{"id":90419,"date":"2020-01-07T09:00:53","date_gmt":"2020-01-07T17:00:53","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90419"},"modified":"2023-09-26T08:39:16","modified_gmt":"2023-09-26T15:39:16","slug":"threat-hunting-azure-advanced-threat-protection","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/01\/07\/threat-hunting-azure-advanced-threat-protection\/","title":{"rendered":"Threat hunting in Azure Advanced Threat Protection (ATP)"},"content":{"rendered":"

As members of Microsoft’s Detection and Response Team (DART), we’ve seen a significant increase in adversaries “living off the land” and using compromised account credentials for malicious purposes. From an investigation standpoint, tracking adversaries using this method is quite difficult, as you need to sift through the data to determine whether the activities are being performed by the legitimate user or a bad actor. Credentials can be harvested in numerous ways, including phishing campaigns, Mimikatz, and key loggers.

Recently, DART was called into an engagement where the adversary had a foothold within the on-premises network, which had been gained through compromising cloud credentials. Once the adversary had the credentials, they began their reconnaissance on the network by searching for documents about VPN remote access and other access methods stored on a user’s SharePoint and OneDrive. After the adversary was able to access the network through the company’s VPN, they moved laterally throughout the environment using legitimate user credentials harvested during a phishing campaign.

Once our team was able to determine the initially compromised accounts, we were able to begin the process of tracking the adversary within the on-premises systems. Looking at the initial VPN logs, we identified the starting point for our investigation. Typically, in this kind of investigation, your team would need to dive deeper into individual machine event logs, looking for remote access activities and movements, as well as looking at any domain controller logs that could help highlight the credentials used by the attacker(s).

Luckily for us, this customer had deployed Azure Advanced Threat Protection (ATP) prior to the incident. By having Azure ATP operational prior to an incident, the software had already normalized authentication and identity transactions within the customer network. DART began querying the suspected compromised credentials within Azure ATP, which provided us with a broad swath of authentication-related activities on the network and helped us build an initial timeline of events and activities performed by the adversary, including: