Latest Discussions
App secret (application secret) Azure AD - Azure AD App Secrets
Hello everyone. Please, I want to know what a "Secret App" is. By default, what is the secret app lifetime? What is the lifespan of an App Secret? Is it recommended to use short-lived app secrets or certificate authentication? How do you find secret apps? commentscanner to find Secret App?

Solved | ayoub92635 | Mar 22, 2023 | Copper Contributor | 143K Views | 0 likes | 10 Comments

Enriched NTLM authentication data using Windows Event 8004
Have you previously experienced NTLM authentication activities that came from unknown devices, such as Workstation or MSTSC? Would you like to discover the actual server being accessed inside the network? This information is now available in Azure ATP! Starting from Version 2.96, Azure ATP sensors parse Windows event 8004 for NTLM authentications. When NTLM auditing is enabled and Windows event 8004 is logged, Azure ATP sensors now automatically read the event and enrich your NTLM authentication activities display with the accessed server data.

New Resource Access over NTLM activity is now available, showing the source user, source device and the accessed resource: Joye Parsons (1) is accessing CLIENT2 from W10-000100 device over NTLM.

Enriched Failed log on activities provide the destination computer the user attempted, but failed, to access: Joye Parsons (1) failing to log on to CLIENT2 from W10-000100 device over NTLM.

In a future release, this data will also be available directly in authentication-based Azure ATP security alerts such as Brute Force and Account Enumeration. Stay tuned for more updates. As always, your feedback and questions are welcome!

Tali Ash | Sep 24, 2019 | Microsoft | 63K Views | 7 likes | 10 Comments

Suspected brute-force attack and None of the passwords attempted were previously used passwords
Suspected brute-force attack (Kerberos, NTLM) and None of the passwords attempted were previously used passwords. This makes me wonder. It knows it is a password that was not used before. But did the account try to log in 100x times with this password, or did it do 100x times a try with 100 passwords that were not used before? If it is the 100 tries with just 1 never-used password, it is possibly just someone who made a typo in a script (password), for example. If it was 100 different passwords, it is a much bigger issue. I cannot find in the documentation how I should read this. I am also not aware if there is an option to figure this out (Kusto query, for example). Anyone an idea?

Jeroen_van_der_Broek | Feb 27, 2023 | Copper Contributor | 51K Views | 0 likes | 4 Comments

AD Connect MSOL_ User + Suspected DCSync Attack
We use AD Connect in order to replicate our on-premises AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC). AATP is reporting "Suspected DCSync attack (replication of directory services)" for the MSOL_ user account running on that member server. This appears to be a false positive. Is this a known issue/false positive?

Brian_Sutton | Aug 05, 2019 | Copper Contributor | 50K Views | 2 likes | 12 Comments

Azure Advanced Threat Protection Sensor service failed to start
Hello All! I just downloaded and installed the new Sensor on my DC2. The Azure Advanced Threat Protection Sensor service is trying to start but never succeeds. I changed the login credentials from Local System to the special user, the same as in workspace - Configurations - Directory services. It doesn't help. Rebooted a few times. Errors logged in Microsoft.Tri.Sensor-Errors.log:

2018-12-02 13:38:26.1870 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=DC2.pansw.com ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: A local error occurred. at void System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, bool needSetCredential) ...
2018-12-02 13:38:26.2026 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)

In the System Event Viewer the following error is logged: The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 4070 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Firewall is off. ESET File Security - disabled. ldp.exe successfully connects to both DCs. Any ideas?

Solved | Arkady Karasin | Dec 02, 2018 | Copper Contributor | 44K Views | 0 likes | 16 Comments

Manually uninstall the Azure ATP sensor
Hi all, just looking for a bit of guidance on the following. Deploying the Azure ATP sensor to all our domain controllers, we've had one installation fail. Looking in Programs and Features it is listed as being installed; however, there is no Azure ATP sensor service on the domain controller. Azure ATP is reporting the sensor stopped communicating. When trying to uninstall the Azure ATP sensor from Programs and Features, the uninstallation doesn't even start and the error is "Object reference not set to an instance of an object". When trying to uninstall via command line "Azure ATP Sensor Setup.exe /uninstall" the error is "Product is not installed". The program is registered in the Uninstall registry, so when trying to uninstall via "msiexec /x {guid}" it says to verify the package exists. Trying to reinstall the Azure ATP Sensor says "Azure Advanced Threat Protection Sensor 2.0.0.0 is already installed." I believe if I can manually uninstall it (delete files and associated registry entries) and try to reinstall it again it should be fine. The original installation was pushed out via SCCM, so I'm not sure what happened during the install (if the server rebooted in the middle or what). Can someone shed some light on the reg settings etc. I need to delete? Or if there is a way I can "force" a reinstall? Thanks, Noel.

Noel Fairclough | Aug 28, 2018 | Brass Contributor | 40K Views | 1 like | 16 Comments

Error creating instance of Defender for Identity
Hello guys, I need help. I am creating an instance of Defender for Identity but receive the message: "the instance was not created because there is already a security group with the same name as the azure active directory". Any tips on how to solve this? Thanks

viniciuscarmo | Dec 08, 2021 | Copper Contributor | 35K Views | 4 likes | 13 Comments

Azure ATP Sensor install failing (Updater Service does not start)
Hello All! We are trying to install the Azure ATP Sensor on a DC. The setup wizard runs until this point ... then does some retries for about 3 minutes; during this time the service "Azure Advanced Threat Protection Sensor Updater" goes several times into the state "starting" and back to not started. Then setup fails with 0x80070643 and does a rollback. In the "Microsoft.Tri.Sensor.Updater-Errors" log, we find this error every 10 seconds during the setup:

2019-12-23 11:27:37.8384 Error CommunicationWebClient+<SendWithRetryAsync>d__8`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts) at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count) at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=5iiWw0iPCPzCGdZStU4OxA==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context) at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=]] at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count) at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request) at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request) at async Task Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater.UpdateConfigurationAsync(bool isStarted) at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at new Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater(IConfigurationManager configurationManager, IMetricManager metricManager, ISecretManager secretManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy) at object lambda_method(Closure, object[]) at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate() at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes) at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager() at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync() at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

A proxy is used which allows access to *.atp.azure.com without auth. In the proxy logs, we see no block for this server, only successful requests from this DC. There is no indication that 443 would be blocked somewhere else... The AD account which is configured in the ATP portal was checked; the domain is given in FQDN there and the password is correct. Any ideas, someone?

Solved | PhilippFoeckeler | Dec 23, 2019 | Copper Contributor | 35K Views | 0 likes | 36 Comments

Honeytoken alerts FP
Hi! We have had a lot of "Honeytoken activity" since 23.11.2022, starting in the evening (MET timezone). Normally, in the past, this kind of alert only appeared during planned penetration tests and the alert was accurate. But right now we have honeytoken activity from around 185 sources (clients) with SAM-R queries so far, and counting! It seems to be a bug and we will wait for the next releases of Defender for Identity; so far we couldn't find a cause that makes sense for why this alert keeps being triggered... (meaning no signs of a real attack, no idea what update or other config changes could have started this behaviour). Maybe someone else experiences the same right now; this is meant as information... BR

DefenderAdmin | Nov 30, 2022 | Brass Contributor | 33K Views | 4 likes | 31 Comments

Join Our Security Community
We want you to speak directly to our engineering teams. We believe that the best way to improve our security products is by having no barriers between you and the people that create them. That's why we need your participation in our security community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining webinars and calls, or attending in-person events.

Join Us

To join our community, click here, and then click the join button and the heart icons of the groups you are interested in, as pictured below.

Additional Security Groups

Here's a list of other security-related groups you may want to join.

- Azure
  - Azure Security Center
  - Azure Security and Identity
  - Azure Sentinel
- Enterprise Mobility + Security
  - Azure Advanced Threat Protection and ATA
  - Azure Information Protection
  - Microsoft Cloud App Security
- Internet of Things
  - Azure Security Center for IoT
- Microsoft Graph Security API
- Security, Privacy & Compliance
- Windows Defender Advanced Threat Protection

Find Us on LinkedIn

We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me.

Webinars and Calls

Several of our product teams hold regular webinars or calls where they introduce the product, do a deep dive, preview forthcoming features, gather feedback, and answer questions. Registration links are posted below:

Product | Next Webinar | Recordings of Past Webinars
Azure Security Center for IoT | 8/5/2019: Introduction | https://aka.ms/ASCIoTRecordings
Azure Advanced Threat Protection | TBD | https://aka.ms/AATPRecordings
Azure Sentinel | TBD | http://aka.ms/AzureSentinelRecordings
Azure Information Protection | TBD | https://aka.ms/AIPRecordings
Microsoft Cloud App Security | TBD | https://aka.ms/MCASRecordings
Security Intelligence Report | TBD | https://aka.ms/SIRRecordings

Customer Advisory Council (CAC)

We periodically select customers to be part of our Customer Advisory Council (CAC). We form a close relationship with these organizations, inviting them to exclusive, in-person events and giving them access to non-public roadmaps and information. CAC members give in-depth feedback on our products and consequently exert a great deal of influence over our plans, priorities, and designs. Part of our criteria for choosing CAC members is how active they are in this community. If you would like to be part of our CAC, join our community, participate heavily, and then reach out to me.

Submit Feature Requests

In addition to engaging us in the ways listed above, you can also submit and vote on feature requests at https://microsoftsecurity.uservoice.com. We hope to hear from you soon!

Ryan Heffernan | Jan 08, 2019 | Microsoft | 32K Views | 21 likes | 12 Comments