Azure AD Connect - Malicious replication of directory services


Hi

Just implemented ATA and the first alert I got was from the MSOL account Azure AD Connect creates from the server it is running on. Is this to be expected?

Thanks

T

7 Replies

Are you expecting Azure AD Connect to run on that box? If yes, then exclude the machine from that detection.

Yes, Azure AD Connect is on that machine.

Then exclude it.

Hello, please exclude the AAD Connect server from the detection.

Seyfallah Tagrerout, Microsoft MVP
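Before excluding the Azure AD Connect server from the "malicious replication of directory services" detection, it is worth confirming that the account named in the alert really is the MSOL_ sync account and that no other unexpected principal holds directory-replication rights. The following PowerShell is an added example, not code from this thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and that it is run with rights to read the domain ACL.

```powershell
# Added example (not from the thread): sanity checks to run before excluding the
# Azure AD Connect server from the ATA replication detection.
# Assumes the RSAT ActiveDirectory module is available and the caller can read the domain ACL.
Import-Module ActiveDirectory

# 1. Enumerate MSOL_ accounts. Azure AD Connect creates one per installation, and its
#    Description records the computer it was installed on. Compare that computer name with the
#    source host shown in the ATA alert; a mismatch, or a second MSOL_ account, needs a closer
#    look rather than an exclusion.
$msol = Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description, whenCreated, LastLogonDate
$msol | Select-Object Name, Description, whenCreated, LastLogonDate | Format-Table -AutoSize -Wrap

# 2. List every principal allowed the two replication extended rights on the domain naming
#    context. Expected entries are the Domain Controllers / Enterprise Domain Controllers groups,
#    Administrators, Enterprise Admins and the MSOL_ account. Anything else should become an
#    investigation, not an exclusion.
$replGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $replGuids.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $replGuids[$_.ObjectType.ToString()]
        }
    } |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

Run it on a domain-joined admin workstation. If the only non-built-in principal with replication rights is the MSOL_ account and its Description names the same server the alert came from, the alert is the expected Azure AD Connect behaviour and excluding that server is a reasonable tuning step. Keep the exclusion scoped to that one machine so that replication requests from any other host still raise the alert.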

Hi, did you manage to solve that without excluding the alert for that server?

@Petr Vlk No, I had to use an exclusion.

I too had this same issue and was curious what to do. Thanks for the post.