Human-operated ransomware continues to maintain its position as one of the most impactful cyberattack trends worldwide and is a significant threat that many organizations have faced in recent years. These attacks take advantage of network misconfigurations and thrive on an organization's weak interior security. Although these attacks pose a clear and present danger to organizations and their IT infrastructure and data, they are a preventable disaster.

The Microsoft Detection and Response Team (DART) responds to security compromises to help customers become cyber-resilient. DART provides onsite reactive incident response and remote proactive investigations. DART leverages Microsoft's strategic partnerships with security organizations around the world and internal Microsoft product groups to provide the most complete and thorough investigation possible.

This article describes how DART investigated a recent ransomware incident with details on the attack tactics and detection mechanisms. See Part 1 and Part 2 of DART's guide to combatting human-operated ransomware for more information.

The attack

DART leverages incident response tools and tactics to identify threat actor behaviors for human-operated ransomware. Public information regarding ransomware events focuses on the end impact, but rarely highlights the details of the operation and how threat actors were able to escalate their access undetected to discover, monetize, and extort.

Here are some common techniques that attackers use for ransomware attacks based on MITRE ATT&CK tactics.

DART used Microsoft Defender for Endpoint to track the attacker through the environment, create a story depicting the incident, and then eradicate the threat and remediate. Once deployed, Defender for Endpoint began detecting successful logons from a brute force attack. Upon discovering this, DART reviewed the security data and found several vulnerable Internet-facing devices using the Remote Desktop Protocol (RDP).

After initial access was gained, the threat actor used the Mimikatz credential harvesting tool to dump password hashes, scanned for credentials stored in plaintext, created backdoors with Sticky Key manipulation, and moved laterally throughout the network using remote desktop sessions.

For this case study, here is the highlighted path that the attacker took.

The following sections describe additional details based on the MITRE ATT&CK tactics and include examples of how the threat actor activities were detected with the Microsoft 365 Defender portal.

Ransomware campaigns use well-known vulnerabilities for their initial entry, typically using phishing emails or weaknesses in perimeter defense such as devices with the Remote Desktop service enabled and exposed on the Internet. For this incident, DART was able to locate a device that had TCP port 3389 for RDP exposed to the Internet. This allowed threat actors to perform a brute-force authentication attack and gain the initial foothold.

Defender for Endpoint used threat intelligence to determine that there were numerous sign-ins from known brute-force sources and displayed them in the Microsoft 365 Defender portal.

Once the initial access was successful, environment enumeration and device discovery began. These activities allowed the threat actors to identify information about the organization's internal network and target critical systems such as domain controllers, backup servers, databases, and cloud resources. After the enumeration and device discovery, the threat actors performed similar activities to identify vulnerable user accounts, groups, permissions, and software.

The threat actor leveraged Advanced IP Scanner, an IP address scanning tool, to enumerate the IP addresses used in the environment and perform subsequent port scanning. By scanning for open ports, the threat actor discovered devices that were accessible from the initially compromised device. This activity was detected in Defender for Endpoint and used as an indicator of compromise (IoC) for further investigation.
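The case study describes Defender for Endpoint detecting successful logons that followed brute-force attempts against an Internet-exposed RDP service, and correlating the sources with threat intelligence about known brute-force origins. The following is an added example of that detection logic, not code from DART or from the Microsoft 365 Defender portal: it replays constructed Windows Security logon events (event IDs 4625 and 4624 and logon type 10 are the real Windows values; the timestamps, user names, IP addresses and the "known brute-force sources" set are constructed sample data) and raises an alert when a single source accumulates a burst of RDP failures and then succeeds.

```python
"""
Added example (not from the DART write-up): flag RDP brute-force activity
followed by a successful logon, using constructed Windows Security events.

Event IDs are the real Windows ones: 4625 = failed logon, 4624 = successful
logon. LogonType 10 = RemoteInteractive (RDP). The log lines, IP addresses
and the "known brute-force sources" list are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, pipe-delimited: timestamp|event_id|logon_type|user|source_ip
SAMPLE_LOG = """\
2023-03-01T02:00:01|4625|10|administrator|203.0.113.45
2023-03-01T02:00:03|4625|10|admin|203.0.113.45
2023-03-01T02:00:04|4625|10|backup|203.0.113.45
2023-03-01T02:00:06|4625|10|svc_sql|203.0.113.45
2023-03-01T02:00:07|4625|10|administrator|203.0.113.45
2023-03-01T02:00:09|4624|10|svc_sql|203.0.113.45
2023-03-01T08:15:00|4625|10|jdoe|198.51.100.7
2023-03-01T08:15:20|4624|10|jdoe|198.51.100.7
2023-03-01T09:00:00|4624|2|jdoe|10.0.0.15
"""

# Constructed stand-in for a threat-intelligence feed of known brute-force sources.
KNOWN_BRUTE_FORCE_SOURCES = {"203.0.113.45"}

FAILURE_THRESHOLD = 5           # failed logons from one source ...
WINDOW = timedelta(minutes=10)  # ... within this window, followed by a success


def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a parsed timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """
    Return one alert per source IP whose RDP (logon type 10) failures reached
    `threshold` within `window` and were then followed by a successful logon.
    Each alert also records whether the source is on the known brute-force list.
    """
    failures = defaultdict(list)   # src -> timestamps of recent 4625 events
    alerts = []
    for e in events:
        if e["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are in scope here
        # Drop failures that fell out of the sliding window.
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        failures[e["src"]] = recent
        if e["event_id"] == 4625:
            recent.append(e["ts"])
        elif e["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({
                "src": e["src"],
                "user": e["user"],
                "failures_before_success": len(recent),
                "known_brute_force_source": e["src"] in KNOWN_BRUTE_FORCE_SOURCES,
                "success_at": e["ts"].isoformat(),
            })
            failures[e["src"]] = []  # one burst yields one alert
    return alerts


def run_detection(text=SAMPLE_LOG):
    """Parse the sample log and return the alerts it produces."""
    return detect_brute_force_success(parse_events(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed sample the only alert is for 203.0.113.45: five failed RDP logons across different account names within ten minutes, then a success as svc_sql, from a source that is also on the threat-intelligence list. The single failure from 198.51.100.7 stays below the threshold, and the console logon (type 2) is ignored. The threshold and window are tuning knobs; in a real deployment they would be set from the environment's baseline of failed logons.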