Latest Discussions
Suspected identity theft (pass-the-ticket) on multiple endpoints krbtgt
User Kerb tkt was taken from DirectAccess always on VPN server which has local NPS then used on user computer to access multiple resources. Expected behavior observed. What conditions to use for suppressing this alert?

Related account: krbtgt
Suspect account: domain user
Hosts related: DC, DirectAccess server with local NPS
Source host: domain user machine

I can use the above SID and exclude but I'm hesitant as TP alerts may automatically close. I've several alerts like these daily.
logger2115 | Feb 14, 2025 | Brass Contributor | 252 Views | 0 likes | 2 Comments

Using gMSA with ATP results in many 2947 events
We have an ATP deployment with several domains and different Trusts. We have 3 different credentials in use, 2 x 'ordinary' service accounts and 1 x gMSA. On the DCs in the domain where the gMSA is hosted the "Directory Service" event logs are full of 2947 events ("An attempt to fetch the password of a group managed service account failed.") for the gMSA. The source computers for these events are computers in other domains with the ATP sensor installed. Is there any way of filtering which credentials are used by the sensors in a given domain? The deluge of 2947 events is making it difficult to find useful information in the logs of the affected DCs.
StuartSquibb | Feb 05, 2025 | Copper Contributor | 12K Views | 0 likes | 13 Comments

Secure Score "this account is sensitive and cannot be delegated"
Hi, in Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'", in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?
starman2heven | Feb 03, 2025 | Brass Contributor | 1.8K Views | 0 likes | 27 Comments

Easiest way to view remediated risk detections?
I'm looking in Lighthouse at a series of risky logins that are remediated. The thing is, this tenant previously experienced a breach that got remediated, so I'm trying to be extra cautious. When I click "View in Entra", it brings up no risk detections. If I navigate to Protection > Risky Activities > Risky Sign-Ins I get nothing. Switching to all statuses, I still get nothing. Same thing happens if I go to Risk Detections, nothing. Short of bringing up each user and checking every single login to try to find what was risky, is there a way I can see these once the statuses are remediated? It seems like I SHOULD be able to... But here are the different ways I've tried filtering Risk detections: Risky Sign-Ins. Trying to understand the users popping in Lighthouse, but they don't appear with any of these filters (or the defaults).... Anyone able to advise? Thanks
[Solved] underQualifried | Feb 03, 2025 | Copper Contributor | 38 Views | 0 likes | 2 Comments
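For the remediated-risk-detections question above, an added example that is not code from the thread or from Microsoft: it pulls Entra ID Protection risk detections through the Microsoft Graph PowerShell SDK rather than the portal views, asking the API for the 'remediated' state explicitly, and shows the per-user risk history so the state changes (at risk, then remediated, and by what) are visible. It assumes the Microsoft.Graph SDK is installed, that the signed-in account can consent to IdentityRiskEvent.Read.All and IdentityRiskyUser.Read.All, and a look-back window of 30 days; the UPN in the usage line is a placeholder. Only the riskState filter is sent to the API; date and user are filtered locally.

```powershell
# Added example, not code from the original thread. Assumes the Microsoft.Graph
# PowerShell SDK and an account that can consent to the two risk read permissions.
Import-Module Microsoft.Graph.Identity.SignIns

function Get-RemediatedRiskDetections {
    param(
        [string]$UserPrincipalName,   # optional: limit to one user
        [int]$Days = 30               # assumption: look-back window
    )

    Connect-MgGraph -Scopes 'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.Read.All' -NoWelcome

    # Only riskState goes to the API; date and user are filtered locally so the
    # query does not depend on which other properties the endpoint can filter on.
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $detections = Get-MgRiskDetection -Filter "riskState eq 'remediated'" -All |
        Where-Object { $_.DetectedDateTime -ge $since }

    if ($UserPrincipalName) {
        $detections = $detections | Where-Object UserPrincipalName -eq $UserPrincipalName
    }

    $detections |
        Sort-Object DetectedDateTime |
        Select-Object DetectedDateTime, LastUpdatedDateTime, UserPrincipalName,
                      RiskEventType, RiskLevel, RiskState, IPAddress, DetectionTimingType
}

function Get-UserRiskHistory {
    # The riskyUsers history records each state change, including who or what remediated it.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    Get-MgRiskyUser -All |
        Where-Object UserPrincipalName -eq $UserPrincipalName |
        ForEach-Object {
            Get-MgRiskyUserHistory -RiskyUserId $_.Id -All |
                Sort-Object RiskLastUpdatedDateTime |
                Select-Object RiskLastUpdatedDateTime, RiskState, RiskLevel, RiskDetail, InitiatedBy
        }
}

# Usage (placeholder tenant and user):
Get-RemediatedRiskDetections -Days 90 | Format-Table -AutoSize
Get-UserRiskHistory -UserPrincipalName 'user@contoso.com' | Format-Table -AutoSize
```

Run the first function without a UPN to list everything the tenant still holds in the remediated state, then the second for the specific users Lighthouse flagged. Detections older than the service's retention period are not returned by the API either, so an empty result for an old incident is not by itself evidence that nothing happened.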
Attack simulation Payload editor - recently broken?
Hello, just last Wednesday, Jan. 8th, I created a new custom payload and was happy with the testing of the email. I logged in today and noticed that a majority of the formatting had been removed. I found this post: https://answers.microsoft.com/en-us/msoffice/forum/all/phishing-attack-simulation-payload-editor-is/88232e12-9744-4d87-9566-3fd5d8c2ed3a Seems like he is having the same issue I am facing. Nothing is centering and many of the blocks I have created are gone (i.e. the External email, banner). Anyone else having these issues or has anyone found a way to "fix" it? Here is a snip of the same payload, one sent Wednesday, the other Monday, Jan. 13th: Any help would be appreciated.
Ke11yLee | Jan 20, 2025 | Copper Contributor | 55 Views | 0 likes | 1 Comment

Suspected identity theft (pass-the-ticket) when switching LAN/WiFi
Hi, I see this alert "Suspected identity theft (pass-the-ticket)" when a user switches from LAN to WiFi or back. The laptop's DNS record has both IP addresses. I'm guessing Defender still thinks a different device is using the same Kerberos ticket. How do you deal with that? Can you tune the alert somehow so that it doesn't keep alerting?

Jan 16, 2025 4:15 PM: This Kerberos ticket was first observed on 1/16/25 4:15 PM on [Device Name] (Laptop IP1).
Jan 16, 2025 4:57 PM - Jan 16, 2025 4:57 PM: [Username] accessed [Server Name] (CIFS) from [Server IP] (Laptop IP2).

Thanks for your support
Osama_Salah | Jan 19, 2025 | Copper Contributor | 69 Views | 0 likes | 1 Comment

"The Sensor failed to register due to connectivity issues" when installing Azure ATP Sensor agent on DC
"The Sensor failed to register due to connectivity issues" when installing Azure ATP Sensor on a Domain Controller running Windows 2012 R2. Any suggestion would be appreciated.
SB_082030 | Jan 15, 2025 | Copper Contributor | 2.5K Views | 0 likes | 3 Comments

Defender for Identity updated itself, now it won't start
I had Defender for Identity 2.240.18218.5822 working on my DCs for several weeks. Then on September 24th 2024, the ATP sensors auto-updated themselves to 2.240.18224.34815. Now about half of them won't start anymore and logs are no longer being produced in the Logs folders:

No new logs produced in: C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18218.5822\Logs
No Logs folder exists in: C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815

This is the error when the service tries to start, in the event log:

The Azure Advanced Threat Protection Sensor Updater service terminated unexpectedly. It has done this 303511 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

I tried manually uninstalling and reinstalling on some of the servers but this has not worked.
RyanP1895 | Dec 10, 2024 | Copper Contributor | 276 Views | 0 likes | 7 Comments

Correct Defender for Identity setup in a multi-domain environment
I'm setting up Defender for Identity in a multi-domain environment. Let's call the top domain zzz.net with the subdomain xxx.zzz.net. The top domain has very few users and computers. The sub domain is where all the users, client computers, and more or less all the servers are. Best practice is to use a gMSA account. I have tried with one created in the top domain, but this did not work for the subdomain. I created a dedicated one for the subdomain and that seems to work for the subdomain. But there is no data for the top domain. Then I have created a normal service account in the top domain. In the Defender portal -> Directory service account I have specified it like this (this is the same account):

Account              Domain
def-svc              zzz.net
def-svc@zzz.net      xxx.zzz.net

Looks like it collects data from both domains, so it looks better. The sensor health is also OK in the portal. But there are very many error messages in the sensor log. Typically like this:

Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=dcxxx.xxx.zzz.net IsGlobalCatalog=True DistinguishedName=DC=778977744,DC=_msdcs.zz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net Scope=Base Filter=(|(objectClass=user)(objectClass=computer)(objectClass=group)) AttributeCount=65] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
  at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)

And:

Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=dc1.zzz.net IsGlobalCatalog=True DistinguishedName=DC=pc-xzy123,DC=xxx.zzz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net Scope=Base Filter=(|(objectClass=user)(objectClass=computer)(objectClass=group)) AttributeCount=65] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
  at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)

What is wrong and how to fix this?
MrCCWay | Dec 09, 2024 | Copper Contributor | 797 Views | 1 like | 5 Comments
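For the two gMSA threads above (the 2947 "attempt to fetch the password of a group managed service account failed" events, and the gMSA that works for one domain of the forest but not the other), an added example that is not code from the threads or from Microsoft. It reads which principals are allowed to retrieve the gMSA's managed password, expands groups (including nested ones) to computer objects, and reports every domain controller in each sensor domain that is not covered, since a DC that is not listed is not authorised to fetch the password and its sensor cannot use that gMSA. It assumes a single forest (a gMSA's password cannot be retrieved from another forest, so a separate gMSA or a standard account is needed per forest), a gMSA named mdiSvc hosted in zzz.net, groups that live in the gMSA's own domain, and sensors on every DC of zzz.net and xxx.zzz.net; all of these names are placeholders.

```powershell
# Added example, not code from the thread or from Microsoft. Assumes one forest,
# a gMSA called mdiSvc hosted in zzz.net, allowed groups living in zzz.net, and
# sensors on every DC of zzz.net and xxx.zzz.net (all placeholders).
Import-Module ActiveDirectory

function Get-GmsaRetrievalReport {
    param(
        [string]$GmsaName        = 'mdiSvc',                      # assumption
        [string]$GmsaDomain      = 'zzz.net',                     # assumption
        [string[]]$SensorDomains = @('zzz.net', 'xxx.zzz.net')    # assumption
    )

    $gmsa = Get-ADServiceAccount -Identity $GmsaName -Server $GmsaDomain `
                -Properties PrincipalsAllowedToRetrieveManagedPassword

    # Expand the allowed principals (computer objects and groups, nested) into a set
    # of computer DNs. A global catalog port is used so DNs from the child domain
    # resolve as well as those from the gMSA's own domain.
    $gc = "$($GmsaDomain):3268"
    $allowedDNs = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($dn in @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)) {
        $obj = Get-ADObject -Identity $dn -Server $gc
        switch ($obj.ObjectClass) {
            'computer' { [void]$allowedDNs.Add($obj.DistinguishedName) }
            'group'    {
                Get-ADGroupMember -Identity $dn -Server $GmsaDomain -Recursive |
                    Where-Object ObjectClass -eq 'computer' |
                    ForEach-Object { [void]$allowedDNs.Add($_.DistinguishedName) }
            }
        }
    }

    # Every DC running a sensor must be in that set. One that is not is refused the
    # managed password, and the refusal is logged on the DCs of the gMSA's domain.
    foreach ($domain in $SensorDomains) {
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                Domain          = $domain
                DC              = $_.HostName
                ListedAsAllowed = $allowedDNs.Contains($_.ComputerObjectDN)
            }
        }
    }
}

Get-GmsaRetrievalReport | Sort-Object ListedAsAllowed, Domain | Format-Table -AutoSize
```

ListedAsAllowed only reflects the retrieval ACL on the gMSA object. To confirm that a given DC can actually fetch the password, run `Test-ADServiceAccount -Identity mdiSvc` on that DC; it returns True when the local machine can retrieve it. A DC added to an allowed group needs a fresh Kerberos ticket for its own computer account (in practice a reboot) before the new membership takes effect, so a False result immediately after changing the group is expected.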