Uncategorized

MDATP Long Term Retention with Azure Storage Account

 Microsoft Defender ATP is a great tool for enhancing your Detection capabilities and once you find incidents you can work with the Hunting capabilities we have blogged about earlier. The challenge we often face is that the Hunting Data is only available for 30 days so if you need to go back further that data is not available.

Microsoft is now introducing two new built-in methods of storing that data for longer than 30 days, currently in preview

  • Azure Storage Account
  • Azure Event Hub

And from these you can then access the data and do what you like with it.

In this blog we will walk you through how you can set these up the Storage Account integration.

Storage Account Integration

Azure Portal

So first off let’s start with setting up a Storage Account in the Azure Portal

1. Create a storage account

This image has an empty alt attribute

2. Select your Subscription and Resource Group if you have one or create it.

3. Give your storage account a name and select your desired storage settings.

4. Configure Advanced settings as you need. In my case I used the defaults.

5. Add Tags if you are using it and review the settings and complete the creation, Let the creation complete and go to the newly created storage account.

6. To configure the integration we need to get our resource ID so open properties of the Storage Account and copy the resource ID information.

Resource Provider and onboarding consent

We also need to make sure we have microsoft.insights registered as a resource provider you can configure that this way.

1. In the Azure Portal, go to – Subscriptions > Your subscription > Resource Provider

2. On the microsoft.insights recourse provider click register if its not already registered.

This image has an empty alt attribute

3. A Tenant Admin has also to give concent to the onboarding application. you can do this by clicking on the follwoing link and logging on with the desired Tenant rights. https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=88cfeabb-510d-4c0d-8358-3d1929c8d828&response_type=code&sso_reload=true

Now we can move to the security center portal and continue configuring the integration.

MDATP Portal

In the MDATP Console go to

1. Interoperability > Data Export Settings

2. Click on Add data export settings

The wizard to export data will show up and here we have a few options.

1. Give it a Name

2. We need to have the Storage Account Resource ID from our Storage account which we stood up in the earlier steps. It can be found under properties on the storage account in the Azure Portal.

3. Check the Event Types you want to Store in your Storage Account

4. Click Save

Once you have saved Events will start being sent to your Storage Account and if you browse the blob in the Azure Portal you will see the different events categories.

If you click through one of them you will see that they are stored in an order of “tenantid\year\month\date\hour\minute\”

The schema of the JSON files is build in the following structure

{

           {

                    “time”: ” <The time WDATP received the event>

                    “tenantId”: ”  <Your tenant ID>

                    “category”: ” <The Advanced Hunting table name with ‘AdvancedHunting-‘ prefix>

                    “properties”: { <WDATP Advanced Hunting event as Json> }

            }               

}

Hunt for nuget/Squirrel update vulnerability

A few days ago, a post on medium stated that an arbitrary code execution was possible in Squirrel which affected Teams and other applications which used Squirrel and Nuget for updates.

https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12

In the post, Teams is mentioned as example but other affected application were mentioned on twitter.

So, to see what our environment is up to with regards to this. Our favorite place to go to: Defender ATP – Advanced Hunting!

To explain the query, since there are other apps than teams which uses Squirrel, we aim to keep the query as broad as we can.

Since some applications uses Squirrel and web for updates we can’t simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.

To make it more easy to overview we’re adding the URL to a column

To continue this we can count unique URL’s to find anomalies

Edit: An Updated Query can be found on the link below here http://blog.sec-labs.com/2019/07/advanced-hunting-defender-atp-squirrel/

ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1), 
                       ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1), 
                       "Default")
| where exeURL != "Default"
| sort by EventTime desc 
|project EventTime, 
          ComputerName,
          exeURL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId

Defender Application Control would definitely block this attack and other mitigations in operating system will harden the clients in your environment.

Happy Hunting!

Custom IOCs in Defender ATP

Working with custom IOC can be done via the UI or script (Powershell or Python).

This post will describe the UI way for creating a custom IOC

Go to settings and in the Rules section click on Allowed/Blocked List

You can create an IOC based on File hash, IP address and URLs/Domains

When creating a new IOC you have the options to Import (more on that later) and a wizard.

We click on the Add indicator text and start by filling in the template.

To get the filehash you can just use powershell “get-filehash” or if you have that information from another system or a list from somewhere.

You can set the Custom date for IOC expiration if you want.

You can at this point look at the impact for this IOC by clicking on the Show statistics which will get the data for that specific ile hash from the last 30 days

From this view you could take action and stop the file if needed depending on the situation.

Click next and add details for response action, alert details etc


Scope the machines to different machine groups

Click save in the summary.

Import IOC

The CSV template is comma separated

IndicatorType,IndicatorValue,ExpirationTime,Action,Severity,Title,Category,Description,RecommendedActions

New alert

Hunting Windows Defender Exploit Guard with ATP

Alright, since I happen to be in a blog mode I keep the posts coming.

This post continue to explore the hunting capatibilities in Defender ATP by query for Exploit Guard detections.

So what’s this Exploit Guard?

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities which are built-in with Windows 10, 1709 and newer versions.

Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements

ComponentDetails
Attack Surface Reduction (ASR)A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
Network Protection Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
Controlled Folder AccessProtects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
Exploit ProtectionA set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Example of ASR rules

• Block Office apps from creating executable content
• Block Office apps from launching child process
• Block Office apps from injecting into process
• Block Win32 imports from macro code in Office
• Block obfuscated macro code

Exploit Guard is configured through MDM (Intune) or SCCM or GPO’s or PowerShell.

If you have Microsoft 365 E5 license or Threat Protection license package, you don’t have to use Windows Event Forward to get the events in a central log solution. They will automatically be forwarded to your Microsoft 365 security portal https://security.microsoft.com where you have a nice looking dashboard where you can see alerts and configurations of ASR and other things.

This following dashboard is a part from the Monitor and Report section in the portal

Back to Defender ATP and the hunting which this post was supposed to be all about.

We have published some posts now about hunting custom alerts.

In the query console in Defender ATP we started to go backwards to find the ASR events. It’s simple. configure your client, run a few attacks which will trigger the alerts.

We looked in the MiscEvents for all events (filtered on computername and time). Which gaves us ideas of ActionTypes to use in the query.

Examples from the output:

AsrOfficeMacroWin32ApiCallsAudited
AsrPsexecWmiChildProcessBlocked
ControlledFolderAccessViolationBlocked
ExploitGuardAcgAudited
ExploitGuardChildProcessAudited
ExploitGuardNetworkProtectionBlocked
ExploitGuardNonMicrosoftSignedAudited
ExploitGuardWin32SystemCallBlocked
SmartScreenAppWarning
SmartScreenUrlWarning
SmartScreenUserOverride

Interesting note “SmartScreenUserOverride” is a separate event which you can query

When we had the raw Actiontypes we created the query to cover as much as we could.

//Happy Hunting
MiscEvents 
| where ActionType contains "asr" or
        ActionType contains "Exploit" or
        ActionType contains "SmartScreen" or
        ActionType contains "ControlledFolderAccess"
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc 
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,  
         FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
         JsonOut.IsAudit,JsonOut.Uri,JsonOut.RuleId,JsonOut.ActivityId
         

We are also parsing AdditionalFields to be able to add extra value to events which contained such data.

From this point we can do additional filters. For example, if you want to enable ASR enterprise wide, set them in auditmode and report on the alerts without affect user productivity, remediate and the do a enterprise wide block enrollment

Happy Hunting!

Defender ATP and PowerBI

Maybe, you don’t want management in the ATP portal, even though it’s configurable via roles, and maybe they don’t want to be there.

One thing I know is that most managers loves numbers, so why not provide them with a PowerBI report.

You can perfectly use cloud based option and there is an app for Windows Defender ATP already there for you to use.

Configure your connector and you’re all good to go

The dasboard looks like the following picture

With the many different tiles you, or your manager, can dig deeper in to events like in this following example with alert status

It’s also possible to filter data based on who a case was assigned to, who resolved the case etc.

If you have a PowerBI Pro account, you could subscribe to get scheduled reports.

You can also to quick filter

This is an easy win for your manager

Running Windows Sandbox in a VM

The feature Sandbox available in Windows 10 preview version is very intersting for us who uses a web browsing VM.

The Sandbox feature or disposable VM is a Windows 10 container running on your Windows laptop and gives you the opportunity to launch a temporarily VM if you want to test something or just use it to browse internet to avoid infecting your machine (see the “note” later in this post because bad things can still happen) .

When you close the application all files are removed and possible malware will die.

sandbox-disposable

You might want to test the feature on a VM, which will basically be running VM on a VM (nested).

If you open features you will see that the feature is grayed out and you won’t be able to enable it that way however you can enable the service with DISM.

But when you launch Sandbox it will complain.

To solve this you have to make a change on the VM CPU where you want to run Sandbox.

The only thing you have to do is enabling “Expose Virtualization Extensions”

Set-VMProcessor -VMName Windows10Prev -ExposeVirtualizationExtensions $true
powershell set exposevirtualizationextensions to true

On the VM side

Enable the feature using GUI or PowerShell and restart.

dism /online /enable-feature Containers-DisposableClientVM


Launch Sandbox app

windows 10 disposable vm

This feature is perfect instead of using and manage a VM for this kind of work.

Launch Sandbox as any other applications

Note: You will still have access to resources on the network. Therefore malware can still execute and do bad things. But they will not survive a reboot of the Sandbox but they might have already replicate themselves to another system.
You can reach other systems via RDP.
If you have your host enrolled to WD ATP, and you isolate the host, the Sandbox will still be available

The AV Engine doesn’t seem to be running either

But regardless of the “Note” it’s still a very interresting feature and it will help a lot

When you exit the application you will be prompted that all data will be lost

sandbox exit





Vulnerability in Microsoft DHCP server

CVE-2019-0626

This is a high priority patch for your Windows DHCP server. This RCE is executed by sending a speciallly crafted packet to the DHCP server.
We haven’t seen any public available information like Proof of concept or exploit code but that’s just a matter of time.

CVSS Score

BaseTemporal
9.88.8

For further information please visit:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0626

Security update guidance:
https://portal.msrc.microsoft.com/en-us/security-guidance

SEC-LABS recognized at August 2018 Security Researcher’s list at MSRC

msrc
The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.

 

Both Stefan Schörling and Mattias Borg from SEC-LABS R&D is recognized at the Microsoft Security Response Center security researchers list for August 2018.

This was due to a vulnerability discovered with Johan Dahlbom and was reported to Microsoft.

We would like to give our appreciation to the MSRC team and it was a pleasure working with you to resolve this issue!

The list can be found here:
https://www.microsoft.com/en-us/msrc/researcher-acknowledgments-online-services

SSH native in Windows 10 1803

If you manage a mixed platform your might be switching between, RDP sessions, Remote PowerShell and other remote Tools.

Except for old legacy applications which may not be possible to manage without a GUI, it’s easier, possible to automate and will save you a lot of time using a command line interface.

To extend this support, there is now a native SSH client in Windows.

You may want to check your firewall rules to Control who and where admins can connect and what you need to block