Investigating a compromised system in a hybrid cloud

For this hybrid scenario, the compromised system will be located on-premises and the company has a cloud-based monitoring system, which for the purpose of this example will be Azure Security Center. To show how a hybrid cloud scenario can be similar to an on-premises online scenario, we will use the same case that was used before. Again, a user received a phishing email, clicked on the hyperlink, and got compromised. The difference now is that there is an active sensor monitoring the system, which will trigger an alert to SecOps, and the user will be contacted. The users don't need to wait days to realize they were compromised; the response is faster and more accurate.

The SecOps engineer has access to the Security Center dashboard and, when an alert is created, it shows the NEW flag beside the alert name. The SecOps engineer also noticed that a new security incident was created, as shown in the following screenshot:

As mentioned in Chapter 11, Active Sensors, a security incident in Azure Security Center represents two or more alerts that are correlated. In other words, they are part of the same attack campaign against a target system. By clicking on this security incident, the SecOps engineer noticed the following alerts:

There are four alerts included in this incident and, as you can see, they are organized by time and not by priority. In the bottom part of this pane, there are two notable events included, which provide extra information that can be useful during the investigation. The first event only reports that the antimalware installed on the local machine was able to block an attempt to drop a piece of malware on the local system. That's good, but, unfortunately, the attacker was highly motivated to continue his attack and managed to disable antimalware on the local system. It is important to keep in mind that, in order to do that, the attacker had to escalate privileges and run a command such as Taskkill or killav to kill the antimalware process. Moving on, we have a medium priority alert showing that a suspicious process name was detected, as shown in the following screenshot:

In this case, the process is mimikatz.exe, which was also used in our previous case. You may ask: why is this medium priority and not high? It is because, at this point, this process had not been launched yet. That's why the alert says: Suspicious process name detected. Another important fact about this event is the type of attacked resource, which is Non-Azure Resource; this is how you identify that the system is on-premises or a VM in another cloud provider (such as Amazon AWS). Moving on to the next alert, we have a Suspicious Process Execution Activity Detected:

The description of this alert is pretty clear about what is happening at this point, and this is one of the biggest advantages of having a monitoring system watching process behavior. It will observe these patterns and correlate this data with its own threat intelligence feed to understand whether these activities are suspicious or not. The remediation steps provided can also help you take the next steps. Let's continue looking at the other alerts. The next one is the high priority alert, which is the execution of a suspicious process:

This alert shows that mimikatz.exe was executed and that the parent process was cmd.exe. Since mimikatz requires a privileged account to run successfully, the assumption is that this command prompt is running in the context of a high-privilege account, which in this case is EMSAdmin. The notable events that you have at the bottom should also be reviewed. We will skip the first one, since we know it is about cleaning the evidence (wiping out the logs), but the next one is not so clear, so let's review it:

This is another indication that the attacker compromised other files, such as rundll32.exe. At this point, you have enough information to continue your investigation process. As described in Chapter 12, Threat Intelligence, Azure Security Center has a feature that enables you to go deeper into the details of a security issue, which is the investigation feature. In this case, we will select the second alert of this list and click on the Investigation button. The investigation path for this particular case is shown in the following screenshot:

Each entity in this diagram provides details about its own object and, if there are other entities related to the one selected, you can pivot it by clicking on the object itself, as shown in the following screenshot:

The investigation map helps you to visualize the steps that were taken during this attack and better understand the correlation between all entities that were involved.
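As an added illustration (not from the book and not Azure Security Center's own code), the following Python models the correlation logic this walkthrough relies on: endpoint events are mapped to alerts, and alerts on the same host within a time window are grouped into an incident, listed by time rather than by severity, just as the incident pane above shows them. The host names, timestamps, antimalware image name and sample telemetry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "file_create" or "process_create"
    name: str          # dropped file name or process image
    parent: str = ""
    cmdline: str = ""

AV_PROCESSES = {"msmpeng.exe"}                 # assumed antimalware image name
KILL_TOOLS = {"taskkill.exe", "killav.exe"}    # utilities the text names for killing antimalware
KNOWN_TOOLS = {"mimikatz.exe"}                 # credential-dumping tool seen in this case

def alerts_for(ev):
    """Map one endpoint event to zero or more (severity, title, event) alerts."""
    out, name, cmd = [], ev.name.lower(), ev.cmdline.lower()
    if ev.kind == "process_create" and name in KILL_TOOLS and any(av in cmd for av in AV_PROCESSES):
        out.append(("High", "Antimalware process terminated", ev))
    if ev.kind == "file_create" and name in KNOWN_TOOLS:
        out.append(("Medium", "Suspicious process name detected", ev))   # dropped, not yet run
    if ev.kind == "process_create" and name in KNOWN_TOOLS:
        out.append(("High", "Suspicious process executed", ev))          # parent/user live in ev
    return out

def build_incidents(events, window=timedelta(hours=24)):
    """Group alerts per host into incidents (two or more alerts within `window`), ordered by time."""
    alerts = sorted((a for ev in events for a in alerts_for(ev)), key=lambda a: a[2].ts)
    groups, open_by_host = [], {}
    for alert in alerts:
        host, ts = alert[2].host, alert[2].ts
        cur = open_by_host.get(host)
        if cur and ts - cur[-1][2].ts <= window:
            cur.append(alert)                 # same campaign: extend the open group
        else:
            open_by_host[host] = [alert]      # first alert on this host, or window expired
            groups.append(open_by_host[host])
    return [{"host": g[0][2].host, "alerts": g} for g in groups if len(g) >= 2]

# Constructed sample telemetry mirroring the chain described in the text.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE = [
    Event(T0, "WKS01", "EMSAdmin", "process_create", "taskkill.exe", "cmd.exe", "taskkill /IM MsMpEng.exe"),
    Event(T0 + timedelta(minutes=2), "WKS01", "EMSAdmin", "file_create", "mimikatz.exe"),
    Event(T0 + timedelta(minutes=5), "WKS01", "EMSAdmin", "process_create", "mimikatz.exe", "cmd.exe"),
    Event(T0 + timedelta(minutes=7), "WKS02", "jdoe", "file_create", "report.docx"),
]
```

Running `build_incidents(SAMPLE)` yields one incident for WKS01 whose alerts read High, Medium, High in time order, which is why a medium "name detected" alert can sit between two high ones in the pane.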
