One Article Review

Home - The article:
Source AlienVault Blog
Identifier 2990623
Publication date 2021-06-23 10:00:00 (viewed: 2021-06-28 11:05:46)
Title Stories from the SOC - Office 365 account compromise and credential abuse (Recycled)
Text Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive Summary

Credential abuse and compromised user accounts are serious concerns for any organization. Credential abuse is often used to access other critical assets within an organization, its subsidiaries, or a partner corporation. Once an account is compromised, it can be used for data exfiltration or to further the agenda of a threat actor. Threat actors often compromise the internal email accounts of legitimate organizations for many reasons, including to send internal users phishing links that lead to additional compromise, to send malicious emails to external users for later compromise, or to create inbox rules that forward confidential emails to the threat actor's account outside the organization. Monitoring for events surrounding internal, inbound, and outbound email activity is therefore important.

The AT&T Managed Threat Detection and Response (MTDR) analyst team received several alarms in response to a user attempting to send an excessive number of emails, which resulted in those emails being blocked within Microsoft Office 365. A review of the user's login behavior showed that the user had been logged in from foreign IPs that fell outside the user's typical logon pattern. Further analysis of events surrounding the user concluded that the incident was contained. An investigation was created with the attached events, artifacts, and login activity to quickly engage the customer and remediate the compromise before the attack could escalate.

Investigation

Initial Alarm Review

Indicators of Compromise (IOC)

Three alarms were generated from events involving Credential Abuse, Anomalous User Behavior, and Security Policy Violation, based on Office 365 activity from both a foreign country and the United States.

(Image 1: Credential abuse alarm)

Expanded Investigation

Events Search

The initial Credential Abuse alarm (image 1) for suspicious login activity was generated in response to 12 events related to successful logins from a foreign country and the United States within a 24-hour period. After expanding the events surrounding this user, it was discovered that the user had never logged in from countries outside the United States. The team then used Open Source Intelligence (OSINT) tools to research the foreign IPs and found that they belonged to a foreign telecommunications company and had previously been blacklisted. Using OSINT during an investigation is imperative for determining the ownership, location, history of abuse, and malicious activity surrounding an IP address or domain.

(Image: IP blacklist check)

The Anomalous User Behavior alarm (image 3) pertaining to Outlook 365 email activity was generated due to the excessive number of outbound emails. According to the logs, fifty-three outbound emails were sent from the foreign IP in 24 hours, a 1000% increase for this user. Because of the suspicious activity, the Intrusion Prevention System (IPS) restricted the user's ability to send emails and generated an additional alarm for review. The IPS mattered in this instance because it prevented data exfiltration from the compromised email account.
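The two alarm conditions described above (a login from a country never seen for the user, and an outbound send volume far above the user's daily baseline), as an added example that is not code from the post or from AT&T's platform. It runs over constructed Office 365-style audit events; the user, the country code "XX" and the documentation IP ranges are assumptions.

```python
# Added example, not code from the AT&T/AlienVault post: the two alarm conditions the
# investigation describes, run over constructed Office 365-style audit events.
from collections import defaultdict
from datetime import datetime, timedelta

USER = "j.doe@example.com"  # placeholder; countries/IPs below are documentation values
EVENTS = [  # constructed, simplified unified-audit-log records
    {"ts": "2021-06-20T08:00:00", "user": USER, "op": "UserLoggedIn", "country": "US", "ip": "203.0.113.5"},
    {"ts": "2021-06-20T08:05:00", "user": USER, "op": "Send", "country": "US", "ip": "203.0.113.5"},
    {"ts": "2021-06-20T08:10:00", "user": USER, "op": "Send", "country": "US", "ip": "203.0.113.5"},
    {"ts": "2021-06-21T02:00:00", "user": USER, "op": "UserLoggedIn", "country": "XX", "ip": "198.51.100.7"},
] + [{"ts": f"2021-06-21T02:{m:02d}:00", "user": USER, "op": "Send", "country": "XX",
      "ip": "198.51.100.7"} for m in range(1, 54)]  # 53 sends from the never-seen country

def when(e):
    return datetime.fromisoformat(e["ts"])

def baseline(events, cutoff):
    """Per user, from events before cutoff: login countries seen and mean sends per active day."""
    hist = defaultdict(lambda: {"countries": set(), "days": set(), "sends": 0})
    for e in (e for e in events if when(e) < cutoff):
        h = hist[e["user"]]
        if e["op"] == "UserLoggedIn":
            h["countries"].add(e["country"])
        elif e["op"] == "Send":
            h["sends"] += 1
            h["days"].add(when(e).date())
    return {u: (h["countries"], h["sends"] / len(h["days"]) if h["days"] else 0.0)
            for u, h in hist.items()}

def detect(events, window_start, hours=24, spike_pct=1000):
    """Alarms for one window: login from a country never seen for the user (Credential
    Abuse) and outbound sends >= spike_pct above the daily baseline (Anomalous Behavior)."""
    start = datetime.fromisoformat(window_start)
    hist, by_user, alarms = baseline(events, start), defaultdict(list), []
    for e in events:
        if start <= when(e) < start + timedelta(hours=hours):
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        known, usual = hist.get(user, (set(), 0.0))
        new = sorted({(e["country"], e["ip"]) for e in evs
                      if e["op"] == "UserLoggedIn" and e["country"] not in known})
        if new:
            alarms.append({"user": user, "alarm": "Credential Abuse", "new_logins": new})
        sent = sum(e["op"] == "Send" for e in evs)
        if usual and sent and sent * 100 / usual - 100 >= spike_pct:
            alarms.append({"user": user, "alarm": "Anomalous User Behavior", "sent": sent,
                           "increase_pct": round(sent * 100 / usual - 100)})
    return alarms
```

A baseline built from too little history flags every login country as new and cannot rate a send spike at all, so the look-back must cover enough of the user's normal activity before these alarms are trusted.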
Tags Threat Guideline


Reposts of the article (1):
Source AlienVault Blog
Identifier 2970160
Publication date 2021-06-23 10:00:00 (viewed: 2021-06-23 10:05:34)
Title Stories from the SOC - Office 365 Account Compromise and Credential Abuse


The article does not appear to have been reposted from an earlier one.