
1. Insider Threats & Human Factors
1.1. Social Engineering & Impersonation
1.1.1. Send email out to AllCM to warn and/or train users
1.2. Malicious Insider with Admin Privileges
1.2.1. Review Azure permissions
1.3. Overprivileged Users (Least Privilege Violations)
1.3.1. Review Azure permissions
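Added example for 1.2.1 and 1.3.1 (not part of the original checklist): an Azure Resource Graph query that lists every holder of Owner, Contributor or User Access Administrator and the scope it applies to, which is the starting point for both the malicious-admin and the least-privilege review. It assumes the well-known built-in role definition GUIDs; custom roles with equivalent rights are not covered and need adding by hand.

```kql
// Azure Resource Graph (Resource Graph Explorer or Search-AzGraph):
// who holds the three broadest built-in RBAC roles, and where.
authorizationresources
| where type =~ "microsoft.authorization/roleassignments"
| extend roleDefId = tolower(tostring(properties.roleDefinitionId))
// map the well-known built-in definition GUIDs to names; anything else is dropped
| extend RoleName = case(
    roleDefId endswith "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "Owner",
    roleDefId endswith "b24988ac-6180-42a0-ab88-20f7382dd24c", "Contributor",
    roleDefId endswith "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", "User Access Administrator",
    "")
| where isnotempty(RoleName)
| extend Scope = tostring(properties.scope),
         PrincipalId = tostring(properties.principalId),
         PrincipalType = tostring(properties.principalType),
         CreatedOn = todatetime(properties.createdOn)
// subscription or management-group scope is what matters for this review;
// anything with a resource group in the path is narrower
| extend BroadScope = Scope !contains "/resourceGroups/"
| project RoleName, PrincipalType, PrincipalId, Scope, BroadScope, CreatedOn
| order by BroadScope desc, RoleName asc
```

Resource Graph returns principal object IDs, not names; resolve them in the Entra portal or with Get-MgDirectoryObjectById. Only subscriptions the querying identity can read are returned, so run it as a Reader at the management-group root. Users (rather than groups) holding Owner at subscription scope are the first candidates for the least-privilege cleanup in 1.3.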
1.4. Human Error (Accidental exposure, poor security hygiene)
2. Identity & Access Management (IAM) Attacks
2.1. Phishing Attacks (Credential theft, MFA fatigue)
2.1.1. Emails
2.2. Password Attacks (Brute force, credential stuffing)
2.2.1. Check password failure logs
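Added example for 2.2.1 (not part of the original checklist): a KQL hunt over the Entra sign-in logs that surfaces password spray and credential stuffing, i.e. one source IP failing with "invalid username or password" (50126) or "account locked" (50053) against many accounts, and then checks whether the same IP later succeeded against anyone. It assumes the sign-in logs are exported to a Log Analytics workspace (SigninLogs table); the 10-user threshold is an assumption to tune.

```kql
// SigninLogs: IPs failing against many distinct accounts, joined with any
// later successes from the same IP (those users are the ones to reset first).
let lookback = 14d;
let sprayThreshold = 10;   // distinct target users per IP; assumption, tune to your tenant size
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in ("50126", "50053")            // bad password / account locked
| summarize Failures = count(),
            TargetUsers = dcount(UserPrincipalName),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName, 5)
    by IPAddress
| where TargetUsers >= sprayThreshold
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(lookback) and ResultType == "0"   // success
    | summarize Successes = count(),
                SucceededUsers = make_set(UserPrincipalName, 10)
        by IPAddress
  ) on IPAddress
| project IPAddress, Failures, TargetUsers, Successes, SucceededUsers,
          FirstSeen, LastSeen, Apps
| order by Successes desc, TargetUsers desc
```

For a brute force against a single account, swap the first summarize to group by UserPrincipalName and count distinct IPAddress instead. The same failure codes show up in the legacy-protocol sign-ins as well, so rows whose Apps contain Exchange or SMTP clients belong under 3.5.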
2.3. Session Hijacking (Token theft, replay attacks)
2.3.1. Check Microsoft Defender alerts for session hijacking (token theft, token replay)
2.4. Privileged Escalation (Exploiting permissions, role abuse)
2.4.1. Search Azure AD Audit Logs for Role Changes
2.4.2. Search for Users Added to High-Privilege Groups
2.4.3. Check Microsoft Entra ID Privileged Role Assignments
2.4.4. Investigate Service Principal & Application Permissions
2.4.5. Detect Suspicious Conditional Access Policy Changes
2.4.6. Correlate with Sign-In Logs (Check Unusual Access)
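Added example covering steps 2.4.1 to 2.4.6 as a single hunt (not part of the original checklist): role assignments (direct and PIM), additions to privileged groups, service principal credential and app-role changes, and Conditional Access policy edits are pulled from the Entra audit log, then each change is joined to the actor's successful sign-ins in the hour before it so the IP, country, risk level and MFA state of the session that made the change are visible. It assumes AuditLogs and SigninLogs are exported to a Log Analytics workspace; the privileged group names are a placeholder assumption.

```kql
let lookback = 30d;
let privRoles = dynamic(["Global Administrator", "Privileged Role Administrator",
    "Privileged Authentication Administrator", "Security Administrator",
    "Exchange Administrator", "Application Administrator",
    "Cloud Application Administrator", "Conditional Access Administrator",
    "User Administrator", "Hybrid Identity Administrator"]);
let privGroups = dynamic(["Azure Admins", "Helpdesk Tier 2"]);   // assumption: your tenant's names
// 2.4.1 / 2.4.2 / 2.4.3: role and group membership changes, direct or via PIM
let membershipChanges = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName has_any ("Add member to role", "Add eligible member to role", "Add member to group")
| mv-expand tr = TargetResources
| mv-expand mp = tr.modifiedProperties
| where tostring(mp.displayName) in ("Role.DisplayName", "Group.DisplayName")
| extend Container = trim('"', tostring(mp.newValue))     // newValue is a JSON-quoted string
| where Container in (privRoles) or Container in (privGroups)
| project TimeGenerated, OperationName, InitiatedBy, CorrelationId,
          Detail = strcat(Container, " <- ", tostring(tr.userPrincipalName));
// 2.4.4: new credentials, owners or app-role grants on service principals / apps
let spChanges = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in ("Add service principal credentials",
                          "Add app role assignment to service principal",
                          "Add owner to service principal", "Add owner to application")
| project TimeGenerated, OperationName, InitiatedBy, CorrelationId,
          Detail = tostring(TargetResources[0].displayName);
// 2.4.5: Conditional Access policy created, changed or deleted
let caChanges = AuditLogs
| where TimeGenerated > ago(lookback)
| where Category == "Policy" and OperationName has "conditional access policy"
| project TimeGenerated, OperationName, InitiatedBy, CorrelationId,
          Detail = tostring(TargetResources[0].displayName);
union membershipChanges, spChanges, caChanges
| extend Actor = iff(isnotempty(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.user.userPrincipalName),
                     strcat("app:", tostring(InitiatedBy.app.displayName))),
         ActorIP = tostring(InitiatedBy.user.ipAddress)
// 2.4.6: the actor's successful sign-ins in the hour before the change
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(lookback) and ResultType == "0"
    | project Actor = UserPrincipalName, SignInTime = TimeGenerated, SignInIP = IPAddress,
              Country = tostring(LocationDetails.countryOrRegion),
              Risk = RiskLevelDuringSignIn, Auth = AuthenticationRequirement
  ) on Actor
| where isnull(SignInTime) or SignInTime between ((TimeGenerated - 1h) .. TimeGenerated)
| summarize SignInIPs = make_set(SignInIP, 5), Countries = make_set(Country, 5),
            Risk = make_set(Risk, 3), Auth = make_set(Auth, 3)
    by TimeGenerated, OperationName, Detail, Actor, ActorIP, CorrelationId
| order by TimeGenerated desc
```

App-initiated changes (Actor starts with "app:") have no matching sign-in and come back with empty sign-in columns; those are the rows to check against 2.5 and 5.2. A change whose Auth set contains only singleFactorAuthentication, or whose Countries differ from the actor's usual ones, is the escalation worth escalating.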
2.5. OAuth & Consent Grant Abuse (Malicious third-party apps)
2.5.1. eM Client
2.5.2. Azure ESTS Service
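Added example for 2.5 (not part of the original checklist): a KQL query over the Entra audit log that lists every consent grant with the app, the consenting user, whether it was admin consent and the permissions granted, and flags the two application names already noted above plus any grant carrying mailbox, file or directory-write scopes. It assumes AuditLogs is exported to a Log Analytics workspace; the scope watchlist is an assumption to extend.

```kql
let lookback = 90d;
let appWatchlist = dynamic(["eM Client", "Azure ESTS Service"]);   // names from this review
let riskyScopes = dynamic(["Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                           "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access"]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in ("Consent to application", "Add delegated permission grant")
| mv-expand tr = TargetResources
| mv-expand mp = tr.modifiedProperties
| extend PropName = tostring(mp.displayName), PropValue = trim('"', tostring(mp.newValue))
| summarize App = anyif(tostring(tr.displayName), tostring(tr.type) == "ServicePrincipal"),
            Scopes = anyif(PropValue, PropName == "ConsentAction.Permissions"),
            AdminConsent = anyif(PropValue, PropName == "ConsentContext.IsAdminConsent"),
            Actor = any(tostring(InitiatedBy.user.userPrincipalName)),
            ActorIP = any(tostring(InitiatedBy.user.ipAddress))
    by TimeGenerated, OperationName, CorrelationId
| extend Flag = case(App in (appWatchlist), "watchlist app",
                     Scopes has_any (riskyScopes), "risky scope",
                     "")
| project TimeGenerated, App, Actor, ActorIP, AdminConsent, Flag, Scopes
| order by Flag desc, TimeGenerated desc
```

Before treating a grant as third-party, check the service principal's publisher: Azure ESTS Service is a Microsoft first-party application, so its presence in consent logs is normally expected, whereas eM Client is a third-party mail client whose Mail.* and offline_access scopes give it persistent mailbox access after the user's password is changed. Revoking the grant (Revoke-MgServicePrincipalAppRoleAssignment / removing the OAuth2PermissionGrant) is what ends that access, not a password reset.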
2.6. MFA Bypass (SIM swapping, MFA push spam)
3. Authentication & Authorization Risks
3.1. SSPR (Self-Service Password Reset) Exploits
3.2. MFA Manipulation & Takeover
3.3. Conditional Access Policy Gaps
3.3.1. Review Conditional Access bypasses
3.4. SSO (Single Sign-On) Exploits
3.5. Legacy Authentication Use (Basic Auth, no MFA)
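Added example for 3.3.1 and 3.5 together (not part of the original checklist): successful sign-ins that no Conditional Access policy applied to and that completed with a single factor, alongside sign-ins over legacy protocols that cannot do MFA at all. Both are the gaps an attacker with a stolen password uses. It assumes SigninLogs is exported to a Log Analytics workspace; the legacy client list is the set of ClientAppUsed values Entra reports for basic-auth protocols.

```kql
let lookback = 30d;
let legacyClients = dynamic(["Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Other clients", "Exchange Online PowerShell",
    "Autodiscover", "Universal Outlook"]);
SigninLogs
| where TimeGenerated > ago(lookback) and ResultType == "0"      // successful sign-ins only
| extend Country = tostring(LocationDetails.countryOrRegion),
         IsLegacy = ClientAppUsed in (legacyClients),
         NoCaApplied = ConditionalAccessStatus == "notApplied",
         SingleFactor = AuthenticationRequirement == "singleFactorAuthentication"
| where IsLegacy or (NoCaApplied and SingleFactor)
| summarize SignIns = count(), Users = dcount(UserPrincipalName),
            SampleUsers = make_set(UserPrincipalName, 5),
            Countries = make_set(Country, 5), SourceIPs = dcount(IPAddress)
    by ClientAppUsed, AppDisplayName, IsLegacy, NoCaApplied, SingleFactor
| order by IsLegacy desc, Users desc
```

Rows with NoCaApplied and SingleFactor are accounts excluded from every policy or apps no policy targets; the ConditionalAccessPolicies column on the individual sign-in shows which policies were evaluated and why they did not apply. Any row with IsLegacy is a protocol to block with a Conditional Access policy that targets "Other clients" and "Exchange ActiveSync" client apps, once the SampleUsers have been moved to modern clients.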
4. Endpoint & Device Security
4.1. Compromised User Workstations (Malware, keyloggers)
4.1.1. Run Malwarebytes on affected user computers
4.2. Remote Desktop (RDP) Exploits
4.2.1. Review RDS logs
4.2.2. Review RDS connections from uncommon locations
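Added example for 4.2.1 and 4.2.2 (not part of the original checklist): successful and failed RDP logons (Security event 4624/4625 with logon type 10, RemoteInteractive) summarised by source address, keeping only sources outside the internal ranges. It assumes the RDS hosts forward their Security log to a Log Analytics workspace (SecurityEvent table); the internal ranges are the RFC 1918 blocks and are an assumption for this environment.

```kql
let lookback = 90d;
let internalRanges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]);  // assumption
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4624, 4625) and LogonType == 10         // 10 = RemoteInteractive (RDP)
| where isnotempty(IpAddress) and IpAddress != "-"
// ipv4_is_in_any_range returns null for non-IPv4 sources, which the == false test drops
| extend IsInternal = ipv4_is_in_any_range(IpAddress, internalRanges)
| where IsInternal == false
| summarize Successes = countif(EventID == 4624), Failures = countif(EventID == 4625),
            Accounts = make_set(Account, 10), Hosts = make_set(Computer, 10),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by IpAddress
| order by Successes desc, Failures desc
```

Two caveats when reading the result: with Network Level Authentication enabled, failed RDP attempts are recorded as 4625 with logon type 3, not 10, so a separate pass on LogonType == 3 against the RDS hosts is needed to see the brute-force side; and external sources that are legitimately the VPN concentrator or ScreenConnect relay should be added to internalRanges rather than investigated every time.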
4.3. Endpoint Configuration Drift (Unpatched systems)
5. Cloud & Azure Infrastructure Attacks
5.1. Azure AD Sync Exploits (Compromising on-prem AD)
5.1.1. Review CM-DC-02 logs
5.1.2. Review Azure AD Connect logs
5.2. Compromised Service Principals & API Tokens
5.2.1. Review logs for service principals and APIs
5.3. Misconfigured Azure Roles & Policies
5.4. Azure AD Connect Sync Hijacking
5.4.1. For example: https://securityboulevard.com/2022/11/syncjacking-hard-matching-vulnerability-enables-azure-ad-account-takeover/
6. Network & External Threats
6.1. Unusual IP Activity (Geo-based anomalies, TOR, proxies)
6.1.1. Review Microsoft Defender logs for unusual IP activity for the past 2-3 months
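Added example for 6.1.1 (not part of the original checklist): a baseline comparison over the 2-3 month window above, listing each user's sign-in countries from the last 30 days that never appeared in the 60 days before, together with the network type Entra recorded and any Identity Protection risk level (anonymous IP / TOR and proxy use surface there as risk). It assumes SigninLogs is exported to a Log Analytics workspace.

```kql
let recent = 30d;
let baseline = 90d;
// countries each user was already seen from during the baseline period
let seenBefore = SigninLogs
| where TimeGenerated between (ago(baseline) .. ago(recent)) and ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| distinct UserPrincipalName, Country;
SigninLogs
| where TimeGenerated > ago(recent) and ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion),
         NetworkType = tostring(NetworkLocationDetails[0].networkType)
// leftanti keeps only (user, country) pairs with no row in the baseline
| join kind=leftanti (seenBefore) on UserPrincipalName, Country
| summarize SignIns = count(), SourceIPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 5), NetworkTypes = make_set(NetworkType, 3),
            RiskySignIns = countif(RiskLevelDuringSignIn != "none"),
            FirstSeen = min(TimeGenerated)
    by UserPrincipalName, Country
| order by RiskySignIns desc, FirstSeen desc
```

New countries with a single sign-in and no risk are usually travel; a new country with RiskySignIns above zero, or one whose SourceIPs also appear in the password-spray results under 2.2.1, is the case to open. Shorten the baseline if the workspace retention is under 90 days, otherwise every country looks new.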
6.2. Man-in-the-Middle (MITM) Attacks
6.3. Public-Facing API Exploits
6.4. Exposed Remote Access Ports (RDP, SSH, VPN exploits)
6.4.1. Review ScreenConnect logs
6.4.2. Review Cisco Secure Client logs
6.4.3. Review Meraki security logs
6.5. Network General
6.5.1. Review Meraki logs