Incident Response: Azure Log Analysis

Поделиться
HTML-код
  • Опубликовано: 26 дек 2024

Комментарии •

  • @samadams4582
    @samadams4582 Год назад +10

    Another thing that I noticed. There were 2 RMM tools running on that workstation, Ninja and CW Automate. Typically MSPs have only 1 RMM configured, unless they are transitioning over to another one. Some threat actors are utilizing RMM tools to backdoor into remote systems.

  • @Logan-vw8bg
    @Logan-vw8bg Год назад +3

    Came back to reference some of your syntax for the THM Advent of Cyber ;) . Always so helpful John, thanks for everything you contribute to the community.

  • @Sharon-f5j
    @Sharon-f5j Год назад

    A smile is a light in the window of your face to show your heart is at home.

  • @dyarizadeh3
    @dyarizadeh3 Год назад +12

    Just a note - I don't think file auditing is on by default (please correct me if I'm wrong) in many orgs, so don't always expect to find ID 4663

    • @dyerseve3001
      @dyerseve3001 Год назад

      It used to be that way with 365 tenants but it's on by default now.

  • @biglike7981
    @biglike7981 Год назад +1

    No mention of how they bypassed 2fa after compromising the acct. Very informative video. Really enjoyed it.

    • @86ajmn
      @86ajmn 11 месяцев назад

      They did mention that, aka cookie stealer. Keep learning young padawan.

  • @bestsellervideos
    @bestsellervideos Год назад

    Congratulations on 1 Million!!!! 🙌🙌🙌

  • @MsDuketown
    @MsDuketown Год назад

    For sh automation the cut command has been replaced oldfashioned ways of detecting delimiters, like an obedient master-slave rekation tied to ever-lasting upgrading systems and EoL OS'es.
    setting up an Azure Workspace makes more sense. Or reuse something incidents reports with webparts.
    Excel is handy for manual digging and finding patrons based om experience.

  • @Solomon-c9o
    @Solomon-c9o Год назад

    If you love someone, set them free. If they come back they're yours; if they don't they never were.

  • @olevalente6523
    @olevalente6523 Год назад +1

    Entertaining and easily digestible information. Good job!

  • @kevinportillo1971
    @kevinportillo1971 Год назад

    I usually go through logs just to find what and when the original moment of compromise took place, unless the tenant has the enhanced security protections license for Explorer then it makes it easier to even prevent the threat.

  • @MyDFIR
    @MyDFIR Год назад

    Johns expression thumbnail is me when I see RMM on a DC - Great video❤

  • @landless-wind
    @landless-wind Год назад +1

    big thanks
    PCA from philippines

  • @paritoshbhatt
    @paritoshbhatt Год назад

    Nicely Explained ! Great Video Man.

  • @davidaustin967
    @davidaustin967 Год назад +2

    This raises an interesting question about how long you should retain logs.

    • @Wahinies
      @Wahinies Год назад +1

      Definitely a consideration because the default for Azure is 30 days which is inadequate. The maximum was raised to 180 days but just to CYA the correct answer is "as long as feasible" which means rolling into permanent storage.

  • @malvinportner
    @malvinportner Год назад +1

    If you buy the on-demand access for antisyphontraining, do you get access to all the courses or just to the selected course?

  • @casfren
    @casfren Год назад +3

    i still don't understand how did they bypass 2fa. I would really appreciate a explanation.

    • @KrysticsCorner
      @KrysticsCorner Год назад +1

      They did not have to bypass it directly. They used cookies that still had valid access from an authenticated session.

    • @casfren
      @casfren Год назад

      @@KrysticsCorner I was talking about the first one.
      I get how though malware you can steal cookies. But the first account should have been protected by 2FA right? How did they bypass that?

    • @grimtrigg3r
      @grimtrigg3r Год назад

      @@casfrenthere are a few ways, but Evilproxy phishing is one common effective method. Google evilproxy, non FIDO2 mfa methods are vulnerable to this attack.

    • @dyerseve3001
      @dyerseve3001 Год назад

      ​@@casfren I don't think that was covered in the video, but the training is out there for you to look at on your own.

  • @DrDoktor60
    @DrDoktor60 Год назад +40

    KQL my dude. No one does log analysis like that in Azure

    • @Soup69God
      @Soup69God Год назад +5

      even using Excel would be better lol

    • @kevinportillo1971
      @kevinportillo1971 Год назад +1

      I hate how several KQL templates don’t work right off the bat.

    • @forid200
      @forid200 Год назад +9

      John is just doing things how he's comfortable, I guess as long as you get the end result. That's all that matters.

    • @data_eng_tuts
      @data_eng_tuts Год назад +1

      This is the best way, how would you do that?

    • @krshn4n
      @krshn4n Год назад

      sometimes you have to deal with raw logs. sentinel and log analytics ease up the hunt but no harm in learning to dig through raw logs

  • @dyarizadeh3
    @dyarizadeh3 Год назад +2

    Just curious, incase anyone picked up on it, did they say how the attacker initially accessed the device (pivot from cloud to disk)? I might be confused, but later in the video we look at security logs on the user's device, but it looks like there was a password spray against a specific application (possibly Azure portal?) hosted in the cloud.
    Thanks!

    • @KrysticsCorner
      @KrysticsCorner Год назад +1

      The DC in this example is in the Azure environment. It logged the pw spray including failures and the successfully compromised user - Afterwards, 10:45 you were shown that compromised user manipulating machines because they already had that users access into the environment. The machine in this case "WS-3" was likely a VDI from Azure, thus already in the environment. If it was physical and in a separate location with Azure AD, it could still be compromised, though we would probably be looking at attempts to use Onedrive or some other vector to have access to the machine. The exercise does not explicitly describe the physical vs virtual desktop scenario and you are only meant (IMO) to be looking at what was done with the Azure account (which would have been possible in either scenario once the actor had access to interactive login).

    • @dyarizadeh3
      @dyarizadeh3 Год назад

      Azure VDI interesting take/great insight thank you

    • @iConk3r
      @iConk3r Год назад +2

      @@KrysticsCorner But WS3 wasn't the original foothold. WS1 was. How did the threat actor get WS3 to reach out to WS1's SMB share with no control over it, download and execute the payload? Workstations aren't going to just arbitrarily reach out to any host serving SMB shares and download things.
      This exercise seems to take a lot of liberties and doesn't demonstrate a real world scenario. There's a lot of assumptions and cut corners here.

    • @KrysticsCorner
      @KrysticsCorner Год назад

      @@iConk3r I've seen this happen real world. It isn't that a machine normally does this, simply that it is possible. In my scenario the Dom creds were not MFA protected, however, and the machines were physical. I wish I understood more about the micro level of Microsoft auth in the background here, but I don't have enough info to help further right now. Apologies.

  • @TheYossi86
    @TheYossi86 Год назад +3

    So how did they bypass the 2 factor authentication in the beginning? It doesn't say.

    • @isawrooka4
      @isawrooka4 Год назад

      @@wildstorm74users not being educated is basically a given and not a good excuse for a security team. There were many steps along the way where these attack steps could have been mitigated, detected, and even outright prevented. Security admins who blame end users are lazy and limit their own potential to actually implement cool and fun shit

    • @TheYossi86
      @TheYossi86 Год назад

      @@wildstorm74 yeah but the initial access itself needed 2FA and it doesn't say how he bypassed the initial 2FA.

    • @HexNebula
      @HexNebula Год назад +1

      @@wildstorm74 Prolly the user accepted MFA by accident - or was tricked through social engineering to accept it.
      ... Cookies would mean no password or MFA would be needed, it'd become an anomalous token
      As the ID was bruteforced/sprayed... Cookie/token hijack isn't the case, as they're raising unnecessary alarm bells

    • @Soup69God
      @Soup69God Год назад

      @@HexNebula MFA was via TXT which means that the token would have logically had to have been stolen via spearphishing. Plus, number matching is enforced in Azure so unless MFA is phone call, the user cant just click "yes" and log in. Token theft or sim swap are likely, but sim swap is very very rare.

    • @TylerFugate
      @TylerFugate Год назад +1

      @@Soup69GodMost likely a targeted phish after the successful password entry. John misspoke when he says the successes for Paul Bowman were later in the same minute, it was 49 minutes after.
      The attacker would have had time to perform an AitM attack targeted at Paul Bowman, possibly leveraging his known password as a way to gain trust. Although, an AitM attack doesn't require knowledge of the password, so it could be something else entirely.

  • @LtChachee
    @LtChachee Год назад

    What course was this for? I can't seem to find it on the site.

  • @iConk3r
    @iConk3r Год назад +4

    So this video went from: User's Azure AD account was compromised -> Ad Break -> Now they have a foot hold in the work station.
    How??
    Just because you have access to someone's Azure Credentials doesn't automatically give you remote access to their workstation. Can you expand a bit on how they would pivot from Azure AD to accessing a device on the network?

  • @mateusgodoy5060
    @mateusgodoy5060 Год назад

    Amazing video. Congratulations!

  • @Patrick-h9v
    @Patrick-h9v Год назад

    Remember always that you not only have the right to be an individual, you have an obligation to be one.

  • @hawks5196
    @hawks5196 Год назад +5

    Could you do some more Virus analysis? I’m not even in the industry but I love watching you pick apart and de-obfuscate viruses code. I had no idea people went to those extents to avoid detection. Some of them do stupid messy tricks, but some you have pulled apart and they seem insanely clever! Love learning about it all, even if I will never use the skills/knowledge 😂

  • @mattoney3805
    @mattoney3805 Год назад

    Thank you, great stuff!!

  • @davidbl1981
    @davidbl1981 Год назад

    Login cred spraying to knowing the users MFA heh .. the “thin red line” kinda blows …😅

  • @data_eng_tuts
    @data_eng_tuts Год назад

    Simply awesome 👏👏👏🎊

  • @eliemassaad5720
    @eliemassaad5720 Год назад

    Did you try to analyze Azure Log with Wazuh ?

  • @Jessica-s6s6g
    @Jessica-s6s6g Год назад

    As long as your going to be thinking anyway, think big.

  • @j_t_eklund
    @j_t_eklund Год назад

    Bad security check design,
    it should ask for a new 2fa for the existing cookie to after a ip change.
    It is a separate login..

  • @Miriam-v6r
    @Miriam-v6r Год назад

    I'd always thought lightning was something only I could see.

  • @BrutusMaximusAurelius
    @BrutusMaximusAurelius Год назад +1

    What triggered the investigation? Did we just randomly hunt or was something malicious detected?

    • @MrPapaFate
      @MrPapaFate Год назад +1

      I think in this case the amount of failed logins within a certain timeframe would cause an alert. Not sure if its the same for like "all users" vs per user though.

  • @Alexia-s4h
    @Alexia-s4h Год назад

    It's important to remember to be aware of rampaging grizzly bears.

  • @xXhotshot55Xx
    @xXhotshot55Xx Год назад +1

    I feel like it'd be a lot easier to sort through this data in excel instead of using a text editor for a csv file.

    • @cristophersoto1244
      @cristophersoto1244 Год назад

      That's true,

    • @86ajmn
      @86ajmn 11 месяцев назад

      If its easier for YOU, then thats great. Use whatever tools you can. the point is CSV means comma seperated so whatever can deal with that is fine. For me I use Sentintel which has all of the count and sort functions he used here built into the tool.

  • @steingat
    @steingat Год назад +1

    Whats Azure? Microsoft tells me that theres only Entra ID these days...... /sarcasm

  • @FusionTechAI
    @FusionTechAI Год назад

    Did we have a CVE about that? 🤔

  • @raycordero01
    @raycordero01 Год назад

    SIMPLY AWESOME!

  • @kevinportillo1971
    @kevinportillo1971 Год назад

    NinjaRMM and CyberCNS??? They should have been able to detect the threat.

  • @nsnsuplementos2397
    @nsnsuplementos2397 Год назад

    That’s crazy my wiggaz

  • @adrianocaporro639
    @adrianocaporro639 11 месяцев назад

    Is this incident response on try and hack me or any other platform?

  • @Sonyboj
    @Sonyboj Год назад

    ah good , something that is useful finally

  • @Isidore-g2o
    @Isidore-g2o Год назад

    Slow down and everything you are chasing will come around and catch you.

  • @ca7986
    @ca7986 Год назад

    Imagine being Paul.

  • @ac0rpbg
    @ac0rpbg Год назад

    All this is assuming the offender put 0 effort in wiping the logs :D

  • @balajisharathkumar9753
    @balajisharathkumar9753 Год назад

    this video is very amaing video john as a bule team investigate like me should know these type of attacks in detail thanks for sharing 🤩🤩🤩🤩🤩🤩🤩🤩🤩💖💖💖💗💗

  • @Zachsnotboard
    @Zachsnotboard Год назад

    azure has a GUI for all of this lol

  • @ReligionAndMaterialismDebunked

    Early crew.

  • @igyxo1439
    @igyxo1439 Год назад

    So you are doing incident response by looking into csv files? Yeah, that's efficient. 🤣 I'm stopping to watch now.

  • @Benmaluco9
    @Benmaluco9 Год назад +3

    1st

  • @anonsforever_cloud
    @anonsforever_cloud Год назад +1

    I am a noob. I have no idea what's going on here but I been falling asleep to hacker videos so a lot of these words are starting to sound familiar to me. I'm like a toddler for example, learning english for the very first time. 😅