Sensors – Bitdefender TechZone

Microsoft Office 365 accounts are a top target for cybercriminals. They often use phishing attacks to trick users into revealing their login credentials. This compromise grants attackers' access to your valuable data and email communication.

You can use Office 365 Sensor to discover security incidents at any stage of the attack lifecycle. The Sensor detects accounts with disabled anti-phishing protection, which weakens security. It detects attempts to exploit Office 365 accounts and emails, including identifying phishing campaigns before they can trick your users into revealing their login credentials.

If an attacker gains access to an account, the Sensor continues to monitor Office 365 for suspicious activity. This includes watching for the creation of new users without requiring multi-factor authentication, a tactic often used by attackers to bypass security measures. The Sensor detects uploads of documents containing suspicious macros to SharePoint and OneDrive, a common method for delivering malware and mailbox permission changes, that can grant unauthorized access to multiple mailboxes.

The GravityZone Sensor actively monitors Microsoft Exchange Online email activity to identify and stop exfiltration attempts (theft of data) and detect unusual deletions.

GravityZone XDR Office 365 Sensor proactively identifies suspicious activity, empowering you to take immediate action via the GravityZone console. Explore all response options in the Threat Response article.

Google Workspace, suite of collaboration tools like Gmail and Docs, is a critical asset for companies, making it a prime target for attackers. The Google Workspace Sensor plays a vital role in protecting your data by actively monitoring for signs of suspicious activity.

You can use Google Workspace Sensor to discover security incidents at any stage of the attack lifecycle. The sensor employs mechanisms to detect brute force attacks by identifying unusual, failed login attempts. It monitors the creation of new administrator accounts, manipulation of security rules, and administrator password changes, allowing for the identification of anomalies indicative of malicious activity.

In post-compromise scenarios, the Sensor leverages various techniques to detect data exfiltration attempts and attacker persistence mechanisms. For example, it can identify instances of coordinated two-factor authentication (2FA) disablement from a single location or unexpected acquisition of access to many mailboxes by a single user.

The Sensor's capabilities extend beyond account activity and setting observation. It actively analyzes user behavior within the Google Workspace environment. This includes the identification of potentially malicious uploads, such as executable files or files with unrecognized extensions. Furthermore, it maintains vigilance for irregularities in file access patterns, including sudden and extensive file deletions.

The Sensor finally detects email usage anomalies, for example, excessive email sending or file sharing within a short period. These anomalies could indicate a compromised account or an attempt to exfiltrate data.

Google Workspace Sensor proactively identifies suspicious activity, empowering you to take immediate action via the GravityZone console. Explore all response options in the Threat Response article.

You can use the Active Directory Sensor to detect activity associated with attacks that attempt to use compromised accounts, tokens, and objects, encompassing not only end user accounts but also system and service accounts.

Active Directory Sensor actively detects attacks targeting the Kerberos network authentication protocol. It supports various detections at any stage of the attack lifecycle, starting with the ability to identify when a Kerberos login is used for brute-force attacks against a system. During such attacks, malicious actors attempt to gain system access by rapidly generating passwords or encryption keys.

It identifies other Kerberos-related activities, such as the use of stolen Kerberos tickets to move laterally across a network, requests for tickets with weak encryption (a common sign of malicious intent), and replay attacks, which involve stealing packets from the network and forwarding them to a service or application.

The Active Directory Sensor not only detects suspicious logins following a brute-force attack, but also identifies instances where attackers register a rogue domain controller and use it to inject malicious objects into other controllers within the Active Directory infrastructure.

Finally, the Sensor identifies various activities performed by attackers on Active Directory objects and their authentication attempts to remote systems using stolen credentials.

Active Directory Sensor proactively identifies suspicious activity, empowering you to take immediate action via the GravityZone console. Explore all response options in the Threat Response article.

You can utilize the Azure Active Directory Sensor to actively monitor sign-in activities and configurations, providing valuable insights into user authentication methods and potential security risks within the Azure AD environment.

The Sensor for Azure Active Directory gathers and processes sign-in activities and configurations, playing a crucial role in detecting threats throughout the attack chain. It tracks and analyzes user sign-in attempts, including timestamps, locations, and IP addresses. This allows the detection of unusual sign-in patterns that might indicate attackers scouting for valid credentials or vulnerable accounts.

By monitoring sign-in attempts, the Sensor can identify activities suggesting compromised credentials. This includes failed logins from a single location, which could indicate a brute-force attack or successful logins from unusual geographic regions. Additionally, can identify suspicious user behavior, such as creating multiple accounts or changing names/emails, which could be used for impersonation.

Azure Active Directory Sensor can detect the creation of applications with overly permissive access rights, which can indicate a potential privilege escalation attempt, where attackers create an application with excessive permissions to gain unauthorized access to sensitive resources.

It can recognize when new users are added to the privileged domain administrators' group and provide visibility into application permissions where global administrator rights are assigned.

Azure Active Directory Sensor proactively identifies suspicious activity, empowering you to take immediate action via the GravityZone console. Explore all response options in the Threat Response article.

The Microsoft Intune Sensor monitors actions within the Intune environment, including changes in device ownership, policy assignments, and Intune app creation.

You can use Microsoft Intune Sensor to detect changes in device ownership, such as transitions from company-owned to personal devices or vice versa. This detection capability provides visibility and control over device ownership, crucial for preventing unauthorized access during the initial stages of an attack.

Additionally, the Sensor can detect when Intune policies are assigned to specific groups. This ensures effective policy application across designated user or device groups, ensuring consistent enforcement of centralized policies.

Furthermore, the Microsoft Intune Sensor identifies the creation of Intune apps with specific attributes, including install/uninstall command line options, setup file paths, detection/requirement rule scripts, or filenames. This facilitates monitoring and managing the deployment and configuration of Intune apps, ensuring compliance with organizational standards, and mitigating the risk of privilege escalation through unauthorized or misconfigured applications.

With AWS Cloud Sensor you can monitor activity indicating potential security compromises in cloud environments and detect security incidents at any stage of the attack lifecycle. AWS Sensor establishes a baseline of normal behavior and then flags anomalies when activities deviate from this baseline.

The Sensor actively identifies reconnaissance activities against S3 buckets and detects multiple login failures or unsuccessful multi-factor authentication attempts. This helps identify attackers trying to gain initial access.

During the initial access stage, the AWS Sensor detects the uploading of files with suspicious extensions or abnormal cloud function operations. Attackers might use such tactics to bypass security measures and establish a foothold.

The Sensor identifies attempts to maintain unauthorized access and avoid detection. This includes detecting the unauthorized removal of default encryption from AWS S3 buckets and attempts to disable monitoring services like CloudTrail or delete CloudWatch logs.

Finally, the Sensor detects attackers exploiting compromised systems by identifying the execution of suspicious Lambda functions for manipulations such as updating security groups to enable unauthorized access to cloud instances.

AWS Sensor proactively identifies suspicious activity, empowering you to take immediate action via the GravityZone console. Explore all response options in the Threat Response article.

With the Azure Cloud Sensor, you can monitor activity indicating potential security compromises in cloud environments and detect security incidents at any stage of the attack lifecycle. Azure Sensor establishes a baseline of normal behavior and then flags anomalies when activities deviate from this baseline.

The Azure Cloud Sensor detects when a security system rule is created or modified, potentially exposing applications or resources publicly. This action provides attackers with an initial access point to penetrate your network.

It identifies the creation of an Azure automation account, which can present security risks like misconfigured connections and connections to other Azure resources and external systems. This activity may be part of the execution phase, as attackers set up mechanisms for their malicious activities within the compromised environment.

The Sensor detects attempts to enable public anonymous access to a storage account indicating activities aimed at maintaining persistence and evading detection. Allowing unprivileged access to resources enables attackers to establish persistence within the environment.

Finally, identifying instances such as the deleting of a log analytics workspace resource suggests intruders are trying to hide their presence in the network. This action may be part of the covering tracks phase, where attackers erase evidence of their activities to avoid detection and investigation.

With the Google Cloud Platform Sensor, you can monitor activity indicating potential security compromises in cloud environments and detect security incidents at any stage of the attack lifecycle. GCP Sensor establishes a baseline of normal behavior and then flags anomalies when activities deviate from this baseline.

The GCP Sensor actively detects the deletion of the Audit log, which attackers may use to cover tracks, hide unauthorized access, or compromise the integrity of the logging system. This indicates potential efforts by attackers to conceal their activities and evade detection.

The Sensor detects the deletion of a file store backup, disk image, or VM instance, signaling a potential security incident that requires immediate attention. This deletion could serve as an initial access point for attackers, highlighting a breach in the system's defenses.

Additionally, the Sensor monitors security-related events, such as detecting the deletion of a network route, the addition of a VPC route, identifying modifications to a VPC firewall, and alerting when a Cloud function is made public. These actions may be part of the execution phase where attackers set up mechanisms to carry out their malicious activities within the compromised environment.

The Sensor identifies account manipulations, such as modifications to IAM configurations or the assignment of high-privilege roles to new users. This highlights the importance of proactive monitoring to prevent attackers from establishing persistence and evading detection within the system.

GCP Sensor proactively identifies suspicious activity, empowering you to take immediate action via the GravityZone console. Explore all response options in the Threat Response article.