Azure AD Connect - Malicious replication of directory services

Hi

Just implemented ATA and the first alert I got was from the MSOL account Azure AD Connect creates from the server it is running on. Is this to be expected?

Thanks

T

7 Replies
Are you expecting Azure AD Connect to run on that box? If yes, then exclude the machine from that detection.

Yes Azure AD Connect is on that machine.

Hello, please exclude the AAD Connect server from the detection.

Seyfallah Tagrerout, Microsoft MVP
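Before adding that exclusion it is worth confirming why the alert fires: ATA's "Malicious replication of directory services" detection keys on replication requests (the DS-Replication-Get-Changes extended rights, the same capability DCSync abuses), and Azure AD Connect grants exactly those rights to its MSOL_ account on the domain naming context. The script below is an added example, not code from the thread or from Microsoft; it lists every principal holding a replication right on the domain NC so you can check that the MSOL_ account is the only unexpected name there, and that the exclusion is scoped to the right server. It assumes the RSAT ActiveDirectory module and an account that can read the domain NC's ACL; the `$ExpectedHolders` allow-list is an assumption you should tune to your own environment.

```powershell
# Added example (not from the thread above): enumerate every principal that
# holds a directory-replication extended right on the domain naming context.
# Assumes the RSAT ActiveDirectory module and a domain account that can read
# the ACL of the domain NC.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights; these are fixed,
# schema-defined GUIDs and are the same in every forest.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals you expect to see (assumption: tune this to your environment).
# Domain controllers, Administrators and the Azure AD Connect MSOL_ account
# are the usual legitimate holders; anything else deserves a closer look.
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    '*\Domain Controllers',
    '*\Enterprise Read-only Domain Controllers',
    '*\MSOL_*'
)

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path ("AD:\" + $domainDN)

$holders = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $ReplRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        $id = $_.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $id
            Right     = $ReplRights[$_.ObjectType.ToString()]
            Inherited = $_.IsInherited
            Expected  = [bool]($ExpectedHolders | Where-Object { $id -like $_ })
        }
    } |
    Sort-Object Expected, Identity, Right

$holders | Format-Table -AutoSize

# Anything unexpected holding Get-Changes-All can pull password hashes
# (DCSync); that is an incident to investigate, not a candidate for an
# ATA exclusion.
$suspect = $holders | Where-Object { -not $_.Expected }
if ($suspect) {
    Write-Warning ("Unexpected replication-right holders: " +
        (($suspect.Identity | Sort-Object -Unique) -join ', '))
}

# Cross-check: the MSOL_ account(s) Azure AD Connect created, their
# description (which names the sync server) and last logon, so the
# exclusion can be scoped to that one server.
Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description, LastLogonDate |
    Select-Object Name, Description, LastLogonDate
```

Run it on a domain-joined admin workstation. If the only non-default holder is the MSOL_ account and its description points at your Azure AD Connect server, excluding that server from the detection in the ATA console is the right call; if any other principal shows up with Get-Changes-All, treat the alert as real until you know who granted that right and why.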
Hi, did you manage to solve that without excluding the alert for that server?

@Petr Vlk no, I had to use an exclude.

I too had this same issue and was curious what to do. Thanks for the post.