Microsoft Teams Blog articles

Cloud forensics: Forensic readiness and incident response in Azure Virtual Desktop

Azure Virtual Desktop (AVD) is becoming a prime target for attackers as its use in remote work expands. Threat actors use stolen credentials and compromised identities to sign in to AVD, move laterally and persist without installing any malware, so these intrusions are often stealthy and require swift detection and investigation. Traditional forensics struggles with AVD's architecture, which calls for new strategies; this post details how to build forensic readiness and conduct investigations in AVD environments.

AVD runs user sessions on session hosts and, with FSLogix, stores each user's profile as a VHD container. Logging is crucial: AVD diagnostic logs are often not enabled at first, yet they are essential to any investigation and need to be switched on before an incident. Investigation involves both live and offline collection, including disk snapshots of session hosts and extraction of the FSLogix profile VHDs. Within those artifacts, analysts should look at browser data, registry hives and startup items.

Successful threat hunting relies on examining identity, Azure platform and host artifacts together. The primary hunting objective is identifying where the threat actor logged in from.
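As an added example, not code from the original post or from Microsoft, the following Python script shows the identity-to-host correlation the hunting objective calls for: it takes sign-in records and AVD connection records, flags successful sign-ins from an origin the user has never used (outside the organisation's known egress ranges and outside the countries in the user's baseline), and names the session hosts that the same client IP connected to shortly afterwards, i.e. the hosts whose disks and FSLogix VHDs should be snapshotted. All records, the user names, the IP addresses and the egress range are constructed for illustration, and the field names are only loosely modelled on the Entra ID SigninLogs and AVD WVDConnections tables; treat that schema as an assumption rather than documentation.

```python
"""Triage helper for the question "where did the threat actor log in from?".

Assumptions (not from the original post): field names loosely follow the
Entra ID SigninLogs and AVD WVDConnections Log Analytics tables, and the
records below are constructed sample data, not real telemetry.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample data: alice normally signs in from the corporate egress
# range in GB; on 2024-05-03 her credentials are used from an unfamiliar IP.
SIGNIN_LOGS = [
    {"TimeGenerated": "2024-05-01T08:02:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "Location": "GB", "ResultType": "0"},
    {"TimeGenerated": "2024-05-02T08:05:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.12", "Location": "GB", "ResultType": "0"},
    # one failed attempt from the new IP, then a success two minutes later
    {"TimeGenerated": "2024-05-03T02:39:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.77", "Location": "NL", "ResultType": "50126"},
    {"TimeGenerated": "2024-05-03T02:41:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.77", "Location": "NL", "ResultType": "0"},
    {"TimeGenerated": "2024-05-03T09:00:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.20", "Location": "GB", "ResultType": "0"},
]

WVD_CONNECTIONS = [
    {"TimeGenerated": "2024-05-01T08:03:10Z", "UserName": "alice@contoso.example", "State": "Connected",
     "SessionHostName": "avd-host-01.contoso.example", "ClientSideIPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-03T02:43:30Z", "UserName": "alice@contoso.example", "State": "Connected",
     "SessionHostName": "avd-host-03.contoso.example", "ClientSideIPAddress": "198.51.100.77"},
    {"TimeGenerated": "2024-05-03T09:01:00Z", "UserName": "bob@contoso.example", "State": "Connected",
     "SessionHostName": "avd-host-01.contoso.example", "ClientSideIPAddress": "203.0.113.20"},
]

# Constructed: ranges the organisation treats as expected egress (e.g. corporate VPN).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_known_egress(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def baseline_locations(signins, upn, before):
    """Countries seen in successful sign-ins for `upn` strictly before `before`."""
    return {r["Location"] for r in signins
            if r["UserPrincipalName"] == upn and r["ResultType"] == "0"
            and parse_ts(r["TimeGenerated"]) < before}


def suspicious_signins(signins, upn, baseline_end):
    """Successful sign-ins at or after baseline_end whose IP is outside known
    egress and whose country is absent from the user's baseline."""
    base = baseline_locations(signins, upn, baseline_end)
    out = []
    for r in sorted(signins, key=lambda r: r["TimeGenerated"]):
        if r["UserPrincipalName"] != upn or r["ResultType"] != "0":
            continue
        if parse_ts(r["TimeGenerated"]) < baseline_end:
            continue
        if is_known_egress(r["IPAddress"]) or r["Location"] in base:
            continue
        out.append(r)
    return out


def session_hosts_for(signin, connections, window=timedelta(minutes=10)):
    """Session hosts the same user connected to from the same client IP
    within `window` after the sign-in: these are the hosts to snapshot."""
    t0 = parse_ts(signin["TimeGenerated"])
    hosts = []
    for c in connections:
        if c["UserName"] != signin["UserPrincipalName"] or c["State"] != "Connected":
            continue
        if c["ClientSideIPAddress"] != signin["IPAddress"]:
            continue
        if timedelta(0) <= parse_ts(c["TimeGenerated"]) - t0 <= window:
            hosts.append(c["SessionHostName"])
    return hosts


def triage(upn, signins=SIGNIN_LOGS, connections=WVD_CONNECTIONS,
           baseline_end=datetime(2024, 5, 3)):
    """One finding per suspicious sign-in: origin, prior failures from that IP
    (a password-spray or guessing indicator), and the session hosts reached."""
    findings = []
    for s in suspicious_signins(signins, upn, baseline_end):
        failed_before = sum(
            1 for r in signins
            if r["UserPrincipalName"] == upn and r["IPAddress"] == s["IPAddress"]
            and r["ResultType"] != "0"
            and parse_ts(r["TimeGenerated"]) < parse_ts(s["TimeGenerated"]))
        findings.append({
            "time": s["TimeGenerated"], "ip": s["IPAddress"], "country": s["Location"],
            "failed_attempts_from_ip_before": failed_before,
            "session_hosts": session_hosts_for(s, connections),
        })
    return findings


if __name__ == "__main__":
    for finding in triage("alice@contoso.example"):
        print(finding)
```

The country baseline and the known-egress list are deliberately separate checks: a user who travels will legitimately appear in a new country, but a sign-in from an address outside every known egress range that is immediately followed by a connection to a session host is the combination worth pulling a snapshot for. In a real tenant the same logic is easier to express as a KQL join across the two tables, but the Python form lets you run it offline over exported logs during an investigation.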
techcommunity.microsoft.com