AD Connect MSOL_ User + Suspected DCSync Attack


We use AD Connect in order to replicate our on premise AD accounts to Azure AD.  The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account.  The AD Connect application is installed on a member server (i.e. not on a DC).  AATP is reporting "Suspected DCSync attack (replication of directory services)" for the MSOL_ user account running on that member server.  This appears to be a false positive.  Is this a known issue/false positive?

8 Replies

@Brian_Sutton Yes it is; you should exclude the account or the machine from this alert for now.

(Until we have some news on this: we are working on a feature around this case, but it will take time to see results ...)
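The reply above suggests excluding either the account or the machine. An added example, not code from this thread or from Defender for Identity / AATP, of why a practitioner would rather allowlist the pair (MSOL_ account from the AAD Connect server) than either one alone: the same MSOL_ account replicating from any other host is exactly the case the alert exists to catch. The request records, field names, account name "MSOL_1a2b3c4d5e6f", hostnames and DC names are constructed assumptions for illustration; the three replication control-access-right GUIDs are the real schema values.

```python
"""Triage directory-replication requests so the known Azure AD Connect account is
only trusted from its own server.

Added example, not code from the thread or from the product it discusses. The
request records are constructed to resemble what a DC-side sensor sees for a
DRSUAPI GetNCChanges call; field names, account names and hostnames are
assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Control-access-right GUIDs from the AD schema; a caller needs them on the
# domain naming context to pull secrets the way DCSync does.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = frozenset({
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
})

# Assumed environment: the AAD Connect sync account, the member server that
# hosts AAD Connect, and the domain controllers that replicate with each other.
AADCONNECT_ACCOUNT = "MSOL_1a2b3c4d5e6f"
AADCONNECT_SERVER = "AADCONNECT01"
KNOWN_DCS = frozenset({"DC01", "DC02"})

# Allowlist on the (account, source host) pair. Excluding the MSOL_ account alone
# would also hide an attacker who stole its credentials and ran DCSync from
# another machine; excluding the server alone would hide any account on it.
ALLOWED_PAIRS = frozenset({(AADCONNECT_ACCOUNT.upper(), AADCONNECT_SERVER.upper())})


@dataclass(frozen=True)
class ReplicationRequest:
    account: str        # sAMAccountName of the caller
    source_host: str    # host that issued the DRSUAPI call
    target_dc: str      # DC that served the request
    rights: frozenset   # control-access rights exercised by the call


def is_dcsync_like(req: ReplicationRequest) -> bool:
    """True when the call exercises any of the replication rights."""
    return bool(req.rights & REPLICATION_RIGHTS)


def classify(req: ReplicationRequest) -> str:
    """Return a verdict label for one request."""
    if not is_dcsync_like(req):
        return "ignore"
    account = req.account.upper()
    host = req.source_host.upper()
    # DC-to-DC replication runs under the DC's own machine account.
    if host in KNOWN_DCS and account == host + "$":
        return "expected-dc-replication"
    if (account, host) in ALLOWED_PAIRS:
        return "expected-aadconnect"
    if account.startswith("MSOL_"):
        # Right account, wrong place: the strongest signal in this whole set.
        return "alert-msol-from-unexpected-host"
    return "alert-suspected-dcsync"


def triage(requests) -> dict:
    """Group requests by verdict so alerts can be reviewed separately."""
    buckets = defaultdict(list)
    for req in requests:
        buckets[classify(req)].append(req)
    return dict(buckets)


# Constructed sample requests (not real telemetry).
FULL_SYNC = frozenset({DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL})
SAMPLE_REQUESTS = [
    ReplicationRequest("MSOL_1a2b3c4d5e6f", "AADCONNECT01", "DC01", FULL_SYNC),
    ReplicationRequest("msol_1a2b3c4d5e6f", "WKS-042", "DC01", FULL_SYNC),
    ReplicationRequest("DC02$", "DC02", "DC01", FULL_SYNC),
    ReplicationRequest("jsmith", "WKS-042", "DC02",
                       frozenset({DS_REPLICATION_GET_CHANGES_ALL})),
    # Placeholder GUID that is not a replication right: should be ignored.
    ReplicationRequest("jsmith", "WKS-042", "DC02",
                       frozenset({"00000000-0000-0000-0000-000000000000"})),
]

if __name__ == "__main__":
    for verdict, reqs in sorted(triage(SAMPLE_REQUESTS).items()):
        for r in reqs:
            print(f"{verdict:34} {r.account}@{r.source_host} -> {r.target_dc}")
```

Run it and the second sample (the MSOL_ account calling from WKS-042) lands in its own bucket rather than being swallowed by an account-only exclusion; that is the case worth keeping visible even after the AAD Connect server itself is tuned out.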


@Eli Ofek How do I exclude this account/machine from this alert?  I only see an option to Close the alert or to Suppress it (resumes after 7 days).  Thanks!


@Brian_Sutton Go to the configuration section, into the Exclusions tab.

[Screenshot: clipboard_image_0.png]


@Eli Ofek How do we do this in MCAS as all ATP exclusions are now greyed out?!


The DCSync pre-configured policy doesn't seem to have an exclusion option. How should the AADConnect server be tagged to be excluded from the default Suspected DCSync attack (replication of directory services) policy?


@kristofvm

Hi,

From your message I am not sure whether it's not available in MCAS or in AATP. You can either change the setting in AATP if MCAS is disabled, or vice versa, but not both.


There are some customers who are part of our preview program for AATP alert policies in AATP. Once the preview program is completed we will move the experience to MCAS, but until then you should use the AATP portal for that.


@Daniel Naim I can't find this exclusion in either system.  Please help.

Looking where to exclude.

@Michael Platt What does Settings > Exclusions show you?