Author Archive: SEC-LABS R&D

Live response API – build your custom playbooks

SEC-LABS R&D 2021-07-19 0 Comments

PUBLIC PREVIEW FEATURE

We have been able to use Live Response for some time now. It’s really great and we can take the response actions we find necessary and download data from the endpoint through the browser session.

Here is a very high level of how the architecture looks for the live response feature

Some things which may be difficult today with the limitations of single session is we can only connect to one machine at the time and automation does not apply for a browser session

If a machine is compromised in any way it’s useful, but if we want to automate the responses or run the same custom playbook for multiple devices we need to use the API

The API can be used both to collect necessary artefacts from devices, and also take remediation actions.

On some events, we’ve presented how to use the Live Response to dump memory and export the dmp files to Azure storage as an example how powerful it is.

Requirements

Requirements and limitations

Rate limitations for this API are 10 calls per minute (additional requests are responded with HTTP 429).
25 concurrently running sessions (requests exceeding the throttling limit will receive a “429 – Too many requests” response).
If the machine is not available, the session will be queued for up to 3 days.
RunScript command timeouts after 10 minutes.
Live response commands cannot be queued up and can only be executed one at a time.
If the machine that you are trying to run this API call is in an RBAC device group that does not have an automated remediation level assigned to it, you’ll need to at least enable the minimum Remediation Level for a given Device Group.
Multiple live response commands can be run on a single API call. However, when a live response command fails all the subsequent actions will not be executed.

Minimum Requirements

Before you can initiate a session on a device, make sure you fulfill the following requirements:

Verify that you’re running a supported version of Windows.Devices must be running one of the following versions of Windows
- Windows 11
- Windows 10
  - Version 1909 or later
  - Version 1903 with KB4515384
  - Version 1809 (RS 5) with with KB4537818
  - Version 1803 (RS 4) with KB4537795
  - Version 1709 (RS 3) with KB4537816
- Windows Server 2019 – Only applicable for Public preview
  - Version 1903 or (with KB4515384) later
  - Version 1809 (with KB4537818)
- Windows Server 2022

Set up service principle with API access

Sample code to connect with the service principle

Connecting to M365Defender

Connect to MDE API ( which applies to this case)

Request

Header

Name	Type	Description
Authorization	String	Bearer<token>. Required.
Content-Type	string	application/json. Required.

Body

Parameter	Type	Description
Comment	String	Comment to associate with the action.
Commands	Array	Commands to run. Allowed values are PutFile, RunScript, GetFile.

Available commands

Command Type	Parameters	Description
PutFile	Key: FileNameValue: <file name>	Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.
RunScript	Key: ScriptName Value: <Script from library>Key: Args Value: <Script arguments>	Runs a script from the library on a device.The Args parameter is passed to your script.Timeouts after 10 minutes.
GetFile	Key: Path Value: <File path>	Collect file from a device. NOTE: Backslashes in path must be escaped.

Sample Live response request body

Use can upload your own scripts to the library and call the scripts in a similar way as when you use interactive Live Response

POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runliveresponse


{
   "Commands":[
      {
         "type":"RunScript",
         "params":[
            {
               "key":"ScriptName",
               "value":"minidump.ps1"
            },
            {
               "key":"Args",
               "value":"OfficeClickToRun"
            }

         ]
      },
      {
         "type":"GetFile",
         "params":[
            {
               "key":"Path",
               "value":"C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
            }
         ]
      }
   ],
   "Comment":"Testing Live Response API"
}

For further reading, please visit

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-live-response

Happy Hunting!

Detect, Respond, Security

API, Defender for Endpoint, Live Response, MDE

Adding TAXII Threat Intel

SEC-LABS R&D 2021-04-01 0 Comments

To further enrich data in the Azure Sentinel workspace, we can ingest threat intel.

What is TAXII?

Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS.

More information about TAXII is available here:
https://oasis-open.github.io/cti-documentation/taxii/intro

Enabling TAXII Connector in Azure Sentinel

Go to connects view and search for “TAXII”

Open the connector settings page to add TAXII servers (you can add multiple servers)

In this demo we are using free TAXII feeds from Anomali (https://www.anomali.com/resources/limo)

When the TAXII server is configured, click “Next steps”

In this step we will get recommended workbooks, sample queries and analytic rules we can use to monitor and alert on the data we ingest from the TAXII server.

Provided sample queries gives us access to the data

ThreatIntelligenceIndicator | where SourceSystem != "SecurityGraph" and SourceSystem != "Azure Sentinel"

From the connector configuration, we can also see the related analytics rule templates

For further information, please visit:
https://docs.microsoft.com/en-us/azure/sentinel/import-threat-intelligence

Happy Hunting!

Security

Use kusto to breakdown time stamps

SEC-LABS R&D 2021-03-28 0 Comments

Some times you might want to split the time stamp of an event into smaller pieces, like month, day, hour etc.

For instance, you might want to see if you have more alerts during some specific hours of the day or if anyone is using RDP in the middle of the night.

To achieve this we use the function datetime_part which can split the time stamp to the following parts

Year
Quarter
Month
week_of_year
Day
DayOfYear
Hour
Minute
Second
Millisecond
Microsecond
Nanosecond

This data could, of course, be used to further analysis and joined with other events.

//Sample query
AlertInfo
| extend alerthour = datetime_part("hour", Timestamp)
| summarize count() by alerthour, DetectionSource
| sort by alerthour asc
| render areachart

For further reading about Kusto datetime_part, please visit
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-partfunction

#HappyHunting

Detect

Kusto, Microsoft365Defender, Threat Hunting

Microsoft 365 Defender connector for Azure Sentinel in public preview

SEC-LABS R&D 2020-11-10 0 Comments

A new connector for Microsoft 365 Defender is in public preview in Azure Sentinel. This connector makes it possible to ingest the hunting data into Sentinel

Currently, the Defender for Endpoint Data is available

To enable

Go to you Azure Sentinel Instance and select Connectors
Search for Microsoft 365 Defender

Click Open Connector Page
Select which Events you want to ingest

Click Apply Changes

Example queries

//Registry events
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "DefaultPassword"
| where RegistryKey has @"SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp

//Process and Network events
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient",
"DownloadFile",
"DownloadData",
"DownloadString",
"WebRequest",
"Shellcode",
"http",
"https")
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType

If we look at the tables we can see the new created tables

More information about the data in these tables is available in this post https://blog.sec-labs.com/2018/06/threat-hunting-with-windows-defender-atp/

For further reading:

Azure Sentinel https://docs.microsoft.com/sv-se/azure/sentinel
Microsoft 365 Defender https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection

News, Security

AzureSentinel, DefenderATP, MDE, Microsoft365Defender, MicrosoftDefenderForEndpoint, MTP, Sentinel

Helpful feature in MDATP

SEC-LABS R&D 2020-08-13 0 Comments

One of the benefits of using a cloud service backend instead of on-prem appliance boxes is that we can get new features without doing anything except for “enable” depending on feature.

One feature I like is the “flag event” feature in the timeline.

In the machine timeline view there is a “flag” we can enable on each event we find interesting. This will make it easier to go back and further investigate suspicious activities.

In the overview we can see where the flags are located in the timeline and if we want, we can also filter on flagged events

Happy Hunting

Detect, News

Defender ATP

Application Consent – Protect Detect and Respond

SEC-LABS R&D 2020-07-09 0 Comments

As companies raise their bars and protect more and more accounts with Multi-factor Authentication the attacks are twisting with new angles. The method of using Application Consent is nothing new but attackers haven’t had a need to use it as a stolen password is normally less friction.

So what is Application Consent, Application consent is a way to grant permissions to Applications to access your data that they need to perform their specific Task. An example could be a be a Travel App that needs to read your Travel itinerary so that it can automatically update your Calendar with Flight Data or other information.

I am sure everyone has seen a App Consent Screen

Kevin Mitnick did a malicious Ransomware PoC roughly with Application Consent two years ago around this, feel free to watch the demo on the youtube link.

Application Control Protect

The first thing you should ask your selves, do you allow your users to Grant Permissions themselves of their data or have you as an organization centrally taken this control?

The settings can be configured under your Azure Active Directory

First off can your users Register Applications themselves or is this under central control?

AAD > User Settings > Enterprise Applications

So if you do not allow this the users would never be able to allow an App consent either, but if you do you can control how much data they can share and under what circumstances, you will find a few options in the detailed settings below.

AAD > Enterprise Applications > User Settings

AAD > Enterprise Applications > Consent and Permissions > User Consent Settings (Preview at the time of writing)

Do not allow user consent
Allow user consent for apps from verified publishers
Allow user consent for Apps

Allowing users to allow Apps will put you at risk as they can be lured into accepting an Application Consent. This is not only sensitive from a Security Threat perspective, but also from a privacy / secrecy perspective where third party apps malicious or not are for an example being granted access to PII or Customer Data.

Here you need to find the balance between control and risk on how much you can detect. With the “Allow user consent for apps from verified publishers” you also have the option to control what data and methods are being granted as well. Not that the offline_access is something you need to review thoroughly as that opens up your exposure.

Another possibility that exists is also to user a Admin Consent Requests, in this case a User can request a consent that an Admin will have to review and approve or deny.

AAD > Enterprise Applications > User Settings

Application Control Detection

There are a few ways to see and detect Application Consent, either you create a manual process to review this on a schedule or you use the tools you have at hand. Some examples on what you can use below depending on how you are licensed and how you have integrated Logs.

Manually in Azure AD Portal
Powershell to extract data
Microsoft Cloud App Security
Azure Sentinel
Alerts in Office 365 Audit Log
3rd Party SIEM

If you have integrated Office 365 Logs to Azure Sentinel this is an example query to find application consent activity.

AuditLogs 
| where OperationName == "Consent to application"
| extend displayName_ = tostring(TargetResources[0].displayName)
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project displayName_, userPrincipalName_, ActivityDateTime

Application Control Respond

So what can you do if you find Applications that you suspect are doing malicious activities or is putting your data at risk.

You have a few options, start with documenting and putting a timeline with all the activities you are taking, its easy to forget when you need to go back in time.

Block Sign-in to Application
Remove Users from the Application
Remove the Application Completely
Ban/Block Application in MCAS
Review Permissions under the App in AAD

I wouldn’t recommend removing the app until your investigations is complete, id rather block the Login. Depending on that tools you have you can start going through your audit logs in relation to this app.

More Reading

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide

Detect, Protect, Respond

The time of the year for the Microsoft MVP award

SEC-LABS R&D 2020-07-02 0 Comments

We are proud and happy to announce that both Mattias and Stefan are awarded with Microsoft MVP 2020-2021.

For Mattias it is the first Microsoft MVP award and he is awarded in the category: Microsoft Azure

Stefan is awarded for the 13th consecutive year and was awarded in 2(!) categories: Enterprise Mobility and Microsoft Azure

News

AWARD, Azure, Enterprise Mobility, MVP

24/7 protection during Covid-19 – Defender ATP Auto IR

SEC-LABS R&D 2020-05-14 0 Comments

One thing we usually discuss with customers is the workload. Everyone has too much to do and it can, sometimes be difficult to prioritize investigations.

Especially now, where you might be short on staff, and the Covid-19 virus can strike at the SOC organization or reduce the numbers of available people.

Of course, this does not only apply during the world crisis of Covid-19. Automation is also a help in the normal day to day work.

There are benefits of being able to automate responses and we have these discussions with many customers.

MDATP Automatic self-healing is built-in into Defender ATP and is mimicking these ideal steps a human would take to investigate and remediate organizational assets, impacted by a cyber threat.

This is done using 20 built-in investigation playbooks and 10 remediation actions

Increased Capacity

Respond at the speed of automation
Investigate and remediate all alerts automatically
Free up critical resources to work on strategic initiatives

Cost implications

It will drive down the cost per investigation and remediation
Takes away manual, repetitive tasks
Automated remediation eliminates downtime

Get full value of your protection suite and people, quick configuration and you are up and running

SecOps Investigation (Manual)

Sometimes it will take some time from the alert being triggered until someone has the time to start looking at it. Manual work also requires more resources for review and approval for each action

From a SecOPs perspective, an initial response involves information gathering.

Collecting:

Process list
Services
Drivers
Network connections
Files created
1. Where did the file originate from?
1. etc

Based on our results, we will decide the remediation steps (if we do not follow a playbook here, the catch will be different result depending on who makes the response).

Remediation:

The remediation will include connecting remotely or manually collect the device and then launch tools for the remediation process.

Automatic response with Auto IR

Fast time to respond which will avoid additional damage and compromise of additional devices, when attackers will start moving lateral in the environment.

It’s our 24/7 buddy who assists the SOC staff to remediate threats so the human staff can focus on other things

MDATP is sending telemetry data to the cloud
MDATP cloud continuously analyzes the data to detect threats
Once a threat is identitfied an alert is being raised
The alert kicks off a new automated investigation
AIRS component asks Sense client to initiate SenseIR
SenseIR is then orchestrated by AIRS on what action should be executed (Collection/Remediation)
Based on the data collected from the machine (current and historical) AIRS decides what actions should be taken
For every threat identified, AIRS will automatically analyze the best course of action and tailor a dedicated surgical remediation action to be executed using on device components (e.g. Windows Defender Antivirus)

Playbook is executed

“suspicious host” playbook is just an example of “catch all” playbook that is applied after detailed AutoIR investigation for evidences raised by alerts / incident to ensure that nothing is missed.

Data Collection

Volatile data
- All processes list – main image, loaded modules, handles, suspicious memory sections
- All services list
- All drivers list
- All connections
None-Volatile data
- Recently created files – x minutes febore / after alert
- All persistence methods
- Recently executed files
- Download location

Incrimination

Microsoft Security Graph eco system – DaaS, AVaaS, TI, TA, Detection engine, ML infrastructure etc.
Custom TI indicators – for allow / block list

Remediation

How?
- By leveraging OS components (e.g. Defender Antivirus) to perform the remediation (prebuilt into the system, low level actions (driver), tried and tested)
What?
- File actions
- Process actions
- Service actions
- Registry actions
- Driver actions
- Persistency methods (Reg, Link files, etc.) actions
- Scheduled task actions
- More…

Getting started

Go to the MDATP portal (https://securitycenter.windows.com)
Click settings and then Advanced features
Turn on Automated Investigation and Automatically resolve alerts

In machine groups select Add machine group

As you can see in the options, you can select different AutoIR levels

Summary

Go auto approval, save time and protect your business!

Happy Hunting

Detect, Protect, Respond, Security

AutoIR, Automation, DefenderATP, SOAR

Windows Defender Tamper Protection with Intune / MEM

SEC-LABS R&D 2020-03-28 0 Comments

As we have been reading about many of the advanced threats we see today do try to turn off and tamper with protections that are active on our endpoints.

With Windows Defender you have the option to enable Tamper Protection to make your Windows Defender configuration more safe.

With the protection the client is safeguarded from attempts to disable

Virus and Threat Protection and IOAV
Real-time Protection
Cloud-delivered protection
Behavior monitoring
Removal of Security Intelligence Updates

Of course you should not run as local admin as you expose your machine to other risks but this protection helps in some of those scenarios, there are of course other means an attacker can circumvent being detected and that why we strongly recommend adding EDR capabilities to your endpoint security strategy.

To turn this on you simply make sure your machines are managed

You can find the setting under Windows 10 and later > Endpoint Protection and Category > Microsoft Defender Security Center > Tamper Protection

Once you have enabled Tamper Protection assign it to your Endpoints.

On the endpoint you should be able to see that Tamper Protection is turned on in the Windows Security Center

If you are running a early version of Windows 10 you need to have atleast 1709 for this to work and for 1709-1809 you will not see this in the Security Center and need to verify this with powershell and look for the value “isTamperProtected” set to True