Hi everyone,
In response to the recent compromise (that I'm sure has impacted all of us) we (Jumpcloud MSP users) performed an investigation to determine if any of our organisations were affected. I'm aware it's extremely unlikely but better safe than sorry.
I'm wondering if anyone has any suggestions as to how to perform this check?
We did the following:
- Check our users list for any that we don't recognise or that otherwise seem unusual.
- Perform similar checks on Commands.
- Go through the logs and see if anything there looks wrong.
We looked at the following kinds of log entries between 22/6 and the present:
- user_create - Duplicating item #1 above
- command_create, command_run, command_delete - Duplicating #2
- user_password_change - I'm not sure this is even relevant but I checked it out
- user_create_provision - Seems like something that could potentially be useful to an attacker
- association_change - Could be used for privilege escalation
- software_add, software_change, software_remove - Could be used add malware or remove defensive software such as antivirus
- admin_access_granted, admin_update - Unlikely to be relevant but generates a small amount of data, so why not?
Has anyone got anything to add to this?
