Section 4: Microsoft Ecosystem Flashcards
(31 cards)
Which MITRE ATT&CK technique exploits a stolen item that can be leveraged to compromise a cloud instance by accessing the cloud Application Programming Interface (API)?
Credentials Acquisition
API Access Rights
MFA Bypass
Application Access Token
c8b3c2fd-37ec-43fd-95b7-4207b7173711
MITRE ATT&CK technique T1550.001 (Application Access Token) assumes that the attacker acquires some sort of token that, when sent along with an Application Programming Interface (API) request to the cloud provider, allows the action to take place — provided the account with which the token is associated has the proper rights.
Book 4 Page 7
Which MITRE ATT&CK technique’s goal is to exfiltrate sensitive information from emails hosted in cloud platforms, such as Microsoft 365 or Google Workspace?
Remote Email Collection
Remote Data Collection
Local Email Collection
Email Forwarding Rule
96c2d59f-bc1e-49ce-b5d6-98d13b779731
MITRE ATT&CK technique T1114.002 (Remote Email Collection) has only one goal: to exfiltrate data from the victim’s environment to an attacker-controlled system residing outside the victim’s environment. Remote Email Collection specifically targets the mail infrastructure, while Local Email Collection focuses on client-side systems, such as stealing an Outlook .PST or .OST file.
Book 4 Page 9
What is an important consideration before Azure Detection Services, such as MS Defender for Cloud, can be leveraged?
The appropriate log data must be sent to the Azure Elastic Search workspaces.
All log data must be sent to the Azure Log Sail Service.
The appropriate log data must be sent to the Azure Log Analytics workspaces.
Azure Detection Services automatically consume the appropriate log data.
679a9363-9590-44c0-9ac0-ef2626894319
Azure provides built-in threat detection and alerting services such as Microsoft Defender for Cloud and Microsoft Sentinel. Both capabilities require adequate log data stored in an Azure Log Analytics workspace. Examples of such log data include:
- Azure management activity
- Azure services’ diagnostic logs
- Virtual Machine logs
Book 4 Page 11
Which component of the Microsoft Defender for Cloud identifies deviations from security best practices, benchmark guidance, and compliance regulations?
Cloud Security Posture Management
Cloud Workload Protection
Azure Log Analytics
Microsoft Threat Intelligence
af3b798a-520a-42f1-9d99-7836ed286bc9
Microsoft claims that Microsoft Defender for Cloud enhances your security using two different techniques: acting as a Cloud Security Posture Management (CSPM) solution and as a Cloud Workload Protection (CWP) platform. CSPMs, as the name implies, are tasked with identifying deviations from security best practices, benchmark guidance, and compliance regulations. Microsoft Defender for Cloud meets this mark by offering an automated and frequent analysis of several common policies.
Book 4 Page 12
When leveraging Microsoft Defender for Cloud, what step must be taken to identify known adversarial TTPs against Azure Virtual Machines, such as the SSH brute-force alert?
The Logons plan must be enabled.
The Containers plan must be enabled.
The Servers plan must be enabled.
The Storage plan must be enabled.
4603529f-5510-43a2-962e-7b0046ffdf68
To take advantage of the Microsoft Defender for Cloud Security Alerts feature in Azure, the appropriate plan must be enabled. Different plans cover different attacker behaviors.
One of the plans is the Servers plan, which allows Azure VMs to send their feed to the Defender for Cloud platform; one of the predefined rules is SSH brute-force alert.
Book 4 Page 14
Which Analytics rule in Microsoft Sentinel runs once every minute and captures events ingested in the preceding minute?
Microsoft security rules
Scheduled rules
Near-real-time rules
Default rules
ID: df7eccec-9b9c-4966-82ae-9cc78c664080
- Scheduled rules generate an alert and/or incident.
- Microsoft security rules pull in alerts from other Microsoft products to generate an incident.
- Near-real-time (NRT) rules run once per minute.
Book 4 Page 21
Which of the following threat intelligence indicators can be created in Microsoft Sentinel?
Logon
File
Resource
Password
ID: a9b08dea-954d-47ee-b0ce-405236faae97
The supported indicators you can create in Microsoft Sentinel are:
- file: A hash of a suspicious or malicious file used during an attack. This would be a great indicator to see whether systems or cloud resources other than the presumed infected system also contain this file.
- domain-name: A known domain name used during attack campaigns. An example is a stage 2 malware download URL.
- ipv4-addr: An IP version 4 address. This indicator can be used to find other communication to an attacker discovered during an investigation. Perhaps the attacker was communicating elsewhere in the Azure ecosystem.
- ipv6-addr: This indicator is identical to ipv4-addr, but, of course, IP version 6.
- url: A Uniform Resource Locator (URL). This could be a known malware download site, data exfiltration location, or other internet-based system adversaries use to communicate with victim systems.
Book 4 Page 28
What Azure service offers automated suspicious activity identification using machine learning techniques?
Dynamic Identification of Suspicious Actions (DISA)
User and Entity Behavior Analytics (UEBA)
Unusual Activity Detection Analytics (UADA)
Account Analytics of User Behaviors (AAUB)
9773ff94-2f28-40ce-87f4-e17c7f15f9b5
Not all threats can be identified using atomic indicators — for example, behaviors of users or cloud resources can be monitored to identify suspicious actions. This requires comparing each action against a baseline of normal activity.
User and entity behavior analytics (UEBA) technologies automate suspicious activity identification using machine learning techniques.
Book 4 Page 29
What important characteristic of Microsoft 365 admin centers must be understood when securing Microsoft 365 SaaS?
Simplified, built-in, out-of-the-box detection strategies can be implemented.
A wide range of attributes can be fully customized.
There is only one admin center per customer’s instance.
Capabilities within the admin centers are limited.
ID: f2f4d8b7-66a3-430b-a7d6-ad15b7d5087b
There are a large number of admin centers in Microsoft 365. They are used to manage multiple service components at once or individual components. Capabilities within these admin centers are limited, with little, if any, customization. Customizations, when available, are quite rigid. The options presented to the end users are not as fully featured as what is available in Microsoft Azure. In fact, some of the detection strategies require the end user to get creative in their approach by querying the Microsoft Graph service directly to gain more insight into the Microsoft 365 resources.
Book 4 Page 39
Which detection feature of the Microsoft Exchange Admin Center can provide early warning of suspicious activity, such as slow transport rules, mail loops, or new forwarding rules?
Mail health-check
Mail flow
Message traces
Spam filtering
4203aeb6-f7d9-4183-956a-d7bac9a765e6
Mail flow – Can be used to discover mail loops, slow transport rules, and new forwarding rules. The security team can be notified via email of suspicious activity.
Spam filtering – Discovers likely spam messages and places them into quarantine. Can also be used to detect potential phishing from cousin domains.
Message traces – Query for email based on sender and receiver addresses.
Book 4 Page 40
Which of the following is a term used for domains that are similar to legitimate domains and are often used in phishing campaigns?
Twin domains
Command and control domains
Phish domains
Cousin domains
ID: b2e8021b-b13c-4d98-8bb9-3e75060ce450
Oftentimes, targeted phishing attacks may try to lure an unsuspecting user to click on a link. This link may look very similar to a legitimate link, but could be controlled by the attacker or, at the very least, contain malicious content that the attacker would like to leverage against this victim. These look-alike domains are known as cousin domains.
Book 4 Page 42
A compliance analyst needs to review the Microsoft 365 Compliance Admin Center log data. How can the analyst programmatically retrieve the log data from outside the time that it would be available within the Compliance Admin Center?
Use the Get-ComplianceLog PowerShell cmdlet.
Use the Office365ComplianceAnalyzer tool.
Use the Search-UnifiedAuditLog PowerShell cmdlet.
A programmatic option is not available.
50406084-6fff-411e-a1c4-bc816f78ad35
To programmatically access these data outside of the graphical user interface that is the Compliance Admin Center, the Search-UnifiedAuditLog PowerShell cmdlet is available to retrieve and query the audit log.
The Compliance Admin Center is used primarily for meeting the compliance needs of an organization. Normally, most data in Microsoft 365 related to user activity or detected threats are short-lived. Thirty to ninety days is a pretty typical lifespan for these data. With auditing, you have the power to retain this trail of events for the following intervals: ninety days, six months, nine months, one year, or ten years.
Book 4 Page 45
What is the next step after a storage location has been chosen when configuring DLP policies using the Microsoft 365 Compliance Admin Center?
Identify data to be protected.
Create rule conditions and actions.
Name and describe the policy.
Enable, test, or disable the policy.
ID: db88eae7-37c5-4754-a224-ec39e9c45193
Data Loss Prevention (DLP) is a great feature to prevent and detect malicious use of organization data within the Microsoft 365 services. This needs to be set up by the end users and can be done by using DLP policies. To create these policies, there are a few steps that the Microsoft 365 Compliance admin center will walk through:
Step 1: Identify the types of data to be protected.
Step 2: Name and describe the policy so that viewers can make sense of the policy and why it would have triggered a violation.
Step 3: Choose which of the available storage locations the policy pertains to.
Step 4: Create specific rule conditions (when to trigger) and actions (what to do when triggered).
Step 5: Enable, test, or disable the policy.
Book 4 Page 46
Once Microsoft 365 Defender is enabled, which component will allow an analyst to scan email for content of interest?
Explorer
Endpoints
Analytics
Auditing
ID: 10823319-0098-4fd4-855c-04ec7948d6c0
Microsoft 365 Defender contains a massive amount of defensive capabilities but does not automatically come with all Microsoft 365 subscriptions. Once Microsoft 365 Defender is enabled, some of the capabilities offered are redundant; but many more capabilities are now rolled into this one service, saving analysts from clumsily moving from one admin center to another:
Explorer: A new feature that can scan email for content of interest
Attack simulation training: Sends benign phishing emails to internal users
Incidents and alerts: Roll-up of all identified suspicious activity
Hunting: Manually search for data or activity of interest; also allows for custom detection rules
Threat analytics: Microsoft-provided analytics to identify malice
Endpoints: Perform inventory, vulnerability management, and configuration management of users’ devices
Auditing: The compliance admin center
Book 4 Page 47
What is a key question to answer when determining what is known normal in Entra ID?
Are guest users or external identities in use and are they approved?
How many Entra ID Domain Controllers should be provisioned?
What is the naming convention and structure of Organizational Units?
How many users are members of the Domain Administrators and Enterprise Administrators AD groups?
faa5ab2c-67c6-4189-b257-b579f5e03a73
Knowing what to expect in the Entra ID deployment you are tasked to protect is paramount. Some of the more important questions to answer related to Entra ID are as follows:
- Are guest users or external identities in use and are they approved?
- What users are currently in Entra ID?
- Which groups are in use and who are members of these groups?
- Which roles are assigned and to whom?
Book 4 Page 58
What conclusion can be made about a guest Entra ID User account with the following User Principal Name?
janedoe79_protonmail.com#EXT#@sec541.onmicrosoft.com
The user account is a member of the sec541.onmicrosoft.com Azure account.
The user is the Azure account owner.
A user from the sec541.onmicrosoft.com Azure account has invited them.
The user has extended attributes populated (based on the #EXT# tag).
64ef2d63-643e-4aba-9fa2-cd55dcffb5cf
#EXT# identifies that this account is an external account. The user type for this user account is Guest, which means that someone invited the external user to the Azure environment.
Book 4 Page 59
Which role assignments scope can be leveraged to apply permissions directly to a single Azure resource using Azure RBAC?
Entra ID
Resource
Resource Group
Classic Subscription Admin
9b49a401-73c7-4840-b3be-540cffb48559
Resource roles can be leveraged to apply permissions directly to a single Azure resource. In the Classic Subscription Admin role, an administrator can directly apply permissions that affect all resources deployed within the Azure subscription. A resource group holds one or more Azure resources that are placed into it during deployment, and resource group roles, as you could likely guess, control access to all resources within the resource group.
Book 4 Page 60
How long are the logs stored and viewable in the Entra ID service?
Twenty-four hours
Seven days
One month
Twelve months
Entra ID logs are only stored and viewable in the Entra ID service for one month.
Book 4 Page 66
Which Azure Log Analytics workspaces table would contain an audit trail of sign-ins performed by a client application or OS component on behalf of a user?
AADNonInteractiveUserSignInLogs
ApplicationLogs
AuditLogs
AADManagedIdentitySignInLogs
bf44e83c-7940-4d46-8d30-586add970e3f
If the log data are exported to Azure Log Analytics workspaces, there will be several tables generated as the log data arrive. Some common tables that are generated include:
The AADNonInteractiveUserSignInLogs table would be most helpful to investigate a type of interaction where a user is leveraging some sort of client application or operating system component to interact with the Azure environment.
The AADManagedIdentitySignInLogs can be very useful if monitoring or investigating where Azure service components (like an Azure Virtual Machine) are leveraging either a user-assigned or system-assigned managed identity.
The AuditLogs table will capture activity log–like data related to the Entra ID service. If strange configurations, users, groups, or other resources are noticed in Entra ID, a record of this activity and context around the interaction can be viewed in this table.
The SignInLogs table can be very valuable if determining when, how, and from where users are signing into the Azure environment.
Book 4 Page 75
An analyst is looking to identify if a new Azure account was added as a persistence mechanism. Which of the following logs should they search for the “add user” operation?
Application logs
AuditLogs
Azure Resource logs
Sign-in logs
09993339-14b7-44da-9d2e-5e43fd2e5cf1
To identify the user creation persistence technique, you will need to craft two queries: one to find evidence of a new user creation event and one for that user being assigned either a role or, in this case, to a group. Both queries will leverage the AuditLogs table in Log Analytics, which has been fed event data from Entra ID.
Book 4 Page 81
An attacker would like to use the local agents on cloud virtual machines to execute script content; which of the following resource provider operations would they require?
Microsoft.Compute/VirtualMachines/RunCommand/Action
Microsoft.ClassicCompute/virtualMachines/start/action
Microsoft.ClassicCompute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/login/action
ID: 03e85ed6-02b0-47f6-9a6a-206a3856a5dc
The Microsoft.Compute/VirtualMachines/RunCommand/Action resource provider operation is required to use the Run Command feature to execute commands inside a virtual machine. This operation grants the necessary permissions to execute commands on the VM via the installed agent. Attackers who obtain these permissions can exploit this feature to run malicious scripts or commands, gaining control over the VM without needing direct network access to it.
Book 4 Page 85
What minimum access is required to use the serial console of a virtual machine in Azure Cloud?
Tenant global admin
Cloud account
None
Local account
b48f2909-2afb-4bc7-8a0f-a52ae9162817
If enabled for the VM, attackers could access the console of the VM. This requires a local account with credentials that the attacker knows or can guess.
Book 4 Page 87
What can be inferred when the Creation Time and the Last Modified time are different in an Azure blob storage container that is specifically used to keep historical log data?
The historical log entries are indexed by the Azure Cognitive Search service and the Last Modified time reflects the latest indexing activity.
A backup job has successfully completed and the Last Modified time reflects the latest backup timestamp.
A backup job has failed and the Last Modified time is used to identify which files failed to back up.
An attacker may be attempting to cover their tracks by modifying the historical log entries.
5a7bf047-3670-4da9-a144-cc9c23a44083
Azure generates metadata for blobs uploaded to the container. These data are retrievable using both the Azure Portal and the Azure CLI.
When historical log data are stored in an Azure Storage container, these data, being log data, are not expected to have changed. That is unless, perhaps, a mistake has been made by an administrator. Even worse, what if a malicious user is trying to cover their tracks by manipulating the records? Comparing the Creation Time and Last Modified metadata fields would allow you to catch either one of these by revealing the change. In fact, being log data, if the Creation Time and Last Modified entries were different, that would show an alteration to the data.
Book 4 Page 95
What would an analyst be looking for when they execute the following Azure CLI command?
az storage container list --account-name $storageAcctName --query "[?properties.publicAccess=='blob' || properties.publicAccess=='container']"
Azure blob storage containers that have public access disabled
Azure blob storage containers that are responsible for the highest monetary cost
Azure blob storage containers that are present in the given storage account
Azure blob storage containers that are not configured as private
c3cff31b-991f-43de-8086-7976ccacdb9b
Azure Storage offers three public access levels that a blob container can be set to. The first option, and the default in Azure, is Private, which means only Entra ID users with proper rights can access the container and its stored data. The second option, Blob, on the other hand, allows users, both inside and outside of Azure, the ability to access the blob data. Lastly, and exposing the most to the public, is Container. This option allows for not only reading the blob data, but also listing the container’s contents.
A way to efficiently identify publicly accessible Azure Storage containers and blobs is to leverage the tools provided by Azure: the Azure PowerShell Get-AzStorageContainer cmdlet and the Azure CLI tool’s az storage container list command.
The Azure CLI command in the question searches the $storageAcctName storage account for containers whose publicAccess property is set to blob or container. Both of these levels are publicly accessible. Therefore, the command is identifying blob storage containers not configured as private.
Book 4 Page 98