In January and February of 2021, the threat actor called Hafnium used a number of post-exploitation tools after gaining access to Exchange servers through a zero-day exploit. One of their persistence methods was creating new user accounts in the domain, giving them the ability to log back into the network using normal authentication rather than use a web shell or continue to re-exploit the vulnerability (which has since been patched). There are several good Splunk detections and Phantom responses that can find a Hafnium-like attack earlier in the chain, but monitoring new user accounts from Phantom is one of the easiest to get started with and the least specific to any particular kind of attack.
We already knew Active Directory was one of the most important systems for our security posture, and Hafnium just gave us a not-so-subtle reminder that we need to stay on top of it, whether on-premises through regular Active Directory or in the cloud with Azure Active Directory.
Tune in to this webinar to learn:
How to get started with an account monitoring use case
How our newest community playbook initiates a scheduled review of new accounts created in Azure Active Directory each week
How your security team should have a good understanding of the frequency and common attributes of newly created accounts