Day02-APT29-Part4-Midnight-Blizzard-MDE-EvaluationLab.md
Day 2 - APT29, Midnight Blizzard (NOBELIUM), Evaluation Lab

📢 April 18, 2023 - Microsoft changed its naming taxonomy for threat actors, moving from chemical element names to weather-themed names. Under the new taxonomy APT29 is tracked as Midnight Blizzard; its previous Microsoft name was NOBELIUM. In this blog I will use the name "NOBELIUM" instead of Midnight Blizzard.

Microsoft Defender for Endpoint's (MDE) Evaluation Lab includes a Solorigate (NOBELIUM) attack simulation. In this post I focus on MDE's detection capabilities, that is, how it captures the attack as an EDR/XDR, and then on the response capabilities the product offers for containment.

[Screenshot] Solorigate in MDE Evaluation Lab

Incident response with Microsoft 365 Defender

During incident response there are various approaches and scenarios, and Microsoft offers comprehensive documentation on incident response with Microsoft 365 Defender. Here I focus on containment and investigation, the stages highlighted in blue in the workflow below.

[Screenshot] Incident response workflow, from "Incident response with Microsoft 365 Defender"

Incident response, investigation

Let's investigate the details of the incident

Here are some important points to consider during the investigation.

  1. Where the attack started.
  2. What tactics were used.
  3. How far the attack has gone into your tenant.
  4. The scope of the attack, such as how many devices, users, and mailboxes were impacted.
  5. All of the data associated with the attack.

Note: Start an investigation from the incident page rather than the alert page. An incident groups the related alerts, evidence and assets together; working from individual alerts, of which there can be a large volume, it is easy to get lost or unsure of what you need to find.

[Summary] Check points

| Check point | What to check |
|---|---|
| MITRE ATT&CK tactics | Analyze the full scope of the attack using the MITRE ATT&CK framework. |
| Scope | Check the impacted assets such as devices, users, mailboxes, and apps. |
| Evidence | Ensure that all suspicious activities related to the incident are identified. |
| Alerts | Check the timeline of the alerts. |

e.g. For this incident, 23 alerts are associated with it, and testmachine8 is an impacted device that requires a response action (containment). In terms of suspicious activities, MDE has detected 31 entities.

[Screenshot] Summary tab, incident page

[Attack story] Check points

| Check point | What to check |
|---|---|
| Incident graph | How your assets are related to suspicious entities and activities, shown as a graph. |
| Alerts (timeline) | How many alerts are associated with the incident, and the timeline of those alerts. |

e.g. In the attack timeline the alerts start from "suspicious service launched", so the service may have created additional malicious files or even established a C2 (command-and-control) connection. Also, the incident graph shows testmachine8 connected to 'panhardware.com' and to the related files and processes.

[Screenshot] Attack story tab, incident page

Let's look into the depth of the alert

This is one of the alerts in the incident. The attack began from sbsimulator.exe; sbsimulation_sb_340461_bs_293713.exe then created the file bdata.bin, which MDE detected as malicious activity.

[Screenshot] Alert story, alert page

Analyzing the alert timeline shows that MDE captured all of the suspicious activities related to APT29 on the device. I have summarized what the timeline tells us in the screenshot below.

[Screenshot] Alert timeline
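The check points above (where the attack started, which tactics, how far it has gone, the scope, the evidence, the alert timeline) and the attack story and alert story sections all come down to the same reconstruction that MDE draws for you in the incident graph: follow the process tree from the first suspicious process, collect what it created and where it connected, then check which other devices and accounts saw the same indicators. As an added example that is not from the original post or from Microsoft, here is that reconstruction in Python over constructed rows shaped like the advanced hunting tables. The device, process names, file name and domain are the ones named in this post; the PIDs, timestamps, folder path, account name, IP address and the second device are assumptions.

```python
"""Reconstruct the attack chain and scope an incident from MDE-style events.

Added example for this post, not code from the original or from Microsoft.
The rows are constructed to mirror what the post describes on testmachine8;
field names follow the MDE advanced hunting schema (DeviceProcessEvents,
DeviceFileEvents, DeviceNetworkEvents). PIDs, timestamps, the path, the
account name and the IP are made up.
"""
from collections import defaultdict

EVENTS = [
    {"Table": "DeviceProcessEvents", "Timestamp": "2023-04-20T10:00:01Z",
     "DeviceName": "testmachine8", "AccountName": "labuser",
     "InitiatingProcessFileName": "services.exe", "InitiatingProcessId": 700,
     "FileName": "sbsimulator.exe", "ProcessId": 4120},
    {"Table": "DeviceProcessEvents", "Timestamp": "2023-04-20T10:00:05Z",
     "DeviceName": "testmachine8", "AccountName": "labuser",
     "InitiatingProcessFileName": "sbsimulator.exe", "InitiatingProcessId": 4120,
     "FileName": "sbsimulation_sb_340461_bs_293713.exe", "ProcessId": 4188},
    {"Table": "DeviceFileEvents", "Timestamp": "2023-04-20T10:00:09Z",
     "DeviceName": "testmachine8", "AccountName": "labuser", "ActionType": "FileCreated",
     "FileName": "bdata.bin", "FolderPath": r"C:\Users\labuser\AppData\Local\Temp\bdata.bin",
     "InitiatingProcessFileName": "sbsimulation_sb_340461_bs_293713.exe",
     "InitiatingProcessId": 4188},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2023-04-20T10:00:20Z",
     "DeviceName": "testmachine8", "AccountName": "labuser", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "panhardware.com", "RemoteIP": "203.0.113.10", "RemotePort": 443,
     "InitiatingProcessFileName": "sbsimulation_sb_340461_bs_293713.exe",
     "InitiatingProcessId": 4188},
    # Unrelated activity on another device; it must stay out of scope.
    {"Table": "DeviceProcessEvents", "Timestamp": "2023-04-20T10:01:00Z",
     "DeviceName": "testmachine3", "AccountName": "bob",
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessId": 3000,
     "FileName": "notepad.exe", "ProcessId": 3100},
]


def process_tree(events, device):
    """Return (pid -> image name, parent pid -> child pids) for one device.

    Keyed on PID alone, which is fine inside a short simulation window; over a
    long window add ProcessCreationTime to the key, because PIDs get reused.
    """
    names, children = {}, defaultdict(list)
    for e in events:
        if e["Table"] != "DeviceProcessEvents" or e["DeviceName"] != device:
            continue
        names.setdefault(e["InitiatingProcessId"], e["InitiatingProcessFileName"])
        names[e["ProcessId"]] = e["FileName"]
        children[e["InitiatingProcessId"]].append(e["ProcessId"])
    return names, children


def attack_chain(events, device, root_name):
    """Walk root_name's process subtree and collect the files it created and
    the remote hosts it contacted: the nodes the incident graph draws as
    connected to the device."""
    names, children = process_tree(events, device)
    pids = {pid for pid, name in names.items() if name.lower() == root_name.lower()}
    stack = list(pids)
    while stack:  # depth-first walk of the child map
        for child in children.get(stack.pop(), []):
            if child not in pids:
                pids.add(child)
                stack.append(child)
    chain = {"processes": sorted(names[p] for p in pids), "files": [], "remote_hosts": []}
    for e in events:
        if e["DeviceName"] != device or e.get("InitiatingProcessId") not in pids:
            continue
        if e["Table"] == "DeviceFileEvents" and e["ActionType"] == "FileCreated":
            chain["files"].append(e["FolderPath"])
        elif e["Table"] == "DeviceNetworkEvents":
            chain["remote_hosts"].append(e["RemoteUrl"] or e["RemoteIP"])
    return chain


def scope(events, indicators):
    """Devices and accounts that touched any indicator (image or file name, or
    remote host): the 'how far into the tenant' check, run across all devices."""
    devices, accounts = set(), set()
    for e in events:
        if {e.get("FileName"), e.get("InitiatingProcessFileName"), e.get("RemoteUrl")} & indicators:
            devices.add(e["DeviceName"])
            accounts.add(e["AccountName"])
    return {"devices": sorted(devices), "accounts": sorted(accounts)}


if __name__ == "__main__":
    print(attack_chain(EVENTS, "testmachine8", "sbsimulator.exe"))
    print(scope(EVENTS, {"bdata.bin", "panhardware.com", "sbsimulator.exe"}))
```

Against real tenant data you would feed the same functions with rows returned by an advanced hunting query over those three tables, and the `scope` step is what tells you whether containment of one device is enough or whether the same indicators have already spread to others.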

Incident response, containment

For containment of an impacted device, MDE can remotely isolate the device from the network. The device keeps its connection to the Defender service, so it remains visible for investigation and can be released again later.

If a user account is also involved in the breach, other response options are available for it.

[Screenshot] Response actions, e.g. isolate the device from the network
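The same isolation action can be driven through the MDE API instead of the portal, which is what you would script when more than one device needs containing at once. This is an added example, not the post's own code: the endpoints (`POST /api/machines/{id}/isolate` and `/unisolate`), the `Comment` / `IsolationType` body and the `Machine.Isolate` permission are the documented ones; the tenant, app registration and machine id are placeholders, and the machine id is the device id shown on the device page in the portal, not the hostname (so testmachine8 would first be looked up to get its id).

```python
"""Isolate (and later release) a device through the Defender for Endpoint API.

Added example, not from the original post. The endpoints are the documented
MDE machine actions; tenant, app registration and machine id are placeholders.
"""
import json
import urllib.parse
import urllib.request

API = "https://api.securitycenter.microsoft.com"
ISOLATION_TYPES = ("Full", "Selective")  # Selective keeps Outlook/Teams/Skype reachable


def build_action(machine_id, action, comment, isolation_type="Full"):
    """Return (url, body) for a machine action, validating inputs first.

    A blank comment is rejected: the API requires one, and it is what the
    Action center shows to the next responder who wonders why the box is off the network.
    """
    if action not in ("isolate", "unisolate"):
        raise ValueError(f"unsupported action {action!r}")
    if not comment.strip():
        raise ValueError("a comment is required for every response action")
    body = {"Comment": comment}
    if action == "isolate":
        if isolation_type not in ISOLATION_TYPES:
            raise ValueError(f"IsolationType must be one of {ISOLATION_TYPES}")
        body["IsolationType"] = isolation_type
    url = f"{API}/api/machines/{urllib.parse.quote(machine_id, safe='')}/{action}"
    return url, body


def get_token(tenant_id, app_id, app_secret):
    """Client-credentials token for the MDE API (the app needs Machine.Isolate)."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "resource": API,
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def run_action(token, machine_id, action, comment, isolation_type="Full",
               opener=urllib.request.urlopen):
    """POST the action and return the machine action record (id, status, ...).

    `opener` is injectable so the call can be exercised without a tenant.
    """
    url, body = build_action(machine_id, action, comment, isolation_type)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: your tenant, app registration and the device id from the device page.
    tok = get_token("<tenant-id>", "<app-id>", "<app-secret>")
    rec = run_action(tok, "<machine-id>", "isolate",
                     "IR-1234: testmachine8 containment, NOBELIUM simulation", "Full")
    print(rec["id"], rec["status"])  # the action is asynchronous; poll its status
```

Full isolation cuts all traffic except to the Defender cloud service, so the device stays investigable and can be released with the `unisolate` action once the investigation is done; Selective isolation additionally leaves Outlook, Teams and Skype for Business reachable for the user.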

Disclaimer

The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the author's employer.