Credentials can be harvested in numerous ways, including phishing campaigns, Mimikatz, and key loggers. From an investigation standpoint, tracking adversaries using this method is quite difficult, as you need to sift through the data to determine whether the activities are being performed by the legitimate user or by a bad actor.

Recently, DART was called into an engagement where the adversary had a foothold within the on-premises network, which had been gained through compromising cloud credentials. Once the adversary had the credentials, they began their reconnaissance on the network by searching for documents about VPN remote access and other access methods stored on a user's SharePoint and OneDrive. After the adversary was able to access the network through the company's VPN, they moved laterally throughout the environment using legitimate user credentials harvested during a phishing campaign.

Once our team was able to determine the initially compromised accounts, we were able to begin the process of tracking the adversary within the on-premises systems. Looking at the initial VPN logs, we identified the starting point for our investigation. Typically, in this kind of investigation, your team would need to dive deeper into individual machine event logs, looking for remote access activities and movements, as well as looking at any domain controller logs that could help highlight the credentials used by the attacker(s).

Luckily for us, this customer had deployed Azure Advanced Threat Protection (ATP) prior to the incident. By having Azure ATP operational prior to an incident, the software had already normalized authentication and identity transactions within the customer network. DART began querying the suspected compromised credentials within Azure ATP, which provided us with a broad swath of authentication-related activities on the network and helped us build an initial timeline of events and activities performed by the adversary, including:

[Image: Detect and investigate advanced attacks on-premises and in the cloud.]

This data enabled the team to perform more in-depth analysis on both user and machine level logs for the systems the adversary-controlled account touched. Azure ATP's ability to identify and investigate suspicious user activities and advanced attack techniques throughout the cyber kill chain enabled our team to completely track the adversary's movements in less than a day. Without Azure ATP, investigating this incident could have taken weeks, or even months, since the data sources often don't exist to make this type of rapid response and investigation possible. Once we were able to track the user throughout the environment, we were able to correlate that data with Microsoft Defender ATP to gain an understanding of the tools used by the adversary throughout their journey.
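The investigation described above comes down to one defender's task: take a suspected account, merge its VPN gateway records with the domain-controller logon events that mention it, and read the result in time order to see which systems the account touched after the remote connection. The Python below is an added example of that correlation and is not code from the original post, from DART, or from Azure ATP; the VPN log format, the logon-event fields (loosely modelled on Windows 4624 events), and every host name, account, address and timestamp are constructed for illustration, and real exports will need their own parsers.

```python
"""
Added example: correlate VPN gateway logs with domain-controller logon
events into a per-account timeline, then list the hosts the account
logged on to after its VPN session started. All log lines below are
constructed for the example; the formats are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed VPN gateway log lines (hypothetical format).
VPN_LOG = """\
2020-03-02T08:14:05Z vpn-gw1 session-start user=jdoe src=203.0.113.7 assigned=10.20.0.55
2020-03-02T08:20:41Z vpn-gw1 session-start user=asmith src=198.51.100.9 assigned=10.20.0.56
2020-03-02T11:02:13Z vpn-gw1 session-end user=asmith src=198.51.100.9
"""

# Constructed domain-controller logon events (loosely modelled on 4624
# fields; not real exported events). The 07:50 interactive logon from
# jdoe's own workstation is the legitimate-user baseline; the burst of
# network logons from the VPN-assigned address is what an analyst wants
# to see in sequence.
DC_EVENTS = """\
2020-03-02T08:15:30Z DC01 EventID=4624 LogonType=3 Account=jdoe Workstation=10.20.0.55 Target=FS01
2020-03-02T08:16:02Z DC01 EventID=4624 LogonType=3 Account=jdoe Workstation=10.20.0.55 Target=SP01
2020-03-02T08:17:45Z DC01 EventID=4624 LogonType=10 Account=jdoe Workstation=10.20.0.55 Target=WS-FIN-07
2020-03-02T08:22:10Z DC01 EventID=4624 LogonType=3 Account=asmith Workstation=10.20.0.56 Target=FS01
2020-03-02T07:50:00Z DC01 EventID=4624 LogonType=2 Account=jdoe Workstation=WS-ENG-02 Target=WS-ENG-02
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str   # "vpn" or "dc"
    account: str  # normalised to lower case so both sources join cleanly
    detail: str   # short human-readable description
    host: str     # target host for dc events, gateway name for vpn events


VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) (?P<kind>session-start|session-end) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)
DC_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dc>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Workstation=(?P<ws>\S+) Target=(?P<target>\S+)"
)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(text: str) -> list:
    """Parse VPN session lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            events.append(Event(_ts(m["ts"]), "vpn", m["user"].lower(),
                                f"{m['kind']} from {m['src']}", m["gw"]))
    return events


def parse_dc(text: str) -> list:
    """Parse domain-controller logon lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = DC_RE.match(line)
        if m:
            events.append(Event(_ts(m["ts"]), "dc", m["acct"].lower(),
                                f"logon type {m['lt']} from {m['ws']}", m["target"]))
    return events


def build_timeline(account: str, *sources) -> list:
    """Merge every event for one account from any number of parsed sources, in time order."""
    acct = account.lower()
    merged = [e for src in sources for e in src if e.account == acct]
    return sorted(merged, key=lambda e: e.when)


def hosts_after_vpn(timeline: list) -> list:
    """Hosts the account logged on to at or after its first VPN session-start (empty if none)."""
    starts = [e for e in timeline if e.source == "vpn" and e.detail.startswith("session-start")]
    if not starts:
        return []
    first = starts[0].when
    seen = []
    for e in timeline:
        if e.source == "dc" and e.when >= first and e.host not in seen:
            seen.append(e.host)
    return seen


def format_timeline(timeline: list) -> list:
    return [f"{e.when:%Y-%m-%d %H:%M:%S} [{e.source}] {e.account} {e.detail} -> {e.host}"
            for e in timeline]


if __name__ == "__main__":
    tl = build_timeline("jdoe", parse_vpn(VPN_LOG), parse_dc(DC_EVENTS))
    print("\n".join(format_timeline(tl)))
    print("hosts touched after VPN connect:", hosts_after_vpn(tl))
```

The merge key is the account name alone, which is deliberately simple: the point is to get the two sources onto one clock so the sequence (VPN connect, then file server, then SharePoint, then an RDP-style logon to a workstation within minutes) becomes visible. In a real case the VPN-assigned address should also be joined against the workstation field to separate the VPN session's activity from the legitimate user's own machine, and a growing list of targets per account is the cue to pull those hosts' local logs next, as the post describes.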