Another thing that I noticed. There were 2 RMM tools running on that workstation, Ninja and CW Automate. Typically MSPs have only 1 RMM configured, unless they are transitioning over to another one. Some threat actors are utilizing RMM tools to backdoor into remote systems.
Came back to reference some of your syntax for the THM Advent of Cyber ;) . Always so helpful John, thanks for everything you contribute to the community.
I usually go through logs just to find what and when the original moment of compromise took place, unless the tenant has the enhanced security protections license for Explorer then it makes it easier to even prevent the threat.
So this video went from: User's Azure AD account was compromised -> Ad Break -> Now they have a foot hold in the work station. How?? Just because you have access to someone's Azure Credentials doesn't automatically give you remote access to their workstation. Can you expand a bit on how they would pivot from Azure AD to accessing a device on the network?
For sh automation the cut command has been replaced oldfashioned ways of detecting delimiters, like an obedient master-slave rekation tied to ever-lasting upgrading systems and EoL OS'es. setting up an Azure Workspace makes more sense. Or reuse something incidents reports with webparts. Excel is handy for manual digging and finding patrons based om experience.
Could you do some more Virus analysis? I’m not even in the industry but I love watching you pick apart and de-obfuscate viruses code. I had no idea people went to those extents to avoid detection. Some of them do stupid messy tricks, but some you have pulled apart and they seem insanely clever! Love learning about it all, even if I will never use the skills/knowledge 😂
Definitely a consideration because the default for Azure is 30 days which is inadequate. The maximum was raised to 180 days but just to CYA the correct answer is "as long as feasible" which means rolling into permanent storage.
Just curious, incase anyone picked up on it, did they say how the attacker initially accessed the device (pivot from cloud to disk)? I might be confused, but later in the video we look at security logs on the user's device, but it looks like there was a password spray against a specific application (possibly Azure portal?) hosted in the cloud. Thanks!
The DC in this example is in the Azure environment. It logged the pw spray including failures and the successfully compromised user - Afterwards, 10:45 you were shown that compromised user manipulating machines because they already had that users access into the environment. The machine in this case "WS-3" was likely a VDI from Azure, thus already in the environment. If it was physical and in a separate location with Azure AD, it could still be compromised, though we would probably be looking at attempts to use Onedrive or some other vector to have access to the machine. The exercise does not explicitly describe the physical vs virtual desktop scenario and you are only meant (IMO) to be looking at what was done with the Azure account (which would have been possible in either scenario once the actor had access to interactive login).
@@KrysticsCorner But WS3 wasn't the original foothold. WS1 was. How did the threat actor get WS3 to reach out to WS1's SMB share with no control over it, download and execute the payload? Workstations aren't going to just arbitrarily reach out to any host serving SMB shares and download things. This exercise seems to take a lot of liberties and doesn't demonstrate a real world scenario. There's a lot of assumptions and cut corners here.
@@iConk3r I've seen this happen real world. It isn't that a machine normally does this, simply that it is possible. In my scenario the Dom creds were not MFA protected, however, and the machines were physical. I wish I understood more about the micro level of Microsoft auth in the background here, but I don't have enough info to help further right now. Apologies.
@@KrysticsCorner I was talking about the first one. I get how though malware you can steal cookies. But the first account should have been protected by 2FA right? How did they bypass that?
@@casfrenthere are a few ways, but Evilproxy phishing is one common effective method. Google evilproxy, non FIDO2 mfa methods are vulnerable to this attack.
I think in this case the amount of failed logins within a certain timeframe would cause an alert. Not sure if its the same for like "all users" vs per user though.
@@wildstorm74users not being educated is basically a given and not a good excuse for a security team. There were many steps along the way where these attack steps could have been mitigated, detected, and even outright prevented. Security admins who blame end users are lazy and limit their own potential to actually implement cool and fun shit
@@wildstorm74 Prolly the user accepted MFA by accident - or was tricked through social engineering to accept it. ... Cookies would mean no password or MFA would be needed, it'd become an anomalous token As the ID was bruteforced/sprayed... Cookie/token hijack isn't the case, as they're raising unnecessary alarm bells
@@HexNebula MFA was via TXT which means that the token would have logically had to have been stolen via spearphishing. Plus, number matching is enforced in Azure so unless MFA is phone call, the user cant just click "yes" and log in. Token theft or sim swap are likely, but sim swap is very very rare.
@@Soup69GodMost likely a targeted phish after the successful password entry. John misspoke when he says the successes for Paul Bowman were later in the same minute, it was 49 minutes after. The attacker would have had time to perform an AitM attack targeted at Paul Bowman, possibly leveraging his known password as a way to gain trust. Although, an AitM attack doesn't require knowledge of the password, so it could be something else entirely.
If its easier for YOU, then thats great. Use whatever tools you can. the point is CSV means comma seperated so whatever can deal with that is fine. For me I use Sentintel which has all of the count and sort functions he used here built into the tool.
I am a noob. I have no idea what's going on here but I been falling asleep to hacker videos so a lot of these words are starting to sound familiar to me. I'm like a toddler for example, learning english for the very first time. 😅
Another thing that I noticed. There were 2 RMM tools running on that workstation, Ninja and CW Automate. Typically MSPs have only 1 RMM configured, unless they are transitioning over to another one. Some threat actors are utilizing RMM tools to backdoor into remote systems.
Came back to reference some of your syntax for the THM Advent of Cyber ;) . Always so helpful John, thanks for everything you contribute to the community.
Just a note - I don't think file auditing is on by default (please correct me if I'm wrong) in many orgs, so don't always expect to find ID 4663
It used to be that way with 365 tenants but it's on by default now.
A smile is a light in the window of your face to show your heart is at home.
No mention of how they bypassed 2fa after compromising the acct. Very informative video. Really enjoyed it.
They did mention that, aka cookie stealer. Keep learning young padawan.
Johns expression thumbnail is me when I see RMM on a DC - Great video❤
If you love someone, set them free. If they come back they're yours; if they don't they never were.
KQL my dude. No one does log analysis like that in Azure
even using Excel would be better lol
I hate how several KQL templates don’t work right off the bat.
John is just doing things how he's comfortable, I guess as long as you get the end result. That's all that matters.
This is the best way, how would you do that?
sometimes you have to deal with raw logs. sentinel and log analytics ease up the hunt but no harm in learning to dig through raw logs
I usually go through logs just to find what and when the original moment of compromise took place, unless the tenant has the enhanced security protections license for Explorer then it makes it easier to even prevent the threat.
So this video went from: User's Azure AD account was compromised -> Ad Break -> Now they have a foot hold in the work station.
How??
Just because you have access to someone's Azure Credentials doesn't automatically give you remote access to their workstation. Can you expand a bit on how they would pivot from Azure AD to accessing a device on the network?
Congratulations on 1 Million!!!! 🙌🙌🙌
For sh automation the cut command has been replaced oldfashioned ways of detecting delimiters, like an obedient master-slave rekation tied to ever-lasting upgrading systems and EoL OS'es.
setting up an Azure Workspace makes more sense. Or reuse something incidents reports with webparts.
Excel is handy for manual digging and finding patrons based om experience.
Could you do some more Virus analysis? I’m not even in the industry but I love watching you pick apart and de-obfuscate viruses code. I had no idea people went to those extents to avoid detection. Some of them do stupid messy tricks, but some you have pulled apart and they seem insanely clever! Love learning about it all, even if I will never use the skills/knowledge 😂
Entertaining and easily digestible information. Good job!
This raises an interesting question about how long you should retain logs.
Definitely a consideration because the default for Azure is 30 days which is inadequate. The maximum was raised to 180 days but just to CYA the correct answer is "as long as feasible" which means rolling into permanent storage.
big thanks
PCA from philippines
If you buy the on-demand access for antisyphontraining, do you get access to all the courses or just to the selected course?
Nicely Explained ! Great Video Man.
Remember always that you not only have the right to be an individual, you have an obligation to be one.
I'd always thought lightning was something only I could see.
Bad security check design,
it should ask for a new 2fa for the existing cookie to after a ip change.
It is a separate login..
Did we have a CVE about that? 🤔
Thank you, great stuff!!
Just curious, incase anyone picked up on it, did they say how the attacker initially accessed the device (pivot from cloud to disk)? I might be confused, but later in the video we look at security logs on the user's device, but it looks like there was a password spray against a specific application (possibly Azure portal?) hosted in the cloud.
Thanks!
The DC in this example is in the Azure environment. It logged the pw spray including failures and the successfully compromised user - Afterwards, 10:45 you were shown that compromised user manipulating machines because they already had that users access into the environment. The machine in this case "WS-3" was likely a VDI from Azure, thus already in the environment. If it was physical and in a separate location with Azure AD, it could still be compromised, though we would probably be looking at attempts to use Onedrive or some other vector to have access to the machine. The exercise does not explicitly describe the physical vs virtual desktop scenario and you are only meant (IMO) to be looking at what was done with the Azure account (which would have been possible in either scenario once the actor had access to interactive login).
Azure VDI interesting take/great insight thank you
@@KrysticsCorner But WS3 wasn't the original foothold. WS1 was. How did the threat actor get WS3 to reach out to WS1's SMB share with no control over it, download and execute the payload? Workstations aren't going to just arbitrarily reach out to any host serving SMB shares and download things.
This exercise seems to take a lot of liberties and doesn't demonstrate a real world scenario. There's a lot of assumptions and cut corners here.
@@iConk3r I've seen this happen real world. It isn't that a machine normally does this, simply that it is possible. In my scenario the Dom creds were not MFA protected, however, and the machines were physical. I wish I understood more about the micro level of Microsoft auth in the background here, but I don't have enough info to help further right now. Apologies.
Amazing video. Congratulations!
i still don't understand how did they bypass 2fa. I would really appreciate a explanation.
They did not have to bypass it directly. They used cookies that still had valid access from an authenticated session.
@@KrysticsCorner I was talking about the first one.
I get how though malware you can steal cookies. But the first account should have been protected by 2FA right? How did they bypass that?
@@casfrenthere are a few ways, but Evilproxy phishing is one common effective method. Google evilproxy, non FIDO2 mfa methods are vulnerable to this attack.
@@casfren I don't think that was covered in the video, but the training is out there for you to look at on your own.
Did you try to analyze Azure Log with Wazuh ?
SIMPLY AWESOME!
What triggered the investigation? Did we just randomly hunt or was something malicious detected?
I think in this case the amount of failed logins within a certain timeframe would cause an alert. Not sure if its the same for like "all users" vs per user though.
Login cred spraying to knowing the users MFA heh .. the “thin red line” kinda blows …😅
NinjaRMM and CyberCNS??? They should have been able to detect the threat.
As long as your going to be thinking anyway, think big.
So how did they bypass the 2 factor authentication in the beginning? It doesn't say.
@@wildstorm74users not being educated is basically a given and not a good excuse for a security team. There were many steps along the way where these attack steps could have been mitigated, detected, and even outright prevented. Security admins who blame end users are lazy and limit their own potential to actually implement cool and fun shit
@@wildstorm74 yeah but the initial access itself needed 2FA and it doesn't say how he bypassed the initial 2FA.
@@wildstorm74 Prolly the user accepted MFA by accident - or was tricked through social engineering to accept it.
... Cookies would mean no password or MFA would be needed, it'd become an anomalous token
As the ID was bruteforced/sprayed... Cookie/token hijack isn't the case, as they're raising unnecessary alarm bells
@@HexNebula MFA was via TXT which means that the token would have logically had to have been stolen via spearphishing. Plus, number matching is enforced in Azure so unless MFA is phone call, the user cant just click "yes" and log in. Token theft or sim swap are likely, but sim swap is very very rare.
@@Soup69GodMost likely a targeted phish after the successful password entry. John misspoke when he says the successes for Paul Bowman were later in the same minute, it was 49 minutes after.
The attacker would have had time to perform an AitM attack targeted at Paul Bowman, possibly leveraging his known password as a way to gain trust. Although, an AitM attack doesn't require knowledge of the password, so it could be something else entirely.
It's important to remember to be aware of rampaging grizzly bears.
Whats Azure? Microsoft tells me that theres only Entra ID these days...... /sarcasm
I feel like it'd be a lot easier to sort through this data in excel instead of using a text editor for a csv file.
That's true,
If its easier for YOU, then thats great. Use whatever tools you can. the point is CSV means comma seperated so whatever can deal with that is fine. For me I use Sentintel which has all of the count and sort functions he used here built into the tool.
What course was this for? I can't seem to find it on the site.
Simply awesome 👏👏👏🎊
That’s crazy my wiggaz
ah good , something that is useful finally
Slow down and everything you are chasing will come around and catch you.
I am a noob. I have no idea what's going on here but I been falling asleep to hacker videos so a lot of these words are starting to sound familiar to me. I'm like a toddler for example, learning english for the very first time. 😅
this video is very amaing video john as a bule team investigate like me should know these type of attacks in detail thanks for sharing 🤩🤩🤩🤩🤩🤩🤩🤩🤩💖💖💖💗💗
Is this incident response on try and hack me or any other platform?
All this is assuming the offender put 0 effort in wiping the logs :D
Imagine being Paul.
Early crew.
So you are doing incident response by looking into csv files? Yeah, that's efficient. 🤣 I'm stopping to watch now.
azure has a GUI for all of this lol
1st
Congrats