Azure microsoft_defender_for_identity Mappings

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Mappings

Capability ID: microsoft_defender_for_identity
Capability Description: Microsoft Defender for Identity
(The capability ID and description apply to every mapping below. Each mapping lists the category, value, ATT&CK ID, ATT&CK name, and assessment notes.)

ATT&CK ID: T1087
ATT&CK Name: Account Discovery
Category: detect
Value: minimal
Comments: This control provides significant detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1087.002
ATT&CK Name: Domain Account
Category: detect
Value: significant
Comments: The following alert of this control is able to detect domain account discovery: "Account enumeration reconnaissance (external ID 2003)". This activity shouldn't occur frequently, and therefore the false positive rate should be minimal. The "Security principal reconnaissance (LDAP) (external ID 2038)" alert is also relevant, and its machine learning capabilities should reduce the false positive rate. The "User and IP address reconnaissance (SMB) (external ID 2012)" alert can also provide a detection for a variation of this sub-technique.

ATT&CK ID: T1482
ATT&CK Name: Domain Trust Discovery
Category: detect
Value: minimal
Comments: This control's "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" alert may be able to detect this technique. There are statements in the documentation for the alert, such as "Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...", that may indicate support for detecting this technique. The level of detection, though, is unknown, and therefore a conservative assessment of a Minimal score is assigned.

ATT&CK ID: T1201
ATT&CK Name: Password Policy Discovery
Category: detect
Value: minimal
Comments: This control's "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" alert may be able to detect this technique. There are statements in the documentation for the alert, such as "Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...", that may indicate support for detecting this technique. The level of detection, though, is unknown, and therefore a conservative assessment of a Minimal score is assigned.

ATT&CK ID: T1069
ATT&CK Name: Permission Groups Discovery
Category: detect
Value: minimal
Comments: This control provides significant detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1069.002
ATT&CK Name: Domain Groups
Category: detect
Value: significant
Comments: This control's "Security principal reconnaissance (LDAP) (external ID 2038)" alert can be used to detect when an adversary "perform[s] suspicious LDAP enumeration queries or queries targeted to sensitive groups that use methods not previously observed." This alert employs machine learning, which should reduce the number of false positives. Additionally, this control's "User and Group membership reconnaissance (SAMR) (external ID 2021)" alert can detect this sub-technique and also employs machine learning, which should reduce the false positive rate.

ATT&CK ID: T1210
ATT&CK Name: Exploitation of Remote Services
Category: detect
Value: minimal
Comments: This control's "Remote code execution over DNS (external ID 2036)" alert looks for an attacker attempting to exploit CVE-2018-8626, a remote code execution vulnerability in Windows Domain Name System (DNS) servers. In this detection, a Defender for Identity security alert is triggered when DNS queries suspected of exploiting the CVE-2018-8626 vulnerability are made against a domain controller in the network. Likewise, this control's "Suspected SMB packet manipulation (CVE-2020-0796 exploitation)" alert can detect exploitation of a remote code execution vulnerability in SMBv3. Because these detections are specific to a few CVEs, coverage is Minimal, resulting in a Minimal score.

ATT&CK ID: T1550
ATT&CK Name: Use Alternate Authentication Material
Category: detect
Value: partial
Comments: This control provides partial detection for some of this technique's sub-techniques (due to an unknown false-positive/true-positive rate), resulting in a Partial score.

ATT&CK ID: T1550.002
ATT&CK Name: Pass the Hash
Category: detect
Value: partial
Comments: This control's "Suspected identity theft (pass-the-hash) (external ID 2017)" alert specifically looks for pass-the-hash attacks, but there is not enough information to determine its effectiveness, and therefore a conservative assessment of a Partial score is assigned. This control's "Suspected identity theft (pass-the-ticket) (external ID 2018)" alert specifically looks for pass-the-ticket attacks, but there is not enough information to determine its effectiveness, and therefore a conservative assessment of a Partial score is assigned.

ATT&CK ID: T1550.003
ATT&CK Name: Pass the Ticket
Category: detect
Value: partial
Comments: This control's "Suspected identity theft (pass-the-hash) (external ID 2017)" alert specifically looks for pass-the-hash attacks, but there is not enough information to determine its effectiveness, and therefore a conservative assessment of a Partial score is assigned. This control's "Suspected identity theft (pass-the-ticket) (external ID 2018)" alert specifically looks for pass-the-ticket attacks, but there is not enough information to determine its effectiveness, and therefore a conservative assessment of a Partial score is assigned.

ATT&CK ID: T1557
ATT&CK Name: Man-in-the-Middle
Category: detect
Value: minimal
Comments: This control provides minimal detection for one of this technique's sub-techniques and no detection for the other, resulting in an overall Minimal score.

ATT&CK ID: T1557.001
ATT&CK Name: LLMNR/NBT-NS Poisoning and SMB Relay
Category: detect
Value: minimal
Comments: This control's "Suspected NTLM relay attack (Exchange account) (external ID 2037)" alert can detect NTLM relay attacks specific to the Exchange service. Because this detection is limited to this variation of the sub-technique, its coverage score is Minimal, resulting in an overall Minimal score.

ATT&CK ID: T1110
ATT&CK Name: Brute Force
Category: detect
Value: partial
Comments: This control provides significant detection of some of the sub-techniques of this technique and has therefore been assessed an overall score of Partial.

ATT&CK ID: T1110.003
ATT&CK Name: Password Spraying
Category: detect
Value: significant
Comments: This control's "Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives. Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert can detect brute force attacks using LDAP simple binds. The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant, but the details are sparse.

ATT&CK ID: T1110.001
ATT&CK Name: Password Guessing
Category: detect
Value: significant
Comments: This control's "Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives. Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert can detect brute force attacks using LDAP simple binds. The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant, but the details are sparse.

ATT&CK ID: T1558
ATT&CK Name: Steal or Forge Kerberos Tickets
Category: detect
Value: partial
Comments: This control provides partial detection for most of this technique's sub-techniques, resulting in an overall Partial score.

ATT&CK ID: T1558.003
ATT&CK Name: Kerberoasting
Category: detect
Value: partial
Comments: This control's "Suspected Kerberos SPN exposure (external ID 2410)" alert is able to detect when an attacker uses tools to enumerate service accounts and their respective SPNs (service principal names), requests a Kerberos service ticket for the services, captures the Ticket Granting Service (TGS) tickets from memory and extracts their hashes, and saves them for later use in an offline brute force attack. Similarly, its "Suspected AS-REP Roasting attack (external ID 2412)" alert is able to detect the AS-REP Roasting sub-technique. The accuracy of these alerts is unknown, and therefore the score has been assessed as Partial.

ATT&CK ID: T1558.004
ATT&CK Name: AS-REP Roasting
Category: detect
Value: partial
Comments: This control's "Suspected Kerberos SPN exposure (external ID 2410)" alert is able to detect when an attacker uses tools to enumerate service accounts and their respective SPNs (service principal names), requests a Kerberos service ticket for the services, captures the Ticket Granting Service (TGS) tickets from memory and extracts their hashes, and saves them for later use in an offline brute force attack. Similarly, its "Suspected AS-REP Roasting attack (external ID 2412)" alert is able to detect the AS-REP Roasting sub-technique. The accuracy of these alerts is unknown, and therefore the score has been assessed as Partial.

ATT&CK ID: T1558.001
ATT&CK Name: Golden Ticket
Category: detect
Value: partial
Comments: This control has numerous alerts that can detect Golden Ticket attacks from multiple perspectives. The accuracy of these alerts is unknown, resulting in a Partial score.

ATT&CK ID: T1133
ATT&CK Name: External Remote Services
Category: detect
Value: minimal
Comments: This control's "Suspicious VPN connection (external ID 2025)" alert utilizes machine learning models to learn normal VPN connections for a user and detect deviations from the norm. This detection is specific to VPN traffic, and therefore its overall coverage is Minimal.

ATT&CK ID: T1555
ATT&CK Name: Credentials from Password Stores
Category: detect
Value: minimal
Comments: This control provides minimal detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1555.003
ATT&CK Name: Credentials from Web Browsers
Category: detect
Value: minimal
Comments: This control's "Malicious request of Data Protection API master key (external ID 2020)" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. DPAPI is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data. This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage, resulting in a Minimal score.

ATT&CK ID: T1047
ATT&CK Name: Windows Management Instrumentation
Category: detect
Value: minimal
Comments: This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via WMI. This may lead to false positives, as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.

ATT&CK ID: T1059
ATT&CK Name: Command and Scripting Interpreter
Category: detect
Value: minimal
Comments: This control provides Minimal detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1059.001
ATT&CK Name: PowerShell
Category: detect
Value: minimal
Comments: This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via PowerShell. This may lead to false positives, as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.

ATT&CK ID: T1021
ATT&CK Name: Remote Services
Category: detect
Value: minimal
Comments: This control provides Minimal detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1021.002
ATT&CK Name: SMB/Windows Admin Shares
Category: detect
Value: minimal
Comments: This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via PsExec. This may lead to false positives, as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. This control's "Data exfiltration over SMB (external ID 2030)" alert may also be able to detect exfiltration of sensitive data from domain controllers using SMB.

ATT&CK ID: T1569
ATT&CK Name: System Services
Category: detect
Value: minimal
Comments: This control provides Minimal detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1569.002
ATT&CK Name: Service Execution
Category: detect
Value: minimal
Comments: This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via PsExec. This may lead to false positives, as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.

ATT&CK ID: T1207
ATT&CK Name: Rogue Domain Controller
Category: detect
Value: significant
Comments: This control's "Suspected DCShadow attack (domain controller promotion) (external ID 2028)" and "Suspected DCShadow attack (domain controller replication request) (external ID 2029)" alerts can detect this technique. The false positive rate should also be low, as the number and identity of domain controllers on the network should change very infrequently.

ATT&CK ID: T1003
ATT&CK Name: OS Credential Dumping
Category: detect
Value: minimal
Comments: This control provides significant and partial detection for a few of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal coverage score.

ATT&CK ID: T1003.006
ATT&CK Name: DCSync
Category: detect
Value: significant
Comments: This control's "Suspected DCSync attack (replication of directory services) (external ID 2006)" alert can detect DCSync attacks. The false positive rate should be low because the identity of domain controllers on the network changes infrequently, so replication requests received from non-domain controllers should be a red flag.

ATT&CK ID: T1003.003
ATT&CK Name: NTDS
Category: detect
Value: minimal
Comments: The documentation for this control's "Data exfiltration over SMB (external ID 2030)" alert implies that it may be able to detect the transfer of sensitive data such as Ntds.dit from monitored domain controllers. This is specific to domain controllers and therefore results in a reduced coverage score.

ATT&CK ID: T1556
ATT&CK Name: Modify Authentication Process
Category: detect
Value: minimal
Comments: This control provides minimal detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1556.001
ATT&CK Name: Domain Controller Authentication
Category: detect
Value: partial
Comments: This control's "Suspected skeleton key attack (encryption downgrade) (external ID 2010)" alert can detect skeleton key attacks. This alert provides partial coverage, as it detects a specific type of malware, Skeleton Key malware, and its use of weaker encryption algorithms to hash users' passwords on the domain controller. The description of the alert implies it utilizes machine learning to look for anomalous usage of weak encryption algorithms, which should result in a reduced false positive rate.

ATT&CK ID: T1098
ATT&CK Name: Account Manipulation
Category: detect
Value: partial
Comments: This control's "Suspicious additions to sensitive groups (external ID 2024)" alert utilizes machine learning to detect when an attacker adds users to highly privileged groups. Adding users is done to gain access to more resources and to gain persistence. This detection relies on profiling the group modification activities of users and alerting when an abnormal addition to a sensitive group is observed. Defender for Identity profiles continuously. This alert provides Partial coverage of this technique with a reduced false positive rate by utilizing machine learning models.

ATT&CK ID: T1543
ATT&CK Name: Create or Modify System Process
Category: detect
Value: minimal
Comments: This control provides minimal detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1543.003
ATT&CK Name: Windows Service
Category: detect
Value: minimal
Comments: This control's "Suspicious service creation (external ID 2026)" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization. As a result of this detection being specific to these hosts, the coverage score is Minimal, resulting in Minimal detection.

ATT&CK ID: T1071
ATT&CK Name: Application Layer Protocol
Category: detect
Value: minimal
Comments: This control provides Partial detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1071.004
ATT&CK Name: DNS
Category: detect
Value: partial
Comments: This control's "Suspicious communication over DNS (external ID 2031)" alert can detect malicious communication over DNS used for data exfiltration, command and control, and/or evading corporate network restrictions. The accuracy of this alert is unknown, and therefore its score has been assessed as Partial.

ATT&CK ID: T1048
ATT&CK Name: Exfiltration Over Alternative Protocol
Category: detect
Value: minimal
Comments: This control provides Partial detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.

ATT&CK ID: T1048.003
ATT&CK Name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Category: detect
Value: partial
Comments: This control's "Suspicious communication over DNS (external ID 2031)" alert can detect malicious communication over DNS used for data exfiltration, command and control, and/or evading corporate network restrictions. The accuracy of this alert is unknown, and therefore its score has been assessed as Partial.