Azure ATP: Clear text credentials using LDAP simple bind


Hi,
Is there a possibility to get all the computers where an "Authentication with clear text credentials using LDAP simple bind from %Computername%" was made?
I can only see it if I check the user, but I would like to see all the computers that accepted the LDAP simple bind.


regards
Phil

6 Replies

Hi @philipperismann,

 

Have you seen our security assessment for exposing credentials in clear text?

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-cas-isp-clear-text

 

You can get this list after you have integrated AATP with MCAS.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-mcas-integration

 

If you don't have a subscription for Cloud App Security, you will still be able to use the Cloud App Security portal to investigate Azure ATP alerts and deep dive on users and their on-premise managed activities, but you won't receive related insights from your cloud applications.

 

 

Hi @BrandonLawson,

 

Thanks, this already helps a lot, but I can only see the top 20 credential-exposing entities.

Is it possible to get a full list?

 

regards Phil

@philipperismann 

You can now utilize MTP's Advanced hunting feature to query against Azure ATP data (using the IdentityLogonEvents table).

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-identitylogonevents-tab...

 

// Finds Devices using LDAP cleartext
IdentityLogonEvents
| where Timestamp > ago(30d)
| where LogonType == "LDAP cleartext"
| distinct DeviceName
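The query above returns only the distinct device names. As an added example that is not part of the thread and not Microsoft's code, the Python below re-implements that same filter over a handful of constructed rows shaped like the IdentityLogonEvents columns the query uses (Timestamp, LogonType, DeviceName, AccountName), and then goes one step further than the thread's query: it summarises, per device, how many cleartext binds were seen, which accounts sent their password in the clear and when the device was last seen doing so, which is the list you would hand to the owners of each device. The sample rows, device names and account names are invented, and the fixed "now" exists only to keep the 30-day window reproducible.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time (assumption for reproducibility; in practice use datetime.now(timezone.utc)).
NOW = datetime(2020, 4, 24, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows mimicking the IdentityLogonEvents columns used by the
# thread's KQL query. These are made-up values, not data from any real tenant.
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1),  "LogonType": "LDAP cleartext", "DeviceName": "app01.corp.example",     "AccountName": "svc_ldap"},
    {"Timestamp": NOW - timedelta(days=2),  "LogonType": "LDAP cleartext", "DeviceName": "app01.corp.example",     "AccountName": "svc_ldap"},
    {"Timestamp": NOW - timedelta(days=5),  "LogonType": "LDAP cleartext", "DeviceName": "printer07.corp.example", "AccountName": "svc_scan"},
    {"Timestamp": NOW - timedelta(days=45), "LogonType": "LDAP cleartext", "DeviceName": "legacy02.corp.example",  "AccountName": "svc_old"},    # older than 30 days: excluded
    {"Timestamp": NOW - timedelta(days=3),  "LogonType": "Kerberos",       "DeviceName": "ws100.corp.example",     "AccountName": "alice"},      # not a cleartext bind: excluded
    {"Timestamp": NOW - timedelta(days=3),  "LogonType": "LDAP cleartext", "DeviceName": "app01.corp.example",     "AccountName": "svc_backup"},
]


def _in_scope(event, cutoff):
    """Same predicate as the two 'where' clauses in the thread's query."""
    return event["Timestamp"] > cutoff and event["LogonType"] == "LDAP cleartext"


def cleartext_ldap_devices(events, now=NOW, window=timedelta(days=30)):
    """Python equivalent of:
    IdentityLogonEvents | where Timestamp > ago(30d) | where LogonType == "LDAP cleartext" | distinct DeviceName
    Returns the distinct device names, sorted for stable output."""
    cutoff = now - window
    return sorted({e["DeviceName"] for e in events if _in_scope(e, cutoff)})


def cleartext_ldap_summary(events, now=NOW, window=timedelta(days=30)):
    """Per-device summary, going beyond the thread's query. The KQL equivalent would replace
    'distinct DeviceName' with:
    | summarize Binds=count(), Accounts=make_set(AccountName), LastSeen=max(Timestamp) by DeviceName
    Returns {DeviceName: {"Binds": int, "Accounts": set, "LastSeen": datetime}}."""
    cutoff = now - window
    summary = {}
    for e in events:
        if not _in_scope(e, cutoff):
            continue
        entry = summary.setdefault(e["DeviceName"], {"Binds": 0, "Accounts": set(), "LastSeen": None})
        entry["Binds"] += 1
        entry["Accounts"].add(e["AccountName"])
        if entry["LastSeen"] is None or e["Timestamp"] > entry["LastSeen"]:
            entry["LastSeen"] = e["Timestamp"]
    return summary


if __name__ == "__main__":
    print("Devices with LDAP cleartext binds in the last 30 days:")
    for device in cleartext_ldap_devices(SAMPLE_EVENTS):
        print("  " + device)
    print("Per-device summary (busiest first):")
    ranked = sorted(cleartext_ldap_summary(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["Binds"])
    for device, info in ranked:
        print(f"  {device}: {info['Binds']} binds, accounts={sorted(info['Accounts'])}, "
              f"last seen {info['LastSeen']:%Y-%m-%d}")
```

Note that the account column matters as much as the device column: each listed account's password crossed the network unencrypted, so the remediation is both to switch the binding application to LDAPS or SASL and to rotate the exposed credentials.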

Hi @Or Tsemah,

Thanks for your help.

I can turn on "Microsoft Threat Protection" in security.microsoft.com, but I don't see it under Incidents or Action center.

regards

Phil

@philipperismann that is part of the "Advanced hunting" feature; you can access it from this link:

https://security.microsoft.com/advanced-hunting

 

@Or Tsemah thanks a lot, this works fine.
