Alright, since I happen to be in a blog mode I keep the posts coming.
This post continue to explore the hunting capatibilities in Defender ATP by query for Exploit Guard detections.
So what’s this Exploit Guard?
Windows Defender Exploit Guard is a new set of intrusion prevention capabilities which are built-in with Windows 10, 1709 and newer versions.
Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements
| Component | Details |
| Attack Surface Reduction (ASR) | A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats |
| Network Protection | Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen |
| Controlled Folder Access | Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders |
| Exploit Protection | A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications |
Example of ASR rules
• Block Office apps from creating executable content
• Block Office apps from launching child process
• Block Office apps from injecting into process
• Block Win32 imports from macro code in Office
• Block obfuscated macro code
Exploit Guard is configured through MDM (Intune) or SCCM or GPO’s or PowerShell.
If you have Microsoft 365 E5 license or Threat Protection license package, you don’t have to use Windows Event Forward to get the events in a central log solution. They will automatically be forwarded to your Microsoft 365 security portal https://security.microsoft.com where you have a nice looking dashboard where you can see alerts and configurations of ASR and other things.
This following dashboard is a part from the Monitor and Report section in the portal
Back to Defender ATP and the hunting which this post was supposed to be all about.
We have published some posts now about hunting custom alerts.
In the query console in Defender ATP we started to go backwards to find the ASR events. It’s simple. configure your client, run a few attacks which will trigger the alerts.
We looked in the MiscEvents for all events (filtered on computername and time). Which gaves us ideas of ActionTypes to use in the query.
Examples from the output:
| AsrOfficeMacroWin32ApiCallsAudited |
| AsrPsexecWmiChildProcessBlocked |
| ControlledFolderAccessViolationBlocked |
| ExploitGuardAcgAudited |
| ExploitGuardChildProcessAudited |
| ExploitGuardNetworkProtectionBlocked |
| ExploitGuardNonMicrosoftSignedAudited |
| ExploitGuardWin32SystemCallBlocked |
| SmartScreenAppWarning |
| SmartScreenUrlWarning |
| SmartScreenUserOverride |
Interesting note “SmartScreenUserOverride” is a separate event which you can query
When we had the raw Actiontypes we created the query to cover as much as we could.
//Happy Hunting
MiscEvents
| where ActionType contains "asr" or
ActionType contains "Exploit" or
ActionType contains "SmartScreen" or
ActionType contains "ControlledFolderAccess"
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,
FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
JsonOut.IsAudit,JsonOut.Uri,JsonOut.RuleId,JsonOut.ActivityId
We are also parsing AdditionalFields to be able to add extra value to events which contained such data.
From this point we can do additional filters. For example, if you want to enable ASR enterprise wide, set them in auditmode and report on the alerts without affect user productivity, remediate and the do a enterprise wide block enrollment
Happy Hunting!
HI all,
I need to get list of machines, which are ASR rule off/unknown. Can you please help me with hunting query or any other option to get machine list ?
Thanks
Hi,
here the URL for the config: https://security.microsoft.com/asr?viewid=configuration however, it’s important to look at expected config as well, if you manage it through intune, sccm or GPO’s to make sure the governance of the config works
things have changed, updated:
//Happy Hunting
DeviceEvents
| where ActionType contains “asr” or
ActionType contains “Exploit” or
ActionType contains “SmartScreen” or
ActionType contains “ControlledFolderAccess”
| extend JsonOut = parse_json(AdditionalFields)
| sort by Timestamp desc
| project Timestamp, DeviceName, InitiatingProcessAccountName, ActionType,
FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
JsonOut.IsAudit,JsonOut.Uri,JsonOut.RuleId,JsonOut.ActivityId
Absolutely. This post was written when the old schema was used. Good point! I will go through the posts and look at our hunting queries to see if we have others that needs a change. thanks!