# Highlighted ITDR Capabilities

In the face of evolving cyber threats, traditional security measures often fall short in protecting identity-driven environments. Rezonate's ITDR capabilities are engineered to address this gap, providing a powerful, proactive defense across every stage of the MITRE ATT&CK kill chain. Below are some highlighted threat scenarios that our ITDR module is capable of detecting.

#### Initial Access

* Suspicious Console and Interactive Logins: Unusual or unauthorized login attempts, especially from new devices or unfamiliar locations.
* Brute Force and Distributed Brute Force Attacks: Repeated attempts to guess passwords or roles to gain unauthorized access, often using automated tools.
* Password Spray Attacks: Attackers use a common password across multiple accounts, hoping to find accounts with weak or reused credentials.
* MFA Fatigue: Overwhelming users with multiple MFA prompts to trick them into approving an unauthorized access attempt.
* Access via Tor and Proxy Networks: Using anonymizing services to mask IPs and obscure the attack’s origin, bypassing location-based security restrictions.
* Use of Legacy Protocols: Exploiting older, less secure protocols that lack modern protections like MFA.
* Login with Scripting Tools: Initial access attempts via scripting languages or command-line tools, signaling potential automation or unauthorized access.
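To make the distinction between the first four scenarios concrete, here is an added Python sketch (illustrative code, not Rezonate's detection logic) that separates brute force, password spray and MFA fatigue by their shape in constructed authentication events; the thresholds and the event tuple layout are assumptions.

```python
# Added example, not Rezonate's code: toy detection logic for three of the
# Initial Access scenarios above, run over constructed authentication events.
from collections import defaultdict

# Constructed sample events: (timestamp_sec, source_ip, user, outcome),
# outcome in {"fail", "success", "mfa_denied"}.
EVENTS = [
    *[(t, "203.0.113.5", "alice", "fail") for t in range(12)],             # brute force
    *[(100 + i, "198.51.100.9", f"user{i}", "fail") for i in range(8)],    # password spray
    *[(200 + 10 * t, "192.0.2.7", "bob", "mfa_denied") for t in range(5)],  # MFA fatigue
    (300, "192.0.2.8", "carol", "success"),                                # benign
]

def burst(stamps, window):
    """Largest number of timestamps falling inside any `window`-second span."""
    stamps = sorted(stamps)
    best = lo = 0
    for hi, ts in enumerate(stamps):
        while ts - stamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def detect(events, window=300, bf_threshold=10, spray_accounts=5, mfa_threshold=3):
    """Return (scenario, key) findings. Thresholds are illustrative assumptions:
    brute force    = >= bf_threshold failures for one (source, user) pair per window
    password spray = one source failing against >= spray_accounts distinct users
    MFA fatigue    = one user rejecting >= mfa_threshold MFA prompts per window"""
    fails_by_pair = defaultdict(list)   # (ip, user) -> failure timestamps
    users_by_source = defaultdict(set)  # ip -> users it failed against
    mfa_by_user = defaultdict(list)     # user -> MFA denial timestamps
    for ts, ip, user, outcome in events:
        if outcome == "fail":
            fails_by_pair[(ip, user)].append(ts)
            users_by_source[ip].add(user)
        elif outcome == "mfa_denied":
            mfa_by_user[user].append(ts)

    findings = []
    for (ip, user), stamps in fails_by_pair.items():
        if burst(stamps, window) >= bf_threshold:
            findings.append(("brute_force", f"{ip}->{user}"))
    for ip, users in users_by_source.items():
        if len(users) >= spray_accounts:
            findings.append(("password_spray", ip))
    for user, stamps in mfa_by_user.items():
        if burst(stamps, window) >= mfa_threshold:
            findings.append(("mfa_fatigue", user))
    return findings
```

Note that the spray source never trips the brute-force rule (one failure per account) and the brute-force source never trips the spray rule (one account), which is why the two need separate aggregations.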

#### Reconnaissance

* Enumeration of Resources: Attackers explore resources such as policies, roles, storage services, computing services, or code pipelines to gather information on the environment, looking for privileged resources or vulnerabilities.
* Enumeration of Security Services: Assessing the configuration of security tools like monitoring and logging solutions, looking for gaps or exploitable configurations.

#### Persistence

* Creation of Administrative Accounts and Credentials: Establishing persistence by creating high-privilege accounts or generating new access keys.
* MFA Enrollment and Deletion: Modifying MFA settings to secure persistent access, such as enrolling a new MFA method or removing existing ones.
* Conditional Access and Policy Manipulation: Updating conditional access policies to allow easier reentry or prevent detection of the compromised identity.
* Session Hijacking and Token Creation: Attackers create or hijack session tokens, bypassing traditional authentication mechanisms and allowing long-term access without direct logins.
* Service Principal and Application Credential Addition: Adding service principal accounts or applications with permissions, enabling attackers to bypass normal user logins and maintain access.
* Resetting Security Information: Changing security settings, such as recovery emails or authentication factors, to maintain exclusive control over a compromised account.
* Adding External Identity Providers: Configuring additional IDPs to allow unauthorized external accounts to authenticate as legitimate users.

#### Privilege Escalation

* Role and Group Modifications: Elevating privileges by adding compromised accounts to privileged roles or groups, granting unauthorized access to sensitive resources.
* Privileged Identity Management (PIM) Role Escalation: Exploiting PIM processes to temporarily or permanently add accounts to high-privilege roles.
* Consent Grants to Malicious Applications: Granting admin consent to applications, which then have persistent, elevated access to the environment.
* Adding or Updating Conditional Policies: Modifying policies to escalate privileges, such as granting new permissions, application access, or relaxing security policies for targeted users or groups.
* Service Principal and App Role Assignment: Assigning roles to applications or service principals to expand the scope of privileges without using user accounts.
* Owner and Administrator Privilege Changes: Assigning ownership or administrator privileges to accounts or applications, ensuring access to high-value resources.

#### Defense Evasion

* Disabling Monitoring and Logging Services: Disabling security services like logging, threat detection, or monitoring tools to prevent the detection of malicious activity.
* Modifying Security Policies to Avoid Detection: Updating access policies or security configurations to avoid triggering alerts, such as setting permissions that bypass standard protections.

#### Exfiltration

* Making Storage Public: Configuring storage buckets to allow public access, enabling the attacker to extract data without authorization.
* Cross-Tenant Sharing of Resources: Sharing resources, like snapshots or databases, across tenants or accounts, often to transfer data out of a secure environment.
* Creating External Data Shares: Establishing data shares with external entities, allowing unauthorized parties to access data continuously.
* High-Volume Queries for Data Exfiltration: Running large queries on databases to extract significant volumes of data in a short time, often unnoticed in high-traffic environments.

#### Impact

* Resource Creation and Manipulation: Creating or altering resources (e.g., compute instances, containers, or functions) to carry out malicious operations in the victims' environments.
* Mass Resource Deletion: Removing resources in large volumes to disrupt operations or hinder forensic investigations, typically seen in destructive attacks.
* Backup Data Corruption: Tampering with backup data to prevent recovery in the event of a successful attack.
* Malicious File or Script Execution: Executing unauthorized files or scripts on cloud instances or containers, potentially installing malware or manipulating data.

#### Lateral Movement

* Federated Identity Access across Services: Using federated identities to access other services, such as cloud platforms or code repositories, expanding the attacker’s reach.
* Cross-Account Role Assumption: Assuming roles in other accounts or tenants, allowing attackers to access resources in affiliated or partner environments.

