Microsoft has unveiled a new sensor for its Defender for Identity solution, aimed at improving the detection of attacks that abuse Active Directory Certificate Services (AD CS) and the certificates it issues.
Microsoft Defender for Identity is a cloud-based security solution that uses on-premises Active Directory signals to detect and investigate threats, compromised identities, and malicious insider actions.
New Sensor Deployment
The new sensor is deployed on Active Directory Certificate Services (AD CS) servers. It raises alerts and security recommendations for administrators, the recommendations being surfaced through Microsoft Secure Score. The sensor can identify attempts to “relay NTLM authentication to ADCS” for impersonation: an attacker who coerces a machine or user into authenticating to a host they control relays that NTLM exchange to an AD CS endpoint that accepts NTLM, obtains a certificate in the victim's name, and then uses the certificate to authenticate as the victim. It also flags changes to the AD CS audit-log configuration, in particular disabling it, which attackers use to hide their activity, and deletions of certificate requests from the CA database, another way of covering tracks.
According to Microsoft, the new sensor responds to attackers who continually probe AD for weaknesses. It builds on Defender for Identity's existing detections for suspicious certificate usage and extends the product's coverage across the identity environment. Microsoft's announcement stresses the risk posed by AD CS misconfigurations and how easily attackers exploit them.
Benefits and Recommendations
The new sensor will offer several benefits to Defender for Identity users, including:
- Detection of domain-controller certificate issuance to non-DC accounts.
- Alerts for suspicious disablement of AD CS audit logs.
- Monitoring of suspicious deletions from the certificate database.
- Tracking of modifications to AD CS settings.
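The four detections above map onto audit events the CA itself already writes to its Security log. The following PowerShell script is an added example, not Microsoft's code and not how the Defender for Identity sensor works internally; it pulls those native Certification Services events from the CA host and applies the same four checks. It assumes it runs elevated on the CA host, that the "Certification Services" audit subcategory is enabled, that the CA's AuditFilter registry value is non-zero, and that the template name appears in the 4887 event's Attributes field as CertificateTemplate:<name> (templates referenced by OID are not matched). The look-back window and the list of DC template names are assumptions to adjust.

```powershell
# Added example (not from Microsoft's announcement or the Defender for Identity sensor):
# pull the native Certification Services audit events that correspond to the four
# detections above out of the CA host's Security log.
# Assumptions: runs elevated on the CA host; the "Certification Services" audit
# subcategory is enabled; the CA's AuditFilter is non-zero.

$WindowHours = 24   # assumption: how far back to search

# Standard Windows Security event IDs logged by Certification Services
$EventsOfInterest = @{
    4882 = 'Security permissions for Certificate Services changed'   # CA ACL edited
    4885 = 'Audit filter for Certificate Services changed'           # logging reconfigured, possibly disabled
    4891 = 'Configuration entry for Certificate Services changed'    # CA registry setting edited
    4892 = 'Property of Certificate Services changed'
    4896 = 'One or more rows deleted from the certificate database'  # request/certificate records removed
}

function Get-CaAuditFilter {
    # The CA's audit mask lives at CertSvc\Configuration\<CA name>\AuditFilter:
    # 127 = every category audited, 0 = nothing audited.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    [int](Get-ItemProperty -Path (Join-Path $cfg $caName) -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
}

function Get-DomainControllerAccounts {
    # DCs carry primaryGroupID 516 (Domain Controllers) or 521 (Read-only Domain Controllers)
    $s = New-Object System.DirectoryServices.DirectorySearcher('(&(objectCategory=computer)(|(primaryGroupID=516)(primaryGroupID=521)))')
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $s.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

function Find-SuspiciousCaEvents {
    param([int]$Hours = $WindowHours)
    $dcAccounts = @(Get-DomainControllerAccounts)
    # Default templates whose certificates authenticate as a DC (template cn, not display name; assumption)
    $dcTemplates = 'DomainController', 'DomainControllerAuthentication', 'KerberosAuthentication'
    $filter = @{
        LogName   = 'Security'
        Id        = @($EventsOfInterest.Keys) + 4887       # 4887 = request approved and certificate issued
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        if ($e.Id -ne 4887) {
            # Audit-filter, ACL, settings and database-deletion events are findings as they stand
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Finding = $EventsOfInterest[$e.Id]; Detail = $e.Message.Split("`n")[0].Trim() }
            continue
        }
        # 4887 field order: RequestId, Requester, Attributes, Disposition, SKI, Subject.
        # The template shows up in Attributes as "CertificateTemplate:<name>" when the
        # requester specified one (it may also be given as an OID, which this check ignores).
        $requester = [string]$e.Properties[1].Value
        $attrs     = [string]$e.Properties[2].Value
        if ($attrs -match 'CertificateTemplate:([^\s,]+)') {
            $template = $Matches[1]
            $account  = $requester.Split('\')[-1]          # strip DOMAIN\ ; machine accounts end in $
            if (($dcTemplates -contains $template) -and -not ($dcAccounts -contains $account)) {
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4887; Finding = "DC template '$template' issued to non-DC account"; Detail = $requester }
            }
        }
    }
}

if ((Get-CaAuditFilter) -eq 0) {
    Write-Warning 'CA AuditFilter is 0: Certification Services auditing is off, so the event query below will be incomplete.'
}
Find-SuspiciousCaEvents | Format-Table -AutoSize
```

The AuditFilter check at the end is the point of the exercise: if an attacker has already set the filter to 0, the 4896 deletions and 4887 issuances you are hunting for were never written, which is exactly why the sensor treats the disabling itself as an alert. Event 4885 is still logged when the filter changes, so it is worth forwarding off-host.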
Furthermore, Microsoft will be rolling out security recommendations in Secure Score, such as:
- Preventing users from requesting certificates for arbitrary users through vulnerable templates (for example, templates that let the enrollee supply the subject name).
- Editing certificate templates with an overly permissive EKU.
- Fixing misconfigured enrollment agent certificate templates.
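The three recommendations correspond to the template weaknesses known as ESC1, ESC2 and ESC3 in the Certified Pre-Owned research: enrollee-supplied subject on an authentication-capable template, an Any Purpose or absent EKU, and an enrollment-agent template, each enrollable by broad principals without manager approval. The script below is an added example, not Microsoft's code and not what Secure Score runs; it reads every template from the Configuration partition with System.DirectoryServices (no RSAT needed) and reports templates that meet those conditions. It assumes it runs as a domain user on a domain-joined host, and the set of principals it treats as "broad" is an assumption to tune for your domain.

```powershell
# Added example, not Microsoft's code: enumerate every certificate template in the
# Configuration partition and flag the three conditions the Secure Score recommendations
# above target. Assumptions: runs as a domain user on a domain-joined host; the
# "broad principal" list is a starting point to tune.

$ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag: requester sets the subject/SAN
$PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag: CA manager approval required
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ExtendedRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
$AnyPurposeEku = '2.5.29.37.0'
$AgentEku      = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
# Assumption: these are the principals treated as "low privileged" for the check
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'

function Get-TemplateEnrollers {
    # Returns principals allowed to enroll: Allow ACEs granting the Certificate-Enrollment
    # extended right, all extended rights (empty ObjectType), or GenericAll (which includes it).
    param([System.DirectoryServices.DirectoryEntry]$Template)
    $rules = $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        if ((($rights -band $ExtendedRight) -ne 0) -and
            ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [Guid]::Empty)) {
            $ace.IdentityReference.Value
        }
    }
}

function Find-VulnerableTemplates {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $root     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=pKICertificateTemplate)')
    $searcher.PageSize = 1000
    foreach ($result in $searcher.FindAll()) {
        $t = $result.GetDirectoryEntry()
        $nameFlag   = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
        $enrollFlag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
        $raSigs     = [int]$t.Properties['msPKI-RA-Signature'].Value     # required RA (agent) signatures
        $ekus       = @($t.Properties['pKIExtendedKeyUsage'] | ForEach-Object { [string]$_ })
        $broad      = @(Get-TemplateEnrollers $t | Where-Object { $BroadPrincipals -contains $_.Split('\')[-1] })

        $noApproval = (($enrollFlag -band $PEND_ALL_REQUESTS) -eq 0) -and ($raSigs -eq 0)
        $supplies   = ($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $noEku      = $ekus.Count -eq 0                            # no EKU at all = usable for any purpose
        $hasAuthEku = $noEku -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
        $anyPurpose = $noEku -or ($ekus -contains $AnyPurposeEku)
        $isAgent    = $ekus -contains $AgentEku

        $issues = @()
        if ($broad -and $noApproval -and $supplies -and $hasAuthEku) { $issues += 'enrollee supplies subject on an authentication template (certificates for arbitrary users)' }
        if ($broad -and $noApproval -and $anyPurpose)                { $issues += 'overly permissive EKU (Any Purpose or none)' }
        if ($broad -and $noApproval -and $isAgent)                   { $issues += 'enrollment agent template enrollable by broad principals' }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Template  = [string]$t.Properties['name'].Value
                Issues    = $issues -join '; '
                Enrollers = $broad -join ', '
            }
        }
    }
}

Find-VulnerableTemplates | Format-Table -AutoSize -Wrap
```

A template only counts as a finding when all of its conditions hold at once; requiring CA manager approval or at least one RA signature neutralises each of the three on its own, which is why the script treats either as closing the issue. It does not check whether the template is actually published on a CA (the certificateTemplates attribute of the pKIEnrollmentService object), so an unpublished but misconfigured template is reported too, which is the safer side to err on.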
For a more detailed overview of the new sensor and its capabilities, users can refer to Microsoft's official documentation.
Microsoft plans to extend the sensor. One anticipated feature is detection of modifications to the AD CS configuration, in particular to the CA's access control list; such changes can grant an attacker the right to perform “certificate authority level operations” that lead to a domain takeover.
AD CS is not installed in every Active Directory (AD) deployment, but where it is, it is a prime target. AD CS is a Windows Server role that creates and manages public key infrastructure (PKI) certificates, which establish trusted, secure communication between users, devices, and applications on a network. More significantly for attackers, a certificate with a client-authentication EKU can be used to log on as the account it names, so it is effectively a password equivalent, and it remains valid until it expires or is revoked even if that account's password is reset.