TR0.5 Hybrid Environment Mapping and Asset Prioritization

The rapid environment snapshot

The triage responder needs answers to five questions within the first 2 minutes of any incident. These questions determine whether the alert is scoped to a single system or represents a cross-environment attack chain. Building the answers into a reference map before an incident means the responder doesn't waste triage time asking the infrastructure team.

// Q1: Does this identity exist in both AD and Entra ID?
IdentityInfo
| where AccountName has "svc-dbadmin"
| project AccountName, AccountUpn, IsAccountEnabled,
    OnPremisesDistinguishedName, Department
| take 5
// If OnPremisesDistinguishedName is populated: synced from AD.
// Compromise affects BOTH on-prem AD and Entra ID.
// Q2: Is this device hybrid-joined?
DeviceInfo
| where DeviceName == "DESKTOP-NGE042"
| project DeviceName, JoinType, OSPlatform,
    AadDeviceId, OnboardingStatus
| take 1
// JoinType: HybridAzureADJoined = PRT exists (Pass-the-PRT risk)
// Q3: Is this Linux server forwarding logs to Sentinel?
Syslog
| where Computer == "SRV-NGE-BRS-DB01"
| summarize LastEvent = max(TimeGenerated),
    EventCount = count() by Computer
// Empty result = no syslog forwarding. Triage relies on local logs only.
// Q4: What connects TO this system?
DeviceNetworkEvents
| where RemoteIP == "10.10.6.50"  // Linux server IP
| where Timestamp > ago(24h)
| summarize Connections = count(),
    Devices = make_set(DeviceName, 20),
    Ports = make_set(RemotePort)
    by RemoteIP

The first query reveals whether the compromised identity spans environments — a synced account compromise affects both AD and Entra ID simultaneously. The second identifies PRT risk on hybrid-joined devices. The third tells you whether Linux evidence will be available in Sentinel or requires SSH access. The fourth maps the inbound connection footprint — every device that touched the compromised system in the last 24 hours is a potential lateral movement source.

Question 5: What data does this system access? This question doesn't have a KQL answer — it requires the environment map. A compromised web server serving static content is low impact. A compromised database server holding 85,000 customer PII records triggers GDPR Article 33 notification within 72 hours. The environment map documents: server role, data classification, and regulatory exposure for every system the SOC monitors.

The NE hybrid architecture

Figure TR0.5 — NE hybrid environment. 810 users across three environments connected by Entra Connect sync and SSH. Six documented hybrid attack paths enable cross-environment lateral movement.

NE's hybrid architecture is typical of mid-size organizations. Entra Connect synchronizes password hashes (PHS) between on-prem AD and Entra ID — a compromise of the Entra Connect server grants DCSync-equivalent permissions, allowing the attacker to extract every password hash in the domain. Windows workstations are hybrid-joined, creating Primary Refresh Tokens that can be replayed for cloud access without MFA (the Pass-the-PRT attack covered in TR2).

Linux servers are SSH-accessible from AD-joined devices using cached credentials — which is how the CHAIN-HARVEST extended attack pivoted from the Windows endpoint to the database server.

The six documented attack paths at NE represent the most common cross-environment chains. CHAIN-HARVEST (AiTM → token theft → BEC) stays within the cloud unless the attacker extends to endpoints. CHAIN-DRIFT (compromised identity → beacon → LSASS dump → SSH lateral movement) crosses all three environments. CHAIN-PRIVILEGE (Kerberoasting → service account → Entra Connect exploitation) moves from AD to cloud via the sync mechanism. CHAIN-ENDPOINT (phishing → beacon → DCSync) stays within Windows and AD.

CHAIN-MESH (web vulnerability → container escape → host → AD) traverses Linux, containers, and AD. Each path represents a boundary crossing that the triage responder must recognize — because the boundary crossing is where single-environment triage fails and multi-environment triage succeeds.

Your organization has its own attack paths. The exercise is the same: identify every connection between environments (identity sync, device join types, SSH access, service accounts, API integrations), and for each connection, document the attack path an adversary would follow to cross that boundary. The result is your hybrid attack path map — the document the triage responder consults when an alert in one environment shows indicators of boundary crossing.

The 3-tier asset classification

A SOC analyst with 15 open alerts cannot triage all of them simultaneously. An SSH brute force against a development VM and an AiTM compromise on the CFO's account both fire alerts — but the business impact, attacker sophistication, and regulatory exposure are completely different. The 3-tier classification determines triage priority.

Tier 1 — Critical (SLA: 15 minutes). Domain controllers, Entra Connect server, Global Admin accounts, AD FS servers, database servers holding PII or financial data. A Tier 1 compromise triggers immediate triage regardless of alert severity. The blast radius of a compromised domain controller is the entire AD domain — all users, all servers, all workstations. The blast radius of a compromised Global Admin is the entire Entra ID tenant and all M365 workloads.

Tier 2 — High (SLA: 60 minutes). Member servers, file servers, senior leadership accounts, container hosts, Kubernetes control plane. A Tier 2 compromise is triaged next in queue. The blast radius is significant but bounded — a compromised file server exposes the data it holds, not the entire domain.

Tier 3 — Standard (SLA: 4 hours). Workstations, development VMs, standard user accounts, non-production servers. A Tier 3 compromise follows the standard queue. The blast radius is typically limited to the individual system and the user's accessible resources.

Blast radius assessment

When an alert classifies as TP, the triage responder must determine how far the compromise can reach. Four questions drive the assessment.

What credentials are accessible from this system? A compromised workstation holds the logged-in user's NTLM hash, Kerberos tickets, any cached credentials from previous logins, and credentials stored in applications (browser passwords, SSH keys, connection strings). A compromised domain controller holds the NTDS.dit — every domain password. The blast radius multiplies by the number of accessible credentials: if the compromised workstation has cached credentials for 3 users (the primary user plus 2 IT admins who logged in for support), all 3 accounts are potentially compromised.

What can those credentials access? Map each credential to its scope. A standard user reaches their mailbox, OneDrive, and shared resources. An IT administrator reaches all servers they manage, admin portals, and potentially Azure subscriptions. A domain admin reaches everything in the AD domain — every user, every server, every workstation. A Global Admin reaches everything in the Entra ID tenant and all M365 workloads. A service account reaches the specific services it connects to: database, application, API, or backup infrastructure.

The scope mapping reveals cascading risk. At NE, the svc-dbadmin service account reaches the MySQL customer database on SRV-NGE-BRS-DB01 — 85,000 PII records, GDPR-scoped. That single credential transforms a Tier 3 workstation compromise into a Tier 1 regulatory event. Similarly, the svc-backup account that appeared in the cached credential enumeration has read access to every server's backup share — compromising that account gives the attacker access to backup copies of every database, every configuration file, and every credential store in the organization.

What network segments can this system reach? A compromised system on a flat network reaches every other system. Behind proper segmentation, it reaches only its segment. The DeviceNetworkEvents query from the environment snapshot answers this in seconds.

What data is at risk, and what regulatory obligations apply? Map the accessible data to regulatory categories: customer PII triggers GDPR Article 33 (72-hour notification), financial data may trigger fraud reporting, intellectual property has no GDPR trigger but is business-critical. The data classification determines whether the incident requires DPO notification and regulatory reporting.

The blast radius assessment output feeds directly into three downstream decisions: the triage report scope section (Section 0.9), the regulatory notification assessment (Section 0.6), and the investigation team's initial scope definition. At NE, the blast radius assessment for the CHAIN-DRIFT attack on SRV-NGE-BRS-DB01 revealed: svc-dbadmin credentials (MySQL access to 85,000 PII records), /etc/shadow contents (credential reuse risk across 12 Linux servers on the same segment), and an SSH key for the CI/CD deployment pipeline.

A single compromised server created exposure across the customer database, the server fleet, and the software supply chain — none of which would have been apparent from triaging the initial SSH brute force alert in isolation.

The escalation decision framework

Not every confirmed true positive requires immediate escalation. The triage responder must determine: does this incident need the full investigation team now, or can it be contained and queued for next-business-day investigation?

Immediate escalation criteria — these are the conditions that justify waking people at 03:00. Tier 1 asset compromised (domain controller, Global Admin, Entra Connect server, database with PII). Active data exfiltration in progress — large outbound transfers detected in network logs. Ransomware indicators — encryption in progress, shadow copy deletion, ransom note deployment. Cross-environment attack chain confirmed where the blast radius is actively expanding.

Any incident where containment cannot be completed without additional expertise — the attacker is re-establishing access as fast as the responder removes it.

Standard escalation criteria — investigation begins next business day. Tier 2 or Tier 3 asset compromised with containment successful. Credential compromise without confirmed lateral movement — password reset plus MFA enforcement contains the immediate risk. BEC attempt detected but not yet executed — the fraudulent email was sent but finance has not acted on it. Cryptominer on a non-production system — contained, no data exposure, no regulatory trigger.

The escalation decision must be documented in the triage report with explicit justification. "Escalation: IMMEDIATE — Tier 1 asset (database server with 85,000 PII records) confirmed compromised. Active C2 channel detected. GDPR Article 33 triggered." This justification enables the investigation team lead to understand the urgency and to validate the escalation decision during the post-incident review. At NE, the escalation matrix assigns: Tier 1 pages the on-call IR analyst and notifies the CISO.

Tier 2 pages the on-call IR analyst without CISO notification until investigation confirms scope. Tier 3 queues for the next available analyst during business hours.

# List all accounts that have logged into this system
# Each cached profile = a credential the attacker can potentially extract
Get-CimInstance Win32_UserProfile |
    Where-Object { -not $_.Special } |
    Select-Object LocalPath,
        @{N='LastUse';E={$_.LastUseTime}},
        @{N='SID';E={$_.SID}},
        @{N='Account';E={
            (New-Object System.Security.Principal.SecurityIdentifier(
                $_.SID)).Translate(
                [System.Security.Principal.NTAccount]).Value
        }} |
    Sort-Object LastUse -Descending

This query reveals every account that has logged into the compromised endpoint. Each profile represents a credential the attacker can potentially extract from cached hashes. At NE, DESKTOP-NGE042 showed profiles for j.morrison (engineering manager), t.chen (IT support who logged in to troubleshoot a printer issue last month), and svc-backup (a service account used for nightly backups). Three compromised credentials, three different access scopes — and the svc-backup account has access to every server's backup share, expanding the blast radius to the entire server fleet.