In honor of National Cybersecurity Awareness Month (NCSAM), we have a new post in our series highlighting real-world attacks that Azure Security Center helped detect, investigate, and mitigate. This post is about an attack which used PowerShell to run malicious code and collect user credentials. But before we jump in, here’s a recap of other blog posts in our series where Security Center detected a:

• SQL Brute Force attack
• Bitcoin mining attack
• DDoS attack using cyber threat intelligence
• Good applications being used maliciously

In this post, we’ll walk through another interesting real-world attack scenario which was detected by Azure Security Center and investigated by our team. Names of the affected company, all computer names, and all usernames have been changed to protect privacy. This particular attack employed the use of PowerShell to run malicious code in-memory with the goal of collecting credential information through password stealing, keystroke logging, clipboard scraping, and screen captures. We’ll map out the stages of the compromise which began with an RDP Force attack and resulted in the setup and configuration of persistent auto-starts (ASEP) in the registry. This case study provides insights into the dynamics of the attack and recommendations on how to detect and prevent similar attacks in your environment.

Read about it in the Azure blog.