New Microsoft Entra Connect sensor

August 2024 Update

New Microsoft Entra Connect sensor:
As part of our ongoing effort to enhance Microsoft Defender for Identity coverage in hybrid identity environments, we have introduced a new sensor for Microsoft Entra Connect servers. Additionally, we've released 3 new hybrid security detections and 4 new identity posture recommendations specifically for Microsoft Entra Connect, helping customers stay protected and mitigate potential risks.

New Microsoft Entra Connect Identity posture recommendations:

  • Rotate password for Microsoft Entra Connect connector account
    A compromised Microsoft Entra Connect connector account (the AD DS connector account, commonly shown as MSOL_XXXXXXXX) can grant access to high-privilege functions such as replication and password resets, allowing attackers to modify synchronization settings and compromise both cloud and on-premises environments, and offering several paths to compromising the entire domain. This assessment recommends that customers change the password of MSOL accounts whose password was last set more than 90 days ago.
  • Remove unnecessary replication permissions for Microsoft Entra Connect Account
    By default, the Microsoft Entra Connect connector account is granted extensive permissions to ensure proper synchronization, even when some of them aren't actually required. If Password Hash Sync isn't configured, it's important to remove the unnecessary replication permissions to reduce the potential attack surface.
  • Change password for Microsoft Entra seamless SSO account configuration
    This report lists all Microsoft Entra seamless SSO computer accounts whose password was last set more than 90 days ago. Unlike ordinary computer accounts, the password of the Azure SSO computer account isn't automatically changed every 30 days. If an attacker compromises this account, they can generate service tickets for the AZUREADSSOACC account on behalf of any user and impersonate any user in the Microsoft Entra tenant that is synchronized from Active Directory. An attacker can use this to move laterally from Active Directory into Microsoft Entra ID.
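The following read-only audit script is an added example, not part of this update or of the DefenderForIdentity module: it reports the three conditions the posture recommendations above describe (stale MSOL_* connector passwords, a stale AZUREADSSOACC password, and which principals hold replication extended rights on the domain) so that an administrator can see what the assessments would flag. It assumes the ActiveDirectory RSAT module, read access to the domain, and the 90-day threshold quoted in the recommendations; the two replication-right GUIDs are the well-known AD extended-right identifiers.

```powershell
# Added audit script (not from the page or the DefenderForIdentity module). Read-only.
# Assumes: ActiveDirectory RSAT module, domain read access, 90-day threshold from the text.
Import-Module ActiveDirectory

$MaxAgeDays = 90
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)
$DomainDN   = (Get-ADDomain).DistinguishedName

# Well-known extended-right GUIDs that allow directory replication (the DCSync rights).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# 1. Connector accounts (MSOL_*) whose password was last set more than 90 days ago,
#    or never (PasswordLastSet empty), which the first recommendation would flag.
$StaleMsol = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff } |
    Select-Object SamAccountName, PasswordLastSet

# 2. Seamless SSO computer account: its password is not rotated automatically, so
#    report its age against the same threshold (third recommendation).
$Sso = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' -Properties PasswordLastSet
$SsoStale = [bool]$Sso -and ($Sso.PasswordLastSet -lt $Cutoff)

# 3. Principals holding replication rights on the domain naming context. The connector
#    account only needs Get-Changes-All when Password Hash Sync is configured
#    (second recommendation); anything else listed here deserves a review.
$Acl = Get-Acl -Path "AD:\$DomainDN"
$ReplHolders = $Acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $ReplRights.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $ReplRights[$_.ObjectType.ToString()]
        }
    }

"== MSOL_ connector accounts with password older than $MaxAgeDays days =="
$StaleMsol | Format-Table -AutoSize
"== AZUREADSSOACC password last set: $($Sso.PasswordLastSet) (older than threshold: $SsoStale) =="
"== Principals holding replication rights on $DomainDN =="
$ReplHolders | Sort-Object Principal, Right | Format-Table -AutoSize
```

The script changes nothing; remediation (rotating the passwords or trimming the ACL) remains a separate, deliberate step after the output has been reviewed.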

New Microsoft Entra Connect detections:

  • Suspicious Interactive Logon to the Microsoft Entra Connect Server
    Direct logins to Microsoft Entra Connect servers are highly unusual and potentially malicious. Attackers often target these servers to steal credentials for broader network access. Microsoft Defender for Identity can now detect abnormal logins to Microsoft Entra Connect servers, helping you identify and respond to these potential threats faster. It's specifically applicable when the Microsoft Entra Connect server is a standalone server and not operating as a Domain Controller.
  • User Password Reset by Microsoft Entra Connect Account
    The Microsoft Entra Connect connector account often holds high privileges, including the ability to reset users' passwords. Microsoft Defender for Identity now has visibility into those actions and will detect any usage of those permissions that is identified as malicious and non-legitimate. This alert is triggered only if the password writeback feature is disabled.
  • Suspicious writeback by Microsoft Entra Connect on a sensitive user
    While Microsoft Entra Connect already prevents writeback for users in privileged groups, Microsoft Defender for Identity expands this protection by identifying additional types of sensitive accounts. This enhanced detection helps prevent unauthorized password resets on critical accounts, which can be a crucial step in advanced attacks targeting both cloud and on-premises environments.

Additional improvements and capabilities:

  • New activity of any failed password reset on a sensitive account available in the ‘IdentityDirectoryEvents’ table in Advanced Hunting. This can help customers track failed password reset events and create custom detection based on this data.
  • Enhanced accuracy for the DC sync attack detection.
  • New health issue for cases where the sensor is unable to retrieve the configuration from the Microsoft Entra Connect service.
  • Extended monitoring for security alerts, such as PowerShell Remote Execution Detector, by enabling the new sensor on Microsoft Entra Connect servers.

Updated DefenderForIdentity PowerShell module
The DefenderForIdentity PowerShell module has been updated, incorporating new functionality and addressing several bug fixes. Key improvements include:

  • New New-MDIDSA Cmdlet: Simplifies creation of service accounts, with a default setting for Group Managed Service Accounts (gMSA) and an option to create standard accounts.
  • Automatic PDCe Detection: Improves Group Policy Object (GPO) creation reliability by automatically targeting the Primary Domain Controller Emulator (PDCe) for most Active Directory operations.
  • Manual Domain Controller Targeting: New Server parameter for Get/Set/Test-MDIConfiguration cmdlets, allowing you to specify a domain controller for targeting instead of the PDCe.
Version: August 2024 Update