Author Archive: Security Labs

Hunting for MiniNt security audit block in registry

Another day in the Advanced Hunting feature.

I was told about a twitter post which explained it’s possible to block Security events from being created.

If the following key is added:
HKLM\System\CurrentControlSet\Control\MiniNt

Event Viewer after the registry key was added and after a reboot

Since it’s registry we have a lot of data to query in the Defender ATP portal (https://securitycenter.windows.com)

The Hunting query will be as follows

// Mattias Borg
// @mattiasborg82
RegistryEvents 
| where (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") or
        (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MiniNt")
| sort by EventTime desc
| project EventTime, ComputerName, RegistryKey, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessSHA1

This is the initial hunting query and might be changed to avoid False-Positives if there are any.

To be able to create a custom detection rule we need to add “MachineId” and “ReportId” to the output.

// Mattias Borg
// @mattiasborg82
RegistryEvents 
| where (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") or
        (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MiniNt")
| sort by EventTime desc
| project EventTime, ComputerName, RegistryKey, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessSHA1, MachineId, ReportId 

Click on “Create a detection rule”

create detection rule

Fill in the form and select your preferred actions

defender atp custom rule

Happy Hunting!

Azure Sentinel is now GA

Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available

azure sentinel

Some of the new features are:

  • Workbooks are replacing dashboards, providing for richer analytics and visualizations
  • New Microsoft and 3rd party connectors

Detection and hunting:

  • Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
  • Easy elevation of MTP alerts to Sentinel incidents.
  • Built-in detection rules utilizing the threat intelligence connector.
  • New ML models to discover malicious SSH access, fuse identity, and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI
  • Template playbooks now available on Github.
  • New threat hunting queries and libraries for Jupyter Notebooks

Incidents:

  • The interactive investigation graph is now publicly available.
  • Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.

MSSP and enterprise support:

  • Azure Lighthouse for multi-tenant management
  • RBAC support

For further information:

Pricing: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/
Product page: https://azure.microsoft.com/en-us/services/azure-sentinel/
Documentation: https://docs.microsoft.com/en-us/azure/sentinel/

Happy Hunting

Gartner EPP Magic quadrant 2019 – Defender in the leading quadrant

gartnereppmq2019

The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide extremely powerfull Endpoint protection platform (EPP).
Microsoft is named a leader!

With built-in powerful capability which ties to Protect, Detect and respond, they have given us great tools for our security work.

Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Window 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.

Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.

The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP,
Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.

Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.

Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.

In addition, excellent execution on its roadmap make it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.

Gartner

The benefit of the insights and protection these tools, and ability to use built-in SOAR capabilities, gives security teams around the globe a better and much faster understanding of the attacks for much fast response.

Many features like Exploit Protection, Network Protection, Attack Surface reduction, Firewall and more will provide a more reliable platform which is easy to manage.

The enriched alerts and incidents gives security teams a chance to put their effort to the critical incidents and avoid spending time trying to fight the noice in all different tools and manual tasks.

Automated investigations

Build your playbooks

Take back the control with live response

We also have the threat and vulnerability management feature which gives you visibility on vulnerable software in your estate

Threat hunting

Full gartner report:
https://www.gartner.com/doc/reprints?id=1-1OCBC1P5&ct=190731&st=sb&fbclid=IwAR3G9Otpxuc52bi0hpFE4-iGv8uhvgnxtSl0boqAU7-R4aw5MyLsuyy0fLg

Congratulations Microsoft, we’re looking forward for all coming features

Happy Hunting!

Using WDATP Network Block

When working with Incident Response you from time to time find artifacts that you need to block, IP Addresses or specific URLs. Instead of doing this on the proxies or firewalls its often more efficient to do this on the endpoint level to catch roaming machines where ever they are. In some cases you also work with other TI vendors and get IPs and URLs you want to block and build automation around. This feature is currently in preview

So, with WDATP you can now block or allow IPs and Urls.

For this feature to work you need to have some prerequisites

  • Windows 10 1709 Pro, E3/E5 or Edu
  • Windows Defender Network Protection
  • Windows Defender AV
  • Cloud Delivered Protection Enabled

It’s possible to enable Network Protection in several ways

  • PowerShell
  • Group Policy
  • System Center Configuration Manager
  • Intune / MDM

For detailed steps for each method

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection

In our case we will just leverage PowerShell. To set and verify its configured

Set-MpPreference -EnableNetworkProtection Enabled

Get-MpPreference | fl

Once you have prepared the endpoint you can go to the  MDATP Portal and add your IPs/URLs

  1. Navigate to Settings > Rules > Indicators.
  2. Select the IP Address tab to view the list of IP’s.
  3. Select the URLs/Domains to view the list of URLs/domains.

In this tutorial we will Add a URL but the same procedure would apply for an IP.

1. Click on Add Indicator

2. Enter a url and select if you want the block to expire

3. Add an Action as you like and descriptive texts as you want to have with your alerts. In this case we want to block and get an alert for this.

4. Select Scope, in this case we will select all machines but if you have built a structure with Machine Groups you can select to target specific machine groups where this will apply.

5. On the Summary screen click Save.

Note: from entering an IP/URL it can take some time for it to propagate to the endpoints and when it comes to removal it may even take a bit longer.

So when this has propagated to the endpoints we can test it out and see how this looks on the endpoint.

When browsing to the URL the end user will be notified about that something is blocked with a toast notification and an event log entry will also be logged.

If you want to customize the toast notifications for Windows Defender you can do that with updated group policy templates more information on that here. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications

To create a custom view in event viewer use this url reference.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard

In our case an alert will also be triggered in in the MDATP console as well where we can continue our investigation. I hope this gave a little valuable insight on this feature.

MDATP Investigation behind forward proxy

There are still many companies using forward proxies and when analyzing traffic from endpoints this can be a bit challenging. This due to that the client connects to the forward proxy instead of the public endpoint like http://blog.sec-labs.com.

So instead of the public endpoint you would see that the process is connecting to the proxy.

Microsoft have engineers around this and by enabling the Network Protection feature in either Audit Mode or Block mode you can now see the public endpoint the process is actually communicating with behind the forward proxy.

Events that is coming from this type of detection is flagged with the a “NetworkProtection” tag.

If you want to use thees events generated when you do Hunting they are found under Network CommunicationEvents and if you know your proxy ip address you can get everything that has gone via the proxy with the following query.

NetworkCommunicationEvents

| where ActionType == “ConnectionSuccess” and RemoteIP != “ProxyIP” 

If you want to enable Network Protection the below link will guide you through the different ways you can enable it. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection

Happy Hunting

MDATP Long Term Retention with Azure Storage Account

 Microsoft Defender ATP is a great tool for enhancing your Detection capabilities and once you find incidents you can work with the Hunting capabilities we have blogged about earlier. The challenge we often face is that the Hunting Data is only available for 30 days so if you need to go back further that data is not available.

Microsoft is now introducing two new built-in methods of storing that data for longer than 30 days, currently in preview

  • Azure Storage Account
  • Azure Event Hub

And from these you can then access the data and do what you like with it.

In this blog we will walk you through how you can set these up the Storage Account integration.

Storage Account Integration

Azure Portal

So first off let’s start with setting up a Storage Account in the Azure Portal

1. Create a storage account

This image has an empty alt attribute

2. Select your Subscription and Resource Group if you have one or create it.

3. Give your storage account a name and select your desired storage settings.

4. Configure Advanced settings as you need. In my case I used the defaults.

5. Add Tags if you are using it and review the settings and complete the creation, Let the creation complete and go to the newly created storage account.

6. To configure the integration we need to get our resource ID so open properties of the Storage Account and copy the resource ID information.

Resource Provider and onboarding consent

We also need to make sure we have microsoft.insights registered as a resource provider you can configure that this way.

1. In the Azure Portal, go to – Subscriptions > Your subscription > Resource Provider

2. On the microsoft.insights recourse provider click register if its not already registered.

This image has an empty alt attribute

3. A Tenant Admin has also to give concent to the onboarding application. you can do this by clicking on the follwoing link and logging on with the desired Tenant rights. https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=88cfeabb-510d-4c0d-8358-3d1929c8d828&response_type=code&sso_reload=true

Now we can move to the security center portal and continue configuring the integration.

MDATP Portal

In the MDATP Console go to

1. Interoperability > Data Export Settings

2. Click on Add data export settings

The wizard to export data will show up and here we have a few options.

1. Give it a Name

2. We need to have the Storage Account Resource ID from our Storage account which we stood up in the earlier steps. It can be found under properties on the storage account in the Azure Portal.

3. Check the Event Types you want to Store in your Storage Account

4. Click Save

Once you have saved Events will start being sent to your Storage Account and if you browse the blob in the Azure Portal you will see the different events categories.

If you click through one of them you will see that they are stored in an order of “tenantid\year\month\date\hour\minute\”

The schema of the JSON files is build in the following structure

{

           {

                    “time”: ” <The time WDATP received the event>

                    “tenantId”: ”  <Your tenant ID>

                    “category”: ” <The Advanced Hunting table name with ‘AdvancedHunting-‘ prefix>

                    “properties”: { <WDATP Advanced Hunting event as Json> }

            }               

}

Advanced Hunting – Defender ATP – Squirrel

When working with Advanced Hunting in Defender ATP, you tend to always want to update your queries as you learn. You will probably also notice that sometimes your query wasn’t broad enough or all information was not available at the time. And sometimes you just want to make it look better for others to use in a shared environment.

We have updated the Squirrel hunting query to adjust to more parameters which can be used. we simple remove the check for a parameter and focus on the http part instead.

There are also some legit domains which are used by some of the applications, slack and discord to mention some of them.

ProcessCreationEvents
| where (ProcessCommandLine has "update.exe") or (ProcessCommandLine has "squirrel.exe")
| where (ProcessCommandLine contains "http")
| extend URL=extract(@"((http:|https:)+[^\s]+[\w])", 1, ProcessCommandLine)
| where URL !in ("https://slack.com/desktop/update/windows_x64", "https://discordapp.com/api/updates/stable")
| sort by EventTime desc 
| project EventTime, 
          ComputerName,
          URL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId

Happy Hunting!

Hunt for nuget/Squirrel update vulnerability

A few days ago, a post on medium stated that an arbitrary code execution was possible in Squirrel which affected Teams and other applications which used Squirrel and Nuget for updates.

https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12

In the post, Teams is mentioned as example but other affected application were mentioned on twitter.

So, to see what our environment is up to with regards to this. Our favorite place to go to: Defender ATP – Advanced Hunting!

To explain the query, since there are other apps than teams which uses Squirrel, we aim to keep the query as broad as we can.

Since some applications uses Squirrel and web for updates we can’t simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.

To make it more easy to overview we’re adding the URL to a column

To continue this we can count unique URL’s to find anomalies

Edit: An Updated Query can be found on the link below here http://blog.sec-labs.com/2019/07/advanced-hunting-defender-atp-squirrel/

ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1), 
                       ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1), 
                       "Default")
| where exeURL != "Default"
| sort by EventTime desc 
|project EventTime, 
          ComputerName,
          exeURL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId

Defender Application Control would definitely block this attack and other mitigations in operating system will harden the clients in your environment.

Happy Hunting!

Hunting for USB Rubber Ducky/ Bad USB with ATP

Alright, so we’re here again with a hunting query to help catching some bad people out there.

This hunting started as a discussion with a customer and we figured out we should be able to chain the queries to see what happens after an event to be able to decide if it’s malicious or not.

Just to clear things out:
A USB Rubber Ducky is not something your AV solution would pick up. It’s a keyboard, it’s a preprogrammable keyboard. It exactly the same thing as plugging in a USB keyboard and type, except you’ve already told the keyboard what to type.

The ducky language is very simple as shown in below example

DELAY 3000
gui r
DELAY 100
STRING powershel xxxxxxxx
ENTER

The example will wait for 3 seconds, press win key and “r” and wait for another 100 ms and then type powershell xxxxxxx and then enter

USB rubber ducky

You encode the textfile to a binary and loads it to the flash memory inside (which is read by the rubber ducky, not by the device you connect it to) well you can make some changes to that, but in general and depending how you configure it.

Hunting USB devices

It’s easy to find the PnP event which could be headsets, mass storage devices, keyboards etc.

    MiscEvents
    | where ActionType == "PnpDeviceConnected"
    | extend parsed=parse_json(AdditionalFields)
    | sort by EventTime desc nulls last 
    | project 
        EventTime,
        ComputerName,
        DeviceDescription=tostring(parsed.DeviceDescription),
        ClassName=tostring(parsed.ClassName),
        DeviceId=tostring(parsed.VendorIds),
        VendorIds=tostring(parsed.VendorIds), MachineId , ReportId 

Mass storage devices

MiscEvents
| where ActionType == "PnpDeviceConnected"
| extend ParsedFields=parse_json(AdditionalFields)
| project ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription),
DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), MachineId, ComputerName, EventTime
| where ClassName contains "drive" or ClassName contains "usb"
| where DeviceDescription contains "Mass Storage"

But idea to hunt for duckies is that we want to see what happens after the device load.

  • Device connected
  • Someone executes powershell or cmd within a certain amount of time (10 seconds)

To explain further

We gather all devices where action type is “PnpDeviceConnected” and where the device description is “HID Keyboard Device”

Then we gather process starts which contains powershell or cmd and then we compare the time for the event and only present the ones where the process start happened within 10 seconds after the device load event.

// Hunting for malicious HID Keyboard devices
// PNP Event and Powershell or CMD within 10 seconds after driver load
let MalPnPDevices =
    MiscEvents
    | where ActionType == "PnpDeviceConnected"
    | extend parsed=parse_json(AdditionalFields)
    | sort by EventTime desc nulls last 
    | where parsed.DeviceDescription == "HID Keyboard Device"
    | project PluginTime=EventTime, ComputerName,parsed.ClassName, parsed.DeviceId, parsed.DeviceDescription, AdditionalFields;
ProcessCreationEvents
| where ProcessCommandLine contains "powershell" or
        ProcessCommandLine startswith "cmd" 
| where isnotempty(ProcessCommandLine)         
| project ProcessCommandLine, ComputerName, EventTime, ReportId, MachineId
| join kind=inner MalPnPDevices on ComputerName
| where (EventTime-PluginTime) between (0min..10s)
| where ComputerName == ComputerName1

Of course, the 10 seconds is basically the Delay time. If an attacker sets 11 seconds, we would miss it. But this query would have to be trimmed for your environment.

There is also another thing, as an attacker, you would like to deliver the payload as quick as possible but still want the driver to be able to load.

I usually use between 3-6 seconds as initial payload for my duckies.

happy hunting ATP

You could also chain this with other events, like networkevents to discover network request after a specific event.

Happy Hunting!

Sec-Labs R&D

Custom IOCs in Defender ATP

Working with custom IOC can be done via the UI or script (Powershell or Python).

This post will describe the UI way for creating a custom IOC

Go to settings and in the Rules section click on Allowed/Blocked List

You can create an IOC based on File hash, IP address and URLs/Domains

When creating a new IOC you have the options to Import (more on that later) and a wizard.

We click on the Add indicator text and start by filling in the template.

To get the filehash you can just use powershell “get-filehash” or if you have that information from another system or a list from somewhere.

You can set the Custom date for IOC expiration if you want.

You can at this point look at the impact for this IOC by clicking on the Show statistics which will get the data for that specific ile hash from the last 30 days

From this view you could take action and stop the file if needed depending on the situation.

Click next and add details for response action, alert details etc


Scope the machines to different machine groups

Click save in the summary.

Import IOC

The CSV template is comma separated

IndicatorType,IndicatorValue,ExpirationTime,Action,Severity,Title,Category,Description,RecommendedActions

New alert