Microsoft security researchers continue to investigate and respond to the sophisticated cyberattack known as Solorigate (also referred to as Sunburst by FireEye) involving a supply chain compromise and the subsequent compromise of cloud assets. While the related investigations and impact assessments are ongoing, Microsoft is providing visibility into the attack chains and related threat intelligence to the defender community as early as possible so organizations can identify and take action to stop this attack, understand the potential scope of its impact, and begin the recovery process from this active threat. We have established a resource center that is constantly updated as more information becomes available at https://aka.ms/solorigate.
This blog is a comprehensive guide for security operations and incident response teams applying Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it's found in your environment. The description of the attack in this blog is based on current analysis and investigations by researchers across Microsoft, our partners, and the intelligence community who are actively collaborating to respond to the attack. This is an active threat that continues to evolve, and the findings included here represent what we know at the time of publishing. We continue to publish and update intelligence, indicators, tactics, techniques, and procedures (TTPs), and related details as we discover them. The report from the Microsoft Security Response Center (MSRC) includes the latest analysis of this threat, known indicators of compromise (IOCs), and initial recommended defenses, and will be updated as new data becomes available.
This blog covers:

- The Solorigate attack chain
- Reviewing affected machines and related incidents with Threat analytics
- Detecting and blocking malicious activity on endpoint (Microsoft Defender for Endpoint, Microsoft 365 Defender hunting)
- Detecting hands-on-keyboard activity within on-prem environment (Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft 365 Defender hunting)
- Detecting hands-on-keyboard activity in the cloud environment (Microsoft Cloud App Security, Microsoft 365 Defender hunting)
- Summary of detections and hunting queries across Microsoft 365 Defender
The Solorigate attack is an example of a modern cross-domain compromise. Since these types of attacks span multiple domains, having visibility into the entire scope of the attack is key to stopping and preventing its spread.
This attack features a sophisticated technique involving a software supply chain compromise that allowed attackers to introduce malicious code into signed binaries on the SolarWinds Orion Platform, a popular IT management software. The compromised application gives attackers "free" and easy deployment across a wide range of organizations who use and regularly update the application, with little risk of detection because the signed application and binaries are common and are considered trusted. With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating inside (while others remain an option at any point as long as the backdoor is installed and undetected). Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources through the following steps:
1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using one of two methods:
   - Stealing the SAML signing certificate (Path 1)
   - Adding to or modifying existing federation trust (Path 2)
3. Using attacker-created SAML tokens to access cloud resources and perform activities leading to the exfiltration of emails and persistence in the cloud
This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected. The deeply integrated cross-domain security capabilities in Microsoft 365 Defender can empower organizations and their security operations center (SOC) teams to uncover this attack, scope out the end-to-end breach from endpoint to the cloud, and take action to block and remediate it. This blog will give step-by-step guidance to do this by outlining:

- How indicators of attack show up across endpoints, identity, and the cloud
- How Microsoft 365 Defender automatically combines alerts across these different domains into a comprehensive end-to-end story
- How to leverage the powerful toolset available for deep investigation, hunting, and response to enable SOCs to battle the attackers and evict them from both on-premises and cloud environments
Threat analytics: Understanding and responding to active attacks
As soon as this attack was discovered, Microsoft researchers published two threat analytics reports to help organizations determine if they are affected, assess the impact of the attack, and identify actions to contain it.

- Sophisticated actor attacks FireEye provides information about the FireEye breach and compromised red team tools
- Solorigate supply chain attack provides a detailed analysis of the SolarWinds supply chain compromise
The reports are published in Microsoft 365 security center, accessible to all Microsoft Defender for Endpoint customers and Microsoft 365 Defender early adopters. In addition to detailed descriptions of the attack, TTPs, and indicators of compromise (IoCs), the reports provide real-time data aggregated from signals across Microsoft 365 Defender, indicating the all-up impact of the threat to the organization, as well as details about relevant incidents and alerts to initiate investigation on. These reports continue to be updated as additional information becomes available.
Given the importance of this threat, we are making similar relevant Microsoft threat intelligence data, including the updated list of IOCs, available to everyone publicly. A comprehensive list of the guidance and insights is available at https://aka.ms/solorigate.
We recommend that Microsoft 365 Defender customers start their investigations here. After gaining a deep understanding of the threat and getting the latest research findings, you can take the following recommended steps:

Find machines with the compromised SolarWinds Orion application
The threat analytics report uses insights from threat and vulnerability management to identify devices that have the compromised SolarWinds Orion Platform binaries or are exposed to the attack due to misconfiguration.
From the Vulnerability patching status chart in threat analytics, you can view the mitigation details to see a list of devices with the vulnerability ID TVM-2020-0002, which was added specifically to help with Solorigate investigations:
Figure 3. Threat and vulnerability management data shows data on exposed devices
Threat and vulnerability management provides more information about the vulnerability ID TVM-2020-0002, as well as all relevant applications, via the Software inventory view. There are also multiple security recommendations to address this specific threat, including instructions to update the software versions installed on exposed devices.
Analyze related alerts and incidents
From the threat analytics report, you can quickly locate machines with alerts related to the attack. The Devices with alerts chart identifies machines with malicious components or activities known to be directly related to Solorigate. Click through to get the list of alerts and investigate.
Some Solorigate activities may not be immediately tied to this specific threat but will trigger alerts due to generally suspicious or malicious behaviors. All alerts in Microsoft 365 Defender provided by different Microsoft 365 products are correlated into incidents. Incidents help you see the relationship between detected activities, better understand the end-to-end picture of the attack, and investigate, contain, and remediate the threat in a consolidated manner.
Figure 5. Consolidated Incident view for Solorigate
Some alerts are specially tagged with Microsoft Threat Experts to indicate malicious activities that Microsoft researchers found in customer environments during hunting. As part of the Microsoft Threat Experts service, researchers investigated this attack as it unfolded, hunting for associated attacker behaviors, and sent targeted attack notifications. If you see an alert tagged with Microsoft Threat Experts, we strongly recommend that you give it immediate attention.
Additionally, Microsoft Threat Experts customers with Experts on Demand subscriptions can reach out directly to our on-demand hunters for additional help in understanding the Solorigate threat and the scope of its impact in their environments.
Hunt for related attacker activity
The threat analytics report also provides advanced hunting queries that can help analysts locate additional related or similar activities across endpoint, identity, and cloud. Advanced hunting uses a rich set of data sources, but in response to Solorigate, Microsoft has enabled streaming of Azure Active Directory (Azure AD) audit logs into advanced hunting, available for all customers in public preview. These logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies. Customers who do not have Microsoft Defender for Endpoint or are not early adopters for Microsoft 365 Defender can see our recommended advanced hunting queries.
Currently, this data is available to customers who have Microsoft Cloud App Security with the Office 365 connector. Our intent is to expand availability to more Microsoft 365 Defender customers. The new log data is available in the CloudAppEvents table:

CloudAppEvents
| where Application == "Office 365"
The log data contains activity logs useful for investigating and finding Azure AD-related activities. This data further enriches the CloudAppEvents table, which also has Exchange Online and Microsoft Teams activities.
// Admin consent granted to an application, followed by a different account adding credentials to the same service principal
CloudAppEvents
| where Application == "Office 365"
| where ActionType == "Consent to application."
| where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"
| extend spnID = tostring(RawEventData.Target[3].ID)
| parse RawEventData.ModifiedProperties[4].NewValue with * "=> [[" dummy "Scope: " After "]]" *
| extend PermissionsGranted = split(After, "]", 0)
| project ConsentTime = Timestamp, AccountDisplayName, spnID, PermissionsGranted
| join (
    CloudAppEvents
    | where Application == "Office 365"
    | where ActionType == "Add service principal credentials." or ActionType == "Update application – Certificates and secrets management"
    | extend spnID = tostring(RawEventData.Target[3].ID)
    | project AddSecretTime = Timestamp, AccountDisplayName, spnID
) on spnID
| where ConsentTime < AddSecretTime and AccountDisplayName != AccountDisplayName1

Microsoft 365 Defender advanced hunting can also assist in many of the recommended incident investigation tasks outlined in the blog, Advice for incident responders on recovery from systemic identity compromises.
In the remaining sections, we will discuss select examples of alerts raised by Microsoft 365 solutions that monitor and detect Solorigate activities across the attack chain on endpoint, identity, and the cloud. These are alerts you may encounter when investigating incidents in Microsoft 365 security center if your organization is affected by this threat. We will also indicate activities which are now blocked by Microsoft 365 Defender. Lastly, each section contains examples of hunting queries you will find useful for hunting for various attacker activities in your environment.
Detecting and blocking malware and malicious behavior on endpoints
Detecting and blocking backdoor activity
When the compromised SolarWinds binary SolarWinds.Orion.Core.BusinessLayer.dll gets loaded on a device through normal update channels, the backdoor goes through an extensive list of checks to ensure it's running in an actual enterprise network and not on an analyst's machine. It then contacts a command-and-control (C2) server using a subdomain that is generated partly with information gathered from the affected machine, which means a unique subdomain is generated for each affected domain. The backdoor allows the attackers to remotely run commands on the machine and move to the next stages of the attack. For more information, read our in-depth analysis of the Solorigate malware.
Microsoft Defender for Endpoint delivers comprehensive protection from this threat (see the full list of detection and protection alerts at the end of this blog). Microsoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious DLL and its behaviors. It quarantines the malware, even if the process is running.
Figure 8. Microsoft Defender for Endpoint blocks malicious binaries
If the malicious code is successfully deployed, the backdoor lies dormant for up to two weeks. It then attempts to contact numerous C2 domains, with the primary domain being *.avsvmcloud[.]com. The backdoor uses a domain generation algorithm to evade detection. Microsoft 365 Defender detects and blocks this behavior.
Figure 9. Microsoft Defender for Endpoint prevented malicious C2 callback
Detecting potentially tampered devices
To evade security software and analyst tools, the Solorigate malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them.
The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable. Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors, ranging from hardened OS protection and anti-tampering policies to detections for a variety of tampering attempts, including "Attempt to stop Microsoft Defender for Endpoint sensor", "Tampering with Microsoft Defender for Endpoint sensor settings", or "Possible sensor tampering in memory".
Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting detected activities. However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tamper technique employed might have been successful. The following advanced hunting query can be used to locate devices that should be reporting but aren't:
// Times to be modified as appropriate
let timeAgo = 1d;
let silenceTime = 8h;
// Get all silent machines and IPs from network events
let allNetwork = materialize(
    DeviceNetworkEvents
    | where Timestamp > ago(timeAgo)
        and isnotempty(LocalIP) and isnotempty(RemoteIP)
        and ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
        and LocalIP !in ("127.0.0.1", "::1")
    | project DeviceId, Timestamp, LocalIP, RemoteIP, ReportId);
// Devices that produced any network or process event within the silence window
let nonSilentDevices = allNetwork
    | where Timestamp > ago(silenceTime)
    | union (DeviceProcessEvents | where Timestamp > ago(silenceTime))
    | summarize by DeviceId;
let nonSilentIPs = allNetwork
    | where Timestamp > ago(silenceTime)
    | summarize by LocalIP;
let silentDevices = allNetwork
    | where DeviceId !in (nonSilentDevices) and LocalIP !in (nonSilentIPs)
    | project DeviceId, LocalIP, Timestamp, ReportId;
// Get all remote IPs that were recently active
let addressesDuringSilence = allNetwork
    | where Timestamp > ago(silenceTime)
    | summarize by RemoteIP;
// Potentially disconnected devices were connected but are silent
silentDevices
| where LocalIP in (addressesDuringSilence)
| summarize ReportId = arg_max(Timestamp, ReportId), Timestamp = max(Timestamp), LocalIP = arg_max(Timestamp, LocalIP) by DeviceId
| project DeviceId, ReportId = ReportId1, Timestamp, LocalIP = LocalIP1

Microsoft is continuously developing additional measures to both block and alert on these kinds of tampering activities.
Detecting hands-on-keyboard activity within an on-premises environment
After establishing a backdoor connection on an affected device, the attacker's next goal is to gain off-premises access to the organization's cloud services. To do this, they must find a way to gain permissions to those services. One technique we have seen the attackers use is to go after the organization's Active Directory Federation Services (AD FS) server to obtain the proverbial "keys" to the identity kingdom. AD FS enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries; effectively, it is the "LSASS for the cloud." Among other things, AD FS stores the Security Assertion Markup Language (SAML) token signing certificate, which is used to create authorization tokens for users or services in the organization so they can access cloud applications and resources after authentication.
To attack the AD FS infrastructure, the attackers must first obtain appropriate domain permissions through on-premises intelligence gathering, lateral movement, and credential theft. Building from the backdoor described above, the attackers leverage fileless techniques for privilege escalation, persistence, and lateral movement, including evading analysis by using system binaries and reconnaissance tools that masquerade as other benign binaries. The attackers also carefully chose organization-specific command-and-control (C2) domains and use custom organization-specific tool naming and locations.
Microsoft Defender for Endpoint detects a wide array of these attack techniques, allowing SOC teams to track the attacker's activities in the environment and take action to contain the attack. The following sections cover detections for the techniques used by the attackers to compromise the AD FS infrastructure.
Identifying attacker reconnaissance
Attackers collect data from Active Directory using a renamed version of the utility ADFind, running queries against Domain Controllers as part of the reconnaissance stage of the attack. Microsoft Defender for Endpoint detects this behavior and allows the SOC analyst to track compromised devices at this stage to gain visibility into the information the attacker is looking for.
Figure 12. Microsoft Defender for Endpoint detects usage of masquerading reconnaissance tools
Figure 13. Microsoft Defender for Endpoint detects usage of an LDAP query for reconnaissance.
Stopping lateral movement and credential theft
To gain access to a highly privileged account needed for later steps in the kill chain, the attackers move laterally between devices and dump credentials until an account with the needed privileges is compromised, all while remaining as stealthy as possible.
A variety of credential theft techniques, such as dumping LSASS memory, are detected and blocked by Microsoft Defender for Endpoint. The example below shows the detection of lateral movement using Windows Management Instrumentation (WMI) to run the attacker's payload using the Rundll32.exe process.
Figure 14. Microsoft Defender for Endpoint alert for suspicious remote WMI execution highlighting the attacker’s device and payload
Microsoft Defender for Identity also detects and raises alerts on a variety of credential theft techniques. In addition to watching for alerts, security analysts can hunt across identity data in Microsoft 365 Defender for signs of identity compromise. Here are a couple of example Microsoft Defender for Identity queries looking for such patterns:
Enumeration of high-value DC assets followed by logon attempts to validate stolen credentials in time proximity
let MaxTime = 1d;
let MinNumberLogon = 5;
// devices attempting enumeration of high-value DC
IdentityQueryEvents
| where Timestamp > ago(30d)
| where Application == "Active Directory"
| where QueryTarget in ("Read-only Domain Controllers") // high-value RODC assets
| project Timestamp, Protocol, Query, DeviceName, AccountUpn
| join kind=innerunique (
    // devices trying to logon MaxTime after enumeration
    IdentityLogonEvents
    | where Timestamp > ago(30d)
    | where ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, DeviceName, DestinationDeviceName
) on DeviceName
| where LogonTime between (Timestamp .. (Timestamp + MaxTime))
| summarize n = dcount(DestinationDeviceName), TargetedDC = make_set(DestinationDeviceName) by Timestamp, Protocol, DeviceName
| where n >= MinNumberLogon
High-volume of LDAP queries in short time filtering for non-DC devices
let Threshold = 12;
let BinTime = 1m;
// approximate list of DC
let listDC = IdentityDirectoryEvents
    | where Application == "Active Directory"
    | where ActionType == "Directory Services replication"
    | summarize by DestinationDeviceName;
IdentityQueryEvents
| where Timestamp > ago(30d)
// filter out LDAP traffic across DC
| where DeviceName !in (listDC)
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object: " BaseObject ", Search Filter: " SearchFilter
| summarize NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold

At this point, SOC teams can take containment measures within the Microsoft 365 security center, for example, using indicators to isolate the devices involved and block the remotely executed payload across the environment, as well as marking suspect users as compromised.
Detecting and remediating persistence
Microsoft Defender for Endpoint also detects the advanced defense evasion and masquerading techniques used by the attackers to make their actions look as close to normal as possible, such as binding a WMI event filter with a logical consumer to remain persistent. Follow the recommended actions in the alert to remove persistence and prevent the attacker's payload from loading after reboot.
Figure 15. Microsoft Defender for Endpoint alert for WMI event filter bound to a suspicious consumer showing the persistence and the scheduled command line
Detecting AD FS compromise and the attacker's ability to impersonate users in the cloud
The next step in the attack focuses on the AD FS infrastructure and can unfold in two separate paths that lead to the same outcome, the ability to create valid SAML tokens allowing impersonation of users in the cloud:

Path 1 - Stealing the SAML signing certificate: After gaining administrative privileges in the organization's on-premises network, and with access to the AD FS server itself, the attackers access and extract the SAML signing certificate. With this signing certificate, the attackers create valid SAML tokens to access various desired cloud resources as the identity of their choosing.

Path 2 - Adding to or modifying existing federation trust: After gaining administrative Azure Active Directory (Azure AD) privileges using compromised credentials, the attackers add their own certificate as a trusted entity in the domain either by adding a new federation trust to an existing tenant or modifying the properties of an existing federation trust. As a result, any SAML token they create and sign will be valid for the identity of their choosing.

In the first path, acquiring the SAML signing certificate usually involves first querying the private encryption key that is currently in the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services.
Microsoft Defender for Endpoint and Microsoft Defender for Identity detect the actions that attackers take to steal the encryption key needed to decrypt the SAML signing certificate. Both solutions leverage unique LDAP telemetry to raise high-severity alerts highlighting the attacker's progress towards creating illicit SAML tokens.
Figure 16. Microsoft Defender for Endpoint detects a suspicious LDAP query being launched and an attempted AD FS private key extraction
Figure 17. Microsoft Defender for Identity detects private key extraction via malicious LDAP requests
For the second path, the attackers create their own SAML signing certificate outside of the organization's environment. With Azure AD administrative permissions, they then add the new certificate as a trusted object. The following advanced hunting query over Azure AD audit logs shows when domain federation settings are changed, helping to discover where the attackers configured the domain to accept authorization tokens signed by their own signing certificate. As these are rare actions, we advise verifying that any instances identified are the result of legitimate administrative activity.

let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = targetDetails.Name
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| project Timestamp, ActionType, InitiatingUserOrApp = AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress = IPAddress, UserAgent
If the SAML signing certificate is confirmed to be compromised or the attacker has added a new one, follow the best practices for invalidating through credential rotation to prevent further use and creation of SAML tokens by the attacker. Additionally, affected AD FS servers may need to be isolated and remediated to ensure no remaining attacker control or persistence.
If the attackers accomplish either path, they gain the ability to create illicit SAML tokens for the identities of their choosing and bypass multifactor authentication (MFA), since the service or application accepting the token assumes MFA is a necessary previous step in creating a properly signed token. To prevent attackers from progressing to the next stage, which is to access cloud resources, the attack should be detected and remediated at this stage.
Detecting hands-on-keyboard activity in the cloud environment
With the ability to create illicit SAML tokens, the attackers can access sensitive data without having to originate from a compromised machine or be confined to on-premises persistence. By abusing API access via existing OAuth applications or service principals, they can attempt to blend into the normal pattern of activity, most notably apps or service principals with existing Mail.Read or Mail.ReadWrite permissions to read email content via Microsoft Graph from Exchange Online. If the application does not already have read permissions for emails, then the app may be modified to grant those permissions.
Identifying unusual addition of credentials to an OAuth app
Microsoft Cloud App Security (MCAS) has added new automatic detection of unusual credential additions to an OAuth application to alert SOCs about apps that have been compromised to extract data from the organization. This detection logic is built on an anomaly detection engine that learns from each user in the environment, filtering out normal usage patterns to ensure alerts highlight real attacks and not false positives. If you see this alert in your environment and confirm malicious activity, you should take immediate action to suspend the user, mark the user as compromised, reset the user's password, and remove existing credential additions. You should also consider disabling the application during investigation and remediation.
SOCs can use the following Microsoft 365 Defender advanced hunting query over Azure AD audit logs to examine when new credentials have been added to a service principal or application. In general, credential modifications may be rare depending on the type and use of the service principal or application. SOCs should confirm unusual modifications with their respective owners to ensure they are the result of legitimate administrative actions.

let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType in ("Add service principal.", "Add service principal credentials.", "Update application – Certificates and secrets management")
| extend RawEventData = parse_json(RawEventData)
| where RawEventData.ResultStatus =~ "success"
| where AccountDisplayName has "@"
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetId = targetDetails.Id
| extend targetType = targetDetails.Type
| extend targetDisplayName = targetDetails.Name
| extend keyEvents = RawEventData.ModifiedProperties
| where keyEvents has "KeyIdentifier=" and keyEvents has "KeyUsage=Verify"
| mv-expand keyEvents
| where keyEvents.Name =~ "KeyDescription"
| parse keyEvents.NewValue with * "KeyIdentifier=" keyIdentifier:string ",KeyType=" keyType:string ",KeyUsage=" keyUsage:string ",DisplayName=" keyDisplayName:string "]" *
| parse keyEvents.OldValue with * "KeyIdentifier=" keyIdentifierOld:string ",KeyType" *
| where keyEvents.OldValue == "" or keyIdentifier != keyIdentifierOld
| where keyUsage == "Verify"
| project-away keyEvents
| project Timestamp, ActionType, InitiatingUserOrApp = AccountDisplayName, InitiatingIPAddress = IPAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier
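Added example (not the blog's or Microsoft's code): the OldValue/NewValue comparison that the query above performs with the KQL parse operator, done in Python against a constructed audit record so the logic can be checked offline. The record shape follows the fields the query reads; the account, IP and key identifiers are placeholders.

```python
"""Diff the KeyDescription modified property of an Azure AD audit record to find
credentials newly added to an application or service principal. Added example,
not the blog's code: it mirrors in Python the KQL `parse` of OldValue/NewValue
in the hunting query above, so the logic can be tested offline. The record
below is constructed; identifiers are placeholders."""
import re
from typing import Dict, List

# Each credential is one "[KeyIdentifier=...,KeyType=...,KeyUsage=...,DisplayName=...]"
# group; NewValue/OldValue hold a JSON-array-like string of such groups.
_KEY_RE = re.compile(r"\[(KeyIdentifier=[^\]]*)\]")


def parse_key_descriptions(value: str) -> Dict[str, Dict[str, str]]:
    """Return {KeyIdentifier: {field: value}} for every credential in the value.
    An empty value (OldValue on a brand-new principal) yields an empty dict.
    Assumes no field value contains a comma, as the KQL parse does."""
    keys: Dict[str, Dict[str, str]] = {}
    for group in _KEY_RE.findall(value or ""):
        fields = {}
        for part in group.split(","):
            name, _, val = part.partition("=")  # DisplayName=CN=... keeps its inner '='
            fields[name.strip()] = val.strip()
        keys[fields["KeyIdentifier"]] = fields
    return keys


def added_verify_keys(old_value: str, new_value: str) -> List[Dict[str, str]]:
    """Credentials present in NewValue but absent from OldValue with KeyUsage=Verify,
    i.e. a certificate or secret the holder can now authenticate with as the app."""
    before = parse_key_descriptions(old_value)
    after = parse_key_descriptions(new_value)
    return [f for key_id, f in after.items()
            if key_id not in before and f.get("KeyUsage") == "Verify"]


def credentials_added(event: dict) -> List[Dict[str, str]]:
    """Apply the query's filters to one CloudAppEvents-like record and diff its
    KeyDescription property: successful result, human initiator ('@' in name)."""
    raw = event.get("RawEventData", {})
    if str(raw.get("ResultStatus", "")).lower() != "success":
        return []
    if "@" not in event.get("AccountDisplayName", ""):
        return []
    added: List[Dict[str, str]] = []
    for prop in raw.get("ModifiedProperties", []):
        if str(prop.get("Name", "")).lower() == "keydescription":
            added.extend(added_verify_keys(prop.get("OldValue", ""), prop.get("NewValue", "")))
    return added


OLD_VALUE = ('["[KeyIdentifier=11111111-1111-1111-1111-111111111111,KeyType=AsymmetricX509Cert,'
             'KeyUsage=Verify,DisplayName=CN=existing-cert]"]')
NEW_VALUE = ('["[KeyIdentifier=11111111-1111-1111-1111-111111111111,KeyType=AsymmetricX509Cert,'
             'KeyUsage=Verify,DisplayName=CN=existing-cert]","[KeyIdentifier=22222222-2222-2222-2222-'
             '222222222222,KeyType=Password,KeyUsage=Verify,DisplayName=added-secret]"]')

# Constructed record shaped like a CloudAppEvents row for "Add service principal credentials."
SAMPLE_EVENT = {
    "Timestamp": "2020-12-18T03:12:45Z",
    "ActionType": "Add service principal credentials.",
    "AccountDisplayName": "admin@contoso.example",
    "IPAddress": "203.0.113.10",
    "RawEventData": {
        "ResultStatus": "Success",
        "ModifiedProperties": [{"Name": "KeyDescription", "OldValue": OLD_VALUE, "NewValue": NEW_VALUE}],
    },
}


if __name__ == "__main__":
    for key in credentials_added(SAMPLE_EVENT):
        print(f"{SAMPLE_EVENT['AccountDisplayName']} added {key['KeyType']} "
              f"{key['KeyIdentifier']} ({key['DisplayName']})")
```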
Detecting malicious access to mail items
OAuth applications or service principals with Mail.Read or Mail.ReadWrite permissions can read email content from Exchange Online via the Microsoft Graph. To help increase visibility on these behaviors, the MailItemsAccessed action is now available via the new Exchange mailbox advanced audit functionality. See if this feature is enabled by default for you. Important note for customers: if you have customized the list of audit events you are collecting, you may need to manually enable this telemetry.
If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online stops producing auditing records for MailItemsAccessed activity for 24 hours and then resumes logging after this period. This throttling behavior is a good starting point for SOCs to discover potentially compromised mailboxes.
let starttime = 2d;
let endtime = 1d;
CloudAppEvents
| where Timestamp between (startofday(ago(starttime)) .. startofday(ago(endtime)))
| where ActionType == "MailItemsAccessed"
| where isnotempty(RawEventData['ClientAppId']) and RawEventData['OperationProperties'][1] has "True"
| project Timestamp, RawEventData['OrganizationId'], AccountObjectId, UserAgent

In addition to looking for throttled telemetry, you can also hunt for OAuth applications reading mail via the Microsoft Graph API whose behavior has changed compared to a baseline period.

// Look for OAuth App reading mail via GraphAPI -- that did not read mail via graph API in prior week
let appMailReadActivity = (timeframeStart:datetime, timeframeEnd:datetime) {
    CloudAppEvents
    | where Timestamp between (timeframeStart .. timeframeEnd)
    | where ActionType == "MailItemsAccessed"
    | extend OAuthAppId = tostring(RawEventData['ClientAppId'])
    | summarize by OAuthAppId
};
appMailReadActivity(ago(1d), now()) // detection period
| join kind=leftanti appMailReadActivity(ago(7d), ago(2d)) // baseline period
    on OAuthAppId
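Added example, not the blog's code: Python versions of the two mail-access checks above (mailboxes whose MailItemsAccessed logging was throttled, and OAuth apps that read mail in the detection window but not in the baseline window) run over constructed CloudAppEvents-like records. The OperationProperties entry named IsThrottled is an assumption about which flag the throttling query's has "True" test inspects.

```python
"""Offline versions of the two MailItemsAccessed checks: throttled mailboxes and
OAuth apps that read mail in the detection window but not in the baseline window.
Added example, not the blog's code. Record shape follows the CloudAppEvents columns
the queries use; the OperationProperties entry named "IsThrottled" is assumed to be
the flag the throttling query's `has "True"` test inspects."""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Set


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2020-12-18T02:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _in_window(event: dict, start: datetime, end: datetime) -> bool:
    """True when start <= Timestamp < end (half-open, like a KQL time bin)."""
    return start <= _ts(event["Timestamp"]) < end


def _mail_access(events: Iterable[dict], start: datetime, end: datetime):
    """MailItemsAccessed records in the window that carry an app (ClientAppId)."""
    return [
        e for e in events
        if e.get("ActionType") == "MailItemsAccessed"
        and _in_window(e, start, end)
        and e.get("RawEventData", {}).get("ClientAppId")
    ]


def is_throttled(event: dict) -> bool:
    """True when Exchange marked the record as throttled (IsThrottled=True)."""
    props = event.get("RawEventData", {}).get("OperationProperties", [])
    return any(p.get("Name") == "IsThrottled" and str(p.get("Value")).lower() == "true"
               for p in props)


def throttled_mailboxes(events, start, end) -> Set[str]:
    """AccountObjectIds with a throttled record in the window: Exchange throttles
    after >1,000 MailItemsAccessed records in 24h, so each is a bulk-read candidate."""
    return {e["AccountObjectId"] for e in _mail_access(events, start, end) if is_throttled(e)}


def mail_reading_apps(events, start, end) -> Set[str]:
    """ClientAppIds (OAuth app ids) that accessed mail items in the window."""
    return {e["RawEventData"]["ClientAppId"] for e in _mail_access(events, start, end)}


def new_mail_reading_apps(events, now: datetime) -> Set[str]:
    """Apps reading mail in [now-1d, now) but not in the baseline [now-7d, now-2d).
    The day between the windows is skipped, as in the leftanti-join query."""
    events = list(events)
    detection = mail_reading_apps(events, now - timedelta(days=1), now)
    baseline = mail_reading_apps(events, now - timedelta(days=7), now - timedelta(days=2))
    return detection - baseline


def _event(ts, app_id, account, throttled=False, action="MailItemsAccessed"):
    """Build one constructed CloudAppEvents-like record (not real telemetry)."""
    return {
        "Timestamp": ts,
        "ActionType": action,
        "AccountObjectId": account,
        "RawEventData": {
            "ClientAppId": app_id,
            "OperationProperties": [
                {"Name": "MailAccessType", "Value": "Bind"},
                {"Name": "IsThrottled", "Value": "True" if throttled else "False"},
            ],
        },
    }


NOW = datetime(2020, 12, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed records; app and user ids are placeholders
    _event("2020-12-13T10:00:00Z", "app-known-0001", "user-a"),                  # baseline
    _event("2020-12-16T05:00:00Z", "app-known-0001", "user-c", throttled=True),  # baseline, throttled
    _event("2020-12-17T00:30:00Z", "app-gap-0003", "user-a"),                    # skipped day
    _event("2020-12-17T20:00:00Z", "app-known-0001", "user-a"),                  # detection
    _event("2020-12-18T02:00:00Z", "app-new-0002", "user-b", throttled=True),    # detection, new app
    _event("2020-12-18T03:00:00Z", "app-new-0002", "user-b", action="MailboxLogin"),  # ignored
]


def run_sample() -> dict:
    """Run both checks over the constructed records, mirroring the queries' windows."""
    return {
        "new_apps": new_mail_reading_apps(SAMPLE_EVENTS, NOW),
        "throttled_last_day": throttled_mailboxes(SAMPLE_EVENTS, NOW - timedelta(days=1), NOW),
        # startofday(ago(2d)) .. startofday(ago(1d)) when NOW is 12:00 UTC
        "throttled_day_before": throttled_mailboxes(
            SAMPLE_EVENTS, NOW - timedelta(days=2, hours=12), NOW - timedelta(days=1, hours=12)),
    }


if __name__ == "__main__":
    print(run_sample())
```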
Like the rest of the security industry, Microsoft continues to track the Solorigate attack, an active threat that continues to unfold as well as evolve. As part of empowering our customers and the larger security community to respond to this attack through sharing intelligence and providing advice, this blog serves to guide Microsoft 365 customers to take full advantage of the comprehensive visibility and the rich investigation tools available in Microsoft 365 Defender. This blog shows that many of the existing capabilities in Microsoft 365 Defender help address this attack, but the unique scenarios created by the threat resulted in some Solorigate-specific detections and other innovative protections, including ones that are made possible by deeply integrated cross-domain threat defense.
For additional information and further guidance, refer to these Microsoft resources:

- Customer guidance on recent nation-state cyber attacks
- Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack
- SolarWinds post-compromise hunting with Azure Sentinel
- Advice for incident responders on recovery from systemic identity compromises
Microsoft will continue to provide public information about the patterns and techniques of this attack and associated intelligence for customers to defend themselves, in addition to enhancing the protection capabilities of Microsoft security solutions.
Appendix: Additional details for detection and hunting

Detection details
Initial access
Microsoft Defender for Endpoint:

Execution and persistence
Microsoft Defender for Endpoint:
- 'Solorigate' high-severity malware was detected/blocked/prevented (Trojan:Win64/Cobaltstrike.RN!dha, Trojan:PowerShell/Solorigate.H!dha)
- Suspicious process launch by Rundll32.exe
- Use of living-off-the-land binary to run malicious code
- A WMI event filter was bound to a suspicious event consumer

Defense evasion
Microsoft Defender for Endpoint:
- Suspicious audit policy tampering

Reconnaissance
Microsoft Defender for Endpoint:
- Masquerading Active Directory reconnaissance tool
- Suspicious sequence of exploration activities
- Execution of suspicious known LDAP query fragments

Credential access
Microsoft Defender for Endpoint:
- Suspicious access to LSASS (credential access)
- AD FS private key extraction attempt
- Possible attempt to access ADFS key material
- Suspicious ADFS adapter process created

Microsoft Defender for Identity:
- Unusual addition of permissions to an OAuth app
- Active Directory attributes Reconnaissance using LDAP
- Unusual addition of credentials to an OAuth app

Lateral movement
Microsoft Defender for Endpoint:
- Suspicious file creation initiated remotely (lateral movement)
- Suspicious Remote WMI Execution (lateral movement)

Exfiltration
Microsoft Defender for Endpoint:
- Suspicious mailbox export or access modification
- Suspicious archive creation
Advanced hunting queries
Attack stage | Query link in GitHub repo

Initial access
Microsoft Defender for Endpoint:

Execution
Microsoft Defender for Endpoint:
- SolarWinds processes launching PowerShell with Base64
- SolarWinds process launching CMD with echo
- ADFS adapter process spawning:

// Child processes of the AD FS service host other than the expected nameId-bearing command lines
DeviceProcessEvents
| where InitiatingProcessFileName =~ "Microsoft.IdentityServer.ServiceHost.exe"
| where FileName in~ ("werfault.exe", "csc.exe")
| where ProcessCommandLine !contains ("nameId")

- Credentials added to AAD app after admin consent
- New access credential added to application or service principal
- Domain federation trust settings modified
- Add uncommon credential type to application
- Service Principal Added To Role
The post Using Microsoft 365 Defender to protect against Solorigate appeared first on Microsoft Security.