Read the original article: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
In December 2020, FireEye uncovered and publicly disclosed a
widespread attacker campaign that is being tracked as UNC2452.
In some, but not all, of the intrusions associated with this campaign
where Mandiant has visibility, the attacker used their access to
on-premises networks to gain unauthorized access to the victim’s
Microsoft 365 environment.
Goals and Objectives
Methodologies that UNC2452 and other threat actors have used to move
laterally from on-premises networks to the Microsoft 365 cloud have
been detailed in our white paper,
Remediation
and Hardening Strategies for Microsoft 365 to Defend Against
UNC2452. The paper also discusses how organizations can
proactively harden their environments and remediate environments where
similar techniques have been observed.
Mandiant is releasing an auditing script, Azure
AD Investigator, through its GitHub repository that
organizations can use to check their Microsoft 365 tenants for
indicators of some of the techniques used by UNC2452. The script will
alert administrators and security practitioners to artifacts that may
require further review to determine if they are truly malicious or
part of legitimate activity. Many of the attacker techniques detailed
in the white paper are dual-use in nature—they can be used by threat
actors but also by legitimate tools. Therefore, a detailed review for
specific configuration parameters may be warranted, including
correlating and verifying that configurations are aligned with
authorized and expected activities.
Attacker Tactics, Techniques and Procedures (TTPs)
Mandiant has observed UNC2452 and other threat actors moving
laterally to the Microsoft 365 cloud using a combination of four
primary techniques:
- Steal the Active Directory Federation Services (AD FS)
token-signing certificate and use it to forge tokens for arbitrary
users (sometimes described as Golden
SAML). This would allow the attacker to authenticate into a
federated resource provider (such as Microsoft 365) as any user,
without the need for that user’s password or their corresponding
multi-factor authentication (MFA) mechanism. - Modify or add
trusted domains in Azure AD to add a new federated Identity Provider
(IdP) that the attacker controls. This would allow the attacker to
forge tokens for arbitrary users and has been described as an Azure AD backdoor. - Compromise the credentials of on-premises user accounts that are
synchronized to Microsoft 365 that have high privileged directory
roles, such as Global Administrator or Application
Administrator. -
Backdoor
an existing Microsoft 365 application by adding a new application or
service principal credential in order to use the legitimate
permissions assigned to the application, such as the ability to read
email, send email as an arbitrary user, access user calendars,
etc.
Read the white
paper for a detailed overview of each technique, including
practical remediation and hardening strategies, and check out our
auditing script, Azure
AD Investigator.
Detections
|
FireEye Helix Detection |
MITRE Technique |
Detection Logic |
|
MICROSOFT AZURE ACTIVE DIRECTORY |
Alert on suspicious logon |
|
|
OFFICE 365 [Federated Domain |
Alert on new domain |
|
|
OFFICE 365 [Modified Domain
|
Alert of modification to |
|
|
OFFICE 365 [User Added Credentials |
Alert on addition of |
|
|
OFFICE 365 ANALYTICS [Abnormal
|
Alert on suspicious login |
|
|
WINDOWS METHODOLOGY [ADFS |
Alert on activity access |
Read the original article: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452