News – SEC-LABS R&D

Creating NRT Rules in Microsoft Sentinel

SEC-LABS R&D 2021-11-08 0 Comments

For information about NRT rules, please see previous blog post or visit

http s://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules

Creating NRT rules

Navigate to Microsoft Sentinel in the Azure portal

https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel

In the navigation, select Analytics

Click Create and select NRT query rule

Give it a name and add Description, Mitre Tactics and Severity and click *Next*

In the configuration window, there are no schedule and lookback time to define

Configure your query accordingly and continue the wizard.

Requirements

You can only refer to one table and cannot use unions or joins

No cross workspace query

Use project and only keep the necessary fields to avoid truncation due to size limitations of the alerts

For further information, please visit

https://docs.microsoft.com/en-us/azure/sentinel/create-nrt-rules

Detect, News, Security

Analytics, MicrosoftSentinel, SIEM

Microsoft 365 Defender connector for Azure Sentinel in public preview

SEC-LABS R&D 2020-11-10 0 Comments

A new connector for Microsoft 365 Defender is in public preview in Azure Sentinel. This connector makes it possible to ingest the hunting data into Sentinel

Currently, the Defender for Endpoint Data is available

To enable

Go to you Azure Sentinel Instance and select Connectors
Search for Microsoft 365 Defender

Click Open Connector Page
Select which Events you want to ingest

Click Apply Changes

Example queries

//Registry events
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "DefaultPassword"
| where RegistryKey has @"SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp

//Process and Network events
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient",
"DownloadFile",
"DownloadData",
"DownloadString",
"WebRequest",
"Shellcode",
"http",
"https")
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType

If we look at the tables we can see the new created tables

More information about the data in these tables is available in this post https://blog.sec-labs.com/2018/06/threat-hunting-with-windows-defender-atp/

For further reading:

Azure Sentinel https://docs.microsoft.com/sv-se/azure/sentinel
Microsoft 365 Defender https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection

News, Security

AzureSentinel, DefenderATP, MDE, Microsoft365Defender, MicrosoftDefenderForEndpoint, MTP, Sentinel

Helpful feature in MDATP

SEC-LABS R&D 2020-08-13 0 Comments

One of the benefits of using a cloud service backend instead of on-prem appliance boxes is that we can get new features without doing anything except for “enable” depending on feature.

One feature I like is the “flag event” feature in the timeline.

In the machine timeline view there is a “flag” we can enable on each event we find interesting. This will make it easier to go back and further investigate suspicious activities.

In the overview we can see where the flags are located in the timeline and if we want, we can also filter on flagged events

Happy Hunting

Detect, News

Defender ATP

The time of the year for the Microsoft MVP award

SEC-LABS R&D 2020-07-02 0 Comments

We are proud and happy to announce that both Mattias and Stefan are awarded with Microsoft MVP 2020-2021.

For Mattias it is the first Microsoft MVP award and he is awarded in the category: Microsoft Azure

Stefan is awarded for the 13th consecutive year and was awarded in 2(!) categories: Enterprise Mobility and Microsoft Azure

News

AWARD, Azure, Enterprise Mobility, MVP

Defender ATP EDR for MAC preview

SEC-LABS R&D 2019-11-07 0 Comments

During Microsoft Ignite, Microsoft announced Defender ATP EDR capabilities for Mac is available in preview.

It’s great to see Microsoft extends the EDR capabilities to cross-platform

Rich investigation experience – including machine timeline, process creation, file creation, network connections and, of course, the popular Advanced Hunting.
Optimized performance – enhanced CPU utilization in compilation procedures and large software deployments.
In-context AV detections – just like with Windows, get insight into where a threat came from and how the malicious process or activity was created.

More information available at
https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-for-Mac-EDR-in-Public-Preview/ba-p/985879

Happy Hunting!

Detect, News, Security

Defender ATP, EDR, Mac, OSX

Defender ATP to Linux – available next year

SEC-LABS R&D 2019-11-05 0 Comments

During Ignite Microsoft announces Defender ATP for Linux is coming next year

Defender ATP for Linux coming next year #MDATP #Security #MSIgnite pic.twitter.com/mOMSRwJJKz
— Stefan Schörling (@stefanschorling) November 4, 2019

Extending Defender ATP to be able to natively support Windows, Mac and Linux is great news and will simplify advanced threat management across the environment.

Happy Hunting!

Detect, News

Defender ATP, Linux, ThreatHunting

Microsoft announces new innovations in security, compliance, and identity at Ignite

SEC-LABS R&D 2019-11-04 0 Comments

This far in the Microsoft Ignite Conference, Microsoft have made new announcements.

This list is a mix of some of the announcements made:

Azure Sentinel New connectors, Zscaler, Barracuda, and Citrix. They have also added new hunting queries and machine learning-based detections to assist in prioritizing the most important events.

Insider Risk Management in Microsoft 365 – to help identify and remediate threats stemming from within an organization. Now in private preview, this new solution leverages the Microsoft Graph along with third-party signals, like HR systems, to identify hidden patterns that traditional methods would likely miss. https://www.microsoft.com/en-us/microsoft-365/blog/?p=233542

Microsoft Authenticator Microsoft makes Microsoft Authenticator available to customers as part of the Azure Active Directory (Azure AD) free plan. Deploying Multi-Factor Authentication (MFA) reduces the risk of phishing and other identity-based attacks by 99.9 percent.

Microsoft Defender Advanced Threat Protection (ATP)—Microsoft extends endpoint detection and response capability in Microsoft Defender ATP to include MacOS, now in preview. Microsoft also plans to add support for Linux servers.

Azure Security Center—Microsoft announces new capabilities to find misconfigurations and threats for containers and SQL in IaaS while providing rich vulnerability assessment for virtual machines. Azure Security Center also provides integration with security alerts from partners and quick fixes for fast remediation.

Microsoft information protection and governance—The compliance center in Microsoft 365 now provides the ability to view data classifications categorized by sensitive information types or associated with industry regulations. Machine learning also allows you to use your existing data to train classifiers that are unique to your organization, such as customer records, HR data, and contracts.

Microsoft Compliance Score—Now in public preview, Microsoft Compliance Score helps simplify regulatory complexity and reduce risk. It maps your Microsoft 365 configuration settings to common regulations and standards, providing continuous monitoring and recommended actions to improve your compliance posture. Microsoft also introduces a new assessment for the California Consumer Privacy Act (CCPA).

For the full list see:

https://www.microsoft.com/security/blog/2019/11/04/microsoft-announces-new-innovations-in-security-compliance-and-identity-at-ignite/?fbclid=IwAR0Fa1YHBV2GfqxGaxzOVUsSLQEHvlR5CFAhvoQziJ9I-mnmsolnRiY0qbk

News, Uncategorized

Ignite, Security

SEC-LABS recognized at August 2018 Security Researcher’s list at MSRC

SEC-LABS R&D 2018-09-27 0 Comments

msrc
The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.

Both Stefan Schörling and Mattias Borg from SEC-LABS R&D is recognized at the Microsoft Security Response Center security researchers list for August 2018.

This was due to a vulnerability discovered with Johan Dahlbom and was reported to Microsoft.

We would like to give our appreciation to the MSRC team and it was a pleasure working with you to resolve this issue!

The list can be found here:
https://www.microsoft.com/en-us/msrc/researcher-acknowledgments-online-services

Identify, News, Protect, Uncategorized

Disclosure, MSRC, WhiteHat

New features added to WD ATP

SEC-LABS R&D 2018-09-13 0 Comments

In the September release one of our most wanted features was added to WD ATP preview, Custom detection with scheduled queries.

This means that you can now develop your own hunting queries and run them every day automatically.

For this example we created a query to find a simple reverse shell from a Linux machine which runs Ziften.

Next step is to create a detection rule for the Query

detection rule

You can add Alert Title, Severity, Category, Description and Recommended actions.

It will be good if you add some details in the recommended actions if someone else will take action on the alert, or at least add a pointer to where they can find further information on requred actions. (Information sharing is important).

It’s possible to change this infomation later on.

detection rule page

On the Detection Rule page you can see the alerts and other information regards the detection rule.

All the rules will be listed at the left side in the hunting section.

custom detection

For further infomation about the new preview features please go to this url:

https://techcommunity.microsoft.com/t5/What-s-New/WDATP-September-2018-preview-features-are-out/m-p/242254#M95

Happy hunting!

/Sec-Labs

Detect, Identify, News, Respond

AdvancedThreatProtection, Features, WDATP

Massive ransomware campaign hits victims in at least 74 countries

SEC-LABS R&D 2017-05-12 0 Comments

Today reports was flooding the internet about an large scale ransomware campaign.

*** Update 2017-05-13 : Microsoft has put together a detailed post about the matter now since they have gotten the time to reverse the malware. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems
Microsoft has also released updates for Windows XP and 2003 Server that you can apply for the MS17-010 SMB Vulnerability KB4012598 http://www.catalog.update.microsoft.com/search.aspx?q=4012598

***

–his time the attack had a massive impact on the society – according to reports multiple hospitals was taken out of business in the UK with local files and network files encrypted.

The following picture from MalwareTech showing the infections which has an extreme hitrate

WannaCry infections (pic from malwaretech)

It’s using the NSA exploit leaked by Shadow Brokers (EternalBlue which uses a vulnerability in the SMB Protocol to spread.

This means that unpatched systems are spreading this ransomware internal on the network.

Initial infection is still not clear but most likley it’s a phishing campaing and we can’t really point out how important Security Awareness training is for your end users.

Mitigations (for this specific campaign)

Patching
- You need to have a good patching process to patch your systems this would most likley stop the spread of this malicous code
- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Office 365 ATP (Advanced Threat Protection)
- Office 365 ATP
- Protecting against unsafe attachments
  all suspicious content goes through a real-time behavioral malware analysis that uses machne learning to evaluate the content for suspicious activities.
  unsafe attachments are sandboxed in a detonation chamber before being sent to recipients
  
  Protect your environment when users click malicious links.
  The URL s are examined in real time when a user clicks them.
- Office 365 ATP URL SCAN
  
  One benefit is the reporting to so administrators can track which users clicked a link
- For further information about Office 365 ATP please visit https://products.office.com/en-us/exchange/online-email-threat-protection
Security Awareness
- Most likley this started by an email (well multiple emails) but I assume someone clicked on a link named invoice or something else
  Security awareness still very common to be overseen by secyurity teams and IT departments in general
  We can’t simple protect against every bad thing by technical means and we need to raise the awareness for the end users.
  Make sure to kick off a Security awareness program, This could be seminars, intranet information.
Segmentation
- Make sure you have network segmentation to avoid spreading
- Use a Local Firewall to block traffic usually there is no need to have SMB open against clients
Access to critical assets
- Separation of duties
- Users should only have access to what they need
- Don’t set up a share where all users can read and write files from all departments
Windows 10 Device guard
- Blocking untrusted code from executing. I bet this code wasn’t signed by a trusted certificate authority

Detect, News, Protect

Office365ATP, Patching, SecurityAwareness, ShadowBrokers, WannaCry