Detect

Application Consent – Protect Detect and Respond

As companies raise their bars and protect more and more accounts with Multi-factor Authentication the attacks are twisting with new angles. The method of using Application Consent is nothing new but attackers haven’t had a need to use it as a stolen password is normally less friction.

So what is Application Consent, Application consent is a way to grant permissions to Applications to access your data that they need to perform their specific Task. An example could be a be a Travel App that needs to read your Travel itinerary so that it can automatically update your Calendar with Flight Data or other information.

I am sure everyone has seen a App Consent Screen

Source: Microsoft docs

Kevin Mitnick did a malicious Ransomware PoC roughly with Application Consent two years ago around this, feel free to watch the demo on the youtube link.

Application Control Protect

The first thing you should ask your selves, do you allow your users to Grant Permissions themselves of their data or have you as an organization centrally taken this control?

The settings can be configured under your Azure Active Directory

First off can your users Register Applications themselves or is this under central control?

AAD > User Settings > Enterprise Applications

So if you do not allow this the users would never be able to allow an App consent either, but if you do you can control how much data they can share and under what circumstances, you will find a few options in the detailed settings below.

AAD > Enterprise Applications > User Settings

AAD > Enterprise Applications > Consent and Permissions > User Consent Settings (Preview at the time of writing)

  • Do not allow user consent
  • Allow user consent for apps from verified publishers
  • Allow user consent for Apps

Allowing users to allow Apps will put you at risk as they can be lured into accepting an Application Consent. This is not only sensitive from a Security Threat perspective, but also from a privacy / secrecy perspective where third party apps malicious or not are for an example being granted access to PII or Customer Data.

Here you need to find the balance between control and risk on how much you can detect. With the “Allow user consent for apps from verified publishers” you also have the option to control what data and methods are being granted as well. Not that the offline_access is something you need to review thoroughly as that opens up your exposure.

Another possibility that exists is also to user a Admin Consent Requests, in this case a User can request a consent that an Admin will have to review and approve or deny.

AAD > Enterprise Applications > User Settings

Application Control Detection

There are a few ways to see and detect Application Consent, either you create a manual process to review this on a schedule or you use the tools you have at hand. Some examples on what you can use below depending on how you are licensed and how you have integrated Logs.

If you have integrated Office 365 Logs to Azure Sentinel this is an example query to find application consent activity.

AuditLogs 
| where OperationName == "Consent to application"
| extend displayName_ = tostring(TargetResources[0].displayName)
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project displayName_, userPrincipalName_, ActivityDateTime 

Application Control Respond

So what can you do if you find Applications that you suspect are doing malicious activities or is putting your data at risk.

You have a few options, start with documenting and putting a timeline with all the activities you are taking, its easy to forget when you need to go back in time.

  • Block Sign-in to Application
  • Remove Users from the Application
  • Remove the Application Completely
  • Ban/Block Application in MCAS
  • Review Permissions under the App in AAD

I wouldn’t recommend removing the app until your investigations is complete, id rather block the Login. Depending on that tools you have you can start going through your audit logs in relation to this app.

More Reading

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide

24/7 protection during Covid-19 – Defender ATP Auto IR

One thing we usually discuss with customers is the workload. Everyone has too much to do and it can, sometimes be difficult to prioritize investigations.

Especially now, where you might be short on staff, and the Covid-19 virus can strike at the SOC organization or reduce the numbers of available people.

Of course, this does not only apply during the world crisis of Covid-19. Automation is also a help in the normal day to day work.

There are benefits of being able to automate responses and we have these discussions with many customers.

MDATP Automatic self-healing is built-in into Defender ATP and is mimicking these ideal steps a human would take to investigate and remediate organizational assets, impacted by a cyber threat.

This is done using 20 built-in investigation playbooks and 10 remediation actions

Increased Capacity

  • Respond at the speed of automation
  • Investigate and remediate all alerts automatically
  • Free up critical resources to work on strategic initiatives

Cost implications

  • It will drive down the cost per investigation and remediation
  • Takes away manual, repetitive tasks
  • Automated remediation eliminates downtime

Get full value of your protection suite and people, quick configuration and you are up and running

SecOps Investigation (Manual)

Sometimes it will take some time from the alert being triggered until someone has the time to start looking at it.  Manual work also requires more resources for review and approval for each action

From a SecOPs perspective, an initial response involves information gathering.

Collecting:

  1. Process list
  2. Services
  3. Drivers
  4. Network connections
  5. Files created
    1. Where did the file originate from?
    1. etc

Based on our results, we will decide the remediation steps (if we do not follow a playbook here, the catch will be different result depending on who makes the response).

Remediation:

The remediation will include connecting remotely or manually collect the device and then launch tools for the remediation process.

Automatic response with Auto IR

Fast time to respond which will avoid additional damage and compromise of additional devices, when attackers will start moving lateral in the environment.

It’s our 24/7 buddy who assists the SOC staff to remediate threats so the human staff can focus on other things

  1. MDATP is sending telemetry data to the cloud
  2. MDATP cloud continuously analyzes the data to detect threats
  3. Once a threat is identitfied an alert is being raised
  4. The alert kicks off a new automated investigation
  5. AIRS component asks Sense client to initiate SenseIR
  6. SenseIR is then orchestrated by AIRS on what action should be executed (Collection/Remediation)
  7. Based on the data collected from the machine (current and historical) AIRS decides what actions should be taken
  8. For every threat identified, AIRS will automatically analyze the best course of action and tailor a dedicated surgical remediation action to be executed using on device components (e.g. Windows Defender Antivirus)

Playbook is executed

“suspicious host” playbook is just an example of “catch all” playbook that is applied after detailed AutoIR investigation for evidences raised by alerts / incident  to ensure that nothing is missed.

Data Collection

  • Volatile data
    • All processes list – main image, loaded modules, handles, suspicious memory sections
    • All services list
    • All drivers list
    • All connections
  • None-Volatile data
    • Recently created files – x minutes febore / after alert
    • All persistence methods
    • Recently executed files
    • Download location

Incrimination

  • Microsoft Security Graph eco system – DaaS, AVaaS, TI, TA, Detection engine, ML infrastructure etc.
  • Custom TI indicators – for allow / block list

Remediation

  • How?
    • By leveraging OS components (e.g. Defender Antivirus) to perform the remediation (prebuilt into the system, low level actions (driver), tried and tested)
  • What?
    • File actions
    • Process actions
    • Service actions
    • Registry actions
    • Driver actions
    • Persistency methods (Reg, Link files, etc.) actions
    • Scheduled task actions
    • More…

Getting started

Advanced Features (edited list)
  • In machine groups select Add machine group

As you can see in the options, you can select different AutoIR levels

Summary

Go auto approval, save time and protect your business!

Happy Hunting

SANS Threat Hunting Summit – Link list

Thank you for attending our session at Sans Threat Hunting & IR Summit in London.

Here are some resources as promised during our session which may help.

Threat Hunting

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/hunting

https://blog.sec-labs.com/2018/06/threat-hunting-with-windows-defender-atp/

https://blog.sec-labs.com/2019/10/hunting-for-minint-security-audit-block-in-registry/

https://blog.sec-labs.com/2019/07/hunt-for-nuget-squirrel-update/

Power Automate / Logic Apps

https://docs.microsoft.com/en-us/cloud-app-security/flow-integration

https://docs.microsoft.com/en-us/power-automate/

https://docs.microsoft.com/en-us/azure/logic-apps/

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-create-api-app

Azure Automation:

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview

https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

https://docs.microsoft.com/en-us/azure/automation/shared-resources/credentials

Configuration

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/best-practices-for-configuring-eop

https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/turn-on-modern-auth

https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score

Auditing and Logs

https://support.microsoft.com/en-gb/help/4026501/office-auditing-in-office-365-for-admins

https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing

Investigation

https://github.com/OfficeDev/O365-InvestigationTooling

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations

https://docs.microsoft.com/en-us/cloud-app-security/investigate-risky-oauth

https://docs.microsoft.com/en-us/cloud-app-security/manage-app-permissions

API

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview

https://docs.microsoft.com/en-us/cloud-app-security/investigate-activities-api

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/apis-intro

https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0

Free Training resources

https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch

Happy Hunting!

follow us on twitter @mattiasborg82 and @stefanschorling

Blocking MCAS Unsanctioned Apps at the Endpoint with MDATP

*Note Preview Feature

Yes you read that right, its now possible to block unsanctioned apps in Microsoft Cloud App Security directly at your Windows 10 Endpoints. Moving towards a Zero-Trust network away from the corporate firewalls and proxies you still want to maintain network control from the endpoint side, this new feature will give you the possibility to block applications, this is a great step forward in the area and its clear that Microsoft is taking Zero-Trust and Security seriously.

So how to get started first of requirements! Last year we wrote about the Network Block Feature and it could be a good start before reading this article it can be found here. https://blog.sec-labs.com/2019/07/using-wdatp-network-block/

Requirements

  • MDATP and MCAS Integration Enabled
    • MDATP Portal > Settings > Advanced Features
  • Windows 10 with Network Block Enabled
  • MCAS Cloud App Control Enabled
    • MCAS Portal > Settings > Cloud App Control
      • (Its important to note if you have marked apps as unsanctioned in the MCAS Portal already they will automatically be marked as blocked so before turning this on review your unsanctioned apps.)

Configuring Unsanctioned Apps

Once you have your requirements in-place we can start to configure unsanctioned apps, You can either select to maintain this manually or configure a policy to set all apps matching a certain criteria to be blocked. An example could be block all apps with a Risk Score Lower than 3.

Manually

If you go to your Cloud App Dashboard and find the App you want to block just click on the App and select unsanctioned.


Automatically

To have apps marked as unsanctioned automatically can be done with a Policy. Below we have an example of blocking apps that meet the criteria Risk Score 1-3.

Its also possible to add other types of criteria if you want to refine your policy. It all depends what you want to limit and the purpose, is it to control Shadow IT or is it from a Security perspective. Some examples below of other criteria that could be useful depending on the use case.

  • App Category Productivity
  • Daily Traffic Below 5 MB
  • Number of Users Below 5

PRO TIP: When building your Policy its very good that you can play with the Preview Results, that gives you instant feedback on how well your query will perform so try that out.

Back-end Integration

When the unsanctioned app is marked as unsanctioned the back end integration between MCAS and MDATP exchanges data and Custom Indicators are being populated. You can find these under Settings > Indicators > URLs/Domains

Like in this example we did block WhatsApp and that would replicate over to the Indicators in MDATP. The whole flow depending on sync should not take longer than 3 hours. From that you have blocked in MCAS to that the Endpoint has the blocking instruction.

Once its available in MDATP the Endpoints should update their Indicators and should start blocking.

End User Experience

At the moment the end user experience is fairly limited the user would get a Toast Notification that something has been blocked unless you have turned notifications off.

Depending on the App you are trying to communicate with the blocked app/url the behavior would occur differently.

For WhatsApp it would look like this when Launching it (sorry message in Swedish)

And a Default Notification Message like this below

Reporting

At the moment the tracking and reporting is also limited to whats available in MCAS and MDATP and its supported retention times.

Future Asks

Things I want to see and I have fed back to the Product groups I want this to evolve to going forward.

  • Support for X-Platform Devices
  • Block without Alerting like Block and Report
  • Having the possibility to do Exclusions and Custom Targeting of Devices/Users
  • Expand this to URL Categories Block / Monitor
  • Better Historical Reporting
  • Customize Messages
  • End User Coaching
  • End User Exclusion Request

If you have other ideas feel free to tweet me at @stefanschorling and I will relay.

New Threat & Vulnerability Management capabilities in Defender ATP

Microsoft announces the following new capabilities that will go into public preview this month:

  • Vulnerability Assessment (VA) support for Windows Servers 2008 R2 and above
  • Integration with ServiceNow for improved IT/Security communication
  • Advanced hunting across vulnerabilities and security alerts
  • Role-based access controls (RBAC) for teams focusing on vulnerability management
  • Automated user-impact analysis

The ServiceNow integration is very easy. Just follow the guide in the settings tab

This feature provides one-click remediation request via Service Now to other IT teams.

TVM capabilities – Let’s use in hunting 🙂

TVM hunting

RBAC – more granular control

Defender ATP rbac

Happy Hunting!

Defender ATP EDR for MAC preview

During Microsoft Ignite, Microsoft announced Defender ATP EDR capabilities for Mac is available in preview.

It’s great to see Microsoft extends the EDR capabilities to cross-platform

  1. Rich investigation experience – including machine timeline, process creation, file creation, network connections and, of course, the popular Advanced Hunting.
  2. Optimized performance – enhanced CPU utilization in compilation procedures and large software deployments.
  3. In-context AV detections – just like with Windows, get insight into where a threat came from and how the malicious process or activity was created.

More information available at
https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-for-Mac-EDR-in-Public-Preview/ba-p/985879

Happy Hunting!

Defender ATP to Linux – available next year

During Ignite Microsoft announces Defender ATP for Linux is coming next year

Extending Defender ATP to be able to natively support Windows, Mac and Linux is great news and will simplify advanced threat management across the environment.

Happy Hunting!

Hunting for MiniNt security audit block in registry

Another day in the Advanced Hunting feature.

I was told about a twitter post which explained it’s possible to block Security events from being created.

If the following key is added:
HKLM\System\CurrentControlSet\Control\MiniNt

Event Viewer after the registry key was added and after a reboot

Since it’s registry we have a lot of data to query in the Defender ATP portal (https://securitycenter.windows.com)

The Hunting query will be as follows

// Mattias Borg
// @mattiasborg82
RegistryEvents 
| where (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") or
        (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MiniNt")
| sort by EventTime desc
| project EventTime, ComputerName, RegistryKey, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessSHA1

This is the initial hunting query and might be changed to avoid False-Positives if there are any.

To be able to create a custom detection rule we need to add “MachineId” and “ReportId” to the output.

// Mattias Borg
// @mattiasborg82
RegistryEvents 
| where (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") or
        (RegistryKey  == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MiniNt")
| sort by EventTime desc
| project EventTime, ComputerName, RegistryKey, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessSHA1, MachineId, ReportId 

Click on “Create a detection rule”

create detection rule

Fill in the form and select your preferred actions

defender atp custom rule

Happy Hunting!

Azure Sentinel is now GA

Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available

azure sentinel

Some of the new features are:

  • Workbooks are replacing dashboards, providing for richer analytics and visualizations
  • New Microsoft and 3rd party connectors

Detection and hunting:

  • Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
  • Easy elevation of MTP alerts to Sentinel incidents.
  • Built-in detection rules utilizing the threat intelligence connector.
  • New ML models to discover malicious SSH access, fuse identity, and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI
  • Template playbooks now available on Github.
  • New threat hunting queries and libraries for Jupyter Notebooks

Incidents:

  • The interactive investigation graph is now publicly available.
  • Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.

MSSP and enterprise support:

  • Azure Lighthouse for multi-tenant management
  • RBAC support

For further information:

Pricing: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/
Product page: https://azure.microsoft.com/en-us/services/azure-sentinel/
Documentation: https://docs.microsoft.com/en-us/azure/sentinel/

Happy Hunting

Gartner EPP Magic quadrant 2019 – Defender in the leading quadrant

gartnereppmq2019

The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide extremely powerfull Endpoint protection platform (EPP).
Microsoft is named a leader!

With built-in powerful capability which ties to Protect, Detect and respond, they have given us great tools for our security work.

Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Window 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.

Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.

The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP,
Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.

Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.

Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.

In addition, excellent execution on its roadmap make it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.

Gartner

The benefit of the insights and protection these tools, and ability to use built-in SOAR capabilities, gives security teams around the globe a better and much faster understanding of the attacks for much fast response.

Many features like Exploit Protection, Network Protection, Attack Surface reduction, Firewall and more will provide a more reliable platform which is easy to manage.

The enriched alerts and incidents gives security teams a chance to put their effort to the critical incidents and avoid spending time trying to fight the noice in all different tools and manual tasks.

Automated investigations

Build your playbooks

Take back the control with live response

We also have the threat and vulnerability management feature which gives you visibility on vulnerable software in your estate

Threat hunting

Full gartner report:
https://www.gartner.com/doc/reprints?id=1-1OCBC1P5&ct=190731&st=sb&fbclid=IwAR3G9Otpxuc52bi0hpFE4-iGv8uhvgnxtSl0boqAU7-R4aw5MyLsuyy0fLg

Congratulations Microsoft, we’re looking forward for all coming features

Happy Hunting!