So you want to talk about the massive software supply chain intrusion & the most carefully-planned, complex espionage I’ve ever helped uncover?
Start here: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 🤩
But then what?? Let’s talk about some post-compromise techniques...
Please read the above blog to appreciate the multiple backdoors used, and the careful & unique tradecraft used on-premises...
We just published more details on what we’ve been finding post-compromise: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
ADFS key material compromise, SAML shenanigans, OAuth keys added...
Within the technical companion blog (https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) we describe some late-stage kill-chain activity observed in many places.
I want to highlight the additional detections pushed to cover these techniques in @MSAzureSentinel (but anyone can use them on the UAL for #DFIR) ...
AAD PowerShell tomfoolery:
Logic to expose when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Microsoft Graph
➡️ https://github.com/Azure/Azure-Sentinel/pull/1442/files
Domain federation trust horseplay:
Logic to highlight when an Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain
➡️ https://github.com/Azure/Azure-Sentinel/pull/1443/files
Globally rare event. Always interesting.
OAuth App Credential Hijinks:
Finds new credentials added to an App/SP.
With sufficient privileges, an actor can add alternate authentication material for direct access to resources using this credential.
More from @_dirkjan https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/
➡️ https://github.com/Azure/Azure-Sentinel/pull/1381
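The three detections above ship as KQL rules in the linked Sentinel PRs. As an added illustration that is not part of this thread or of those PRs, here is the same hunting logic in Python, run over a constructed newline-delimited JSON export shaped like Azure AD sign-in and audit rows, the way you might triage a UAL or Log Analytics export offline during DFIR. The well-known client id of the Azure AD PowerShell module, the "Windows Azure Active Directory" resource id, the audit OperationName strings, the field names and every sample value are assumptions to verify against your own tenant's logs before you rely on them.

```python
import json

# Well-known Azure AD first-party identifiers (assumption: verify in your tenant).
AAD_POWERSHELL_CLIENT_ID = "1b730954-1685-4b74-9bfd-dac224a7b894"  # Azure Active Directory PowerShell
AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"      # Windows Azure Active Directory

# Audit OperationName values each hunt keys on (assumption: confirm the exact
# strings your tenant emits; matching is case-insensitive and dash-tolerant).
FEDERATION_OPS = {"set domain authentication", "set federation settings on domain"}
CREDENTIAL_OPS = {"add service principal credentials",
                  "update application - certificates and secrets management"}

# Constructed sample export (one JSON object per line) shaped like Azure AD
# SigninLogs / AuditLogs rows. Apart from the two constants above, every
# identifier, name and address here is a made-up placeholder.
SAMPLE_EXPORT = """\
{"Type":"SignIn","UserPrincipalName":"alice@contoso.example","AppId":"1b730954-1685-4b74-9bfd-dac224a7b894","ResourceDisplayName":"Windows Azure Active Directory","ResourceId":"00000002-0000-0000-c000-000000000000","IPAddress":"203.0.113.10"}
{"Type":"SignIn","UserPrincipalName":"svc-backup@contoso.example","AppId":"1b730954-1685-4b74-9bfd-dac224a7b894","ResourceDisplayName":"Microsoft Graph","ResourceId":"22222222-2222-2222-2222-222222222222","IPAddress":"198.51.100.7"}
{"Type":"SignIn","UserPrincipalName":"bob@contoso.example","AppId":"11111111-1111-1111-1111-111111111111","ResourceDisplayName":"Microsoft Graph","ResourceId":"22222222-2222-2222-2222-222222222222","IPAddress":"203.0.113.11"}
{"Type":"Audit","OperationName":"Set federation settings on domain","InitiatedBy":"alice@contoso.example","TargetResources":[{"displayName":"contoso.example","type":"Domain","modifiedProperties":[{"displayName":"IssuerUri","newValue":"http://sts.unexpected.example/adfs/services/trust"}]}]}
{"Type":"Audit","OperationName":"Add service principal credentials","InitiatedBy":"alice@contoso.example","TargetResources":[{"displayName":"Mail Archiver","type":"ServicePrincipal","modifiedProperties":[{"displayName":"KeyDescription","newValue":"[KeyType=Password,KeyUsage=Verify]"}]}]}
{"Type":"Audit","OperationName":"Update user","InitiatedBy":"hr@contoso.example","TargetResources":[{"displayName":"carol@contoso.example","type":"User","modifiedProperties":[{"displayName":"Department","newValue":"Finance"}]}]}
"""


def normalize_operation(op: str) -> str:
    """Lower-case an OperationName and fold the en dash Azure AD uses into '-'."""
    return op.replace("\u2013", "-").lower().strip()


def load_events(export: str) -> list:
    """Parse a newline-delimited JSON export, skipping blank lines."""
    return [json.loads(line) for line in export.splitlines() if line.strip()]


def aad_powershell_off_target(events: list) -> list:
    """Technique 1: the AAD PowerShell client signing in to anything other than
    Azure AD itself (e.g. Microsoft Graph). Returns (upn, resource, ip) tuples."""
    hits = []
    for e in events:
        if e.get("Type") != "SignIn" or e.get("AppId") != AAD_POWERSHELL_CLIENT_ID:
            continue
        if e.get("ResourceId") == AAD_GRAPH_RESOURCE_ID:
            continue  # the module's normal target; routine admin use
        hits.append((e.get("UserPrincipalName"), e.get("ResourceDisplayName"), e.get("IPAddress")))
    return hits


def _audit_hits(events: list, ops: set) -> list:
    """Flatten matching audit rows into one record per target resource, with
    modifiedProperties reduced to a {name: newValue} dict for quick triage."""
    hits = []
    for e in events:
        if e.get("Type") != "Audit" or normalize_operation(e.get("OperationName", "")) not in ops:
            continue
        for target in e.get("TargetResources", []):
            changed = {p.get("displayName"): p.get("newValue")
                       for p in target.get("modifiedProperties", [])}
            hits.append({"actor": e.get("InitiatedBy"), "operation": e["OperationName"],
                         "target": target.get("displayName"), "target_type": target.get("type"),
                         "changed": changed})
    return hits


def federation_trust_changes(events: list) -> list:
    """Technique 2: domain authentication / federation settings modified."""
    return _audit_hits(events, FEDERATION_OPS)


def new_app_credentials(events: list) -> list:
    """Technique 3: a password or certificate added to an app / service principal."""
    return _audit_hits(events, CREDENTIAL_OPS)


def hunt(export: str) -> dict:
    """Run all three hunts over an export and return the findings by technique."""
    events = load_events(export)
    return {"aad_powershell_off_target": aad_powershell_off_target(events),
            "federation_trust_changes": federation_trust_changes(events),
            "new_app_credentials": new_app_credentials(events)}


if __name__ == "__main__":
    for technique, findings in hunt(SAMPLE_EXPORT).items():
        print(f"== {technique}: {len(findings)} hit(s)")
        for finding in findings:
            print("  ", finding)
```

On the sample, the first sign-in (PowerShell talking to Azure AD itself) is suppressed as routine, while the service account using the same client against Microsoft Graph surfaces, as do the federation change and the new service-principal credential; the unrelated user update is ignored. The federation and credential hunts are deliberately broad: both operations are rare enough in most tenants that every hit deserves a look at the actor, the target and the changed properties rather than further filtering.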
What an honor to work with such talented people who didn’t let setbacks (or sleep) get in the way of finding evil and cracking the case.
See those names throughout the blogs; and there are more.
Alright; so much work to be done now!
Don’t give up along the way. 🕵🏼‍♂️ ☀️ 🌬 😉
https://twitter.com/itsreallynick/status/1336907125591855106
Oh and I must say... I was in the same spot as @SwiftOnSecurity (and let’s be honest, most everyone else) on SAML security. How could anyone know all of this??
Of course @cglyer somehow knows it 😂
and helped me along.
Then #MSTIC brought in the big guns in Microsoft Identity 💪
https://twitter.com/swiftonsecurity/status/1338387127374065667
The benefit of understanding & detecting/hunting the above techniques is that they can help identify post-compromise activity, even if it's a different threat actor or a different initial infection vector: https://twitter.com/ItsReallyNick/status/1338532106629222400?s=20