General
Attic uses a number of rules to check successful login attempts on the tenant against lists of IP addresses.
Rationale
Research has shown that AiTM attackers usually log in to a stolen user account from servers where it is difficult to trace them back to their identity. Cloud services such as AWS, Azure and CloudFlare are suitable for this. At the same time, it is very unusual for a colleague to log in from an IP address belonging to one of these cloud services for legitimate reasons.
Finally, Attic's AiTM detection service (didsomeoneclone.me) itself collects intelligence about IP addresses from which attacks are carried out. Detecting login attempts from these types of IP addresses is therefore highly recommended!
In Attic these Rules are active:
- RULE-1143 - Detections from CloudFlare IP-range
- RULE-1144 - Detections from IP matching DSCM intelligence
- RULE-1145 - Detections from Azure IP-range
- RULE-1146 - Detections from AWS IP-range
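The check the four rules perform, as an added illustration that is not Attic's own code: each successful sign-in is tested against a set of IP ranges (one list per rule), and only successful logins are considered. The CIDR prefixes and the DSCM entries below are constructed from RFC 5737 / RFC 2544 documentation ranges for the example; they are not the providers' real published ranges, and the sign-in entries are invented.

```python
import ipaddress
from typing import Dict, List

# Rule IDs as listed above, each mapped to one IP list.
# Prefixes are constructed stand-ins (documentation ranges), not real provider data.
RULE_RANGES: Dict[str, List[str]] = {
    "RULE-1143": ["192.0.2.0/24"],      # stand-in for the CloudFlare range list
    "RULE-1145": ["198.51.100.0/24"],   # stand-in for the Azure range list
    "RULE-1146": ["203.0.113.0/24"],    # stand-in for the AWS range list
}
# Stand-in for DSCM intelligence: individual addresses rather than whole ranges.
DSCM_INTEL: List[str] = ["198.18.0.42", "2001:db8::bad"]


def compile_rules() -> Dict[str, List[ipaddress._BaseNetwork]]:
    """Parse every prefix once so that evaluation is a cheap containment test."""
    compiled = {
        rule_id: [ipaddress.ip_network(p) for p in prefixes]
        for rule_id, prefixes in RULE_RANGES.items()
    }
    # Single addresses become /32 or /128 networks, so one code path serves both.
    compiled["RULE-1144"] = [ipaddress.ip_network(ip) for ip in DSCM_INTEL]
    return compiled


COMPILED = compile_rules()


def matching_rules(signin: dict, rules=COMPILED) -> List[str]:
    """Return the sorted rule IDs that fire for one sign-in log entry.

    Only successful logins are evaluated, mirroring the scope of the detection.
    A missing or unparsable IP yields no match; a production pipeline should
    surface such entries separately rather than treat them as clean.
    """
    if signin.get("status") != "success":
        return []
    try:
        ip = ipaddress.ip_address(signin.get("ipAddress", ""))
    except ValueError:
        return []
    # A v4 address is never "in" a v6 network (and vice versa), so mixed lists are safe.
    return sorted(
        rule_id for rule_id, networks in rules.items()
        if any(ip in network for network in networks)
    )


# Constructed sample sign-in entries (Entra-style fields, invented values).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ipAddress": "203.0.113.9", "status": "success"},  # AWS stand-in
    {"user": "bob@example.com",   "ipAddress": "192.0.2.200", "status": "failure"},  # failed: ignored
    {"user": "carol@example.com", "ipAddress": "198.18.0.42", "status": "success"},  # DSCM intel hit
    {"user": "dave@example.com",  "ipAddress": "10.20.30.40", "status": "success"},  # office: no alert
    {"user": "erin@example.com",  "ipAddress": "not-an-ip",   "status": "success"},  # malformed
]


def run_detection(entries: List[dict]) -> Dict[str, List[str]]:
    """Evaluate a batch of entries and return {user: [rule ids]} for those that alert."""
    alerts: Dict[str, List[str]] = {}
    for entry in entries:
        hits = matching_rules(entry)
        if hits:
            alerts[entry["user"]] = hits
    return alerts


if __name__ == "__main__":
    for user, fired in run_detection(SAMPLE_SIGNINS).items():
        print(f"{user}: {', '.join(fired)}")
```

Running it alerts on alice (RULE-1146) and carol (RULE-1144); the failed login, the office address and the malformed entry produce nothing. Keeping the provider lists outside the code (they change regularly) and refreshing them on a schedule is the part that makes such a check useful over time.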
Attic Fix
A Fix is available for this detection that blocks the account in question. This action ensures that no further damage can occur, but it is recommended to carry out further research into what the account has done since the login attempt.
If you have an IR Strippenkaart, please contact our experts to carry out the follow-up research.
Manual Follow-up
Follow these steps to follow up on this detection:
- Open the Entra admin portal https://entra.microsoft.com
- Under Identity, go to Monitoring & Health and then Sign-in logs
- Find the log entry from the Attic alarm
- Investigate the login attempt. Unless it can be determined that the alarm is a false positive:
  - Block the user account
  - Reset the password and revoke logged-in sessions
  - Investigate the account for suspicious behavior, changed authentication methods and suspicious App Consents. Zolder can assist with this.
  - Only when the account is safe to use again, enable it again.