# Highlighted ITDR Capabilities

In the face of evolving cyber threats, traditional security measures often fall short in protecting identity-driven environments. Rezonate’s ITDR capabilities are engineered to address this gap, providing a powerful, proactive defense across every stage of the MITRE ATT&CK kill chain. Below are some highlighted threat scenarios that our ITDR module is capable of detecting.

#### Initial Access

* Suspicious Console and Interactive Logins: Unusual or unauthorized login attempts, especially from new devices or unfamiliar locations.
* Brute Force and Distributed Brute Force Attacks: Repeated attempts to guess passwords or roles to gain unauthorized access, often using automated tools.
* Password Spray Attacks: Attackers use a common password across multiple accounts, hoping to find accounts with weak or reused credentials.
* MFA Fatigue: Overwhelming users with multiple MFA prompts to trick them into approving an unauthorized access attempt.
* Access via Tor and Proxy Networks: Using anonymizing services to mask IPs and obscure the attack’s origin, bypassing location-based security restrictions.
* Use of Legacy Protocols: Exploiting older, less secure protocols that lack modern protections like MFA.
* Login with Scripting Tools: Initial access attempts via scripting languages or command-line tools, signaling potential automation or unauthorized access.
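The brute force, distributed brute force and password spray scenarios above differ only in how failed sign-ins cluster: one source against one account, many sources against one account, or one source spreading single guesses over many accounts. The following added example (not Rezonate's code; the event tuples and thresholds are constructed for illustration) runs three sliding-window rules over sample sign-in records and shows how the three patterns separate, plus the higher-severity case where a success follows a brute-force burst.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data).
# Fields: ISO timestamp, user, source IP, result.
SAMPLE_EVENTS = [
    # Brute force: one source IP hammering one account, then a success
    ("2024-05-01T10:00:00", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T10:00:05", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T10:00:09", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T10:00:14", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T10:00:20", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T10:00:26", "alice", "198.51.100.7", "success"),
    # Password spray: one source IP, a single failure against each of many accounts
    ("2024-05-01T11:00:00", "bob",   "203.0.113.9", "failure"),
    ("2024-05-01T11:00:02", "carol", "203.0.113.9", "failure"),
    ("2024-05-01T11:00:04", "dave",  "203.0.113.9", "failure"),
    ("2024-05-01T11:00:06", "erin",  "203.0.113.9", "failure"),
    ("2024-05-01T11:00:08", "frank", "203.0.113.9", "failure"),
    # Distributed brute force: one account, failures from many source IPs
    ("2024-05-01T12:00:00", "grace", "192.0.2.10", "failure"),
    ("2024-05-01T12:00:03", "grace", "192.0.2.11", "failure"),
    ("2024-05-01T12:00:06", "grace", "192.0.2.12", "failure"),
    ("2024-05-01T12:00:09", "grace", "192.0.2.13", "failure"),
    ("2024-05-01T12:00:12", "grace", "192.0.2.14", "failure"),
    # Benign noise: a single typo followed by a success
    ("2024-05-01T13:00:00", "heidi", "192.0.2.50", "failure"),
    ("2024-05-01T13:00:07", "heidi", "192.0.2.50", "success"),
]


def parse_events(rows):
    """Convert ISO timestamps to datetime objects; other fields pass through."""
    return [(datetime.fromisoformat(ts), user, ip, result) for ts, user, ip, result in rows]


def _windows(items, window):
    """Yield every sliding window of (ts, value) pairs whose span is <= window."""
    items = sorted(items, key=lambda x: x[0])
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        yield items[start:end + 1]


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Map (user, ip) -> 'success-after-burst' or 'failures-only' for each
    pair with >= threshold failures inside one window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, user, ip, result in events:
        (failures if result == "failure" else successes)[(user, ip)].append((ts, result))
    alerts = {}
    for key, items in failures.items():
        for win in _windows(items, window):
            if len(win) >= threshold:
                burst_start = win[0][0]
                followed = any(ts > burst_start for ts, _ in successes.get(key, []))
                alerts[key] = "success-after-burst" if followed else "failures-only"
                break
    return alerts


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Source IPs whose failures in one window touch >= min_users accounts while
    no single account sees more than max_per_user failures (low-and-wide)."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            by_ip[ip].append((ts, user))
    alerts = set()
    for ip, items in by_ip.items():
        for win in _windows(items, window):
            per_user = Counter(user for _, user in win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.add(ip)
                break
    return alerts


def detect_distributed_brute_force(events, window=timedelta(minutes=10), min_ips=5):
    """Accounts whose failures in one window arrive from >= min_ips distinct sources."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            by_user[user].append((ts, ip))
    alerts = set()
    for user, items in by_user.items():
        for win in _windows(items, window):
            if len({ip for _, ip in win}) >= min_ips:
                alerts.add(user)
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("brute force:", detect_brute_force(evs))
    print("password spray:", detect_password_spray(evs))
    print("distributed brute force:", detect_distributed_brute_force(evs))
```

The per-user cap in the spray rule is what keeps a plain brute-force burst from also firing as a spray; in production these thresholds would be tuned to the tenant's baseline and the source IP enriched with the Tor/proxy and legacy-protocol signals listed above.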

#### Reconnaissance

* Enumeration of Resources: Attackers explore resources such as policies, roles, storage services, computing services, or code pipelines to gather information on the environment, looking for privileged resources or vulnerabilities.
* Enumeration of Security Services: Assessing the configuration of security tools like monitoring and logging solutions, looking for gaps or exploitable configurations.

#### Persistence

* Creation of Administrative Accounts and Credentials: Establishing persistence by creating high-privilege accounts or generating new access keys.
* MFA Enrollment and Deletion: Modifying MFA settings to secure persistent access, such as enrolling a new MFA method or removing existing ones.
* Conditional Access and Policy Manipulation: Updating conditional access policies to allow easier reentry or prevent detection of the compromised identity.
* Session Hijacking and Token Creation: Attackers create or hijack session tokens, bypassing traditional authentication mechanisms and allowing long-term access without direct logins.
* Service Principal and Application Credential Addition: Adding service principal accounts or applications with permissions, enabling attackers to bypass normal user logins and maintain access.
* Resetting Security Information: Changing security settings, such as recovery emails or authentication factors, to maintain exclusive control over a compromised account.
* Adding External Identity Providers: Configuring additional IDPs to allow unauthorized external accounts to authenticate as legitimate users.

#### Privilege Escalation

* Role and Group Modifications: Elevating privileges by adding compromised accounts to privileged roles or groups, granting unauthorized access to sensitive resources.
* Privileged Identity Management (PIM) Role Escalation: Exploiting PIM processes to temporarily or permanently add accounts to high-privilege roles.
* Consent Grants to Malicious Applications: Granting admin consent to applications, which then have persistent, elevated access to the environment.
* Adding or Updating Conditional Policies: Modifying policies to escalate privileges, such as granting new permissions, application access, or relaxing security policies for targeted users or groups.
* Service Principal and App Role Assignment: Assigning roles to applications or service principals to expand the scope of privileges without using user accounts.
* Owner and Administrator Privilege Changes: Assigning ownership or administrator privileges to accounts or applications, ensuring access to high-value resources.
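Several of the Persistence and Privilege Escalation scenarios above (privileged role additions, MFA enrollment after a takeover, admin consent to an application) become far more telling when correlated on the same identity inside a short window than when alerted one at a time. The added example below (not Rezonate's code; the audit records, operation names, field names and role watchlist are constructed for illustration, not any vendor's schema) evaluates three such rules over sample directory audit records and groups the findings per identity for triage.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory audit records (not real log data). Field and operation
# names are assumptions for this example, not a specific product's schema.
SAMPLE_AUDIT = [
    {"ts": "2024-05-02T09:00:00", "op": "Add member to role", "actor": "mallory",
     "target": "mallory", "detail": "Global Administrator"},
    {"ts": "2024-05-02T09:03:00", "op": "User registered security info", "actor": "mallory",
     "target": "mallory", "detail": "Authenticator app"},
    {"ts": "2024-05-02T09:05:00", "op": "Consent to application", "actor": "mallory",
     "target": "DataSyncApp", "detail": "admin consent"},
    # Routine helpdesk change to a non-privileged role: should not fire
    {"ts": "2024-05-02T14:00:00", "op": "Add member to role", "actor": "helpdesk-admin",
     "target": "ivan", "detail": "Helpdesk Operator"},
    # Ordinary MFA enrollment with no preceding elevation: should not fire
    {"ts": "2024-05-03T08:00:00", "op": "User registered security info", "actor": "judy",
     "target": "judy", "detail": "Phone"},
]

# Watchlist of roles whose membership changes always deserve review (assumed).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
}


def parse_audit(records):
    """Return copies of the records with 'ts' parsed into datetime objects."""
    return [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in records]


def privileged_role_additions(records):
    """(actor, target, role) for every addition to a watchlisted role."""
    return [(r["actor"], r["target"], r["detail"]) for r in records
            if r["op"] == "Add member to role" and r["detail"] in PRIVILEGED_ROLES]


def mfa_registration_after_elevation(records, window=timedelta(minutes=30)):
    """(user, method) for MFA enrollments that follow a privileged role addition
    for the same user within the window: a classic persistence step."""
    elevations = [r for r in records
                  if r["op"] == "Add member to role" and r["detail"] in PRIVILEGED_ROLES]
    hits = []
    for r in records:
        if r["op"] != "User registered security info":
            continue
        for e in elevations:
            delta = r["ts"] - e["ts"]
            if e["target"] == r["target"] and timedelta(0) <= delta <= window:
                hits.append((r["target"], r["detail"]))
                break
    return hits


def admin_consent_grants(records):
    """(actor, application) for every tenant-wide admin consent grant."""
    return [(r["actor"], r["target"]) for r in records
            if r["op"] == "Consent to application" and r["detail"] == "admin consent"]


def triage(records):
    """Group rule hits by the identity they concern so an analyst sees the
    whole chain (elevation -> MFA enrollment -> app consent) in one place."""
    findings = defaultdict(list)
    for actor, target, role in privileged_role_additions(records):
        findings[target].append("privileged_role_add")
        if actor == target:
            findings[target].append("self_elevation")
    for user, _method in mfa_registration_after_elevation(records):
        findings[user].append("mfa_after_elevation")
    for actor, _app in admin_consent_grants(records):
        findings[actor].append("admin_consent")
    return dict(findings)


if __name__ == "__main__":
    for identity, hits in triage(parse_audit(SAMPLE_AUDIT)).items():
        print(identity, "->", ", ".join(hits))
```

Keeping each rule as its own function lets them also run standalone, while `triage` is where the correlation lives; a real deployment would extend the watchlist with PIM activations, owner changes and app role assignments, and weight the chain by how many distinct persistence mechanisms the same identity touched.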

#### Defense Evasion

* Disabling Monitoring and Logging Services: Disabling security services like logging, threat detection, or monitoring tools to prevent the detection of malicious activity.
* Modifying Security Policies to Avoid Detection: Updating access policies or security configurations to avoid triggering alerts, such as setting permissions that bypass standard protections.

#### Exfiltration

* Making Storage Public: Configuring storage buckets to allow public access, enabling the attacker to extract data without authorization.
* Cross-Tenant Sharing of Resources: Sharing resources, like snapshots or databases, across tenants or accounts, often to transfer data out of a secure environment.
* Creating External Data Shares: Establishing data shares with external entities, allowing unauthorized parties to access data continuously.
* High-Volume Queries for Data Exfiltration: Running large queries on databases to extract significant volumes of data in a short time, often unnoticed in high-traffic environments.

#### Impact

* Resource Creation and Manipulation: Creating or altering resources (e.g., compute instances, containers, or functions) to carry out malicious operations in the victims' environments.
* Mass Resource Deletion: Removing resources in large volumes to disrupt operations or hinder forensic investigations, typically seen in destructive attacks.
* Backup Data Corruption: Tampering with backup data to prevent recovery in the event of a successful attack.
* Malicious File or Script Execution: Executing unauthorized files or scripts on cloud instances or containers, potentially installing malware or manipulating data.

#### Lateral Movement

* Federated Identity Access across Services: Using federated identities to access other services, such as cloud platforms or code repositories, expanding the attacker’s reach.
* Cross-Account Role Assumption: Assuming roles in other accounts or tenants, allowing attackers to access resources in affiliated or partner environments.

