@Mandiant have produced a great report on responding to the #Solorigate / #UNC2452 actor.
It has some really useful guidance on detection and response that everyone should read (the guidance is much more broadly applicable than just this TA).
https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf
#MSTIC has created #AzureSentinel content that covers the vast majority of detection opportunities detailed in the report; this is a thread of them:
Monitor for access to the AD FS DKM:
@Cyb3rWard0g created this query for Event Logs: https://github.com/Azure/Azure-Sentinel/blob/53fd116195eb5a7a90e6ef6c9726aaa99d7993b2/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
(The report details how to configure the logging needed for this).
If you're using Sysmon: https://github.com/Azure/Azure-Sentinel/blob/53fd116195eb5a7a90e6ef6c9726aaa99d7993b2/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml
Monitor for domain trust modifications - @ItsReallyNick has this covered: https://github.com/Azure/Azure-Sentinel/blob/53fd116195eb5a7a90e6ef6c9726aaa99d7993b2/Detections/AuditLogs/ADFSDomainTrustMods.yaml
Monitor for credentials added to SPNs and applications: https://github.com/Azure/Azure-Sentinel/blob/53fd116195eb5a7a90e6ef6c9726aaa99d7993b2/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
Look at SPNs and applications granted permissions to read users' mail: https://github.com/Azure/Azure-Sentinel/blob/53fd116195eb5a7a90e6ef6c9726aaa99d7993b2/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml
Monitor accounts with privileged role access - use this query by @ashwinpatil:
https://github.com/Azure/Azure-Sentinel/blob/53fd116195eb5a7a90e6ef6c9726aaa99d7993b2/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml
You might want to add some additional roles such as ApplicationAdmins to this.
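To show how the audit-log signals listed above fit together (new SPN/application credentials, mail permissions granted to an app, domain trust changes and privileged role assignments), here is a small added example in Python that is not part of the thread or of the Azure Sentinel repository: it runs simplified rules over constructed AuditLogs-style records, and the field names, operation names and role list are assumptions that stand in for the real KQL queries linked above.

```python
"""Toy detector for the post-compromise Azure AD audit-log signals listed in the thread.

Added example: the records below are constructed, and the rules are a simplified
stand-in for the linked Azure Sentinel queries, not the queries themselves.
"""
from collections import defaultdict

# Constructed AuditLogs-style records; field names are assumed to mirror Azure AD naming.
SAMPLE_AUDIT_LOGS = [
    {"OperationName": "Add service principal credentials", "Result": "success",
     "InitiatedBy": "admin@contoso.example", "Target": "MailSyncApp"},
    {"OperationName": "Add delegated permission grant", "Result": "success",
     "InitiatedBy": "admin@contoso.example", "Target": "MailSyncApp",
     "Scope": "Mail.Read User.Read"},
    {"OperationName": "Set federation settings on domain", "Result": "success",
     "InitiatedBy": "svc-hybrid@contoso.example", "Target": "contoso.example"},
    {"OperationName": "Add member to role", "Result": "success",
     "InitiatedBy": "helpdesk@contoso.example", "Target": "user1@contoso.example",
     "Role": "Application Administrator"},
    {"OperationName": "Update user", "Result": "success",
     "InitiatedBy": "helpdesk@contoso.example", "Target": "user2@contoso.example"},
    # Failed attempts are left out of the alert set, as most of the linked queries do.
    {"OperationName": "Add member to role", "Result": "failure",
     "InitiatedBy": "user2@contoso.example", "Target": "user2@contoso.example",
     "Role": "Global Administrator"},
]

# Roles to watch; the thread suggests adding ApplicationAdmins to the stock list.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator",
                    "Cloud Application Administrator", "Privileged Role Administrator"}
# Graph scopes that let an app read mailboxes.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared"}

def classify(record):
    """Return the detection name a single successful record triggers, or None."""
    if record.get("Result") != "success":
        return None
    op = record.get("OperationName", "")
    if op in ("Add service principal credentials",
              "Update application – Certificates and secrets management"):
        return "new_app_or_spn_credential"
    if op in ("Add delegated permission grant", "Add app role assignment to service principal"):
        if MAIL_SCOPES & set(record.get("Scope", "").split()):
            return "mail_permission_granted"
    if op in ("Set federation settings on domain", "Set domain authentication"):
        return "domain_trust_modified"
    if op == "Add member to role" and record.get("Role") in PRIVILEGED_ROLES:
        return "privileged_role_assigned"
    return None

def detect(records):
    """Group triggering records by detection name -> list of (initiator, target)."""
    hits = defaultdict(list)
    for r in records:
        name = classify(r)
        if name:
            hits[name].append((r["InitiatedBy"], r["Target"]))
    return dict(hits)
```

In a real tenant the same grouping by initiator is what lets you spot one account touching several of these controls in a short window, which is far more telling than any single event.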
We also have these and many other useful queries wrapped into this single Workbook you can import into #AzureSentinel for easy use.
https://github.com/Azure/Azure-Sentinel/blob/53fd116195eb5a7a90e6ef6c9726aaa99d7993b2/Workbooks/SolarWindsPostCompromiseHunting.json