Blog Post

Security, Compliance, and Identity Blog
3 MIN READ

Using Microsoft Defender for Identity Data to Make Powerful Advanced Hunting Queries

Daniel Naim's avatar
Daniel Naim
Icon for Microsoft rankMicrosoft
Jun 01, 2021

It’s been a while since we last talked about the events captured by Microsoft Defender for Identity. We last published a blog in August last year and so we thought it would be a good opportunity to give you an update with the latest events you can use to hunt for threats on your domain controllers using advanced hunting in Microsoft 365 Defender.

 

As a general rule of thumb, all Defender for Identity activities that are available in Microsoft 365 Defender advanced hunting fit into one of four data sets:

 

  • IdentityInfo
  • IdentityLogonEvents
  • IdentityQueryEvents
  • IdentityDirectoryEvents

(Figure 1 - The advanced hunting console available as part of Microsoft 365 Defender)

 

 

Learn about accounts in your organization using IdentityInfo

 

Every effective threat hunting style investigation starts with understanding what users we are protecting, and this is what we are presented with using the IdentityInfo table. Although this data set is not exclusive to Defender for Identity, it does provide comprehensive details for the accounts being utilized in the environment. Using information made available from this data set, you can easily correlate different account attributes such as cloud / on-premises SID, UPN, and object ID.

 

This table also provides rich account information from Active Directory such as personal details (name, surname, city, country), professional information (job title, department, email address), and other AD attributes (domain, display name).

 

 

 

 

 

 

//Find out what users are disabled.
IdentityInfo
| where IsAccountEnabled == “0”
| summarize arg_max(AccountName,*) by AccountUpn

 

 

 

 

 

 

 

Correlating information between Defender for Identity and Defender for Endpoint

 

With Defender for Identity installed in your organization, your on-premises Active Directory identities are protected against advanced threats, and you also have visibility into various logon events. These authentication activities, along with those being captured by Azure AD feeds into IdentityLogonEvents data set, where you can hunt over authentication activities easily.

 

Defender for Identity activities are covering authentications over Kerberos, LDAP, and NTLM. Each authentication activity provides details such as the account information, the device the authentication activity was performing on, network information (such as the IP and port number), and more.

 

Harnessing this data, you can easily hunt over abnormal logons during non-working hours, learn more about logon routine in the network, and correlate data with Microsoft Defender for Endpoint.

 

 

 

 

 

 

// Enrich logon events with network activities happening on the device at the same time
IdentityLogonEvents
| where Timestamp > ago(7d)
| project LogonTime = Timestamp, DeviceName, AccountName, Application, LogonType
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| project NetworkConnectionTime = Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine  
) on DeviceName, AccountName
| where LogonTime - NetworkConnectionTime between (-2m .. 2m)

 

 

 

 

 

 

 

Queries targeting Active Directory objects

 

With IdentityQueryEvents, you can quickly find out what queries are targeting the domain controller. Queries can happen over the network either naturally by different services or legitimate activities in the network but can often be used by an attacker to perform reconnaissance activities on different objects like users, groups, devices or domains – seeking out those with certain attributes or privileges.

 

In certain attack vectors, like AS-REP Roasting that we covered in an earlier blog post, the reconnaissance portion often involves the attacker performing enumeration techniques to find users that have the pre-authentication attribute turned on. This can be found easily with a similar query:

 

 

 

 

 

 

IdentityQueryEvents
| where Timestamp > ago(1d)
| where QueryTarget == "Domain Admins"
| where Query contains "attribute"
| take 100

 

 

 

 

 

Track Active Directory changes

 

Finally, we have the IdentityDirectoryEvents table. In general, this table captures three categories of events on your domain controller:

  • Remote code execution.
  • Changes to attributes of Active Directory objects, including groups, users, and devices.
  • Other activities performed against the directory, such as replication or SMB session enumeration.

Also, starting with Defender for Identity version 2.148, if you configure and collect event ID 4662, Defender for Identity will report which user made the Update Sequence Number (USN) change to various Active Directory object properties. For example, if an account password is changed and event 4662 is enabled, the event will record who changed the password. As a result, this information can be found using advanced hunting.

 

Here is a sample query you can use:

 

 

 

 

 

// Track service creation activities on domain controllers
IdentityDirectoryEvents
| where ActionType == "Service creation"
| extend ServiceName = AdditionalFields["ServiceName"]
| extend ServiceCommand = AdditionalFields["ServiceCommand"]
| project Timestamp, ActionType, Protocol, DC = TargetDeviceName, ServiceName, ServiceCommand, AccountDisplayName, AccountSid, AdditionalFields
| limit 100

 

 

 

 

 

 

 

As always, please let us know what you think and how we can enhance this capability further. Let us know what you use advanced hunting for in the comments too!

 

To learn more about advanced hunting in Microsoft 365 Defender and these new enhancements, go to the following links:

Updated Jun 30, 2021
Version 2.0
No CommentsBe the first to comment