Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What’s New

In April 2022, Only Defender for Identity version 2.178 was released and it only included improvements and bug fixes for internal sensor infrastructure. In May 2022, three new versions of Microsoft Defender for Identity were released:

1. Version 2.179, released on May 1, 2022
2. Version 2.180, released on May 12, 2022
3. Version 2.181, released on May 22, 2022

These releases introduced the following functionality:

Remediation Actions

From Defender for Identity version 2.181 onward, admins can now take remediation actions directly on on-premises user accounts, using Microsoft Defender for Identity:

• Disable user – This temporarily prevents a user from signing in to the network. It can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
• Reset user password – This prompts the user to change their password at the next sign-in, ensuring that this account can't be used for further impersonation attempts.

These actions can be performed from several locations in Microsoft 365 Defender:

• The user page
• The user page side panel
• Advanced hunting,
• Custom detections.

Remediation Actions require setting up a privileged gMSA account that Microsoft Defender for Identity will use.

New security alert: Suspicious modification of a dNSHostName attribute (CVE-2022-26923)

In response to the publishing of a recent CVE-2022-26923, Microsoft Defender for Identity version 2.180, and up, triggers a security alert whenever an attacker is trying to exploit this Active Directory Domain Privilege Escalation Vulnerability with a CVSSv3 score of 8.8/7.7.

When exploiting this, an authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services (AD CS) that would allow elevation of privilege.

Renamed Security alert: Remote code execution attempt over DNS

Microsoft has renamed Remote code execution over DNS to Remote code execution attempt over DNS, as it better reflects the logic behind these security alerts.

Bugfixes for LDAP activity event ingestion

In Defender for Identity version 2.177, Microsoft released additional LDAP activities that can be covered by Defender for Identity. However, Microsoft found a bug that causes the events not to be presented and ingested in the Defender for Identity portal.

This has been fixed in version 2.180. From version 2.180 onward, after admins enable event ID 1644, they don't just get visibility into LDAP activities over Active Directory Web Services, but also other LDAP activities, include the user who performed the LDAP activity on the source computer. This applies for security alerts and logical activities that are based on LDAP events.

IMPROVEMENTS AND BUG FIXES

All three May 2022 Defender for Identity versions releases include improvements and bug fixes for the internal sensor infrastructure.