
MDATP Investigation behind forward proxy

Many companies still use forward proxies, and that makes analysing traffic from endpoints harder: the client connects to the forward proxy instead of to the public endpoint, for example http://blog.sec-labs.com.

So instead of the public endpoint you would see the process connecting to the proxy.

Microsoft has engineered around this. By enabling the Network Protection feature in either Audit mode or Block mode you can now see the public endpoint the process is actually communicating with behind the forward proxy.

Events coming from this type of detection are flagged with a "NetworkProtection" tag.

If you want to use these events in Hunting they are found in NetworkCommunicationEvents. If you know your proxy IP address you can exclude the plain client-to-proxy connections and keep the rows that carry the real destination, which is everything that went via the proxy, with the following query (replace ProxyIP with the address of your proxy):

NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"

If you want to enable Network Protection the below link will guide you through the different ways you can enable it. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection

Happy Hunting

MDATP Long Term Retention with Azure Storage Account

Microsoft Defender ATP is a great tool for enhancing your detection capabilities, and once you find incidents you can work with the Hunting capabilities we have blogged about earlier. The challenge we often face is that the Hunting data is only available for 30 days, so if you need to go back further that data is not available.

Microsoft is now introducing two new built-in methods, currently in preview, of storing that data for longer than 30 days:

  • Azure Storage Account
  • Azure Event Hub

From these you can then access the data and do what you like with it.

In this blog we will walk you through how to set up the Storage Account integration.

Storage Account Integration

Azure Portal

So first off let’s start with setting up a Storage Account in the Azure Portal

1. Create a storage account

2. Select your Subscription and Resource Group if you have one or create it.

3. Give your storage account a name and select your desired storage settings.

4. Configure Advanced settings as you need. In my case I used the defaults.

5. Add Tags if you use them, review the settings and complete the creation. Let the creation complete and go to the newly created storage account.

6. To configure the integration we need to get our resource ID so open properties of the Storage Account and copy the resource ID information.

Resource Provider and onboarding consent

We also need to make sure that microsoft.insights is registered as a resource provider. You can configure that this way:

1. In the Azure Portal, go to Subscriptions > Your subscription > Resource providers

2. On the microsoft.insights resource provider click Register if it is not already registered.

3. A Tenant Admin also has to give consent to the onboarding application. You can do this by opening the following link and signing in with the required tenant rights. https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=88cfeabb-510d-4c0d-8358-3d1929c8d828&response_type=code&sso_reload=true

Now we can move to the Microsoft Defender Security Center portal and continue configuring the integration.

MDATP Portal

In the MDATP Console go to

1. Interoperability > Data Export Settings

2. Click on Add data export settings

The wizard to export data will show up and here we have a few options.

1. Give it a Name

2. We need to have the Storage Account Resource ID from our Storage account which we stood up in the earlier steps. It can be found under properties on the storage account in the Azure Portal.

3. Check the Event Types you want to Store in your Storage Account

4. Click Save

Once you have saved, events will start being sent to your Storage Account, and if you browse the blob container in the Azure Portal you will see the different event categories.

If you click through one of them you will see that they are stored in the order "tenantid\year\month\date\hour\minute\".

The JSON records are built in the following structure:

{
    "time": "<The time WDATP received the event>",
    "tenantId": "<Your tenant ID>",
    "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>",
    "properties": { <WDATP Advanced Hunting event as JSON> }
}
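Retention is only useful if you can read the data back. The following Python is an added example (it is not from the original post and not Microsoft code) that parses exported records in the schema above, turns the "AdvancedHunting-" category back into a table name, and filters one table by time window so that a hunt can be replayed over data older than 30 days. It assumes each blob is newline-delimited JSON with one record per line (the post does not state the file layout); the sample blob, tenant ID and host names are constructed for the example.

```python
import json
from datetime import datetime

CATEGORY_PREFIX = "AdvancedHunting-"

# Constructed sample of an exported blob (not real data). One record per line
# is an assumption about the blob layout; the record schema is the one the
# post shows. The third line is deliberately not JSON to exercise error handling.
SAMPLE_BLOB = (
    '{"time": "2019-06-01T10:15:00.000Z", "tenantId": "t-1", '
    '"category": "AdvancedHunting-ProcessCreationEvents", '
    '"properties": {"EventTime": "2019-06-01T10:14:58.000Z", "ComputerName": "ws01", '
    '"FileName": "Update.exe", "ProcessCommandLine": "Update.exe --update=http://203.0.113.10/pkg"}}\n'
    '{"time": "2019-06-01T10:15:01.000Z", "tenantId": "t-1", '
    '"category": "AdvancedHunting-NetworkCommunicationEvents", '
    '"properties": {"EventTime": "2019-06-01T10:14:59.000Z", "ComputerName": "ws01", '
    '"RemoteIP": "203.0.113.10", "RemotePort": 80}}\n'
    'not json at all\n'
    '{"time": "2019-06-02T08:00:00.000Z", "tenantId": "t-1", '
    '"category": "AdvancedHunting-ProcessCreationEvents", '
    '"properties": {"EventTime": "2019-06-02T07:59:59.000Z", "ComputerName": "ws02", '
    '"FileName": "notepad.exe", "ProcessCommandLine": "notepad.exe"}}\n'
)


def parse_time(value):
    # Export timestamps end in "Z"; datetime.fromisoformat() only accepts that
    # from Python 3.11 on, so rewrite it as an explicit UTC offset first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text):
    """Turn one blob's text into flattened rows.

    Each row is the Advanced Hunting event (the "properties" object) plus
    Table (category without the prefix), ExportTime and TenantId.
    Returns (rows, number_of_skipped_lines).
    """
    rows, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except ValueError:
            skipped += 1
            continue
        category = record.get("category", "")
        if not category.startswith(CATEGORY_PREFIX) or "properties" not in record:
            skipped += 1
            continue
        row = dict(record["properties"])
        row["Table"] = category[len(CATEGORY_PREFIX):]
        row["ExportTime"] = parse_time(record["time"])
        row["TenantId"] = record.get("tenantId")
        rows.append(row)
    return rows, skipped


def select_table(rows, table, start=None, end=None):
    """Rows of one Advanced Hunting table, optionally limited to [start, end)."""
    out = []
    for row in rows:
        if row["Table"] != table:
            continue
        if start is not None and row["ExportTime"] < start:
            continue
        if end is not None and row["ExportTime"] >= end:
            continue
        out.append(row)
    return out


def hunt(rows, table, predicate, start=None, end=None):
    """Apply a hunting predicate to one table: the offline equivalent of a where clause."""
    return [row for row in select_table(rows, table, start, end) if predicate(row)]


if __name__ == "__main__":
    rows, skipped = parse_export(SAMPLE_BLOB)
    print(f"{len(rows)} rows parsed, {skipped} lines skipped")
    for hit in hunt(rows, "ProcessCreationEvents",
                    lambda r: "http" in r["ProcessCommandLine"].lower()):
        print(hit["ExportTime"], hit["ComputerName"], hit["ProcessCommandLine"])
```

In practice you would feed parse_export() the text of each blob you download for the time range you care about; because the folder layout is time based you only have to download the hours you are investigating.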

Advanced Hunting – Defender ATP – Squirrel

When working with Advanced Hunting in Defender ATP you tend to keep updating your queries as you learn. You will probably also notice that sometimes a query was not broad enough, or that not all the information was available at the time. And sometimes you just want it to look better for others to use in a shared environment.

We have updated the Squirrel hunting query to cover more parameters. We simply drop the check for a specific parameter and focus on the http part instead.

There are also some legitimate update URLs used by applications, Slack and Discord among them, which we exclude.

ProcessCreationEvents
| where (ProcessCommandLine has "update.exe") or (ProcessCommandLine has "squirrel.exe")
| where (ProcessCommandLine contains "http")
| extend URL=extract(@"((http:|https:)+[^\s]+[\w])", 1, ProcessCommandLine)
| where URL !in ("https://slack.com/desktop/update/windows_x64", "https://discordapp.com/api/updates/stable")
| sort by EventTime desc 
| project EventTime, 
          ComputerName,
          URL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId

Happy Hunting!

Hunt for nuget/Squirrel update vulnerability

A few days ago a post on Medium stated that arbitrary code execution was possible in Squirrel, which affected Teams and other applications that use Squirrel and NuGet for updates.

https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12

In the post Teams is used as the example, but other affected applications were mentioned on Twitter.

So, to see what our environment is up to with regards to this, we go to our favourite place: Defender ATP Advanced Hunting!

To explain the query: since there are other apps than Teams that use Squirrel, we aim to keep the query as broad as we can.

Since some applications legitimately use Squirrel with a web URL for updates we cannot simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.

To make it easier to get an overview we add the URL as a column.

From there we can count unique URLs to find anomalies.

Edit: An updated query can be found at http://blog.sec-labs.com/2019/07/advanced-hunting-defender-atp-squirrel/

ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1), 
                       ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1), 
                       "Default")
| where exeURL != "Default"
| sort by EventTime desc 
| project EventTime, 
          ComputerName,
          exeURL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId
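Both Squirrel queries on this page boil down to the same detection: find update.exe or squirrel.exe started with an http(s) URL, pull the URL out, drop the known-good update endpoints and count what is left. The following Python is an added example (not from the original posts) that runs that logic over constructed ProcessCreationEvents rows so you can check the regular expression and the allow list offline. It uses the same URL regex as the updated KQL query and the same two known-good URLs; the sample command lines and host names are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Same pattern as the KQL extract(): the URL starts at http: or https: and runs
# to the next whitespace, and must end on a word character.
URL_RE = re.compile(r"((?:https?:)+[^\s]+[\w])")

# Update endpoints the posts treat as legitimate.
KNOWN_GOOD_URLS = {
    "https://slack.com/desktop/update/windows_x64",
    "https://discordapp.com/api/updates/stable",
}

# Constructed ProcessCreationEvents-style rows (not real telemetry).
SAMPLE_EVENTS = [
    {"ComputerName": "ws01",
     "ProcessCommandLine": "Update.exe --update=https://slack.com/desktop/update/windows_x64"},
    {"ComputerName": "ws02",
     "ProcessCommandLine": '"C:\\Users\\a\\AppData\\Local\\Discord\\Update.exe" '
                           "--update https://discordapp.com/api/updates/stable"},
    {"ComputerName": "ws03",
     "ProcessCommandLine": "Update.exe --update=http://203.0.113.10/evil.nupkg"},
    {"ComputerName": "ws04",
     "ProcessCommandLine": "squirrel.exe --download=https://updates.example.test/teams"},
    {"ComputerName": "ws05",
     "ProcessCommandLine": "Update.exe --processStart Teams.exe"},
]


def is_squirrel(cmd):
    """The KQL 'has update.exe or squirrel.exe' check."""
    c = cmd.lower()
    return "update.exe" in c or "squirrel.exe" in c


def extract_url(cmd):
    """First http(s) URL in the command line, or None."""
    m = URL_RE.search(cmd)
    return m.group(1) if m else None


def hunt_squirrel(events, known_good=KNOWN_GOOD_URLS):
    """Rows where a Squirrel binary was given an http(s) URL that is not on the allow list."""
    hits = []
    for e in events:
        cmd = e["ProcessCommandLine"]
        if not is_squirrel(cmd) or "http" not in cmd.lower():
            continue
        url = extract_url(cmd)
        if url is None or url in known_good:
            continue
        hits.append(dict(e, URL=url))
    return hits


def url_host_counts(events):
    """Count Squirrel invocations per host name, the 'count unique URLs' anomaly step."""
    counts = Counter()
    for e in events:
        cmd = e["ProcessCommandLine"]
        url = extract_url(cmd)
        if url and is_squirrel(cmd):
            counts[urlsplit(url).netloc.lower()] += 1
    return counts


if __name__ == "__main__":
    for hit in hunt_squirrel(SAMPLE_EVENTS):
        print(hit["ComputerName"], hit["URL"])
    print(url_host_counts(SAMPLE_EVENTS).most_common())
```

The allow list is an exact URL match, as in the KQL; a host that only appears once in url_host_counts() across a large estate is the anomaly the post suggests looking for.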

Defender Application Control would definitely block this attack and other mitigations in operating system will harden the clients in your environment.

Happy Hunting!

Hunting for USB Rubber Ducky/ Bad USB with ATP

Alright, so we are here again with a hunting query to help catch some bad people out there.

This hunt started as a discussion with a customer, and we figured we should be able to chain queries to see what happens after an event in order to decide whether it is malicious or not.

Just to clear things up:
A USB Rubber Ducky is not something your AV solution would pick up. It is a keyboard, a pre-programmable keyboard. It is exactly the same thing as plugging in a USB keyboard and typing, except you have already told the keyboard what to type.

The Ducky language is very simple, as shown in the example below:

DELAY 3000
GUI r
DELAY 100
STRING powershell xxxxxxxx
ENTER

The example waits for 3 seconds, presses the Windows key and "r", waits another 100 ms, then types "powershell xxxxxxx" and presses Enter.

USB Rubber Ducky

You encode the text file to a binary and load it onto the flash memory inside the device. That memory is read by the Rubber Ducky itself, not by the computer you plug it into, so the computer only ever sees a keyboard. You can change some of this behaviour depending on how you configure the device, but that is the general idea.

Hunting USB devices

It is easy to find the PnP events, which could be headsets, mass storage devices, keyboards etc. Note that the device details are in the AdditionalFields JSON and have to be parsed out:

    MiscEvents
    | where ActionType == "PnpDeviceConnected"
    | extend parsed=parse_json(AdditionalFields)
    | sort by EventTime desc nulls last 
    | project 
        EventTime,
        ComputerName,
        DeviceDescription=tostring(parsed.DeviceDescription),
        ClassName=tostring(parsed.ClassName),
        DeviceId=tostring(parsed.DeviceId),
        VendorIds=tostring(parsed.VendorIds), MachineId , ReportId 

Mass storage devices

MiscEvents
| where ActionType == "PnpDeviceConnected"
| extend ParsedFields=parse_json(AdditionalFields)
| project ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription),
DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), MachineId, ComputerName, EventTime
| where ClassName contains "drive" or ClassName contains "usb"
| where DeviceDescription contains "Mass Storage"

But the idea when hunting for Duckies is that we want to see what happens after the device loads:

  • Device connected
  • Someone executes PowerShell or cmd within a certain amount of time (10 seconds)

To explain further:

We gather all events where the action type is "PnpDeviceConnected" and the device description is "HID Keyboard Device".

Then we gather process starts that contain powershell or cmd, compare the time of the two events, and only present the ones where the process start happened within 10 seconds after the device load event.

// Hunting for malicious HID Keyboard devices
// PNP Event and Powershell or CMD within 10 seconds after driver load
let MalPnPDevices =
    MiscEvents
    | where ActionType == "PnpDeviceConnected"
    | extend parsed=parse_json(AdditionalFields)
    | sort by EventTime desc nulls last 
    | where parsed.DeviceDescription == "HID Keyboard Device"
    | project PluginTime=EventTime, ComputerName,parsed.ClassName, parsed.DeviceId, parsed.DeviceDescription, AdditionalFields;
ProcessCreationEvents
| where ProcessCommandLine contains "powershell" or
        ProcessCommandLine startswith "cmd" 
| where isnotempty(ProcessCommandLine)         
| project ProcessCommandLine, ComputerName, EventTime, ReportId, MachineId
| join kind=inner MalPnPDevices on ComputerName
| where (EventTime-PluginTime) between (0min..10s)
| where ComputerName == ComputerName1
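The temporal join above is the part worth understanding, so here is the same logic in Python as an added example (not from the original post): it parses the AdditionalFields JSON exactly as the KQL does, keeps only HID keyboard plug-ins, and reports shell starts on the same host within the window. Running it with a wider window shows the trade-off the next paragraph discusses. All events, hosts and device IDs are constructed for the example.

```python
import json
from datetime import datetime, timedelta


def ts(value):
    return datetime.fromisoformat(value)


# Constructed MiscEvents-style rows (not real telemetry). AdditionalFields is the
# JSON string that the page's queries feed to parse_json().
PNP_EVENTS = [
    {"EventTime": ts("2019-05-01T09:00:00"), "ComputerName": "ws01",
     "AdditionalFields": json.dumps({"DeviceDescription": "HID Keyboard Device",
                                     "ClassName": "HIDClass",
                                     "DeviceId": "HID\\VID_03EB&PID_2401\\1"})},
    {"EventTime": ts("2019-05-01T09:30:00"), "ComputerName": "ws02",
     "AdditionalFields": json.dumps({"DeviceDescription": "USB Mass Storage Device",
                                     "ClassName": "USB",
                                     "DeviceId": "USB\\VID_0781&PID_5567\\1"})},
    {"EventTime": ts("2019-05-01T10:00:00"), "ComputerName": "ws03",
     "AdditionalFields": json.dumps({"DeviceDescription": "HID Keyboard Device",
                                     "ClassName": "HIDClass",
                                     "DeviceId": "HID\\VID_046D&PID_C31C\\1"})},
]

# Constructed ProcessCreationEvents-style rows.
PROCESS_EVENTS = [
    {"EventTime": ts("2019-05-01T08:59:59"), "ComputerName": "ws01",
     "ProcessCommandLine": "cmd.exe /c dir"},                       # before the plug-in
    {"EventTime": ts("2019-05-01T09:00:04"), "ComputerName": "ws01",
     "ProcessCommandLine": "powershell -w hidden -enc SQBFAFgA"},   # 4 s after: hit
    {"EventTime": ts("2019-05-01T09:30:03"), "ComputerName": "ws02",
     "ProcessCommandLine": "cmd /c whoami"},                        # mass storage, not a keyboard
    {"EventTime": ts("2019-05-01T10:00:12"), "ComputerName": "ws03",
     "ProcessCommandLine": "powershell.exe -c Get-Date"},           # 12 s after: outside 10 s
    {"EventTime": ts("2019-05-01T10:00:05"), "ComputerName": "ws03",
     "ProcessCommandLine": "notepad.exe"},                          # not a shell
]


def keyboard_plugins(pnp, description="HID Keyboard Device"):
    """PnpDeviceConnected rows whose AdditionalFields describe a HID keyboard, keyed by host."""
    by_host = {}
    for row in pnp:
        fields = json.loads(row["AdditionalFields"])
        if fields.get("DeviceDescription") != description:
            continue
        by_host.setdefault(row["ComputerName"], []).append(
            {"PluginTime": row["EventTime"], "DeviceId": fields.get("DeviceId")})
    return by_host


def is_shell(cmd):
    """The KQL filter: command line contains powershell or starts with cmd."""
    c = cmd.lower()
    return "powershell" in c or c.startswith("cmd")


def correlate(pnp, procs, window=timedelta(seconds=10)):
    """Shell starts on the same host within `window` after a keyboard plug-in."""
    plugins = keyboard_plugins(pnp)
    hits = []
    for proc in procs:
        if not is_shell(proc["ProcessCommandLine"]):
            continue
        for kb in plugins.get(proc["ComputerName"], []):
            delta = proc["EventTime"] - kb["PluginTime"]
            # Same test as the KQL "between (0min..10s)": after the plug-in, not before.
            if timedelta(0) <= delta <= window:
                hits.append({"ComputerName": proc["ComputerName"],
                             "DeviceId": kb["DeviceId"],
                             "DelaySeconds": delta.total_seconds(),
                             "ProcessCommandLine": proc["ProcessCommandLine"]})
    return hits


if __name__ == "__main__":
    for window in (timedelta(seconds=10), timedelta(seconds=15)):
        print(f"window {window.total_seconds():.0f}s:")
        for hit in correlate(PNP_EVENTS, PROCESS_EVENTS, window):
            print("  ", hit["ComputerName"], hit["DelaySeconds"], hit["ProcessCommandLine"])
```

With the 10 second window only ws01 is reported; widening it to 15 seconds also catches ws03, which is exactly why the window has to be tuned against how long a legitimate user takes to open a shell after plugging in a keyboard.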

Of course, the 10 seconds is essentially the DELAY value in the Ducky script. If an attacker sets 11 seconds we would miss it, so this query has to be tuned for your environment.

There is another thing to keep in mind: as an attacker you want to deliver the payload as quickly as possible, but you still need to give the driver time to load.

I usually use between 3-6 seconds as initial payload for my duckies.


You could also chain this with other events, like networkevents to discover network request after a specific event.

Happy Hunting!


Threat and Vulnerability management with Defender ATP

Until today you had to keep track of vulnerabilities in applications yourself, create your own dashboards and use third-party systems for the inventory.

Today Microsoft released the Threat and Vulnerability Management dashboard as a part of Defender ATP.

TVM Dashboard

This dashboard provides a lot of insight in your environment with cloud scale, even the systems which are never in the office.

You can find the new dashboard by clicking on the little castle with the flag in the menu bar.

Dashboard

This part gives you a full overview of vulnerabilities like

  • Exposure Score
  • Configuration Score
  • Top vulnerable applications
  • Top exposed machines
  • Top remediation activities
  • Exposure distribution

You are also presented with the top security recommendations


Security Recommendations

In the security recommendations view you can view and sort based on components, remediation type etc.

If we look at the details for one of the entries we can see a description, vulnerability details, the affected machines and related CVEs.

security recommendation details

If we click Open software page from this view, we can see further details.

If we open one of the items from that view, we can see the risks, category and other IDs.

Working with remediation plans

We can create activities and set the due date for each activity.

This can also be exported to a CSV file.

When we have selected items for remediation we can follow up in the remediation view.

Software Inventory

In this part we get an overview of all applications, their weaknesses and whether there are any known exploits.

The information from TVM is also linked to the machine page.

Happy Hunting!

March updates to Windows 10 for Cloud App Discovery integration in MDATP

Who doesn't want to get in control of their cloud app usage and get a nice cloud usage dashboard like this?

With the March 2019 updates to Windows 10 1709 and 1803, Microsoft has backported the Cloud App Discovery capabilities from 1809, so you now get discovery data from Windows 10 devices running 1709 and above. All you need to do is enable the integration, and your machines that are onboarded to MDATP will start reporting in.

Microsoft has also backported some capabilities around Automated Investigation and Remediation and memory forensics.

Happy Hunting

https://support.microsoft.com/en-us/help/4489890/windows-10-update-kb4489890
https://support.microsoft.com/en-us/help/4489894/windows-10-update-kb4489894

Hunting Windows Defender Exploit Guard with ATP

Alright, since I happen to be in a blogging mood I keep the posts coming.

This post continues to explore the hunting capabilities in Defender ATP by querying for Exploit Guard detections.

So what is Exploit Guard?

Windows Defender Exploit Guard is a set of intrusion prevention capabilities built into Windows 10 1709 and newer versions.

Exploit Guard consists of four components designed to lock down the device against a wide variety of attack vectors and block behaviours commonly used in malware attacks, while letting enterprises balance their security risk and productivity requirements:

Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting onto the machine by blocking Office-, script- and email-based threats
Network Protection: Protects the endpoint against web-based threats by blocking outbound connections from any process on the device to untrusted hosts/IPs through Windows Defender SmartScreen
Controlled Folder Access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
Exploit Protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Example of ASR rules

• Block Office apps from creating executable content
• Block Office apps from launching child process
• Block Office apps from injecting into process
• Block Win32 imports from macro code in Office
• Block obfuscated macro code

Exploit Guard is configured through MDM (Intune), SCCM, GPOs or PowerShell.

If you have a Microsoft 365 E5 licence or the Threat Protection licence package, you do not have to use Windows Event Forwarding to get the events into a central log solution. They are automatically forwarded to the Microsoft 365 security portal at https://security.microsoft.com, which has a nice dashboard where you can see alerts and the configuration of ASR and other components.

The following dashboard is part of the Monitor and Report section in the portal.

Back to Defender ATP and the hunting this post was supposed to be about.

We have published some posts about hunting with custom alerts.

In the Defender ATP query console we worked backwards to find the ASR events. It is simple: configure your client, run a few attacks that trigger the alerts.

We then looked in MiscEvents for all events, filtered on computer name and time, which gave us the ActionTypes to use in the query.

Examples from the output:

AsrOfficeMacroWin32ApiCallsAudited
AsrPsexecWmiChildProcessBlocked
ControlledFolderAccessViolationBlocked
ExploitGuardAcgAudited
ExploitGuardChildProcessAudited
ExploitGuardNetworkProtectionBlocked
ExploitGuardNonMicrosoftSignedAudited
ExploitGuardWin32SystemCallBlocked
SmartScreenAppWarning
SmartScreenUrlWarning
SmartScreenUserOverride

Interesting note: "SmartScreenUserOverride" is a separate event, so a user clicking through a SmartScreen warning can be queried on its own.

Once we had the raw ActionTypes we created a query that covers as much as we could.

//Happy Hunting
MiscEvents 
| where ActionType contains "asr" or
        ActionType contains "Exploit" or
        ActionType contains "SmartScreen" or
        ActionType contains "ControlledFolderAccess"
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc 
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,  
         FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
         JsonOut.IsAudit,JsonOut.Uri,JsonOut.RuleId,JsonOut.ActivityId
         

We also parse AdditionalFields to add extra value for the events that carry such data (IsAudit, Uri, RuleId and ActivityId).

From this point we can add further filters. For example, if you want to enable ASR enterprise wide, set the rules to audit mode, report on the events without affecting user productivity, remediate what they surface, and then roll out block mode enterprise wide.

Happy Hunting!

Audit Scheduled tasks using Azure Sentinel

Azure Sentinel is a powerful cloud-based SIEM solution.
This blog series will be about how to work with Sentinel.

It will be example based, covering different situations we might run into.

This first post is about how you can work with logs to get insight into Scheduled Tasks, a common way for attackers to persist in your network.

For further information regards Sentinel, visit https://azure.microsoft.com/en-us/services/azure-sentinel/

Scheduled Tasks

By default no events are created when someone creates or modifies a scheduled task. To enable logging you have to enable auditing of object access; the subcategory that produces the task events is Other Object Access Events.

To view the current settings, use the following command:

auditpol.exe /get /category:*

Only Success auditing is required for this. It gives us event 4698 (a scheduled task was created).

To enable logging, create a new GPO and assign the setting (depending on whether you want success and failure or only success).

You also have to configure your agents to send logs to your workspace. You can download the agent from the Azure Sentinel workspace / <workspace name> / Advanced Settings.

Otherwise, you can add the Sentinel workspace to your existing agents:

# Attach an existing Microsoft Monitoring Agent to the Sentinel workspace
$Agent = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
$ID = "<WorkspaceID>"
$Key = "<key>"
$Agent.AddCloudWorkspace($ID, $Key)
# The agent only picks up the new workspace after a service restart
Restart-Service HealthService

In Azure Sentinel – Data connectors, configure Security Events

Azure Sentinel Connectors

Verify that the computers are sending heartbeats (the latest heartbeat per computer):

Heartbeat | summarize arg_max(TimeGenerated, *) by Computer

So now we have logs from two computers, and we want to query for Scheduled Tasks.

A simple way is to just query the EventID


We can use project to format our table, but we still want information about the tasks that were created to get a better overview.

According to the documentation we can use the parse operator to split a string column into one or more calculated columns:

https://docs.microsoft.com/en-us/azure/kusto/query/parseoperator

//Example
SecurityEvent
| where EventID == 4698
| parse EventData with * '"SubjectUserName">' SubjectUserName '<' * '"SubjectDomainName">' SubjectDomainName '<' *

This query will:

  • Select all events where EventID is 4698
  • Parse the EventData column and look for '"SubjectUserName">'
  • Put everything up to the next '<' into a column named SubjectUserName
  • The wildcard skips ahead again
  • Continue parsing until '"SubjectDomainName">'
  • Put everything up to the next '<' into a column named SubjectDomainName

To get some really useful information we continue parsing the content until we have everything we need:

//Sec-Labs Demo - Sentinel Hunting for Scheduled Tasks Persistence
let start=datetime("2019-03-12T19:39:47.762Z");
let end=datetime("2019-03-19T22:39:47.762Z");
SecurityEvent
| where TimeGenerated > start and TimeGenerated < end
| where EventID == 4698
| parse EventData with * '"SubjectUserName">' SubjectUserName '<' * '"SubjectDomainName">' SubjectDomainName '<' * '"TaskName">\\' TaskName '<' * 'Author>' Author '<' * '<Command>' SchedCommand '</Command' * 'Arguments>' SchedArgs '</Arguments' * 'WorkingDirectory>' SchedDir '&' *
| where isnotempty (SubjectUserName) 
| project TimeGenerated,SubjectUserName,Computer,Activity,SubjectDomainName,TaskName,SchedCommand,SchedArgs,SchedDir
| project-rename CreatedBy = SubjectUserName
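The parse pattern above is quick to write but brittle: it depends on the exact character that follows each value. For analysis outside the workspace the following Python is an added example (not from the original post) that pulls the same fields out of a 4698 event by parsing the EventData XML properly, including the TaskContent value that carries the task definition as escaped XML, and then applies a small triage rule to the Exec action. It assumes the EventData is in the form Windows writes it (TaskContent XML-escaped inside its Data element; the workspace may present it slightly differently, which is what the parse pattern above reflects). The sample event, user, SID and task are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed 4698 EventData (not a real event): Data elements as Windows writes
# them, with TaskContent holding the task definition as escaped XML.
SAMPLE_EVENT_DATA = (
    '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data>'
    '<Data Name="SubjectUserName">alice</Data>'
    '<Data Name="SubjectDomainName">CORP</Data>'
    '<Data Name="SubjectLogonId">0x3e7</Data>'
    '<Data Name="TaskName">\\Microsoft\\Windows\\Updater</Data>'
    '<Data Name="TaskContent">'
    '&lt;?xml version="1.0" encoding="UTF-16"?&gt;'
    '&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;'
    '&lt;RegistrationInfo&gt;&lt;Author&gt;CORP\\alice&lt;/Author&gt;&lt;/RegistrationInfo&gt;'
    '&lt;Actions Context="Author"&gt;&lt;Exec&gt;'
    '&lt;Command&gt;powershell.exe&lt;/Command&gt;'
    '&lt;Arguments&gt;-w hidden -enc SQBFAFgA&lt;/Arguments&gt;'
    '&lt;WorkingDirectory&gt;C:\\Users\\alice\\AppData\\Local\\Temp&lt;/WorkingDirectory&gt;'
    '&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;'
    '</Data>'
    '</EventData>'
)

TASK_FIELDS = ("Author", "Command", "Arguments", "WorkingDirectory")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32")


def _strip_namespaces(root):
    # Both the event schema and the task schema use a default namespace;
    # drop it so lookups can use the plain element names.
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def parse_4698(event_data):
    """Subject, task name and the task's Exec action from one 4698 EventData string."""
    root = _strip_namespaces(ET.fromstring(event_data))
    # ElementTree already unescapes &lt; &gt; in text, so TaskContent comes back as XML.
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    task = {
        "CreatedBy": fields.get("SubjectUserName"),
        "Domain": fields.get("SubjectDomainName"),
        "TaskName": fields.get("TaskName"),
    }
    task.update({k: None for k in TASK_FIELDS})
    # The task definition declares encoding="UTF-16"; strip the declaration
    # before parsing the (already decoded) str.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", fields.get("TaskContent", ""))
    if content.strip():
        task_root = _strip_namespaces(ET.fromstring(content))
        for key in TASK_FIELDS:
            el = task_root.find(".//" + key)
            if el is not None:
                task[key] = el.text or ""
    return task


def suspicious(task):
    """Cheap triage of the Exec action; returns the reasons it looks like persistence."""
    reasons = []
    cmd = (task["Command"] or "").lower()
    args = (task["Arguments"] or "").lower()
    wd = (task["WorkingDirectory"] or "").lower()
    if any(host in cmd for host in SCRIPT_HOSTS):
        reasons.append("script host as task action")
    if re.search(r"(^|\s)-(e|ec|enc|encodedcommand)\b", args) or "http" in args:
        reasons.append("encoded or remote payload in arguments")
    if any(p in wd for p in ("\\appdata\\", "\\temp\\", "\\users\\public\\")):
        reasons.append("user-writable working directory")
    return reasons


if __name__ == "__main__":
    task = parse_4698(SAMPLE_EVENT_DATA)
    for key, value in task.items():
        print(f"{key:17} {value}")
    print("flags:", suspicious(task))
```

The triage rule is deliberately simple; the value of parsing the XML rather than scraping it is that Arguments and WorkingDirectory come back intact even when they contain the characters the parse pattern uses as delimiters.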


To rename columns, you can use project-rename <new name> = <old column name>

Happy Hunting!