Respond

Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
Easy elevation of MTP alerts to Sentinel incidents.
Built-in detection rules utilizing the threat intelligence connector.
New ML models to discover malicious SSH access, fuse identity, and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI
Template playbooks now available on Github.
New threat hunting queries and libraries for Jupyter Notebooks

Incidents:

The interactive investigation graph is now publicly available.
Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.

MSSP and enterprise support:

Azure Lighthouse for multi-tenant management
RBAC support

For further information:

Pricing: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/
Product page: https://azure.microsoft.com/en-us/services/azure-sentinel/
Documentation: https://docs.microsoft.com/en-us/azure/sentinel/

Happy Hunting

Detect, Events, Respond, Security

Azure, Cloud, Sentinel, SIEM, ThreatHunting

Gartner EPP Magic quadrant 2019 – Defender in the leading quadrant

Security Labs 2019-08-23 0 Comments

The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide extremely powerfull Endpoint protection platform (EPP).
Microsoft is named a leader!

With built-in powerful capability which ties to Protect, Detect and respond, they have given us great tools for our security work.

Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Window 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.

Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.

The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP,
Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.

Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.

Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.

In addition, excellent execution on its roadmap make it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.
Gartner

The benefit of the insights and protection these tools, and ability to use built-in SOAR capabilities, gives security teams around the globe a better and much faster understanding of the attacks for much fast response.

Many features like Exploit Protection, Network Protection, Attack Surface reduction, Firewall and more will provide a more reliable platform which is easy to manage.

The enriched alerts and incidents gives security teams a chance to put their effort to the critical incidents and avoid spending time trying to fight the noice in all different tools and manual tasks.

Automated investigations

Build your playbooks

Take back the control with live response

We also have the threat and vulnerability management feature which gives you visibility on vulnerable software in your estate

Threat hunting

Full gartner report:
https://www.gartner.com/doc/reprints?id=1-1OCBC1P5&ct=190731&st=sb&fbclid=IwAR3G9Otpxuc52bi0hpFE4-iGv8uhvgnxtSl0boqAU7-R4aw5MyLsuyy0fLg

Congratulations Microsoft, we’re looking forward for all coming features

Happy Hunting!

Detect, Identify, Protect, Respond

Defender, epp, exploitprotection, gartner, MDATP, SOAR

Hunt for nuget/Squirrel update vulnerability

Security Labs 2019-07-01 0 Comments

A few days ago, a post on medium stated that an arbitrary code execution was possible in Squirrel which affected Teams and other applications which used Squirrel and Nuget for updates.

https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12

In the post, Teams is mentioned as example but other affected application were mentioned on twitter.

So, to see what our environment is up to with regards to this. Our favorite place to go to: Defender ATP – Advanced Hunting!

To explain the query, since there are other apps than teams which uses Squirrel, we aim to keep the query as broad as we can.

Since some applications uses Squirrel and web for updates we can’t simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.

To make it more easy to overview we’re adding the URL to a column

To continue this we can count unique URL’s to find anomalies

Edit: An Updated Query can be found on the link below here http://blog.sec-labs.com/2019/07/advanced-hunting-defender-atp-squirrel/

ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1), 
                       ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1), 
                       "Default")
| where exeURL != "Default"
| sort by EventTime desc 
|project EventTime, 
          ComputerName,
          exeURL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId

Defender Application Control would definitely block this attack and other mitigations in operating system will harden the clients in your environment.

Happy Hunting!

Detect, Respond, Security, Uncategorized

AdvancedThreatProtection, Defender ATP, Kusto, Nuget, Teams, ThreatHunting, Vulnerability

March updates to Windows 10 for Cloud App Discovery integration in MDATP

Security Labs 2019-04-12 0 Comments

Who doesn’t want to get in control of their Cloud App Usage, and get a nice cloud usage dashboard like this?

With the latest March 2019 Updates to Windows 10, 1709 and 1803 Microsoft has back ported the Cloud App Discovery Capabilities from 1809 so now you will get Discovery Data from Windows 10 devices ranging from 1709 and above, all you need to do is to enable the integration and your machines that are on boarded to MDATP will start reporting in.

Microsoft has also included some back porting regarding Automatic Investigation, Remediation, Memory Forensic.

Happy Hunting

https://support.microsoft.com/en-us/help/4489890/windows-10-update-kb4489890
https://support.microsoft.com/en-us/help/4489894/windows-10-update-kb4489894

Detect, Identify, Respond

Defender ATP and PowerBI

Security Labs 2019-04-10 0 Comments

Maybe, you don’t want management in the ATP portal, even though it’s configurable via roles, and maybe they don’t want to be there.

One thing I know is that most managers loves numbers, so why not provide them with a PowerBI report.

You can perfectly use cloud based option and there is an app for Windows Defender ATP already there for you to use.

Configure your connector and you’re all good to go

The dasboard looks like the following picture

With the many different tiles you, or your manager, can dig deeper in to events like in this following example with alert status

It’s also possible to filter data based on who a case was assigned to, who resolved the case etc.

If you have a PowerBI Pro account, you could subscribe to get scheduled reports.

You can also to quick filter

This is an easy win for your manager

Recover, Respond, Security, Uncategorized

Dashboard, Defender ATP, PowerBI

New features added to WD ATP

Security Labs 2018-09-13 0 Comments

In the September release one of our most wanted features was added to WD ATP preview, Custom detection with scheduled queries.

This means that you can now develop your own hunting queries and run them every day automatically.

For this example we created a query to find a simple reverse shell from a Linux machine which runs Ziften.

Next step is to create a detection rule for the Query

detection rule

You can add Alert Title, Severity, Category, Description and Recommended actions.

It will be good if you add some details in the recommended actions if someone else will take action on the alert, or at least add a pointer to where they can find further information on requred actions. (Information sharing is important).

It’s possible to change this infomation later on.

detection rule page

On the Detection Rule page you can see the alerts and other information regards the detection rule.

All the rules will be listed at the left side in the hunting section.

custom detection

For further infomation about the new preview features please go to this url:

https://techcommunity.microsoft.com/t5/What-s-New/WDATP-September-2018-preview-features-are-out/m-p/242254#M95

Happy hunting!

/Sec-Labs

Detect, Identify, News, Respond

AdvancedThreatProtection, Features, WDATP

Working with Roles in Windows Defender ATP

Security Labs 2018-06-24 0 Comments

As with everything else we want to apply a least privilege access.

If you need permission to do X you should only have access to do X and not several other things.

That’s why you should define the roles and reponsibilities in your organization to make sure you can apply a least privilege strategy.

Many products supports RBAC and should be used.

Working with Roles in Windows Defender ATP is very simple. You can enable it in Settings menu.

Settings > Roles > Enable Roles

enableRoles

The Global administrator role is added by default and have full permissions which can’t be changed.

Creating Roles

It’s not a bad idea to create a few roles, even if it’s just ju who are the complete security team. One reason is organizational changes and one important reason is that we don’t want people to work as global administrators.

Create Role

In Settings > Permissions > Roles > Add Role

createrole

Assign Azure AD group to the role

aadgroups

One example of roles setup could be:

Viewonly – For managers, able to view data
ATP-Users – Teams working with ATP, run scans, threat remediation etc
ATP-Administrators – ATP Admins, change settings and manage security roles

Depending on your organization you might need more defined roles list.

Here is the permission list and sub items is what will be granted more specific to the role.

View Data
- View Data
Alerts investigation
- Manage alerts
- Initiate automated investigations
- Run scans
- Collect investigation packages
- Manage machine tags
Active remediation actions
- Take responsive actions
- Approve or dismiss pending remediation actions
Manage security settings
- Configure alert suppression settings
- Manage allowed/blocked lists for automation
- Manage folder exclusions for automated (applies globally)
- Onboard and offboard machines
- Manage email notifications

Working with Machine Groups

To be able to separate duties even further and configure different automatic remediation rules for different Machines we have the Machine Groups features.

Machine Groups is a way to group onaboarded Machines based on Name, Domain, Machine Tag and Operating System.

machinegroup

When using the “Show preview” at the bottom of the configuration page, you can see which onboarded machines will added to the Group.

You can select automation level

Semi – Require approval for any remediation
Semi – Require approval for non-temp folders remediation
Semi – Require approval for core folders remediation
Full – Remediate threats automatically

And you can assign a Azure AD userg group with roles to the machine group

mg_usergroup

The Groups, depending on how you defined group membership rules, will be populated automatically.

change_preview

more information about Machine Groups can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection

more information about RBAC in WD ATP can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection

Happy Hunting!

/Sec-Labs R&D

Detect, Protect, Respond

RBAC, Roles, WDATP

Onboarding older Windows Versions to WD ATP

Security Labs 2018-06-19 1 Comment

Today Microsoft announced that it’s now possible to onboard older legacy operatingsystems to ATP (Advanced Threat Protection) when the public preview that is available.

Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise

Even though we Always recommend using the latest versions there might be scenarios where you need the advanced detection and response capatibilities and of ATP and it’s not possible to upgrade the machines.

The difference between Windows 10 and the older versions is that is not built-in and you have to install an Microsoft Monitoring agent which will connect to your workspace and report the sensor data.

Installing the agent

64-bit agent is available here:
https://go.microsoft.com/fwlink/?LinkId=828603

32-bit agent is available here:
https://go.microsoft.com/fwlink/?LinkId=828604

When you have downloaded the setup file you extract it using “/c” parameter

Install command
setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1

The workspace ID and Key is available in your ATP Portal https://securitycenter.windows.com

The clients will connect to the service using HTTPS and can be a direct connection or through a proxy or OMS gateway.

Agent Resource	Ports
*.oms.opinsights.azure.com	443
*.blob.core.windows.net	443
*.azure-automation.net	443
*.ods.opinsights.azure.com	443
winatp-gw-cus.microsoft.com	443
winatp-gw-eus.microsoft.com	443
winatp-gw-neu.microsoft.com	443
winatp-gw-weu.microsoft.com	443
winatp-gw-uks.microsoft.com	443
winatp-gw-ukw.microsoft.com	443

When your clients are configured you should start seeing them in the ATP console

As you may have noticed there’s a link to Azure ATP alerts where you can dig further on advanced attacks in your environment.

On the following link you can find more information about onboarding older Windows Versions to Defender ATP
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection

Happy Hunting

/SEC-LABS R&D

Detect, Protect, Respond

AdvancedThreatProtection, ATP, Defender, WDATP, Windows7, Windows8.1

TechDays Sweden – Take care of your clients, you don’t WannaCry

Security Labs 2017-06-07 0 Comments

In October SEC-LABS R&D Crew will be presenting at the Swedish Premier Microsoft IT Event TechDays. We will be talking about how to Secure your Windows clients, we are going to walk you through the Microsoft security stack you can use to protect your Windows client with. We will be focusing not only on Windows 10 but other solutions and practices you can leverage to build a more secure client environment.

http://tdswe.se/events/take-care-of-your-clients-you-dont-wannacry/

We hope to see you there / Stefan and Mattias

We have embedded a video from last years event below (Swedish)

Detect, Events, Protect, Respond

sLoad launches version 2.0, Starslord 2020-01-21
sLoad has launched version 2.0. With the new version, sLoad, which is a PowerShell-based Trojan downloader notable for its almost exclusive use of the Windows BITS service for malicious activities, has added an anti-analysis trick and the ability to track the stage of infection for every affected machine. The post sLoad launches version 2.0, Starslord […]
How companies can prepare for a heightened threat environment 2020-01-20
Learn what actions companies can take and controls they can validate in light of the current level of threats, and during any period of heightened risk. The post How companies can prepare for a heightened threat environment appeared first on Microsoft Security.
Changing the monolith—Part 2: Whose support do you need? 2020-01-16
Transformation can be a daunting task. In this series, I explore how change is possible when addressing the components of people, process, and technology that make up the organization. The post Changing the monolith—Part 2: Whose support do you need? appeared first on Microsoft Security.
Introducing Microsoft Application Inspector 2020-01-16
Microsoft Application Inspector is a new source code analyzer that helps you understand what a program does by identifying interesting features and characteristics. The post Introducing Microsoft Application Inspector appeared first on Microsoft Security.
How to implement Multi-Factor Authentication (MFA) 2020-01-15
The goal of MFA implementation is to enable it for all your users, on all of your systems, all of the time. Learn how to successfully roll out and support MFA in your organization. The post How to implement Multi-Factor Authentication (MFA) appeared first on Microsoft Security.
Rethinking cyber scenarios—learning (and training) as you defend 2020-01-14
Gamified cybersecurity learning is an increasingly important must-have in your SecOps program, from understanding basic concepts all the way into advanced attacker and defense scenarios. Microsoft and Circadence are working together to democratize and scale cyber readiness globally. The post Rethinking cyber scenarios—learning (and training) as you defend appeared first on Microsoft Security.
Changing the monolith—Part 1: Building alliances for a secure culture 2020-01-09
Digital transformation is a daunting task. In this series, I explore how change is possible when addressing the components of people, process, and technology that make up the organization. The post Changing the monolith—Part 1: Building alliances for a secure culture appeared first on Microsoft Security.
Microsoft 365 helps governments adopt a Zero Trust security model 2020-01-08
With Microsoft 365 security services, governments can take confident steps to adopt a Zero Trust approach to cybersecurity. The post Microsoft 365 helps governments adopt a Zero Trust security model appeared first on Microsoft Security.
Threat hunting in Azure Advanced Threat Protection (ATP) 2020-01-07
DART was called into an engagement where the adversary had a foothold within the on-premises network, which had been gained through compromising cloud credentials. Luckily, this customer had deployed Azure ATP prior to the incident and it had already normalized authentication and identity transactions within the customer network. The post Threat hunting in Azure Advanced […]
CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life 2019-12-23
In this next post in our series, we provide insight into a day in the life of our SOC analysts investigating common front door attacks. The post CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life appeared first on Microsoft Security.