How Reveal(x) Detects Attacks on Microsoft Environments, an Introduction

Microsoft tools have long been top targets for threat actors, partly because of their widespread use in enterprise environments. Hundreds of millions of people use Microsoft 365 and Active Directory, and millions of organizations have deployed Exchange Server.

Threat actors also target Microsoft because of the vulnerabilities in its software. In fact, four of the most frequently exploited CVEs in 2022 were connected to Microsoft products, according to the U.S. Cybersecurity and Infrastructure Agency. The good news is that the ExtraHop Reveal(x) NDR platform detects all four of these vulnerabilities, three with the core NDR tool and the fourth with the Reveal(x) IDS module.

Reveal(x) gives security analysts unequaled visibility into enterprise networks, helping them detect and stop attacks before they result in major damage and cost millions of dollars. This visibility extends to Microsoft environments.

With Reveal(x), users receive timely detections and Threat Briefings for vulnerabilities in Microsoft products. In addition to detections of the four Microsoft vulnerabilities on CISA’s 2022 list, Reveal(x) covers BloodHound and NTLM relay attacks on Active Directory, Windows Print Spooler exploits, and many others.

Reveal(x) gives users broad visibility into protocols used by Active Directory, including Kerberos, LDAP, and DNS, and provides detailed metrics on individual domain controllers and clients.

Reveal(x) not only includes detections of exploits targeting known Microsoft vulnerabilities, but it also uses machine learning to model attacker behaviors and identify new activity that resembles existing attack techniques.

Reveal(x) also employs rule-based detection, peer group analysis, and deep learning to detect the full range of attack activity and provide holistic coverage of attacker tactics.

Broad Decryption of Attacker Activity

The detections in Reveal(x) also leverage its unmatched decryption capabilities, which allow analysts to see malicious activity hiding in encrypted traffic, including Kerberos golden ticket attacks.

In addition, the decryption in Reveal(x) helps security analysts identify unauthorized access and privilege escalation attempts in Active Directory, and it helps organizations defend against exploitation of high-risk vulnerabilities that leverage encrypted channels, including PrintNightmare, ProxyLogon, and ProxyShell. Three of the most exploited vulnerabilities in 2022 were ProxyShell attacks.

The decryption capabilities also give Reveal(x) users visibility into living-off-the-land techniques, in which attackers misuse legitimate tools to gain access to targeted IT systems. Reveal(x) supports the decryption, parsing, and analysis of Microsoft authentication protocols such as Kerberos and NTLM and application protocols including LDAP, MS-RPC, WIN-RM, and SMBv3.

Expanded decryption capabilities in Reveal(x) target advanced attacks on Microsoft authentication and application protocols, allowing detections of advanced attacks like living-off-the-land and Kerberos golden ticket attacks that target many of the most exploited network protocols.

The advanced decryption capabilities give Reveal(x) users unparalleled visibility into their networks and Microsoft environments. Most other decryption tools available in the market do not monitor East-West network traffic, leaving security analysts blind to lateral movement.

Integrations Provide More Visibility

ExtraHop continues to expand coverage of Microsoft environments in Reveal(x) and to release integrations that make it easy for Reveal(x) to work smoothly with Microsoft tools and detect suspicious activity targeting Microsoft applications, systems, and protocols. For instance, an integration between Reveal(x) and Microsoft Azure Sentinel allows Azure users to access Reveal(x) dashboards within Sentinel, and it allows contextual alerts from Reveal(x) to be used to automate threat responses based on an organization’s own security practices.

Another integration allows customers to view Microsoft 365 detections and investigate threats directly in Reveal(x). The integration provides detections of common risks such as password spraying attacks and compromised credentials.

Do you have questions about securing Microsoft environments? Join the discussion on the ExtraHop customer community.