L4. Defender for Identity: Lateral Movement Detection
Microsoft Defender for Identity monitors on-premises Active Directory to detect lateral movement, credential theft, and domain dominance attacks. This lesson covers sensor deployment, detection capabilities, and Lateral Movement Paths for the SC-200 exam.
What Is Defender for Identity?
Microsoft Defender for Identity (MDI) monitors on-premises Active Directory to detect identity-based threats. It captures and analyzes network traffic to and from domain controllers, together with Windows events and ETW traces from those servers, detecting attacks like pass-the-hash, pass-the-ticket, Kerberoasting, and DCSync.
MDI feeds its alerts into Defender XDR, where they are correlated with endpoint, email, and cloud app signals.
Sensor Deployment
MDI uses sensors installed directly on domain controllers (or on standalone servers in older deployments):
| Sensor Type | Installation | Use Case |
|---|---|---|
| Domain controller sensor | Directly on the DC | Recommended for all deployments |
| AD FS sensor | On AD FS servers | Detects AD FS-based attacks |
| Standalone sensor | Dedicated server with port mirroring | Legacy option, not recommended for new deployments |
Key Detection Categories
MDI detections map to the MITRE ATT&CK framework. The main categories, with representative detections:
Reconnaissance:
- Account enumeration (LDAP, SAM-R)
- Network mapping scans
- DNS enumeration
Credential theft:
- Kerberoasting (requesting service tickets for offline cracking)
- AS-REP Roasting (targeting accounts that do not require Kerberos pre-authentication)
- Brute force authentication attempts
- Suspicious authentication failures
Lateral movement:
- Pass-the-hash and pass-the-ticket attacks
- Overpass-the-hash (using an NTLM hash to obtain Kerberos tickets)
- Remote code execution attempts
- Suspicious use of administrative protocols
Domain dominance:
- DCSync attacks (replicating directory data, including password hashes, using domain controller replication rights)
- Golden Ticket usage (forged Kerberos TGTs signed with the krbtgt account's key)
- Skeleton Key malware (a master password patched into LSASS on a domain controller)
- DCShadow attacks (registering a rogue domain controller to push changes through replication)
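The Kerberoasting entry above is the one most often asked about, so here is the shape of the detection logic as an added example (written for this page, not code from the lesson or from Microsoft, which raises its own alert from domain-controller traffic). It runs over constructed service-ticket request records with the fields Windows event 4769 exposes; the window and SPN thresholds are hypothetical and would be tuned to an environment's baseline:

```python
"""Added example: toy Kerberoasting detector over constructed TGS request records.

One account requesting tickets for many distinct SPNs in a short window,
typically with the RC4 encryption type (0x17) that offline cracking tools
prefer, is the Kerberoasting signature this code looks for."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Kerberos etype 23; 0x12 is AES256-CTS-HMAC-SHA1-96

# Constructed sample: (timestamp, requesting account, service SPN, etype).
# 'mallory' pulls six RC4 tickets in two seconds; the others look normal.
EVENTS = [
    ("2024-05-01T09:00:01", "alice", "MSSQLSvc/sql01.corp.local:1433", 0x12),
    ("2024-05-01T09:03:10", "alice", "HTTP/web01.corp.local", 0x12),
    ("2024-05-01T10:15:00", "mallory", "MSSQLSvc/sql01.corp.local:1433", RC4_HMAC),
    ("2024-05-01T10:15:00", "mallory", "MSSQLSvc/sql02.corp.local:1433", RC4_HMAC),
    ("2024-05-01T10:15:01", "mallory", "HTTP/web01.corp.local", RC4_HMAC),
    ("2024-05-01T10:15:01", "mallory", "CIFS/files01.corp.local", RC4_HMAC),
    ("2024-05-01T10:15:02", "mallory", "ldap/dc01.corp.local", RC4_HMAC),
    ("2024-05-01T10:15:02", "mallory", "HOST/app01.corp.local", RC4_HMAC),
    ("2024-05-01T11:00:00", "svc-backup", "CIFS/files01.corp.local", RC4_HMAC),
]


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=5):
    """Return {account: finding} for every account that requested tickets for
    at least `min_spns` distinct SPNs inside any span of length `window`.
    Both thresholds are hypothetical values chosen for this example."""
    by_account = defaultdict(list)
    for ts, account, spn, etype in events:
        by_account[account].append((datetime.fromisoformat(ts), spn, etype))

    findings = {}
    for account, reqs in by_account.items():
        reqs.sort()  # chronological; sliding window starts at each request
        for i, (start, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            spns = {spn for _, spn, _ in in_window}
            if len(spns) >= min_spns:
                findings[account] = {
                    "first_seen": start.isoformat(),
                    "distinct_spns": len(spns),
                    "rc4_requests": sum(1 for _, _, et in in_window if et == RC4_HMAC),
                    "spns": sorted(spns),
                }
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for account, finding in detect_kerberoasting(EVENTS).items():
        print(f"Kerberoasting suspected: {account} requested {finding['distinct_spns']} "
              f"SPNs ({finding['rc4_requests']} with RC4) starting {finding['first_seen']}")
```

The RC4 count matters for triage: AES tickets can still be roasted but crack far more slowly, so a burst of RC4-only requests from a workstation account is a much stronger signal than the same count with AES. Service accounts that legitimately touch many SPNs (backup, monitoring) are the usual source of false positives and need allow-listing or a per-account baseline.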
Lateral Movement Paths
The Lateral Movement Paths (LMP) feature maps how an attacker could move from a compromised account to high-value targets like Domain Admins. It visualizes:
- Which accounts have sessions on which devices
- Which accounts have local admin rights on which devices
- Group memberships that grant access to sensitive resources
Use LMP to proactively identify and remediate overly permissive access (stale privileged sessions on workstations, unnecessary local admin rights, over-broad group nesting) before an attacker exploits it.
Exam tip: Lateral Movement Paths are a proactive security posture tool, not just a detection feature. The exam may ask about using LMP to reduce attack surface.
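The three relationships LMP visualizes (sessions, local admin rights, group membership) form a directed graph, and a lateral movement path is simply a path through it. The following added example (written for this page, not code from the lesson or from Microsoft) walks such a graph over a constructed environment; every account, group and device name is hypothetical:

```python
"""Added example: the graph walk behind a Lateral Movement Path, on constructed data.

Edge types, matching what the lesson says LMP visualizes:
  MemberOf    account/group -> group   (nested membership, followed transitively)
  AdminTo     account/group -> device  (local admin rights on the device)
  HasSession  device -> account        (an admin on the device can harvest the
                                        credentials of whoever is logged on)
A path from a compromised account to the Domain Admins group is a lateral
movement path; breaking any edge on it removes that path."""
from collections import defaultdict, deque

# Constructed sample environment (hypothetical names).
GROUPS = {                      # group -> direct members (accounts or groups)
    "Domain Admins": ["dave"],
    "Helpdesk": ["bob"],
    "Workstation Admins": ["Helpdesk"],
}
LOCAL_ADMINS = {                # device -> principals with local admin rights
    "WS01": ["Workstation Admins"],
    "WS02": ["Workstation Admins"],
    "SRV01": ["carol"],
}
SESSIONS = {                    # device -> accounts with an active session
    "WS01": ["alice"],
    "WS02": ["carol"],
    "SRV01": ["dave"],
}


def build_graph(groups, local_admins, sessions):
    """Directed adjacency list: node -> [(neighbor, relation)]."""
    edges = defaultdict(list)
    for group, members in groups.items():
        for member in members:
            edges[member].append((group, "MemberOf"))
    for device, principals in local_admins.items():
        for principal in principals:
            edges[principal].append((device, "AdminTo"))
    for device, accounts in sessions.items():
        for account in accounts:
            edges[device].append((account, "HasSession"))
    return edges


def lateral_movement_path(edges, start, target="Domain Admins"):
    """Breadth-first search from `start`. Returns the shortest path as a list of
    (node, relation_used_to_reach_it) tuples, or None if `target` is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                prev = parent[node]
                path.append((node, prev[1] if prev else None))
                node = prev[0] if prev else None
            return path[::-1]
        for neighbor, relation in edges.get(node, []):
            if neighbor not in parent:
                parent[neighbor] = (node, relation)
                queue.append(neighbor)
    return None


def path_nodes(path):
    """Just the node names of a path, for display and checks."""
    return [node for node, _ in path] if path else None


if __name__ == "__main__":
    graph = build_graph(GROUPS, LOCAL_ADMINS, SESSIONS)
    for account in ("bob", "alice"):
        path = lateral_movement_path(graph, account)
        if path is None:
            print(f"{account}: no path to Domain Admins")
        else:
            print(f"{account}: " + " -> ".join(
                node if rel is None else f"[{rel}] {node}" for node, rel in path))
```

In the sample data the helpdesk user bob reaches Domain Admins in seven hops because carol (a server admin) has a session on a workstation that helpdesk administers and a Domain Admin has a session on carol's server. Removing carol's workstation session, or carol's admin right on SRV01, breaks the path, which is exactly the kind of remediation the LMP view is meant to drive.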
Security Posture Assessments
MDI evaluates your Active Directory configuration and reports issues like:
- Accounts with cleartext passwords in Group Policy preferences
- Dormant accounts with privileged access
- Unsecured Kerberos delegation configurations
- Accounts exposing credentials in cleartext LDAP binds
These assessments appear as recommendations in Microsoft Secure Score.
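Two of the listed assessments reduce to simple attribute checks on user objects, and seeing them concretely helps with exam questions about what "unsecure delegation" or "dormant privileged account" means. The following added example (written for this page, not code from the lesson or from Microsoft) runs both checks over constructed account records whose field names mirror the AD attributes userAccountControl, memberOf and lastLogon:

```python
"""Added example: two posture checks from the lesson over constructed AD user records."""
from datetime import datetime, timedelta

# userAccountControl bits as defined by Active Directory
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained Kerberos delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NORMAL_ACCOUNT = 0x200

SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample records (hypothetical accounts); `now` is fixed for reproducibility.
NOW = datetime(2024, 5, 1)
ACCOUNTS = [
    {"sam": "alice", "uac": NORMAL_ACCOUNT, "memberOf": [],
     "lastLogon": NOW - timedelta(days=2)},
    {"sam": "old-admin", "uac": NORMAL_ACCOUNT, "memberOf": ["Domain Admins"],
     "lastLogon": NOW - timedelta(days=200)},
    {"sam": "svc-web", "uac": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION, "memberOf": [],
     "lastLogon": NOW - timedelta(days=1)},
    {"sam": "svc-proxy", "uac": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION, "memberOf": [],
     "lastLogon": NOW - timedelta(days=1)},
    {"sam": "dave", "uac": NORMAL_ACCOUNT, "memberOf": ["Domain Admins"],
     "lastLogon": NOW - timedelta(days=1)},
]


def unsecure_delegation(accounts):
    """Accounts whose userAccountControl allows risky Kerberos delegation.
    Unconstrained delegation caches the TGT of every user who authenticates
    to the account's host, so compromising that host yields those users."""
    findings = []
    for a in accounts:
        if a["uac"] & TRUSTED_FOR_DELEGATION:
            findings.append((a["sam"], "unconstrained delegation"))
        elif a["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((a["sam"], "constrained delegation with protocol transition"))
    return findings


def dormant_privileged(accounts, now=NOW, max_idle_days=90):
    """Members of sensitive groups with no logon in the last `max_idle_days`
    (threshold is hypothetical; pick one that fits the environment)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a["sam"] for a in accounts
                  if set(a["memberOf"]) & SENSITIVE_GROUPS and a["lastLogon"] < cutoff)


if __name__ == "__main__":
    for sam, issue in unsecure_delegation(ACCOUNTS):
        print(f"delegation: {sam} -> {issue}")
    for sam in dormant_privileged(ACCOUNTS):
        print(f"dormant privileged account: {sam}")
```

A real audit would also resolve nested group membership (as the Lateral Movement Paths graph does) rather than checking direct memberOf values only, since a dormant account in a group that is itself nested in Domain Admins is just as dangerous.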
Entity Pages
Every user and device monitored by MDI gets an entity page showing:
- Alert timeline
- Active Directory group memberships
- Lateral movement paths involving this entity
- Logon activity and resource access patterns
- ✓Domain controller sensors are the recommended deployment model for Defender for Identity.
- ✓MDI detects Kerberoasting, pass-the-hash, pass-the-ticket, DCSync, and Golden Ticket attacks.
- ✓Lateral Movement Paths visualize how attackers could reach high-value targets from a compromised account.
- ✓Security posture assessments identify AD misconfigurations and feed into Microsoft Secure Score.
- ✓MDI sensors capture network traffic, Windows events, and ETW traces from domain controllers.
1. A standard user account has been compromised. What does the Lateral Movement Paths feature help an analyst identify about that account?
2. Which Defender for Identity sensor type is recommended for new deployments?
3. An attacker requests service tickets for multiple service accounts to crack them offline. Which detection does Defender for Identity trigger?