[German]Microsoft published two blog posts from its Detection and Response Team (DART). The posts include advice for incident responders on recovering from systemic identity compromises (after Solarigate) and what to do if infected with the Sunburst Trojan.
Advertising
Advice on recovering from systemic identity compromises.
I became aware of the Microsoft Detection and Response Team's (DART) blog post Advice for incident responders on recovery from systemic identity compromises for incident responders on recovery from systemic identity compromises via the following tweet.
The post contains advice for people responding to a cyberattack (incident responders) looking for information on how to recover from systemic identity compromises. The blog post describes the issues that exist when hackers successfully penetrate an IT environment through compromised accounts or security settings and addresses the various aspects, from auditing to monitoring activity, in such a scenario. It all goes back to the SolarWinds Orion SUNBURST attack.
Understanding Solorigate Indicator of Compromise (IoC)
The second post is titled Understanding "Solorigate"'s Identity IOCs – for Identity Vendors and their customers and appeared in Techcommunity. It addresses pointers for administrators affected by the Sunburst attack (now referred to by Microsoft as Solarigate) to help recognize the signs that IT systems have been compromised.
Solorigate Indicator of Compromise
Advertising
The topics covered range from hints that you need to understand the IT environment and the attack, and goes into detailed explanations of the patterns used in the attack by the hackers. I think this might be a nice read for people in the field who are suffering from boredom over the holidays.
