Recover

Threat and Vulnerability management with Defender ATP

Until today you had to keep track on vulnerabilities in applications, create your custom dashboards and use 3rd party systems for the inventory.

Today microsoft released Threat and Vulnerability Management Dashboard as a part of Defender ATP.

TVM Dashboard

This dashboard provides a lot of insight in your environment with cloud scale, even the systems which are never in the office.

You can find the new dashboard by clicking on the little castle with the flag in the menu bar.

Dashboard

This part gives you a full overview of vulnerabilities like

  • Exposure Score
  • Configuration Score
  • Top vulnerable applications
  • Top exposed machines
  • Top remediation activities
  • Exposure distribution

You are also presented with the top security recommendations


Security Recommendations

In the security recommendations view you can view and sort based on components, remediation type etc

If we look at the details for one of the entries we can se a description, vulernability details, the affected machines and related CVE’s

security recommendation details

If we from this view clicks on Open Sofware page, we can see further details

If we from this view opens one of the items, we can see the risks, category and other ID’s

Working with remedation plans

We can create activities and set the due date for that activity

This an also be exported to a CSV file

When we have selected items for remediation we can look in the remediation view for follow up

Sofware Inventory

In this part we get an overview of all applications, weaknesses and if there are any known exploits.

The information from TVM is also linked to the machine page

Happy Hunting!

Defender ATP and PowerBI

Maybe, you don’t want management in the ATP portal, even though it’s configurable via roles, and maybe they don’t want to be there.

One thing I know is that most managers loves numbers, so why not provide them with a PowerBI report.

You can perfectly use cloud based option and there is an app for Windows Defender ATP already there for you to use.

Configure your connector and you’re all good to go

The dasboard looks like the following picture

With the many different tiles you, or your manager, can dig deeper in to events like in this following example with alert status

It’s also possible to filter data based on who a case was assigned to, who resolved the case etc.

If you have a PowerBI Pro account, you could subscribe to get scheduled reports.

You can also to quick filter

This is an easy win for your manager

Automate response with Defender ATP and Microsoft Flow

So now when we have cool products (more or less builtin) we need to start working with them and not be required to look in the portals 24/7.

This post will demonstrate an example on how to use approval in email to isolate machines with new alerts.

Microsoft Flow is very easy to use to create business flows for all kind of products. You can manage anything which has an API.

Microsoft has released connectors for many solutions and by drag n drop you can create flows to make your life a lot easier.

This flow used in this blog post is just to be able to show something useful.

  • Start by browsing to https://flow.microsoft.com and create a new flow
  • Search for WDATP and select the Trigger “Triggers when a Windows Defender ATP alert accurs (preview)”

We will then add an action to “Get single alert preview”, this will give us more information to use later.

In below picture we can see some of the dynamic content we can add to next step in the flow

We can also add a condition. In this example we use condition for alert severity (high or medium).

We also want to add an approver step.

For some reason the Approval type is in Swedish for me. You have 2 default options and one custom option
Options are “Everyone must approve” or “First one to approve”.

Based on the response from the approval step we continue the flow with a condition to go ahead if the responder choose to approve the action.


We add the action “Isolate machine (preview)” and configure that along with a send email action.

Running the Flow

If you need to change your flow you can re-run it using the same data as used previously

After the approval we get the status message send to all approvers

We can see that our test machine was successfully isolated

In the flow test overview

From the ATP console we now have the option to release the machine from isolation, collect investigation package etc

Dynamic content

Actions

Pro tips:

  • Use get alert to be able to add more dynamic content to use in subsequent steps
  • Use get machine to be able to get more information like IP, Computername etc
  • Start building your automated playbooks. This will save you time

Threat Hunting with Windows Defender ATP

A while ago Microsoft released the Threat Hunting capatibilities in WD ATP.

This is a great feature since you’re able to query a lot of things across your devices.

Example scenario:

Let’s say you receive IoC’s for an ongoing attack or investigate threat actors with known files or IP’s you can Query these IoC’s on both on-prem devices and devices which only exists on the internet and never in the office.

That’s one of the benefits of using cloud security services.

As we wrote in the last post it’s now possible to onboard older operating systems like Windows 7 and Windows 8.1. There is also possible to onboard Linux systems and Macs

linux_mac_atp

Threat Hunting

hunting_atp

The hunting capatibilities in WD ATP involves running queries and you’re able to query almost everything which can happen in the Operating System.

If you’re familiar with Sysinternals Sysmon your will recognize the a lot of the data which you can query.

 

AlertEvents
AlertId, EventTime, MachineId, ComputerName, Severity, Category, Title, ActionType, FileName, SHA1, RemoteUrl, RemoteIP, ReportId

MachineInfo
EventTime, MachineId, ComputerName, ClientVersion, PublicIP, OSArchitecture, OSPlatform, OSBuild, IsAzureADJoined, LoggedOnUsers, MachineGroup, ReportId,

ProcessCreationEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, ProcessId, ProcessCommandLine, ProcessIntegrityLevel, ProcessTokenElevation, ProcessCreationTime, AccountDomain, AccountName, AccountSid, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

NetworkCommunicationEvents
EventTime, MachineId, ComputerName, ActionType, RemoteIP, RemotePort, RemoteUrl, LocalIP, LocalPort, LocalIPType, RemoteIPType, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessParentCreationTime, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, ReportId

FileCreationEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessMD5, InitiatingProcessSHA1, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

RegistryEvents
EventTime, MachineId, ComputerName, ActionType, RegistryKey, RegistryValueType, RegistryValueName, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, ReportId

LogonEvents
EventTime, MachineId, ComputerName, ActionType, AccountDomain, AccountName, AccountSid, LogonType, ReportId

ImageLoadEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

MiscEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5, AccountDomain, AccountName, AccountSid, RemoteUrl, RemoteComputerName, ProcessCreationTime, ProcessTokenElevation, LogonId, RegistryKey, RegistryValueName, RegistryValueData, RemoteIP, RemotePort, LocalIP, LocalPort, FileOriginUrl, FileOriginIP, AdditionalFields, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, InitiatingProcessMD5, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessLogonId, ReportId

The query language is very similar to Splunk and adoption to these queries should be straight forward

ProcessCreationEvents
| where EventTime > ago(30d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "Invoke-Mimikatz"
or ProcessCommandLine has "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime

Use “Project” to select which columns you want in the output and you can export the result to a spreadsheet.

output

In the above example we ran a query to find malicious powershell commands being executed.

You can also, for example, query all powershell executions from Office applications

ProcessCreationEvents
| where EventTime > ago(14d)
| where ProcessCommandLine has "powershell"
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpoint.exe")

You can also use the quick search to finns URL’s, File hashes, IPs

quick search

The output will show you hits in organization and prevalance world wide which will give you more indication of a threat.

When we search for a filehash we can also submit the file for deeper analysis.

Microsoft has a Github repositories to help you with example queries

https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries

Sharing Queries

When working in a team it’s a good idea to share your queries to let your colleagues to use your hunting queries.

sharing_queries

The language reference is available here
https://docs.loganalytics.io/docs/Language-Reference/

 

Happy Hunting!

 

/Sec-Labs R&D