Lateral movement path enhancement

Microsoft

Yes, more new features! 


In an effort to continue to improve and enhance your experience using Azure ATP, major improvements were made to Azure ATP Lateral Movement Path (LMP).

Effective from V2.5.6 (11/25/2018), Azure ATP provides:

  • Saved, searchable LMP history.
  • On the Activities tab, an indication when a new potential LMP is identified.
  • Security alert evidence lists that name the related entities involved in each potential lateral movement path.


Learn more about investigations using lateral movement paths.


As always, your feedback is welcome!


More details:


Every computer or user profile discovered by Azure ATP to be in an LMP has a Lateral movement paths tab. Computers and profiles with no tab have never been discovered within a potential LMP. Each time the tab is clicked, Azure ATP displays the most recently discovered LMP. Each potential LMP is displayed for 48 hours following discovery. LMP history is available: view older LMPs that were discovered in the past by clicking View a different date.


[Image: LMP1.png]

V2.5.6 of Azure ATP adds two additional LMP capabilities: discover when potential LMPs were identified, and where, meaning which related entities are potentially involved.


When

From the Activities tab, we’ve added an indication when a new potential LMP was identified:

  • Sensitive users – when a new path was identified to a sensitive user.

[Image: LMP2.png]

  • Non-sensitive users and computers – when this entity was identified in a potential LMP leading to a sensitive user.

[Image: LMP3.png]

Where

LMP can now directly assist with your investigation process. Azure ATP security alert evidence lists provide the related entities that are involved in each potential lateral movement path. The evidence lists directly help your security response team increase or reduce the importance of the security alert and/or the investigation of the related entities. For example, when a Pass the Ticket alert is issued, the source computer, the compromised user, and the destination computer from which the stolen ticket was used are all part of the potential lateral movement path leading to a sensitive user. The existence of the detected LMP makes investigating the alert and watching the suspected user even more important, to prevent your adversary from making additional lateral moves. Trackable evidence is provided in LMPs to make it easier and faster for you to prevent attackers from moving forward in your network.
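To make the triage idea concrete, here is an added Python illustration of the reasoning described above. It is not Azure ATP code and does not reflect Azure ATP's internal logic: every user, computer, logon session, admin-rights entry and alert is constructed, and the two graph rules it uses (local admin rights give reach to a host; a logon session exposes that user's credentials on the host) are a simplifying assumption. It computes potential paths to a sensitive user and then shows how an alert's evidence entities (the Pass the Ticket example: source computer, compromised user, destination computer) raise the alert's priority when they sit on such a path.

```python
"""Toy model of LMP-based alert triage (added illustration, not Azure ATP code).

All entities, sessions, admin-rights entries and alerts below are constructed.
The graph rules are an assumption for illustration only.
"""
from collections import deque

# Constructed directory state (hypothetical names).
SENSITIVE_USERS = {"admin-jane"}

# (user, computer): the user has a logon session on the computer.
SESSIONS = [
    ("bob", "WS01"),
    ("alice", "WS02"),
    ("admin-jane", "SRV01"),
]

# (user, computer): the user holds local administrator rights on the computer.
LOCAL_ADMINS = [
    ("bob", "WS02"),
    ("alice", "SRV01"),
]


def build_graph(sessions, local_admins):
    """Directed graph of 'control of X gives access to Y' edges.

    user --(admin rights)--> computer
    computer --(logon session)--> user whose credentials are on it
    """
    graph = {}
    for user, computer in local_admins:
        graph.setdefault(user, set()).add(computer)
    for user, computer in sessions:
        graph.setdefault(computer, set()).add(user)
    return graph


def shortest_path_to_sensitive(graph, start, sensitive_users):
    """BFS from `start`; return the entity list of the first path that ends
    in a sensitive user, or None when no such path exists."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in sensitive_users and node != start:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def find_lmps(sessions, local_admins, sensitive_users):
    """Potential LMPs: one shortest path per non-sensitive user that can
    reach a sensitive user, ordered by the starting user's name."""
    graph = build_graph(sessions, local_admins)
    users = {u for u, _ in sessions} | {u for u, _ in local_admins}
    lmps = []
    for user in sorted(users - set(sensitive_users)):
        path = shortest_path_to_sensitive(graph, user, sensitive_users)
        if path:
            lmps.append(path)
    return lmps


def triage_alert(alert, lmps):
    """Raise an alert's priority when any of its entities sits on a
    potential LMP to a sensitive user.

    Returns (priority, entities_on_lmp) so the responder sees both the
    decision and the evidence behind it.
    """
    involved = set(alert["entities"])
    on_lmp = set()
    for path in lmps:
        on_lmp |= involved & set(path)
    priority = "high" if on_lmp else alert["base_priority"]
    return priority, sorted(on_lmp)


# Constructed alert mirroring the Pass the Ticket example: source computer,
# compromised user, and the destination computer the ticket was used on.
PTT_ALERT = {
    "name": "Pass the Ticket",
    "base_priority": "medium",
    "entities": ["WS01", "bob", "WS02"],
}

if __name__ == "__main__":
    paths = find_lmps(SESSIONS, LOCAL_ADMINS, SENSITIVE_USERS)
    for p in paths:
        print(" -> ".join(p))
    print(triage_alert(PTT_ALERT, paths))
```

In the constructed data, bob's admin rights on WS02 expose alice's session there, and alice's admin rights on SRV01 expose admin-jane's credentials, so the Pass the Ticket alert's entities bob and WS02 both lie on a path to a sensitive user and the alert is escalated; an alert whose entities touch no such path keeps its base priority.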


[Image: LMPevidence.png]

1 Reply
Nice to see that there is more focus on the essential stuff!

Thanks