Clever Cyber Attack: Stealthy Tactics Exposed! #shorts

BSides Frankfurt · 1:17 · 76 views · Published 2026-03 · Watch on YouTube ↗
About this talk
Threat actors abuse existing applications for persistence, relying on the audit-log entry disappearing after 90 days. One actor even enrolled a compromised device in Intune, unknowingly triggering an EDR client deployment to it. #Cybersecurity #ThreatActor #Persistence #EDR #Intune
Transcript [en]

It actually turns out that the threat actor thought it would be stealthy to log on from a compliant device. So, they enrolled it in Intune. But if someone takes over an existing application, or, like, it generates credentials for an existing application, that won't really show up anywhere. You will have this entry in the audit log, but after 90 days that's gone, and there's no way in the UI to list all the application secrets. So, I mean, I think there is some way, like you can do it with APIs and so on, to get out, like, the hashes or whatever for those. But it's a really sneaky persistence technique, right? It's very common that threat actors register new applications, but abusing existing applications, I think, is clever. So, that's logged, of course.

And it actually turns out that the threat actor thought it would be stealthy to log on from a compliant device. So, they enrolled it in Intune. What they didn't know was that the customer would then automatically push out an EDR client to the threat actor's machine. So, what we see here is actually the threat actor's machine. And my colleague Hassan has a complete talk where he just talks about everything we can see on this threat actor's machine, because it's sent to the EDR, right? And of course, they use that machine to attack multiple different customers.
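The speaker points out that the portal cannot list every application secret, but the APIs can. As an added example that is not part of the talk or the speaker's own tooling, the Python below walks application objects in the shape Microsoft Graph's /applications endpoint returns (passwordCredentials and keyCredentials with startDateTime/endDateTime) and flags secrets added recently or valid for an unusually long time, which is what a defender would hunt for after such an incident. The sample tenant data, the thresholds and the choice of fields are assumptions; fetching the objects from Graph with a suitably scoped token is left to the caller.

```python
import json
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    # Graph timestamps look like "2026-01-15T10:20:30Z"; normalize the Z for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_suspicious_credentials(applications, now, recent_days=30, max_lifetime_days=730):
    """Return secrets/certificates on app registrations that were added within
    recent_days or are valid for longer than max_lifetime_days (a persistence smell)."""
    findings = []
    for app in applications:
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in app.get(kind, []):
                start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
                reasons = []
                if now - start <= timedelta(days=recent_days):
                    reasons.append("added recently")
                if end - start > timedelta(days=max_lifetime_days):
                    reasons.append("long-lived")
                if reasons:
                    findings.append({"app": app["displayName"], "appId": app["appId"],
                                     "kind": kind, "keyId": cred["keyId"],
                                     "name": cred.get("displayName"), "reasons": reasons})
    return findings

# Constructed sample in the shape of a Graph /applications response (not real tenant data).
SAMPLE_APPS = [
    {"displayName": "Payroll Sync", "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [
         {"keyId": "aaaa-1", "displayName": "rotation-2025",
          "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"},
         {"keyId": "aaaa-2", "displayName": None,   # unnamed secret added days ago, valid 100 years
          "startDateTime": "2026-03-05T12:00:00Z", "endDateTime": "2126-03-05T12:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "HR Portal", "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [],
     "keyCredentials": [
         {"keyId": "bbbb-1", "displayName": "CN=hrportal",
          "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"}]},
]
SAMPLE_NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

if __name__ == "__main__":
    for finding in find_suspicious_credentials(SAMPLE_APPS, SAMPLE_NOW):
        print(json.dumps(finding))
```

Run it periodically and diff the output against the previous run; a credential appearing on an application nobody touched is exactly the event that would otherwise fall out of the audit log after 90 days.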