Unmasking the Shadows: The Art of Threat Hunting in Defender for Identity
In the tangled world of cybersecurity, where threats often wear the cloak of invisibility, defenders must become hunters, actively seeking out their elusive adversaries. Within this digital battleground, Microsoft Defender for Identity emerges as a formidable ally, empowering cybersecurity teams to become vigilant hunters of potential threats before they strike.
The battle is unending in cybersecurity, and threats evolve with each passing day. But with Defender for Identity as a trusted companion, be ready for the challenges ahead. You know that proactive threat hunting is the best defense approach.
The story of threat hunting in Defender for Identity illustrates the importance of being a proactive guardian in the digital wilderness. It’s a reminder that organizations can turn the tide against even the most elusive cyber threats with the right tools and mindset. As the sun sets on another day in cybersecurity, remember the shadows may hide danger, but with Defender for Identity, you can unmask the threats that lurk within.
This post walks through the cyber threat-hunting approach and takes Microsoft Defender for Identity a few steps further by combining Advanced Hunting Queries (AHQ) with that approach.
Cyber Threat Hunting
Cyber Threat Hunting is a valuable approach to Threat Detection to find cyber threats within an enterprise’s network before they do any damage. This includes looking for weak spots and signs of ongoing attacks within a digital infrastructure. Threat Hunting requires specific processes, solutions, and expertise.
Cyber threat hunting combines the human element with a dedicated solution’s considerable data processing power and specific security tools that will use solutions and intelligence to find adversaries who may evade typical defenses using techniques such as living off the land. Human threat hunters lean on data from complex security monitoring and analytics tools to help them proactively identify and neutralize threats.
The questions are where to start and what the right approach is. There are many answers and approaches to this, but first, let’s review some basic principles.
Situational Awareness
Threat Hunters must know the system architecture, network infrastructure, and asset configurations. Fine-tuned visibility into the organization’s digital ecosystem allows them to move on to further steps both tactically and strategically. Situational awareness means that Threat Hunters know the potential targets of attackers and the current level of protection. When it comes to the elements of the environment, hunters also view those “within a volume of time and space, the comprehension of their meaning, and the projection of their status into the near future.” A correct configuration of security tools and solutions is essential to have that kind of visibility.
Cyber Threat landscape
The Threat landscape is an overview of all the cyber threats that might pose a risk. Many of them can only be assumed by Threat Hunters because there is not enough information about how they operate, what their goals are, and so on. They might be invisible to the researcher’s eye. In some sources, you’ll find that the threat landscape lists all the known threats, but this view is limited. It is better to acknowledge that part of the threat landscape is still in the shadows. Nevertheless, it exists, and Threat Hunters usually work with that shadow part.
The Attack Surface
The Attack Surface areas can be internal or external. The Attack surface is the overall number of vulnerabilities, potential misconfigurations, and anomalies in the organization’s digital infrastructure. Since today many software applications have numerous dependencies and are often deployed on cloud servers, it is barely possible to define a network perimeter as such. Hence, the attack surface increases. Understandably, the attack surface increases exponentially with the complexity of the network. And let’s not forget that threats exist even when there are no vulnerabilities.
In the cloud, the attack surface is huge; with Active Directory, as we know, the attack surface is well known but can still be bypassed in many scenarios.
Risk Prioritization
There are many approaches to creating and maintaining cybersecurity risk management. Organizations employ frameworks from NIST, CIS, ISO, and many more. It’s all about defining the risks that apply to a particular business context, prioritizing and representing them, documenting mitigation playbooks, and regularly reviewing their efficiency.
What does risk management have to do with Threat Hunting? It’s where everything starts. For example, out of 100% of risky patterns, % are patched, % are not applicable due to network configuration, automated security solutions handle %, and % are remediated manually. So what’s left is % of the unknown risks. That’s where Threat Hunting starts.

Those are only the basic principles, but they are the ones that set the boundaries. Why? Without them, you can start Threat hunting at a specific point and end at another point irrelevant to the hunting process.
Types of Threat Hunting
Structured
Structured threat hunting is one of the approaches used by cybersecurity professionals to proactively search for signs of malicious activity or potential security threats within an organization’s network or systems. This type of threat hunting involves a systematic and well-organized methodology for identifying and mitigating security threats.
It can be based on Indicators of Attack (IoA) mapped to MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs). The point of such a granular view of kill chains is to hunt down attackers before they know it.
Here are some key types of structured threat-hunting techniques:
Anomaly-based threat hunting focuses on identifying deviations from established baseline behavior. Security analysts continuously monitor network and system activity to detect unusual or suspicious patterns, which may indicate the presence of a security threat. Machine learning and behavioral analytics are often used to establish baseline behavior and detect anomalies.
Indicator of Attack (IoA) hunting involves looking for signs of malicious behavior that are not tied to known indicators of compromise (IoCs). Instead, it seeks to identify unusual or suspicious sequences of events or actions that could indicate an ongoing or potential attack, even if the attack is novel or unknown.
Intelligence-driven threat hunting relies on external intelligence sources to identify potential threats that may target an organization. Security teams use threat feeds, reports, and indicators from various sources to proactively search for relevant threats within their network and systems.
TTP (Tactics, Techniques, and Procedures)-based Hunting focuses on identifying threat actors’ tactics, techniques, and procedures. Security analysts analyze historical attack data and research threat actor behavior to proactively search for evidence of specific attack methods or tactics within their organization’s environment.
Attack Surface Reduction aims to reduce the organization’s attack surface by identifying and eliminating unnecessary or vulnerable assets, services, or configurations that attackers could exploit. It involves a proactive review of the network and system architecture.
Data-centric threat hunting involves monitoring and analyzing data flows and data access patterns to detect unusual or unauthorized activities related to data handling. This can help identify data breaches or data exfiltration attempts.
Unstructured
A suspicious event might act as a trigger for launching unstructured hunting. To gain more context, a Cyber Threat Hunter wants to gather all sorts of information. What happened before and after the trigger? What else happened? Do those events correlate, and how? They want to answer all these questions.
Unstructured threat hunting is a more flexible and creative approach to proactively searching for signs of malicious activity or security threats within an organization’s network and systems. Unlike structured threat hunting, which follows predefined methodologies and techniques, unstructured threat hunting relies on cybersecurity professionals’ intuition, experience, and expertise. Here are some key characteristics and methods associated with unstructured threat hunting:
Hypothesis-Driven – Unstructured threat hunting often begins with formulating hypotheses or theories about potential security threats. Security analysts leverage their knowledge of the organization’s environment, industry trends, and threat landscape to create hypotheses about where and how threats might manifest.
Ad Hoc Investigations – Unstructured threat hunting is not bound by rigid procedures or checklists. Instead, it allows security analysts to conduct ad hoc investigations and explore various data sources, logs, and network traffic to uncover signs of suspicious or anomalous behavior.
Creative Problem-Solving – This approach encourages creative problem-solving and out-of-the-box thinking. Security professionals may experiment with different search queries, data sources, or data correlation techniques to uncover hidden threats that may not be detectable using traditional methods.
Flexibility – Unstructured threat hunting does not follow a fixed timeline or process. Analysts can change their focus and investigative methods as they gather new information or insights during the hunt.
Expertise-Driven – The success of unstructured threat hunting heavily relies on the expertise and experience of security analysts. Seasoned professionals can use their knowledge of attack techniques, threat actors, and system behaviors to effectively guide their investigations.
Continuous Learning – Unstructured threat hunting fosters a culture of continuous learning and adaptation. Security teams may learn from each investigation, refine their hypotheses, and improve their detection capabilities.
Open-Ended Goals – Unstructured threat hunting does not have predefined success criteria or specific goals. Analysts may uncover various security issues, from previously undetected threats to misconfigurations or process improvements.
Collaboration – In unstructured threat hunting, collaboration among security analysts and different security teams (e.g., incident response, threat intelligence) is essential. Sharing insights and findings can provide a more comprehensive understanding of the threat landscape.
Situational
Situational threat-hunting is an approach that involves tailoring threat-hunting activities to specific situations or contexts within an organization. It emphasizes adapting threat-hunting strategies and techniques to address immediate or evolving security concerns. Situational threat hunting is highly dynamic and responsive, focusing on real-time or near-real-time threats and vulnerabilities. Here are some critical aspects of situational threat hunting:
Context-Driven – Situational threat hunting is driven by the organization’s current security context or situation. It considers recent incidents, changes in the threat landscape, business operations, and vulnerabilities that may require immediate attention.
Rapid Response – This approach emphasizes the need for quick response and action. Security teams closely monitor security events and alerts to detect and investigate potential threats as they arise, aiming to mitigate them swiftly.
Threat Intelligence Integration – Situational threat hunting often involves the integration of threat intelligence feeds and sources to stay informed about emerging threats. Security analysts rely on up-to-date threat intelligence to adapt their hunting techniques and focus on relevant threats.
Incident-driven – Situational threat hunting frequently aligns with incident response efforts. When a security incident occurs, threat hunters may focus on investigating the incident’s scope, identifying the root cause, and preventing further damage.
Tailored Strategies – Threat-hunting strategies are tailored to the specific situation. Depending on the circumstances, analysts may prioritize particular data sources, identities, endpoints, or network segments for investigation.
Continuous Monitoring – Organizations engaged in situational threat hunting continuously monitor their networks and systems. They actively look for signs of compromise and vulnerabilities and adjust their hunting activities accordingly.
Agility – Agility is a crucial characteristic of situational threat hunting. Security teams must be flexible and adapt to changing circumstances, which may involve shifting priorities, reallocating resources, or modifying their investigative techniques.
Collaboration – Collaboration across different security teams and departments is essential in situational threat hunting. Sharing information and expertise allows for a more holistic approach to addressing immediate threats.
Documentation and Analysis – Thorough documentation and analysis of situational threat-hunting activities are crucial. This information helps organizations understand the evolving threat landscape and improve their incident response and mitigation strategies.
Feedback Loop – Situational threat hunting often involves a feedback loop that helps organizations learn from each situation. Lessons from previous incidents or threat-hunting efforts inform future strategies and enhance the organization’s security.

Threat Hunting Maturity Model
The Threat Hunting Maturity Model is a framework used to assess an organization’s capabilities and maturity level in the field of threat hunting, which is a proactive approach to cybersecurity aimed at identifying and mitigating threats that may have bypassed traditional security measures. This model helps organizations evaluate their current state, set goals for improvement, and establish a roadmap for advancing their threat-hunting capabilities. Here is a simplified version of a typical Threat Hunting Maturity Model, which may vary in complexity depending on specific frameworks or methodologies:
Level 0 – Initial: At this level, organizations rely primarily on automated alerts from security tools. There is little to no proactive threat hunting, and any threat detection is based on predefined rules in security tools.
Level 1 – Minimal: Organizations at this level might have some threat intelligence feeds and use them to search for indicators of compromise (IoCs) within their environment. However, the process is mainly manual and not very frequent.
Level 2 – Procedural: Organizations have a more structured approach at this stage. They may have dedicated threat-hunting teams that regularly perform hunts based on known tactics, techniques, and procedures (TTPs). The hunting process is often based on standard procedures and checklists.
Level 3 – Innovative: Organizations at this level have a mature threat-hunting process. They look for known threats and try to identify new and unknown threats. They leverage advanced tools, analytics, and machine learning to find anomalies in their environment.
Level 4 – Leading: This is the highest level of maturity. Organizations at this level have integrated threat hunting into their daily security operations. They have a deep understanding of their environment and the threat landscape. They proactively search for threats, often developing their tools and techniques and collaborating with external organizations to share findings and intelligence.
Organizations can use this model to assess their current capabilities and set goals for where they want to be in terms of threat-hunting maturity. It’s important to note that the actual levels and their descriptions might vary based on the source or the specific version of the maturity model you’re looking at, but the general idea remains consistent.

It’s important to note that the maturity model may differ from one organization to another and may be adapted to fit a particular business’s requirements and goals. Advancing through these levels requires investment in technology, training, and personnel and a commitment to continuously improve the organization’s threat-hunting capabilities.
More information about Threat Hunting Maturity Model: Hunting Maturity Model by SANS.
Threat Hunting Criteria
Threat hunting is a proactive approach to cybersecurity that involves actively searching for signs of malicious activity or potential threats within an organization’s network or systems. Threat hunters typically use technology, data analysis, and human expertise to identify and mitigate security threats before they can cause significant damage. To conduct effective threat hunting, you should establish criteria and guidelines to guide your efforts.
Hypothesis-Driven: Instead of waiting for alerts, threat hunters develop hypotheses based on their knowledge of the network, its vulnerabilities, and potential threats. These hypotheses guide their investigations.
Deep Understanding of the Environment: Knowing the normal patterns and behaviors within an organization’s network is crucial. This includes understanding the typical traffic patterns, user behavior, and system activities.
Proactive and Iterative: Threat hunting is not a one-time event. It is a continuous process where hunters proactively seek out anomalies and iteratively refine their hypotheses and searches.
Intelligence Gathering: Threat hunters often utilize threat intelligence, which includes information about current threat actors and their tactics, techniques, and procedures (TTPs). This intelligence can come from various sources, including industry reports, threat intelligence feeds, and incident reports.
Use of Advanced Analytical Tools: Threat hunters employ tools, from basic system logs to advanced machine learning algorithms, to sift through data and identify anomalies.
Human-Centric: While automation and machine learning play a significant role, the human element is crucial in threat hunting. The intuition, experience, and expertise of a threat hunter are irreplaceable.
Advanced Analytical Skills: Threat hunters require strong analytical skills to examine complex data sets. They often use data analysis, pattern recognition, and advanced security analytics to identify unusual activities that may indicate a security threat.
Holistic View of the Network: Threat hunters don’t just focus on one part of the network. They take a holistic view, considering all data sources, network segments, and potential attack vectors.

By integrating these criteria, you can more effectively seek out and mitigate sophisticated cyber threats that might otherwise remain undetected in your network.
Active Directory & MITRE
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive matrix and knowledge base for cyber threat modeling. It’s essentially a framework that categorizes and details the various tactics, techniques, and procedures (TTPs) adversaries may use to infiltrate and operate within an enterprise network. Here are some specific highlights:
Adversary Tactics and Techniques: It looks at attackers’ specific methods. These can range from initial access methods, like phishing, to lateral movement within the network and data exfiltration techniques.
Post-Compromise Behavior: A significant aspect of the model is its emphasis on post-compromise activities. This includes how attackers maintain persistence, escalate privileges, and move laterally within a network after gaining initial access.
Use in Threat Modeling and Security Planning: Organizations use MITRE ATT&CK to improve their understanding of potential threats and to enhance their security posture. By understanding the TTPs that adversaries use, they can better prepare defenses, develop more effective security strategies, and conduct thorough incident response planning.
The Active Directory Side
Let’s explore the connection between Active Directory security and the MITRE ATT&CK framework:
Active Directory Vulnerabilities in the MITRE ATT&CK Framework
- Many tactics and techniques in the MITRE ATT&CK framework pertain to AD. For example:
  - Credential Dumping: Attackers often target AD to obtain credentials, which can be used for lateral movement and privilege escalation.
  - Kerberoasting: A technique where attackers request Kerberos service tickets and then try to crack them offline to obtain service account credentials.
  - Pass the Ticket/Pass the Hash: Techniques that exploit how Windows handles authentication.
- These techniques show how AD can be exploited and underscore the importance of securing AD environments.
Defending Active Directory Using MITRE ATT&CK
- By understanding the techniques listed in the ATT&CK framework, defenders can better prepare their AD environments against these known threats.
- Mitigations may include:
  - Regularly monitoring and auditing AD logs to detect unusual or unauthorized activities.
  - Implementing multi-factor authentication.
  - Regularly updating and patching systems to prevent exploitation.
  - Limiting administrative privileges and applying the principle of least privilege.
Mapping Threat Intelligence to MITRE ATT&CK
- Organizations can map threat intelligence reports to ATT&CK techniques to understand how potential threats might target their AD environment.
- By understanding adversaries’ TTPs (Tactics, Techniques, and Procedures), organizations can better defend their AD environments against potential threats.
Enhanced Visibility
- The ATT&CK framework can help organizations understand where they may lack visibility in their AD environment. By mapping detected events to ATT&CK techniques, organizations can identify areas where they might be blind to potential threats.
Training and Simulations
- Red team exercises and penetration tests can simulate the techniques in the ATT&CK framework to test an organization’s defenses, especially in the context of AD.
- This helps organizations identify weaknesses and improve their defenses before an actual attacker can exploit them.

Active Directory in MITRE ATT&CK.
Within Active Directory, MITRE ATT&CK is a critical resource for organizations to identify, understand, and defend against specific threats targeting their AD infrastructure, strengthening their overall cybersecurity posture.
Advanced Hunting
Advanced Hunting in Microsoft Defender for Identity is a powerful feature that allows security analysts to query and investigate security-related data across their organization’s identities, especially in Active Directory. It provides a flexible and customizable way to search for and analyze potential threats, anomalies, and security incidents using a structured query language called KQL.
Alerting: Advanced Hunting lets you set up custom alerts based on query results. This is useful for proactively identifying and responding to potential security incidents.
Threat Hunting: Security analysts can use Advanced Hunting for proactive threat hunting. You can uncover hidden threats by constructing queries for unusual or suspicious activities.
Incident Response: When a security incident occurs, Advanced Hunting can investigate the incident’s scope, determine the attack’s timeline, and identify affected identities.
Integration: Microsoft Defender for Identity can integrate with other security tools and solutions, allowing you to correlate data from different sources for a more comprehensive view of your organization.
Visualization: Advanced Hunting supports data visualization, enabling you to create charts and graphs to better understand the data you’re querying. This can help identify trends and anomalies.
Advanced Hunting Dashboard in the Defender XDR
Once you’ve landed on the Advanced Hunting dashboard in the Defender XDR, you can run many actions in the following categories:
The Schema includes multiple tables that provide either event information or information about devices, alerts, identities, and other entity types.
Functions are enrichment functions in advanced hunting that let you write more accurate queries.
Query provides the input field for the commands and the query itself.
Export provides the query output with all results.
Filters provide a quick way to add filters to the query.
Create Detection Rules lets you proactively monitor various events and system states.
Tip: Always use a limit to avoid substantial result sets when trying new queries. You can also initially assess the size of the result set using counts.
Advanced Hunting Breaking Down
Behind the scenes, Advanced Hunting works with many components, tables, features, data sources, and various platforms and options. The way it works is exciting, so let’s break it down.
Data Sources
Advanced Hunting supports queries and data from various workspaces, including data about devices, emails, apps, and identities from the following platforms:
- Alerts & Behaviors
- Apps & Identities
- Email & Collaboration
- Devices
- Defender Vulnerability Management
Data Types
Advanced Hunting data has two main types:
Event or Activity includes tables such as alerts, security events, system events, and routine assessments. Data is received immediately after the sensors that collect them successfully transmit them to the corresponding cloud services.
Entity includes tables such as users and devices. This data comes from relatively static data sources, such as Active Directory entries, and dynamic sources, such as event logs.
To provide new data, tables are updated every 15 minutes with any further information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
Tip: When joining tables, specify the table with fewer rows first
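The two points above (entity tables are refreshed every 15 minutes, so the same account appears in many rows, and the smaller table belongs on the left of a join) can be put to work in one query. The following is an added example, not a query from the original post. It assumes the documented IdentityInfo columns (Timestamp, AccountUpn, IsAccountEnabled, Department, JobTitle) and IdentityLogonEvents columns (Timestamp, ActionType, AccountUpn, DeviceName, IPAddress, DestinationDeviceName, Protocol, LogonType, ReportId), and looks for successful logons by accounts the directory currently reports as disabled. Any hit is worth a look: either the snapshot is stale, or an account was re-enabled and used outside of change control.

```kql
// Added example (not from the original post): successful logons by accounts that the
// directory currently reports as disabled.
let DisabledAccounts =
    IdentityInfo
    | where isnotempty(AccountUpn)
    // IdentityInfo is refreshed every 15 minutes, so one account appears in many rows.
    // Keep only the newest snapshot per account before filtering and joining.
    | summarize arg_max(Timestamp, IsAccountEnabled, Department, JobTitle) by AccountUpn
    | where IsAccountEnabled == false
    | project AccountUpn, Department, JobTitle;
// The small, already-filtered table goes on the left of the join.
DisabledAccounts
| join kind=inner (
    IdentityLogonEvents
    | where Timestamp > ago(7d)
    | where ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, AccountUpn, DeviceName, IPAddress,
              DestinationDeviceName, Protocol, LogonType, ReportId
) on AccountUpn
| project LogonTime, AccountUpn, Department, JobTitle, DeviceName, IPAddress,
          DestinationDeviceName, Protocol, LogonType, ReportId
| order by LogonTime desc
| take 100
```

Before removing the `take 100`, replace the last two lines with `| count` to see how large the result set is; if the same UPN is known to the directory from both on-premises AD and the cloud, `arg_max` keeps whichever snapshot is newer, so check a few rows of `IdentityInfo` for such an account before trusting the disabled flag.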
Schema Tables
All data sources fall into a few schema types, and each schema type groups the tables that represent its events, activities, and entities.
| Alerts & Behaviors | Apps & Identities | Email & Collaboration | Devices | Defender Vulnerability Management |
|---|---|---|---|---|
| AlertEvidence | AADSignInEventsBeta | EmailEvents | DeviceInfo | DeviceBaselineComplianceAssessment |
| AlertInfo | AADSpnSignInEventsBeta | EmailAttachmentInfo | DeviceNetworkInfo | DeviceBaselineComplianceProfiles |
| BehaviorEntities | CloudAppEvents | EmailUrlInfo | DeviceProcessEvents | DeviceTvmBrowserExtensions |
| BehaviorInfo | IdentityDirectoryEvents | EmailPostDeliveryEvents | DeviceNetworkEvents | DeviceTvmBrowserExtensionsKB |
| | IdentityInfo | UrlClickEvents | DeviceFileEvents | DeviceTvmCertificateInfo |
| | IdentityLogonEvents | | DeviceRegistryEvents | DeviceTvmHardwareFirmware |
| | IdentityQueryEvents | | DeviceLogonEvents | DeviceTvmInfoGathering |
| | | | DeviceImageLoadEvents | DeviceTvmInfoGatheringKB |
| | | | | DeviceTvmSecureConfigurationAssessment |
| | | | | DeviceTvmSecureConfigurationAssessmentKB |
| | | | | DeviceTvmSoftwareEvidenceBeta |
| | | | | DeviceTvmSoftwareInventory |
| | | | | DeviceTvmSoftwareVulnerabilities |
| | | | | DeviceTvmSoftwareVulnerabilitiesKB |
Tip: Look in a specific column rather than running full-text searches across all columns
Schema Columns
Each table is described by its column names and data types, and each column holds the actual information.
The column name identifies the information type. Each table and schema type has its own set of column names, which is why the Email and Device tables differ.
The data type defines how each value is stored, using shared types such as string, bool, int, datetime, and long.
For example, the DeviceNetworkInfo table contains information about the networking configuration, including network adapters, IP and MAC addresses, and connected networks or domains.
Tip: each table has its own set of columns, so you cannot compare Email columns directly to Identity columns.
Remember, every table has different columns, but in many situations they overlap for the most common information types. For example, the following query filters and processes events where AD group memberships changed, focusing specifically on groups that are considered sensitive.

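The author’s query was an image that did not survive extraction. As an added example that is not the author’s query, this is how such a filter can be written over IdentityDirectoryEvents. It assumes the documented columns of that table (Timestamp, ActionType, AdditionalFields, AccountUpn, AccountSid, TargetAccountDisplayName, TargetAccountUpn, DeviceName, ReportId); the `TO.GROUP` and `FROM.GROUP` keys are the ones the “Group Membership changed” event populates inside AdditionalFields, and the list of sensitive groups is a constructed placeholder to replace with your own Tier 0 groups. The projected columns already include Timestamp, ReportId, and account identifiers, so the same query can later be turned into a custom detection rule.

```kql
// Added example (not the author's query): membership changes that add an object to a
// sensitive AD group. The group list is a placeholder; use your own Tier 0 groups.
let SensitiveGroups = dynamic([
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators"]);
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where ActionType == "Group Membership changed"
| extend Fields = parse_json(AdditionalFields)
// TO.GROUP is populated when an object was added to a group, FROM.GROUP when it was removed.
| extend ToGroup = tostring(Fields["TO.GROUP"]), FromGroup = tostring(Fields["FROM.GROUP"])
| where ToGroup in~ (SensitiveGroups)   // in~ matches case-insensitively
| project Timestamp, ReportId,
          ActorUpn = AccountUpn, ActorSid = AccountSid,
          AddedObject = TargetAccountDisplayName, AddedObjectUpn = TargetAccountUpn,
          ToGroup, DeviceName
| order by Timestamp desc
```

Inspect one raw event (`| take 1`, then expand AdditionalFields) before relying on the key names, and keep `FromGroup` in the projection if removals from sensitive groups are also of interest.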
Functions
Functions allow you to find more accurate information and, in some cases, to speed up analysis in Advanced Hunting. Functions are reusable queries or query parts, and advanced hunting ships a built-in one: FileProfile. A function is a type of query in advanced hunting that can be used in other queries as if it were a command. You can create custom functions to reuse query logic when you hunt in your environment.
The FileProfile() function is an enrichment function in advanced hunting that adds the following data to files found by the query.

Queries
The Queries area of Advanced Hunting is significant because it makes the hunter’s life more manageable. There are hundreds of Advanced Hunting queries, for example for Delivery, Execution, C2, and much more. Besides, you can save all your queries to My Queries and run them whenever you want.

Custom Detection
With custom detections, you can proactively monitor and respond to various events and system states, including suspected activities and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts and response actions.
In general, Custom detections provide:
- Alerts for rule-based detections built within advanced hunting queries
- Automatic response actions and remediations that apply to files and devices
You can create a custom detection rule with a specific response in the following steps:
- Prepare the query
- Create a rule and provide alert details
- Specify actions
Custom Detection Highlights
To create a custom detection rule, the query must return the following columns:
- Timestamp – used to set the timestamp for generated alerts
- ReportId – enables lookups for the original records
- The following columns identify specific objects: AccountObjectId, AccountSid, AccountUpn, and others.

Now that we know Advanced Hunting, we can move on and create queries for the Active Directory scenarios.
Threat Hunting in MDI
Now that we have briefly understood Cyber Threat Hunting and MITRE ATT&CK, we can proceed to the central part: running Threat Hunting in Microsoft Defender for Identity (MDI). In real life, we often apply only some of the principles of the threat-hunting models (HMM), for many reasons: missing skills, lack of people, lack of time, and plain reality.
If I can provide one winning TIP, it is to apply at least the threat-hunting models (HMM) to Microsoft Defender for Identity (MDI). This makes a big difference between “just doing threat hunting” and the method of “Managed Threat Hunting in MDI.”
Threat hunting in Microsoft Defender for Identity is a proactive security approach that involves searching for signs of malicious activities or potential security threats within your organization’s Active Directory environment. Microsoft Defender for Identity focuses on detecting and protecting against threats related to identity and authentication. Here are some steps you can take to perform threat hunting in Microsoft Defender for Identity:
Investigate Suspicious Activities – Use the portal’s investigation capabilities to explore alerts or suspicious activities. Investigate any anomalies or incidents related to identity and authentication.
Use Hunting Queries – Microsoft Defender for Identity provides built-in hunting queries to help you search for suspicious behaviors or patterns. These queries are based on known attack techniques and are continuously updated by Microsoft. Customize these queries to match your organization’s needs.
Create Custom Hunting Queries – You can create custom hunting queries to search for signs of compromise or unusual activities within your organization’s network. These queries can be tailored to your environment and threat landscape.
Analyze Authentication Data – Focus on authentication data and user behaviors. Look for unusual login patterns, failed attempts, privilege escalation, or suspicious lateral movement.
Check for Credential Theft or Misuse – Monitor for signs of credential theft or misuse. Look for instances where user credentials are used inappropriately, such as multiple failed logins from different locations.
Stay Informed – Keep up to date with the latest security threats and attack techniques. Microsoft regularly publishes threat intelligence reports and updates to help you stay informed about emerging threats.
Collaborate with Other Security Tools – Integrate Microsoft Defender for Identity with other security tools and services within your organization’s security ecosystem. This can help you correlate data and gain a more comprehensive view of your security landscape.
Continuous Improvement – Threat hunting is an ongoing process. Continuously refine your hunting techniques and queries based on your findings and the evolving threat landscape.

Alert categories
The Microsoft Defender for Identity (MDI) security alerts are divided into the following categories or phases, like those seen in a typical cyberattack kill chain. Learn more about each phase and the alerts designed to detect each attack using the following links:
- Reconnaissance alerts
- Compromised credentials alerts
- Lateral movement alerts
- Domain dominance alerts
- Exfiltration alerts
Alert classifications
Following proper investigation, all Defender for Identity security alerts can be classified as one of the following activity types:
- True Positive (TP): A malicious action detected.
- Benign True Positive (B-TP): A real action was detected, but it is not malicious, such as a penetration test or known activity generated by an approved application.
- False Positive (FP): A false alarm, meaning the activity didn’t happen and was incorrectly raised.
TIP: Threat Actors target and abuse Active Directory. Blue-Teamers and Defenders must understand Active Directory much better to look for the relevant artifacts.
Microsoft Defender for Identity monitors information from Active Directory, network, and event activities to detect suspicious activity. The information enables Defender for Identity to help you determine the validity of each potential threat and correctly triage and respond.
In the case of a threat or true positive, Defender for Identity allows you to discover the scope of the breach for each incident, investigate which entities are involved, and determine how to remediate them. The information monitored by Defender for Identity is presented as activities. More information is in the Monitored activities page of the Microsoft Defender for Identity documentation.
Advanced Hunting – MDI Heroes
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for known and potential threats. As a general rule of thumb, all Defender for Identity activities available in Microsoft Defender XDR fit into one of four data sets.
Hunting Tables
Defender for Identity provides a few tables in the advanced hunting schema containing information about queries performed against Active Directory objects. The tables are:
The IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps. It covers Azure AD logon activities tracked by Defender for Cloud Apps, specifically interactive sign-ins and authentication activities using ActiveSync and other legacy protocols.
The IdentityDirectoryEvents table in the advanced hunting schema contains events involving an on-premises domain controller running Active Directory. This table captures various identity-related events, like password changes, expiration, and UPN changes. It also captures system events on the Domain Controller, like the scheduling of tasks and PowerShell activity.
The IdentityInfo table in the advanced hunting schema contains information about user accounts obtained from various services, including Azure Active Directory.
The IdentityQueryEvents table in the advanced hunting schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains.
Note: Remember that other tables, such as AlertInfo and AlertEvidence, can be part of the investigation. Each table depends on the investigation type and the information within.
Threat Hunting Scenario
While there are many Threat-Hunting and investigation scenarios in Defender for Identity, I took a specific one – Searching for old AD protocols and finding artifacts that could lead to exposure in the network.
Using (and sending) LDAP passwords in clear text has never been a good idea because it makes it easy for attackers to steal credentials. Unfortunately, in mid-size and large organizations, it is quite tedious to identify and fix all the applications that still use this insecure method of LDAP binding. And if no one is complaining, it is easy to put off these basic cyber hygiene tasks.
What information does the prevent clear text security assessment provide? This security assessment monitors your traffic for any entities exposing credentials in clear text. It alerts you to your organization’s current exposure risks with suggested remediation.
Why is clear text credential exposure risky? Entities exposing credentials in clear text are risky not only for the exposed entity in question but for your entire organization. The increased risk is because unsecured traffic, such as LDAP simple-bind, is highly susceptible to interception by attacker-in-the-middle attacks. These attacks result in malicious activities, including credential exposure, in which attackers can leverage credentials for malicious purposes.
Why do we need a threat-hunting scenario for something that is already a built-in report in Defender for Identity? Because we need to dig into each action, entity, and reason. If Defender for Endpoint is also deployed, its tables give us even more context.
What do we need for this Threat Hunting in MDI? Permission to run Advanced Hunting queries, Defender for Identity with full sensor coverage, a clear idea of what we are looking for, and, optionally, the Defender for Endpoint tables.
Phase 1 – Know the Field
The first phase is to get your feet wet, which means running many queries that provide a wide picture of the Active Directory protocols in use.
Which AD Protocol is in Use? This query is designed to count and categorize logon events from Active Directory over the past 31 days, grouping them by the protocol, operating system platform, type of logon, and action type. This query helps analyze patterns and trends in logon activities.
IdentityLogonEvents
| where Timestamp >= ago(31d)
| where Application == "Active Directory"
| summarize count() by Protocol, OSPlatform, LogonType, ActionType
The big question is: can I do something about the protocols that are in use? Apart from the LDAP cleartext actions, any legacy protocol that shows up here is a candidate for clean-up. In large AD environments, the number of actions will be very high. For the LDAP cleartext entries specifically, we need more information.

The pie chart view of the same results provides an additional perspective.

Check whether any successful cleartext binds come from outside the internal network.
IdentityLogonEvents
| where Timestamp >= ago(3d)
| where Application == "Active Directory"
| where Protocol == "Ldap"
| where LogonType == "LDAP cleartext"
| where FailureReason == "Success"
| where ISP != "INTERNAL_NETWORK"
| summarize count() by ActionType, FailureReason, AccountName, DestinationPort
Summarize by FailureReason.
IdentityLogonEvents
| where Timestamp >= ago(31d)
| where Application == "Active Directory"
| where Protocol == "Ldap"
| where LogonType == "LDAP cleartext"
| summarize count() by FailureReason, ActionType
The next query checks the events whose FailureReason is InvalidCredentials.
IdentityLogonEvents
| where Timestamp >= ago(31d)
| where Application == "Active Directory"
| where Protocol == "Ldap"
| where LogonType == "LDAP cleartext"
| where FailureReason == "InvalidCredentials"
| summarize count() by AccountDisplayName
| order by count_

Collected Artifacts – OSPlatform, LogonType, ActionType, IP Addresses, FailureReason, AccountName, DestinationPort.
Now that we have collected information about the AD protocols and the LDAP, we can go to the next phase, and this phase will work with the collected artifacts.
Phase 2 – Get the Actor
In this phase, we need to know the specific actors, where they come from, what they do, and more.
Check for binds from a non-legitimate IP address.
In this query, we identify potential security breaches or unauthorized access attempts made through LDAP with clear text authentication in an Active Directory environment. It helps pinpoint which accounts might be compromised and the source of these attempts. Why do we need to add the legitimate IPs? These IPs were collected from the previous queries, and excluding them leaves only the unexpected sources of LDAP requests.
let LegitIP = dynamic([
"ip address"
]);
IdentityLogonEvents
| where Timestamp >= ago(31d)
| where Application == "Active Directory"
| where Protocol == "Ldap"
| where LogonType == "LDAP cleartext"
| where IPAddress !in (LegitIP)
| summarize count() by AccountDisplayName, IPAddress
The following query summarizes these filtered events by grouping them based on the account display name, action type, port number, and the name of the destination device. This summary would help understand the frequency and nature of potentially insecure LDAP cleartext logons from a specific IP address, potentially highlighting security vulnerabilities or misuse within the network.
IdentityLogonEvents
| where Timestamp >= ago(31d)
| where Application == "Active Directory"
| where Protocol == "Ldap"
| where LogonType == "LDAP cleartext"
| where IPAddress == "ip address"
| summarize count() by AccountDisplayName, ActionType, Port, DestinationDeviceName
This query seeks to provide insights into successful LDAP cleartext logon events in an Active Directory environment, broken down by user accounts and operating systems, within the last month. This can be useful for security analysis, particularly in identifying potential vulnerabilities or patterns in logon activities.
IdentityLogonEvents
| where Timestamp >= ago(31d)
| where Application == "Active Directory"
| where Protocol == "Ldap"
| where LogonType == "LDAP cleartext"
| where ActionType == "LogonSuccess"
| extend Fields = parse_json(AdditionalFields)
| extend OS = tostring(Fields.DestinationComputerOperatingSystem)
| summarize count() by AccountDisplayName, ActionType, OS

Note: remember to save the relevant artifacts. What counts as a relevant artifact? Anything in the output that is unique to your environment.
Phase 3 – LDAP Behavior
This query counts authentication requests per day. It shows us the pattern of all the logons a service account has made: the results count the authentication requests for each day together with the service account they belong to. In the results, we can also see where the service account has logged on to.

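As an added example (not one of the post's own queries), the daily pattern described above can be built with the same IdentityLogonEvents columns used earlier on this page; the ServiceAccounts list is a placeholder you fill with your own account names, and the day-over-day delta is an extra step to make sudden changes stand out.

```kql
// Added example, not from the original post. Daily LDAP cleartext bind count per
// service account, with the sources and destinations seen that day.
// ServiceAccounts is a placeholder list: replace it with the accounts you are tracking.
let ServiceAccounts = dynamic(["svc-example-app"]);
IdentityLogonEvents
| where Timestamp >= ago(31d)
| where Application == "Active Directory"
| where Protocol == "Ldap"
| where LogonType == "LDAP cleartext"
| where AccountName in~ (ServiceAccounts)
| summarize Binds = count(),
            Sources = make_set(IPAddress),
            Destinations = make_set(DestinationDeviceName)
    by Day = startofday(Timestamp), AccountName
// Order per account and day so prev() compares each day with the previous one
| sort by AccountName asc, Day asc
| extend PrevBinds = iff(prev(AccountName) == AccountName, prev(Binds), long(null))
| extend DayOverDayDelta = Binds - PrevBinds
| project Day, AccountName, Binds, PrevBinds, DayOverDayDelta, Sources, Destinations
```

A new destination device or a large positive delta on a single day is what to look at first; a service account that binds to the same few hosts every day is the expected baseline.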
Looking for Anomalies
This additional query is designed to analyze identity logon events from Active Directory using the LDAP protocol over the past 31 days, focusing specifically on LDAP cleartext logons. It creates a time series analysis to detect anomalies in the count of distinct logon types, grouped by account details, over 3-hour intervals. The final output would include details about these anomalies, such as the count, timestamp, and scores, but as written the query shows all expanded records from the last 3 hours, not just anomalies (the anomaly filter is commented out).
let lookBack_long = 30d;
let TimeFrame = 3h;
let AnomalyThreshold = 3;
IdentityLogonEvents
| where Timestamp >= ago(31d)
| where Application == "Active Directory"
| where Protocol == "Ldap"
| where LogonType == "LDAP cleartext"
| make-series DistinctIdentityCount = dcount(LogonType) on Timestamp in range(startofday(ago(lookBack_long)), now(), TimeFrame) by AccountName, AccountSid
| extend (AnomaliesDetected, AnomaliesScore, AnomaliesBaseline) = series_decompose_anomalies(DistinctIdentityCount, AnomalyThreshold, -1, 'linefit')
| mv-expand DistinctIdentityCount to typeof(double), Timestamp to typeof(datetime), AnomaliesDetected to typeof(double), AnomaliesScore to typeof(double), AnomaliesBaseline to typeof(long)
//| where AnomaliesDetected == 1
| where Timestamp >= ago(TimeFrame)

Now that we have a large amount of information about the LDAP protocol, especially LDAP cleartext, we can verify that the requests are legitimate, understand what the anomalies are, and plan the next steps to mitigate LDAP cleartext binds.
In Conclusion
Threat hunting in Active Directory and Defender for Identity involves proactively identifying and mitigating potential security threats. Based on the queries above and general threat-hunting practice, here are some key conclusions:
- Anomaly Detection is Crucial.
- Focus on High-Value Targets.
- Comprehensive Data Analysis.
- Threshold-Based Alerting.
- Contextual Information is Key.
- Proactive Hunting Reduces Risks.
- Continuous Improvement of Detection Capabilities.
Effective threat hunting in Active Directory and Defender for Identity requires advanced analytical techniques, focused monitoring of sensitive accounts, contextual data enrichment, and proactive strategies. It is also important to continuously adapt and refine these strategies based on the evolving cybersecurity landscape and organizational changes.