This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor's compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products. This Alert also addresses activity, irrespective of the initial access vector leveraged, that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim's Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. These tactics, techniques, and procedures (TTPs) feature three key components:

- Compromising or bypassing federated identity solutions;
- Using forged authentication tokens to move laterally to Microsoft cloud environments; and
- Using privileged access to a victim's cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools, including a CISA-developed tool, Sparrow, for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to and.
This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
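As an added illustration of the kind of review the Alert points defenders toward, the script below (example code written for this page, not CISA's Sparrow tool or any of its checks) scans constructed Azure AD audit records for operations that map onto two of the TTP components above: federation settings being changed on a domain, and credentials or role assignments being added to applications and service principals for API-based persistence. The operation names follow Azure AD audit-log naming conventions but are assumed here, as is the JSON-lines record shape; the sample records are constructed, not from any real tenant.

```python
import json
from collections import defaultdict

# Audit operations mapped onto the Alert's TTP components. The names follow Azure AD
# audit-log naming but are assumed here; they are not an authoritative CISA/Microsoft list.
HIGH_RISK_OPERATIONS = {
    "Set federation settings on domain": "federated identity tampering",
    "Set domain authentication": "federated identity tampering",
    "Add service principal credentials": "API-based persistence",
    "Update application - Certificates and secrets management": "API-based persistence",
    "Add app role assignment to service principal": "API-based persistence",
}

# Constructed sample records in JSON-lines form; not data from any real tenant.
SAMPLE_AUDIT_LOG = """
{"time": "2020-12-14T03:11:52Z", "operation": "UserLoggedIn", "actor": "alice@example.test", "target": "Exchange Online"}
{"time": "2020-12-14T03:15:08Z", "operation": "Add service principal credentials", "actor": "svc-admin@example.test", "target": "Mail Reader App"}
{"time": "2020-12-14T03:15:41Z", "operation": "Set federation settings on domain", "actor": "svc-admin@example.test", "target": "example.test"}
{"time": "2020-12-14T04:02:19Z", "operation": "Update application - Certificates and secrets management", "actor": "svc-admin@example.test", "target": "Mail Reader App"}
{"time": "2020-12-14T05:30:00Z", "operation": "Add member to group", "actor": "bob@example.test", "target": "Finance"}
"""

def parse_audit_lines(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one corrupt export line must not abort the whole review
    return records

def find_high_risk(records):
    """Return records whose operation matches a TTP component, tagged with that component."""
    return [{**r, "ttp": HIGH_RISK_OPERATIONS[r["operation"]]}
            for r in records if r.get("operation") in HIGH_RISK_OPERATIONS]

def actors_by_ttp(findings):
    """Group the actor identities behind each TTP component so triage can pivot on them."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["ttp"]].add(f["actor"])
    return {ttp: sorted(actors) for ttp, actors in grouped.items()}
```

Run `actors_by_ttp(find_high_risk(parse_audit_lines(SAMPLE_AUDIT_LOG)))` to see that a single identity touched both federation settings and application credentials within an hour, which is the pattern worth escalating.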