Detecting Identity Threats
Understanding the Concept
Defender for Identity detects identity-based threats across the attack lifecycle: reconnaissance (LDAP, DNS, and SAM-R enumeration), credential compromise (brute force, Kerberoasting, AS-REP roasting), lateral movement (Pass-the-Hash, Pass-the-Ticket, overpass-the-hash), and domain dominance (DCSync, DCShadow, Golden Ticket).
Each detection is mapped to MITRE ATT&CK tactics and techniques (for example Kerberoasting to T1558.003 under Credential Access, DCSync to T1003.006). An alert carries a severity rating, the affected entities (users, devices, resources), an evidence timeline, and recommended investigation steps. High-severity, high-fidelity detections such as suspected DCSync or Golden Ticket usage mean the attacker already holds domain-level privileges; treat them as incidents to contain immediately, not as candidates for tuning.
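The following is an added example, not code from the page or from Microsoft Defender for Identity: a toy re-implementation of two of the detections named above, Kerberoasting and DCSync, run over constructed Windows Security event records (event 4769 service-ticket requests and event 4662 object operations). The hosts, accounts and timestamps are hypothetical; the encryption-type value 0x17 (RC4-HMAC) and the two replication-right GUIDs are the real Windows values. Each alert is emitted with the fields the page lists: severity, ATT&CK mapping, affected entities and an evidence timeline.

```python
"""Toy identity detections: Kerberoasting (T1558.003) and DCSync (T1003.006)
over constructed Windows Security events. Added example, not MDI's logic."""
from collections import defaultdict
from datetime import datetime, timedelta

KERBEROS_SERVICE_TICKET = 4769   # Event ID: a Kerberos service ticket was requested
OBJECT_OPERATION = 4662          # Event ID: an operation was performed on an AD object
RC4_HMAC = "0x17"                # TicketEncryptionType for RC4-HMAC (crackable offline)
# Extended rights an account needs to pull secrets over the replication protocol
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}   # assumed DC computer accounts; replication is normal for them


def t(s):
    return datetime.fromisoformat(s)


def ticket(time, account, service, enc=RC4_HMAC):
    return {"id": KERBEROS_SERVICE_TICKET, "time": t(time), "account": account,
            "service": service, "enc": enc}


def objop(time, account, props):
    return {"id": OBJECT_OPERATION, "time": t(time), "account": account, "props": list(props)}


# Constructed sample events (hypothetical hosts and accounts, not real telemetry).
EVENTS = [
    ticket("2024-05-01T09:00:00", "alice", "MSSQLSvc/sql01"),          # one request: ordinary app use
    ticket("2024-05-01T09:10:00", "mallory", "MSSQLSvc/sql01"),        # mallory: many SPNs in seconds
    ticket("2024-05-01T09:10:01", "mallory", "HTTP/web01"),
    ticket("2024-05-01T09:10:01", "mallory", "MSSQLSvc/sql02"),
    ticket("2024-05-01T09:10:02", "mallory", "CIFS/file01"),
    ticket("2024-05-01T09:10:02", "mallory", "HTTP/web02"),
    ticket("2024-05-01T09:10:03", "mallory", "ldap/dc01"),
    ticket("2024-05-01T09:11:00", "WS01$", "cifs/dc01", enc="0x12"),  # machine account, AES: ignore
    objop("2024-05-01T09:20:00", "DC01$",                               # DC-to-DC replication: benign
          [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]),
    objop("2024-05-01T09:21:00", "mallory",                             # user account replicating: DCSync
          [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]),
]


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=10)):
    """Flag user accounts requesting RC4 service tickets for >= threshold distinct
    SPNs inside a sliding window. Machine accounts and TGT (krbtgt) requests are skipped."""
    per_account = defaultdict(list)
    for e in events:
        if e["id"] != KERBEROS_SERVICE_TICKET or e["enc"] != RC4_HMAC:
            continue
        if e["account"].endswith("$") or e["service"].lower().startswith("krbtgt"):
            continue
        per_account[e["account"]].append(e)
    alerts = []
    for account, reqs in per_account.items():
        reqs.sort(key=lambda e: e["time"])
        for i, first in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r["time"] - first["time"] <= window]
            spns = sorted({r["service"] for r in in_window})
            if len(spns) >= threshold:
                alerts.append({
                    "name": "Suspected Kerberoasting (RC4 service-ticket burst)",
                    "tactic": "Credential Access", "technique": "T1558.003",
                    "severity": "Medium",
                    "entities": {"account": account, "services": spns},
                    "evidence": [(r["time"].isoformat(), f"4769 {r['service']} enc=RC4") for r in in_window],
                })
                break   # one alert per account, anchored on the first qualifying window
    return alerts


def detect_dcsync(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Flag replication (Get-Changes-All) requests from anything other than a DC account."""
    alerts = []
    for e in events:
        if e["id"] != OBJECT_OPERATION or DS_REPLICATION_GET_CHANGES_ALL not in e["props"]:
            continue
        if e["account"] in domain_controllers:
            continue
        alerts.append({
            "name": "Suspected DCSync (replication request from non-DC)",
            "tactic": "Credential Access", "technique": "T1003.006",
            "severity": "High",
            "entities": {"account": e["account"]},
            "evidence": [(e["time"].isoformat(), "4662 DS-Replication-Get-Changes-All")],
        })
    return alerts


def run_detections(events):
    """All alerts, ordered by the first piece of evidence (the alert timeline)."""
    alerts = detect_kerberoasting(events) + detect_dcsync(events)
    return sorted(alerts, key=lambda a: a["evidence"][0][0])


if __name__ == "__main__":
    for a in run_detections(EVENTS):
        print(a["severity"], a["technique"], a["name"], a["entities"])
```

The DC allow-list is the part that needs care in practice: a non-DC account with replication rights (for example an Entra Connect sync account) is a legitimate exception that should be enumerated explicitly rather than silenced by a broad filter.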
Lateral movement paths (LMPs) visualize how an attacker who controls a given account could reach sensitive accounts (for example members of Domain Admins) by chaining local administrator rights and active logon sessions: an account that is a local administrator on a workstation where a privileged user is logged on is one credential dump away from that user. Reviewing LMPs is proactive work: the team can remove the unnecessary admin right, or stop the privileged account from logging on to the shared host, before an attacker finds the same path.
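As an added illustration (not the page's own material and not Defender for Identity's implementation), the block below models an LMP as a breadth-first search over a small directed graph built from the two relationships the feature relies on: local Administrators membership and logged-on sessions. All account and host names (bob, helpdesk1, da-admin, WS07, SRV-FILE01, DC01) are hypothetical, and the data is constructed inline.

```python
"""Toy lateral movement path computation. Added example; not MDI code."""
from collections import defaultdict, deque

# Constructed directory and session data (hypothetical names).
ADMIN_OF = {                       # user -> computers where the user is a local Administrator
    "bob": {"WS07", "WS08"},
    "helpdesk1": {"SRV-FILE01", "WS07"},
    "da-admin": {"DC01"},
}
SESSIONS = {                       # computer -> users with an active logon session there
    "WS07": {"helpdesk1"},
    "WS08": set(),
    "SRV-FILE01": {"da-admin"},
    "DC01": {"da-admin"},
}
SENSITIVE = {"da-admin"}           # accounts whose compromise means domain dominance


def build_graph(admin_of, sessions):
    """Edges: user -> computer (admin rights allow dumping credentials there) and
    computer -> user (a logged-on user's credentials are exposed on that host)."""
    g = defaultdict(set)
    for user, computers in admin_of.items():
        for c in computers:
            g[("user", user)].add(("computer", c))
    for computer, users in sessions.items():
        for u in users:
            g[("computer", computer)].add(("user", u))
    return g


def lateral_movement_paths(start_user, admin_of, sessions, sensitive):
    """BFS from a compromised user. Returns {sensitive_account: shortest path}
    for every sensitive account reachable through admin-rights and session hops."""
    g = build_graph(admin_of, sessions)
    start = ("user", start_user)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(g[node]):         # sorted for deterministic paths
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for s in sensitive:
        node = ("user", s)
        if s == start_user or node not in parent:
            continue
        path = []
        while node is not None:
            path.append(node[1])
            node = parent[node]
        paths[s] = path[::-1]
    return paths


def remove_session(sessions, computer, user):
    """Copy of the session map with one logon removed: the kind of fix (privileged
    account no longer logs on to a shared host) that closes a path."""
    fixed = {c: set(u) for c, u in sessions.items()}
    fixed.get(computer, set()).discard(user)
    return fixed


if __name__ == "__main__":
    print(lateral_movement_paths("bob", ADMIN_OF, SESSIONS, SENSITIVE))
    print(lateral_movement_paths("bob", ADMIN_OF, remove_session(SESSIONS, "WS07", "helpdesk1"), SENSITIVE))
```

Run stand-alone, the first line shows bob reaching da-admin in four hops via WS07 and helpdesk1's session; once helpdesk1 no longer has a session on WS07 the path disappears, which is the kind of change an LMP review is meant to drive.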
Key Points
- Detects reconnaissance, credential attacks, lateral movement, domain dominance
- Key detections: Kerberoasting, Pass-the-Hash, DCSync, Golden Ticket
- Alerts mapped to MITRE ATT&CK tactics and techniques
- Lateral Movement Paths visualize attack paths to sensitive accounts
- Identity security posture assessments identify configuration weaknesses
- Integration with Defender XDR for correlated incident view
Why This Matters in Real Organizations
Identity attacks are stealthy because the attacker uses valid credentials and legitimate protocols, so the activity looks like ordinary authentication traffic. They are also devastating: an attacker holding domain admin credentials can access any resource in the organization, and once the krbtgt hash is stolen, forged Golden Tickets keep working until that account's password is reset twice. Detecting credential compromise and lateral movement early, before the domain dominance stage, is what keeps a single compromised account from becoming a full domain compromise.
Common Mistakes to Avoid
Interview Tips
- Explain common identity attack techniques and how to detect them
- Discuss lateral movement path analysis and its value
Exam Tips (SC-200)
- Know the major identity attack techniques and their detections
- Understand lateral movement path analysis
- Know how identity alerts integrate with Defender XDR incidents