Latest Posts

MVP Renewal

Sec-Labs proudly announces that both blog and writers Stefan Schörling and Mattias Borg were renewed as Microsoft MVPs.

They are both awarded in the security category for their contributions in SIEM & XDR technology area.

The Microsoft MVP Award is an annual award that recognizes exceptional technology community leaders worldwide who actively share their high-quality, real-world expertise with users and Microsoft.

Links to MVP Profiles

Stefan Schörling: https://mvp.microsoft.com/en-US/MVP/profile/712d88ae-3c9a-e411-93f2-9cb65495d3c4
Mattias Borg: https://mvp.microsoft.com/en-US/MVP/profile/4734d2c1-7eb7-ea11-a812-000d3a8ccaf5

The MVP Award program

https://mvp.microsoft.com

Antivirus exclusions and ASR

From working with customers we commonly get questions about exclusions for ASR, the impact of those exclusions, and when they will work or not.

Indicators in MDE do work for ASR, but not all indicator types. Defender Antimalware exclusions do work for ASR, but not all rules honor the exclusions. Here are a few tables from Microsoft Learn which can help you with this:

Rules which do not honor Defender Antivirus exclusions

  • Block Adobe Reader from creating child processes
  • Block process creations originating from PSExec and WMI commands
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block Office communication application from creating child processes

Rules which do not honor Defender for Endpoint (MDE) Indicators of type Certificate

  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block Office applications from injecting code into other processes
  • Block Win32 API calls from Office macros

For further information about attack surface reduction, please visit https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction

Happy Hunting!

Microsoft announces Security Exposure Management

Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. Security Exposure Management enriches asset information with security context that helps you to manage attack surfaces, protect critical assets, and explore and mitigate exposure risk.

From a personal perspective this is going to change a lot in the security business!

It is enabled in the Microsoft Defender XDR portal (https://security.microsoft.com)

Security Exposure Management is currently in public preview.

View the attack surface map; this is BloodHound on steroids!

Microsoft is leading the next chapter of attack surface management so organizations can proactively improve their posture and reduce their exposure, faster than attackers are able to exploit them.

Microsoft Security Exposure Management is in Public preview and empowers organizations to:

  • Build an effective exposure management program with a continuous threat exposure management (CTEM) process.
  • Reduce risk with a clear view of every asset and real-time assessment of potential exposures both inside-out and outside-in.
  • Identify and classify critical assets, ensuring they are protected against a wide variety of threats.
  • Discover and visualize potential adversary intrusion paths, including lateral movement, to proactively identify and stop attacker activity.
  • Communicate exposure risk to business leaders and stakeholders with clear KPIs and actionable insights.
  • Enhance exposure analysis and remediation by integrating with third-party data sources and tools.

The new foundational capabilities for an exposure management program are:

  • Attack Surface Management: Provides a comprehensive view of the entire attack surface, allowing the exploration of assets and their relationships.
  • Attack Path Analysis: Assists security teams in visualizing and prioritizing attack paths and risks across environments, enabling focused remediation efforts to reduce exposure and breach likelihood.
  • Unified Exposure Insights: Provides decision-makers with a consolidated, clear view of an organization’s threat exposure, facilitating security teams in addressing critical questions about security posture.

Current seamless integrations are:

  • Vulnerability Management (VRM)
    • Microsoft Defender Vulnerability Management (MDVM)
    • Qualys Vulnerability Management (Preview)
    • Rapid7 Vulnerability Management (Preview)
  • External Attack Surface Management (EASM)
    • Microsoft Defender External Attack Surface Management
  • Cloud Security (CSPM)
    • Microsoft Defender Cloud Security Posture Management (CSPM)
  • Endpoint Security (Device Security Posture)
    • Microsoft Defender for Endpoint (MDE) 
  • Identity Security (ISPM)
    • Microsoft Defender for Identity (MDI) 
    • Microsoft Entra ID (Free, P1, P2)
  • SaaS Security Posture (SSPM)
  • Email Security
    • Microsoft Defender for Office (MDO)
  • OT/IOT Security
    • Microsoft Defender for IOT
  • Asset & Configuration Management
    • ServiceNow CMDB (Preview)

Identifying and resolving attack paths

Who uses Security exposure management?

  • Security and compliance admins responsible for maintaining and improving organizational security posture.
  • Security operations (SecOps) and partner teams who need visibility into data and workloads across organizational silos to effectively detect, investigate, and mitigate security threats.
  • Security architects responsible for solving systematic issues in overall security posture.
  • Chief Security Information Officers (CISOs) and security decision makers who need insights into organizational attack surfaces and exposure in order to understand security risk within organizational risk frameworks.

As always, provide feedback

Happy Hunting!

New ASR Rules available

There are 2 new ASR (Attack Surface Reduction) rules available.

Attack Surface Reduction rules are a Defender feature which, as it sounds, reduces the attack surface on endpoints. This is done by blocking certain attack surfaces such as “Block all Office applications from creating child processes”, “Block untrusted and unsigned processes that run from USB” and more; there are 19 rules available today, two of which are in preview.

The great thing about ASR is that it closes some attack paths, instead of relying on Antivirus or EDR to detect the malicious code or behavior, since these change all the time.

The new rules:

Block rebooting machine in Safe Mode (preview)

GUID: 33ddedf1-c6e0-47cb-833e-de6133960387

This rule prevents the execution of commands to restart machines in Safe Mode.

Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or simply execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.

Block use of copied or impersonated system tools (preview)

GUID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb

This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.

Some malicious programs may try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and imposters of the system tools on Windows machines.

Please note that since these 2 new rules are in preview, additional upgrades to improve efficacy are under development.
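Because the new rules are still in preview, a sensible approach is to run them in audit mode first and review what they would have blocked. The Advanced Hunting query below is an added example (not from the original post) that summarizes ASR audit and block events per rule over the last week, using the DeviceEvents table; the Mode classification is derived from the ActionType naming (Audited/Blocked/Warn suffixes).

```kql
// Added example: review ASR hits per rule before moving a rule from audit to block.
// Assumes the standard DeviceEvents schema in Microsoft Defender XDR Advanced Hunting.
DeviceEvents
| where Timestamp > ago(7d)
// All ASR events share the "Asr" ActionType prefix
| where ActionType startswith "Asr"
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Warn/Other")
| summarize Hits = count(),
            Devices = dcount(DeviceId),
            SampleFiles = make_set(FileName, 5),
            SampleParents = make_set(InitiatingProcessFileName, 5)
    by ActionType, Mode
| order by Hits desc
```

Rules with many audit hits against known-good line-of-business tools are the ones to investigate (and, if needed, exclude) before enforcing.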

Happy Hunting!

Assigning severity to incidents and other features are now GA

The speed at which new useful functionality in Microsoft Defender XDR, previously Microsoft 365 Defender, is being developed is very high. From this perspective it is super important to send feedback: not only about things that may not work as you expected or errors you run into, but also new feature requests.

Some new features released to GA in February are within the incident management space.

Change incident severity

When an incident is generated, its severity is based on the alert with the highest severity. If the severity is wrong, you can change it by opening Manage incident, which opens the incident pane.

Assign incident to a group

Instead of only assigning the incident to a specific individual (who might be on leave), it is now possible to assign the incident to a group by opening Manage incident, which opens the incident pane.

Go hunt directly from attack story

When selecting an item in the attack story, you will get a “Go Hunt” option which lets you choose between All activities, Related alerts and See all available queries.

When selecting a query, you get the response in the same window. The positive thing with this is that you don’t have to move away from the incident view. If you want to continue hunting, you have the option to “Open in advanced hunting”.

Happy Hunting!

Attack Simulation Training to be resilient against QR code phishing

QR code phishing has been a hassle in the cyber world for a while now. There are multiple reasons for threat actors to use this method to phish users and compromise accounts.

One reason is that it is difficult to detect (the MDO research team has done a great job in detecting these, huge kudos to you!); the other reason is that the user is forced to move to another device. If they read the email on their monitored laptop and then scan the QR code with their phone, it is more difficult to detect, and not all organizations have onboarded their phones to Defender.

Microsoft announced last month a partnership with Fortra’s Terranova Security and has launched two new QR code phishing training modules in Attack Simulation Training. This will provide a training email for the end-user which explains the QR code technique.

How to launch a simulation with QR code

Go to the Defender XDR portal and under Email & Collaboration select Attack simulation training

Select Launch a simulation and follow the wizard

Select the How-to Guide

Select the payload Teaching Guide: How to recognize and report QR phishing messages

Choose your targets

If required, exclude users

Configure your launch details

Monitor

Don’t forget to follow up your simulations with user awareness training to establish a cyber security culture.

Happy Hunting!

Microsoft Defender XDR Deceptions Feature

Last year Microsoft announced a deception capability in Microsoft Defender for Endpoint. The idea with deception is that an adversary accesses a decoy or lure, which triggers an incident for the response team to act on.

In Settings > Endpoints > Advanced features

Enable Deception

To create Deception rules

In Settings > Endpoints > Deception rules

It is possible to scope a specific deception rule to devices with a specific tag.

The system will automatically generate aliases or hostnames, which can be edited to better fit your organization.

Lures can be auto-generated, or you can use custom lures (file size up to 10MB).

A lure can be of any file type except PE files (exe and dll).
It is recommended that the lure contains information about the decoys.

Happy Hunting!

QR Code phishing and MDO

QR code phishing campaigns have most recently become the fastest growing type of email-based attack. These types of attacks are growing and embed QR code images linked to malicious content directly into the email body, to evade detection. They often entice unwitting users with seemingly genuine prompts, like a password reset or a two-factor authentication request. Microsoft Defender for Office 365 is continuously adapting as threat actors evolve their methodologies. In this blog post we’ll share more details on how we’re helping defenders address this threat and keeping end-users safe.

It’s Friday and blog time

It’s difficult for security vendors to detect: there is low signal for ML detection because the email contains basically no text, the QR code is embedded in attachments, and so on. It’s brilliant as an attack technique.

MDO and EOP detect QR codes inline in the mail flow, analyze the metadata and send the URL behind the QR code to a sandbox.

All other attributes are also used for the final email verdict.

Statistics: Microsoft Defender for Office and QR code phishing at scale

  • With the power of existing capabilities and robust tools we have built, many heuristics-based rules were released within minutes leading to ~1.5 million QR code phishing blocked in email body per day in the last several months! As the attack patterns evolve, new rules continue to get released and refined as needed.
  • The advanced detection technologies built to extract QR code related metadata (URL and text), have scanned more than 200 million unique URLs on average weekly, out of which more than 100 million came from QR codes.
  • Our advanced detection technologies have blocked more than 18 million unique phishing emails containing a QR code image in the email body on average weekly and around 3 million unique QR code phishing emails per day.
  • QR code phishing protection includes Commercial as well as Consumer emails. More than 96% of these are QR code phishing blocked by our technologies in Enterprise alone.

From: Protect your organizations against QR code phishing with Defender for Office 365 – Microsoft Community Hub

But even if you have all the great security in place, we still cannot patch the end-users. User awareness training is critical for your data.

We recommend you read the full post at Protect your organizations against QR code phishing with Defender for Office 365 – Microsoft Community Hub

Happy Hunting

Quick tip – Country Codes

All countries have an ISO code, described in ISO 3166, which is an international standard.
These codes are used throughout the IT industry by computer systems and software to make it easier to identify a country.

The country codes are presented in the following formats: Alpha-2 (2 characters), Alpha-3 (3 characters) and Numeric (3 digits).

In the data from some logs like SigninLogs and IdentityLogonEvents the country is presented as Alpha-2. We realized pretty quickly that some 2-character country codes are difficult to remember. As in the picture below, it could be difficult to know all these countries.

We have been using this for a long time and thought it might be something others can use as well.

So to solve this I created a csv file and placed it on GitHub:

https://raw.githubusercontent.com/mattiasborg82/Hunting/main/General/cc.txt

To be able to join our data with this file we can use the externaldata operator in Kusto.

Since it’s a CSV file, we can make it more usable by splitting the rows on the comma.

To build the full use-case for this, we join it with our SigninLogs (or other logs that use the country code).

Copy friendly code

// Load the country code file from GitHub, one row per line, and skip the header row
let CountryCodes = externaldata (CountryCode:string)
[
 @"https://raw.githubusercontent.com/mattiasborg82/Hunting/main/General/cc.txt"
]
with(ignoreFirstRecord=true);
SigninLogs
| where isnotempty(Location)
| join kind=leftouter (
    CountryCodes
    // Split each row on the comma: first field is the country name,
    // second field is the Alpha-2 code that matches SigninLogs.Location
    | extend Country = tostring(split(CountryCode, ",")[0]),
              Location = tostring(split(CountryCode, ",")[1])
    | project-away CountryCode)
on Location
// Sign-ins per user and (readable) country
| summarize count() by Country,UserDisplayName

This can be used further in combination with conditional access blocks, showing potential credential leaks.
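As an added example (not part of the original post), the query below carries the country lookup one step further and lists users whose sign-ins were stopped by Conditional Access, grouped by readable country name; it assumes the same column order in cc.txt as the query above and uses the standard SigninLogs ConditionalAccessStatus column. The thresholds at the end are assumptions to tune for your tenant.

```kql
// Added example: Conditional Access blocks per user with readable country names,
// as a starting point for spotting credentials being tried from unexpected places.
let CountryCodes = externaldata (CountryCode:string)
[
 @"https://raw.githubusercontent.com/mattiasborg82/Hunting/main/General/cc.txt"
]
with(ignoreFirstRecord=true)
| extend Country = tostring(split(CountryCode, ",")[0]),
         Location = tostring(split(CountryCode, ",")[1])
| project-away CountryCode;
SigninLogs
| where TimeGenerated > ago(7d)
| where isnotempty(Location)
// Only sign-ins that a Conditional Access policy failed/blocked
| where ConditionalAccessStatus == "failure"
| join kind=leftouter CountryCodes on Location
// Fall back to the raw Alpha-2 code if the lookup has no match
| extend Country = iff(isempty(Country), Location, Country)
| summarize Blocked = count(),
            Countries = make_set(Country),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName
// Assumed thresholds: many countries or many blocks in a week is worth a look
| where array_length(Countries) > 1 or Blocked > 10
| order by Blocked desc
```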

Happy Hunting!