Welcome to Vectra Threat Detection & Response platform. Learn how you can use Vectra to detect and respond to ransomware attacks targeting your network.
Vectra tracks activity over time and attributes detections to specific accounts (or hosts) that behave suspiciously. These scores are dynamic, and change based on the detections.
Scores are comprised of certainty and threat.
Accounts are sorted in priority order.
Vectra's patented AI stitches together the cloud account and network account.
This account has 4 detections
An attacker has compromised a user's credentials through spearfishing.
The attacker has uploaded a malicious DLL file to the users OneDrive where it is automatically synced with their host.
The DLL is synced to the compromised users host and leads to a successful DLL hijacking. This triggers code execution on the host that makes a call back to the attackers C2 infrastructure enabling remote access and the ability to now attack the network.
Click to expand for details.
The attacker now moves from the cloud to enterprise network.
Using *LDAP* and *RPC* calls, the attack maps the network in search of domain admin credentials to distribute the ransomware on critical assets, in this case a domain controller.
With this knowledge, the attack uses *RPC* to call out to 300 machines and move laterally.
The attacker's recon leads them to find that there are domain admin credentials on host alan-x1.corp.example.com and so the Azure AD and network AD connected credentials are used move laterally. Once connected to alan-x1.corp.example.com the attacker is able to gain access to the domain admin credentials on the host.
The combination of the activities to this point would put this host & account in the critical quadrant, demanding immediate attention.
The attacker continues with their reconnaissance, scanning port 445 to identify potential targets.
We will continue as though the alerts were ignored and the attack is successful.
The recon is now complete now. The attacker has: a high privilege account for propagation, file shares to encrypt, as wellO365 files to encrypt.
Vectra Cognito will show you which files were actually encrypted.
The suspicious remote execution detection can be used to see which hosts were infected with the ransomware.
It's important to note that while the hosts have been infected, they have yet to be encrypted at this point.
As attackers connect, they exfil out data.