Microsoft Tech Community
Microsoft Defender for Identity - Azure ATP Deployment and Troubleshooting
Published Sep 16 2020 06:59 PM

Hi IT Pros,

 

Recently, I searched the internet and could not find a single document covering Microsoft Defender for Identity (Azure ATP) setup and troubleshooting, so I prepared this one for convenient reference in future deployments.

Please check it out and give your feedback.

To trace the various identity attacks that Microsoft Defender for Identity detects, see the companion blog article, "Microsoft Defender for Identity Daily Operation".

____

Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender for Identity includes the following features:

  • Monitor users, entity behavior, and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

                                                                                            

The setup procedure for Microsoft Defender for Identity includes the following steps:

  1. Prepare On-prem Domain for Microsoft Defender for Identity operation.
  2. Install Sensors for Domain Controllers
  3. Configure Microsoft Defender for Identity
  4. Troubleshoot and Test.

 

A.   Prepare On-prem Domain for Microsoft Defender for Identity

 

  1. Creating the group Managed Service Account (gMSA) for Microsoft Defender for Identity.

In a Windows Server 2012 or later domain, services and service administrators do not need to manage password synchronization between service instances when using a group Managed Service Account (gMSA): the domain controllers generate and rotate the password automatically, and only the hosts you explicitly authorize can retrieve it.

You provision the gMSA in AD and then configure the service that supports Managed Service Accounts to run as it. Microsoft Defender for Identity uses the gMSA as the account with which the sensor reads the directory, so no password ever has to be stored on the sensor.

You can provision a gMSA using the *-ADServiceAccount cmdlets, which are part of the Active Directory PowerShell module. Service identity configuration on the host is supported by:

  • the same APIs as sMSA, so products that support sMSA also support gMSA
  • services that use the Service Control Manager to configure their logon identity
  • services that use IIS Manager to configure the identity of application pools
  • tasks using Task Scheduler.

 

gMSA prerequisite:

  • A gMSA requires a KDS root key. The Key Distribution Service on the DCs uses it (along with other information) to derive the managed passwords. It is needed only once per forest.
a)      To create the KDS root key:

Add-KdsRootKey -EffectiveImmediately

BrandonWilson_0-1600315351386.png

 

Even with -EffectiveImmediately, AD waits 10 hours before it honors the key, to give it time to replicate to every DC, so do not try to create the gMSA straight away. In a single-DC lab you can backdate the key with -EffectiveTime ((Get-Date).AddHours(-10)); do not do this in production, because a DC that has not yet received the key cannot compute the gMSA password.

 

b)     To create a gMSA using the New-ADServiceAccount cmdlet

 

On a Windows Server 2012 or later domain controller (or any host with the Active Directory PowerShell module), run:

 

  • New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.donlearning.com -PrincipalsAllowedToRetrieveManagedPassword DC01$ -KerberosEncryptionType RC4,AES128,AES256 -ServicePrincipalNames http/ITFarm1.donlearning.com/donlearning.com,http/ITFarm1.donlearning.com/donlearning,http/ITFarm1/donlearning.com,http/ITFarm1/donlearning

Two notes on this example. Include RC4 in -KerberosEncryptionType only if a legacy client still needs it; for a Defender for Identity service account, AES128,AES256 (or AES256 alone) is the safer choice. The -ServicePrincipalNames list is only needed when clients will authenticate to a service running as this account; Defender for Identity only uses the account to query the directory, so the parameter can be omitted.

 

Parameters of New-ADServiceAccount used above:

  • Name: ITFarm1
  • DNSHostName: the DNS host name of the service (ITFarm1.donlearning.com in this example)
  • KerberosEncryptionType: one or more of None, RC4, AES128, AES256
  • ManagedPasswordIntervalInDays: password change interval in days (default is 30 days if not provided)
  • PrincipalsAllowedToRetrieveManagedPassword: the computer accounts of the member hosts, or a security group that the member hosts belong to
  • SamAccountName: NetBIOS name for the service, if not the same as Name
  • ServicePrincipalNames: SPNs for the service, for example http/ITFarm1.donlearning.com/donlearning.com, http/ITFarm1.donlearning.com/donlearning, http/ITFarm1/donlearning.com, http/ITFarm1/donlearning, MSSQLSvc/ITFarm1.donlearning.com:1433, MSSQLSvc/ITFarm1.donlearning.com:INST01 (the MSSQLSvc entries only illustrate the format and are not part of the command above)

 

Note: The password change interval can only be set during creation and cannot change later.

 
To create a gMSA for outbound authentication only (the account authenticates to other services, but nothing authenticates to it, so no DNS host name or SPNs are needed), use the New-ADServiceAccount cmdlet with -RestrictToOutboundAuthenticationOnly:

 

  • New-ADServiceAccount ITFarm1 -RestrictToOutboundAuthenticationOnly -PrincipalsAllowedToRetrieveManagedPassword DC01$
 
c)      Add member hosts to the gMSA
  • Get-ADServiceAccount -Identity ITFarm1 -Properties PrincipalsAllowedToRetrieveManagedPassword

BrandonWilson_1-1600315351395.png

 

  • Set-ADServiceAccount -Identity ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword DC01$,DC02$,DC03$

Note that Set-ADServiceAccount replaces the whole list rather than appending to it, so always pass every host.

Or, a better option:

Create an AD security group, "SensorDCs", whose members are the sensor DCs, and allow that group to retrieve the password. Adding a sensor later is then a group membership change rather than a change to the service account:

 

  • Set-ADServiceAccount -Identity ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword SensorDCs

A DC that has just been added to the group only carries the new membership in its own Kerberos ticket after a reboot (or after purging its computer-account tickets with klist -li 0x3e7 purge); until then Test-ADServiceAccount on that DC returns False.

BrandonWilson_2-1600315351398.png
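The steps of section A as one script. This is an added example and not part of the original post or of Microsoft's documentation; it assumes the domain donlearning.com, the gMSA name ITFarm1, the group name SensorDCs and two sensor DCs named DC01 and DC02, and that WinRM is enabled on the DCs for the final verification step.

```powershell
# Added example (not from the original post): provision the gMSA that the Defender for
# Identity sensors use to read the directory. Assumed names: domain donlearning.com,
# gMSA ITFarm1, host group SensorDCs, sensor DCs DC01 and DC02 (WinRM assumed for step 5).
#Requires -Modules ActiveDirectory
param(
    [string]$Domain      = 'donlearning.com',
    [string]$GmsaName    = 'ITFarm1',
    [string]$HostsGroup  = 'SensorDCs',
    [string[]]$SensorDCs = @('DC01', 'DC02'),
    [switch]$LabBackdateKdsKey   # lab only: skip the 10-hour KDS propagation wait
)

Import-Module ActiveDirectory

# 1. KDS root key: needed once per forest. Backdating is only safe when every DC
#    already has the key, i.e. in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    if ($LabBackdateKdsKey) {
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    } else {
        Add-KdsRootKey -EffectiveImmediately | Out-Null
        Write-Warning 'KDS root key created; wait about 10 hours before creating the gMSA.'
    }
}

# 2. Group allowed to retrieve the managed password. Granting a group instead of
#    individual DC$ accounts means a new sensor is just a group membership change.
if (-not (Get-ADGroup -Filter "Name -eq '$HostsGroup'")) {
    New-ADGroup -Name $HostsGroup -GroupScope Global -GroupCategory Security `
        -Description 'Hosts allowed to retrieve the Defender for Identity gMSA password' | Out-Null
}
$members = $SensorDCs | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $HostsGroup -Members $members

# 3. The gMSA itself. AES only: an LDAP-only service account has no need for RC4.
#    No SPNs: nothing authenticates to this account, it only queries the directory.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostsGroup `
        -KerberosEncryptionType AES128,AES256 `
        -Description 'Defender for Identity directory service account'
}

# 4. Verify the assignment from the directory side.
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# 5. On each sensor DC, confirm the host can really pull the password. A fresh group
#    membership only reaches the DC's own ticket after a reboot (or 'klist -li 0x3e7
#    purge'), so False right after step 2 is expected and not a configuration error.
foreach ($dc in $SensorDCs) {
    $ok = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($name)
        Import-Module ActiveDirectory
        Test-ADServiceAccount -Identity $name
    } -ArgumentList $GmsaName
    '{0}: can retrieve gMSA password = {1}' -f $dc, $ok
}
```

Run it once from any host with the RSAT AD module as a user who can create groups and service accounts; rerunning is safe, because every creation step is guarded by an existence check.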

 

B.     Installing the Sensor on All Domain Controllers

 
           Prerequisites for domain controllers:
  • Make sure Microsoft .NET Framework 4.7 or later is installed on the machine. If it isn't, the Azure ATP sensor setup package installs it, which may require a reboot of the server.
  • For a standalone sensor in an isolated network, or a DC with NIC teaming (see the troubleshooting section), install the Npcap driver so that the network adapter can capture all traffic (Windows capture in promiscuous mode). Download Npcap version 1.0 from https://nmap.org/npcap/
    • Uninstall WinPcap first if it is already installed.
    • Install Npcap with the options loopback_support=no and winpcap_mode=yes (in the GUI, deselect loopback support and select WinPcap API-compatible mode).
  • Check that the domain controllers have enough spare CPU and memory for the sensor to capture and analyze traffic. The following CPU and random access memory (RAM) figures are the sensor's own consumption, not the total capacity of the domain controller.

Packets per second    CPU (cores)*    Memory** (GB)
0-1k                  0.25            2.50
1k-5k                 0.75            6.00
5k-10k                1.00            6.50
10k-20k               2.00            9.00
20k-50k               3.50            9.50
50k-75k               3.50            9.50
75k-100k              3.50            9.50

* Physical cores, not hyper-threaded cores.
** Random-access memory (RAM)

 

a.     Create Microsoft Defender for Identity Instance

Sign in to https://portal.atp.azure.com with the Azure AD account that will administer Microsoft Defender for Identity (AATP); creating the instance requires a Global Administrator or Security Administrator in the tenant.

 

A new AATP Instance will be created:

BrandonWilson_3-1600315351404.png

 

Your Azure ATP instance is automatically named with the Azure AD initial domain name and created in the data center located closest to your Azure AD.

 

BrandonWilson_4-1600315351410.png

 

Click Configuration > Manage role groups, and use the Azure AD Admin Center link to manage the Azure ATP role groups (Administrators, Users, Viewers).

 

BrandonWilson_5-1600315351413.png

 

b.    Connect AATP Instance to AD Forest

 

The first time you open the Azure ATP portal, the following screen appears:

 

BrandonWilson_6-1600315351417.png

 

c.     Download and install the sensor on the DC

Download the sensor setup package and copy the access key. The access key is what a new sensor uses to register with your Azure ATP instance (in effect a one-time enrollment secret), so handle it like a password: do not leave it in scripts, tickets or chat, and regenerate it from the portal if it is exposed.

 

BrandonWilson_7-1600315351420.png

 

Under Configure the sensor, enter the installation path and the access key that you copied from the previous step, based on your environment:

 

ConfigSensor.png

 

Azure ATP sensor service and Azure ATP sensor updater service are now available in Windows Services as shown:

 

BrandonWilson_9-1600315351435.png

 

To finish, reboot the DC Sensor Server.

 

If the domain controller is the first deployed sensor, you will need to wait at least 15 minutes to allow the database backend to finish initial deployment of the necessary microservices.

 

If you experience any error during the installation process, refer to the Troubleshooting section (section D.b).

 

d.    To check if Sensor is working correctly:

   Sign in to portal.atp.azure.com and check if sensor is working:

 

BrandonWilson_10-1600315351440.png

 

Installing the Microsoft Defender for Identity (AATP) sensor on Server Core:

  • Windows Server 2016 and 2019 Server Core are supported (Nano Server is not)
  • "Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="<Access Key>"
  • Or from PowerShell: ./"Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="<Access Key>"
  • To update the sensor: "Azure ATP sensor Setup.exe" [/quiet] [/Help] [NetFrameworkCommandLineArguments="/q"]
  • The access key is part of the command line and therefore ends up wherever command lines are logged (PowerShell history, transcripts, event 4688 with command-line auditing); regenerate it in the portal once the rollout is done.
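The prerequisites and the silent install of section B as one pre-flight script for a DC. This is an added example, not code from the original post or from Microsoft; it assumes the setup package was extracted to C:\MDI, that the access key is supplied at run time, that the Npcap installation can be recognized by its "npcap" driver service or the System32\Npcap folder, and that the sizing table above applies.

```powershell
# Added example (not from the original post): pre-flight checks followed by the same
# silent install command shown above. Assumptions: package extracted to C:\MDI, access
# key passed as a parameter, Npcap recognizable by its driver service or folder.
param(
    [Parameter(Mandatory)] [string]$AccessKey,
    [string]$SetupExe = 'C:\MDI\Azure ATP sensor Setup.exe',
    [int]$ExpectedPacketsPerSecond = 5000,
    [switch]$Force            # install even if a pre-flight check fails
)

$issues = @()

# .NET Framework 4.7 is Release 460798 or higher. Setup can install it, but that means a reboot.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 460798) { $issues += '.NET Framework 4.7+ not present; setup will install it and a reboot is likely' }

# NIC teaming requires Npcap in WinPcap API-compatible mode (see the troubleshooting section).
if (Get-NetLbfoTeam -ErrorAction SilentlyContinue) {
    $npcap = (Get-Service -Name npcap -ErrorAction SilentlyContinue) -or (Test-Path "$env:SystemRoot\System32\Npcap")
    if (-not $npcap) { $issues += 'NIC teaming detected but Npcap is not installed' }
}

# Sensor consumption from the sizing table above (physical cores, not hyper-threads).
$sizing = @(
    @{ Max = 1000;   Cores = 0.25; GB = 2.5 }, @{ Max = 5000;   Cores = 0.75; GB = 6.0 },
    @{ Max = 10000;  Cores = 1.0;  GB = 6.5 }, @{ Max = 20000;  Cores = 2.0;  GB = 9.0 },
    @{ Max = 100000; Cores = 3.5;  GB = 9.5 }
)
$need = $sizing | Where-Object { $ExpectedPacketsPerSecond -le $_.Max } | Select-Object -First 1
if (-not $need) {
    $issues += 'more than 100k packets/s expected; size the host manually'
} else {
    $cores  = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    $freeGB = (Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory / 1MB   # WMI reports KB
    if ($cores -lt [math]::Ceiling($need.Cores)) { $issues += "only $cores physical cores; sensor wants $($need.Cores)" }
    if ($freeGB -lt $need.GB) { $issues += ('only {0:N1} GB free RAM; sensor wants {1} GB' -f $freeGB, $need.GB) }
}

$issues | ForEach-Object { Write-Warning $_ }
if ($issues -and -not $Force) { throw 'Pre-flight checks failed; rerun with -Force to install anyway' }

# Silent install with the switches from the Server Core command above. The access key is an
# enrollment secret: pass it in at run time, never hard-code it or leave it in a transcript.
$p = Start-Process -FilePath $SetupExe -Wait -PassThru -ArgumentList @(
    '/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=`"$AccessKey`""
)
switch ($p.ExitCode) {
    0       { 'Sensor installed' }
    3010    { 'Sensor installed; reboot required (standard Windows Installer exit code)' }
    default { throw "Setup exited with $($p.ExitCode); check the deployment logs one level above $env:TEMP" }
}

# Both services must now exist. The first sensor needs about 15 minutes before the portal
# shows it as healthy, and the DC reboot recommended above still applies.
Get-Service -Name AATPSensor, AATPSensorUpdater | Select-Object Name, Status, StartType
```

Run it in an elevated PowerShell on the DC, for example .\Install-MdiSensor.ps1 -AccessKey (Read-Host -AsSecureString | ConvertFrom-SecureString -AsPlainText) on PowerShell 7, so that the key never appears in the command line of the script itself.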

 

C. Configure Microsoft Defender for Identity-AATP

    a. To configure detection exclusions and honeytokens

Honeytoken accounts are traps for malicious actors: they are dormant accounts that no legitimate process ever uses, so any authentication involving them triggers an alert.

Honeytokens can take many forms, from a dead, fake account to a database entry that only a malicious query would select, which makes the concept well suited to detecting unauthorized access. A classic example is a fake email address seeded into a mailing list to reveal when the list has been stolen. For Azure ATP the honeytoken is an AD account: give it a plausible name and description, keep it out of privileged groups, and never use it for anything, so that every authentication attempt against it is a true positive.

  1. From the Azure ATP portal, click the settings icon.
  2. Under Detection, click Entity tags.
  3. Under Honeytoken accounts, enter the honeytoken account name and click the + sign. The field is searchable and lists entities in your network. Click Save.

BrandonWilson_11-1600315351445.png

  4. Add sensitive accounts and groups:

Sensitive accounts: enter the high-privilege accounts whose lateral movement paths and modifications you want monitored.

Sensitive groups: enter the high-privilege administrative groups whose lateral movement paths and membership changes you want monitored (built-in groups such as Domain Admins are tagged sensitive automatically).

  5. Click Exclusions. Enter a user account or IP address to be excluded from a detection, per threat type. Keep exclusions as narrow as possible: an excluded entity is invisible to that detection, so an exclusion added to silence a noisy scanner also hides an attacker who operates from that host.
  6. Click the plus sign. The Add entity (user or computer) field is searchable and autofills with entities in your network. For more information, see Excluding entities from detections and the security alert guide.

BrandonWilson_12-1600315351454.png

  7. Click Save.
b. To receive notifications at a specific email address:
  1. In the Azure ATP portal, select the settings icon.
  2. Click Notifications.
  3. Under Mail notifications, specify which notifications should be sent by email; they can be sent for new alerts (suspicious activities) and for new health issues.
  4. Click Save.

BrandonWilson_13-1600315351460.png

c. Configure the collection of audit events in a GPO

Azure Advanced Threat Protection (Azure ATP) detection relies on specific Windows event log entries to enhance some detections and to show who performed actions such as NTLM logons and security group modifications. Without these events the sensor still sees the network traffic, but alerts lose the actor and the detections that rely on the events are degraded.

You can use the Default Domain Controllers Policy or a dedicated GPO linked to the Domain Controllers OU to set the following audit policies:

  • Go to Computer Configuration > Policies > Windows Settings > Security Settings
  • Go to Advanced Audit Policy Configuration
  • Audit Policies.

BrandonWilson_14-1600315351494.png

  • Under Audit Policies, edit each of the following policies
  • and select Configure the following audit events for both Success and Failure.

Because these are advanced (subcategory) settings, also make sure that Local Policies > Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled; otherwise a legacy category setting can silently override them.

GPO settings

Audit policy          Subcategory                            Triggers event IDs
Account Logon         Audit Credential Validation            4776
Account Management    Audit Computer Account Management      4743
Account Management    Audit Distribution Group Management    4753, 4763
Account Management    Audit Security Group Management        4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758
Account Management    Audit User Account Management          4726
System                Audit Security System Extension        7045

 d. Configure the collection of event 8004 (NTLM authentication):
  • In the same GPO, go to Local Policies > Security Options.
  • Under Security Options, configure the following policies. These are audit-only settings; nothing is blocked, so they are safe to roll out to the DCs. Event 8004 is written to the Microsoft-Windows-NTLM/Operational log of the DC that validates the NTLM logon.

Policy                                                                      Setting
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers    Audit all
Network security: Restrict NTLM: Audit NTLM authentication in this domain   Enable all
Network security: Restrict NTLM: Audit Incoming NTLM Traffic                Enable auditing for all accounts

BrandonWilson_15-1600315351507.png

e. To configure the Azure ATP service account for SAM-R access

To let the Defender for Identity service perform SAM-R enumeration (querying the local Administrators group of each computer) and build lateral movement paths, you need to edit the SAM policy:

  • In Group Policy > Windows Settings > Security Settings > Local Policies > Security Options > "Network access: Restrict clients allowed to make remote calls to SAM"

TanTran_0-1626191393649.png

  • Add the Defender for Identity service account (the gMSA created in section A, ITFarm1 in this example; it appears as "AATP Service" in the screenshot) to the list of approved accounts. The policy is enforced by the computer that receives the SAM-R call, so link the GPO to the workstations and member servers you want the sensor to be able to enumerate, not only to the domain controllers. Keep the default entry for the local Administrators group so that administrative tooling is not locked out; the resulting descriptor looks like O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;<SID of the service account>).

aatpPol.png
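The settings of sections C.c, C.d and C.e, applied with local tools and then verified. This is an added example and not part of the original post; it is meant for a lab, or for checking on one host what the GPO actually delivered, since a local change is overwritten at the next Group Policy refresh. It assumes the gMSA from section A is named ITFarm1, that the Active Directory PowerShell module is available on the host (true on a DC), and it writes the registry equivalents of the three NTLM audit policies and of the SAM-R policy on the local machine only.

```powershell
# Added example (not from the original post): apply and verify the section C audit,
# NTLM-audit and SAM-R settings on the local host. Assumes gMSA 'ITFarm1' and the AD module.
param([string]$ServiceAccountName = 'ITFarm1')

# 1. Advanced audit subcategories from the table above, success and failure.
$subcats = 'Credential Validation', 'Computer Account Management',
           'Distribution Group Management', 'Security Group Management',
           'User Account Management', 'Security System Extension'
foreach ($s in $subcats) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}
# "Force audit policy subcategory settings ... to override audit policy category settings"
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# 2. NTLM auditing (audit only, nothing is blocked). Registry values behind the three policies.
$msv = "$lsa\MSV1_0"
Set-ItemProperty $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord   # Outgoing: Audit all
Set-ItemProperty $msv -Name AuditNTLMInDomain          -Value 7 -Type DWord   # In this domain: Enable all
Set-ItemProperty $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord   # Incoming: all accounts

# 3. SAM-R: default local Administrators entry plus the service account's SID.
$sid  = (Get-ADServiceAccount -Identity $ServiceAccountName).SID.Value
$sddl = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$sid)"
Set-ItemProperty $lsa -Name RestrictRemoteSAM -Value $sddl -Type String

# 4. Verify: effective audit policy, and whether the expected events are actually arriving.
function Get-MdiAuditStatus {
    $pol     = auditpol.exe /get /category:* /r | ConvertFrom-Csv
    $wanted  = $pol | Where-Object { $subcats -contains $_.Subcategory }
    $missing = $wanted | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
    $since   = (Get-Date).AddHours(-24)
    $sec  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4728, 4732, 4756; StartTime = $since } `
                -MaxEvents 50 -ErrorAction SilentlyContinue
    $ntlm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since } `
                -MaxEvents 50 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MissingSubcategories = @($missing.Subcategory)
        SecurityEvents24h    = @($sec).Count
        Ntlm8004Events24h    = @($ntlm).Count
        RestrictRemoteSAM    = (Get-ItemProperty $lsa).RestrictRemoteSAM
    }
}
Get-MdiAuditStatus
```

An empty MissingSubcategories list together with non-zero event counts is what a healthy DC looks like; zero 8004 events on a busy domain usually means the NTLM audit policies have not applied yet (run gpupdate /force and check again).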

D. Test MDI results and troubleshooting

a. To test AATP

You can simulate attacks against the lab by following the attack simulation playbook at:

https://docs.microsoft.com/en-us/defender-for-identity/playbook-lab-overview

View the resulting MDI alerts in the Cloud App Security (MCAS) portal at https://portal.cloudappsecurity.com

  • Investigate > Activity log

BrandonWilson_16-1600315351526.png

       

    b. Troubleshooting

        AATP log locations:

  • Azure ATP deployment logs

The Azure ATP deployment logs are located in the temp directory of the user who installed the product: C:\Users\Administrator\AppData\Local\Temp (one directory above %temp%).

  • Azure ATP sensor logs

C:\Program Files\Azure Advanced Threat Protection Sensor\<version number>\Logs

  • Microsoft.Tri.Sensor.log – everything that happens in the Azure ATP sensor (including name resolution and errors).
  • Microsoft.Tri.Sensor-Errors.log – only the errors caught by the sensor.
  • Microsoft.Tri.Sensor.Updater.log – the sensor updater process (automatic updates).
The known issues related to AATP setup and configuration are as follows:

 

  • Sensor installation error, error ID 1068 (the dependency service or group failed to start):

             Solution: a reboot is needed before the sensor service can start.

 

  • Sensor installation error, "Sensor Failure Communication"

System.Net.Http.HttpRequestException: An error occurred while sending the request. --->

or System.Net.WebException: Unable to connect to the remote server --->

or System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond...

Solution: make sure that communication to localhost on TCP port 444 is not blocked. The sensor uses this loopback port internally, so check the host firewall and any third-party filtering driver on the DC.

 

  • Sensor installation error on a DC with NIC teaming

With NIC teaming, the sensor can only capture through the Npcap driver in WinPcap API-compatible mode.

Solution:

- Uninstall the sensor,

- Install Npcap (version 0.9984, or the 1.0 release referenced in the prerequisites) from https://nmap.org/npcap/

- In the GUI installer, deselect loopback support and select WinPcap API-compatible mode,

- Reinstall the sensor package.

 

  • Sensor installation error on a DC in Multi Processor Group mode

On Windows Server 2008 R2 and 2012, the Azure ATP sensor is not supported in Multi Processor Group mode (Windows creates multiple processor groups when a machine has more than 64 logical processors).

 

Suggested workarounds:

 

If hyper-threading is on, turn it off. This may reduce the number of logical cores enough to avoid Multi Processor Group mode.

 

If the machine has fewer than 64 logical cores and runs on an HP host, you may be able to change the NUMA Group Size Optimization BIOS setting from the default of Clustered to Flat.

 

  • Sensor service "Azure Advanced Threat Protection Sensor" fails to run and stays in the Starting state:
    • You see errors in the Event Viewer System log:
      • The Open procedure for service ".NETFramework" in DLL "C:\Windows\system32\mscoree.dll" failed with error code Access is denied. Performance data for this service will not be available.
      • The Open procedure for service "Lsa" in DLL "C:\Windows\System32\Secur32.dll" failed with error code Access is denied. Performance data for this service will not be available.
      • The Open procedure for service "WmiApRpl" in DLL "C:\Windows\system32\wbem\wmiaprpl.dll" failed with error code The device is not ready. Performance data for this service will not be available.
    • Microsoft.Tri.Sensor-Errors.log shows:
      2021-07-13 14:56:20.2976 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
      at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager 
      at Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
    • Cause: NT SERVICE\ALL SERVICES does not have the "Log on as a service" right on the DC. The sensor services run under virtual service accounts, and the gMSA used as the service account needs the same right on the sensor host, so a hardening GPO that replaces the default "Log on as a service" list breaks the sensor.
    • Solution: in the Default Domain Controllers Policy (or the GPO that sets user rights on the DCs), add NT SERVICE\ALL SERVICES, and the gMSA if it is not already covered, to User Rights Assignment > Log on as a service, as shown here:
       

       

      TanTran_1-1626191416452.png

 

  • Creating the AD service account fails with "Key does not exist"

Solution: the KDS root key has not been created yet (or has not yet replicated to the DC you are using). Create it as described in section A, wait for it to become effective, then retry New-ADServiceAccount.

 

BrandonWilson_17-1600315351528.png
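A first-pass triage script for a sensor that will not start, covering the known issues listed above. This is an added example, not code from the original post or from Microsoft; it assumes the service names AATPSensor and AATPSensorUpdater, the sensor install path given above, and that Npcap can be recognized by its "npcap" driver service or the System32\Npcap folder. Run it in an elevated PowerShell on the sensor DC.

```powershell
# Added example (not from the original post): collect the facts behind the known sensor
# start-up failures above. Assumes service names AATPSensor/AATPSensorUpdater and the
# default install path; Npcap detection by service name or folder is an assumption.
function Get-MdiSensorDiagnosis {
    $r = [ordered]@{}

    # A sensor stuck in StartPending is the symptom described above.
    $r.Services = Get-Service -Name AATPSensor, AATPSensorUpdater -ErrorAction SilentlyContinue |
                  Select-Object Name, Status, StartType

    # "Log on as a service" must include NT SERVICE\ALL SERVICES (SID S-1-5-80-0).
    # secedit exports the effective local policy, GPO-applied settings included.
    $cfg = Join-Path $env:TEMP 'mdi-secpol.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    $r.AllServicesCanLogonAsService = [bool]($line -and $line.Line -match 'S-1-5-80-0')
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # Loopback TCP 444 is used by the sensor; False is also expected while the service is down.
    $r.Loopback444Open = (Test-NetConnection -ComputerName localhost -Port 444 -WarningAction SilentlyContinue).TcpTestSucceeded

    # More than 64 logical processors puts 2008 R2 / 2012 into Multi Processor Group mode.
    $r.LogicalProcessors = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum

    # NIC teaming without Npcap is the other common installation failure.
    $r.NicTeaming   = [bool](Get-NetLbfoTeam -ErrorAction SilentlyContinue)
    $r.NpcapPresent = [bool](Get-Service -Name npcap -ErrorAction SilentlyContinue) -or (Test-Path "$env:SystemRoot\System32\Npcap")

    # Last errors from the sensor's own error log (newest version folder).
    $base = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
    $log  = Get-ChildItem -Path $base -Directory -ErrorAction SilentlyContinue |
            Sort-Object Name -Descending | Select-Object -First 1 |
            ForEach-Object { Join-Path $_.FullName 'Logs\Microsoft.Tri.Sensor-Errors.log' }
    $r.LastErrors = if ($log -and (Test-Path $log)) {
        Get-Content $log -Tail 200 | Where-Object { $_ -match ' Error ' } | Select-Object -Last 5
    } else { @('error log not found') }

    [pscustomobject]$r
}

$d = Get-MdiSensorDiagnosis
$d | Format-List
if (-not $d.AllServicesCanLogonAsService) {
    Write-Warning 'NT SERVICE\ALL SERVICES lacks "Log on as a service": fix the Default Domain Controllers Policy, run gpupdate /force, then restart AATPSensor.'
}
if ($d.NicTeaming -and -not $d.NpcapPresent) {
    Write-Warning 'NIC teaming without Npcap: uninstall the sensor, install Npcap in WinPcap mode, then reinstall.'
}
if ($d.LogicalProcessors -gt 64) {
    Write-Warning 'More than 64 logical processors: on 2008 R2 / 2012 the sensor does not support Multi Processor Group mode.'
}
```

The output maps directly onto the known issues: a Starting service with AllServicesCanLogonAsService False is the user-rights problem, a False Loopback444Open with the service running is the "Sensor Failure Communication" case, and the LastErrors lines point at whichever component the sensor log blames.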

 

Reference:

Azure ATP setup

Server Core setup:

Azure ATP Configuration

Troubleshooting

 

Thanks for reading this blog. Our next topic is the "Microsoft Defender for Identity - AATP Operation" blog article, which you can access from here.

Happy AATP Monitoring!

 

 

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

12 Comments

Thank you for sharing this blog post

 

Brass Contributor

Thank you for Sharing.

Bronze Contributor

Awesome guide @TanTran 

Microsoft

thanks for your comment and support, I will prepare more on AATP subject.

Microsoft

Thanks for blogging this as I now have documentation for myself and clients. Great article!

Bronze Contributor

Thank you for sharing.

Hope in future we have less scripting. 

I love scripting but in production environment we prefer like automated troubleshooting where system detect and fix the issue itself and report to us or more GUI interaction.

Microsoft

Yes, I will balance the amount of scripting on blog page's content in the future. Thanks for your suggestion

Microsoft

Thankyou for your efforts Tan. Your both blogs on ATP are really helpful in learning this products.

Brass Contributor

Hi, we are using ATP for servers now.

We want to migrate ATA to MS Defender for Identity.

But in the first step I can create an instance.

Marek_Belan_0-1614330044571.png

 

Copper Contributor

Thank you Tan for your article!  This has been a great help and is greatly appreciated.

Copper Contributor

Thank you for sharing the article!  This has been a great help and is greatly appreciated.

Copper Contributor

Are you sure about the SPNs in your command? Shouldn't it just be -ServicePrincipalNames "http/ITfarm1.donlearning.com, http/ITfarm1"? When I used the formatting you have, I got the error "The name reference is invalid".

And why do you list the MSSQL SPNs in your table when they aren't actually in your PowerShell command?

Last update: Jul 25 2021 03:07 AM