Defender for Identity
Introduction
Day 1: Deploy Microsoft Defender for Identity
1. Configure the Azure environment for Microsoft Defender for Identity
2. Connect to the Domain Controller and Microsoft Defender for Identity Quick Installation
3. Add a new sensor
4. Configure audit policies in AD environment
5. Create and manage groups
6. Configure Group Policy
Day 2: Attack, detect, and investigate. Exercise 1: Lab configuration
1. Create RDP files
2. Configure the Domain Controller
3. Configure MDI alert thresholds
4. Download the attack tools
5. Configure the workstations
Day 2: Attack, detect, and investigate. Exercise 2: Reconnaissance and discovery alerts
1. User and IP address reconnaissance (SMB)
2. Network mapping reconnaissance (DNS)
3. Investigate a reconnaissance and discovery alert
Day 2: Attack, detect, and investigate. Exercise 3: Persistence and privilege escalation alerts
1. Suspicious additions to sensitive groups
2. Investigate a persistence and privilege escalation alert
Day 2: Attack, detect, and investigate. Exercise 4: Credential access alerts
1. Security principal reconnaissance (LDAP)
2. Suspected DCSync attack (replication of directory services)
3. Honeytoken activity
4. Suspected Kerberos SPN exposure (Kerberoasting)
5. Investigate a credential access alert
Day 2: Attack, detect, and investigate. Exercise 5: Lateral movement alerts
1. Suspicious network connection over Encrypting File System Remote Protocol
2. Investigate a lateral movement alert
Day 2: Attack, detect, and investigate. Exercise 6: Other alerts
1. Data exfiltration over SMB
2. Remote code execution attempts
3. Investigate other alerts
TechExcel Defender for Identity
Day 2: Attack, detect, and investigate
Exercise 4: Credential access alerts
In this exercise, you’ll trigger and investigate a credential access alert.
Table of contents
1. Security principal reconnaissance (LDAP)
2. Suspected DCSync attack (replication of directory services)
3. Honeytoken activity
4. Suspected Kerberos SPN exposure (Kerberoasting)
5. Investigate a credential access alert