![]() Once our team was able to determine the initially compromised accounts, we were able to begin the process of tracking the adversary within the on-premises systems. After the adversary was able to access the network through the company’s VPN, they moved laterally throughout the environment using legitimate user credentials harvested during a phishing campaign. Once the adversary had the credentials, they began their reconnaissance on the network by searching for documents about VPN remote access and other access methods stored on a user’s SharePoint and OneDrive. Recently, DART was called into an engagement where the adversary had a foothold within the on-premises network, which had been gained through compromising cloud credentials. Credentials can be harvested in numerous ways, including phishing campaigns, Mimikatz, and key loggers. From an investigation standpoint, tracking adversaries using this method is quite difficult as you need to sift through the data to determine whether the activities are being performed by the legitimate user or a bad actor. About Us Hyper-converged infrastructure experts for the Microsoft cloud platformĪs members of Microsoft’s Detection and Response Team (DART), we’ve seen a significant increase in adversaries “living off the land” and using compromised account credentials for malicious purposes. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |