
Microsoft

Into The Breach


Instructor Guide

©2022 Circadence Corporation. All rights reserved. Circadence, the Circadence logo, Project Ares, and the Project Ares logo
are trademarks or registered trademarks of Circadence in the U.S and in other countries.
All other trademarks or registered trademarks belong to their respective owners.
Table of Contents
Target Audience ...................................................................................................................................................4
Course Description ...............................................................................................................................................4
Prerequisites ........................................................................................................................................................4
Conventions Used in this Guide ...........................................................................................................................4
Version Control ....................................................................................................................................................4
Player Access ........................................................................................................................................................5
System Requirements ......................................................................................................................................5
Connectivity Test..............................................................................................................................................6
Account Activation ...........................................................................................................................................6
Instructor Login Process.......................................................................................................................................6
Navigating Instructor Tools ..................................................................................................................................8
Navigating the Instructor Dashboard.................................................................................................................13
Navigation Basics: How to Run Into The Breach ................................................................................................14
Into The Breach Scenario Narrative ...................................................................................................................18
Threat Actor’s Attack Path Summary .............................................................................................................18
Victim Scenario ..............................................................................................................................................19
UVM Health (Victim) Network Architecture ..................................................................................................20
Solving Mission Tasks .........................................................................................................................................21
Using Hints to Solve Mission Tasks ....................................................................................................................22
Using the VNC console .......................................................................................................................................23
Running Microsoft Sentinel ...............................................................................................................................24
Running Microsoft 365 Defender ......................................................................................................................29
Microsoft 365 Defender and Sentinel Documentation .....................................................................................31
Answering Questions via the Analyst Portal ......................................................................................................32
Into The Breach - Objectives and Solutions .......................................................................................................34
Objective 01: Can you take a Hint? ................................................................................................................34
Objective 02: Piling Bricks ..............................................................................................................................35
Objective 03: Malware Everywhere! .............................................................................................................37
Objective 04: Repeat Offender ......................................................................................................................38
Objective 05: The Source of Evil ....................................................................................................................40

2 Microsoft Security Immersion Workshop Into The Breach Instructor Guide


Document version 2022.08.12
Objective 06: Sniffing Around ........................................................................................................................42
Objective 07: Sneaking Through the Back .....................................................................................................44
Objective 08: Well That's Not Supposed to be Here .....................................................................................46
Objective 09: Hollaback Girl? More like Callback Script ................................................................................48
Objective 10: Friend or Foe? ..........................................................................................................................50
Objective 11: Same Task, Different Box .........................................................................................................52
Objective 12: The Sneakiest of Services.........................................................................................................54
Objective 13: Dumping Hashes for Days ........................................................................................................56
Objective 14: Disabling Our Defenses ............................................................................................................57
Objective 15: Knock Knock Knocking on the DMZ Door ................................................................................59
Objective 16: The Call is Coming from Inside the House ...............................................................................60
Objective 17: If at First You Don’t Succeed…Try, Try Again ...........................................................................61
Objective 18: Stranger Danger: ......................................................................................................................63
Objective 19: I’ve Got You Now! ....................................................................................................................65
Objective 20: And Life Goes On .....................................................................................................................66
Objective 21: Well That Can’t Be Good .........................................................................................................67
Objective 22: Automation For the Win ..........................................................................................................68
Objective 23: Getting Their Bearings .............................................................................................................70
Objective 24: Hey, That’s My Data! ...............................................................................................................72
Objective 25: Weaseling Their Way In ...........................................................................................................73
Objective 26: One is Enough ..........................................................................................................................75
Objective 27: Strutting Around Like They Own the Place ..............................................................................77
Objective 28: Pivoting Constantly ..................................................................................................................79
Objective 29: Blocking Baddies ......................................................................................................................81
Objective 30: Everything But the Kitchen Sink ..............................................................................................82
Objective 31: Attacking from Every Direction ...............................................................................................84
Objective 32: Learning Our Lesson ................................................................................................................86
Appendix A .........................................................................................................................................................87

Target Audience
This Instructor Guide is for instructors teaching the Microsoft Into The Breach (ITB) workshop.

Course Description
The Microsoft Into The Breach (ITB) workshop gives students in-depth, hands-on knowledge of defending
against a cyberattack using the Microsoft 365 Defender and Microsoft Sentinel cyber defense tools.

Prerequisites
Players should be familiar with the Microsoft 365 Defender and Microsoft Sentinel cyber defense tools.

Conventions Used in this Guide


Any Microsoft Sentinel, Defender, or Project Ares button or menu option that the student is
expected to click on will use

Version Control
Version control for this document can be found in Appendix A here.

Player Access
The first step to running a successful outcome will be to ensure all players have proper access to the
platform and understand basic navigation. This section will review these important topics.

System Requirements
While we cannot control the type of endpoint participants use, we can reduce the risk of problems by
ensuring that their systems meet the minimum requirements for a good Project Ares experience.

If a player communicates issues from the start of the event (for example, everything is
running very slowly), review the minimum system requirements with them.

Connectivity Test
Players participating in this event will have different network configurations. To ensure each enjoys
the best experience, we encourage users to check their configuration using the same endpoint and
internet connection that they plan on using at the time of the event.

Players can test their network connections by running the test located here:

https://projectares.academy/test-your-connection

Account Activation
Players should already have activated their accounts prior to the event; for last-minute additions,
however, there is a resource to help get players activated and onto the platform.

Watch the Account Activation video: https://projectares.academy/support/account-activation

Reach out to your Project Ares coordinator: InstructorServices@ProjectAres.Academy

Instructor Login Process


During account activation, players are logged in to Project Ares automatically; however, there may be a
lag between activation and the first event. If a player forgets how to log on, the following resources
will get them logged on quickly.

Here is a brief video on how to logon to Project Ares: Logging on to Project Ares.

Pro Tip: Have players bookmark our homepage: Welcome to Project Ares

To log on as an Instructor to Into The Breach, go to the
Logon Page here.

Enter the credentials provided to you.

After successfully logging on, you will be taken to the Home page. As an instructor you have access
to a Dashboard for tracking student progress covered here. Click on .

Your account has been created with an Instructor profile, allowing you to enter as an Instructor.

Click

Navigating Instructor Tools

Navigating the Instructor Dashboard
On the post-logon Home page, you can view player progress by selecting the Dashboard option.

This opens the Dashboard page where you can view overall player progress on this mission.

Navigation Basics: How to Run Into The Breach

There are two options for launching the Microsoft Security Immersion Workshop - Into the Breach:

On the mission dashboard shown below, No Data Available appears the first time this mission runs.

The History tab displays information about dates, scores, and mission statistics.

On the left side, adjacent to the mission coin, is a brief description of the mission where players can
choose a difficulty level, and then, click on to begin the mission.

After clicking , a brief video will play.

After the video, the Mission control panel appears as shown below. Players click on the gold
button to review the mission’s orders.

The player reviews each mission tab, starting with the tab on the left.

Each tab covers a different aspect of the mission; clicking through the tabs in order lets the player
review each topic and learn the information they need for the mission. After reading the final tab,
clicking on Continue returns the player to Mission Control.

The mission button is initially red while the Azure cloud environment initializes the virtual
machines (VMs) required to run the mission scenarios.

When the button turns gold, the mission is ready to play.

Clicking on the gold button takes the player to the Field Operations User Interface
shown below. A Reconnaissance network map is displayed with mission tasks to the right. Working
through the various mission tasks, also known as Learning Objectives, becomes the focus of the
player’s effort for the remainder of the mission.

Into The Breach Scenario Narrative
Threat Actor’s Attack Path Summary

1. Attacker sends a phishing email to several employees at UVM Health claiming that the connection
to their NMIS is faulty and requesting that they open the attached file for instructions on fixing it.

2. One employee actually opens the attached Word document which prompts the execution of an
embedded malicious macro. The macro execution connects to the attacker’s C2 server to download
the Remote Access Trojan (RAT). When the RAT is executed, the attacker receives a callback shell
from the initial access endpoint: REHAB-6.

3. Attacker performs some local system enumeration before establishing persistence.

4. Attacker identifies a network share containing patient records, then copies the contents of the share
to the local system before archiving and exfiltrating.

5. Attacker performs privilege escalation to achieve SYSTEM access.

6. Attacker wipes local Defender definitions and performs network enumeration.

7. Attacker stages a Netcat executable, then sends an internal spearphishing email from the compromised
account (JROADER) to SBEAVERS. The email includes the renamed Netcat executable as an attachment
and is quarantined by Defender.

8. When the internal spearphishing attempt fails, the attacker performs a port scan of the network.

9. Attacker then brute-forces the SBEAVERS account against FLOOR-5-ADM (172.16.20.100) over
port 3389 (RDP).

10. With a successful RDP brute force, attacker uses the credentials to perform WMI commands on
FLOOR-5-ADM, including the creation of a scheduled task to get a callback and establish
persistence.

11. With RDP access, attacker uses PsExec and Mimikatz to dump credential hashes.

12. With the hash for UVMADMIN, attacker uses WMIexec to create a scheduled task to get a callback
and establish persistence on the DC.

13. Once on the Domain Controller (DC), attacker performs Active Directory (AD) recon using
Bloodhound.

14. Attacker attempts to stage ransomware on the DC, but the files are quarantined by Defender.

15. Attacker pivots to attacking from the NMIS endpoint, using that trusted connection to perform
remote execution in order to download and execute the ransomware on every accessible endpoint.

Victim Scenario
The latest targets of opportunity in a string of ransomware attacks are hospitals and medical
centers. In these attacks, records have been encrypted, affecting thousands of patients, including
some that are in the middle of ongoing treatment. Additionally, these attacks are responsible for
threatening patients’ lives by postponing critical life-saving surgeries. And, if that weren’t bad
enough, malicious actors are threatening to release patients’ personally identifiable information (PII)
on dark web sites if ransoms are not paid promptly. To make matters worse, ransom payments must
be in cryptocurrency, which is harder for law enforcement to track and recover.

The Into The Breach Players are being requested to assist with the Incident Response investigation
of an attack on the UVM Health Network.

You have arrived at the hospital and begin working with the local IT support office. Their network
security was provided by a managed security service provider (MSSP), which still hosts an NMIS with a
trusted connection into the hospital.

UVM Health (Victim) Network Architecture

Solving Mission Tasks
Players work through the Into the Breach mission by clicking on and working through each of the 34
mission tasks.

Using the Field Operations screen below as a reference, note the second mission objective “Piling
Bricks: On what endpoint did the ransomware execute successfully?”

The player launches VNC Access to open a new browser window from which the Microsoft Sentinel and
Defender tools are accessed. If unable to answer a question, the player can seek help by clicking on
the question mark, which opens the Hints window shown below.

There are four hints, with the final hint providing the answer. A player who answers the Objective
challenge without hints receives the maximum points. Each hint used (after the first) lowers the
maximum points available, so players who determine the correct responses without hints have a
greater chance of moving up the leaderboard. See the next section for details on how scoring works.

Using Hints to Solve Mission Tasks
The in-game Hints guide players who do not already know how to solve a given challenge towards the
solution.

Using Hints is not penalized in the sense that points are not subtracted from a player's score;
however, a player who uses Hints cannot earn the maximum points available for the objective. Because
the Leaderboard is based on points, using Hints will lower a player's position on the board.

The task objective scoring works as follows:


1. Maximum points for a correct answer: 100 points.
2. First Hint is free and has no effect on scoring.
3. Second Hint reduces the maximum points achievable to 75 points.
4. Third Hint reduces the maximum points achievable to 50 points.
5. Fourth Hint reduces the maximum points achievable to 25 points.
Should a player decide to use a hint:

They click on the adjacent to the task objective. This opens the first page of
the hints window. The player then reviews the hint and is free to switch back to the console
window and attempt to solve the task objective.

If the player wishes to see a second hint, they click on the right arrow, revealing a second
hint. Likewise, they can continue through the hints until the final hint, where the answer is
revealed.

Using the VNC console
All of the Battle Room challenges take place on a remote Windows desktop that players connect to
using the button.

Clicking on will open a new browser window providing the player a remote console
where all of the tasks and exercises will take place for this mission.

Notice the icon. Clicking on that icon opens a browser with three tabs: one for
Sentinel, one for Defender, and one for the Analyst Portal (Q&A) used to answer the questions.

Running Microsoft Sentinel


Both Microsoft Sentinel and Defender can be launched using shortcuts provided on the home page
of the virtual console.

To launch Sentinel:
1. From the Field Operations screen, click on . This will open a new browser for
access to the console.

2. From the console window double-click on the Short-cut and in the browser
that opens, click on the second tab to access Sentinel. (Note: the order of the tabs may be
slightly different in your session).

3. Logon to Sentinel using the credentials provided in the credentials file, found on the console
home page.

4. Click on when asked to take the Azure tour.

5. In the Microsoft Azure search bar, type and select from
the results window.

6. Click on the Sentinel workspace called

7. Under the Threat Management window to the left, click on .

8. The incidents page is now open for use in solving Objectives. In many cases, you will need to
proceed to Defender to solve the Learning Objective. On the incidents page, click on an
incident where the Product name is .

9. Click on the option to investigate the incident in Microsoft 365 Defender.

10. Microsoft 365 Defender opens.

Remember to adjust the timeframe in both Defender and Sentinel if you do not get the
results you are expecting. Below is a screenshot of how to adjust the timeframe in Sentinel.
First click on and then adjust the timeline; 14 days should work for most
objectives.

Video Click here to view the Sentinel logon walkthrough video.

Running Microsoft 365 Defender
Both Microsoft Sentinel and Defender can be launched using shortcuts provided on the home page
of the Field Operations virtual console.

To launch Microsoft 365 Defender:

1. From the Field Operations screen, click on VNC Access. This will open a new browser for
access to the console.

2. From the console window double-click on the Short-cut on the left of the
screen. This will open a browser with three tabs. Select the Defender tab.

3. Logon to Defender using the credentials provided in the credentials file, found on the
console home page.

Once logged on, you will be ready to use Microsoft 365 Defender.

Video Click here to view the 365 Defender logon walkthrough video.

Microsoft 365 Defender and Sentinel Documentation
Players have access to Microsoft documentation while working within Project Ares.

For convenience, these Microsoft Sentinel and Defender documents can be found on the web here:

1. Microsoft 365 Integration with Microsoft Sentinel
2. Microsoft Sentinel Investigation
3. What is Microsoft 365 Defender
4. What is Microsoft Sentinel

Players will find the complete set of documents on the VNC console desktop by clicking on the
shortcut:

Answering Questions via the Analyst Portal
When players have researched the Objective and wish to answer questions, they use the Analyst
Portal to respond. On the VNC console home screen, click on the shortcut and then
select the Analyst Portal tab.

This opens the window where players can enter their answers.

Clicking on any one of the Questions will open a Response window where you can enter your
answer, then click on

Into The Breach - Objectives and Solutions
Objective 01: Can you take a Hint?

Can you take a Hint? Introduction to the Interface.

Hint 1:

The first hint provides a small amount of information, just to get you started if you
weren't really sure where to start. You may view this hint without penalty. You'll still
get 100 points once you complete the objective.

Hint 2:

The second hint will expand upon the first. It will get you closer to the answer,
perhaps directing you to the specific portal where the indicator can be found. It will
usually provide some leading information on what to do (or not do) next. Viewing this
hint will cost you 25 points. Your score for completing the objective at this point
would be 75 points.

Hint 3:

The third hint will get you even closer to the answer. This hint will typically point you
toward the section within the portal, and might include some guidance for a query or
filter if appropriate. Viewing this hint will cost you another 25 points. You will receive
50 points for this objective once you complete it.

Hint 4 (How to Solve):

The fourth, and last hint, will walk you through how to get the answer. We don't want
you completely stuck on a question! Viewing this hint will cost you another 25 points.
You will receive 25 points for this objective once you complete it.

Done

Objective 02: Piling Bricks

Piling Bricks - On what endpoints did the ransomware execute successfully?

Watch this Objective’s Walkthrough Video.

For this Learning Objective, the student is expected to access Microsoft 365 Defender through the
shortcut on the VNC desktop and determine on which endpoints the ransomware executed successfully,
as opposed to those where Defender terminated or prevented its execution.

The required steps to do this include the following:

1. Launch VNC Access
2. Launch Microsoft 365 Defender using the shortcut on the desktop
3. Log onto Defender using the credentials stored in the folder on the desktop.

Watch a quick tutorial video on this process by clicking here.

A combination of knowledge, research and the in-game hints will eventually lead the Player to the
correct answer.

Here are the in-game Hints provided to solve this Learning objective:

Hint 1:

Ransomware can cause permanent or temporary loss of data, shutdown operations,
create financial losses for an organization, or damage a company's reputation
amongst other things. Determining the extent of damage or how far the ransomware
has spread within a network is key in determining the next steps in triaging the
incident or mitigating further spread of the malware.

Most ransomware leaves artifacts on systems and network sensors, even when an endpoint
has been infected because it lacked protection. These indications of ransomware can be
found through analysis of host and network activity.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents with Microsoft Sentinel" link in the
Documentation folder on your Analyst desktop.

Hint 2:

Microsoft Sentinel's log aggregation and correlation can help us quickly identify high-
severity incidents. Access Microsoft Sentinel through the shortcut on the desktop or
navigate to https://portal.azure.com and select Microsoft Sentinel. Analyzing
anomalous account or system activity is one method to consider when searching for
potential ransomware on a network or endpoint devices. Depending on the size of the
network, this can be a daunting task to accomplish checking each endpoint device
one-by-one.

Hint 3:

Microsoft Sentinel can show us when incidents have been detected across our
security tools. In this scenario, it has aggregated data from Microsoft 365 Defender,
Microsoft Defender for Endpoint, and Microsoft Defender for Identity. Incidents and
alerts from Microsoft 365 Defender and Microsoft Defender for Endpoint will contain
the necessary evidence to help us find which endpoints ransomware executed on
successfully. With these tools, indications of a successful payload deployment will be
easily identifiable by locating suspicious incidents in the portal.

Hint 4 (How to Solve):

In Microsoft Sentinel, navigate to the Incidents tab under Threat management. Look
for a high severity alert from Microsoft 365 Defender related to privilege escalation
and ransomware*. Select that alert, then choose View full details. Scroll through the
Timeline tab reviewing the alerts. A few alerts will contain the answer you're looking
for, for example the 'Sodinokibi ransomware was detected’ alerts. From the incident
or Alert pages, you can also select Investigate in Microsoft 365 Defender or click the
Alert link to view the source data in the defender portal.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to "privilege escalation and ransomware" or "initial access and exfiltration"; however, the "Multi-stage
incident involving" part of the alert name appears to be consistent.

picu-1, rehab-8, floor-5-adm
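The Sentinel query below is an added illustration for instructors; it is not part of the original guide or of the Project Ares mission content. It does in the Logs blade what Hint 4 walks through in the Incidents blade: start from the "Multi-stage incident" record, follow its alert IDs into the SecurityAlert table, and list the hosts named in the Sodinokibi alerts. Table and column names are the standard Sentinel schema (SecurityIncident, SecurityAlert); the incident and alert titles are the ones quoted in the hint text above and, as the note says, may differ in a given tenant.

```kql
// Added example (not part of the Into The Breach guide). Run from
// Microsoft Sentinel > Logs with the time range set to at least 14 days.
// Step 1: take the latest state of each "Multi-stage incident ..." record.
SecurityIncident
| where Title has "Multi-stage incident"
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| project IncidentNumber, IncidentTitle = Title, Severity, AlertIds
// Step 2: one row per alert ID the incident contains.
| mv-expand AlertId = AlertIds to typeof(string)
// Step 3: join to the alerts Defender forwarded and keep the ransomware ones.
| join kind=inner (
    SecurityAlert
    | where ProductName has "Defender"          // M365D / Defender for Endpoint alerts
    | where AlertName has "Sodinokibi"          // alert title quoted in Hint 4
    | project SystemAlertId, AlertName, AlertSeverity,
              Host = tolower(CompromisedEntity), AlertTime = TimeGenerated
  ) on $left.AlertId == $right.SystemAlertId
// Step 4: one row per host, with the alerts that implicate it.
| summarize FirstAlert = min(AlertTime), Alerts = make_set(AlertName)
          by IncidentNumber, IncidentTitle, Host
| order by FirstAlert asc
```

Two caveats when reading the result. CompromisedEntity is sometimes empty for Defender alerts; in that case the device name is inside the Entities JSON column and has to be pulled out with parse_json and mv-expand. More importantly, a detection alert fires whether the payload ran or was blocked, so the host list is a set of candidates: confirm on which of them the ransomware actually executed from the Alert Story in Microsoft 365 Defender, because that distinction is what the objective's answer turns on.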

36 Microsoft Security Immersion Workshop Into The Breach Instructor Guide


Document version 2022.08.12
Objective 03: Malware Everywhere!

Malware Everywhere! What was the filename of the ransomware executable?

Now that we have some idea of where the ransomware successfully deployed and
which endpoint devices prevented infection, we can drill down into the specific
incidents where the infections occurred. Ransomware leaves a trail of activity behind
that can provide a detailed account of the initial execution and potentially where it
originated from.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com. Drilling down on a specific incident and
understanding how the ransomware was executed on the endpoint provides
extensive details about the ransomware including, but not limited to, the processes
that were started or stopped, commands executed during installation of the
ransomware, and the filename of the shared library that is the actual ransomware.

The Microsoft 365 Defender portal is the primary place to reconstruct the behavior of
the ransomware from installation through execution. Viewing the top-level
incident alone may not be enough; investigate the incident in more detail
using the built-in features of the portal.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. A few alerts will contain the answer
you're looking for, for example the 'Sodinokibi ransomware was detected' alert. Open
that alert, then look through the Alert Story for a reference to a shared library.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to "privilege escalation and ransomware" or "initial access and exfiltration"; however, the "Multi-stage
incident involving" part of the alert appears to be consistent.

mpsvc.dll

Objective 04: Repeat Offender

When they can, attackers will use a single mechanism to deploy malware across
many assets. In this scenario, you've seen that the attacker used PowerShell to
download the ransomware on an impacted device. For additional information about
the tools and features that might be helpful, reference the "Hunt for threats with
Microsoft Sentinel" link in the Documentation folder on your Analyst desktop.

Sometimes as an analyst you are equipped with enough information to conduct
targeted queries using the information you have gathered during an investigation. For
this reason Microsoft Sentinel would be the preferred method to obtain more
information on what was occurring as the attacker was using PowerShell to distribute
ransomware across the environment.

At this point, using Microsoft Sentinel will greatly increase your chances of finding
specific pieces of information that may require specialized queries. Not all hope is
lost, as you can use the pre-built hunting queries under Threat management to hunt
for PowerShell downloads.

In Microsoft Sentinel, select Hunting from under the Threat management category in
the left-hand menu. Look for the pre-built query about downloads via PowerShell,
using the search bar if needed. Before you select the query, set the appropriate time
range based on your knowledge of the attack. After you have set the time range,
select that query and click the View Results button. Review the results to see how
many assets the ransomware was downloaded to using PowerShell.

If you'd prefer not to count the lines, you could add the following logic to the end of
the query in order to get a succinct list of results related to the download of the DLL
file:

| where ProcessCommandLine contains 'mpsvc.dll'

You could also add the following logic to display the number of results per unique
hostname:

| summarize count() by ComputerName

Both additions assume the column names the pre-built query projects. If your copy of
the query returns different names (for example Computer from SecurityEvent, or
DeviceName from DeviceProcessEvents), adjust the filter and the summarize key to
match.
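For a hunt that does not depend on the pre-built query's column names, the query below is an added example, not part of the workshop material. It runs over DeviceProcessEvents (Microsoft 365 Defender Advanced Hunting, or Sentinel when M365D raw events are ingested), where the host column is DeviceName rather than ComputerName, and it groups PowerShell download commands by the URL they fetched so that one mechanism pushed to many hosts stands out as a single row with a long host list. The keyword list is an assumption, not an exhaustive set of download idioms.

```kusto
let lookback = 7d;
// Common PowerShell download idioms; extend this list for your environment (assumption, not exhaustive).
let DownloadPatterns = dynamic(["downloadfile", "downloadstring", "invoke-webrequest", "iwr",
                                "invoke-restmethod", "irm", "wget", "curl",
                                "start-bitstransfer", "net.webclient"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (DownloadPatterns)
// To narrow to the payload already identified in this scenario:
// | where ProcessCommandLine has "mpsvc.dll"
// First URL in the command line, and the file name at the end of it, so identical fetches group together.
| extend Url = extract(@"(?i)(https?://[^\s'""]+)", 1, ProcessCommandLine)
| extend Payload = extract(@"/([^/?\s]+)$", 1, Url)
| summarize Downloads = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Parents = make_set(InitiatingProcessFileName),   // who launched PowerShell (WmiPrvSE.exe, cmd.exe, ...)
            Accounts = make_set(AccountName),
            Hosts = make_set(DeviceName)
    by Url, Payload
| extend HostCount = array_length(Hosts)
| order by HostCount desc, Downloads desc
```

The Parents column is the bridge to the next objective: a download whose parent is WmiPrvSE.exe was triggered remotely over WMI rather than by an interactive user.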

Objective 05: The Source of Evil

The Source of Evil - From what host did the attacker use remote commands to download and
execute the ransomware throughout the environment?

Attackers will often find a way into a network on an endpoint device or other host
that has little or no protection. This is usually a launching point to more critical
network devices or infrastructure that will provide the attacker with more control
over the larger network.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com

Often, movement by an attacker can be followed by viewing higher level
incidents and drilling down through specific alerts or alert stories. Looking for
indications of suspicious remote usage of web-based enterprise management
infrastructure may be helpful.

If using Microsoft Defender and looking at high level incidents that involve privilege
escalation, there are alerts that indicate suspicious usage of Windows Management
Instrumentation (WMI) that may lead to discovery of which device the attacker used
to execute the ransomware on the environment.

First, we need to identify which IP address the remote commands to download and
execute the ransomware came from. In Microsoft 365 Defender, navigate to the
Incidents tab under Incidents & Alerts. Look for the incident concerning privilege
escalation and ransomware*. Click on that incident to open the Incident Details page,
and click on the Alerts tab to view the list of related alerts. Look for an alert about
"suspicious WMI process creation." Scroll through the Alert Story to find an event
where cmd.exe was invoked remotely. Expanding that event will provide the source
IP address. You may have to check multiple alerts before finding the IP address:
192.168.0.100.

Now that we’ve identified 192.168.0.100 as the source of the remote execution, we
can review the network map to determine which host is associated with that IP
address.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to "privilege escalation and ransomware" or "initial access and exfiltration"; however, the "Multi-stage
incident involving" part of the alert appears to be consistent.

NMIS

Objective 06: Sniffing Around

Sniffing Around - What Active Directory enumeration tool did the attacker use to gather information
on the Domain Controller?

Having information about how the ransomware was executed in the environment, we
can now expand our scope to understand what led up to that moment. Understanding
the ransomware can lead us into understanding what the attacker was doing as they
moved through the environment.

For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.

When attackers achieve initial access to an environment and as they move laterally
through it, they often perform discovery and enumeration tasks to gather as much
information as they can. Some alerts provide a clear indication about the activity that
the attacker was performing to acquire this information.

By using Microsoft 365 Defender and focusing on alerts on the domain controller you
should find clear indications of tool usage and the activity that the attacker
performed.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the Incident Details page, and click on the Devices tab to view the list of
related devices. Select the Domain Controller (dc01) from this list. Choose the Alerts
tab to view the alerts detected on this particular endpoint. Look for an alert title
containing the name of a well-known Active Directory enumeration tool, which will
reference post-exploitation.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to "privilege escalation and ransomware" or "initial access and exfiltration"; however, the "Multi-stage
incident involving" part of the alert appears to be consistent.

Bloodhound

Objective 07: Sneaking Through the Back

Sneaking Through the Back - What administrative tool is used to establish persistence on the
Domain Controller? Provide the executable name.

Another common attacker technique for lying low is using common system tools to
perform aspects of their attack. This can help them stay hidden in the environment,
as security tools may be less likely to detect suspicious behavior from benign
applications.

For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.

Although most system tools benefit system efficiency and health, Microsoft 365
Defender may still flag suspicious activity involving them. Further analysis of this
type of activity is recommended to understand how the administrative tool was used
and to determine whether it was legitimate use or actions taken by an attacker.

Using the alerts in Microsoft 365 Defender for the specific endpoint in question will
provide enough information on how this administrative tool was used in this
objective.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the Incident Details page, and click on the Devices tab to view the
list of related devices. Select the Domain Controller (dc01) from this list. Choose the
Alerts tab to view the alerts detected on this particular endpoint. Look for an alert
title referencing the scheduling of tasks. Selecting this alert will show you the Alert
Story. Skim through the alert story for the events showing a command running the
administrative tool.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to "privilege escalation and ransomware" or "initial access and exfiltration"; however, the "Multi-stage
incident involving" part of the alert appears to be consistent.

schtasks.exe

Objective 08: Well That's Not Supposed to be Here

Just like choosing to use common system tools, choosing names that blend in can
also help attackers hide from security tools and analysts.

For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.

Further analysis of the suspicious activity discovered on the domain controller and
the system tool that was used to conduct this activity provides detailed knowledge of
how the attacker gained persistence on the target.

The alerts listed for the domain controller in Microsoft 365 Defender provide a wealth
of knowledge on how the attacker gained persistence to this endpoint. You must drill
down into alerts related to this activity to discover the name of the task used by the
attacker.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the Incident Details page, and click on the Devices tab to view the
list of related devices. Select the Domain Controller (dc01) from this list. Choose the
Alerts tab to view the alerts detected on this particular endpoint. Look for an alert
title referencing the scheduling of tasks. Selecting this alert will show you the Alert
Story. Look for the events where the scheduled task is being created via a command.
In a schtasks.exe /create command, the '/tr' switch designates the command the task
runs (the executable and its arguments), while the '/tn' switch sets the task name.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to "privilege escalation and ransomware" or "initial access and exfiltration"; however, the "Multi-stage
incident involving" part of the alert appears to be consistent.

Network Controller Manager


\Microsoft\Windows\Network Controller\Network Controller Manager
Microsoft\Windows\Network Controller\Network Controller Manager

Objective 09: Hollaback Girl? More like Callback Script

By identifying the persistence mechanism we have learned that it may have been
used to connect back to the attacker's machine, where they would most likely have a
listener waiting.

For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com. In order to blend in with normal traffic, the attacker is
likely to choose a destination port that would typically be seen as totally normal. This
traffic may not be easily discovered like more intrusive activities that typically
generate alerts. Understanding the time frame that the attack occurred will be
beneficial to other forms of analysis to discover activity that may appear to be normal
to the system.

While there are many ways to locate suspicious communications to an attacker's
external Command & Control infrastructure, Microsoft 365 Defender can provide this
information. Creative uses of filters, searchable fields, and an understanding of the
time line will narrow down large data sets to just the information the analyst needs to
discover external IP addresses.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the Incident Details page, and click on the Devices tab to view the
list of related devices. Select the Domain Controller (dc01) from this list. Choose the
Timeline tab to view the timeline of events detected by Defender, even ones that
aren't correlated with an alert or incident. Change the time frame to fit the attack
scope, and set a filter for Network events. To make finding the particular network
connection easier, add the filename of the persistence malware run as a scheduled
task to the Search field: ITtestscript.exe.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to "privilege escalation and ransomware" or "initial access and exfiltration"; however, the "Multi-stage
incident involving" part of the alert appears to be consistent.
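The Timeline search above can be expressed as a query that also tests whether the traffic looks like a beacon. The query below is an added example, not part of the workshop material: it pulls the outbound connections initiated by the persistence binary on the domain controller from DeviceNetworkEvents, drops private destinations, and computes the gap between successive connections to the same destination. A small, stable median gap is the callback cadence; a one-off connection is not. The device name prefix and the binary name come from the scenario; the action types and the use of ipv4_is_private are standard KQL.

```kusto
let lookback = 7d;
let SuspectBinary = "ITtestscript.exe";   // the executable behind the scheduled task found in the previous objectives
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where DeviceName startswith "dc01"      // tolerate an FQDN suffix
| where InitiatingProcessFileName =~ SuspectBinary
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
| where not(ipv4_is_private(RemoteIP))    // a C2 callback goes outside; internal traffic is noise here
// Serialize per destination so prev() compares consecutive connections to the same RemoteIP.
| sort by RemoteIP asc, Timestamp asc
| extend GapSeconds = iff(RemoteIP == prev(RemoteIP, 1, ""),
                          datetime_diff('second', Timestamp, prev(Timestamp)),
                          int(null))
| summarize Connections = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            MedianGapSeconds = percentile(GapSeconds, 50),
            Ports = make_set(RemotePort),
            Protocols = make_set(Protocol),
            Binary = take_any(InitiatingProcessFolderPath)
    by RemoteIP
| extend Endpoint = strcat(RemoteIP, ":", tostring(Ports[0]))
| order by Connections desc
```

Endpoint is the value this objective asks for. If the binary was renamed between runs, widen the InitiatingProcessFileName filter to the scheduled task's parent chain (InitiatingProcessParentFileName) instead of the file name alone.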

40.77.31.232:8443

Objective 10: Friend or Foe?

Friend or Foe? What management protocol was used to perform remote execution against the
Domain Controller?

The practice of using system tools is often called 'living off the land' by people in
cybersecurity. The attacker can count themselves fortunate when they find system
tools that let them remotely access or interact with other endpoints in the
environment.

For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.

Unlike finding nefarious Command & Control communications, remote execution
using management protocols will most likely generate alerts that can be quickly seen
by an analyst during initial investigation.

Alerts listed in Microsoft 365 Defender provide indications of remote execution.
Common indicators of this type of activity could be process creation or other similar
alerts.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the Incident Details page, and click on the Devices tab to view the
list of related devices. Select the Domain Controller (dc01) from the list. Choose the
Alerts tab to view the alerts detected on this particular endpoint. Look for an alert
title concerning suspicious process creation which references a common Windows
management protocol.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to "privilege escalation and ransomware" or "initial access and exfiltration"; however, the "Multi-stage
incident involving" part of the alert appears to be consistent.
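Objectives 05 and 10 are two views of one behavior: a process created through WMI, and the host that made the WMI call. The query below is an added example, not part of the workshop material, and serves both. Processes whose parent is WmiPrvSE.exe (the WMI provider host, which is the parent of anything started through Win32_Process.Create) are taken from DeviceProcessEvents; inbound connections on the RPC endpoint mapper port and the dynamic RPC range are taken from DeviceNetworkEvents and joined on the same host and the same minute to recover the caller's IP. It assumes the sensor records InboundConnectionAccepted events; where it does not, the SourceIPs column stays empty and the alert story remains the place to find the address.

```kusto
let lookback = 7d;
// Processes launched under the WMI provider host: the signature of remote WMI execution.
let WmiChildren =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "WmiPrvSE.exe"
    | where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "wscript.exe")
    | extend TimeKey = bin(Timestamp, 1m)
    | project DeviceName, TimeKey, ProcTime = Timestamp, AccountName, FileName, ProcessCommandLine;
// Inbound RPC: DCOM first hits the endpoint mapper (135), then a dynamic port it hands out.
// Assumption: the sensor logs InboundConnectionAccepted on these hosts.
let InboundRpc =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "InboundConnectionAccepted"
    | where LocalPort == 135 or LocalPort between (49152 .. 65535)
    | extend TimeKey = bin(Timestamp, 1m)
    | project DeviceName, TimeKey, RemoteIP;
WmiChildren
// Same host, same minute. A call that straddles a minute boundary is missed; widen the bin if needed.
| join kind=leftouter InboundRpc on DeviceName, TimeKey
| summarize Processes = dcount(ProcTime),
            Commands = make_set(ProcessCommandLine, 5),
            SourceIPs = make_set_if(RemoteIP, isnotempty(RemoteIP)),
            FirstSeen = min(ProcTime), LastSeen = max(ProcTime)
    by DeviceName, AccountName
| order by Processes desc
```

For Objective 10 the parent process alone is the answer (WMI); for Objective 05 the SourceIPs column is the address to look up on the network map, which in this scenario resolves to the NMIS host.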

Windows Management Instrumentation Protocol (WMI)

Objective 11: Same Task, Different Box

Same Task, Different Box - On what other endpoint did the attacker create the same scheduled task
using a different executable?

Like the rest of us humans, attackers are creatures of habit and benefit from
efficiency. As a result, they are just as prone to reusing tools and techniques as the
rest of us. In this scenario, the attacker used the same method for establishing
persistence on the middle endpoint they compromised as they did on the DC.

For additional information about the tools and features that might be helpful,
reference the "Proactively hunt for threats with advanced hunting" link in the
Documentation folder on your Analyst desktop.

Sometimes, Microsoft 365 Defender finds a behavior suspicious on one endpoint, but
not on another. This could be the result of many factors, including configurations or
auditing rules, but it can also be based on contextual data about the overarching
activities seen on each endpoint. Since Defender for Endpoint didn't alert on any
other suspicious scheduled tasks, we can leverage its Hunting capabilities to
broaden our search for this specific behavior.

Microsoft 365 Defender Advanced Hunting lets us use the Kusto Query Language
(KQL) to search data across our sources for results that match our requirements. For
our purposes, we can craft a query for all events containing the name of the
scheduled task we identified previously. If we knew the event ID for scheduled task
creation off the top of our heads (Windows Security event ID 4698, when task
auditing is enabled), we could use that as our filter also. Since KQL is also used by
Microsoft Sentinel, we could search either tool using the same query, provided the
same tables are ingested there.

In Microsoft 365 Defender, navigate to Advanced Hunting under Hunting in the left-
hand menu. Add your query to the Query field, leveraging the Schema and Functions
tabs if needed for guidance. Adjust your timeframe as needed, then click Run query.
The query below will do the trick in this scenario.

DeviceEvents
| where ActionType == "ScheduledTaskCreated"
    and AdditionalFields contains "Network Controller Manager"

floor-5-adm

Objective 12: The Sneakiest of Services

The Sneakiest of Services - What is the filename of the executable used to establish persistence after
the first lateral movement?

For this scheduled task, the attacker used a different executable. Unlike on the DC,
where they executed a callback to a network listener on their end, this time they put
the listener on the internal endpoint but disguised it as a common service executable.
This is another clever way attackers try to disguise their actions.

For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.

Microsoft 365 Defender doesn't only enable you to view and analyze data related to
alerts and incidents, it also gathers event data from endpoints. This is great for
adding more context to understand what happened around overtly suspicious or
malicious activity. The Timeline tab for each onboarded endpoint lets you filter by
timeframe and event type, as well as providing a Search feature to make narrowing
down the results even easier.

As is often the case, using multiple ways of filtering at once can help us find the
answers we need more efficiently. Rather than applying one filter and scrolling
through the thousands of events accumulated in the Timeline view, consider how
multiple filters could help narrow down your results. For this step, searching for a
known string in combination with filtering by event type and timeframe could be
useful.

In Microsoft 365 Defender, navigate to the Devices list under the Assets category,
then select floor-5-adm from the list. Choose the Timeline tab to view the timeline of
events detected by Defender, even ones that aren't correlated with an alert or
incident. Change the timeframe to fit the attack scope, and set a filter for Scheduled
Task events. To make finding the right event easier, add the name of the scheduled
task to the Search field: Network Controller Manager.
Select the task creation event to view the command executed by the scheduled task
in the Task command or Task executables field. The first executable referenced in
the full command is the one being executed.
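Objectives 07, 08, 11 and 12 all come down to the same two facts about a scheduled task: its name and the command it runs. The query below is an added example, not part of the workshop material, that recovers both from two independent sources and unions them, so the task shows up whether the sensor recorded a ScheduledTaskCreated event or only the schtasks.exe command line. It runs in Microsoft 365 Defender Advanced Hunting (or Sentinel with the raw-event connector). The TaskName and TaskContent names inside AdditionalFields are an assumption taken from observed event payloads; check one event in your tenant before relying on them. The scenario-specific name filter is kept alongside a generic path heuristic so the query is still useful outside this lab.

```kusto
let lookback = 7d;
// 1. Task creation events: the task definition XML carries the executable in <Command>.
let FromEvents =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ScheduledTaskCreated"
    | extend Fields = parse_json(AdditionalFields)
    | extend TaskName = tostring(Fields.TaskName),          // assumption: field names as observed in AdditionalFields
             TaskContent = tostring(Fields.TaskContent)
    | extend TaskCommand = extract(@"<Command>([^<]+)</Command>", 1, TaskContent),
             TaskArguments = extract(@"<Arguments>([^<]+)</Arguments>", 1, TaskContent)
    | project Timestamp, DeviceName, Source = "ScheduledTaskCreated", TaskName, TaskCommand, TaskArguments,
              Creator = InitiatingProcessCommandLine;
// 2. schtasks.exe /create command lines: /tn is the task name, /tr is the command the task runs.
let FromCommandLine =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "schtasks.exe" and ProcessCommandLine has "/create"
    | extend TaskName = extract(@"(?i)/tn\s+(""[^""]+""|\S+)", 1, ProcessCommandLine),
             TaskRun  = extract(@"(?i)/tr\s+(""[^""]+""|\S+)", 1, ProcessCommandLine)
    | extend TaskName = trim(@'"', TaskName), TaskRun = trim(@'"', TaskRun)
    | extend TaskCommand = extract(@"^(\S+)", 1, TaskRun)    // first token of /tr is the executable
    | extend TaskArguments = trim(" ", substring(TaskRun, strlen(TaskCommand)))
    | project Timestamp, DeviceName, Source = "schtasks.exe", TaskName, TaskCommand, TaskArguments,
              Creator = InitiatingProcessCommandLine;
union FromEvents, FromCommandLine
| extend TaskName = trim_start(@"\\", TaskName)             // normalize "\Microsoft\..." and "Microsoft\..." to one key
// Scenario-specific name, or the generic tell: a task whose binary lives in a user-writable path.
| where TaskName has "Network Controller Manager"
   or TaskCommand matches regex @"(?i)\\(Users|Temp|ProgramData|Public)\\"
| summarize Hosts = make_set(DeviceName), Commands = make_set(TaskCommand),
            Sources = make_set(Source), FirstSeen = min(Timestamp), Creators = make_set(Creator, 3)
    by TaskName
| order by FirstSeen asc
```

One task name with two hosts in Hosts and two different binaries in Commands is exactly the "same task, different box" pattern of Objectives 11 and 12; Creators shows the schtasks.exe invocation that answers Objective 07.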

svchost.exe

Objective 13: Dumping Hashes for Days

Before attempting to move laterally again, the attacker sought to gather some very
important data. They had successfully gained access to a machine with 'adm' in the
hostname, so they may have been hoping to luck into more administrator credentials.
By gathering password hashes, they could attempt to crack them or try to achieve
authentication via pass-the-hash exploits.

For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.

Unlike using system tools that might not be detected by Microsoft Defender for
Endpoint, credential harvesting tools tend to raise flags. Not only was the behavior
seen and alerted on, Microsoft 365 Defender successfully correlated its connection
to the callback malware that allowed the attacker to establish access.

This time, Microsoft 365 Defender alerted on the behavior while referencing the
scripting language used to invoke the credential harvesting tool. PowerShell has only
increased in popularity over the years, both for system administrators and attackers.
Through the course of this attack, we see the attacker repeatedly rely on built-in
PowerShell capabilities, and also download and import their own modules.

In Microsoft 365 Defender, navigate to the Devices list under the Assets category,
then select floor-5-adm from the list. Choose the Alerts tab to view the alerts
detected on this particular endpoint. Look for an alert title referencing a credential
theft tool.

Mimikatz

Objective 14: Disabling Our Defenses

How was the attacker even able to run a credential harvester? Many techniques used
by attackers to gather credentials are automatically detected and blocked by
Microsoft Defender for Endpoint. We can even see alerts about the tools used being
detected, so why weren't they stopped?

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents with Microsoft Sentinel" link in the
Documentation folder on your Analyst desktop.

With the right connectors configured, Microsoft Sentinel gathers the data from
endpoint event logs. This gives us a view into events that might have been captured
by the local Windows Event platform even if it wasn't alerted on by Defender for
Endpoint. Based on past experience, the environment was already configured with
informational event alerts that relate to administrative activity. Because some
behavior was already configured to alert, we can see Incidents where our Analytics
rules were triggered.

The Incidents tab in Microsoft Sentinel is a great place to see incidents gathered
from across your security tools. In addition to the Microsoft Sentinel incidents, you'll
be able to see incidents from Microsoft 365 Defender, Defender for Endpoint, and
Defender for Identity.

In Microsoft Sentinel, navigate to the Incidents tab under Threat Management. Look
for an informational-level incident referencing a tactic that could be used by the
attacker for defense evasion as well as to eliminate roadblocks to their attack.

The following query could also be used in the Logs tab to manually find these results.
Event ID 5001 is the Microsoft-Windows-Windows Defender/Operational log event
written when real-time protection is disabled:

Event
| where EventID == 5001
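The query below is an added example, not part of the workshop material, that broadens the single-event-ID check above. It selects the Defender operational-log events that indicate protection being turned down, labels each with its meaning, and attaches the processes that started on the same host in the two minutes before it, which is usually the command that did the disabling. It assumes the Defender operational log is collected into the Sentinel Event table with the provider name shown (confirm the Source value against one row in your workspace) and that process-creation auditing (event 4688) lands in SecurityEvent. The event-ID meanings are Defender's documented ones.

```kusto
let lookback = 7d;
// Defender operational-log event IDs and what each one means.
let DefenderEvents = dynamic({
    "5001": "Real-time protection disabled",
    "5004": "Real-time protection configuration changed",
    "5010": "Scanning for malware disabled",
    "5012": "Scanning for viruses disabled"
});
Event
| where TimeGenerated > ago(lookback)
| where Source == "Microsoft-Windows-Windows Defender"   // assumption: provider name as recorded by your collector
| where EventID in (5001, 5004, 5010, 5012)
| extend Meaning = tostring(DefenderEvents[tostring(EventID)])
| project EventTime = TimeGenerated, Computer, EventID, Meaning, RenderedDescription
// Attach process starts on the same host; only those shortly before the event are kept in the set.
| join kind=leftouter (
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688
    | project Computer, ProcTime = TimeGenerated, Account, CommandLine
  ) on Computer
| extend InWindow = ProcTime between ((EventTime - 2m) .. EventTime)
| summarize PrecedingProcesses = make_set_if(strcat(Account, ": ", CommandLine), InWindow, 5),
            Description = take_any(RenderedDescription)
    by Computer, EventTime, EventID, Meaning
| order by EventTime asc
```

A 5001 on floor-5-adm preceded by a Set-MpPreference or similar command in PrecedingProcesses is the full story this objective is after: not just that protection was disabled, but by what.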

Disabling Real-Time Protection

Objective 15: Knock Knock Knocking on the DMZ Door

But how did the attacker even get access to this endpoint? That's the next question
we need to answer. It doesn't look like this was their initial access, so where did they
move laterally from? For that, we'll look for credential access alerts. For additional
information about the tools and features that might be helpful, reference the
"Investigate incidents with Microsoft Sentinel" link in the Documentation folder on
your Analyst desktop.

With the right connectors configured, Microsoft Sentinel gathers the data from
endpoint Security Event logs. This gives us a view into events that might have been
captured by the local Windows Event platform even if it wasn't alerted on by
Defender for Endpoint. Based on past experience, the environment was already
configured with security event alerts for known-bad activity, such as remote brute
force. Because some behavior was already configured to alert, we can see Incidents
where our Analytics rules were triggered.

The Incidents tab in Microsoft Sentinel is a great place to see incidents gathered
from across your security tools. In addition to the Microsoft Sentinel incidents, you'll
be able to see incidents from Microsoft 365 Defender, Defender for Endpoint, and
Defender for Identity.

In Microsoft Sentinel, navigate to the Incidents tab under Threat Management. Look
for an incident title indicating a tactic that could be used to achieve credential access
to enable lateral movement. In this case, you'll find an incident targeting a remote
access protocol.

Brute Force

Objective 16: The Call is Coming from Inside the House

From those alerts, we can drill into the logs to find where the brute force was coming
from. A brute force from outside the environment likely would have gotten blocked
by the firewall, so maybe it came from the initial access endpoint.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents with Microsoft Sentinel" link in the
Documentation folder on your Analyst desktop.

With the right connectors configured, Microsoft Sentinel gathers the data from
endpoint Security Event logs. This gives us a view into events that might have been
captured by the local Windows Event platform even if it wasn't alerted on by
Defender for Endpoint. Based on past experience, the environment was already
configured with security event alerts for known-bad activity, such as remote brute
force. Because some behavior was already configured to alert, we can see Incidents
where our Analytics rules were triggered.

Once you know what incident you want to drill into, you'll easily be able to pivot to
viewing the relevant alerts or events. A quick way to get to the logs that relate to
the alert is by choosing Events from the Incident details pane, selecting a single
alert from the timeline, then clicking Link to LA. This will automatically generate a
Log Analytics query to get all the results related to that alert.

In Microsoft Sentinel, navigate to the Incidents tab under Threat Management. Look
for an incident title indicating a tactic that could be used to achieve credential
access, specifically the Remote Authentication Brute Force incident. Select that
incident, then click View full details to see all the related information. Select a single
alert in the timeline, and select Link to LA to view the results in Log Analytics. Look for
an IP address in the IPEntity or IpAddress column.
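The analytics rule behind this incident can be reproduced, and sharpened, with a query over the raw security events. The query below is an added example, not part of the workshop material, and serves Objectives 15 and 16 together: it counts failed network and RDP logons per source IP per target host in hourly windows, keeps sources above a threshold, and then checks whether the same source later logged on successfully to the same host, which is the difference between a noisy scanner and the pivot the attacker actually used. It assumes SecurityEvent is populated with 4625/4624 from the endpoints; the threshold is an assumption to tune for your environment.

```kusto
let lookback = 7d;
let threshold = 20;                                  // failures per hour from one source to one host (tune this)
// Failed logons, network (3) and RDP (10), rolled up per source IP, target host and hour.
let FailedLogons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where LogonType in (3, 10)
    | where isnotempty(IpAddress) and IpAddress !in ("-", "127.0.0.1", "::1")
    | summarize FailuresInHour = count(), AccountsTried = dcount(TargetUserName),
                FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated)
        by IpAddress, Computer, Window = bin(TimeGenerated, 1h)
    | where FailuresInHour >= threshold;
// Successful logons from anywhere, same logon types, to compare against.
let SuccessfulLogons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)
    | project IpAddress, Computer, SuccessTime = TimeGenerated, SuccessAccount = TargetUserName;
FailedLogons
| join kind=leftouter SuccessfulLogons on IpAddress, Computer
// A success from the same source within an hour after the failures is the sign the spray worked.
| extend SuccessAfterSpray = SuccessTime between (FirstFail .. (LastFail + 1h))
| summarize MaxFailuresPerHour = max(FailuresInHour), AccountsTried = max(AccountsTried),
            FirstFail = min(FirstFail), LastFail = max(LastFail),
            CompromisedAccounts = make_set_if(SuccessAccount, SuccessAfterSpray)
    by IpAddress, Computer
| extend SprayLedToLogon = array_length(CompromisedAccounts) > 0
| order by SprayLedToLogon desc, MaxFailuresPerHour desc
```

IpAddress is the answer to Objective 16; a private address there with SprayLedToLogon true is the "call coming from inside the house," and the network map (or DeviceNetworkInfo in Advanced Hunting) turns it into a hostname.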

172.16.40.5

Objective 17: If at First You Don’t Succeed…Try, Try Again

Internal phishing is one of the many lateral movement techniques that can be used by
attackers. For them, its benefits can include the opportunity to escalate their access
privileges while flying below the radar.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents with Microsoft Sentinel" link in the
Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.

Email flow can be investigated using the Email & collaboration Explorer. By default,
the Explorer displays metrics about all email, with views on malware, phishing, and
campaigns also available. The available tabs also show the top malware families, top
targeted users, email origins, and campaigns. The View options may be useful as you
proceed with your investigation.

Applying filters to the email logs is a great way to find what you're looking for more
easily. In Microsoft 365 Defender, the filter has many options to choose from.
Formulating an Advanced filter will let you filter by multiple types or values at once. A
couple of types that may be useful to you are sender domain, sender, recipient, and
directionality.

In Microsoft 365 Defender, navigate to the Explorer under Email & collaboration. The
All email tab should be your default view. Select the Advanced filter button to create
a filter with multiple parameters.

61 Microsoft Security Immersion Workshop Into The Breach Instructor Guide


Document version 2022.08.12
Using the Add a condition button, add the following filter types and values:

- Sender domain – Equals any of: uvmhealthX*.onmicrosoft.com

- Directionality: Intra-org

- Recipients – Equals none of: players@uvmhealthX*.onmicrosoft.com

Use the Query button to submit the query, then adjust your time frame if needed. Hit
Refresh after changing your time frame to see the list of results. Look at the sender
column to determine the source account of the email that doesn’t look like normal
enterprise email traffic.

*Note: to keep data current, the platform toggles between uvmhealth1 and uvmhealth2; if one does not
work, try the other.

jroader@uvmhealthX*.onmicrosoft.com

Objective 18: Stranger Danger

While internal phishing can be used by attackers attempting to move laterally,
external phishing is often of greater concern to organizations. External phishing
remains one of the leading successful techniques for initial access, despite
advancements in security tools and security awareness training. Looking through the
mail logs for the user you know was compromised would be a great way to
understand whether they were phished to begin with.

For additional information about the tools and features that might be helpful,
reference the "Email security with Threat Explorer in Microsoft Defender for Office
365" link in the Documentation folder on your Analyst desktop.

In this scenario, external phishing gave the attacker initial access via an endpoint that
was not protected by Defender for Endpoint. Microsoft 365 Defender is a great tool
to find the answer to this question. Access Microsoft 365 Defender through the
shortcut on the desktop or navigate to https://security.microsoft.com.

Email flow can be investigated using the Email & collaboration Explorer. By default,
the Explorer displays metrics about all email, with views on malware, phishing, and
campaigns also available. The available tabs also show the top malware families, top
targeted users, email origins, and campaigns. The View options may be useful as you
proceed with your investigation.

Applying filters to the email logs is a great way to find what you're looking for more
easily. In Microsoft 365 Defender, the filter has many options to choose from.
Formulating an Advanced filter will let you filter by multiple types or values at once. A
couple of types that may be useful to you are sender domain, sender, recipient, and
directionality.

In Microsoft 365 Defender, navigate to the Explorer under Email & collaboration. The
All email tab should be your default view. Select the Advanced filter button to create
a filter with multiple parameters. Using the Add a condition button, add the following
filter types and values:

- Recipient – Equals any of: jroader@uvmhealthX*.onmicrosoft.com

- Directionality: Inbound

Use the Query button to submit the query, then adjust your timeframe if needed. Hit
Refresh after changing your timeframe to see the list of results. Review the Sender
column in the list of results to identify the source address of the phishing email that
led to an account compromise.

*Note: to keep data current, the platform toggles between uvmhealth1 and uvmhealth2; if one does not work,
please try the other.

systems@maxdefense.com

Objective 19: I’ve Got You Now!

Even benign-looking email attachments can be exploited by attackers to gain access
to an environment. In this scenario, a Microsoft Word document was used with a
macro to discreetly download and execute callback malware on the victim endpoint.
Since it isn't often reasonable to block all email attachments, or even just attached
documents, endpoint protection becomes even more important. Effective endpoint
protection can detect the malicious behavior initiated by the macro and prevent the
callback malware from being successfully deployed.

For additional information about the tools and features that might be helpful,
reference the "Email security with Threat Explorer in Microsoft Defender for Office
365" link in the Documentation folder on your Analyst desktop.

Since the initially accessed endpoint did not have Defender for Endpoint Real-Time
Protection enabled, the email attachment was able to download callback malware
using a macro. Based on mail logs and alerts about malware prevented on protected
endpoints, you can identify the exact file that was attached to phishing emails sent to
the users.

Applying filters to the email logs is a great way to find what you're looking for more
easily. In Microsoft 365 Defender, the filter has many options to choose from.
Formulating an Advanced filter will let you filter by multiple types or values at once. A
couple of types that may be useful to you are sender domain, sender, recipient, and
directionality. After finding the source email, you can drill into the details to discover
information about the attachment itself.

In Microsoft 365 Defender, navigate to the Explorer under Email & collaboration. The
All email tab should be your default view. Change the filter type to Sender and add
the known source address to the filter field. Adjust your timeframe if needed, then hit
Refresh to see the list of results. Click on a single email, then scroll to the bottom of
the informational pane to view the attachments.

nmis_connectivity.docx
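The Explorer Advanced filters used in Objectives 17 through 19, expressed as a single Microsoft 365 Defender advanced hunting query that also joins in the attachment names. This is an added example rather than the guide's own material; it assumes the tenant domain is uvmhealth1.onmicrosoft.com (the guide notes the lab alternates with uvmhealth2) and a 30-day lookback.

```kql
// Added example (not from the guide): the Objective 17 Explorer filter as an advanced
// hunting query over EmailEvents, joined with EmailAttachmentInfo so the attachment names
// (Objective 19) appear on the same row.
// Assumptions: tenant domain uvmhealth1.onmicrosoft.com; 30-day lookback.
let tenantDomain = "uvmhealth1.onmicrosoft.com";
let workshopMailbox = strcat("players@", tenantDomain);
let lookback = 30d;
EmailEvents
| where Timestamp > ago(lookback)
// Objective 17: intra-org mail from the tenant domain, excluding the workshop mailbox.
// For Objective 18, replace the next two lines with:
//   | where EmailDirection == "Inbound"
//   | where RecipientEmailAddress =~ strcat("jroader@", tenantDomain)
| where EmailDirection == "Intra-org" and SenderFromDomain =~ tenantDomain
| where RecipientEmailAddress !~ workshopMailbox
| join kind=leftouter (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256
) on NetworkMessageId, RecipientEmailAddress
// One row per sender + subject: who it reached, what was attached, and what Defender did.
| summarize Recipients = make_set(RecipientEmailAddress),
            RecipientCount = dcount(RecipientEmailAddress),
            Attachments = make_set(FileName),
            AttachmentHashes = make_set(SHA256),
            DeliveryActions = make_set(DeliveryAction),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by SenderFromAddress, Subject
| order by RecipientCount desc
```

A sender that mails most of the tenant from inside it, with the same attachment on every message, stands out at the top of the list.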

Objective 20: And Life Goes On

Sometimes when investigating an incident, you stumble across alerts that are
completely unrelated to the path you're uncovering. These unrelated alerts are
important to take note of to ensure they are appropriately reviewed and prioritized
for remediation.

For additional information about the tools and features that might be helpful,
reference the "Investigate alerts in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com

Sometimes we are so focused on managed endpoints that other devices get
overlooked during the investigation. These devices present a unique security
concern when allowed to use network resources such as internet access.

Most alerts in Microsoft Defender provide enough information to quickly identify that
unsupported devices or operating systems have alerted on suspicious activity, such
as accessing websites or IP addresses known for phishing and other malicious
activity.

In Microsoft 365 Defender, navigate to the Alerts list under the Incidents & alerts
category. Look for an informational-level alert that references a device attempting to
access a phishing site and an investigation state "Unsupported OS." Open that alert
to see on which device the detection took place.

bberg_android

Objective 21: Well That Can’t Be Good

A macro is an action or a set of actions that you can run as many times as you want.
When you create a macro, you are recording your mouse clicks and keystrokes.
When a macro is run, it performs each action. As a result, malicious macros can be
created that execute commands, such as the PowerShell command used in this
scenario to download the callback malware.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

Since we're seeking to find events related to the creation of files and execution of
commands, Microsoft 365 Defender is going to be the best place to look. Defender
for Endpoint gathers information about what takes place on onboarded endpoints
and performs correlation to make analysis more efficient.

While the original email attachment wasn't considered malicious itself, Defender for
Endpoint still recognizes download and execution behavior by Microsoft Word as
suspicious. Therefore, we can find alerts that break down the sequence of events
that led to the callback malware being created on the endpoint and executed.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. Look for an alert that references Office
running suspicious commands. Scroll through that Alert Story to find an event where
PowerShell executed a script immediately followed by the execution of a uniquely
named executable.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

4axxl10r.exe
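The sequence the Alert Story shows for this objective (Office spawns PowerShell, which then launches a freshly dropped executable), as an advanced hunting query. This is an added example, not part of the guide; it assumes the standard DeviceProcessEvents schema, a ten-minute window between the two events, and a seven-day lookback.

```kql
// Added example (not from the guide): hunt for an Office application spawning a script
// host, and any non-system executable that script host then launched, which is the chain
// Objective 21 walks through in the Alert Story.
// Assumptions: standard DeviceProcessEvents schema; 10-minute window; 7-day lookback.
let lookback = 7d;
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe"]);
// Step 1: script hosts started by an Office process.
let officeToScript = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (officeApps)
    | where FileName in~ (scriptHosts)
    | project ScriptTime = Timestamp, DeviceId, DeviceName, AccountName,
              Parent = InitiatingProcessFileName, ScriptHost = FileName,
              ScriptCommandLine = ProcessCommandLine, ScriptPid = ProcessId;
// Step 2: anything a script host launched from outside the Windows directory.
let scriptChildren = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (scriptHosts)
    | where FolderPath !startswith @"C:\Windows\"      // ignore built-in system binaries
    | project ChildTime = Timestamp, DeviceId, InitiatingProcessId,
              Child = FileName, ChildPath = FolderPath, ChildSHA256 = SHA256,
              ChildCommandLine = ProcessCommandLine;
officeToScript
| join kind=inner scriptChildren on DeviceId, $left.ScriptPid == $right.InitiatingProcessId
// PIDs are reused, so also require the child to start shortly after the script host did.
| where ChildTime between (ScriptTime .. (ScriptTime + 10m))
| project ScriptTime, DeviceName, AccountName, Parent, ScriptHost, ScriptCommandLine,
          ChildTime, Child, ChildPath, ChildSHA256, ChildCommandLine
| order by ScriptTime asc
```

The Child column is where a uniquely named executable like the one in this objective's answer surfaces, alongside the PowerShell command line that fetched it.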

Objective 22: Automation For the Win

Automation For the Win - On which endpoint could Microsoft 365 Defender Automated
Investigations remediate the detection of a Meterpreter post-exploitation tool?

In a real-world scenario, Microsoft 365 Defender can automatically intervene when it
detects an attack in progress. Let's review what it could've done during this attack,
which might've disrupted the entire attack progression early on.

For additional information about the tools and features that might be helpful,
reference the "Automated investigation and response in Microsoft 365 Defender" link
in the Documentation folder on your Analyst desktop.

Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com

Automated investigations that are triggered by alerts can be analyzed to see how
Microsoft 365 Defender identified these alerts and, more importantly, whether they
were remediated or are pending analyst approval of actions.

Viewing the investigations that relate to privilege escalation incidents will help
quickly identify the suspicious activity and how it was handled by the system. For
more detailed information, you can select the investigation and view a graph which
shows all alert activity related to this endpoint.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then select the Investigations tab. One investigation will reference a
ransomware infection being prevented. You can use the “Triggering alert” or “Status”
filters to find the answer more easily. The answer to this question can be seen in the
Entities column, or by opening the investigation page and reviewing the graph or
Devices tab.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

Note: Depending on the Azure data refresh cycle, the answer to this objective will sometimes be “floor-3-desk”
and other times it will be “picu-5”. Please advise your players accordingly.

floor-3-desk (see note above)

Objective 23: Getting Their Bearings

Getting Their Bearings - What system tool did the attacker use to enumerate active network
connections?

Once they achieved initial access, the attacker sought to get the lay of the land and
identify endpoints to move laterally to. DNS enumeration is a common technique for
this, as it can tell attackers the hostnames and IP addresses for endpoints across the
domain. Attackers love to use tools that already exist in the victim environment when
they can, a technique referred to as "living off the land." Doing so can help them
blend in with normal activities. Even if their usage of a particular tool triggers an alert,
security practitioners are used to false positives caused by their own administration
activities.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

As we're looking for evidence about the execution of commands, Microsoft 365
Defender is going to be the best place to look. Defender for Endpoint gathers
information about what takes place on onboarded endpoints and performs
correlation to make analysis more efficient.

In this scenario, the attacker leveraged a system tool commonly used for displaying
active network connections for this endpoint. To find evidence we can look at alerts
in Microsoft 365 Defender. The tool itself wasn't flagged as malicious or anything, but
the contextual behavior was considered suspicious by Defender.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. Look for an alert that references the
suspicious discovery of network connections. Read through the Alert Story until you
find an event for the execution of a system tool for displaying network statistics with
relevance to the alert.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

netstat.exe

Objective 24: Hey, That’s My Data!

Hey, That's My Data! What is the filename of the archive exfiltrated by the attacker?

Another common purpose of discovery and enumeration activity is identifying
potentially valuable data. In this scenario, the attacker found a file share containing
sensitive or protected data. They then zipped it up and exfiltrated it right under our
noses.

For additional information about the tools and features that might be helpful,
reference the "Proactively hunt for threats with advanced hunting” link in the
Documentation folder on your Analyst desktop.

During their discovery once they achieved initial access, the attacker came across
some potentially valuable data. By exfiltrating it, they could use it to try to extort a
higher ransom payment than ransomware alone might've gotten. Unfortunately, this
is becoming a common practice alongside ransomware in order to put more pressure
on organizations to pay up. A great backup and restoration process might save you
from ransomware, but it can't delete your data from the attacker's device.

Fortunately, Microsoft 365 Defender knows what normal data sharing looks like. By
attempting to blend in with DNS network traffic, the attacker actually generated host
events. It isn't considered normal for large amounts of data to be passed over DNS,
and Defender for Endpoint also recognized the command used to perform the
exfiltration contained the name of a local file.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. Look for an alert about data exfiltration.
Viewing the details, scroll through the Alert Story and look for an executable
performing exfiltration over DNS. The command used to execute that executable will
contain the filename of the archive being exfiltrated.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

UVMHealth_Data.zip

Objective 25: Weaseling Their Way In

Moving on to the next phase of the investigation, let's start with a simple question that
you were just gathering details about: simply put, how did they get in? This is a common
question during the reporting and lessons-learned phases of incident response, as
stakeholders often see it as the key issue; people assume that if the attacker hadn't
gotten in, the rest of the attack couldn't have happened. While that's true, it's never the
full story: attackers are adaptive and will keep trying different methods until one works.
While we're busy trying to patch all the holes, they just need to find one.

For additional information about the tools and features that might be helpful, reference
the "Investigate incidents in Microsoft 365 Defender" link in the Documentation folder on
your Analyst desktop.

In addition to gathering and correlating events into alerts and incidents within each tool,
Microsoft 365 Defender also performs correlation across Defender for Endpoint,
Defender for Identity, and Email Protection. In this scenario, Microsoft 365 Defender was
able to connect the initial phishing emails to the callback malware via a Chain Event
Detection.

The Chain Event Detection tag means that Microsoft 365 Defender is correlating across
multiple data sources to connect what might have otherwise appeared to be unrelated
events. In this scenario, the previously-considered-benign email attachment is correlated
to the suspicious behavior exhibited by Microsoft Word.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts. Look
for the incident concerning privilege escalation and ransomware*. Open that incident,
then view the list of related alerts. The first alert in the chain gives a clue as to the source
of the initial compromise. Open the "Malicious email attachment" alert, then choose “View
alert details” to view some additional alert details in the right-hand pane. The MITRE
ATT&CK Techniques section lists one technique specifically.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

phishing

Objective 26: One is Enough

As we see in this scenario, it only took one user opening a bad attachment for the
rest of the attack path to be played out by the attacker. Recognizing that the
attacker's scope was broader than just one user is a good reminder of what we're up
against. In this environment, it was just seven other users, but in a real enterprise
environment it's likely to be hundreds or thousands.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

In addition to gathering and correlating events into alerts and incidents within each
tool, Microsoft 365 Defender also performs correlation across Defender for Endpoint,
Defender for Identity, and Email Protection. In this scenario, Microsoft 365 Defender
was able to connect the initial phishing emails to the callback malware via a Chain
Event Detection. Even though none of the other recipients were successfully
compromised, Microsoft 365 Defender recognizes that they were also targeted.

The Chain Event Detection tag means that Microsoft 365 Defender is correlating
across multiple data sources to connect what might have otherwise appeared to be
unrelated events. In this scenario, the previously-considered-benign email
attachment is correlated to the suspicious behavior exhibited by Microsoft Word.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. The first alert in the chain gives a clue as
to the source of the initial compromise. Open the “Malicious email attachment” alert,
there will be a box at the top with a count of accounts that received the malicious
attachment. Click on that box to view all accounts, and the answer will be everyone
except the user that was compromised.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

mvalorel, mperro, cjones, emuirgo, sbeavers, reldo, bberg

Objective 27: Strutting Around Like They Own the Place

Over the course of the ensuing attack, the attacker managed to gain access to
multiple endpoints. Gathering that information into one cohesive thought is handy to
have up your sleeve during discussions about the scope and impact of the attack, as
well as while you're planning security enhancement efforts. We're trying to put
everything we learned along the way together to fill out the context surrounding the
attack. We've gathered a lot of particulars and specifics, but now we need to
correlate across the phases to make sure we understand the full scope of the attack.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

Throughout the investigation we've relied heavily on Microsoft 365 Defender
Incidents without really acknowledging what they are. Rather than blasting security
practitioners with hundreds of separate alerts that they have to try to correlate
themselves, Incidents automatically show connections between related alerts and
organize them logically. This makes reviewing a full incident far easier than trying to
knit individual alerts into a sensible storyline yourself.

With an incident's details you'll find a summary tab, but the Graph tab can be of great
help when trying to fully understand the scope of an incident. The Summary is great
for metrics, but the Graph tab is where we can see how the attack progressed, what
was impacted, and what indicators were detected by our security tools.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the Graph tab. Play the attack story, pausing or stepping through
as needed to see each lateral movement to a new endpoint appear in the graph after
the initial access endpoint.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

floor-5-adm, dc01

Objective 28: Pivoting Constantly

Identifying all the user accounts compromised by the attacker is also important as
you evaluate everything the attacker was able to do and everything they could have
accessed. Those three accounts will certainly require remediation, and a greater
conversation will be necessary to determine whether a domain-wide password reset
is warranted.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

Throughout the investigation we've relied heavily on Microsoft 365 Defender
Incidents without really acknowledging what they are. Rather than blasting security
practitioners with hundreds of separate alerts that they have to try to correlate
themselves, Incidents automatically make connections between related alerts and
organize them logically. This makes reviewing a full incident far easier than trying to
knit individual alerts into a sensible storyline yourself.

With an incident's details you'll find a summary tab, but the alerts tab can be of
greater interest to security practitioners. The Summary is great for metrics, but the
Alerts tab is where we can see how the attack progressed, what was impacted, and
what was detected or prevented by our security tools.

In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. Scroll through the list and take note of
the Impacted Entities column, specifically looking for changes in the user account as
the attack progresses. Scroll through the Impacted Entities column to find all three
compromised accounts.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

jroader, sbeavers, uvmadmin

Objective 29: Blocking Baddies

During a real-world incident, Sentinel's automation capabilities could stop and
remediate attack impacts as they're detected across the connected security tools.
Luckily there are resources available that may help in preventing or remediating the
attack in this scenario.

For additional information about the tools and features that might be helpful,
reference the "Automate threat response with playbooks in Microsoft Sentinel" link in
the Documentation folder on your Analyst desktop.

Members of security operations centers can be overwhelmed with large volumes of
incidents and alerts on a regular basis, so much so that many alerts are ignored and
investigations are never started. This can leave an organization vulnerable to attacks
that go unnoticed.

Microsoft Sentinel Playbooks provide a collection of commonly recurring patterns
that address specific activities or alerts, freeing up analyst resources to conduct
other investigations. The playbook helps automate and orchestrate the proper
response to attackers.

Microsoft Sentinel Playbooks can be run manually or set to run automatically to
respond to specific alerts or incidents if they are triggered by pre-defined rules.
Playbook templates are found in the Configuration menu of Sentinel and provide a
list of pre-written and user-created templates.

In Microsoft Sentinel, navigate to the Automation page under the Configuration
category. Switch to the Playbook templates (Preview) tab, and review the available
templates.

Block AAD user - Incident

Objective 30: Everything But the Kitchen Sink

Over the course of our investigation, we identified three lateral movement and
credential access techniques used by the attacker. As we consider remediation and
security enhancement efforts, we'll want to consider how to ensure those techniques
cannot be used against us in any future attacks.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

Some questions require multiple tools to answer. This time, in addition to leveraging
Microsoft 365 Defender, we also need to remember what Microsoft Sentinel
detected in the network traffic. Microsoft Sentinel's Analytics rules can analyze
network traffic for anomalies or concerning patterns.

To find what we need in Microsoft 365 Defender, we'll want to review the Incident
Alerts as well as the Email Quarantine. To find what we're looking for in Microsoft
Sentinel we need to review the Incidents.

This question requires a process of elimination, so here's how to find evidence for
each technique the attacker did use.

Password Hash Harvesting: In Microsoft 365 Defender, look for an alert for the
Mimikatz credential theft tool or Malicious credential theft tool execution. These
alerts are included in the Multi-stage incident involving Privilege escalation* including
Ransomware on multiple endpoints reported by multiple sources.

Remote Authentication Brute Force: Review the Incidents in Microsoft Sentinel,
looking for an incident related to Remote Authentication Brute Force. This incident
was detected and correlated by Microsoft Sentinel.

Internal Spearphishing: Look at the Email Quarantine in Microsoft 365 Defender,
specifically for a quarantined email between two internal addresses.

*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.

User Creation

Objective 31: Attacking from Every Direction

Turning our focus to an important external factor, we'll also want to evaluate where
the attack originated from a network perspective. While blacklisting every single IP
address that scans your external IP range may be too tedious to maintain, blacklisting
the source of an attack is certainly warranted. While investigating the network traffic,
you may also discover evidence of reconnaissance being performed prior to the
attack. All of this information could contribute to effective network monitoring or
alerting changes.

For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.

Once again, this answer could be found in either Microsoft 365 Defender or Microsoft
Sentinel. Think back through the investigation to consider at what points each IP
address might've been used by the attacker. The two IP addresses served different
purposes - one acted as the connection point for callbacks, the other provided a
download source for staging malware and tools.

Microsoft 365 Defender grabbed events containing each IP address from various
points in the attack. Alert stories reference each IP address, depending on what
activity they were used for. The alerts related to callback malware are likely to provide
one IP address, while alerts related to malware being downloaded and executed are
likely to contain the other. In Microsoft Sentinel we can review network traffic to find
each IP address. We could formulate queries about the first by recalling what ports
were being used by the callback malware, or by looking for external traffic during
specific timeframes from the internal compromised IP addresses. For the second, we
could formulate a query looking for web traffic from compromised endpoints, or for
the logs from the DNS exfiltration.
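The two pivots described above (repeated callback traffic from the compromised hosts, and a shared web download source) expressed as detection logic over flow records. This is an added example, not code from the workshop or from Microsoft Sentinel; the flow records, internal hosts, external addresses, ports and attack window are all constructed.

```python
from collections import defaultdict

# Constructed flow records (timestamp, src_ip, dst_ip, dst_port); not real telemetry.
FLOWS = [
    ("2022-08-01T10:00:00", "10.0.0.21", "203.0.113.10", 8443),
    ("2022-08-01T10:05:00", "10.0.0.21", "203.0.113.10", 8443),
    ("2022-08-01T10:10:00", "10.0.0.21", "203.0.113.10", 8443),
    ("2022-08-01T10:11:00", "10.0.0.21", "198.51.100.7", 80),
    ("2022-08-01T10:20:00", "10.0.0.37", "203.0.113.10", 8443),
    ("2022-08-01T10:25:00", "10.0.0.37", "203.0.113.10", 8443),
    ("2022-08-01T10:30:00", "10.0.0.37", "203.0.113.10", 8443),
    ("2022-08-01T10:31:00", "10.0.0.37", "198.51.100.7", 80),
    ("2022-08-01T10:40:00", "10.0.0.37", "192.0.2.80", 443),   # one ordinary web hit
    ("2022-08-01T08:00:00", "10.0.0.99", "192.0.2.80", 443),   # host not in scope
]
# Internal hosts already identified as compromised earlier in the investigation (constructed).
COMPROMISED = {"10.0.0.21", "10.0.0.37"}

def is_internal(ip):
    """Simplified RFC 1918 check; enough for the constructed data."""
    return ip.startswith(("10.", "192.168.", "172.16."))

def external_contacts(flows, compromised, start, end):
    """External (dst_ip, dst_port) pairs contacted by compromised hosts inside the
    attack window (ISO timestamps compare lexicographically), with the hosts that hit each."""
    seen = defaultdict(set)
    for ts, src, dst, port in flows:
        if src in compromised and not is_internal(dst) and start <= ts <= end:
            seen[(dst, port)].add(src)
    return {k: sorted(v) for k, v in seen.items()}

def callback_candidates(flows, compromised, start, end, min_hits=3):
    """External endpoints that a compromised host hit at least min_hits times on the
    same port: the repetitive pattern of callback (beaconing) malware."""
    hits = defaultdict(int)
    for ts, src, dst, port in flows:
        if src in compromised and not is_internal(dst) and start <= ts <= end:
            hits[(src, dst, port)] += 1
    return sorted({(dst, port) for (src, dst, port), n in hits.items() if n >= min_hits})

def download_sources(flows, compromised, start, end, web_ports=(80, 443)):
    """External web servers contacted by more than one compromised host: a shared
    staging source for malware and tools rather than ordinary browsing."""
    contacts = external_contacts(flows, compromised, start, end)
    return sorted(ip for (ip, port), hosts in contacts.items()
                  if port in web_ports and len(hosts) > 1)
```

In Sentinel the same pivots are expressed as queries over the network tables, keyed on the compromised hosts and the attack timeframe; the value here is seeing which fields each pivot needs.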

IP Address 1: Review the callback events in Microsoft 365 Defender alerts or
Microsoft Sentinel Log Analytics.

IP Address 2: Review the download source of malware files in Microsoft 365
Defender alerts, or query for the exfiltration destination in Microsoft Sentinel
Log Analytics.

40.77.31.232, 23.99.191.12

Objective 32: Learning Our Lesson

Microsoft 365 Defender doesn't just offer preventative and reactive security, it also
can help guide effective security planning and prioritization. From Threat Analytics to
Vulnerability Management, the Defender portal provides insights from across your
environment and security tools.

For additional information about the tools and features that might be helpful,
reference the "Security recommendations - threat and vulnerability management" link
in the Documentation folder on your Analyst desktop.

The Vulnerability Management feature accessible through the Microsoft 365
Defender portal draws important security insights from Microsoft Defender for
Endpoint for onboarded endpoints across the organization. Components like the
software inventory and vulnerability scanning can help you keep track of what's
present in your environment.

In addition to making vulnerability, threat, and configuration data readily available,
the Recommendations page can also help you prioritize changes to improve your
security posture. Often, configuration changes can reduce your attack surface, even
if there isn't a specific vulnerability associated with the change.

In Microsoft 365 Defender, open the Vulnerability management menu under
Endpoints. Select Recommendations from that list to review the top
recommendations Defender for Endpoint has generated from endpoint data. The
Related component column lists what component the recommendation applies to.
The results with Security controls as the Related component include which security
control the recommendation falls under.

Attack Surface Reduction

Appendix A
Changes to version 2022.03.09 from original release include:

1. Addition of Appendix A

2. Changes to the wording and solution for eight Learning Objectives, resulting in changes to
this document as well as the eight solution videos:

• OBJ#04 – The solution now uses a different IP address
• OBJ#15 – Solution uses “view full details” tab instead of “events” tab
• OBJ#16 – Entire walkthrough video re-recorded due to changes to solution.
• OBJ#17 – Added notation to the video re uvmheath1 vs. uvmhealth2
• OBJ#19 – Entire walkthrough video re-recorded due to changes to solution.
• OBJ#20 – Entire walkthrough video re-recorded due to changes to solution.
• OBJ#22 – Ending re-recorded due to new solution to the objective.
• OBJ#28 – Ending re-recorded due to new solution to the objective.

Changes to version 2022.03.27 from version 2022.03.09 include:

• All Objective screenshots updated to reflect latest design and dialog
• Changes to objectives 4 through 18:
  • What was objective 18 in previous guide, is now objective 4
  • What was objective 4 in previous guide, is now objective 5
  • What was objective 5 in previous guide, is now objective 6
  • What was objective 6 in previous guide, is now objective 7
  • What was objective 7 in previous guide, is now objective 8
  • What was objective 8 in previous guide, is now objective 9
  • What was objective 9 in previous guide, is now objective 10
  • What was objective 10 in previous guide, is now objective 11
  • What was objective 11 in previous guide, is now objective 12
  • What was objective 12 in previous guide, is now objective 13
  • What was objective 13 in previous guide, is now objective 14
  • What was objective 14 in previous guide, is now objective 15
  • What was objective 15 in previous guide, is now objective 16
  • What was objective 16 in previous guide, is now objective 17
  • What was objective 17 in previous guide, is now objective 18
• Changes to Question 2:
  • QA Portal: Minor word change from “referencing the alerts” to “referencing the
    incident”. Changed 4th hint to better lead the player from Sentinel to M365D.

• Changes to Question 4:
  • QA Portal: This was originally question 18 and moved to question 4 and re-worded.
    All questions following question 4 were incrementally shifted up one number.
  • Objective/Hints: (tyr-q4-m74) This was the question moved from 18 to 4.
  • New Answer to question 4: 9
• Changes to Question 5
  • QA Portal: Changed question type from freeform to choice, spelled out “Windows
    Management Instrumentation Protocol (WMI)” as the correct choice with other
    incorrect choices. Minor grammatical change in the question.
  • Objective/Hints: (tyr-q5-m74) Changed IP address to 192.168.0.12
• Changes to Question 10
  • New answer: Windows Management Instrumentation Protocol (WMI)
• Changes to Question 15
  • QA Portal: Changed question type from freeform to choice. Used Mitre Att@ck high
    level tactics as the player choices with “Brute Force” as the correct answer.
  • Objective/Hints: (tyr-q15-m74) Minor grammatical change from “what” to “which” in
    description.
  • Hint 4 (solution), changed last sentence to better represent the changes made to the
    multiple choice answer.
• Changes to Question 18
  • QA Portal: Changed answer from “jroader@uvmhealth2.onmicrosoft.com” to
    “jroader@uvmhealth1.onmicrosoft.com”
  • Objective/Hints: (tyr-q18-m74) changed uvmhealth2 to uvmhealth1
• Changes to Question 19
  • Sender domain: uvmhealth2.onmicrosoft.com com changed to Recipient: Sender
    domain: uvmhealth1.onmicrosoft.com
• Changes to Question 20
  • Recipient: jroader@uvmhealth2.onmicrosoft.com changed to Recipient:
    jroader@uvmhealth1.onmicrosoft.com
• Changes to Question 21
  • QA Portal: Changed answer to bberg_android
• Changes to Question 22
  • QA Portal: Changed answer to nmis_connectivity.docx
• Changes to Question 24
  • QA Portal: Changed the question to “On which endpoint did Microsoft 365 Defender
    Automated Investigations block an active ransomware infection”
  • Changed answer to floor-3-desk
• Changes to Question 29
  • QA Portal: Changed question to better drive player to use the graph.

• Changes to Question 34
  • QA Portal: Changed the question as per Microsoft/player feedback.

Changes to version 2022.04.28 from version 2022.03.28 include:

• New screenshots for Objective numbers 3, 14 and 34
• Changed the font for all Answers to Consolas for easier interpretation of characters.
• Changes to the answers to Objective numbers 2, 3, 13, 16, 29
• Updated the walkthrough videos for objectives 2, 3, 16 and 29
• Changed Objective #5, Hint #4 text
• Changed the answer to Objective #8 from one to three valid responses.
• Changed Objective #16, Hint #4 text.
• Changed Objective #23, Hint #4 text.
• Changed Objective #24, Hint #4 text.
• Changed Objective #28, Hint #1 text.
• Renamed the section “Navigating Instructor Tools” to “Navigating Instructor Tools”
• Replaced the entire section called “Navigating Instructor Tools” with all new content
reflecting the new Leaderboard functionality.
• Replaced the screenshots (Sentinel workspace name changed) on pages 25, 26 and 27.

Changes to version 2022.05.05 from version 2022.04.28 include:

• Changed Objective #2, Hint #4 text.
• Changed Objective #3, Hint #4 text.
• Changed Objective #29, Hints #2 and #4 text.

Changes to version 2022.05.10 from version 2022.05.05 include:

• Changed Objective #8, Hint #4 text
• Updated Objective #8 video

Changes to version 2022.06.02 from version 2022.05.25 include:

• Fixed Obj #5, Hint #4 typo: Changed “loof” to “look”.
• Fixed Obj #4. The answer was 9, it is now 8; video updated as well.
• Fixed Obj #5. IP address was 192.168.0.125, it is now 192.168.0.100; video updated as well.

Changes to version 2022.06.30 from version 2022.06.02 include:

• Added a Note in Objective #17, Hint #4 mentioning that using Sentinel will not help the
player find the answer.
• Added a Note in Objective #18, Hint #4 on how to make the solution easier to find.

• Added a note to Objective #24, Hint #4: Depending on the Azure data refresh cycle, the
answer will sometimes be “floor-3-desk” and other times it will be “picu-5”

Changes to version 2022.07.25 from version 2022.07.14 include:

• Fixed Obj #2, Hint #4 changed – New description on finding the solution.
• Fixed Obj #3, Hint #4 changed – New description on finding the solution.
• Fixed Obj #4, Hint #3 and #4 changed – New descriptions on finding the solution.
• Fixed Obj #16, Hint #4 changed – New description on finding the solution.
• Fixed Obj #17, Hint #1 and Hint #4 changed – New descriptions on finding the solution.
• Fixed Obj #18, Hint #4 changed – New description on finding the solution.
• Fixed Obj #19, Hint #4 changed – New descriptions on finding the solution.
• Fixed Obj #26, Hint #4 changed – New description on finding the solution.
• New videos created for Objectives: 2, 3, 4, 16, 17, 18, 19, 26.
For 2022.07.28:
• Fixed Obj#12, Hint #4 changed – New description on finding the solution.

Changes to version 2022.08.12 from version 2022.07.25 include:

• Objectives 17 and 19 were removed. The original objective 21 was switched to be after the
original objective 22. Objectives 18 through the end were renumbered accordingly.
• Fixed Obj #2, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Obj #4, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Obj #12, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Obj #16, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Obj #2, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Objectives #2, 3, 5, 6, 7, 8, 9, 10, 11, 13, 21, 22, 23, 24, 25, 26, 27 and 28 by adding special
wording around those Objectives that have this text in hint #4: “privilege escalation and
ransomware”. Recorded all new walkthrough videos for each.
