Author Archive: Security Labs

BlueHatIL 2019 its a wrap!

So, this year I had the opportunity to participate in Microsofts conference  BlueHatIL in Tel Aviv, it’s a two day event that is packed with 18 sessions and other activities, this year you could team up in building Zumo Boats in this amazing Maker Studio. Outside of that there was a CTF Challenge to get into a secret room and in there the CTF Continued.All sessions got their own poster that where available to get for delagates but they where also part of the amosphere in the venue where they here put on walls and places around the venue.

 

Day 1

The AMDFlaws Story: Technical Deep Dive

To Kick off day one  Ido Li On and Uri Farkas took us through their research on flaws, they had over 8 months and 7 engineers researched the platform and found 13 vulnerabilities. One of them was related to the PSP Controller. As the found out issues with how the firmware was signed they where able to patch the Firmware and get their code in there and more or less Game Over. For those of you who don’t know the PSP it’s the Platform Security Processor and it controls many things early on. So, with this they could actually bypass features like Credential Guard as they had ownership of the components. On stage they demoed a custom version of Mimikatz where they where able to extract Credentials from a machine running Credential Guard.

 

Supply Chain Security: “If I were a Nation State…”

To follow up on this intro Andrew “bunnie” Huang had a great session on Supply Chain Security. The session gave examples of different Supply Chain Attacks either by replacing components, implanting new components in the hardware and a very thorough example of different technicies to do this. Bunnie showed several x-ray pictures on how hard this could be to detect, and some are more or less impossible to spot with the your bare eye.

Here is a simple example of Memory Cards he had analyzed showing Memory Cards with different chips on them from the same vendor, some of them didn’t behave like expected 😉. Possible Supply Chain Attack from a Nation State?

So, with that said, what components do you have in your equipment? Vendor approved, or Nation State approved.

After a a busy lunch with great food and some more work on the CTF it was time to listen to Benjamin Delpy and Ulf Frisk among others.

You (dis)liked mimikatz? Wait for kekeo

The man the myth the MimiKatz had a session on his tool Kekeo where he showed many cool features to impersonate users and how to exploit Kerberos. Some of the explotation included impersonation of users using smartcards, Changing password of a user without knowing the old password etc. A very good session with lots of humor and good insights on his tool Kekeo and Kerberos.

You can find the tools here https://github.com/gentilkiwi

 

Practical Uses for Hardware-assisted Memory Visualization

As far as I am aware I was the only Swedish delegate on BlueHatIL except for the speaker Ulf Frisk, I had a chance to sit down and talk to Ulf, its always nice to run into other Swedish people in the Security Community. Ulf has over the years built his tool PCILeech a open source tool to read and write System Memory on remote devices. This is something that is done over PCIe. During BlueHatIL he presented some new features where you remotely over the network could read and write to the System Memory on the remote machine. Some really scary and awesome stuff.

You can read some really amazing blog postes on DMA at Ulfs Blog http://blog.frizk.net/

Keynote – Offenses in Cyber Offense

The day ended with a Moderated Keynote with Citizen Lab and Associated Press on some of the recent cases of cyber espionage on citizens and public persons. Also a very loaded session with accusations flying back and forth on Nation State attacks.If you want to read up more on some of the reports Citizen Lab has produced you can find them here. https://citizenlab.ca/category/research-news/reports-briefings/.  Some of their research covers the “Pegasus” Spyware that an Israeli company is selling to Nation States and others.

Source: https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/

Day 2

Keynote -Modern Day Hypnosis: Weaponizing Data to Influence the Public

After a brief Microsoft Intro, the Day two Keynote started with Christopher Wylie also know as the Cambridge Analytica Whistleblower in a moderated session on how Weaponizing of Data Can influence the Public.

A session where he explained how data is used to manipulate the public and how its used to target individuals and influence and build “bubbles”. Very interesting but became very political from time to time. A lesson i learnt here is that these bubbles are used way beyond Online but also flow down and are used to form offline influencing “bubbles”.

No Code No Crime: UPnP as an Off-the-Shelf Attacker’s Toolkit

x0rz showed some of his reasearch on UPnP, still in 2019 there are many devices out there that have UPnP available against the internet. An easy search on Shodan will give you thousands of devices that you remotely can control and trigger port openings on routers. And by doing this you could control the device to allow traffic in to the local LAN and you could even open up a session and establish your TCP IP Session and then close the port again so when someone checks for open ports they will not see any open ports but they could possibly have an TCP Session going through their router without their knowledge. Most of the devices where geographically in Asia but quite some devices in Europe still. Personally I think its very sad to see that this is still out there as vulnerabilities and risks around UPnP has been known for years, but still fascinating.

PE-sieve: An Open-Source Process Scanner for Hunting and Unpacking Malware

In the session on PE-sieve Hasherezade showed how her tool could help in Malware Analysis and gave some helping guidance on how to use the tool. Simply the tool unpacks Malware and analysis changes to the system and gives you a summary of the changes and the files its

So if you are into Malware Analysis you can find the great tool here https://github.com/hasherezade/pe-sieve/

Maker Studio

And what an impressive makerstudio, 3D Printers, Laser Cutting Machines, Tooling, Printers, Sewing Machines, Molding Machines. Electronics, Engines etc, basically everything you needed to make an awesome custom zumo boat to win the battle. A great activity, I saw many people team up and do 3D Cad Drawings, Code Arduino and build some really cool boats to win the battle.

Image may contain: one or more people, people sitting and indoor

Image may contain: indoor

Image may contain: one or more people

 

 

Wrap

So, to wrap it up, a great conference, great atmosphere the prep of everything was so cool and yeah finally the secret Casino Room was just so awesome! In other words, I hooked up with a guy Yitai and we completed the first part of the CTF that as to gather information from some QR Codes and then decrypted the code to get to a webpage where you could find the next steps in the CTF that I unfortunately didn’t have time to play more more on.

Big shout out to the Team that made it possible and by the way don’t miss BlueHat in Shanghai in May! My biggest take away for the week is humbleness, there is still so much to learn in different areas. When talking security you just need to expect unexpected things,  things you think are impossible are very often possible. I have worked over 20 years in IT and Security and to be successful I would say you need curiosity, a mind that is thinking out of the box, allot of time and stubbornness is also some good things to put in the mix. And at last enjoy and have fun of what you are doing.

You can find more info on the Event at www.bluehatil.com or following and reading up on the twitter hashtag #bluehatil and why not watch the official aftermovie below.

Problems with self-encrypting drives

Microsoft has published ADV180028

The advisory explains the recently discovered vulnerabilities for self-encrypting drives. SED’s means that the drive is encrypted using the hardware instead of software only encryption provided by BitLocker Drive Encryption™.

The vulnerability was discovered by Carlo Meijer and Bernard van Gastel from the Radboud University in the Netherlands.

Verify encryption method using Powershell

Get-BitLockerVolume | select encryptionmethod,mountpoint,VolumeType

bitlocker

In this example, the device is not vulnerable since hardware encryption is not present.

This code smippet will return if the machine is vulnerable or not (compliant $true) (vulnerable $false) based on encryption method which can be used with SCCM to get an overview in larger Environments.
$BitlockerVolume = Get-BitLockerVolume | select encryptionmethod,mountpoint,VolumeType,ProtectionStatus |? { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

switch ($BitlockerVolume.encryptionmethod) {
Aes128 { $true }
Aes256 { $true }
Aes128Diffuser { $true }
Aes256Diffuser { $true }
XtsAes128 { $true }
XtsAes256 { $true }
Default { $false }
}

This work was done together with Jörgen Nilsson (https://ccmexec.com) who has a detailed post about this and how to use SCCM to get the current status of compliant devices which is linked to below. He also provided a cab-fil which can be imported

Bitlocker Compliance using SCCM including Hardware encryption check

SEC-LABS recognized at August 2018 Security Researcher’s list at MSRC

msrc
The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.

 

Both Stefan Schörling and Mattias Borg from SEC-LABS R&D is recognized at the Microsoft Security Response Center security researchers list for August 2018.

This was due to a vulnerability discovered with Johan Dahlbom and was reported to Microsoft.

We would like to give our appreciation to the MSRC team and it was a pleasure working with you to resolve this issue!

The list can be found here:
https://www.microsoft.com/en-us/msrc/researcher-acknowledgments-online-services

New features added to WD ATP

In the September release one of our most wanted features was added to WD ATP preview, Custom detection with scheduled queries.

This means that you can now develop your own hunting queries and run them every day automatically.

For this example we created a query to find a simple reverse shell from a Linux machine which runs Ziften.

Next step is to create a detection rule for the Query

detection rule

You can add Alert Title, Severity, Category, Description and Recommended actions.

It will be good if you add some details in the recommended actions if someone else will take action on the alert, or at least add a pointer to where they can find further information on requred actions. (Information sharing is important).

It’s possible to change this infomation later on.

detection rule page

On the Detection Rule page you can see the alerts and other information regards the detection rule.

All the rules will be listed at the left side in the hunting section.

custom detection

For further infomation about the new preview features please go to this url:

https://techcommunity.microsoft.com/t5/What-s-New/WDATP-September-2018-preview-features-are-out/m-p/242254#M95

Happy hunting!

/Sec-Labs

6000+ sites are still leaking sensitive WordPress config files

Well, this isn’t anything new, not at all!

Google Hacking Database has been around for a long time.

We started to dig into WordPress config files and realized that it’s very common to create a backup of your config file, which is not a bad idea.

This config file contains the base configuration of a wordpress installation like Database Connection (user name, password, ost) and other sensitive information.

Example

config

What’s really bad is that some admins seems to store the file in the web root and changed the extension to txt will will be read in the browser.

If we change the file extension to .txt it will be managed by the web server/php interpreter as any other txt file and present the content to the user.

So if we look at one part that exists in the WordPress config file.
“define(‘AUTH_KEY’, ‘” and we also have some other phrases like “wp-config.php”.

If you want an idea of how bad it is we can let google sort that out for us using some search operands available.
Since google knows the content of all files it has indexed which are most of them we just search for the content using “intext:” and filter on txt files using “filetype:”

intext:define(‘AUTH_KEY’, ‘ wp-config.php filetype:txt

The result shows about 6000+ results (and probably some false positives in the results).

ghdb

This file is not something that would be read by the user and you should not be able to download the php file either ;).

What you need to do

  • Don’t place sensitive files in the web root that doens’t have to be there
  • Configure permissions
  • Definitely don’t place backup files in the webroot, in case you don’t have to temporarily to reinstall a web application but otherwise, keep them away from the internet

System Center User Group – Clients days 2018

System Center User Group Sweden (SCUGSE) Client Days, a 2 day event with many interresting sessions.

Date:
October 8th
October 9th

Location:
Microsoft Office – Stockholm
Finlandsgatan 36
36 Finlandsgatan
164 74 Akalla

On this 10 years celebration of SCUGSE, David James from the Config Manager product team will come to Sweden and present.

Description

Agenda (as per June 28th)

Day 1

  • 0815 – Doors Open
  • 0900 – 0915 – Welcome – Jörgen & Stefan
  • 0915 – 1015 – State of the union – David James
  • 1015 – 1030 – Break / Networking
  • 1030 – 1115 – TBA – David James
  • 1115 – 1130 – Break / Networking
  • 1130 – 1215 – What’s new from Ignite! – Stefan Schörling / TBA
  • 1215 – 1300 – Lunch
  • 1300 – 1330 – Sponsor Session – TBA
  • 1330 – 1345 – Break / Networking
  • 1345 – 1430 – TBA – David James
  • 1430 – 1445 – Break / Networking
  • 1445 – 1530 – TBA – TBA
  • 1530 – 1615 – Q&A DJAM and Speakers

Day 2

  • 0815 – Doors Open
  • 0900 – 1000 – Windows 10 as a Service, the good the bad and the ugly – Stefan Schörling / Jörgen Nilsson
  • 1000 – 1015 – Break / Networking
  • 1015 – 1100 – Managing and Securing Web browsers in Windows 10 – Jörgen Nilsson
  • 1100 – 1115 – Break / Networking
  • 1115 – 1215 – From the Community – TBA
  • 1215 – 1300 – Lunch
  • 1300 – 1330 – Sponsor Session – Lookout
  • 1330 – 1345 – Break / Networking
  • 1345 – 1430 – What’s new in Windows 10 1809 – TBA
  • 1430 – 1445 – Break / Networking
  • 1445 – 1545 – Advanced Windows 10 Deployment Tricks “TS End2End” – Nickolaj A
  • 1545 – 1600 – Closing and Price Drawings

OBS! Genom att anmäla mig binder jag mig till en no-show avgift på 500kr om jag anmäler mig till en fri-biljett och inte kommer på eventet. Jag godkänner även att mina uppgifter kan även komma att delas med sponsorerna.

THE EVENT WILL BE HELD IN SWEDISH FOR THE MAJORITY OF OUR SESSIONS EXCEPT FOR OUR INTERNATINAL SPEAKERS

For tickets and further information, please visit:
https://www.eventbrite.com/e/scugse-klientdagarna-oktober-2018-tickets-47148736139

SCUG SE on Facebook:
https://www.facebook.com/groups/241438124169/

 

 

Working with Roles in Windows Defender ATP

As with everything else we want to apply a least privilege access.

If you need permission to do X you should only have access to do X and not several other things.

That’s why you should define the roles and reponsibilities in your organization to make sure you can apply a least privilege strategy.

Many products supports RBAC and should be used.

Working with Roles in Windows Defender ATP is very simple. You can enable it in Settings menu.

Settings > Roles > Enable Roles

enableRoles

The Global administrator role is added by default and have full permissions which can’t be changed.

Creating Roles

It’s not a bad idea to create a few roles, even if it’s just ju who are the complete security team. One reason is organizational changes and one important reason is that we don’t want people to work as global administrators.

Create Role

In Settings > Permissions > Roles > Add Role

createrole

Assign Azure AD group to the role

aadgroups

 

One example of roles setup could be:

  • Viewonly – For managers, able to view data
  • ATP-Users – Teams working with ATP, run scans, threat remediation etc
  • ATP-Administrators – ATP Admins, change settings and manage security roles

Depending on your organization you might need more defined roles list.

Here is the permission list and sub items is what will be granted more specific to the role.

  • View Data
    • View Data
  • Alerts investigation
    • Manage alerts
    • Initiate automated investigations
    • Run scans
    • Collect investigation packages
    • Manage machine tags
  • Active remediation actions
    • Take responsive actions
    • Approve or dismiss pending remediation actions
  • Manage security settings
    • Configure alert suppression settings
    • Manage allowed/blocked lists for automation
    • Manage folder exclusions for automated (applies globally)
    • Onboard and offboard machines
    • Manage email notifications

Working with Machine Groups

To be able to separate duties even further and configure different automatic remediation rules for different Machines we have the Machine Groups features.

Machine Groups is a way to group onaboarded Machines based on Name, Domain, Machine Tag and Operating System.

machinegroup

When using the “Show preview” at the bottom of the configuration page, you can see which onboarded machines will added to the Group.

You can select automation level

  • Semi – Require approval for any remediation
  • Semi – Require approval for non-temp folders remediation
  • Semi – Require approval for core folders remediation
  • Full – Remediate threats automatically

And you can assign a Azure AD userg group with roles to the machine group

mg_usergroup

The Groups, depending on how you defined group membership rules, will be populated automatically.

change_preview

more information about Machine Groups can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection

more information about RBAC in WD ATP can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection

Happy Hunting!

/Sec-Labs R&D

 

 

 

Threat Hunting with Windows Defender ATP

A while ago Microsoft released the Threat Hunting capatibilities in WD ATP.

This is a great feature since you’re able to query a lot of things across your devices.

Example scenario:

Let’s say you receive IoC’s for an ongoing attack or investigate threat actors with known files or IP’s you can Query these IoC’s on both on-prem devices and devices which only exists on the internet and never in the office.

That’s one of the benefits of using cloud security services.

As we wrote in the last post it’s now possible to onboard older operating systems like Windows 7 and Windows 8.1. There is also possible to onboard Linux systems and Macs

linux_mac_atp

Threat Hunting

hunting_atp

The hunting capatibilities in WD ATP involves running queries and you’re able to query almost everything which can happen in the Operating System.

If you’re familiar with Sysinternals Sysmon your will recognize the a lot of the data which you can query.

 

AlertEvents
AlertId, EventTime, MachineId, ComputerName, Severity, Category, Title, ActionType, FileName, SHA1, RemoteUrl, RemoteIP, ReportId

MachineInfo
EventTime, MachineId, ComputerName, ClientVersion, PublicIP, OSArchitecture, OSPlatform, OSBuild, IsAzureADJoined, LoggedOnUsers, MachineGroup, ReportId,

ProcessCreationEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, ProcessId, ProcessCommandLine, ProcessIntegrityLevel, ProcessTokenElevation, ProcessCreationTime, AccountDomain, AccountName, AccountSid, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

NetworkCommunicationEvents
EventTime, MachineId, ComputerName, ActionType, RemoteIP, RemotePort, RemoteUrl, LocalIP, LocalPort, LocalIPType, RemoteIPType, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessParentCreationTime, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, ReportId

FileCreationEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessMD5, InitiatingProcessSHA1, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

RegistryEvents
EventTime, MachineId, ComputerName, ActionType, RegistryKey, RegistryValueType, RegistryValueName, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, ReportId

LogonEvents
EventTime, MachineId, ComputerName, ActionType, AccountDomain, AccountName, AccountSid, LogonType, ReportId

ImageLoadEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

MiscEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5, AccountDomain, AccountName, AccountSid, RemoteUrl, RemoteComputerName, ProcessCreationTime, ProcessTokenElevation, LogonId, RegistryKey, RegistryValueName, RegistryValueData, RemoteIP, RemotePort, LocalIP, LocalPort, FileOriginUrl, FileOriginIP, AdditionalFields, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, InitiatingProcessMD5, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessLogonId, ReportId

The query language is very similar to Splunk and adoption to these queries should be straight forward

ProcessCreationEvents
| where EventTime > ago(30d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "Invoke-Mimikatz"
or ProcessCommandLine has "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime

Use “Project” to select which columns you want in the output and you can export the result to a spreadsheet.

output

In the above example we ran a query to find malicious powershell commands being executed.

You can also, for example, query all powershell executions from Office applications

ProcessCreationEvents
| where EventTime > ago(14d)
| where ProcessCommandLine has "powershell"
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpoint.exe")

You can also use the quick search to finns URL’s, File hashes, IPs

quick search

The output will show you hits in organization and prevalance world wide which will give you more indication of a threat.

When we search for a filehash we can also submit the file for deeper analysis.

Microsoft has a Github repositories to help you with example queries

https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries

Sharing Queries

When working in a team it’s a good idea to share your queries to let your colleagues to use your hunting queries.

sharing_queries

The language reference is available here
https://docs.loganalytics.io/docs/Language-Reference/

 

Happy Hunting!

 

/Sec-Labs R&D

Onboarding older Windows Versions to WD ATP

Today Microsoft announced  that it’s now possible to onboard older legacy operatingsystems to ATP (Advanced Threat Protection) when the public preview that is available.

  • Windows 7 SP1 Enterprise
  • Windows 7 SP1 Pro
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise

Even though we Always recommend using the latest versions there might be scenarios where you need the advanced detection and response capatibilities and  of ATP and it’s not possible to upgrade the machines.

The difference between Windows 10 and the older versions is that is not built-in and you have to install an Microsoft Monitoring agent which will connect to your workspace and report the sensor data.

Installing the agent

64-bit agent is available here:
https://go.microsoft.com/fwlink/?LinkId=828603

32-bit agent is available here:
https://go.microsoft.com/fwlink/?LinkId=828604

When you have downloaded the setup file you extract it using “/c” parameter

Install command
setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1

The workspace ID and Key is available in your ATP Portal https://securitycenter.windows.com

 

The clients will connect to the service using HTTPS and can be a direct connection or through a proxy or OMS gateway.

Agent Resource Ports
*.oms.opinsights.azure.com 443
*.blob.core.windows.net 443
*.azure-automation.net 443
*.ods.opinsights.azure.com 443
winatp-gw-cus.microsoft.com 443
winatp-gw-eus.microsoft.com 443
winatp-gw-neu.microsoft.com 443
winatp-gw-weu.microsoft.com 443
winatp-gw-uks.microsoft.com 443
winatp-gw-ukw.microsoft.com 443

 

When your clients are configured you should start seeing them in the ATP console

As you may have noticed there’s a link to Azure ATP alerts where you can dig further on advanced attacks in your environment.

On the following link you can find more information about onboarding older Windows Versions to Defender ATP
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection

Happy Hunting

 

/SEC-LABS R&D

 

 

Controlling Auto Forward Rules of Emails to avoid data leakage

Email Forwarding is a challenge when it comes to modern attacks, and it was recently used as one of the tools in a crimecase in Sweden. Basically the attackers forwarded all emails from the victims to themselves to be able to track the victims very easily and to gain insights and data for social engineering attacks. Multifactor auth via e-mail or password reset links where obtained and could easly be used to manipulate and gain access.

Email forwarding can be created in Outlook or the the web application (OWA) by the users or an attacker with access to a user account.

The solution for this is very easy.
You can block email forwarding and redirects in general and allow it where it’s necessary (if you do have that scenario).

Block autoforward domain wide for Office 365 using PowerShell:

Set-RemoteDomain Default -AutoForwardEnabled $false

It is possible to configure this on a per domain basis.
For instance, if you need to allow forward to specific domain.

To view all forwarding rules today both on-prem and cloud you can use the following script.
The only difference is the connection part.

View the Rules

Function Get-AutoForwardRules
{
foreach ($a in (Get-Mailbox -ResultSize Unlimited |select PrimarySMTPAddress))
{
Get-InboxRule -Mailbox $a.PrimarySMTPAddress |
?{($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.DeleteMessage -eq $true) -or ($_.RedirectTo -ne $null)} |
select Name,Identity,ForwardTo,ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
}

#Example

Get-AutoForwardRules

To get the PowerShell module for office 365 which supports MFA.

Download the PowerShell Module (available in the 365 admin portal)

Connect using: Connect-EXOPSSession -UserPrincipalName user@example.com

Security Features in Office 365

Depending on your Office 365 Subscription you might get a warning email when someone tries to define a forwarding rule

 

This is an example for Exchange Online

$Mailboxes = Get-Mailbox -ResultSize "Unlimited"
$Count = 1
ForEach ($Mailbox in $Mailboxes)
{
Write-Progress -Activity "Checking inboxrules..." -Status "User $($Mailbox.PrimarySmtpAddress) ($count/$($Mailboxes.count))" -PercentComplete ($Count / $Mailboxes.count*100)
$MailboxWithRule = Get-InboxRule -Mailbox $Mailbox.Alias | Where-Object {($_.RedirectTo -ne $null) -and ($_.ForwardTo -ne $null) -and ($_.ForwardAsAttachmentTo -ne $null)}
if ($MailboxWithRule -ne $Null) {
Write-Host "Mailbox $($Mailbox.PrimarySmtpAddress) has these rulez:" $MailboxWithRule |
fl Name, Identity, RedirectTo, ForwardTo, ForwardAsAttachmentTo
}
$count++
}