Defender for Identity Defender for Identity
Level-500-Referenz für Sensorarchitektur, Alert-Katalog, AD-CS-/AD-FS-Schutz, Entity-Tags, Action Accounts und SIEM/XDR-Integration in Defender for Identity. Level-500 reference for sensor architecture, alert catalog, AD CS/AD FS protection, entity tags, action accounts, and SIEM/XDR integration in Defender for Identity.
Sensorik
Sensoring
MDI nutzt Sensoren auf Domain Controllern oder Standalone-Sensoren, um Kerberos, NTLM, LDAP, DNS, SAMR und AD-CS-/AD-FS-Signale zu analysieren. MDI uses sensors on domain controllers or standalone sensors to analyze Kerberos, NTLM, LDAP, DNS, SAMR, and AD CS/AD FS signals.
Identity Attack Chain
Identity attack chain
Reconnaissance, Credential Access, Lateral Movement und Domain Dominance werden mit Alerting, Lateral Movement Paths und Security Posture Assessments verbunden. Reconnaissance, credential access, lateral movement, and domain dominance are connected through alerting, lateral movement paths, and security posture assessments.
Hybrid Reality
Hybrid reality
Defender for Identity schließt die Lücke zwischen On-Prem AD und Defender XDR, indem es klassische AD-Angriffe in die Cloud-Incident-Story hebt. Defender for Identity closes the gap between on-prem AD and Defender XDR by lifting classic AD attacks into the cloud incident story.
Action Accounts
Action accounts
Gesteuerte Zugriffe auf AD für Remediation und Lateral-Movement-Pfade erfordern dedizierte, gehärtete Action Accounts mit klaren Rechten. Controlled AD access for remediation and lateral movement paths requires dedicated, hardened action accounts with clear permissions.
🚨 Vollständige DC-Abdeckung
🚨 Full DC coverage
Uninstallierte Sensoren auf einzelnen Domain Controllern sind ein Blind Spot für Replikationsangriffe, Kerberos-Anomalien und laterale Bewegungen. Für belastbare Erkennung sollten alle DCs eines Forests abgedeckt sein. Missing sensors on even a few domain controllers create blind spots for replication attacks, Kerberos anomalies, and lateral movement. For reliable detection, cover all DCs in the forest.
Architektur, Sensoren und Kapazitätsplanung Architecture, sensors, and capacity planning
| Baustein Component | Beschreibung Description | Design-Hinweis Design note |
|---|---|---|
| Sensor auf Domain Controller Sensor on domain controller | Standardmodus für Kerberos-, NTLM-, LDAP-, DNS- und Event-Sicht direkt am DC Default mode for Kerberos, NTLM, LDAP, DNS, and event visibility directly on the DC | Bevorzugte Option, da kein Port Mirroring notwendig ist und alle lokalen Signale vorliegen. Preferred option because it avoids port mirroring and provides all local signals. |
| Standalone Sensor Standalone sensor | Separater Server analysiert gespiegelteten Verkehr Separate server analyzes mirrored traffic | Sinnvoll, wenn DCs restriktiv behandelt werden, aber höherer Netzwerk- und Mirror-Aufwand. Useful when DCs are tightly controlled, but it requires more network and mirroring effort. |
| Cloud Service Cloud service | Korrelation, Profiling, Lateral Movement Paths und XDR-Integration Correlation, profiling, lateral movement paths, and XDR integration | Die Cloud-Komponente liefert langfristige Lernmodelle und verbindet Identity Alerts mit Incidents. The cloud component provides long-term learning models and links identity alerts with incidents. |
| Action Accounts Action accounts | Lesende oder definierte administrative Zugriffe für Auflösung und Reaktion Read or scoped administrative access for resolution and response | Action Accounts getrennt pro Forest und nach Tiering-Konzept pflegen. Maintain action accounts separately per forest and according to your tiering model. |
| AD CS / AD FS Sensors AD CS / AD FS sensors | Erweitern die Sicht auf Zertifikate, PKINIT und Federation-Angriffe Extend visibility to certificates, PKINIT, and federation attacks | Für ESC8, suspicious certificates oder Golden-SAML-nahe Szenarien hochrelevant. Highly relevant for ESC8, suspicious certificates, or Golden SAML–adjacent scenarios. |
| Sizing-Aspekt Sizing aspect | Faustregel Rule of thumb | Kommentar Comment |
|---|---|---|
| CPU CPU | DC-Sensoren benötigen Reserven für Peak-Authentifizierung DC sensors need headroom for peak authentication load | Auf hoch frequentierten DCs CPU-Baselines vor Pilot und nach Sensorinstallation vergleichen. Compare CPU baselines on busy DCs before and after sensor deployment. |
| RAM RAM | Reserve für Deep Packet Inspection und lokale Caches Reserve memory for deep packet inspection and local caches | Zu knappe RAM-Planung erzeugt Sensor-Health-Warnungen und Paketverluste. Tight RAM sizing creates sensor health warnings and packet loss. |
| Storage Storage | Temporäre Sensor-Dateien, Logs und Updates berücksichtigen Account for temporary sensor files, logs, and updates | Kein riesiger Footprint, aber Systempartition darf nicht dauerhaft am Limit laufen. The footprint is not huge, but the system partition must not run near full long term. |
| Network Network | Konstante Erreichbarkeit der Cloud-Endpunkte und internen DC-Signale Consistent reachability to cloud endpoints and internal DC signals | Proxy, TLS Inspection und Firewall-Ausnahmen früh validieren. Validate proxy, TLS inspection, and firewall exceptions early. |
| Forest/Domain Scale Forest/domain scale | Mehr Forests bedeuten mehr Action Accounts, mehr DNS/LDAP-Komplexität More forests mean more action accounts and more DNS/LDAP complexity | Rollenmodell und Health Monitoring pro Forest sauber trennen. Separate the role model and health monitoring per forest. |
Installation, Silent Install, Proxy und Multi-Forest Installation, silent install, proxy, and multi-forest
| Voraussetzung Prerequisite | Warum Why | Prüfung Validation |
|---|---|---|
| Unterstütztes Windows Server Build Supported Windows Server build | Sensor muss mit DC- oder AD FS/AD CS-Rolle kompatibel sein Sensor must be compatible with the DC or AD FS/AD CS role | Vor Rollout OS-Build, Patches und Defender-Kompatibilität prüfen. Validate OS build, patch level, and Defender compatibility before rollout. |
| .NET und Sensor-Voraussetzungen .NET and sensor prerequisites | Benötigt aktuelle Laufzeit und unterstützte Plattformbibliotheken Requires current runtime and supported platform libraries | Prüfe Install-Logs automatisiert im Vorfeld von Massenrollouts. Check install logs automatically before bulk deployment. |
| Zeit-Synchronisation Time synchronization | Kerberos- und Replikationsanalysen hängen an exakten Zeitstempeln Kerberos and replication analytics rely on accurate timestamps | NTP-/w32time-Drift pro Forest überwachen. Monitor NTP/w32time drift per forest. |
| Port- und Proxy-Zugriff Port and proxy access | Cloud Upload und Servicekommunikation erfordern erlaubte Endpunkte Cloud upload and service communication require allowed endpoints | Authentifizierende Proxys und TLS Inspection separat testen. Test authenticating proxies and TLS inspection separately. |
| Rechte für Setup Setup permissions | Lokale Installation und Sensorregistrierung Local installation and sensor registration | Deployment-Konto nicht dauerhaft als hochprivilegierten Betriebsaccount weiterverwenden. Do not reuse the deployment account permanently as a highly privileged operations account. |
PowerShell
PowerShell
# Beispielhafter Silent Install des MDI-Sensors
Start-Process msiexec.exe -Wait -ArgumentList @(
'/i', 'Azure ATP Sensor Setup.msi',
'/qn',
'ACCESSKEY=<tenant-access-key>',
'PROXYURL=https://proxy.contoso.com:8080',
'WORKSPACE="Tier0-DC01"'
)
| Szenario Scenario | Empfehlung Recommendation | Hinweis Note |
|---|---|---|
| Mehrere Forests Multiple forests | Eigene Action Accounts und Health-Review pro Forest Separate action accounts and health review per forest | Forest-übergreifende Trusts ändern die Bedeutung von lateral movement und sensitive account mapping. Cross-forest trusts change the meaning of lateral movement and sensitive account mapping. |
| Proxy Proxy | System- oder Sensor-Proxy dokumentieren und monitoren Document and monitor system or sensor proxy settings | Proxy-Ausfall wirkt wie Telemetrieverlust; Health Alerts ernst nehmen. Proxy failure behaves like telemetry loss; treat health alerts seriously. |
| Standalone Sensor Standalone sensor | Port Mirroring / SPAN sauber dimensionieren Size port mirroring / SPAN properly | Fehlendes oder asymmetrisches Mirroring zerstört Erkennungsqualität. Missing or asymmetric mirroring destroys detection quality. |
Alert-Katalog nach Angriffsphase Alert catalog by attack phase
Reconnaissance und Discovery Reconnaissance and discovery
| Alert Alert | Phase Phase | Analystennutzen Analyst value |
|---|---|---|
| Account Enumeration reconnaissance (LDAP) Account Enumeration reconnaissance (LDAP) | Discovery Discovery | Zeigt systematisches Raten oder Enumerieren gültiger Benutzerkonten über cLDAP. Shows systematic guessing or enumeration of valid user accounts via cLDAP. |
| Network-mapping reconnaissance (DNS) Network-mapping reconnaissance (DNS) | Discovery Discovery | Erkennt übermäßige DNS-Anfragen oder AXFR-Missbrauch zur Netzwerkkartierung. Detects excessive DNS requests or AXFR misuse for network mapping. |
| User and Group membership reconnaissance (SAMR) User and Group membership reconnaissance (SAMR) | Discovery Discovery | Wichtig für Angreifer, die privilegierte Gruppen und sensible Konten kartieren. Important for attackers mapping privileged groups and sensitive accounts. |
| Honeytoken was queried via LDAP Honeytoken was queried via LDAP | Discovery Discovery | Sehr wertvoller High-Signal-Treffer auf absichtliche AD-Reconnaissance. A very valuable high-signal hit for intentional AD reconnaissance. |
| Security principal reconnaissance (LDAP) Security principal reconnaissance (LDAP) | Discovery / Credential Access Discovery / credential access | Typischer Vorläufer von Kerberoasting, weil SPN-tragende Konten gesucht werden. Typical precursor to Kerberoasting because SPN-bearing accounts are being searched. |
Compromised Credentials und Credential Access Compromised credentials and credential access
| Alert Alert | Typischer Angriff Typical attack | Kommentar Comment |
|---|---|---|
| Suspected Brute Force attack (Kerberos, NTLM) Suspected Brute Force attack (Kerberos, NTLM) | Password Guessing / Password Spray Password guessing / password spray | Ein zentraler Frühindikator für Initial Access und spätere Lateral Movement. A critical early indicator for initial access and subsequent lateral movement. |
| Suspected Brute Force attack (SMB) Suspected Brute Force attack (SMB) | SMB-basierte Passwortangriffe SMB-based password attacks | Oft in älteren Admin-Netzen oder bei Move-to-Server-Szenarien sichtbar. Often visible in legacy admin networks or server pivot scenarios. |
| Suspected Kerberos SPN exposure Suspected Kerberos SPN exposure | Kerberoasting Kerberoasting | Signalisiert SPN-Enumeration und Ticket-Sammeln für Offline-Knacken. Signals SPN enumeration and ticket collection for offline cracking. |
| Suspected AS-REP Roasting attack Suspected AS-REP Roasting attack | AS-REP roasting AS-REP roasting | Fokussiert auf Konten ohne Preauthentication und damit oft direkt auf Fehlkonfigurationen. Focuses on accounts without preauthentication and therefore often on configuration gaps. |
| Suspected DCSync attack (replication of directory services) Suspected DCSync attack (replication of directory services) | Hash-Diebstahl über Replikationsrechte Hash theft through replication rights | Eines der wichtigsten Domain-Dominance-Signale in Hybrid-AD-Umgebungen. One of the most important domain-dominance signals in hybrid AD environments. |
| Suspected AD FS DKM key read Suspected AD FS DKM key read | Golden-SAML-nahe Credential-/Key-Abgriffe Golden SAML–adjacent credential or key theft | Besonders kritisch bei Federation-lastigen Umgebungen. Especially critical in federation-heavy environments. |
| Abnormal AD FS authentication using a suspicious certificate Abnormal AD FS authentication using a suspicious certificate | Zertifikatsmissbrauch in AD FS Certificate abuse in AD FS | Starker Hinweis auf kompromittierte Federation- oder PKI-Ketten. Strong indicator of compromised federation or PKI chains. |
| Suspicious certificate usage over Kerberos protocol (PKINIT) Suspicious certificate usage over Kerberos protocol (PKINIT) | PKINIT- / Zertifikatsmissbrauch PKINIT or certificate abuse | Relevant bei Smartcards, Certificate Auth und AD-CS-Angriffspfaden. Relevant for smartcards, certificate auth, and AD CS attack paths. |
| Suspicious rogue Kerberos certificate usage Suspicious rogue Kerberos certificate usage | Persistenz mit missbräuchlichen Zertifikaten Persistence using abusive certificates | Kann auf kompromittierte CA- oder Backdoor-Konten hinweisen. Can point to a compromised CA or backdoor accounts. |
Lateral Movement und Remote Execution Lateral movement and remote execution
| Alert Alert | Technique Technique | Kommentar Comment |
|---|---|---|
| Suspected identity theft (pass-the-hash) Suspected identity theft (pass-the-hash) | Pass-the-Hash Pass-the-Hash | Klassisches Indiz für NTLM-Hash-Diebstahl und Server-Pivots. Classic evidence of NTLM hash theft and server pivots. |
| Suspected identity theft (pass-the-ticket) Suspected identity theft (pass-the-ticket) | Pass-the-Ticket Pass-the-Ticket | Zeigt Kerberos-Ticket-Reuse über mehrere Hosts hinweg. Shows Kerberos ticket reuse across multiple hosts. |
| Suspected overpass-the-hash attack (Kerberos) Suspected overpass-the-hash attack (Kerberos) | Overpass-the-Hash Overpass-the-Hash | Verbindet NTLM-basierte Secrets mit Kerberos-basiertem Seitwärtsgang. Connects NTLM-derived secrets with Kerberos-based lateral movement. |
| Suspected over-pass-the-hash attack (forced encryption type) Suspected over-pass-the-hash attack (forced encryption type) | Overpass + Encryption downgrade Overpass + encryption downgrade | Nützlich bei komplexeren Kerberos-Manipulationen und Ransomware-Ketten. Useful for more complex Kerberos manipulation and ransomware chains. |
| Remote code execution attempt Remote code execution attempt | PSExec, Remote WMI, PowerShell PSExec, remote WMI, PowerShell | Guter Brückenschlag zwischen Identity- und Endpoint-Erkennung. A good bridge between identity and endpoint detection. |
| Remote code execution attempt over DNS Remote code execution attempt over DNS | Exploit against DNS service Exploit against DNS service | Zeigt ausnutzbare DC-Rollen und fehlendes Patchen. Shows exploitable DC roles and missing patching. |
| Suspected SMB packet manipulation (CVE-2020-0796 exploitation) Suspected SMB packet manipulation (CVE-2020-0796 exploitation) | SMBGhost exploitation SMBGhost exploitation | Hilfreich für ungepatchte Legacy-Segmente und Domain-Controller-Schutz. Helpful for unpatched legacy segments and domain-controller protection. |
| Exchange Server Remote Code Execution (CVE-2021-26855) Exchange Server Remote Code Execution (CVE-2021-26855) | ProxyLogon / Exchange exploitation ProxyLogon / Exchange exploitation | Wichtig, wenn Exchange on-prem in derselben AD-Vertrauensdomäne existiert. Important when on-prem Exchange exists in the same AD trust boundary. |
Domain Dominance, Persistenz und AD CS Abuse Domain dominance, persistence, and AD CS abuse
| Alert Alert | Technique Technique | Warum kritisch Why critical |
|---|---|---|
| Suspected Golden Ticket usage (encryption downgrade) Suspected Golden Ticket usage (encryption downgrade) | Golden Ticket Golden Ticket | Oft frühes Signal für Kerberos-Manipulation und KRBTGT-bezogene Missbrauchsversuche. Often an early signal for Kerberos manipulation and KRBTGT abuse. |
| Suspected Golden Ticket usage (nonexistent account) Suspected Golden Ticket usage (nonexistent account) | Golden Ticket Golden Ticket | Sehr starkes Signal, weil ein nicht existierendes Konto mit einem TGT arbeitet. A very strong signal because a non-existent account operates with a TGT. |
| Suspected Golden Ticket usage (ticket anomaly) Suspected Golden Ticket usage (ticket anomaly) | Golden Ticket Golden Ticket | Findet strukturelle Ticket-Anomalien jenseits einfacher Time Checks. Finds structural ticket anomalies beyond simple time checks. |
| Suspected Golden Ticket usage (ticket anomaly using RBCD) Suspected Golden Ticket usage (ticket anomaly using RBCD) | Golden Ticket + RBCD Golden Ticket + RBCD | Verbindet Kerberos-Fälschung mit Resource Based Constrained Delegation. Combines Kerberos forgery with resource-based constrained delegation. |
| Suspected Golden Ticket usage (time anomaly) Suspected Golden Ticket usage (time anomaly) | Golden Ticket Golden Ticket | Nutzt ungewöhnliche Ticket-Lebensdauern als Persistenzindikator. Uses abnormal ticket lifetime as a persistence indicator. |
| Suspected skeleton key attack (encryption downgrade) Suspected skeleton key attack (encryption downgrade) | Skeleton Key Skeleton Key | Hinweis auf kompromittierten DC und manipulierten Auth-Prozess. Indicates a compromised DC and manipulated authentication process. |
| Suspected DCShadow attack (domain controller promotion) Suspected DCShadow attack (domain controller promotion) | DCShadow DCShadow | Rogue-DC-Registrierung ist eine direkte Bedrohung für AD-Integrität. Rogue DC registration is a direct threat to AD integrity. |
| Suspected DCShadow attack (domain controller replication request) Suspected DCShadow attack (domain controller replication request) | DCShadow DCShadow | Zeigt manipulierte Replikationsanfragen gegen echte DCs. Shows manipulated replication requests against real DCs. |
| Directory Services Restore Mode Password Change Directory Services Restore Mode Password Change | Persistenz / Recovery Control Persistence / recovery control | DSRM-Kennwortänderungen verdienen unmittelbare T0-Prüfung. DSRM password changes deserve immediate Tier 0 review. |
| Suspicious Domain Controller certificate request (ESC8) Suspicious Domain Controller certificate request (ESC8) | AD CS ESC8 AD CS ESC8 | Hoher Wert für PKI-basierte Privilege Escalation und Relay-Szenarien. High-value signal for PKI-based privilege escalation and relay scenarios. |
| Suspicious modifications to the AD CS security permissions/settings Suspicious modifications to the AD CS security permissions/settings | AD CS Abuse AD CS abuse | Änderungen an Zertifikatsrechten können das komplette Trust-Modell aufbrechen. Changes to certificate permissions can break the entire trust model. |
Entity Tags, Exclusions und Rollen Entity tags, exclusions, and roles
| Feature Feature | Nutzen Value | Best Practice Best practice |
|---|---|---|
| Sensitive Sensitive | Markiert besonders schützenswerte Konten oder Systeme Marks especially sensitive accounts or systems | Alle Tier-0-Admins, KRBTGT-nahe Konten und kritische Service-Accounts abdecken. Cover all Tier 0 admins, KRBTGT-adjacent accounts, and critical service accounts. |
| Honeytoken Honeytoken | Bewusst platzierte Lockkonten für High-Signal-Detections Deliberately placed decoy accounts for high-signal detections | Nicht produktiv verwenden und regelmäßig auf versehentliche Nutzung prüfen. Do not use for production and review regularly for accidental access. |
| Exchange Exchange | MDI kennt Exchange-spezifische Angriffsoberflächen besser MDI understands Exchange-specific attack surfaces better | Nützlich bei Hybrid- oder On-Prem-Exchange-Szenarien. Useful in hybrid or on-prem Exchange scenarios. |
| Exclusions Exclusions | Reduzieren bekannte False Positives Reduce known false positives | Nur nach Ursachenanalyse setzen; Exclusions nie als Ersatz für Härtung verwenden. Use only after root-cause analysis; never use exclusions as a replacement for hardening. |
Lateral Movement Paths, Health Issues und Security Posture Assessments Lateral movement paths, health issues, and security posture assessments
| Bereich Area | Beispiel Example | Nutzen Value |
|---|---|---|
| Lateral Movement Paths Lateral movement paths | Admin hat implizite Adminrechte auf viele Server An admin implicitly has administrative access to many servers | Hilft bei Priorisierung von Identity Hardening und Tiering-Maßnahmen. Helps prioritize identity hardening and tiering measures. |
| Sensor Health Sensor health | Verlorene Pakete, Port-Mirroring-Probleme, Cloud-Konnektivität Lost packets, port mirroring issues, cloud connectivity | Health-Probleme sind Detection-Probleme und sollten wie Security Debt behandelt werden. Health issues are detection issues and should be treated as security debt. |
| Security Posture Assessment Security posture assessment | Unsecure account attributes, stale entities, weak certificate templates Unsecure account attributes, stale entities, weak certificate templates | Operationalisiert AD-Hardening weit über Alerts hinaus. Operationalizes AD hardening well beyond alerts. |
| AD CS Assessments AD CS assessments | ESC-Schwächen, PKINIT-Risiken, sensitive enrollment paths ESC weaknesses, PKINIT risks, sensitive enrollment paths | Erweitert das klassische AD-Assessment um moderne PKI-Angriffswege. Extends classic AD assessment with modern PKI attack paths. |
Advanced Settings, SIEM-Integration und Action Accounts Advanced settings, SIEM integration, and action accounts
| Setting Setting | Wofür Used for | Hinweis Note |
|---|---|---|
| Cloud service access Cloud service access | Sensor-zu-Cloud-Kommunikation Sensor-to-cloud communication | Firewall- und Proxy-Ausnahmen dokumentieren und testen. Document and test firewall and proxy exceptions. |
| Directory Services accounts Directory Services accounts | Auflösung von Entitäten und Berechnungen Entity resolution and calculations | Mindestrechte vergeben und Passwortrotation automatisieren. Grant minimum rights and automate password rotation. |
| SIEM forwarding SIEM forwarding | MDI-Alerts in Sentinel oder Dritt-SIEM weitergeben Forward MDI alerts into Sentinel or third-party SIEM | Im XDR-Zielbild Sentinel lieber als Correlation Layer und nicht als reines Relay nutzen. In the target XDR model, use Sentinel as the correlation layer rather than a simple relay. |
| Action accounts Action accounts | Lateral movement path calculations und Response-Funktionen Lateral movement path calculations and response features | Dedizierte Konten pro Forest, kein Shared Admin und strenges Auditing. Dedicated accounts per forest, no shared admins, and strict auditing. |
Graph API, PowerShell und Betrieb Graph API, PowerShell, and operations
PowerShell
PowerShell
# Sensor- und Dienststatus prüfen (Beispiel)
Get-Service | Where-Object { $_.Name -like '*AATP*' -or $_.DisplayName -like '*Defender for Identity*' } |
Select-Object Name, Status, StartType
Test-NetConnection -ComputerName "login.microsoftonline.com" -Port 443
HTTP
HTTP
GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftDefenderForIdentity'
Authorization: Bearer <token>
HTTP
HTTP
GET https://graph.microsoft.com/v1.0/security/incidents?$filter=contains(displayName,'Identity')
Authorization: Bearer <token>