Most organizations don’t know what Microsoft threats they should be monitoring for and struggle to get these fundamental detection capabilities in place.
Blumira’s automated detection & response platform allows organizations of any size to monitor, detect and respond to real threats – all in a single platform – and can be deployed in under an hour. Our integrations with many Microsoft services allow you to connect to Blumira and start streaming logs for immediate analysis and security value.
Attackers commonly use externally accessible Remote Desktop Protocol (RDP) and Server Message Block (SMB) to gain remote control of a Windows Server. RDP and SMB should not be exposed to the internet. Blumira detects and notifies you of any RDP and SMB connections from public sources, then provides next steps and best security practices for misconfigurations.
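The misconfiguration check described above, as an added example that is not Blumira's own detection code: it reads constructed, simplified firewall connection records (timestamp, source IP, destination IP, destination port, action; not real Windows or Blumira output), and flags any allowed connection to RDP (3389) or SMB (445) whose source falls outside the internal address ranges. The internal ranges are listed explicitly rather than relying on a library's notion of "private", so the documentation-range addresses used as constructed external sources are classified predictably.

```python
import ipaddress
import re

# Constructed sample connection records in the form
#   "<timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for arbitrary internet sources; they are not real attacker addresses.
SAMPLE_CONNECTIONS = """\
2024-05-01T10:00:00 203.0.113.5 10.0.0.20 3389 ALLOW
2024-05-01T10:00:05 10.0.0.7 10.0.0.20 3389 ALLOW
2024-05-01T10:00:09 198.51.100.42 10.0.0.21 445 ALLOW
2024-05-01T10:00:12 10.0.0.8 10.0.0.21 445 ALLOW
2024-05-01T10:00:15 203.0.113.5 10.0.0.20 443 ALLOW
2024-05-01T10:00:20 203.0.113.9 10.0.0.22 445 BLOCK
"""

# Ports that should never accept connections from the internet.
EXPOSED_SERVICE_PORTS = {3389: "RDP", 445: "SMB"}

# Address ranges treated as internal (RFC 1918, loopback, link-local).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<action>\S+)$"
)


def is_internal(ip_text):
    """True if the address sits in one of the listed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_public_rdp_smb(log_text):
    """Return (src, dst, port, service) for each allowed RDP/SMB connection
    that originated outside the internal ranges."""
    findings = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        port = int(m["port"])
        if port not in EXPOSED_SERVICE_PORTS:
            continue
        if m["action"].upper() != "ALLOW":
            continue  # blocked attempts are noise for this specific finding
        if is_internal(m["src"]):
            continue
        findings.append((m["src"], m["dst"], port, EXPOSED_SERVICE_PORTS[port]))
    return findings


if __name__ == "__main__":
    for src, dst, port, service in find_public_rdp_smb(SAMPLE_CONNECTIONS):
        print(f"{service} reachable from public source {src} -> {dst}:{port}")
```

Each finding is the starting point for the remediation the text describes: confirm whether the service needs to be reachable at all, then move it behind a VPN or gateway and remove the inbound rule.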
Password spraying is a technique attackers use to authenticate to your network or applications by trying many usernames paired with a single password. It is used to discover weak passwords that are then leveraged to move laterally throughout your environment. Early detection can prevent unauthorized access and stop system compromise. Blumira detects and notifies you when this attack is used in your Windows environment and guides you through remediation.
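A worked illustration of the distinction the paragraph draws, added here and not Blumira's detection logic: password spraying shows up as one source trying many different usernames in a short window, whereas a classic brute-force attempt is one username hammered many times. The code below parses constructed failed-logon records (timestamp, source IP, target user; a simplified stand-in for Windows Security event 4625) and uses a sliding time window per source to report only the spray pattern. The window and threshold values are assumptions chosen for the sample, not tuned production values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-logon records: "<timestamp> <src_ip> <user>".
# Source 10.0.0.5 sprays one password across six accounts;
# source 10.0.0.9 brute-forces a single account six times.
SAMPLE_FAILED_LOGONS = """\
2024-05-01T09:00:01 10.0.0.5 alice
2024-05-01T09:00:03 10.0.0.5 bob
2024-05-01T09:00:04 10.0.0.5 carol
2024-05-01T09:00:06 10.0.0.5 dave
2024-05-01T09:00:07 10.0.0.5 erin
2024-05-01T09:00:09 10.0.0.5 frank
2024-05-01T09:01:00 10.0.0.9 alice
2024-05-01T09:01:30 10.0.0.9 alice
2024-05-01T09:02:00 10.0.0.9 alice
2024-05-01T09:02:30 10.0.0.9 alice
2024-05-01T09:03:00 10.0.0.9 alice
2024-05-01T09:03:30 10.0.0.9 alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)$")


def parse_failed_logons(text):
    """Parse records into (timestamp, source, user) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"]))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source: peak distinct users} for sources that tried at least
    `min_users` different accounts within any `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    alerts = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {u for _, u in attempts[start:end + 1]}
            if len(distinct) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_password_spray(parse_failed_logons(SAMPLE_FAILED_LOGONS)).items():
        print(f"possible password spray from {src}: {count} distinct accounts")
```

Counting distinct usernames per source, rather than raw failure volume, is what keeps the brute-force source out of the spray alert; in practice the two patterns warrant different responses (lockout policy review versus account-specific investigation), which is why they are worth separating at detection time.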
Common Windows Exploits & Hacker Tools
BlueKeep (CVE-2019-0708) is a critical severity exploit that affects Microsoft’s RDP, allowing for remote code execution. Blumira detects when BlueKeep is being used by an attacker to either gain a foothold into your environment and/or move laterally within it. Blumira also provides a playbook of best security practices to reduce your exposure to this vulnerability.
Cobalt Strike is a tool that can be used to conduct targeted attacks like spear phishing, emulate malware and other threat tactics. It uses different techniques to evade detection by common security solutions like antivirus software. Blumira detects when Cobalt Strike is being used, indicating a user has either been exploited by an outside attacker or an attacker has gained a foothold into your environment.
Mimikatz is a credential theft tool that targets Windows environments, dumping passwords, hashes, PINs and Kerberos tickets from memory. It enables attacks like pass-the-hash, pass-the-ticket or forging Kerberos Golden Tickets. Blumira detects when Mimikatz is executed via endpoint antivirus logs, indicating an attacker has gained access to your systems and is running the tool in memory in an attempt to steal user credentials.
For cloud productivity and collaboration tools like Office 365 and G Suite, Blumira can detect external document shares that potentially expose internal files to external entities and allow for malicious data exfiltration. For our Office 365 integration, Blumira can also detect when your accepted domains are expiring soon, whenever there’s mass deletion of Office 365 objects, and any email loops (if recipients aren’t found in the service).
Blumira also detects anonymous network traffic (like Tor), which can indicate data exfiltration from a corporate network tunneling through a malicious server.
To protect sensitive data held by domain controllers, Blumira alerts on Azure ATP’s detection of data exfiltration over SMB, which fires when suspicious transfers of data are observed from your monitored domain controllers.
Ransomware continues to plague organizations of any size and industry – but there are many indicators of attacks that, if detected early and often, can alert your team to contain the impact of a potential compromise and prevent ransomware infection.
Blumira identifies, alerts and walks you through incident response whenever an indicator of a ransomware attack in progress is detected in your Microsoft environment. The chain of infection involves several different stages, tactics, techniques and procedures (TTPs):
- Reconnaissance Scanning – This is an early indicator of attackers conducting the discovery stage of an attack; getting to know your environment, network, systems, users, etc. in order to understand where you may be vulnerable
- Privilege Escalation – Attackers will use different techniques to elevate their permission levels, create new domain or admin accounts in order to gain access to your data and infect your systems with ransomware
- Data Exfiltration – At this point, attackers are connecting to their own servers and/or exfiltrating your data. Blumira detects any indicators of data being transferred out of your environment, as well as different protocols and methods used to conduct it.
- Exposure Due to Misconfigurations – Public connections to RDP and SMB are commonly exploited by attackers for initial access to your organization’s systems, and often result in ransomware infection. Detecting Microsoft misconfigurations like these can help you respond early, prevent attacker access and ransomware infection.
- Malicious Executables or Malware Applications – By executing malicious files, attackers can download malware and hacker tools that can be used to deploy ransomware across your systems.
Detecting these threats early can help you stop a ransomware infection and limit the impact of an attack.
In addition to threats, risks and suspects, Blumira also detects and alerts you to day-to-day operational events, such as high-availability failover, disk capacity, CPU spikes, system notifications and more to help you identify when sensors are down, significant log flow decrease from a device, and whenever you have a failed Windows drive. See Blumira Security Findings to learn more.