Abuse and Detection of M365D Live Response for privilege escalation on Control Plane (Tier0) assets

tags: azure-cloud, cloud-attacks, cloud-tactics, live-response, summarize-article
url:
original_word_count: 2569

Article Excerpt

What is Live Response? Security Operations Teams need the ability to establish a remote session to managed devices for in-depth investigation (including collection of forensic evidence).

Long Summary

The Live Response feature of the Microsoft 365 Defender (M365D) Portal lets Security Operations Teams establish a remote session to managed devices for in-depth investigation, including the collection of forensic evidence. It is enabled from the “Advanced features” settings page and provides a cloud-based interactive shell with a set of basic built-in commands. The same capability is reachable programmatically through the Microsoft Defender for Endpoint (MDE) API. By default, access is granted to Azure AD Global Administrators and Security Administrators; it can also be delegated to other users through the Microsoft Defender for Endpoint or Microsoft 365 Defender RBAC models.

Because a Live Response session runs with high privileges on the target device, the feature can be abused to gain privileged access. Two attack scenarios are described: creating a Domain Admin account by running a script on an Active Directory Domain Controller, and exfiltrating Azure PowerShell access tokens belonging to a Global Admin from that admin's device. Live Response abuse can be detected in the “History” tab of the “Action Center” in the M365D Portal, which lists the commands entered in the portal UI or requested via API call. The MDE API can also be used to retrieve the list of Machine Actions, which includes Live Response requests made through the API.

The article outlines the steps to ingest Machine Action events into Microsoft Sentinel: create a Logic App with a managed identity, grant that identity the Machine.Read.All application permission on the Defender for Endpoint API, and use an HTTP action to query the MDE API and write the results to a custom table. It then provides a KQL query that joins the tagging of high-value assets with the events in that custom table, a timeline and hunting query that extracts the individual Live Response commands, and a KQL query to hunt for other processes spawned by the SenseIR service (the MDE component that executes Live Response on the device). Finally, it lists the Windows Events from the local device that can be forwarded to the Microsoft Sentinel Workspace with the Azure Monitor Agent.
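The two detection steps above, listing Machine Actions and joining them with the Tier0 tagging of high-value assets, can be exercised offline on sample data. The following Python is an added example, not code from the original article: it follows the entity shapes of the public MDE API (GET /api/machineactions with `type`, `requestor`, `machineId`, `computerDnsName` and `commands[].command.type/params`; GET /api/machines with `machineTags`), but the records embedded below are constructed for this demo, and the tag names `Tier0`/`ControlPlane` and the high-risk command set are assumptions about how an environment labels its assets and what it considers dangerous.

```python
"""Triage Microsoft Defender for Endpoint (MDE) Machine Actions for Live Response
sessions that touched Control Plane (Tier0) devices.

Added example, not code from the original article. Record shapes follow the
public MDE API entities; the records below are constructed for this demo and
the tag / command sets are assumptions, not settings taken from the article.
"""
import json

TIER0_TAGS = {"Tier0", "ControlPlane"}          # assumed tagging convention for high-value assets
HIGH_RISK_COMMANDS = {"PutFile", "RunScript"}  # commands that drop or execute code on the host

# Constructed sample: what the "value" array of GET /api/machineactions might hold.
SAMPLE_MACHINE_ACTIONS = json.dumps({"value": [
    {"id": "action-001", "type": "LiveResponse", "status": "Succeeded",
     "requestor": "secops.analyst@contoso.example",
     "machineId": "m-dc01", "computerDnsName": "dc01.corp.contoso.example",
     "creationDateTimeUtc": "2023-03-01T10:15:00Z",
     "commands": [
         {"index": 0, "commandStatus": "Completed",
          "command": {"type": "PutFile", "params": [{"key": "FileName", "value": "AddAdmin.ps1"}]}},
         {"index": 1, "commandStatus": "Completed",
          "command": {"type": "RunScript", "params": [{"key": "ScriptName", "value": "AddAdmin.ps1"}]}},
     ]},
    {"id": "action-002", "type": "Isolate", "status": "Succeeded",
     "requestor": "secops.analyst@contoso.example",
     "machineId": "m-ws17", "computerDnsName": "ws17.corp.contoso.example",
     "creationDateTimeUtc": "2023-03-01T10:20:00Z"},
    {"id": "action-003", "type": "LiveResponse", "status": "Succeeded",
     "requestor": "ir.responder@contoso.example",
     "machineId": "m-ws17", "computerDnsName": "ws17.corp.contoso.example",
     "creationDateTimeUtc": "2023-03-01T11:02:00Z",
     "commands": [
         {"index": 0, "commandStatus": "Completed",
          "command": {"type": "GetFile", "params": [{"key": "Path", "value": "C:\\Windows\\Temp\\suspect.dll"}]}},
     ]},
]})

# Constructed sample: the subset of GET /api/machines needed for the tag join.
SAMPLE_MACHINES = json.dumps({"value": [
    {"id": "m-dc01", "computerDnsName": "dc01.corp.contoso.example",
     "machineTags": ["Tier0", "DomainController"]},
    {"id": "m-ws17", "computerDnsName": "ws17.corp.contoso.example",
     "machineTags": ["Tier2"]},
]})


def tier0_machine_ids(machines_json):
    """Return the ids of devices carrying a Tier0 tag (the tagging half of the join)."""
    machines = json.loads(machines_json)["value"]
    return {m["id"] for m in machines if TIER0_TAGS & set(m.get("machineTags", []))}


def flatten_commands(action):
    """Turn the commands[] array of a LiveResponse action into (type, {param: value}) pairs."""
    return [
        (c["command"]["type"], {p["key"]: p["value"] for p in c["command"].get("params", [])})
        for c in action.get("commands", [])
    ]


def triage_live_response(actions_json, machines_json):
    """Keep only LiveResponse actions and score each by target tier and command risk."""
    tier0 = tier0_machine_ids(machines_json)
    findings = []
    for action in json.loads(actions_json)["value"]:
        if action.get("type") != "LiveResponse":
            continue  # Isolate, RunAntiVirusScan, etc. are not in scope here
        commands = flatten_commands(action)
        on_tier0 = action["machineId"] in tier0
        risky = sorted({ctype for ctype, _ in commands if ctype in HIGH_RISK_COMMANDS})
        if on_tier0 and risky:
            severity = "high"    # code dropped or executed on a Control Plane asset
        elif on_tier0 or risky:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "action_id": action["id"],
            "requestor": action.get("requestor"),
            "device": action.get("computerDnsName"),
            "tier0": on_tier0,
            "commands": commands,
            "risky_commands": risky,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in triage_live_response(SAMPLE_MACHINE_ACTIONS, SAMPLE_MACHINES):
        print(f"[{f['severity'].upper()}] {f['requestor']} -> {f['device']} "
              f"tier0={f['tier0']} commands={[c for c, _ in f['commands']]}")
```

In a real deployment the two JSON documents would come from the Logic App's HTTP action against the MDE API (or from the Sentinel custom table it populates), and the severity rule is the same join the article expresses in KQL: a Live Response session is only interesting in proportion to the tier of the device it touched and the commands it ran.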

Finally, the article provides a list of mitigations for Live Response: scope the permissions of Live Response users and isolate Control Plane (Tier0) assets in their own device group, create dedicated custom roles that carry the Live Response permission only where it is needed, and monitor Live Response activity with the detections described above.

Live Response is a powerful tool that allows security teams to remotely access and investigate devices in real time, but the same remote command and script execution makes it a privilege escalation path onto the most sensitive assets in the tenant. It should therefore be granted only to tightly scoped roles and its use should be monitored. The article covers the feature end to end: how it works, how it can be abused, how to ingest Machine Action events into Microsoft Sentinel for detection, and which mitigations reduce the exposure.

Short Summary

📓 Abuse and Detection of M365D Live Response for privilege escalation on Control Plane (Tier0) assets 👉🏽 Microsoft 365 Defender Portal's Live Response feature explained. 👉🏽 Allows a remote session to managed devices for in-depth investigation. 👉🏽 Collection of forensic evidence supported. 👉🏽 Enabled from the “Advanced features” settings; usable from the portal shell or the MDE API. 👉🏽 Available by default to Global and Security Admins; delegable through Defender RBAC. 👉🏽 Can be abused to gain privileged access on Tier0 assets. 👉🏽 Detection possible through the “History” tab of the “Action Center” and the Machine Actions API. 👉🏽 Provides steps to ingest Machine Action events into Microsoft Sentinel. 👉🏽 Mitigation steps to secure Live Response provided. 👉🏽 Live Response should be used with caution and scoped permissions.

#Microsoft365 #DefenderPortal #LiveResponse #SecurityOperationsTeams #MitigationSteps