Detect Malicious Changes in AD

Active Directory Threat Detection & Response

Monitor every change to Active Directory and Azure AD—including advanced threats that evade traditional monitoring.

Detecting threats to Active Directory and Azure AD

Organizations depend on the identity infrastructure to authenticate users and provide secure access to business-critical applications and services. For 90% of organizations worldwide, Active Directory and Azure Active Directory form the core of their identity services. But securing Active Directory is difficult given its constant flux, its sheer number of settings, and the increasingly sophisticated threat landscape. Protecting hybrid AD systems brings additional challenges, as many attacks start on-premises and move to the cloud. Guarding against attacks requires continuous monitoring of AD and Azure AD and a single view of malicious changes across the environment.

Semperis report:
of organizations are NOT confident they could prevent Azure AD attacks
Microsoft Digital Defense Report:
of organizations impacted by ransomware incidents did not employ AD and Azure AD security best practices
Microsoft Digital Defense Report:
1 hour, 42 minutes
the median time for an attacker to begin moving laterally after device compromise
Microsoft Digital Defense Report:
of organizations impacted by cyber incidents had no effective vulnerability and patch management process

Gain control of AD threat detection and response

To guard against constantly evolving threats, organizations need to continuously monitor Active Directory and Azure AD for Indicators of Exposure (IOEs) and Indicators of Compromise (IOCs), including advanced attacks such as DCShadow that evade traditional log- or event-based monitoring solutions.

Continuously scan the AD and Azure AD environment for Indicators of Exposure (IOEs) and Compromise (IOCs)


Uncover advanced attacks such as DCShadow that evade traditional log- and event-based solutions, including SIEMs.

Stop attackers with tamperproof tracking, real-time notifications, and automated change rollback.

Detect and respond to increasing identity system attacks

Continuously monitor for new threats

Sophisticated ransomware-as-a-service (RaaS) groups are escalating their attacks on identity systems in an effort to gain access to critical resources. To defend the hybrid AD environment in the constantly changing threat landscape, organizations need to:

  • Scan AD and Azure AD for hundreds of vulnerabilities (IOEs and IOCs), constantly updated to address new threats
  • Capture malicious changes even if security logging is turned off, logs are deleted, agents are disabled or stop working, or changes are injected directly into AD
  • Find and fix unwanted AD and Azure AD object and attribute changes
  • Identify and isolate malicious changes to support Digital Forensics and Incident Response (DFIR) operations
  • Set real-time notifications on AD and Azure AD changes
Defend against AD attacks that leave no trace

Cybercriminals continuously devise new tactics and techniques to gain access to Active Directory, making their attacks even more dangerous. When it comes to detecting potentially malicious actions within Active Directory (AD), most organizations rely on domain controller event log consolidation and SIEM solutions to spot abnormal logons and changes. This approach works—as long as the attack technique leaves a log trail. Some sophisticated attacks leave no evidence of malicious activity. Organizations need solutions that will detect and guard against attacks such as:

  • DCShadow, which registers a rogue DC, bypassing traditional SIEM monitoring
  • Group Policy changes, which are not captured by event logs by default
  • Zerologon attacks, which bypass monitoring tools that don’t watch for unexpected password changes on DCs
Our mission resonates with industry leaders

Advanced actors are attacking on-premises identity deployments to effect systemic breach and bridge to cloud admin access. Organizations in hybrid Active Directory environments need identity-first security to protect their AD and Azure AD systems from attack. This requires continuous monitoring and assessment of AD and Azure AD security posture to defend against identity-based attacks in partnership with traditional security teams.

Alex Weinert, VP of Identity Security, Microsoft
El Al Israel Airlines

Semperis offers superior technology, and their Directory Services Protector is a tremendous asset for any company that uses Active Directory.

Chen Amran, Deputy Director of Infrastructure & Communication, El Al Airlines
Gartner Peer Insights

We have lots of changes happening to our Active Directory environment, adding Linux servers, etc… [Directory Services Protector] helps us monitor and revert dangerous changes with one button click.

IT Team Member, Enterprise Organization
Gartner Peer Insights

Semperis DSP and ADFR were a breeze to deploy. The service and guidance we’ve received from the Semperis team has been exceptional.

IT Specialist, Enterprise Banking Organization
Gartner Peer Insights

Directory Services Protector is exceptional with reporting, real-time monitoring and remediation, active reporting and instant notifications when objects are modified or changed.

Senior Windows Systems Administrator, Enterprise Organization

Frequently asked questions about AD threat detection and response

What’s the best way to assess my current Active Directory vulnerabilities?

Hardening AD begins with getting a handle on the vulnerabilities and common configuration and management mishaps that pave the road to compromises. To defend AD, administrators need to know how attackers are targeting their environment. Conducting a complete vulnerability assessment on the AD environment requires a solution that is continually updated to scan for current Indicators of Exposure (IOEs) and Indicators of Compromise (IOCs). To conduct an initial assessment, you can download and use the free tool Purple Knight, which will scan your environment for hundreds of IOEs and IOCs, generate an overall security score, and provide prioritized remediation guidance from AD security experts.

What are the most critical AD security vulnerabilities?

Because of legacy AD misconfigurations that accumulate over time, many AD environments have dozens or hundreds of security vulnerabilities. Critical vulnerabilities include misconfigurations related to authentication, such as enabling anonymous access to AD. Permitting excessive privileges is another common source of AD security vulnerabilities. For more information about common AD security vulnerabilities, see “Do You Know Your Active Directory Security Vulnerabilities?”

How can I detect AD attacks that are designed to evade monitoring systems?

Cyberattackers are developing increasingly sophisticated methods of breaching AD environments that avoid detection. To detect malicious changes that bypass traditional monitoring systems (such as SIEMs), you need a solution that uses multiple data sources. Look for a tool that can capture changes even if security logging is turned off, logs are deleted, agents are disabled or stop working, or changes are injected directly into AD.

How can I track security vulnerabilities in Azure AD?

You can use the free AD security assessment tool Purple Knight to scan your Azure AD environment for various IOEs and IOCs, including inactive guest accounts, misconfigured conditional access policies, and Azure AD privileged users who are also privileged users in on-prem AD, which can result in both environments being compromised. You can use Directory Services Protector to track Azure AD changes in real time; for more information, see “5 New Ways to Secure AD and Azure AD.”

Detect and respond to AD attacks

Don’t miss AD or Azure AD threats
