We’ve written in the past about how Azure Security Center helps detect malicious activity on compromised VMs, including a post detailing a Bitcoin mining attack and one on an outbound DDoS attack. In many cases, attackers use a set of malicious tools to carry out these and other actions on a compromised machine. However, our team of security researchers has identified a new trend: attackers are using legitimate applications to carry out malicious actions. This blog will discuss the use of known hacker tools, as well as tools that are not nefarious in nature but are being used maliciously, and how Azure Security Center aids in detecting their use.
Generally, the first category of tools we see after a brute force attack is port and IP address scanning tools. Most of these tools were not written maliciously, but because of their ease of use, an attacker can scan IP ranges and ports to find vulnerable machines to target.
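As an added illustration of how scanning activity from a compromised VM shows up in network telemetry (this is example code, not from the original post or from Azure Security Center), the detector below reads constructed flow records and flags a source that reaches many hosts on one port, or many ports on one host, inside a short window. The record format, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (timestamp, src IP, dst IP, dst port); not taken
# from any real flow log. 10.0.0.4 plays the compromised VM sweeping port 445.
SAMPLE_FLOWS = """\
2018-03-01T10:00:00Z 10.0.0.4 10.0.1.1 445
2018-03-01T10:00:00Z 10.0.0.4 10.0.1.2 445
2018-03-01T10:00:01Z 10.0.0.4 10.0.1.3 445
2018-03-01T10:00:01Z 10.0.0.4 10.0.1.4 445
2018-03-01T10:00:02Z 10.0.0.4 10.0.1.5 445
2018-03-01T10:00:02Z 10.0.0.4 10.0.1.6 445
2018-03-01T10:00:03Z 10.0.0.4 10.0.1.7 445
2018-03-01T10:00:03Z 10.0.0.4 10.0.1.8 445
2018-03-01T10:00:04Z 10.0.0.4 10.0.1.9 445
2018-03-01T10:00:05Z 10.0.0.7 10.0.1.1 443
2018-03-01T10:05:00Z 10.0.0.7 10.0.1.1 443
"""

def parse_flows(text):
    """Parse one record per line into sorted (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return sorted(flows)

def detect_scans(flows, window_s=10, host_threshold=8, port_threshold=8):
    """Return {src: kind} for sources whose distinct destinations inside a sliding
    time window look like a host sweep (many hosts, one port) or a port scan
    (many ports on one host). Thresholds are assumed values, not ASC's."""
    recent = defaultdict(deque)  # per-source records still inside the window
    alerts = {}
    for ts, src, dst, port in flows:
        q = recent[src]
        q.append((ts, dst, port))
        while ts - q[0][0] > timedelta(seconds=window_s):  # expire old records
            q.popleft()
        if len({d for _, d, _ in q}) >= host_threshold:
            alerts[src] = "host sweep"
        ports_per_host = defaultdict(set)
        for _, d, p in q:
            ports_per_host[d].add(p)
        if max(len(s) for s in ports_per_host.values()) >= port_threshold:
            alerts[src] = "port scan"
    return alerts
```

Tuning the window and thresholds against a baseline of normal east-west traffic is what keeps a detector like this from alerting on legitimate monitoring or backup hosts.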