A BlackByte Ransomware intrusion case study
Introduction

As ransomware attacks grow in number and sophistication every year, threat actors can quickly impact business operations if organizations are not well prepared. In this blog, we detail an investigation into a ransomware event. During this intrusion the threat actor progressed through the full attack chain, from initial access through to impact, in less than five days, causing significant business disruption for the victim organization.

During the investigation, the Microsoft Incident Response team (formerly known as DART) identified the threat actor employing a range of tools and techniques to achieve their objectives, including:

- Exploitation of unpatched, internet-exposed Microsoft Exchange Servers
- Web shell deployment facilitating remote access
- Use of living-off-the-land tools for persistence and reconnaissance
- Cobalt Strike beacons for command and control
- Process hollowing and the use of vulnerable drivers for defense evasion
- Deployment of custom-developed backdoors to facilitate persistence
- Deployment of a custom-developed data collection and exfiltration tool

Forensic analysis

Initial Access

In order to obtain initial access into the victim's environment, the threat actor was observed exploiting known vulnerabilities (ProxyShell) on unpatched Microsoft Exchange Servers:

- CVE-2021-34473
- CVE-2021-34523
- CVE-2021-31207

The exploitation of these vulnerabilities allowed the threat actor to:

- Attain SYSTEM-level privileges on the compromised Exchange host
- Enumerate the LegacyDN of users by sending Autodiscover requests, including the SIDs of users
- Construct a valid authentication token and use it against the Exchange PowerShell backend
- Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
- Create web shells in order to obtain remote control of the affected servers

The threat actor was observed operating from the following IP address to exploit ProxyShell and access the web shell:

185.225.73[.]244

Persistence

Backdoor

Microsoft IR identified the creation of Registry Run Keys, a common persistence mechanism employed by threat actors to maintain access to a compromised device, where a payload is executed each time a specific user logs in.

Registry Key                                                      ValueName   ValueData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run   MsEdgeMsE   rundll32 C:\Users\user\Downloads\api-msvc.dll,Default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run   MsEdgeMsE   rundll32 C:\temp\api-msvc.dll,Default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run   MsEdgeMsE   rundll32 C:\systemtest\api-system.png,Default

api-msvc.dll, detected by Microsoft Defender Antivirus as Trojan:Win32/Kovter!MSR, was determined to be a backdoor capable of collecting system information such as installed antivirus products, device name and IP address. This information is then sent via an HTTP POST request to a command and control (C2) channel:

hxxps://myvisit[.]alteksecurity[.]org/t

FileName      SHA-256
api-msvc.dll  4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e

Unfortunately, the organization was not using Microsoft Defender as its primary AV/EDR solution, so no action was taken against the malicious code.

An additional file, api-system.png, was identified with similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged Run Keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike, a common commercial penetration testing tool, to achieve persistence.
The file sys.exe, detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike beacon and was downloaded directly from the file sharing service temp.sh:

hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following command and control (C2) channel:

109.206.243[.]59:443

FileName  SHA-256
sys.exe   5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103

AnyDesk

Microsoft IR frequently observes threat actors leveraging legitimate remote access tools during an intrusion, in an effort to blend in on a victim network. In this case, the threat actor utilized AnyDesk, a common remote administration tool, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was executed from the following paths:

C:\systemtest\anydesk\AnyDesk.exe
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
C:\Scripts\AnyDesk.exe

Successful connections were observed in AnyDesk logs (ad_svc.trace) involving anonymizer service IP addresses linked to TOR and Mullvad VPN. This is a common technique that actors employ to obscure their source IP ranges.

Reconnaissance and Privilege Escalation

Microsoft IR found the presence and execution of the network discovery tool NetScan, used by the threat actor to perform network enumeration, under the following executable names:

netscan.exe
netapp.exe

FileName     SHA-256
netscan.exe  1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e
netapp.exe   1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e

In addition, execution of AdFind, an Active Directory reconnaissance tool, was observed in the environment.

FileName    SHA-256
adfind.exe  f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e

Credential Access

Evidence of likely Mimikatz usage, a credential theft tool commonly used by threat actors, was also uncovered through the presence of a related log file, mimikatz.log.
Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral Movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol and PowerShell Remoting to obtain access to other servers in the environment, including Domain Controllers.

Data Staging and Data Exfiltration

A suspicious file named "explorer.exe" was identified. The file was recognized by Microsoft Defender Antivirus as "Trojan:Win64/WinGoObfusc.LK!MT" and quarantined, but after disabling the Windows Defender Antivirus service, the threat actor was able to execute the file using the following command:

explorer.exe P@$$w0rd

FileName      SHA-256
explorer.exe  2d078d18e64c0085278245e284112e01aa64c69a1485bf07a6d649773293faf6

explorer.exe was reverse engineered by Microsoft IR and determined to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for the collection and exfiltration of files from victim networks. The binary is capable of enumerating files of interest across the network, and upon execution creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions which are targeted for enumeration.

[Figure: Binary analysis showing file extensions enumerated by explorer.exe]

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials which ExByte leveraged to authenticate to the popular file sharing platform Mega NZ, via its API at:

hxxps://g.api.mega.co[.]nz

[Figure: Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ]

Microsoft IR also determined that this tool was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.
Execution Flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0. If this check fails, ShellExecuteW is invoked with the lpOperation parameter RunAs, which runs explorer.exe with elevated privilege.

After this access check, explorer.exe attempts to read the data.txt file in the current location. If the text file doesn't exist, it invokes a command for self-deletion and exits from memory:

C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q

If data.txt exists, explorer.exe reads the file, passes the buffer to a Base64 decode function and then decrypts the data using the key provided on the command line. The decrypted data is then parsed into the JSON below and fed to the login function:

{ "a":"us0", "user":"<CONTENT FROM data.txt>" }

Finally, it forms a URL for login to the API of the file sharing service MEGA NZ:

hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data Encryption and Destruction

Microsoft IR found several devices where files had been encrypted and identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

wEFT.exe
schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. This binary requires an 8-digit key number to encrypt files. Two modes of execution were identified:

- When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
- When the -a parameter is provided, the ransomware conducts enumeration and uses a UPX-packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.
Depending on the switch (-s or -a), execution may create the files below:

C:\SystemData\M8yl89s7.exe (random name; UPX-packed PsExec)
C:\SystemData\wEFT.exe (additional BlackByte binary)
C:\SystemData\MsExchangeLog1.log (log file)
C:\SystemData\rENEgOtiAtES (the vulnerable driver RtCore64.sys, CVE-2019-16098, used to evade detection by installed AV/EDR software)
C:\SystemData\iHu6c4.ico (random name; BlackByte icon)
C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
C:\SystemData\skip_bypass.txt (unknown)

FileName                    SHA-256
M8yl89s7.exe (random name)  ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f
rENEgOtiAtES                01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd

Some capabilities identified for the BlackByte 2.0 ransomware were:

AV/EDR Bypass

The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2019-16098) that allows any authenticated user to read/write arbitrary memory. The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed AV/EDR software.
Process Hollowing

Invokes svchost.exe, injects into it to complete device encryption, and self-deletes by executing the following command:

cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "PATH_TO_BLACKBYTE" /F /Q

Modification / Disabling of Windows Firewall

The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:

cmd /c netsh advfirewall set allprofiles state off
cmd /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
cmd /c netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

Modification of Volume Shadow Copies

The following commands are executed to destroy volume shadow copies on the machine:

cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=401MB
cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED

Modification of Registry Keys/Values

The following commands are executed to modify the registry, facilitating elevated execution on the device:

cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
cmd /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f

Additional Functionality

- Ability to terminate running services and processes.
- Ability to enumerate and mount volumes and network shares for encryption.
- Performs the anti-forensics technique of time-stomping (sets the file time of encrypted files and the ReadMe file to 2000-01-01 00:00:00).
- Ability to perform anti-debugging techniques.

Recommendations

To guard against BlackByte ransomware attacks, Microsoft IR recommends the following:

- Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized.
- Implement an EDR solution like Microsoft Defender for Endpoint to gain visibility of malicious activity in real time across your network.
- Ensure antivirus signatures are updated regularly and that your AV solution is configured to block threats.
- Block inbound traffic from the IPs specified in the Indicators of Compromise table.
- Block inbound traffic from TOR exit nodes.
- Block inbound access from unauthorized public VPN services.
- Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled.
- Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools.

Indicators of compromise (IOC)

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator  (Type)  Description

4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e  (SHA-256)  api-msvc.dll (backdoor installed through Run Keys)
5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103  (SHA-256)  sys.exe (Cobalt Strike beacon)
2d078d18e64c0085278245e284112e01aa64c69a1485bf07a6d649773293faf6  (SHA-256)  explorer.exe (ExByte, file enumeration and exfiltration tool)
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd  (SHA-256)  rENEgOtiAtES (vulnerable driver RtCore64.sys created by the BlackByte binary)
ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f  (SHA-256)  [RANDOM_NAME].exe (UPX-packed PsExec created by the BlackByte binary)
1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e  (SHA-256)  netscan.exe, netapp.exe (NetScan network discovery tool)
f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e  (SHA-256)  AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/t  (URL)  C2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exe  (URL)  Download URL for sys.exe
109.206.242[.]59  (IP Address)  C2 for Cobalt Strike beacon sys.exe
185.225.73[.]44  (IP Address)  Originating IP address for ProxyShell exploitation and web shell interaction

NOTE: These indicators should not be considered exhaustive for this observed activity.

Detections

Microsoft 365 Defender

Microsoft Defender Antivirus

Trojan:Win32/Kovter!MSR
Trojan:Win64/WinGoObfusc.LK!MT
Trojan:Win64/BlackByte!MSR
HackTool:Win32/AdFind!MSR
Trojan:Win64/CobaltStrike!MSR

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers should watch for these alerts that can detect behavior observed in this campaign. Note however that these alerts are not indicative of threats unique to the campaign or actor groups described in this report.

- 'CVE-2021-31207' exploit malware was detected
- An active 'NetShDisableFireWall' malware in a command line was prevented from executing.
- Suspicious registry modification.
- 'Rtcore64' hacktool was detected
- Possible ongoing hands-on-keyboard activity (Cobalt Strike)
- A file or network connection related to a ransomware-linked emerging threat activity group detected
- Suspicious sequence of exploration activities
- A process was injected with potentially malicious code
- Suspicious behavior by cmd.exe was observed
- 'Blackbyte' ransomware was detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces impacted devices that may be affected by the Exchange (ProxyShell) and driver vulnerabilities used in the attack:

- CVE-2021-34473
- CVE-2021-34523
- CVE-2021-31207
- CVE-2019-16098

Advanced hunting queries

Microsoft 365 Defender and Microsoft Sentinel

ProxyShell Web Shell Creation Events

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate")
        and ProcessCommandLine has_any ("-RequestFile","-FilePath")

Suspicious Vssadmin Events

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("vssadmin","vssadmin.exe")
        and ProcessCommandLine has "Resize ShadowStorage"
        and
        ProcessCommandLine has_any ("MaxSize=401MB","MaxSize=UNBOUNDED")

Conclusions

BlackByte ransomware attacks are still targeting organizations whose infrastructure carries old, unpatched vulnerabilities, allowing the attackers to accomplish their objectives with minimal effort. According to Shodan, at the time this blog was written, there were nearly 3300 public-facing servers still affected by the ProxyShell vulnerabilities, making them an easy target for threat actors looking to impact organizations around the world.

As Microsoft shows in the Microsoft Digital Defense Report, key practices like "Keep up to date", in conjunction with the other good practices of a basic security hygiene strategy, could protect against 98 percent of attacks.

As new tools are being developed by threat actors, a modern threat protection solution such as M365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity to continuous monitoring of security tool alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

Appendix

Encryption

Different file extensions are targeted by the BlackByte binary for encryption:
[Figure: File extensions targeted by BlackByte binary for encryption]

Also, the following shared folders are targeted for encryption:

Users
Backup
Veeam
homes
home
media
common
Storage Server
Public
Web
Images
Downloads
BackupData
ActiveBackupForBusiness
Backups
NAS-DC
DCBACKUP
DirectorFiles
share

Example: \\IP_Address\Downloads

Extensions ignored:

.ini .url .msilog .log .ldf .lock .theme .msi .sys .wpx .cpl .adv .msc .scr .key .ico .dll .hta .deskthemepack .nomedia .msu .rtp .msp .idx .ani .386 .diagcfg .bin .mod .ics .com .hlp .spl .nls .cab .exe .diagpkg .icl .ocx .rom .prf .thempack .msstyles .icns .mpa .drv .cur .diagcab .cmd .shs

Folders ignored:

windows, boot, program files (x86), windows.old, programdata, intel, bitdefender, trend micro, windowsapps, appdata, application data, system volume information, perflogs, msocache

Files ignored:

bootnxt, ntldr, bootmgr, thumbs.db, ntuser.dat, bootsect.bak, autoexec.bat, iconcache.db, bootfont.bin

Processes terminated by the BlackByte binary:
Services terminated by the BlackByte binary:

EDR/AV drivers BlackByte can bypass:
From prevention to recovery: Microsoft Unified’s holistic cybersecurity approach
Author - Paul Saigar

The latest Microsoft Digital Defense Report states that 80 percent of organizations have attack paths that expose critical assets. Furthermore, Microsoft has observed a 2.75x increase year over year in ransomware attacks among our customers. Cyber-enabled financial fraud is also rising globally. According to our report, the daily traffic volume for tech scams, a type of fraud that tricks users by impersonating legitimate services or using fake tech support and ads, has skyrocketed by 400 percent since 2022. This is a stark contrast to the 180 percent increase in malware and 30 percent in phishing over the same period. Microsoft is committed to helping organizations meet this growing challenge with a suite of integrated technologies and services designed to let customers operate with confidence.

Microsoft Unified services and the role of Microsoft IR (incident response)

Microsoft IR is backed by our elite Detection and Response Team (DART) and is an essential component of Microsoft’s overall cybersecurity offering for customers. This team consists of highly skilled cybersecurity professionals with extensive backgrounds in threat hunting and intelligence, digital forensics and tactical recovery, with experience in handling both proactive and reactive incident response. DART’s approach is twofold: it focuses on immediate incident response and on pre-emptive measures to prevent security breaches before they occur.

Proactive measures: Microsoft IR, backed by DART, conducts comprehensive assessments of organizational security infrastructures, seeking out vulnerabilities and potential threats. By evaluating the security readiness of identity and endpoint management systems, our DART experts provide customized recommendations to enhance security measures.

Reactive strategies: In the event of a cybersecurity incident, DART’s response is swift and effective. The team engages directly with the threat, isolating affected systems to prevent further damage while conducting a thorough analysis to identify the source and nature of the attack. Recovery processes are implemented to restore integrity to the systems and data affected. Throughout the cybersecurity response, our DART experts provide continuous support and updates to ensure stakeholders are informed and prepared for necessary actions.

This comprehensive approach is supported by Microsoft’s vast threat intelligence, which analyses 78 trillion security signals daily, and by state-of-the-art technologies. That includes proprietary tools and widely recognized solutions such as the Microsoft Defender suite and Microsoft Sentinel. The depth of expertise within DART ensures it is equipped to manage complex cyber threats efficiently, making the team a trusted and vital component of our cybersecurity offering.

Expanding Microsoft Unified’s cybersecurity offering

Recognizing the critical need for rapid and robust incident management, Microsoft IR, our Cybersecurity Incident Response (CIR) service, is being offered through Microsoft Unified. This offering provides access to our global network of cybersecurity experts, who offer onsite and remote support, ensuring comprehensive coverage and swift action. Our CIR offering also integrates seamlessly with our broader Microsoft Unified framework.

Initial contact: Our Unified team serves as the first line of contact for triage and validation of suspected cybersecurity incidents, providing timely and efficient incident isolation and remediation.

Escalated response: When an incident escalates beyond initial containment, our CIR team takes comprehensive control, ensuring extensive investigation, containment, and recovery.

The suite of services that make up CIR includes prioritized response times, with DART experts available within two hours to address security incidents. It also includes comprehensive services ranging from threat investigation, digital forensics, and malware analysis to complete recovery and remediation efforts. Organizations can also access proactive compromise assessments that delve deep into their environments to unearth vulnerabilities, potential indicators of compromise, and potential attack vectors, and to inform roadmaps to bolster their defenses. These services are complemented by regular threat intelligence briefings tailored to specific industry and geographical threats to keep organizations informed and prepared.

Engage with Microsoft Unified

Microsoft Unified provides an indispensable resource for organizations aiming to enhance their cybersecurity readiness. We integrate proactive assessments with rapid, effective incident response capabilities to equip businesses with the necessary tools and expertise to confront and mitigate cyber threats. To learn more about how Microsoft can help protect your organization from cyber threats, visit our Microsoft Unified page. To learn more about Microsoft IR (incident response), please visit the Microsoft Incident Response page.

Investigating malicious OAuth applications using the Unified Audit Log
Abstract

Supply chain attacks continue to evolve in sophistication, with new TTPs emerging every few months. In this article we highlight some of the most recently observed TTPs and our recommendations for investigating and mitigating them in your environments. Specifically, Microsoft is seeing new and ongoing incidents where Threat Actors are compromising a trusted partner, such as a cloud solution provider or reseller partner, to gain access to a victim organization. This access is often in the form of creating or modifying an enterprise application so that the Threat Actor can use that application to gain access to sensitive information, including email messages, Teams messages, and documents stored in SharePoint or OneDrive for Business. In 2021, Microsoft published general guidance on investigating cloud solution providers in this post. This article provides additional guidance for incident responders on investigating such events.

A key to any investigation is what forensic data is logged, where that data is available, and how long that data is retained. For Microsoft Entra ID and Microsoft 365 services, log data can be found in several places, as visualized below.

Figure 1. Data retention in Microsoft 365 and Microsoft Entra ID

NOTE: As noted here https://learn.microsoft.com/en-us/purview/audit-log-search, Microsoft has recently changed the default retention period for Audit (Standard) from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023, are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023, follow the new default retention of 180 days.

Many organizations may be sending the log data from Microsoft Entra ID and Microsoft Defender for Cloud Apps to a SIEM solution such as Microsoft Sentinel. For organizations that are using a SIEM solution which retains data for an extended period, the investigation may be done more easily in those environments, but that is beyond the scope of this article. The guidance provided here focuses on using data from the Unified Audit Log and the Microsoft Entra ID sign-in and audit logs taken from the portal itself, since this data is available to all organizations.

Unified Audit Log

If you are looking for audit information that is older than the logs retained in Microsoft 365 XDR Advanced Hunting, Microsoft Sentinel or another SIEM, then you can use the Unified Audit Log to retrieve it. Depending on your licensing level, data can be available for up to a year. The Unified Audit Log is a central collection of audit events relating to Microsoft 365, including activities such as file download events from SharePoint or OneDrive. Using the Audit search functionality, you can create custom searches to retrieve the relevant information from the Unified Audit Log. This data can then be downloaded as a CSV file and analyzed to understand what happened.

Figure 2. Unified Audit Log search portal

You can select specific date periods, users, and even specific activities and workloads (such as file download events from SharePoint). You can additionally complete free text searches on any indicators of compromise, such as an IP address or the GUID associated with an application object. In addition to the GUI, you can also retrieve information via PowerShell, using the Search-UnifiedAuditLog cmdlet. Via PowerShell, you can still filter on users, time ranges or events. As the central location of all audit data for Microsoft 365, the various activities all have different data associated with them. For instance, a file download event has the name of the file and the user associated with the activity. When a user creates a mailbox rule in Exchange Online, the event has the name of the rule and the configuration settings specific to it.
Because of the dynamic nature of these different events, it is recommended to do broad searches to ensure all activities are retrieved. Depending on the nature of your investigation, the following recommendations help ensure all activities are retrieved.

In some cases, the friendly user principal name (UPN) is not logged in the Unified Audit Log but rather only the User Principal Object Id (UPOID), or in some cases the value contains the UPOID with the hyphens removed. For completeness, three sets of searches of the Unified Audit Log for activity from a suspect user identity should be undertaken:

Search for the UPN, i.e. search for eric.lang@contosohotels.com both using the -UserIds switch and the -FreeText switch. Searching based on the -UserIds switch will return the events where the UserId value is the actor. To recover events where the user identity was the target of the action, the -FreeText search is required.

Search for the UPOID, i.e. 8a1e7b36-e60c-409a-992f-dc838f27a102, both using the -UserIds switch and the -FreeText switch.

Search for the UPOID without hyphens with the term “user_” prepended, i.e. user_8a1e7b36e60c409a992fdc838f27a102, using both the -UserIds switch and the -FreeText switch.

For activity associated with application abuse, search for the Application Id (sometimes known as the Client Id) of the application with and without the hyphens, such as cb457366-b74c-42f2-a8c7-a7648e4572f1 and cb457366b74c42f2a8c7a7648e4572f1. This should be a -FreeText search using the Search-UnifiedAuditLog cmdlet.

When searching for IP indicators, there are a few important notes:

Some events will record the IP address of the Microsoft service rather than the IP address of the actual identity; try to correlate that information with known indicators of compromise or sign-in event data to ensure it is malicious.

Searching in the GUI or using the Search-UnifiedAuditLog cmdlet by specifying the IP address as a search term may not return all results. Those commands search over the indexed terms in the Unified Audit Log. In the case of the client IP address, that address is stored in the ClientIP field in the AuditData object. In some cases, that value may not be populated, but another IP address field in the AuditData object may be populated. For these cases, also do a -FreeText search against the Unified Audit Log.

Searching the Unified Audit Log using the Search-UnifiedAuditLog PowerShell cmdlet with the filter parameters (-UserIds, -IPAddresses, -SiteIds, -ObjectIds, -Operations, -RecordType) searches only the values in the “common schema” which are indexed by the system (see https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#common-schema for the common schema definition). The different workloads may store additional content in the raw “AuditData” object. Using the -FreeText switch will search through the raw event data except for items which are indexed in the common schema. Therefore, it is important to search both by property (e.g. -IPAddresses) and using the -FreeText option to capture all events which contain the specific indicator of attack or indicator of compromise.

Example Investigative Process

Microsoft Incident Response (Microsoft IR) recently investigated an attack which included suspicious activity associated with an application in the victim’s tenant. Here is how we went about the investigation. A conceptual framework for the investigation is shown in the figure below, where there can be bidirectional iteration between each data collection until the common operating picture of the event converges. That is, Microsoft IR continues to pivot on these interconnected IOCs until no new events, or compromised identities, are uncovered.

Figure 3. Visualization of the investigative process

Given an indicator of attack/compromise consisting of a suspicious ApplicationId, we collected data from the Unified Audit Log using a query like the following:

Search-UnifiedAuditLog -StartDate <StartDate> -EndDate <EndDate> -FreeText <ApplicationId>

Specifically, we used a variation of the script located at https://learn.microsoft.com/en-us/purview/audit-log-search-script to do the search. If in your environment you have document names, group names, user display names or other forensic information that may contain non-ASCII characters, we recommend including the -Encoding UTF8 switch at the end of your commands, as this will ensure the export handles those characters properly.

In our example, we observed audit events of the following types:

Add application.
Add service principal.
Update application.
Consent to application.
Add app role assignment to service principal.
Update application – Certificates and secrets management

and additional audit events indicating that the application was used to access information from the customer environment. We then analyzed the resultant data and were able to determine the following:

When was the application created?
Who created or modified the application?
What consent was granted to the application?
Were credentials added to the application or to the related service principal (aka workload identity) associated with the application?
What identity was used to grant or modify consent to the application?
What IP addresses were associated with the creation or modification of the malicious application?

In this case, the analysis revealed that the identities associated with creating the application and modifying the application belonged to cloud service providers (CSPs). Following from that finding, the investigation took the following path.
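The identifier-variant searches described above (UPN, object id, the user_ form, the application id with and without hyphens, and IP indicators via both -IPAddresses and -FreeText) together with the follow-on summary of application-related events, as an added PowerShell example that is not from the original post or from the Microsoft script it links. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline); the function names are my own, and the UPN, object id, application id and IP address are the constructed placeholder values this article uses.

```powershell
# Added example (not from the original post). Requires an Exchange Online PowerShell
# session (Connect-ExchangeOnline) so that Search-UnifiedAuditLog is available.
# Function names belong to this example; all identifier values are constructed placeholders.

# Build the set of searches the article recommends:
#  - user identity: UPN, object id, user_<object id without hyphens>, each via -UserIds and -FreeText
#  - application id: with and without hyphens, via -FreeText only
#  - IP indicators: via -IPAddresses (indexed common schema) and -FreeText (raw AuditData)
function New-UalSearchPlan {
    param(
        [string]$UserPrincipalName,
        [string]$UserObjectId,
        [string]$ApplicationId,
        [string[]]$IPAddresses = @()
    )
    $plan = @()
    $identityTerms = @()
    if ($UserPrincipalName) { $identityTerms += $UserPrincipalName }
    if ($UserObjectId) {
        $identityTerms += $UserObjectId
        $identityTerms += 'user_' + ($UserObjectId -replace '-', '')
    }
    foreach ($term in $identityTerms) {
        $plan += @{ UserIds = $term }      # actor side, indexed field
        $plan += @{ FreeText = $term }     # target side and non-indexed AuditData fields
    }
    if ($ApplicationId) {
        $plan += @{ FreeText = $ApplicationId }
        $plan += @{ FreeText = ($ApplicationId -replace '-', '') }
    }
    foreach ($ip in $IPAddresses) {
        $plan += @{ IPAddresses = $ip }
        $plan += @{ FreeText = $ip }
    }
    return $plan
}

# Page through one search with a session id so that large result sets are not truncated.
# $Filter is splatted and holds exactly one of UserIds, FreeText or IPAddresses.
function Search-UalAllPages {
    param(
        [datetime]$StartDate,
        [datetime]$EndDate,
        [hashtable]$Filter
    )
    $sessionId = [guid]::NewGuid().ToString()
    $pageSize  = 5000
    $collected = @()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet `
                    -ResultSize $pageSize @Filter)
        $collected += $page
    } while ($page.Count -eq $pageSize)
    # ReturnLargeSet can repeat records across pages; Identity is unique per record
    return @($collected | Sort-Object -Property Identity -Unique)
}

# The application-related operations the article lists; summarise who did what, from where.
$script:AppOperations = @(
    'Add application.', 'Add service principal.', 'Update application.',
    'Consent to application.', 'Add app role assignment to service principal.',
    'Update application – Certificates and secrets management'
)

function Get-AppEventSummary {
    param([object[]]$Records)
    foreach ($record in $Records) {
        $data = $record.AuditData | ConvertFrom-Json
        if ($script:AppOperations -notcontains $data.Operation) { continue }
        # Entra ID events carry ActorIpAddress and a Target list; other workloads carry ClientIP
        $ip = if ($data.ActorIpAddress) { $data.ActorIpAddress } else { $data.ClientIP }
        [pscustomobject]@{
            CreationTime = $data.CreationTime
            Operation    = $data.Operation
            Actor        = $data.UserId
            ActorIP      = $ip
            Targets      = (@($data.Target) | ForEach-Object { $_.ID }) -join '; '
        }
    }
}

# Constructed placeholder indicators (the sample values used in the article)
$end   = Get-Date
$start = $end.AddDays(-180)
$plan  = @(New-UalSearchPlan -UserPrincipalName 'eric.lang@contosohotels.com' `
             -UserObjectId '8a1e7b36-e60c-409a-992f-dc838f27a102' `
             -ApplicationId 'cb457366-b74c-42f2-a8c7-a7648e4572f1' `
             -IPAddresses @('50.50.50.50'))

$records = @()
foreach ($search in $plan) {
    $records += Search-UalAllPages -StartDate $start -EndDate $end -Filter $search
}
$records = @($records | Sort-Object -Property Identity -Unique)

# Keep the raw export (UTF8 so non-ASCII names survive) and print the application-event timeline
$records | Export-Csv -Path '.\ual-export.csv' -NoTypeInformation -Encoding UTF8
Get-AppEventSummary -Records $records | Sort-Object -Property CreationTime | Format-Table -AutoSize
```

Any new actor, application id or IP address that appears in the summary becomes the input for the next run of the same plan, which is the pivoting loop the article describes.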
Understand what additional activities were carried out by the identity that created the application

Pivot on the identity that created the application to understand what else that account did. Search the Microsoft Entra ID audit log for the user, as well as the Unified Audit Log for the username and for the user’s object id with and without the hyphens. To accomplish this using the Search-UnifiedAuditLog cmdlet, do a search based on the -UserIds switch using the UserPrincipalName (e.g. eric.lang@contosohotels.com) and then repeat the search using the -FreeText switch; then repeat both the -UserIds and -FreeText searches for the UPOID and for the user_<UPOID without hyphens> version over the same time frame. This can help establish time windows in which activity from that identity should be viewed as potentially malicious or Threat Actor related. If this uncovers other applications or users that were created, then the same process should be completed for those applications and users. Investigative work like this is often repeated cycles of determining user or application compromise, and then investigating those users or applications to discover additional indicators and understand impact. On top of persistence mechanisms, or any other configuration changes, this will also surface any data access events.

Pivot through any malicious IP addresses located

To accomplish this using the Search-UnifiedAuditLog cmdlet, Microsoft IR completed a search based on the -IPAddresses switch on the uncovered addresses (e.g. 50.50.50.50) and then repeated the search using the -FreeText switch and the IP address. These IP addresses may uncover additional compromised identities, either users or applications. They may also uncover further data access events or other persistence mechanisms.

Pivot through any newly found identities

As you uncover additional compromised identities, the same cycle of investigation begins.

A question often asked by customers in these engagements is what email was accessed, or what Teams messages were accessed. Data sources such as Microsoft Defender for Cloud Apps and the Unified Audit Log audit the metadata related to email and Teams access events, such as email or message identifiers. The content of the messages or emails, however, is not logged, which makes sense: it is not practical to log the entire contents of an email. For items such as email or Teams messages, the event metadata is retrieved. From that surfaced metadata, Microsoft IR then exports the full content from Exchange Online or the Microsoft Graph APIs and provides that to the customer to complete a data impact assessment. For file download events, the name and path of the files are provided so that customers can understand what data was exfiltrated. A complete analysis of the content accessed by the Threat Actor is required to determine if the Threat Actor may have gained additional methods to access the environment or establish persistence.

Microsoft IR utilizes Azure Data Explorer (ADX) and Kusto Query Language (KQL) to query all these log sources at scale to understand the story of the compromise. However, there is no requirement to use a specific platform for your investigation; if you have Microsoft Sentinel, or another SIEM with the required data, you can perform your investigation there. For smaller scale compromises, using the inbuilt portals can also be sufficient.

Some examples of forensically interesting events, and how Microsoft IR analyses the data associated with them, are:

FileDownloaded: This shows the filename and file path of file downloaded events, and the identity that triggered the action, whether that is a user or an application. Microsoft IR provides customers with a list of downloaded files that were attributed to the threat actor so the customer can understand what data has been exfiltrated.

MailItemsAccessed: This event shows that an email within a mailbox in Exchange Online was accessed. Events are of two types. The first is a bind, in the case of a single email being accessed. Bind operations are aggregated into 2-minute intervals, but each individual message accessed is still listed in each single audit event. The second type is a sync, in the case of a folder being synced from the full Outlook client. To reduce noise, only a single sync record is logged for each folder that was synced, and we assume that all emails in a folder have been synced. Additional information about this audit event can be found here.

MessagesListed: When a Teams message is retrieved from the Microsoft Graph API, this event is logged. It is not logged when a message is listed from the Microsoft Teams client itself. Threat actors can use tooling they have created to interact directly with the Microsoft Graph API and access messages in bulk; the MessagesListed event is valuable for understanding the impact of this kind of activity.

Add service principal: This event is logged when a service principal is added to the tenant. If this is malicious activity during the investigation, then Microsoft IR pivots on that application to understand what other activities it completed, and what data and services it accessed. The ApplicationId, which is a GUID, of the newly created application is a strong indicator of compromise.

New-InboxRule: A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app. With these events Microsoft IR is interested in what actions the rule was taking; if it was trying to hide emails with particular words or phrases, that may be an indicator of threat actor intent. If they are hiding emails related to invoices or payment, it may be a sign the threat actor is seeking financial gain through business email compromise.

Several thousand unique events can be written to the Unified Audit Log; a listing of the most common is available here. There is also specific guidance for Microsoft Teams. Microsoft IR has previously covered tips and tricks for using the Unified Audit Log in the post Good UAL Hunting.

It is often not feasible to extract the entire Unified Audit Log for a tenant due to the sheer volume of data held within it. Therefore, Microsoft investigators take an iterative approach, starting with known indicators of compromise and then expanding based on those initial findings. When the operational picture converges and no additional indicators of attack or compromise are revealed, the data collection phase can be viewed as complete.

Recommendations

While the CSP to customer partnership is unique in terms of providing privilege into a customer tenant, the investigative process remains very similar to any investigation of Microsoft Entra ID and Microsoft 365. We recommend that customers take the following steps:

Audit current partner agreements and understand if they are required; they may no longer be required. Over time, customers can change partners as business requirements or commercial agreements change. Often older partners still hold privilege over customer tenants.

If using delegated admin privileges, then migrate to granular delegated admin privileges and grant partners only the access required to complete their work.
From a partner point of view, migrating from DAP to GDAP has no effect on the partner earned credit (PEC) program.

If partners need to complete privileged work and you are uncomfortable with any standing access via DAP or GDAP, you can, of course, create them a named account in your own tenant and require that they adhere to the security policies, such as Conditional Access, which you dictate.

Understand where the forensic information related to Microsoft 365 and Microsoft Entra ID is available, and how to query that data in case of compromise.

If organizations do not have the capability to investigate these types of compromises, it is recommended to engage an experienced incident response team, such as Microsoft IR.

Detailed below is a reminder of the different types of CSP privilege models in Microsoft 365 and some additional notes on finding forensic data directly in the various portals; this can be valuable for finding events in the last 30 days.

Understanding partnership models in Microsoft 365 & Microsoft Entra ID

Several types of partner configurations can exist between a customer and a CSP which provide some level of privilege in the customer tenant. These include:

Microsoft Entra ID delegated administration privileges (DAP)

The DAP permissions model was created to allow Cloud Solution Providers (CSPs) to provide services and licensing support to customers. A CSP could send an invitation to a customer to request a partner relationship. This was designed to allow partners to manage various aspects of customers’ Microsoft 365 and Azure services without needing another set of credentials. For CSPs that deal with thousands of customers, this provides a much simpler way to manage those relationships, instead of maintaining thousands of unique credentials across customer tenants. Prior to an update to the permissions model, upon accepting one of these invitations, the CSP would gain Global Administrator rights in the customer tenant.

Microsoft Entra ID granular delegated administration privileges (GDAP)

GDAP is an updated version of DAP built with the principles of Zero Trust at the forefront. GDAP was added not long after the publication of the 2021 article linked above. GDAP gives customers much stronger controls over what access partners are granted into their tenant. Instead of allowing blanket Global Administrator access to partners, customers can instead pick and choose more specific roles better aligned to the work the CSP needs to complete. If the relationship is purely to facilitate licensing requirements, then the Licensing Administrator role may be a better fit and more aligned to the principle of least privilege. In addition, GDAP grants are time bound. Customers must re-approve the granting of these privileges.

Identifying existing relationships

Customers can find the existing partnerships configured in their tenant, and which permissions model is currently being used. These can be found by browsing to the Microsoft 365 admin center and then navigating to Settings and then to Partner relationships. In the Partner relationships pane, you can view a list of all service providers that have established a relationship with the tenant and whether the service provider has any roles assigned.

Figure 4. Identifying DAP & GDAP as a downstream customer

Customers should audit the list of partners visible here and determine if they are still required. Often these partnership configurations may be a relic of prior commercial agreements and the two organizations are not actively working with each other anymore. For customers, it is important to understand that these partner relationships, especially in the case of DAP, may maintain full Global Administrator rights over your tenant. Just as your own Global Administrators, or other users of privilege, should be monitored, so should any activity from partner accounts, with alerts created for suspicious actions. While end customers cannot see a list of all users in the service provider’s tenant that can make administrative changes to the end customer tenant, they can see any sign-in activity, audit events and other activities in the Unified Audit Log and Microsoft Defender for Cloud Apps (if it is enabled at the time of the event).

Finding Partner Sign-in Events

When a partner signs into a customer tenant in Microsoft Entra ID, it is categorized as a unique sign-in type. Customers can find these logins (refer to Figure 2) by viewing the Microsoft Entra ID sign-in logs and filtering for a Cross tenant access type of Service provider. The results can be exported by clicking Download and leveraged to further target your triage across Azure and Microsoft 365.

Figure 5. Sign-ins by service providers

Hunting for Partner Data Access

In many cases, CSP compromise can lead to downstream data access in a customer tenant, such as the exfiltration of data from SharePoint or OneDrive. Microsoft Defender for Cloud Apps tracks these kinds of events across Microsoft 365 and any third-party applications you have connected. If you believe an adversary has taken control of a partner account and accessed your tenant, then Microsoft Defender for Cloud Apps is a good place to start to determine the impact to your data. You can create specific searches in the Microsoft Defender for Cloud Apps activity log, looking for specific users, IP addresses or activities.

Figure 6. Defender for Cloud Apps activity log

If you need more granular queries, you can select the Advanced filters option. For events older than 30 days, you can select the ‘Investigate 6 months back’ option, though the filtering options for that historical data are limited. It is important for organizations to ensure that Microsoft Defender for Cloud Apps is fully connected with Microsoft Entra ID and Microsoft 365. You can confirm this by browsing to the Settings page in the Microsoft 365 XDR portal; from there, select Cloud Apps. Once the settings for Microsoft Defender for Cloud Apps load fully, select App Connectors. A list of all the applications connected will be presented; for Microsoft 365, select the Edit settings option.

Figure 7. Editing the Microsoft 365 Connector in Microsoft Defender for Cloud Apps

Ensure that all the options are connected. If you are already licensed for Microsoft Defender for Cloud Apps, there is no additional cost to enable this. If you send this data to Microsoft Sentinel, however, the additional events sent will incur additional ingestion charges.

Figure 8. Enabling all components of the Microsoft 365 connector

Hunting for Partner Audit Events

Once a partner account has accessed your tenant, any changes they make to Microsoft Entra ID will be logged into the audit log, in the same way as for your regular users. The audit log will track any platform level changes to Microsoft Entra ID, including user creation events, users being assigned to privileged roles, MFA registration events, application creation events and more. You can search the Microsoft Entra ID Audit Logs for any events for specific accounts.

Figure 9. Filtering the audit log in Microsoft Entra ID

When looking for events associated with users, remember that a user account can be either the initiator (the actor) or the target of an event. If eric.lang@contosohotels.com changes the password of bob.smith@fabrikam.com, then Eric Lang is the actor and Bob Smith is the target. Additionally, in the case of malicious application abuse, the initiator may be the application itself, rather than a user.

As mentioned at the outset, for any investigation, understanding where data resides, how to access it when required, and the retention of that data, is crucial to success. Once Microsoft IR gets access to the required forensic data, an iterative process is then undertaken to ensure that the entire story of the compromise is uncovered.
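The data impact analysis of MailItemsAccessed (bind versus sync), FileDownloaded and New-InboxRule events described in the Unified Audit Log section above, as an added PowerShell example that is not from the original post. It runs offline over constructed sample records whose AuditData imitates the shape of those events (every value in them is made up); the function name and the hiding-rule heuristic are my own, and the same function can be pointed at Search-UnifiedAuditLog output or at rows imported from its CSV export, since both carry AuditData as a JSON string.

```powershell
# Added example (not from the original post). Summarises the evidence a data impact
# assessment starts from: which messages were bound, which folders were synced (treat the
# whole folder as accessed), which files were downloaded, and which inbox rules hide mail.
# The sample records are constructed; their AuditData imitates the real event shapes.

$bindJson = '{"CreationTime":"2023-11-02T08:14:00","Operation":"MailItemsAccessed","UserId":"eric.lang@contosohotels.com","ClientIPAddress":"50.50.50.50","MailAccessType":"Bind","Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<a1@contosohotels.com>"},{"InternetMessageId":"<a2@contosohotels.com>"}]}]}'
$syncJson = '{"CreationTime":"2023-11-02T08:20:00","Operation":"MailItemsAccessed","UserId":"eric.lang@contosohotels.com","ClientIPAddress":"50.50.50.50","MailAccessType":"Sync","Folders":[{"Path":"\\Sent Items"}]}'
$fileJson = '{"CreationTime":"2023-11-02T08:31:00","Operation":"FileDownloaded","UserId":"eric.lang@contosohotels.com","ClientIP":"50.50.50.50","ObjectId":"https://contosohotels.sharepoint.com/sites/Finance/Shared Documents/Q3-payroll.xlsx"}'
$ruleJson = '{"CreationTime":"2023-11-02T08:40:00","Operation":"New-InboxRule","UserId":"eric.lang@contosohotels.com","ClientIP":"50.50.50.50","ObjectId":"contosohotels.com/Users/Eric Lang\\Archive old","Parameters":[{"Name":"Name","Value":"Archive old"},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}'

# Same property names as Search-UnifiedAuditLog output / the CSV export
$sampleRecords = @(
    [pscustomobject]@{ Operations = 'MailItemsAccessed'; AuditData = $bindJson },
    [pscustomobject]@{ Operations = 'MailItemsAccessed'; AuditData = $syncJson },
    [pscustomobject]@{ Operations = 'FileDownloaded';    AuditData = $fileJson },
    [pscustomobject]@{ Operations = 'New-InboxRule';     AuditData = $ruleJson }
)

function Get-DataImpactSummary {
    param([object[]]$Records)
    foreach ($record in $Records) {
        $d = $record.AuditData | ConvertFrom-Json
        # Exchange mailbox events use ClientIPAddress; SharePoint and admin-audit events use ClientIP
        $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
        $base = @{ Time = $d.CreationTime; Actor = $d.UserId; IP = $ip }
        switch ($d.Operation) {
            'MailItemsAccessed' {
                foreach ($folder in @($d.Folders)) {
                    if ($d.MailAccessType -eq 'Sync') {
                        # one sync record per folder: every message in it is assumed accessed
                        [pscustomobject]($base + @{ Kind = 'MailSync'; Item = "$($folder.Path) (entire folder)" })
                    } else {
                        # bind: each message id is listed inside the aggregated record
                        foreach ($item in @($folder.FolderItems)) {
                            [pscustomobject]($base + @{ Kind = 'MailBind'; Item = $item.InternetMessageId })
                        }
                    }
                }
            }
            'FileDownloaded' {
                [pscustomobject]($base + @{ Kind = 'FileDownloaded'; Item = $d.ObjectId })
            }
            'New-InboxRule' {
                # Parameters is a Name/Value list; a content match combined with move/delete hides mail
                $p = @{}
                foreach ($kv in @($d.Parameters)) { $p[$kv.Name] = $kv.Value }
                $contentKeys = @('SubjectContainsWords', 'BodyContainsWords', 'SubjectOrBodyContainsWords') |
                    Where-Object { $p.ContainsKey($_) }
                $hides = (@($contentKeys).Count -gt 0) -and ($p.ContainsKey('MoveToFolder') -or $p.ContainsKey('DeleteMessage'))
                $kind = if ($hides) { 'InboxRule-HidesMail' } else { 'InboxRule' }
                $detail = ($p.Keys | Sort-Object | ForEach-Object { "$_=$($p[$_])" }) -join '; '
                [pscustomobject]($base + @{ Kind = $kind; Item = $detail })
            }
        }
    }
}

# A pscustomobject built from a hashtable has no fixed column order, so select columns explicitly
Get-DataImpactSummary -Records $sampleRecords |
    Select-Object Time, Actor, IP, Kind, Item | Format-Table -AutoSize
```

The MailBind rows carry the message identifiers from which the full content is later exported for the customer, and the MailSync row is the folder that must be treated as wholly accessed.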