alerts (315 topics)

Uncover the latest cloud data security capabilities from Microsoft Defender for Cloud
Learn about the latest multicloud data security capabilities from Microsoft Defender for Cloud to strengthen your data security posture and protect your cloud data estate against data breaches and malware distribution.

Announcing the enhanced Microsoft Sentinel AWS CloudTrail solution, powered by new MITRE-Based Rules
Use the updated Microsoft Sentinel AWS CloudTrail solution to better protect your AWS environment. The updated solution includes over 70 MITRE-based rules, plus monitoring and alerting capabilities to detect suspicious activity in your environment.

Microsoft Defender for Cloud - Elevating Runtime Protection
In today's rapidly evolving digital landscape, runtime security is crucial for maintaining the integrity of applications in containerized environments. As threats become increasingly sophisticated, the demand for more adaptive protection continues to rise. Attackers no longer rely on generic exploits; they actively target weaknesses in container configurations, runtime processes, and shared resources. From injecting malicious code to escalating privileges and exploiting kernel vulnerabilities, their tactics are constantly evolving. Meeting these challenges requires continuous monitoring, validation of container immutability, and anomaly detection, so that threats can be prevented and responded to in real time and containers stay protected throughout their lifecycle. Building on these best practices, Microsoft Defender for Cloud delivers advanced runtime threat protection for containerized environments, providing real-time defense and adaptive security against evolving threats.

Empowering SOC with real-time threat detection

At the heart of our enhanced runtime protection lie our advanced detection capabilities. To stay ahead of evolving threats and offer near real-time detection, Microsoft Defender for Cloud is announcing significant advancements in its eBPF sensor. The sensor now produces Kubernetes alerts powered by the Microsoft Defender for Endpoint (MDE) detection engine in the backend. Drawing on Microsoft's security expertise, we have tailored MDE's detection capabilities to the specific challenges of containerized environments: detections are validated against container-specific threat landscapes, enriched with relevant context, and tuned where needed, so that the solution delivers the accuracy and effectiveness that cloud-native environments require.
By using the MDE detection engine, we offer the following enhancements:
- Near real-time detection: timely alerts let you respond quickly to threats and minimize their impact.
- Expanded threat coverage: detection now covers a broader range of threats, such as binary drift, and additional threat matrix coverage.
- Enhanced visibility: gain deeper insight into your container environment with detailed threat information and context that is sent to Defender XDR for further investigation.

Switching between multiple portals leaves customers with a fragmented view of their security landscape and hinders efficient investigation and response. To address this, Defender for Cloud alerts are integrated with Defender XDR. Centralizing alerts from both solutions within Defender XDR gives customers comprehensive visibility of their security landscape and simplifies incident detection, investigation, and response.

Introducing binary drift detection

To maintain optimal security and performance, containerized applications should strictly adhere to their defined boundaries. With binary drift detection in place, unauthorized code injections can be swiftly identified: by comparing the modified container image against the original, the system detects any discrepancies, enabling a timely response to potential threats. Combined with other security measures, binary drift detection reduces the risk of exploitation and protects containerized applications from malicious attacks.

Figure: An example of binary drift detection

Key takeaways from the above illustration:
- Common Vulnerabilities and Exposures (CVEs) pose significant risks to containerized environments.
- Binary drift detection can help identify unauthorized changes to container images, even when they result from CVE exploitation.
- Regular patching and updating of container images are crucial to prevent vulnerabilities.
In some customer environments, deviating from best practices is common. For example, tasks such as debugging and monitoring often require running processes that are not part of the original container image. To handle this, binary drift detection ships with a flexible policy system that lets you choose when to receive alerts and when to ignore them. You can customize these settings per cloud environment or by filtering specific Kubernetes resources.

Learn more about binary drift detection

For a deep dive into binary drift detection and how it can enhance your container security posture, please see: Container, Security, Kubernetes.

Presenting new scenario-driven alert simulation

Simulate real-world attack scenarios within your containerized environments with this simulator, so that you can test your detection capabilities and response procedures. Examples of the attack scenarios that can be simulated with this tool:
- Reconnaissance activity: mimic the actions of attackers as they gather information about your cluster.
- Cluster-to-cloud: simulate lateral movement as attackers attempt to spread across your environment.
- Secret gathering: test your ability to detect attempts to steal sensitive information.
- Crypto-mining activity: simulate the impact of resource-intensive crypto-mining operations.
- Webshell invocation: test your detection capabilities for malicious web shells.

You gain valuable insight into your security controls and can identify areas for improvement. The tool provides a safe, controlled environment to practice incident response, ensuring that your team is well prepared to handle real-world threats.

Key benefits of scenario-driven alert simulation:
- Test detection capabilities: validate your ability to identify and respond to various attack types.
- Validate response procedures: ensure your incident response teams are prepared to handle real-world threats.
- Identify gaps in security: discover weaknesses in your security posture and address them proactively.
- Improve incident response time: practice handling simulated incidents to reduce response times in real-world situations.

Figure: Alert simulation tool

Enhancing Cloud Detection and Response (CDR)

From detection to resolution, we have streamlined every step of the process to ensure robust and efficient threat management. With better visibility, faster investigation, and precise response capabilities, SOC teams can confidently address container threats, reducing risk and operational disruption across multi-cloud environments.

Cloud-native response actions for containers

Swift and precise containment is critical in dynamic, containerized environments. To address this, we have introduced cloud-native response actions in Defender XDR, enabling SOC teams to:
- Cut off unauthorized pod access and prevent lateral movement by instantly isolating compromised pods.
- Stop ongoing malicious pod activity and minimize impact by terminating compromised pods with a single click.

These capabilities are designed for the specific challenges of multi-cloud ecosystems, helping security teams reduce Mean Time to Resolve (MTTR) and ensure operational continuity.

Figure: Response actions
Figure: Action center view

Log collection in advanced hunting

Limited visibility into Kubernetes activity, cloud infrastructure changes, and runtime processes weakens threat detection and investigation in containerized environments. To bridge this gap, we have enhanced Defender XDR's advanced hunting experience by collecting:
- KubeAudit logs: detailed insight into Kubernetes events and activities.
- Azure control plane logs: a comprehensive view of cloud infrastructure activity.
- Process events: detailed runtime activity.
This enriched data enables SOC teams to perform deeper investigations, hunt for advanced threats, and create custom detection rules. With full visibility across AKS, EKS, and GKE, these capabilities strengthen defenses and support proactive security strategies.

Figure: Advanced hunting view

Accelerating investigations with built-in queries

Lengthy investigations delay incident resolution and can give an attack the time it needs to succeed. To address this, we have equipped "go hunt" with pre-built queries tailored to cloud and container threats. These built-in queries allow SOC teams to:
- Spend their time identifying attacker activity rather than writing custom queries.
- Gain insight in minutes instead of hours, cutting investigation time substantially.

This streamlined approach improves SOC efficiency, so that teams spend more time on remediation and less on query development.

Figure: Go hunt view

Bridging knowledge gaps with guided response using Microsoft Security Copilot

Many security teams, especially those working in complex environments such as containers, may not have deep expertise in every aspect of container threat response, and they may encounter threats or vulnerabilities they have not seen before. We are excited to integrate with Security Copilot to bridge this gap. Security Copilot offers:
- Step-by-step, context-rich guidance for each incident.
- Tailored recommendations for effective threat containment and remediation.

By drawing on AI-driven insights, Security Copilot lets SOC teams of varying expertise levels handle incidents with precision, ensuring consistent and effective responses across the board.

Figure: Security Copilot recommendations

Summary

Microsoft Defender for Cloud has introduced significant advancements in runtime protection for containerized environments.
By using the Microsoft Defender for Endpoint (MDE) detection engine, the solution now offers near real-time threat detection, improving threat visibility and response. A key feature, binary drift detection, monitors changes in container images to identify unauthorized modifications and prevent security breaches. In addition, the integration with Defender XDR centralizes alerts, providing comprehensive visibility and simplifying incident detection, investigation, and response. With the new cloud-native response actions and advanced hunting capabilities, SOC teams can confidently address container threats, reducing risk and operational disruption across multi-cloud environments.

Learn more

Ready to elevate your container security? Try the new features firsthand with the simulator: test them in your containerized environments and see the difference.

Alerts for Kubernetes Clusters - Microsoft Defender for Cloud | Microsoft Learn

Common scenarios using Watchlists (with query examples)!
Watchlists in Microsoft Sentinel allow you to correlate data with events in your Microsoft Sentinel environment. Watchlists can be used for searching, detection rules, threat hunting, and in response playbooks. This blog highlights the four common use cases for watchlists and then describes sample scenarios for each.

Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
Hello,

I have an activity alert set up to email me whenever a login is detected from one of my 12 Office 365 email users. These emails contain the username logging in and the IP address the login originated from. Until the end of 2019, all IP addresses were expected, either being that of the office, the Vodafone mobile network or the home addresses of the sales guys. In 2020, I have started getting login alerts which, according to https://whatismyipaddress.com/, are from Microsoft datacentres in Ireland, Holland and Austria, all with "Microsoft Corporation" as the ISP and sometimes with the same for the Organisation and sometimes with "Microsoft Azure", e.g. 40.101.88.221 (Amsterdam), 40.101.102.149 (Dublin).

Worried about potential breaches, I contacted Microsoft Support (who, by the way, are always ON IT, thank you), who helped me find info in the audit log to say the User Agent is BAV2ROPC, which led me to this page https://www.reddit.com/r/Office365/comments/bl90gw/bav2ropc_user_agent_in_logs/ where someone found it means "Business Apps v2 Resource Owner Password Credential", which is apparently the User Agent for an updated version of Outlook Mobile.

I have a couple of questions / observations and wondered if anyone could shed any light on this.

1) My users don't know their passwords, so it's highly unlikely they've been phished, so I don't think these are breaches.
2) My email account has triggered logins from Microsoft IP addresses, and I have 2-factor authentication turned on where I receive a text message code to my mobile. I have not received texts in relation to these logins, so again I don't think it's a breach.
3) I don't use Microsoft Outlook on my mobile, so I don't think I'd be generating this BAV2ROPC user agent (but I am on the Activity Alerts).
4) If it was a device I was using causing this user agent, why aren't the Activity Alerts logging my IP address from my device's location?
5) My account is used to sign in programmatically in a piece of software I wrote, so that could explain it for my account, but I'm also getting alerts for users who only access their email on their Android phone in the built-in email app.
6) The frequency at which I'm receiving Activity Alerts from Microsoft IP addresses is increasing. I get a few a day now.

In summary, I don't think there's anything untoward going on, but as a responsible admin, I'd like to understand exactly what's occurring.

Many thanks,
Dave

Microsoft Defender for Cloud latest protection against sophisticated abuse of Azure VM Extensions
Introduction

In recent years, the IT world has shifted its workloads, management layers, and machines to the cloud, introducing a new attack surface and new attack vectors. This shift has given threat actors new ways to deploy cyber-attacks against organizations' cloud environments, gain strong permissions, operate for financial gain, and more. After compromising an identity with sufficient permissions in Azure, threat actors often try to abuse existing features of the environment that let them carry out their malicious activity stealthily, efficiently, and easily. One such feature is Azure VM extensions.

Announcing new detections and alerts against extension abuse

Azure VM extension abuse has never left Microsoft's sight since its first appearance, and a previous publication has discussed the topic. Today, as a result of extensive research and monitoring, we are announcing the new and enhanced protection capabilities that Microsoft Defender for Cloud offers against extension abuse as part of the Microsoft Defender for Servers plan 2 offering, and why they matter. Customers get these protection capabilities effortlessly, without having to deploy a dedicated agent on the VM.

Azure virtual machine extensions

Azure virtual machine extensions are small applications that provide post-deployment configuration and automation on Azure VMs, such as software updates, code and script execution, antimalware deployment, and more. VM extensions play an instrumental role in workload management and VM maintenance. Many organizations' cloud environments depend on extension capabilities such as automated configuration deployment, security management, continuous monitoring, troubleshooting, and log analytics.
On the other hand, extensions can be abused as a powerful cloud-native tool by threat actors who have gained an initial foothold in the victim's Azure environment. Gated only by Azure RBAC permissions, VM extensions let threat actors execute operations with high privileges to carry out stealthy and destructive cyber-attacks. In this blog, we discuss the various extensions, what makes each unique, and the corresponding MITRE techniques that are abused in the wild and researched in the security community, and we introduce Microsoft Defender for Cloud's new series of alerts that combats this abuse.

Threat hunting

Reconnaissance

Network Watcher, Azure Monitor, VMSnapshot extensions

These extensions enable various kinds of data collection and monitoring over network traffic, resource data, diagnostics, analytics, and more.

Network Watcher allows threat actors to capture network traffic, analyze packets, verify IP flow, and diagnose network security groups (NSGs). The tool can be invaluable to advanced threat actors looking to learn the environment's topology and identify weaknesses in the victim's cloud environment by:
- Understanding the structure of the environment's security framework.
- Using IP flow verify to check which packets are allowed and so find exposed resources.
- Analyzing existing NSGs to determine how to manipulate them to gain access and then persistence.

Azure Monitor allows threat actors to create data collection rules over resources in order to capture various kinds of machine logs and events. Capturing Windows events such as security, system, and application logs can be of high value to threat actors gathering information about the compute running inside the environment. This is done by creating a dedicated Log Analytics workspace that consumes the logs from the Azure Monitor agent on the VM.

VMSnapshot allows threat actors to capture VM disk snapshots as part of the Azure Backup service.
Through Microsoft's extensive research and investigation of recent sophisticated attacks, evidence shows that threat actors not only attempt to reset passwords and gain access and persistence on VMs by leveraging the VMAccess extension (discussed later), they also attempt to capture disk snapshots of VMs that interest them during the initial phases, by leveraging Azure Backup capabilities. Capturing disk snapshots allows threat actors to export critical data from the VM's disks within a short window of time to a local or remote location, using a dedicated download URL or by copying the disk to another location in the environment. The threat actors then attempt to attach the disk snapshots to machines under their control, after converting them to the right format.

Execution

Azure VM extensions offer a variety of ways to execute code and run scripts as SYSTEM/sudo on your virtual machines, giving threat actors a powerful tool to deploy their attack techniques at scale:

(Managed) Run Command

Run Command uses the VM agent to run scripts on the VM as SYSTEM/sudo. It can be abused in a variety of ways: running recon commands to learn about the victim's cloud environment, creating local admin users for persistence, downloading payloads onto the machine, executing crypto miners for impact, and more.

Custom Script Extension (CSE)

The Custom Script Extension allows the user to download and run a script on the VM as SYSTEM/sudo. CSE can be used to deploy different attack vectors at scale, especially to run the same script across the VMs of a virtual machine scale set (unlike Run Command). As an example, Microsoft witnessed a threat actor abusing the following techniques:
- Password spraying campaign: the threat actor gains initial access to user accounts in Azure.
- Mass compute resource creation: the threat actor sets up the crypto mining environment with the needed network resources.
- Mass deployment of XMRig software on all compute using the Custom Script Extension to initiate the crypto mining campaign.

Azure Desired State Configuration (DSC) extension

The extension uploads and applies a DSC configuration on the VM. Using DSC, threat actors can maliciously deploy scheduled tasks, apply configurations, and execute scripts, resulting in the deployment of a backdoor, connection to a C2 (command and control) server, extraction of the VM's managed identity, and more.

Persistence

Virtual Machine Access extension

The VMAccess extension allows the user to manage administrative users and reset access on Azure VMs. Threat actors often abuse it to gain access to VMs inside the victim's environment after gaining an initial foothold, by resetting passwords and SSH keys and manipulating the VM's admin users. As a result, they can pick their target inside the environment and gain access to it using only the cloud-native RBAC roles needed to execute the extension, and go on to discover sensitive information and disrupt critical workloads.

We can see that the new user can successfully run commands as sudo:

Impact

GPU Driver extension

The extension installs the NVIDIA or AMD GPU drivers on supported GPU-equipped VMs so that workloads can take full advantage of the card. Threat actors can leverage this capability to deploy a GPU driver on supported Azure VMs in the victim's environment, follow up with the installation of crypto mining software via the Custom Script Extension or another technique, and move on to the mining phase.

Disk Encryption extension

Azure Disk Encryption uses BitLocker to provide full disk encryption on Azure virtual machines.
Threat actors can abuse this extension by encrypting the disks of VMs in the victim's cloud environment that interest them, with the goal of rendering all data permanently inaccessible by deleting the encryption key or the key vault that contains it. In such cases, it is crucial for the victim to be aware of purge protection and the other measures Microsoft provides to delay or prevent deletion of the encryption key.

Detection

Having gone through the abuse scenarios for the various VM extensions, we now turn to Microsoft's new detection capabilities and techniques, and how we defend customers through continuous monitoring and analysis of suspicious signals, from the control plane to the endpoint. Microsoft Defender for Cloud is announcing a new series of alerts targeting Azure VM extension abuse, available to customers through Microsoft Defender for Servers plan 2. The new detections target not only a wide range of abuse techniques but also a wide range of extension abuse types, to protect customers against emerging attack vectors. Through extensive research, we have singled out the suspicious signals for which the likelihood of a breach is high, and by studying user behavior and monitoring for such signals we are able to detect suspicious activity. Some of these signals are:
- Usage of VM extensions by a user account that has not used any VM extensions recently.
- A sudden surge in extension usage by a suspicious user account, which might indicate post-breach reconnaissance, impact, or persistence activity.
- Code or script execution containing parts that indicate malicious intent.
- Usage of a combination of extensions in a short time window, which might indicate a recon attempt.
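As an added example (my own Python, not code from the post or from Defender for Cloud), the following sketches three of the signals above, the dormant caller, the usage surge and the multi-extension window, over constructed, simplified records of extension control-plane operations; the record fields, caller names, thresholds and time windows are all assumptions, and the script-content signal is not covered.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed, simplified records (NOT the real Azure Activity Log schema): one
# row per extension-related control-plane operation by a caller on a VM.
def _ev(ts, caller, vm, ext):
    return {"time": datetime.fromisoformat(ts), "caller": caller, "vm": vm, "extension": ext}

SAMPLE_EVENTS = [
    # ops-admin runs the same CustomScript rollout every Monday morning (baseline)
    _ev("2024-04-22T09:00:00", "ops-admin@contoso.example", "vm-web-01", "CustomScript"),
    _ev("2024-04-29T09:00:00", "ops-admin@contoso.example", "vm-web-01", "CustomScript"),
    _ev("2024-05-06T09:00:00", "ops-admin@contoso.example", "vm-web-01", "CustomScript"),
    _ev("2024-05-13T09:00:00", "ops-admin@contoso.example", "vm-web-01", "CustomScript"),
    _ev("2024-05-20T09:00:00", "ops-admin@contoso.example", "vm-web-01", "CustomScript"),
    # sales-user has never touched extensions, then uses four kinds in ten minutes
    _ev("2024-05-20T14:02:00", "sales-user@contoso.example", "vm-db-01", "NetworkWatcher"),
    _ev("2024-05-20T14:05:00", "sales-user@contoso.example", "vm-db-01", "VMAccess"),
    _ev("2024-05-20T14:07:00", "sales-user@contoso.example", "vm-db-01", "RunCommand"),
    _ev("2024-05-20T14:09:00", "sales-user@contoso.example", "vm-db-02", "CustomScript"),
    _ev("2024-05-20T14:11:00", "sales-user@contoso.example", "vm-db-03", "CustomScript"),
]
NOW = datetime.fromisoformat("2024-05-20T23:59:59")  # assumed evaluation time


def _split(events, now, window, lookback):
    """Partition events per caller into the detection window [now-window, now]
    and the baseline period of length `lookback` that precedes it."""
    recent_start = now - window
    recent, history = defaultdict(list), defaultdict(list)
    for e in events:
        if recent_start <= e["time"] <= now:
            recent[e["caller"]].append(e)
        elif recent_start - lookback <= e["time"] < recent_start:
            history[e["caller"]].append(e)
    return recent, history


def dormant_callers(events, now=NOW, window=timedelta(days=1), lookback=timedelta(days=30)):
    """Signal 1: callers active in the window with no extension use in the lookback."""
    recent, history = _split(events, now, window, lookback)
    return sorted(c for c in recent if not history.get(c))


def surging_callers(events, now=NOW, window=timedelta(days=1), lookback=timedelta(days=30),
                    min_count=5, ratio=3.0):
    """Signal 2: callers whose operation count in the window is at least min_count
    and at least `ratio` times their baseline rate scaled to the same window."""
    recent, history = _split(events, now, window, lookback)
    out = []
    for caller, evs in recent.items():
        expected = len(history.get(caller, [])) * (window / lookback)  # baseline per window
        if len(evs) >= min_count and len(evs) >= ratio * expected:
            out.append((caller, len(evs)))
    return sorted(out)


def extension_combos(events, span=timedelta(minutes=15), min_kinds=3):
    """Signal 4: a caller using >= min_kinds distinct extensions within `span`
    (possible recon). Returns the first qualifying window per caller."""
    by_caller = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_caller[e["caller"]].append(e)
    hits = []
    for caller, evs in sorted(by_caller.items()):
        for i, start in enumerate(evs):
            kinds = {x["extension"] for x in evs[i:] if x["time"] - start["time"] <= span}
            if len(kinds) >= min_kinds:
                hits.append((caller, start["time"].isoformat(), tuple(sorted(kinds))))
                break
    return hits


if __name__ == "__main__":
    print("dormant:", dormant_callers(SAMPLE_EVENTS))
    print("surge:", surging_callers(SAMPLE_EVENTS))
    print("combos:", extension_combos(SAMPLE_EVENTS))
```

In the sample, only sales-user trips all three rules, while ops-admin's weekly rollout is treated as baseline; in practice the baseline would come from your own activity-log history and the thresholds would be tuned to it.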
Mitigation

Identities in Azure require certain highly privileged roles to use extensions; this is yet another example of how identities and permissions form the core of a cloud environment's access controls. We therefore recommend building a least-privilege framework that grants each identity only the permissions needed for its dedicated, legitimate operations, preventing imminent attacks. In addition, continuous monitoring and detection efforts are essential to remediate ongoing attacks and prevent future ones.

Conclusion

With the advent and continued growth of cloud computing in Azure, many threat actors rely on techniques that facilitate the deployment of malicious activity, and so target Azure VM extensions. As a result of in-depth research and continued monitoring, Microsoft Defender for Cloud is announcing a detection campaign that provides its customers with strong security measures against sophisticated attack vectors and threat actor campaigns that abuse extensions.

Learn more about VM extensions: Link
Learn more about the new series of alerts: Release Notes, Azure VM extensions alerts table
Learn more about Defender for Cloud plans: Link
Learn more about Defender for Servers plans: Link

Announcing Microsoft Defender for Cloud capabilities to counter identity-based supply chain attacks
In this blog, we will demonstrate the mechanisms of identity-based supply chain attacks in the cloud and discuss how service providers’ cloud access can be used by attackers for identity-based supply chain attacks. We will also show how a new alert enrichment in Microsoft Defender for Cloud can help to detect and remediate those threats.