Identify

Taking actions on on-prem accounts with MDI Action Account, troubleshooting

Background

The response action of blocking a compromised account is important to have available. Regardless of solution one must be able to quick and easy be able to block an account.  In MDI (part of Microsoft 365 Defender) it is possible since some time ago to configure an MDI Action Account, lately the option to run with the system account of the Domain Controller has been added to this feature and therefor you don’t have to configure the gMSA account.

Using system or a custom gMSA account

The choice is made based on organizational structure, Tiering/RBAC, MSSP partner. Basically, if you are required to delegate the permissions to only allow actions on accounts in certain OU’s, then you must use a custom gMSA accounts.

For example, if you have a MSSP partner monitoring your security and take actions to discovered threats, a so called MDR (Managed Detection and Response), you have an option to control to which accounts the MSSP can take actions.

The available actions are:

  • Disable user in Active Directory: This will temporarily prevent a user from logging in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
  • Suspend user in Azure Active Directory: This will temporarily prevent a user from logging in to Azure Active Directory. This can help prevent compromised users from attempting to exfiltrate data and minimizes the time between Disable user in Active Directory and the sync of this status to the cloud.
  • Reset user password – This will prompt the user to change their password on the next logon, ensuring that this account can’t be used for further impersonation attempts.

From an MSSP perspective, this feature is very useful since there wouldn’t require customer access (VPN or other kind of access) to respond to threats. Even though this feature is very popular for MSSPs, you will still want to have this option if you have your internal security operations to be able to respond from the portal you are currently working in.

Even though this feature is very popular for MSSPs

To learn how to create and configure the gMSA account you can start with this link
https://learn.microsoft.com/en-us/defender-for-identity/manage-action-accounts

Troubleshooting

(The troubleshooting path will be updated based on troubleshooting session done with customers)

There 2 primary sources for troubleshooting this, sensor logs and event logs. Preferably the logs are sent to SIEM solution (like Microsoft Sentinel).

Using Sentinel (or look in the event viewer, or if you have another SIEM solution in place).

SecurityEvent | where Account has "gMSA-MDIAction$"

Note the $ character in the account name, gMSA account is more like a computer account. It’s the type of msDS-GroupManagedServiceAccount.

If the account doesn’t have logons ending with a $ (like a computer account), then it’s not a gMSA account and start there by creating a one.

https://learn.microsoft.com/en-us/defender-for-identity/manage-action-accounts

This can also be checked on the logon event (this will trigger 4625, logon failed)

Verify that the AccountType is “Machine”

Successful sign-in:

Account is not allowed to logon as a service

If the gMSA Account is setup and configured correctly and there is still event 4625 being logged.

Check the Status property of the login event

0xc000015b indicates that the account is not allowed to login0xC000015B

STATUS_LOGON_TYPE_NOT_GRANTED, A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who can logon interactively and through the network.

More information about the Status property can be found here:

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55

To address this issue you need to create a new or update existing policy to allow that account to logon as service on the target system (the DCs)

https://learn.microsoft.com/en-us/system-center/scsm/enable-service-log-on-sm?view=sc-sm-2022#enable-service-log-on-through-a-local-group-policy

Successful events effecting the user you try to take action on

The following query will find events of enabling and disabling a user

SecurityEvent
| where EventID in(4738,4725,4722)
| where Account contains "gMSA-mdi-action$"
| where TargetAccount contains "test" //the user you want to take action on
You see 4738 “A user account was changed” at the same timestamp as the 4725 and 4722 and the 4738 event show the UAC 0x10: Account Enabled and 0x11: Account Disabled

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738

Hope this helps!

We will continue to update this post if we run into other related troubleshootings

//Happy Hunting

Gartner EPP Magic quadrant 2019 – Defender in the leading quadrant

The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide extremely powerfull Endpoint protection platform (EPP).
Microsoft is named a leader!

With built-in powerful capability which ties to Protect, Detect and respond, they have given us great tools for our security work.

Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Window 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.

Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.

The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP,
Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.

Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.

Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.

In addition, excellent execution on its roadmap make it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.

Gartner

The benefit of the insights and protection these tools, and ability to use built-in SOAR capabilities, gives security teams around the globe a better and much faster understanding of the attacks for much fast response.

Many features like Exploit Protection, Network Protection, Attack Surface reduction, Firewall and more will provide a more reliable platform which is easy to manage.

The enriched alerts and incidents gives security teams a chance to put their effort to the critical incidents and avoid spending time trying to fight the noice in all different tools and manual tasks.

Automated investigations

Build your playbooks

Take back the control with live response

We also have the threat and vulnerability management feature which gives you visibility on vulnerable software in your estate

Threat hunting

Full gartner report:
https://www.gartner.com/doc/reprints?id=1-1OCBC1P5&ct=190731&st=sb&fbclid=IwAR3G9Otpxuc52bi0hpFE4-iGv8uhvgnxtSl0boqAU7-R4aw5MyLsuyy0fLg

Congratulations Microsoft, we’re looking forward for all coming features

Happy Hunting!

MDATP Long Term Retention with Azure Storage Account

 Microsoft Defender ATP is a great tool for enhancing your Detection capabilities and once you find incidents you can work with the Hunting capabilities we have blogged about earlier. The challenge we often face is that the Hunting Data is only available for 30 days so if you need to go back further that data is not available.

Microsoft is now introducing two new built-in methods of storing that data for longer than 30 days, currently in preview

  • Azure Storage Account
  • Azure Event Hub

And from these you can then access the data and do what you like with it.

In this blog we will walk you through how you can set these up the Storage Account integration.

Storage Account Integration

Azure Portal

So first off let’s start with setting up a Storage Account in the Azure Portal

1. Create a storage account

2. Select your Subscription and Resource Group if you have one or create it.

3. Give your storage account a name and select your desired storage settings.

4. Configure Advanced settings as you need. In my case I used the defaults.

5. Add Tags if you are using it and review the settings and complete the creation, Let the creation complete and go to the newly created storage account.

6. To configure the integration we need to get our resource ID so open properties of the Storage Account and copy the resource ID information.

Resource Provider and onboarding consent

We also need to make sure we have microsoft.insights registered as a resource provider you can configure that this way.

1. In the Azure Portal, go to – Subscriptions > Your subscription > Resource Provider

2. On the microsoft.insights recourse provider click register if its not already registered.

3. A Tenant Admin has also to give concent to the onboarding application. you can do this by clicking on the follwoing link and logging on with the desired Tenant rights. https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=88cfeabb-510d-4c0d-8358-3d1929c8d828&response_type=code&sso_reload=true

Now we can move to the security center portal and continue configuring the integration.

MDATP Portal

In the MDATP Console go to

1. Interoperability > Data Export Settings

2. Click on Add data export settings

The wizard to export data will show up and here we have a few options.

1. Give it a Name

2. We need to have the Storage Account Resource ID from our Storage account which we stood up in the earlier steps. It can be found under properties on the storage account in the Azure Portal.

3. Check the Event Types you want to Store in your Storage Account

4. Click Save

Once you have saved Events will start being sent to your Storage Account and if you browse the blob in the Azure Portal you will see the different events categories.

If you click through one of them you will see that they are stored in an order of “tenantid\year\month\date\hour\minute\”

The schema of the JSON files is build in the following structure

{

           {

                    “time”: ” <The time WDATP received the event>

                    “tenantId”: ”  <Your tenant ID>

                    “category”: ” <The Advanced Hunting table name with ‘AdvancedHunting-‘ prefix>

                    “properties”: { <WDATP Advanced Hunting event as Json> }

            }               

}

Threat and Vulnerability management with Defender ATP

Until today you had to keep track on vulnerabilities in applications, create your custom dashboards and use 3rd party systems for the inventory.

Today microsoft released Threat and Vulnerability Management Dashboard as a part of Defender ATP.

TVM Dashboard

This dashboard provides a lot of insight in your environment with cloud scale, even the systems which are never in the office.

You can find the new dashboard by clicking on the little castle with the flag in the menu bar.

Dashboard

This part gives you a full overview of vulnerabilities like

  • Exposure Score
  • Configuration Score
  • Top vulnerable applications
  • Top exposed machines
  • Top remediation activities
  • Exposure distribution

You are also presented with the top security recommendations


Security Recommendations

In the security recommendations view you can view and sort based on components, remediation type etc

If we look at the details for one of the entries we can se a description, vulernability details, the affected machines and related CVE’s

security recommendation details

If we from this view clicks on Open Sofware page, we can see further details

If we from this view opens one of the items, we can see the risks, category and other ID’s

Working with remedation plans

We can create activities and set the due date for that activity

This an also be exported to a CSV file

When we have selected items for remediation we can look in the remediation view for follow up

Sofware Inventory

In this part we get an overview of all applications, weaknesses and if there are any known exploits.

The information from TVM is also linked to the machine page

Happy Hunting!

March updates to Windows 10 for Cloud App Discovery integration in MDATP

Who doesn’t want to get in control of their Cloud App Usage, and get a nice cloud usage dashboard like this?

With the latest March 2019 Updates to Windows 10, 1709 and 1803 Microsoft has back ported the Cloud App Discovery Capabilities from 1809 so now you will get Discovery Data from Windows 10 devices ranging from 1709 and above, all you need to do is to enable the integration and your machines that are on boarded to MDATP will start reporting in.

Microsoft has also included some back porting regarding Automatic Investigation, Remediation, Memory Forensic.

Happy Hunting

https://support.microsoft.com/en-us/help/4489890/windows-10-update-kb4489890
https://support.microsoft.com/en-us/help/4489894/windows-10-update-kb4489894

Hunting Windows Defender Exploit Guard with ATP

Alright, since I happen to be in a blog mode I keep the posts coming.

This post continue to explore the hunting capatibilities in Defender ATP by query for Exploit Guard detections.

So what’s this Exploit Guard?

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities which are built-in with Windows 10, 1709 and newer versions.

Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements

ComponentDetails
Attack Surface Reduction (ASR)A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
Network Protection Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
Controlled Folder AccessProtects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
Exploit ProtectionA set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Example of ASR rules

• Block Office apps from creating executable content
• Block Office apps from launching child process
• Block Office apps from injecting into process
• Block Win32 imports from macro code in Office
• Block obfuscated macro code

Exploit Guard is configured through MDM (Intune) or SCCM or GPO’s or PowerShell.

If you have Microsoft 365 E5 license or Threat Protection license package, you don’t have to use Windows Event Forward to get the events in a central log solution. They will automatically be forwarded to your Microsoft 365 security portal https://security.microsoft.com where you have a nice looking dashboard where you can see alerts and configurations of ASR and other things.

This following dashboard is a part from the Monitor and Report section in the portal

Back to Defender ATP and the hunting which this post was supposed to be all about.

We have published some posts now about hunting custom alerts.

In the query console in Defender ATP we started to go backwards to find the ASR events. It’s simple. configure your client, run a few attacks which will trigger the alerts.

We looked in the MiscEvents for all events (filtered on computername and time). Which gaves us ideas of ActionTypes to use in the query.

Examples from the output:

AsrOfficeMacroWin32ApiCallsAudited
AsrPsexecWmiChildProcessBlocked
ControlledFolderAccessViolationBlocked
ExploitGuardAcgAudited
ExploitGuardChildProcessAudited
ExploitGuardNetworkProtectionBlocked
ExploitGuardNonMicrosoftSignedAudited
ExploitGuardWin32SystemCallBlocked
SmartScreenAppWarning
SmartScreenUrlWarning
SmartScreenUserOverride

Interesting note “SmartScreenUserOverride” is a separate event which you can query

When we had the raw Actiontypes we created the query to cover as much as we could.

//Happy Hunting
MiscEvents 
| where ActionType contains "asr" or
        ActionType contains "Exploit" or
        ActionType contains "SmartScreen" or
        ActionType contains "ControlledFolderAccess"
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc 
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,  
         FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
         JsonOut.IsAudit,JsonOut.Uri,JsonOut.RuleId,JsonOut.ActivityId
         

We are also parsing AdditionalFields to be able to add extra value to events which contained such data.

From this point we can do additional filters. For example, if you want to enable ASR enterprise wide, set them in auditmode and report on the alerts without affect user productivity, remediate and the do a enterprise wide block enrollment

Happy Hunting!

Problems with self-encrypting drives

Microsoft has published ADV180028

The advisory explains the recently discovered vulnerabilities for self-encrypting drives. SED’s means that the drive is encrypted using the hardware instead of software only encryption provided by BitLocker Drive Encryption™.

The vulnerability was discovered by Carlo Meijer and Bernard van Gastel from the Radboud University in the Netherlands.

Verify encryption method using Powershell

Get-BitLockerVolume | select encryptionmethod,mountpoint,VolumeType

bitlocker

In this example, the device is not vulnerable since hardware encryption is not present.

This code smippet will return if the machine is vulnerable or not (compliant $true) (vulnerable $false) based on encryption method which can be used with SCCM to get an overview in larger Environments.
$BitlockerVolume = Get-BitLockerVolume | select encryptionmethod,mountpoint,VolumeType,ProtectionStatus |? { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

switch ($BitlockerVolume.encryptionmethod) {
Aes128 { $true }
Aes256 { $true }
Aes128Diffuser { $true }
Aes256Diffuser { $true }
XtsAes128 { $true }
XtsAes256 { $true }
Default { $false }
}

This work was done together with Jörgen Nilsson (https://ccmexec.com) who has a detailed post about this and how to use SCCM to get the current status of compliant devices which is linked to below. He also provided a cab-fil which can be imported

Bitlocker Compliance using SCCM including Hardware encryption check

SEC-LABS recognized at August 2018 Security Researcher’s list at MSRC

msrc
The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.

 

Both Stefan Schörling and Mattias Borg from SEC-LABS R&D is recognized at the Microsoft Security Response Center security researchers list for August 2018.

This was due to a vulnerability discovered with Johan Dahlbom and was reported to Microsoft.

We would like to give our appreciation to the MSRC team and it was a pleasure working with you to resolve this issue!

The list can be found here:
https://www.microsoft.com/en-us/msrc/researcher-acknowledgments-online-services

New features added to WD ATP

In the September release one of our most wanted features was added to WD ATP preview, Custom detection with scheduled queries.

This means that you can now develop your own hunting queries and run them every day automatically.

For this example we created a query to find a simple reverse shell from a Linux machine which runs Ziften.

Next step is to create a detection rule for the Query

detection rule

You can add Alert Title, Severity, Category, Description and Recommended actions.

It will be good if you add some details in the recommended actions if someone else will take action on the alert, or at least add a pointer to where they can find further information on requred actions. (Information sharing is important).

It’s possible to change this infomation later on.

detection rule page

On the Detection Rule page you can see the alerts and other information regards the detection rule.

All the rules will be listed at the left side in the hunting section.

custom detection

For further infomation about the new preview features please go to this url:

https://techcommunity.microsoft.com/t5/What-s-New/WDATP-September-2018-preview-features-are-out/m-p/242254#M95

Happy hunting!

/Sec-Labs

6000+ sites are still leaking sensitive WordPress config files

Well, this isn’t anything new, not at all!

Google Hacking Database has been around for a long time.

We started to dig into WordPress config files and realized that it’s very common to create a backup of your config file, which is not a bad idea.

This config file contains the base configuration of a wordpress installation like Database Connection (user name, password, ost) and other sensitive information.

Example

config

What’s really bad is that some admins seems to store the file in the web root and changed the extension to txt will will be read in the browser.

If we change the file extension to .txt it will be managed by the web server/php interpreter as any other txt file and present the content to the user.

So if we look at one part that exists in the WordPress config file.
“define(‘AUTH_KEY’, ‘” and we also have some other phrases like “wp-config.php”.

If you want an idea of how bad it is we can let google sort that out for us using some search operands available.
Since google knows the content of all files it has indexed which are most of them we just search for the content using “intext:” and filter on txt files using “filetype:”

intext:define(‘AUTH_KEY’, ‘ wp-config.php filetype:txt

The result shows about 6000+ results (and probably some false positives in the results).

ghdb

This file is not something that would be read by the user and you should not be able to download the php file either ;).

What you need to do

  • Don’t place sensitive files in the web root that doens’t have to be there
  • Configure permissions
  • Definitely don’t place backup files in the webroot, in case you don’t have to temporarily to reinstall a web application but otherwise, keep them away from the internet