Microsoft Defender Attack Paths

Derk van der Woude
4 min read · Nov 23, 2022

Attack paths, for example LPE (Local Privilege Escalation) and RCE (Remote Code Execution), are TTPs (Tactics, Techniques and Procedures) used by black hats (bad actors) and/or white hats (ethical hackers) to gain access to an environment.

Microsoft Defender for Identity [MDI; Active Directory] and Microsoft Defender for Cloud [MDC; Azure & AWS] provide visualized attack paths.

MDI; Lateral Movement Path

Lateral Movement Paths [LMPs] in Microsoft Defender for Identity (Microsoft 365 Defender) are paths that can be (ab)used by an attacker to use a non-sensitive account to gain access to a sensitive (e.g. admin) account or device.

For example, when a user is logged on to a machine and that machine has stored sign-in credentials (Credential Manager in Control Panel) of an admin account, those credentials can easily be extracted with Mimikatz:

privilege::debug
sekurlsa::logonpasswords

Advanced Hunting

With advanced hunting you can query ‘lateral movement path’ activities.

// MDI events whose ActionType mentions a lateral movement path (contains is case-insensitive)
IdentityDirectoryEvents
| where ActionType contains "lateral movement path"
| project Application, AccountDisplayName, AccountDomain, DeviceName

When an entity (user or computer) is found, you can visualize the path along which an attacker can move laterally through the network via Microsoft 365 Defender -> Identities (or Devices) and select the entity found via the KQL hunting query.

The tab Lateral movement paths is only visible if there is an LMP for that entity.

There are different methods to prevent ‘lateral movement paths’:

  • Sensitive accounts only use dedicated (never shared) workstations (e.g. PAW; Privileged Access Workstation)
  • Use the concept of least privilege and separation/segregation of duties

Pro-tip: use BloodhoundAD to create a graph of Active Directory vulnerabilities and/or attack paths.
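The lateral movement path idea above is a graph problem: a non-sensitive account has a session on a device, that device exposes a sensitive account's credentials, and so on. The following added example (not Defender for Identity or BloodHound code) models that as a breadth-first search over constructed account/device data, so a defender can see which device bridges a non-sensitive account to a sensitive one; all account and host names are made up.

```python
"""Toy lateral-movement-path finder (added example, not MDI/BloodHound code).

A path alternates account -> device -> account: an account with a session on a
device gives access to that device, and a device holding stored/cached credentials
of another account gives access to that account. Sample data is constructed."""
from collections import deque

# Constructed sample data: which accounts have sessions on which devices, and
# which devices hold stored sign-in credentials of which accounts.
SESSIONS = {
    "alice": {"WS01"},
    "bob": {"WS02"},
    "helpdesk01": {"WS01", "WS02", "SRV01"},
    "da_admin": {"SRV01"},
}
STORED_CREDS = {"WS01": {"helpdesk01"}, "WS02": set(), "SRV01": {"da_admin"}}
SENSITIVE = {"da_admin"}  # accounts MDI would tag as sensitive


def build_edges(sessions, stored_creds):
    """Directed edges: account -> device (has session), device -> account (exposes creds)."""
    edges = {}
    for account, devices in sessions.items():
        edges.setdefault(("account", account), set()).update(("device", d) for d in devices)
    for device, accounts in stored_creds.items():
        edges.setdefault(("device", device), set()).update(("account", a) for a in accounts)
    return edges


def lateral_movement_paths(sessions, stored_creds, sensitive):
    """Shortest path from each non-sensitive account to any sensitive account (BFS).

    The returned path names the devices to harden (e.g. clear stored credentials,
    move the sensitive account to a PAW) to break the lateral movement path."""
    edges = build_edges(sessions, stored_creds)
    paths = {}
    for start in sessions:
        if start in sensitive:
            continue
        queue, seen = deque([[("account", start)]]), {("account", start)}
        while queue:
            path = queue.popleft()
            kind, name = path[-1]
            if kind == "account" and name in sensitive:
                paths[start] = [n for _, n in path]
                break
            for nxt in edges.get(path[-1], ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return paths


if __name__ == "__main__":
    for account, path in lateral_movement_paths(SESSIONS, STORED_CREDS, SENSITIVE).items():
        print(f"{account}: " + " -> ".join(path))
```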

MDC; Attack Path

Attack paths in Microsoft Defender for Cloud require the add-on Defender CSPM plan.

Attack paths are available for ‘Azure VMs, data and containers’ and ‘AWS VMs and data’ and are produced by scanning the cloud security graph for exploitable paths that an attacker can (ab)use to gain access to cloud resources.

The Attack path feature (refresh interval is 24 hours) is available in the Recommendations section of Microsoft Defender for Cloud.

By selecting the Attack path an overview is presented of the different attack paths; see the reference for all possible attack paths.

In our example we have an attack path called Internet exposed VM has high severity vulnerabilities with the description Virtual machine ‘[MachineName]’ is reachable from the internet and has high severity vulnerabilities [RCE].

Details are visible by selecting the attack path which shows the entities (e.g. from which internet exposed public IP-address the attack path is possible) with Insights (e.g. CVEs) and Recommendations.

There is also a Recommendations tab which shows all recommendations for the attack path.

Pro-tip: use Microsoft Defender EASM (External Attack Surface Management) to get even more insight into internet exposed vulnerabilities for your organization (Azure, but also on-premises etc.).
