Microsoft Detection and Response Team (DART) AMA
Tuesday, Mar 15, 2022, 09:00 AM PDT
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART: Our job is to respond to compromises and help our customers become cyber-resilient. This is al...
Trevor_Rusher
Updated Feb 16, 2022
Jerad_Rodgers
Mar 15, 2022
Copper Contributor
We recently discovered that a compromised account created an Azure Virtual Machine. We were not able to see the subscription in our tenant. How would you handle the incident response for this? How often has something like this been seen in the wild?
Petitohead
Microsoft
Mar 15, 2022
In some cases, there could be subscriptions that cannot be seen by Global Administrators. Therefore, they must elevate their access to be able to see and manage those subscriptions, which may explain why you couldn't see it. Here is a good overview: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin.
This is a common tactic that we've seen. With those credentials they typically create a very expensive VM for coin mining, leaving you to foot the bill, or use that as a launching point for other attacks.
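As an added example (not code from the thread or from DART), a small Python triage helper for the situation above: it takes Activity Log records in the shape returned by `az monitor activity-log list -o json`, keeps the successful VM writes made by the compromised account, and reports which of the subscriptions they landed in are not yet visible to the admins, i.e. the ones to elevate into (per the linked doc) and review. The records, GUIDs, names and accounts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `az monitor activity-log list -o json` output;
# GUIDs, names and the caller are made up for this example.
SAMPLE_ACTIVITY_LOG = [
    {"caller": "compromised.user@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                   "/resourceGroups/rg-x/providers/Microsoft.Compute/virtualMachines/vm-gpu-01"},
    {"caller": "compromised.user@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Failed"},   # rejected write: no live VM resulted
     "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                   "/resourceGroups/rg-x/providers/Microsoft.Compute/virtualMachines/vm-gpu-02"},
    {"caller": "it.admin@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/22222222-2222-2222-2222-222222222222"
                   "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"},
]
# Subscriptions the tenant admins can see today (constructed).
VISIBLE_SUBSCRIPTIONS = {"22222222-2222-2222-2222-222222222222"}

VM_WRITE = "Microsoft.Compute/virtualMachines/write"  # fires on create and update
SUB_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})/", re.I)

def vm_writes_by(records, caller):
    """Map subscription id -> VM names the caller successfully wrote."""
    hits = defaultdict(list)
    for r in records:
        if (r.get("caller", "").lower() == caller.lower()
                and r.get("operationName", {}).get("value") == VM_WRITE
                and r.get("status", {}).get("value") == "Succeeded"):
            m = SUB_RE.match(r.get("resourceId", ""))
            if m:  # take the subscription from the resource path itself
                hits[m.group(1).lower()].append(r["resourceId"].rsplit("/", 1)[-1])
    return dict(hits)

def hidden_subscriptions(hits, visible):
    """Subscriptions holding those VMs that the admins cannot currently see."""
    visible = {s.lower() for s in visible}
    return sorted(s for s in hits if s not in visible)

if __name__ == "__main__":
    found = vm_writes_by(SAMPLE_ACTIVITY_LOG, "compromised.user@contoso.example")
    print("VMs written by the account:", found)
    print("elevate access, then review:", hidden_subscriptions(found, VISIBLE_SUBSCRIPTIONS))
```

Because `virtualMachines/write` also covers updates to existing VMs, confirm creation against the resource's first-seen timestamp before treating a hit as a newly created machine.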