Microsoft Defender for Identity Adds More Certificate Abuse Detections

Microsoft Defender for Identity now has a new sensor to further detect certificate abuses by attackers, per a Wednesday announcement.

The new sensor is deployed on Active Directory Certificate Services (ADCS) servers and delivers alerts and recommendations to IT pros through Microsoft's Secure Score dashboard. It can detect when attackers "relay NTLM authentication to ADCS" for impersonation purposes. It also flags ADCS log configuration changes, including disabling of logging, which attackers do to cover their activities. IT pros are alerted as well about deletion of certificate requests, another tactic attackers use to obscure their actions.

Microsoft is planning to add the ability to detect ADCS modifications, too, such as changes made to the access control list, which can give attackers the ability to "perform certificate authority level operations that potentially can lead to domain takeover."

ADCS "is not a default element of every AD instance," Microsoft explained. However, when it's used, it turns out to be a prime target for attackers. ADCS is a Windows Server role that's used "to create and manage public key infrastructure (PKI) certificates," the announcement explained.

The certificates created by ADCS can serve as password equivalents, the announcement added:

These certificates are used to establish trusted and secure communication between users, devices, and applications on a network or, more importantly for this discussion, as password-equivalents for user authentication.

Moreover, ADCS "can be extremely easy to misconfigure," making it a "ripe target" for attackers.

Back in February, Microsoft described how Microsoft Defender for Identity has sensors to detect an attack using a suspicious certificate over the Kerberos protocol. It also advised organizations to secure ADCS against "many various potential abuses and misconfigurations."

Here was Microsoft's advice in February for hardening environments against ADCS abuses:

  • Treat your AD CS servers as tier-0 assets. They are as important as Domain Controllers.
  • Harden your AD CS servers against the ESC8 technique, according to this advisory.
  • Reduce attack surface. If possible, disable unused certificate templates and enrollment permissions.
  • Monitor certificate enrollments in your organization, to have further visibility on AD CS operations.

Organizations need to ensure that they are collecting the required events in order to see the new Secure Score alerts about ADCS abuse. "To view the new alerts and Secure Score reports, make sure that the required events are being collected and logged on your server," Microsoft indicated in its "What's New in Microsoft Defender for Identity" document.
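Two of the points above, monitoring certificate enrollments and confirming that the CA is really logging the required events, can be checked on the CA server itself. The PowerShell below is an added example and is not part of the Microsoft announcement or of the Defender for Identity product. It assumes an elevated session on the CA with English-language `auditpol` output; the `certutil` switches, the AuditFilter bit values and the Security event IDs it references (4886/4887 for requests and issuance, 4885/4882 for audit and permission changes) are the standard Windows Certification Services ones.

```powershell
# Added example (not from the Microsoft announcement): check that an AD CS
# certification authority is actually producing the audit events a detection
# product relies on. Run in an elevated PowerShell session on the CA server.
# Assumptions: certutil.exe and auditpol.exe are present (both ship with Windows)
# and auditpol prints English text.

# Bit values of the CA AuditFilter registry value (documented by Microsoft).
$auditBits = @{
    1  = 'Start/stop CA service'
    2  = 'Back up/restore CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Change CA configuration'
    16 = 'Change CA security settings'
    32 = 'Store/retrieve archived keys'
    64 = 'Revoke certificates / publish CRLs'
}

function Get-CaAuditFilter {
    # certutil prints e.g. "AuditFilter REG_DWORD = 7f (127)"; extract the hex value.
    $out = (certutil -getreg CA\AuditFilter 2>&1) -join "`n"
    $m = [regex]::Match($out, 'AuditFilter\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)')
    if (-not $m.Success) { return 0 }   # value absent => nothing is audited
    return [Convert]::ToInt32($m.Groups[1].Value, 16)
}

$filter = Get-CaAuditFilter
Write-Host "CA AuditFilter = $filter (127 = all categories)"
foreach ($bit in ($auditBits.Keys | Sort-Object)) {
    $state = if ($filter -band $bit) { 'ON ' } else { 'OFF' }
    Write-Host ("  [{0}] {1}" -f $state, $auditBits[$bit])
}
if ($filter -ne 127) {
    Write-Warning 'Not all CA operations are audited. To enable everything:'
    Write-Warning '  certutil -setreg CA\AuditFilter 127 ; net stop certsvc ; net start certsvc'
}

# The AuditFilter alone is not enough: the "Certification Services" audit
# subcategory must also be enabled, or the CA writes nothing to the Security log.
$policy = (auditpol /get /subcategory:"Certification Services" 2>&1) -join "`n"
if ($policy -match 'Success and Failure') {
    Write-Host 'Audit policy: Certification Services = Success and Failure (OK)'
} else {
    Write-Warning 'Audit policy for Certification Services is not Success and Failure. To fix:'
    Write-Warning '  auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable'
}

# Templates currently published on this CA: review against the "disable unused
# certificate templates" recommendation.
Write-Host "`nPublished certificate templates:"
certutil -CATemplates 2>&1 | Where-Object { $_ -match '\S' } | ForEach-Object { "  $_" }

# Sanity check that enrollment and configuration-change events really arrive:
#   4886 request received, 4887 request approved / certificate issued,
#   4885 audit filter changed, 4882 CA security permissions changed.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887, 4885, 4882; StartTime = $since } -ErrorAction SilentlyContinue
Write-Host "`nCertification Services audit events in the last 24h: $(@($events).Count)"
$events | Group-Object Id | ForEach-Object { "  Event {0}: {1}" -f $_.Name, $_.Count }
```

A zero count for 4886/4887 on a CA that is known to issue certificates is the signal to look at: either the AuditFilter bit for "Issue and manage certificate requests" is off, the audit subcategory is disabled, or the Security log is being cleared, which is exactly the kind of tampering the new sensor is meant to flag.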

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

