllers on the network should change very infrequently. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1003 | OS Credential Dumping | This control provides significant and partial detection for a few of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal coverage score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1003.006 | DCSync | This control's "Suspected DCSync attack (replication of directory services) (external ID 2006)" alert can detect DCSync attacks. The false positive rate should be low: the identity of domain controllers on the network changes infrequently, so replication requests received from non-domain controllers should be a red flag. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1003.003 | NTDS | The documentation for this control's "Data exfiltration over SMB (external ID 2030)" alert implies that it may be able to detect the transfer of sensitive data such as the Ntds.dit on monitored domain controllers. This is specific to domain controllers and therefore results in a reduced coverage score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1556 | Modify Authentication Process | This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1556.001 | Domain Controller Authentication | This control's "Suspected skeleton key attack (encryption downgrade) (external ID 2010)" alert can detect skeleton key attacks. This alert provides partial coverage, as it detects a specific type of malware, Skeleton Key malware, and its use of weaker encryption algorithms to hash users' passwords on the domain controller. The description of the alert implies it utilizes machine learning to look for anomalous usage of weak encryption algorithms, which should result in a reduced false positive rate. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1098 | Account Manipulation | This control's "Suspicious additions to sensitive groups (external ID 2024)" alert can utilize machine learning to detect when an attacker adds users to highly privileged groups. Adding users is done to gain access to more resources and to gain persistence. This detection relies on profiling the group modification activities of users and alerting when an abnormal addition to a sensitive group is observed. Defender for Identity profiles continuously.<br>This alert provides Partial coverage of this technique with a reduced false-positive rate by utilizing machine learning models. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1543 | Create or Modify System Process | This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1543.003 | Windows Service | This control's "Suspicious service creation (external ID 2026)" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization. Because this detection is specific to these hosts, the coverage score is Minimal, resulting in Minimal detection. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1071 | Application Layer Protocol | This control provides Partial detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1071.004 | DNS | This control's "Suspicious communication over DNS (external ID 2031)" alert can detect malicious communication over DNS used for data exfiltration, command and control, and/or evading corporate network restrictions. The accuracy of this alert is unknown and therefore its score has been assessed as Partial. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1048 | Exfiltration Over Alternative Protocol | This control provides Partial detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | This control's "Suspicious communication over DNS (external ID 2031)" alert can detect malicious communication over DNS used for data exfiltration, command and control, and/or evading corporate network restrictions. The accuracy of this alert is unknown and therefore its score has been assessed as Partial. |